initial: no secrets

2026-06-20 01:52:37 +02:00 · 2024-02-12 17:01:18 +01:00
commit cf9efd55b5
186 changed files with 8697 additions and 0 deletions
@@ -0,0 +1,8 @@
+- name: reload async icinga settings
+  uri:
+    url: "http://localhost:5006/reload-configuration"
+    status_code: [ 200, 204 ]
+
+- name: restart hub
+  shell:
+    cmd: docker restart atlantis-hub_atlantis-hub_1
@@ -0,0 +1,215 @@
+- include_vars: services.yaml
+
+- name: Create data-dir
+  file:
+    name: /data/
+    state: directory
+
+- name: Create opt-dir
+  file:
+    name: /opt/
+    state: directory
+
+- name: Async Icinga mount directory
+  file:
+    name: /data/async-icinga
+    state: directory
+
+- name: Async Icinga database mount directory
+  file:
+    name: /data/async-icinga
+    state: directory
+
+- name: Async Icinga Service (static)
+  template:
+    src: async-config.json.j2
+    dest: /data/async-icinga/config.json
+  notify:
+    - reload async icinga settings
+
+- name: Async Icinga Service (static)
+  template:
+    src: async-icinga-config.json.j2
+    dest: /data/async-icinga/async-icinga-config.json
+  notify:
+    - reload async icinga settings
+
+- name: Async Icinga Service (dynamic from backup file)
+  copy:
+    src: async-icinga-config-dynamic.json
+    dest: /data/async-icinga/
+  notify:
+    - reload async icinga settings
+    
+- name: Create data directories
+  file:
+    name: "/data/{{ item }}/"
+    state: directory
+  with_items:
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - event-dispatcher
+    #- reactive-resume
+    - hedgedoc
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    - money-balancer
+    - atlantis-web-check
+    - gotify
+
+- name: Copy AtlantisHub config
+  copy:
+    src: "atlantis-hub-content/config.yaml"
+    dest: "/data/atlantis-hub/config.yaml"
+  notify: restart hub
+
+- name: Create AtlantisHubDirectories
+  file:
+    name: "/data/atlantis-hub/{{ item }}"
+    state: directory
+  with_items:
+    - static-icons
+    - instance
+    - static-cache
+
+- name: Copy AtlantisHub static icons
+  copy:
+    src: "atlantis-hub-content/static-icons/"
+    dest: "/data/atlantis-hub/static-icons/"
+
+- name: Copy AtlantisHub static icons
+  template:
+    src: "grafana.ini"
+    dest: "/data/grafana/grafana.ini"
+
+- name: Create compose directories
+  file:
+    name: "/opt/{{ item }}"
+    state: directory
+  with_items:
+    - athq-landing
+    - grafana
+    - potaris
+    - sector32
+    - async-icinga
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - event-dispatcher
+    - tor
+    #- reactive-resume
+    - hedgedoc
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    - money-balancer
+    - atlantis-web-check
+    - gotify
+
+- name: Copy compose templates
+  template:
+    src: "{{ item }}.yaml"
+    dest: "/opt/{{ item }}/"
+  with_items:
+    - athq-landing
+    - grafana
+    - potaris
+    - sector32
+    - async-icinga
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - event-dispatcher
+    - tor
+    - hedgedoc
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    - money-balancer
+    - atlantis-web-check
+    - gotify
+
+- name: Log into private registry
+  docker_login:
+    registry: registry.atlantishq.de
+    username: docker
+    password: ""
+
+- name: Deploy compose templates
+  community.docker.docker_compose:
+    project_src: "/opt/{{ item }}/"
