Update galaxy.yml, make ansible-lint happier

README.md

@@ -7,3 +7,6 @@ To add a new role:
   1. usually meta/main.yml with depend on container
   1. README.md
 1. Add docs to docs/
+
+The following roles have default versions which should probably be overridden:
+- wordpress: `wordpress_tag`

docs/container.md

@@ -0,0 +1,60 @@
+# Required variables
+These variables are required. Example values included. Some general variables might also be required for this role.
+
+```
+docker_service: gitea
+docker_image: gitea/gitea:latest
+
+ports:
+  gitea:
+    http: 8080 # ports[docker_service].http (or https) needed for reverse proxy
+
+```
+
+# Variables for http reverse proxy
+
+```
+reverse_proxy_type: caddy # Defaults to caddy, set to none if no reverse proxy is needed. Supported values: none, caddy, traefik
+docker_image_http_port: 3000 # the port used inside the container for http
+
+docker_vhost_domains: 
+  gitea:
+    - git.domain.tld
+
+
+```
+
+# Other optional variables
+
+```
+docker_service_suffix: production # For running multiple instances of the same service
+
+docker_host_user: true # Creates a user on the host and makes the docker container use the same uid/gid. Bind mount volume directories will be owned by this user
+
+docker_database: postgres # Database to set up in a separate container, supports postgres, mariadb and mongo
+database_passwords: # Needed for postgres and mariadb
+  gitea: secret
+
+docker_additional_services:
+  - memcached
+
+docker_volumes:
+  - name: data
+    path: /data
+  - src: /var/lib/gitea/.ssh
+    path: /data/git/.ssh
+
+docker_published_ports:
+  - "127.0.0.1:{{ ports.gitea.ssh }}:22"
+docker_env:
+  USER_UID: 2132
+  GITEA__database__DB_TYPE: postgres
+
+docker_network_mode: host # Usually you don't want to define this
+
+dockerfile: # For building a custom container image locally
+  run:
+    - "apt-get update && apt-get install -y libmemcached-dev zlib1g-dev && pecl install memcached-3.2.0 && docker-php-ext-enable memcached"
+
+
+```

docs/jitsi.md

@@ -7,3 +7,11 @@ ports:
 
 jitsi_domain: 'jitsi.domain.tld'
 ```
+
+These vars are optional:
+
+```
+# for TURN, no turn server is used if not defined
+turn_domain: turn.domain.tld
+turn_secret: secret
+```

docs/unifi.md

@@ -0,0 +1,14 @@
+Unifi is installed with host network mode.
+
+# Required variables
+These variables are required. Example values included. Some general variables might also be required for this role.
+
+```
+ports:
+  unifi:
+    https: 8443
+
+docker_vhost_domains: 
+  unifi:
+    - unifi.domain.tld
+```

docs/wordpress.md

@@ -0,0 +1,21 @@
+# Required variables
+These variables are required. Example values included.
