common/docker_dockerstats/templates/Dockerfile

-FROM node:14-alpine
+FROM node:19-alpine
 
 RUN apk update \
  && apk upgrade \

group_vars/test

+# Globale Variablen für alle produktiven Server
+
+
+# SMTP Settings 
+smtp_domain: enteentelos.com
+smtp_host: mailserver.enteentelos.com
+smtp_port: 587 
+noreply_email_user: noreply@enteentelos.com
+

host_vars/ogg

@@ -53,11 +53,24 @@ alert:
     crit: 4
   containers:
     - { name: "dockerstats_app_1" }    
+    - { name: "esphome_app_1" }    
+    - { name: "esphome-dev_app_1" }    
+    - { name: "fridgeserver_app_1" }    
+    - { name: "grafana_app_1" }    
+    - { name: "graylog_graylog_1" }    
+    - { name: "graylog_mongodb_1" }    
+    - { name: "graylog_opensearch_1" }    
+    - { name: "heimdall_app_1" }    
+    - { name: "homeassistant_app_1" }    
+    - { name: "homeassistant_influxdb_1" }    
     - { name: "mqtt_app_1" } 
     - { name: "mqtt_influxdb_1" } 
-    - { name: "mqtt_telegraf_1" } 
+    - { name: "mqtt_tgbinary_1" } 
+    - { name: "mqtt_tgfloat_1" } 
     - { name: "nodered_app_1" }
-    - { name: "unifi_app_1" }
+    - { name: "omada_app_1" }
+    - { name: "tasmoadmin_app_1" }
+    - { name: "traefik_app_1" }
   disks:
     - { mountpoint: "/", warn: "5 GB", crit: "1 GB" }
     - { mountpoint: "/srv", warn: "5 GB", crit: "1 GB" }

host_vars/verwaltung

@@ -86,35 +86,35 @@ alert:
 # Definition von Borgbackup Repositories 
 borgbackup_repos:
 
-  warpsrvint: 
+  # warpsrvint: 
 
-    # URL des Repos   
-    repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/verwaltung"
+  #   # URL des Repos   
+  #   repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/verwaltung"
     
-    # Repo-spezifische Optionen zum Aufruf von Borgbackup
-    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
-    options: ""
+  #   # Repo-spezifische Optionen zum Aufruf von Borgbackup
+  #   # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+  #   options: ""
 
-    # Compression Options, z,b. "zlib,5, "zstd,5"
-    compression: "zlib,5"
+  #   # Compression Options, z,b. "zlib,5, "zstd,5"
+  #   compression: "zlib,5"
 
-    # Prune Optionen 
-    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+  #   # Prune Optionen 
+  #   prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
     
-    # Backup Schedule 
-    weekday: "*"
-    hour: "10"
-    minute: "30"
-
-    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
-    # directories:
-
-    # Monitoring
-    alert: true
-    warning_age: 26 
-    critical_age: 50
-    warning_count: 10
-    critical_count: 5
+  #   # Backup Schedule 
+  #   weekday: "*"
+  #   hour: "10"
+  #   minute: "30"
+
+  #   #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+  #   # directories:
+
+  #   # Monitoring
+  #   alert: true
+  #   warning_age: 26 
+  #   critical_age: 50
+  #   warning_count: 10
+  #   critical_count: 5
 
   borgbase: 
 

host_vars/webserver

@@ -33,8 +33,6 @@ webserver_domains:
   - "warpzone.ms"
   - "api.warpzone.ms"
 #  - "auth.warpzone.ms"
-  - "autodiscover.warpzone.ms"
-  - "autoconfig.warpzone.ms"
   - "gitlab.warpzone.ms"
   - "matrix.warpzone.ms"
   - "mailserver.warpzone.ms"
@@ -65,7 +63,6 @@ administratorenteam:
 docker:
   # Interne Docker-Netzwerke 
   internal_networks:
-    - mail
     - web
     
