diff --git a/infra/finance/0000_proxmox_playbook.yaml b/infra/finance/0000_proxmox_playbook.yaml new file mode 100644 index 0000000..5839aba --- /dev/null +++ b/infra/finance/0000_proxmox_playbook.yaml @@ -0,0 +1,112 @@ +- name: Provision finance Proxmox VM + hosts: finance + connection: ansible.builtin.local + gather_facts: false + vars: + api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}" + api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}" + api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}" + api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}" + ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}" + vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}" + node: pve2 + module_defaults: + community.general.proxmox_kvm: + api_user: "{{ api_user }}" + api_host: "{{ api_host }}" + api_token_id: "{{ api_token_id }}" + api_token_secret: "{{ api_token_secret }}" + name: "{{ vmname }}" + node: "{{ node }}" + community.general.proxmox_nic: + api_user: "{{ api_user }}" + api_host: "{{ api_host }}" + api_token_id: "{{ api_token_id }}" + api_token_secret: "{{ api_token_secret }}" + name: "{{ vmname }}" + community.general.proxmox_disk: + api_user: "{{ api_user }}" + api_host: "{{ api_host }}" + api_token_id: "{{ api_token_id }}" + api_token_secret: "{{ api_token_secret }}" + name: "{{ vmname }}" + tasks: + # Initial setup + - name: Create VM + community.general.proxmox_kvm: + clone: "{{ node }}-debian-12" + storage: nvme + notify: Initial boot + - name: Wait for status + community.general.proxmox_kvm: + state: current + register: vm + retries: 30 + delay: 10 + until: vm.status is defined + + # Networking and initial config + - name: Add PUB NIC + community.general.proxmox_nic: + interface: net0 + firewall: false + bridge: PUB + - name: Add SRV NIC + community.general.proxmox_nic: + interface: net1 + firewall: false + bridge: SRV + - name: Configure cloud-init + community.general.proxmox_kvm: + update: true + ciuser: debian + sshkeys: "{{ ssh_public }}" + ipconfig: + ipconfig0: ip=dhcp,ip6=auto + ipconfig1: ip=dhcp + + - name: Force all notified handlers to run + ansible.builtin.meta: flush_handlers + + # VM Configuration + - name: Resize root disk + community.general.proxmox_disk: + disk: scsi0 + size: 16G + state: resized + - name: Create data disk + community.general.proxmox_disk: + disk: scsi1 + backup: true + storage: nvme + size: 64 + - name: Update VM + community.general.proxmox_kvm: + update: true + agent: enabled=1 + tags: + - debian-12 + - managed + onboot: true + cores: 4 + memory: 8192 + + - name: Retart VM + community.general.proxmox_kvm: + state: restarted + timeout: 60 + handlers: + # Initial boot + # For some reason debian cloud images don't use + # cloud-init for networking on first boot (cloud-init files + # are regenerated AFTER networking starts). But we need the + # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯ + - name: Initial boot + block: + - name: Start + community.general.proxmox_kvm: + state: started + register: start + - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init + ansible.builtin.wait_for: + timeout: 90 diff --git a/infra/finance/0001_initialise_playbook.yaml b/infra/finance/0001_initialise_playbook.yaml new file mode 100644 index 0000000..e6dc182 --- /dev/null +++ b/infra/finance/0001_initialise_playbook.yaml @@ -0,0 +1,42 @@ +- name: Initialise VM + hosts: finance + gather_facts: false + tasks: + - name: Wait for connection + ansible.builtin.wait_for_connection: + timeout: 300 + - name: Install system packages + ansible.builtin.apt: + update_cache: true + pkg: + - qemu-guest-agent + - parted + become: true + - name: Enable qemu-guest-agent + ansible.builtin.systemd: + name: qemu-guest-agent + state: started + enabled: true + become: true + + - name: Create data partition + community.general.parted: + device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1 + label: gpt + name: data + number: 1 + state: present + become: true + - name: Create data filesystem + community.general.filesystem: + dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1 + fstype: ext4 + become: true + - name: Mount data partition + ansible.posix.mount: + src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1 + path: /var/lib/docker + fstype: ext4 + opts: rw,errors=remount-ro,x-systemd.growfs + state: mounted + become: true diff --git a/infra/finance/0002_docker_playbook.yaml b/infra/finance/0002_docker_playbook.yaml new file mode 100644 index 0000000..b9e33c4 --- /dev/null +++ b/infra/finance/0002_docker_playbook.yaml @@ -0,0 +1,47 @@ +- name: Install docker + hosts: finance + gather_facts: false + tasks: + - name: Wait for connection + ansible.builtin.wait_for_connection: + timeout: 300 + - name: Install dependencies + ansible.builtin.apt: + update_cache: true + pkg: + - curl + - python3-apt + - gpg + become: true + - name: Add docker key + ansible.builtin.apt_key: + url: https://download.docker.com/linux/debian/gpg + keyring: /etc/apt/keyrings/docker.gpg + become: true + - name: Add docker repo + ansible.builtin.apt_repository: + repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable + become: true + - name: Install docker + ansible.builtin.apt: + update_cache: true + pkg: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + become: true + - name: Add user to docker group + ansible.builtin.user: + user: debian + groups: + - docker + append: true + become: true + - name: Enable docker + ansible.builtin.systemd: + name: docker + state: started + enabled: true + become: true diff --git a/infra/finance/0003_firefly-iii_playbook.yaml b/infra/finance/0003_firefly-iii_playbook.yaml new file mode 100644 index 0000000..1fc3ef2 --- /dev/null +++ b/infra/finance/0003_firefly-iii_playbook.yaml @@ -0,0 +1,59 @@ +- name: Deploy app + hosts: finance + gather_facts: false + vars: + app: firefly-iii + tasks: + - name: Wait for connection + ansible.builtin.wait_for_connection: + timeout: 300 + - name: Docker compose down + community.docker.docker_compose_v2: + project_src: "$HOME/{{ app }}" + state: absent + - name: Copy project + ansible.builtin.copy: + src: "./{{ app }}" + dest: "$HOME" + mode: "0744" + + - name: Replace APP_KEY secret + ansible.builtin.replace: + path: "$HOME/{{ app }}/.env" + regexp: "APP_KEY_VALUE" + replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/finance', secret_name='APP_KEY')['value'] }}" + - name: Replace DB secret + ansible.builtin.replace: + path: "$HOME/{{ app }}/.env" + regexp: "DB_PASSWORD_VALUE" + replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/finance', secret_name='DB_PASSWORD')['value'] }}" + - name: Replace cron token secret + ansible.builtin.replace: + path: "$HOME/{{ app }}/.env" + regexp: "STATIC_CRON_TOKEN_VALUE" + replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/finance', secret_name='STATIC_CRON_TOKEN')['value'] }}" + - name: Replace SMTP Password secret (app) + ansible.builtin.replace: + path: "$HOME/{{ app }}/.env" + regexp: "SMTP_PASSWORD_VALUE" + replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}" + + - name: Replace Nordigen ID secret + ansible.builtin.replace: + path: "$HOME/{{ app }}/.importer.env" + regexp: "NORDIGEN_ID_VALUE" + replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/finance', secret_name='NORDIGEN_ID')['value'] }}" + - name: Replace Nordigen Key secret + ansible.builtin.replace: + path: "$HOME/{{ app }}/.importer.env" + regexp: "NORDIGEN_KEY_VALUE" + replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/finance', secret_name='NORDIGEN_KEY')['value'] }}" + - name: Replace SMTP Password secret (importer) + ansible.builtin.replace: + path: "$HOME/{{ app }}/.importer.env" + regexp: "SMTP_PASSWORD_VALUE" + replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}" + + - name: Docker compose up -d + community.docker.docker_compose_v2: + project_src: "$HOME/{{ app }}" diff --git a/infra/finance/firefly-iii/.env b/infra/finance/firefly-iii/.env new file mode 100644 index 0000000..703964f --- /dev/null +++ b/infra/finance/firefly-iii/.env @@ -0,0 +1,349 @@ +# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation. +# Never set it to "testing". +APP_ENV=production + +# Set to true if you want to see debug information in error screens. +APP_DEBUG=false + +# This should be your email address. +# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE +# The variable is used in some errors shown to users who aren't admin. +SITE_OWNER=gleb@koval.net + +# The encryption key for your sessions. Keep this very secure. +# Change it to a string of exactly 32 chars or use something like `php artisan key:generate` to generate it. +# If you use Docker or similar, you can set this