+
+```
+ports:
+  wordpress_http: 8080
+
+docker_vhost_domains:
+  wordpress:
+    - wordpress.domain.tld
+
+database_passwords:
+  wordpress: secret
+```
+
+# Optional variables
+These variables have default values listed below
+
+```
+wordpress_tag: php8.1
+```

galaxy.yml

@@ -2,11 +2,12 @@
 
 namespace: uumas
 name: docker
-version: 0.5.3
+description: Roles for installing services in docker containers
+version: 0.6.0
 readme: README.md
 repository: https://git.uumas.fi/uumas/ansible-docker
 license_file: LICENSE
 dependencies:
-  uumas.general: '>=0.5.0'
+  uumas.general: '>=0.5.5'
 authors:
   - uumas

roles/container/defaults/main.yml

@@ -1,5 +1,12 @@
 ---
 
+docker_service_name: "{{ docker_service }}"
+
+docker_host_user: false
+
 reverse_proxy_type: caddy
+docker_proxy_target_protocol: http
+docker_volume_type: named
+
 docker_additional_env: {}
 docker_published_ports: []

roles/container/meta/main.yml

@@ -1,10 +1,4 @@
 ---
 
 dependencies:
-  - docker
-  - role: uumas.general.reverse_proxy
-    vhost_id: "{{ docker_service }}"
-    vhost_domains: "{{ docker_vhost_domains[docker_service] }}"
-    proxy_target_protocol: "{{ docker_proxy_target_protocol | default('http') }}"
-    proxy_target_port: "{{ ports[docker_service][proxy_target_protocol] }}"
-    when: reverse_proxy_type != 'none' and reverse_proxy_type != 'traefik'
+  - role: docker

roles/container/tasks/main.yml

@@ -1,59 +1,224 @@
 ---
 
-- name: "{{ docker_service }} docker network"
-  docker_network:
-    name: "{{ docker_service }}"
-  when: docker_network_mode is not defined or docker_network_mode != 'host'
-
-- name: Set published ports variable
+- name: Set docker service full name
   set_fact:
-    container_published_ports: ["127.0.0.1:{{ ports[docker_service][proxy_target_protocol] }}:{{ docker_image_http_port }}"]
-  when: reverse_proxy_type != 'traefik' and (docker_network_mode is not defined or docker_network_mode != 'host')
+    docker_service_name: "{{ docker_service }}_{{ docker_service_suffix }}"
+  when: docker_service_suffix is defined
+
+- name: Convert docker_volumes from legacy format
+  when: docker_volumes is defined and docker_volumes[0] is not mapping
+  block:
+    - name: Warn about docker_volumes legacy format
+      debug:
+        msg: "docker_volumes is set in a legacy, deprecated format. This support may be removed after december 2022."
+
+    - name: Add legacy docker volumes to docker_volumes_new using the new format
+      set_fact:
+        docker_volumes_new: "{{ docker_volumes_new | default([]) + [{'name': item.split(':')[0], 'path': item.split(':')[1]}] }}"
+      when: "'/' not in item.split(':')[0]"
+      loop: "{{ docker_volumes }}"
+    - name: Add legacy docker src bind mounts to docker_volumes_new using the new format
+      set_fact:
+        docker_volumes_new: "{{ docker_volumes_new | default([]) + [{'src': item.split(':')[0], 'path': item.split(':')[1]}] }}"
+      when: "'/' in item.split(':')[0]"
+      loop: "{{ docker_volumes }}"
+    - name: Set final_docker_volumes variable
+      set_fact:
+        final_docker_volumes: "{{ docker_volumes_new }}"
+
+- name: Docker network {{ docker_service_name }}
+  docker_network:
+    name: "{{ docker_service_name }}"
+  when: docker_network_mode is not defined or docker_network_mode != 'host'
 
 - name: Set networks variable
   set_fact:
     container_networks:
-      - name: "{{ docker_service }}"
+      - name: "{{ docker_service_name }}"
   when: docker_network_mode is not defined or docker_network_mode != 'host'
 
+- name: Reverse proxy
+  include_role:
+    name: uumas.general.reverse_proxy
+  vars:
+    vhost_id: "{{ docker_service_name }}"
+    proxy_target_protocol: "{{ docker_proxy_target_protocol }}"
+    vhost_domains: "{{ docker_vhost_domains[docker_service_name] }}"
+    proxy_target_port: "{{ ports[docker_service_name][proxy_target_protocol] }}"
