Merge branch 'main' of https://skulldev.de/Skull-IT/iac_stack

.gitignore

@@ -7,6 +7,7 @@ ansible/inventory/
 *.secret
 ansible/.vault-*
 ansible/.ansible
+.ansible
 
 # Packer Files
 packer/credentials.pkr.hcl

ansible/playbooks/heyer.systems/docker1.yml

@@ -73,3 +73,13 @@
         - sso
         - auth
         - docker-container
+
+    - role: deploy_container_habitica
+      tags:
+        - habitica
+        - docker-container
+
+    - role: deploy_container_mailarchive
+      tags:
+        - mailarchive
+        - docker-container

ansible/roles/create_image_debian-minimal/defaults/main.yml

@@ -5,9 +5,8 @@ ssh_key_url: "https://skulldev.de/Skull-IT/trusted-ssh-keys/raw/branch/main/trus
 
 image_output_dir: "/tmp/packer_images"
 
-debian_iso_url: "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.11.0-amd64-netinst.iso"
-debian_iso_checksum_url: "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS"
-# https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
+debian_iso_url: "https://cdimage.debian.org/mirror/cdimage/archive/12.11.0/amd64/iso-cd/debian-12.11.0-amd64-netinst.iso"
+debian_iso_checksum_url: "https://cdimage.debian.org/mirror/cdimage/archive/12.11.0/amd64/iso-cd/SHA256SUMS"
 debian_iso_filename: "debian-12.11.0-amd64-netinst.iso"
 
 ssh_username: "localadmin"

ansible/roles/create_image_debian-minimal/tasks/main.yml

@@ -56,21 +56,51 @@
     dest: "{{ image_output_dir }}/http/preseed.cfg"
     mode: '0644'
 
+- name: Remove old Debian ISO checksums file if exists
+  ansible.builtin.file:
+    path: /tmp/debian_sha256sums.txt
+    state: absent
+
 - name: Download Debian ISO checksums
   ansible.builtin.get_url:
     url: "{{ debian_iso_checksum_url }}"
     dest: /tmp/debian_sha256sums.txt
     mode: '0644'
 
+- name: Download Debian ISO checksums
+  ansible.builtin.get_url:
+    url: "{{ debian_iso_checksum_url }}"
+    dest: /tmp/debian_sha256sums.txt
+    mode: '0644'
+
+- name: Debug - show checksum file content (with special chars visible)
+  ansible.builtin.shell: cat -A /tmp/debian_sha256sums.txt
+  register: checksum_file_content
+  changed_when: false
+
+- debug:
+    var: checksum_file_content.stdout_lines
+
+- name: Debug - show variable value
+  debug:
+    var: debian_iso_filename
+
 - name: Extract checksum for ISO
   ansible.builtin.shell: |
-    grep "{{ debian_iso_filename }}" /tmp/debian_sha256sums.txt | awk '{ print $1 }'
+    awk '{gsub(/\r/, ""); if ($2 == "{{ debian_iso_filename }}") {print $1; exit}}' /tmp/debian_sha256sums.txt
+  args:
+    executable: /bin/bash
   register: debian_iso_checksum_result
   changed_when: false
 
+- name: Fail if checksum not found
+  ansible.builtin.fail:
+    msg: "Could not find SHA256 for {{ debian_iso_filename }} in {{ debian_iso_checksum_url }}"
+  when: (debian_iso_checksum_result.stdout | trim) == ""
+
 - name: Set fact with full checksum string
   ansible.builtin.set_fact:
-    debian_iso_checksum: "sha256:{{ debian_iso_checksum_result.stdout }}"
+    debian_iso_checksum: "sha256:{{ debian_iso_checksum_result.stdout | trim }}"
 
 - name: Template Packer HCL config
   ansible.builtin.template:

ansible/roles/deploy_container_habitica/defaults/main.yml

@@ -1,7 +1,7 @@
 ############
 # Habitica #
 ############
-container_habitica_version: "latest"
+container_habitica_version: "latest" # https://hub.docker.com/r/awinterstein/habitica-server/tags
 container_habitica_mongo_version: "6.0"
 container_habitica_domain: "habitica.example.com"
 container_habitica_mail_server: "mail.example.com"

ansible/roles/deploy_container_mailarchive/defaults/main.yml

@@ -0,0 +1,13 @@
+container_mailarchive_version: latest # https://hub.docker.com/r/s1t5/mailarchiver/tags
+container_mailarchive_domain: mailarchive.example.com
+container_mailarchive_postgres_version: 17-alpine
+container_mailarchive_postgres_user: postgres_user
+container_mailarchive_postgres_password: postgres_password
+container_mailarchive_auth_enable: true
+container_mailarchive_auth_user: login_user
+container_mailarchive_auth_password: login_password
+container_mailarchive_session_timeout: 60 # Minutes
+container_mailarchive_sync_interval: 15 # Minutes
+container_mailarchive_sync_timeout: 60 # Minutes
+container_mailarchive_connection_timeout: 180 # Seconds
+container_mailarchive_command_timeout: 60 # Seconds

