Compare commits

...

191 Commits
0.1.2 ... 0.2.1

Author SHA1 Message Date
3286c56929 meta: bump collection version to 0.2.1 2025-10-23 18:49:50 +02:00
cd4fac6372 update(ghost): bump version to 6.5.1 2025-10-23 18:48:46 +02:00
22cce2bf06 update(keycloak): bump version to 26.4.2 2025-10-23 18:47:45 +02:00
22c1e9d179 update(jellyfin): bump version to 10.11.0 2025-10-20 18:10:41 +02:00
acc7ae289b update(snipe_it): bump version to 8.3.4 2025-10-17 22:06:34 +02:00
3adb3d4d6d update(keycloak): bump version to 26.4.1 2025-10-16 15:35:24 +02:00
86cea40cfc update(vouch_proxy): bump version to 0.45.1 2025-10-13 16:41:00 +02:00
066a5f2c59 update(authelia): bump version to 4.39.13 2025-10-12 09:09:39 +02:00
ce14010fee update(ghost): bump version to 6.3.1 2025-10-10 22:46:57 +02:00
e6f0c912d5 update(pretix): bump version to 2025.8.0 2025-10-08 18:36:39 +02:00
8838e17624 update(authelia): bump version to 4.39.12 2025-10-08 13:42:02 +02:00
5d8845c075 update(snipe_it): bump version to 8.3.3 2025-10-07 12:23:12 +02:00
c593006de1 update(phpldapadmin): bump version to 2.3.4 2025-10-07 10:36:51 +02:00
55363ef3ae update(keycloak): bump version to 26.4.0 2025-10-01 16:00:29 +02:00
504b54f7ef update(authelia): bump version to 4.39.11 2025-10-01 15:44:49 +02:00
bca5e68288 feat(pretix): add ansible role and playbook 2025-09-29 16:41:20 +02:00
04f62eb021 update(keycloak): bump version to 26.3.5 2025-09-25 21:27:21 +02:00
887fd4055f update(phpldapadmin): bump version to 2.3.3 2025-09-20 19:06:19 +02:00
873dc4894a update(snipe_it): bump version to 8.3.2 2025-09-19 22:06:15 +02:00
1b979d54d3 update(authelia): bump version to 4.39.10 2025-09-16 22:46:34 +02:00
a1aea3ba10 update(phpldapadmin): bump version to 2.3.1 2025-09-13 10:53:53 +02:00
7360beb85d update(gitea): bump version to 1.24.6 2025-09-11 22:02:20 +02:00
c5d66a4bc3 update(authelia): bump version to 4.39.9 2025-09-09 19:04:52 +02:00
c1643a2a06 update(ghost): bump version to 6.0.7 2025-09-08 22:33:46 +02:00
6b004e3477 update(authelia): bump version to 4.39.8 2025-09-02 18:19:12 +02:00
b6e0a88716 update(snipe_it): bump version to 8.3.1 2025-09-01 16:59:08 +02:00
ae24dcfd9b update(authelia): bump version to 4.39.7 2025-08-31 16:12:29 +02:00
5457046433 update(snipe_it): bump version to 8.3.0 2025-08-29 22:04:30 +02:00
61be252a50 update(ghost): bump version to 6.0.5 2025-08-23 22:57:24 +02:00
20867e7a36 update(vouch_proxy): bump version to 0.45.0 2025-08-22 21:17:33 +02:00
5fbe6325d0 update(keycloak): bump version to 26.3.3 2025-08-20 16:26:41 +02:00
f3aa284efa update(ghost): bump version to 6.0.4 2025-08-19 21:24:30 +02:00
94a73bd3a9 update(phpldapadmin): bump version to 2.3.0 2025-08-18 21:38:25 +02:00
b66213e29d meta: update collection version to 0.2.0, update dependencies 2025-08-16 17:12:17 +02:00
79a39e1aca update(gitea): bump version to 1.24.5 2025-08-13 19:00:25 +02:00
448975a12f update(authelia): bump version to 4.39.6 2025-08-09 10:19:13 +02:00
9cde7b3961 update(gitea): bump version to 1.24.4 2025-08-04 21:47:37 +02:00
0b1ac4957e update(vaultwarden): bump version to 1.34.3 2025-07-31 23:27:20 +02:00
ef83afc453 update(vaultwarden): bump version to 1.34.2 2025-07-28 16:12:58 +02:00
4d266054d4 update(keycloak): bump version to 26.3.2 2025-07-25 22:59:40 +02:00
15810fd6dc update(snipe_it): bump version to 8.2.1 2025-07-24 20:30:42 +02:00
df5f37bd5a update(snipe_it): bump version to 8.2.0 2025-07-23 17:30:53 +02:00
6a5f04f751 update(phpldapadmin): bump version to 2.2.2 2025-07-18 23:06:48 +02:00
63803053dc update(gitea): bump version to 1.24.3 2025-07-15 21:16:00 +02:00
0d07413608 update(phpldapadmin): bump version to 2.2.1 2025-07-13 16:14:54 +02:00
f46812872c update(authelia): bump version to 4.39.5 2025-07-13 10:16:25 +02:00
9861de8914 update(snipe_it): bump version to 8.1.18 2025-07-09 18:15:27 +02:00
b73d10f31e update(keycloak): bump version to 26.3.1 2025-07-09 18:13:22 +02:00
a38ded822f update(ghost): bump version to 5.129.1 2025-07-06 22:48:56 +02:00
52a8630554 update(keycloak): bump version to 26.3.0 2025-07-02 21:53:21 +02:00
d0cbff5d20 update(snipe-it): bump version to 8.1.17 2025-06-30 15:32:13 +02:00
3a52c20914 update(ghost): bump version to 5.126.1 2025-06-22 19:37:07 +02:00
017edc5ee5 update(gitea): bump version to 1.24.2 2025-06-21 11:03:45 +02:00
f8a5b865ae update(gitea): bump version to 1.24.1 2025-06-20 16:24:55 +02:00
a3f750c17d update(snipe_it): bump version to 8.1.16 2025-06-16 15:57:30 +02:00
b12a374ef1 update(gost): bump version to 5.125.1 2025-06-14 23:06:41 +02:00
aa6bf10e97 update(gitea): bump version to 1.24.0 2025-06-11 19:49:49 +02:00
78beaa1814 meta: add community.general@^10.0.0 dependency 2025-06-07 22:14:50 +02:00
fcbcb39e55 update(ghost): bump version to 5.121.0 2025-06-06 23:10:35 +02:00
a7b6189fa3 update(snipe_it): bump version to 8.1.15 2025-06-03 16:42:39 +02:00
cd0e305d34 update(ghost): bump version to 5.102.4 2025-05-30 17:16:02 +02:00
d09baa48fa update(keycloak): bump version to 26.2.5 2025-05-28 12:53:54 +02:00
3bb6928fad update(vaultwarden): bump version to 1.34.1 2025-05-27 16:25:46 +02:00
bce1d4ecee update(authelia): bump version to 4.39.4 2025-05-25 14:04:24 +02:00
4de87f2407 update(snipe_it): bump version to 8.1.4 2025-05-23 15:03:05 +02:00
2984018cd2 update(ghost): bump version to 5.120.0 2025-05-17 22:07:45 +02:00
536c988d64 update(gitea): bump version to 1.23.8 2025-05-13 15:54:51 +02:00
ef34c4de67 update(authelia): bump version to 4.39.3 2025-05-11 20:25:12 +02:00
f23a3538bd update(authelia): bump version to 4.39.2, change registry to ghcr.io 2025-05-10 23:31:32 +02:00
503c421b2f update(ghost): bump version to 5.119.2 2025-05-09 21:59:52 +02:00
46f26900fc update(keycloak): bump version to 26.2.4 2025-05-08 17:56:15 +02:00
0b9bfc1646 update(snipe_it): bump version to 8.1.3 2025-05-07 17:24:22 +02:00
79c8b6537e update(keycloak): bump version to 26.2.3 2025-05-05 16:11:18 +02:00
1de7bc2de9 update(snipe_it): bump version to 8.1.2 2025-05-05 16:08:35 +02:00
9587b4193c feat(phpldapadmin): add ansible role 2025-05-02 21:52:12 +02:00
f996c7a373 chore(vaultwarden): use strict env comparisions for container 2025-05-01 10:21:15 +02:00
e1866a1a41 update(keycloak): bump version to 26.2.2 2025-04-30 16:56:05 +02:00
800ebbae77 meta: update collection version to 0.1.15 2025-04-27 19:00:17 +02:00
6faba56371 update(keycloak): bump version to 26.2.1 2025-04-23 18:21:28 +02:00
05aec0581b update(ghost): bump version to 5.117.0 2025-04-17 17:45:11 +02:00
fbe33c06cf update(keycloak): bump version to 26.2.0 2025-04-12 11:34:44 +02:00
0e405cef07 update(keycloak): bump version to 26.1.5 2025-04-12 11:34:43 +02:00
42782b58a4 update(hedgedoc): bump version to 1.10.3 2025-04-10 17:08:45 +02:00
ee410b29a8 update(gitea): bump version to 1.23.7 2025-04-08 21:21:42 +02:00
1f7c4635a4 update(jellyfin): bump version to 10.10.7 2025-04-06 09:09:38 +02:00
7995eba69b update(ghost): bump version to 5.116.0 2025-04-04 21:59:18 +02:00
c766e2ef46 meta: bump galaxy version to 0.1.14 2025-03-28 16:05:11 +01:00
8e667d113a update(gitea): bump version to 1.23.6 2025-03-25 17:13:53 +01:00
c8d49760b1 update(ghost): bump version to 5.113.1 2025-03-20 22:06:35 +01:00
c28cba452c update(snipe_it): bump version to 8.0.4 2025-03-18 21:24:02 +01:00
ed5118ea95 update(authelia): bump version to 4.39.1 2025-03-18 20:33:33 +01:00
4d43f3c425 update(ghost): bump version to 5.113.0 2025-03-17 21:49:18 +01:00
3c789f2736 update(authelia): bump version to 4.39.0 2025-03-16 19:56:00 +01:00
62b99afa95 update(keycloak): bump version to 26.1.4 2025-03-14 22:32:25 +01:00
213cff7da7 update(ghost): bump version to 5.111.0 2025-03-07 21:34:55 +01:00
6ce6c3ce41 update(gitea): bump version to 1.23.5 2025-03-06 14:57:09 +01:00
70fa36ff98 update(snipe_it): bump version to 7.1.17 2025-03-03 21:09:04 +01:00
a4d56624e5 chore(jellyfin): allow passing more options to docker container 2025-03-02 21:23:27 +01:00
fc79dc4bc1 update(keycloak): bump version to 26.1.3 2025-02-28 19:15:31 +01:00
94404387cc feat(authelia): add state absent support 2025-02-26 20:51:21 +01:00
6a420416db update(ghost): bump version to 5.110.1 2025-02-26 20:42:02 +01:00
fac73c1a6a update(vouch_proxy): bump version to 0.41.0 2025-02-20 17:39:58 +01:00
307025181b update(gitea): bump version to 1.23.4 2025-02-19 15:18:07 +01:00
f7594fed77 update(jellyfin): bump version to 10.10.6 2025-02-17 12:42:21 +01:00
c72e87dfd5 update(authelia): bump version to 4.38.19 2025-02-16 14:56:02 +01:00
82fc10fd5f update(hedgedoc): bump version to 1.10.2 2025-02-15 10:45:31 +01:00
05145b3b21 feat(jellyfin): add podman as deployment method 2025-02-14 22:26:48 +01:00
1e234bf68b feat(vaultwarden): support podman as deployment method 2025-02-14 22:12:52 +01:00
6516780e16 meta: add containers.podman@^1.16.0 to collection requirements 2025-02-14 22:12:51 +01:00
06df5b790e feat(hedgedoc): support podman as deployment method 2025-02-14 22:12:50 +01:00
9bfd87f256 meta: bump galaxy version to 0.1.13 2025-02-12 21:59:50 +01:00
20a4cf4da4 update(keycloak): bump version to 26.1.2 2025-02-11 17:24:58 +01:00
60ce6ca758 update(vaultwarden): bump version to 1.33.2 2025-02-09 19:44:00 +01:00
a1039eaa45 update(ghost): bump version to 5.109.3 2025-02-07 21:35:11 +01:00
01ff782b14 update(gitea): bump version to 1.23.3 2025-02-06 17:31:40 +01:00
bc61a40771 update(keycloak): bump version to 26.1.1 2025-02-06 17:31:09 +01:00
94ddaf98f0 chore(keycloak): allow disabling mapping of local providers into the container image 2025-02-04 12:04:15 +01:00
23f5f560b6 update(vaultwarden): bump version to 1.33.1 2025-02-03 20:23:50 +01:00
a8f74baa53 meta: bump version to 0.1.12, require community.docker@^4.0.0, community.crypto@^2.22.0 2025-02-03 09:44:09 +01:00
836183ad55 update(hedgedoc): bump version to 1.10.1 2025-02-03 09:40:21 +01:00
0deea90113 update(ghost): bump version to 5.109.0 2025-02-02 19:50:54 +01:00
a5108c1bb6 feat(gitea): allow specifying container user for rootless mode 2025-01-31 13:11:54 +01:00
a278d5a438 meta: bump collection version to 0.1.11 2025-01-30 15:47:46 +01:00
6ff3590514 update(jellyfin): bump version to 10.10.5 2025-01-26 09:01:10 +01:00
801b4b2cbf update(vaultwarden): bump version to 1.33.0 2025-01-25 22:06:06 +01:00
5ea018e04c update(ghost): bump version to 5.107.2 2025-01-23 21:40:20 +01:00
842492c30d update(jellyfin): bump version to 10.10.4 2025-01-22 20:37:58 +01:00
249f2e8926 update(ghost): bump version to 5.107.0 2025-01-19 14:07:00 +01:00
0f75b2a4aa update(keycloak): bump version to 26.1.0 2025-01-18 12:36:11 +01:00
d934993817 update(keycloak): bump version to 26.0.8 2025-01-17 16:01:52 +01:00
4c65b70f97 update(gitea): bump version to 1.23.1 2025-01-10 19:21:04 +01:00
fe5ebb9531 update(gitea): bump version to 1.23.0 2025-01-09 20:18:45 +01:00
2d5b6a9357 update(authelia): bump version to 4.38.18 2025-01-01 20:45:01 +01:00
563e261ef3 fix(hedgedoc): jinja template syntax error 2024-12-29 15:18:46 +01:00
51a466a150 update(ghost): bump version to 5.105.0 2024-12-24 23:07:59 +01:00
7b9fed4a11 update(gitea): bump version to 1.22.6 2024-12-23 19:58:02 +01:00
25be7155e0 update(vaultwarden): bump version to 1.32.7 2024-12-21 23:04:35 +01:00
950d017889 update(authelia): bump version to 4.38.17 2024-12-14 22:33:27 +01:00
31639291f1 meta: update collection to 0.1.10 2024-12-08 13:54:25 +01:00
127a128a73 update(gitea): bump version to 1.22.4 2024-12-08 13:52:42 +01:00
6bf38f8273 update(ghost): bump version to 5.103.0 2024-12-05 23:18:32 +01:00
266057d11c update(keycloak): bump version to 26.0.7 2024-12-03 16:14:52 +01:00
afa91a622b update(keycloak): bump version to 26.0.6 2024-11-29 22:50:54 +01:00
d92262798a update(snipe_it): bump version to 7.1.15 2024-11-28 22:05:40 +01:00
4b13c448d0 update(ghost): bump version to 5.101.4 2024-11-27 20:04:01 +01:00
a9a988ec69 update(ghost): bump version to 5.101.3 2024-11-23 21:54:14 +01:00
d9de07c8f8 update(jellyfin): bump version to 10.10.3 2024-11-19 14:08:00 +01:00
c51dd4c142 meta: update collection to 0.1.9 2024-11-18 14:01:46 +01:00
bfd6449a71 update(vaultwarden): bump version to 1.32.5 2024-11-18 14:00:42 +01:00
7ebde915db update(ghost): bump version to 5.101.1 2024-11-15 21:07:30 +01:00
a18c8c3355 meta: bump collection version to 0.1.8 2024-11-11 08:34:17 +01:00
5a6ffc6991 update(vaultwarden): bump version to 1.32.4 2024-11-11 08:32:26 +01:00
e7ea03c00e update(jellyfin): bump version to 10.10.1 2024-11-10 19:52:04 +01:00
c7040c96f8 chore(keycloak): set keycloak hostname and header mode for proxy 2024-11-09 12:21:56 +01:00
d8d0b5c9e5 chore(keycloak): use fully-qualified module names 2024-11-08 18:30:18 +01:00
1d1f519e3a chore(keycloak): split upstream container image coordinates 2024-11-08 18:29:35 +01:00
11d5c81c60 update(keycloak): bump version to 26.0.5 2024-11-08 18:24:12 +01:00
f7eeb59288 update(keycloak): bump version to 25.0.6 2024-11-08 18:11:25 +01:00
72d8ac9644 feat(keycloak): add ansible role
Migrate role from `entropia.sso` collection
2024-11-08 18:05:19 +01:00
d3d6f89949 fix(authelia): correctly template session.redis config section, fix container restarts recreating the container 2024-11-02 10:48:05 +01:00
43d0dc171a update(openproject)!: bump version to release/14 2024-11-01 21:32:08 +01:00
d8dfb24df0 update(vaultwarden): bump version to 1.32.3 2024-10-31 09:53:41 +01:00
57c8dae0c4 meta: bump version to 0.1.7 2024-10-27 19:26:55 +01:00
6385b6f7a8 update(jellyfin): bump version to 10.10.0 2024-10-27 19:23:09 +01:00
7d09c9a88d feat(snipe_it): add ansible role for deployment 2024-10-27 18:35:22 +01:00
98c60a73c6 meta: bump version to 0.1.6 2024-10-22 20:42:24 +02:00
5ac019bace docs: fix typo 2024-10-19 17:33:13 +02:00
43fd798712 feat(vaultwarden): add ansible role 2024-10-19 17:26:50 +02:00
88dc6377ce fix(hedgedoc): incorrect module used 2024-10-19 17:13:24 +02:00
0a132b0ad5 meta: update collection version to 0.1.5, add galaxy tags 2024-10-10 17:01:35 +02:00
72942ee382 update(hedgedoc): bump version to 1.10.0 2024-10-10 16:59:06 +02:00
755e5d55f2 update(ghost): bump version to 5.96.0 2024-10-10 16:58:01 +02:00
5023a56b29 update(authelia): bump version to 4.38.15 2024-10-10 16:56:49 +02:00
17dfe4b2bb update(gitea): bump version to 1.22.3 2024-10-10 16:55:57 +02:00
cd122ebbdb fix(gitea): typo in variable name 2024-10-10 16:55:27 +02:00
0d914bd11c feat(hedgedoc): add deployment_method=podman, add docs 2024-10-09 20:06:48 +02:00
49ed240f10 fix(hedgedoc): add options ports and user to container creation task 2024-10-08 17:55:06 +02:00
81d6f809d7 meta: bump collection version to 0.1.4 2024-10-07 19:44:08 +02:00
b24ea1e925 feat(jellyfin): add playbook to collection, add state=absent support to role 2024-10-07 19:42:22 +02:00
912c32cb3e feat(hedgedoc): add ansible role for deployment 2024-10-07 19:09:52 +02:00
cde5f12e79 meta: bump galaxy version to 0.1.3 2024-10-03 22:37:43 +02:00
a8f5507eab meta: add role descriptions 2024-10-03 22:34:28 +02:00
ddfa8d6687 chore(jellyfin): migrate to fully-qualified module names 2024-10-03 22:25:46 +02:00
fd4cc0fe6a meta: require community.crypto@^2.0.0 in collection 2024-10-03 22:24:30 +02:00
3a15ed1157 chore(gitea): migrate to fully-qualified module names 2024-10-03 22:22:31 +02:00
a7fad79d05 chore(authelia): add container recreation option 2024-10-03 22:19:16 +02:00
f3d3617ec0 chore(authelia): migrate to fully-qualified module names 2024-10-03 22:18:34 +02:00
908b579f2c chore(authelia): more config migration in preparation for authelia 5.0.x 2024-10-03 22:05:08 +02:00
bab5b94500 update(ghost): bump version to 5.95.0 2024-10-03 21:30:48 +02:00
b5b4f67a08 chore(authelia): migrate away from deprecated config options 2024-10-03 18:01:40 +02:00
5e29e174d5 chore(authelia): add etc_hosts container option 2024-10-03 17:06:49 +02:00
92 changed files with 2260 additions and 147 deletions

