

14 Commits

17 changed files with 829 additions and 115 deletions


@@ -0,0 +1,99 @@
---
- hosts: all
name: Gitea web server
tasks:
- name: Get containers UID
ansible.builtin.command: "id -u containers"
register: uid_containers
changed_when: uid_containers.rc != 0
- name: Stop running containers
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
state: stopped
loop:
- act_runner
failed_when: false
- name: Create podman volumes
containers.podman.podman_volume:
state: present
name: "{{ item }}"
become_user: containers
become: true
loop:
- act_runner
- name: Pull container images
become_user: containers
become: true
containers.podman.podman_image:
name: docker.io/{{ item }}
loop:
- gitea/runner:1.0.0
- name: Change permission to act_runner folder
become_user: root
become: true
ansible.builtin.file:
path: /etc/act_runner
owner: containers
group: containers
mode: "0700"
state: directory
- name: Copy config directory
become_user: root
become: true
ansible.builtin.template:
src: "templates/{{ item }}.j2"
dest: "/etc/act_runner/{{ item }}"
owner: containers
group: containers
mode: "0600"
loop:
- configuration.yml
- name: Create act_runner instance
become_user: containers
become: true
containers.podman.podman_container:
name: act_runner
image: docker.io/gitea/runner:1.0.0
state: present
security_opt:
# - label=type:container_runtime_t
- label=disable
device:
- /dev/fuse
publish:
- "8088:8088"
volume:
- act_runner:/data:Z
- /etc/act_runner:/config:Z
- /run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock:z
env:
GITEA_INSTANCE_URL: "{{ vault_act_runner_host }}"
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ vault_act_runner_token }}"
GITEA_RUNNER_NAME: "{{ inventory_hostname_short }}"
CONFIG_FILE: "/config/configuration.yml"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Start containers at boot
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
enabled: true
state: started
daemon_reload: true
loop:
- act_runner
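Review bot: The third `volume:` entry bind-mounts the host user's podman socket into the runner as `/var/run/docker.sock`, and `security_opt` sets `label=disable`, so the act_runner process holds the `containers` user's full podman API on the host with SELinux confinement switched off; the only thing keeping that socket out of job containers is the template's `docker_host: "-"` and `valid_volumes`, and that coupling deserves a comment next to the mount, e.g. `# host podman API is exposed to act_runner itself only; configuration.yml docker_host "-" keeps it out of job containers`. The `Get containers UID` task uses `changed_when: uid_containers.rc != 0`, which can never report changed because the command module already fails on a non-zero rc; `changed_when: false` is the intended form. If that command ever returned an empty `stdout`, the mount path would render as `/run/user//podman/podman.sock`, so a guard such as `failed_when: uid_containers.stdout | length == 0` protects the container task that consumes it.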


@@ -0,0 +1,87 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./gitea-runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: {{ vault_act_runner_capacity }}
# Extra environment variables to run jobs.
#envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
#env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [linux,self-hosted]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
# Prefer an explicit override; otherwise use the default routed IPv4 instead of
# an arbitrary interface-specific address.
host: "{{ vault_act_runner_cache_host | default(ansible_facts.get('default_ipv4', {}).get('address', ansible_facts[vault_act_net_interface_name]['ipv4']['address']), true) }}"
# The port of the cache server.
# 0 means to use a random available port.
port: 8088
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: [build_cache]
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: "-"
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:
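Review bot: In the `host:` value under `cache:`, the fallback passed to `.get('address', ansible_facts[vault_act_net_interface_name]['ipv4']['address'])` is evaluated eagerly, so the template fails whenever `vault_act_net_interface_name` is undefined or that interface has no IPv4, even when `default_ipv4` is present and the fallback would never be used. A lazy chain keeps the intended precedence: `host: "{{ vault_act_runner_cache_host | default(ansible_facts.default_ipv4.address | default(ansible_facts[vault_act_net_interface_name].ipv4.address), true) }}"`. `capacity: {{ vault_act_runner_capacity }}` is an unquoted template expansion, so an empty vault value renders as `capacity:` (null) rather than an error; `{{ vault_act_runner_capacity | int }}` at least documents the expected type. The generated file is world-readable only as far as the playbook's `mode: "0600"` allows, which is appropriate since `host:` and the runner token live alongside it.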


@@ -13,6 +13,7 @@
state: stopped state: stopped
loop: loop:
- collabora - collabora
failed_when: false
# - name: Create podman volumes # - name: Create podman volumes
# containers.podman.podman_volume: # containers.podman.podman_volume:
@@ -49,8 +50,6 @@
name: collabora name: collabora
image: docker.io/collabora/code:latest image: docker.io/collabora/code:latest
state: present state: present
cap_add:
- MKNOD
network: network:
- traefik-collabora - traefik-collabora
- nextcloud-collabora - nextcloud-collabora
@@ -60,7 +59,7 @@
io.containers.autoupdate: "registry" io.containers.autoupdate: "registry"
traefik.enable: "true" traefik.enable: "true"
traefik.http.routers.collabora.entrypoints: "https" traefik.http.routers.collabora.entrypoints: "https"
traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/collabora`,`/browser`)" traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/collabora`) || Path(`/browser`))"
traefik.http.routers.collabora.tls: "true" traefik.http.routers.collabora.tls: "true"
traefik.http.routers.collabora.tls.certresolver: "wildcard" traefik.http.routers.collabora.tls.certresolver: "wildcard"
traefik.http.routers.collabora.service: "collabora" traefik.http.routers.collabora.service: "collabora"
@@ -69,16 +68,32 @@
env: env:
domain: "chef\\.heaplab\\.deib\\.polimi\\.it" domain: "chef\\.heaplab\\.deib\\.polimi\\.it"
aliasgroup1: "chef\\.heaplab\\.deib\\.polimi\\.it" aliasgroup1: "chef\\.heaplab\\.deib\\.polimi\\.it"
server_name: "chef.heaplab.deib.polimi.it"
username: "{{ vault_collabora_user }}" username: "{{ vault_collabora_user }}"
password: "{{ vault_collabora_password }}" password: "{{ vault_collabora_password }}"
extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:net.service_root=/collabora" extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:net.service_root=/collabora --o:net.server_name=chef.heaplab.deib.polimi.it/collabora"
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600 requires: [container-nextcloud.service, container-traefik.service]
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-collabora.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true
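Review bot: The new `server_name` env value and the added `--o:net.server_name=` option hard-code `chef.heaplab.deib.polimi.it`, while the router rule in the previous hunk derives the host from `vault_domain`; the two can drift apart silently. `server_name: "{{ vault_domain }}"` and `--o:net.server_name={{ vault_domain }}/collabora` keep one source of truth (the pre-existing `domain`/`aliasgroup1` regexes could follow with `vault_domain | regex_escape`). The rule change narrows `/browser` to an exact `Path` match; if Collabora still serves assets under `/browser/<hash>/...` at the root this would break them, but with `net.service_root=/collabora` those requests are presumably under `/collabora/browser/`, so this only needs confirming against the rendered pages.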


@@ -13,6 +13,7 @@
state: stopped state: stopped
loop: loop:
- drone-runner - drone-runner
failed_when: false
- name: Get containers UID - name: Get containers UID
ansible.builtin.command: "id -u containers" ansible.builtin.command: "id -u containers"
@@ -83,10 +84,24 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-drone-runner.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true


@@ -13,6 +13,7 @@
state: stopped state: stopped
loop: loop:
- drone-server - drone-server
failed_when: false
- name: Create podman volumes - name: Create podman volumes
containers.podman.podman_volume: containers.podman.podman_volume:
@@ -84,10 +85,25 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600 requires: [container-traefik.service]
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-drone-server.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true


@@ -14,6 +14,7 @@
loop: loop:
- gitea - gitea
- db_gitea - db_gitea
failed_when: false
- name: Permit traffic from any IP to ssh port - name: Permit traffic from any IP to ssh port
become: true become: true
@@ -62,7 +63,7 @@
dest: /etc/gitea/mariadb/ dest: /etc/gitea/mariadb/
owner: containers owner: containers
group: containers group: containers
mode: 0600 mode: "0600"
- name: Create mariadb instance - name: Create mariadb instance
become_user: containers become_user: containers
@@ -88,7 +89,6 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600
names: true names: true
new: true new: true
@@ -155,16 +155,46 @@
GITEA__service__SIGNIN_VIEW: false GITEA__service__SIGNIN_VIEW: false
GITEA__service__REGISTER_EMAIL_CONFIRM: true GITEA__service__REGISTER_EMAIL_CONFIRM: true
GITEA__service__ENABLE_CAPTCHA: true GITEA__service__ENABLE_CAPTCHA: true
GITEA__service__ENABLE_NOTIFY_MAIL: true
GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: false GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: false
GITEA__ui__THEMES: "auto,gitea,arc-green,gitea-modern" GITEA__ui__THEMES: "auto,gitea,arc-green,gitea-modern"
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
requires: [container-db_gitea] requires: [container-db_gitea.service, container-traefik.service]
time: 3600
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-gitea.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-db_gitea.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true
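Review bot: The two `Change start and stop timeout limits` tasks differ only in the unit name; the nextcloud playbook in this same commit expresses the same thing with a loop over container names in `path: "/home/containers/.config/systemd/user/container-{{ item }}.service"`, and adopting that form here (or a single task looping over `['gitea', 'db_gitea'] | product(['TimeoutStartSec', 'TimeoutStopSec'])`) removes the duplicated block. `GITEA__service__ENABLE_NOTIFY_MAIL: true` follows the unquoted-boolean style of its neighbours, but these are environment variables, so what reaches the container is whatever string the module renders for a YAML boolean (likely `True`); the other playbooks quote env booleans (e.g. `MM_EMAILSETTINGS_ENABLESMTPAUTH: "false"`), and quoting here as `"true"` would make the rendered value explicit.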


@@ -13,6 +13,7 @@
state: stopped state: stopped
loop: loop:
- heimdall - heimdall
failed_when: false
- name: Create podman volumes - name: Create podman volumes
containers.podman.podman_volume: containers.podman.podman_volume:
@@ -77,10 +78,25 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600 requires: [container-traefik.service]
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-heimdall.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true


@@ -0,0 +1,183 @@
# code: language=ansible
---
- hosts: all
name: Mattermost server
tasks:
- name: Stop running containers
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
state: stopped
loop:
- mattermost
- db_mattermost
failed_when: false
- name: Create podman volumes
containers.podman.podman_volume:
state: present
name: "{{ item }}"
become_user: containers
become: true
loop:
- mattermost-config
- mattermost-data
- mattermost-logs
- mattermost-plugins
- mattermost-clientplugins
- mattermost-bleveindexes
- mattermost-db
- name: Create podman networks
containers.podman.podman_network:
name: "{{ item }}"
recreate: false
state: "present"
become_user: containers
become: true
loop:
- traefik-mattermost
- postgres-mattermost
- name: Pull container images
become_user: containers
become: true
containers.podman.podman_image:
name: docker.io/{{ item }}
loop:
- mattermost/mattermost-team-edition:release-9
- postgres:13-alpine
- name: Create postgres instance
become_user: containers
become: true
containers.podman.podman_container:
name: db_mattermost
image: docker.io/postgres:13-alpine
state: present
volume:
- mattermost-db:/var/lib/postgresql/data/pgdata:Z
network:
- postgres-mattermost
env:
POSTGRES_DB: "{{ vault_mattermost_db_database }}"
POSTGRES_USER: "{{ vault_mattermost_db_user }}"
POSTGRES_PASSWORD: "{{ vault_mattermost_db_password }}"
PGDATA: /var/lib/postgresql/data/pgdata
TZ: "{{ vault_timezone }}"
security_opt:
- no-new-privileges=true
pids_limit: "100"
read_only: true
tmpfs:
"/tmp": "rw"
"/var/run/postgresql": "rw"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Add a mattermost container
become_user: containers
become: true
containers.podman.podman_container:
name: mattermost
image: docker.io/mattermost/mattermost-team-edition:release-9
state: present
network:
- traefik-mattermost
- postgres-mattermost
volume:
- mattermost-config:/mattermost/config:Z
- mattermost-data:/mattermost/data:Z
- mattermost-logs:/mattermost/logs:Z
- mattermost-plugins:/mattermost/plugins:Z
- mattermost-clientplugins:/mattermost/client/plugins:Z
- mattermost-bleveindexes:/mattermost/bleve-indexes:Z
security_opt:
- no-new-privileges=true
pids_limit: "100"
tmpfs:
"/tmp": "rw"
label:
io.containers.autoupdate: "registry"
traefik.enable: "true"
traefik.http.routers.mattermost.entrypoints: "https"
traefik.http.routers.mattermost.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/mattermost/`) || Path(`/mattermost`))"
traefik.http.routers.mattermost.tls: "true"
traefik.http.routers.mattermost.tls.certresolver: "wildcard"
traefik.http.routers.mattermost.service: "mattermost"
traefik.http.routers.mattermost.middlewares: "http-compress@file"
traefik.http.services.mattermost.loadbalancer.server.port: "8065"
traefik.http.services.mattermost.loadbalancer.passhostheader: "true"
traefik.udp.routers.mm-call-rtr.service: "mm-call-svc"
traefik.udp.routers.mm-call-rtr.entrypoints: "mmcalls"
traefik.udp.services.mm-call-svc.loadBalancer.server.port: "8443"
traefik.docker.network: "traefik-mattermost"
env:
TZ: "{{ vault_timezone }}"
# https://docs.mattermost.com/configure/environment-configuration-settings.html
MM_SQLSETTINGS_DRIVERNAME: "postgres"
MM_SQLSETTINGS_DATASOURCE: "postgres://{{ vault_mattermost_db_user }}:{{ vault_mattermost_db_password }}@db_mattermost:5432/{{ vault_mattermost_db_database }}?sslmode=disable&connect_timeout=10"
MM_BLEVESETTINGS_INDEXDIR: "/mattermost/bleve-indexes"
MM_SERVICESETTINGS_SITEURL: "https://{{ vault_domain }}/mattermost"
MM_EMAILSETTINGS_SMTPSERVER: "{{ vault_smtp_host }}"
MM_EMAILSETTINGS_SMTPPORT: "{{ vault_smtp_port }}"
MM_EMAILSETTINGS_ENABLESMTPAUTH: "false"
MM_EMAILSETTINGS_SMTPUSERNAME: "{{ vault_smtp_user }}"
MM_EMAILSETTINGS_SMTPPASSWORD: "{{ vault_smtp_password }}"
MM_EMAILSETTINGS_CONNECTIONSECURITY: "{{ vault_smtp_protocol }}"
MM_SERVICESETTINGS_ENABLESECURITYFIXALERT: "true"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-db_mattermost.service, container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-mattermost.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-db_mattermost.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
enabled: true
state: started
daemon_reload: true
loop:
- mattermost
- db_mattermost
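Review bot: `MM_EMAILSETTINGS_ENABLESMTPAUTH: "false"` is set while `MM_EMAILSETTINGS_SMTPUSERNAME` and `MM_EMAILSETTINGS_SMTPPASSWORD` are populated from the vault two lines below; either the relay requires authentication and the flag should be `"true"`, or the credentials are unused and should be dropped so a secret is not placed in the container environment for nothing. `MM_SQLSETTINGS_DATASOURCE` carries the database password with `sslmode=disable`; that is defensible only because `db_mattermost` is attached solely to the private `postgres-mattermost` network and publishes no port, and a comment stating the assumption (`# plaintext DB connection is confined to the postgres-mattermost network; do not publish 5432`) keeps a later edit from breaking it. The `mattermost` container gets `no-new-privileges` and `pids_limit` like the database but not `read_only: true`; if writable paths beyond the mounted volumes are needed, a one-line comment explaining the asymmetry would help.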


@@ -1,6 +1,7 @@
[Unit] [Unit]
Description=Nextcloud cron.php job Description=Nextcloud cron.php job
Wants=nextcloudcron.timer Wants=nextcloudcron.timer
Requires=container-nextcloud.service
[Service] [Service]
ExecStart=/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php ExecStart=/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php
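Review bot: `Requires=container-nextcloud.service` adds a dependency but no ordering; `Requires=` does not imply `After=` in systemd, so at boot this unit may be started before the container is running and the `podman exec` in `ExecStart` fails. Add `After=container-nextcloud.service` beside the new `Requires=` line. The `[Unit]` section is fully inside the hunk; the rest of `[Service]` is not shown.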


@@ -15,6 +15,7 @@
- nextcloud - nextcloud
- redis_nextcloud - redis_nextcloud
- db_nextcloud - db_nextcloud
failed_when: false
- name: Pull container images - name: Pull container images
become_user: containers become_user: containers
@@ -47,7 +48,7 @@
path: /etc/nextcloud path: /etc/nextcloud
owner: containers owner: containers
group: containers group: containers
mode: 0700 mode: "0700"
state: directory state: directory
- name: Copy nextcloud config directory - name: Copy nextcloud config directory
@@ -57,7 +58,7 @@
dest: /etc/nextcloud/config/ dest: /etc/nextcloud/config/
owner: containers owner: containers
group: containers group: containers
mode: 0600 mode: "0600"
- name: Copy systemd service and timer - name: Copy systemd service and timer
become: true become: true
@@ -67,7 +68,7 @@
dest: "/home/containers/.config/systemd/user/" dest: "/home/containers/.config/systemd/user/"
owner: containers owner: containers
group: containers group: containers
mode: 0644 mode: "0644"
- name: Copy mariadb config directory - name: Copy mariadb config directory
become: true become: true
@@ -76,7 +77,7 @@
dest: /etc/nextcloud/mariadb/ dest: /etc/nextcloud/mariadb/
owner: containers owner: containers
group: containers group: containers
mode: 0600 mode: "0600"
- name: Create podman networks - name: Create podman networks
containers.podman.podman_network: containers.podman.podman_network:
@@ -105,7 +106,6 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600
names: true names: true
new: true new: true
@@ -133,7 +133,6 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600
names: true names: true
new: true new: true
@@ -184,8 +183,8 @@
SMTP_SECURE: "{{ vault_smtp_protocol }}" SMTP_SECURE: "{{ vault_smtp_protocol }}"
SMTP_PORT: "{{ vault_smtp_port }}" SMTP_PORT: "{{ vault_smtp_port }}"
SMTP_AUTHTYPE: "None" SMTP_AUTHTYPE: "None"
SMTP_NAME: "" SMTP_NAME: "{{ vault_smtp_auth_name }}"
SMTP_PASSWORD: "" SMTP_PASSWORD: "{{ vault_smtp_password }}"
MAIL_FROM_ADDRESS: "{{ vault_smtp_from }}" MAIL_FROM_ADDRESS: "{{ vault_smtp_from }}"
MAIL_DOMAIN: "{{ vault_smtp_domain }}" MAIL_DOMAIN: "{{ vault_smtp_domain }}"
TRUSTED_PROXIES: "traefik" TRUSTED_PROXIES: "traefik"
@@ -195,11 +194,42 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
requires: [container-db_nextcloud, container-redis_nextcloud] requires: [container-db_nextcloud.service, container-redis_nextcloud.service, container-traefik.service]
time: 3600
names: true names: true
new: true new: true
- name: Change start timeout limit
become_user: containers
become: true
community.general.ini_file:
path: "/home/containers/.config/systemd/user/container-{{ item }}.service"
section: Service
option: TimeoutStartSec
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- nextcloud
- redis_nextcloud
- db_nextcloud
- name: Change stop timeout limit
become_user: containers
become: true
community.general.ini_file:
path: "/home/containers/.config/systemd/user/container-{{ item }}.service"
section: Service
option: TimeoutStopSec
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- nextcloud
- redis_nextcloud
- db_nextcloud
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true
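Review bot: `SMTP_NAME` and `SMTP_PASSWORD` now carry vault credentials while `SMTP_AUTHTYPE: "None"` on the line above is unchanged; if that value disables SMTP authentication in the Nextcloud image the credentials are never used, and if the relay does require authentication the auth type should be set explicitly (typically `"LOGIN"`). The hunk also introduces `vault_smtp_auth_name`, whereas the mattermost playbook in this commit reads the same relay's account as `vault_smtp_user`; one variable name for the SMTP account avoids two vault entries for one secret. The enclosing task begins above the hunk, so I could not check whether `SMTP_HOST` is also vault-driven.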


@@ -18,6 +18,7 @@
state: stopped state: stopped
loop: loop:
- portainer - portainer
failed_when: false
- name: Pull portainer image - name: Pull portainer image
become_user: containers become_user: containers
@@ -69,10 +70,25 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600 requires: [container-traefik.service]
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-portainer.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true


@@ -18,6 +18,7 @@
state: stopped state: stopped
loop: loop:
- traefik - traefik
failed_when: false
- name: Permit traffic from any IP to http port - name: Permit traffic from any IP to http port
become: true become: true
@@ -37,6 +38,15 @@
to_port: 443 to_port: 443
rule: allow rule: allow
- name: Permit traffic from any IP to mattermost port
become: true
community.general.ufw:
direction: in
from_ip: any
proto: udp
to_port: 8443
rule: allow
- name: Pull traefik image - name: Pull traefik image
become_user: containers become_user: containers
become: true become: true
@@ -49,7 +59,7 @@
path: /etc/traefik path: /etc/traefik
owner: containers owner: containers
group: containers group: containers
mode: 0700 mode: "0700"
state: directory state: directory
- name: Copy config directory - name: Copy config directory
@@ -59,7 +69,7 @@
dest: /etc/traefik/ dest: /etc/traefik/
owner: containers owner: containers
group: containers group: containers
mode: 0600 mode: "0600"
- name: Copy config files from templates - name: Copy config files from templates
become: true become: true
@@ -68,7 +78,7 @@
dest: "/etc/traefik/{{ item }}" dest: "/etc/traefik/{{ item }}"
owner: containers owner: containers
group: containers group: containers
mode: 0600 mode: "0600"
loop: loop:
- traefik.yml - traefik.yml
- conf/cockpit.yml - conf/cockpit.yml
@@ -87,6 +97,7 @@
- traefik-gitea - traefik-gitea
- traefik-collabora - traefik-collabora
- traefik-heimdall - traefik-heimdall
- traefik-mattermost
- name: Create traefik instance - name: Create traefik instance
become_user: containers become_user: containers
@@ -98,6 +109,7 @@
publish: publish:
- "80:80" - "80:80"
- "443:443" - "443:443"
- "8443:8443"
security_opt: security_opt:
- label=type:container_runtime_t - label=type:container_runtime_t
volume: volume:
@@ -110,6 +122,7 @@
- traefik-gitea - traefik-gitea
- traefik-collabora - traefik-collabora
- traefik-heimdall - traefik-heimdall
- traefik-mattermost
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
label: label:
@@ -117,7 +130,7 @@
traefik.enable: "true" traefik.enable: "true"
traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}" traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}"
traefik.http.routers.traefik.entrypoints: "https" traefik.http.routers.traefik.entrypoints: "https"
traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/api`,`/dashboard`)" traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/api/`) || Path(`/api`) || PathPrefix(`/dashboard/`) || Path(`/dashboard`))"
traefik.http.routers.traefik.middlewares: "traefik-auth@docker" traefik.http.routers.traefik.middlewares: "traefik-auth@docker"
traefik.http.routers.traefik.tls: "true" traefik.http.routers.traefik.tls: "true"
traefik.http.routers.traefik.tls.certresolver: "wildcard" traefik.http.routers.traefik.tls.certresolver: "wildcard"
@@ -126,10 +139,24 @@
generate_systemd: generate_systemd:
path: /home/containers/.config/systemd/user/ path: /home/containers/.config/systemd/user/
restart_policy: on-failure restart_policy: on-failure
time: 3600
names: true names: true
new: true new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-traefik.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot - name: Start containers at boot
become_user: containers become_user: containers
become: true become: true
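Review bot: The new `publish` entry `"8443:8443"` maps TCP only, but the `mmcalls` entrypoint added to traefik.yml in the next hunk listens on `":8443/udp"` and the new ufw rule allows `proto: udp`; without a protocol suffix podman publishes TCP, so UDP call traffic never reaches traefik. Change it to `- "8443:8443/udp"` (keep a TCP mapping only if something actually listens on TCP 8443). Since the ufw task opens this port to `from_ip: any`, a comment naming the consumer (`# Mattermost Calls RTC, forwarded by the traefik mmcalls entrypoint`) documents why the exposure exists and lets it be removed cleanly if Calls is disabled.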


@@ -21,6 +21,8 @@ entryPoints:
permanent: true permanent: true
https: https:
address: ":443" address: ":443"
mmcalls:
address: ":8443/udp"
providers: providers:
docker: docker:


@@ -0,0 +1,154 @@
---
- name: Online project management tool
hosts: all
tasks:
- name: Stop running containers
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
state: stopped
loop:
- vikunja
- db_vikunja
failed_when: false
- name: Pull container images
become_user: containers
become: true
containers.podman.podman_image:
name: docker.io/{{ item }}
loop:
- vikunja/vikunja:latest
- mariadb:latest
- name: Create podman volumes
containers.podman.podman_volume:
state: present
name: "{{ item }}"
become_user: containers
become: true
loop:
- vikunja-data
- vikunja-db
- name: Create podman networks
containers.podman.podman_network:
name: "{{ item }}"
recreate: false
state: present
become_user: containers
become: true
loop:
- traefik-vikunja
- mariadb-vikunja
- name: Create mariadb instance
become_user: containers
become: true
containers.podman.podman_container:
name: db_vikunja
image: docker.io/mariadb:latest
state: present
volume:
- vikunja-db:/var/lib/mysql:Z
network:
- mariadb-vikunja
command:
- --character-set-server=utf8mb4
- --collation-server=utf8mb4_unicode_ci
- --max-connections=1000
env:
MARIADB_ROOT_PASSWORD: "{{ vault_vikunja_mariadb_root_password }}"
MARIADB_DATABASE: "{{ vault_vikunja_mariadb_database }}"
MARIADB_USER: "{{ vault_vikunja_mariadb_user }}"
MARIADB_PASSWORD: "{{ vault_vikunja_mariadb_password }}"
MARIADB_AUTO_UPGRADE: "true"
healthcheck: "mysqladmin ping --silent"
healthcheck_interval: 2s
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Create vikunja instance
become_user: containers
become: true
containers.podman.podman_container:
name: vikunja
image: docker.io/vikunja/vikunja:latest
state: present
volume:
- vikunja-data:/app/vikunja/files:Z
network:
- traefik-vikunja
- mariadb-vikunja
env:
VIKUNJA_DATABASE_HOST: db_vikunja
VIKUNJA_DATABASE_PASSWORD: "{{ vault_vikunja_mariadb_password }}"
VIKUNJA_DATABASE_TYPE: mysql
VIKUNJA_DATABASE_USER: "{{ vault_vikunja_mariadb_user }}"
VIKUNJA_DATABASE_DATABASE: "{{ vault_vikunja_mariadb_database }}"
VIKUNJA_SERVICE_JWTSECRET: "{{ vault_vikunja_jwt_secret }}"
VIKUNJA_SERVICE_PUBLICURL: https://{{ vault_domain }}/vikunja/
VIKUNJA_FRONTEND_BASE: /vikunja/
label:
io.containers.autoupdate: registry
traefik.enable: "true"
traefik.http.routers.vikunja.entrypoints: https
traefik.http.routers.vikunja.rule: Host(`{{ vault_domain }}`) && (PathPrefix(`/vikunja/`) || Path(`/vikunja`))
traefik.http.routers.vikunja.tls: "true"
traefik.http.routers.vikunja.tls.certresolver: wildcard
traefik.http.routers.vikunja.service: vikunja
traefik.http.services.vikunja.loadbalancer.server.port: "3456"
traefik.docker.network: traefik-vikunja
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-vikunja.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-db_vikunja.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
enabled: true
state: started
daemon_reload: true
loop:
- db_vikunja
- vikunja
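Review bot: The `vikunja` container's `generate_systemd` has no `requires:`, unlike `mattermost`, `gitea` and `nextcloud` in this commit, so after a reboot `container-vikunja.service` can start before `container-db_vikunja.service` and `container-traefik.service` (the play's own start order only helps during the run); add `requires: [container-db_vikunja.service, container-traefik.service]`. Both images are pulled as `:latest`, so every re-run can pull a major version jump with nothing pinned, and `MARIADB_AUTO_UPGRADE: "true"` will then migrate the data directory in place; the sibling playbooks pin (`postgres:13-alpine`, `release-9`), and a pinned major tag here would match that policy. `db_vikunja` also lacks the `no-new-privileges`, `pids_limit` and `read_only` hardening applied to `db_mattermost`, with no comment explaining the difference. The Traefik labels and `VIKUNJA_SERVICE_PUBLICURL` are left as plain scalars while the other playbooks quote them; quoting the rule containing backticks and `||` follows the convention used elsewhere in this commit.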


@@ -1,86 +1,108 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
30663733363338333134613333316434633861386238613634303762653635326631353737323330 37356439333438353336646130636665356661636631376334306233366531373530326664333866
6466356331313639613666616631633036376339343236660a323631613662313162316537366136 3238313865373230633861333462373433313236623735310a616537336564316133393364646566
62653630643732643735363136356230356333363232663632373730653264643563343061303930 32313361616437643936363266363763636138346135313634303662336432656661656237383535
6530366261643938320a353264663234346465356666333233643533303962303134393331373137 3266326230643635330a326436646339333437316232643339626365316666643966326563633237
64316365363035346435613734656338333161613066393863363531646230346233633430623239 32376635363739633638313862646664363438333934336531623032326532666264323062643736
61353437386434393135376234356464313533303861663662376434333838616437623132353438 37666638363337383530343165633630653635303262646236613438636531373161633163346466
63333365353837313738313464306431313137356634323563356234356630316166303030313765 35663633613763666161373836303731383262643534323139323632666430313966353634386363
61333134346237323261626662383833616236366132353333373532373130376332303664353164 66626633636137646466386530376330326430306134326432633062396561306338383562383938
62363735613933626338376666353364366239353466646434373961623666663033363630306663 63363162663731356434333339616465323266376134636531626435656132653739643633626662
32623132363836666365306161646631386631633966363034303932303361333834313931363034 65333432323632633032383139343135326434646634623563316663393464353765333932313934
36643364353363323331643735636363323132336438383765363937356239666662336330653330 63653638363463366465636537333066323763363335643339306463373235366439633835343632
32653364316363626636386232353334343337643163383435303339313937613965313963646666 34323666656430666435303161633763613835656435396165346433336535656462313036663163
30356465653162336638313439613965316630656661333061663033643033653564353635386233 38623931353366633661383462646233363162646163636662353534633736346132313765613566
38656636313137333464636431646239376661343833333239646161613838333131363031396233 63383065663265646266626531396166363634343536646430653536393338613035303466353234
65326431323763336334613262363162643335656265326364383237386561366434656630666533 32663761663864363064616338383632336531356635363734323961623033623162393834613835
63623037316264373865616230623465333638306561633332663366363461613935653462623863 31396331393330623237303330653666623066333733633162633662363330376232623764326237
63346432383336333664346333623366323031316137313139303738306135636136346664376232 38333539396262623735306335323561313130376630666436373436346166306563363265303339
65633030373838643363333839303432306632623437646331623336386264393439376139343464 35646336396637326465313833333063313539663438323862626263313065366366366532316435
64346330623530663531653031316561646534663762653739363064353962386538666138323635 36626261333036353734393666323162393037666230613066336662663231653230353339613830
66663639646264623765363763663030393564396335653864343061343036623135376463663565 32366138656461373830346137326632636265396237303130356265623364363035346631313439
39343839333635636434336239353536363130396337633065643039316233666436623464633166 63386530303861343266633463666433366337643462333063353436656361383132393465306539
64626461656634353239343239326130303935303663303464336633643961396664386265653339 35636639613730346566323264353363613931626261656564333164373633323936316631633763
31343236376364316566363437653765373236653463623132626530626363373364353633376131 33343965633835623665623637666233363064653937356638623664633232376263336335313430
37623831323334323439313563653734376361363361373431653862343561323133346532646161 65636638333432336164303162306134313866366239373638323231396137316366636335623036
62633239363736643531623338353930396261303836646137393333373466363963336265656166 66306138623931323164663332336536376166383637386263363637396133313461303962383539
37373631323836343833333263303037356435333961356466343438666663373965663563646533 31363134316331306562353838626637333862613535636266396235346430376264663833373935
64366163366534333739366466656265326234333137313933663363653161393062363336393466 36633863653631303737306234316562336266396238333461636634333833643034646239353838
30616635313737346133663163366331333161303163346239653266353862343564326434373935 33353234353431363139376530623366633961393964376436613062386331666637326661343231
37626533646331346263333737633330373364396433323634313365343463373539626665343463 30386235333930663664616336396462323739303334376165306562313166393464306134343934
39323635323161396238323439316334333362376561636565333939303562396534376337303662 64663435393136666466366639633637636162323837313630316635373461633330353762353333
37373832386337326430386531623163353265303763363561353035653562666532316261323662 66306633323531653733313165623938356465323665323264636436623536636332353735306431
33303536326437653065343464373261303062633930336564626539333163626530333363643033 62346566323435653362303364633166633734336464363639666631626238636238666165636236
36383839386531613031383835623239366235393233373263373635656532646362343639356333 66336636333464623235366631653766323534323434616235623036393961656537336464343334
62663934646237646134376238653265663539383039346138623065386564366138333461653639 66353336616137643734336566643636326634386137666266396265326332313338633032363661
38363366386534663430636436613836383230663063326665636237656366376366653833396437 37383530333463623663386239613861393963333437633834656665303333336435656630333235
66653162316138363037346165313235633935353038333465623238373337626134663531313135 39326165383262636164323737653834363734646435333631316436393962613361663961333931
33666533396238306232366666666433653537643431363733643261663363336339633538386561 33373962313531343361653065653265386436313766336663616261363239373935393437316238
64356161663737663566636361663038343331636437373462336665316337666232393135663563 31386534666265626336636462663939333834306266633863653430653066306230663036376564
64323032343337626633356236356538366432643734383037336666366630633162386335363764 65313366316434313966356338636134333432366630343730306438336233613964306561643163
34383035636639316362313962353439373062616165323163313963616464393866353638643930 66613636306463636635653561663338356664643134623036356534323765383235373331373966
63633434366165306662383436643039653263386430623831623230616331333433346262636165 63373263306233633933356432393865363864363531643931346537366538653234326432313730
62333863653634343530326335656666373731303236653636663739313031363334333038393662 65383063646437313032353538393539376435316433343038326264323032393734323866663732
38616435646461646438303865666230636561643635626636393465313133646565356362643761 61373434316537343465633130383964396335643963643335303265343261353032653037353963
62303565666132626534653734666237633762386266613330663237323631333562663232373731 35323465653263323063393839623530656263653363326464356262383466346636663531613931
33353861313238363165626337363939376563343465306364373137623231313062633838303161 61316634353531626339343564363730343865613363353461393165663464383037653131343635
66333038306666363030326566613966303036636563633862333738346233336335363238343966 34623938356631356636366233303639306131306364316662386366343932353335303932333464
31656634376436366135643731663939353332633566323437653163323931393334633937656131 31393562393862346437613136626563353630386137653763636266353865613035663537653634
34363133623865613061303338373038663165656230643030663037313934343231313233636236 37373333353730353138613366376330656663323366346362316539303535373764653966333462
65623865623137333732303536393265353363393630343837656666616234393037316136343038 34636331663337653036373164343138626530353737306332323861356532666461373064643633
39326466363836643937656163306661396239333665303133363133613066613034386162633361 33303563396538313966633530343736366235396138343464396132373335636238393833316363
63353731393861396337313266633564396462393364643831333235366433303764303266613163 31633534396132346639376236336465643638303564366139356434616534373031373462636139
30646630363862303965376636346133316135666535643135393935326138346162336436626533 35653664386134366362363930356335366137376466366465336434306463343632363539616661
62346661333263636363313134336435323330646262303934346138663131333631326234353263 39326663353030303832343562306634613231386366356333303636623037656236623165333139
38643165646131656639363235366530353366353464343361656536373639653238366438643335 65636233383265313536333030356339376231623665663430633532393238396233343133346462
36376331316264333263613037636263386630306430623437383061383631366662633435643337 65653235323162306666363364653335353830363137633032613236666362393234303137646163
37336236336164303839386536333630343363373066373534626330653532313335383863623866 37653031333937363065623566333536613465343463316665353065393530363037373038383531
62376438616162343832613365333765306462636535346330373230333634383263323961363563 30373933636638383061663464393962363464313763373165363836636139336430306337373837
62326363383464353536643035653966643239306338346238393838323363643134373363613231 62383862383635326332306364666364666564383539633435326661373363653666356230303235
63653063333931303739623935626531376433333766666562633837623431313031653163373731 61363364326361333234666164313663623030313062343765386339656136313265373462376335
39363238643064366133626662326335656331646238366565316463663265393630653839656331 66643563396163353531646636333665393938646230313132336663646239346235313561353133
62323865346565323030396261316566656265346331316261393861303634363266323435303930 38633464356432653835626364623835643030303136316437303730396236313033666438316136
37633765626637653666623663366664333837336166333464313865383234643531363438393837 32376432626538653530633061666165343463326339376539373864356265306462363334376661
35656363396265666633316533376337323733363737633264326230663161623365653033376431 38366563623666356233366565353230636339636161373130333366656561636234643236663761
38323332383635313339356339396535396263343036343861633530313537643766633432373336 65663463306264393566353836303334333430303031393861613164393465616232333135393266
65316161316232326432623363633365326265653531613532396438623961326632636235396661 33376264636235376236316131313130333362633935376463663437333566313664666532613336
37343939663837323864326237393632343537366166346537666136303961373436626663326463 38306436643031376265326562636166653263316132386537386136393833343062323936636636
37376230646565343739376438633335613062633061333239326332656666623031393135376139 36646538643934323235393561306462663238643039313062336439663934383832663338353461
66373665383935353830666535343965333637356561653066346364656665383134613931356261 31666439646538633063326337396434386363306333663935613435303436653866646139393437
63623432353532373462613365326165643130393662366462303631396464306265363837306463 31636465346132656666663964323033336366363238313335333134306233643038633336633631
37373262623864333833383463346233326130323662313763623861323430306163383538623331 30646664666230616232356266343963623732303331333734313531633864313634643833626665
66366566626135623838656163373932386234333361383133623031663434373732356366303930 63343565363665613133346662336463353361323431613131626362376464316537373764636334
30316662663534333765366531313162336361623065363061396135343837633962613165666435 30386439303363343164386439393831313135653939323661626263623335386330363532336433
34653435353635653061656665363261613430623766333564343030326438343334363562373364 39303136343362346331363566623164633435393930363534346462616364376336323138633565
36653034653631643566666562383663303434383238633033316330386664373764626330363837 65316135666535633436633264396162323064643565613139303937616233353835393031656337
32313330373138386362366364326665373538613737343563343130623365373065363337353834 65353866303438666561326363366537353435326164656461653765616530313437613031386265
35323935346466313564346261316633616133396532356131346635343038323434336535316633 36386562363638303466306435643261633931353462376232663534666265373065663463386535
35613666323234633962313063333861643466643336386161623335386136663137643632623461 62363165636233323665626239363630336532616634646138653537313564303734306539376339
30356665343234353061633163656230636233303634326663643336623739326639643735343237 33613933663261366261313130303161386435663734623234343538623064363033313666623833
30633265386239306462643134323164393032363663353738633464313362666563303539326636 34613235393536636562333264363663633734343261313366343462323562343462353839366531
61373738663932353137303639326435363062346234656561313039636365373133313331363634 33393565623761333961336366393133366631363939303735626564386164656636313939653732
33336466373436663030623039306130346464356563303461633731316637336464353164356331 62373936646337366564663961306238366339303139633663616361656466353235303933336635
32323764396431343763666363653430353232633563383436393533613234346237323735396435 63633963666437636236626436373130306634663466393130306331653566343863653466363964
62666233366436333461626561613666643930626130623037643332386263366431376638623030 61366462383134383530333664343230373139353961613661303064636131363832383836336566
31646538643130623261303662393338396338653939343066633863653439643263303364303334 61366434626335303435383731373431303765306533643264303530396361393935356632656332
3666 31613261323961333230313064383432653836393961613064313461336531343739633961326266
31383063343334383135623036353233376665343762663934363030323765343565326231656238
31353635636134313463343834623664316334643962306439353235333664363963356331326438
66313735373664626464643431626233306436353137623031366433306131623164643564303638
31363066356131373134356466376562616431326664363063653465643935363166346132363166
39316361626439306264323466643863363162383164336136613564663035356431666132643364
36376662613938366437383761393763393832303665323031623534396233613733663765396261
38613135316530653036623865343632346336373531666634353834643730333366373561306365
30623762623465343933316362303466333631663263336234663132326531363563613238383263
31393165636266363932626164643730646165646530393364616330383461336266313739393036
62393861613133306439363736383838336239616431366437303662316636343132363062633132
61336665343066663435373735613830313936633563316531623036376166383966373836636436
38383631646463346564316534663739356666623935383135376263663864613534653639333935
30653261346237623938316664383937616532303562353036316339373930626436336339646566
64303833653637653537383161363362326537333263383733643866623337333466333661633230
38343739613362353035333262623766316334636237303365613336656431643663386239623633
65313832323166373932626631626237326662393739383732613337336262393131623438336231
32333932376265376365613635656139633334303234636437386335663230373837393234623863
33326335663364323632383231393834326538616661623765633362646336373962343532646165
36343831353239663962623737376332633030383637626666333535336132623034356530666630
62303339353030616566353661376566646561383230636361316230333936313731313733343936
33643834353638306436643534333137636438643534393362393434616330333136383963343739
303230626164663735623634623637353661


@@ -28,7 +28,7 @@
dest: /etc/cockpit/cockpit.conf dest: /etc/cockpit/cockpit.conf
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
# https://cockpit-project.org/faq.html#error-message-about-being-offline # https://cockpit-project.org/faq.html#error-message-about-being-offline
- name: Allow NetworkManager to manage network interfaces - name: Allow NetworkManager to manage network interfaces


@@ -65,6 +65,7 @@
state: started state: started
- name: Enable podman auto-update timer - name: Enable podman auto-update timer
become_user: containers
become: true become: true
ansible.builtin.systemd: ansible.builtin.systemd:
name: podman-auto-update.timer name: podman-auto-update.timer
@@ -76,7 +77,7 @@
remote_src: true remote_src: true
src: /usr/share/containers/containers.conf src: /usr/share/containers/containers.conf
dest: /etc/containers/containers.conf dest: /etc/containers/containers.conf
mode: 0644 mode: "0644"
- name: Set podman default subnet into small /24 networks - name: Set podman default subnet into small /24 networks
become: true become: true
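Review bot: Adding `become_user: containers` to the "Enable podman auto-update timer" task only achieves a rootless timer if the `ansible.builtin.systemd` call also carries `scope: user`; the module arguments after `name: podman-auto-update.timer` fall outside the hunk, so I can't confirm it is set. Without `scope: user` the module addresses the system manager as an unprivileged user and the task fails; with it, the user-scope timer only runs while the `containers` user has a session, so lingering (`loginctl enable-linger containers`) has to be enabled somewhere for it to fire after a reboot, and that is not visible in this change. Because this timer re-pulls whatever the registry currently serves for every container labeled `io.containers.autoupdate: registry` (a label used with a floating `:latest` tag elsewhere in this compare), unattended updates effectively trust the registry's tag contents; pinning those images to a versioned tag or digest would narrow that. If `scope: user` is indeed missing, the fix is the one line `scope: user` under `ansible.builtin.systemd:`.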