Set up wger

ansible/roles/wger/files/nginx.conf

@@ -0,0 +1,28 @@
+upstream wger {
+    server web:8000;
+}
+
+server {
+
+    listen 80;
+
+    location / {
+        proxy_pass http://wger;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_redirect off;
+    }
+
+    location /static/ {
+        alias /wger/static/;
+    }
+
+    location /media/ {
+        alias /wger/media/;
+    }
+
+    # Increase max body size to allow for video uploads
+    client_max_body_size 100M;
+}

ansible/roles/wger/tasks/main.yml

@@ -0,0 +1,60 @@
+- name: Create install directory
+  file:
+    path: "{{ install_directory }}/{{ role_name }}"
+    state: directory
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Create database data directory
+  file:
+    path: "{{ data_dir }}/postgres/{{ role_name }}"
+    state: directory
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Create redis data directory
+  file:
+    path: "{{ data_dir }}/redis/{{ role_name }}"
+    state: directory
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Create data and config directories
+  file:
+    path: "{{ data_dir }}/{{ role_name }}/{{ item }}"
+    state: directory
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  loop:
+    - config
+    - static
+    - media
+    - celery-beat
+
+- name: Install wger config file (templatized)
+  template:
+    src: prod.env
+    dest: "{{ data_dir }}/{{ role_name }}/config/prod.env"
+
+- name: Install config files
+  copy:
+    src: ./
+    dest: "{{ data_dir }}/{{ role_name }}/config"
+
+- name: Copy docker-compose file to destination
+  template:
+    src: docker-compose.yml
+    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_file_mask }}"
+    validate: docker compose -f %s config
+  become: true
+
+- name: Start docker container
+  community.docker.docker_compose_v2:
+    project_src: "{{ install_directory }}/{{ role_name }}"
+    pull: always
+    remove_orphans: yes

ansible/roles/wger/templates/docker-compose.yml

@@ -0,0 +1,134 @@
+version: "3.9"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  web:
+    image: wger/server:latest
+    depends_on:
+      db:
+        condition: service_healthy
+      cache:
+        condition: service_healthy
+    networks:
+      - default
+    env_file:
+      - /mnt/tank/appdata/wger/config/prod.env
+    volumes:
+      - /mnt/tank/appdata/wger/static:/home/wger/static
+      - /mnt/tank/appdata/wger/media:/home/wger/media
+    expose:
+      - 8000
+    healthcheck:
+      test: wget --no-verbose --tries=1 --spider http://localhost:8000
+      interval: 10s
+      timeout: 5s
+      start_period: 300s
+      retries: 5
+    restart: unless-stopped
+
+  nginx:
+    image: nginx:stable
+    depends_on:
+      - web
+    networks:
+      - traefik
+      - default
+    volumes:
+      - /mnt/tank/appdata/wger/config/nginx.conf:/etc/nginx/conf.d/default.conf
+      - /mnt/tank/appdata/wger/static:/wger/static:ro
+      - /mnt/tank/appdata/wger/media:/wger/media:ro
+    healthcheck:
+      test: service nginx status
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.wger.rule: "Host(`wger.mjwilson.org`)"
+      #traefik.http.services.wger.loadbalancer.server.port: 8000
+      #traefik.http.routers.wger.middlewares: lan-whitelist@file
+
+  db:
+    image: postgres:15-alpine
+    environment:
+      - POSTGRES_USER=wger
+      - POSTGRES_PASSWORD=wger
+      - POSTGRES_DB=wger
+      - TZ=Europe/Berlin
+    networks:
+      - default
+    volumes:
+      - /mnt/tank/appdata/postgres/wger:/var/lib/postgresql/data/
+    expose:
+      - 5432
+    healthcheck:
+      test: pg_isready -U wger
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    restart: unless-stopped
+
+  cache:
+    image: redis
+    expose:
+      - 6379
+    networks:
+      - default
+    volumes:
+      - /mnt/tank/appdata/wger/config/redis.conf:/usr/local/etc/redis/redis.conf
+      - /mnt/tank/appdata/redis/wger/data:/data
+    command: [ "redis-server", "/usr/local/etc/redis/redis.conf"]
+    healthcheck:
+      test: redis-cli ping
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    restart: unless-stopped
+
+    # You probably want to limit the memory usage of the cache, otherwise it might
+    # hog all the available memory. Remove or change according to your needs.
+    #mem_limit: 2gb
+
+  celery_worker:
+    image: wger/server:latest
+    command: /start-worker
+    networks:
+      - default
+    env_file:
+      - /mnt/tank/appdata/wger/config/prod.env
+    volumes:
+      - /mnt/tank/appdata/wger/media:/home/wger/media
+    depends_on:
+      web:
+        condition: service_healthy
+    healthcheck:
+      test: celery -A wger inspect ping
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+
+  celery_beat:
+    image: wger/server:latest
+    command: /start-beat
+    networks:
+      - default
+    volumes:
+      - /mnt/tank/appdata/wger/celery-beat:/home/wger/beat/
+    env_file:
+      - /mnt/tank/appdata/wger/config/prod.env
+    depends_on:
+      celery_worker:
+        condition: service_healthy
+
+
+  # Heads up, if you remove these volumes and use folders directly you need to chown them
+  # to the UID and GID 1000 even if it doesn't exist on your system. Also, they should
+  # be readable by everyone.