+    pull: true
+    files:
+      - "{{ item }}.yaml"
+  with_items:
+    - athq-landing
+    - grafana
+    - potaris
+    - sector32
+    - async-icinga
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - event-dispatcher
+    - tor
+    - hedgedoc
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    - money-balancer
+    - atlantis-web-check
+    - gotify
+
+- name: OAuth2Proxy directories
+  file:
+    path: "/opt/oauth2proxy/{{ item }}/"
+    state: directory
+    recurse: yes
+  with_items:
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - async-icinga
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    #- reactive-resume
+    - money-balancer
+    - atlantis-web-check
+
+- name: include services ports
+  include_vars: services.yaml
+
+- name: Deploy OAuth2Proxy compose files
+  template:
+    src: oauth-standalone-docker-compose.yaml
+    dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
+  with_items:
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - async-icinga
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    #- reactive-resume
+    - money-balancer
+    - atlantis-web-check
+
+- name: Deploy OAuth2Proxy
+  community.docker.docker_compose:
+    project_src: /opt/oauth2proxy/{{ item }}/
+    pull: true
+  with_items:
+    - tmnf-replay-server
+    - atlantis-hub
+    - grafana
+    - async-icinga
+    - atlantis-verify
+    - soundlib-interface
+    - python-flask-picture-factory
+    #- reactive-resume
+    - money-balancer
+    - atlantis-web-check
@@ -0,0 +1,7 @@
+{
+    "ICINGA_API_USER" : "{{ icinga_api_user }}",
+    "ICINGA_API_PASS" : "{{ icinga_api_pass }}",
+    "ICINGA_API_URL"  : "{{ icinga_api_url }}",
+    "ICINGA_WEB_URL"  : "{{ icinga_web_url }}",
+    "ASYNC_ICINGA_DUMMY_HOST" : "ASYNC_ICINGA"
+}
@@ -0,0 +1,9 @@
+{ 
+{% for service in async_icinga_static_services %}
+    "{{ service['name'] }}" : {
+        "timeout" : "{{ service['timeout'] }}",
+        "token"   : "{{ service['token'] }}",
+        "owner"   : "{{ service['owner'] }}"
+    }{% if not loop.last %},{% endif %}
+{% endfor %}
+}
@@ -0,0 +1,8 @@
+async-icinga:
+    volumes:
+        - "/data/async-icinga/:/app/config"
+        - "/data/async-icinga/instance/:/app/instance/"
+    restart: always
+    ports:
+        - 6006:5000
+    image: harbor-registry.atlantishq.de/atlantishq/async-icinga
@@ -0,0 +1,5 @@
+athqlanding:
+    ports:
+        - 5002:5000
+    image: registry.atlantishq.de/athq/landing-page
+    restart: always
@@ -0,0 +1,10 @@
+atlantis-hub:
+    image: registry.atlantishq.de/atlantis-hub:latest
+    restart: always
+    ports:
+        - 6011:5000
+    volumes:
+        - /data/atlantis-hub/config.yaml:/app/config.yaml
+        - /data/atlantis-hub/static-icons/:/app/static/icons/
+        - /data/atlantis-hub/sqlite-instance/:/app/instance/
+        - /data/atlantis-hub/static-cache/:/app/static/cache/
@@ -0,0 +1,28 @@
+atlantis-verify:
+    image: harbor-registry.atlantishq.de/atlantishq/atlantis-verify:latest
+    restart: always
+    environment:
+
+        LDAP_SERVER: ldap://{{ ldap_server }}
+        LDAP_BIND_DN: {{ ldap_bind_dn }}
+        LDAP_BIND_PW: {{ ldap_password }}
+        LDAP_BASE_DN: {{ ldap_user_dn }}
+
+        DISPATCH_SERVER: {{ event_dispatcher_address }}
+
+        SQLALCHEMY_DATABASE_URI: "instance/database.sqlite"
+        
