phil/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement comprehensive variable management system

Browse Source 
- Create standardized group_vars directory structure
- Add domains.yml with centralized subdomain mappings
- Add infrastructure.yml with network, SMTP, and path config
- Reorganize vault.yml secrets by service with consistent naming
- Update 15+ Docker compose templates to use new variable structure
- Simplify playbook commands by removing --extra-vars requirement
- Replace hardcoded domains/IPs with template variables
- Standardize secret references across all services

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil
2025-06-06 15:14:47 -06:00
parent 8d686c2aa5
commit 0268e49b4d
21 changed files with 365 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/docker/templates/audiobookshelf-compose.yml.j2
View File

@@ -10,11 +10,11 @@ services:
- TZ=America/Denver
- DISABLE_SSRF_REQUEST_FILTER=1
extra_hosts:
- 'auth.thesatelliteoflove.com:172.20.0.5'
- '{{ subdomains.auth }}:172.20.0.5'
labels:
glance.name: Audiobookshelf
glance.icon: si:audiobookshelf
glance.url: https://audio.thesatelliteoflove.com/
glance.url: https://{{ subdomains.audio }}/
glance.description: Audio book server
volumes:
audiobooks:
@@ -28,4 +28,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

12
roles/docker/templates/authentik-env.j2
View File

@@ -1,15 +1,15 @@
PG_PASS={{ authentik_pg_pass }}
AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
PG_PASS={{ vault_authentik.postgres_password }}
AUTHENTIK_SECRET_KEY={{ vault_authentik.secret_key }}
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=smtp.resend.com
AUTHENTIK_EMAIL__HOST={{ smtp.host }}
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=resend
AUTHENTIK_EMAIL__PASSWORD={{ resend_key }}
AUTHENTIK_EMAIL__USERNAME={{ smtp.username }}
AUTHENTIK_EMAIL__PASSWORD={{ vault_smtp.password }}
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=true
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=auth@updates.thesatelliteoflove.com
AUTHENTIK_EMAIL__FROM=auth@{{ email_domains.updates }}

4
roles/docker/templates/calibre-compose.yml.j2
View File

@@ -16,7 +16,7 @@ services:
labels:
glance.name: Calibre
glance.icon: si:calibreweb
glance.url: https://books.thesatelliteoflove.com/
glance.url: https://{{ subdomains.books }}/
glance.description: Book server
volumes:
config:
@@ -26,4 +26,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

8
roles/docker/templates/changedetection-compose.yml.j2
View File

@@ -5,11 +5,11 @@ services:
container_name: changedetection
hostname: changedetection
extra_hosts:
- 'chat.thesatelliteoflove.com:172.20.0.5'
- '{{ subdomains.chat }}:172.20.0.5'
labels:
glance.name: Changedetection
glance.icon: si:watchtower
glance.url: https://watcher.thesatelliteoflove.com/
glance.url: https://{{ subdomains.watcher }}/
glance.description: Changedetection
glance.id: changedetection
volumes:
@@ -50,7 +50,7 @@ services:
# - NO_PROXY="localhost,192.168.0.0/24"
#
# Base URL of your changedetection.io install (Added to the notification alert)
- BASE_URL=https://watcher.thesatelliteoflove.com
- BASE_URL=https://{{ subdomains.watcher }}
# Respect proxy_pass type settings, `proxy_set_header Host "localhost";` and `proxy_set_header X-Forwarded-Prefix /app;`
# More here https://github.com/dgtlmoon/changedetection.io/wiki/Running-changedetection.io-behind-a-reverse-proxy-sub-directory
# - USE_X_SETTINGS=1
@@ -130,4 +130,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

