commit 8b436d7e7acee3e1ba452d517da04d788a545338 Author: whysthatso Date: Fri Nov 8 00:46:58 2019 +0200 initial commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ddb6765 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +ansible/vault_pass +roles diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg new file mode 100644 index 0000000..d793f9c --- /dev/null +++ b/ansible/ansible.cfg @@ -0,0 +1,9 @@ +[defaults] +nocows = 1 +inventory = ./inventory.ini +retry_files_enabled = False +vault_password_file = ./vault_pass + +[ssh_connection] +ssh_args = -o ControlMaster=auto -o ControlPersist=30m +control_path = ~/.ssh/ansible-%%r@%%h:%%p diff --git a/ansible/helpers/ping.yml b/ansible/helpers/ping.yml new file mode 100644 index 0000000..840714d --- /dev/null +++ b/ansible/helpers/ping.yml @@ -0,0 +1,9 @@ +--- +- hosts: kspace + become: yes + become_user: root + become_method: sudo + tasks: + - name: ping + ping: +... diff --git a/ansible/host_vars/kanban/vars.yml b/ansible/host_vars/kanban/vars.yml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/host_vars/kanban/vault.yml b/ansible/host_vars/kanban/vault.yml new file mode 100644 index 0000000..c7a085b --- /dev/null +++ b/ansible/host_vars/kanban/vault.yml @@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +38353066623230336238383639313964393766373738616466633765386132636438303232306635 +6439623733333332616333656366353637383466623664610a346130653061303763393961306534 +66326162653666663931303531626665656331666639626564626133643565343830643538663366 +6263663833623661340a306335333935383166636638333036323766303433363833383864313062 +32326638306564393038336439303662313962383563303531643961626462643563353839633135 +3732646565383732353461366239383635363638616233353633 diff --git a/ansible/inventory.ini b/ansible/inventory.ini new file mode 100644 index 0000000..d2ce3aa --- /dev/null +++ b/ansible/inventory.ini @@ -0,0 +1,7 @@ +[kspace] +kanban ansible_host=172.20.8.130 +kanban ansible_port=22 +kanban ansible_user=andreas +kanban ansible_become_pass="{{ vault_ansible_become_pass }}" +kanban ansible_ssh_private_key_file=~/.ssh/id_whysthatso +kanban public_ipv6=2001:bb8:4008:20:461e:a1ff:fe43:e5e8 diff --git a/ansible/kanban/base_setup.yml b/ansible/kanban/base_setup.yml new file mode 100644 index 0000000..3b5710f --- /dev/null +++ b/ansible/kanban/base_setup.yml @@ -0,0 +1,27 @@ +--- +- hosts: kanban + become: yes + become_user: root + become_method: sudo + + tasks: + - name: install docker-compose + package: + name: docker-compose + state: present + + - name: create systemd group file + template: + dest: /etc/systemd/system/docker-compose@.service + src: templates/systemd_docker-compose_service.j2 + register: service_config + + - name: reload daemon + shell: systemctl daemon-reload + when: service_config.changed + + - name: enable and start docker service + service: + name: docker + enabled: true + state: started diff --git a/ansible/kanban/deploy_wekan.yml b/ansible/kanban/deploy_wekan.yml new file mode 100644 index 0000000..8c2eea8 --- /dev/null +++ b/ansible/kanban/deploy_wekan.yml @@ -0,0 +1,85 @@ +--- +- hosts: kanban + become: yes + become_user: root + become_method: sudo + + tasks: + - name: create app group + group: + name: wekan + state: present + + - name: create app user + user: + name: wekan + append: yes + group: wekan + groups: docker + shell: /bin/false + + # - name: create .ssh directory + # file: + # path: /home/wekan/.ssh + # state: directory + # mode: 0700 + # owner: wekan + + # - name: move ssh key + # copy: + # src: ~/.ssh/id_whysthatso + # dest: /home/wekan/.ssh/id_whysthatso + # directory_mode: 0700 + # owner: wekan + # group: wekan + # mode: 0600 + + - name: create app directory + file: + path: /opt/wekan + state: directory + mode: 0755 + owner: wekan + group: wekan + + - name: create db directory + file: + path: /opt/wekan/{{ item }} + state: directory + mode: 0755 + owner: wekan + group: wekan + with_items: + - db + - uploads + - db-dump + + - name: configure wekan + template: + dest: /opt/wekan/{{ item }} + src: "{{ item }}" + owner: wekan + group: wekan + with_items: + - docker-compose.yml + register: wekan_config + + - name: fix file permissions + file: + path: /opt/wekan + state: directory + recurse: yes + owner: wekan + group: wekan + + - name: restart wekan service + service: + name: docker-compose@wekan + state: restarted + when: wekan_config.changed + + - name: enable wekan service + service: + name: docker-compose@wekan + state: started + enabled: yes diff --git a/ansible/kanban/templates/docker-compose.yml b/ansible/kanban/templates/docker-compose.yml new file mode 100644 index 0000000..92380e4 --- /dev/null +++ b/ansible/kanban/templates/docker-compose.yml @@ -0,0 +1,618 @@ +version: '2' + +# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required. +#--------------------------------------------------------------------------------------------------------- +# ==== CREATING USERS AND LOGGING IN TO WEKAN ==== +# https://github.com/wekan/wekan/wiki/Adding-users +#--------------------------------------------------------------------------------------------------------- +# ==== FORGOT PASSWORD ==== +# https://github.com/wekan/wekan/wiki/Forgot-Password +#--------------------------------------------------------------------------------------------------------- +# ==== Upgrading Wekan to new version ===== +# NOTE: MongoDB has changed from 3.x to 4.x, in that case you need backup/restore with --noIndexRestore +# see https://github.com/wekan/wekan/wiki/Backup +# 1) Stop Wekan: +# docker-compose stop +# 2) Download new version: +# docker-compose pull wekan +# 3) If you have more networks for VPN etc as described at bottom of +# this config, download for them too: +# docker-compose pull wekan2 +# 4) Start Wekan: +# docker-compose start +#---------------------------------------------------------------------------------- +# ==== OPTIONAL: DEDICATED DOCKER USER ==== +# 1) Optionally create a dedicated user for Wekan, for example: +# sudo useradd -d /home/wekan -m -s /bin/bash wekan +# 2) Add this user to the docker group, then logout+login or reboot: +# sudo usermod -aG docker wekan +# 3) Then login as user wekan. +# 4) Create this file /home/wekan/docker-compose.yml with your modifications. +#---------------------------------------------------------------------------------- +# ==== RUN DOCKER AS SERVICE ==== +# 1a) Running Docker as service, on Systemd like Debian 9, Ubuntu 16.04, CentOS 7: +# sudo systemctl enable docker +# sudo systemctl start docker +# 1b) Running Docker as service, on init.d like Debian 8, Ubuntu 14.04, CentOS 6: +# sudo update-rc.d docker defaults +# sudo service docker start +# ---------------------------------------------------------------------------------- +# ==== USAGE OF THIS docker-compose.yml ==== +# 1) For seeing does Wekan work, try this and check with your webbroser: +# docker-compose up +# 2) Stop Wekan and start Wekan in background: +# docker-compose stop +# docker-compose up -d +# 3) See running Docker containers: +# docker ps +# 4) Stop Docker containers: +# docker-compose stop +# ---------------------------------------------------------------------------------- +# ===== INSIDE DOCKER CONTAINERS, AND BACKUP/RESTORE ==== +# https://github.com/wekan/wekan/wiki/Backup +# If really necessary, repair MongoDB: https://github.com/wekan/wekan-mongodb/issues/6#issuecomment-424004116 +# 1) Going inside containers: +# a) Wekan app, does not contain data +# docker exec -it wekan-app bash +# b) MongoDB, contains all data +# docker exec -it wekan-db bash +# 2) Copying database to outside of container: +# docker exec -it wekan-db bash +# cd /data +# mongodump +# exit +# docker cp wekan-db:/data/dump . +# 3) Restoring database +# # 1) Stop wekan +# docker stop wekan-app +# # 2) Go inside database container +# docker exec -it wekan-db bash +# # 3) and data directory +# cd /data +# # 4) Remove previos dump +# rm -rf dump +# # 5) Exit db container +# exit +# # 6) Copy dump to inside docker container +# docker cp dump wekan-db:/data/ +# # 7) Go inside database container +# docker exec -it wekan-db bash +# # 8) and data directory +# cd /data +# # 9) Restore +# mongorestore --drop +# # 10) Exit db container +# exit +# # 11) Start wekan +# docker start wekan-app +#------------------------------------------------------------------------- + +services: + + wekandb: + #------------------------------------------------------------------------------------- + # ==== MONGODB AND METEOR VERSION ==== + # a) For Wekan Meteor 1.8.x version at master branch, use mongo 4.x + image: mongo:4.0.12 + # b) For Wekan Meteor 1.6.x version at devel branch. + # Only for Snap and Sandstorm while they are not upgraded yet to Meteor 1.8.x + #image: mongo:3.2.21 + #------------------------------------------------------------------------------------- + container_name: wekan-db + restart: always + command: mongod --smallfiles --oplogSize 128 + networks: + - wekan-tier + expose: + - 27017 + volumes: + - /opt/wekan/db:/data/db + - /opt/wekan/db-dump:/dump + - /opt/wekan/uploads:/uploads + + wekan: + #------------------------------------------------------------------------------------- + # ==== MONGODB AND METEOR VERSION ==== + # NOTE: Quay is currently not updated, use Docker Hub image below c) + # a) For Wekan Meteor 1.8.x version at master branch, + # using https://quay.io/wekan/wekan automatic builds + #image: quay.io/wekan/wekan + # b) Using specific Meteor 1.6.x version tag: + # image: quay.io/wekan/wekan:v1.95 + # c) Using Docker Hub automatic builds https://hub.docker.com/r/wekanteam/wekan + image: wekanteam/wekan:latest + # image: wekanteam/wekan:v2.99 + #------------------------------------------------------------------------------------- + container_name: wekan-app + restart: always + networks: + - wekan-tier + #------------------------------------------------------------------------------------- + # ==== BUILD wekan-app DOCKER CONTAINER FROM SOURCE, if you uncomment these ==== + # ==== and use commands: docker-compose up -d --build + #build: + # context: . + # dockerfile: Dockerfile + # args: + # - NODE_VERSION=${NODE_VERSION} + # - METEOR_RELEASE=${METEOR_RELEASE} + # - NPM_VERSION=${NPM_VERSION} + # - ARCHITECTURE=${ARCHITECTURE} + # - SRC_PATH=${SRC_PATH} + # - METEOR_EDGE=${METEOR_EDGE} + # - USE_EDGE=${USE_EDGE} + #------------------------------------------------------------------------------------- + ports: + # Docker outsideport:insideport. Do not add anything extra here. + # For example, if you want to have wekan on port 3001, + # use 3001:8080 . Do not add any extra address etc here, that way it does not work. + # remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network + - 80:8080 + environment: + - MONGO_URL=mongodb://wekandb:27017/wekan + #--------------------------------------------------------------- + # ==== ROOT_URL SETTING ==== + # Change ROOT_URL to your real Wekan URL, for example: + # If you have Caddy/Nginx/Apache providing SSL + # - https://example.com + # - https://boards.example.com + # This can be problematic with avatars https://github.com/wekan/wekan/issues/1776 + # - https://example.com/wekan + # If without https, can be only wekan node, no need for Caddy/Nginx/Apache if you don't need them + # - http://example.com + # - http://boards.example.com + # - http://192.168.1.100 <=== using at local LAN + - ROOT_URL=http://localhost # <=== using only at same laptop/desktop where Wekan is installed + #--------------------------------------------------------------- + # ==== EMAIL SETTINGS ==== + # Email settings are required in both MAIL_URL and Admin Panel, + # see https://github.com/wekan/wekan/wiki/Troubleshooting-Mail + # For SSL in email, change smtp:// to smtps:// + # NOTE: Special characters need to be url-encoded in MAIL_URL. + # You can encode those characters for example at: https://www.urlencoder.org + #- MAIL_URL=smtp://user:pass@mailserver.example.com:25/ + - MAIL_URL=smtp://:25/?ignoreTLS=true&tls={rejectUnauthorized:false} + - MAIL_FROM=Wekan Notifications + #--------------------------------------------------------------- + # ==== OPTIONAL: MONGO OPLOG SETTINGS ===== + # https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-378343587 + # We've fixed our CPU usage problem today with an environment + # change around Wekan. I wasn't aware during implementation + # that if you're using more than 1 instance of Wekan + # (or any MeteorJS based tool) you're supposed to set + # MONGO_OPLOG_URL as an