service: fix conditional

galaxy.yml

@@ -3,11 +3,11 @@
 namespace: uumas
 name: docker
 description: Roles for installing services in docker containers
-version: 0.9.0
+version: 0.9.1
 readme: README.md
 repository: https://git.uumas.fi/uumas/ansible-docker
 license_file: LICENSE
 dependencies:
-  uumas.general: '>=0.5.9'
+  uumas.general: '>=0.5.13'
 authors:
   - uumas

roles/alertmanager/meta/argument_specs.yml

@@ -74,6 +74,9 @@ argument_specs:
       docker_vhost_domains:
         description: "Passed to container role"
         required: false
+      docker_vhost_additional_locations:
+        description: "Passed to container role"
+        required: false
       docker_entrypoint:
         description: "Passed to container role"
         required: false

roles/alertmanager/tasks/main.yml

@@ -1,8 +1,7 @@
 ---
-
 - name: Prometheus alertmanager container
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: alertmanager
     docker_image: prom/alertmanager

roles/alpine/meta/argument_specs.yml

@@ -33,6 +33,9 @@ argument_specs:
       docker_vhost_domains:
         description: "Passed to container role"
         required: false
+      docker_vhost_additional_locations:
+        description: "Passed to container role"
+        required: false
       docker_entrypoint:
         description: "Passed to container role"
         required: false

roles/authentik/defaults/main.yml

@@ -1,5 +1,7 @@
 ---
-
+authentik_tag: latest
 authentik_env: {}
 docker_networks:
   - name: authentik
+
+authentik_additional_mounts: []

roles/authentik/meta/argument_specs.yml

@@ -5,11 +5,52 @@ argument_specs:
     short_description: Authentik container
     description: "Sets up an authentik docker container."
     options:
+      authentik_tag:
+        description: 'Authentik version to use. Can be minor (2024.8) or patch (2024.8.1) or "latest".'
+        type: str
+        required: false
+        default: latest
       authentik_env:
         description: "dict of custom environment variables for authentik container"
         type: dict
         required: false
         default: {}
+      authentik_additional_mounts:
+        description: "List of bind mounts or volumes to be mounted inside the container. Each element is a dict with path and exactly one of name, src or template"
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          path:
+            description: "The path inside the container to mount at"
+            type: str
+            required: true
+          readonly:
+            description: "If true, volume will be mounted as read only inside the container. Only applies for named and src mounts."
+            type: bool
+            required: false
+            default: false
+          mode:
+            description: "Permissions for the created/templated directory. Defaults to '0644' for files, '0755' for directories. Doesn't apply for named volumes."
+            type: str
+            required: false
+          name:
+            description: "If docker_volume_type is named, the name of the named volume to be mounted at path. If docker_volume_type is bind, the name of the folder to create under /opt/<service>[/suffix]/mounts/ and mount at path."
+            type: str
+            required: false
+          src:
+            description: "Host path to bind mount inside the container."
+            type: str
+            required: false
+          template:
+            description: "Name of template without .j2 extension. Will be templated at /opt/<service>[/suffix]/mounts/<template> and mounted read only inside the container."
+            type: str
+            required: false
+          copypath:
+            description: "Name of file or directory to copy. Will be deployed from files/<copypath> to /opt/<service>[/suffix]/mounts/<copypath> and mounted read only inside the container."
+            type: str
+            required: false
 
       # All options after this will be passed directly to the container role
       docker_service_suffix:
@@ -38,6 +79,9 @@ argument_specs:
       docker_vhost_domains:
         description: "Passed to container role"
         required: false
+      docker_vhost_additional_locations:
+        description: "Passed to container role"
+        required: false
       docker_entrypoint:
         description: "Passed to container role"
         required: false

roles/authentik/tasks/main.yml

@@ -1,15 +1,10 @@
 ---
-
-- name: Set docker service full name (required because docker_mounts uses it)
-  set_fact:
-    authentik_service_name: "authentik{{ '_' + docker_service_suffix if docker_service_suffix is defined else '' }}"
-
 - name: Authentik container
   ansible.builtin.include_role:
     name: service
   vars:
     docker_service: authentik
-    docker_image: beryju/authentik:latest
+    docker_image: "ghcr.io/goauthentik/server:{{ authentik_tag }}"
     docker_command:
       - server
     docker_image_http_port: 9000
@@ -17,13 +12,7 @@
     docker_additional_services:
       - redis
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
+    docker_mounts: "{{ _authentik_mounts }}"
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
 