 # Monitoring aktivieren 
@@ -74,9 +71,6 @@ alert:
     warn: 8
     crit: 16
   containers:
-    - { name: "autodiscover_warpzonems_1" }
-    - { name: "autodiscover_lists_warpzonems_1" }
-    - { name: "autodiscover_member_warpzonems_1" }
     - { name: "dockerstats_app_1" }
     - { name: "dokuwiki_app_1" }
     - { name: "coturn_coturn_1" }
@@ -93,27 +87,20 @@ alert:
     - { name: "keycloak_sync-group-active_1" }
     - { name: "ldap_openldap_1" }
     - { name: "ldap_phpldapadmin_1" }
-    - { name: "mail_dovecot-mailcow_1" }
-    - { name: "mail_dockerapi-mailcow_1" }
-    - { name: "mail_ipv6nat-mailcow_1" }
-    - { name: "mail_mailman-core" }
-    - { name: "mail_mailman-db" }
-    - { name: "mail_mailman-nginx" }
-    - { name: "mail_mailman-web" }
-    - { name: "mail_memcached-mailcow_1" }
-    - { name: "mail_mysql-mailcow_1" }
-    - { name: "mail_netfilter-mailcow_1" }
-    - { name: "mail_nginx-mailcow_1" }
-    - { name: "mail_olefy-mailcow_1" }
-    - { name: "mail_ofelia-mailcow_1" }
-    - { name: "mail_postfix-mailcow_1" }
-    - { name: "mail_postfix-exporter_1" }
-    - { name: "mail_php-fpm-mailcow_1" }
-    - { name: "mail_redis-mailcow_1" }
-    - { name: "mail_rspamd-mailcow_1" }
-    - { name: "mail_traefik-certdumper_1" }    
-    - { name: "mail_unbound-mailcow_1" }
-    - { name: "mail_watchdog-mailcow_1" }
+    - { name: "mail_admin_1" }
+    - { name: "mail_antispam_1" }
+    - { name: "mail_certdumper_1" }
+    - { name: "mail_db_1" }
+    - { name: "mail_front_1" }
+    - { name: "mail_imap_1" }
+    - { name: "mail_oletools_1" }
+    - { name: "mail_redis_1" }
+    - { name: "mail_resolver_1" }
+    - { name: "mail_smtp_1" }
+    - { name: "mail_webmail_1" }
+    - { name: "mail_mailman-core_1" }
+    - { name: "mail_mailman-web_1" }
+    - { name: "mail_mailman-nginx_1" }
     - { name: "matterbridge_cw_1" }
     - { name: "matterbridge_wz_1" }
     - { name: "matterbridge_web_1" }
@@ -138,35 +125,35 @@ alert:
 # Definition von Borgbackup Repositories 
 borgbackup_repos:
 
-  warpsrvint: 
+  # warpsrvint: 
 
-    # URL des Repos   
-    repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/webserver"
+  #   # URL des Repos   
+  #   repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/webserver"
     
-    # Repo-spezifische Optionen zum Aufruf von Borgbackup
-    # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
-    options: ""
+  #   # Repo-spezifische Optionen zum Aufruf von Borgbackup
+  #   # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
+  #   options: ""
 
-    # Compression Options, z,b. "zlib,5, "zstd,5"
-    compression: "zlib,5"
+  #   # Compression Options, z,b. "zlib,5, "zstd,5"
+  #   compression: "zlib,5"
 
-    # Prune Optionen 
-    prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
+  #   # Prune Optionen 
+  #   prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
     
-    # Backup Schedule 
-    weekday: "*"
-    hour: "6"
-    minute: "0"
-
-    #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
-    # directories:
-
-    # Monitoring
-    alert: true
-    warning_age: 26 
-    critical_age: 50
-    warning_count: 10
-    critical_count: 5
+  #   # Backup Schedule 
+  #   weekday: "*"
+  #   hour: "6"
+  #   minute: "0"
+
+  #   #  Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen 
+  #   # directories:
+
+  #   # Monitoring
+  #   alert: true
+  #   warning_age: 26 
+  #   critical_age: 50
+  #   warning_count: 10
+  #   critical_count: 5
 
   borgbase: 
 

hosts

 
 # Nameskonvention für Server: Pratchett Name/Charaktere
 # Namensliste: https://wiki.lspace.org/List_of_Pratchett_characters
-# Nächste freie Namen: vimes, cake, colon, detritus, dibbler, dorfl, gaspode, quirm, cherry, nobby, ramkin, ron, shoe, slant, angua, vetinary, bursar, coin, dean, hex, hix, worblehat, luggage. mustrum, rincewind, wrangler, stibbons, whitlow  
+# Nächste freie Namen: vimes, cake, colon, detritus, dibbler, dorfl, gaspode, quirm, cherry, nobby, ramkin, ron, shoe, slant, angua, vetinary, bursar, coin, dean, worblehat, luggage. mustrum, rincewind, wrangler, stibbons, whitlow  
+
+[test]
 
 [prod]
 