variable from a file by using APP_KEY_FILE +# +# Avoid the "#" character in your APP_KEY, it may break things. +# +APP_KEY=APP_KEY_VALUE + +# Firefly III will launch using this language (for new users and unauthenticated visitors) +# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang +# +# If text is still in English, remember that not everything may have been translated. +DEFAULT_LANGUAGE=en_GB + +# The locale defines how numbers are formatted. +# by default this value is the same as whatever the language is. +DEFAULT_LOCALE=equal + +# Change this value to your preferred time zone. +# Example: Europe/Amsterdam +# For a list of supported time zones, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones +TZ=Europe/London + +# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy. +# Set it to ** and reverse proxies work just fine. +TRUSTED_PROXIES=10.4.0.1 + +# The log channel defines where your log entries go to. +# Several other options exist. You can use 'single' for one big fat error log (not recommended). +# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself. +# A rotating log option is 'daily', creates 5 files that (surprise) rotate. +# A cool option is 'papertrail' for cloud logging +# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time. +LOG_CHANNEL=stack + +# Log level. You can set this from least severe to most severe: +# debug, info, notice, warning, error, critical, alert, emergency +# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably +# nothing will get logged, ever. +APP_LOG_LEVEL=notice + +# Audit log level. +# The audit log is used to log notable Firefly III events on a separate channel. +# These log entries may contain sensitive financial information. +# The audit log is disabled by default. +# +# To enable it, set AUDIT_LOG_LEVEL to "info" +# To disable it, set AUDIT_LOG_LEVEL to "emergency" +AUDIT_LOG_LEVEL=emergency + +# +# If you want, you can redirect the audit logs to another channel. +# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself. +# Use audit_daily to log to a rotating file. +# Use audit_papertrail to log to papertrail. +# +# If you do this, the audit logs may be mixed with normal logs because the settings for these channels +# are often the same as the settings for the normal logs. +AUDIT_LOG_CHANNEL= + +# +# Used when logging to papertrail: +# Also used when audit logs log to papertrail: +# +PAPERTRAIL_HOST= +PAPERTRAIL_PORT= + +# Database credentials. Make sure the database exists. I recommend a dedicated user for Firefly III +# For other database types, please see the FAQ: https://docs.firefly-iii.org/references/faq/install/#i-want-to-use-sqlite +# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +# Use "pgsql" for PostgreSQL +# Use "mysql" for MySQL and MariaDB. +# Use "sqlite" for SQLite. +DB_CONNECTION=mysql +DB_HOST=db +DB_PORT=3306 +DB_DATABASE=firefly +DB_USERNAME=firefly +DB_PASSWORD=DB_PASSWORD_VALUE +# leave empty or omit when not using a socket connection +DB_SOCKET= + +# MySQL supports SSL. You can configure it here. +# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +MYSQL_USE_SSL=false +MYSQL_SSL_VERIFY_SERVER_CERT=true +# You need to set at least of these options +MYSQL_SSL_CAPATH=/etc/ssl/certs/ +MYSQL_SSL_CA= +MYSQL_SSL_CERT= +MYSQL_SSL_KEY= +MYSQL_SSL_CIPHER= + +# PostgreSQL supports SSL. You can configure it here. +# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +PGSQL_SSL_MODE=prefer +PGSQL_SSL_ROOT_CERT=null +PGSQL_SSL_CERT=null +PGSQL_SSL_KEY=null +PGSQL_SSL_CRL_FILE=null + +# more PostgreSQL settings +PGSQL_SCHEMA=public + +# If you're looking for performance improvements, you could install memcached or redis +CACHE_DRIVER=file +SESSION_DRIVER=file + +# If you set either of the options above to 'redis', you might want to update these settings too +# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or +# REDIS_PORT_FILE to set the value from a file instead of from an environment variable + +# can be tcp or unix. http is not supported +REDIS_SCHEME=tcp + +# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise. +REDIS_PATH= + +# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise. +REDIS_HOST=127.0.0.1 +REDIS_PORT=6379 + +# Use only with Redis 6+ with proper ACL set. Leave empty otherwise. +REDIS_USERNAME= +REDIS_PASSWORD= + +# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly. +REDIS_DB="0" +REDIS_CACHE_DB="1" + +# Cookie