Memos: update to 0.26.0

Remove Kavita

.gitea/workflows/lint.yml

@@ -47,4 +47,4 @@ jobs:
           fi
 
       - name: Run ansible-lint
-        run: ansible-lint --profile production -vv
+        run: ansible-lint -vv

README.md

@@ -7,6 +7,7 @@
 
 ## Требования
 
+- [uv](https://docs.astral.sh/uv/)
 - [ansible](https://docs.ansible.com/ansible/latest/getting_started/index.html)
 - [task](https://taskfile.dev/)
 - [yq](https://github.com/mikefarah/yq)
@@ -14,17 +15,21 @@
 ## Установка
 
 ```bash
-$ cp ansible-vault-password-file.dist ansible-vault-password-file
+uv sync
-$ ansible-galaxy install --role-file requirements.yml
+
+cp ansible-vault-password-file.dist ansible-vault-password-file
+
+uv run ansible-galaxy install --role-file requirements.yml
 ```
 
 ## Структура
 
-- Для каждого приложения создается свой пользователь (опционально).
+- Для каждого приложения создается свой пользователь.
 - Для доступа используется ssh-ключ.
+- Безопасность осуществляется с помощью `ufw` и `fail2ban`.
 - Докер используется для запуска и изоляции приложений. Для загрузки образов настраивается Yandex Docker Registry.
 - Выход во внешнюю сеть через proxy server [Caddy](https://caddyserver.com/).
-- Чувствительные данные в `vars/vars.yaml` зашифрованы с помощью Ansible Vault.
+- Чувствительные данные в [secrets.yml](vars/secrets.yml) зашифрованы с помощью Ansible Vault.
 - Для мониторинга за сервером устанавливается [netdata](https://github.com/netdata/netdata).
 
 ## Настройка DNS
@@ -33,8 +38,14 @@ $ ansible-galaxy install --role-file requirements.yml
 
 ## Деплой приложений
 
-Деплой всех приложений через ansible:
+Деплой приложения через ansible:
 
 ```bash
-ansible-playbook -i production.yml --diff playbook-gitea.yml
+uv run ansible-playbook ansible-playbook -i production.yml --diff playbook-gitea.yml
+```
+
+## Удаление приложения <name>
+
+```bash
+uv run ansible-playbook -i production.yml --diff playbook-remove-user-and-app.yml --extra-vars user_name=<name>
 ```

files/caddyproxy/Caddyfile.j2

@@ -97,6 +97,14 @@ memos.vakhrushev.me {
 }
 
 calibre.vakhrushev.me {
+    tls anwinged@ya.ru
+
+    reverse_proxy {
+        to calibre_web_app:8083
+    }
+}
+
+wanderbase.vakhrushev.me {
     tls anwinged@ya.ru
 
     forward_auth authelia_app:9091 {

files/calibre/docker-compose.template.yml

@@ -0,0 +1,23 @@
+services:
+
+  calibre_web_app:
+    image: lscr.io/linuxserver/calibre-web:0.6.25
+    container_name: calibre_web_app
+    restart: unless-stopped
+    networks:
+      - "web_proxy_network"
+    volumes:
+      - "{{ config_dir }}:/config"
+      - "{{ books_dir }}:/books:ro"
+    environment:
+      - "PUID={{ owner_create_result.uid }}"
+      - "PGID={{ owner_create_result.group }}"
+      - TZ=Etc/UTC
+#      - DOCKER_MODS=linuxserver/mods:universal-calibre #optional
+#      - OAUTHLIB_RELAX_TOKEN_SCOPE=1 #optional
+#    ports:
+#      - 8083:8083
+
+networks:
+  web_proxy_network:
+    external: true

files/dozzle/docker-compose.template.yml

@@ -1,7 +1,7 @@
 services:
 
   dozzle_app:
-    image: amir20/dozzle:v8.14.11
+    image: amir20/dozzle:v9.0.3
     container_name: dozzle_app
     restart: unless-stopped
     volumes:

files/gitea/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 services:
 
   gitea_app:
-    image: gitea/gitea:1.25.3
+    image: gitea/gitea:1.25.4
     restart: unless-stopped
     container_name: gitea_app
     ports:

files/gramps/docker-compose.template.yml

@@ -3,7 +3,7 @@
 services:
 
   gramps_app: &gramps_app
-    image: ghcr.io/gramps-project/grampsweb:25.12.0
+    image: ghcr.io/gramps-project/grampsweb:26.1.0
     container_name: gramps_app
     depends_on:
       - gramps_redis

files/memos/docker-compose.template.yml

@@ -3,7 +3,7 @@
 services:
 
   memos_app:
-    image: neosmemo/memos:0.25.3
+    image: neosmemo/memos:0.26.0
     container_name: memos_app
     restart: unless-stopped
     user: "{{ owner_create_result.uid }}:{{ owner_create_result.group }}"

files/netdata/docker-compose.template.yml

@@ -1,7 +1,7 @@
 services:
 
   netdata:
-    image: netdata/netdata:v2.8.4
+    image: netdata/netdata:v2.8.5
     container_name: netdata
     restart: unless-stopped
     cap_add:

files/outline/docker-compose.template.yml

@@ -3,7 +3,7 @@ services:
   # See sample https://github.com/outline/outline/blob/main/.env.sample
 
   outline_app:
-    image: outlinewiki/outline:1.1.0
+    image: outlinewiki/outline:1.4.0
     container_name: outline_app
     user: "{{ owner_create_result.uid }}:{{ owner_create_result.group }}"
     restart: unless-stopped

lefthook.yml

@@ -25,7 +25,7 @@ pre-commit:
     - name: "ansible-lint"
       glob: "**/*.{yml,yaml}"
       exclude:
-        - ".gitea"
+        - ".gitea/**"
       run: "uv run ansible-lint --profile production --offline -- {staged_files}"
 
     - name: "gitleaks"

playbook-all-applications.yml

@@ -31,6 +31,9 @@
 - name: 'Configure wanderer'
   ansible.builtin.import_playbook: playbook-wanderer.yml
 
+- name: 'Configure calibre'
+  ansible.builtin.import_playbook: playbook-calibre.yml
+
 #
 
 - name: 'Configure homepage'

playbook-calibre.yml

@@ -0,0 +1,65 @@
+---
+- name: "Configure calibre application"
+  hosts: all
+
+  vars_files:
+    - vars/secrets.yml
+
+  vars:
+    app_name: "calibre"
+    app_user: "{{ app_name }}"
+    app_owner_uid: 1102
+    app_owner_gid: 1102
+    base_dir: "{{ (application_dir, app_name) | path_join }}"
+    config_dir: "{{ (base_dir, 'config') | path_join }}"
+    books_dir: "{{ (base_dir, 'books') | path_join }}"
+
+  tasks:
+    - name: "Create user and environment"
+      ansible.builtin.import_role:
+        name: owner
+      vars:
+        owner_name: "{{ app_user }}"
+        owner_uid: "{{ app_owner_uid }}"
+        owner_gid: "{{ app_owner_gid }}"
+        owner_extra_groups: ["docker"]
+
+    - name: "Create application internal directories"
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: "directory"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0750"
+      loop:
+        - "{{ base_dir }}"
+        - "{{ books_dir }}"
+        - "{{ config_dir }}"
+
+    - name: "Create backup targets file"
+      ansible.builtin.lineinfile:
+        path: "{{ base_dir }}/backup-targets"
+        line: "{{ item }}"
+        create: true
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0750"
+      loop:
+        - "{{ books_dir }}"
+        - "{{ config_dir }}"
+
+    - name: "Copy docker compose file"
+      ansible.builtin.template:
+        src: "./files/{{ app_name }}/docker-compose.template.yml"
+        dest: "{{ base_dir }}/docker-compose.yml"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0640"
+
+    - name: "Run application with docker compose"
+      community.docker.docker_compose_v2:
+        project_src: "{{ base_dir }}"
+        state: "present"
+        remove_orphans: true
+      tags:
+        - run-app

playbook-remove-user-and-app.yml

@@ -25,6 +25,11 @@
         path: "/var/www/{{ user_name }}"
         state: absent
 
+    - name: "Remove application dir"
+      ansible.builtin.file:
+        path: "/mnt/applications/{{ user_name }}"
+        state: absent
+
     - name: "Remove home dir"
       ansible.builtin.file:
         path: "/home/{{ user_name }}"

playbook-ufw.yml

@@ -0,0 +1,58 @@
+---
+- name: "Configure UFW firewall"
+  hosts: all
+
+  vars_files:
+    - vars/secrets.yml
+
+  tasks:
+    - name: "Ensure UFW is installed"
+      ansible.builtin.apt:
+        name: ufw
+        state: present
+        update_cache: true
+
+    - name: "Set default incoming policy to deny"
+      community.general.ufw:
+        direction: incoming
+        policy: deny
+
+    - name: "Set default outgoing policy to allow"
+      community.general.ufw:
+        direction: outgoing
+        policy: allow
+
+    - name: "Allow SSH on port 22"
+      community.general.ufw:
+        rule: allow
+        port: "22"
+        proto: tcp
+
+    - name: "Allow Gitea SSH on port 2222"
+      community.general.ufw:
+        rule: allow
+        port: "2222"
+        proto: tcp
+
+    - name: "Allow HTTP on port 80/tcp"
+      community.general.ufw:
+        rule: allow
+        port: "80"
+        proto: tcp
+
+    - name: "Allow HTTPS on port 443/tcp"
+      community.general.ufw:
+        rule: allow
+        port: "443"
+        proto: tcp
+
+    - name: "Allow HTTPS QUIC on port 443/udp"
+      community.general.ufw:
+        rule: allow
+        port: "443"
+        proto: udp
+
+    - name: "Enable UFW"
+      community.general.ufw:
+        state: enabled
+        logging: true

requirements.yml

@@ -11,3 +11,4 @@ roles:
 
 collections:
   - name: 'community.docker'
+  - name: 'community.general'