remove legacy code

2024-02-08 23:53:02 +01:00 · 2024-02-08 23:53:02 +01:00 · a3ace01a6d
commit a3ace01a6d
parent f38b9af075
75 changed files with 1 additions and 2522 deletions
--- a/docker_swarm/README.md
+++ b/docker_swarm/README.md
@ -0,0 +1,5 @@
+# shoarma ansible
+
+This requires a rootless docker daemon on the Ansible host.
+See: https://docs.docker.com/engine/security/rootless/
+Also you need jsondiff for docker stack.
--- a/docker_swarm/ansible.cfg
+++ b/docker_swarm/ansible.cfg
@ -0,0 +1,9 @@
+[defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
+inventory=inventory
+interpreter_python=/run/current-system/sw/bin/python3.11
+remote_user = root
+vault_password_file=$HOME/.config/home/ansible-vault-secret
+
+[diff]
+always = True
--- a/docker_swarm/inventory/group_vars/all.yml
+++ b/docker_swarm/inventory/group_vars/all.yml
@ -0,0 +1,23 @@
+data_directory_base: /mnt/data
+git_ssh_port: 56287
+elasticsearch_port: 14653
+fluent_forward_port: 24224
+concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260"
+
+database_passwords:
+  nextcloud: !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    66326230303135303930363761316534313439383365376231623661316635393839336431313262
+    3832626365376533646561653863316364313135343366330a356136343938666133356532613263
+    39663037623232363266376335643834353735363431636535386566643763386463353962663930
+    3466343563353162320a376437353933656166323364323166376663323531373338656563653463
+    33346263626430616164613937363836343430383233393061643231346661656539623938333631
+    3632373964346139316637663364646132636636373461613534
+  hedgedoc: !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    63363464666633663762393135333362613966636338623533393132376338343339653431396465
+    6634643863623163366235393434343662313735363438610a373065363361326565633766633835
+    38383637343230363031636634623930666365333739323162313937656239646166613738393965
+    3533666462303563360a313233306335396234393932396331313238376464363964363839396164
+    66366662356135343035363935616664613831626131376330643133313530636431613266636165
+    6265613666616164373637356235396165383662333561393939
--- a/docker_swarm/inventory/hosts.yml
+++ b/docker_swarm/inventory/hosts.yml
@ -0,0 +1,11 @@
+all:
+  hosts:
+    manager:
+      ansible_host: maestro.dmz
+  children:
+    workers:
+      hosts:
+        bancomart:
+          ansible_host: bancomart.dmz
+        vpay:
+          ansible_host: vpay.dmz
--- a/docker_swarm/playbooks/remove_stack.yml
+++ b/docker_swarm/playbooks/remove_stack.yml
@ -0,0 +1,9 @@
+---
+- name: Remove a Docker swarm stack
+  hosts: manager
+
+  tasks:
+    - name: Remove the stack
+      docker_stack:
+        name: "{{ stack }}"
+        state: absent
--- a/docker_swarm/playbooks/setup.yml
+++ b/docker_swarm/playbooks/setup.yml
@ -0,0 +1,23 @@
+---
+
+- name: Setup Docker Swarm manager
+  hosts: manager
+  tasks:
+    - name: Create Docker Swarm
+      docker_swarm:
+    
+    - name: Get Docker Swarm manager info
+      docker_swarm_info:
+        nodes: yes
+        nodes_filters:
+          name: manager
+      register: swarm_info
+
+- hosts: workers
+  tasks:
+    - name: Join Docker Swarm
+      docker_swarm:
+        state: join
+        join_token: "{{ hostvars.manager.swarm_info.swarm_facts.JoinTokens.Worker }}"
+        remote_addrs:
+          - "{{ hostvars.manager.ansible_default_ipv4.address }}"
--- a/docker_swarm/playbooks/stacks.yml
+++ b/docker_swarm/playbooks/stacks.yml
@ -0,0 +1,18 @@
+---
+- name: Start Docker stacks
+  hosts: manager
+  roles:
+    - {role: traefik, tags: traefik}
+    - {role: forgejo, tags: forgejo}
+    - {role: radicale, tags: radicale}
+    - {role: freshrss, tags: freshrss}
+    - {role: hedgedoc, tags: hedgedoc}
+    - {role: cyberchef, tags: cyberchef}
+    - {role: inbucket, tags: inbucket}
+    - {role: kms, tags: kms}
+    - {role: swarm_dashboard, tags: swarm_dashboard}
+    - {role: pihole, tags: pihole}
+    - {role: nextcloud, tags: nextcloud}
+    - {role: syncthing, tags: syncthing}
+    - {role: kitchenowl, tags: kitchenowl}
+    - {role: paperless-ngx, tags: paperless-ngx}
--- a/docker_swarm/requirements.yml
+++ b/docker_swarm/requirements.yml
@ -0,0 +1,5 @@
+---
+roles:
+  - name: setup_apt
+    src: https://github.com/sunscrapers/ansible-role-apt.git
+    scm: git
--- a/docker_swarm/roles/cyberchef/docker-stack.yml.j2