settings. Should not be necessary to change these. +# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set +# the value from a file instead of from an environment variable +# Setting samesite to "strict" may give you trouble logging in. +COOKIE_PATH="/" +COOKIE_DOMAIN= +COOKIE_SECURE=false +COOKIE_SAMESITE=lax + +# If you want Firefly III to email you, update these settings +# For instructions, see: https://docs.firefly-iii.org/how-to/firefly-iii/advanced/notifications/#email +# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +MAIL_MAILER=smtp +MAIL_HOST=mx.koval.net +MAIL_PORT=587 +MAIL_FROM=no-reply@koval.net +MAIL_USERNAME=no-reply@koval.net +MAIL_PASSWORD=SMTP_PASSWORD_VALUE +MAIL_ENCRYPTION=tls +MAIL_SENDMAIL_COMMAND= + +# Other mail drivers: +# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +MAILGUN_DOMAIN= +MAILGUN_SECRET= + +# If you are on EU region in mailgun, use api.eu.mailgun.net, otherwise use api.mailgun.net +# If you use Docker or similar, you can set this variable from a file by appending it with _FILE +MAILGUN_ENDPOINT=api.mailgun.net + +# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +MANDRILL_SECRET= +SPARKPOST_SECRET= + +# Firefly III can send you the following messages. +SEND_ERROR_MESSAGE=true + +# These messages contain (sensitive) transaction information: +SEND_REPORT_JOURNALS=true + +# Set this value to true if you want to set the location of certain things, like transactions. +# Since this involves an external service, it's optional and disabled by default. +ENABLE_EXTERNAL_MAP=false + +# +# Enable or disable exchange rate conversion. This function isn't used yet by Firefly III +# +ENABLE_EXCHANGE_RATES=false + +# Set this value to true if you want Firefly III to download currency exchange rates +# from the internet. These rates are hosted by the creator of Firefly III inside +# an Azure Storage Container. +# Not all currencies may be available. Rates may be wrong. +ENABLE_EXTERNAL_RATES=true + +# The map will default to this location: +MAP_DEFAULT_LAT=51 +MAP_DEFAULT_LONG=0 +MAP_DEFAULT_ZOOM=6 + +# +# Some objects have room for an URL, like transactions and webhooks. +# By default, the following protocols are allowed: +# http, https, ftp, ftps, mailto +# +# To change this, set your preferred comma separated set below. +# Be sure to include http, https and other default ones if you need to. +# +VALID_URL_PROTOCOLS= + +# +# Firefly III authentication settings +# + +# +# Firefly III supports a few authentication methods: +# - 'web' (default, uses built in DB) +# - 'remote_user_guard' for Authelia etc +# Read more about these settings in the documentation. +# https://docs.firefly-iii.org/how-to/firefly-iii/advanced/authentication/ +# +# LDAP is no longer supported :( +# +AUTHENTICATION_GUARD=web + +# +# Remote user guard settings +# +AUTHENTICATION_GUARD_HEADER=REMOTE_USER +AUTHENTICATION_GUARD_EMAIL= + +# +# Firefly III generates a basic keypair for your OAuth tokens. +# If you want, you can overrule the key with your own (secure) value. +# It's also possible to set PASSPORT_PUBLIC_KEY_FILE or PASSPORT_PRIVATE_KEY_FILE +# if you're using Docker secrets or similar solutions for secret management +# +PASSPORT_PRIVATE_KEY= +PASSPORT_PUBLIC_KEY= + +# +# Extra authentication settings +# +CUSTOM_LOGOUT_URL= + +# You can disable the X-Frame-Options header if it interferes with tools like +# Organizr. This is at your own risk. Applications running in frames run the risk +# of leaking information to their parent frame. +DISABLE_FRAME_HEADER=false + +# You can disable the Content Security Policy header when you're using an ancient browser +# or any version of Microsoft Edge / Internet Explorer (which amounts to the same thing really) +# This leaves you with the risk of not being able to stop XSS bugs should they ever surface. +# This is at your own risk. +DISABLE_CSP_HEADER=false + +# If you wish to track your own behavior over Firefly III, set valid analytics tracker information here. +# Nobody uses this except for me on the demo site. But hey, feel free to use this if you want to. +# Do not prepend the TRACKER_URL with http:// or https:// +# The only tracker supported is Matomo. +# You can set the following variables from a file by appending them with _FILE: +TRACKER_SITE_ID= +TRACKER_URL= + +# +# Firefly III supports webhooks. These are security sensitive and must be enabled manually first. +# +ALLOW_WEBHOOKS=false + +# +# The static cron job token can be useful when you use Docker and wish to manage cron jobs. +# 1. Set this token to any 32-character value (this is important!). +# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile +# +# For more info: https://docs.firefly-iii.org/how-to/firefly-iii/advanced/cron/ +# +# You can set this variable from a file by appending it with _FILE +# +STATIC_CRON_TOKEN=STATIC_CRON_TOKEN_VALUE + +# You can fine tune the start-up of a Docker container by editing these environment variables. +# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data. +# However if you know what you're doing you can significantly speed up container start times. +# Set each value to true to enable, or false to disable. + +# Set this to true to build all locales supported by Firefly III. +# This may take quite some time (several minutes) and is generally not recommended. +# If you wish to change or alter the list of locales, start your Docker container with +# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true` +# and make sure your preferred locales are in your own locale.gen. +DKR_BUILD_LOCALE=false + +# Check if the SQLite database exists. Can be skipped if you're not using SQLite. +# Won't significantly speed up things. +DKR_CHECK_SQLITE=true + +# Run database creation and migration commands. Disable this only if you're 100% sure the DB exists +# and is up to date. +DKR_RUN_MIGRATION=true + +# Run database upgrade commands. Disable this only when you're 100% sure your DB is up-to-date +# with the latest fixes (outside of migrations!) +DKR_RUN_UPGRADE=true + +# Verify database integrity. Includes all data checks and verifications. +# Disabling this makes Firefly III assume your DB is intact. +DKR_RUN_VERIFY=true + +# Run database reporting commands. When disabled, Firefly III won't go over your data to report current state. +# Disabling this should have no impact on data integrity or safety but it won't warn you of possible issues. +DKR_RUN_REPORT=true + +# Generate OAuth2 keys. +# When disabled, Firefly III won't attempt to generate OAuth2 Passport keys. This won't be an issue, IFF (if and only if) +# you had previously generated keys already and they're stored in your database for restoration. +DKR_RUN_PASSPORT_INSTALL=true + +# Leave the following configuration vars as is. +# Unless you like to tinker and know what you're doing. +APP_NAME=FireflyIII +BROADCAST_DRIVER=log +QUEUE_DRIVER=sync +CACHE_PREFIX=firefly +PUSHER_KEY= +IPINFO_TOKEN= +PUSHER_SECRET= +PUSHER_ID= +DEMO_USERNAME= +DEMO_PASSWORD= + +# +# The v2 layout is very experimental. If it breaks you get to keep both parts. +# Be wary of data loss. +# +FIREFLY_III_LAYOUT=v1 + +# +# Please make sure this URL matches the external URL of your Firefly III installation. +# It is used to validate specific requests and to generate URLs in emails. +# +APP_URL=https://finance.koval.net + +# MySQL +MYSQL_RANDOM_ROOT_PASSWORD=yes +MYSQL_USER=$DB_USERNAME +MYSQL_PASSWORD=$DB_PASSWORD +MYSQL_DATABASE=$DB_DATABASE diff --git a/infra/finance/firefly-iii/.gitignore b/infra/finance/firefly-iii/.gitignore new file mode 100644 index 0000000..fab02bf --- /dev/null +++ b/infra/finance/firefly-iii/.gitignore @@ -0,0 +1 @@ +!*.env diff --git a/infra/finance/firefly-iii/.importer.env b/infra/finance/firefly-iii/.importer.env new file mode 100644 index 0000000..82b02c9 --- /dev/null +++ b/infra/finance/firefly-iii/.importer.env @@ -0,0 +1,255 @@ +# Firefly Data Importer (FIDI) configuration file + +# Where is Firefly III? +# +# 1) Make sure you ADD http:// or https:// +# 2) Make sure you REMOVE any trailing slash from the end of the URL. +# 3) In case of Docker, refer to the internal IP of your Firefly III installation. +# +# Setting this value is not mandatory. But it is very useful. +# +# This variable can be set from a file if you append it with _FILE +# +FIREFLY_III_URL=http://app:8080 + +# +# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something). +# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/" +# +# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL. +# +# 1) Make sure you ADD http:// or https:// +# 2) Make sure you REMOVE any