Merge remote-tracking branch 'origin/master' into gandi-dns

Jake Howard 2025-04-06 09:15:14 +01:00
commit de3a9228c7
Signed by: jake
GPG key ID: 57AFB45680EDD477
132 changed files with 789 additions and 545 deletions


@ -5,6 +5,7 @@ ignore: |
ansible/galaxy_collections
ansible/group_vars/all/vps-hosts.yml
ansible/roles/traefik/files/traefik.yml
ansible/roles/forgejo_runner/files/config.yml
env
rules:


@ -13,3 +13,4 @@ exclude_paths:
- galaxy_collections/
- ~/.ansible
- roles/traefik/files/traefik.yml
- roles/forgejo_runner/files/config.yml


@ -5,8 +5,11 @@ retry_files_enabled = False
roles_path = $PWD/galaxy_roles:$PWD/roles
collections_path = $PWD/galaxy_collections
inventory = ./hosts
become_ask_pass = True
interpreter_python = auto_silent
[privilege_escalation]
become = True
become_ask_pass = True
[ssh_connection]
pipelining = True
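Review bot: `become = True` under `[privilege_escalation]` makes root the default for every task in every play, so any task or third-party Galaxy role that does not need root now gets it unless it opts out. The page has lost its +/- markers, so this assumes the `[privilege_escalation]` block is the new side and replaces the per-task `become: true` lines dropped elsewhere in the commit. Only the tailscale play visibly opts out with `become: false`; consider doing the same for other plays or tasks that only touch user-owned files. Recording the intent here would help, for example `# Root by default; set become: false on plays/tasks that do not need it`.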


@ -1,4 +1,4 @@
ansible-lint==24.5.0
yamllint==1.33.0
ansible-lint==25.1.1
yamllint==1.35.1
ansible
passlib


@ -7,6 +7,8 @@ server {
server_name {{ server_name }};
set $upstream {{ upstream }};
access_log /var/log/nginx/{{ server_name|split|first }}.log main;
ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;


@ -8,15 +8,15 @@ collections:
roles:
- src: geerlingguy.docker
version: 7.3.0
version: 7.4.3
- src: geerlingguy.ntp
version: 2.5.0
version: 2.6.0
- src: realorangeone.reflector
- src: ironicbadger.proxmox_nag_removal
version: 1.0.2
- src: ironicbadger.snapraid
version: 1.0.0
- src: geerlingguy.certbot
version: 5.1.0
version: 5.2.1
- src: artis3n.tailscale
version: v4.5.0


@ -8,4 +8,4 @@ tailscale_port: 41641
tailscale_nodes:
casey:
ip: 100.64.0.1
ip: 100.64.0.6


@ -1,44 +1,43 @@
$ANSIBLE_VAULT;1.1;AES256
30343832393233616534663738346461303836323930373663613438353339353433636530323132
3139396237376638376536653263346165323066623864650a666264643966386463353161306664
61393739636336343338656635303462656232356162616666343238336161613730626363616133
3663623465366130640a306164396662343262623065366431306163636564646136653730306434
38346633376533646638396164613837663437356266646430373731383161626336373837303539
37373939393431336435636336663739633335326430373864653831613964646137323136303634
62346237313061356630323335306366643131366565343566376666643161666136376337666335
30633262616666326464326436623136366639363930663061343434396138366336646538363135
32393061663530333532666331376661623137343635646265613364346531383635366363613265
65366265666538396438643130396437636562653538303634316465623136333036646432383735
31643364323265363731383665316338366139343130346536303538623565633662653062323531
38323630623231633032386663343736616566303166386433633062653530386561366661653663
63353537623339323134386162376366313132393631613931663738356430623337333262633838
31316362666639326365663164626263356464623139376166333962356238353637623431623137
63633361336161373564306631646638386537303238616239646234646332393536316437336466
61666235343466333539363566613530313761326161346464356363633330373862653033303936
30666335633663393565303835306662666462633130353163383663333062633731306262613532
33303866643334343535663632353235313262623231656536313636646564653636396663326632
65353434633135363630356464636130303262363436633761353161356636646361626165316563
31666165646135643961383032313532623431376531393231613436376337386537393466343036
30633262316439303636393739393462653938313965643137373266323465663164653365376537
30333361626335623836303463613734663138396535656664353730383933386530346130353064
39653939623261306134323961353562623834333738613338396461343761346461386338333265
65343932623634663033623163666663303735656633663236366235343066336162303136373332
64383430653863333238656565383762623962636431323033396234646665616430383561366331
32643230303962623633663632376566626534633935653832656263333236396366653035633561
61646161356132383733636639653163346466316230303763623666376238653964376363656539
63386238373266653732316539643261363662356261383834636637373639656137303935613663
62653433646366326331636464303537386161383832376164303738353134653138393137313438
63376262343335313832306466313338396266386535373465313765356638396665356332363539
32643266636633343332653139636330656331313938613833333662666638366534346235613164
39373431336637633936376632303131306339653131636163303539653862326566663239646366
63643936343138663461303530623863663763633235373337616331326361386561663633373362
31623234353832373961306663633262396437336665616335643064656534306136636236633662
37646363386564336136396166306630653735313137373266326662376663626139373064326536
39666633666262666263663265626634346333316466366661313538383734636361376261663333
30636466306661353034623863616635666433646239343339613130633834303362633835366234
65346632636166393664333266333266313062313734323239666239396364623162363861613661
62623732633735666164663138323961666131656336633362373730306631633939343435323633
31363834393365303530313837356264633262643264393639306236303163353933303830393566
62316164393231326139623833666639623637616238383236303933323964386664623961336634
39363062613439666433623863613435626133303032393938613934353562356436656564336339
643332616661636236363164623461623466
64303132366363396166373735383831343938666662306631666633623662336665393763656266
6535356334376336386330383938656530313936633961330a333765376264663866613064653838
37653362666336343938376438656463663734343164616264326561316165343961363465303030
3865306435626432360a323739346631663032316537386166366430656261306466303931646462
36393636343962326233336132633464653836306633313132303165383138656138656530383031
62393833386536626362373236366136386139363461636232633539623931646236366236623763
37373031333032663066373934376565636333636134343436653135343037333335616136303239
63646537343561623634636230653463323665356466363564373462383435326439616236376166
37613535386137356561383732656565646663393762623764643536636633633363386436343834
39373133643930353037636530643065646565353637663931363266333934623532366436333430
33366337343436316563633133313031616233306263393237623034333364623932373631313338
37663566313837616532353665613331393637663233386366363133623536326137386538663166
63323536376135393838646261353630346232396536616263333664653061383934663337653335
62353637613439393764313035373363306332636532373939326464343562303230316435633138
39326166303761393162613962626137666465363661396534653334343864313762333533396166
61643832306362666261376336613665333031303331373363653962636266663139303064643834
35316332323466356230353833326332643962653433316366313534393263383033336636373863
63386463626666366663303764336337623036313632353063343732623034643466663837653731
64373930623132653463383964636239656139333530366434303261333837613834373536313965
33616631373230626538343135386661623535306334656166623434666533363838613436656364
33636135356433636466393764633761393231353131303636336264366233353137386234613961
61613632353838383035613233653730643638336266663466396332376335306636313131313065
39336664653435653832376331336666303361313235643665333739393937353161386531666261
65663264363862363138366134633335353639313865613165623131313933323935353735396630
39663230353433333237333633303932353062383435393565633932376361396136326133643463
33313062353338323539333732346130636261646430623035303930393037373236616262393762
38386236343163653161376237653064646362653062373432393539653664613236663434643432
31356339363039636336303039386132343761653564653333383935383939633562383034336462
63326239386166366565626363316536646131653166373566653065313263366234643639343366
62373763333738336164313632623265323365393062316334383964326235313733643438346464
31356433303930663130343433316332663565383838623362653332373236373030363664363865
61343265396562336533663731303534663031323264333863393436393262306665633263356362
31623736363833326130663135626166386565316661353439623134393331616466383861303234
64366231623531613336323834623139663333393963353764653262666536633165653836306439
62346431636161326631613464636634386233386132643564616266313366393236303538343138
34353739623763323339333266343861336164393835633835646433633665383161663163643830
35626431656336326139643461333765303837393234383462663432613533643933323137333866
38333964313964356634316636623938616639343030323763646230346135643536613537616135
30366431343161613534656238646565333666323062323563313936313433666634303931383532
64613930306362373536366531633763393766333932633965663964643765613961663833643830
64316466636366663765623538343133636635363762626564303935626437656336666435303334
3165653833396332353339343562313033393666393565616161


@ -1,3 +1,4 @@
private_ip: "{{ ansible_tailscale0.ipv4.address }}"
nginx_https_redirect: true
certbot_certs:


@ -1,9 +1,21 @@
$ANSIBLE_VAULT;1.1;AES256
30643138356634323666316163396138663836316261363966636335366534336330616635383663
6461393538346263363164613930396266323930626335370a306165306663336538316163666364
65383835386635336433393162613031386334646632666638613162623434646531356533346132
3162373933336365660a353163316338303630633761336238363966376336643838616135303231
32646530376561326635633563393066656232363734653464326665396236656232613362333461
39393134626466656561346138633362653732333639333765303961383365623737666164326532
66356263326366323435623834306439633061386364633132613362386663633733386637363266
31393438326531353265
65613137336266343033333338323734396266363431356166316233646663383039336634343936
3939353039396237396432336361653838323161356330360a393962313733363734323666666361
34303239633739383432323337356535613636376466323931323237626264333534626566386630
3839613338316530360a396364363163623633333362636238316463313732613562386161306661
38396361393837613137633830636333653565323331643937323863383963383739623235656636
30393033393031393733653335633462383062613039613332653466313439366161303533366264
39626132643534366639623230383233353332363836356132363130306637653465633663333665
34656636316439626230663037656130346635636232336561346361396166643465313565363963
32303962386635653264306530653132353238356336656634363136323564313261336638376136
63306333303763633362663238396434663066386235666163383135353232633236623832356439
62613664663164363838303531326363623465343036656530663562323231613737383464303664
35646137373233643966323363623961393361316463313464666261653636623937646464613133
39363863643835316330626435343166363931613430303966383263663639646463616133363463
33346665616263666635306162383333313063636364623838306462303438373832333965633236
61346161376161353736633332386538643839333261646432323466653962653964643438323130
64663133346564336334653430616363643662313732356634353764613466346638353833316332
31323364356265313263383138626234343239383063373066613666663330653431346630393937
34636464383766623662623136636363316530643534306366616333396465636264616531363863
33616237386132373034346132333766343030313039336531613837366265346539366264303634
65383731656130373464


@ -1 +1,2 @@
private_ip: "{{ ansible_tailscale0.ipv4.address }}"
nginx_https_redirect: true


@ -5,4 +5,4 @@ restic_backup_locations:
- /mnt/home-assistant
- /home/rclone/sync
restic_forget: true
restic_dir: ""


@ -1,17 +1,26 @@
$ANSIBLE_VAULT;1.1;AES256
32353739643531336665636334646135323336353562316362333266316263653364656132643661
3736386461316563376134326638376261323734663032630a306530636166666561343264393266
62326437343637363038646632396461303365646466666666386432306134313562356538623133
6561323739386337630a623835656239633866666333616664366339333232303031343561633239
62636636623462316536333334306562626637643936623963376663326164333962646134376566
62646336353937316238333036376232323834346530626136316233626166326231633330646266
36653263636266626233313263346263633734386339386664323331363263306465626165336337
38653766366530373230623334386234303461336133323663626439383530373966363830633364
37336635356334633338633161356161353133656633386563393363303064613761306137323261
34626164663936306665613861343039666330613263303932333766306663616134316566313963
66653263643134343363353637343636633936343165363934376537343538643434376434336633
31613339613035633335643034336265376630326662393865626336303261363130333637643162
32383863313139663066363766613865653966613430616631346432623164366663313838363164
37613863326433653531656139633533353539366563653532626534346165626535643434333861
34306433373134376137633836666162663130623130353062316439303466393035633636386234
38333132376361376363
37616635326362383437633735343430663563653561636338646666323631333135313465623933
6363373730633062343966663735376666623439633139650a323537313831386537383133336461
63353034663931363663383766653465386335383238306636666531353062316263356362386230
3330356164373731390a363439656564666364323530363464623736313165353465346163623037
62383238386330623662343835306563353831396666643862653965323438373332363364383333
35343230396564343161393963666438613865316137356139393361636661373335303735323664
36383632643534623237353562386638336533626362636363396635393533656631326337383465
32633239643464353465626165393261323033623062313930353764386465623332613534613636
39613563623135306232356235613862353437393062646464633732383735343362316462326561
34346262656461643237353366303138653764363337343439656330393833333233386436646661
62343631323035613132656665636661643162323632323363396362306266323631343161316230
34666363383861323231353734336165393335646537326162343430653337653739376232343033
63663731653836393232323731323965643262653836353565383261393539616536346237323166
36633339303038613635333537393933383732303332366366326666343066316337383535333566
65396636666238616339633839323763383732326364386138306439353030396561336262306632
32383934383463326532363235333062363631363131616466316638366631663930366461393564
31646330386161626463633931363439366433646439363035396364366332346339623661333562
37633136343838666338356533643230393331636136333931653937363731623434653364393464
31623937656231363262343366343565616134313466313835636139306164393638626263623833
62623564396232373565393131366366383335366631373031656235326365373137613031653665
35616265663064363832623132356365643065343830306539646635383737666231343830323261
66633032373737653966623930386661386634316339303762383431613332643134323731636563
34313832623430623964626139306535323139346162626332366438623630356639616630376230
34656138323234386238373036363335353430366139363964323437623833653361613333383537
6466


@ -2,4 +2,4 @@ ssh_extra_allowed_users: jake
private_ip: "{{ ansible_default_ipv4.address }}"
restic_backup_locations:
- /var/lib/adguardhome/
- /var/lib/private/adguardhome/


@ -1,9 +1,21 @@
$ANSIBLE_VAULT;1.1;AES256
62623062666237373636616333623434363662316639633962363833303663376331346338363365
6633336638623237396134613033346665313964613538320a656134323135613834316462366161
36633062623031306562313233356536643132346466376435303031333331643936613036616236
3231613336396135340a376339396663343837353139393062353530626566626566366439353762
37376236376437393863633730643531323762336536633034353132356266373361613434326333
39663562353337666435653435623563383630383537663633336437613262323733363766666539
66373538386163303731663331666138656435343436613633323766366261316337373830653837
64313133396532376436
66303032306566656332616563633936393036326332646664366430383635363534363037303065
3164383833353062633336313163336364616230653338390a636234663832636666623864623464
65373739396235383536363631326333623533613064303961333637613664386161656432613638
3466623664326632310a363338363433323132626537396665333766366161393832663537623837
62626166353230626334633735323164316663353936303439656336653130613963666530356630
31346465663437663630663839613530323064383066323633363435616431346231396130383032
32623730376363353938663834346665333133666661303162323030623462633234363139626633
36623039363838646336623464313662333962326335653561383633306263366130366362626466
33633366653036363935316239396161323663393263323435313032363862326637663732663839
34663432663333666666303538623566633330313037623662616565373733636432373430333436
65386331623439313066613437396566643062333062666437363365363134626333353332393534
38343764383036343836346439363162363733646335616136616463396635323239636264303735
34393533643730343432316661633736653161396161343431623862353136313035353933666537
34346330663866323864666366363030613663643363346433303266643434643239643062303632
30306638303534633833626532653462663337376435626533316230323638653861393130343763
35376331333135343130303062333436643639353733653862383732363030396432386461346632
30653230616231666665383564346565656461613561666139393234626263656137343530353136
36376561333833633435353861336538636633633064633739313831366633633861303437306234
39353538323563396632353936316330643961636665356439376666346135323563663631653365
35633533643731373861


@ -1,12 +1,25 @@
$ANSIBLE_VAULT;1.1;AES256
65616232306563653238306536316238353432656365303665343830323833376436303231646230
6633613632646639326266333639663734326135373165660a616534353763643737646363363635
35316462343935666362313735376164343238313564366232346330313565613039643735626535
3335366566303730640a656665323266386430383263326161376435663062353763396264316462
62663166326262633437643065396132326366646331323330316565626637656632643162636563
63623563386164333638633638633061616266316333336133313166373639643633643631386136
39633565343862333134323737393761323365636534303863646233646639636437656335633836
66356237386162316365376238343430373866623463633635383634383336393264363364663139
32613761643030343764396339386538333663376633646332613330373838343137373833643235
61303762336132326339363366623231366565316139383561656364376564336230346533323638
626365336439666234343531666266646437
61616639316338623739306163363831303664633965666134373335353038323065306538303465
3462346437303139393738613031363637383731333438630a393862353436376264386264626531
37326431643130373566633431313431653538636662623135386364373634373761303365646564
3735633436323231390a386661336431656266616136626261373132393862386163396336643366
31366463656363363363666438653762653332313336303561313961393236613065303966386535
34396239366138613330366361323562663132343762333536646131643466643533303163636139
34626135613731653033313236386162613037386464613531633063656564336566386461666639
65653635326232643937313465343763326464613231383932393262323062316136353538626464
31383361643164303330653531333439613665313136393833366334323931373963313033646163
37363231616232353565636634646235383564356461393831323430363965333265656166363265
62353130323939313931316430393636336634323930376337373130363362396561373835633731
30383633333864623336353937623438616562346361626333306162626331326635363365353939
32636637396461396662626633323034383034353630633565363439636261333063306638373063
63363932623635393465336132343337633765646339376638326635373930353734666461636538
39613538313462633836343664333034326436336139343865643135383736656132343866663263
64323562383963396237383537306261643331646533616233326435386164336237316462623438
30623662303835653039393739396535613264373031336637616165333837343939363564613339
37633831653361373038643438623732323535653230626364653936383736363364313632656538
63646361323733656362366433353136643038643039633231326638346636653861616437653562
65343237623039386339326564316333636362376266316661333632313034366565383139323564
30343531333038323438393461326335386439373365323031366562363966616437616265386234
33646562626564386639376130623366303063313739343435656434356230636630333834666433
35663035663137666537633335613737383563356266336433396531366166313435653934663433
63646162663563643962


@ -9,12 +9,10 @@
- hosts: casey
roles:
- nginx
- role: geerlingguy.certbot
become: true
- geerlingguy.certbot
- gateway
- headscale
- restic
- artis3n.tailscale
- glinet_vpn
- hosts:
@ -25,7 +23,6 @@
- tang
roles:
- role: geerlingguy.ntp
become: true
vars:
ntp_timezone: "{{ timezone }}"
ntp_manage_config: true
@ -37,8 +34,7 @@
- renovate
- gitea-runner
roles:
- role: geerlingguy.docker
become: true
- geerlingguy.docker
- docker_cleanup
- hosts:
@ -53,6 +49,14 @@
roles:
- traefik
- hosts:
- ingress
- walker
- casey
become: false # Forcefully run as current user
roles:
- artis3n.tailscale
- hosts: pve-docker
roles:
- pve_docker
@ -66,22 +70,21 @@
- authentik
- minio
- ntfy
- baby_buddy
- bsky
- immich
- hosts: ingress
roles:
- nginx
- ingress
- artis3n.tailscale
- hosts: pve
roles:
- role: ironicbadger.proxmox_nag_removal
become: true
- ironicbadger.proxmox_nag_removal
- zfs
- role: ironicbadger.snapraid
become: true
- role: prometheus.prometheus.node_exporter
become: true
- ironicbadger.snapraid
- prometheus.prometheus.node_exporter
- hosts: forrest
roles:
@ -98,13 +101,11 @@
- hosts: walker
roles:
- nginx
- role: geerlingguy.certbot
become: true
- geerlingguy.certbot
- coredns_docker_proxy
- plausible
- restic
- website
- artis3n.tailscale
- slides
- comentario
@ -128,6 +129,5 @@
- hosts: tang
roles:
- adguardhome
- role: prometheus.prometheus.node_exporter
become: true
- prometheus.prometheus.node_exporter
- restic


@ -1,6 +1,7 @@
(alias) {
errors
cancel
cache 600
forward . tls://9.9.9.9 tls://149.112.112.112 tls://2620:fe::fe tls://2620:fe::9 {
tls_servername dns.quad9.net


@ -3,11 +3,9 @@
name: coredns
state: restarted
enabled: true
become: true
- name: restart systemd-resolved
service:
name: systemd-resolved
state: restarted
enabled: true
become: true


@ -1,7 +1,6 @@
- name: Install adguardhome
kewlfft.aur.aur:
name: adguardhome-bin
become: true
package:
name: adguardhome
- name: Disable resolved stub
template:
@ -10,7 +9,6 @@
owner: root
mode: "0644"
notify: restart systemd-resolved
become: true
- name: Use resolved resolv.conf
file:
@ -18,12 +16,10 @@
dest: /etc/resolv.conf
state: link
notify: restart systemd-resolved
become: true
- name: Install coredns
kewlfft.aur.aur:
name: coredns
become: true
- name: Install coredns config file
template:
@ -32,4 +28,3 @@
owner: coredns
mode: "0644"
notify: restart coredns
become: true


@ -19,7 +19,7 @@ x-env: &env
services:
server:
image: ghcr.io/goauthentik/server:2024.6
image: ghcr.io/goauthentik/server:2025.2
restart: unless-stopped
command: server
user: "{{ docker_user.id }}"
@ -42,7 +42,7 @@ services:
- traefik
worker:
image: ghcr.io/goauthentik/server:2024.6
image: ghcr.io/goauthentik/server:2025.2
restart: unless-stopped
command: worker
user: "{{ docker_user.id }}"


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -17,4 +16,3 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart authentik
become: true


@ -0,0 +1,38 @@
services:
baby-buddy:
image: lscr.io/linuxserver/babybuddy:latest
restart: unless-stopped
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- TZ={{ timezone }}
- DATABASE_URL=postgres://baby-buddy:baby-buddy@db/baby-buddy
- ALLOWED_HOSTS=baby-buddy.jakehoward.tech
- CSRF_COOKIE_SECURE=True
- SECRET_KEY={{ vault_secret_key }}
- SECURE_PROXY_SSL_HEADER=True
- SESSION_COOKIE_SECURE=True
labels:
- traefik.enable=true
- traefik.http.routers.baby-buddy.rule=Host(`baby-buddy.jakehoward.tech`)
- traefik.http.routers.baby-buddy.middlewares=tailscale-only@file
volumes:
- "{{ app_data_dir }}/baby-buddy:/config"
depends_on:
- db
networks:
- default
- traefik
db:
image: postgres:14-alpine
restart: unless-stopped
volumes:
- /mnt/speed/dbs/postgres/baby-buddy:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=baby-buddy
- POSTGRES_USER=baby-buddy
networks:
traefik:
external: true
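Review bot: The database credentials are written literally in this new compose template, as `DATABASE_URL=postgres://baby-buddy:baby-buddy@db/baby-buddy` and `POSTGRES_PASSWORD=baby-buddy`, while `SECRET_KEY` in the same file comes from the vault. The `db` service appears to join only the default compose network, which limits exposure, but a vaulted value keeps a guessable password out of the repository, e.g. `- POSTGRES_PASSWORD={{ vault_db_password }}` (placeholder variable name) with the same variable used in `DATABASE_URL`. Separately, `image: lscr.io/linuxserver/babybuddy:latest` is unpinned, unlike the authentik and comentario images in this commit, so each run of the update command can pull code nobody has reviewed. The `pds` service in the bsky compose file has the same issue with `ghcr.io/bluesky-social/pds:latest`; pinning a version tag or digest in both would put image updates through review.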


@ -0,0 +1,4 @@
- name: restart baby-buddy
shell:
chdir: /opt/baby-buddy
cmd: "{{ docker_update_command }}"


@ -0,0 +1,18 @@
- name: Include vault
include_vars: vault.yml
- name: Create install directory
file:
path: /opt/baby-buddy
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/baby-buddy/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart baby-buddy

8
ansible/roles/baby_buddy/vars/vault.yml generated Normal file

@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256
31663462633839636531393633633938376534316230626362353733653862623964626232333265
3733313066313639363131353963373431363761383537300a613662393631623832613537363034
30623931653839636361646231386465383333343535646436656565663137303166366533353866
3634643437303034330a646236353831363638633835666239383430636532396466623461303535
31383238633430393935653366646666303066316232643733366264353034626461613038323834
35383961316663356136363562646636313133346438343965383931353336643434303938373766
303432363965616134613933643635626565


@ -1,25 +1,21 @@
- name: Install fail2ban
package:
name: fail2ban
become: true
- name: Enable fail2ban
service:
name: fail2ban
enabled: true
become: true
- name: fail2ban SSH jail
template:
src: files/ssh-jail.conf
dest: /etc/fail2ban/jail.d/ssh.conf
mode: "0600"
become: true
register: fail2ban_jail
- name: Restart fail2ban
service:
name: fail2ban
state: restarted
become: true
when: fail2ban_jail.changed


@ -1,13 +1,11 @@
- name: Install logrotate
package:
name: logrotate
become: true
- name: Enable logrotate timer
service:
name: logrotate.timer
enabled: true
become: true
when: ansible_os_family == 'Archlinux'
- name: logrotate fail2ban config
@ -15,4 +13,3 @@
src: files/fail2ban-logrotate
dest: /etc/logrotate.d/fail2ban
mode: "0600"
become: true


@ -1,7 +1,6 @@
- name: Install Base Packages
package:
name: "{{ item }}"
become: true
loop:
- htop
- neofetch


@ -1,13 +1,11 @@
- name: Install OpenSSH for Debian
package:
name: openssh-server
become: true
when: ansible_os_family == 'Debian'
- name: Install OpenSSH for Arch
package:
name: openssh
become: true
when: ansible_os_family == 'Archlinux'
- name: Define context
@ -22,7 +20,6 @@
validate: /usr/sbin/sshd -t -f %s
backup: true
mode: "644"
become: true
register: sshd_config
- name: Set up authorized keys
@ -38,11 +35,9 @@
service:
name: sshd
enabled: true
become: true
- name: Restart SSH Daemon
service:
name: sshd
state: reloaded
when: sshd_config.changed
become: true


@ -5,11 +5,9 @@
comment: "{{ me.name }}"
shell: /bin/bash
system: true
become: true
- name: Give user sudo access
user:
name: "{{ me.user }}"
groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
append: true
become: true


@ -0,0 +1,19 @@
services:
pds:
image: ghcr.io/bluesky-social/pds:latest
user: "{{ docker_user.id }}"
restart: unless-stopped
env_file:
- /opt/bsky/pds.env
labels:
- traefik.enable=true
- traefik.http.routers.bsky.rule=Host(`bsky.theorangeone.net`)
volumes:
- "{{ app_data_dir }}/bsky:/pds"
networks:
- default
- traefik
networks:
traefik:
external: true


@ -0,0 +1,17 @@
TZ={{ timezone }}
PDS_HOSTNAME=bsky.theorangeone.net
PDS_JWT_SECRET={{ vault_jwt_secret }}
PDS_ADMIN_PASSWORD={{ vault_admin_password }}
PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX={{ vault_plc_rotation_private_key }}
PDS_DATA_DIRECTORY=/pds
PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks
PDS_BLOB_UPLOAD_LIMIT=52428800
PDS_DID_PLC_URL=https://plc.directory
PDS_BSKY_APP_VIEW_URL=https://api.bsky.app
PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app
PDS_REPORT_SERVICE_URL=https://mod.bsky.app
PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac
PDS_CRAWLERS=https://bsky.network
LOG_ENABLED=false
PDS_EMAIL_SMTP_URL={{ vault_smtp_url }}
PDS_EMAIL_FROM_ADDRESS={{ vault_smtp_from_address }}
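Review bot: `LOG_ENABLED=false` turns off the PDS's own logging, and the bsky compose file's Traefik labels show no access-restricting middleware, so the service appears to be reachable publicly. That leaves little to work from when investigating failed admin logins or abuse. If the setting is deliberate (privacy or disk usage), say so in a comment above the line, e.g. `# Logging disabled deliberately: <reason>`. Otherwise set `LOG_ENABLED=true` and rely on log rotation.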


@ -0,0 +1,4 @@
- name: restart bsky
shell:
chdir: /opt/bsky
cmd: "{{ docker_update_command }}"


@ -0,0 +1,26 @@
- name: Include vault
include_vars: vault.yml
- name: Create install directory
file:
path: /opt/bsky
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
- name: Install environment variables
template:
src: files/pds.env
dest: /opt/bsky/pds.env
mode: "660"
owner: "{{ docker_user.name }}"
notify: restart bsky
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/bsky/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart bsky
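Review bot: `mode: "660"` on `/opt/bsky/pds.env` leaves the file group-readable and group-writable, and the template it renders holds `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD` and the PLC rotation private key. The comentario role shown in this commit installs its secrets file with `mode: "600"`. Since this file is owned by `docker_user` and the container runs as that user, `mode: "0600"` should be sufficient here. Adding `no_log: true` to the "Install environment variables" task would also keep the rendered secrets out of `--diff` output.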

24
ansible/roles/bsky/vars/vault.yml generated Normal file

@ -0,0 +1,24 @@
$ANSIBLE_VAULT;1.1;AES256
35316238376465633461333439343331636238346532623336316231653664653963643331346362
3763363363333066636166356465373233323138643961390a343232623866303961316431363534
31653234383465356637363636363838393130396364623261353266396533326563303838643366
6339666332326439610a666235636432616565643839663234336134343632316538353331396337
33303836373037336533623864613966646463333161663965653663326266376234633530393530
63303938376338613531623065316339653938666439643035663231646566643334356337343861
65353264613465626532643935313262323766666538386239613163366536636335616562613635
31643637333266373336323035366465636261346263666239323934616238616366383330336661
38386536326137363531636635626232333465613031633031336330316337303237303736656639
37313331346165363465326336663536646438363835393138646238353661303937346430303333
39663236663530396562626133666434396132356638643563626362636563373464356636313337
63303730656338313036313937323462326366366231363265363335636536396335323561663235
65333666333033376334303463376666373738376361316463343836323839383735666530656135
33316238356536663362646437633866323531353439393561626331326562663366663839393438
35653262653262326532386431373336393737363665393030363538356262346435343333373636
34343261623832306139623337353137646435613433346630643865333965303334393666336534
61353035373034323864356636643930333638396564616134353536663164363932643364656162
35366139363939663632353066373932363961656464393131373239356663303736653334336531
35303236303065363764313432643664333532343134393965323963636664663536376632323538
38356335383934636631643436356563636364646136333637666331363261656236346539373233
37306330306531623464663031626337346339613630363635633161336366653638626339356662
63383836613863646436346233376563353037373666313631393161333133633132666633663361
326132663033396335306165333862666433


@ -1,6 +1,6 @@
services:
comentario:
image: registry.gitlab.com/comentario/comentario:v3.9.0
image: registry.gitlab.com/comentario/comentario:v3.13.0
restart: unless-stopped
user: "{{ docker_user.id }}:{{ docker_user.id }}"
depends_on:
@ -12,6 +12,8 @@ services:
- ./secrets.yml:/comentario/secrets.yaml
environment:
- BASE_URL=https://comentario.theorangeone.net
- NO_PAGE_VIEW_STATS=true
- LOG_FULL_IPS=true
db:
image: postgres:14-alpine
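Review bot: `LOG_FULL_IPS=true` in the `comentario` service's environment makes the service log visitor IP addresses in full. Those are personal data and will be kept for as long as this host retains its logs. The +/- markers are lost on this page, so this assumes the two extra environment lines in the second hunk are additions. If the full address is needed, for example for abuse handling, a comment above the line such as `# Full IPs logged for abuse handling` would make the choice auditable; otherwise leave the option off.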


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart comentario
become: true
- name: Install secrets
copy:
@ -26,7 +24,6 @@
mode: "600"
owner: "{{ docker_user.name }}"
notify: restart comentario
become: true
- name: Install nginx config
template:
@ -34,7 +31,6 @@
dest: /etc/nginx/http.d/comentario.conf
mode: "0644"
notify: reload nginx
become: true
vars:
server_name: comentario.theorangeone.net
upstream: comentario-comentario-1.docker:80
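Review bot: These tasks write to `/etc/nginx/http.d/` and install a `600` secrets file, yet nothing in the file says they need privilege escalation any more. Each hunk drops one line, presumably the `become: true` (the page no longer marks which), so the requirement now lives only in the `[privilege_escalation]` block added to `ansible.cfg`. Run from a checkout or wrapper that does not load that config, the role fails partway or writes as the SSH user. A one-line comment at the top of the task file, `# requires become (set globally in ansible.cfg)`, or `become: true` on the play itself, keeps the requirement visible. The same applies to the other role task files changed this way in the commit, and the task bodies start outside the hunks.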


@ -11,6 +11,9 @@ comentario_secrets:
gitlab:
key: "{{ vault_comentario_gitlab_application_id }}"
secret: "{{ vault_comentario_gitlab_application_secret }}"
twitter:
key: "{{ vault_comentario_twitter_api_key }}"
secret: "{{ vault_comentario_twitter_api_secret }}"
smtpServer:
host: smtp.eu.mailgun.org
port: 587


@ -1,30 +1,38 @@
$ANSIBLE_VAULT;1.1;AES256
33656462373736356363313738643335333930343461366666663532653264363963653732656366
3034323730613334326462326332323763323665636165390a303639633036303831373966303037
37376233383138323265396531303739316330396230333464383963333035343735303866626334
6562393435303264620a633139616164303337363863616138306531656365353964346638646165
35346539326339623364343662643038336238613535623964666562383662613661616564646433
30653432666538616565373832353434303565386333643735313866396436393732303466376237
64383236373364383338613530353830353334326331636436323766353565656664356138386532
62366266656461663330396562316439393038666534663564633037623237363532363637356336
63336633393666343064383735363664643936333130636465623139393838373134636265366439
64326538653236306437346165333934303134313032383135313335626136626162363831613430
30636436343162376637616262393633306330663362396638393166643131343564646162616530
62343735343832636661326265396262643136346366663337636335656137393231646438633338
61613137366661333462363134343732666330373864393636643665396435653064623030626466
65633536346531383565616130626461376566316535316339326363646336626266376330393939
33653438656438316532393665333939613334666464656635323566326439363964316535623233
38636236616637336230363032396635613563313966353334313365663434653138303764393938
37643561346338323934663936356563363833383435373933396138663334616563666562653935
33666631373964396265393233636631336632386537663663366439313137656661653265323162
64656333336165326563323333653036386334386566386664306638656130323665366136373732
34383532303363646334356534316630363133303031343665353465656239306338386238313262
30363438383164343661343730386162633430373765313834313739393638333963393234613564
30356134646431353132316565346331613137353431383863383866306632626336633764393036
66626466623034666335356539653136633331636365623061613433393335303535333433616137
65383231373230653838316630303736353237666431366134353534366564656338646265396162
61663366663532636635663337363063306466626463396630636236363736303963353062376163
63653530346335393934656531386139663136383132306564383937396364626365373839613766
62633264336335313932396164373363623061363262616330343735633862623234643365353035
36616231636461323832663837323232396636363561376563386530306339333431613935613263
30366335393834643066343763636561346336383463333535323932326663633338
36376264363334643335646564636336613234393261326366386234663464633966666133383933
3731363234333962306638323737336237343230653439650a343362336166626633666161313863
33623130623239626532663063633436616665653135343266336330353538306265323739326262
3066643432643465350a643436366637623765663265316665386564663933663730383264396336
39396139396238653065366663333533343336363631616332616362386639313766656136666532
63336131346563323733333139636233353465643766643562643632653062373737353364336536
64653162656233383136363339623933643834363931663830656364396637333632613838323461
38666362663831363363636363346164343032376366346530393864306332326339323836643062
66346265643039663636616464383330366539343832373839663361393661353861643364633534
38383461323031626161663938326339386634363165303238333365323235303535333765613734
30363032386333353962306131373466356137666334303230343561616639363238633630386330
32383537646430666331313530343033376238646334313335343661313665626631663331656638
31303637343263343566386634623362373366323136663032663966313836353136616564646563
66653938326539343130346439666264663962323661386131643432663237643334633837376163
62393330336434393232646163353539303831336638663135393734393064353964623032616233
32393037313965313933363236653537306634613265633764636436653332623339316132373964
39313334653831366533663661653934633338393539326564396236373462623262333530346436
66646266623666333034346634613365356333343934363963366137303030646638373466643564
66356265363634623363646266633137363966666361366463383266663032316665373430383031
33303530323561366531356133363035353732333135303762316337626330333530303563643935
35303465633536373833386435336638386662353032383861633965393564303839666463616263
39353934343965316134663634363135616338353734656361343433313837313639303931356233
39643135353661306461393962646238613062356361386533316362633233353235666262653738
33616465653435303736636165343239336139383162616463613232656639393338363766396434
32353965363537666366623066313461316463373130653637343430366231366263616261393564
36323038383238633239323365326334393132643832373033643432653032613665646666336338
30316565346630396537363431366337656236363462646435393731323866313366373438386265
61373366383865336334356638653065333839303663636266393933663833313931333133663966
35306163373462613335616265316563313062623139343061306465656463336162396266636437
36646439613433306464383133636466383430363363393762646534343133333732613530626162
31633430313039643636666365613232373335336235633832666139643937373766336563303266
34396137656436373438383035316133343132313130636536393536393862386531386531303761
64613337353463383032636636643963636235346262646366366539646233313939633864306335
38373465373863383964633038373334386632666236303436376438666132623964396434626439
38356235353430323236623962396461346438633962333163393535373362373164313132356232
63313639333862313565396165613265623135626635373134626137633638333561353732313036
3837


@ -3,7 +3,7 @@ services:
image: coredns/coredns:latest
restart: unless-stopped
volumes:
- ./Corefile:/home/nonroot/Corefile:ro
- ./Corefile:/Corefile:ro
ports:
- "{{ private_ip }}:53053:53/udp"
networks:


@ -1,8 +1,6 @@
- name: Create network
docker_network:
name: coredns
internal: true
become: true
- name: Create install directory
file:
@ -10,7 +8,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -20,4 +17,11 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart coredns
become: true
- name: Install Corefile
template:
src: files/Corefile
dest: /opt/coredns/Corefile
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart coredns
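Review bot: The first hunk's header (`-1,8 +1,6`) shows two lines dropped from around the `Create network` task, and the page no longer marks which. If `internal: true` is one of them alongside `become: true`, the `coredns` network stops being isolated and every container attached to it gains a route out through the host. If that is intended, for instance so CoreDNS can reach an upstream resolver, a comment on the task such as `# not internal: CoreDNS needs outbound access to <upstream>` (placeholder) would record the decision. Otherwise `internal: true` should stay.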


@ -9,6 +9,9 @@ services:
- HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
depends_on:
- docker_proxy
networks:
- default
- backup_private
docker_proxy:
image: lscr.io/linuxserver/socket-proxy:latest
@ -20,5 +23,13 @@ services:
- EXEC=1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- backup_private
tmpfs:
- /run
logging:
driver: none
networks:
backup_private:
internal: true


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -14,4 +13,3 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart db-auto-backup
become: true


@ -1,7 +1,6 @@
- name: Install docker-compose
package:
name: docker-compose
become: true
when: ansible_os_family != 'Debian'
- name: Install compose-switch
@ -9,7 +8,6 @@
url: "{{ docker_compose_url }}"
dest: "{{ docker_compose_path }}"
mode: "0755"
become: true
when: ansible_os_family == 'Debian'
- name: Create docker group
@ -17,7 +15,6 @@
name: "{{ docker_user.name }}"
state: present
gid: "{{ docker_user.id }}"
become: true
- name: Create docker user
user:
@ -25,21 +22,18 @@
uid: "{{ docker_user.id }}"
group: "{{ docker_user.name }}"
create_home: false
become: true
- name: Add user to docker user group
user:
name: "{{ me.user }}"
groups: "{{ docker_user.name }}"
append: true
become: true
- name: Add user to docker group
user:
name: "{{ me.user }}"
groups: docker
append: true
become: true
- name: Clean up docker containers
cron:
@ -47,6 +41,8 @@
hour: 1
minute: 0
job: docker system prune -af --volumes
cron_file: docker_cleanup
user: root
- name: Install util scripts
copy:
@ -54,6 +50,7 @@
dest: "{{ me.home }}"
mode: "755"
directory_mode: "755"
owner: "{{ me.user }}"
- name: override docker service for zfs dependencies
include_tasks: zfs-override.yml


@ -3,7 +3,6 @@
path: /etc/systemd/system/docker.service.d
state: directory
mode: "0755"
become: true
- name: Create override.conf
copy:
@ -12,4 +11,3 @@
owner: root
group: root
mode: "0644"
become: true


@ -1,6 +1,6 @@
services:
forgejo:
image: code.forgejo.org/forgejo/forgejo:8-rootless
image: code.forgejo.org/forgejo/forgejo:10-rootless
user: "{{ docker_user.id }}:{{ docker_user.id }}"
environment:
- TZ={{ timezone }}


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart gitea
become: true
- name: Install config file
template:
@ -26,7 +24,6 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart gitea
become: true
- name: Create custom templates directory
file:
@ -35,7 +32,6 @@
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
recurse: true
become: true
- name: Install custom footer
copy:
@ -44,4 +40,3 @@
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_file_mask }}"
notify: restart gitea
become: true


@ -8,7 +8,7 @@ runner:
# Where to store the registration result.
file: /data/.runner
# Execute how many tasks concurrently at the same time.
capacity: "{{ ansible_processor_nproc }}"
capacity: {{ ansible_processor_nproc }}
# Extra environment variables to run jobs.
envs: {}
# Extra environment variables to run jobs from a file.
@ -39,10 +39,10 @@ cache:
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
host: "{{ ansible_default_ipv4.address }}"
# The port of the cache server.
# 0 means to use a random available port.
port: 0
port: 4000
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
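Review bot: The cache server now advertises `{{ ansible_default_ipv4.address }}` on the fixed port `4000`, which places it on the host's primary interface rather than on a Docker-only address. Whether the cache authenticates its clients is not visible here, so unless the host firewall limits port 4000 to the Docker bridge ranges, other machines on that network can reach the Actions cache and the build artefacts in it. A comment above `port: 4000` naming the firewall rule that covers it, or a bridge address in `host:`, would close that gap. The `cache:` mapping starts and continues outside the hunk.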


@ -1,20 +1,46 @@
services:
forgejo-runner:
image: code.forgejo.org/forgejo/runner:3.5.1
image: code.forgejo.org/forgejo/runner:5.0.4
user: "{{ docker_user.id }}"
volumes:
- /mnt/data:/data
- ./config.yml:/data/config.yml
environment:
- TZ={{ timezone }}
- DOCKER_HOST=tcp://dind:2375
- DOCKER_HOST=tcp://docker_proxy:2375
restart: unless-stopped
command: forgejo-runner daemon
command: forgejo-runner --config config.yml daemon
networks:
- default
- forgejo_private
depends_on:
dind:
condition: service_started
- docker_proxy
ports:
- "{{ ansible_default_ipv4.address }}:4000:4000"
dind:
image: docker:dind
privileged: true
command: [dockerd, -H, tcp://0.0.0.0:2375, --tls=false]
docker_proxy:
image: lscr.io/linuxserver/socket-proxy:latest
restart: unless-stopped
environment:
- POST=1
- CONTAINERS=1
- INFO=1
- IMAGES=1
- VOLUMES=1
- NETWORKS=1
- ALLOW_START=1
- ALLOW_STOP=1
- ALLOW_RESTARTS=1
- EXEC=1
tmpfs:
- /run
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- forgejo_private
logging:
driver: none
networks:
forgejo_private:
internal: true
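Review bot: The new `docker_proxy` service gives the runner the host's Docker daemon with `POST=1`, `CONTAINERS=1`, `EXEC=1`, `VOLUMES=1` and `NETWORKS=1`, so job containers are now created on the host daemon rather than inside the separate `dind` daemon this replaces. Container creation through that API can ask for host bind mounts or privileged mode, so any workflow allowed to run here should be treated as trusted with the host; the `:ro` on the socket mount does not limit the API calls sent through it. If anything less than fully trusted repositories can schedule jobs on this runner, tighten the runner's `container:` settings (`privileged: false`, an explicit `valid_volumes` list) and trim the proxy allow-list to what the jobs really use. `logging: driver: none` also discards whatever the proxy records about requests to the daemon; `driver: json-file` with a size limit would keep that trail for later review.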


@ -4,24 +4,14 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Create data directory
file:
path: /opt/forgejo-runner/data
state: directory
mode: "700"
owner: "{{ docker_user.name }}"
become: true
- name: Install config file
template:
src: files/config.yml
dest: /opt/forgejo-runner/data/config.yml
dest: /opt/forgejo-runner/config.yml
mode: "600"
owner: "{{ docker_user.name }}"
notify: restart forgejo-runner
become: true
- name: Install compose file
template:
@ -31,4 +21,3 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart forgejo-runner
become: true


@ -3,7 +3,6 @@
src: files/nginx-fail2ban-filter.conf
dest: /etc/fail2ban/filter.d/nginx-tcp.conf
mode: "0600"
become: true
register: fail2ban_filter
- name: fail2ban jail
@ -11,12 +10,10 @@
src: files/nginx-fail2ban-jail.conf
dest: /etc/fail2ban/jail.d/nginx.conf
mode: "0600"
become: true
register: fail2ban_jail
- name: Restart fail2ban
service:
name: fail2ban
state: restarted
become: true
when: fail2ban_filter.changed or fail2ban_jail.changed


@ -3,7 +3,6 @@
src: files/nginx.conf
dest: /etc/nginx/stream.d/gateway.conf
mode: "0644"
become: true
register: nginx_config
- name: Install CDN config
@ -11,12 +10,10 @@
src: files/nginx-cdn.conf
dest: /etc/nginx/http.d/cdn.conf
mode: "0644"
become: true
register: nginx_config
- name: Reload Nginx
service:
name: nginx
state: reloaded
become: true
when: nginx_config.changed


@ -1,7 +1,6 @@
- name: Install wireguard tools
package:
name: "{{ item }}"
become: true
loop:
- wireguard-tools
- qrencode
@ -12,21 +11,18 @@
dest: /etc/wireguard/wg0.conf
mode: "0600"
backup: true
become: true
register: wireguard_conf
- name: Enable wireguard
service:
name: wg-quick@wg0
enabled: true
become: true
- name: Restart wireguard
service:
name: wg-quick@wg0
state: restarted
when: wireguard_conf.changed
become: true
- name: Create wireguard client directory
file:


@ -2,4 +2,3 @@
service:
name: wg-quick@glinet
state: restarted
become: true


@ -4,7 +4,6 @@
- name: Install wireguard tools
package:
name: "{{ item }}"
become: true
loop:
- wireguard-tools
- qrencode
@ -15,7 +14,6 @@
dest: /etc/wireguard/glinet.conf
mode: "0600"
backup: true
become: true
notify: restart wireguard
- name: Wireguard client config
@ -24,11 +22,9 @@
dest: "{{ me.home }}/glinet-vpn.conf"
mode: "0600"
owner: "{{ me.user }}"
become: true
notify: restart wireguard
- name: Enable wireguard
service:
name: wg-quick@glinet
enabled: true
become: true


@ -1,6 +1,7 @@
{
"tagOwners": {
"tag:client": []
"tag:client": [],
"tag:private-svcs": []
},
"acls": [
@ -8,6 +9,11 @@
"action": "accept",
"src": ["tag:client"],
"dst": ["*:*"]
},
{
"action": "accept",
"src": ["tag:private-svcs"],
"dst": ["{{ vps_hosts.private_ipv6_marker }}:80,443"]
}
]
}


@ -63,9 +63,11 @@ noise:
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# Any other range is NOT supported, and it will cause unexpected issues.
ip_prefixes:
- fd7a:115c:a1e0::/48
- 100.64.0.0/10
prefixes:
v6: fd7a:115c:a1e0::/48
v4: 100.64.0.0/10
allocation: sequential
# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
@ -94,6 +96,13 @@ derp:
# For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
stun_listen_addr: 0.0.0.0:3478
automatically_add_embedded_derp_region: true
private_key_path: /var/lib/headscale/derp_server_private.key
ipv4: "{{ ansible_default_ipv4.address }}"
ipv6: "{{ ansible_default_ipv6.address }}"
# List of externally available DERP maps encoded in JSON
urls: []
@ -128,10 +137,25 @@ ephemeral_node_inactivity_timeout: 30m
node_update_check_interval: 20s
# SQLite config
db_type: sqlite3
database:
type: sqlite
# For production:
db_path: /var/lib/headscale/db.sqlite
gorm:
# Enable prepared statements.
prepare_stmt: true
# Enable parameterized queries.
parameterized_queries: true
# Skip logging "record not found" errors.
skip_err_record_not_found: true
# Threshold for slow queries in milliseconds.
slow_threshold: 3000
sqlite:
path: /var/lib/headscale/db.sqlite
write_ahead_log: true
# # Postgres config
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@ -188,7 +212,9 @@ log:
# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: /etc/headscale/acls.json
policy:
mode: file
path: /etc/headscale/acls.json
## DNS
#
@ -199,13 +225,13 @@ acl_policy_path: /etc/headscale/acls.json
# - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
#
dns_config:
dns:
# Whether to prefer using Headscale provided DNS or use local.
override_local_dns: false
# List of DNS servers to expose to clients.
nameservers:
- 1.1.1.1
global: []
# NextDNS (see https://tailscale.com/kb/1218/nextdns/).
# "abc123" is example NextDNS ID, replace with yours.
@ -251,7 +277,7 @@ dns_config:
# `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
base_domain: headscale.jakehoward.tech
base_domain: hs.sys.theorangeone.net
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:


@ -3,4 +3,3 @@
name: headscale
state: restarted
enabled: true
become: true


@ -4,7 +4,6 @@
- name: Install Headscale
package:
name: headscale
become: true
- name: Install headscale config file
template:
@ -13,7 +12,6 @@
owner: headscale
mode: "0600"
notify: restart headscale
become: true
- name: Install ACLs
template:
@ -22,12 +20,10 @@
owner: headscale
mode: "0600"
notify: restart headscale
become: true
- name: Install nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/http.d/headscale.conf
mode: "0644"
become: true
notify: reload nginx


@ -2,4 +2,3 @@
service:
name: squid
state: restarted
become: true


@ -1,18 +1,15 @@
- name: Install squid
package:
name: squid
become: true
- name: Squid config
template:
src: files/squid.conf
dest: /etc/squid/squid.conf
mode: "0600"
become: true
notify: restart squid
- name: Enable squid
service:
name: squid
enabled: true
become: true


@ -0,0 +1,84 @@
services:
immich-server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:release
user: "{{ docker_user.id }}"
volumes:
- /mnt/tank/files/immich:/usr/src/app/upload
- /etc/localtime:/etc/localtime:ro
- /mnt/tank/files/photos:/mnt/photos:ro
depends_on:
- redis
- database
- immich-machine-learning
restart: unless-stopped
environment:
- DATABASE_URL=postgres://postgres:postgres@database/immich
- TZ={{ timezone }}
devices:
- /dev/dri:/dev/dri
labels:
- traefik.enable=true
- traefik.http.routers.immich.rule=Host(`immich.jakehoward.tech`)
- traefik.http.routers.immich.middlewares=tailscale-only@file
networks:
- default
- traefik
immich-machine-learning:
container_name: immich_machine_learning
image: ghcr.io/immich-app/immich-machine-learning:release
user: "{{ docker_user.id }}"
volumes:
- /mnt/scratch/immich-model-cache:/cache
- /mnt/scratch/immich-ml-cache:/.cache
- /mnt/scratch/immich-ml-config:/.config
environment:
- DATABASE_URL=postgres://postgres:postgres@database/immich
- MACHINE_LEARNING_WORKER_TIMEOUT=240
restart: unless-stopped
devices:
- /dev/dri:/dev/dri
depends_on:
- database
- redis
redis:
image: redis:7-alpine
restart: unless-stopped
volumes:
- /mnt/speed/dbs/redis/immich:/data
database:
container_name: immich_postgres
image: tensorchord/pgvecto-rs:pg14-v0.2.0
environment:
POSTGRES_PASSWORD: postgres
POSTGRES_USER: postgres
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: --data-checksums
volumes:
- /mnt/speed/dbs/postgres/immich:/var/lib/postgresql/data
restart: unless-stopped
# yamllint disable-line rule:quoted-strings rule:line-length
command: [postgres, -c, shared_preload_libraries=vectors.so, -c, 'search_path="$$user", public, vectors', -c, logging_collector=on, -c, max_wal_size=2GB, -c, shared_buffers=512MB, -c, wal_compression=on]
immich-public-proxy:
image: alangrainger/immich-public-proxy:latest
user: "{{ docker_user.id }}"
restart: unless-stopped
environment:
- IMMICH_URL=http://immich-server:2283
volumes:
- ./ipp-config.json:/app/config.json:ro
labels:
- traefik.enable=true
- traefik.http.routers.immich-public-proxy.rule=Host(`photos.jakehoward.tech`)
- traefik.http.services.immich-public-proxy-immich.loadbalancer.server.port=3000
networks:
- default
- traefik
networks:
traefik:
external: true
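Review bot: `POSTGRES_PASSWORD: postgres` and the matching `postgres:postgres` in both `DATABASE_URL` lines give the Immich database a well-known superuser password, while other roles in this commit take their secrets from vault variables. The database is not published, but `immich-public-proxy` appears to be publicly routed (its Traefik router has no `tailscale-only` middleware) and shares the `default` network with `database` and `redis`, so a fault in that proxy lands next to a database with guessable credentials. Take the password from a vault variable, e.g. `POSTGRES_PASSWORD: "{{ vault_immich_database_password }}"` (placeholder name) with the same value templated into `DATABASE_URL`, and consider giving the public proxy its own network shared only with `immich-server`. The `:release` and `:latest` image tags also mean the deployed version can change on any pull without a change in this repository.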


@ -0,0 +1,6 @@
{
"ipp": {
"showHomePage": false,
"allowDownloadAll": 1
}
}


@ -0,0 +1,4 @@
- name: restart immich
shell:
chdir: /opt/immich
cmd: "{{ docker_update_command }}"


@ -0,0 +1,23 @@
- name: Create install directory
file:
path: /opt/immich
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/immich/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart immich
- name: Install IPP config
template:
src: files/ipp-config.json
dest: /opt/immich/ipp-config.json
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart immich


@ -2,13 +2,11 @@
service:
name: wg-quick@wg0
state: restarted
become: true
- name: reload nginx
service:
name: nginx
state: reloaded
become: true
- name: reload nftables
command:
@ -16,4 +14,3 @@
- nft
- -f
- /etc/nftables.conf
become: true


@ -1,7 +1,6 @@
- name: Install nftables
package:
name: nftables
become: true
- name: Copy firewall config
template:
@ -9,7 +8,6 @@
dest: /etc/nftables.conf
validate: nft -c -f %s
mode: "644"
become: true
notify: reload nftables
- name: Enable nftables
@ -17,4 +15,3 @@
name: nftables
enabled: true
state: started
become: true


@ -3,5 +3,4 @@
src: files/nginx.conf
dest: /etc/nginx/stream.d/ingress.conf
mode: "0644"
become: true
notify: reload nginx


@ -1,8 +1,6 @@
- name: Install Wireguard
package:
name:
- wireguard
become: true
name: wireguard
- name: Get wireguard credentials
set_fact:
@ -14,14 +12,12 @@
dest: /etc/wireguard/wg0.conf
mode: "0600"
backup: true
become: true
notify: restart wireguard
- name: Enable wireguard
service:
name: wg-quick@wg0
enabled: true
become: true
- name: Enable p2p communication
sysctl:
@ -31,4 +27,3 @@
state: present
reload: true
sysctl_file: /etc/sysctl.d/99-sysctl.conf
become: true


@ -2,23 +2,19 @@
ansible.builtin.apt_key:
url: https://repo.jellyfin.org/jellyfin_team.gpg.key
state: present
become: true
- name: Add Jellyfin repository
apt_repository:
repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
filename: jellyfin
state: present
become: true
- name: Install jellyfin
package:
name: jellyfin
become: true
- name: Set media dir permissions
cron:
name: Set media permissions
special_time: daily
job: chown -R jellyfin:jellyfin /mnt/media
become: true


@ -1,19 +1,22 @@
services:
mastodon:
image: lscr.io/linuxserver/mastodon:4.2.12
image: lscr.io/linuxserver/mastodon:4.3.6
environment:
- TZ={{ timezone }}
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- LOCAL_DOMAIN=theorangeone.net
- WEB_DOMAIN=mastodon.theorangeone.net
- DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
- DATABASE_URL=postgresql://mastodon:mastodon@db:5432/mastodon
- REDIS_URL=redis://redis
- SIDEKIQ_REDIS_URL=redis://redis/1
- SECRET_KEY_BASE={{ vault_secret_key_base }}
- OTP_SECRET={{ vault_otp_secret }}
- VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
- VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ vault_active_record_encryption_deterministic_key }}
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ vault_active_record_encryption_key_derivation_salt }}
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ vault_active_record_encryption_primary_key }}
- SINGLE_USER_MODE=true
- DEFAULT_LOCALE=en
- STREAMING_CLUSTER_NUM=1


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart mastodon
become: true
- name: Install media cleanup script
template:
@ -25,7 +23,6 @@
dest: /opt/mastodon/purge-media.sh
mode: "0755"
owner: "{{ docker_user.name }}"
become: true
- name: Schedule media cleanup
cron:
@ -35,4 +32,3 @@
weekday: 1
job: /opt/mastodon/purge-media.sh
user: "{{ me.user }}"
become: true


@ -1,30 +1,42 @@
$ANSIBLE_VAULT;1.1;AES256
63646161653431383335313735643535313434613362343161373961633539373932313338343633
6637323935616636353731336531663635656532383166640a633335666633363136333433343266
37383237623837616464613561633931613230623633313533393464646464646566366330323365
6563396262363238320a303433636266616635313536396132366239343230656432626639653230
63336165323337393664373635616532643935343363303766376533366661663366623939653564
35363335396266363532653038623038383836383236366466366339343433393338343566653834
30393761626537313531346466373136666565653731663430376664353737663039643263303533
35663836626462333262356330616131316432326139616165363831393036343235663736626661
35666264346563306133306565636261633766616135616366376430643763333031353534373033
35373739333562313639376264343562363130373531313563643834613533653034316536323339
39646337376462656362666330643831653730393562316661326433633334353963306664396264
30373238653832613861633263383663616538366361336163373861613538613132353963373666
34376464333462633839396263396335613233356261666661313763333033376434626463663133
32646130333635656665396335393232346661303861626566663931303637653065313031323936
64333931393165343761376630666462343136353335343632323435306261633232633662353137
32323863343365623566316537343062393638393434323134633535313531333135666535323439
35613439373737396562613834373638356534326438646330663564366436333962626135363833
63653731383163653932383632306239663365323237363562306639643662393530633430386164
61613137663734636666633966663366393832353166343239656335396630323138366338616430
37653036303735383664656530626630616437373762343263643661343464326466353234316363
64643733363435656365343537626364643430316630663666373932663564623835646336633034
65646264346439356161353838353064626230636664373035336433356530326632613035316434
31613434366530323263383337316432316432373835343164313963643733626362393334623266
65356131626135336337383139643838333134616137366530353730646634633364353333646563
66333134616639363932613238346538623764663831353031383834613230393936386432623434
37393935346238633338323432613638616466623264656434393761623363356330623632323261
36393064316263666432663633323535363035323535653834323064383437343530306166306239
37316236313533393062623066336561373138636339393631313866303433643832383230656532
3137
61313731363564306234653163633231356330313936636631393536356434396530643065333731
3534663665643665613164343931646262643231356337350a333262356130636265643465323263
34333463353131323930636566633462613561333733636230363066343834316664363036346635
6666363330383337340a316635663663343034613039353835633035633036646131303365626466
38636438323537303134356162633666376236346635366161356430376366626637343362363039
33356332333362363834373137633130306161393430393830643363636463633234646634306265
34366438333132633937303661356134383831373765306339363161643132393737356434653832
31346166333539643161346130386565376630333435376661343666636239666138316337633463
37633237393063313633393732616364653930353661366136346139663030393530383533646265
34393236643439316364376236373431643536333561613135616338643538313238303530356136
34393864323365633166643434363262346233393938313463643162343761643831373639313830
31363837393934333064316463313562393939613034653762303764333730353165623765653430
32383961353162306431393331643262353635383761663330323239383732346535636138636634
64616631373765393033306562343433373733646331643930373663323837393438643331663062
39323564376436353032303362653261363730383062346664663462656230613238303430303561
63663461376139616237333864643461343130326637616264353132613930306238613634343636
62393835393336646133616438336266653762366163623032323131656638393234383532333237
34333030356638326139333636343865636335333665656534656466333135663562303637333136
62386134633330663364323730646134383534623835636633653236653232393232653163613435
64663437383233323435386163653933383634666630383862323831316166353837323461333961
39626563323364653731316361333534616361366435643266626164666463613836336639373835
64393038336333356431326532626463333332373465613364386461623533646266626264383332
61393338663162343831616566346133646166353431396139393237356332616437353538313236
35323263383036623761643430336462656430356164313561663437383530346434306438386533
34366262663261636365323235326532393436333962383032353236323761373239613836646564
33316433656636313261653364663966633431663762363133666631653835386131643061626161
39633065326130643134343139363266363362393938623261646231333833643034633638386162
37376263613839353365336563623830333338373339393830323834326234373833336237326365
63366664323136303638643237366265653235363266333738343437313636663163663134363262
32663533363539313238663237366330633738613733363932653031356263643935666166363536
61383532373565383730363662613533333265636361333230333233396534353337653662363065
38393937396337633430303831353831376666623061356239363534333537323662306530303639
65303735343431623561356361373330343033643130393235336535623530303236356432353834
62376163646362616465643730353866333464666365336336383466653462346334646231633736
62336132343737303061396636313334333538396333626263396361386631313730363766653530
66663461616530326261343931343330313836633966646661626361643064316261313234386635
30306534396136656432653236343337656433396337393064313466653165396562393665363938
63393232646164333263313136303236353465636139376232626563613835303561653935316332
61373432613632663366383933343839363765396637306339363162616237366361306237336464
37353336306536396466356432393766623061363938633736323431313237663464646364666131
3737


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -17,4 +16,3 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart minio
become: true


@ -2,4 +2,3 @@
service:
name: nginx
state: reloaded
become: true


@ -1,7 +1,6 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Install nginx modules
package:
@ -11,7 +10,6 @@
- libnginx-mod-http-brotli-filter
- libnginx-mod-stream
when: ansible_os_family != 'Archlinux'
become: true
- name: Install nginx modules (on Arch)
kewlfft.aur.aur:
@ -20,12 +18,10 @@
- nginx-mod-headers-more
- nginx-mod-brotli
when: ansible_os_family == 'Archlinux'
become: true
- name: Generate Diffie-Hellman parameters
community.crypto.openssl_dhparam:
path: /etc/nginx/dhparams.pem
become: true
- name: Create config directories
file:
@ -36,7 +32,6 @@
- http.d
- stream.d
- includes
become: true
- name: Copy config files
template:
@ -44,7 +39,6 @@
dest: /etc/nginx/includes/{{ item | basename }}
mode: "0644"
with_fileglob: files/includes/*.conf
become: true
notify: reload nginx
- name: Install config
@ -52,7 +46,6 @@
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
mode: "0644"
become: true
notify: reload nginx
- name: Install HTTPS redirect
@ -60,6 +53,5 @@
src: files/nginx-https-redirect.conf
dest: /etc/nginx/http.d/https-redirect.conf
mode: "0644"
become: true
notify: reload nginx
when: nginx_https_redirect


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -17,4 +16,3 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart ntfy
become: true


@ -1,18 +1,15 @@
- name: Install Pacman utils
package:
name: pacman-contrib
become: true
- name: Create hooks directory
file:
path: /etc/pacman.d/hooks/
state: directory
mode: "0755"
become: true
- name: Install pacman hook
template:
src: files/paccache.hook
dest: /etc/pacman.d/hooks/clean_package_cache.hook
mode: "0644"
become: true


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install clickhouse config
template:
@ -15,7 +14,6 @@
dest: /opt/plausible/docker_related_config.xml
mode: "0644"
notify: restart plausible
become: true
- name: Install clickhouse user config
template:
@ -23,7 +21,6 @@
dest: /opt/plausible/docker_related_user_config.xml
mode: "0644"
notify: restart plausible
become: true
- name: Install compose file
template:
@ -33,7 +30,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart plausible
become: true
- name: Install nginx config
template:
@ -41,7 +37,6 @@
dest: /etc/nginx/http.d/plausible.conf
mode: "0644"
notify: reload nginx
become: true
vars:
server_name: plausible.theorangeone.net elbisualp.theorangeone.net
upstream: plausible-plausible-1.docker:8000


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
@ -14,7 +13,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart privatebin
become: true
- name: Install config file
template:
@ -23,4 +21,3 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart privatebin
become: true


@ -8,7 +8,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install grafana compose file
template:
@ -18,4 +17,3 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart grafana
become: true


@ -17,7 +17,6 @@
- "{{ vps_hosts.private_ipv6_range }}"
register: routes
changed_when: false
become: true
- name: Add route to private services via ingress
command:
@ -31,5 +30,4 @@
- "{{ pve_hosts.ingress.ipv6 }}"
- dev
- eth0
become: true
when: vps_hosts.private_ipv6_marker not in routes.stdout


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install prometheus config
template:
@ -13,7 +12,6 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: reload prometheus
become: true
- name: Install prometheus compose file
template:
@ -23,7 +21,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart prometheus
become: true
- name: Install blackbox config
template:
@ -32,7 +29,6 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart prometheus
become: true
- name: Install alertmanager config
template:
@ -41,7 +37,6 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart prometheus
become: true
- name: Install prometheus alert rules
copy:
@ -50,4 +45,3 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: reload prometheus
become: true


@ -19,7 +19,7 @@ $CONFIG = array (
0 => 'intersect.jakehoward.tech',
),
'dbtype' => 'mysql',
'version' => '29.0.4.1',
'version' => '30.0.6.2',
'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
'dbname' => 'nextcloud',
'dbhost' => 'mariadb',


@ -1,6 +1,6 @@
services:
nextcloud:
image: lscr.io/linuxserver/nextcloud:29.0.4
image: lscr.io/linuxserver/nextcloud:30.0.6
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}


@ -1,6 +1,6 @@
services:
wallabag:
image: wallabag/wallabag:2.6.9
image: wallabag/wallabag:2.6.10
restart: unless-stopped
environment:
- SYMFONY__ENV__SECRET={{ wallabag_secret }}


@ -4,7 +4,7 @@ services:
restart: unless-stopped
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`) || Host(`who.0rng.one`)
- traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
- traefik.http.routers.whoami-private.middlewares=tailscale-only@file


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install calibre compose file
template:
@ -14,7 +13,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: restart calibre
shell:


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install librespeed compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: restart librespeed
shell:


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install nextcloud compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: Install nextcloud config
template:
@ -26,7 +24,6 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
register: config_file
become: true
- name: Install occ script
template:
@ -34,7 +31,6 @@
dest: /opt/nextcloud/occ
mode: "0755"
owner: "{{ docker_user.name }}"
become: true
- name: restart nextcloud
shell:
@ -47,4 +43,3 @@
name: Set nextcloud data permissions
special_time: daily
job: chown -R {{ docker_user.name }}:{{ docker_user.name }} /mnt/tank/files/nextcloud
become: true


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install quassel compose file
template:
@ -14,7 +13,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: restart quassel
shell:


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install synapse compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: Install synapse config
template:
@ -26,7 +24,6 @@
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
register: homeserver_config
become: true
- name: restart synapse
shell:


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Create tt-rss plugins directory
file:
@ -13,7 +12,6 @@
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
register: plugins_dir
become: true
- name: Install tt-rss compose file
template:
@ -23,7 +21,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: Install fever plugin
git:
@ -41,7 +38,6 @@
owner: "{{ docker_user.name }}"
mode: u=rwX,g=rwX,o=rX
recurse: true
become: true
when: fever_plugin.changed
- name: restart tt-rss


@ -7,7 +7,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install wallabag compose file
template:
@ -17,7 +16,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: restart wallabag
shell:


@ -4,7 +4,6 @@
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install whoami compose file
template:
@ -14,7 +13,6 @@
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
register: compose_file
become: true
- name: restart whoami
shell:


@ -7,7 +7,6 @@
- "{{ tailscale_cidr }}"
register: routes
changed_when: false
become: true
- name: Add route to tailscale hosts via ingress
command:
@ -18,5 +17,4 @@
- "{{ tailscale_cidr }}"
- via
- "{{ pve_hosts.ingress.ip }}"
become: true
when: tailscale_cidr not in routes.stdout


@ -2,10 +2,8 @@
service:
name: nginx
state: reloaded
become: true
- name: restart qbittorrent
service:
name: qbittorrent-nox@{{ qbittorrent_user.name }}
state: restarted
become: true


@ -3,5 +3,4 @@
src: files/nginx.conf
dest: /etc/nginx/http.d/downloads.conf
mode: "0644"
become: true
notify: reload nginx


@ -1,20 +1,17 @@
- name: Install qbittorrent
package:
name: qbittorrent-nox
become: true
- name: Create user
user:
name: qbittorrent
system: true
become: true
register: qbittorrent_user
- name: Enable service
service:
name: qbittorrent-nox@{{ qbittorrent_user.name }}
enabled: true
become: true
- name: Set configuration
ini_file:
@ -42,5 +39,4 @@
- {section: Preferences, option: Bittorrent\MaxConnecsPerTorrent, value: -1"}
- {section: Preferences, option: Bittorrent\MaxUploads, value: -1"}
- {section: Preferences, option: Bittorrent\MaxUploadsPerTorrent, value: -1"}
become: true
notify: restart qbittorrent
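Review bot: The last three loop items of `Set configuration` end in `value: -1"}`, a closing quote with no opening one, so YAML reads the value as the string `-1"` rather than -1, and that text is what `ini_file` would receive if the task passes `item.value` through. These lines are unchanged context, so the commit leaves the problem in place. Quote the value on both sides, e.g. `- {section: Preferences, option: Bittorrent\MaxUploads, value: "-1"}`, and likewise for `MaxConnecsPerTorrent` and `MaxUploadsPerTorrent`. The task's body begins outside the hunk, so how `value` is consumed is inferred.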

Some files were not shown because too many files have changed in this diff