diff --git a/ansible/auth.yaml b/ansible/auth.yaml
index 3cee691..0ebf654 100644
--- a/ansible/auth.yaml
+++ b/ansible/auth.yaml
@@ -4,3 +4,5 @@ roles:
 - common
 - ldap_client
+ - docker
+ - pocketid
diff --git a/ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml b/ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml
new file mode 100644
index 0000000..c63b7cd
--- /dev/null
+++ b/ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml
@@ -0,0 +1,3 @@
+pocket_id_encryption_key: "{{ lookup('bitwarden.secrets.lookup', '6a5549a9-0f64-4791-94d1-b43b00254c42') }}"
+pocket_id_version: 2.6.2
+pocket_id_sha256: "348c2cfb6457d31078327c203896c29509d0417982c78bfac185d07859dc5b86"
diff --git a/ansible/roles/pocketid/tasks/main.yaml b/ansible/roles/pocketid/tasks/main.yaml
new file mode 100644
index 0000000..78de554
--- /dev/null
+++ b/ansible/roles/pocketid/tasks/main.yaml
@@ -0,0 +1,44 @@
+- name: Create a pocketid group
+ group:
+ name: pocketid
+ state: present
+ gid: 1050
+
+- name: Create a pocketid user
+ user:
+ name: pocketid
+ uid: 1050
+ group: 1050
+ comment: "pocketid user"
+ shell: /bin/bash
+ state: present
+ create_home: yes
+
+- name: Create pocketid directory
+ file:
+ path: /home/pocketid/pocketid
+ state: directory
+ mode: '0755'
+
+- name: Create encryption key file
+ template:
+ src: pocket_id_encryption_key.j2
+ dest: /home/pocketid/pocketid/pocket_id_encryption_key
+ owner: pocketid
+ group: pocketid
+ mode: '0600'
+ no_log: true # Prevents secret from appearing in logs
+
+- name: Create or update docker-compose
+ template:
+ src: templates/docker-compose.yaml.j2
+ dest: /home/pocketid/pocketid/docker-compose.yaml
+ owner: pocketid
+ group: pocketid
+ mode: 0600
+
+- name: Create and start pocketid
+ community.docker.docker_compose_v2:
+ project_src: /home/pocketid/pocketid/pocketid
+ build: always
+ register: output
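Review bot: `pocket_id_sha256` is defined here but nothing else in the change reads it: the compose template references `ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}` by tag alone, so a tag re-push on the registry would be picked up silently. If this value is the image digest for that tag (it has the right shape, but the diff does not say), referencing it in `docker-compose.yaml.j2` as `image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}@sha256:{{ pocket_id_sha256 }}` makes the pull fail closed when the content behind the tag changes. `pocket_id_version: 2.6.2` would also be better quoted as `"2.6.2"` to match the other two values; a three-part version does not hit the float trap, but a future `2.7` would.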
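Review bot: `project_src: /home/pocketid/pocketid/pocketid` in the last task does not match where the two template tasks put `docker-compose.yaml` and the key file (`/home/pocketid/pocketid`), so compose is run against a directory that does not exist; it should be `project_src: /home/pocketid/pocketid`. The compose template also sets `env_file: .env`, but no task renders `pocketid.env.j2` into that directory, and compose v2 treats a missing `env_file` as an error, so a template task for `.env` is needed (sketched below, with the same owner/mode as the key file since `APP_URL` and any future `MAXMIND_LICENSE_KEY` live there). Two smaller consistency points: `mode: 0600` on the compose task is a bare octal that YAML 1.1 parses as the integer 384 (ansible-lint's risky-octal) while the other tasks quote `'0600'`/`'0755'`, and `create_home: yes` should be `create_home: true`. The two `src` values (`pocket_id_encryption_key.j2` bare, `templates/docker-compose.yaml.j2` prefixed) both appear to resolve through the task-file directory search, but the templates would conventionally live in `roles/pocketid/templates/` and be referenced bare.
```yaml
# … unchanged: group, user, directory and encryption-key tasks …

- name: Create or update pocketid env file
  template:
    src: pocketid.env.j2
    dest: /home/pocketid/pocketid/.env
    owner: pocketid
    group: pocketid
    mode: '0600'

- name: Create or update docker-compose
  template:
    src: docker-compose.yaml.j2
    dest: /home/pocketid/pocketid/docker-compose.yaml
    owner: pocketid
    group: pocketid
    mode: '0600'

- name: Create and start pocketid
  community.docker.docker_compose_v2:
    project_src: /home/pocketid/pocketid
    build: always
  register: output
```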
diff --git a/ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2 b/ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2
new file mode 100644
index 0000000..57dc690
--- /dev/null
+++ b/ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2
@@ -0,0 +1,21 @@
+secrets:
+ pocket_id_encryption_key:
+ file: ./pocket_id_encryption_key
+services:
+ pocket-id:
+ image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}
+ restart: unless-stopped
+ env_file: .env
+ ports:
+ - 1411:1411
+ volumes:
+ - "./data:/app/data"
+ # Optional healthcheck
+ healthcheck:
+ test: [ "CMD", "/app/pocket-id", "healthcheck" ]
+ interval: 1m30s
+ timeout: 5s
+ retries: 2
+ start_period: 10s
+ secrets:
+ - pocket_id_encryption_key
diff --git a/ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2 b/ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2
new file mode 100644
index 0000000..366b6fe
--- /dev/null
+++ b/ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2
@@ -0,0 +1 @@
+{{ pocket_id_encryption_key }}
diff --git a/ansible/roles/pocketid/tasks/templates/pocketid.env.j2 b/ansible/roles/pocketid/tasks/templates/pocketid.env.j2
new file mode 100644
index 0000000..343ec5f
--- /dev/null
+++ b/ansible/roles/pocketid/tasks/templates/pocketid.env.j2
@@ -0,0 +1,18 @@
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+
+# These variables must be configured for your deployment:
+APP_URL=https://{{ inventory_hostname }}
+
+# Encryption key (choose one method):
+# Method 1: Direct key (simple but less secure)
+# Generate with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+# Method 2: File-based key (recommended)
+# Put the base64 key in a file and point to it here.
+ENCRYPTION_KEY_FILE=/run/secrets/pocket_id_encryption_key
+
+# These variables are optional but recommended to review:
+TRUST_PROXY=false
+MAXMIND_LICENSE_KEY=
+PUID=1050
+PGID=1050
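Review bot: `- 1411:1411` under `ports` publishes the plain-HTTP listener on every host interface, and on iptables-based hosts Docker's own forwarding rules are consulted before the host firewall for published ports; since `APP_URL=https://…` in the env template implies TLS is terminated elsewhere, bind to loopback when that proxy runs on the same host, `- "127.0.0.1:1411:1411"`, and quote the mapping either way, as is compose convention for `host:container` strings. `# Optional healthcheck` above the `healthcheck` block tells a reader nothing; replace it with what the probe means operationally, e.g. `# marks the container unhealthy after 2 failed probes (compose does not restart on that alone)`. The image is pulled rather than built, so `build: always` on the compose task in `tasks/main.yaml` has no effect for this service.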
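Review bot: `TRUST_PROXY=false` is kept while `APP_URL=https://{{ inventory_hostname }}` and the plain-HTTP port in the compose template imply a TLS-terminating reverse proxy in front; if that is the topology, anything pocket-id keys on the client address (presumably its audit log and any rate limiting) will see the proxy's address instead, so this should be `TRUST_PROXY=true`, with the proxy overwriting rather than appending `X-Forwarded-For`. `PUID=1050` / `PGID=1050` repeat the uid/gid hard-coded in `tasks/main.yaml`; a single role default (for instance `pocketid_uid`) used in both files would keep them from drifting. The commented-out `ENCRYPTION_KEY=` alternative is dead text in a rendered file; since the role only ever uses the file-based method, dropping the Method 1 lines leaves less for a later reader to second-guess.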