trailing slash from the end of the URL. +# +# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL +# +# This variable can be set from a file if you append it with _FILE +# +VANITY_URL=https://finance.koval.net + +# +# Set your Firefly III Personal Access Token (OAuth) +# You can create a Personal Access Token on the /profile page: +# go to the OAuth tab, then Personal Access Token and "Create token". +# +# - Do not use the "command line token". That's the WRONG one. +# - Do not use "APP_KEY" value from your Firefly III installation. That's the WRONG one. +# +# Setting this value is not mandatory. Instructions will follow if you omit this field. +# +# This variable can be set from a file if you append it with _FILE +# +FIREFLY_III_ACCESS_TOKEN= + +# +# You can also use a public client ID. This is available in Firefly III 5.4.0-alpha.3 and higher. +# This is a number (1, 2, 3). If you use the client ID, you can leave the access token empty and vice versa. +# +# This value is not mandatory to set. Instructions will follow if you omit this field. +# +# This variable can be set from a file if you append it with _FILE +# +FIREFLY_III_CLIENT_ID= + +# +# Nordigen information. +# The key and ID can be set from a file if you append it with _FILE +# +NORDIGEN_ID=NORDIGEN_ID_VALUE +NORDIGEN_KEY=NORDIGEN_KEY_VALUE +NORDIGEN_SANDBOX=false + +# +# Spectre information +# +# The ID and secret can be set from a file if you append it with _FILE +SPECTRE_APP_ID= +SPECTRE_SECRET= + +# +# Use cache. No need to do this. +# +USE_CACHE=false + +# +# If set to true, the data import will not complain about running into duplicates. +# This will give you cleaner import mails if you run regular imports. +# +# This means that the data importer will not import duplicates, but it will not complain about them either. +# +# This setting has no influence on the settings in your configuration(.json). +# +# Of course, if something goes wrong *because* the transaction is a duplicate you will +# NEVER know unless you start digging in your log files. So be careful with this. +# +IGNORE_DUPLICATE_ERRORS=false + +# +# Auto import settings. Due to security constraints, you MUST enable each feature individually. +# You must also set a secret. The secret is used for the web routes. +# +# The auto-import secret must be a string of at least 16 characters. +# Visit this page for inspiration: https://www.random.org/passwords/?num=1&len=16&format=html&rnd=new +# +# Submit it using ?secret=X +# +# This variable can be set from a file if you append it with _FILE +# +AUTO_IMPORT_SECRET= + +# +# Is the /autoimport even endpoint enabled? +# By default it's disabled, and the secret alone will not enable it. +# +CAN_POST_AUTOIMPORT=false + +# +# Is the /autoupload endpoint enabled? +# By default it's disabled, and the secret alone will not enable it. +# +CAN_POST_FILES=false + +# +# Import directory white list. You need to set this before the auto importer will accept a directory to import from. +# +# This variable can be set from a file if you append it with _FILE +# +IMPORT_DIR_ALLOWLIST= + +# +# If you import from a directory, you can save a fallback configuration file in the directory. +# This file must be called "_fallback.json" and will be used when your CSV or CAMT.053 file is not accompanied +# by a configuration file. +# +# This fallback configuration will only be used if this variable is set to true. +# https://docs.firefly-iii.org/how-to/data-importer/advanced/post/#importing-a-local-directory +# +FALLBACK_IN_DIR=false + +# +# When you're running Firefly III under a (self-signed) certificate, +# the data importer may have trouble verifying the TLS connection. +# +# You have a few options to make sure the data importer can connect +# to Firefly III: +# - 'true': will verify all certificates. The most secure option and the default. +# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates. +# - 'false': will verify NO certificates. Not very secure. +VERIFY_TLS_SECURITY=true + +# +# If you want, you can set a directory here where the data importer will look for import configurations. +# This is a separate setting from the /import directory that the auto-import uses. +# Setting this variable isn't necessary. The default value is "storage/configurations". +# +# This variable can be set from a file if you append