+        KEYCLOAK_URL: https://{{ keycloak_address }}
+        KEYCLOAK_REALM: master
+        KEYCLOAK_ADMIN_USER: admin
+        KEYCLOAK_ADMIN_PASS: {{ keycloak_admin_password }}
+
+        MAIN_HOME: https://hub.atlantishq.de
+
+        DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
+        DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
+
+    ports:
+        - {{ services[item].port + 1000 }}:5000
+    volumes:
+        - /data/atlantis-verify/instance/:/app/instance/
@@ -0,0 +1,39 @@
+version: "3.3"
+services:
+    master:
+        image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-master:latest
+        restart: always
+        ports:
+            - {{ services[item].port + 1000 }}:5000
+        depends_on:
+            - queue
+        volumes:
+            - /data/atlantis-web-check/instance/:/app/instance/
+        environment:
+            - QUEUE_HOST=queue
+            - QUEUE_NAME=scheduled
+            - DISPATCH_SERVER={{ event_dispatcher_address }}
+            - DISPATCH_AUTH_USER={{ event_dispatcher_user }}
+            - DISPATCH_AUTH_PASSWORD={{ event_dispatcher_pass }}
+    scheduler:
+        image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-scheduler:latest
+        restart: always
+        depends_on:
+            - master
+        environment:
+            - MASTER_HOST=master:5000
+            - SLEEP_TIME=1
+    queue:
+        image: rabbitmq
+        restart: always
+        ports:
+            - 5672:5672
+    worker:
+        image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-worker:latest
+        restart: always
+        depends_on:
+            - master
+        environment:
+            - MASTER_HOST=master:5000
+            - QUEUE_HOST=queue
+            - QUEUE_NAME=scheduled
@@ -0,0 +1,9 @@
+version: 3
+service:
+    collabora:
+        ports:
+            - 9980:9980
+        image: collabora/code
+        restart: unless-stopped
+        environment:
+          - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
@@ -0,0 +1,14 @@
+event-dispatcher:
+    ports:
+        - 5007:5000
+    image: registry.atlantishq.de/athq/event-dispatcher
+    restart: always
+    volumes:
+        - "/data/event-dispatcher/instance/:/app/instance/"
+    environment:
+        SIGNAL_API_PASS: "{{ event_dispatcher_pass }}"
+        LDAP_SERVER : "{{ ldap_connection_url }}"
+        LDAP_BIND_DN : "{{ ldap_bind_dn }}"
+        LDAP_BIND_PW : "{{ ldap_password }}"
+        LDAP_BASE_DN : "{{ ldap_user_dn }}"
+        SIGNAL_GATEWAY_PASS: "{{ event_dispatcher_token }}"
@@ -0,0 +1,11 @@
+gotify:
+    image: gotify/server
+    restart: always
+    environment:
+        - TZ="Europe/Berlin"
+        - GOTIFY_DEFAULTUSER_NAME={{ gotify_user }}
+        - GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}
+    ports:
+        - 4001:80
+    volumes:
+        - /data/gotify/data:/app/data
@@ -0,0 +1,10 @@
+grafana:
+    ports:
+        - 4000:3000
+    image: grafana/grafana-oss
+    restart: always
+    volumes:
+        - "/data/grafana/grafana-var/:/var/lib/grafana"
+        - "/data/grafana/grafana.ini:/etc/grafana/grafana.ini"
+    environment:
+        GF_INSTALL_PLUGINS : "grafana-clock-panel,grafana-simple-json-datasource"
@@ -0,0 +1,39 @@
+version: '3'
+services:
+  database:
+    image: postgres:13.4-alpine
+    environment:
+      - POSTGRES_USER=hedgedoc