environment variable. + # Without setting it, Meteor will perform a pull-and-diff + # update of it's dataset. With it, Meteor will update from + # the OPLOG. See here + # https://blog.meteor.com/tuning-meteor-mongo-livedata-for-scalability-13fe9deb8908 + # After setting + # MONGO_OPLOG_URL=mongodb://:@/local?authSource=admin&replicaSet=rsWekan + # the CPU usage for all Wekan instances dropped to an average + # of less than 10% with only occasional spikes to high usage + # (I guess when someone is doing a lot of work) + # - MONGO_OPLOG_URL=mongodb://:@/local?authSource=admin&replicaSet=rsWekan + #--------------------------------------------------------------- + # ==== OPTIONAL: KADIRA PERFORMANCE MONITORING FOR METEOR ==== + # https://github.com/edemaine/kadira-compose + # https://github.com/meteor/meteor-apm-agent + # https://blog.meteor.com/kadira-apm-is-now-open-source-490469ffc85f + #- APM_OPTIONS_ENDPOINT=http://:11011 + #- APM_APP_ID= + #- APM_APP_SECRET= + #--------------------------------------------------------------- + # ==== OPTIONAL: LOGS AND STATS ==== + # https://github.com/wekan/wekan/wiki/Logs + # + # Daily export of Wekan changes as JSON to Logstash and ElasticSearch / Kibana (ELK) + # https://github.com/wekan/wekan-logstash + # + # Statistics Python script for Wekan Dashboard + # https://github.com/wekan/wekan-stats + # + # Console, file, and zulip logger on database changes https://github.com/wekan/wekan/pull/1010 + # with fix to replace console.log by winston logger https://github.com/wekan/wekan/pull/1033 + # but there could be bug https://github.com/wekan/wekan/issues/1094 + # + # There is Feature Request: Logging date and time of all activity with summary reports, + # and requesting reason for changing card to other column https://github.com/wekan/wekan/issues/1598 + #--------------------------------------------------------------- + # ==== WEKAN API AND EXPORT BOARD ==== + # Wekan Export Board works when WITH_API=true. + # https://github.com/wekan/wekan/wiki/REST-API + # https://github.com/wekan/wekan-gogs + # If you disable Wekan API with false, Export Board does not work. + - WITH_API=true + #--------------------------------------------------------------- + # ==== PASSWORD BRUTE FORCE PROTECTION ==== + #https://atmospherejs.com/lucasantoniassi/accounts-lockout + #Defaults below. Uncomment to change. wekan/server/accounts-lockout.js + #- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3 + #- ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60 + #- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15 + #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3 + #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60 + #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15 + #--------------------------------------------------------------- + # ==== STORE ATTACHMENT ON SERVER FILESYSTEM INSTEAD OF MONGODB ==== + # https://github.com/wekan/wekan/pull/2603 + - ATTACHMENTS_STORE_PATH = /uploads # pathname can be relative or fullpath + #--------------------------------------------------------------- + # ==== RICH TEXT EDITOR IN CARD COMMENTS ==== + # https://github.com/wekan/wekan/pull/2560 + - RICHER_CARD_COMMENT_EDITOR=true + #--------------------------------------------------------------- + # ==== CARD OPENED, SEND WEBHOOK MESSAGE ==== + # https://github.com/wekan/wekan/issues/2518 + - CARD_OPENED_WEBHOOK_ENABLED=true + #--------------------------------------------------------------- + # ==== Allow to shrink attached/pasted image ==== + # https://github.com/wekan/wekan/pull/2544 + #-MAX_IMAGE_PIXEL=1024 + #-IMAGE_COMPRESS_RATIO=80 + #--------------------------------------------------------------- + # ==== BIGEVENTS DUE ETC NOTIFICATIONS ===== + # https://github.com/wekan/wekan/pull/2541 + # Introduced a system env var BIGEVENTS_PATTERN default as "NONE", + # so any activityType matches the pattern, system will send out + # notifications to all board members no matter they are watching + # or tracking the board or not. Owner of the wekan server can + # disable the feature by setting this variable to "NONE" or + # change the pattern to any valid regex. i.e. '|' delimited + # activityType names. + # a) Example + #- BIGEVENTS_PATTERN=due + # b) All + #- BIGEVENTS_PATTERN=received|start|due|end + # c) Disabled + - BIGEVENTS_PATTERN=NONE + #--------------------------------------------------------------- + # ==== EMAIL DUE DATE NOTIFICATION ===== + # https://github.com/wekan/wekan/pull/2536 + # System timelines will be showing any user modification for + # dueat startat endat receivedat, also notification to + # the watchers and if any card is due, about due or past due. + # + # Notify due days, default is None, 2 days before and on the event day + #- NOTIFY_DUE_DAYS_BEFORE_AND_AFTER=2,0 + # + # Notify due at hour of day. Default every morning at 8am. Can be 0-23. + # If env variable has parsing error, use default. Notification sent to watchers. + #- NOTIFY_DUE_AT_HOUR_OF_DAY=8 + #----------------------------------------------------------------- + # ==== EMAIL NOTIFICATION TIMEOUT, ms ===== + # Defaut: 30000 ms = 30s + #- EMAIL_NOTIFICATION_TIMEOUT=30000 + #----------------------------------------------------------------- + # ==== CORS ===== + # CORS: Set Access-Control-Allow-Origin header. + #- CORS=* + # CORS_ALLOW_HEADERS: Set Access-Control-Allow-Headers header. "Authorization,Content-Type" is required for cross-origin use of the API. + #- CORS_ALLOW_HEADERS=Authorization,Content-Type + # CORS_EXPOSE_HEADERS: Set Access-Control-Expose-Headers header. This is not needed for typical CORS situations + #- CORS_EXPOSE_HEADERS=* + #----------------------------------------------------------------- + # ==== MATOMO INTEGRATION ==== + # Optional: Integration with Matomo https://matomo.org that is installed to your server + # The address of the server where Matomo is hosted. + #- MATOMO_ADDRESS=https://example.com/matomo + # The value of the site ID given in Matomo server for Wekan + #- MATOMO_SITE_ID=1 + # The option do not track which enables users to not be tracked by matomo + #- MATOMO_DO_NOT_TRACK=true + # The option that allows matomo to retrieve the username: + #- MATOMO_WITH_USERNAME=true + #----------------------------------------------------------------- + # ==== BROWSER POLICY AND TRUSTED IFRAME URL ==== + # Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside. + # Setting this to false is not recommended, it also disables all other browser policy protections + # and allows all iframing etc. See wekan/server/policy.js + - BROWSER_POLICY_ENABLED=true + # When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside. + #- TRUSTED_URL=https://intra.example.com + #----------------------------------------------------------------- + # ==== OUTGOING WEBHOOKS ==== + # What to send to Outgoing Webhook, or leave out. Example, that includes all that are default: cardId,listId,oldListId,boardId,comment,user,card,commentId . + - WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId + #----------------------------------------------------------------- + # ==== Debug OIDC OAuth2 etc ==== + #- DEBUG=true + #----------------------------------------------------------------- + # ==== OAUTH2 AZURE ==== + # https://github.com/wekan/wekan/wiki/Azure + # 1) Register the application with Azure. Make sure you capture + # the application ID as well as generate a secret key. + # 2) Configure the environment variables. This differs slightly + # by installation type, but make sure you have the following: + #- OAUTH2_ENABLED=true + # OAuth2 login style: popup or redirect. + #- OAUTH2_LOGIN_STYLE=redirect + # Application GUID captured during app registration: + #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx + # Secret key generated during app registration: + #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + #- OAUTH2_SERVER_URL=https://login.microsoftonline.com/ + #- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize + #- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo + #- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token + # The claim name you want to map to the unique ID field: + #- OAUTH2_ID_MAP=email + # The claim name you want to map to the username field: + #- OAUTH2_USERNAME_MAP=email + # The claim name you want to map to the full name field: + #- OAUTH2_FULLNAME_MAP=name + # Tthe claim name you want to map to the email field: + #- OAUTH2_EMAIL_MAP=email + #----------------------------------------------------------------- + # ==== OAUTH2 KEYCLOAK ==== + # https://github.com/wekan/wekan/wiki/Keycloak <== MAPPING INFO, REQUIRED + #- OAUTH2_ENABLED=true + # OAuth2 login style: popup or redirect. + #- OAUTH2_LOGIN_STYLE=redirect + #- OAUTH2_CLIENT_ID= + #- OAUTH2_SERVER_URL=/auth + #- OAUTH2_AUTH_ENDPOINT=/realms//protocol/openid-connect/auth + #- OAUTH2_USERINFO_ENDPOINT=/realms//protocol/openid-connect/userinfo + #- OAUTH2_TOKEN_ENDPOINT=/realms//protocol/openid-connect/token + #- OAUTH2_SECRET= + #----------------------------------------------------------------- + # ==== OAUTH2 DOORKEEPER ==== + # https://github.com/wekan/wekan/issues/1874 + # https://github.com/wekan/wekan/wiki/OAuth2 + # Enable the OAuth2 connection + #- OAUTH2_ENABLED=true + # OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2 + # OAuth2 login style: popup or redirect. + #- OAUTH2_LOGIN_STYLE=redirect + # OAuth2 Client ID. + #- OAUTH2_CLIENT_ID=abcde12345 + # OAuth2 Secret. + #- OAUTH2_SECRET=54321abcde + # OAuth2 Server URL. + #- OAUTH2_SERVER_URL=https://chat.example.com + # OAuth2 Authorization Endpoint. + #- OAUTH2_AUTH_ENDPOINT=/oauth/authorize + # OAuth2 Userinfo Endpoint. + #- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo + # OAuth2 Token Endpoint. + #- OAUTH2_TOKEN_ENDPOINT=/oauth/token + # OAUTH2 ID Token Whitelist Fields. + #- OAUTH2_ID_TOKEN_WHITELIST_FIELDS="" + # OAUTH2 Request Permissions. + #- OAUTH2_REQUEST_PERMISSIONS=openid profile email + # OAuth2 ID Mapping + #- OAUTH2_ID_MAP= + # OAuth2 Username Mapping + #- OAUTH2_USERNAME_MAP= + # OAuth2 Fullname Mapping + #- OAUTH2_FULLNAME_MAP= + # OAuth2 Email Mapping + #- OAUTH2_EMAIL_MAP= + #----------------------------------------------------------------- + # ==== LDAP: UNCOMMENT ALL TO ENABLE LDAP ==== + # https://github.com/wekan/wekan/wiki/LDAP + # For Snap settings see https://github.com/wekan/wekan-snap/wiki/Supported-settings-keys + # Most settings work both on Snap and Docker below. + # Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required. + # + # The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap. + - DEFAULT_AUTHENTICATION_METHOD=ldap + # + # Enable or not the connection by the LDAP + - LDAP_ENABLE=true + # + # The port of the LDAP server + - LDAP_PORT=389 + # + # The host server for the LDAP server + - LDAP_HOST=dc1.k-space.lan + # + # The base DN for the LDAP Tree + - LDAP_BASEDN=dc=k-space,dc=lan + # + # Fallback on the default authentication method + - LDAP_LOGIN_FALLBACK=false + # + # Reconnect to the server if the connection is lost + - LDAP_RECONNECT=true + # + # Overall timeout, in milliseconds + - LDAP_TIMEOUT=10000 + # + # Specifies the timeout for idle LDAP connections in milliseconds + - LDAP_IDLE_TIMEOUT=10000 + # + # Connection timeout, in milliseconds + - LDAP_CONNECT_TIMEOUT=10000 + # + # If the LDAP needs a user account to search + - LDAP_AUTHENTIFICATION=true + # + # The search user DN - You need quotes when you have spaces in parameters + # 2 examples: + #- LDAP_AUTHENTIFICATION_USERDN="CN=ldap admin,CN=users,DC=domainmatter,DC=lan" + #- LDAP_AUTHENTIFICATION_USERDN="CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com" + # + # The password for the search user + - LDAP_AUTHENTIFICATION_PASSWORD=pwd + # + # Enable logs for the module + - LDAP_LOG_ENABLED=true + # + # If the sync of the users should be done in the background + - LDAP_BACKGROUND_SYNC=false + # + # At which interval does the background task sync in milliseconds. + # Leave this unset, so it uses default, and does not crash. + # https://github.com/wekan/wekan/issues/2354#issuecomment-515305722 + - LDAP_BACKGROUND_SYNC_INTERVAL='' + # + #- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false + # + #- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false + # + # If using LDAPS: LDAP_ENCRYPTION=ssl + - LDAP_ENCRYPTION=ssl + # + # The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file. + - LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIFqDCCA5CgAwIBAgIE5hknWjANBgkqhkiG9w0BAQUFADByMR0wGwYDVQQKExRTYW1iYSBBZG1pbmlzdHJhdGlvbjE3MDUGA1UECxMuU2FtYmEgLSB0ZW1wb3JhcnkgYXV0b2dlbmVyYXRlZCBDQSBjZXJ0aWZpY2F0ZTEYMBYGA1UEAxMPREMxLmstc3BhY2UubGFuMB4XDTE3MTIwNTIyMTI1NFoXDTE5MTEwNTIyMTI1NFowdDEdMBsGA1UEChMUU2FtYmEgQWRtaW5pc3RyYXRpb24xOTA3BgNVBAsTMFNhbWJhIC0gdGVtcG9yYXJ5IGF1dG9nZW5lcmF0ZWQgSE9TVCBjZXJ0aWZpY2F0ZTEYMBYGA1UEAxMPREMxLmstc3BhY2UubGFuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5wiOgdRYZ5UTlGGQ6yLrFKQG9ZqfFOI/NBSlhw6+fs9KbHQiDwjSMzqUQa2lDWGoqJcmn4EP4v6dNEs1rxXjahVR00CzMpPumma/seHrkKx26t6DvDMgLmCuNswGU/KN5sV1wU5cEmQonkr+BH5k5M4d8fTVaGQOFGun2AaA2KRLm1dilOsr37bYhMeKHKDLnShZOGegUKw0+Dn8W7W6taVNU2yKZXmy07Hg55PAIgNT/Ni+gYjy+T4dul//zILlnuvfopd3giIJ0G8h/1rK3SzqaB/I2BHIAoVQ+LIb/bwWYAU06/vT480Uhdmr5jOyFs/EOwm+X706KTobRtr2aRzZVHLQvwGHnl4Y6Ga0ocbOFEKWzpkeIDPO+iP5Q+vWBFJID0Zv64fZYjIL1jJ2+l598JCI3lJTqBczXaaUigJzPxUyk0h/9yR+zzj7qZb0rc3loqvNFn6N+1a3y+5uXfsbtf6H7Qmugw1RT+gsWwdIlJBca+0wEzp1XDymryJW1jKTq2jcQO2VTuYgPfAAkk9E/pbFyUSdBMLyJf0yALCRgKtGmH+jio9CZKnfyH+WDZZMf64GAxFLBLbInOUBZDXjLoNcsldeejpsDQ6b8BWYHRGGmwspYvp/EBDY3oC0lfHx1dgu1xkAbIPUJarzDuLGAMD5JJUkCVwkD92ivgkCAwEAAaNEMEIwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUUXuarAUGg5SXgVTd7qjm39Jay6owDQYJKoZIhvcNAQEFBQADggIBACJDpQKuCanGQ7U0jsltgKunpJs3ZOtZP7jJhz+TeEvEYDaOFPreFLRpTOF2dTE3E5XVrUVFdCZCJcON3gkBCVDcEGfHxHTL1geGnKb6o/PY2N5l/Z8mjlqB83jxJ4xCbpELA4LWQ6jNTYcih4viInrpIyD7w05kN8bEyzet/pgms8G46+E8xAxQCCbKEM0bLrSRcUjWtqjgK34sXKYyFA0YDMafJtHgw4vDti1NdCCA88RjEdwTXJD/iiJLvA4rK7lU3JPt1sXaeawQJAK1XK7nWArmHZ3mpch+wRBX62BOvYtJAvboYMCc29bOQszQZEASnzj8cZmb5qAS2MWg2wvDgn0Z87NiGYD3xnadaVtUIYmIRb/2bOJc8qlDdasvdNvJY7zRD5xJZoUUax1eZcu/73f3PCelUsZmnUsrYhpSX5VaZyJfIBujygf9RFEeZ0q1br10ULkTN2DxAWmY6r+huywQr2wd9A3iPeo+BcUboQV3c0oFd+okDB6rbJ9U+x/CCQLXOBattZV2fqjN9C4DzSlWmLDxgFayFnG9bGUu1rfVj2S9D09hXCzY/hcM6OIhAnFVi6BxPred0RRT8q/GLgxwVlG8nN1AwMEXvDYR6q6BawDMyPAyWBE7AiV/6ubfuq94CYPxPWCaaUfuhwh5aGWn0mtyxK80rNIJZ1U1-----END CERTIFICATE----- + # + # Reject Unauthorized Certificate + #- LDAP_REJECT_UNAUTHORIZED=false + # + # Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key). + #- LDAP_USER_AUTHENTICATION="true" + # + # Which field is used to find the user for the user authentication. Default: uid. + #- LDAP_USER_AUTHENTICATION_FIELD="uid" + # + # Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed + #- LDAP_USER_SEARCH_FILTER= + # + # base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree) + #- LDAP_USER_SEARCH_SCOPE=one + # + # Which field is used to find the user, like uid / sAMAccountName + #- LDAP_USER_SEARCH_FIELD=sAMAccountName + # + # Used for pagination (0=unlimited) + #- LDAP_SEARCH_PAGE_SIZE=0 + # + # The limit number of entries (0=unlimited) + #- LDAP_SEARCH_SIZE_LIMIT=0 + # + # Enable group filtering + #- LDAP_GROUP_FILTER_ENABLE=false + # + # The object class for filtering. Example: group + #- LDAP_GROUP_FILTER_OBJECTCLASS= + # + #- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE= + # + #- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE= + # + #- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT= + # + #- LDAP_GROUP_FILTER_GROUP_NAME= + # + # LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid + #- LDAP_UNIQUE_IDENTIFIER_FIELD= + # + # LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8 + #- LDAP_UTF8_NAMES_SLUGIFY=true + # + # LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName + #- LDAP_USERNAME_FIELD=sAMAccountName + # + # LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName + #- LDAP_FULLNAME_FIELD=fullname + # + #- LDAP_MERGE_EXISTING_USERS=false + # + # Allow existing account matching by e-mail address when username does not match + #- LDAP_EMAIL_MATCH_ENABLE=true + # + # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match + #- LDAP_EMAIL_MATCH_REQUIRE=true + # + # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching + #- LDAP_EMAIL_MATCH_VERIFIED=true + # + # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address + #- LDAP_EMAIL_FIELD=mail + #----------------------------------------------------------------- + #- LDAP_SYNC_USER_DATA=false + # + #- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"} + # + #- LDAP_SYNC_GROUP_ROLES='' + # + # The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP + # example : + - LDAP_DEFAULT_DOMAIN=k-space.lan + # + # Enable/Disable syncing of admin status based on ldap groups: + - LDAP_SYNC_ADMIN_STATUS=true + # + # Comma separated list of admin group names to sync. + #- LDAP_SYNC_ADMIN_GROUPS=group1,group2 + #--------------------------------------------------------------------- + # Login to LDAP automatically with HTTP header. + # In below example for siteminder, at right side of = is header name. + #- HEADER_LOGIN_ID=HEADERUID + #- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME + #- HEADER_LOGIN_LASTNAME=HEADERLASTNAME + #- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS + #--------------------------------------------------------------------- + # ==== LOGOUT TIMER, probably does not work yet ==== + # LOGOUT_WITH_TIMER : Enables or not the option logout with timer + # example : LOGOUT_WITH_TIMER=true + #- LOGOUT_WITH_TIMER= + # + # LOGOUT_IN : The number of days + # example : LOGOUT_IN=1 + #- LOGOUT_IN= + # + # LOGOUT_ON_HOURS : The number of hours + # example : LOGOUT_ON_HOURS=9 + #- LOGOUT_ON_HOURS= + # + # LOGOUT_ON_MINUTES : The number of minutes + # example : LOGOUT_ON_MINUTES=55 + #- LOGOUT_ON_MINUTES= + #------------------------------------------------------------------- + + depends_on: + - wekandb + +#--------------------------------------------------------------------------------- +# ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ==== +# When using Wekan both at office LAN and remote VPN: +# 1) Have above Wekan docker container config with LAN IP address +# 2) Copy all of above wekan container config below, look above of this part above and all config below it, +# before above depends_on: part: +# +# wekan: +# #------------------------------------------------------------------------------------- +# # ==== MONGODB AND METEOR VERSION ==== +# # a) For Wekan Meteor 1.8.x version at meteor-1.8 branch, ..... +# +# +# and change name to different name like wekan2 or wekanvpn, and change ROOT_URL to server VPN IP +# address. +# 3) This way both Wekan containers can use same MongoDB database +# and see the same Wekan boards. +# 4) You could also add 3rd Wekan container for 3rd network etc. +# EXAMPLE: +# wekan2: +# ....COPY CONFIG FROM ABOVE TO HERE... +# environment: +# - ROOT_URL='http://10.10.10.10' +# ...COPY CONFIG FROM ABOVE TO HERE... +#--------------------------------------------------------------------------------- + +# OPTIONAL NGINX CONFIG FOR REVERSE PROXY +# nginx: +# image: nginx +# container_name: nginx +# restart: always +# networks: +# - wekan-tier +# depends_on: +# - wekan +# ports: +# - 80:80 +# - 443:443 +# volumes: +# - ./nginx/ssl:/etc/nginx/ssl/:ro +# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro +## Alternative volume config: +## volumes: +## - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro +## - ./nginx/ssl/ssl.conf:/etc/nginx/conf.d/ssl/ssl.conf:ro +## - ./nginx/ssl/testvm-ehu.crt:/etc/nginx/conf.d/ssl/certs/mycert.crt:ro +## - ./nginx/ssl/testvm-ehu.key:/etc/nginx/conf.d/ssl/certs/mykey.key:ro +## - ./nginx/ssl/pphrase:/etc/nginx/conf.d/ssl/pphrase:ro + +networks: + wekan-tier: + driver: bridge diff --git a/ansible/kanban/templates/systemd_docker-compose_service.j2 b/ansible/kanban/templates/systemd_docker-compose_service.j2 new file mode 100644 index 0000000..79a6d28 --- /dev/null +++ b/ansible/kanban/templates/systemd_docker-compose_service.j2 @@ -0,0 +1,25 @@ +[Unit] +Description=%i service with docker compose managed by Ansible +Requires=docker.service +After=docker.service + +[Service] +Restart=always + +WorkingDirectory=/opt/%i + +# Remove old containers, images and volumes +ExecStartPre=/usr/bin/docker-compose down -v +ExecStartPre=/usr/bin/docker-compose rm -fv +ExecStartPre=-/bin/bash -c 'docker volume ls -qf "name=%i_" | xargs docker volume rm' +ExecStartPre=-/bin/bash -c 'docker network ls -qf "name=%i_" | xargs docker network rm' +ExecStartPre=-/bin/bash -c 'docker ps -aqf "name=%i_*" | xargs docker rm' + +# Compose up +ExecStart=/usr/bin/docker-compose up + +# Compose down, remove containers and volumes +ExecStop=/usr/bin/docker-compose down -v + +[Install] +WantedBy=multi-user.target