it with _FILE +# +JSON_CONFIGURATION_DIR= + +# +# Time out when connecting with Firefly III. +# π*10 seconds is usually fine. +# +CONNECTION_TIMEOUT=31.41 + +# The following variables can be useful when debugging the application +APP_ENV=local +APP_DEBUG=false +LOG_CHANNEL=stack + +# +# If you turn this on, expect massive logs with lots of privacy sensitive data +# +LOG_RETURN_JSON=false + +# Log level. You can set this from least severe to most severe: +# debug, info, notice, warning, error, critical, alert, emergency +# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably +# nothing will get logged, ever. +LOG_LEVEL=debug + +# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy. +# Set it to ** and reverse proxies work just fine. +TRUSTED_PROXIES= + +# +# Time zone +# +TZ=Europe/London + +# +# Use ASSET_URL when you're running the data importer in a sub-directory. +# +ASSET_URL= + +# +# Email settings. +# The data importer can send you a message with all errors, warnings and messages +# after a successful import. This is disabled by default +# +ENABLE_MAIL_REPORT=false + +# +# Force Firefly III URL to be secure? +# +# +EXPECT_SECURE_URL=false + +# If enabled, define which mailer you want to use. +# Options include: smtp, mailgun, postmark, sendmail, log, array +# Amazon SES is not supported. +# log = drop mails in the logs instead of sending them +# array = debug mailer that does nothing. +MAIL_MAILER=smtp + +# where to send the report? +MAIL_DESTINATION=gleb+fireflyiii@koval.net + +# other mail settings +# These variables can be set from a file if you append it with _FILE +MAIL_FROM_ADDRESS=no-reply@koval.net +MAIL_HOST=smtp.mailtrap.io +MAIL_PORT=587 +MAIL_USERNAME=no-reply@koval.net +MAIL_PASSWORD=SMTP_PASSWORD_VALUE +MAIL_ENCRYPTION=tls + +# Extra settings depending on your mail configuration above. +# These variables can be set from a file if you append it with _FILE +MAILGUN_DOMAIN= +MAILGUN_SECRET= +MAILGUN_ENDPOINT= +POSTMARK_TOKEN= + +# +# You probably won't need to change these settings. +# +BROADCAST_DRIVER=log +CACHE_DRIVER=file +QUEUE_CONNECTION=sync +SESSION_DRIVER=file +SESSION_LIFETIME=120 +IS_EXTERNAL=false + +REDIS_HOST=127.0.0.1 +REDIS_PASSWORD=null +REDIS_PORT=6379 + +# always use quotes +REDIS_DB="0" +REDIS_CACHE_DB="1" + +# The only tracker supported is Matomo. +# This is used on the public instance over at https://data-importer.firefly-iii.org +TRACKER_SITE_ID= +TRACKER_URL= + +APP_NAME=DataImporter + +# +# The APP_URL environment variable is NOT used anywhere. +# Don't bother setting it to fix your reverse proxy problems. It won't help. +# Don't open issues telling me it doesn't help because it's not supposed to. +# Laravel uses this to generate links on the command line, which is a feature the data importer does not use. +# +APP_URL=http://localhost diff --git a/infra/finance/firefly-iii/docker-compose.yaml b/infra/finance/firefly-iii/docker-compose.yaml new file mode 100644 index 0000000..fc73c48 --- /dev/null +++ b/infra/finance/firefly-iii/docker-compose.yaml @@ -0,0 +1,42 @@ +version: "3" + +services: + app: + image: fireflyiii/core:latest + restart: unless-stopped + volumes: + - firefly_iii_upload:/var/www/html/storage/upload + env_file: .env + ports: + - 80:8080 + depends_on: + - db + db: + image: mariadb:lts + restart: unless-stopped + env_file: .env + volumes: + - firefly_iii_db:/var/lib/mysql + + importer: + image: fireflyiii/data-importer:latest + restart: unless-stopped + ports: + - 81:8080 + depends_on: + - app + env_file: .importer.env + + cron: + # + # To make this work, set STATIC_CRON_TOKEN in your .env file or as an environment variable and replace REPLACEME below + # The STATIC_CRON_TOKEN must be *exactly* 32 characters long + # + image: alpine + restart: unless-stopped + env_file: .env + command: sh -c "echo \"0 3 * * * wget -qO- http://app:8080/api/v1/cron/$STATIC_CRON_TOKEN\" | crontab - && crond -f -L /dev/stdout" + +volumes: + firefly_iii_upload: + firefly_iii_db: diff --git a/inventory/proxmox.yaml b/inventory/proxmox.yaml index ced713a..e38e2c4 100644 --- a/inventory/proxmox.yaml +++ b/inventory/proxmox.yaml @@ -23,6 +23,9 @@ proxmox: samba: hosts: samba.srv.home.local.koval.net: + finance: + hosts: + finance.srv.home.local.koval.net: vars: ansible_user: debian ansible_ssh_private_key_file: ~/.ssh/id_rsa