service: fix conditional

roles/alertmanager/tasks/main.yml

@@ -1,8 +1,7 @@
 ---
-
 - name: Prometheus alertmanager container
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: alertmanager
     docker_image: prom/alertmanager

roles/authentik/defaults/main.yml

@@ -3,3 +3,5 @@ authentik_tag: latest
 authentik_env: {}
 docker_networks:
   - name: authentik
+
+authentik_additional_mounts: []

roles/authentik/meta/argument_specs.yml

@@ -15,6 +15,42 @@ argument_specs:
         type: dict
         required: false
         default: {}
+      authentik_additional_mounts:
+        description: "List of bind mounts or volumes to be mounted inside the container. Each element is a dict with path and exactly one of name, src or template"
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          path:
+            description: "The path inside the container to mount at"
+            type: str
+            required: true
+          readonly:
+            description: "If true, volume will be mounted as read only inside the container. Only applies for named and src mounts."
+            type: bool
+            required: false
+            default: false
+          mode:
+            description: "Permissions for the created/templated directory. Defaults to '0644' for files, '0755' for directories. Doesn't apply for named volumes."
+            type: str
+            required: false
+          name:
+            description: "If docker_volume_type is named, the name of the named volume to be mounted at path. If docker_volume_type is bind, the name of the folder to create under /opt/<service>[/suffix]/mounts/ and mount at path."
+            type: str
+            required: false
+          src:
+            description: "Host path to bind mount inside the container."
+            type: str
+            required: false
+          template:
+            description: "Name of template without .j2 extension. Will be templated at /opt/<service>[/suffix]/mounts/<template> and mounted read only inside the container."
+            type: str
+            required: false
+          copypath:
+            description: "Name of file or directory to copy. Will be deployed from files/<copypath> to /opt/<service>[/suffix]/mounts/<copypath> and mounted read only inside the container."
+            type: str
+            required: false
 
       # All options after this will be passed directly to the container role
       docker_service_suffix:

roles/authentik/tasks/main.yml

@@ -4,7 +4,7 @@
     name: service
   vars:
     docker_service: authentik
-    docker_image: "beryju/authentik:{{ authentik_tag }}"
+    docker_image: "ghcr.io/goauthentik/server:{{ authentik_tag }}"
     docker_command:
       - server
     docker_image_http_port: 9000
@@ -12,13 +12,7 @@
     docker_additional_services:
       - redis
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
+    docker_mounts: "{{ _authentik_mounts }}"
 
 - name: Authentik worker container
   ansible.builtin.include_role:
@@ -26,15 +20,9 @@
   vars:
     docker_namespace: authentik
     docker_service: worker
-    docker_image: "beryju/authentik:{{ authentik_tag }}"
+    docker_image: "ghcr.io/goauthentik/server:{{ authentik_tag }}"
     docker_command:
       - worker
     reverse_proxy_type: none
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
+    docker_mounts: "{{ _authentik_mounts }}"

roles/authentik/vars/main.yml

@@ -1,4 +1,12 @@
 ---
+_authentik_default_mounts:
+  - path: /media
+    name: "media"
+  - path: /templates
+    name: "templates"
+  - path: /certs
+    name: "certs"
+_authentik_mounts: "{{ _authentik_default_mounts + authentik_additional_mounts }}"
 
 authentik_common_env:
   AUTHENTIK_REDIS__HOST: authentik-redis

roles/authentik_ldap/tasks/main.yaml

@@ -4,7 +4,7 @@
     name: service
   vars:
     docker_service: authentik-ldap
-    docker_image: beryju/authentik-ldap:{{ authentik_ldap_tag }}
+    docker_image: ghcr.io/goauthentik/ldap:{{ authentik_ldap_tag }}
     reverse_proxy_type: none
     docker_env:
       AUTHENTIK_HOST: "{{ authentik_ldap_authentik_address }}"

roles/docker/tasks/main.yml

@@ -1,14 +1,17 @@
 ---
+- name: Ensure legacy apt repository not present
+  ansible.builtin.file:
+    path: /etc/apt/sources.list.d/docker.list
+    state: absent
 
 - name: Add docker apt repository
-  ansible.builtin.import_role:
-    name: uumas.general.apt_repository
-  vars:
-    repo_name: docker
-    repo_url: https://download.docker.com/linux/{{ ansible_distribution | lower }}
-    repo_key_url: https://download.docker.com/linux/debian/gpg
-    repo_arch: "{{ apt_arch }}"
-    repo_components:
+  ansible.builtin.deb822_repository:
+    name: docker
+    uris: https://download.docker.com/linux/{{ ansible_distribution | lower }}
+    signed_by: https://download.docker.com/linux/debian/gpg
+    suites: "{{ ansible_distribution_release }}"
+#    architectures: "{{ apt_arch }}"
+    components:
       - stable
 
 - name: Install docker

roles/dokuwiki/defaults/main.yml

@@ -1,4 +1,3 @@
 ---
-
 dokuwiki_wiki_name: DokuWiki
 dokuwiki_admin_email: "{{ admin_email }}"

roles/dokuwiki/tasks/main.yml

@@ -1,18 +1,11 @@
 ---
-
 - name: Dokuwiki container
   import_role:
-    name: container
+    name: service
   vars:
     docker_service: dokuwiki
-    docker_image: bitnami/dokuwiki
+    docker_image: dokuwiki/dokuwiki:stable
     docker_image_http_port: 8080
     docker_mounts:
       - name: data
-        path: /bitnami/dokuwiki
-    docker_env:
-      DOKUWIKI_USERNAME: admin
-      DOKUWIKI_FULL_NAME: Admin
-      DOKUWIKI_PASSWORD: "{{ dokuwiki_admin_password }}"
-      DOKUWIKI_EMAIL: "{{ dokuwiki_admin_email }}"
-      DOKUWIKI_WIKI_NAME: "{{ dokuwiki_wiki_name }}"
+        path: /storage