+      - POSTGRES_PASSWORD=D7OIx5VBUa7nEzdy6f
+      - POSTGRES_DB=hedgedoc
+    volumes:
+      - /data/hedgedoc/pgsql:/var/lib/postgresql/data
+    restart: always
+  app:
+    # Make sure to use the latest release from https://hedgedoc.org/latest-release
+    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    environment:
+      - CMD_DB_URL=postgres://hedgedoc:D7OIx5VBUa7nEzdy6f@database:5432/hedgedoc
+      - CMD_DOMAIN=hedgedoc.atlantishq.de
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
+      - CMD_EMAIL=false
+      - CMD_ALLOW_EMAIL_REGISTER=false
+      - CMD_OAUTH2_USER_PROFILE_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/userinfo
+      - CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
+      - CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
+      - CMD_OAUTH2_CLIENT_ID=z_hedgedoc
+      - CMD_OAUTH2_CLIENT_SECRET=T4kvtI0ZF1JepEbmTm9bCksCJkuDOicGd
+      - CMD_OAUTH2_SCOPE=openid email profile
+      - CMD_OAUTH2_ROLES_CLAIM=roles
+      - CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
+      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+    volumes:
+      - /data/hedgedoc/uploads:/hedgedoc/public/uploads
+    ports:
+      - "5012:3000"
+    restart: always
+    depends_on:
+      - database
@@ -0,0 +1,10 @@
+heimdall:
+    image: linuxserver/heimdall:latest
+    restart: always
+    ports:
+        - 6011:80
+    volumes:
+        - /data/heimdall/:/config/
+    environment:
+        - PGID=1000
+        - PUID=1000
@@ -0,0 +1,15 @@
+version: "3"
+services:
+  money-balancer:
+    image: ghcr.io/dorianim/money-balancer
+    restart: unless-stopped
+    ports:
+      - {{ services[item].port + 1000 }}:8000
+    volumes:
+      - /data/money-balancer:/data
+    environment:
+      - MONEYBALANCER_JWT_SECRET=Opta7EkHqgBWUDZULVypcP8FCxw511
+      - MONEYBALANCER_AUTH_LOCAL_ENABLED=false
+      - MONEYBALANCER_AUTH_PROXY_ENABLED=true
+      - MONEYBALANCER_AUTH_PROXY_HEADERS_USERNAME=x-forwarded-preferred-username
+      - MONEYBALANCER_AUTH_PROXY_HEADERS_NICKNAME=x-forwarded-preferred-username
@@ -0,0 +1,6 @@
+potaris:
+    ports:
+        - 5003:5000
+        - 5004:5000
+    image: harbor-registry.atlantishq.de/atlantishq/potaris-next-gen-web
+    restart: always
@@ -0,0 +1,12 @@
+version: '3'
+services:
+  image-factory:
+    image: harbor-registry.atlantishq.de/atlantishq/atlantis-image-factory:latest
+    restart: always
+    ports:
+      - "{{ services[item].port + 1000 }}:5000"
+    environment:
+      UPLOAD_ENABLED: "yes"
+      PICTURES_DIRECTORY: pictures
+    volumes:
+      - "/data/image-factory/pictures/:/app/pictures/"
@@ -0,0 +1,93 @@
+version: "3.8"
+services:
+  minio:
+    image: minio/minio
+    restart: unless-stopped
+    command: server /data
+    ports:
+      - 9000:9000
+    volumes:
+      - /data/reactive-resume/minio/:/data
+    networks:
+      - resume
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: WGTVrFT73kwv0CbKa0PR
+
+  db:
+    image: postgres:13
+    environment:
+      - POSTGRES_USER=reactiveresume
+      - POSTGRES_PASSWORD=pwMOJntCfXdwF9ExnjNi
+      - POSTGRES_DB=reactiveresume
+    restart: always
+    volumes:
+      - /data/reative-resume-postgres/:/var/lib/postgresql/data
+    networks:
+      - resume
+
+  redis:
+    image: redis:latest
+    environment:
+      - TZ=Europe/Berlin
+    restart: unless-stopped
+    networks:
+      - resume
+
+  chrome:
+    image: browserless/chrome:latest
+    networks:
+      - resume
+
+  app:
+    image: amruthpillai/reactive-resume:latest
+    restart: unless-stopped
+    ports:
+      - {{ services[item].port + 1000 }}:3000
+    networks:
+      - resume
+    depends_on:
+      - db
+      - minio
+      - redis
+      - chrome
+    environment:
+      # -- Environment Variables --
+      PORT: 3000
+      NODE_ENV: production
+
+      # -- URLs --
+      PUBLIC_URL: https://resume.atlantishq.de
+      STORAGE_URL: http://localhost:9000
+
+      # -- Printer (Chrome) --
+      CHROME_TOKEN: chrome_token
+      CHROME_URL: ws://chrome:3000
+
+      # -- Database (Postgres) --
+      DATABASE_URL: postgresql://reactiveresume:pwMOJntCfXdwF9ExnjNi@db:5432/postgres
+
+      # -- Auth --
+      ACCESS_TOKEN_SECRET: 2EkPnUqJIE2EkPnUqJIE
+      REFRESH_TOKEN_SECRET: cihib7NzMxcihib7NzMx
+
+      # -- Emails --
+      MAIL_FROM: noreply@atlantishq.de
+      SMTP_URL: smtp://{{ smtp_service_user }}@atlantishq.de:{{ smtp_service_pass }}@{{ smtp_internal_host }}:{{ smtp_internal_host_port }}
+
+      # -- Storage (Minio) --
+      STORAGE_ENDPOINT: minio
+      STORAGE_PORT: 9000
+      STORAGE_BUCKET: default
+      STORAGE_ACCESS_KEY: minioadmin
+      STORAGE_SECRET_KEY: WGTVrFT73kwv0CbKa0PR
+
+      # -- Cache (Redis) --
+      REDIS_URL: redis://default:password@redis:6379
+
+      # -- Email (Optional) --
+      # DISABLE_EMAIL_AUTH: true
+      # VITE_DISABLE_SIGNUPS: true
+
+networks:
+  resume:
@@ -0,0 +1,5 @@
+sector32:
+    ports:
+        - 5001:5000
+    image: registry.atlantishq.de/athq/sector32
+    restart: always
@@ -0,0 +1,14 @@
+version: '3'
+services:
+  soundlib:
+    image: harbor-registry.atlantishq.de/atlantishq/atlantis-soundlib:latest
+    restart: always
+    ports:
+      - "{{ services[item].port + 1000 }}:5000"
+    environment:
+      S3_BUCKET: soundlib
+      AWS_ACCESS_KEY_ID: {{ SOUNDLIB_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: {{ SOUNDLIB_AWS_SECRET_ACCESS_KEY }}
+      S3_ENDPOINT: {{ SOUNDLIB_S3_ENDPOINT }}
+    volumes:
+      - /data/soundlib/instance/:/app/instance/
@@ -0,0 +1,14 @@
+tmnf-replay-server:
+    image: harbor-registry.atlantishq.de/atlantishq/tmnf-replay-server:latest
+    restart: always
+    ports:
+        - 6010:5000
+    volumes:
+        - /data/tmnf-replay-server/data/:/app/data/
+        - /data/tmnf-replay-server/uploads/:/app/uploads/
+    environment:
+        SQLITE_LOCATION: sqlite:////app/data/sqlite.db
+        DISPATCH_SERVER: {{ event_dispatcher_address }}
+        DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
+        DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
+
@@ -0,0 +1,27 @@
+version: "3.4"
+services:
+  obfs4-bridge:
+    image: thetorproject/obfs4-bridge:latest
+    networks:
+      - obfs4_bridge_external_network
+    environment:
+      - OR_PORT=20000
+      - PT_PORT=20001
+      - EMAIL=nobody@nowhere.com
+      - NICKNAME=nowhere
+      - OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
+      - OBFS4V_AddressDisableIPv6=1
+      # - OBFS4V_PublishServerDescriptor=0
+    volumes:
+      - data:/var/lib/tor
+    ports:
+      - 20000:20000
+      - 20001:20001
+    restart: unless-stopped
+
+volumes:
+  data:
+    name: tor-datadir-20000-20001
+
+networks:
+    obfs4_bridge_external_network: