From 687e1bd0016d91943db939e909144669e18c8ab7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Apr 2024 08:18:01 +0300 Subject: [PATCH 01/27] Add support easily passing additional Docker daemon options Provoked by: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3247#issuecomment-2067207227 --- roles/mash/playbook_base/defaults/main.yml | 8 ++++++++ templates/group_vars_mash_servers | 8 +------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/roles/mash/playbook_base/defaults/main.yml b/roles/mash/playbook_base/defaults/main.yml index 380e934..ca7278a 100644 --- a/roles/mash/playbook_base/defaults/main.yml +++ b/roles/mash/playbook_base/defaults/main.yml @@ -65,6 +65,14 @@ mash_playbook_reverse_proxy_type: none # Also see `devture_docker_sdk_for_python_installation_enabled`. mash_playbook_docker_installation_enabled: false +mash_playbook_docker_installation_daemon_options: "{{ mash_playbook_docker_installation_daemon_options_auto | combine(mash_playbook_docker_installation_daemon_options_custom, recursive=True) }}" + +mash_playbook_docker_installation_daemon_options_auto: + experimental: "{{ devture_systemd_docker_base_ipv6_enabled }}" + ip6tables: "{{ devture_systemd_docker_base_ipv6_enabled }}" + +mash_playbook_docker_installation_daemon_options_custom: {} + # Controls whether to attach Traefik labels to services. # This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook, # yet still use Traefik installed in another way. diff --git a/templates/group_vars_mash_servers b/templates/group_vars_mash_servers index 838c91b..df836b6 100644 --- a/templates/group_vars_mash_servers +++ b/templates/group_vars_mash_servers 
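Review bot: `mash_playbook_docker_installation_daemon_options_custom` is a free-form hook into the Docker daemon configuration (it feeds `docker_daemon_options`, which the Docker role presumably renders to `/etc/docker/daemon.json`), yet nothing warns that some keys materially widen the attack surface; I would add above it: `# Extra daemon options merged over the auto-generated ones. Do not set a tcp:// "hosts" listener without TLS client auth, and avoid "insecure-registries": the former exposes the root-equivalent Docker API, the latter disables image-pull verification.` Separately, `combine(..., recursive=True)` merges nested mappings but replaces list values outright (its default list_merge is replace), so a list-valued custom key overrides rather than extends the auto-generated one; harmless today because the auto map only holds two booleans, but worth a one-line comment so nobody relies on list appending later.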
@@ -1016,13 +1016,7 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ mash_playbook # # ######################################################################## -docker_daemon_options: | - {{ - { - 'experimental': devture_systemd_docker_base_ipv6_enabled, - 'ip6tables': devture_systemd_docker_base_ipv6_enabled, - } - }} +docker_daemon_options: "{{ mash_playbook_docker_installation_daemon_options }}" ######################################################################## # # From 619292c158dff5bd00719f4501a239a9d31558c0 Mon Sep 17 00:00:00 2001 From: M <98937938+NeonMinnen@users.noreply.github.com> Date: Sat, 20 Apr 2024 05:48:02 -0700 Subject: [PATCH 02/27] Upgrade (v1.21.10-0-0 > v1.21.11-0-0) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index 2c1f7be..14f11dc 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -101,7 +101,7 @@ name: focalboard activation_prefix: focalboard_ - src: git+https://github.com/NeonMinnen/ansible-role-forgejo.git - version: v1.21.10-0-0 + version: v1.21.11-0-0 name: forgejo activation_prefix: forgejo_ - src: git+https://github.com/kinduff/ansible-docker-freshrss.git From 9b7128265beade0d04d6b3ee21779145a37498dc Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 22 Apr 2024 18:46:36 +0300 Subject: [PATCH 03/27] update changedetection, firezone (role), uptime kuma --- VERSIONS.md | 8 ++++---- releases.opml | 1 + templates/requirements.yml | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/VERSIONS.md b/VERSIONS.md index 483ebdf..7625376 100644 --- a/VERSIONS.md +++ b/VERSIONS.md 
@@ -3,10 +3,10 @@ * Apisix Gateway: 3.8.0 * Appsmith: v1.9.50 * Authelia: 4.37.5 -* Authentik: 2024.2.2 +* Authentik: 2024.2.3 * Borg: 1.2.8 * Borgmatic: 1.8.10 -* Changedetection: 0.45.17 +* Changedetection: 0.45.20 * Changedetection Playwright Driver: latest * Clickhouse: 23.10.5.20 * Collabora Online: 22.05.13.1.1 @@ -21,7 +21,7 @@ * Exim Relay: 4.97.1-r0-0 * Firezone: 0.7.36 * Focalboard: 7.10.4 -* Forgejo: 1.21.10-0 +* Forgejo: 1.21.11-0 * Freshrss: 1.23.0 * Funkwhale: 1.4.0 * Gitea: 1.21.11 @@ -73,7 +73,7 @@ * Tandoor Frontend: 1.25.4-alpine * Telegraf: 1.27.1 * Traefik: v2.11.2 -* Uptime Kuma: 1.23.11 +* Uptime Kuma: 1.23.12 * Vaultwarden: 1.30.5 * Wetty: 2.5 * Wg Easy: 7 diff --git a/releases.opml b/releases.opml index 4af13d5..eeec4af 100644 --- a/releases.opml +++ b/releases.opml @@ -19,6 +19,7 @@ + diff --git a/templates/requirements.yml b/templates/requirements.yml index 14f11dc..67ce67b 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -33,7 +33,7 @@ name: backup_borg activation_prefix: backup_borg_ - src: git+https://github.com/nielscil/ansible-role-changedetection.git - version: v0.45.17-0 + version: v0.45.20-0 name: changedetection activation_prefix: changedetection_ - src: git+https://gitlab.com/etke.cc/roles/cleanup.git @@ -93,7 +93,7 @@ name: fail2ban activation_prefix: system_security_fail2ban_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git - version: v0.7.36-0 + version: v0.7.36-1 name: firezone activation_prefix: firezone_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git @@ -341,7 +341,7 @@ name: traefik activation_prefix: devture_traefik_ - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git - version: v1.23.11-0 + version: v1.23.12-0 name: uptime_kuma activation_prefix: uptime_kuma_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git From 74c52bec2d608fd159c9ce788887746d64c25c26 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 23 Apr 2024 11:49:55 +0300 Subject: [PATCH 04/27] Add OAuth2-Proxy support --- docs/services/authelia.md | 1 + docs/services/hubsite.md | 5 +- docs/services/keycloak.md | 6 ++ docs/services/oauth2-proxy.md | 158 ++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + templates/group_vars_mash_servers | 37 +++++++ templates/requirements.yml | 4 + templates/setup.yml | 4 + 8 files changed, 215 insertions(+), 1 deletion(-) create mode 100644 docs/services/oauth2-proxy.md diff --git a/docs/services/authelia.md b/docs/services/authelia.md index a3bc5e7..ed97546 100644 --- a/docs/services/authelia.md +++ b/docs/services/authelia.md @@ -196,3 +196,4 @@ If a dedicated variable is not available for you to use or if you wish to overri - [authentik](authentik.md) - An open-source Identity Provider focused on flexibility and versatility. - [Keycloak](keycloak.md) - An open source identity and access management solution +- [OAuth2-Proxy](oauth2-proxy.md) - A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Authentik](authentik.md), [Keycloak](keycloak.md), and others) to SSO-protect services which do not support SSO natively diff --git a/docs/services/hubsite.md b/docs/services/hubsite.md index 8b55974..9eb6d3a 100644 --- a/docs/services/hubsite.md +++ b/docs/services/hubsite.md 
@@ -24,7 +24,7 @@ hubsite_subtitle: "Just click on a service to use it" # ([{'name': 'My blog', 'url': 'https://example.com', 'logo_location': '', 'description': 'A link to a blog not hosted by this playbook', 'priority': 1000 }]) # }} -# If you want to explicitly control which services you want to show on this page you can overwrite +# If you want to explicitly control which services you want to show on this page you can overwrite # hubsite_service_list_auto: | # {{ # ([{'name': 'Miniflux', 'url': hubsite_service_miniflux_url, 'logo_location': '{{ role_path }}/assets/miniflux.png', 'description': 'An opinionated feed reader', 'priority': hubsite_service_miniflux_priority}] if hubsite_service_miniflux_enabled else []) @@ -36,3 +36,6 @@ hubsite_subtitle: "Just click on a service to use it" # /hubsite # # # ######################################################################## +``` + +You can SSO-protect this website with the help of [Authelia](authelia.md) or [OAuth2-Proxy](oauth2-proxy.md) (connected to any OIDC provider). diff --git a/docs/services/keycloak.md b/docs/services/keycloak.md index 3d29ee5..06b6c65 100644 --- a/docs/services/keycloak.md +++ b/docs/services/keycloak.md @@ -54,8 +54,14 @@ On each start after that, Keycloak will attempt to create the user again and rep Subsequent changes to the password will not affect an existing user's password. + ## Usage After installation, you can go to the Keycloak URL, as defined in `keycloak_hostname` and `keycloak_path_prefix` and log in as described in [Authentication](#authentication). Follow the [Keycloak documentation](https://www.keycloak.org/documentation) or other guides for learning how to use Keycloak. + + +## Related services + +- [OAuth2-Proxy](oauth2-proxy.md) - A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Authentik](authentik.md), [Keycloak](keycloak.md), and others) to SSO-protect services which do not support SSO natively 
diff --git a/docs/services/oauth2-proxy.md b/docs/services/oauth2-proxy.md new file mode 100644 index 0000000..0f05a34 --- /dev/null +++ b/docs/services/oauth2-proxy.md 
@@ -0,0 +1,158 @@ +# OAuth2-Proxy + +[OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) is a reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Authentik](authentik.md), [Keycloak](keycloak.md), and others) to SSO-protect services which do not support SSO natively. + + +## Modes of operation + +OAuth2-Proxy can be used in 2 different modes: + +1. Capturing incoming traffic for the app (e.g. https://app.example.com/), and then proxying it to the application container if the user is authenticated + +2. Letting the application itself capture incoming traffic for itself (on https://app.example.com/) and use Traefik's [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware to authenticate the request via OAuth2-Proxy. In this case, OAuth2-Proxy will only handle the `/oauth2/` prefix on the application domain (e.g. https://app.example.com/oauth/). + +The 1st one is a bit invasive, as it requires moving all custom reverse-proxying configuration for the handled domain to the OAuth2-Proxy side. + +The 2nd one lets you keep the existing application configuration. However, it needs all URLs to go to one service (the application) with the exception of `/oauth2/` (which should go to OAuth2-Proxy). As such, it it requires that both services (the application and OAuth2-Proxy) run on the same machine. + +Our [Sample configuration](#sample-configuration) below uses [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/). + +The [OAuth2-Proxy Ansible role](https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy) should be flexible enough to let you reconfigure it for both modes of operation. However, if feasible, we recommend using the 2nd (ForwardAuth) method. + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server +- an OIDC provider running anywhere. 
See [Choosing a provider](#choosing-a-provider). + + +## Choosing a provider + +To use OAuth2-Proxy, you need to choose an [OIDC provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). + +This can be any of the supported providers. If hosting your own (via this playbook or via other means), the OIDC provider may be hosted anywhere (not necessarily on the same server as OAuth2-Proxy or the service you're SSO-protecting). + + +## Sample configuration + +The configuration is [provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/)-specific and also depends on the the service you're SSO-protecting, on which server it runs (in relation to OAuth-Proxy), etc. + +Below is a **sample** configuration for protecting a static website (in this case powered by the [Hubsite](hubsite.md)) service via [Keycloak](keycloak.md). + +For this to work as described here, both OAuth2-Proxy and the protected service (e.g. [Hubsite](hubsite.md)) need to run on the same machine. + +Keycloak may run anywhere. + +You also need to have prepared Keycloak and a "Client app" for it, according to the [Keycloak OIDC](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc) documentation of OAuth2-Proxy. 
+ + +#### OAuth2-Proxy configuration + +```yaml +######################################################################## +# # +# oauth2_proxy # +# # +######################################################################## + +oauth2_proxy_enabled: true + +oauth2_proxy_environment_variable_provider: keycloak-oidc +oauth2_proxy_environment_variable_provider_display_name: SSO + +oauth2_proxy_environment_variable_client_id: hubsite +oauth2_proxy_environment_variable_client_secret: '' +oauth2_proxy_environment_variable_oidc_issuer_url: https://keycloak.example.com/realms/my-realm +oauth2_proxy_environment_variable_redirect_url: "https://{{ hubsite_hostname }}/oauth2/callback" + +oauth2_proxy_environment_variable_code_challenge_method: S256 + +# Generate this with: `python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'` +oauth2_proxy_environment_variable_cookie_secret: '' + +oauth2_proxy_container_labels_additional_labels: | + traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.rule=Host(`{{ hubsite_hostname }}`) && PathPrefix(`/oauth2/`) + traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.service={{ oauth2_proxy_identifier }} + traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.entrypoints={{ oauth2_proxy_container_labels_traefik_entrypoints }} + traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.tls={{ oauth2_proxy_container_labels_traefik_tls }} + traefik.http.routers.{{ oauth2_proxy_identifier }}-hubsite.tls.certResolver={{ oauth2_proxy_container_labels_traefik_tls_certResolver }} + +######################################################################## +# # +# /oauth2_proxy # +# # +######################################################################## +``` + +After adding this to your `vars.yml` file, [re-run the playbook](../installing.md): `just install-service oauth-2proxy`. + +This merely configures OAuth2-Proxy to handle the `/oauth2/` paths for Hubsite's domain. 
+ +[Hubsite configuration adjustments](#hubsite-configuration-adjustments) are also necessary, so proceed to do those as well. + + +### Hubsite configuration adjustments + +Now that OAuth2-Proxy is ready and handling the `/oauth2/` paths on the domain Hubsite is running, we need to set up Traefik's [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middlware, so that all Hubsite requests would consult OAuth2-Proxy. + +The configuration described below is based on the official [Configuring for use with the Traefik (v2) ForwardAuth middleware](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#configuring-for-use-with-the-traefik-v2-forwardauth-middleware) documentation of OAuth2-Proxy. + +```yml +######################################################################## +# # +# hubsite # +# # +######################################################################## + +# Your other Hubsite configuration goes here. +# See the documentation in hubsite.md. + +hubsite_container_labels_additional_labels: | + # Create a middleware which catches "unauthenticated" errors and serves the OAuth-Proxy sign in page. + traefik.http.middlewares.{{ hubsite_identifier }}-oauth-errors.errors.status=401-403 + traefik.http.middlewares.{{ hubsite_identifier }}-oauth-errors.errors.service={{ oauth2_proxy_identifier }} + traefik.http.middlewares.{{ hubsite_identifier }}-oauth-errors.errors.query=/oauth2/sign_in?rd={url} + + # Create a middlware which passes each incoming request to OAuth2-Proxy, + # so it can decide whether it should be let through (to Hubsite) or should blocked (serving the OAuth2-Proxy sign in page). 
+ traefik.http.middlewares.{{ hubsite_identifier }}-oauth-auth.forwardAuth.address=http://{{ oauth2_proxy_identifier }}:{{ oauth2_proxy_container_process_http_port }}/oauth2/auth + + traefik.http.middlewares.{{ hubsite_identifier }}-oauth-auth.forwardAuth.trustForwardHeader=true + + # Let a few HTTP headers set by OAuth2-Proxy get passed to Hubsite. + # Hubsite is a static website, so it cannot make use of them. + # Nevertheless, this is here as an example of how you can whitelist headers, + # so that applications which can make use of these headers can benefit from it. + # See more information about this in the comments for `oauth2_proxy_environment_variable_set_xauthrequest`. + traefik.http.middlewares.{{ hubsite_identifier }}-oauth-auth.forwardAuth.authResponseHeaders=X-Auth-Request-Preferred-Username, X-Auth-Request-Groups + + # Inject the 2 middlewares defined above into the router of the Hubsite service + traefik.http.routers.{{ hubsite_identifier }}.middlewares={{ hubsite_identifier }}-oauth-errors,{{ hubsite_identifier }}-oauth-auth + +######################################################################## +# # +# /hubsite # +# # +######################################################################## +``` + +After adding this to your `vars.yml` file, [re-run the playbook](../installing.md): `just install-service hubsite`. + +Some [services](../supported-services.md) already define their own `middlewares` in their Traefik `labels` file, so you may not be able to inject new ones the same way as done for Hubsite above. + +Specific services (e.g. [Nextcloud](./nextcloud.md)) provide Ansible variables (`nextcloud_container_labels_traefik_http_middlewares_custom`) for injecting new middlewares at a specific position (priority) in the list. Others services (Ansible roles) do not support this yet, which would prevent you from using them this way. Consider submitting an issue or better yet opening a PR to improve these services. 
+ + +## Further reading + +If you'd like to do something more advanced, the [`ansible-role-oauth2-proxy` Ansible role](https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy) is very configurable and should let you do what you need. + +Take a look at [its `default/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy/blob/main/defaults/main.yml) for available Ansible variables you can use in your own `vars.yml` configuration file. + + +## Related services + +- [authentik](authentik.md) - An open-source Identity Provider focused on flexibility and versatility. +- [Keycloak](keycloak.md) - An open source identity and access management solution +- [Authelia](authelia.md) - An open-source authentication and authorization server that can work as a companion to [common reverse proxies](https://www.authelia.com/overview/prologue/supported-proxies/) (like [Traefik](traefik.md) frequently used by this playbook) diff --git a/docs/supported-services.md b/docs/supported-services.md index d9e0f6d..975a27e 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md 
@@ -51,6 +51,7 @@ | [NetBox](https://docs.netbox.dev/en/stable/) | Web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality | [Link](services/netbox.md) | | [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) | | [Outline](https://www.getoutline.com/) | An open-source knowledge base for growing teams. | [Link](services/outline.md) | +| [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) | A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Keycloak](services/keycloak.md), and others) to SSO-protect services which do not support SSO natively. | [Link](services/oauth2-proxy.md) | | [Owncast](https://owncast.online/) | Owncast is a free and open source live video and web chat server for use with existing popular broadcasting software. | [Link](services/owncast.md) | | [OxiTraffic](https://codeberg.org/mo8it/oxitraffic) | [OxiTraffic](https://codeberg.org/mo8it/oxitraffic) is a self-hosted, simple and privacy respecting website traffic tracker. | [Link](services/oxitraffic.md) | | [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) | diff --git a/templates/group_vars_mash_servers b/templates/group_vars_mash_servers index df836b6..f04eb29 100644 --- a/templates/group_vars_mash_servers +++ b/templates/group_vars_mash_servers 
@@ -443,6 +443,11 @@ mash_playbook_devture_systemd_service_manager_services_list_auto_itemized: {{ ({'name': (mariadb_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'mariadb']} if mariadb_enabled else omit) }} # /role-specific:mariadb + # role-specific:oauth2_proxy + - |- + {{ ({'name': (oauth2_proxy_identifier + '.service'), 'priority': 1900, 'groups': ['mash', 'oauth2-proxy']} if oauth2_proxy_enabled else omit) }} + # /role-specific:oauth2_proxy + # role-specific:outline - |- {{ ({'name': (outline_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'outline']} if outline_enabled else omit) }} 
@@ -3836,6 +3841,38 @@ outline_database_sslmode: "{{ 'disable' if devture_postgres_enabled and outline_ +# role-specific:oauth2_proxy +######################################################################## +# # +# oauth2_proxy # +# # +######################################################################## + +oauth2_proxy_enabled: false + +oauth2_proxy_identifier: "{{ mash_playbook_service_identifier_prefix }}oauth2-proxy" + +oauth2_proxy_uid: "{{ mash_playbook_uid }}" +oauth2_proxy_gid: "{{ mash_playbook_gid }}" + +oauth2_proxy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}oauth2-proxy" + +oauth2_proxy_container_network: "{{ (mash_playbook_reverse_proxyable_services_additional_network if mash_playbook_traefik_labels_enabled else '') | default(oauth2_proxy_identifier) }}" + +oauth2_proxy_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +oauth2_proxy_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +oauth2_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +oauth2_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /oauth2_proxy # +# # +######################################################################## +# /role-specific:oauth2_proxy + + + # role-specific:owncast ######################################################################## # # diff --git a/templates/requirements.yml b/templates/requirements.yml index 67ce67b..f7b8d67 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml 
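Review bot: `oauth2_proxy_container_network` resolves to an empty string rather than to `oauth2_proxy_identifier` when `mash_playbook_traefik_labels_enabled` is false, because Jinja's `default()` only substitutes for undefined values and `''` is a defined value; the line should use the boolean form `oauth2_proxy_container_network: "{{ (mash_playbook_reverse_proxyable_services_additional_network if mash_playbook_traefik_labels_enabled else '') | default(oauth2_proxy_identifier, true) }}"`. The rest of the block mirrors the neighbouring service definitions. The hunk sits between the `outline` and `owncast` blocks, both of which extend outside it.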
@@ -212,6 +212,10 @@ version: v28.0.2-1 name: nextcloud activation_prefix: nextcloud_ +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy.git + version: v7.6.0-1 + name: oauth2_proxy + activation_prefix: oauth2_proxy_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-outline.git version: v0.74.0-0-0 name: outline diff --git a/templates/setup.yml b/templates/setup.yml index f9f078a..a004809 100644 --- a/templates/setup.yml +++ b/templates/setup.yml @@ -274,6 +274,10 @@ - role: galaxy/nextcloud # /role-specific:nextcloud + # role-specific:oauth2_proxy + - role: galaxy/oauth2_proxy + # /role-specific:oauth2_proxy + # role-specific:owncast - role: galaxy/owncast # /role-specific:owncast From 1172ba3dd76c0df368a50804941b3083eb17164a Mon Sep 17 00:00:00 2001 From: M <98937938+NeonMinnen@users.noreply.github.com> Date: Tue, 23 Apr 2024 06:43:23 -0700 Subject: [PATCH 05/27] Upgrade Forgejo (v1.21.11-0-0 -> v.1.21.11-1-0) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index f7b8d67..3de0a5e 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -101,7 +101,7 @@ name: focalboard activation_prefix: focalboard_ - src: git+https://github.com/NeonMinnen/ansible-role-forgejo.git - version: v1.21.11-0-0 + version: v1.21.11-1-0 name: forgejo activation_prefix: forgejo_ - src: git+https://github.com/kinduff/ansible-docker-freshrss.git From db0510a43be2fa751b4f5df6ddff3e222f49a614 Mon Sep 17 00:00:00 2001 From: Aine Date: Wed, 24 Apr 2024 18:14:45 +0300 Subject: [PATCH 06/27] prometheus node exporter v1.8.0 --- VERSIONS.md | 5 +++-- releases.opml | 1 + templates/requirements.yml | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/VERSIONS.md b/VERSIONS.md index 7625376..15d6b21 100644 --- a/VERSIONS.md +++ b/VERSIONS.md 
@@ -21,7 +21,7 @@ * Exim Relay: 4.97.1-r0-0 * Firezone: 0.7.36 * Focalboard: 7.10.4 -* Forgejo: 1.21.11-0 +* Forgejo: 1.21.11-1 * Freshrss: 1.23.0 * Funkwhale: 1.4.0 * Gitea: 1.21.11 @@ -51,13 +51,14 @@ * Netbox: v3.7.0-2.8.0 * Netbox Container Image Customizations Keycloak Sso Expiration Middleware: a2ac39b1c73a50742c6e834e89162f87528c7f73 * Nextcloud: 28.0.2 +* Oauth2 Proxy: v7.6.0 * Outline: 0.74.0-0 * Owncast: 0.1.2 * Oxitraffic: 0.9.0 * Peertube: v6.0.4 * Prometheus: v2.51.2 * Prometheus Blackbox Exporter: v0.25.0 -* Prometheus Node Exporter: v1.7.0 +* Prometheus Node Exporter: v1.8.0 * Prometheus Postgres Exporter: v0.14.0 * Prometheus Ssh Exporter: v1.5.0 * Promtail: 2.9.5 diff --git a/releases.opml b/releases.opml index eeec4af..4a1c607 100644 --- a/releases.opml +++ b/releases.opml @@ -40,6 +40,7 @@ + diff --git a/templates/requirements.yml b/templates/requirements.yml index 3de0a5e..df94263 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -265,7 +265,7 @@ name: prometheus_blackbox_exporter activation_prefix: prometheus_blackbox_exporter_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git - version: v1.7.0-3 + version: v1.8.0-0 name: prometheus_node_exporter activation_prefix: prometheus_node_exporter_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git From a62588c3040c59d0d5fe26ec41e4d2f6d628892c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Apr 2024 21:39:47 +0300 Subject: [PATCH 07/27] Upgrade Nextcloud (v28.0.2-1 -> v28.0.4-0) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index df94263..19c5fb9 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml 
@@ -209,7 +209,7 @@ name: netbox activation_prefix: netbox_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git - version: v28.0.2-1 + version: v28.0.4-0 name: nextcloud activation_prefix: nextcloud_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-oauth2-proxy.git From 16b9b5d167c85aa4337862c5c77b110ffcc78837 Mon Sep 17 00:00:00 2001 From: adam-kress Date: Wed, 24 Apr 2024 17:17:28 -0400 Subject: [PATCH 08/27] Upgrade Jitsi (v9364-1 -> v9457-0) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index 19c5fb9..42dff0b 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -145,7 +145,7 @@ name: influxdb activation_prefix: influxdb_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9364-1 + version: v9457-0 name: jitsi activation_prefix: jitsi_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git From 99d79b7170717d32ce7c23fea39f108ace74f3b1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Apr 2024 06:52:48 +0300 Subject: [PATCH 09/27] Upgrade Jitsi (v9457-0 -> v9457-1) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index 42dff0b..c5d4600 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -145,7 +145,7 @@ name: influxdb activation_prefix: influxdb_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9457-0 + version: v9457-1 name: jitsi activation_prefix: jitsi_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git From 22c752d36a3ac29cb80ef79cd4f7c08afd2fb96a Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 25 Apr 2024 13:30:28 +0300 Subject: [PATCH 10/27] Upgrade Jitsi (v9457-1 -> v9457-2) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index c5d4600..b9472a7 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -145,7 +145,7 @@ name: influxdb activation_prefix: influxdb_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9457-1 + version: v9457-2 name: jitsi activation_prefix: jitsi_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git From af6d631b10de94f8aef8a03839dbcfa41951b1ad Mon Sep 17 00:00:00 2001 From: Katherine Door Date: Fri, 26 Apr 2024 21:44:19 +0200 Subject: [PATCH 11/27] Update project link for WG Easy --- docs/supported-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/supported-services.md b/docs/supported-services.md index 975a27e..9afacaf 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md 
@@ -78,7 +78,7 @@ | [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) | | [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) | | [Wetty](https://github.com/butlerx/wetty) | An SSH terminal over HTTP/HTTPS | [Link](services/wetty.md) | -| [WireGuard Easy](https://github.com/WeeJeWel/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) | +| [WireGuard Easy](https://github.com/wg-easy/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) | | [Forgejo](https://forgejo.org/) | An alternative fork of Gitea. Easy and painless self-hosted git server. | [Link](services/forgejo.md) | | [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) | | System-related | A collection of various system-related components | [Link](services/system.md) | From ad852cbd08c36bff3e3252cfa437da75424a371c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 27 Apr 2024 09:12:43 +0300 Subject: [PATCH 12/27] Upgrade wg-easy (v7-1 -> v12-0) Related to https://github.com/mother-of-all-self-hosting/mash-playbook/pull/195 --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index b9472a7..fc134e6 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml 
@@ -357,7 +357,7 @@ name: wetty activation_prefix: wetty_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-wg-easy.git - version: v7-1 + version: v12-0 name: wg_easy activation_prefix: wg_easy_ - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git From c9e51f3f0479d6d754f7fbe9b6197b4976aea6cb Mon Sep 17 00:00:00 2001 From: moanos Date: Sat, 27 Apr 2024 08:27:28 +0200 Subject: [PATCH 13/27] feat: Add basic paperless support --- templates/group_vars_mash_servers | 65 +++++++++++++++++++++++++++++++ templates/requirements.yml | 3 ++ templates/setup.yml | 4 ++ 3 files changed, 72 insertions(+) diff --git a/templates/group_vars_mash_servers b/templates/group_vars_mash_servers index f04eb29..645f70d 100644 --- a/templates/group_vars_mash_servers +++ b/templates/group_vars_mash_servers @@ -463,6 +463,11 @@ mash_playbook_devture_systemd_service_manager_services_list_auto_itemized: {{ ({'name': (oxitraffic_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'oxitraffic']} if oxitraffic_enabled else omit) }} # /role-specific:oxitraffic + # role-specific:paperless + - |- + {{ ({'name': (paperless_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'paperless']} if paperless_enabled else omit) }} + # /role-specific:paperless + # role-specific:peertube - |- {{ ({'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']} if peertube_enabled else omit) }} @@ -841,6 +846,18 @@ mash_playbook_devture_postgres_managed_databases_auto_itemized: }} # /role-specific:oxitraffic + + # role-specific:paperless + - |- + {{ + ({ + 'name': paperless_database_name, + 'username': paperless_database_username, + 'password': paperless_database_password, + } if paperless_enabled and paperless_database_hostname == devture_postgres_identifier else omit) + }} + # /role-specific:paperless + # role-specific:peertube - |- {{ 
@@ -3955,6 +3972,54 @@ oxitraffic_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certRe # /role-specific:oxitraffic +# role-specific:paperless +######################################################################## +# # +# paperless # +# # +######################################################################## + +paperless_enabled: false + +paperless_identifier: "{{ mash_playbook_service_identifier_prefix }}paperless" + +paperless_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}paperless" + +paperless_uid: "{{ mash_playbook_uid }}" +paperless_gid: "{{ mash_playbook_gid }}" + +paperless_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +paperless_database_username: "paperless" +paperless_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +paperless_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.paperless', rounds=655555) | to_uuid }}" + +paperless_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and paperless_database_hostname == devture_postgres_identifier else []) + }} + +paperless_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and paperless_database_hostname == devture_postgres_identifier and paperless_container_network != devture_postgres_container_network else []) + }} + +paperless_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +paperless_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +paperless_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" 
+paperless_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /paperless # +# # +######################################################################## +# /role-specific:paperless + + # role-specific:peertube ######################################################################## diff --git a/templates/requirements.yml b/templates/requirements.yml index b9472a7..db25c92 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -228,6 +228,9 @@ version: v0.9.0-0 name: oxitraffic activation_prefix: oxitraffic_ +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-paperless.git + version: v2.7.2-0 + name: paperless - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git version: v6.0.4-0 name: peertube diff --git a/templates/setup.yml b/templates/setup.yml index a004809..c0f5e32 100644 --- a/templates/setup.yml +++ b/templates/setup.yml @@ -290,6 +290,10 @@ - role: galaxy/oxitraffic # /role-specific:oxitraffic + # role-specific:paperless + - role: galaxy/paperless + # /role-specific:paperless + # role-specific:peertube - role: galaxy/peertube # /role-specific:peertube From c631449820205c1e4b7ec2c9f64b59616561851c Mon Sep 17 00:00:00 2001 From: moanos Date: Sat, 27 Apr 2024 08:29:00 +0200 Subject: [PATCH 14/27] chore: Bump funwhale version to fix S3 issue --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index fc134e6..34ae85f 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml 
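Review bot: The `paperless_uid`/`paperless_gid` defaults read as if the container is dropped to the unprivileged playbook user like the other services, but the paperless-ngx documentation page added later in this series states the container currently cannot run rootless, so these values presumably do not constrain the process's runtime user — worth confirming against the role. I would make that visible at the config site rather than only in the docs, e.g. above `paperless_uid:` add `# NOTE: paperless-ngx does not yet support rootless containers (see docs/services/paperless-ngx.md);` and `# these uid/gid values may not limit the container's effective user — confirm against the role before relying on them.` The derived `paperless_database_password` follows the playbook's usual `password_hash(...) | to_uuid` pattern keyed on `mash_playbook_generic_secret_key`, so its strength is entirely that of the generic secret; a one-line comment saying so would help operators who set a weak key.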
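Review bot: The new `ansible-role-paperless` entry in `templates/requirements.yml` has `src`, `version` and `name` but no `activation_prefix`, while the neighbouring entries (e.g. `activation_prefix: oxitraffic_`) all carry one. If the playbook tooling uses this field to decide which `role-specific:` blocks and roles are active (which is what the `optimize.py` regexes in this series appear to serve), the paperless role may be stripped or treated inconsistently. Add `activation_prefix: paperless_` after `name: paperless` so the entry matches the convention; the `--no-activation-prefix` case, if intentional, deserves a comment.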
@@ -109,7 +109,7 @@ name: freshrss activation_prefix: freshrss_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-funkwhale.git - version: v1.4.0-3 + version: v1.4.0-4 name: funkwhale activation_prefix: funkwhale_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git From b415148032331c9d81734b76404b9cc3b6c4e3ec Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Apr 2024 15:15:13 +0300 Subject: [PATCH 15/27] Fix some "invalid escape sequences" errors in bin/optimize.py --- bin/optimize.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/optimize.py b/bin/optimize.py index 2903d9f..516ee2b 100644 --- a/bin/optimize.py +++ b/bin/optimize.py @@ -52,11 +52,11 @@ def write_to_file(contents, path): # Matches the beginning of role-specific blocks. # Example: `# role-specific:playbook_help` -regex_role_specific_block_start = regex.compile('^\s*#\s*role-specific\:\s*([^\s]+)$') +regex_role_specific_block_start = regex.compile('^\\s*#\\s*role-specific:\\s*([^\\s]+)$') # Matches the end of role-specific blocks. # Example: `# /role-specific:playbook_help` -regex_role_specific_block_end = regex.compile('^\s*#\s*/role-specific\:\s*([^\s]+)$') +regex_role_specific_block_end = regex.compile('^\\s*#\\s*/role-specific:\\s*([^\\s]+)$') def process_file_contents(file_name, enabled_role_names, known_role_names): contents = read_file(file_name) From 4e8baf74be4720843e9d7c45de69a2e8fc1c714b Mon Sep 17 00:00:00 2001 From: adam-kress Date: Mon, 29 Apr 2024 09:24:56 -0400 Subject: [PATCH 16/27] Upgrade Navidrome (0.51.1-0 -> 0.52.0-0) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index 34ae85f..ee1cbe7 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml 
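Review bot: Doubling the backslashes silences the "invalid escape sequence" warnings but leaves the patterns hard to read and easy to break on the next edit; the idiomatic fix is a raw string, which is what the regex is meant to see anyway. Change the two assignments to `regex_role_specific_block_start = regex.compile(r'^\s*#\s*role-specific:\s*([^\s]+)$')` and `regex_role_specific_block_end = regex.compile(r'^\s*#\s*/role-specific:\s*([^\s]+)$')`. Dropping the unneeded `\:` escape is correct, and `[^\s]` could become `\S` if you want the pattern even tighter, but that is optional.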
@@ -201,7 +201,7 @@ name: n8n activation_prefix: n8n_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git - version: v0.51.1-0 + version: v0.52.0-0 name: navidrome activation_prefix: navidrome_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-netbox.git From 2c7139e2b7f0425da9f5872b7c9beb25389141fd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Apr 2024 18:41:58 +0300 Subject: [PATCH 17/27] Upgrade registry (v2.8.3-1 -> v2.8.3-2) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index ee1cbe7..2a5963f 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -57,7 +57,7 @@ name: docker activation_prefix: mash_playbook_docker_installation_enabled - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git - version: v2.8.3-1 + version: v2.8.3-2 name: docker_registry activation_prefix: docker_registry_enabled - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git From 367b421435ae9da87c284659b8373d06a9906192 Mon Sep 17 00:00:00 2001 From: adam-kress Date: Mon, 29 Apr 2024 13:00:40 -0400 Subject: [PATCH 18/27] Upgrade Jitsi (v9457-2 -> v9457-3) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index 2a5963f..c5565c1 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -145,7 +145,7 @@ name: influxdb activation_prefix: influxdb_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9457-2 + version: v9457-3 name: jitsi activation_prefix: jitsi_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git From 24d7b5e9048b4817a061a51e9805bbdba3cad2ab Mon Sep 17 00:00:00 2001 
From: moanos Date: Mon, 29 Apr 2024 22:44:16 +0200 Subject: [PATCH 19/27] fix(paperless): Set additional networks correctly --- templates/group_vars_mash_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/group_vars_mash_servers b/templates/group_vars_mash_servers index 645f70d..7c0fd99 100644 --- a/templates/group_vars_mash_servers +++ b/templates/group_vars_mash_servers @@ -4000,7 +4000,7 @@ paperless_systemd_required_services_list: | ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and paperless_database_hostname == devture_postgres_identifier else []) }} -paperless_container_additional_networks: | +paperless_container_additional_networks_auto: | {{ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + From 42a1f2e376adb24022bcd4cc95d42cd32de64ef8 Mon Sep 17 00:00:00 2001 From: moanos Date: Mon, 29 Apr 2024 23:48:52 +0200 Subject: [PATCH 20/27] chore: Bump paperless version v2.7.2-0 -> v2.7.2-1 --- VERSIONS.md | 1 + templates/requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/VERSIONS.md b/VERSIONS.md index 15d6b21..cfbedb3 100644 --- a/VERSIONS.md +++ b/VERSIONS.md @@ -55,6 +55,7 @@ * Outline: 0.74.0-0 * Owncast: 0.1.2 * Oxitraffic: 0.9.0 +* Paperless: 2.7.2 * Peertube: v6.0.4 * Prometheus: v2.51.2 * Prometheus Blackbox Exporter: v0.25.0 diff --git a/templates/requirements.yml b/templates/requirements.yml index 85ebd79..cd194b0 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -229,7 +229,7 @@ name: oxitraffic activation_prefix: oxitraffic_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-paperless.git - version: v2.7.2-0 + version: v2.7.2-1 name: paperless - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git version: v6.0.4-0 From 93b78b09c217e37909a12f5abf774271d9f81aa3 Mon Sep 17 00:00:00 2001 
From: moanos Date: Mon, 29 Apr 2024 23:56:29 +0200 Subject: [PATCH 21/27] docs(paperless): Start with paperless documentation --- docs/services/paperless-ngx.md | 189 +++++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 docs/services/paperless-ngx.md diff --git a/docs/services/paperless-ngx.md b/docs/services/paperless-ngx.md new file mode 100644 index 0000000..d865212 --- /dev/null +++ b/docs/services/paperless-ngx.md 
@@ -0,0 +1,189 @@ +# Paperless-ngx + +[Paperless-ngx](https://paperless-ngx.com) s a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. MASH can install paperless-ngx with the [`mother-of-all-self-hosting/ansible-role-paperless`](https://github.com/mother-of-all-self-hosting/ansible-role-paperless) ansible role. + + +## Dependencies + +This service requires the following other services: + +- a [Postgres](postgres.md) database +- a [KeyDB](keydb.md) data-store, installation details [below](#keydb) +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# authentik # +# # +######################################################################## + +authentik_enabled: true + +authentik_hostname: authentik.example.com + +# Put a strong secret below, generated with `pwgen -s 64 1` or in another way +authentik_secret_key: '' + +# KeyDB configuration, as described below + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + +### KeyDB + +As described on the [KeyDB](keydb.md) documentation page, if you're hosting additional services which require KeyDB on the same server, you'd better go for installing a separate KeyDB instance for each service. See [Creating a KeyDB instance dedicated to paperless-ngx](#creating-a-keydb-instance-dedicated-to-paperless-ngx). + +If you're only running authentik on this server and don't need to use KeyDB for anything else, you can [use a single KeyDB instance](#using-the-shared-keydb-instance-for-authentik). 
+ +#### Using the shared KeyDB instance for authentik + +To install a single (non-dedicated) KeyDB instance (`mash-keydb`) and hook authentik to it, add the following **additional** configuration: + +```yaml +######################################################################## +# # +# keydb # +# # +######################################################################## + +keydb_enabled: true + +######################################################################## +# # +# /keydb # +# # +######################################################################## + + +######################################################################## +# # +# authentik # +# # +######################################################################## + +# Base configuration as shown above + +# Point authentik to the shared KeyDB instance +authentik_config_redis_hostname: "{{ keydb_identifier }}" + +# Make sure the authentik service (mash-authentik.service) starts after the shared KeyDB service (mash-keydb.service) +authentik_systemd_required_services_list_custom: + - "{{ keydb_identifier }}.service" + +# Make sure the authentik container is connected to the container network of the shared KeyDB service (mash-keydb) +authentik_container_additional_networks_custom: + - "{{ keydb_identifier }}" + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + +This will create a `mash-keydb` KeyDB instance on this host. + +This is only recommended if you won't be installing other services which require KeyDB. Alternatively, go for [Creating a KeyDB instance dedicated to authentik](#creating-a-keydb-instance-dedicated-to-authentik). + + +#### Creating a KeyDB instance dedicated to authentik + +The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation. 
+ +Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `authentik.example.com` is your main one, create `authentik.example.com-deps`). + +Then, create a new `vars.yml` file for the + +`inventory/host_vars/authentik.example.com-deps/vars.yml`: + +```yaml +--- + +######################################################################## +# # +# Playbook # +# # +######################################################################## + +# Put a strong secret below, generated with `pwgen -s 64 1` or in another way +# Various other secrets will be derived from this secret automatically. +mash_playbook_generic_secret_key: '' + +# Override service names and directory path prefixes +mash_playbook_service_identifier_prefix: 'mash-authentik-' +mash_playbook_service_base_directory_name_prefix: 'authentik-' + +######################################################################## +# # +# /Playbook # +# # +######################################################################## + + +######################################################################## +# # +# keydb # +# # +######################################################################## + +keydb_enabled: true + +######################################################################## +# # +# /keydb # +# # +######################################################################## +``` + +This will create a `mash-authentik-keydb` instance on this host with its data in `/mash/authentik-keydb`. 
+ +Then, adjust your main inventory host's variables file (`inventory/host_vars/authentik.example.com/vars.yml`) like this: + +```yaml +######################################################################## +# # +# authentik # +# # +######################################################################## + +# Base configuration as shown above + +# Point authentik to its dedicated KeyDB instance +authentik_config_redis_hostname: mash-authentik-keydb + +# Make sure the authentik service (mash-authentik.service) starts after its dedicated KeyDB service (mash-authentik-keydb.service) +authentik_systemd_required_services_list_custom: + - "mash-authentik-keydb.service" + +# Make sure the authentik container is connected to the container network of its dedicated KeyDB service (mash-authentik-keydb) +authentik_container_additional_networks_custom: + - "mash-authentik-keydb" + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + + +## Installation + +If you've decided to install a dedicated KeyDB instance for paperless, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `paperless.example.com-deps`), before running installation for the main one (e.g. `paperless.example.com`). + + +## Usage + +Access your instance in your browser at `https://paperless.example.org` + +Refer to the [official documentation](https://docs.paperless-ngx.com/) to learn how to use paperless. \ No newline at end of file From 4b8ba241ba4c81573851ecf141c73128745dc08c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 30 Apr 2024 08:13:48 +0200 Subject: [PATCH 22/27] docs: expand --- docs/services/paperless-ngx.md | 63 ++++++++++++++++------------------ 1 file changed, 30 insertions(+), 33 deletions(-) 
diff --git a/docs/services/paperless-ngx.md b/docs/services/paperless-ngx.md index d865212..a0a5690 100644 --- a/docs/services/paperless-ngx.md +++ b/docs/services/paperless-ngx.md @@ -19,22 +19,19 @@ To enable this service, add the following configuration to your `vars.yml` file ```yaml ######################################################################## # # -# authentik # +# paperless # # # ######################################################################## -authentik_enabled: true +paperless_enabled: true -authentik_hostname: authentik.example.com - -# Put a strong secret below, generated with `pwgen -s 64 1` or in another way -authentik_secret_key: '' +paperless_hostname: paperless.example.org # KeyDB configuration, as described below ######################################################################## # # -# /authentik # +# /paperless # # # ######################################################################## ``` 
@@ -43,11 +40,11 @@ authentik_secret_key: '' As described on the [KeyDB](keydb.md) documentation page, if you're hosting additional services which require KeyDB on the same server, you'd better go for installing a separate KeyDB instance for each service. See [Creating a KeyDB instance dedicated to paperless-ngx](#creating-a-keydb-instance-dedicated-to-paperless-ngx). -If you're only running authentik on this server and don't need to use KeyDB for anything else, you can [use a single KeyDB instance](#using-the-shared-keydb-instance-for-authentik). +If you're only running paperless-ngx on this server and don't need to use KeyDB for anything else, you can [use a single KeyDB instance](#using-the-shared-keydb-instance-for-authentik). #### Using the shared KeyDB instance for authentik -To install a single (non-dedicated) KeyDB instance (`mash-keydb`) and hook authentik to it, add the following **additional** configuration: +To install a single (non-dedicated) KeyDB instance (`mash-keydb`) and hook paperless to it, add the following **additional** configuration: ```yaml ######################################################################## 
@@ -67,44 +64,44 @@ keydb_enabled: true ######################################################################## # # -# authentik # +# paperless # # # ######################################################################## # Base configuration as shown above -# Point authentik to the shared KeyDB instance -authentik_config_redis_hostname: "{{ keydb_identifier }}" +# Point paperless to the shared KeyDB instance +paperless_redis_hostname: "{{ keydb_identifier }}" # Make sure the authentik service (mash-authentik.service) starts after the shared KeyDB service (mash-keydb.service) -authentik_systemd_required_services_list_custom: +paperless_systemd_required_services_list_custom: - "{{ keydb_identifier }}.service" # Make sure the authentik container is connected to the container network of the shared KeyDB service (mash-keydb) -authentik_container_additional_networks_custom: +paperless_container_additional_networks_custom: - "{{ keydb_identifier }}" ######################################################################## # # -# /authentik # +# /paperless # # # ######################################################################## ``` This will create a `mash-keydb` KeyDB instance on this host. -This is only recommended if you won't be installing other services which require KeyDB. Alternatively, go for [Creating a KeyDB instance dedicated to authentik](#creating-a-keydb-instance-dedicated-to-authentik). +This is only recommended if you won't be installing other services which require KeyDB. Alternatively, go for [Creating a KeyDB instance dedicated to paperless-ngx](#creating-a-keydb-instance-dedicated-to-paperless-ngx). -#### Creating a KeyDB instance dedicated to authentik +#### Creating a KeyDB instance dedicated to paperless The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation. 
-Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `authentik.example.com` is your main one, create `authentik.example.com-deps`). +Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `paperless.example.org` is your main one, create `paperless.example.org-deps`). Then, create a new `vars.yml` file for the -`inventory/host_vars/authentik.example.com-deps/vars.yml`: +`inventory/host_vars/paperless.example.org-deps/vars.yml`: ```yaml --- @@ -120,8 +117,8 @@ Then, create a new `vars.yml` file for the mash_playbook_generic_secret_key: '' # Override service names and directory path prefixes -mash_playbook_service_identifier_prefix: 'mash-authentik-' -mash_playbook_service_base_directory_name_prefix: 'authentik-' +mash_playbook_service_identifier_prefix: 'mash-paperless-' +mash_playbook_service_base_directory_name_prefix: 'paperless-' ######################################################################## # # 
@@ -145,33 +142,33 @@ keydb_enabled: true ######################################################################## ``` -This will create a `mash-authentik-keydb` instance on this host with its data in `/mash/authentik-keydb`. +This will create a `mash-paperless-keydb` instance on this host with its data in `/mash/paperless-keydb`. -Then, adjust your main inventory host's variables file (`inventory/host_vars/authentik.example.com/vars.yml`) like this: +Then, adjust your main inventory host's variables file (`inventory/host_vars/paperless.example.org/vars.yml`) like this: ```yaml ######################################################################## # # -# authentik # +# paperless # # # ######################################################################## # Base configuration as shown above # Point authentik to its dedicated KeyDB instance -authentik_config_redis_hostname: mash-authentik-keydb +paperless_redis_hostname: mash-authentik-keydb -# Make sure the authentik service (mash-authentik.service) starts after its dedicated KeyDB service (mash-authentik-keydb.service) -authentik_systemd_required_services_list_custom: - - "mash-authentik-keydb.service" +# Make sure the authentik service (mash-paperless.service) starts after its dedicated KeyDB service (mash-paperless-keydb.service) +paperless_systemd_required_services_list_custom: + - "mash-paperless-keydb.service" -# Make sure the authentik container is connected to the container network of its dedicated KeyDB service (mash-authentik-keydb) +# Make sure the authentik container is connected to the container network of its dedicated KeyDB service (mash-paperless-keydb) authentik_container_additional_networks_custom: - - "mash-authentik-keydb" + - "mash-paperless-keydb" ######################################################################## # # -# /authentik # +# /paperless # # # ######################################################################## ``` 
@@ -179,11 +176,11 @@ authentik_container_additional_networks_custom: ## Installation -If you've decided to install a dedicated KeyDB instance for paperless, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `paperless.example.com-deps`), before running installation for the main one (e.g. `paperless.example.com`). +If you've decided to install a dedicated KeyDB instance for paperless, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `paperless.example.org-deps`), before running installation for the main one (e.g. `paperless.example.org`). ## Usage Access your instance in your browser at `https://paperless.example.org` -Refer to the [official documentation](https://docs.paperless-ngx.com/) to learn how to use paperless. \ No newline at end of file +Refer to the [official documentation](https://docs.paperless-ngx.com/) to learn how to use paperless. From 5f82bf8abc147fb4d1e551c7e7b2df5245a37c72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 30 Apr 2024 08:21:54 +0200 Subject: [PATCH 23/27] docs: Add warning about running as root --- docs/services/paperless-ngx.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/services/paperless-ngx.md b/docs/services/paperless-ngx.md index a0a5690..83602bd 100644 --- a/docs/services/paperless-ngx.md +++ b/docs/services/paperless-ngx.md 
@@ -2,6 +2,7 @@ [Paperless-ngx](https://paperless-ngx.com) s a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. MASH can install paperless-ngx with the [`mother-of-all-self-hosting/ansible-role-paperless`](https://github.com/mother-of-all-self-hosting/ansible-role-paperless) ansible role. +**Warning** Paperless-ngx currently [does not support](https://github.com/paperless-ngx/paperless-ngx/issues/6352) running the container rootless, therfore the role has not the usual security features of other services provided by this playbook. This put your system more at higher risk as vulerabilities can have a higher impact. ## Dependencies From 93c17e2e8bce0b1ed49aca072d448f9ea1a102c7 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 30 Apr 2024 16:16:06 +0300 Subject: [PATCH 24/27] borgmatic v1.8.11; changedetection v0.45.21; jitsi v9457-2; miniflux v2.1.3; navidrome v0.52.0; nextcloud v28.0.4; uptime kuma v1.23.13 --- VERSIONS.md | 16 ++++++++-------- releases.opml | 3 ++- templates/requirements.yml | 10 +++++----- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/VERSIONS.md b/VERSIONS.md index 15d6b21..6346957 100644 --- a/VERSIONS.md +++ b/VERSIONS.md @@ -5,8 +5,8 @@ * Authelia: 4.37.5 * Authentik: 2024.2.3 * Borg: 1.2.8 -* Borgmatic: 1.8.10 -* Changedetection: 0.45.20 +* Borgmatic: 1.8.11 +* Changedetection: 0.45.21 * Changedetection Playwright Driver: latest * Clickhouse: 23.10.5.20 * Collabora Online: 22.05.13.1.1 @@ -32,7 +32,7 @@ * Ilmo: 1.0.4 * Infisical: v0.3.8 * Influxdb: 2.7.5 -* Jitsi: stable-9364-1 +* Jitsi: stable-9457-2 * Jitsi Ldap: 3 * Jitsi Prosody Auth Matrix User Verification Repo: 2839499cb03894d8cfc3e5b2219441427cb133d8 * Keycloak: 24.0.2 
@@ -41,16 +41,16 @@ * Languagetool: 6.3 * Linkding: latest * Loki: 2.9.4 -* Miniflux: 2.1.2 +* Miniflux: 2.1.3 * Mobilizon: 3.1.0 * Mongodb: 7.0.4 * Mosquitto: 2.0.15 * Mrs: latest * N8N: next -* Navidrome: 0.51.1 +* Navidrome: 0.52.0 * Netbox: v3.7.0-2.8.0 * Netbox Container Image Customizations Keycloak Sso Expiration Middleware: a2ac39b1c73a50742c6e834e89162f87528c7f73 -* Nextcloud: 28.0.2 +* Nextcloud: 28.0.4 * Oauth2 Proxy: v7.6.0 * Outline: 0.74.0-0 * Owncast: 0.1.2 @@ -74,9 +74,9 @@ * Tandoor Frontend: 1.25.4-alpine * Telegraf: 1.27.1 * Traefik: v2.11.2 -* Uptime Kuma: 1.23.12 +* Uptime Kuma: 1.23.13 * Vaultwarden: 1.30.5 * Wetty: 2.5 -* Wg Easy: 7 +* Wg Easy: 12 * Woodpecker Ci Agent: v2.4.1 * Woodpecker Ci Server: v2.4.1 diff --git a/releases.opml b/releases.opml index 4a1c607..6c39324 100644 --- a/releases.opml +++ b/releases.opml @@ -40,6 +40,7 @@ + @@ -65,7 +66,7 @@ - + diff --git a/templates/requirements.yml b/templates/requirements.yml index 2a5963f..5044945 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -29,11 +29,11 @@ name: auxiliary activation_prefix: aux_ - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.8-1.8.10-0 + version: v1.2.8-1.8.11-0 name: backup_borg activation_prefix: backup_borg_ - src: git+https://github.com/nielscil/ansible-role-changedetection.git - version: v0.45.20-0 + version: v0.45.21-0 name: changedetection activation_prefix: changedetection_ - src: git+https://gitlab.com/etke.cc/roles/cleanup.git @@ -145,7 +145,7 @@ name: influxdb activation_prefix: influxdb_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9457-2 + version: v9457-3 name: jitsi activation_prefix: jitsi_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git 
@@ -177,7 +177,7 @@ name: mariadb activation_prefix: mariadb_ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git - version: v2.1.2-0 + version: v2.1.3-0 name: miniflux activation_prefix: miniflux_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mobilizon.git @@ -345,7 +345,7 @@ name: traefik activation_prefix: devture_traefik_ - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git - version: v1.23.12-0 + version: v1.23.13-0 name: uptime_kuma activation_prefix: uptime_kuma_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git From 5f553bf3ef6c5cae46364201ffc7802e2c786730 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Apr 2024 17:30:31 +0300 Subject: [PATCH 25/27] Upgrade Authentik (v2024.2.3-0 -> v2024.4.1-0) --- templates/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/requirements.yml b/templates/requirements.yml index 5044945..33707e2 100644 --- a/templates/requirements.yml +++ b/templates/requirements.yml @@ -21,7 +21,7 @@ name: authelia activation_prefix: authelia_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2024.2.3-0 + version: v2024.4.1-0 name: authentik activation_prefix: authentik_ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git From 54f8331c0097b89524d10bea985b2e92e1a6e760 Mon Sep 17 00:00:00 2001 From: moanos Date: Tue, 30 Apr 2024 16:49:27 +0200 Subject: [PATCH 26/27] docs(paperless): Various fixes --- docs/services/paperless-ngx.md | 25 +++++++++++++++---------- docs/supported-services.md | 1 + 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/docs/services/paperless-ngx.md b/docs/services/paperless-ngx.md index 83602bd..d641d3b 100644 --- a/docs/services/paperless-ngx.md +++ b/docs/services/paperless-ngx.md 
@@ -2,7 +2,7 @@ [Paperless-ngx](https://paperless-ngx.com) s a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. MASH can install paperless-ngx with the [`mother-of-all-self-hosting/ansible-role-paperless`](https://github.com/mother-of-all-self-hosting/ansible-role-paperless) ansible role. -**Warning** Paperless-ngx currently [does not support](https://github.com/paperless-ngx/paperless-ngx/issues/6352) running the container rootless, therfore the role has not the usual security features of other services provided by this playbook. This put your system more at higher risk as vulerabilities can have a higher impact. +**Warning** Paperless-ngx currently [does not support](https://github.com/paperless-ngx/paperless-ngx/issues/6352) running the container rootless, therefore the role has not the usual security features of other services provided by this playbook. This put your system more at higher risk as vulnerabilities can have a higher impact. ## Dependencies @@ -28,6 +28,11 @@ paperless_enabled: true paperless_hostname: paperless.example.org +# Set the following variables to create an initial admin user +# It will not re-create an admin user, it will not change a password if the user is already created +# paperless_admin_user: USERNAME +# paperless_admin_password: SECURE_PASSWORD + # KeyDB configuration, as described below ######################################################################## 
@@ -41,9 +46,9 @@ paperless_hostname: paperless.example.org
 As described on the [KeyDB](keydb.md) documentation page, if you're hosting additional services which require KeyDB on the same server, you'd better go for installing a separate KeyDB instance for each service.
 See [Creating a KeyDB instance dedicated to paperless-ngx](#creating-a-keydb-instance-dedicated-to-paperless-ngx).
 
-If you're only running paperless-ngx on this server and don't need to use KeyDB for anything else, you can [use a single KeyDB instance](#using-the-shared-keydb-instance-for-authentik).
+If you're only running paperless-ngx on this server and don't need to use KeyDB for anything else, you can [use a single KeyDB instance](#using-the-shared-keydb-instance-for-paperless).
 
-#### Using the shared KeyDB instance for authentik
+#### Using the shared KeyDB instance for paperless-ngx
 
 To install a single (non-dedicated) KeyDB instance (`mash-keydb`) and hook paperless to it, add the following **additional** configuration:
 
@@ -74,11 +79,11 @@ keydb_enabled: true
 # Point paperless to the shared KeyDB instance
 paperless_redis_hostname: "{{ keydb_identifier }}"
 
-# Make sure the authentik service (mash-authentik.service) starts after the shared KeyDB service (mash-keydb.service)
+# Make sure the paperless service (mash-paperless.service) starts after the shared KeyDB service (mash-keydb.service)
 paperless_systemd_required_services_list_custom:
   - "{{ keydb_identifier }}.service"
 
-# Make sure the authentik container is connected to the container network of the shared KeyDB service (mash-keydb)
+# Make sure the paperless container is connected to the container network of the shared KeyDB service (mash-keydb)
 paperless_container_additional_networks_custom:
   - "{{ keydb_identifier }}"
 
@@ -156,15 +161,15 @@ Then, adjust your main inventory host's variables file (`inventory/host_vars/pap
 
 # Base configuration as shown above
 
-# Point authentik to its dedicated KeyDB instance
-paperless_redis_hostname: mash-authentik-keydb
+# Point paperless to its dedicated KeyDB instance
+paperless_redis_hostname: mash-paperless-keydb
 
-# Make sure the authentik service (mash-paperless.service) starts after its dedicated KeyDB service (mash-paperless-keydb.service)
+# Make sure the paperless service (mash-paperless.service) starts after its dedicated KeyDB service (mash-paperless-keydb.service)
 paperless_systemd_required_services_list_custom:
   - "mash-paperless-keydb.service"
 
-# Make sure the authentik container is connected to the container network of its dedicated KeyDB service (mash-paperless-keydb)
-authentik_container_additional_networks_custom:
+# Make sure the paperless container is connected to the container network of its dedicated KeyDB service (mash-paperless-keydb)
+paperless_container_additional_networks_custom:
   - "mash-paperless-keydb"
 
 ########################################################################
diff --git a/docs/supported-services.md b/docs/supported-services.md
index 9afacaf..33b90b5 100644
--- a/docs/supported-services.md
+++ b/docs/supported-services.md
@@ -54,6 +54,7 @@
 | [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) | A reverse proxy and static file server that provides authentication using OpenID Connect Providers (Google, GitHub, [Keycloak](services/keycloak.md), and others) to SSO-protect services which do not support SSO natively. | [Link](services/oauth2-proxy.md) |
 | [Owncast](https://owncast.online/) | Owncast is a free and open source live video and web chat server for use with existing popular broadcasting software. | [Link](services/owncast.md) |
 | [OxiTraffic](https://codeberg.org/mo8it/oxitraffic) | [OxiTraffic](https://codeberg.org/mo8it/oxitraffic) is a self-hosted, simple and privacy respecting website traffic tracker. | [Link](services/oxitraffic.md) |
+| [Paperless-ngx](https://paperless-ngx.com) | [Paperless-ngx](https://paperless-ngx.com) is a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. | [Link](services/paperless-ngx.md) |
 | [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) |
 | [Postgis](https://postgis.net/) | A spatial database extender for PostgreSQL object-relational database | [Link](services/postgis.md) |
 | [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |

From 24be4ff689a5291563089802979783368b0e64b5 Mon Sep 17 00:00:00 2001
From: moanos
Date: Tue, 30 Apr 2024 17:32:36 +0200
Subject: [PATCH 27/27] fix(funkwhale): Bump v1.4.0-4 -> v1.4.0-5 to get rid of duplicate line definition

---
 templates/requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/requirements.yml b/templates/requirements.yml
index 33707e2..ce076f2 100644
--- a/templates/requirements.yml
+++ b/templates/requirements.yml
@@ -109,7 +109,7 @@
   name: freshrss
   activation_prefix: freshrss_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-funkwhale.git
-  version: v1.4.0-4
+  version: v1.4.0-5
   name: funkwhale
   activation_prefix: funkwhale_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git