 - name: Authentik worker container
   ansible.builtin.include_role:
@@ -31,15 +20,9 @@
   vars:
     docker_namespace: authentik
     docker_service: worker
-    docker_image: beryju/authentik:latest
+    docker_image: "ghcr.io/goauthentik/server:{{ authentik_tag }}"
     docker_command:
       - worker
     reverse_proxy_type: none
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
+    docker_mounts: "{{ _authentik_mounts }}"
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"

roles/authentik/vars/main.yml

@@ -1,4 +1,12 @@
 ---
+_authentik_default_mounts:
+  - path: /media
+    name: "media"
+  - path: /templates
+    name: "templates"
+  - path: /certs
+    name: "certs"
+_authentik_mounts: "{{ _authentik_default_mounts + authentik_additional_mounts }}"
 
 authentik_common_env:
   AUTHENTIK_REDIS__HOST: authentik-redis

roles/authentik_ldap/README.md

@@ -0,0 +1 @@
+Sets up an authentik ldap outpost container.

roles/authentik_ldap/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+authentik_ldap_tag: latest

roles/authentik_ldap/meta/argument_specs.yaml

@@ -1,12 +1,21 @@
 ---
-
 argument_specs:
   main:
-    short_description: UISP container
+    short_description: Authentik container
-    description: "Sets up an UISP docker container."
+    description: "Sets up an authentik docker container."
     options:
-      ports:
+      authentik_ldap_tag:
-        description: "ports.netflow is used directly. Others passed to container role"
+        description: 'Authentik ldap outpost version to use. Can be minor (2024.8) or patch (2024.8.1) or "latest". Should probably be the same as authentik.'
+        type: str
+        required: false
+        default: latest
+      authentik_ldap_authentik_address:
+        description: "Address starting with https where authentik is reachable"
+        type: str
+        required: true
+      authentik_ldap_outpost_token:
+        description: Outpost token generated by authentik
+        type: str
         required: true
 
       # All options after this will be passed directly to the container role
@@ -17,6 +26,9 @@ argument_specs:
         description: "Passed to container role"
         required: false
 
+      database_passwords:
+        description: "Passed to container role"
+        required: false
       docker_additional_services:
         description: "Passed to container role"
         required: false
@@ -24,12 +36,12 @@ argument_specs:
       docker_volume_type:
         description: "Passed to container role"
         required: false
-      reverse_proxy_type:
+      ports:
-        description: "Passed to container role"
-        required: false
-      docker_vhost_domains:
         description: "Passed to container role"
         required: false
       docker_entrypoint:
         description: "Passed to container role"
         required: false
+      dockerfile:
+        description: "Passed to container role"
+        required: false

roles/authentik_ldap/tasks/main.yaml

@@ -0,0 +1,12 @@
+---
+- name: Authentik ldap container
+  ansible.builtin.include_role:
+    name: service
+  vars:
+    docker_service: authentik-ldap
+    docker_image: ghcr.io/goauthentik/ldap:{{ authentik_ldap_tag }}
+    reverse_proxy_type: none
+    docker_env:
+      AUTHENTIK_HOST: "{{ authentik_ldap_authentik_address }}"
+      AUTHENTIK_INSECURE: 'false'
+      AUTHENTIK_TOKEN: "{{ authentik_ldap_outpost_token }}"

roles/container/tasks/proxy.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Reverse proxy
   include_role:
     name: uumas.general.vhost
@@ -8,7 +7,7 @@
     vhost_id: "{{ docker_service_name }}"
     vhost_proxy_target_protocol: "{{ docker_proxy_target_protocol }}"
     vhost_domains: "{{ docker_vhost_domains[docker_service_name] }}"
-    vhost_proxy_target_port: "{{ ports[docker_service_name][proxy_target_protocol] }}"
+    vhost_proxy_target_port: "{{ ports[docker_service_name][vhost_proxy_target_protocol] }}"
   when: reverse_proxy_type != 'traefik'
 
 - name: Set published ports variable to http port

roles/docker/tasks/main.yml

@@ -1,14 +1,17 @@
 ---
+- name: Ensure legacy apt repository not present
+  ansible.builtin.file:
+    path: /etc/apt/sources.list.d/docker.list
+    state: absent
 
 - name: Add docker apt repository
-  ansible.builtin.import_role:
+  ansible.builtin.deb822_repository:
-    name: uumas.general.apt_repository
+    name: docker
-  vars:
+    uris: https://download.docker.com/linux/{{ ansible_distribution | lower }}
-    repo_name: docker
+    signed_by: https://download.docker.com/linux/debian/gpg
-    repo_url: https://download.docker.com/linux/{{ ansible_distribution | lower }}
+    suites: "{{ ansible_distribution_release }}"
-    repo_key_url: https://download.docker.com/linux/debian/gpg
+#    architectures: "{{ apt_arch }}"
-    repo_arch: "{{ apt_arch }}"
+    components:
-    repo_components:
       - stable
 
 - name: Install docker

roles/dokuwiki/defaults/main.yml

@@ -1,4 +1,3 @@
 ---
-
 dokuwiki_wiki_name: DokuWiki
 dokuwiki_admin_email: "{{ admin_email }}"

roles/dokuwiki/meta/argument_specs.yml

@@ -40,6 +40,9 @@ argument_specs:
       docker_vhost_domains:
         description: "Passed to container role"
         required: false
+      docker_vhost_additional_locations:
+        description: "Passed to container role"
+        required: false
       docker_entrypoint:
         description: "Passed to container role"
         required: false

roles/dokuwiki/tasks/main.yml

@@ -1,18 +1,11 @@
 ---
-
 - name: Dokuwiki container
   import_role:
-    name: container
+    name: service
   vars:
     docker_service: dokuwiki
-    docker_image: bitnami/dokuwiki
+    docker_image: dokuwiki/dokuwiki:stable
     docker_image_http_port: 8080
     docker_mounts:
       - name: data
-        path: /bitnami/dokuwiki
+        path: /storage
-    docker_env:
-      DOKUWIKI_USERNAME: admin
-      DOKUWIKI_FULL_NAME: Admin
-      DOKUWIKI_PASSWORD: "{{ dokuwiki_admin_password }}"
-      DOKUWIKI_EMAIL: "{{ dokuwiki_admin_email }}"
-      DOKUWIKI_WIKI_NAME: "{{ dokuwiki_wiki_name }}"

roles/element/meta/main.yml

@@ -6,5 +6,5 @@ dependencies:
     vhost_type: reverse_proxy
     vhost_id: element
     vhost_domains: "{{ element_domains }}"
-    vhost_proxy_target: http://127.0.0.1:{{ ports.element_http }}
+    vhost_proxy_target_port: "{{ ports.element_http }}"
     when: reverse_proxy_type != 'none' and reverse_proxy_type != 'traefik'

roles/gitea/meta/main.yml

@@ -7,7 +7,7 @@ dependencies:
     docker_image_http_port: 3000
     docker_database: postgres
     docker_mounts:
-      - name: gitea_data
+      - name: data
         path: /data
       - src: /var/lib/gitea/.ssh/
         path: /data/git/.ssh
@@ -26,7 +26,7 @@ dependencies:
       GITEA__mailer__ENABLED: "true"
       GITEA__mailer__HOST: "{{ smtp_server }}:587"
       GITEA__mailer__FROM: "{{ smtp_from }}"
-      GITEA__mailer__MAILER_TYPE: smtp
+      GITEA__mailer__PROTOCOL: smtp
       GITEA__mailer__USER: "{{ smtp_user | default(omit) }}"
       GITEA__mailer__PASSWD: "{{ smtp_pw | default(omit) }}"
       GITEA__service__REQUIRE_SIGNIN_VIEW: "{{ gitea_require_signin_view | default(omit) }}"

roles/grafana/meta/argument_specs.yml

@@ -88,4 +88,6 @@ argument_specs:
       docker_entrypoint:
         description: "Passed to container role"
         required: false
-
+      docker_vhost_additional_locations:
+        description: "Passed to container role"
+        required: false

roles/grafana/tasks/main.yml

@@ -1,8 +1,7 @@
 ---
-
 - name: Grafana container
-  import_role:
+  include_role:
-    name: container
+    name: service
   vars:
     docker_service: grafana
     docker_image: grafana/grafana

roles/hedgedoc/meta/main.yml

@@ -7,7 +7,7 @@ dependencies:
     docker_image_http_port: 3000
     docker_database: postgres
     docker_mounts:
-      - name: hedgedoc_uploads
+      - name: uploads
         path: /hedgedoc/public/uploads
     docker_env:
       CMD_DB_URL: postgres://hedgedoc:{{ database_passwords.hedgedoc }}@hedgedoc_db:5432/hedgedoc

roles/jitsi/meta/main.yml

@@ -7,5 +7,5 @@ dependencies:
     vhost_id: jitsi
     vhost_domains:
       - "{{ jitsi_domain }}"
-    vhost_proxy_target: http://127.0.0.1:{{ ports.jitsi_http }}
+    vhost_proxy_target_port: "{{ ports.jitsi_http }}"
     when: reverse_proxy_type != 'traefik'

roles/jitsi/tasks/main.yml

@@ -133,3 +133,13 @@
       - name: meet.jitsi
         aliases:
           - jvb.meet.jitsi
+
+- name: Open ports for jitsi
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - 4443/tcp
+    - 10000/udp

roles/keycloak/meta/main.yml

@@ -6,13 +6,12 @@ dependencies:
     docker_image: quay.io/keycloak/keycloak:latest
     docker_image_http_port: 8080
     docker_database: postgres
-    docker_command: start
+    docker_command: start --proxy-headers xforwarded
     docker_env:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_pw }}"
       KC_HOSTNAME: "{{ docker_vhost_domains.keycloak[0] }}"
       KC_HTTP_ENABLED: "true"
-      KC_PROXY: edge
       KC_DB: postgres
       KC_DB_URL: jdbc:postgresql://keycloak_db/keycloak
       KC_DB_USERNAME: keycloak

roles/prometheus/meta/argument_specs.yml

@@ -144,6 +144,9 @@ argument_specs:
       docker_vhost_domains:
         description: "Passed to container role"
         required: false
+      docker_vhost_additional_locations:
+        description: "Passed to container role"
+        required: false
       docker_entrypoint:
         description: "Passed to container role"
         required: false

roles/prometheus/tasks/main.yml

@@ -1,8 +1,7 @@
 ---
-
 - name: Prometheus container
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: prometheus
     docker_image: prom/prometheus
@@ -10,7 +9,7 @@
     docker_command:
       - "--config.file=/etc/prometheus/prometheus.yml"
       - "--storage.tsdb.path=/prometheus"
-      - "--storage.tsdb.retention={{ prometheus_storage_retention }}"
+      - "--storage.tsdb.retention.time={{ prometheus_storage_retention }}"
       - "--web.console.libraries=/usr/share/prometheus/console_libraries"
       - "--web.console.templates=/usr/share/prometheus/consoles"
     docker_mounts:
@@ -33,7 +32,7 @@
 
 - name: Webhook container for prometheus
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: prometheus_webhook
     docker_image: thecatlady/webhook
@@ -47,7 +46,7 @@
 
 - name: Blackbox exporter for prometheus
   include_role:
-    name: container
+    name: service
   vars:
     docker_service: blackbox_exporter
     docker_image: prom/blackbox-exporter

roles/service/defaults/main.yml

@@ -7,10 +7,12 @@ docker_restart_policy: always
 
 reverse_proxy_type: caddy
 docker_proxy_target_protocol: http
+docker_vhost_additional_locations: []
 
 docker_additional_env: {}
 docker_additional_services: []
 docker_database: none
+docker_postgres_tag: 14-alpine
 docker_mounts: []
 docker_network_mode: ""
 docker_networks: []

roles/service/meta/argument_specs.yml

@@ -54,6 +54,11 @@ argument_specs:
           set a password for the mariadb root user
         type: dict
         required: false
+      docker_postgres_tag:
+        description: 'Postgresql version to use. Can be debian (n) or alpine-based (n-alpine), where n can be major version like 14 or minor like 14.13.'
+        type: str
+        required: false
+        default: 14-alpine
       docker_mariadb_config:
         description: |
           A dict specifying config for mariadb. For example
@@ -163,6 +168,10 @@ argument_specs:
       docker_vhost_domains:
         description: "docker_vhost_domains[docker_service] is a list which defines which domains should be proxied to the container. Required if reverse_proxy_type is not none. docker_vhost_domains[docker_service + '-phpmyadmin'] is used for phpmyadmin"
         type: dict
+      docker_vhost_additional_locations:
+        description: "Passed to vhost role as vhost_locations variable"
+        required: false
+        default: []
       docker_published_ports:
         description: "A list of published ports in docker format (<host listen address>:<host port>:<container port>)"
         type: list

roles/service/tasks/database.yml

@@ -2,7 +2,7 @@
 
 - name: Set postgres container vars
   ansible.builtin.set_fact:
-    db_container_image: 'postgres:14-alpine'
+    db_container_image: 'postgres:{{ docker_postgres_tag }}'
     db_container_env:
       POSTGRES_USER: "{{ docker_service_underscore_name }}"
       POSTGRES_PASSWORD: "{{ database_passwords[docker_service_name] }}"
@@ -54,7 +54,7 @@
     docker_image: "{{ db_container_image }}"
     reverse_proxy_type: none
     docker_mounts: "{{ db_container_mounts }}"
-    docker_published_ports: "{{ db_published_ports | default([]) }}"
+    docker_published_ports: "{{ db_published_ports }}"
     docker_env: "{{ db_container_env | default({}) }}"
     docker_additional_env: {}
     docker_networks: []

roles/service/tasks/image.yml

@@ -68,4 +68,4 @@
     image_user: "{{ container_image.Config.User }}"
   when:
     - not ansible_check_mode
-    - container_image.Config.User | int
+    - container_image.Config.User | int != 0

roles/service/tasks/init.yml

@@ -10,6 +10,7 @@
     _docker_service_name: "{{ docker_service_name }}"
     _docker_mount_definition: "{{ docker_mount_definition }}"
     _container_published_ports: "{{ container_published_ports }}"
+    _docker_published_ports: "{{ docker_published_ports }}"
     _container_image: "{{ container_image }}"
     _container_networks: "{{ container_networks }}"
     _template_mounts_needed: "{{ template_mounts_needed }}"
@@ -34,6 +35,7 @@
     container_image: ''
     image_user: ''
     container_networks: []
+    db_published_ports: []
 
 - name: Add suffix to docker_service_name
   ansible.builtin.set_fact:

roles/service/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Container role initialization
+- name: Role initialization
   import_tasks: init.yml
 
 - name: Docker network
@@ -68,8 +68,8 @@
       ansible.builtin.file:
         path: "{{ docker_mounts_dir }}"
         state: directory
-        owner: "{{ user.uid | default(omit) }}"
+        owner: "{{ user.uid if docker_host_user else omit }}"
-        group: "{{ user.group | default(omit) }}"
+        group: "{{ user.group if docker_host_user else omit }}"
         mode: 0700
 
 - name: Database container
@@ -123,6 +123,7 @@
     docker_service_name: "{{ _docker_service_name }}"
     docker_mount_definition: "{{ _docker_mount_definition }}"
     container_published_ports: "{{ _container_published_ports }}"
+    docker_published_ports: "{{ _docker_published_ports }}"
     container_image: "{{ _container_image }}"
     container_networks: "{{ _container_networks }}"
     template_mounts_needed: "{{ _template_mounts_needed }}"

roles/service/tasks/mounts.yml

@@ -41,7 +41,8 @@
       copy:
         src: "files/{{ item.copypath }}"
         dest: "{{ docker_mounts_dir }}/"
-        mode: "{{ item.mode | default('0755') }}"
+        directory_mode: "{{ item.mode | default('0755') }}"
+        mode: "{{ item.mode | default('0644') }}"
       when: item.copypath is defined
       loop: "{{ docker_mounts }}"
       notify: Restart container

roles/service/tasks/proxy.yml

@@ -16,7 +16,8 @@
     vhost_id: "{{ docker_service_name }}"
     vhost_proxy_target_protocol: "{{ docker_proxy_target_protocol }}"
     vhost_domains: "{{ docker_vhost_domains[docker_service_name] }}"
-    vhost_proxy_target_port: "{{ ports[docker_service_name][proxy_target_protocol] }}"
+    vhost_proxy_target_port: "{{ ports[docker_service_name][vhost_proxy_target_protocol] }}"
+    vhost_locations: "{{ docker_vhost_additional_locations }}"
   when: reverse_proxy_type != 'traefik'
 
 - name: Set published ports variable to http port

roles/uisp/README.md

@@ -1 +0,0 @@
-Sets up an UISP docker container.

roles/uisp/tasks/main.yml

@@ -1,18 +0,0 @@
----
-
-- name: UISP container
-  import_role:
-    name: container
-  vars:
-    docker_service: uisp
-    docker_proxy_target_protocol: https
-    docker_image: nico640/docker-unms
-    docker_image_http_port: 8443
-    docker_mounts:
-      - name: config
-        path: /config
-    docker_published_ports:
-      - "0.0.0.0:{{ ports.uisp.netflow }}:2055"
-    docker_env:
-      HTTPS_PORT: "8443"
-      PUBLIC_HTTPS_PORT: "443"

roles/wekan/meta/main.yml

@@ -7,7 +7,7 @@ dependencies:
     docker_image_http_port: 8080
     docker_database: mongo
     docker_mounts:
-      - name: wekan_data
+      - name: data
         path: /data
     docker_env:
       MONGO_URL: mongodb://wekan_db:27017/wekan

roles/wekan/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Get wekan data volume path from container creation output
   set_fact:
     wekan_data_volume: "{{ container_out.container.Mounts | selectattr('Destination', 'equalto', '/data') | join }}"