ansible/roles/wger/templates/prod.env

@@ -0,0 +1,172 @@
+SECRET_KEY="{{ DJANGO_SECRET }}"
+SIGNING_KEY="{{ JWT_SECRET }}"
+
+TIME_ZONE=America/New_York
+TZ=America/New_York
+
+CSRF_TRUSTED_ORIGINS="https://wger.{{ personal_domain }}"
+X_FORWARDED_PROTO_HEADER_SET=True
+
+MEDIA_URL="https://wger.{{ personal_domain }}/media/"
+STATIC_URL="https://wger.{{ personal_domain }}/static/"
+
+#
+# These settings usually don't need changing
+#
+
+#
+# Application
+WGER_INSTANCE=https://wger.de # Wger instance from which to sync exercises, images, etc.
+ALLOW_REGISTRATION=True
+ALLOW_GUEST_USERS=True
+ALLOW_UPLOAD_VIDEOS=True
+# Users won't be able to contribute to exercises if their account age is
+# lower than this amount in days.
+MIN_ACCOUNT_AGE_TO_TRUST=21
+# Synchronzing exercises
+# It is recommended to keep the local database synchronized with the wger
+# instance specified in WGER_INSTANCE since there are new added or translations
+# improved. For this you have different possibilities:
+# - Sync exercises on startup:
+# SYNC_EXERCISES_ON_STARTUP=True
+# DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP=True
+# - Sync them in the background with celery. This will setup a job that will run
+#   once a week at a random time (this time is selected once when starting the server)
+SYNC_EXERCISES_CELERY=True
+SYNC_EXERCISE_IMAGES_CELERY=True
+SYNC_EXERCISE_VIDEOS_CELERY=True
+# - Manually trigger the process as needed:
+#   docker compose exec web python3 manage.py sync-exercises
+#   docker compose exec web python3 manage.py download-exercise-images
+#   docker compose exec web python3 manage.py download-exercise-videos
+
+# Synchronzing ingredients
+# You can also syncronize the ingredients from a remote wger instance, and have
+# basically the same options as for the ingredients:
+# - Sync them in the background with celery. This will setup a job that will run
+#   once a week at a random time (this time is selected once when starting the server)
+SYNC_INGREDIENTS_CELERY=True
+# - Manually trigger the process as needed:
+#   docker compose exec web python3 manage.py sync-ingredients
+
+# This option controls whether to download ingredients and their images from the
+# configured wger instance. When scanning products with the barcode scanner, it is
+# possible to dynamically fetch the ingredient if it is not known in the local database.
+# Possible values: WGER or None. Requires USE_CELERY to be set to true.
+DOWNLOAD_INGREDIENTS_FROM=WGER
+
+# Whether celery is configured and should be used. Can be left to true with
+# this setup but can be deactivated if you are using the app in some other way
+USE_CELERY=True
+
+#
+# Celery
+CELERY_BROKER=redis://cache:6379/2
+CELERY_BACKEND=redis://cache:6379/2
+CELERY_FLOWER_PASSWORD=adminadmin
+
+#
+# Database
+DJANGO_DB_ENGINE=django.db.backends.postgresql
+DJANGO_DB_DATABASE=wger
+DJANGO_DB_USER=wger
+DJANGO_DB_PASSWORD=wger
+DJANGO_DB_HOST=db
+DJANGO_DB_PORT=5432
+DJANGO_PERFORM_MIGRATIONS=True # Perform any new database migrations on startup
+
+#
+# Cache
+DJANGO_CACHE_BACKEND=django_redis.cache.RedisCache
+DJANGO_CACHE_LOCATION=redis://cache:6379/1
+DJANGO_CACHE_TIMEOUT=1296000 # in seconds - 60*60*24*15, 15 Days
+DJANGO_CACHE_CLIENT_CLASS=django_redis.client.DefaultClient
+# DJANGO_CACHE_CLIENT_PASSWORD=abcde... # Only if you changed the redis config
+# DJANGO_CACHE_CLIENT_SSL_KEYFILE=/path/to/ssl_keyfile # Path to an ssl private key.
+# DJANGO_CACHE_CLIENT_SSL_CERTFILE=/path/to/ssl_certfile # Path to an ssl certificate.
+# DJANGO_CACHE_CLIENT_SSL_CERT_REQS=<none | optional | required> # The string value for the verify_mode.
+# DJANGO_CACHE_CLIENT_SSL_CHECK_HOSTNAME=False # If set, match the hostname during the SSL handshake.
+
+#
+# Brute force login attacks
