diff --git a/inventories/chaosknoten/host_vars/zammad.yaml b/inventories/chaosknoten/host_vars/zammad.yaml
new file mode 100644
index 0000000..be2c445
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/zammad.yaml
@@ -0,0 +1,12 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/zammad/compose.yaml.j2') }}"
+docker_compose__configuration_files: []
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ - "zammad.hamburg.ccc.de"
+
+nginx__version_spec: ""
+nginx__configurations:
+ - name: zammad.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 30d9e72..0686c25 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -36,6 +36,11 @@ all:
 ansible_host: wiki-intern.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de:42666
+ zammad:
+ ansible_host: zammad-intern.hamburg.ccc.de
+ ansible_port: 42666
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de:42666
 docker_compose_hosts:
 hosts:
 hackertours:
@@ -43,6 +48,7 @@ all:
 lists:
 onlyoffice:
 pad:
+ zammad:
 nextcloud_hosts:
 hosts:
 cloud:
@@ -55,6 +61,7 @@ all:
 pad:
 public-reverse-proxy:
 wiki:
+ zammad:
 public_reverse_proxy_hosts:
 hosts:
 public-reverse-proxy:
@@ -70,6 +77,7 @@ all:
 onlyoffice:
 pad:
 wiki:
+ zammad:
 infrastructure_authorized_keys_hosts:
 hosts:
 hackertours:
@@ -79,3 +87,4 @@ all:
 pad:
 public-reverse-proxy:
 wiki:
+ zammad:
diff --git a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
index b1fa401..dad37c4 100644
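Review bot: `docker_compose__configuration_files: []` on the second line of the host_vars hunk ships no files next to the compose file, yet the compose template this file references mounts `./scripts/backup.sh:/usr/local/bin/backup.sh:ro` and uses that path as the `zammad-backup` entrypoint. Unless the docker_compose role delivers that script some other way, Docker will create an empty directory at the missing host path and the backup container will fail to start, which is exactly the kind of silent failure a backup job should not have. Either add the script to `docker_compose__configuration_files` or leave the `zammad-backup` service out until it is deployed.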
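Review bot: The new `zammad` host in the first hosts.yaml hunk sets `ansible_port: 42666`, which is also the port of the jump host in `ansible_ssh_common_args` on the following line, while the neighbouring `wiki` entry using the same jump host sets no `ansible_port`. If sshd on zammad-intern really listens on 42666 this is fine, but if the value was carried over from the jump-host URL, connections will go to the wrong port on the target; please confirm against the host and otherwise drop the line so the entry matches the others. The remaining hosts.yaml hunks only add `zammad:` to groups and need no change.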
--- a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -13,6 +13,7 @@ map $host $upstream_acme_challenge_host {
 branding-resources.hamburg.ccc.de 172.31.17.151:31820;
 next.hamburg.ccc.de 172.31.17.151:31820;
 spaceapi.hamburg.ccc.de 172.31.17.151:31820;
+ zammad.hamburg.ccc.de 172.31.17.152:31820;
 default "";
 }
 
diff --git a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
index 2428037..a4e221f 100644
--- a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
+++ b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
@@ -31,6 +31,7 @@ stream {
 element.hamburg.ccc.de 172.31.17.151:8443;
 branding-resources.hamburg.ccc.de 172.31.17.151:8443;
 next.hamburg.ccc.de 172.31.17.151:8443;
+ zammad.hamburg.ccc.de 172.31.17.152:8443;
 }
 
 server {
diff --git a/playbooks/files/chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf b/playbooks/files/chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf
new file mode 100644
index 0000000..39a7856
--- /dev/null
+++ b/playbooks/files/chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf
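Review bot: The added map entry routes zammad.hamburg.ccc.de to `172.31.17.152`, while every other entry in this map, and in the stream map of the nginx.conf hunk below, targets `172.31.17.151`, and nothing in the diff ties `172.31.17.152` to the `zammad-intern.hamburg.ccc.de` host added to the inventory. Please confirm the address: a wrong backend here is only noticed when the certbot renewal fails, and the stream passthrough in nginx.conf would likewise deliver zammad's SNI traffic to whatever answers on that address. A short comment naming the host next to the address, e.g. `zammad.hamburg.ccc.de 172.31.17.152:31820; # zammad-intern`, would make both maps easier to audit when addresses change.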
@@ -0,0 +1,43 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name zammad.hamburg.ccc.de;
+
+ ssl_certificate /etc/letsencrypt/live/zammad.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/zammad.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/zammad.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+ location / {
+ proxy_pass http://127.0.0.1:8080/;
+ }
+
+}
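Review bot: The header comment declares this a Mozilla intermediate configuration, but the server block carries no `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_session_*` or `ssl_stapling` directives, and `ssl_trusted_certificate` is commented as serving OCSP verification although stapling is never switched on. If the nginx role places those directives in the http context of its global nginx.conf this is fine, but otherwise the vhost runs on nginx's compiled-in defaults rather than the generator output the comment claims; either add the directives here or reword the comment to say where the TLS settings live. Separately, `location /` proxies plain HTTP only: Zammad's browser client uses a websocket (served under `/ws` by the zammad-nginx container), so `proxy_http_version 1.1;` plus forwarded `Upgrade`/`Connection` headers may be required for it to connect instead of falling back to polling, which is worth testing before go-live.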
diff --git a/playbooks/templates/chaosknoten/configs/zammad/compose.yaml.j2 b/playbooks/templates/chaosknoten/configs/zammad/compose.yaml.j2
new file mode 100644
index 0000000..83efc2c
--- /dev/null
+++ b/playbooks/templates/chaosknoten/configs/zammad/compose.yaml.j2
@@ -0,0 +1,158 @@
+---
+version: '3.8'
+
+{#
+https://github.com/zammad/zammad-docker-compose
+Docker Compose does not allow defining variables in the compose file (only in .env files), so we use Jinja variables instead
+see https://github.com/zammad/zammad-docker-compose/blob/master/.env
+#}
+{%- set ELASTICSEARCH_VERSION = "8" | quote -%}
+{%- set IMAGE_REPO = "ghcr.io/zammad/zammad" | quote -%}
+{%- set MEMCACHE_SERVERS = "zammad-memcached:11211" | quote -%}
+{%- set MEMCACHE_VERSION = "1.6-alpine" | quote -%}
+{%- set POSTGRES_DB = "zammad_production" | quote -%}
+{%- set POSTGRES_HOST = "zammad-postgresql" | quote -%}
+{%- set POSTGRES_USER = "zammad" | quote -%}
+{%- set POSTGRES_PASS = lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/zammad/DB_PASSWORD", create=false, missing="error") | quote -%}
+{%- set POSTGRES_PORT = "5432" | quote -%}
+{%- set POSTGRES_VERSION = "15-alpine" | quote -%}
+{%- set REDIS_URL = "redis://zammad-redis:6379" | quote -%}
+{%- set REDIS_VERSION = "7-alpine" | quote -%}
+{%- set RESTART = "always" | quote -%}
+{%- set VERSION = "6" | quote -%}
+x-shared:
+ zammad-service: &zammad-service
+ environment: &zammad-environment
+ MEMCACHE_SERVERS: {{ MEMCACHE_SERVERS }}
+ POSTGRESQL_DB: {{ POSTGRES_DB }}
+ POSTGRESQL_HOST: {{ POSTGRES_HOST }}
+ POSTGRESQL_USER: {{ POSTGRES_USER }}
+ POSTGRESQL_PASS: {{ POSTGRES_PASS }}
+ POSTGRESQL_PORT: {{ POSTGRES_PORT }}
+ REDIS_URL: {{ REDIS_URL }}
+ # Allow passing in these variables via .env:
+ AUTOWIZARD_JSON:
+ AUTOWIZARD_RELATIVE_PATH:
+ ELASTICSEARCH_ENABLED:
+ ELASTICSEARCH_HOST:
+ ELASTICSEARCH_PORT:
+ ELASTICSEARCH_SCHEMA:
+ ELASTICSEARCH_NAMESPACE:
+ ELASTICSEARCH_REINDEX:
+ ELASTICSEARCH_SSL_VERIFY:
+ NGINX_PORT:
+ NGINX_SERVER_NAME:
+ NGINX_SERVER_SCHEME: https
+ POSTGRESQL_DB_CREATE:
+ POSTGRESQL_OPTIONS:
+ RAILS_TRUSTED_PROXIES:
+ ZAMMAD_WEB_CONCURRENCY:
+ ZAMMAD_SESSION_JOBS:
+ ZAMMAD_PROCESS_SCHEDULED:
+ ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
+ image: {{ IMAGE_REPO }}:{{ VERSION }}
+ restart: {{ RESTART }}
+ volumes:
+ - zammad-storage:/opt/zammad/storage
+ - zammad-var:/opt/zammad/var
+ depends_on:
+ - zammad-memcached
+ - zammad-postgresql
+ - zammad-redis
+
+services:
+
+ zammad-backup:
+ command: ["zammad-backup"]
+ depends_on:
+ - zammad-railsserver
+ - zammad-postgresql
+ entrypoint: /usr/local/bin/backup.sh
+ environment:
+ <<: *zammad-environment
+ BACKUP_TIME: "03:00"
+ HOLD_DAYS: "10"
+ TZ: Europe/Berlin
+ image: postgres:{{ POSTGRES_VERSION }}
+ restart: {{ RESTART }}
+ volumes:
+ - zammad-backup:/var/tmp/zammad
+ - zammad-storage:/opt/zammad/storage:ro
+ - zammad-var:/opt/zammad/var:ro
+ - ./scripts/backup.sh:/usr/local/bin/backup.sh:ro
+
+ zammad-elasticsearch:
+ image: bitnami/elasticsearch:{{ ELASTICSEARCH_VERSION }}
+ restart: {{ RESTART }}
+ volumes:
+ - elasticsearch-data:/bitnami/elasticsearch/data
+
+ zammad-init:
+ <<: *zammad-service
+ command: ["zammad-init"]
+ depends_on:
+ - zammad-postgresql
+ restart: on-failure
+ user: 0:0
+ volumes:
+ - zammad-storage:/opt/zammad/storage
+ - zammad-var:/opt/zammad/var
+
+ zammad-memcached:
+ command: memcached -m 256M
+ image: memcached:{{ MEMCACHE_VERSION }}
+ restart: {{ RESTART }}
+
+ zammad-nginx:
+ <<: *zammad-service
+ command: ["zammad-nginx"]
+ expose:
+ - "8080"
+ ports:
+ - "8080:8080"
+ depends_on:
+ - zammad-railsserver
+ volumes:
+ - zammad-var:/opt/zammad/var:ro # required for the zammad-ready check file
+
+ zammad-postgresql:
+ environment:
+ POSTGRES_DB: {{ POSTGRES_DB }}
+ POSTGRES_USER: {{ POSTGRES_USER }}
+ POSTGRES_PASSWORD: {{ POSTGRES_PASS }}
+ image: postgres:{{ POSTGRES_VERSION }}
+ restart: {{ RESTART }}
+ volumes:
+ - postgresql-data:/var/lib/postgresql/data
+
+ zammad-railsserver:
+ <<: *zammad-service
+ command: ["zammad-railsserver"]
+
+ zammad-redis:
+ image: redis:{{ REDIS_VERSION }}
+ restart: {{ RESTART }}
+ volumes:
+ - redis-data:/data
+
+ zammad-scheduler:
+ <<: *zammad-service
+ command: ["zammad-scheduler"]
+
zammad-websocket:
+ <<: *zammad-service
+ command: ["zammad-websocket"]
+
+volumes:
+ elasticsearch-data:
+ driver: local
+ postgresql-data:
+ driver: local
+ redis-data:
+ driver: local
+ zammad-backup:
+ driver: local
+ zammad-storage:
+ driver: local
+ zammad-var:
+ driver: local
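Review bot: `ports: - "8080:8080"` under `zammad-nginx` publishes the plain-HTTP frontend on every host interface, although the only intended consumer is the host nginx proxying to `http://127.0.0.1:8080/`; with that binding Zammad is reachable unencrypted from the internal network, bypassing TLS termination, HSTS and the `Forwarded`/`X-Forwarded-*` headers set by the host nginx. Bind it to loopback, `- "127.0.0.1:8080:8080"`, unless a host firewall is known to block the port. A second issue is the Jinja `quote` filter on every `set` line: it is shell quoting, not YAML quoting, so shell-safe values render unquoted (`"5432" | quote` becomes the bare integer `5432` for `POSTGRESQL_PORT`) and an embedded `'` is escaped as `'"'"'`, which is not valid inside a YAML single-quoted scalar, meaning a passwordstore DB password containing a single quote would break the rendered compose file; `| to_json` yields a YAML-safe double-quoted string instead.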