
mash-playbook + matrix-docker-ansible-deploy playbook #64

Open
Gregivy opened this issue May 21, 2023 · 4 comments

Comments

@Gregivy

Gregivy commented May 21, 2023

What is the best way to combine this playbook with the matrix playbook to run on the same machine?
Are there any nuances of using traefik/postgres? As the traefik service is present in both playbooks, will it be enough to use it from only one of the playbooks (e.g. if I already use the matrix playbook, can I skip turning on traefik in the mash playbook)?

@spantaleev
Member

The recommended way is to have only one of those playbooks install Traefik. Preferably matrix-docker-ansible-deploy, because its Traefik setup is more involved (handling the custom port tcp/8448 for federation, etc.).

Thus, the mash-playbook setup's vars.yml should include some configuration like this:

```yaml
mash_playbook_reverse_proxy_type: other-traefik-container
mash_playbook_reverse_proxyable_services_additional_network: traefik
```

Also, just one of these playbooks should install Docker and timesync. It doesn't hurt if both have these installation steps, but it's somewhat wasteful.
This should be documented better somewhere

@thomsbe

thomsbe commented Jun 9, 2023

Same question about postgres. As @Gregivy already asked, what about 2 containers with postgres? I have the matrix-playbook running, this provides postgres. Mash has its own postgres-container? How to combine these two, since I guess one database-container is better than two with limited resources.

@spantaleev
Member

It's possible to use a single Postgres instance, but it's easiest if you run a Postgres instance for each playbook.

By default, both playbooks automatically wire components to use their own Postgres instance, so you will be spared a lot of effort.

Here's an example of database credentials initialization:

```yaml
# Builds the list of databases and credentials that the playbook's own Postgres creates:
# one entry per enabled component that is pointed at this Postgres instance.
devture_postgres_managed_databases_auto: |
  {{
  ([{
  'name': authentik_database_name,
  'username': authentik_database_username,
  'password': authentik_database_password,
  }] if authentik_enabled and authentik_database_hostname == devture_postgres_identifier else [])
  +
  ([{
  'name': focalboard_database_name,
  'username': focalboard_database_username,
  'password': focalboard_database_password,
  }] if focalboard_enabled and focalboard_database_type == 'postgres' and focalboard_database_hostname == devture_postgres_identifier else [])
  +
  ([{
  'name': funkwhale_database_name,
  'username': funkwhale_database_username,
  'password': funkwhale_database_password,
  }] if funkwhale_enabled and funkwhale_database_hostname == devture_postgres_identifier else [])
  +
  ([{
  'name': gitea_config_database_name,
  'username': gitea_config_database_username,
  'password': gitea_config_database_password,
  }] if gitea_enabled else [])
  +
  ([{
  'name': healthchecks_database_name,
  'username': healthchecks_database_username,
  'password': healthchecks_database_password,
  }] if healthchecks_enabled and healthchecks_database_hostname == devture_postgres_identifier else [])
  +
  ([{
  'name': devture_woodpecker_ci_server_database_datasource_db_name,
  'username': devture_woodpecker_ci_server_database_datasource_username,
  'password': devture_woodpecker_ci_server_database_datasource_password,
  }] if devture_woodpecker_ci_server_enabled else [])
  +
  ([{
  'name': gotosocial_database_name,
  'username': gotosocial_database_username,
  'password': gotosocial_database_password,
  }] if gotosocial_enabled else [])
  +
  ([{
  'name': keycloak_database_name,
  'username': keycloak_database_username,
  'password': keycloak_database_password,
  }] if keycloak_enabled and keycloak_database_type == 'postgres' and keycloak_database_hostname == devture_postgres_identifier else [])
  +
  ([{
  'name': lago_database_name,
  'username': lago_database_username,
  'password': lago_database_password,
  }] if lago_enabled and lago_database_hostname == devture_postgres_identifier else [])
  +
  ([{
  'name': miniflux_database_name,
  'username': miniflux_database_username,
  'password': miniflux_database_password,
  }] if miniflux_enabled else [])
  +
  ([{
  'name': redmine_database_name,
  'username': redmine_database_username,
  'password': redmine_database_password,
  }] if redmine_enabled else [])
  +
  ([{
  'name': netbox_database_name,
  'username': netbox_database_username,
  'password': netbox_database_password,
  }] if netbox_enabled else [])
  +
  ([{
  'name': nextcloud_database_name,
  'username': nextcloud_database_username,
  'password': nextcloud_database_password,
  }] if nextcloud_enabled else [])
  +
  ([{
  'name': peertube_config_database_name,
  'username': peertube_config_database_username,
  'password': peertube_config_database_password,
  }] if peertube_enabled else [])
  +
  ([{
  'name': prometheus_postgres_exporter_database_name,
  'username': prometheus_postgres_exporter_database_username,
  'password': prometheus_postgres_exporter_database_password,
  }] if prometheus_postgres_exporter_enabled else [])
  +
  ([{
  'name': firezone_database_name,
  'username': firezone_database_user,
  'password': firezone_database_password,
  }] if firezone_enabled else [])
  +
  ([{
  'name': vaultwarden_database_name,
  'username': vaultwarden_database_username,
  'password': vaultwarden_database_password,
  }] if vaultwarden_enabled else [])
  }}
```

Here's an example of one service (Miniflux) being connected to the Postgres container network:

```yaml
# Networks the Miniflux container joins besides its own: the shared reverse-proxy
# network (if any) and the Postgres network, but only when Miniflux actually uses
# this playbook's Postgres and is not already on that network.
miniflux_container_additional_networks: |
  {{
  ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
  +
  ([devture_postgres_container_network] if devture_postgres_enabled and miniflux_database_hostname == devture_postgres_identifier and miniflux_container_network != devture_postgres_container_network else [])
  }}
```

If you want mash services to use the Matrix playbook's Postgres, you need to do both of these things manually:

- prepare a database and credentials for each component - perhaps by wiring each component to the Matrix playbook's devture_postgres_managed_databases_additional variable (this is like devture_postgres_managed_databases_auto, but for your own custom entries)
- connect each component to that other (matrix-postgres) Postgres instance's container network
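The two manual steps above, worked through for one service (Miniflux), as an added example that is not configuration from either playbook's docs. It assumes the Matrix playbook's Postgres container is named matrix-postgres and that its container network is also called matrix-postgres; check devture_postgres_identifier and devture_postgres_container_network in your Matrix playbook setup before copying those names.

```yaml
# --- Matrix playbook: inventory/host_vars/<matrix-host>/vars.yml ---
# Step 1: create the database and credentials on the Matrix side.
# Same entry shape as devture_postgres_managed_databases_auto above.
# The password is a placeholder: generate a distinct one used only by Miniflux.
devture_postgres_managed_databases_additional:
  - name: miniflux
    username: miniflux
    password: REPLACE_WITH_GENERATED_MINIFLUX_DB_PASSWORD

# --- mash-playbook: inventory/host_vars/<mash-host>/vars.yml ---
# Reuse the Matrix playbook's Traefik, as in the earlier answer in this thread.
mash_playbook_reverse_proxy_type: other-traefik-container
mash_playbook_reverse_proxyable_services_additional_network: traefik

# Do not run mash's own Postgres; Miniflux will use the Matrix one instead.
devture_postgres_enabled: false

# Point Miniflux at the Matrix Postgres container (assumed name: matrix-postgres)
# using exactly the credentials declared on the Matrix side.
miniflux_enabled: true
miniflux_database_hostname: matrix-postgres
miniflux_database_name: miniflux
miniflux_database_username: miniflux
miniflux_database_password: REPLACE_WITH_GENERATED_MINIFLUX_DB_PASSWORD

# Step 2: join the Matrix Postgres container network (assumed name: matrix-postgres)
# in addition to the shared Traefik network, so the hostname above resolves.
# This replaces the playbook's default Jinja expression shown earlier.
miniflux_container_additional_networks:
  - "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
  - matrix-postgres
```

Because the same database secret now lives in both inventories, store it with ansible-vault in each rather than in plain text, and use a separate password per component so one leaked credential cannot reach another component's database.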

@thomsbe

thomsbe commented Jun 9, 2023

Ok, I will stick with the two databases 😄

The traefik config results in a 404. The mash-containers are connected to the traefik-network. But it looks like there is no routing for the 2 new hostnames, "git" and "status". Traefik-log:

```text
Jun 09 13:20:02 tbaer.de matrix-traefik[3962152]: 172.28.0.1 - - [09/Jun/2023:11:19:32 +0000] "GET /_matrix/client/r0/sync?filter=5&timeout=30000&since=s87124_1436984_122_33113_35512_10_5118_685_0_1 HTTP/1.1" 200 171 "-" "-" 130 "matrix-nginx-proxy-matrix-client@docker" "http://172.25.0.3:8080" 30014ms
Jun 09 13:20:02 tbaer.de matrix-traefik[3962152]: 172.28.0.1 - - [09/Jun/2023:11:20:02 +0000] "OPTIONS /_matrix/client/r0/sync?filter=5&timeout=30000&since=s87124_1436984_122_33113_35512_10_5118_685_0_1 HTTP/1.1" 204 0 "-" "-" 132 "matrix-nginx-proxy-matrix-client@docker" "http://172.25.0.3:8080" 4ms
Jun 09 13:20:03 tbaer.de matrix-traefik[3962152]: 172.28.0.1 - - [09/Jun/2023:11:20:03 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 134 "-" "-" 0ms
```

The last line here is the request resulting in a 404. It seems there is a missing piece somewhere in the config. I can't get up the traefik-dashboard on the matrix-side, because of a parsing error in some template. I don't know traefik, but I can connect to the running container. But it looks like there is no way to show the routes via cli.
Is there a missing piece of config in the providers.yml or something?

Traefik is fronted by Caddyserver, I have added the 2 new hostnames to the other matrix-related names in the same block. There are no other ports listening and the request from the outside reaches traefik, so I guess this part is working, only the routing for the hostnames to traefik is missing.
