Add Firefly III again

inventories/production/group_vars/all.yml

@@ -82,6 +82,23 @@ secret_ara_secret_key: !vault |
           31346465336361316433383865613233373836643366346538633330616232386132636662643963
           303938396531623561653335646231616239
 
+# For Firefly III
+secret_firefly_app_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36326365626537313464373434303833373261303835643035666431326335633634376364376233
+          3664323235383337313266316466363734643331313862630a636164616462623965353331373266
+          65653363353039653231316464653366303938656363333239313165313662636163323366303433
+          6432633664666339660a383938333531333536666361633762633831363132366563396237346330
+          32323266346363656336396264626231653331343862636632646466353236393438363037623466
+          6535373866616238323339326338316330383064336138646663
+secret_firefly_db_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31386133326239313637393462633930626634653562303361326634323633363037303862313361
+          3133356362333833653636623761386163646435633239370a613632646461303534353134346431
+          36613930393235653862376639626238326561633064333565383564626330636639633136643365
+          3565316233663262360a353631323762313130326361643532626334363263636539313233646362
+          37633961633162353936386366623136633436306235336235363566616563366563
+
 # For GVM
 secret_gvm_db_pass: !vault |
           $ANSIBLE_VAULT;1.1;AES256

playbooks/local_dns.yml

@@ -93,6 +93,8 @@
         # Public
         - record: ara.desu.ltd
           value: vm-general-1.ashburn.mgmt.desu.ltd
+        - record: firefly.desu.ltd
+          value: vm-general-1.ashburn.mgmt.desu.ltd
         - record: git.desu.ltd
           value: vm-general-1.ashburn.mgmt.desu.ltd
         - record: gitlab.desu.ltd

playbooks/prod_db.yml

@@ -25,6 +25,8 @@
         postgresql_users:
           - name: ara-desultd
             password: "{{ secret_ara_db_pass }}"
+          - name: firefly-desultd
+            password: "{{ secret_firefly_db_pass }}"
           - name: gitea-desultd
             password: "{{ secret_gitea_db_pass }}"
           - name: gitlab-desultd
@@ -48,6 +50,8 @@
         postgresql_databases:
           - name: ara-desultd
             owner: ara-desultd
+          - name: firefly-desultd
+            owner: firefly-desultd
           - name: gitea-desultd
             owner: gitea-desultd
           - name: gitlab-desultd

playbooks/prod_web.yml

@@ -23,6 +23,7 @@
         - web/ara.yml
         - web/desultd.yml
         - web/element-web.yml
+        - web/firefly-iii.yml
         - web/gitea.yml
         - web/netbox.yml
         - web/nextcloud.yml
@@ -222,6 +223,8 @@
                 contents: |
                   default_type application/json;
                   return 200 '{"m.homeserver":{"base_url":"https://matrix.desu.ltd"}}';
+          - name: firefly.desu.ltd
+            proxy_pass: http://firefly:8080
           - name: git.desu.ltd
             proxy_pass: http://gitea:3000
           - name: matrix.desu.ltd

playbooks/tasks/web/firefly-iii.yml

@@ -0,0 +1,24 @@
+# vim:ft=ansible:
+- name: docker deploy firefly
+  docker_container:
+    name: firefly
+    image: fireflyiii/core:latest
+    env:
+      APP_KEY: "{{ secret_firefly_app_key }}"
+      APP_URL: "https://firefly.desu.ltd"
+      # We set TRUSTED_PROXIES to * here, which allows any app in the docker
+      # network to proxy this. I'm considering this a fine security concession
+      # since we can't guarantee the IP of the ingress container
+      TRUSTED_PROXIES: "*"
+      DB_HOST: "10.0.0.2"
+      DB_PORT: "5432"
+      DB_CONNECTION: pgsql
+      DB_DATABASE: "firefly-desultd"
+      DB_USERNAME: "firefly-desultd"
+      DB_PASSWORD: "{{ secret_firefly_db_pass }}"
+    networks:
+      - name: web
+        aliases: [ "firefly" ]
+    volumes:
+      - /data/firefly/upload:/var/www/html/storage/upload
+  tags: [ docker, firefly ]