+++ b/docker_swarm/roles/cyberchef/docker-stack.yml.j2
@ -0,0 +1,20 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  cyberchef:
+    image: mpepping/cyberchef
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.cyberchef.entrypoints=websecure
+        - traefik.http.services.cyberchef.loadbalancer.server.port=8000
+        - traefik.http.routers.cyberchef.rule=Host(`cyberchef.kun.is`)
+        - traefik.http.routers.cyberchef.tls=true
+        - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
--- a/docker_swarm/roles/cyberchef/tasks/main.yml
+++ b/docker_swarm/roles/cyberchef/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: cyberchef
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/cyberchef2/docker-stack.yml.j2
+++ b/docker_swarm/roles/cyberchef2/docker-stack.yml.j2
@ -0,0 +1,8 @@
+# vi: ft=yaml
+version: "3.7"
+
+services:
+  cyberchef:
+    image: mpepping/cyberchef
+    ports:
+      - 8000:8000
--- a/docker_swarm/roles/cyberchef2/tasks/main.yml
+++ b/docker_swarm/roles/cyberchef2/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: cyberchef
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/forgejo/app.ini.j2
+++ b/docker_swarm/roles/forgejo/app.ini.j2
@ -0,0 +1,109 @@
+APP_NAME = Forgejo: Beyond coding. We forge.
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH=/data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_BRANCH = master
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH    = /data/gitea
+DOMAIN           = {{ git_domain }}
+SSH_DOMAIN       = {{ git_domain }}
+HTTP_PORT        = 3000
+ROOT_URL         = {{ root_url }}
+DISABLE_SSH      = false
+SSH_PORT         = {{ git_ssh_port }}
+SSH_LISTEN_PORT  = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET   = {{ lfs_jwt_secret }}
+OFFLINE_MODE     = false
+
+[database]
+PATH     = /data/gitea/gitea.db
+DB_TYPE  = sqlite3
+HOST     = localhost:3306
+NAME     = gitea
+USER     = root
+PASSWD   = 
+LOG_SQL  = false
+SCHEMA   = 
+SSL_MODE = disable
+CHARSET  = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+ISSUE_INDEXER_TYPE = db
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER        = file
+
+[picture]
+AVATAR_UPLOAD_PATH            = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+ENABLE_FEDERATED_AVATAR       = false
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE      = console
+LEVEL     = info
+logger.router.MODE = console
+ROOT_PATH = /data/gitea/log
+logger.access.MODE=console
+
+[security]
+INSTALL_LOCK                  = true
+SECRET_KEY                    = 
+REVERSE_PROXY_LIMIT           = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN                = {{ internal_token }}
+PASSWORD_HASH_ALGO            = pbkdf2
+
+[service]
+DISABLE_REGISTRATION              = true
+REQUIRE_SIGNIN_VIEW               = false
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED   = true
+SMTP_ADDR = {{ mailer_host }}
+SMTP_PORT = 587
+FROM      = {{ mailer_from }}
+USER      = 
+PASSWD    = 
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[ui]
+DEFAULT_THEME = forgejo-light
+
+[oauth2]
+ENABLE=false
--- a/docker_swarm/roles/forgejo/docker-stack.yml.j2
+++ b/docker_swarm/roles/forgejo/docker-stack.yml.j2
@ -0,0 +1,57 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+  traefik:
+    external: true
+
+configs:
+  config:
+    external: true
+    name: "{{ config.config_name }}"
+
+volumes:
+  forgejo:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/forgejo"
+
+services:
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:1.20
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    networks:
+      - traefik
+    ports:
+      - "{{ git_ssh_port }}:22"
+    volumes:
+      - type: volume
+        source: forgejo
+        target: /data
+        volume:
+          nocopy: true
+      # TODO: fix this
+      # - /etc/timezone:/etc/timezone:ro
+      # - /etc/localtime:/etc/localtime:ro
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        - traefik.port=443
+        - traefik.enable=true
+        - traefik.http.routers.forgejo.entrypoints=websecure
+        - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
+        - traefik.http.routers.forgejo.tls=true
+        - traefik.http.routers.forgejo.tls.certresolver=letsencrypt
+        - traefik.http.routers.forgejo.service=forgejo
+        - traefik.http.services.forgejo.loadbalancer.server.port=3000
+        - traefik.docker.network=traefik