View File

@@ -1,4 +1,4 @@
# `finallycoffee.service` ansible collection # `finallycoffee.services` ansible collection
## Overview ## Overview
@@ -17,12 +17,26 @@ concise area of concern.
- [`gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a - [`gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a
lightweight, self-hosted git service. lightweight, self-hosted git service.
- [`hedgedoc`](roles/hedgedoc/README.md): Deploy [hedgedoc](https://hedgedoc.org/),
a collaborative real-time markdown editor using websockts
- [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org), - [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
the free software media system for streaming stored media to any device. the free software media system for streaming stored media to any device.
- [`keycloak`](roles/keycloak/README.md): Deploy [keycloak](https://www.keycloak.org/),
the open source identity and access management solution.
- [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org) - [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
installation using the upstream provided docker-compose setup. installation using the upstream provided docker-compose setup.
- [`pretix`](roles/pretix/README.md): Deploy [pretix](https://pretix.eu), the open source online ticketing solution.
- [`snipe_it`](roles/snipe_it/README.md): Deploys [Snipe-IT](https://snipeitapp.com/),
the free and open-source IT asset (and license) management with a powerful REST API
- [`vaultwarden`](roles/vaultwarden/README.md): Deploy [vaultwarden](https://github.com/dani-garcia/vaultwarden/),
an open-source implementation of the Bitwarden Server (formerly Bitwarden\_RS).
- [`vouch_proxy`](roles/vouch_proxy/README.md): Deploys [vouch-proxy](https://github.com/vouch/vouch-proxy), - [`vouch_proxy`](roles/vouch_proxy/README.md): Deploys [vouch-proxy](https://github.com/vouch/vouch-proxy),
an authorization proxy for arbitrary webapps working with `nginx`s' `auth_request` module. an authorization proxy for arbitrary webapps working with `nginx`s' `auth_request` module.

View File

@@ -1,14 +1,27 @@
namespace: finallycoffee namespace: finallycoffee
name: services name: services
version: 0.1.2 version: "0.2.1"
readme: README.md readme: README.md
authors: authors:
- transcaffeine <transcaffeine@finally.coffee> - transcaffeine <transcaffeine@finally.coffee>
description: Various ansible roles useful for automating infrastructure description: Various ansible roles useful for automating infrastructure
dependencies: dependencies:
"community.docker": "^3.0.0" "community.general": "^11.0.0"
"community.crypto": "^3.0.3"
"community.docker": "^4.7.0"
"containers.podman": "^1.16.0"
license_file: LICENSE.md license_file: LICENSE.md
build_ignore: build_ignore:
- '*.tar.gz' - '*.tar.gz'
repository: https://git.finally.coffee/finallycoffee/services repository: https://git.finally.coffee/finallycoffee/services
issues: https://codeberg.org/finallycoffee/ansible-collection-services/issues issues: https://codeberg.org/finallycoffee/ansible-collection-services/issues
tags:
- authelia
- gitea
- hedgedoc
- jellyfin
- vaultwarden
- snipeit
- docker
- phpldapadmin
- pretix

6
playbooks/hedgedoc.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Install and configure hedgedoc
hosts: "{{ hedgedoc_hosts | default('hedgedoc') }}"
become: "{{ hedgedoc_become | default(true, false) }}"
roles:
- role: finallycoffee.services.hedgedoc

6
playbooks/jellyfin.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Install and configure jellyfin
hosts: "{{ jellyfin_hosts | default('jellyfin') }}"
become: "{{ jellyfin_become | default(true, false) }}"
roles:
- role: finallycoffee.services.jellyfin

View File

@@ -0,0 +1,7 @@
---
- name: Configure and run phpldapadmin
hosts: "{{ phpldapadmin_hosts | default('phpldapadmin', true) }}"
become: "{{ phpldapadmin_become | default(false) }}"
gather_facts: "{{ phpldapadmin_gather_facts | default(false) }}"
roles:
- role: finallycoffee.services.phpldapadmin

99
playbooks/pretix.yml Normal file
View File

@@ -0,0 +1,99 @@
---
- import_playbook: finallycoffee.databases.postgresql_client
when: pretix_configure_postgresql | default(true)
vars:
postgresql_hosts: "{{ pretix_hosts | default('pretix') }}"
postgresql_become: >-2
{{ pretix_postgresql_client_become | default(pretix_become | default(true)) }}
postgresql_client_database: "{{ pretix_postgresql_database | default('pretix') }}"
postgresql_client_username: "{{ pretix_postgresql_user | default('pretix') }}"
postgresql_client_password: >-2
{{ pretix_postgresql_password | mandatory(msg='pretix postgresql password is required') }}
- import_playbook: finallycoffee.databases.valkey
when: pretix_configure_valkey | default(true)
vars:
valkey_hosts: "{{ pretix_hosts | default('pretix') }}"
valkey_instance: "pretix"
valkey_secret: "{{ pretix_redis_secret | mandatory(msg='pretix valkey secret is required') }}"
valkey_config_user:
- "default on +@all -DEBUG ~* &* >{{ pretix_redis_secret }}"
valkey_container_ports:
- "{{ pretix_redis_bind_addr | default('127.0.10.1:6739') }}:{{ valkey_config_port }}"
valkey_config_bind:
- "0.0.0.0"
- "-::"
- name: Install and configure pretix
hosts: "{{ pretix_hosts | default('pretix') }}"
become: "{{ pretix_become | default(true) }}"
gather_facts: "{{ pretix_gather_facts | default(false) }}"
roles:
- role: finallycoffee.services.pretix
vars:
pretix_config_url: "https://{{ pretix_domain }}"
pretix_config_database_name: "{{ pretix_postgresql_database | default('pretix') }}"
pretix_config_database_user: "{{ pretix_postgresql_user | default('pretix') }}"
pretix_config_database_password: "{{ pretix_postgresql_password }}"
pretix_config_redis_location: >-2
redis://:{{ pretix_redis_secret }}@{{ pretix_redis_bind_addr }}/0
pretix_config_celery_backend: >-2
redis://:{{ pretix_redis_secret }}@{{ pretix_redis_bind_addr }}/1
pretix_config_celery_broker: >-2
redis://:{{ pretix_redis_secret }}@{{ pretix_redis_bind_addr }}/2
- role: finallycoffee.base.nginx
when: pretix_configure_nginx | default(true)
vars:
nginx_container_name: "nginx-pretix"
nginx_container_labels: "{{ pretix_nginx_container_labels | default({}, true) }}"
nginx_config_file: "{{ nginx_base_path }}/nginx-pretix.conf"
nginx_config: |+
server {
listen 80 default_server;
server_name {{ pretix_domain }};
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass http://{{ pretix_config_wsgi_bind_addr }};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
}
location /media/ {
alias {{ pretix_media_dir }}/;
expires 7d;
access_log off;
}
location ^~ /media/cachedfiles {
deny all;
return 404;
}
location ^~ /media/invoices {
deny all;
return 404;
}
location /static/staticfiles.json {
deny all;
return 404;
}
location /static/CACHE/manifest.json {
deny all;
return 404;
}
location /static/ {
alias {{ pretix_static_asset_dir }};
access_log off;
expires 365d;
add_header Cache-Control "public";
}
}
pretix_python_version: >-2
python{{ ansible_python.version.major }}.{{ ansible_python.version.minor }}
pretix_static_asset_dir: >-2
{{ pretix_virtualenv_dir }}/lib/{{ pretix_python_version }}/site-packages/pretix/static.dist/
nginx_container_volumes:
- "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro"
- "{{ pretix_media_dir }}:{{ pretix_media_dir }}:ro"
- "{{ pretix_static_asset_dir }}:{{ pretix_static_asset_dir }}:ro"
vars:
pretix_redis_bind_addr: "127.0.10.1:6739"

6
playbooks/snipe_it.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Install and configure Snipe-IT
hosts: "{{ snipe_it_hosts | default('snipe_it') }}"
become: "{{ snipe_it_become | default(true, false) }}"
roles:
- role: finallycoffee.services.snipe_it

View File

@@ -0,0 +1,6 @@
---
- name: Install and configure vaultwarden
hosts: "{{ vaultwarden_hosts | default('vaultwarden') }}"
become: "{{ vaultwarden_become | default(true, false) }}"
roles:
- role: finallycoffee.services.vaultwarden

View File

@@ -1,9 +1,10 @@
--- ---
authelia_version: "4.39.13"
authelia_version: 4.38.15
authelia_user: authelia authelia_user: authelia
authelia_base_dir: /opt/authelia authelia_base_dir: /opt/authelia
authelia_domain: authelia.example.org authelia_domain: authelia.example.org
authelia_state: present
authelia_deployment_method: docker
authelia_config_dir: "{{ authelia_base_dir }}/config" authelia_config_dir: "{{ authelia_base_dir }}/config"
authelia_config_file: "{{ authelia_config_dir }}/config.yaml" authelia_config_file: "{{ authelia_config_dir }}/config.yaml"
@@ -14,7 +15,7 @@ authelia_notification_storage_file: "{{ authelia_data_dir }}/notifications.txt"
authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml" authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"
authelia_container_name: authelia authelia_container_name: authelia
authelia_container_image_server: docker.io authelia_container_image_server: ghcr.io
authelia_container_image_namespace: authelia authelia_container_image_namespace: authelia
authelia_container_image_name: authelia authelia_container_image_name: authelia
authelia_container_image: >-2 authelia_container_image: >-2
@@ -57,10 +58,18 @@ authelia_config_server_address: >-2
{{ authelia_config_server_host }}:{{ authelia_config_server_port }} {{ authelia_config_server_host }}:{{ authelia_config_server_port }}
authelia_config_server_path: "" authelia_config_server_path: ""
authelia_config_server_asset_path: "/config/assets/" authelia_config_server_asset_path: "/config/assets/"
authelia_config_server_read_buffer_size: 4096 authelia_config_server_buffers_read: 4096
authelia_config_server_write_buffer_size: 4096 authelia_config_server_read_buffer_size: >-2
authelia_config_server_enable_pprof: true {{ authelia_config_server_buffers_read }}
authelia_config_server_enable_expvars: true authelia_config_server_buffers_write: 4096
authelia_config_server_write_buffer_size: >-2
{{ authelia_config_server_buffers_write }}
authelia_config_server_endpoints_enable_pprof: true
authelia_config_server_enable_pprof: >-2
{{ authelia_config_server_endpoints_enable_pprof }}
authelia_config_server_endpoints_enable_expvars: true
authelia_config_server_enable_expvars: >-2
{{ authelia_config_server_endpoints_enable_expvars }}
authelia_config_server_disable_healthcheck: authelia_config_server_disable_healthcheck:
authelia_config_server_tls_key: ~ authelia_config_server_tls_key: ~
authelia_config_server_tls_certificate: ~ authelia_config_server_tls_certificate: ~
@@ -83,7 +92,11 @@ authelia_config_webauthn_disable: true
authelia_config_webauthn_timeout: 60s authelia_config_webauthn_timeout: 60s
authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})" authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})"
authelia_config_webauthn_attestation_conveyance_preference: indirect authelia_config_webauthn_attestation_conveyance_preference: indirect
authelia_config_webauthn_user_verification: preferred authelia_config_webauthn_user_verification: "preferred"
authelia_config_webauthn_selection_criteria_user_verification: >-2
{{ authelia_config_webauthn_user_verification }}
authelia_config_webauthn_selection_criteria_discoverability: "preferred"
authelia_config_webauthn_selection_criteria_attachment: ""
authelia_config_duo_api_hostname: ~ authelia_config_duo_api_hostname: ~
authelia_config_duo_api_integration_key: ~ authelia_config_duo_api_integration_key: ~
authelia_config_duo_api_secret_key: ~ authelia_config_duo_api_secret_key: ~
@@ -98,6 +111,8 @@ authelia_config_authentication_backend_password_reset_disable: false
authelia_config_authentication_backend_password_reset_custom_url: ~ authelia_config_authentication_backend_password_reset_custom_url: ~
authelia_config_authentication_backend_ldap_implementation: custom authelia_config_authentication_backend_ldap_implementation: custom
authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389 authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
authelia_config_authentication_backend_ldap_address: >-2
{{ authelia_config_authentication_backend_ldap_url }}
authelia_config_authentication_backend_ldap_timeout: 5s authelia_config_authentication_backend_ldap_timeout: 5s
authelia_config_authentication_backend_ldap_start_tls: false authelia_config_authentication_backend_ldap_start_tls: false
authelia_config_authentication_backend_ldap_tls_skip_verify: false authelia_config_authentication_backend_ldap_tls_skip_verify: false
@@ -107,10 +122,18 @@ authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users"
authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))" authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))"
authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups" authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups"
authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})" authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})"
authelia_config_authentication_backend_ldap_attributes_username: uid
authelia_config_authentication_backend_ldap_username_attribute: >-2
{{ authelia_config_authentication_backend_ldap_attributes_username }}
authelia_config_authentication_backend_ldap_attributes_mail: mail
authelia_config_authentication_backend_ldap_mail_attribute: >-2
{{ authelia_config_authentication_backend_ldap_attributes_mail }}
authelia_config_authentication_backend_ldap_attributes_display_name: displayName
authelia_config_authentication_backend_ldap_display_name_attribute: >-2
{{ authelia_config_authentication_backend_ldap_attributes_display_name }}
authelia_config_authentication_backend_ldap_group_name_attribute: cn authelia_config_authentication_backend_ldap_group_name_attribute: cn
authelia_config_authentication_backend_ldap_username_attribute: uid authelia_config_authentication_backend_ldap_attributes_group_name: >-2
authelia_config_authentication_backend_ldap_mail_attribute: mail {{ authelia_config_authentication_backend_ldap_group_name_attribute }}
authelia_config_authentication_backend_ldap_display_name_attribute: displayName
authelia_config_authentication_backend_ldap_user: ~ authelia_config_authentication_backend_ldap_user: ~
authelia_config_authentication_backend_ldap_password: ~ authelia_config_authentication_backend_ldap_password: ~
authelia_config_authentication_backend_file_path: ~ authelia_config_authentication_backend_file_path: ~
@@ -138,6 +161,21 @@ authelia_config_session_secret: ~
authelia_config_session_expiration: 1h authelia_config_session_expiration: 1h
authelia_config_session_inactivity: 5m authelia_config_session_inactivity: 5m
authelia_config_session_remember_me_duration: 1M authelia_config_session_remember_me_duration: 1M
authelia_config_session_remember_me: >-2
{{ authelia_config_session_remember_me_duration }}
authelia_config_session_cookies:
- "{{ authelia_config_session_cookies_default }}"
authelia_config_session_cookies_default_domain: >-2
{{ authelia_config_session_domain }}
authelia_config_session_cookies_default_authelia_url: >-2
https://{{ authelia_config_session_cookies_default_domain }}
authelia_config_session_cookies_default_default_redirection_url: >-2
{{ authelia_config_default_redirection_url }}
authelia_config_session_cookies_default:
domain: "{{ authelia_config_session_cookies_default_domain }}"
authelia_url: "{{ authelia_config_session_cookies_default_authelia_url }}"
default_redirection_url: >-2
{{ authelia_config_session_cookies_default_default_redirection_url }}
authelia_config_session_redis_host: "{{ authelia_redis_host }}" authelia_config_session_redis_host: "{{ authelia_redis_host }}"
authelia_config_session_redis_port: "{{ authelia_redis_port }}" authelia_config_session_redis_port: "{{ authelia_redis_port }}"
authelia_config_session_redis_username: "{{ authelia_redis_user }}" authelia_config_session_redis_username: "{{ authelia_redis_user }}"
@@ -174,7 +212,10 @@ authelia_config_notifier_smtp_disable_require_tls: false
authelia_config_notifier_smtp_disable_html_emails: false authelia_config_notifier_smtp_disable_html_emails: false
authelia_config_notifier_smtp_tls_skip_verify: false authelia_config_notifier_smtp_tls_skip_verify: false
authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}" authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}"
#authelia_config_identity_provider_ authelia_config_identity_validation_reset_password_jwt_secret: >-2
{{ authelia_config_jwt_secret }}
authelia_config_identity_validation_reset_password_jwt_lifespan: "5 minutes"
authelia_config_identity_validation_reset_password_jwt_algorithm: "HS256"
authelia_database_type: ~ authelia_database_type: ~
authelia_database_host: ~ authelia_database_host: ~