ansible/roles/deploy_container_mailarchive/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Ensure data directories exist
+  ansible.builtin.file:
+    path: "{{ container_base_dir }}/{{ item.dir }}"
+    state: directory
+    mode: '0755'
+  become: false
+  loop:
+    - {dir: "data/db"}
+
+- name: Deploy Docker Compose and .env files
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ container_base_dir }}/{{ item.dest }}"
+    mode: '0644'
+  loop:
+    - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
+    - { src: '.env.j2', dest: '.env' }
+  become: false
+
+- name: Start Container
+  community.docker.docker_compose_v2:
+    project_src: "{{ container_base_dir }}"
+    pull: always
+    docker_host: "unix:///run/user/1000/docker.sock"
+  become: false

ansible/roles/deploy_container_mailarchive/templates/.env.j2

@@ -0,0 +1,13 @@
+MAILARCHIVE_VERSION={{ container_mailarchive_version }}
+MAILARCHIVE_DOMAIN={{ container_mailarchive_domain }}
+POSTGRES_VERSION={{ container_mailarchive_postgres_version }}
+DB_USER={{ container_mailarchive_postgres_user }}
+DB_PASSWORD={{ container_mailarchive_postgres_password }}
+AUTH_ENABLE={{ container_mailarchive_auth_enable }}
+AUTH_USER={{ container_mailarchive_auth_user }}
+AUTH_PASSWORD={{ container_mailarchive_auth_password }}
+AUTH_SESSION_TIMEOUT_IN_MINUTES={{ container_mailarchive_session_timeout }}
+MAIL_SYNC_INTERVAL_IN_MINUTES={{ container_mailarchive_sync_interval }}
+MAIL_SYNC_TIMEOUT_IN_MINUTES={{ container_mailarchive_sync_timeout }}
+MAIL_CONNECTION_TIMEOUT_IN_SECONDS={{ container_mailarchive_connection_timeout }}
+MAIL_COMMAND_TIMEOUT_IN_SECONDS={{ container_mailarchive_command_timeout }}

ansible/roles/deploy_container_mailarchive/templates/docker-compose.yml.j2

@@ -0,0 +1,80 @@
+---
+services:
+  mailarchive:
+    image: s1t5/mailarchiver:${MAILARCHIVE_VERSION}
+    container_name: mailarchive
+    restart: always
+    networks:
+      - traefik
+      - mailarchive
+    environment:
+      # Database Connection
+      - ConnectionStrings__DefaultConnection=Host=postgres;Database=MailArchiver;Username=${DB_USER};Password=${DB_PASSWORD};
+
+      # Authentication Settings
+      - Authentication__Enabled=${AUTH_ENABLE}
+      - Authentication__Username=${AUTH_USER}
+      - Authentication__Password=${AUTH_PASSWORD}
+      - Authentication__SessionTimeoutMinutes=${AUTH_SESSION_TIMEOUT_IN_MINUTES}
+      - Authentication__CookieName=MailArchiverAuth
+
+      # MailSync Settings
+      - MailSync__IntervalMinutes=${MAIL_SYNC_INTERVAL_IN_MINUTES}
+      - MailSync__TimeoutMinutes=${MAIL_SYNC_TIMEOUT_IN_MINUTES}
+      - MailSync__ConnectionTimeoutSeconds=${MAIL_CONNECTION_TIMEOUT_IN_SECONDS}
+      - MailSync__CommandTimeoutSeconds=${MAIL_COMMAND_TIMEOUT_IN_SECONDS}
+
+      # BatchRestore Settings
+      - BatchRestore__AsyncThreshold=50
+      - BatchRestore__MaxSyncEmails=150
+      - BatchRestore__MaxAsyncEmails=50000
+      - BatchRestore__SessionTimeoutMinutes=30
+      - BatchRestore__DefaultBatchSize=50
+
+      # BatchOperation Settings
+      - BatchOperation__BatchSize=50
+      - BatchOperation__PauseBetweenEmailsMs=50
+      - BatchOperation__PauseBetweenBatchesMs=250
+
+      # Npgsql Settings
+      - Npgsql__CommandTimeout=900
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.mailarchive.entrypoints=http"
+      - "traefik.http.routers.mailarchive.rule=Host(`${MAILARCHIVE_DOMAIN}`)"
+      - "traefik.http.middlewares.mailarchive-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.mailarchive.middlewares=mailarchive-https-redirect"
+      - "traefik.http.routers.mailarchive-secure.entrypoints=https"
+      - "traefik.http.routers.mailarchive-secure.rule=Host(`${MAILARCHIVE_DOMAIN}`)"
+      - "traefik.http.routers.mailarchive-secure.tls=true"
+      - "traefik.http.routers.mailarchive-secure.service=mailarchive"
+      - "traefik.http.services.mailarchive.loadbalancer.server.port=5000"
+    depends_on:
+      postgres:
+        condition: service_healthy
+
+
+  postgres:
+    image: postgres:${POSTGRES_VERSION}
+    container_name: mailarchive-db
+    restart: always
+    environment:
+      POSTGRES_DB: MailArchiver
+      POSTGRES_USER: ${DB_USER}
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    volumes:
+      - ./data/db:/var/lib/postgresql/data
+    networks:
+      - mailarchive
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U mailuser -d MailArchiver"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+
+networks:
+  traefik:
+    external: true
+  mailarchive:

ansible/roles/deploy_container_mailarchive/vars/main.yml

@@ -0,0 +1 @@
+container_base_dir: /opt/docker/mailarchive