10
roles/docker/templates/dawarich-compose.yml.j2
View File

@@ -10,7 +10,7 @@ services:
- dawarich_db_data:/var/lib/postgresql/data
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: {{ dawarich_db_password }}
POSTGRES_PASSWORD: {{ vault_dawarich.postgres_password }}
POSTGRES_DB: dawarich_production
restart: always
healthcheck:
@@ -25,7 +25,7 @@ services:
labels:
glance.name: Dawarich
glance.icon: si:openstreetmap
glance.url: https://loclog.thesatelliteoflove.com/
glance.url: https://{{ subdomains.loclog }}/
glance.description: Dawarich
glance.id: dawarich
volumes:
@@ -45,10 +45,10 @@ services:
DATABASE_HOST: dawarich_db
DATABASE_PORT: 5432
DATABASE_USERNAME: postgres
DATABASE_PASSWORD: {{ dawarich_db_password }}
DATABASE_PASSWORD: {{ vault_dawarich.postgres_password }}
DATABASE_NAME: dawarich_production
MIN_MINUTES_SPENT_IN_CITY: 60
APPLICATION_HOSTS: loclog.thesatelliteoflove.com,localhost,::1,127.0.0.1
APPLICATION_HOSTS: {{ subdomains.loclog }},localhost,::1,127.0.0.1
TIME_ZONE: America/Denver
APPLICATION_PROTOCOL: http
DISTANCE_UNIT: mi
@@ -85,4 +85,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

8
roles/docker/templates/ghost-1-compose.yml.j2
View File

@@ -7,15 +7,15 @@ services:
- database__client=sqlite3
- database__connection__filename=/var/lib/ghost/content/data/ghost.db
- database__useNullAsDefault=true
- url=https://phlog.thesatelliteoflove.com
- url=https://{{ subdomains.phlog }}
volumes:
- ghost:/var/lib/ghost/content
extra_hosts:
- 'phlog.thesatelliteoflove.com:172.20.0.5'
- '{{ subdomains.phlog }}:172.20.0.5'
labels:
glance.name: Ghost
glance.icon: si:ghost
glance.url: https://phlog.thesatelliteoflove.com/
glance.url: https://{{ subdomains.phlog }}/
glance.description: Photo Blog
volumes:
@@ -24,4 +24,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

24
roles/docker/templates/gitea-compose.yml.j2
View File

@@ -7,17 +7,17 @@ services:
- USER_UID=1000
- USER_GID=1000
- GITEA__mailer__ENABLED=true
- GITEA__mailer__FROM=git@updates.thesatelliteoflove.com
- GITEA__mailer__FROM=git@{{ email_domains.updates }}
- GITEA__mailer__PROTOCOL=smtps
- GITEA__mailer__SMTP_ADDR=smtp.resend.com
- GITEA__mailer__SMTP_ADDR={{ smtp.host }}
- GITEA__mailer__SMTP_PORT=465
- GITEA__mailer__USER=resend
- GITEA__mailer__PASSWD={{ resend_key }}
- GITEA__mailer__USER={{ smtp.username }}
- GITEA__mailer__PASSWD={{ vault_smtp.password }}
restart: unless-stopped
labels:
glance.name: Gitea
glance.icon: si:gitea
glance.url: https://git.thesatelliteoflove.com/
glance.url: https://{{ subdomains.git }}/
glance.description: Code repo
glance.id: gitea
volumes:
@@ -27,8 +27,8 @@ services:
ports:
- 222:22
extra_hosts:
- 'auth.thesatelliteoflove.com:172.20.0.5'
- 'git.thesatelliteoflove.com:172.20.0.5'
- '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
- '{{ subdomains.git }}:{{ docker.hairpin_ip }}'
runner:
image: gitea/act_runner:nightly
restart: unless-stopped
@@ -37,12 +37,12 @@ services:
environment:
- CONFIG_FILE=/config.yaml
- GITEA_INSTANCE_URL=http://gitea:3000
- GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea_runner_key }}
- GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_infrastructure.gitea_runner_key }}
- GITEA_RUNNER_NAME=runner_1
- GITEA_RUNNER_LABELS=docker
extra_hosts:
- 'auth.thesatelliteoflove.com:172.20.0.5'
- 'git.thesatelliteoflove.com:172.20.0.5'
- '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
- '{{ subdomains.git }}:{{ docker.hairpin_ip }}'
labels:
glance.parent: gitea
glance.name: Worker
@@ -50,11 +50,11 @@ services:
- ./runner-config.yaml:/config.yaml
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
- /opt/stacks/caddy/site:/sites
- {{ paths.stacks }}/caddy/site:/sites
volumes:
gitea:
driver: local
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