View File

@@ -4,5 +4,7 @@
docker_container: docker_container:
name: "{{ authelia_container_name }}" name: "{{ authelia_container_name }}"
state: started state: started
restart: yes restart: true
comparisons:
'*': ignore
listen: restart-authelia listen: restart-authelia

View File

@@ -0,0 +1,9 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: authelia
description: Ansible role to deploy authelia using docker
galaxy_tags:
- authelia
- docker

View File

@@ -0,0 +1,61 @@
---
- name: Ensure container mounts are present
when: authelia_state == 'present'
block:
- name: Ensure sqlite database file exists before mounting it
ansible.builtin.file:
path: "{{ authelia_sqlite_storage_file }}"
state: touch
owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}"
mode: "0640"
access_time: preserve
modification_time: preserve
when: authelia_config_storage_local_path | default(false, true)
- name: Ensure user database exists before mounting it
ansible.builtin.file:
path: "{{ authelia_user_storage_file }}"
state: touch
owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}"
mode: "0640"
access_time: preserve
modification_time: preserve
when: authelia_config_authentication_backend_file_path | default(false, true)
- name: Ensure notification reports file exists before mounting it
ansible.builtin.file:
path: "{{ authelia_notification_storage_file }}"
state: touch
owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}"
mode: "0640"
access_time: preserve
modification_time: preserve
when: authelia_config_notifier_filesystem_filename | default(false, true)
- name: Ensure authelia container image is {{ authelia_state }}
community.docker.docker_image:
name: "{{ authelia_container_image_ref }}"
state: "{{ authelia_state }}"
source: pull
force_source: "{{ authelia_container_image_force_pull }}"
register: authelia_container_image_info
- name: Ensure authelia container is {{ authelia_container_state }}
community.docker.docker_container:
name: "{{ authelia_container_name }}"
image: "{{ authelia_container_image_ref }}"
env: "{{ authelia_container_env }}"
user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
ports: "{{ authelia_container_ports | default(omit, true) }}"
labels: "{{ authelia_container_labels }}"
volumes: "{{ authelia_container_volumes }}"
networks: "{{ authelia_container_networks | default(omit, true) }}"
etc_hosts: "{{ authelia_container_etc_hosts | default(omit, true) }}"
purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
restart_policy: "{{ authelia_container_restart_policy }}"
recreate: "{{ authelia_container_recreate | default(omit, true) }}"
state: "{{ authelia_container_state }}"
register: authelia_container_info

View File

@@ -1,16 +1,30 @@
--- ---
- name: Check for valid state
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ authelia_state }}'.
Supported states are {{ authelia_states | join(', ') }}.
when: authelia_state not in authelia_states
- name: Ensure user {{ authelia_user }} exists - name: Check for valid authelia deployment method
user: ansible.builtin.fail:
msg: >-2
Unsupported deployment method '{{ authelia_deployment_method }}'.
Supported states are {{ authelia_deployment_methods | join(', ') }}.
when: authelia_deployment_method not in authelia_deployment_methods
- name: Ensure user {{ authelia_user }} is {{ authelia_state }}
ansible.builtin.user:
name: "{{ authelia_user }}" name: "{{ authelia_user }}"
state: present state: "{{ authelia_state }}"
system: true system: true
create_home: false
register: authelia_user_info register: authelia_user_info
- name: Ensure host directories are created with correct permissions - name: Ensure host directories are {{ authelia_state }}
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: directory state: "{{ (authelia_state == 'present') | ternary('directory', 'absent') }}"
owner: "{{ item.owner | default(authelia_user) }}" owner: "{{ item.owner | default(authelia_user) }}"
group: "{{ item.group | default(authelia_user) }}" group: "{{ item.group | default(authelia_user) }}"
mode: "{{ item.mode | default('0750') }}" mode: "{{ item.mode | default('0750') }}"
@@ -25,67 +39,16 @@
- path: "{{ authelia_asset_dir }}" - path: "{{ authelia_asset_dir }}"
mode: "0750" mode: "0750"
- name: Ensure config file is generated - name: Ensure config file is {{ authelia_state }}
copy: ansible.builtin.copy:
content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}" content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}"
dest: "{{ authelia_config_file }}" dest: "{{ authelia_config_file }}"
owner: "{{ authelia_run_user }}" owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}" group: "{{ authelia_run_group }}"
mode: "0640" mode: "0640"
notify: restart-authelia notify: restart-authelia
when: authelia_state == 'present'
- name: Ensure sqlite database file exists before mounting it - name: Deploy authelia using {{ authelia_deployment_method }}
file: ansible.builtin.include_tasks:
path: "{{ authelia_sqlite_storage_file }}" file: "deploy-{{ authelia_deployment_method }}.yml"
state: touch
owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}"
mode: "0640"
access_time: preserve
modification_time: preserve
when: authelia_config_storage_local_path | default(false, true)
- name: Ensure user database exists before mounting it
file:
path: "{{ authelia_user_storage_file }}"
state: touch
owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}"
mode: "0640"
access_time: preserve
modification_time: preserve
when: authelia_config_authentication_backend_file_path | default(false, true)
- name: Ensure notification reports file exists before mounting it
file:
path: "{{ authelia_notification_storage_file }}"
state: touch
owner: "{{ authelia_run_user }}"
group: "{{ authelia_run_group }}"
mode: "0640"
access_time: preserve
modification_time: preserve
when: authelia_config_notifier_filesystem_filename | default(false, true)
- name: Ensure authelia container image is present
community.docker.docker_image:
name: "{{ authelia_container_image_ref }}"
state: present
source: pull
force_source: "{{ authelia_container_image_force_pull }}"
register: authelia_container_image_info
- name: Ensure authelia container is running
docker_container:
name: "{{ authelia_container_name }}"
image: "{{ authelia_container_image_ref }}"
env: "{{ authelia_container_env }}"
user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
ports: "{{ authelia_container_ports | default(omit, true) }}"
labels: "{{ authelia_container_labels }}"
volumes: "{{ authelia_container_volumes }}"
networks: "{{ authelia_container_networks | default(omit, true) }}"
purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
restart_policy: "{{ authelia_container_restart_policy }}"
state: "{{ authelia_container_state }}"
register: authelia_container_info

View File

@@ -1,4 +1,9 @@
--- ---
authelia_states:
- "present"
- "absent"
authelia_deployment_methods:
- "docker"
authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}" authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}"
authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}" authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}"
@@ -20,7 +25,6 @@ authelia_container_base_labels:
authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}" authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
authelia_top_level_config: authelia_top_level_config:
theme: "{{ authelia_config_theme }}" theme: "{{ authelia_config_theme }}"
jwt_secret: "{{ authelia_config_jwt_secret }}"
log: "{{ authelia_config_log }}" log: "{{ authelia_config_log }}"
telemetry: "{{ authelia_config_telemetry }}" telemetry: "{{ authelia_config_telemetry }}"
totp: "{{ authelia_config_totp }}" totp: "{{ authelia_config_totp }}"
@@ -34,12 +38,11 @@ authelia_top_level_config:
regulation: "{{ authelia_config_regulation }}" regulation: "{{ authelia_config_regulation }}"
storage: "{{ authelia_config_storage }}" storage: "{{ authelia_config_storage }}"
notifier: "{{ authelia_config_notifier }}" notifier: "{{ authelia_config_notifier }}"
identity_validation: "{{ authelia_config_identity_validation }}"
authelia_base_config: >-2 authelia_base_config: >-2
{{ {{
authelia_top_level_config authelia_top_level_config
| combine({"default_redirection_url": authelia_config_default_redirection_url}
if authelia_config_default_redirection_url | default(false, true) else {})
| combine(({"server": authelia_config_server }) | combine(({"server": authelia_config_server })
| combine({"tls": authelia_config_server_tls} | combine({"tls": authelia_config_server_tls}
if authelia_config_server_tls_key | default(false, true) else {})) if authelia_config_server_tls_key | default(false, true) else {}))
@@ -50,14 +53,18 @@ authelia_config_server: >-2
{ {
"address": authelia_config_server_address, "address": authelia_config_server_address,
"asset_path": authelia_config_server_asset_path, "asset_path": authelia_config_server_asset_path,
"read_buffer_size": authelia_config_server_read_buffer_size,
"write_buffer_size": authelia_config_server_write_buffer_size,
"enable_pprof": authelia_config_server_enable_pprof,
"enable_expvars": authelia_config_server_enable_expvars,
"disable_healthcheck": authelia_config_server_disable_healthcheck, "disable_healthcheck": authelia_config_server_disable_healthcheck,
"endpoints": authelia_config_server_endpoints,
"buffers": authelia_config_server_buffers,
} | combine({"headers": {"csp_template": authelia_config_server_headers_csp_template}} } | combine({"headers": {"csp_template": authelia_config_server_headers_csp_template}}
if authelia_config_server_headers_csp_template | default(false, true) else {}) if authelia_config_server_headers_csp_template | default(false, true) else {})
}} }}
authelia_config_server_endpoints:
enable_expvars: "{{ authelia_config_server_endpoints_enable_expvars }}"
enable_pprof: "{{ authelia_config_server_endpoints_enable_pprof }}"
authelia_config_server_buffers:
read: "{{ authelia_config_server_buffers_read }}"
write: "{{ authelia_config_server_buffers_write }}"
authelia_config_server_tls: authelia_config_server_tls:
key: "{{ authelia_config_server_tls_key }}" key: "{{ authelia_config_server_tls_key }}"
certificate: "{{ authelia_config_server_tls_certificate }}" certificate: "{{ authelia_config_server_tls_certificate }}"
@@ -90,7 +97,10 @@ authelia_config_webauthn:
timeout: "{{ authelia_config_webauthn_timeout }}" timeout: "{{ authelia_config_webauthn_timeout }}"
display_name: "{{ authelia_config_webauthn_display_name }}" display_name: "{{ authelia_config_webauthn_display_name }}"
attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}" attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}"
user_verification: "{{ authelia_config_webauthn_user_verification }}" selection_criteria:
attachment: "{{ authelia_config_webauthn_selection_criteria_attachment }}"
discoverability: "{{ authelia_config_webauthn_selection_criteria_discoverability }}"
user_verification: "{{ authelia_config_webauthn_selection_criteria_user_verification }}"
authelia_config_duo_api: authelia_config_duo_api:
hostname: "{{ authelia_config_duo_api_hostname }}" hostname: "{{ authelia_config_duo_api_hostname }}"
integration_key: "{{ authelia_config_duo_api_integration_key }}" integration_key: "{{ authelia_config_duo_api_integration_key }}"
@@ -119,7 +129,7 @@ authelia_config_authentication_backend_password_reset:
disable: "{{ authelia_config_authentication_backend_password_reset_disable }}" disable: "{{ authelia_config_authentication_backend_password_reset_disable }}"
authelia_config_authentication_backend_ldap: authelia_config_authentication_backend_ldap:
implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}" implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}"
url: "{{ authelia_config_authentication_backend_ldap_url }}" address: "{{ authelia_config_authentication_backend_ldap_address }}"
timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}" timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}"
start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}" start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}"
tls: tls:
@@ -130,10 +140,11 @@ authelia_config_authentication_backend_ldap:
additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}" additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}"
users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}" users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}"
groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}" groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}" attributes:
username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}" username: "{{ authelia_config_authentication_backend_ldap_attributes_username }}"
mail_attribute: "{{ authelia_config_authentication_backend_ldap_mail_attribute }}" mail: "{{ authelia_config_authentication_backend_ldap_attributes_mail }}"
display_name_attribute: "{{ authelia_config_authentication_backend_ldap_display_name_attribute }}" display_name: "{{ authelia_config_authentication_backend_ldap_attributes_display_name }}"
group_name: "{{ authelia_config_authentication_backend_ldap_attributes_group_name }}"
user: "{{ authelia_config_authentication_backend_ldap_user }}" user: "{{ authelia_config_authentication_backend_ldap_user }}"
password: "{{ authelia_config_authentication_backend_ldap_password }}" password: "{{ authelia_config_authentication_backend_ldap_password }}"
authelia_config_authentication_backend_file: authelia_config_authentication_backend_file:
@@ -165,14 +176,19 @@ authelia_config_access_control:
default_policy: "{{ authelia_config_access_control_default_policy }}" default_policy: "{{ authelia_config_access_control_default_policy }}"
networks: "{{ authelia_config_access_control_networks }}" networks: "{{ authelia_config_access_control_networks }}"
rules: "{{ authelia_config_access_control_rules }}" rules: "{{ authelia_config_access_control_rules }}"
authelia_config_session: authelia_config_session: >-2
{{ authelia_config_session_base
| combine(({'redis': authelia_config_session_redis}
if authelia_config_session_redis_host else {}), recursive=true)
}}
authelia_config_session_base:
name: "{{ authelia_config_session_name }}" name: "{{ authelia_config_session_name }}"
domain: "{{ authelia_config_session_domain }}"
same_site: "{{ authelia_config_session_same_site }}" same_site: "{{ authelia_config_session_same_site }}"
secret: "{{ authelia_config_session_secret }}" secret: "{{ authelia_config_session_secret }}"
expiration: "{{ authelia_config_session_expiration }}" expiration: "{{ authelia_config_session_expiration }}"
inactivity: "{{ authelia_config_session_inactivity }}" inactivity: "{{ authelia_config_session_inactivity }}"
remember_me_duration: "{{ authelia_config_session_remember_me_duration }}" remember_me: "{{ authelia_config_session_remember_me }}"
cookies: "{{ authelia_config_session_cookies }}"
authelia_config_session_redis: >-2 authelia_config_session_redis: >-2
{{ {{
{ {
@@ -259,3 +275,9 @@ authelia_config_notifier_smtp:
tls: tls:
skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}" skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}"
minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}" minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}"
authelia_config_identity_validation:
reset_password: "{{ authelia_config_identity_validation_reset_password }}"
authelia_config_identity_validation_reset_password:
jwt_secret: "{{ authelia_config_identity_validation_reset_password_jwt_secret }}"
jwt_lifespan: "{{ authelia_config_identity_validation_reset_password_jwt_lifespan }}"
jwt_algorithm: "{{ authelia_config_identity_validation_reset_password_jwt_algorithm }}"

View File

@@ -1,7 +1,6 @@
--- ---
ghost_domain: ~ ghost_domain: ~
ghost_version: "5.94.1" ghost_version: "6.5.1"
ghost_user: ghost ghost_user: ghost
ghost_user_group: ghost ghost_user_group: ghost
ghost_base_path: /opt/ghost ghost_base_path: /opt/ghost

10
roles/ghost/meta/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: ghost
description: Ansible role to deploy ghost (https://ghost.org) using docker
galaxy_tags:
- ghost
- blog
- docker

View File

@@ -1,6 +1,5 @@
--- ---
gitea_version: "1.24.6"
gitea_version: "1.22.2"
gitea_user: git gitea_user: git
gitea_run_user: "{{ gitea_user }}" gitea_run_user: "{{ gitea_user }}"
gitea_base_path: "/opt/gitea" gitea_base_path: "/opt/gitea"
@@ -11,7 +10,7 @@ gitea_domain: ~
# container config # container config
gitea_container_name: "{{ gitea_user }}" gitea_container_name: "{{ gitea_user }}"
gitea_contianer_image_server: "docker.io" gitea_container_image_server: "docker.io"
gitea_container_image_name: "gitea" gitea_container_image_name: "gitea"
gitea_container_image_namespace: gitea gitea_container_image_namespace: gitea
gitea_container_image_fq_name: >- gitea_container_image_fq_name: >-
@@ -33,6 +32,7 @@ gitea_container_extra_labels: {}
gitea_container_extra_ports: [] gitea_container_extra_ports: []
gitea_container_extra_volumes: [] gitea_container_extra_volumes: []
gitea_container_state: started gitea_container_state: started
gitea_container_user: ~
# container defaults # container defaults
gitea_container_base_volumes: gitea_container_base_volumes:

10
roles/gitea/meta/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: gitea
description: Ansible role to deploy gitea using docker
galaxy_tags:
- gitea
- git
- docker