+        - traefik.http.middlewares.set-forwarded-for.headers.hostsProxyHeaders=X-Forwarded-For
+        - traefik.http.routers.forgejo.middlewares=set-forwarded-for
+    configs:
+      - source: config
+        target: /data/gitea/conf/app.ini
--- a/docker_swarm/roles/forgejo/tasks/main.yml
+++ b/docker_swarm/roles/forgejo/tasks/main.yml
@ -0,0 +1,13 @@
+- name: Create Docker config
+  docker_config:
+    name: forgejo_config
+    data: "{{ lookup('template', '{{ role_path }}/app.ini.j2') }}"
+    use_ssh_client: true
+    rolling_versions: true
+  register: config
+
+- name: Deploy Docker stack
+  docker_stack:
+    name: forgejo
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/forgejo/vars/main.yml
+++ b/docker_swarm/roles/forgejo/vars/main.yml
@ -0,0 +1,23 @@
+git_domain: "git.kun.is"
+root_url: "https://{{ git_domain }}"
+mailer_host: "smtp.tweak.nl"
+mailer_from: "git@kunis.nl"
+lfs_jwt_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  66613032363837346461326131303839646332646233633736623865346135623739343233396165
+  6530326162323466623939393133623336366466343837620a613532616365646137326138383235
+  32313264653262656564336531646662323039623865393366616536633531306430336137313862
+  3361373539373561390a653236306433393737616561306236343362396438366134313032656233
+  35626364373961613361366138383566353463626136393861383934326263383336393766623063
+  3434656437663165376635326139383065383861386133623765
+internal_token: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  62633334656235613035343830326237633637626639363465313861323734393766636464303862
+  3936306561343863316630616164616537323537333262650a336337303232623832636666353038
+  64313134383330646537356432383332386238373835656663313431373939373630373566396339
+  6561643037383666340a643464326531623731303564646464376239613263643761643766623930
+  37623362326561346262306331376663313661633635323435333339396138383134303364306532
+  37353264363737643965643932356336633734316534303262336461313038626538396536333964
+  36353635323731353061393430656166363263366437313434336139616666326335633037663336
+  37353665613938613731316330396461343632643039643864343164303937613263343262623964
+  33366364636339623633653035313736653563363064646233383437373431373232
--- a/docker_swarm/roles/freshrss/docker-stack.yml.j2
+++ b/docker_swarm/roles/freshrss/docker-stack.yml.j2
@ -0,0 +1,42 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+  traefik:
+    external: true
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/freshrss/data"
+
+services:
+  freshrss:
+    image: freshrss/freshrss:edge
+    networks:
+      - traefik
+    volumes:
+      - type: volume
+        source: data
+        target: /var/www/FreshRSS/data
+        volume:
+          nocopy: true
+    environment:
+      TZ: Europe/Amsterdam
+      CRON_MIN: '2,32'
+      ADMIN_EMAIL: pim@kunis.nl
+      ADMIN_PASSWORD: {{ admin_password }}
+      ADMIN_API_PASSWORD: {{ admin_password }}
+      PUBLISHED_PORT: 443
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.freshrss.entrypoints=websecure
+        - traefik.http.routers.freshrss.rule=Host(`rss.kun.is`)
+        - traefik.http.routers.freshrss.tls=true
+        - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
+        - traefik.http.routers.freshrss.service=freshrss
+        - traefik.http.services.freshrss.loadbalancer.server.port=80
+        - traefik.docker.network=traefik
--- a/docker_swarm/roles/freshrss/tasks/main.yml
+++ b/docker_swarm/roles/freshrss/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: freshrss
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/freshrss/vars/main.yml
+++ b/docker_swarm/roles/freshrss/vars/main.yml
@ -0,0 +1,8 @@
+admin_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38363734333534376665616439306566613632303739373661333338356533653334323366326130
+  3031316133383432366639613565656134666338326639360a633263363066613964643665316334
+  63373830663239393137653131326630326465343333346430376536393162383836333130353562
+  3336306561636134650a646433633063316431643466326161303666313765323034343233646566
+  66613330616463346561343561616438643763643465373839303861356133313831303338356430
+  6634653635383833303265316662663631376163636134666565
--- a/docker_swarm/roles/hedgedoc/docker-stack.yml.j2
+++ b/docker_swarm/roles/hedgedoc/docker-stack.yml.j2
@ -0,0 +1,44 @@
+# vi: ft=yaml
+version: '3'
+
+networks:
