Introduce kimai service

proxy_resources/etc/wireguard/wg0.conf

@@ -11,49 +11,65 @@ ListenPort = {{ proxy_server_vpn_port }}
 [Peer]
 PublicKey = {{ mail_service_pubkey }}
 AllowedIPs = 10.0.0.2/32
+PersistentKeepalive = 25
 
 # Git Service
 [Peer]
 PublicKey = {{ git_service_pubkey }}
 AllowedIPs = 10.0.0.3/32
+PersistentKeepalive = 25
 
 # Invidious Service
 [Peer]
 PublicKey = {{ invidious_service_pubkey }}
 AllowedIPs = 10.0.0.3/32
+PersistentKeepalive = 25
 
 # Searxng Service
 [Peer]
 PublicKey = {{ searxng_service_pubkey }}
 AllowedIPs = 10.0.0.4/32
+PersistentKeepalive = 25
 
 # Nextcloud Service
 [Peer]
 PublicKey = {{ nextcloud_service_pubkey }}
 AllowedIPs = 10.0.0.5/32
+PersistentKeepalive = 25
 
 # Chat Service
 [Peer]
 PublicKey = {{ chat_service_pubkey }}
 AllowedIPs = 10.0.0.6/32
+PersistentKeepalive = 25
 
 # Minecraft Service
 [Peer]
 PublicKey = {{ minecraft_service_pubkey }}
 AllowedIPs = 10.0.0.7/32
+PersistentKeepalive = 25
+
+# Kimai Service
+[Peer]
+PublicKey = {{ kimai_service_pubkey }}
+AllowedIPs = 10.0.0.8/32
+PersistentKeepalive = 25
 
 
 # Connection to backend server for icinga2
 [Peer]
 PublicKey = {{ icinga2_backend_pubkey }}
 AllowedIPs = 10.0.0.198/32
+PersistentKeepalive = 25
 
 # Connection to backend server for cockpit
 [Peer]
 PublicKey = {{ cockpit_backend_pubkey }}
 AllowedIPs = 10.0.0.199/32
+PersistentKeepalive = 25
 
 # User Key for Phone/Desktop/Laptop use 
 [Peer]
 PublicKey = {{ user_pubkey }}
 AllowedIPs = 10.0.0.200/32
+PersistentKeepalive = 25

serversecrets.example

@@ -31,6 +31,7 @@ searxng_service_privkey: temp
 nextcloud_service_privkey: temp 
 chat_service_privkey: temp 
 minecraft_service_privkey: temp 
+kimai_service_privkey: temp
 icinga2_backend_privkey: temp
 cockpit_backend_privkey: temp
 user_privkey: temp
@@ -43,6 +44,7 @@ searxng_service_pubkey: temp
 nextcloud_service_pubkey: temp
 chat_service_pubkey: temp
 minecraft_service_pubkey: temp
+kimai_service_pubkey: temp
 icinga2_backend_pubkey: temp
 cockpit_backend_pubkey: temp
 user_pubkey: temp

services/service_kimai/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True

services/service_kimai/deploy-service.yml

@@ -0,0 +1,26 @@
+- hosts: localhost
+  become: 'yes'
+  vars:
+    ansible_become_method: doas
+  tasks:
+    - name: Create necessary directories
+      ansible.builtin.file:
+        path: "{{ item }}" 
+        owner: service_kimai
+        group: service_kimai
+        state: directory
+      loop:
+        - "{{ services_directory }}/service_kimai/kimai-data"
+        - "{{ services_directory }}/service_kimai/mysql-data"
+    - name: Copy docker compose config and other kimai files
+      ansible.builtin.template:
+        src: "{{ item }}" 
+        dest: "{{ services_directory }}/service_kimai/{{ item }}"
+        owner: service_kimai
+        group: service_kimai
+      loop:
+        - docker-compose.yml 
+
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!