-# Interner Server Warpzone 
-# Umgebaute Watchguard im Serverschrank 
-# https://wiki.warpzone.ms/intern:warpzone_internal_it_infrastructure#host_fuer_interne_dienste_watchguard_xtm_505
+# Interner Proxmox-Server
 # Für Verbindungen über den Webserver als Jumphost folgende Parameter ergänzen: 
 # ansible_ssh_common_args='-o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -W %h:%p -q 159.69.57.51"'
-
-# Interner Proxmox-Server (neu ab 09-2022) 
 weatherwax   ansible_ssh_host=192.168.0.200
 
-# Server für interne Dienste (neu ab 09-2022)
+# Server für interne Dienste
 # Container auf dem internen Proxmox Server 
 # Wichtige Optionen: Nesting = Yes, keyctl = enabled
 ogg          ansible_ssh_host=192.168.0.201
@@ -44,4 +42,4 @@ hex         ansible_ssh_host=10.111.10.100
 # Virtueller Server für Infrastruktur-Dienste auf Veranstaltungen / Camps
 # Container auf dem warpzone.remote Proxmox-Server 
 # Wichtige Optionen: Nesting = Yes, keyctl = enabled
-hix         ansible_ssh_host=10.111.10.101
\ No newline at end of file
+hix         ansible_ssh_host=10.111.10.101

hosts.yml

+---
+# Nameskonvention für Server: Pratchett Name/Charaktere
+# Namensliste: https://wiki.lspace.org/List_of_Pratchett_characters
+# Nächste freie Namen: vimes, cake, colon, detritus, dibbler, dorfl, gaspode, quirm, cherry, nobby, ramkin, ron, shoe, slant, angua, vetinary, bursar, coin, dean, worblehat, luggage. mustrum, rincewind, wrangler, stibbons, whitlow  
+
+prod:
+  children:
+    pyhsical:
+      hosts:
+        # Interner Proxmox-Server
+        # Für Verbindungen über den Webserver als Jumphost folgende Parameter ergänzen: 
+        # ansible_ssh_common_args='-o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -W %h:%p -q 159.69.57.51"'
+        weatherwax:
+          ansible_ssh_host: 192.168.0.200
+
+        # Externe Server Warpzone
+        # Öffentlicher Root Server Warpzone bei Hetzner
+        tiffany:
+          ansible_ssh_host: 159.69.57.15
+
+    vms:
+      children:
+        weatherwax:
+          hosts:
+            # Server für interne Dienste
+            # Container auf dem internen Proxmox Server
+            # Wichtige Optionen: Nesting = Yes, keyctl = enabled
+            ogg:
+              ansible_ssh_host: 192.168.0.201
+
+            # Server für VPN Verbindung zum Webserver
+            # Container auf dem internen Proxmox Server
+            # Wichtige Optionen: Nesting = Yes, keyctl = enabled
+            carrot:
+              ansible_ssh_host: 192.168.0.202
+
+        tiffany:
+          hosts:
+            # Öffentlicher Webserver Warpzone
+            # VM auf Tiffany
+            webserver:
+              ansible_ssh_host: 159.69.57.51
+
+            # Vorstands-VM
+            # VM auf Tiffany
+            # Auch erreichbar unter verwaltung.warpzone.ms
+            verwaltung:
+              ansible_ssh_host: 195.201.179.60
+
+event:
+  children:
+    physical:
+      hosts:
+        # Physischer Server für Veranstaltungen / Camps
+        # warpzone.remote Proxmox-Server
+        hex:
+          ansible_ssh_host: 10.111.10.100
+
+    vms:
+      hosts:
+        # Virtueller Server für Infrastruktur-Dienste auf Veranstaltungen / Camps
+        # Container auf dem warpzone.remote Proxmox-Server
+        # Wichtige Optionen: Nesting = Yes, keyctl = enabled
+        hix:
+          ansible_ssh_host: 10.111.10.101

intern/docker_fridgeserver/templates/htaccess

+<Files *.php>
+deny from all

intern/docker_grafana/templates/provisioning/dashboards/dashboards.yml

+apiVersion: 1
+
+providers:
+  # <string> an unique provider name
+- name: 'Pixelflut'
+  # <int> org id. will default to orgId 1 if not specified
+  # orgId: 1
+  # <string, required> name of the dashboard folder. Required
+  folder: 'Pixelflut'
+  # <string> folder UID. will be automatically generated if not specified
+  # folderUid: ''
+  # <string, required> provider type. Required
+  type: file
+  # <bool> disable dashboard deletion
+  # disableDeletion: false
+  # <bool> enable dashboard editing
+  editable: true
+  # <int> how often Grafana will scan for changed dashboards
+  updateIntervalSeconds: 10
+  # <bool> allow updating provisioned dashboards from the UI
+  allowUiUpdates: true
+  options:
+    # <string, required> path to dashboard files on disk. Required
+    path: /etc/grafana/provisioning/dashboards/pixelflut
+