+  traefik:
+    external: true
+
+volumes:
+  uploads:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/hedgedoc/uploads"
+
+services:
+  hedgedoc:
+    image: quay.io/hedgedoc/hedgedoc:1.9.7
+    environment:
+      - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@lewis.dmz:5432/hedgedoc
+      - CMD_DOMAIN=md.kun.is
+      - CMD_PORT=3000
+      - CMD_URL_ADDPORT=false
+      - CMD_ALLOW_ANONYMOUS=true
+      - CMD_ALLOW_EMAIL_REGISTER=false
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_SESSION_SECRET={{ session_secret }}
+    volumes:
+      - type: volume
+        source: uploads
+        target: /hedgedoc/public/uploads
+        volume:
+          nocopy: true
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.hedgedoc.entrypoints=websecure
+        - traefik.http.routers.hedgedoc.rule=Host(`md.kun.is`)
+        - traefik.http.routers.hedgedoc.tls=true
+        - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
+        - traefik.http.routers.hedgedoc.service=hedgedoc
+        - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
+        - traefik.docker.network=traefik
--- a/docker_swarm/roles/hedgedoc/tasks/main.yml
+++ b/docker_swarm/roles/hedgedoc/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: hedgedoc
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/hedgedoc/vars/main.yml
+++ b/docker_swarm/roles/hedgedoc/vars/main.yml
@ -0,0 +1,10 @@
+session_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  30633835386265643561343033326536653166343630396139303137613138383233666565666330
+  3032613865333836656566626435383165396539323837350a376331306464643766373839386638
+  65653865343539633636323833343964636332636461386434386432306230343833343431363134
+  6563373138626637650a633932313862326231666330343662343765666166373961376237396434
+  33396131353830323063326266623862353731653665626466653335656434303033353333353164
+  61613535373037646565386131383631366338616565373261396136616433393462313537313861
+  35313661616365373231373963323865393635626132343138363230313431636333363130346239
+  32656335333635613736
--- a/docker_swarm/roles/inbucket/docker-stack.yml.j2
+++ b/docker_swarm/roles/inbucket/docker-stack.yml.j2
@ -0,0 +1,24 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  inbucket:
+    image: inbucket/inbucket
+    networks:
+      - traefik
+    ports:
+      - 2500:2500
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.inbucket.entrypoints=localsecure
+        - traefik.http.routers.inbucket.rule=Host(`inbucket.kun.is`)
+        - traefik.http.routers.inbucket.service=inbucket
+        - traefik.http.routers.inbucket.tls=true
+        - traefik.http.routers.inbucket.tls.certresolver=letsencrypt
+        - traefik.docker.network=traefik
+        - traefik.http.services.inbucket.loadbalancer.server.port=9000
--- a/docker_swarm/roles/inbucket/tasks/main.yml
+++ b/docker_swarm/roles/inbucket/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: inbucket
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/kitchenowl/docker-stack.yml.j2
+++ b/docker_swarm/roles/kitchenowl/docker-stack.yml.j2
@ -0,0 +1,50 @@
+# vi: ft=yaml
+version: '3.7'
+
+networks:
+  traefik:
+    external: true
+  kitchenowl:
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/kitchenowl/data"
+
+services:
+  kitchenowl-front:
+    image: tombursch/kitchenowl-web:v0.4.20
+    depends_on:
+      - kitchenowl
+    networks:
+      - traefik
+      - kitchenowl
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.kitchenowl.entrypoints=websecure
+        - traefik.http.routers.kitchenowl.rule=Host(`boodschappen.kun.is`)
+        - traefik.http.routers.kitchenowl.tls=true
+        - traefik.http.routers.kitchenowl.tls.certresolver=letsencrypt
+        - traefik.http.routers.kitchenowl.service=kitchenowl
+        - traefik.http.services.kitchenowl.loadbalancer.server.port=80
+        - traefik.docker.network=traefik
+    environment:
+      BACK_URL: 'kitchenowl:5000'
+  kitchenowl:
+    image: tombursch/kitchenowl:v92
+    networks:
+      kitchenowl:
+        aliases:
+          - kitchenowl
+    environment:
+      - JWT_SECRET_KEY={{ jwt_secret_key }}
+    volumes:
+      - type: volume
+        source: data
+        target: /data
+        volume:
+          nocopy: true
+    hostname: kitchenowl
--- a/docker_swarm/roles/kitchenowl/tasks/main.yml
+++ b/docker_swarm/roles/kitchenowl/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: kitchenowl
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/kitchenowl/vars/main.yml
+++ b/docker_swarm/roles/kitchenowl/vars/main.yml
@ -0,0 +1,7 @@
+jwt_secret_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  37376338663532376135613331303737626633666138643132316336306164393134633639303865
+  3134613830323335663466373262316262353464323535300a636163633439323035643033623363
+  36316361656133663235333834343233363134313938656664356538366166653336656562623664
+  3332393330616636630a646139393937313932373963623764346134323635336539346562346635
+  36613637396133383664323561666464346336386233363434653765356334633831
--- a/docker_swarm/roles/kms/docker-stack.yml.j2
+++ b/docker_swarm/roles/kms/docker-stack.yml.j2
@ -0,0 +1,8 @@
+# vi: ft=yaml
+version: '3.7'
+
+services:
+  kms:
+    image: teddysun/kms
+    ports:
+      - 1688:1688
--- a/docker_swarm/roles/kms/tasks/main.yml
+++ b/docker_swarm/roles/kms/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: kms
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/nextcloud/docker-stack.yml.j2
+++ b/docker_swarm/roles/nextcloud/docker-stack.yml.j2
@ -0,0 +1,40 @@
+# vi: ft=yaml
+version: '3.8'
+
+networks:
+  traefik:
+    external: true
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/nextcloud/data"
+
+services:
+  nextcloud:
+    image: nextcloud:27
+    volumes:
+      - type: volume
+        source: data
+        target: /var/www/html
+        volume:
+          nocopy: true
+    environment:
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_PASSWORD={{ database_passwords.nextcloud }}
+      - POSTGRES_HOST=lewis.dmz
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.nextcloud.entrypoints=websecure
+        - traefik.http.routers.nextcloud.rule=Host(`cloud.kun.is`)
+        - traefik.http.routers.nextcloud.tls=true
+        - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
+        - traefik.http.routers.nextcloud.service=nextcloud
+        - traefik.http.services.nextcloud.loadbalancer.server.port=80
+        - traefik.docker.network=traefik
--- a/docker_swarm/roles/nextcloud/tasks/main.yml
+++ b/docker_swarm/roles/nextcloud/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: nextcloud
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/paperless-ngx/docker-stack.yml.j2
+++ b/docker_swarm/roles/paperless-ngx/docker-stack.yml.j2
@ -0,0 +1,113 @@
+# vi: ft=yaml
+# Docker Compose file for running paperless from the Docker Hub.
+# This file contains everything paperless needs to run.
+# Paperless supports amd64, arm and arm64 hardware.
+#
+# All compose files of paperless configure paperless in the following way:
+#
+# - Paperless is (re)started on system boot, if it was running before shutdown.
+# - Docker volumes for storing data are managed by Docker.
+# - Folders for importing and exporting files are created in the same directory
+#   as this file and mounted to the correct folders inside the container.
+# - Paperless listens on port 8000.
+#
+# In addition to that, this Docker Compose file adds the following optional
+# configurations:
+#
+# - Instead of SQLite (default), PostgreSQL is used as the database server.
+#
+# To install and update paperless with this file, do the following:
+#
+# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
+#   and '.env' into a folder.
+# - Run 'docker compose pull'.
+# - Run 'docker compose run --rm webserver createsuperuser' to create a user.
+# - Run 'docker compose up -d'.
+#
+# For more extensive installation and update instructions, refer to the
+# documentation.
+
+version: "3.7"
+
+networks:
+  traefik:
+    external: true
+  paperless-ngx:
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/paperless-ngx/data"
+  redisdata:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/paperless-ngx/redisdata"
+  nextcloud:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/nextcloud/data"
+
+services:
+  broker:
+    image: docker.io/library/redis:7
+    volumes:
+      - type: volume
+        source: redisdata
+        target: /data
+        volume:
+          nocopy: true
+    networks:
+      - paperless-ngx
+
+  webserver:
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.3
+    depends_on:
+      - broker
+    volumes:
+      - type: volume
+        source: data
+        target: /data
+        volume:
+          nocopy: true
+      # TODO: what does this directory even do?