+# https://django-axes.readthedocs.io/en/latest/index.html
+AXES_ENABLED=True
+AXES_FAILURE_LIMIT=10
+AXES_COOLOFF_TIME=30 # in minutes
+AXES_HANDLER=axes.handlers.cache.AxesCacheHandler
+AXES_LOCKOUT_PARAMETERS=ip_address
+AXES_IPWARE_PROXY_COUNT=1
+AXES_IPWARE_META_PRECEDENCE_ORDER=HTTP_X_FORWARDED_FOR,REMOTE_ADDR
+#
+# Others
+DJANGO_DEBUG=False
+WGER_USE_GUNICORN=True
+EXERCISE_CACHE_TTL=18000 # in seconds - 5*60*60, 5 hours
+SITE_URL=http://localhost
+
+#
+# JWT auth
+ACCESS_TOKEN_LIFETIME=10 # The lifetime duration of the access token, in minutes
+REFRESH_TOKEN_LIFETIME=24 # The lifetime duration of the refresh token, in hours
+
+#
+# Auth Proxy Authentication
+#
+# Please read the documentation before enabling this feature:
+# https://wger.readthedocs.io/en/latest/administration/auth_proxy.html
+AUTH_PROXY_HEADER=''
+AUTH_PROXY_TRUSTED_IPS=''
+AUTH_PROXY_CREATE_UNKNOWN_USER=False
+AUTH_PROXY_USER_EMAIL_HEADER=''
+AUTH_PROXY_USER_NAME_HEADER=''
+
+#
+# Other possible settings
+
+# Recaptcha keys. You will need to create an account and register your domain
+# https://www.google.com/recaptcha/
+# RECAPTCHA_PUBLIC_KEY=abcde...
+# RECAPTCHA_PRIVATE_KEY=abcde...
+USE_RECAPTCHA=False
+
+# Clears the static files before copying the new ones (i.e. just calls collectstatic
+# with the appropriate flag: "manage.py collectstatic --no-input --clear"). Usually
+# This can be left like this but if you have problems and new static files are not
+# being copied correctly, clearing everything might help
+DJANGO_CLEAR_STATIC_FIRST=False
+
+#
+# Email
+# https://docs.djangoproject.com/en/4.1/topics/email/#smtp-backend
+# ENABLE_EMAIL=False
+# EMAIL_HOST=email.example.com
+# EMAIL_PORT=587
+# EMAIL_HOST_USER=username
+# EMAIL_HOST_PASSWORD=password
+# EMAIL_USE_TLS=True
+# EMAIL_USE_SSL=False
+FROM_EMAIL='wger Workout Manager <wger@example.com>'
+
+# Set your name and email to be notified if an internal server error occurs.
+# Needs a working email configuration
+# DJANGO_ADMINS=your name,email@example.com
+
+# Whether to compress css and js files into one (of each)
+# COMPRESS_ENABLED=True
+
+#
+# Django Rest Framework
+# The number of proxies in front of the application. In the default configuration
+# only nginx is. Change as approtriate if your setup differs. Also note that this
+# is only used when throttling API requests.
+NUMBER_OF_PROXIES=1
+
+#
+# Gunicorn
+#
+# Additional gunicorn options, change as needed.
+# For the number of workers to spawn, a usually recommended value is (2 x $num_cores) + 1
+# see:
+#   - https://docs.gunicorn.org/en/stable/settings.html
+#   - https://github.com/wger-project/wger/blob/master/extras/docker/production/entrypoint.sh#L95
+GUNICORN_CMD_ARGS="--workers 3 --threads 2 --worker-class gthread --proxy-protocol True --timeout 240"

ansible/roles/wger/vars/main.yml

@@ -0,0 +1,16 @@
+DJANGO_SECRET: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64326466343139613339363438386534363564626662366266353732383831613735613130666663
+  6464623832646233653332313434303939666633613261640a393132616662326637356263373966
+  30623465363333306430636462653738353737376635393366623162383437343430336163373832
+  3931363133376466330a373565353636353932653436306165303664366539333263626566393436
+  35386366633735373137616238303462616162636362306563343064383764383136
+
+JWT_SECRET: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  36306265373261313533313237653432663230666162373062373166323061373932366434616532
+  6538393830396535633434373530626566316538313732620a636439363632666430613938326164
+  36363432363361653665303965353566623861323331306630316265633430616266363462636362
+  6132636138306335620a393662663431623566663165383362663138356237343063363239353063
+  61336633373963356533396132316432356534373930613434326235346639326634
+