services/service_kimai/docker-compose.yml

@@ -0,0 +1,82 @@
+services:
+
+  # Gluetun is used to connect container to VPN
+  kimai-gluetun:
+    image: qmcgaw/gluetun
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - VPN_SERVICE_PROVIDER=custom
+      - VPN_TYPE=wireguard
+      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
+      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
+      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
+      - WIREGUARD_PRIVATE_KEY={{ kimai_service_privkey }}
+      - WIREGUARD_ADDRESSES=10.0.0.8/32
+      - FIREWALL_VPN_INPUT_PORTS=8001,3306
+    ports:
+      - "8001:8001"
+        #    networks:
+        #      kimai:
+    deploy:
+      resources:
+        limits:
+          cpus: '0.10'
+          memory: 512M
+
+  kimai:
+    image: kimai/kimai2:apache
+    network_mode: "service:kimai-gluetun"
+    environment:
+      - ADMINMAIL=admin@{{ domain_name }}
+      - ADMINPASS={{ service_kimai_admin_password }}
+      - "DATABASE_URL=mysql://kimaiuser:{{ service_kimai_mysql_password }}@127.0.0.1/kimai?charset=utf8mb4&serverVersion=8.3.0"
+      - TRUSTED_HOSTS=nginx,localhost,127.0.0.1
+    restart: always
+    volumes:
+      - ./kimai-data:/opt/kimai/var/data
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 512M
+    depends_on:
+      - kimai-db
+
+  kimai-db:
+    image: mysql:8.4.0
+    network_mode: "service:kimai-gluetun"
+    environment:
+      - MYSQL_DATABASE=kimai
+      - MYSQL_USER=kimaiuser
+      - MYSQL_PASSWORD={{ service_kimai_mysql_password }}
+      - MYSQL_ROOT_PASSWORD={{ service_kimai_mysql_root_password }}
+    command: --default-storage-engine innodb
+    restart: unless-stopped
+    healthcheck:
+      test: mysqladmin -p$$MYSQL_ROOT_PASSWORD ping -h localhost
+      interval: 20s
+      start_period: 10s
+      timeout: 10s
+      retries: 3
+    volumes:
+      - ./mysql-data:/var/lib/mysql
+        #    networks:
+        #      kimai:
+        #        ipv4_address: 12.1.0.22
+    deploy:
+      resources:
+        limits:
+          cpus: '0.10'
+          memory: 512M
+
+            #networks:
+            #  kimai:
+            #    driver: bridge
+            #    driver_opts:
+            #      com.docker.network.bridge.name: kimai
+            #        #      com.docker.network.driver.enable_ip_masquerade: 0
+            #    ipam:
+            #      config:
+            #        - subnet: 12.1.0.0/16
+            #          #          gateway: 11.5.0.1

services/service_kimai/proxy_resources/etc/nginx/sites-available/kimai.domain

@@ -0,0 +1,49 @@
+# {{ ansible_managed }}
+
+# Kimai Instance Proxy
+server {
+    
+    	server_name kimai.{{ domain_name }} www.kimai.{{ domain_name }};
+        
+    	location / {
+        	proxy_pass http://10.0.0.8:8001;
+		#proxy_set_header X-Forwarded-For $remote_addr;
+        	#proxy_set_header Host $host;    # so kimai knows domain
+        	#proxy_http_version 1.1;     # to keep alive
+        	#proxy_set_header Connection ""; # to keep alive
+        	include proxy_params;
+    	}
+
+    client_max_body_size 512M;
+
+    listen [::]:443 ssl; 
+    listen 443 ssl; 
+    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; 
+    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; 
+    include /etc/letsencrypt/options-ssl-nginx.conf; 
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 
+
+
+}
+
+server {
+    if ($host = www.kimai.{{ domain_name }}) {
+        return 301 https://$host$request_uri;
+    } 
+
+
+    if ($host = kimai.{{ domain_name }}) {
+        return 301 https://$host$request_uri;
+    } 
+
+
+    	listen 80;
+    	listen [::]:80;
+    
+    	server_name kimai.{{ domain_name }} www.kimai.{{ domain_name }};
+    return 404; 
+
+
+
+
+}

services/service_kimai/servicesecrets.example

@@ -0,0 +1,4 @@
+# Example service secrets for kimai docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_kimai_admin_password: ***
+service_kimai_mysql_password: ***
+service_kimai_mysql_root_password: ***