8
roles/docker/templates/glance-compose.yml.j2
View File

@@ -8,16 +8,16 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
restart: unless-stopped
extra_hosts:
- 'thesatelliteoflove.com:172.20.0.5'
- 'watcher.thesatelliteoflove.com:172.20.0.5'
- '{{ primary_domain }}:172.20.0.5'
- '{{ subdomains.watcher }}:172.20.0.5'
labels:
glance.name: Glance
glance.icon: si:homepage
glance.url: https://home.thesatelliteoflove.com/
glance.url: https://{{ subdomains.home }}/
glance.description: Homepage app
glance.id: glance
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

30
roles/docker/templates/gotosocial-compose.yml.j2
View File

@@ -4,28 +4,28 @@ services:
container_name: gotosocial
user: 1000:1000
extra_hosts:
- 'auth.thesatelliteoflove.com:172.20.0.5'
- '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
environment:
GTS_HOST: social.thesatelliteoflove.com
GTS_HOST: {{ subdomains.social }}
GTS_DB_TYPE: sqlite
GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
GTS_WAZERO_COMPILATION_CACHE: /gotosocial/.cache
GTS_LETSENCRYPT_ENABLED: "false"
GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
GTS_TRUSTED_PROXIES: "172.20.0.5"
GTS_ACCOUNT_DOMAIN: thesatelliteoflove.com
GTS_TRUSTED_PROXIES: "{{ docker.hairpin_ip }}"
GTS_ACCOUNT_DOMAIN: {{ primary_domain }}
GTS_OIDC_ENABLED: "true"
GTS_OIDC_IDP_NAME: "Authentik"
GTS_OIDC_ISSUER: https://auth.thesatelliteoflove.com/application/o/gotosocial/
GTS_OIDC_CLIENT_ID: {{ gts_oidc_client_id }}
GTS_OIDC_CLIENT_SECRET: {{ gts_oidc_client_secret }}
GTS_OIDC_ISSUER: https://{{ subdomains.auth }}/application/o/gotosocial/
GTS_OIDC_CLIENT_ID: {{ vault_gotosocial.oidc.client_id }}
GTS_OIDC_CLIENT_SECRET: {{ vault_gotosocial.oidc.client_secret }}
GTS_OIDC_LINK_EXISTING: "true"
GTS_HTTP_CLIENT: "20s"
GTS_SMTP_HOST: "smtp.resend.com"
GTS_SMTP_HOST: "{{ smtp.host }}"
GTS_SMTP_PORT: "587"
GTS_SMTP_USERNAME: "resend"
GTS_SMTP_PASSWORD: {{ resend_key }}
GTS_SMTP_FROM: "social@updates.thesatelliteoflove.com"
GTS_SMTP_USERNAME: "{{ smtp.username }}"
GTS_SMTP_PASSWORD: {{ vault_smtp.password }}
GTS_SMTP_FROM: "social@{{ email_domains.updates }}"
TZ: UTC
volumes:
- gotosocial:/gotosocial/storage
@@ -34,7 +34,7 @@ services:
docker-volume-backup.stop-during-backup: true
glance.name: GoToSocial
glance.icon: si:mastodon
glance.url: https://social.thesatelliteoflove.com/
glance.url: https://{{ subdomains.social }}/
glance.description: Fediverse server
glance.id: gotosocial
@@ -52,8 +52,8 @@ services:
BACKUP_RETENTION_DAYS: 1
AWS_S3_BUCKET_NAME: tsolbackups
AWS_ENDPOINT: s3.us-west-004.backblazeb2.com
AWS_ACCESS_KEY_ID: {{ backup_key_id }}
AWS_SECRET_ACCESS_KEY: {{ backup_key }}
AWS_ACCESS_KEY_ID: {{ vault_backup.access_key_id }}
AWS_SECRET_ACCESS_KEY: {{ vault_backup.secret_access_key }}
BACKUP_SKIP_BACKENDS_FROM_PRUNE: s3
@@ -69,4 +69,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