View File

@@ -1,7 +1,6 @@
--- ---
- name: Ensure gitea user '{{ gitea_user }}' is present - name: Ensure gitea user '{{ gitea_user }}' is present
user: ansible.builtin.user:
name: "{{ gitea_user }}" name: "{{ gitea_user }}"
state: "present" state: "present"
system: false system: false
@@ -9,7 +8,7 @@
register: gitea_user_res register: gitea_user_res
- name: Ensure host directories exist - name: Ensure host directories exist
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: "{{ gitea_user_res.uid }}" owner: "{{ gitea_user_res.uid }}"
group: "{{ gitea_user_res.group }}" group: "{{ gitea_user_res.group }}"
@@ -19,7 +18,7 @@
- "{{ gitea_data_path }}" - "{{ gitea_data_path }}"
- name: Ensure .ssh folder for gitea user exists - name: Ensure .ssh folder for gitea user exists
file: ansible.builtin.file:
path: "/home/{{ gitea_user }}/.ssh" path: "/home/{{ gitea_user }}/.ssh"
state: directory state: directory
owner: "{{ gitea_user_res.uid }}" owner: "{{ gitea_user_res.uid }}"
@@ -38,7 +37,7 @@
register: gitea_user_ssh_key register: gitea_user_ssh_key
- name: Create forwarding script - name: Create forwarding script
copy: ansible.builtin.copy:
dest: "/usr/local/bin/gitea" dest: "/usr/local/bin/gitea"
owner: "{{ gitea_user_res.uid }}" owner: "{{ gitea_user_res.uid }}"
group: "{{ gitea_user_res.group }}" group: "{{ gitea_user_res.group }}"
@@ -47,7 +46,7 @@
ssh -p {{ gitea_public_ssh_server_port }} -o StrictHostKeyChecking=no {{ gitea_run_user }}@127.0.0.1 -i /home/{{ gitea_user }}/.ssh/id_ssh_ed25519 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" ssh -p {{ gitea_public_ssh_server_port }} -o StrictHostKeyChecking=no {{ gitea_run_user }}@127.0.0.1 -i /home/{{ gitea_user }}/.ssh/id_ssh_ed25519 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
- name: Add host pubkey to git users authorized_keys file - name: Add host pubkey to git users authorized_keys file
lineinfile: ansible.builtin.lineinfile:
path: "/home/{{ gitea_user }}/.ssh/authorized_keys" path: "/home/{{ gitea_user }}/.ssh/authorized_keys"
line: "{{ gitea_user_ssh_key.public_key }} Gitea:Host2Container" line: "{{ gitea_user_ssh_key.public_key }} Gitea:Host2Container"
state: present state: present
@@ -75,9 +74,10 @@
published_ports: "{{ gitea_container_ports }}" published_ports: "{{ gitea_container_ports }}"
restart_policy: "{{ gitea_container_restart_policy }}" restart_policy: "{{ gitea_container_restart_policy }}"
state: "{{ gitea_container_state }}" state: "{{ gitea_container_state }}"
user: "{{ gitea_container_user | default(omit, true) }}"
- name: Ensure given configuration is set in the config file - name: Ensure given configuration is set in the config file
ini_file: ansible.builtin.ini_file:
path: "{{ gitea_data_path }}/gitea/conf/app.ini" path: "{{ gitea_data_path }}/gitea/conf/app.ini"
section: "{{ section }}" section: "{{ section }}"
option: "{{ option }}" option: "{{ option }}"

21
roles/hedgedoc/README.md Normal file
View File

@@ -0,0 +1,21 @@
# `finallycoffee.services.hedgedoc` ansible role
Role to deploy and configure hedgedoc using `docker` or `podman`.
To configure hedgedoc, set either the config as complex data
directly in `hedgedoc_config` or use the flattened variables
from the `hedgedoc_config_*` prefix (see
[defaults/main/config.yml](defaults/main/config.yml)).
To remove hedgedoc, set `hedgedoc_state: absent`. Note that this
will delete all data directories aswell, removing any traces this
role created on the target (except database contents).
# Required configuration
- `hedgedoc_config_domain` - Domain of the hedgedoc instance
- `hedgedoc_config_session_secret` - session secret for hedgedoc
## Deployment methods
To set the desired deployment method, set `hedgedoc_deployment_method` to a
supported deployment methods (see [vars/main.yml](vars/main.yml#5)).

View File

@@ -0,0 +1,52 @@
---
hedgedoc_config_domain: ~
hedgedoc_config_log_level: "info"
hedgedoc_config_session_secret: ~
hedgedoc_config_protocol_use_ssl: true
hedgedoc_config_hsts_enable: true
hedgedoc_config_csp_enable: true
hedgedoc_config_cookie_policy: 'lax'
hedgedoc_config_allow_free_url: true
hedgedoc_config_allow_email_register: false
hedgedoc_config_allow_anonymous: true
hedgedoc_config_allow_gravatar: true
hedgedoc_config_require_free_url_authentication: true
hedgedoc_config_default_permission: 'full'
hedgedoc_config_db_username: hedgedoc
hedgedoc_config_db_password: ~
hedgedoc_config_db_database: hedgedoc
hedgedoc_config_db_host: localhost
hedgedoc_config_db_port: 5432
hedgedoc_config_db_dialect: postgres
hedgedoc_config_database:
username: "{{ hedgedoc_config_db_username }}"
password: "{{ hedgedoc_config_db_password }}"
database: "{{ hedgedoc_config_db_database }}"
host: "{{ hedgedoc_config_db_host }}"
port: "{{ hedgedoc_config_db_port | int }}"
dialect: "{{ hedgedoc_config_db_dialect }}"
hedgedoc_config_base:
production:
domain: "{{ hedgedoc_config_domain }}"
loglevel: "{{ hedgedoc_config_log_level }}"
sessionSecret: "{{ hedgedoc_config_session_secret }}"
protocolUseSSL: "{{ hedgedoc_config_protocol_use_ssl }}"
cookiePolicy: "{{ hedgedoc_config_cookie_policy }}"
allowFreeURL: "{{ hedgedoc_config_allow_free_url }}"
allowAnonymous: "{{ hedgedoc_config_allow_anonymous }}"
allowEmailRegister: "{{ hedgedoc_config_allow_email_register }}"
allowGravatar: "{{ hedgedoc_config_allow_gravatar }}"
requireFreeURLAuthentication: >-2
{{ hedgedoc_config_require_free_url_authentication }}
defaultPermission: "{{ hedgedoc_config_default_permission }}"
hsts:
enable: "{{ hedgedoc_config_hsts_enable }}"
csp:
enable: "{{ hedgedoc_config_csp_enable }}"
db: "{{ hedgedoc_config_database }}"
hedgedoc_config: ~
hedgedoc_full_config: >-2
{{ hedgedoc_config_base | default({}, true)
| combine(hedgedoc_config | default({}, true), recursive=True) }}

View File

@@ -0,0 +1,57 @@
---
hedgedoc_container_image_registry: quay.io
hedgedoc_container_image_namespace: hedgedoc
hedgedoc_container_image_name: hedgedoc
hedgedoc_container_image_flavour: alpine
hedgedoc_container_image_tag: ~
hedgedoc_container_image: >-2
{{
([
hedgedoc_container_image_registry,
hedgedoc_container_image_namespace | default([], true),
hedgedoc_container_image_name,
] | flatten | join('/'))
+ ':'
+ hedgedoc_container_image_tag | default(
hedgedoc_version + (
((hedgedoc_container_image_flavour is string)
and (hedgedoc_container_image_flavour | length > 0))
| ternary('-' +
hedgedoc_container_image_flavour | default('', true),
''
)
),
true
)
}}
hedgedoc_container_image_source: pull
hedgedoc_container_name: hedgedoc
hedgedoc_container_state: >-2
{{ (hedgedoc_state == 'present') | ternary('started', 'absent') }}
hedgedoc_container_config_file: "/hedgedoc/config.json"
hedgedoc_container_upload_path: "/hedgedoc/public/uploads"
hedgedoc_container_env: ~
hedgedoc_container_user: >-2
{{ hedgedoc_run_user_id }}:{{ hedgedoc_run_group_id }}
hedgedoc_container_ports: ~
hedgedoc_container_networks: ~
hedgedoc_container_etc_hosts: ~
hedgedoc_container_base_volumes:
- "{{ hedgedoc_config_file }}:{{ hedgedoc_container_config_file }}:ro"
- "{{ hedgedoc_uploads_path }}:{{ hedgedoc_container_upload_path }}:rw"
hedgedoc_container_volumes: ~
hedgedoc_container_all_volumes: >-2
{{ hedgedoc_container_base_volumes | default([], true)
+ hedgedoc_container_volumes | default([], true) }}
hedgedoc_container_base_labels:
version: "{{ hedgedoc_container_tag | default(hedgedoc_version, true) }}"
hedgedoc_container_labels: ~
hedgedoc_container_network_mode: ~
hedgedoc_container_all_labels: >-2
{{ hedgedoc_container_base_labels | default({}, true)
| combine(hedgedoc_container_labels | default({}, true)) }}
hedgedoc_container_restart_policy: >-2
{{ (hedgedoc_deployment_method == 'docker')
| ternary('unless-stopped', 'on-failure') }}

View File

@@ -0,0 +1,9 @@
---
hedgedoc_user: hedgedoc
hedgedoc_version: "1.10.3"
hedgedoc_state: present
hedgedoc_deployment_method: docker
hedgedoc_config_file: "/etc/hedgedoc/config.json"
hedgedoc_uploads_path: "/var/lib/hedgedoc-uploads"

View File

@@ -0,0 +1,5 @@
---
hedgedoc_run_user_id: >-2
{{ hedgedoc_user_info.uid | default(hedgedoc_user) }}
hedgedoc_run_group_id: >-2
{{ hedgedoc_user_info.group | default(hedgedoc_user) }}

View File

@@ -0,0 +1,12 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: hedgedoc
description: >-2
Deploy hedgedoc, a collaborative markdown editor, using docker
galaxy_tags:
- hedgedoc
- markdown
- collaboration
- docker

View File

@@ -0,0 +1,23 @@
---
- name: Check for valid state
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ hedgedoc_state }}'. Supported
states are {{ hedgedoc_states | join(', ') }}.
when: hedgedoc_state not in hedgedoc_states
- name: Check for valid deployment method
ansible.builtin.fail:
msg: >-2
Deployment method '{{ hedgedoc_deployment_method }}'
is not supported. Supported are:
{{ hedgedoc_deployment_methods | join(', ') }}
when: hedgedoc_deployment_method not in hedgedoc_deployment_methods
- name: Ensure required variables are given
ansible.builtin.fail:
msg: "Required variable '{{ item }}' is undefined!"
loop: "{{ hedgedoc_required_arguments }}"
when: >-2
item not in hostvars[inventory_hostname]
or hostvars[inventory_hostname][item] | length == 0

View File

@@ -0,0 +1,31 @@
---
- name: Ensure container image '{{ hedgedoc_container_image }}' is {{ hedgedoc_state }}
community.docker.docker_image:
name: "{{ hedgedoc_container_image }}"
state: "{{ hedgedoc_state }}"
source: "{{ hedgedoc_container_image_source }}"
force_source: >-2
{{ hedgedoc_container_force_source | default(
hedgedoc_container_image_tag | default(false, true), true) }}
register: hedgedoc_container_image_info
until: hedgedoc_container_image_info is success
retries: 5
delay: 3
- name: Ensure container '{{ hedgedoc_container_name }}' is {{ hedgedoc_container_state }}
community.docker.docker_container:
name: "{{ hedgedoc_container_name }}"
image: "{{ hedgedoc_container_image }}"
env: "{{ hedgedoc_container_env | default(omit, true) }}"
user: "{{ hedgedoc_container_user | default(omit, true) }}"
ports: "{{ hedgedoc_container_ports | default(omit, true) }}"
labels: "{{ hedgedoc_container_all_labels }}"
volumes: "{{ hedgedoc_container_all_volumes }}"
etc_hosts: "{{ hedgedoc_container_etc_hosts | default(omit, true) }}"
dns_servers: >-2
{{ hedgedoc_container_dns_servers | default(omit, true) }}
network_mode: >-2
{{ hedgedoc_container_network_mode | default(omit, true) }}
restart_policy: >-2
{{ hedgedoc_container_restart_policy | default(omit, true) }}
state: "{{ hedgedoc_container_state }}"

View File

@@ -0,0 +1,31 @@
---
- name: Ensure container image '{{ hedgedoc_container_image }}' is {{ hedgedoc_state }}
containers.podman.podman_image:
name: "{{ hedgedoc_container_image }}"
state: "{{ hedgedoc_state }}"
pull: "{{ (hedgedoc_container_image_source == 'pull') | bool }}"
force: >-2
{{ hedgedoc_container_force_source | default(
hedgedoc_container_image_tag | default(false, true), true) }}
register: hedgedoc_container_image_info
until: hedgedoc_container_image_info is success
retries: 5
delay: 3
- name: Ensure container '{{ hedgedoc_container_name }}' is {{ hedgedoc_container_state }}
containers.podman.podman_container:
name: "{{ hedgedoc_container_name }}"
image: "{{ hedgedoc_container_image }}"
env: "{{ hedgedoc_container_env | default(omit, true) }}"
user: "{{ hedgedoc_container_user | default(omit, true) }}"
ports: "{{ hedgedoc_container_ports | default(omit, true) }}"
labels: "{{ hedgedoc_container_all_labels }}"
volumes: "{{ hedgedoc_container_all_volumes }}"
etc_hosts: "{{ hedgedoc_container_etc_hosts | default(omit, true) }}"
dns_servers: >-2
{{ hedgedoc_container_dns_servers | default(omit, true) }}
network_mode: >-2
{{ hedgedoc_container_network_mode | default(omit, true) }}
restart_policy: >-2
{{ hedgedoc_container_restart_policy | default(omit, true) }}
state: "{{ hedgedoc_container_state }}"

View File

@@ -0,0 +1,21 @@
---
- name: Check preconditions
ansible.builtin.include_tasks:
file: "check.yml"
- name: Ensure user '{{ hedgedoc_user }}' is {{ hedgedoc_state }}
ansible.builtin.user:
name: "{{ hedgedoc_user }}"
state: "{{ hedgedoc_state }}"
system: "{{ hedgedoc_user_system | default(true, false) }}"
register: hedgedoc_user_info
- name: Ensure configuration file '{{ hedgedoc_config_file }}' is {{ hedgedoc_state }}
ansible.builtin.copy:
dest: "{{ hedgedoc_config_file }}"
content: "{{ hedgedoc_full_config | to_nice_json }}"
when: hedgedoc_state == 'present'
- name: Ensure hedgedoc is deployed using {{ hedgedoc_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ hedgedoc_deployment_method }}.yml"

View File

@@ -0,0 +1,11 @@
---
hedgedoc_states:
- present
- absent
hedgedoc_deployment_methods:
- docker
- podman
hedgedoc_required_arguments:
- hedgedoc_config_domain
- hedgedoc_config_session_secret

View File

@@ -1,7 +1,8 @@
--- ---
jellyfin_user: jellyfin jellyfin_user: jellyfin
jellyfin_version: 10.9.11 jellyfin_version: "10.11.0"
jellyfin_state: present
jellyfin_deployment_method: docker
jellyfin_base_path: /opt/jellyfin jellyfin_base_path: /opt/jellyfin
jellyfin_config_path: "{{ jellyfin_base_path }}/config" jellyfin_config_path: "{{ jellyfin_base_path }}/config"
@@ -12,7 +13,11 @@ jellyfin_media_volumes: []
jellyfin_container_name: jellyfin jellyfin_container_name: jellyfin
jellyfin_container_image_name: "docker.io/jellyfin/jellyfin" jellyfin_container_image_name: "docker.io/jellyfin/jellyfin"
jellyfin_container_image_tag: ~ jellyfin_container_image_tag: ~
jellyfin_container_image_ref: "{{ jellyfin_container_image_name }}:{{ jellyfin_container_image_tag | default(jellyfin_version, true) }}" jellyfin_container_image_ref: >-2
{{ jellyfin_container_image_name }}:{{ jellyfin_container_image_tag | default(jellyfin_version, true) }}
jellyfin_container_image_source: pull
jellyfin_container_state: >-2
{{ (jellyfin_state == 'present') | ternary('started', 'absent') }}
jellyfin_container_network_mode: host jellyfin_container_network_mode: host
jellyfin_container_networks: ~ jellyfin_container_networks: ~
jellyfin_container_volumes: "{{ jellyfin_container_base_volumes + jellyfin_media_volumes }}" jellyfin_container_volumes: "{{ jellyfin_container_base_volumes + jellyfin_media_volumes }}"

View File

@@ -0,0 +1,10 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: jellyfin
description: Ansible role to deploy jellyfin using docker
galaxy_tags:
- jellyfin
- streaming
- docker

View File

@@ -0,0 +1,25 @@
---
- name: Ensure container image '{{ jellyfin_container_image_ref }}' is {{ jellyfin_state }}
community.docker.docker_image:
name: "{{ jellyfin_container_image_ref }}"
state: "{{ jellyfin_state }}"
source: "{{ jellyfin_container_image_source }}"
force_source: "{{ jellyfin_container_image_tag | default(false, true) }}"
register: jellyfin_container_image_pull_result
until: jellyfin_container_image_pull_result is succeeded
retries: 5
delay: 3
- name: Ensure container '{{ jellyfin_container_name }}' is {{ jellyfin_container_state }}
community.docker.docker_container:
name: "{{ jellyfin_container_name }}"
image: "{{ jellyfin_container_image_ref }}"
user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
labels: "{{ jellyfin_container_labels }}"
volumes: "{{ jellyfin_container_volumes }}"
ports: "{{ jellyfin_container_ports | default(omit, true) }}"
networks: "{{ jellyfin_container_networks | default(omit, true) }}"
network_mode: "{{ jellyfin_container_network_mode }}"
etc_hosts: "{{ jellyfin_container_etc_hosts | default(omit, true) }}"
restart_policy: "{{ jellyfin_container_restart_policy }}"
state: "{{ jellyfin_container_state }}"

View File

@@ -0,0 +1,22 @@
---
- name: Ensure container image '{{ jellyfin_container_image_ref }}' is {{ jellyfin_state }}
containers.podman.podman_image:
name: "{{ jellyfin_container_image_ref }}"
state: "{{ jellyfin_state }}"
pull: "{{ (jellyfin_container_image_source == 'pull') | bool }}"
force: "{{ jellyfin_container_image_tag | default(false, true) }}"
register: jellyfin_container_image_pull_result
until: jellyfin_container_image_pull_result is succeeded
retries: 5
delay: 3
- name: Ensure container '{{ jellyfin_container_name }}' is {{ jellyfin_container_state }}
containers.podman.podman_container:
name: "{{ jellyfin_container_name }}"
image: "{{ jellyfin_container_image_ref }}"
user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
labels: "{{ jellyfin_container_labels }}"
volumes: "{{ jellyfin_container_volumes }}"
network: "{{ jellyfin_container_networks | default(omit, True) }}"
restart_policy: "{{ jellyfin_container_restart_policy }}"
state: "{{ jellyfin_container_state }}"

View File

@@ -1,40 +1,35 @@
--- ---
- name: Check if state is valid
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ jellyfin_state }}'. Supported
states are {{ jellyfin_states | join(', ') }}.
when: jellyfin_state not in jellyfin_states
- name: Ensure user '{{ jellyfin_user }}' for jellyfin is created - name: Check if deployment method is valid
user: ansible.builtin.fail:
msg: >-2
Unsupported state '{{ jellyfin_deployment_method }}'. Supported
states are {{ jellyfin_deployment_methods | join(', ') }}.
when: jellyfin_deployment_method not in jellyfin_deployment_methods
- name: Ensure jellyfin user '{{ jellyfin_user }}' is {{ jellyfin_state }}
ansible.builtin.user:
name: "{{ jellyfin_user }}" name: "{{ jellyfin_user }}"
state: present state: "{{ jellyfin_state }}"
system: yes system: "{{ jellyfin_user_system | default(true, true) }}"
register: jellyfin_user_info register: jellyfin_user_info
- name: Ensure host directories for jellyfin exist - name: Ensure host directories for jellyfin are {{ jellyfin_state }}
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: directory state: >-2
{{ (jellyfin_state == 'present') | ternary('directory', 'absent') }}
owner: "{{ item.owner | default(jellyfin_uid) }}" owner: "{{ item.owner | default(jellyfin_uid) }}"
group: "{{ item.group | default(jellyfin_gid) }}" group: "{{ item.group | default(jellyfin_gid) }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
loop: "{{ jellyfin_host_directories }}" loop: "{{ jellyfin_host_directories }}"
- name: Ensure container image for jellyfin is available - name: Ensure jellyfin is deployed using {{ jellyfin_deployment_method }}
docker_image: ansible.builtin.include_tasks:
name: "{{ jellyfin_container_image_ref }}" file: "deploy-{{ jellyfin_deployment_method }}.yml"
state: present
source: pull
force_source: "{{ jellyfin_container_image_tag | default(false, true) }}"
register: jellyfin_container_image_pull_result
until: jellyfin_container_image_pull_result is succeeded
retries: 5
delay: 3
- name: Ensure container '{{ jellyfin_container_name }}' is running
docker_container:
name: "{{ jellyfin_container_name }}"
image: "{{ jellyfin_container_image_ref }}"
user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
labels: "{{ jellyfin_container_labels }}"
volumes: "{{ jellyfin_container_volumes }}"
networks: "{{ jellyfin_container_networks | default(omit, True) }}"
network_mode: "{{ jellyfin_container_network_mode }}"
restart_policy: "{{ jellyfin_container_restart_policy }}"
state: started

View File

@@ -1,4 +1,10 @@
--- ---
jellyfin_states:
- present
- absent
jellyfin_deployment_methods:
- docker
- podman
jellyfin_container_base_volumes: jellyfin_container_base_volumes:
- "{{ jellyfin_config_path }}:/config:z" - "{{ jellyfin_config_path }}:/config:z"

16
roles/keycloak/README.md Normal file
View File

@@ -0,0 +1,16 @@
# `finallycoffee.services.keycloak` ansible role
Ansible role for deploying keycloak, currently only supports docker.
Migrated from `entropia.sso.keycloak`.
## Required variables
- `keycloak_database_password` - password for the database user
- `keycloak_config_hostname` - public domain of the keycloak server
## Database configuration
- `keycloak_database_hostname` - hostname of the database server, defaults to `localhost`
- `keycloak_database_username` - username to use when connecting to the database server, defaults to `keycloak`
- `keycloak_database_database` - name of the database to use, defaults to `keycloak`

View File

@@ -0,0 +1,51 @@
---
keycloak_version: "26.4.2"
keycloak_container_name: keycloak
keycloak_container_image_upstream_registry: quay.io
keycloak_container_image_upstream_namespace: keycloak
keycloak_container_image_upstream_name: keycloak
keycloak_container_image_upstream: >-2
{{
([
keycloak_container_image_upstream_registry | default([]),
keycloak_container_image_upstream_namespace | default([]),
keycloak_container_image_upstream_name,
] | flatten | join('/'))
}}
keycloak_container_image_name: "keycloak:{{ keycloak_version }}-custom"
keycloak_container_database_vendor: postgres
keycloak_base_path: /opt/keycloak
keycloak_container_build_directory: "{{ keycloak_base_path }}/build"
keycloak_container_build_jar_directory: providers
keycloak_container_build_flags: {}
keycloak_provider_jars_directory: "{{ keycloak_base_path }}/providers"
keycloak_build_provider_jars_directory: "{{ keycloak_container_build_directory }}/{{ keycloak_container_build_jar_directory }}"
keycloak_database_hostname: localhost
keycloak_database_port: 5432
keycloak_database_username: keycloak
keycloak_database_password: ~
keycloak_database_database: keycloak
keycloak_container_env: {}
keycloak_container_labels: ~
keycloak_container_volumes: ~
keycloak_container_restart_policy: unless-stopped
keycloak_container_command: >-2
start
--db-username {{ keycloak_database_username }}
--db-password {{ keycloak_database_password }}
--db-url jdbc:postgresql://{{ keycloak_database_hostname }}{{ keycloak_database_port | ternary(':' ~ keycloak_database_port, '') }}/{{ keycloak_database_database }}
{{ keycloak_container_extra_start_flags | default([]) | join(' ') }}
--proxy-headers=xforwarded
--hostname {{ keycloak_config_hostname }}
--optimized
keycloak_config_health_enabled: true
keycloak_config_metrics_enabled: true
keycloak_config_hostname: localhost
keycloak_config_admin_username: admin
keycloak_config_admin_password: ~

View File

@@ -0,0 +1,13 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: keycloak
description: Deploy keycloak, the opensource identity and access management solution
galaxy_tags:
- keycloak
- sso
- oidc
- oauth2
- iam
- docker

View File

@@ -0,0 +1,72 @@
---
- name: Ensure build directory exists
ansible.builtin.file:
name: "{{ keycloak_container_build_directory }}"
state: directory
recurse: yes
mode: 0700
tags:
- keycloak-build-container
- name: Ensure provider jars directory exists
ansible.builtin.file:
name: "{{ keycloak_provider_jars_directory }}"
state: directory
mode: 0775
tags:
- keycloak-build-container
- name: Ensure Dockerfile is templated
ansible.builtin.template:
src: Dockerfile.j2
dest: "{{ keycloak_container_build_directory }}/Dockerfile"
mode: 0700
register: keycloak_buildfile_info
tags:
- keycloak-container
- keycloak-build-container
- name: Ensure upstream Keycloak container image '{{ keycloak_container_image_upstream }}:{{ keycloak_version }}' is present
community.docker.docker_image:
name: "{{ keycloak_container_image_upstream }}:{{ keycloak_version }}"
source: pull
state: present
register: keycloak_container_image_upstream_status
tags:
- keycloak-container
- keycloak-build-container
- name: Ensure custom keycloak container image '{{ keycloak_container_image_name }}' is built
community.docker.docker_image:
name: "{{ keycloak_container_image_name }}"
build:
args:
DB_VENDOR: "{{ keycloak_container_database_vendor }}"
KC_ADMIN_PASSWORD: "{{ keycloak_config_admin_password }}"
dockerfile: "{{ keycloak_container_build_directory }}/Dockerfile"
path: "{{ keycloak_container_build_directory }}"
source: build
state: present
force_source: "{{ keycloak_buildfile_info.changed or keycloak_container_image_upstream_status.changed or (keycloak_force_rebuild_container | default(false))}}"
register: keycloak_container_image_status
tags:
- keycloak-container
- keycloak-build-container
- name: Ensure keycloak container is running
community.docker.docker_container:
name: "{{ keycloak_container_name }}"
image: "{{ keycloak_container_image_name }}"
env: "{{ keycloak_container_env | default(omit, true) }}"
ports: "{{ keycloak_container_ports | default(omit, true) }}"
hostname: "{{ keycloak_container_hostname | default(omit) }}"
labels: "{{ keycloak_container_labels | default(omit, true) }}"
volumes: "{{ keycloak_container_volumes | default(omit, true) }}"
restart_policy: "{{ keycloak_container_restart_policy }}"
recreate: "{{ keycloak_container_force_recreate | default(false) or (keycloak_container_image_status.changed if keycloak_container_image_status is defined else false) }}"
etc_hosts: "{{ keycloak_container_etc_hosts | default(omit) }}"
state: started
command: "{{ keycloak_container_command }}"
tags:
- keycloak-container

View File

@@ -0,0 +1,43 @@
FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }} as builder
# Enable health and metrics support
ENV KC_HEALTH_ENABLED={{ keycloak_config_health_enabled | ternary('true', 'false') }}
ENV KC_METRICS_ENABLED={{ keycloak_config_metrics_enabled | ternary('true', 'false') }}
# Configure a database vendor
ARG DB_VENDOR
ENV KC_DB=$DB_VENDOR
WORKDIR {{ keycloak_container_working_directory }}
{% if keycloak_container_image_add_local_providers | default(true) %}
ADD ./providers/* providers/
{% endif %}
# Workaround to set correct mode on jar files
USER root
RUN chmod -R 0770 providers/*
USER keycloak
RUN {{ keycloak_container_working_directory }}/bin/kc.sh --verbose \
{% for argument in keycloak_container_build_flags | dict2items(key_name='flag', value_name='value') %}
--{{- argument['flag'] -}}{{- argument['value'] | default(false, true) | ternary('=' + argument['value'], '') }} \
{% endfor%}
build{% if keycloak_container_build_features | default([]) | length > 0 %} \
{% endif %}
{% if keycloak_container_build_features | default([]) | length > 0 %}
--features="{{ keycloak_container_build_features | join(',') }}"
{% endif %}
FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }}
COPY --from=builder {{ keycloak_container_working_directory }}/ {{ keycloak_container_working_directory }}/
ENV KC_HOSTNAME={{ keycloak_config_hostname }}
ENV KEYCLOAK_ADMIN={{ keycloak_config_admin_username }}
ARG KC_ADMIN_PASSWORD
{% if keycloak_version | split('.') | first | int > 21 %}
ENV KEYCLOAK_ADMIN_PASSWORD=$KC_ADMIN_PASSWORD
{% else %}
ENV KEYCLOAK_PASSWORD=$KC_ADMIN_PASSWORD
{% endif %}
ENTRYPOINT ["{{ keycloak_container_working_directory }}/bin/kc.sh"]

View File

@@ -0,0 +1,3 @@
---
keycloak_container_working_directory: /opt/keycloak

View File

@@ -2,9 +2,9 @@
openproject_base_path: "/opt/openproject" openproject_base_path: "/opt/openproject"
openproject_upstream_git_url: "https://github.com/opf/openproject-deploy.git" openproject_upstream_git_url: "https://github.com/opf/openproject-deploy.git"
openproject_upstream_git_branch: "stable/13" openproject_upstream_git_branch: "stable/14"
openproject_compose_project_path: "{{ openproject_base_path }}/compose" openproject_compose_project_path: "{{ openproject_base_path }}"
openproject_compose_project_name: "openproject" openproject_compose_project_name: "openproject"
openproject_compose_project_env_file: "{{ openproject_compose_project_path }}/.env" openproject_compose_project_env_file: "{{ openproject_compose_project_path }}/.env"
openproject_compose_project_override_file: "{{ openproject_compose_project_path }}/docker-compose.override.yml" openproject_compose_project_override_file: "{{ openproject_compose_project_path }}/docker-compose.override.yml"

View File

@@ -26,14 +26,13 @@
content: "{{ openproject_compose_overrides | default({}) | to_nice_yaml }}" content: "{{ openproject_compose_overrides | default({}) | to_nice_yaml }}"
- name: Ensure containers are pulled - name: Ensure containers are pulled
community.docker.docker_compose: community.docker.docker_compose_v2:
project_src: "{{ openproject_compose_project_path }}" project_src: "{{ openproject_compose_project_path }}"
project_name: "{{ openproject_compose_project_name }}" project_name: "{{ openproject_compose_project_name }}"
pull: true pull: "missing"
- name: Ensure services are running - name: Ensure services are running
community.docker.docker_compose: community.docker.docker_compose_v2:
project_src: "{{ openproject_compose_project_path }}" project_src: "{{ openproject_compose_project_path }}"
project_name: "{{ openproject_compose_project_name }}" project_name: "{{ openproject_compose_project_name }}"
state: "present" state: "present"
build: false

View File

@@ -0,0 +1,3 @@
# `finallycoffee.services.phpldapadmin`
Role to deploy and configure [phpldapadmin](https://github.com/leenooks/phpLDAPadmin).

View File

@@ -0,0 +1,39 @@
---
phpldapadmin_container_name: phpldapadmin
phpldapadmin_container_image_registry: docker.io
phpldapadmin_container_image_namespace: phpldapadmin
phpldapadmin_container_image_name: phpldapadmin
phpldapadmin_container_image_repository: >-2
{{
[
phpldapadmin_container_image_registry | default([], true),
phpldapadmin_container_image_namespace | default([], true),
phpldapadmin_container_image_name
] | flatten | join('/')
}}
phpldapadmin_container_image: >-2
{{
[
phpldapadmin_container_image_repository,
phpldapadmin_container_image_tag | default(phpldapadmin_version, true)
] | join(':')
}}
phpldapadmin_container_image_tag: ~
phpldapadmin_container_image_source: pull
phpldapadmin_container_image_force_source: >-2
{{ phpldapadmin_container_image_tag | default(false, true) }}
phpldapadmin_container_env: ~
phpldapadmin_container_user: ~
phpldapadmin_container_ports: ~
phpldapadmin_container_labels: ~
phpldapadmin_container_volumes: ~
phpldapadmin_container_networks: ~
phpldapadmin_container_network_mode: ~
phpldapadmin_container_dns_servers: ~
phpldapadmin_container_etc_hosts: ~
phpldapadmin_container_memory: ~
phpldapadmin_container_memory_swap: ~
phpldapadmin_container_memory_reservation: ~
phpldapadmin_container_restart_policy: "on-failure"
phpldapadmin_container_state: >-2
{{ (phpldapadmin_state == 'present') | ternary('started', 'absent') }}

View File

@@ -0,0 +1,5 @@
---
phpldapadmin_version: "2.3.4"
phpldapadmin_state: present
phpldapadmin_deployment_method: docker

View File

@@ -0,0 +1,27 @@
---
- name: Ensure phpldapadmin container image '{{ phpldapadmin_container_image }}' is {{ phpldapadmin_state }}
community.docker.docker_image:
name: "{{ phpldapadmin_container_image }}"
state: "{{ phpldapadmin_state }}"
source: "{{ phpldapadmin_container_image_source }}"
force_source: "{{ phpldapadmin_container_image_force_source }}"
- name: Ensure phpldapadmin container '{{ phpldapadmin_container_name }}' is {{ phpldapadmin_container_state }}
community.docker.docker_container:
name: "{{ phpldapadmin_container_name }}"
image: "{{ phpldapadmin_container_image }}"
env: "{{ phpldapadmin_container_env | default(omit, true) }}"
user: "{{ phpldapadmin_container_user | default(omit, true) }}"
ports: "{{ phpldapadmin_container_ports | default(omit, true) }}"
labels: "{{ phpldapadmin_container_labels | default(omit, true) }}"
volumes: "{{ phpldapadmin_container_volumes | default(omit, true) }}"
networks: "{{ phpldapadmin_container_networks | default(omit, true) }}"
network_mode: "{{ phpldapadmin_container_network_mode | default(omit, true) }}"
dns_servers: "{{ phpldapadmin_container_dns_servers | default(omit, true) }}"
etc_hosts: "{{ phpldapadmin_container_etc_hosts | default(omit, true) }}"
memory: "{{ phpldapadmin_container_memory | default(omit, true) }}"
memory_swap: "{{ phpldapadmin_container_memory_swap | default(omit, true) }}"
memory_reservation: >-2
{{ phpldapadmin_container_memory_reservation | default(omit, true) }}
restart_policy: "{{ phpldapadmin_container_restart_policy | default(omit, true) }}"
state: "{{ phpldapadmin_container_state }}"

View File

@@ -0,0 +1,18 @@
---
- name: Ensure 'phpldapadmin_state' is valid
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ phpldapadmin_state }}'!
Supported states are {{ phpldapadmin_states | join(', ') }}
when: phpldapadmin_state not in phpldapadmin_states
- name: Ensure 'phpldapadmin_deployment_method' is valid
ansible.builtin.fail:
msg: >-2
Unsupported deployment method '{{ phpldapadmin_deployment_method }}'!
Supported deployment methods are {{ phpldapadmin_deployment_methods | join(', ') }}
when: phpldapadmin_deployment_method not in phpldapadmin_deployment_methods
- name: Deploy using {{ phpldapadmin_deployment_method }}
ansible.builtin.import_tasks:
file: "deploy-{{ phpldapadmin_deployment_method }}.yml"

View File

@@ -0,0 +1,6 @@
---
phpldapadmin_states:
- "present"
- "absent"
phpldapadmin_deployment_methods:
- "docker"

54
roles/pretix/README.md Normal file
View File

@@ -0,0 +1,54 @@
# `finallycoffee.services.pretix` ansible role
Deploy [pretix](https://pretix.eu) using ansible. Note that this
role does not configure pretix beyond its own configuration file,
and requires changing a default admin password after a successful
installation.
## Configuration
For all available configuration options, see [`defaults/main/config.yml`](defaults/main/config.yml)
and other supporting files in the [`defaults/main/`](defaults/main/) folder.
To add custom configuration to pretix, populate them in `pretix_config`,
where they will be (recusively) merged into the default configuration.
### Required
- `pretix_domain`: domain of the pretix instance
- `pretix_postgresql_password`: password for the (default: postgresql) database
- `pretix_config_redis_location`: connection string for the main pretix redis database
- `pretix_config_celery_backend`: connection string for the celery backend, can be a (different!) redis database
- `pretix_config_celery_broker`: connection string for the celery broker, can be a (yet another different) redis database
For examples on how a redis server (like valkey) can be configured
for redis, see [`playbooks/pretix.yml`](../../playbooks/pretix.yml).
### Mailing
Set up mails in pretix by populating the following variables:
- `pretix_config_mail_host`: domain/IP and optional port of the SMTP server
- `pretix_config_mail_user`: SMTP user to authenticate
- `pretix_config_mail_password`: password for the SMTP user
### Plugins
To install more plugins, list the wanted `pypi` packages as a list in
`pretix_plugins`. They will be installed in the created virtualenv, and migrations and an asset rebuild will be automatically started.
If your plugin requires custom configuration (f.ex.: `pretix-oidc`),
add the configuration into `pretix_config`.
## Troubleshooting
### virtualenv
By default, the virtualenv is located in `/var/lib/pretix/virtualenv`.
This can be controlled by setting `pretix_virtualenv_dir`.
NOTE: To fix a broken virtualenv, try setting `pretix_virtualenv_state` to `forcereinstall` (see
[`ansible.builtin.pip` on docs.ansible.com](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/pip_module.html)).
NOTE: To install pip packages or execute migrations in the virtualenv, ansible
needs to become the unprivilated `pretix_user` (default: `pretix`). This might
require having the `acl` system package installed.

View File

@@ -0,0 +1,86 @@
---
pretix_config_instance_name: "My pretix installation"
pretix_config_url: "https://pretix.example.org"
pretix_config_currency: "EUR"
pretix_config_data_dir: "{{ pretix_data_dir }}"
pretix_config_trust_x_forwarded_for: "on"
pretix_config_trust_x_forwarded_proto: "on"
pretix_config_wsgi_name: "pretix"
pretix_config_wsgi_workers: 4
pretix_config_wsgi_max_requests: 100
pretix_config_wsgi_log_level: "info"
pretix_config_wsgi_bind_addr: "127.0.0.1:8345"
pretix_config_worker_log_level: "{{ pretix_config_wsgi_log_level }}"
pretix_config_database_backend: postgresql
pretix_config_database_name: pretix
pretix_config_database_user: pretix
pretix_config_database_password: ~
pretix_config_database_host: ""
pretix_config_mail_host: ~
pretix_config_mail_from: "tickets@example.org"
pretix_config_mail_user: ~
pretix_config_mail_password: ~
pretix_config_mail_tls: true
pretix_config_mail_ssl: false
pretix_config_redis_location: ~
pretix_config_redis_sessions: true
pretix_config_celery_backend: ~
pretix_config_celery_broker: ~
pretix_app_config:
url: "{{ pretix_config_url }}"
instance_name: "{{ pretix_config_instance_name }}"
datadir: "{{ pretix_config_data_dir }}"
trust_x_forwarded_for: "{{ pretix_config_trust_x_forwarded_for }}"
trust_x_forwarded_proto: "{{ pretix_config_trust_x_forwarded_proto }}"
currency: "{{ pretix_config_currency }}"
pretix_database_config:
backend: "{{ pretix_config_database_backend }}"
name: "{{ pretix_config_database_name }}"
user: "{{ pretix_config_database_user }}"
password: "{{ pretix_config_database_password }}"
host: "{{ pretix_config_database_host }}"
pretix_mail_minimal_config:
host: "{{ pretix_config_mail_host }}"
from: "{{ pretix_config_mail_from }}"
pretix_mail_config: >-2
{{ pretix_mail_minimal_config
| combine({'user': pretix_config_mail_user} if pretix_config_mail_user else {})
| combine({'password': pretix_config_mail_password} if pretix_config_mail_password else {})
| combine({'ssl': pretix_config_mail_ssl | bool | ternary('on', 'off')} if pretix_config_mail_ssl else {})
| combine({'tls': pretix_config_mail_tls | bool | ternary('on', 'off')} if pretix_config_mail_tls else {})
}}
pretix_redis_config:
location: "{{ pretix_config_redis_location }}"
sessions: "{{ pretix_config_redis_sessions | bool | ternary('true', 'false') }}"
pretix_celery_config:
backend: "{{ pretix_config_celery_backend }}"
broker: "{{ pretix_config_celery_broker }}"
pretix_config: {}
pretix_default_config:
pretix: "{{ pretix_app_config }}"
database: "{{ pretix_database_config }}"
mail: "{{ pretix_mail_config }}"
redis: "{{ pretix_redis_config }}"
celery: "{{ pretix_celery_config }}"
pretix_config_merged: >-2
{{ pretix_default_config | combine(pretix_config | default({}), recursive=True) }}
pretix_config_file_content: |+2
{% for kv in (pretix_config_merged | dict2items) %}
[{{ kv.key }}]
{% for entry in ((kv.value | default({}, true)) | dict2items) %}
{{ entry.key }}={{ entry.value }}
{% endfor %}
{% endfor %}

View File

@@ -0,0 +1,16 @@
---
pretix_version: "2025.8.0"
pretix_state: "present"
pretix_deployment_method: "systemd"
pretix_config_file: "/etc/pretix/pretix.cfg"
pretix_config_file_owner: "{{ pretix_user_id }}"
pretix_config_file_group: "{{ pretix_group_id }}"
pretix_config_file_mode: "0640"
pretix_config_dir: "{{ pretix_config_file | dirname }}"
pretix_install_dir: "/var/lib/pretix"
pretix_virtualenv_dir: "{{ pretix_install_dir }}/virtualenv"
pretix_data_dir: "{{ pretix_install_dir }}/data"
pretix_media_dir: "{{ pretix_data_dir }}/media"
pretix_plugins: []

View File

@@ -0,0 +1,22 @@
---
pretix_debian_packages:
- "git"
- "build-essential"
- "python3-dev"
- "python3-venv"
- "python3"
- "python3-pip"
- "libxml2-dev"
- "libxslt1-dev"
- "libffi-dev"
- "zlib1g-dev"
- "libssl-dev"
- "gettext"
- "libpq-dev"
- "libjpeg-dev"
- "libopenjp2-7-dev"
- "nodejs"
pretix_packages:
"debian":
"12": "{{ pretix_debian_packages }}"

View File

@@ -0,0 +1,50 @@
---
pretix_systemd_unit_description: "pretix web service"
pretix_systemd_unit_after: "network.target"
pretix_systemd_unit_file_path: >-2
/etc/systemd/system/{{ pretix_systemd_service_name }}
pretix_systemd_service_name: "pretix.service"
pretix_systemd_service_user: "{{ pretix_user }}"
pretix_systemd_service_group: "{{ pretix_user }}"
pretix_systemd_service_environment:
VIRTUAL_ENV: "{{ pretix_virtualenv_dir }}"
PATH: "{{ pretix_virtualenv_dir }}/bin:/usr/local/bin:/usr/bin:/bin"
pretix_systemd_service_working_directory: "{{ pretix_install_dir }}"
pretix_systemd_service_exec_start: >-2
{{ pretix_virtualenv_dir }}/bin/gunicorn pretix.wsgi
--name {{ pretix_config_wsgi_name }}
--workers {{ pretix_config_wsgi_workers }}
--max-requests {{ pretix_config_wsgi_max_requests }}
--log-level={{ pretix_config_wsgi_log_level }}
--bind={{ pretix_config_wsgi_bind_addr }}
pretix_systemd_service_restart: "on-failure"
pretix_systemd_install_wanted_by: "multi-user.target"
# pretix worker
pretix_worker_systemd_service_name: "pretix-worker.service"
pretix_worker_systemd_service_description: "pretix worker service"
pretix_worker_systemd_unit_file_path: >-2
/etc/systemd/system/{{ pretix_worker_systemd_service_name }}
pretix_worker_systemd_service_exec_start: >-2
{{ pretix_virtualenv_dir }}/bin/celery
-A pretix.celery_app worker
-l {{ pretix_config_worker_log_level }}
# pretix cron
pretix_cron_systemd_service_name: "pretix-cron.service"
pretix_cron_systemd_service_description: "pretix cron service"
pretix_cron_systemd_unit_file_path: >-2
/etc/systemd/system/{{ pretix_cron_systemd_service_name }}
pretix_cron_systemd_service_exec_start: >-2
python3 -m pretix runperiodic
pretix_cron_systemd_timer_name: "pretix-cron.timer"
pretix_cron_systemd_timer_description: "pretix cron timer"
pretix_cron_systemd_timer_file_path: >-2
/etc/systemd/system/{{ pretix_cron_systemd_timer_name }}
pretix_cron_systemd_timer_on_active_sec: 1800
pretix_cron_systemd_timer_on_startup_sec: >-2
{{ pretix_cron_systemd_timer_on_active_sec }}
pretix_cron_systemd_timer_accuracy_sec: 60

View File

@@ -0,0 +1,7 @@
---
pretix_user: "pretix"
pretix_user_system: true
pretix_user_create_home: false
pretix_user_id: "{{ pretix_user_info.uid | default(pretix_user) }}"
pretix_group_id: "{{ pretix_user_info.group | default(pretix_user) }}"

View File

@@ -0,0 +1,11 @@
---
pretix_virtualenv_state: "{{ pretix_state }}"
pretix_virtualenv_packages:
- "pip"
- "setuptools"
- "wheel"
- "gunicorn"
- "pretix=={{ pretix_version }}"
pretix_virtualenv_site_packages: false
pretix_virtualenv_command: "python3 -m venv"

View File

@@ -0,0 +1,6 @@
---
- name: Ensure pretix systemd service is restarted
listen: pretix_restart
ansible.builtin.systemd_service:
name: "{{ pretix_systemd_service_name }}"
state: "restarted"

View File

@@ -0,0 +1,9 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: pretix
description: Ansible role to deploy pretix (https://pretix.eu)
galaxy_tags:
- pretix
- ticketing

View File

@@ -0,0 +1,14 @@
---
- name: Ensure 'pretix_state' is valid
ansible.builtin.fail:
msg: >-2
Unsupported pretix_state '{{ pretix_state }}'.
Supported states are {{ pretix_states | join(', ') }}
when: pretix_state not in pretix_states
- name: Ensure 'pretix_deployment_method' is valid
ansible.builtin.fail:
msg: >-2
Unsupported pretix_state '{{ pretix_deployment_method }}'.
Supported states are {{ pretix_deployment_methods | join(', ') }}
when: pretix_deployment_method not in pretix_deployment_methods

View File

@@ -0,0 +1,10 @@
---
- name: Ensure configuration file is written
ansible.builtin.copy:
dest: "{{ pretix_config_file }}"
content: "{{ pretix_config_file_content }}"
owner: "{{ pretix_config_file_owner }}"
group: "{{ pretix_config_file_group }}"
mode: "{{ pretix_config_file_mode }}"
when: pretix_state == 'present'
register: pretix_config_file_info

View File

@@ -0,0 +1,64 @@
---
- name: Ensure virtualenv in {{ pretix_virtualenv_dir }} is present
ansible.builtin.pip:
name: "{{ pretix_virtualenv_packages + pretix_plugins }}"
state: "{{ pretix_virtualenv_state }}"
chdir: "{{ pretix_install_dir }}"
virtualenv: "{{ pretix_virtualenv_dir }}"
virtualenv_command: "{{ pretix_virtualenv_command | default(omit, true) }}"
virtualenv_site_packages: "{{ pretix_virtualenv_site_packages }}"
become: true
become_user: "{{ pretix_user }}"
register: pretix_virtualenv_info
# TODO: determine to only do this on a) upgrades or b) initial deployis
- name: Ensure pretix database migrations are run
ansible.builtin.command:
cmd: "{{ pretix_virtualenv_dir }}/bin/python -m pretix migrate"
chdir: "{{ pretix_install_dir }}"
environment:
VIRTUAL_ENV: "{{ pretix_virtualenv_dir }}"
become: true
become_user: "{{ pretix_user }}"
notify: pretix_restart
when:
- pretix_state == 'present'
- pretix_virtualenv_info.changed or pretix_config_file_info.changed
# TODO: determine to only do this on a) upgrades or b) initial deployis
- name: Ensure pretix static assets are built
ansible.builtin.command:
cmd: "{{ pretix_virtualenv_dir }}/bin/python -m pretix rebuild"
chdir: "{{ pretix_install_dir }}"
environment:
VIRTUAL_ENV: "{{ pretix_virtualenv_dir }}"
become: true
become_user: "{{ pretix_user }}"
notify: pretix_restart
when:
- pretix_state == 'present'
- pretix_virtualenv_info.changed or pretix_config_file_info.changed
- name: Ensure pretix systemd service is enabled
ansible.builtin.systemd_service:
name: "{{ _service }}"
enabled: true
when: pretix_state == 'present'
loop:
- "{{ pretix_systemd_service_name }}"
- "{{ pretix_worker_systemd_service_name }}"
- "{{ pretix_cron_systemd_service_name }}"
- "{{ pretix_cron_systemd_timer_name }}"
loop_control:
loop_var: _service
- name: Ensure pretix systemd service is {{ pretix_state }}
ansible.builtin.systemd_service:
name: "{{ _service }}"
state: "{{ (pretix_state == 'present') | ternary('started', 'stopped') }}"
loop:
- "{{ pretix_systemd_service_name }}"
- "{{ pretix_worker_systemd_service_name }}"
- "{{ pretix_cron_systemd_timer_name }}"
loop_control:
loop_var: _service

View File

@@ -0,0 +1,5 @@
---
- name: Ensure pretix is deployed using {{ pretix_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ pretix_deployment_method }}.yml"
when: pretix_state == 'present'

View File

@@ -0,0 +1,16 @@
---
- name: Ensure preconditions are met
ansible.builtin.include_tasks:
file: "check.yml"
- name: Ensure deployment preparations are done
ansible.builtin.include_tasks:
file: "prepare.yml"
- name: Ensure pretix is configured
ansible.builtin.include_tasks:
file: "configure.yml"
- name: Ensure pretix is deployed
ansible.builtin.include_tasks:
file: "deploy.yml"

View File

@@ -0,0 +1,61 @@
---
- name: Ensure ansible facts are collected
ansible.builtin.setup:
gather_subset:
- "!all"
- "pkg_mgr"
- "distribution"
- "distribution_release"
- "distribution_version"
- "distribution_major_version"
- name: Ensure system packages are present (apt)
ansible.builtin.apt:
name: "{{ package }}"
state: "{{ pretix_state }}"
loop: "{{ pretix_packages[ansible_distribution | lower][ansible_distribution_major_version] }}"
loop_control:
loop_var: "package"
when: ansible_facts['pkg_mgr'] == 'apt'
# TODO: add pretix worker and cron
- name: Ensure systemd unit {{ pretix_systemd_unit_name }} is {{ pretix_state }}
ansible.builtin.template:
src: "pretix.service.j2"
dest: "{{ pretix_systemd_unit_file_path }}"
register: pretix_systemd_unit_info
notify:
- pretix_restart
- name: Ensure systemd unit {{ pretix_worker_systemd_unit_name }} is {{ pretix_state }}
ansible.builtin.template:
src: "pretix.service.j2"
dest: "{{ pretix_worker_systemd_unit_file_path }}"
register: pretix_worker_systemd_unit_info
vars:
pretix_systemd_service_exec_start: "{{ pretix_worker_systemd_service_exec_start }}"
pretix_systemd_service_description: "{{ pretix_worker_systemd_service_description }}"
- name: Ensure systemd unit {{ pretix_cron_systemd_service_name }} is {{ pretix_state }}
ansible.builtin.template:
src: "pretix.service.j2"
dest: "{{ pretix_cron_systemd_unit_file_path }}"
register: pretix_cron_systemd_unit_info
vars:
pretix_systemd_service_exec_start: "{{ pretix_cron_systemd_service_exec_start }}"
pretix_systemd_service_description: "{{ pretix_cron_systemd_service_description }}"
- name: Ensure systemd timer unit {{ pretix_cron_systemd_timer_name }} is {{ pretix_state }}
ansible.builtin.template:
src: "pretix-cron.timer.j2"
dest: "{{ pretix_cron_systemd_timer_file_path }}"
register: pretix_cron_systemd_timer_info
- name: Ensure systemd is reloaded
ansible.builtin.systemd_service:
daemon_reload: true
when: >-2
pretix_systemd_unit_info.changed
or pretix_worker_systemd_unit_info.changed
or pretix_cron_systemd_unit_info.changed
or pretix_cron_systemd_timer_info.changed

View File

@@ -0,0 +1,29 @@
---
- name: Ensure pretix user '{{ pretix_user }}' is {{ pretix_state }}
ansible.builtin.user:
name: "{{ pretix_user }}"
state: "{{ pretix_state }}"
system: "{{ pretix_user_system }}"
create_home: "{{ pretix_user_create_home }}"
register: pretix_user_info
- name: Ensure host directories are {{ pretix_state }}
ansible.builtin.file:
path: "{{ item.path }}"
owner: "{{ item.owner | default(pretix_user_id) }}"
group: "{{ item.group | default(pretix_group_id) }}"
mode: "{{ item.mode | default('0750') }}"
state: "directory"
loop:
- path: "{{ pretix_config_dir }}"
- path: "{{ pretix_virtualenv_dir }}"
- path: "{{ pretix_data_dir }}"
- path: "{{ pretix_media_dir }}"
when: pretix_state == 'present'
- name: Ensure deployment-type specific preparations for '{{ pretix_deployment_method }}' are run
ansible.builtin.include_tasks:
file: "prepare-{{ pretix_deployment_method }}.yml"
when:
- pretix_state == 'present'
- pretix_deployment_method in ['systemd']

View File

@@ -0,0 +1,10 @@
[Unit]
Description={{ pretix_cron_systemd_timer_description }}
[Timer]
OnActiveSec={{ pretix_cron_systemd_timer_on_active_sec }}
OnStartupSec={{ pretix_cron_systemd_timer_on_startup_sec }}
AccuracySec={{ pretix_cron_systemd_timer_accuracy_sec }}
[Install]
WantedBy=timers.target

View File

@@ -0,0 +1,16 @@
[Unit]
Description={{ pretix_systemd_unit_description }}
After={{ pretix_systemd_unit_after }}
[Service]
User={{ pretix_systemd_service_user }}
Group={{ pretix_systemd_service_group }}
{% for kv in pretix_systemd_service_environment | dict2items %}
Environment="{{ kv.key }}={{ kv.value }}"
{% endfor %}
WorkingDirectory={{ pretix_systemd_service_working_directory }}
ExecStart={{ pretix_systemd_service_exec_start }}
Restart={{ pretix_systemd_service_restart }}
[Install]
WantedBy={{ pretix_systemd_install_wanted_by }}

View File

@@ -0,0 +1,7 @@
---
pretix_states:
- "present"
- "absent"
pretix_deployment_methods:
- "systemd"

46
roles/snipe_it/README.md Normal file
View File

@@ -0,0 +1,46 @@
# `finallycoffee.services.snipe_it` ansible role
[Snipe-IT](https://snipeitapp.com/) is an open-source asset management with
a powerful JSON-REST API. This ansible role deploys and configures Snipe-IT.
## Requirements
Snipe-IT requires a MySQL-Database like MariaDB and a working email service
for sending email. For installing and configuring MariaDB, see
[`finallycoffee.base.mariadb`](https://galaxy.ansible.com/ui/repo/published/finallycoffee/base/content/role/mariadb/).
## Configuration
Required variables to set are:
- `snipe_it_domain` - domain name of the snipe-it instance
- `snipe_it_config_app_url` - URL where snipe-it will be reachable including protocol and port
- `snipe_it_config_app_key` - Laravel application key
### Database configuration
All (database) options from the upstream laravel `.env` file are available
under the `snipe_it_config_db_*` prefix. Configure a database as follows:
```
snipe_it_config_db_host: localhost # defaults to localhost
snipe_it_config_db_port: "3306" # defaults to 3306
snipe_it_config_db_database: my_snipe_db_name # defaults to 'snipeit'
snipe_it_config_db_username: my_snipe_db_user # defaults to 'snipeit'
snipe_it_config_db_password: my_snipe_db_password
# Set this if the database is shared with
# other applications. defaults to not set
snipe_it_config_db_prefix: snipe_
```
### Email configuration
Configuring an email server is mandatory. An example is provided below:
```yaml
snipe_it_config_mail_host: smtp.example.com
snipe_it_config_mail_username: snipe_user@snipe.example.com
snipe_it_config_mail_password: i_want_to_be_strong_and_long
snipe_it_config_mail_from_addr: "noreply@snipe.example.com"
snipe_it_config_mail_from_name: "Example.com SnipeIT instance"
```
The default smtp port is `587` and can be set in `snipe_it_config_mail_port`.

View File

@@ -0,0 +1,131 @@
---
snipe_it_config_app_version: "v{{ snipe_it_version }}"
snipe_it_config_app_port: 8000
snipe_it_config_app_env: "production"
snipe_it_config_app_debug: false
snipe_it_config_app_key: ~
snipe_it_config_app_url: "http://localhost:{{ snipe_it_config_app_port }}"
snipe_it_config_app_timezone: UTC
snipe_it_config_app_locale: en-US
snipe_it_config_app_locked: false
snipe_it_config_app_cipher: "AES-256-GCM"
snipe_it_config_app_force_tls: false
snipe_it_config_app_trusted_proxies:
- '192.168.0.0/16'
- '172.16.0.0/12'
- '10.0.0.0/8'
snipe_it_config_db_connection: mysql
snipe_it_config_db_host: localhost
snipe_it_config_db_port: "3306"
snipe_it_config_db_database: snipeit
snipe_it_config_db_username: snipeit
snipe_it_config_db_password: ~
snipe_it_config_db_prefix: ~
snipe_it_config_db_dump_path: /usr/bin/
snipe_it_config_db_charset: utf8mb4
snipe_it_config_db_collation: utf8mb4_unicode_ci
snipe_it_config_db_ssl: false
snipe_it_config_db_ssl_is_paas: false
snipe_it_config_db_ssl_key_path: ~
snipe_it_config_db_ssl_cert_path: ~
snipe_it_config_db_ssl_ca_path: ~
snipe_it_config_db_ssl_cipher: ~
snipe_it_config_db_ssl_verify_server: ~
snipe_it_config_mail_mailer: smtp
snipe_it_config_mail_host: ~
snipe_it_config_mail_port: 587
snipe_it_config_mail_username: ~
snipe_it_config_mail_password: ~
snipe_it_config_mail_tls_verify_peer: true
snipe_it_config_mail_from_addr: ~
snipe_it_config_mail_from_name: ~
snipe_it_config_mail_replyto_addr: "{{ snipe_it_config_mail_from_addr }}"
snipe_it_config_mail_replyto_name: "{{ snipe_it_config_mail_from_name }}"
snipe_it_config_mail_auto_embed_method: attachment
snipe_it_config_mail_backup_notification_driver: ~
snipe_it_config_mail_backup_notification_address: ~
snipe_it_config_private_filesystem_disk: "local"
snipe_it_config_public_filesystem_disk: "local_public"
snipe_it_config_allow_backup_delete: false
snipe_it_config_allow_data_purge: false
snipe_it_config_image_lib: 'gd'
snipe_it_config_log_channel: 'stderr'
snipe_it_config_log_max_days: 10
snipe_it_config_cookie_name: "_snipe_session"
snipe_it_config_cookie_domain: "{{ snipe_it_domain }}"
snipe_it_config_secure_cookies: true
snipe_it_config_session_driver: file
snipe_it_config_session_lifetime: 12000
snipe_it_config_cache_driver: file
snipe_it_config_cache_prefix: snipeit
snipe_it_config_queue_driver: file
snipe_it_base_config:
APP_VERSION: "{{ snipe_it_config_app_version }}"
APP_PORT: "{{ snipe_it_config_app_port }}"
APP_ENV: "{{ snipe_it_config_app_env }}"
APP_DEBUG: "{{ snipe_it_config_app_debug }}"
APP_KEY: "{{ snipe_it_config_app_key }}"
APP_URL: "{{ snipe_it_config_app_url }}"
APP_TIMEZONE: "{{ snipe_it_config_app_timezone }}"
APP_LOCALE: "{{ snipe_it_config_app_locale }}"
APP_LOCKED: "{{ snipe_it_config_app_locked }}"
APP_CIPHER: "{{ snipe_it_config_app_cipher }}"
APP_FORCE_TLS: "{{ snipe_it_config_app_force_tls }}"
APP_TRUSTED_PROXIES: "{{ snipe_it_config_app_trusted_proxies | join(',') }}"
DB_CONNECTION: "{{ snipe_it_config_db_connection }}"
DB_HOST: "{{ snipe_it_config_db_host }}"
DB_PORT: "{{ snipe_it_config_db_port }}"
DB_DATABASE: "{{ snipe_it_config_db_database }}"
DB_USERNAME: "{{ snipe_it_config_db_username }}"
DB_PASSWORD: "{{ snipe_it_config_db_password }}"
DB_PREFIX: "{{ snipe_it_config_db_prefix | default('null', true) }}"
DB_DUMP_PATH: "{{ snipe_it_config_db_dump_path }}"
DB_CHARSET: "{{ snipe_it_config_db_charset }}"
DB_COLLATION: "{{ snipe_it_config_db_collation }}"
DB_SSL: "{{ snipe_it_config_db_ssl }}"
DB_SSL_IS_PAAS: "{{ snipe_it_config_db_ssl_is_paas }}"
DB_SSL_KEY_PATH: "{{ snipe_it_config_db_ssl_key_path | default('null', true) }}"
DB_SSL_CERT_PATH: "{{ snipe_it_config_db_ssl_cert_path | default('null', true) }}"
DB_SSL_CA_PATH: "{{ snipe_it_config_db_ssl_ca_path | default('null', true) }}"
DB_SSL_CIPHER: "{{ snipe_it_config_db_ssl_cipher | default('null', true) }}"
DB_SSL_VERIFY_SERVER: "{{ snipe_it_config_db_ssl_verify_server | default('null', true) }}"
MAIL_MAILER: "{{ snipe_it_config_mail_mailer }}"
MAIL_HOST: "{{ snipe_it_config_mail_host }}"
MAIL_PORT: "{{ snipe_it_config_mail_port }}"
MAIL_USERNAME: "{{ snipe_it_config_mail_username }}"
MAIL_PASSWORD: "{{ snipe_it_config_mail_password }}"
MAIL_TLS_VERIFY_PEER: "{{ snipe_it_config_mail_tls_verify_peer }}"
MAIL_FROM_ADDR: "{{ snipe_it_config_mail_from_addr | default('null', true) }}"
MAIL_FROM_NAME: "{{ snipe_it_config_mail_from_name | default('null', true) }}"
MAIL_REPLYTO_ADDR: "{{ snipe_it_config_mail_replyto_addr | default('null', true) }}"
MAIL_REPLYTO_NAME: "{{ snipe_it_config_mail_replyto_name | default('null', true) }}"
MAIL_AUTO_EMBED_METHOD: "{{ snipe_it_config_mail_auto_embed_method }}"
MAIL_BACKUP_NOTIFICATION_DRIVER: "{{ snipe_it_config_mail_backup_notification_driver }}"
MAIL_BACKUP_NOTIFICATION_ADDRESS: "{{ snipe_it_config_mail_backup_notification_address }}"
SESSION_DRIVER: "{{ snipe_it_config_session_driver }}"
SESSION_LIFETIME: "{{ snipe_it_config_session_lifetime }}"
CACHE_DRIVER: "{{ snipe_it_config_cache_driver }}"
CACHE_PREFIX: "{{ snipe_it_config_cache_prefix }}"
QUEUE_DRIVER: "{{ snipe_it_config_queue_driver }}"
PRIVATE_FILESYSTEM_DISK: "{{ snipe_it_config_private_filesystem_disk }}"
PUBLIC_FILESYSTEM_DISK: "{{ snipe_it_config_public_filesystem_disk }}"
ALLOW_BACKUP_DELETE: "{{ snipe_it_config_allow_backup_delete }}"
ALLOW_DATA_PURGE: "{{ snipe_it_config_allow_data_purge }}"
IMAGE_LIB: "{{ snipe_it_config_image_lib }}"
LOG_CHANNEL: "{{ snipe_it_config_log_channel }}"
LOG_MAX_DAYS: "{{ snipe_it_config_log_max_days }}"
COOKIE_NAME: "{{ snipe_it_config_cookie_name }}"
COOKIE_DOMAIN: "{{ snipe_it_config_cookie_domain }}"
SECURE_COOKIES: "{{ snipe_it_config_secure_cookies }}"
snipe_it_config: ~
snipe_it_merged_config: >-2
{{ (snipe_it_base_config | default({}, true))
| combine((snipe_it_config | default({}, true)), recursive=True) }}

View File

@@ -0,0 +1,48 @@
---
snipe_it_container_image_registry: docker.io
snipe_it_container_image_namespace: 'snipe'
snipe_it_container_image_name: 'snipe-it'
snipe_it_container_image_tag: ~
snipe_it_container_image_flavour: alpine
snipe_it_container_image_source: pull
snipe_it_container_image_force_source: >-2
{{ snipe_it_container_image_tag | default(false, true) | bool }}
snipe_it_container_image: >-2
{{
([
snipe_it_container_image_registry | default([], true),
snipe_it_container_image_namespace | default([], true),
snipe_it_container_image_name,
] | flatten | join('/'))
+ ':'
+ (snipe_it_container_image_tag | default(
'v' + snipe_it_version + (
((snipe_it_container_image_flavour is string)
and (snipe_it_container_image_flavour | length > 0))
| ternary(
'-' + snipe_it_container_image_flavour | default('', true),
''
)
),
true
))
}}
snipe_it_container_env_file: "/var/www/html/.env"
snipe_it_container_data_directory: "/var/lib/snipeit/"
snipe_it_container_volumes:
- "{{ snipe_it_data_directory }}:{{ snipe_it_container_data_directory }}:z"
snipe_it_container_name: 'snipe-it'
snipe_it_container_state: >-2
{{ (snipe_it_state == 'present') | ternary('started', 'absent') }}
snipe_it_container_env: ~
snipe_it_container_user: ~
snipe_it_container_ports: ~
snipe_it_container_labels: ~
snipe_it_container_recreate: ~
snipe_it_container_networks: ~
snipe_it_container_etc_hosts: ~
snipe_it_container_dns_servers: ~
snipe_it_container_network_mode: ~
snipe_it_container_restart_policy: 'unless-stopped'

View File

@@ -0,0 +1,9 @@
---
snipe_it_user: snipeit
snipe_it_version: "8.3.4"
snipe_it_domain: ~
snipe_it_state: present
snipe_it_deployment_method: docker
snipe_it_env_file: /etc/snipeit/env
snipe_it_data_directory: /var/lib/snipeit

View File

@@ -0,0 +1,5 @@
---
snipe_it_run_user_id: >-2
{{ snipe_it_user_info.uid | default(snipe_it_user) }}
snipe_it_run_group_id: >-2
{{ snipe_it_user_info.group | default(snipe_it_user) }}

View File

@@ -0,0 +1,12 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: snipe_it
description: >-2
Deploy Snipe-IT, an open-source asset / license management system with
powerful JSON REST API
galaxy_tags:
- snipeit
- asset-management
- docker

View File

@@ -0,0 +1,14 @@
---
- name: Ensure state is valid
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ snipe_it_state }}'!
Supported states are {{ snipe_it_states | join(', ') }}.
when: snipe_it_state is not in snipe_it_states
- name: Ensure deployment method is valid
ansible.builtin.fail:
msg: >-2
Unsupported deployment_method '{{ snipe_it_deployment_method }}'!
Supported values are {{ snipe_it_deployment_methods | join(', ') }}.
when: snipe_it_deployment_method is not in snipe_it_deployment_methods

View File

@@ -0,0 +1,30 @@
---
- name: Ensure container image '{{ snipe_it_container_image }}' is {{ snipe_it_state }}
community.docker.docker_image:
name: "{{ snipe_it_container_image }}"
state: "{{ snipe_it_state }}"
source: "{{ snipe_it_container_image_source }}"
force_source: "{{ snipe_it_container_image_force_source }}"
register: snipe_it_container_image_info
until: snipe_it_container_image_info is success
retries: 5
delay: 3
- name: Ensure container '{{ snipe_it_container_name }}' is {{ snipe_it_container_state }}
community.docker.docker_container:
name: "{{ snipe_it_container_name }}"
image: "{{ snipe_it_container_image }}"
env_file: "{{ snipe_it_env_file }}"
env: "{{ snipe_it_container_env | default(omit, true) }}"
user: "{{ snipe_it_container_user | default(omit, true) }}"
ports: "{{ snipe_it_container_ports | default(omit, true) }}"
labels: "{{ snipe_it_container_labels | default(omit, true) }}"
volumes: "{{ snipe_it_container_volumes | default(omit, true) }}"
networks: "{{ snipe_it_container_networks | default(omit, true) }}"
etc_hosts: "{{ snipe_it_container_etc_hosts | default(omit, true) }}"
dns_servers: "{{ snipe_it_container_dns_servers | default(omit, true) }}"
network_mode: "{{ snipe_it_container_network_mode | default(omit, true) }}"
restart_policy: >-2
{{ snipe_it_container_restart_policy | default(omit, true) }}
recreate: "{{ snipe_it_container_recreate | default(omit, true) }}"
state: "{{ snipe_it_container_state }}"

