Add Lago support

docs/services/lago.md

@@ -0,0 +1,69 @@
+# Lago
+
+[Lago](https://www.getlago.com/) is an open-source metering and usage-based billing solution.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [Postgres](postgres.md) database
+- a [Redis](redis.md) data-store, installation details [below](#redis)
+- a [Traefik](traefik.md) reverse-proxy server
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+#                                                                      #
+# lago                                                                 #
+#                                                                      #
+########################################################################
+
+lago_enabled: true
+
+lago_hostname: lago.example.com
+
+# Generate this using `openssl genrsa 2048 | base64 --wrap=0`
+lago_api_environment_variable_lago_rsa_private_key: ''
+
+# WARNING: remove this after you create your user account,
+# unless you'd like to run a server with public registration enabled.
+lago_front_environment_variable_lago_disable_signup: false
+
+# Redis configuration, as described below
+
+########################################################################
+#                                                                      #
+# /lago                                                                #
+#                                                                      #
+########################################################################
+```
+
+### URL
+
+In the example configuration above, we configure the service to be hosted at `https://lago.example.com`.
+
+Hosting Lago under a subpath (by configuring the `lago_path_prefix` variable) does not seem to be possible right now, due to Lago limitations.
+
+Our setup hosts the Lago frontend at the root path (`/`) and the Lago API at the `/api` prefix.
+This seems to work well, except for [PDF invoices failing due to a Lago bug](https://github.com/getlago/lago/issues/221).
+
+### Authentication
+
+Public registration can be enabled/disabled using the `lago_front_environment_variable_lago_disable_signup` variable.
+
+We recommend installing with public registration enabled at first, creating your first user account, and then disabling public registration (unless you need it).
+
+It should be noted that disabling public signup with this variable merely disables the Sign-Up page in the web interface, but [does not actually disable signups due to a Lago bug](https://github.com/getlago/lago/issues/220).
+
+## Usage
+
+After installation, you can go to the Lago URL, as defined in `lago_hostname`.
+
+As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
+
+If you'd like to prevent other users from registering, consider disabling public registration by removing the `lago_front_environment_variable_lago_disable_signup` references from your configuration and re-running the playbook (`just install-service lago`).

docs/supported-services.md

@@ -19,6 +19,7 @@
 | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
 | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
 | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
+| [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |
 | [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) |
 | [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) |
 | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |

group_vars/mash_servers

@@ -119,6 +119,16 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (keycloak_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'keycloak']}] if keycloak_enabled else [])
     +
+    ([{'name': (lago_identifier + '-api.service'), 'priority': 2000, 'groups': ['mash', 'lago', 'lago-api']}] if lago_enabled else [])
+    +
+    ([{'name': (lago_identifier + '-api-worker.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-worker']}] if lago_enabled else [])
+    +
+    ([{'name': (lago_identifier + '-api-clock.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-clock']}] if lago_enabled else [])
+    +
+    ([{'name': (lago_identifier + '-front.service'), 'priority': 2200, 'groups': ['mash', 'lago', 'lago-front']}] if lago_enabled else [])
+    +
+    ([{'name': (lago_identifier + '-pdf.service'), 'priority': 1900, 'groups': ['mash', 'lago', 'lago-pdf']}] if lago_enabled else [])
+    +
     ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else [])
     +
     ([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else [])
@@ -240,6 +250,12 @@ devture_postgres_managed_databases_auto: |
       'password': keycloak_database_password,
     }] if keycloak_enabled and keycloak_database_type == 'postgres' and keycloak_database_hostname == devture_postgres_identifier else [])
     +
+    ([{
+      'name': lago_database_name,
+      'username': lago_database_username,
+      'password': lago_database_password,
+    }] if lago_enabled and lago_database_hostname == devture_postgres_identifier else [])
+    +
     ([{
       'name': miniflux_database_name,
       'username': miniflux_database_username,
@@ -1229,6 +1245,57 @@ keycloak_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key)
 
 
 
+########################################################################
+#                                                                      #
+# lago                                                                 #
+#                                                                      #
+########################################################################
+
+lago_enabled: false
+
+lago_architecture: "{{ mash_playbook_architecture }}"
+
+lago_identifier: "{{ mash_playbook_service_identifier_prefix }}lago"
+
+lago_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}lago"
+
+lago_uid: "{{ mash_playbook_uid }}"
+lago_gid: "{{ mash_playbook_gid }}"
+
+lago_api_container_additional_networks_auto: |
+  {{
+    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+    +
+    ([devture_postgres_container_network] if devture_postgres_enabled and lago_database_hostname == devture_postgres_identifier and lago_api_container_network != devture_postgres_container_network else [])
+  }}
+
+lago_front_container_additional_networks_auto: |
+  {{
+    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+  }}
+
+lago_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+lago_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+lago_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+lago_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+lago_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
+lago_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
+lago_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.db', rounds=655555) | to_uuid }}"
+
+lago_api_environment_variable_secret_key_base: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.sec.key', rounds=655555) | to_uuid }}"
+lago_api_environment_variable_encryption_primary_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.enc.primary', rounds=655555) | to_uuid }}"
+lago_api_environment_variable_encryption_deterministic_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deter.key', rounds=655555) | to_uuid }}"
+lago_api_environment_variable_encryption_key_derivation_salt: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deriv.salt', rounds=655555) | to_uuid }}"
+
+########################################################################
+#                                                                      #
+# /lago                                                                #
+#                                                                      #
+########################################################################
+
+
+
 ########################################################################
 #                                                                      #
 # miniflux                                                             #

requirements.yml

@@ -78,6 +78,9 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git
   version: v21.0.2-0
   name: keycloak
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
+  version: v0.28.1-0
+  name: lago
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
   version: v10.11.2-0
   name: mariadb

setup.yml

@@ -88,6 +88,8 @@
 
     - role: galaxy/keycloak
 
+    - role: lago
+
     - role: galaxy/navidrome
 
     - role: galaxy/netbox