roles/gitea/meta/main.yml

@@ -26,7 +26,7 @@ dependencies:
       GITEA__mailer__ENABLED: "true"
       GITEA__mailer__HOST: "{{ smtp_server }}:587"
       GITEA__mailer__FROM: "{{ smtp_from }}"
-      GITEA__mailer__MAILER_TYPE: smtp
+      GITEA__mailer__PROTOCOL: smtp
       GITEA__mailer__USER: "{{ smtp_user | default(omit) }}"
       GITEA__mailer__PASSWD: "{{ smtp_pw | default(omit) }}"
       GITEA__service__REQUIRE_SIGNIN_VIEW: "{{ gitea_require_signin_view | default(omit) }}"

roles/grafana/tasks/main.yml

@@ -1,8 +1,7 @@
 ---
-
 - name: Grafana container
-  import_role:
-    name: container
+  include_role:
+    name: service
   vars:
     docker_service: grafana
     docker_image: grafana/grafana

roles/hedgedoc/meta/main.yml

@@ -7,7 +7,7 @@ dependencies:
     docker_image_http_port: 3000
     docker_database: postgres
     docker_mounts:
-      - name: hedgedoc_uploads
+      - name: uploads
         path: /hedgedoc/public/uploads
     docker_env:
       CMD_DB_URL: postgres://hedgedoc:{{ database_passwords.hedgedoc }}@hedgedoc_db:5432/hedgedoc

roles/jitsi/tasks/main.yml

@@ -133,3 +133,13 @@
       - name: meet.jitsi
         aliases:
           - jvb.meet.jitsi
+
+- name: Open ports for jitsi
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - 4443/tcp
+    - 10000/udp

roles/keycloak/meta/main.yml

@@ -6,13 +6,12 @@ dependencies:
     docker_image: quay.io/keycloak/keycloak:latest
     docker_image_http_port: 8080
     docker_database: postgres
-    docker_command: start
+    docker_command: start --proxy-headers xforwarded
     docker_env:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_pw }}"
       KC_HOSTNAME: "{{ docker_vhost_domains.keycloak[0] }}"
       KC_HTTP_ENABLED: "true"
-      KC_PROXY: edge
       KC_DB: postgres
       KC_DB_URL: jdbc:postgresql://keycloak_db/keycloak
       KC_DB_USERNAME: keycloak

roles/prometheus/tasks/main.yml

@@ -1,8 +1,7 @@
 ---
-
 - name: Prometheus container
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: prometheus
     docker_image: prom/prometheus
@@ -10,7 +9,7 @@
     docker_command:
       - "--config.file=/etc/prometheus/prometheus.yml"
       - "--storage.tsdb.path=/prometheus"
-      - "--storage.tsdb.retention={{ prometheus_storage_retention }}"
+      - "--storage.tsdb.retention.time={{ prometheus_storage_retention }}"
       - "--web.console.libraries=/usr/share/prometheus/console_libraries"
       - "--web.console.templates=/usr/share/prometheus/consoles"
     docker_mounts:
@@ -33,7 +32,7 @@
 
 - name: Webhook container for prometheus
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: prometheus_webhook
     docker_image: thecatlady/webhook
@@ -47,7 +46,7 @@
 
 - name: Blackbox exporter for prometheus
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: blackbox_exporter
     docker_image: prom/blackbox-exporter

roles/service/tasks/image.yml

@@ -68,4 +68,4 @@
     image_user: "{{ container_image.Config.User }}"
   when:
     - not ansible_check_mode
-    - container_image.Config.User | int
+    - container_image.Config.User | int != 0

roles/service/tasks/init.yml

@@ -10,6 +10,7 @@
     _docker_service_name: "{{ docker_service_name }}"
     _docker_mount_definition: "{{ docker_mount_definition }}"
     _container_published_ports: "{{ container_published_ports }}"
+    _docker_published_ports: "{{ docker_published_ports }}"
     _container_image: "{{ container_image }}"
     _container_networks: "{{ container_networks }}"
     _template_mounts_needed: "{{ template_mounts_needed }}"

roles/service/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Container role initialization
+- name: Role initialization
   import_tasks: init.yml
 
 - name: Docker network
@@ -123,6 +123,7 @@
     docker_service_name: "{{ _docker_service_name }}"
     docker_mount_definition: "{{ _docker_mount_definition }}"
     container_published_ports: "{{ _container_published_ports }}"
+    docker_published_ports: "{{ _docker_published_ports }}"
     container_image: "{{ _container_image }}"
     container_networks: "{{ _container_networks }}"
     template_mounts_needed: "{{ _template_mounts_needed }}"

roles/service/tasks/mounts.yml

@@ -41,7 +41,8 @@
       copy:
         src: "files/{{ item.copypath }}"
         dest: "{{ docker_mounts_dir }}/"
-        mode: "{{ item.mode | default('0755') }}"
+        directory_mode: "{{ item.mode | default('0755') }}"
+        mode: "{{ item.mode | default('0644') }}"
       when: item.copypath is defined
       loop: "{{ docker_mounts }}"
       notify: Restart container

roles/wekan/meta/main.yml

@@ -7,7 +7,7 @@ dependencies:
     docker_image_http_port: 8080
     docker_database: mongo
     docker_mounts:
-      - name: wekan_data
+      - name: data
         path: /data
     docker_env:
       MONGO_URL: mongodb://wekan_db:27017/wekan

roles/wekan/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Get wekan data volume path from container creation output
   set_fact:
     wekan_data_volume: "{{ container_out.container.Mounts | selectattr('Destination', 'equalto', '/data') | join }}"