Commit graph

976 commits

Author SHA1 Message Date
4562b60517
Update Traefik to 2.6 2022-02-08 08:55:50 +00:00
af0eb65cce
Update synapse to 1.51 2022-02-08 08:55:41 +00:00
5df4a2c79a
Rotate nebula keys
Turns out they expired last night...
2022-01-30 21:00:38 +00:00
b91072b0da
Create a pages user for use with status checks 2022-01-29 22:18:07 +00:00
a5d9463f80
Ensure webdav pages is also accessible to Traefik 2022-01-29 22:11:19 +00:00
f07b5d9b7b
Migrate include: to include_tasks 2022-01-22 20:21:32 +00:00
106a89d72f
Use groups to manage sudo access rather than editing sudoers file 2022-01-22 20:10:16 +00:00
7e6e630808
Don't provision occ script on every machine
It only makes sense on 1
2022-01-21 22:28:13 +00:00
6db0500e1b
Provision remote f2b key with ansible 2022-01-21 22:11:49 +00:00
e8d4244946
Restart nebula, rather than reloading it
Reloading doesn't actually work it seems
2022-01-21 21:52:48 +00:00
af396a21cb
Provision a new caseyon Linode 2022-01-21 21:52:21 +00:00
188b7c9dd6
Install wireguard tools before provisioning config 2022-01-21 20:29:34 +00:00
c1319a134a
Forget snapshots in groups by host
By default, it includes the path, which means path changes result in very old snapshots

https://twitter.com/RealOrangeOne/status/1484217495124852748
2022-01-20 17:43:56 +00:00
1db289b604
Show domain in logs rather than upstream
The upstream is always the same, and no use to us
2022-01-19 09:00:20 +00:00
9404f71dc6
Remove old DB backups dir from backups 2022-01-16 17:56:45 +00:00
a07b1dbad5
Ensure grimes backs up its databases 2022-01-16 17:56:13 +00:00
5cc552d0eb
Add container to automatically backup DBs 2022-01-16 17:51:03 +00:00
6c0314b758
Add an nginx container to do crazy things with traefik 2022-01-16 14:08:38 +00:00
d5c7d94ac8
Run traefik as dockeruser, and without host networking
This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure!
2022-01-15 23:44:06 +00:00
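The three pieces the commit message above lists (port forwarding, a Docker socket proxy, and a dedicated Docker network) fit together as below. This is an added illustration, not the repository's own configuration: the image names, the `1000:1000` uid/gid for the unprivileged user, the network names and the high listening ports are all assumptions, and `tecnativa/docker-socket-proxy` is used here as one possible socket proxy.

```yaml
# Added example: Traefik as a non-root user, no host networking, and no
# raw /var/run/docker.sock inside the Traefik container.
# Image tags, uid/gid, network names and ports are assumptions.
services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      # The Docker provider only needs to list containers and read their
      # labels. Every other API group (EXEC, POST, VOLUMES, ...) stays at the
      # image default of 0, so a compromised Traefik cannot start, exec into
      # or mount volumes from other containers.
      CONTAINERS: "1"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-proxy          # never published; only Traefik can reach port 2375

  traefik:
    image: traefik:v2.6
    user: "1000:1000"         # assumed uid/gid of the unprivileged "dockeruser"
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://docker-proxy:2375
      - --providers.docker.exposedByDefault=false
      # An unprivileged process cannot bind ports below 1024, so listen high
      # and let Docker's port forwarding map 80/443 onto them.
      - --entrypoints.web.address=:8080
      - --entrypoints.websecure.address=:8443
    ports:
      - "80:8080"
      - "443:8443"
    networks:
      - docker-proxy
      - web                   # application containers join this network
    depends_on:
      - docker-proxy

networks:
  docker-proxy:
    internal: true            # no route out; carries only traefik <-> proxy traffic
  web:
```

Two caveats a reviewer would raise: `CONTAINERS=1` still exposes every container's inspect output, including environment variables, to anything that can reach the proxy, so the `docker-proxy` network must stay unpublished and `internal`; and dropping host networking means Traefik sees the Docker-forwarded source address unless the real client IP is carried in by proxy protocol or `X-Forwarded-For` from an upstream edge.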
1348eb8b1c
Prevent yourls redirect page being indexed 2022-01-11 21:20:23 +00:00
89a99d2db2
Make ansible a dev dependency
It's required by `ansible-lint` to work properly
2022-01-11 21:19:02 +00:00
c5215e330b
Update yamllint to fix dependency issue
I think this still validates everything we need it to
2022-01-11 20:51:12 +00:00
cf0e718bfb
Migrate decker services to linode
Mostly just uptime-kuma
2022-01-11 09:07:48 +00:00
41289ab359
Reduce ZFS memory usage to 5GB
That's still more than 1GB per usable TB of space. Should really be ample
2022-01-08 12:29:35 +00:00
1f6c6858e5
Fix NTP timesyncd issue
https://github.com/geerlingguy/ansible-role-ntp/pull/110
2022-01-08 12:29:13 +00:00
02cfd37a02
Update uptime-kuma 2022-01-08 12:18:25 +00:00
1a74e05a7c
Create a dedicated machine for renovate
This way it can do what it wants with docker. Because apparently it's very picky about how it's set up
2022-01-01 22:59:13 +00:00
78b0161585
Install renovate
It doesn't quite work, as really it needs docker to correctly update packages. But it's a start for now
2022-01-01 18:23:32 +00:00
b81f250d02
Update clickhouse config to reference new tables to remove 2021-12-29 17:34:07 +00:00
062c4a25fb
Keep just 2 weeks of backrest logs
That's ample
2021-12-28 12:57:57 +00:00
711d78bfd3
Only try and rotate the log files
Previously, this was also rotating the compressed logs, for some reason
2021-12-28 12:57:08 +00:00
3a7d2194cc
Update tt-rss DB to postgres 14 2021-12-22 22:39:46 +00:00
66c48c4a69
Remove old domain for vaultwarden
It's been long enough
2021-12-22 15:41:14 +00:00
e6ecffdf62
Update vaultwarden DB to postgres 14 2021-12-22 15:33:40 +00:00
ec9ca428a3
Update synapse DB to postgres 14 2021-12-22 15:24:37 +00:00
fbdbc8afb5
Update quassel DB to postgres 14 2021-12-22 13:17:01 +00:00
da41fcd7bc
Update grafana DB to postgres 14 2021-12-22 13:10:06 +00:00
6681ad43fb
Update plausible DB to postgres 14 2021-12-22 12:57:49 +00:00
31b7811b1f
Use new clickhouse docker repository 2021-12-22 12:01:25 +00:00
b6a0fdfd1d
Unpin the version of yourls
It's a very simple, non-critical application, which I keep forgetting to update
2021-12-21 21:48:41 +00:00
1c645fa106
Update yourls mariadb to 10.7 2021-12-21 21:40:56 +00:00
c5beb223be
Update clickhouse to 21.12 2021-12-21 21:31:53 +00:00
0734ff42d8
Move grafana variables to vault file 2021-12-21 20:22:47 +00:00
7b6675a9d0
Move gitlab variables to single vault 2021-12-21 20:12:05 +00:00
4cbc15fe0b
Move gitlab runner secrets to dedicated vault 2021-12-21 20:00:54 +00:00
66662594d0
Extract plausible secrets to dedicated vault 2021-12-21 19:57:43 +00:00
fcda77e750
Extract vault items from host vars 2021-12-21 19:36:52 +00:00
0b352e22d1
Merge all group vars into single vault file
This will make tracking down where a secret is defined much simpler
2021-12-21 18:04:03 +00:00
dce7c782ec
Move wireguard keys into a separate vault file 2021-12-21 17:58:52 +00:00
3f37cd4448
Be quiet on interpreter warnings
It works fine, I don't need to be screamed at
2021-12-20 21:17:42 +00:00
8d40a49780
Move traefik pages secret into full vault file
Trialing a new pattern for vault storage
2021-12-20 21:17:25 +00:00
9e473265a5
Read vault password from bitwarden instead of filesystem
https://theorangeone.net/posts/ansible-vault-bitwarden/
2021-12-20 17:25:18 +00:00
b50659ab5d
Update nextcloud to 23 2021-12-19 21:18:09 +00:00
a5329665c0
Update vaultwarden to 1.23.1 2021-12-15 20:21:01 +00:00
9834a45ec5
Update uptime-kuma to 1.11.1 2021-12-15 20:20:50 +00:00
699673c3b5
Update Synapse to 1.49.0 2021-12-15 20:19:51 +00:00
9e899d0f52
Update nebula to 1.5.2 2021-12-15 20:18:25 +00:00
bbfd872a24
Mount the whole host into the restic LXC, so I can backup PVE config 2021-12-11 13:17:58 +00:00
4452cc4eeb
Update synapse to 1.47.1 2021-11-23 22:04:42 +00:00
eed75d8648
Mount homeassistant data into restic for external backup 2021-11-21 21:53:35 +00:00
47bcbd855e
Update nextcloud to 22.2.3 2021-11-16 21:04:54 +00:00
5c0987de4d
Update uptime-kuma 2021-11-15 20:26:29 +00:00
e1205564cb
Update nebula to 1.5.0 2021-11-15 20:26:20 +00:00
ccaff503da
Move decker from AMS to Paris
The AMS DC has a bit of a flaky network connection, which isn't what you want for monitoring.
2021-11-06 16:45:09 +00:00
64695c3be1
Don't pipe data into curl for healthchecks
See https://github.com/IronicBadger/ansible-role-snapraid/pull/9
2021-11-04 16:46:59 +00:00
ef22a43293
Update uptime-kuma to fix security issue 2021-10-29 21:52:09 +01:00
1b4d5de701
Rename plausible embed router
There's nothing really "bare" about it
2021-10-29 20:47:02 +01:00
0cb2a70d24
Upgrade Plausible to 1.4 2021-10-29 20:46:28 +01:00
090745456f
Update vaultwarden to 1.23.0 2021-10-23 16:24:42 +01:00
41fadd892e
Update uptime-kuma 2021-10-23 16:24:29 +01:00
4cdaba4692
Swap certificates for wildcards 2021-10-18 21:59:10 +01:00
ebb571bf20
Increase GC frequency to work around restic's high memory usage
https://github.com/restic/restic/issues/1988
2021-10-15 12:39:16 +01:00
6cc7d0b89e
Update synapse 2021-10-14 18:34:49 +01:00
31208856c2
Pin uptime-kuma version
It's pretty important now
2021-10-14 18:34:00 +01:00
6f0d4b60df
Run more web processes for tt-rss 2021-10-03 16:45:18 +01:00
c867efbe3b
Use alternative container registries where available 2021-10-03 16:26:10 +01:00
3727dd473c
Update synapse to 1.43 2021-10-01 21:17:13 +01:00
7fd176466d
Update nextcloud to 22.2.0
Required quite some hacks around federatedfilesharing app not wanting to update
2021-10-01 20:52:07 +01:00
4293d030d4
Don't lint globally installed roles 2021-09-27 14:50:08 +01:00
4db474034e
Ignore my VMs from a fail2ban 2021-09-27 14:49:56 +01:00
7e2d01c612
Change domain
Now there's a status page, we can consider it public
2021-09-25 21:34:18 +01:00
3daf939b32
Update uptime-kuma container
Now does user management itself
2021-09-25 21:08:42 +01:00
8a37a9d41b
Move uptime-kuma to decker 2021-09-25 21:03:56 +01:00
a135aae5f3
Provision new VM
This will be used for monitoring
2021-09-25 16:59:23 +01:00
48934ad2c5
Apply gzip to everything
The middleware is smart enough to only apply it when needed, and only when it's not already compressed, so it's fine.
2021-09-19 22:48:48 +01:00
83ed8879dc
Correctly set smtp user for GitLab
The user and from are different in my case.
2021-09-19 22:34:40 +01:00
178ca6b2c4
Add privatebin config
Disable super long expirations, among other things
2021-09-19 19:29:05 +01:00
d70f450e2d
Change forget resolution to 30d
Restic is really annoying with its retention arguments, not really allowing what I want, so this is the easiest way to get decent retention.
2021-09-07 22:04:23 +01:00
0a8167c839
Remove stray expose
Traefik picks up the port just fine
2021-09-07 21:04:19 +01:00
eedba465c4
Update synapse 2021-09-07 21:04:04 +01:00
a866938207
Fix hostname of restic server 2021-09-06 21:07:10 +01:00
2db8ca5059
Add basic auth to dokku 2021-09-05 23:11:28 +01:00
a278443850
Use auto on nginx configs
Let nginx work it out, and default to 1 per core
2021-09-04 22:41:30 +01:00
6e25403b3d
Update synapse to 1.41.1 2021-08-31 19:08:38 +01:00
86e9d12ce6
Update nextcloud to 22.1.1 2021-08-31 19:03:19 +01:00
c2cd2e6e34
Add backups for grimes 2021-08-30 21:50:55 +01:00
07b2ea2ccb
Add the ability to exclude certain paths from backup 2021-08-30 21:49:58 +01:00
259b0ca7a6
Use upstream telegraf role
https://github.com/rossmcdonald/telegraf/pull/54 shipped
2021-08-30 21:22:26 +01:00
dcbe6e8e72
Use upstream version of ansible-role-snapraid
https://github.com/IronicBadger/ansible-role-snapraid/pull/7 shipped
2021-08-30 21:21:58 +01:00
95216b32c4
Consolidate server blocks 2021-08-24 14:31:12 +01:00
453a374801
Replace ingress proxy with nginx
This enables HTTPS redirecting at it much more easily too, and matches the gateway configuration.

Requires using upstream versions of nginx to enable https://nginx.org/en/docs/stream/ngx_stream_realip_module.html
2021-08-24 14:21:51 +01:00
f14e723d40
Fix service name on ingress
It's not alpine
2021-08-24 11:52:35 +01:00
601b916b43
Remove deprecated clients from wireguard server
I use nebula now for all that
2021-08-24 11:14:04 +01:00
edc5c325b7
Correctly check hostname against PVE hosts
Some of the hostnames have `-` in them instead, which caused issues with the SSH config detecting which users to allow
2021-08-23 19:56:04 +01:00
ecb946bab4
Remove nginx version from headers 2021-08-23 16:12:34 +01:00
93cba46dd1
Redirect to HTTPS at the edge 2021-08-23 16:10:37 +01:00
a54d373526
Replace edge proxy with nginx
The config makes more sense, and it has more of the features I need, which will come later.
2021-08-22 22:35:09 +01:00
23fc7bbb12
Use slightly less memory for ZFS 2021-08-22 15:58:49 +01:00
1d5616a36f
Update roles so they support newer Debian versions
I'm monitoring the PRs, don't worry
2021-08-22 15:22:11 +01:00
8fabd11e31
Remove unnecessary pve role
no-subscription is handled by the nag removal role
2021-08-22 15:20:27 +01:00
f0a3585592
Use distribution name in repo URL 2021-08-22 14:44:34 +01:00
0874158a91
Update traefik to 2.5 2021-08-22 11:16:37 +01:00
c04e8b628a
Update synapse to 1.40.0 2021-08-22 11:16:19 +01:00
c99afdd446
Disable gzip on qbittorrent egress
It's mostly used over the internal network, so the additional gzip isn't going to gain anything when the disk is the bottleneck
2021-08-21 16:46:21 +01:00
55e3b81f06
Install release version of gitlab-dater onto GitLab server
Rather than the hacky development one I was using before
2021-08-10 22:51:12 +01:00
e421657619
Ensure restic gets the correct permissions when it's updated
Yes it's weird to modify the system package like this, but it's very handy.

See also https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
2021-08-10 08:45:59 +01:00
ab46c30df2
Start graphing some speeds 2021-08-07 10:59:42 +01:00
d0e472b51a
Update synapse to 1.39.0 2021-08-06 18:20:48 +01:00
11bf501d8a
Update nextcloud to 22.1.0 2021-08-06 18:20:38 +01:00
9755974647
Update vaultwarden to 1.22.2 2021-08-06 18:17:22 +01:00
f3bc72d2ba
Provision uptime-kuma 2021-07-31 16:43:12 +01:00
1399529a47
Move stray storage to tank 2021-07-17 20:32:26 +01:00
8f831c8191
Update synapse to 1.37.1 2021-07-11 20:20:56 +01:00
501fe81979
Update nextcloud to v22 2021-07-11 20:20:48 +01:00
3daf3ef8ed
Pin clickhouse to 21.6
21.7 doesn't work
2021-07-11 16:11:09 +01:00
b2d226300b
Update nextcloud to 21.0.3 2021-07-04 21:17:03 +01:00
19eb233ffa
Update vaultwarden to 1.22.1 2021-07-03 11:27:27 +01:00
797c44a27d
Use proxy protocol v2
Apparently it's better for chaining, and may be faster anyway
2021-07-01 22:28:25 +01:00
b6adc53746
Revert "Capture stderr in logs, too"
This reverts commit 8696f6d93f.

Yeah, this doesn't work. Syntax and intention.
2021-06-28 08:33:08 +01:00
41a8fe3b4d
Use logrotate for backrest logging rather than nuking immediately
Just in case something goes wrong with healthchecks
2021-06-27 10:58:01 +01:00
8696f6d93f
Capture stderr in logs, too 2021-06-27 10:53:13 +01:00
1c07534c40
Stop resetting dokku hostname to default 2021-06-26 21:27:39 +01:00
40e785de38
Add yet more metric sources 2021-06-26 12:52:55 +01:00
32f17908ad
Collect metrics on disk usage 2021-06-26 12:36:00 +01:00
77d2b82761
Add healthchecks for snapraid 2021-06-26 11:45:56 +01:00
18603d726e
Add username to proxmox-nag-removal role
Makes it obviously not one of mine
2021-06-25 22:47:21 +01:00
09a010f28e
Version snapraid config
Using fork of role at https://github.com/IronicBadger/ansible-role-snapraid/pull/7
2021-06-25 22:43:26 +01:00
b82e87c04b
Remove unnecessary which
`cron` doesn't need a full path
2021-06-25 20:57:19 +01:00
50c5ed68e3
Install some dokku plugins 2021-06-22 22:57:02 +01:00
83c84abc62
Use dokku role to install it
I also switched the host to debian, as the arch install didn't quite work.
2021-06-22 22:08:01 +01:00
9296c88ae4
Remove date from DB backups 2021-06-20 15:23:15 +01:00
bb5bbf16f5
Remove alpine special case
https://github.com/ansible-collections/community.general/pull/1722 has shipped.
2021-06-20 12:43:59 +01:00
8948437b66
Use official extension 2021-06-20 12:39:58 +01:00
e3502ae1e0
Provision dokku server 2021-06-20 12:12:34 +01:00
b20ffb27c4
Remove gotify
Never used it
2021-06-12 19:00:39 +01:00
4e5fa59c58
Add redis
This isn't really used as a cache, but it is for a couple of bits, so nice to enable it anyway, and it might become so in future
2021-06-12 18:53:50 +01:00
290b147821
Thin out synapse config
Previously it was the vast majority of code in the whole repo. Now we only define the necessary keys, and rely much more on defaults, which is nice!
2021-06-12 18:49:29 +01:00
47e546d51a
Add synapse-admin
Useful to see what's going on on the server
2021-06-12 18:09:18 +01:00
3485f8e1f0
Actually version the ingress haproxy config 2021-06-12 17:32:47 +01:00
33fcf1a9e5
Fix matrix federation
Apparently this has been broken since like March...

It seems communication over port 8448 is required for server-to-server
comms, even if the client doesn't use it.
2021-06-12 17:32:47 +01:00