18
roles/docker/templates/heyform-compose.yml.j2
View File

@@ -11,21 +11,21 @@ services:
labels:
glance.name: Heyform
glance.icon: si:googleforms
glance.url: https://forms.nerder.land/
glance.url: https://{{ subdomains.heyform }}/
glance.description: Forms server
glance.id: heyform
environment:
- APP_HOMEPAGE_URL=http://forms.nerder.land
- SESSION_KEY={{ heyform_session_key }}
- FORM_ENCRYPTION_KEY={{ heyform_encryption_key }}
- APP_HOMEPAGE_URL=http://{{ subdomains.heyform }}
- SESSION_KEY={{ vault_heyform.session_key }}
- FORM_ENCRYPTION_KEY={{ vault_heyform.encryption_key }}
- MONGO_URI='mongodb://mongo:27017/heyform'
- REDIS_HOST=keydb
- REDIS_PORT=6379
- SMTP_FROM=nerderland@updates.thesatelliteoflove.com
- SMTP_HOST=smtp.resend.com
- SMTP_FROM=nerderland@{{ email_domains.updates }}
- SMTP_HOST={{ smtp.host }}
- SMTP_PORT=465
- SMTP_USER=resend
- SMTP_PASSWORD={{ resend_key }}
- SMTP_USER={{ smtp.username }}
- SMTP_PASSWORD={{ vault_smtp.password }}
- SMTP_SECURE=true
mongo:
@@ -60,4 +60,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

12
roles/docker/templates/hoarder-env.j2
View File

@@ -1,10 +1,10 @@
KARAKEEP_VERSION=release
NEXTAUTH_SECRET={{ hoarder_nextauth_secret }}
MEILI_MASTER_KEY={{ hoarder_meili_master_key }}
NEXTAUTH_URL=https://bookmarks.thesatelliteoflove.com
OPENAI_API_KEY={{ openai_api_key }}
OAUTH_CLIENT_SECRET={{ hoarder_oidc_client_secret }}
NEXTAUTH_SECRET={{ vault_hoarder.nextauth_secret }}
MEILI_MASTER_KEY={{ vault_hoarder.meili_master_key }}
NEXTAUTH_URL=https://{{ subdomains.bookmarks }}
OPENAI_API_KEY={{ vault_infrastructure.openai_api_key }}
OAUTH_CLIENT_SECRET={{ vault_hoarder.oidc.client_secret }}
OAUTH_CLIENT_ID=GTi0QBRH5TiTqZfxfAkYSQVVFouGdlOFMc2sjivN
OAUTH_PROVIDER_NAME=Authentik
OAUTH_WELLKNOWN_URL=https://auth.thesatelliteoflove.com/application/o/hoarder/.well-known/openid-configuration
OAUTH_WELLKNOWN_URL=https://{{ subdomains.auth }}/application/o/hoarder/.well-known/openid-configuration
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true

12
roles/docker/templates/mmdl-compose.yml.j2
View File

@@ -9,12 +9,12 @@ services:
- .env.local
extra_hosts:
- "host.docker.internal:host-gateway"
- "auth.thesatelliteoflove.com:172.20.0.5"
- "cal.thesatelliteoflove.com:172.20.0.5"
- "{{ subdomains.auth }}:{{ docker.hairpin_ip }}"
- "{{ subdomains.cal }}:{{ docker.hairpin_ip }}"
labels:
glance.name: MMDL
glance.icon: si:task
glance.url: https://tasks.thesatelliteoflove.com/
glance.url: https://{{ subdomains.tasks }}/
glance.description: Task and calendar management
glance.id: mmdl
@@ -26,8 +26,8 @@ services:
environment:
MYSQL_DATABASE: mmdl
MYSQL_USER: mmdl
MYSQL_PASSWORD: "{{ vault_mmdl_mysql_password }}"
MYSQL_ROOT_PASSWORD: "{{ vault_mmdl_mysql_root_password }}"
MYSQL_PASSWORD: "{{ vault_mmdl.mysql_password }}"
MYSQL_ROOT_PASSWORD: "{{ vault_mmdl.mysql_root_password }}"
MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
MYSQL_ROOT_HOST: "%"
volumes:
@@ -43,4 +43,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}

