Merge branch 'main' into notfellchen

Slavi Pantaleev 2024-05-01 09:29:01 +03:00 committed by GitHub
commit 4c18daf9af
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 528 additions and 42 deletions

@ -3,10 +3,10 @@
* Apisix Gateway: 3.8.0
* Appsmith: v1.9.50
* Authelia: 4.37.5
* Authentik: 2024.2.2
* Authentik: 2024.2.3
* Borg: 1.2.8
* Borgmatic: 1.8.10
* Changedetection: 0.45.17
* Borgmatic: 1.8.11
* Changedetection: 0.45.21
* Changedetection Playwright Driver: latest
* Clickhouse: 23.10.5.20
* Collabora Online: 22.05.13.1.1
@ -21,7 +21,7 @@
* Exim Relay: 4.97.1-r0-0
* Firezone: 0.7.36
* Focalboard: 7.10.4
* Forgejo: 1.21.10-0
* Forgejo: 1.21.11-1
* Freshrss: 1.23.0
* Funkwhale: 1.4.0
* Gitea: 1.21.11
@ -32,7 +32,7 @@
* Ilmo: 1.0.4
* Infisical: v0.3.8
* Influxdb: 2.7.5
* Jitsi: stable-9364-1
* Jitsi: stable-9457-2
* Jitsi Ldap: 3
* Jitsi Prosody Auth Matrix User Verification Repo: 2839499cb03894d8cfc3e5b2219441427cb133d8
* Keycloak: 24.0.2
@ -41,25 +41,27 @@
* Languagetool: 6.3
* Linkding: latest
* Loki: 2.9.4
* Miniflux: 2.1.2
* Miniflux: 2.1.3
* Mobilizon: 3.1.0
* Mongodb: 7.0.4
* Mosquitto: 2.0.15
* Mrs: latest
* N8N: next
* Navidrome: 0.51.1
* Navidrome: 0.52.0
* Netbox: v3.7.0-2.8.0
* Netbox Container Image Customizations Keycloak Sso Expiration Middleware: a2ac39b1c73a50742c6e834e89162f87528c7f73
* Nextcloud: 28.0.2
* Nextcloud: 28.0.4
* Notfellchen: 0.1.1
* Notfellchen Sws: 2
* Oauth2 Proxy: v7.6.0
* Outline: 0.74.0-0
* Owncast: 0.1.2
* Oxitraffic: 0.9.0
* Paperless: 2.7.2
* Peertube: v6.0.4
* Prometheus: v2.51.2
* Prometheus Blackbox Exporter: v0.25.0
* Prometheus Node Exporter: v1.7.0
* Prometheus Node Exporter: v1.8.0
* Prometheus Postgres Exporter: v0.14.0
* Prometheus Ssh Exporter: v1.5.0
* Promtail: 2.9.5
@ -75,9 +77,9 @@
* Tandoor Frontend: 1.25.4-alpine
* Telegraf: 1.27.1
* Traefik: v2.11.2
* Uptime Kuma: 1.23.11
* Uptime Kuma: 1.23.13
* Vaultwarden: 1.30.5
* Wetty: 2.5
* Wg Easy: 7
* Wg Easy: 12
* Woodpecker Ci Agent: v2.4.1
* Woodpecker Ci Server: v2.4.1
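Review bot: the `Wg Easy` entry in the last hunk of this file jumps from `7` to `12`, five major releases at once, while every other change here is a patch-level bump; elsewhere in this commit the wg-easy repository URL moves from `WeeJeWel/wg-easy` to `wg-easy/wg-easy`, so this reads as a catch-up after the project moved, and a changelog entry telling operators whether the upgrade needs any migration on their side would help, because a VPN endpoint that does not come back up after `just install-service` locks its users out.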

@ -52,11 +52,11 @@ def write_to_file(contents, path):
# Matches the beginning of role-specific blocks.
# Example: `# role-specific:playbook_help`
regex_role_specific_block_start = regex.compile('^\s*#\s*role-specific\:\s*([^\s]+)$')
regex_role_specific_block_start = regex.compile('^\\s*#\\s*role-specific:\\s*([^\\s]+)$')
# Matches the end of role-specific blocks.
# Example: `# /role-specific:playbook_help`
regex_role_specific_block_end = regex.compile('^\s*#\s*/role-specific\:\s*([^\s]+)$')
regex_role_specific_block_end = regex.compile('^\\s*#\\s*/role-specific:\\s*([^\\s]+)$')
def process_file_contents(file_name, enabled_role_names, known_role_names):
contents = read_file(file_name)
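Review bot: doubling the backslashes silences the invalid-escape warning Python emits for `\s` in a normal string literal, but a raw string is easier to read and to keep correct, e.g. `regex.compile(r'^\s*#\s*role-specific:\s*([^\s]+)$')` for the start pattern and the same with `/role-specific` for the end pattern; `[^\s]+` could also simply be `\S+`. Dropping the needless `\:` is fine, since `:` has no special meaning in the pattern.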

@ -196,3 +196,4 @@ If a dedicated variable is not available for you to use or if you wish to overri
- [authentik](authentik.md) - An open-source Identity Provider focused on flexibility and versatility.
- [Keycloak](keycloak.md) - An open source identity and access management solution
- [OAuth2-Proxy](oauth2-proxy.md) - A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Authentik](authentik.md), [Keycloak](keycloak.md), and others) to SSO-protect services which do not support SSO natively

@ -24,7 +24,7 @@ hubsite_subtitle: "Just click on a service to use it"
# ([{'name': 'My blog', 'url': 'https://example.com', 'logo_location': '', 'description': 'A link to a blog not hosted by this playbook', 'priority': 1000 }])
# }}
# If you want to explicitly control which services you want to show on this page you can overwrite
# If you want to explicitly control which services you want to show on this page you can overwrite
# hubsite_service_list_auto: |
# {{
# ([{'name': 'Miniflux', 'url': hubsite_service_miniflux_url, 'logo_location': '{{ role_path }}/assets/miniflux.png', 'description': 'An opinionated feed reader', 'priority': hubsite_service_miniflux_priority}] if hubsite_service_miniflux_enabled else [])
@ -36,3 +36,6 @@ hubsite_subtitle: "Just click on a service to use it"
# /hubsite #
# #
########################################################################
```
You can SSO-protect this website with the help of [Authelia](authelia.md) or [OAuth2-Proxy](oauth2-proxy.md) (connected to any OIDC provider).
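Review bot: the new sentence could point readers at the concrete ForwardAuth walkthrough rather than only at the two proxy pages; the OAuth2-Proxy document added in this same commit uses Hubsite as its worked sample (`oauth2-proxy.md#sample-configuration`), and linking it here saves the reader from having to discover that on their own.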

@ -54,8 +54,14 @@ On each start after that, Keycloak will attempt to create the user again and rep
Subsequent changes to the password will not affect an existing user's password.
## Usage
After installation, you can go to the Keycloak URL, as defined in `keycloak_hostname` and `keycloak_path_prefix` and log in as described in [Authentication](#authentication).
Follow the [Keycloak documentation](https://www.keycloak.org/documentation) or other guides for learning how to use Keycloak.
## Related services
- [OAuth2-Proxy](oauth2-proxy.md) - A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Authentik](authentik.md), [Keycloak](keycloak.md), and others) to SSO-protect services which do not support SSO natively

@ -0,0 +1,158 @@
# OAuth2-Proxy
[OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) is a reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Authentik](authentik.md), [Keycloak](keycloak.md), and others) to SSO-protect services which do not support SSO natively.
## Modes of operation
OAuth2-Proxy can be used in 2 different modes:
1. Capturing incoming traffic for the app (e.g. https://app.example.com/), and then proxying it to the application container if the user is authenticated
2. Letting the application itself capture incoming traffic for itself (on https://app.example.com/) and use Traefik's [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware to authenticate the request via OAuth2-Proxy. In this case, OAuth2-Proxy will only handle the `/oauth2/` prefix on the application domain (e.g. https://app.example.com/oauth/).
The 1st one is a bit invasive, as it requires moving all custom reverse-proxying configuration for the handled domain to the OAuth2-Proxy side.
The 2nd one lets you keep the existing application configuration. However, it needs all URLs to go to one service (the application) with the exception of `/oauth2/` (which should go to OAuth2-Proxy). As such, it it requires that both services (the application and OAuth2-Proxy) run on the same machine.
Our [Sample configuration](#sample-configuration) below uses [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/).
The [OAuth2-Proxy Ansible role](https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy) should be flexible enough to let you reconfigure it for both modes of operation. However, if feasible, we recommend using the 2nd (ForwardAuth) method.
## Dependencies
This service requires the following other services:
- a [Traefik](traefik.md) reverse-proxy server
- an OIDC provider running anywhere. See [Choosing a provider](#choosing-a-provider).
## Choosing a provider
To use OAuth2-Proxy, you need to choose an [OIDC provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/).
This can be any of the supported providers. If hosting your own (via this playbook or via other means), the OIDC provider may be hosted anywhere (not necessarily on the same server as OAuth2-Proxy or the service you're SSO-protecting).
## Sample configuration
The configuration is [provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/)-specific and also depends on the the service you're SSO-protecting, on which server it runs (in relation to OAuth-Proxy), etc.
Below is a **sample** configuration for protecting a static website (in this case powered by the [Hubsite](hubsite.md)) service via [Keycloak](keycloak.md).
For this to work as described here, both OAuth2-Proxy and the protected service (e.g. [Hubsite](hubsite.md)) need to run on the same machine.
Keycloak may run anywhere.
You also need to have prepared Keycloak and a "Client app" for it, according to the [Keycloak OIDC](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc) documentation of OAuth2-Proxy.
#### OAuth2-Proxy configuration
```yaml
########################################################################
# #
# oauth2_proxy #
# #
########################################################################
oauth2_proxy_enabled: true
oauth2_proxy_environment_variable_provider: keycloak-oidc
oauth2_proxy_environment_variable_provider_display_name: SSO
oauth2_proxy_environment_variable_client_id: hubsite
oauth2_proxy_environment_variable_client_secret: ''
oauth2_proxy_environment_variable_oidc_issuer_url: https://keycloak.example.com/realms/my-realm
oauth2_proxy_environment_variable_redirect_url: "https://{{ hubsite_hostname }}/oauth2/callback"
oauth2_proxy_environment_variable_code_challenge_method: S256
# Generate this with: `python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'`
oauth2_proxy_environment_variable_cookie_secret: ''
oauth2_proxy_container_labels_additional_labels: |
traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.rule=Host(`{{ hubsite_hostname }}`) && PathPrefix(`/oauth2/`)
traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.service={{ oauth2_proxy_identifier }}
traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.entrypoints={{ oauth2_proxy_container_labels_traefik_entrypoints }}
traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.tls={{ oauth2_proxy_container_labels_traefik_tls }}
traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.tls.certResolver={{ oauth2_proxy_container_labels_traefik_tls_certResolver }}
########################################################################
# #
# /oauth2_proxy #
# #
########################################################################
```
After adding this to your `vars.yml` file, [re-run the playbook](../installing.md): `just install-service oauth-2proxy`.
This merely configures OAuth2-Proxy to handle the `/oauth2/` paths for Hubsite's domain.
[Hubsite configuration adjustments](#hubsite-configuration-adjustments) are also necessary, so proceed to do those as well.
### Hubsite configuration adjustments
Now that OAuth2-Proxy is ready and handling the `/oauth2/` paths on the domain Hubsite is running, we need to set up Traefik's [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middlware, so that all Hubsite requests would consult OAuth2-Proxy.
The configuration described below is based on the official [Configuring for use with the Traefik (v2) ForwardAuth middleware](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#configuring-for-use-with-the-traefik-v2-forwardauth-middleware) documentation of OAuth2-Proxy.
```yml
########################################################################
# #
# hubsite #
# #
########################################################################
# Your other Hubsite configuration goes here.
# See the documentation in hubsite.md.
hubsite_container_labels_additional_labels: |
# Create a middleware which catches "unauthenticated" errors and serves the OAuth-Proxy sign in page.
traefik.http.middlewares.{{ hubsite_identifier }}-oauth-errors.errors.status=401-403
traefik.http.middlewares.{{ hubsite_identifier }}-oauth-errors.errors.service={{ oauth2_proxy_identifier }}
traefik.http.middlewares.{{ hubsite_identifier }}-oauth-errors.errors.query=/oauth2/sign_in?rd={url}
# Create a middlware which passes each incoming request to OAuth2-Proxy,
# so it can decide whether it should be let through (to Hubsite) or should blocked (serving the OAuth2-Proxy sign in page).
traefik.http.middlewares.{{ hubsite_identifier }}-oauth-auth.forwardAuth.address=http://{{ oauth2_proxy_identifier }}:{{ oauth2_proxy_container_process_http_port }}/oauth2/auth
traefik.http.middlewares.{{ hubsite_identifier }}-oauth-auth.forwardAuth.trustForwardHeader=true
# Let a few HTTP headers set by OAuth2-Proxy get passed to Hubsite.
# Hubsite is a static website, so it cannot make use of them.
# Nevertheless, this is here as an example of how you can whitelist headers,
# so that applications which can make use of these headers can benefit from it.
# See more information about this in the comments for `oauth2_proxy_environment_variable_set_xauthrequest`.
traefik.http.middlewares.{{ hubsite_identifier }}-oauth-auth.forwardAuth.authResponseHeaders=X-Auth-Request-Preferred-Username, X-Auth-Request-Groups
# Inject the 2 middlewares defined above into the router of the Hubsite service
traefik.http.routers.{{ hubsite_identifier }}.middlewares={{ hubsite_identifier }}-oauth-errors,{{ hubsite_identifier }}-oauth-auth
########################################################################
# #
# /hubsite #
# #
########################################################################
```
After adding this to your `vars.yml` file, [re-run the playbook](../installing.md): `just install-service hubsite`.
Some [services](../supported-services.md) already define their own `middlewares` in their Traefik `labels` file, so you may not be able to inject new ones the same way as done for Hubsite above.
Specific services (e.g. [Nextcloud](./nextcloud.md)) provide Ansible variables (`nextcloud_container_labels_traefik_http_middlewares_custom`) for injecting new middlewares at a specific position (priority) in the list. Others services (Ansible roles) do not support this yet, which would prevent you from using them this way. Consider submitting an issue or better yet opening a PR to improve these services.
## Further reading
If you'd like to do something more advanced, the [`ansible-role-oauth2-proxy` Ansible role](https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy) is very configurable and should let you do what you need.
Take a look at [its `default/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy/blob/main/defaults/main.yml) for available Ansible variables you can use in your own `vars.yml` configuration file.
## Related services
- [authentik](authentik.md) - An open-source Identity Provider focused on flexibility and versatility.
- [Keycloak](keycloak.md) - An open source identity and access management solution
- [Authelia](authelia.md) - An open-source authentication and authorization server that can work as a companion to [common reverse proxies](https://www.authelia.com/overview/prologue/supported-proxies/) (like [Traefik](traefik.md) frequently used by this playbook)
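Review bot: the re-run command after the OAuth2-Proxy configuration block reads `just install-service oauth-2proxy`; the identifier used everywhere else in this commit is `oauth2-proxy`, so the command as written will not find the service. Two more content slips: under "Modes of operation" the ForwardAuth example URL is `https://app.example.com/oauth/` while the prefix being described is `/oauth2/`, and "Further reading" says `default/main.yml` while the link target is `defaults/main.yml`. The heading levels also skip (`## Sample configuration` is followed by `#### OAuth2-Proxy configuration` and then `### Hubsite configuration adjustments`), and the second block is fenced as `yml` where the first uses `yaml`. Typos worth fixing: "it it requires", "the the service", "OAuth-Proxy" (twice), "middlware" (twice), "should blocked", "Others services". On the security side, `forwardAuth.trustForwardHeader=true` makes Traefik pass the `X-Forwarded-*` headers it received on to OAuth2-Proxy; that is safe only while Traefik is the single entrypoint and is not itself configured to trust client-supplied forwarded headers, and a one-line comment saying so next to the label would stop someone reusing the snippet behind another proxy.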

@ -0,0 +1,192 @@
# Paperless-ngx
[Paperless-ngx](https://paperless-ngx.com) s a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. MASH can install paperless-ngx with the [`mother-of-all-self-hosting/ansible-role-paperless`](https://github.com/mother-of-all-self-hosting/ansible-role-paperless) ansible role.
**Warning** Paperless-ngx currently [does not support](https://github.com/paperless-ngx/paperless-ngx/issues/6352) running the container rootless, therefore the role has not the usual security features of other services provided by this playbook. This put your system more at higher risk as vulnerabilities can have a higher impact.
## Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [KeyDB](keydb.md) data-store, installation details [below](#keydb)
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# paperless #
# #
########################################################################
paperless_enabled: true
paperless_hostname: paperless.example.org
# Set the following variables to create an initial admin user
# It will not re-create an admin user, it will not change a password if the user is already created
# paperless_admin_user: USERNAME
# paperless_admin_password: SECURE_PASSWORD
# KeyDB configuration, as described below
########################################################################
# #
# /paperless #
# #
########################################################################
```
### KeyDB
As described on the [KeyDB](keydb.md) documentation page, if you're hosting additional services which require KeyDB on the same server, you'd better go for installing a separate KeyDB instance for each service. See [Creating a KeyDB instance dedicated to paperless-ngx](#creating-a-keydb-instance-dedicated-to-paperless-ngx).
If you're only running paperless-ngx on this server and don't need to use KeyDB for anything else, you can [use a single KeyDB instance](#using-the-shared-keydb-instance-for-paperless).
#### Using the shared KeyDB instance for paperless-ngx
To install a single (non-dedicated) KeyDB instance (`mash-keydb`) and hook paperless to it, add the following **additional** configuration:
```yaml
########################################################################
# #
# keydb #
# #
########################################################################
keydb_enabled: true
########################################################################
# #
# /keydb #
# #
########################################################################
########################################################################
# #
# paperless #
# #
########################################################################
# Base configuration as shown above
# Point paperless to the shared KeyDB instance
paperless_redis_hostname: "{{ keydb_identifier }}"
# Make sure the paperless service (mash-paperless.service) starts after the shared KeyDB service (mash-keydb.service)
paperless_systemd_required_services_list_custom:
- "{{ keydb_identifier }}.service"
# Make sure the paperless container is connected to the container network of the shared KeyDB service (mash-keydb)
paperless_container_additional_networks_custom:
- "{{ keydb_identifier }}"
########################################################################
# #
# /paperless #
# #
########################################################################
```
This will create a `mash-keydb` KeyDB instance on this host.
This is only recommended if you won't be installing other services which require KeyDB. Alternatively, go for [Creating a KeyDB instance dedicated to paperless-ngx](#creating-a-keydb-instance-dedicated-to-paperless-ngx).
#### Creating a KeyDB instance dedicated to paperless
The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation.
Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `paperless.example.org` is your main one, create `paperless.example.org-deps`).
Then, create a new `vars.yml` file for the
`inventory/host_vars/paperless.example.org-deps/vars.yml`:
```yaml
---
########################################################################
# #
# Playbook #
# #
########################################################################
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
# Various other secrets will be derived from this secret automatically.
mash_playbook_generic_secret_key: ''
# Override service names and directory path prefixes
mash_playbook_service_identifier_prefix: 'mash-paperless-'
mash_playbook_service_base_directory_name_prefix: 'paperless-'
########################################################################
# #
# /Playbook #
# #
########################################################################
########################################################################
# #
# keydb #
# #
########################################################################
keydb_enabled: true
########################################################################
# #
# /keydb #
# #
########################################################################
```
This will create a `mash-paperless-keydb` instance on this host with its data in `/mash/paperless-keydb`.
Then, adjust your main inventory host's variables file (`inventory/host_vars/paperless.example.org/vars.yml`) like this:
```yaml
########################################################################
# #
# paperless #
# #
########################################################################
# Base configuration as shown above
# Point paperless to its dedicated KeyDB instance
paperless_redis_hostname: mash-paperless-keydb
# Make sure the paperless service (mash-paperless.service) starts after its dedicated KeyDB service (mash-paperless-keydb.service)
paperless_systemd_required_services_list_custom:
- "mash-paperless-keydb.service"
# Make sure the paperless container is connected to the container network of its dedicated KeyDB service (mash-paperless-keydb)
paperless_container_additional_networks_custom:
- "mash-paperless-keydb"
########################################################################
# #
# /paperless #
# #
########################################################################
```
## Installation
If you've decided to install a dedicated KeyDB instance for paperless, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `paperless.example.org-deps`), before running installation for the main one (e.g. `paperless.example.org`).
## Usage
Access your instance in your browser at `https://paperless.example.org`
Refer to the [official documentation](https://docs.paperless-ngx.com/) to learn how to use paperless.
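Review bot: the intra-page links in the "KeyDB" section do not match the headings they point to: `#using-the-shared-keydb-instance-for-paperless` targets a heading titled "Using the shared KeyDB instance for paperless-ngx", and `#creating-a-keydb-instance-dedicated-to-paperless-ngx` (used twice) targets a heading titled "Creating a KeyDB instance dedicated to paperless"; either rename the headings or fix the anchors. The first sentence is missing a word ("Paperless-ngx s a community-supported …"), and the **Warning** paragraph needs a grammar pass ("the role has not the usual security features", "This put your system more at higher risk"); since this is the one place the page tells operators that the container cannot run rootless and therefore lacks the hardening the other roles get, it deserves to read cleanly and to state that consequence plainly. Minor: "Access your instance in your browser at `https://paperless.example.org`" lacks a closing period.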

@ -51,8 +51,10 @@
| [NetBox](https://docs.netbox.dev/en/stable/) | Web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality | [Link](services/netbox.md) |
| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |
| [Outline](https://www.getoutline.com/) | An open-source knowledge base for growing teams. | [Link](services/outline.md) |
| [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) | A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Keycloak](services/keycloak.md), and others) to SSO-protect services which do not support SSO natively. | [Link](services/oauth2-proxy.md) |
| [Owncast](https://owncast.online/) | Owncast is a free and open source live video and web chat server for use with existing popular broadcasting software. | [Link](services/owncast.md) |
| [OxiTraffic](https://codeberg.org/mo8it/oxitraffic) | [OxiTraffic](https://codeberg.org/mo8it/oxitraffic) is a self-hosted, simple and privacy respecting website traffic tracker. | [Link](services/oxitraffic.md) |
| [Paperless-ngx](https://paperless-ngx.com) | [Paperless-ngx](https://paperless-ngx.com) is a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. | [Link](services/paperless-ngx.md) |
| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) |
| [Postgis](https://postgis.net/) | A spatial database extender for PostgreSQL object-relational database | [Link](services/postgis.md) |
| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |
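Review bot: the new OAuth2-Proxy row lists the providers as "Google, GitHub, Keycloak, and others" while the description in `services/oauth2-proxy.md` and in the other two places this commit touches also names Authentik; keeping the wording identical stops the table drifting from the docs. The table is alphabetical up to this point but the row lands after Outline rather than before it, and the Paperless-ngx description restates the linked name from the first column (as the OxiTraffic row does), while the rest of the table describes each service without repeating its name.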
@ -77,7 +79,7 @@
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
| [Wetty](https://github.com/butlerx/wetty) | An SSH terminal over HTTP/HTTPS | [Link](services/wetty.md) |
| [WireGuard Easy](https://github.com/WeeJeWel/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) |
| [WireGuard Easy](https://github.com/wg-easy/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) |
| [Forgejo](https://forgejo.org/) | An alternative fork of Gitea. Easy and painless self-hosted git server. | [Link](services/forgejo.md) |
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
| System-related | A collection of various system-related components | [Link](services/system.md) |

@ -19,6 +19,7 @@
<outline text="echoip" title="echoip" type="rss" htmlUrl="https://github.com/mpolden/echoip" xmlUrl="https://github.com/mpolden/echoip/releases.atom" />
<outline text="etcd" title="etcd" type="rss" htmlUrl="https://github.com/etcd-io/etcd" xmlUrl="https://github.com/etcd-io/etcd/releases.atom" />
<outline text="exim_relay" title="exim_relay" type="rss" htmlUrl="https://github.com/devture/exim-relay" xmlUrl="https://github.com/devture/exim-relay/releases.atom" />
<outline text="firezone" title="firezone" type="rss" htmlUrl="https://github.com/firezone/firezone" xmlUrl="https://github.com/firezone/firezone/releases.atom" />
<outline text="focalboard" title="focalboard" type="rss" htmlUrl="https://github.com/mattermost/focalboard" xmlUrl="https://github.com/mattermost/focalboard/releases.atom" />
<outline text="freshrss" title="freshrss" type="rss" htmlUrl="https://github.com/freshrss/freshrss" xmlUrl="https://github.com/freshrss/freshrss/releases.atom" />
<outline text="funkwhale" title="funkwhale" type="rss" htmlUrl="https://dev.funkwhale.audio/funkwhale/funkwhale" xmlUrl="https://dev.funkwhale.audio/funkwhale/funkwhale/-/tags?format=atom" />
@ -39,6 +40,8 @@
<outline text="n8n" title="n8n" type="rss" htmlUrl="https://github.com/n8n-io/n8n" xmlUrl="https://github.com/n8n-io/n8n/releases.atom" />
<outline text="navidrome" title="navidrome" type="rss" htmlUrl="https://github.com/navidrome/navidrome" xmlUrl="https://github.com/navidrome/navidrome/releases.atom" />
<outline text="netbox" title="netbox" type="rss" htmlUrl="https://github.com/netbox-community/netbox-docker/" xmlUrl="https://github.com/netbox-community/netbox-docker//releases.atom" />
<outline text="nextcloud" title="nextcloud" type="rss" htmlUrl="https://github.com/nextcloud/server" xmlUrl="https://github.com/nextcloud/server/releases.atom" />
<outline text="oauth2_proxy" title="oauth2_proxy" type="rss" htmlUrl="https://github.com/oauth2-proxy/oauth2-proxy" xmlUrl="https://github.com/oauth2-proxy/oauth2-proxy/releases.atom" />
<outline text="outline" title="outline" type="rss" htmlUrl="https://github.com/outline/outline" xmlUrl="https://github.com/outline/outline/releases.atom" />
<outline text="owncast" title="owncast" type="rss" htmlUrl="https://github.com/owncast/owncast" xmlUrl="https://github.com/owncast/owncast/releases.atom" />
<outline text="peertube" title="peertube" type="rss" htmlUrl="https://github.com/Chocobozzz/PeerTube" xmlUrl="https://github.com/Chocobozzz/PeerTube/releases.atom" />
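Review bot: there is no `paperless` feed entry between `owncast` and `peertube`, although Paperless `2.7.2` is added to the version list in this same commit; without a feed the release-watching this OPML drives will not notice Paperless-ngx releases, so an `<outline text="paperless" …>` line pointing at the `paperless-ngx/paperless-ngx` repository's `releases.atom` belongs here. While in this file, the `netbox` context line carries a doubled slash in `netbox-docker//releases.atom`.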
@ -63,7 +66,7 @@
<outline text="uptime_kuma" title="uptime_kuma" type="rss" htmlUrl="https://github.com/louislam/uptime-kuma" xmlUrl="https://github.com/louislam/uptime-kuma/releases.atom" />
<outline text="vaultwarden" title="vaultwarden" type="rss" htmlUrl="https://github.com/dani-garcia/vaultwarden" xmlUrl="https://github.com/dani-garcia/vaultwarden/releases.atom" />
<outline text="wetty" title="wetty" type="rss" htmlUrl="https://github.com/butlerx/wetty" xmlUrl="https://github.com/butlerx/wetty/releases.atom" />
<outline text="wg_easy" title="wg_easy" type="rss" htmlUrl="https://github.com/WeeJeWel/wg-easy" xmlUrl="https://github.com/WeeJeWel/wg-easy/releases.atom" />
<outline text="wg_easy" title="wg_easy" type="rss" htmlUrl="https://github.com/wg-easy/wg-easy" xmlUrl="https://github.com/wg-easy/wg-easy/releases.atom" />
<outline text="woodpecker_ci_agent" title="woodpecker_ci_agent" type="rss" htmlUrl="https://github.com/woodpecker-ci/woodpecker" xmlUrl="https://github.com/woodpecker-ci/woodpecker/releases.atom" />
<outline text="woodpecker_ci_server" title="woodpecker_ci_server" type="rss" htmlUrl="https://github.com/woodpecker-ci/woodpecker" xmlUrl="https://github.com/woodpecker-ci/woodpecker/releases.atom" />
</body>

@ -65,6 +65,14 @@ mash_playbook_reverse_proxy_type: none
# Also see `devture_docker_sdk_for_python_installation_enabled`.
mash_playbook_docker_installation_enabled: false
mash_playbook_docker_installation_daemon_options: "{{ mash_playbook_docker_installation_daemon_options_auto | combine(mash_playbook_docker_installation_daemon_options_custom, recursive=True) }}"
mash_playbook_docker_installation_daemon_options_auto:
experimental: "{{ devture_systemd_docker_base_ipv6_enabled }}"
ip6tables: "{{ devture_systemd_docker_base_ipv6_enabled }}"
mash_playbook_docker_installation_daemon_options_custom: {}
# Controls whether to attach Traefik labels to services.
# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook,
# yet still use Traefik installed in another way.
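Review bot: `mash_playbook_docker_installation_daemon_options_custom: {}` is the only new variable here without a comment, although it is the one operators are meant to set; a line saying that it is deep-merged over `_auto` via `combine(..., recursive=True)` and that its keys take precedence would match the commenting style of the surrounding block and make clear that `experimental`/`ip6tables` should normally be steered through `devture_systemd_docker_base_ipv6_enabled` rather than overridden here.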

@ -438,11 +438,6 @@ mash_playbook_devture_systemd_service_manager_services_list_auto_itemized:
{{ ({'name': (nextcloud_identifier + '-cron.timer'), 'priority': 2500, 'groups': ['mash', 'nextcloud', 'nextcloud-cron']} if nextcloud_enabled else omit) }}
# /role-specific:nextcloud
# role-specific:mariadb
- |-
{{ ({'name': (mariadb_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'mariadb']} if mariadb_enabled else omit) }}
# /role-specific:mariadb
# role-specific:notfellchen
- |-
{{ ({'name': (notfellchen_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'notfellchen']} if notfellchen_enabled else omit) }}
@ -450,6 +445,16 @@ mash_playbook_devture_systemd_service_manager_services_list_auto_itemized:
{{ ({'name': (notfellchen_sws_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'notfellchen', 'notfellchen-sws']} if notfellchen_enabled else omit) }}
# /role-specific:notfellchen
# role-specific:mariadb
- |-
{{ ({'name': (mariadb_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'mariadb']} if mariadb_enabled else omit) }}
# /role-specific:mariadb
# role-specific:oauth2_proxy
- |-
{{ ({'name': (oauth2_proxy_identifier + '.service'), 'priority': 1900, 'groups': ['mash', 'oauth2-proxy']} if oauth2_proxy_enabled else omit) }}
# /role-specific:oauth2_proxy
# role-specific:outline
- |-
{{ ({'name': (outline_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'outline']} if outline_enabled else omit) }}
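Review bot: `oauth2_proxy` is registered with priority `1900` while every other application service in these hunks uses `2000` and the database `500`; if the intent is to have the proxy start ahead of the services it protects, a comment saying so would keep the next editor from "normalising" it to 2000. The previous hunk deletes the `mariadb` block and this one re-inserts it unchanged after `notfellchen`, which only reorders the list; harmless, but unrelated to adding oauth2_proxy and it makes the diff larger than it needs to be.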
@ -465,6 +470,11 @@ mash_playbook_devture_systemd_service_manager_services_list_auto_itemized:
{{ ({'name': (oxitraffic_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'oxitraffic']} if oxitraffic_enabled else omit) }}
# /role-specific:oxitraffic
# role-specific:paperless
- |-
{{ ({'name': (paperless_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'paperless']} if paperless_enabled else omit) }}
# /role-specific:paperless
# role-specific:peertube
- |-
{{ ({'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']} if peertube_enabled else omit) }}
@ -854,6 +864,18 @@ mash_playbook_devture_postgres_managed_databases_auto_itemized:
}}
# /role-specific:oxitraffic
# role-specific:paperless
- |-
{{
({
'name': paperless_database_name,
'username': paperless_database_username,
'password': paperless_database_password,
} if paperless_enabled and paperless_database_hostname == devture_postgres_identifier else omit)
}}
# /role-specific:paperless
# role-specific:peertube
- |-
{{
@ -1034,13 +1056,7 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ mash_playbook
# #
########################################################################
docker_daemon_options: |
{{
{
'experimental': devture_systemd_docker_base_ipv6_enabled,
'ip6tables': devture_systemd_docker_base_ipv6_enabled,
}
}}
docker_daemon_options: "{{ mash_playbook_docker_installation_daemon_options }}"
########################################################################
# #
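Review bot: `mash_playbook_docker_installation_daemon_options` is not defined anywhere in this diff, and the removed inline block was the only place where `experimental` and `ip6tables` were tied to `devture_systemd_docker_base_ipv6_enabled`; confirm the new variable is defined with those two keys (or that the docker role now supplies them), otherwise toggling IPv6 no longer reaches the Docker daemon configuration and the regression is silent.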
@ -3918,6 +3934,38 @@ outline_database_sslmode: "{{ 'disable' if devture_postgres_enabled and outline_
# role-specific:oauth2_proxy
########################################################################
# #
# oauth2_proxy #
# #
########################################################################
oauth2_proxy_enabled: false
oauth2_proxy_identifier: "{{ mash_playbook_service_identifier_prefix }}oauth2-proxy"
oauth2_proxy_uid: "{{ mash_playbook_uid }}"
oauth2_proxy_gid: "{{ mash_playbook_gid }}"
oauth2_proxy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}oauth2-proxy"
oauth2_proxy_container_network: "{{ (mash_playbook_reverse_proxyable_services_additional_network if mash_playbook_traefik_labels_enabled else '') | default(oauth2_proxy_identifier) }}"
oauth2_proxy_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
oauth2_proxy_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
oauth2_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
oauth2_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /oauth2_proxy #
# #
########################################################################
# /role-specific:oauth2_proxy
# role-specific:owncast
########################################################################
# #
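Review bot: `oauth2_proxy_container_network` will not fall back to `oauth2_proxy_identifier` when Traefik labels are disabled: the Jinja `default` filter only replaces undefined values, and `(... if mash_playbook_traefik_labels_enabled else '')` yields a defined empty string, so the container network ends up `''`. Either pass the boolean flag, `| default(oauth2_proxy_identifier, true)`, so empty values are replaced too, or drop the `else ''` so the false branch is undefined and the default applies.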
@ -4000,6 +4048,54 @@ oxitraffic_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certRe
# /role-specific:oxitraffic
# role-specific:paperless
########################################################################
# #
# paperless #
# #
########################################################################
paperless_enabled: false
paperless_identifier: "{{ mash_playbook_service_identifier_prefix }}paperless"
paperless_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}paperless"
paperless_uid: "{{ mash_playbook_uid }}"
paperless_gid: "{{ mash_playbook_gid }}"
paperless_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
paperless_database_username: "paperless"
paperless_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
paperless_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.paperless', rounds=655555) | to_uuid }}"
paperless_systemd_required_services_list: |
{{
(['docker.service'])
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and paperless_database_hostname == devture_postgres_identifier else [])
}}
paperless_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and paperless_database_hostname == devture_postgres_identifier and paperless_container_network != devture_postgres_container_network else [])
}}
paperless_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
paperless_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
paperless_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
paperless_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /paperless #
# #
########################################################################
# /role-specific:paperless
# role-specific:peertube
########################################################################
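Review bot: `paperless_container_additional_networks_auto` compares against `paperless_container_network`, which is not defined in this block although every other `paperless_*` input it uses is; confirm the role's defaults define it, otherwise the template fails as soon as Postgres is enabled. Also, `paperless_database_password` is derived deterministically from `mash_playbook_generic_secret_key` via `password_hash('sha512', 'db.paperless', rounds=655555) | to_uuid`, so this credential is exactly as secret as the generic key and cannot be rotated on its own; a short comment noting that operators may override `paperless_database_password` with an independent secret would make that trade-off visible.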

View file

@ -21,7 +21,7 @@
name: authelia
activation_prefix: authelia_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
version: v2024.2.3-0
version: v2024.4.1-0
name: authentik
activation_prefix: authentik_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
@ -29,11 +29,11 @@
name: auxiliary
activation_prefix: aux_
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.8-1.8.10-0
version: v1.2.8-1.8.11-0
name: backup_borg
activation_prefix: backup_borg_
- src: git+https://github.com/nielscil/ansible-role-changedetection.git
version: v0.45.17-0
version: v0.45.21-0
name: changedetection
activation_prefix: changedetection_
- src: git+https://gitlab.com/etke.cc/roles/cleanup.git
@ -57,7 +57,7 @@
name: docker
activation_prefix: mash_playbook_docker_installation_enabled
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
version: v2.8.3-1
version: v2.8.3-2
name: docker_registry
activation_prefix: docker_registry_enabled
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git
@ -93,7 +93,7 @@
name: fail2ban
activation_prefix: system_security_fail2ban_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git
version: v0.7.36-0
version: v0.7.36-1
name: firezone
activation_prefix: firezone_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git
@ -101,7 +101,7 @@
name: focalboard
activation_prefix: focalboard_
- src: git+https://github.com/NeonMinnen/ansible-role-forgejo.git
version: v1.21.10-0-0
version: v1.21.11-1-0
name: forgejo
activation_prefix: forgejo_
- src: git+https://github.com/kinduff/ansible-docker-freshrss.git
@ -109,7 +109,7 @@
name: freshrss
activation_prefix: freshrss_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-funkwhale.git
version: v1.4.0-3
version: v1.4.0-5
name: funkwhale
activation_prefix: funkwhale_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
@ -145,7 +145,7 @@
name: influxdb
activation_prefix: influxdb_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v9364-1
version: v9457-3
name: jitsi
activation_prefix: jitsi_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git
@ -177,7 +177,7 @@
name: mariadb
activation_prefix: mariadb_
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
version: v2.1.2-0
version: v2.1.3-0
name: miniflux
activation_prefix: miniflux_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mobilizon.git
@ -201,7 +201,7 @@
name: n8n
activation_prefix: n8n_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git
version: v0.51.1-0
version: v0.52.0-0
name: navidrome
activation_prefix: navidrome_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-netbox.git
@ -209,13 +209,17 @@
name: netbox
activation_prefix: netbox_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
version: v28.0.2-1
version: v28.0.4-0
name: nextcloud
activation_prefix: nextcloud_
- src: git+https://codeberg.org/moanos/ansible-role-notfellchen.git
version: v0.1.0-2
name: notfellchen
activation_prefix: notfellchen_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy.git
version: v7.6.0-1
name: oauth2_proxy
activation_prefix: oauth2_proxy_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-outline.git
version: v0.74.0-0-0
name: outline
@ -228,6 +232,9 @@
version: v0.9.0-0
name: oxitraffic
activation_prefix: oxitraffic_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-paperless.git
version: v2.7.2-1
name: paperless
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git
version: v6.0.4-0
name: peertube
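Review bot: the new `paperless` entry lacks `activation_prefix`, which every sibling entry in this file carries (`activation_prefix: oxitraffic_` directly above, `activation_prefix: peertube_` for the entry below); tooling that selects roles by activation prefix will not handle this role like the others, so add `activation_prefix: paperless_` after `name: paperless`.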
@ -265,7 +272,7 @@
name: prometheus_blackbox_exporter
activation_prefix: prometheus_blackbox_exporter_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
version: v1.7.0-3
version: v1.8.0-0
name: prometheus_node_exporter
activation_prefix: prometheus_node_exporter_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
@ -345,7 +352,7 @@
name: traefik
activation_prefix: devture_traefik_
- src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
version: v1.23.11-0
version: v1.23.13-0
name: uptime_kuma
activation_prefix: uptime_kuma_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
@ -357,7 +364,7 @@
name: wetty
activation_prefix: wetty_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-wg-easy.git
version: v7-1
version: v12-0
name: wg_easy
activation_prefix: wg_easy_
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
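Review bot: the `wg_easy` role moves from `v7-1` to `v12-0`, several major versions in a single step, while every other bump in this file is a patch or minor increment; note in the commit message, or link the role's changelog, any renamed or removed variables so operators upgrading from the older pin know what to check first.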

View file

@ -274,6 +274,10 @@
- role: galaxy/nextcloud
# /role-specific:nextcloud
# role-specific:oauth2_proxy
- role: galaxy/oauth2_proxy
# /role-specific:oauth2_proxy
# role-specific:owncast
- role: galaxy/owncast
# /role-specific:owncast
@ -286,6 +290,10 @@
- role: galaxy/oxitraffic
# /role-specific:oxitraffic
# role-specific:paperless
- role: galaxy/paperless
# /role-specific:paperless
# role-specific:peertube
- role: galaxy/peertube
# /role-specific:peertube