intern/docker_grafana/templates/provisioning/datasources/datasources.yml

+
+apiVersion: 1
+
+datasources:
+
+  - name: MQTT_Flux
+    type: influxdb
+    access: proxy
+    url: http://{{ int_ip4 }}:{{ mqtt_influxdb_port }}
+    jsonData:
+      version: Flux
+      organization: mqtt
+      defaultBucket: mqtt
+      tlsSkipVerify: true
+    secureJsonData:
+      token: {{ influxdb_token }}
+
+  - name: MQTT_InfluxQL
+    type: influxdb
+    access: proxy
+    url: http://{{ int_ip4 }}:{{ mqtt_influxdb_port }}
+    # This database should be mapped to a bucket
+    database: mqtt
+    jsonData:
+      httpMode: GET
+      httpHeaderName1: 'Authorization'
+    secureJsonData:
+      httpHeaderValue1: 'Token {{ influxdb_token }}'
+
+{% if inventory_hostname == 'hix' %}
+
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://{{ int_ip4 }}:9090
+
+{% endif %}
+
+{% if inventory_hostname == 'ogg' %}
+
+  - name: Pixelflut
+    type: prometheus
+    access: proxy
+    url: http://pixelflut.warpzone.lan:9090
+    uuid: P0FAC05DE14135586
+
+{% endif %}

keyfiles/jabertwo.pub

-ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBCxsaY88ZP/bk15JNs2zzVbpG4S4uLYlzfMVlqSZQJVZ0t65vJMKp2yepp6BdOb2rAuXnhPX5zrFEP/A8idR0DFLR5kp6pvdKOeWToND3V763WXJvOutyoKIXPGSuEJF+Q== jabertwo
-ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGR9N60F+0annoCi9cM+94jSxsw8KPgMf7GqKoFmxwpcDf6fd7Vc5sRQg0avnEg009D2nxihED0y2eTP2Tzn6eQQ/2LRXRfMCa+hRK99YYPUjpszH/y2bC2r/08CvcdeVA== jabertwo
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBCxsaY88ZP/bk15JNs2zzVbpG4S4uLYlzfMVlqSZQJVZ0t65vJMKp2yepp6BdOb2rAuXnhPX5zrFEP/A8idR0DFLR5kp6pvdKOeWToND3V763WXJvOutyoKIXPGSuEJF+Q== jabertwo-home
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGR9N60F+0annoCi9cM+94jSxsw8KPgMf7GqKoFmxwpcDf6fd7Vc5sRQg0avnEg009D2nxihED0y2eTP2Tzn6eQQ/2LRXRfMCa+hRK99YYPUjpszH/y2bC2r/08CvcdeVA== jabertwo-mob

site.yml

@@ -10,6 +10,9 @@
     - { role: all/common, tags: common }
     - { role: all/sysctl, tags: sysctl }
 
+##################################################
+# Test Server
+##################################################
 
 ##################################################
 # Produktive Server
@@ -26,6 +29,7 @@
   remote_user: root
   roles:
     - { role: common/proxmox, tags: proxmox }
+    - { role: common/prometheus-node, tags: prometheus-node }
     - { role: common/cronapt, tags: cronapt }
 
 
@@ -33,6 +37,7 @@
   remote_user: root
   roles:
     - { role: common/cronapt, tags: cronapt }
+    - { role: common/prometheus-node, tags: prometheus-node }
     - { role: common/wireguard, tags: wireguard }
 
 
@@ -159,11 +164,6 @@
         domain_default: "www.warpzone.ms", 
         matrix_federation: true
       }   
-    - { 
-        role: webserver/docker_autodiscover, tags: autodiscover,
-        servicename: autodiscover, 
-        basedir: /srv/autodiscover
-      }
     - { 
         role: webserver/docker_coturn, tags: coturn,
         servicename: "coturn",
@@ -202,10 +202,15 @@
       }
     - { 
         role: webserver/docker_mail, tags: mail, 
+        servicename: mail,
         basedir: /srv/mail, 
+        domain: "warpzone.ms",
+        mailserver: "mailserver.warpzone.ms",
+        listserver: "listserver.warpzone.ms"      
       }
     - { 
         role: webserver/docker_matterbridge, tags: matterbridge,
+        servicename: matterbridge,
         basedir: /srv/matterbridge, 
         domain: "www.warpzone.ms" 
       }