24
roles/docker/templates/mmdl-env.j2
View File

@@ -1,32 +1,32 @@
# Database Configuration
DB_HOST=mmdl_db
DB_USER=mmdl
DB_PASS={{ vault_mmdl_mysql_password }}
DB_PASS={{ vault_mmdl.mysql_password }}
DB_PORT=3306
DB_DIALECT=mysql
DB_CHARSET=utf8mb4
DB_NAME=mmdl
# Encryption
AES_PASSWORD={{ vault_mmdl_aes_password }}
AES_PASSWORD={{ vault_mmdl.aes_password }}
# SMTP Settings
SMTP_HOST=smtp.resend.com
SMTP_USERNAME=resend
SMTP_PASSWORD={{ resend_key }}
SMTP_FROM=tasks@updates.thesatelliteoflove.com
SMTP_HOST={{ smtp.host }}
SMTP_USERNAME={{ smtp.username }}
SMTP_PASSWORD={{ vault_smtp.password }}
SMTP_FROM=tasks@{{ email_domains.updates }}
SMTP_PORT=587
SMTP_SECURE=true
# Authentication
USE_NEXT_AUTH=true
NEXTAUTH_URL=https://tasks.thesatelliteoflove.com
NEXTAUTH_SECRET={{ vault_mmdl_nextauth_secret }}
NEXTAUTH_URL=https://{{ subdomains.tasks }}
NEXTAUTH_SECRET={{ vault_mmdl.nextauth_secret }}
# Authentik OIDC Configuration
AUTHENTIK_ISSUER=https://auth.thesatelliteoflove.com/application/o/mmdl
AUTHENTIK_CLIENT_ID={{ vault_mmdl_oidc_client_id }}
AUTHENTIK_CLIENT_SECRET={{ vault_mmdl_oidc_client_secret }}
AUTHENTIK_ISSUER=https://{{ subdomains.auth }}/application/o/mmdl
AUTHENTIK_CLIENT_ID={{ vault_mmdl.oidc.client_id }}
AUTHENTIK_CLIENT_SECRET={{ vault_mmdl.oidc.client_secret }}
# User and Session Management
ALLOW_USER_REGISTRATION=false
@@ -35,7 +35,7 @@ OTP_VALIDITY_PERIOD=300
SESSION_VALIDITY_PERIOD=30
# Application Settings
API_URL=https://tasks.thesatelliteoflove.com
API_URL=https://{{ subdomains.tasks }}
DEBUG_MODE=false
TEST_MODE=false
SUBTASK_RECURSION_DEPTH=5

6
roles/docker/templates/paperlessngx.env.j2
View File

@@ -24,11 +24,11 @@
# This is required if you will be exposing Paperless-ngx on a public domain
# (if doing so please consider security measures such as reverse proxy)
PAPERLESS_URL=https://paper.thesatelliteoflove.com
PAPERLESS_URL=https://{{ subdomains.papers }}
# Adjust this key if you plan to make paperless available publicly. It should
# be a very long sequence of random characters. You don't need to remember it.
PAPERLESS_SECRET_KEY={{ paperlessngx_secret }}
PAPERLESS_SECRET_KEY={{ vault_paperlessngx.secret_key }}
# Use this variable to set a timezone for the Paperless Docker containers. If not specified, defaults to UTC.
PAPERLESS_TIME_ZONE=America/Denver
@@ -43,4 +43,4 @@ PAPERLESS_TIME_ZONE=America/Denver
# authentik
PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect": {"APPS": [{"provider_id": "authentik","name": "Authentik SSO","client_id": "{{ paperless_oauth_client_id }}","secret": "{{ paperless_oauth_client_secret }}","settings": { "server_url": "https://auth.thesatelliteoflove.com/application/o/paperlessngx/.well-known/openid-configuration"}}]}}'
PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect": {"APPS": [{"provider_id": "authentik","name": "Authentik SSO","client_id": "{{ vault_paperlessngx.oidc.client_id }}","secret": "{{ vault_paperlessngx.oidc.client_secret }}","settings": { "server_url": "https://{{ subdomains.auth }}/application/o/paperlessngx/.well-known/openid-configuration"}}]}}'

4
roles/docker/templates/pinry-compose.yml.j2
View File

@@ -5,7 +5,7 @@ services:
labels:
glance.name: Pinry
glance.icon: si:pinterest
glance.url: https://pin.thesatelliteoflove.com
glance.url: https://{{ subdomains.pin }}
glance.description: Pinterest clone
glance.id: pinterest
environment:
@@ -18,4 +18,4 @@ volumes:
networks:
default:
external: true
name: lava
name: {{ docker.network_name }}