+      # - ./export:/usr/src/paperless/export
+      - type: volume
+        source: nextcloud
+        target: /nextcloud
+        volume:
+          nocopy: true
+    environment:
+      PAPERLESS_REDIS: redis://broker:6379
+      PAPERLESS_DBENGINE: postgresql
+      PAPERLESS_DBHOST: lewis.dmz
+      PAPERLESS_DBNAME: paperless
+      PAPERLESS_DBUSER: paperless
+      PAPERLESS_DBPASS: "{{ paperless_db_password }}"
+      PAPERLESS_CONSUMPTION_DIR: /nextcloud/data/pim/files/paperless-ngx/consumption/
+      PAPERLESS_DATA_DIR: /data/
+      PAPERLESS_MEDIA_ROOT: /data/
+      PAPERLESS_CONSUMER_POLLING: 10
+      PAPERLESS_OCR_LANGUAGES: nld eng
+      PAPERLESS_URL: https://paperless.kun.is
+      PAPERLESS_TIME_ZONE: Europe/Amsterdam
+      PAPERLESS_OCR_LANGUAGE: nld
+      PAPERLESS_SECRET_KEY: "{{ paperless_secret_key }}"
+      USERMAP_UID: "33"
+      USERMAP_GID: "33"
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.paperless-ngx.entrypoints=websecure
+        - traefik.http.routers.paperless-ngx.rule=Host(`paperless.kun.is`)
+        - traefik.http.routers.paperless-ngx.tls=true
+        - traefik.http.routers.paperless-ngx.tls.certresolver=letsencrypt
+        - traefik.http.routers.paperless-ngx.service=paperless-ngx
+        - traefik.http.services.paperless-ngx.loadbalancer.server.port=8000
+        - traefik.docker.network=traefik
+    networks:
+      - traefik
+      - paperless-ngx
--- a/docker_swarm/roles/paperless-ngx/tasks/main.yml
+++ b/docker_swarm/roles/paperless-ngx/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: paperless-ngx
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/paperless-ngx/vars/main.yml
+++ b/docker_swarm/roles/paperless-ngx/vars/main.yml
@ -0,0 +1,14 @@
+paperless_secret_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          63306337643736303137376130613866353330633632633233376463626366316562623836613065
+          6337353539323238643739323964613464666163333161350a323532333239303161383164616535
+          38343534663664356131653838626139653838393437633461333035323933356262366232643635
+          6165373765653132360a346132653262316232306237336337393861646466613831323837636138
+          61373633653562363636373835656665643537313864313266626638343063643039
+paperless_db_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          66366431303231626232303861383735373733373035663864326235623731643561336333626536
+          6135316437376361656636386337373637343237613139640a393232373136323466363465393562
+          61383963353931353931306261366566656264303034373936336539346337316639626538616661
+          6438383134366333360a616538373533373533326264666463396666353532333864343832333239
+          62343237653431633030366230373137343564313334363736363232346238646361
--- a/docker_swarm/roles/pihole/docker-stack.yml.j2
+++ b/docker_swarm/roles/pihole/docker-stack.yml.j2
@ -0,0 +1,57 @@
+# vi: ft=yaml
+version: "3.8"
+
+networks:
+  traefik:
+    external: true
+  pihole:
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/pihole/data"
+  dnsmasq:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/pihole/dnsmasq"
+
+services:
+  pihole:
+    image: pihole/pihole:latest
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+    network_mode: "host"
+    environment:
+      TZ: 'Europe/Amsterdam'
+      WEBPASSWORD: {{ pihole_password }}
+      PIHOLE_DNS_: '192.168.30.1'
+    volumes:
+      - type: volume
+        source: data
+        target: /etc/pihole
+        volume:
+          nocopy: true
+      - type: volume
+        source: dnsmasq
+        target: /etc/dnsmasq.d
+        volume:
+          nocopy: true
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.pihole.entrypoints=localsecure
+        - traefik.http.routers.pihole.rule=Host(`pihole.kun.is`)
+        - traefik.http.routers.pihole.tls=true
+        - traefik.http.routers.pihole.tls.certresolver=letsencrypt
+        - traefik.http.routers.pihole.service=pihole
+        - traefik.http.services.pihole.loadbalancer.server.port=80
+        - traefik.docker.network=traefik
+      placement:
+        constraints:
+          - node.role == manager
--- a/docker_swarm/roles/pihole/tasks/main.yml
+++ b/docker_swarm/roles/pihole/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: pihole
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/pihole/vars/main.yml
+++ b/docker_swarm/roles/pihole/vars/main.yml
@ -0,0 +1,8 @@
+pihole_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38616134666661363535303137373633613063613731383766303633336533373233363736333263
+  3461336138663861623134633031663631633666393939340a396561643132333665373430343466
+  36626633366232376236383434336166353638653733666566336266373739663236636334373866
+  3261303962613966610a643765613762396335643233383432613737316361386234663365656566
+  30336535326437336437383336393838306161333662346165333262383735616137653766653165
+  3361333436346130376261316133323963393338633838303031
--- a/docker_swarm/roles/radicale/docker-stack.yml.j2
+++ b/docker_swarm/roles/radicale/docker-stack.yml.j2
@ -0,0 +1,61 @@
+# vi: ft=yaml
+version: '3.7'
+
+networks:
+  traefik:
+    external: true
+
+configs:
+  config:
+    external: true
+    name: "{{ config.config_name }}"
+  users:
+    external: true
+    name: "{{ users.config_name }}"
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/radicale"
+
+services:
+  radicale:
+    image: tomsquest/docker-radicale
+    init: true
+    read_only: true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+      - KILL
+    healthcheck:
+      test: curl -f http://127.0.0.1:5232 || exit 1
+      interval: 30s
+      retries: 3
+    volumes:
+      - type: volume
+        source: data
+        target: /data
+        volume:
+          nocopy: true
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.radicale.entrypoints=websecure
+        - traefik.http.routers.radicale.rule=Host(`dav.kun.is`)
+        - traefik.http.routers.radicale.tls=true
+        - traefik.http.routers.radicale.tls.certresolver=letsencrypt
+        - traefik.http.routers.radicale.service=radicale
+        - traefik.http.services.radicale.loadbalancer.server.port=5232
+        - traefik.docker.network=traefik
+    configs:
+      - source: config
+        target: /config/config
+      - source: users
+        target: /config/users
--- a/docker_swarm/roles/radicale/radicale.conf
+++ b/docker_swarm/roles/radicale/radicale.conf
@ -0,0 +1,24 @@
+[server]
+hosts = 0.0.0.0:5232, [::]:5232
+ssl = False
+
+[encoding]
+request = utf-8
+stock = utf-8
+
+[auth]
+realm = Radicale - Password Required
+type = htpasswd
+htpasswd_filename = /config/users
+htpasswd_encryption = md5
+
+[rights]
+type = owner_only
+
+[storage]
+type = multifilesystem
+filesystem_folder = /data
+
+[logging]
+
+[headers]
--- a/docker_swarm/roles/radicale/tasks/main.yml
+++ b/docker_swarm/roles/radicale/tasks/main.yml
@ -0,0 +1,21 @@
+- name: Create radicale config
+  docker_config:
+    name: radicale_config
+    data: "{{ lookup('file', '{{ role_path }}/radicale.conf') }}"
+    use_ssh_client: true
+    rolling_versions: true
+  register: config
+
+- name: Create radicale users
+  docker_config:
+    name: radicale_users
+    data: "{{ lookup('file', '{{ role_path }}/users') }}"
+    use_ssh_client: true
+    rolling_versions: true
+  register: users
+
+- name: Deploy Docker stack
+  docker_stack:
+    name: radicale
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/radicale/users
+++ b/docker_swarm/roles/radicale/users
@ -0,0 +1 @@
+pim:$apr1$GUiTihkS$dDCkaUxFx/O86m6NCy/yQ.
--- a/docker_swarm/roles/swarm_dashboard/docker-stack.yml.j2
+++ b/docker_swarm/roles/swarm_dashboard/docker-stack.yml.j2
@ -0,0 +1,31 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  swarm-dashboard:
+    image: charypar/swarm-dashboard
+    volumes:
+      - type: bind
+        source: /var/run/docker.sock
+        target: /var/run/docker.sock
+    environment:
+      PORT: 80
+    networks:
+      - traefik
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.swarm-dashboard.entrypoints=localsecure
+        - traefik.http.routers.swarm-dashboard.rule=Host(`swarm.kun.is`)
+        - traefik.http.routers.swarm-dashboard.tls=true
+        - traefik.http.routers.swarm-dashboard.tls.certresolver=letsencrypt
+        - traefik.http.routers.swarm-dashboard.service=swarm-dashboard
+        - traefik.http.services.swarm-dashboard.loadbalancer.server.port=80
+        - traefik.docker.network=traefik
--- a/docker_swarm/roles/swarm_dashboard/tasks/main.yml
+++ b/docker_swarm/roles/swarm_dashboard/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: swarm_dashboard
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/syncthing/docker-stack.yml.j2
+++ b/docker_swarm/roles/syncthing/docker-stack.yml.j2
@ -0,0 +1,50 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+  traefik:
+    external: true
+
+volumes:
+  config:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/syncthing/config"
+  nextcloud_data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/nextcloud/data"
+
+services:
+  syncthing:
+    image: lscr.io/linuxserver/syncthing:1.23.6
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=traefik
+
+        - traefik.http.routers.syncthing.entrypoints=localsecure
+        - traefik.http.routers.syncthing.rule=Host(`sync.kun.is`)
+        - traefik.http.routers.syncthing.service=syncthing
+        - traefik.http.routers.syncthing.tls=true
+        - traefik.http.routers.syncthing.tls.certresolver=letsencrypt
+        - traefik.http.services.syncthing.loadbalancer.server.port=8384
+    environment:
+      - PUID=33
+      - PGID=33
+      - TZ=Europe/Amsterdam
+    volumes:
+      - type: volume
+        source: nextcloud_data
+        target: /data
+        volume:
+          nocopy: true
+      - type: volume
+        source: config
+        target: /config
+        volume:
+          nocopy: true
--- a/docker_swarm/roles/syncthing/tasks/main.yml
+++ b/docker_swarm/roles/syncthing/tasks/main.yml
@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: syncthing
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/docker_swarm/roles/traefik/docker-stack.yml.j2
+++ b/docker_swarm/roles/traefik/docker-stack.yml.j2
@ -0,0 +1,105 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+  traefik:
+    external: true
+
+configs:
+  services:
+    external: true
+    name: "{{ services.config_name }}"
+
+volumes:
+  acme:
+    driver_opts:
+      type: "nfs"
+      o: "addr=lewis.dmz,nolock,soft,rw"
+      device: ":/mnt/data/nfs/traefik/acme"
+
+services:
+  traefik:
+    image: traefik:3.0.0-beta2
+    networks:
+      - traefik
+    ports:
+      - mode: host
+        protocol: tcp
+        published: 443
+        target: 443
+      - mode: host
+        protocol: tcp
+        published: 80
+        target: 80
+      - mode: host
+        protocol: tcp
+        published: 444
+        target: 444
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.dashboard.entrypoints=localsecure
+        - traefik.http.routers.dashboard.rule=Host(`traefik.kun.is`)
+        - traefik.http.routers.dashboard.service=api@internal
+        - traefik.http.services.dashboard.loadbalancer.server.port=8080
+        - traefik.http.routers.dashboard.tls=true
+        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
+        - traefik.docker.network=traefik
+
+        - traefik.http.routers.esrom.entrypoints=websecure
+        - traefik.http.routers.esrom.service=esrom@file
+        - traefik.http.routers.esrom.rule=Host(`esrom.kun.is`)
+        - traefik.http.routers.esrom.tls=true
+        - traefik.http.routers.esrom.tls.certresolver=letsencrypt
+    volumes:
+      - type: bind
+        source: /var/run/docker.sock
+        target: /var/run/docker.sock
+      - type: volume
+        source: acme
+        target: /acme
+        volume:
+          nocopy: true
+    configs:
+      - source: services
+        target: /etc/traefik/services.yml
+    command:
+      - --providers.docker
+      - --providers.docker.swarmmode
+      - --providers.docker.watch
+      - --providers.docker.exposedbydefault=false
+
+      - --providers.file.filename=/etc/traefik/services.yml
+
+      - --api
+      - --api.insecure=false
+      - --api.dashboard=true
+
+      - --entrypoints.web.address=:80
+      - --entrypoints.web.http.redirections.entrypoint=true
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
+
+      - --entrypoints.websecure.address=:443
+
+      - --entrypoints.localsecure.address=:444
+
+      - --certificatesresolvers.letsencrypt.acme=true
+      - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
+      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
+      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+
+      - --serversTransport.insecureSkipVerify=true
+
+      - --accesslog=true
+      - --accesslog.fields.defaultmode=keep
+      - --accesslog.fields.names.ClientUsername=drop
+      - --accesslog.fields.headers.defaultmode=keep
+      - --accesslog.fields.headers.names.User-Agent=keep
+      - --accesslog.fields.headers.names.Authorization=drop
+      - --accesslog.fields.headers.names.Content-Type=keep
--- a/docker_swarm/roles/traefik/services.yml
+++ b/docker_swarm/roles/traefik/services.yml
@ -0,0 +1,6 @@
+http:
+  services:
+    esrom:
+      loadBalancer:
+        servers:
+          - url: http://esrom.dmz:80/
--- a/docker_swarm/roles/traefik/tasks/main.yml
+++ b/docker_swarm/roles/traefik/tasks/main.yml
@ -0,0 +1,18 @@
+- name: Create Traefik network
+  docker_network:
+    name: traefik
+    driver: overlay
+
+- name: Create Docker config
+  docker_config:
+    name: traefik_services
+    data: "{{ lookup('file', '{{ role_path }}/services.yml') }}"
+    use_ssh_client: true
+    rolling_versions: true
+  register: services
+
+- name: Deploy Docker stack
+  docker_stack:
+    name: traefik
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"