View File

@@ -0,0 +1,59 @@
---
- name: Check preconditions
ansible.builtin.include_tasks:
file: "check.yml"
- name: Ensure snipe-it user '{{ snipe_it_user }}' is {{ snipe_it_state }}
ansible.builtin.user:
name: "{{ snipe_it_user }}"
state: "{{ snipe_it_state }}"
system: "{{ snipe_it_user_system | default(true, true) }}"
create_home: "{{ snipe_it_user_create_home | default(false, true) }}"
groups: "{{ snipe_it_user_groups | default(omit, true) }}"
append: >-2
{{
snipe_it_user_groups_append | default(
snipe_it_user_groups | default([], true) | length > 0,
true,
)
}}
register: snipe_it_user_info
- name: Ensure snipe-it environment file is {{ snipe_it_state }}
ansible.builtin.file:
path: "{{ snipe_it_env_file }}"
state: "{{ snipe_it_state }}"
when: snipe_it_state == 'absent'
- name: Ensure snipe-it config directory is {{ snipe_it_state }}
ansible.builtin.file:
path: "{{ snipe_it_env_file | dirname }}"
state: "{{ (snipe_it_state == 'present') | ternary('directory', 'absent') }}"
owner: "{{ snipe_it_run_user_id }}"
group: "{{ snipe_it_run_group_id }}"
mode: "0755"
when: snipe_it_state == 'present'
- name: Ensure snipe-it data directory '{{ snipe_it_data_directory }}' is {{ snipe_it_state }}
ansible.builtin.file:
path: "{{ snipe_it_data_directory }}"
state: "{{ (snipe_it_state == 'present') | ternary('directory', 'absent') }}"
owner: "{{ snipe_it_run_user_id }}"
group: "{{ snipe_it_run_group_id }}"
mode: "0755"
- name: Ensure snipe-it environment file is templated
ansible.builtin.copy:
content: |+2
{% for entry in snipe_it_merged_config | dict2items %}
{{ entry.key }}={{ entry.value }}
{% endfor %}
dest: "{{ snipe_it_env_file }}"
owner: "{{ snipe_it_run_user_id }}"
group: "{{ snipe_it_run_group_id }}"
mode: "0640"
when: snipe_it_state == 'present'
- name: Deploy using {{ snipe_it_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ snipe_it_deployment_method }}.yml"

View File

@@ -0,0 +1,6 @@
---
snipe_it_states:
- present
- absent
snipe_it_deployment_methods:
- docker

View File

@@ -0,0 +1,54 @@
# `finallycoffee.services.vaultwarden` ansible role
Vaultwarden is an unofficial (not associated with Bitwarden) bitwarden API compatible
server backend, formally called `bitwarden_rs`, written in rust.
This ansible role can deploy and configure `vaultwarden`, and supports removing
itself using `vaultwarden_state: absent` (Warning: It does not ask for confirmation,
and will remove all user data when instructed to remove it).
## Configuration
To use this role, the following variables need to be populated:
- `vaultwarden_config_domain` - always. Changing this will lead to two-factor not working for two-factor methods registered in the past.
- `vaultwarden_config_admin_token` - if `vaultwarden_config_disable_admin_token` is `false`.
Setting other configuration values for vaultwarden can be done using role-provided flattened keys in the
`vaultwarden_config_*` namespace (see [`defaults/main/config.yml`](defaults/main/config.yml) for available variables),
or by setting the configuration directly in the same structure as the `config.json` would be in `vaultwarden_config`.
### Email
Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`,
then configure your email server like this:
```yaml
vaultwarden_config:
smtp_host: "mail.example.com"
smtp_explicit_tls: true
smtp_port: 465
smtp_from: "noreply+vaultwarden@example.com"
smtp_from_name: "'Example.com Vaultwarden instance' <noreply+vaultwarden@example.com>"
smtp_username: vaultwarden@example.com
smtp_password: i_hope_i_will_be_a_strong_one!
helo_name: "{{ vaultwarden_config_domain }}"
```
### 2FA via email
To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true`
and optionally set the following configuration:
```yaml
vaultwarden_config:
email_token_size: 8
email_expiration_time: 300 # 300 seconds = 5min
email_attempts_limit: 3
```
### Feature flags
To enable more authentication methods, toggles are provided in
[`vaultwarden_config_enable_*`](defaults/main/config.yml#L18).
It is genereally recommended to simply keep unused methods off.
Per default, 'Sends' are allowed.

View File

@@ -0,0 +1,68 @@
---
# Required configuration
vaultwarden_config_domain: ~
vaultwarden_config_admin_token: ~
# Invitations and signups
vaultwarden_config_invitations_allowed: false
vaultwarden_config_invitation_org_name: ~
vaultwarden_config_signups_allowed: false
vaultwarden_config_signups_verify: true
vaultwarden_config_signups_verify_resend_time: 3600
vaultwarden_config_signups_verify_resend_limit: 5
# Entry preview icons
vaultwarden_config_disable_icon_download: true
vaultwarden_config_icon_cache_ttl: 604800 # 7 days
vaultwarden_config_icon_cache_negttl: 259200 # 3 days
vaultwarden_config_icon_download_timeout: 30 # seconds
vaultwarden_config_icon_blacklist_non_global_ips: true
# Features
vaultwarden_config_sends_allowed: true
vaultwarden_config_enable_yubico: false
vaultwarden_config_enable_duo: false
vaultwarden_config_enable_smtp: false
vaultwarden_config_enable_email_2fa: false
# Security
vaultwarden_config_password_iterations: 100000
vaultwarden_config_show_password_hint: false
vaultwarden_config_disable_2fa_remember: false
vaultwarden_config_disable_admin_token: true
vaultwarden_config_require_device_email: false
vaultwarden_config_authenticator_disable_time_drift: true
# Other
vaultwarden_config_log_timestamp_format: "%Y-%m-%d %H:%M:%S.%3f"
vaultwarden_config_ip_header: "X-Real-IP"
vaultwarden_config_reload_templates: false
vaultwarden_base_config:
domain: "{{ vaultwarden_config_domain }}"
admin_token: "{{ vaultwarden_config_admin_token }}"
invitations_allowed: "{{ vaultwarden_config_invitations_allowed }}"
invitation_org_name: "{{ vaultwarden_config_invitation_org_name | default('', true) }}"
signups_allowed: "{{ vaultwarden_config_signups_allowed }}"
signups_verify: "{{ vaultwarden_config_signups_verify }}"
signups_verify_resend_time: "{{ vaultwarden_config_signups_verify_resend_time }}"
signups_verify_resend_limit: "{{ vaultwarden_config_signups_verify_resend_limit }}"
disable_icon_download: "{{ vaultwarden_config_disable_icon_download }}"
icon_cache_ttl: "{{ vaultwarden_config_icon_cache_ttl }}"
icon_cache_negttl: "{{ vaultwarden_config_icon_cache_negttl }}"
icon_download_timeout: "{{ vaultwarden_config_icon_download_timeout }}"
icon_blacklist_non_global_ips: "{{ vaultwarden_config_icon_blacklist_non_global_ips }}"
password_iterations: "{{ vaultwarden_config_password_iterations }}"
show_password_hint: "{{ vaultwarden_config_show_password_hint }}"
disable_2fa_remember: "{{ vaultwarden_config_disable_2fa_remember }}"
disable_admin_token: "{{ vaultwarden_config_disable_admin_token }}"
require_device_email: "{{ vaultwarden_config_require_device_email }}"
authenticator_disable_time_drift: "{{ vaultwarden_config_authenticator_disable_time_drift }}"
ip_header: "{{ vaultwarden_config_ip_header }}"
log_timestamp_format: "{{ vaultwarden_config_log_timestamp_format }}"
reload_templates: "{{ vaultwarden_config_reload_templates }}"
sends_allowed: "{{ vaultwarden_config_sends_allowed }}"
_enable_yubico: "{{ vaultwarden_config_enable_yubico }}"
_enable_duo: "{{ vaultwarden_config_enable_duo }}"
_enable_smtp: "{{ vaultwarden_config_enable_smtp }}"
_enable_email_2fa: "{{ vaultwarden_config_enable_email_2fa }}"
vaultwarden_config: ~
vaultwarden_merged_config: >-2
{{ vaultwarden_base_config | default({}, true)
| combine(vaultwarden_config | default({}, true), recursive=true) }}

View File

@@ -0,0 +1,50 @@
---
vaultwarden_container_image_registry: docker.io
vaultwarden_container_image_namespace: vaultwarden
vaultwarden_container_image_name: server
vaultwarden_container_image_tag: ~
vaultwarden_container_image_flavour: alpine
vaultwarden_container_image_source: pull
vaultwarden_container_image_force_source: >-2
{{ vaultwarden_container_image_tag | default(false, true) | bool }}
vaultwarden_container_image: >-2
{{
([
vaultwarden_container_image_registry | default([], true),
vaultwarden_container_image_namespace | default([], true),
vaultwarden_container_image_name,
] | flatten | join('/'))
+ ':'
+ (vaultwarden_container_image_tag | default(
vaultwarden_version + (
((vaultwarden_container_image_flavour is string)
and (vaultwarden_container_image_flavour | length > 0))
| ternary(
'-' + vaultwarden_container_image_flavour | default('', true),
''
)
),
true
))
}}
vaultwarden_container_name: vaultwarden
vaultwarden_container_env: ~
vaultwarden_container_user: >-2
{{ vaultwarden_run_user_id }}:{{ vaultwarden_run_group_id }}
vaultwarden_container_ports: ~
vaultwarden_container_labels: ~
vaultwarden_container_networks: ~
vaultwarden_container_etc_hosts: ~
vaultwarden_container_dns_servers: ~
vaultwarden_container_restart_policy: >-2
{{ (vaultwarden_deployment_method == 'docker') | ternary(
'unless-stopped',
'on-failure',
)
}}
vaultwarden_container_state: >-2
{{ (vaultwarden_state == 'present') | ternary('started', 'absent') }}
vaultwarden_container_volumes:
- "{{ vaultwarden_data_directory }}:/data:rw"
- "{{ vaultwarden_config_file }}:/data/config.json:ro"

View File

@@ -0,0 +1,10 @@
---
vaultwarden_user: vaultwarden
vaultwarden_version: "1.34.3"
vaultwarden_config_file: "/etc/vaultwarden/config.json"
vaultwarden_config_directory: "{{ vaultwarden_config_file | dirname }}"
vaultwarden_data_directory: "/var/lib/vaultwarden"
vaultwarden_state: present
vaultwarden_deployment_method: docker

View File

@@ -0,0 +1,5 @@
---
vaultwarden_run_user_id: >-2
{{ vaultwarden_user_info.uid | default(vaultwarden_user, true) }}
vaultwarden_run_group_id: >-2
{{ vaultwarden_user_info.group | default(vaultwarden_user, true) }}

View File

@@ -0,0 +1,9 @@
---
- name: Ensure vaultwarden container '{{ vaultwarden_container_name }}' is restarted
community.docker.docker_container:
name: "{{ vaultwarden_container_name }}"
state: "{{ vaultwarden_container_state }}"
restart: true
listen: vaultwarden-restart
when: vaultwarden_deployment_method == 'docker'
ignore_errors: "{{ ansible_check_mode }}"

View File

@@ -0,0 +1,12 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: vaultwarden
description: >-2
Deploy vaultwarden, a bitwarden-compatible server backend
galaxy_tags:
- vaultwarden
- bitwarden
- passwordstore
- docker

View File

@@ -0,0 +1,24 @@
---
- name: Ensure container image '{{ vaultwarden_container_image }}' is {{ vaultwarden_state }}
community.docker.docker_image:
name: "{{ vaultwarden_container_image }}"
state: "{{ vaultwarden_state }}"
source: "{{ vaultwarden_container_image_source }}"
force_source: "{{ vaultwarden_container_image_force_source }}"
- name: Ensure container '{{ vaultwarden_container_name }}' is {{ vaultwarden_container_state }}
community.docker.docker_container:
name: "{{ vaultwarden_container_name }}"
image: "{{ vaultwarden_container_image }}"
env: "{{ vaultwarden_container_env | default(omit, true) }}"
user: "{{ vaultwarden_container_user | default(omit, true) }}"
ports: "{{ vaultwarden_container_ports | default(omit, true) }}"
labels: "{{ vaultwarden_container_labels | default(omit, true) }}"
volumes: "{{ vaultwarden_container_volumes }}"
networks: "{{ vaultwarden_container_networks | default(omit, true) }}"
etc_hosts: "{{ vaultwarden_container_etc_hosts | default(omit, true) }}"
dns_servers: "{{ vaultwarden_container_dns_servers | default(omit, true) }}"
restart_policy: "{{ vaultwarden_container_restart_policy | default(omit, true) }}"
state: "{{ vaultwarden_container_state | default(omit, true) }}"
comparisons:
'env': 'strict'

View File

@@ -0,0 +1,22 @@
---
- name: Ensure container image '{{ vaultwarden_container_image }}' is {{ vaultwarden_state }}
containers.podman.podman_image:
name: "{{ vaultwarden_container_image }}"
state: "{{ vaultwarden_state }}"
pull: "{{ (vaultwarden_container_image_source == 'pull') | bool }}"
force: "{{ vaultwarden_container_image_force_source }}"
- name: Ensure container '{{ vaultwarden_container_name }}' is {{ vaultwarden_container_state }}
containers.podman.podman_container:
name: "{{ vaultwarden_container_name }}"
image: "{{ vaultwarden_container_image }}"
env: "{{ vaultwarden_container_env | default(omit, true) }}"
user: "{{ vaultwarden_container_user | default(omit, true) }}"
ports: "{{ vaultwarden_container_ports | default(omit, true) }}"
labels: "{{ vaultwarden_container_labels | default(omit, true) }}"
volumes: "{{ vaultwarden_container_volumes }}"
network: "{{ vaultwarden_container_networks | default(omit, true) }}"
etc_hosts: "{{ vaultwarden_container_etc_hosts | default(omit, true) }}"
dns_servers: "{{ vaultwarden_container_dns_servers | default(omit, true) }}"
restart_policy: "{{ vaultwarden_container_restart_policy | default(omit, true) }}"
state: "{{ vaultwarden_container_state | default(omit, true) }}"

View File

@@ -0,0 +1,78 @@
---
- name: Ensure state is valid
ansible.builtin.fail:
msg: >-2
Unsupported state '{{ vaultwarden_state }}'!
Supported states are {{ vaultwarden_states | join(', ') }}.
when: vaultwarden_state not in vaultwarden_states
- name: Ensure deployment method is valid
ansible.builtin.fail:
msg: >-2
Unsupported deployment method '{{ vaultwarden_deployment_method }}'!
Supported are {{ vaultwarden_deployment_methods | join(', ') }}.
when: vaultwarden_deployment_method not in vaultwarden_deployment_methods
- name: Ensure required variables are given
ansible.builtin.fail:
msg: "Required variable '{{ var }}' is undefined!"
loop: "{{ vaultwarden_required_variables }}"
loop_control:
loop_var: var
when: >-2
var not in hostvars[inventory_hostname]
or hostvars[inventory_hostname][var] | length == 0
- name: Ensure required variables are given
ansible.builtin.fail:
msg: "Required variable '{{ var.name }}' is undefined!"
loop: "{{ vaultwarden_conditionally_required_variables }}"
loop_control:
loop_var: var
label: "{{ var.name }}"
when: >-2
var.when and (
var.name not in hostvars[inventory_hostname]
or hostvars[inventory_hostname][var.name] | length == 0)
- name: Ensure vaultwarden user '{{ vaultwarden_user }}' is {{ vaultwarden_state }}
ansible.builtin.user:
name: "{{ vaultwarden_user }}"
state: "{{ vaultwarden_state }}"
system: "{{ vaultwarden_user_system | default(true, true) }}"
create_home: "{{ vaultwarden_user_create_home | default(false, true) }}"
groups: "{{ vaultwarden_user_groups | default(omit, true) }}"
append: >-2
{{ vaultwarden_user_append_groups | default(
(vaultwarden_user_groups | default([], true) | length > 0),
true,
) }}
register: vaultwarden_user_info
- name: Ensure base paths are {{ vaultwarden_state }}
ansible.builtin.file:
path: "{{ mount.path }}"
state: "{{ (vaultwarden_state == 'present') | ternary('directory', 'absent') }}"
owner: "{{ mount.owner | default(vaultwarden_run_user_id) }}"
group: "{{ mount.group | default(vaultwarden_run_group_id) }}"
mode: "{{ mount.mode | default('0755', true) }}"
loop:
- path: "{{ vaultwarden_config_directory }}"
- path: "{{ vaultwarden_data_directory }}"
loop_control:
loop_var: mount
label: "{{ mount.path }}"
- name: Ensure vaultwarden config file '{{ vaultwarden_config_file }}' is {{ vaultwarden_state }}
ansible.builtin.copy:
content: "{{ vaultwarden_merged_config | to_nice_json(indent=4) }}"
dest: "{{ vaultwarden_config_file }}"
owner: "{{ vaultwarden_run_user_id }}"
group: "{{ vaultwarden_run_group_id }}"
mode: "0640"
when: vaultwarden_state == 'present'
notify: vaultwarden-restart
- name: Deploy vaultwarden using {{ vaultwarden_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ vaultwarden_deployment_method }}.yml"

View File

@@ -0,0 +1,12 @@
---
vaultwarden_states:
- present
- absent
vaultwarden_deployment_methods:
- docker
- podman
vaultwarden_required_variables:
- vaultwarden_config_domain
vaultwarden_conditionally_required_variables:
- name: vaultwarden_config_admin_token
when: "{{ vaultwarden_config_disable_admin_token | default(true, true) | bool }}"

View File

@@ -1,7 +1,6 @@
--- ---
vouch_proxy_user: vouch-proxy vouch_proxy_user: vouch-proxy
vouch_proxy_version: 0.40.0 vouch_proxy_version: "0.45.1"
vouch_proxy_base_path: /opt/vouch-proxy vouch_proxy_base_path: /opt/vouch-proxy
vouch_proxy_config_path: "{{ vouch_proxy_base_path }}/config" vouch_proxy_config_path: "{{ vouch_proxy_base_path }}/config"
vouch_proxy_config_file: "{{ vouch_proxy_config_path }}/config.yaml" vouch_proxy_config_file: "{{ vouch_proxy_config_path }}/config.yaml"

View File

@@ -0,0 +1,12 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: vouch_proxy
description: Ansible role to deploy vouch_proxy using docker
galaxy_tags:
- vouch_proxy
- oidc
- authentication
- authorization
- docker