webserver/docker_autodiscover/tasks/main.yml

----
-
-- name: "create folder struct for {{ servicename }}"
-  file:
-    path: "{{ item }}"
-    state: "directory"
-  with_items:
-    - "{{ basedir }}"
-
-
-- name: deploy {{ servicename }} config
-  template:
-    dest:  "{{ basedir }}/{{ item }}"
-    src: "{{ item }}"
-  with_items:
-    - docker-compose.yml
-  register: config
-
-
-# Start containers
-- name: "stop {{ servicename }} docker"
-  docker_compose:
-    project_src: "{{ basedir }}"
-    state: absent
-  when: config.changed
-
-
-- name: "start {{ servicename }} docker"
-  docker_compose:
-    project_src: "{{ basedir }}"
-    state: present
-

webserver/docker_autodiscover/templates/docker-compose.yml

-version: '2.1'
-
-services:
-
-{% for domain in mail_domains %}
-
-  {{ domain }}:
-    image: monogramm/autodiscover-email-settings:1.4.0
-    restart: always
-    environment:
-      - DOMAIN={{ mail_domains[domain].maildomain }}
-      - IMAP_HOST={{ mail_domains[domain].mxserver }}
-      - IMAP_PORT=993
-      - IMAP_SOCKET=SSL
-      - POP_HOST={{ mail_domains[domain].mxserver }}
-      - POP_PORT=995
-      - POP_SOCKET=SSL
-      - SMTP_HOST={{ mail_domains[domain].mxserver }}
-      - SMTP_PORT=587
-      - SMTP_SOCKET=STARTTLS
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.{{ servicename }}-{{ domain }}.rule=Host(`autodiscover.{{ mail_domains[domain].maildomain }}`) || Host(`autoconfig.{{ mail_domains[domain].maildomain }}`)
-      - traefik.http.routers.{{ servicename }}-{{ domain }}.entrypoints=websecure
-      - traefik.http.services.{{ servicename }}-{{ domain }}.loadbalancer.server.port=8000
-    networks:
-      - default 
-      - web
-
-{% endfor %}
-
-networks:
-  web:
-    external: true
-

webserver/docker_dokuwiki/templates/docker-compose.yml

@@ -3,6 +3,7 @@ version: "3"
 services:
 
   app:
+    # values set in configuration: noreply_email_user - noreply_email_pass - smtp_host - smtp_port 
     build: .
     image: "dokuwiki--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}"
     restart: always
@@ -16,11 +17,8 @@ services:
       - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80      
     networks:
       - default      
-      - mail
       - web  
-
+    
 networks:
-  mail:
-    external: true    
   web:
     external: true    

webserver/docker_gitlab/templates/conf/gitlab.rb

@@ -116,8 +116,8 @@ gitlab_rails['gitlab_email_enabled'] = true
 # gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key'
 # gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt'
 # gitlab_rails['gitlab_email_smime_ca_certs_file'] = '/etc/gitlab/ssl/gitlab_smime_cas.crt'
-gitlab_rails['gitlab_email_from'] = '{{ noreply_email_user }}'
-gitlab_rails['gitlab_email_display_name'] = 'Gitlab Warpzone'
+gitlab_rails['gitlab_email_from'] = 'gitlab@{{ smtp_domain }}'
+gitlab_rails['gitlab_email_display_name'] = 'Warpzone Gitlab'
 gitlab_rails['gitlab_email_reply_to'] = '{{ noreply_email_user }}'
 
 ### GitLab user privileges

webserver/docker_keycloak/tasks/main.yml

@@ -2,6 +2,7 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
+   - { path: /srv/shared/noreply_email_pass, length: -1 } 
    - { path: /srv/keycloak/keycloak_admin_pass,  length: 32 }
    - { path: /srv/keycloak/postgres_user_pass,  length: 24 }
 

webserver/docker_keycloak/templates/docker-compose.yml

@@ -6,7 +6,7 @@ services:
 
 
   app:
-
+    # values set in configuration: noreply_email_user - noreply_email_pass - smtp_host - smtp_port 
     image: jboss/keycloak:16.1.1
     restart: always
     depends_on:
@@ -31,7 +31,6 @@ services:
       - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
     networks:
       - default
-      - mail
       - web
 
 
@@ -64,7 +63,5 @@ services:
 
 
 networks:
-  mail:
-    external: true
   web:
     external: true

webserver/docker_mail/defaults/main.yaml

----
-servicename: mail
-basedir: /srv/mail