+  when: reverse_proxy_type != 'none' and reverse_proxy_type != 'traefik'
+
+- name: Set published ports variable
+  set_fact:
+    container_published_ports: ["127.0.0.1:{{ ports[docker_service_name][docker_proxy_target_protocol] }}:{{ docker_image_http_port }}"]
+  when: reverse_proxy_type != 'traefik' and (docker_network_mode is not defined or docker_network_mode != 'host')
+
 - name: Include traefik vars
   include_vars: traefik.yml
   when: reverse_proxy_type == 'traefik'
 
-- name: Set postgres container env
+- name: Database container
+  when: docker_database is defined
+  block:
+    - name: Set postgres container vars
       set_fact:
         db_container_image: 'postgres:14-alpine'
         db_container_env:
-      POSTGRES_USER: "{{ docker_service }}"
-      POSTGRES_PASSWORD: "{{ database_passwords[docker_service] }}"
+          POSTGRES_USER: "{{ docker_service_name }}"
+          POSTGRES_PASSWORD: "{{ database_passwords[docker_service_name] }}"
         db_container_data: /var/lib/postgresql/data
-  when: docker_database is defined and docker_database == 'postgres'
-- name: Set mongo container env
+      when: docker_database == 'postgres'
+    - name: Set mariadb container vars
+      set_fact:
+        db_container_image: mariadb:10
+        db_container_env:
+          MARIADB_USER: "{{ docker_service_name }}"
+          MARIADB_DATABASE: "{{ docker_service_name }}"
+          MARIADB_PASSWORD: "{{ database_passwords[docker_service_name] }}"
+          MARIADB_RANDOM_ROOT_PASSWORD: "{{ database_passwords[docker_service_name + '_root'] is not defined | string }}"
+          MARIADB_ROOT_PASSOWRD: "{{ database_passwords[docker_service_name + '_root'] | default(omit) }}"
+        db_container_data: /var/lib/mysql
+        db_image_port: 3306
+      when: docker_database == 'mariadb'
+    - name: Set mongo container vars
       set_fact:
         db_container_image: 'mongo:latest'
         db_container_data: /data/db
-  when: docker_database is defined and docker_database == 'mongo'
+      when: docker_database == 'mongo'
+    - name: Set db published ports var
+      set_fact:
+        db_published_ports: ["127.0.0.1:{{ ports[docker_service_name].db }}:{{ db_image_port }}"]
+      when: ports[docker_service_name].db is defined
 
-- name: "{{ docker_database }} database container for {{ docker_service }}"
+    - name: Database container for {{ docker_service_name + ' (' + docker_database + ')' }}
       docker_container:
-    name: "{{ docker_service }}_db"
+        name: "{{ docker_service_name }}_db"
         image: "{{ db_container_image }}"
-    pull: yes
-    container_default_behavior: no_defaults
+        pull: true
         env: "{{ db_container_env | default(omit) }}"
+        published_ports: "{{ db_published_ports | default(omit) }}"
         restart_policy: always
         volumes:
-      - "{{ docker_service }}_db:{{ db_container_data }}"
+          - "{{ docker_service_name }}_db:{{ db_container_data }}"
         networks: "{{ container_networks | default(omit) }}"
-  when: docker_database is defined
+        log_driver: local
 
-- name: "Container for {{ docker_service }}"
+- name: Additional services
+  when: docker_additional_services is defined
+  block:
+    - name: "Memcached container for {{ docker_service_name }}"
       docker_container:
-    name: "{{ docker_service }}"
-    image: "{{ docker_image }}"
+        name: "{{ docker_service_name }}_memcached"
+        image: memcached:alpine
         pull: true
-    container_default_behavior: no_defaults
-    volumes: "{{ docker_volumes | default(omit) }}"
+        restart_policy: always
+        networks: "{{ container_networks | default(omit) }}"
+        log_driver: local
+      when: "'memcached' in docker_additional_services"
+
+- name: Create directory /opt/{{ docker_service }}
+  file:
+    path: "/opt/{{ docker_service }}"
+    state: directory
+    mode: 0755
+  when: (dockerfile is defined and dockerfile | length > 0) or docker_host_user or docker_volume_type == 'bind'
+
+- name: Image build
+  when: dockerfile is defined and dockerfile | length > 0
+  block:
+    - name: Put dockerfile in place
+      template:
+        src: Dockerfile.j2
+        dest: "/opt/{{ docker_service }}/Dockerfile"
+        mode: 0644
+
+    - name: Build docker image for {{ docker_service }}
+      docker_image:
+        name: "local_{{ docker_service }}"
+        source: build
+        force_source: true
+        build:
+          pull: true
+          path: "/opt/{{ docker_service }}"
+      register: docker_built_image
+
+- name: Container user
+  when: docker_host_user
+  block:
+    - name: "Create user for {{ docker_service_name }}"
+      user:
+        name: "{{ docker_service_name }}"
+        home: "/opt/{{ docker_service }}/{{ docker_service_suffix | default('') }}"
+        create_home: false
+        system: true
+        shell: /bin/bash
+      register: user
+
+    - name: Set docker container user
+      set_fact:
+        docker_user: "{{ user.uid }}:{{ user.group }}"
+
+- name: Bind mounts
+  when: "docker_volume_type == 'bind'"
+  block:
+    - name: Create directory /opt/{{ docker_service + '/' + docker_service_suffix }}
+      file:
+        path: "/opt/{{ docker_service }}/{{ docker_service_suffix }}"
+        state: directory
+        owner: "{{ user.uid | default(omit) }}"
+        group: "{{ user.group | default(omit) }}"
+        mode: 0755
+      when: docker_service_suffix is defined
+
+    - name: Set docker_mounts_dir
+      set_fact:
+        docker_mounts_dir: "/opt/{{ docker_service }}/{{ docker_service_suffix }}/mounts"
+      when: docker_service_suffix is defined
+    - name: Set docker_mounts_dir
+      set_fact:
+        docker_mounts_dir: "/opt/{{ docker_service }}/mounts"
+      when: docker_service_suffix is not defined
+
+    - name: Create directory {{ docker_mounts_dir }}
+      file:
+        path: "{{ docker_mounts_dir }}"
+        state: directory
+        mode: 0755
+
+    - name: "Create docker bind mount directories for {{ docker_service_name }}"
+      file:
+        path: "{{ docker_mounts_dir }}/{{ item.name }}"
+        state: directory
+        owner: "{{ user.uid if item.set_owner is not defined or item.set_owner else omit | default(omit) }}"
+        group: "{{ user.group if item.set_group is not defined or item.set_group else omit | default(omit) }}"
+        mode: 0750
+      when: item.name is defined
+      loop: "{{ docker_volumes }}"
+
+    - name: Set docker_volume_definition for named binds
+      set_fact:
+        docker_volume_definition: "{{ docker_volume_definition | default([]) + [docker_mounts_dir + '/' + item.name + ':' + item.path] }}"
+      when: item.name is defined
+      loop: "{{ docker_volumes }}"
+
+- name: Set docker_volume_definition for src binds
+  set_fact:
+    docker_volume_definition: "{{ docker_volume_definition | default([]) + [item.src + ':' + item.path] }}"
+  when: item.src is defined
+  loop: "{{ final_docker_volumes }}"
+
+- name: Set docker_volume_definition for named volumes
+  set_fact:
+    docker_volume_definition: "{{ docker_volume_definition | default([]) + [item.name + ':' + item.path] }}"
+  when: docker_volume_type == 'named' and item.name is defined
+  loop: "{{ final_docker_volumes }}"
+
+- name: "Container for {{ docker_service_name }}"
+  docker_container:
+    name: "{{ docker_service_name }}"
+    image: "{{ docker_built_image.image.Id if dockerfile is defined and not ansible_check_mode else docker_image }}"
+    user: "{{ docker_user | default(omit) }}"
+    pull: "{{ dockerfile is not defined }}"
+    volumes: "{{ docker_volume_definition | default(omit) }}"
     published_ports: "{{ container_published_ports | default([]) + docker_published_ports | default(omit) }}"
     labels: "{{ traefik_labels | default(omit) }}"
     env: "{{ docker_env | combine(docker_additional_env) }}"
@@ -61,5 +226,13 @@
     restart_policy: always
     network_mode: "{{ docker_network_mode | default(omit) }}"
     networks: "{{ container_networks | default(omit) }}"
+    log_driver: local
   register: container_out
 
+- name: "Reset bind mount directory permissions"
+  file:
+    path: "{{ docker_mounts_dir }}/{{ item.name }}"
+    state: directory
+    mode: 0750
+  when: "docker_volume_type == 'bind' and item.name is defined"
+  loop: "{{ final_docker_volumes }}"

roles/container/templates/Dockerfile.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+FROM {{ docker_image }}
+{% if dockerfile.run is iterable %}
+{% for cmd in dockerfile.run %}
+RUN {{ cmd }}
+{% endfor %}
+{% endif %}
+

roles/container/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+final_docker_volumes: "{{ docker_volumes }}"

roles/docker/tasks/main.yml

@@ -25,7 +25,7 @@
     url: 'https://download.docker.com/linux/debian/gpg'
 - name: Add docker repo
   apt_repository:
-    repo: "deb [arch={{ dpkg_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable"
+    repo: "deb [arch={{ dpkg_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
     filename: 'docker'
     mode: '644'
 

roles/element/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 dependencies:
-  - docker
+  - role: docker
   - role: uumas.general.reverse_proxy
     vhost_id: element
     vhost_domains: "{{ element_domains }}"

roles/element/tasks/main.yml

@@ -33,4 +33,3 @@
     content: "{{ element_config }}"
     dest: "{{ element_config_volume.Source }}/config.json"
     mode: '644'
-

roles/gitea/tasks/main.yml

@@ -4,16 +4,16 @@
   group:
     name: git
     gid: 2132
-    system: yes
+    system: true
 
 - name: Create git user on host for gitea ssh
   user:
     name: git
     uid: 2132
     group: git
-    system: yes
+    system: true
     home: /var/lib/gitea
-    generate_ssh_key: yes
+    generate_ssh_key: true
   register: git_user
 
 - name: Add git user's own ssh key to its authorized keys

roles/hedgedoc/meta/main.yml

@@ -15,4 +15,3 @@ dependencies:
       CMD_ALLOW_ANONYMOUS: "false"
       CMD_ALLOW_ANONYMOUS_EDITS: "true"
       CMD_ALLOW_FREEURL: "true"
-

roles/jitsi/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+jitsi_docker_tag: stable

roles/jitsi/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 dependencies:
-  - docker
+  - role: docker
   - role: uumas.general.reverse_proxy
     vhost_id: jitsi
     vhost_domains:

roles/jitsi/tasks/main.yml

@@ -16,7 +16,7 @@
 - name: Jitsi meet web
   docker_container:
     name: 'jitsi_meet_web'
-    image: 'jitsi/web:latest'
+    image: "jitsi/web:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     published_ports: "{{ jitsi_web_published_ports | default(omit) }}"
@@ -41,23 +41,10 @@
           - meet.jitsi
   register: jitsi_meet_web_out
 
-- set_fact:
-    jitsi_meet_web_config_volume: "{{ jitsi_meet_web_out.container.Mounts | selectattr('Destination', 'equalto', '/config') | join }}"
-
-- name: Disable recording and livestreaming
-  lineinfile:
-    path: "{{ jitsi_meet_web_config_volume.Source }}/config.js"
-    regexp: "^    (\/\/ )?{{ item }}: .*,$"
-    line: "    {{ item }}: false,"
-    state: present
-  loop:
-    - fileRecordingsEnabled
-    - liveStreamingEnabled
-
 - name: Jitsi meet prosody
   docker_container:
     name: 'jitsi_meet_prosody'
-    image: 'jitsi/prosody:latest'
+    image: "jitsi/prosody:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     env:
@@ -69,6 +56,11 @@
       JICOFO_AUTH_PASSWORD: "{{ jitsi_pw.jicofo_auth }}"
       JVB_AUTH_USER: jvb
       JVB_AUTH_PASSWORD: "{{ jitsi_pw.jvb_auth }}"
+      TURN_CREDENTIALS: "{{ turn_secret | default(omit) }}"
+      TURN_HOST: "{{ turn_domain | default(omit) }}"
+      TURN_PORT: "{{ '443' if turn_domain is defined else omit }}"
+      TURNS_HOST: "{{ turn_domain | default(omit) }}"
+      TURNS_PORT: "{{ '443' if turn_domain is defined else omit }}"
       XMPP_DOMAIN: meet.jitsi
       XMPP_AUTH_DOMAIN: auth.meet.jitsi
       XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.jitsi
@@ -85,7 +77,7 @@
 - name: Jitsi meet jicofo
   docker_container:
     name: 'jitsi_meet_jicofo'
-    image: 'jitsi/jicofo:latest'
+    image: "jitsi/jicofo:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     env:
@@ -108,7 +100,7 @@
 - name: Jitsi meet video bridge
   docker_container:
     name: 'jitsi_meet_jvb'
-    image: 'jitsi/jvb:latest'
+    image: "jitsi/jvb:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     published_ports:
@@ -132,4 +124,3 @@
       - name: meet.jitsi
         aliases:
           - meet.jitsi
-

roles/keycloak/meta/main.yml

@@ -20,4 +20,3 @@ dependencies:
       KC_DB_URL: jdbc:postgresql://keycloak_db/keycloak
       KC_DB_USERNAME: keycloak
       KC_DB_PASSWORD: "{{ database_passwords.keycloak }}"
-

roles/unifi/meta/main.yml

@@ -11,4 +11,3 @@ dependencies:
     docker_env:
       UNIFI_HTTPS_PORT: "{{ ports.unifi.https }}"
       PORTAL_HTTP_PORT: "8808"
-

roles/wekan/meta/main.yml

@@ -12,4 +12,3 @@ dependencies:
       MONGO_URL: mongodb://wekan_db:27017/wekan
       ROOT_URL: "https://{{ docker_vhost_domains.wekan[0] }}"
       WRITABLE_PATH: /data
-

roles/wekan/tasks/main.yml

@@ -10,3 +10,4 @@
     state: directory
     owner: 999
     group: 999
+    mode: 0755

roles/wordpress/README.md

@@ -0,0 +1 @@
+Installs wordpress in docker and configures cron

roles/wordpress/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+
+wordpress_tag: php8.1
+
+dockerfile: {}
+docker_additional_services: []
+
+docker_host_user: false
+wordpress_symlinks: false
+
+wordpress_docker_volumes:
+  - name: html
+    path: /var/www/html

roles/wordpress/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Add memcached php extension to container
+  set_fact:
+    dockerfile: "{{ dockerfile | combine({'run': \
+      ['apt-get update && apt-get install -y libmemcached-dev zlib1g-dev && \
+      pecl install memcached-3.2.0 && docker-php-ext-enable memcached']}, list_merge='append') }}"
+  when: "'memcached' in docker_additional_services"
+
+- name: Add pdo_mysql php extension to container
+  set_fact:
+    dockerfile: "{{ dockerfile | combine({'run': ['docker-php-ext-install -j$(nproc) pdo_mysql']}, list_merge='append') }}"
+  when: "'pdo_mysql' in wordpress_php_extensions"
+
+- name: Include additional volume vars
+  include_vars: "{{ item }}_volume.yml"
+  loop: "{{ wordpress_additional_volumes | default([]) }}"
+
+- name: Wordpress container setup
+  include_role:
+    name: container
+  vars:
+    docker_service: wordpress
+    docker_image: wordpress:{{ wordpress_tag }}
+    docker_image_http_port: 80
+    docker_database: mariadb
+    docker_volumes: "{{ wordpress_docker_volumes + wordpress_www_volume + wordpress_log_volume }}"
+    docker_volume_type: bind
+    docker_env:
+      WORDPRESS_DB_HOST: "{{ docker_service_name }}_db"
+      WORDPRESS_DB_NAME: "{{ docker_service_name }}"
+      WORDPRESS_DB_USER: "{{ docker_service_name }}"
+      WORDPRESS_DB_PASSWORD: "{{ database_passwords[docker_service_name] }}"
+      WORDPRESS_CONFIG_EXTRA: |
+        define('WP_SITEURL', 'https://{{ docker_vhost_domains[docker_service_name][0] }}');
+        define('WP_HOME', 'https://{{ docker_vhost_domains[docker_service_name][0] }}');

roles/wordpress/vars/log_volume.yml

@@ -0,0 +1,5 @@
+---
+
+wordpress_log_volume:
+  - name: logs
+    path: /var/log/apache2

roles/wordpress/vars/www_volume.yml

@@ -0,0 +1,5 @@
+---
+
+wordpress_www_volume:
+  - name: www
+    path: /var/www