change directory structure

2023-04-13 17:24:01 +02:00 · 2023-04-13 17:24:01 +02:00 · 9eb52229f1
commit 9eb52229f1
parent b89713643d
83 changed files with 0 additions and 0 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -0,0 +1,8 @@
+[defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+
+[diff]
+always = True
--- a/ansible/inventory/host_vars/max.yml
+++ b/ansible/inventory/host_vars/max.yml
@ -0,0 +1,11 @@
+base_data_dir: /mnt/data
+base_service_dir: /srv
+
+# Additional open ports
+jitsi_videobridge_port: 54562
+git_ssh_port: 56287
+prometheus_port: 8081
+traefik_api_port: 8080
+internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
+
+domain_name_pim: pim.kunis.nl
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@ -0,0 +1,5 @@
+all:
+  hosts:
+    max:
+      ansible_user: root
+      ansible_host: max.dmz
--- a/ansible/max.yml
+++ b/ansible/max.yml
@ -0,0 +1,39 @@
+- name: Setup homeserver
+  hosts: max
+  gather_facts: no
+
+  pre_tasks:
+  - name: Wait for host to come up
+    tags: always
+    block:
+    - name: Wait for SSH connection
+      wait_for:
+        state: started
+        port: 22
+        host: max.dmz
+        timeout: 300
+        connect_timeout: 300
+        search_regex: OpenSSH
+      delegate_to: localhost
+    - name: Wait for cloud-init to finish
+      shell:
+        cmd: "cloud-init status --wait"
+      register: cloudinit
+      changed_when: "'..' in cloudinit.stdout"
+    - name: Gather facts
+      setup:
+
+  roles:
+    - {role: 'watchtower', tags: 'watchtower'}
+    - {role: 'forgejo', tags: 'forgejo'}
+    - {role: 'syncthing', tags: 'syncthing'}
+    - {role: 'kms', tags: 'kms'}
+    - {role: 'cyberchef', tags: 'cyberchef'}
+    - {role: 'radicale', tags: 'radicale'}
+    - {role: 'mastodon', tags: 'mastodon'}
+    - {role: 'seafile', tags: 'seafile'}
+    - {role: 'jitsi', tags: 'jitsi'}
+    - {role: 'freshrss', tags: 'freshrss'}
+    - {role: 'static', tags: 'static'}
+    - {role: 'inbucket', tags: 'inbucket'}
+    - {role: 'prometheus', tags: 'prometheus'}
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -0,0 +1,17 @@
+- name: APT upgrade
+  apt:
+    autoremove: true
+    upgrade: yes
+    state: latest
+    update_cache: yes
+    cache_valid_time: 86400 # One day
+- name: Create base service directory
+  file:
+    path: "{{ base_service_dir }}"
+    state: directory
+- name: Delete externally managed environment file
+  shell:
+    cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+  register: rm
+  changed_when: "rm.rc == 0"
+  failed_when: "false"
--- a/ansible/roles/cyberchef/files/docker-compose.yml
+++ b/ansible/roles/cyberchef/files/docker-compose.yml
@ -0,0 +1,22 @@
+version: "3.7"
+
+services:
+   cyberchef-server:
+      image: mpepping/cyberchef
+      container_name: cyberchef
+      restart: always
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.cyberchef.entrypoints=websecure
+        - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
+        - traefik.http.routers.cyberchef.tls=true
+        - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
+        - traefik.http.services.cyberchef.loadbalancer.server.port=8000
+        - traefik.http.routers.cyberchef.service=cyberchef
+        - traefik.docker.network=traefik
+      networks: 
+        - traefik
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/cyberchef/meta/main.yml
+++ b/ansible/roles/cyberchef/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  
--- a/ansible/roles/cyberchef/tasks/main.yml
+++ b/ansible/roles/cyberchef/tasks/main.yml
@ -0,0 +1,14 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+
--- a/ansible/roles/cyberchef/vars/main.yml
+++ b/ansible/roles/cyberchef/vars/main.yml
@ -0,0 +1,2 @@
+service_name: cyberchef
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/roles/docker/files/daemon.json
+++ b/ansible/roles/docker/files/daemon.json
@ -0,0 +1,7 @@
+{
+"default-address-pools":
+[
+{"base":"10.204.0.0/16","size":24}
+
+]
+}
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@ -0,0 +1,41 @@
+- name: Install Docker prerequisites
+  apt:
+    pkg:
+      - ca-certificates
+      - curl
+      - gnupg
+      - lsb-release
+      - python3-pip
+- name: Add Docker APT key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    keyring: /etc/apt/keyrings/docker.gpg
+- name: Add Docker repository
+  apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+  register: apt_repository
+- name: Update APT cache
+  apt:
+    update_cache: true
+  when: apt_repository.changed
+- name: Install Docker packages
+  apt:
+    pkg:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+- name: Install Docker modules for Python
+  pip:
+    name:
+      - docker
+      - docker-compose
+- name: Copy daemon.json
+  copy:
+    src: "{{ role_path }}/files/daemon.json"
+    dest: /etc/docker/daemon.json
+- name: Start Docker
+  systemd:
+    name: docker
+    enabled: true
+    state: started
--- a/ansible/roles/firewall/tasks/main.yml
+++ b/ansible/roles/firewall/tasks/main.yml
@ -0,0 +1,16 @@
+- name: Install firewalld
+  apt:
+    pkg:
+      - firewalld
+    state: latest
+    update_cache: true
+- name: Allow SSH
+  firewalld:
+    service: ssh
+    permanent: yes
+    state: enabled
+- name: Start firewalld
+  systemd:
+    enabled: true
+    name: sshd
+    state: started
--- a/ansible/roles/forgejo/meta/main.yml
+++ b/ansible/roles/forgejo/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/forgejo/tasks/main.yml
+++ b/ansible/roles/forgejo/tasks/main.yml
@ -0,0 +1,31 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+    owner: 1000
+    group: 1000
+- name: Copy conf directory
+  file:
+    path: "{{ service_dir }}/conf"
+    state: directory
+    owner: 1000
+    group: 1000
+- name: Copy app.ini
+  template:
+    src: "{{ role_path }}/templates/app.ini.j2"
+    dest: "{{ service_dir }}/conf/app.ini"
+  register: config
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+    restarted: "{{ config.changed }}"
--- a/ansible/roles/forgejo/templates/app.ini.j2
+++ b/ansible/roles/forgejo/templates/app.ini.j2
@ -0,0 +1,103 @@
+APP_NAME = Forgejo: Beyond coding. We forge.
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_BRANCH = master
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH    = /data/gitea
+DOMAIN           = {{ git_domain }}
+SSH_DOMAIN       = {{ git_domain }}
+HTTP_PORT        = 3000
+ROOT_URL         = {{ forgejo.root_url }}
+DISABLE_SSH      = false
+SSH_PORT         = {{ git_ssh_port }}
+SSH_LISTEN_PORT  = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET   = {{ forgejo.lfs_jwt_secret }}
+OFFLINE_MODE     = false
+
+[database]
+PATH     = /data/gitea/gitea.db
+DB_TYPE  = sqlite3
+HOST     = localhost:3306
+NAME     = gitea
+USER     = root
+PASSWD   = 
+LOG_SQL  = false
+SCHEMA   = 
+SSL_MODE = disable
+CHARSET  = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER        = file
+
+[picture]
+AVATAR_UPLOAD_PATH            = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+ENABLE_FEDERATED_AVATAR       = false
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE      = console
+LEVEL     = info
+ROUTER    = console
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK                  = true
+SECRET_KEY                    = 
+REVERSE_PROXY_LIMIT           = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN                = {{ forgejo.internal_token }}
+PASSWORD_HASH_ALGO            = pbkdf2
+
+[service]
+DISABLE_REGISTRATION              = true
+REQUIRE_SIGNIN_VIEW               = false
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED   = true
+SMTP_ADDR = {{ forgejo.mailer_host }}
+SMTP_PORT = 587
+FROM      = {{ forgejo.mailer_from }}
+USER      = 
+PASSWD    = 
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[ui]
+DEFAULT_THEME = forgejo-light
--- a/ansible/roles/forgejo/templates/docker-compose.yml.j2
+++ b/ansible/roles/forgejo/templates/docker-compose.yml.j2
@ -0,0 +1,36 @@
+version: "3"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  server:
+    image: codeberg.org/forgejo/forgejo:1.18
+    container_name: forgejo
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - "{{ internal_forgejo_port }}:3000"
+    volumes:
+      - {{ data_dir }}:/data
+      - {{ service_dir }}/conf:/data/gitea/conf
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.forgejo.entrypoints=websecure
+      - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
+      - traefik.http.routers.forgejo.tls=true
+      - traefik.http.routers.forgejo.tls.certresolver=letsencrypt
+      - traefik.http.routers.forgejo.service=forgejo
+      - traefik.http.services.forgejo.loadbalancer.server.port=3000
+
+      - traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)
+      - traefik.tcp.routers.forgejo-ssh.entrypoints=ssh
+      - traefik.tcp.routers.forgejo-ssh.service=forgejo-ssh
+      - traefik.tcp.services.forgejo-ssh.loadbalancer.server.port=22
--- a/ansible/roles/forgejo/vars/main.yml
+++ b/ansible/roles/forgejo/vars/main.yml
@ -0,0 +1,29 @@
+service_name: forgejo
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+git_domain: "git.{{ domain_name_pim }}"
+
+
+forgejo:
+  root_url: "https://{{ git_domain }}"
+  mailer_host: "smtp.tweak.nl"
+  mailer_from: "git@kunis.nl"
+  lfs_jwt_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          66613032363837346461326131303839646332646233633736623865346135623739343233396165
+          6530326162323466623939393133623336366466343837620a613532616365646137326138383235
+          32313264653262656564336531646662323039623865393366616536633531306430336137313862
+          3361373539373561390a653236306433393737616561306236343362396438366134313032656233
+          35626364373961613361366138383566353463626136393861383934326263383336393766623063
+          3434656437663165376635326139383065383861386133623765
+  internal_token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62633334656235613035343830326237633637626639363465313861323734393766636464303862
+          3936306561343863316630616164616537323537333262650a336337303232623832636666353038
+          64313134383330646537356432383332386238373835656663313431373939373630373566396339
+          6561643037383666340a643464326531623731303564646464376239613263643761643766623930
+          37623362326561346262306331376663313661633635323435333339396138383134303364306532
+          37353264363737643965643932356336633734316534303262336461313038626538396536333964
+          36353635323731353061393430656166363263366437313434336139616666326335633037663336
+          37353665613938613731316330396461343632643039643864343164303937613263343262623964
+          33366364636339623633653035313736653563363064646233383437373431373232
--- a/ansible/roles/freshrss/meta/main.yml
+++ b/ansible/roles/freshrss/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/freshrss/tasks/main.yml
+++ b/ansible/roles/freshrss/tasks/main.yml
@ -0,0 +1,17 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
--- a/ansible/roles/freshrss/templates/docker-compose.yml.j2
+++ b/ansible/roles/freshrss/templates/docker-compose.yml.j2
@ -0,0 +1,35 @@
+version: "2.4"
+
+services:
+  freshrss:
+    image: freshrss/freshrss:edge
+    container_name: freshrss
+    restart: unless-stopped
+    networks:
+      - traefik
+    logging:
+      options:
+        max-size: 10m
+    volumes:
+      - {{ data_dir }}/data:/var/www/FreshRSS/data
+      - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
+    environment:
+      TZ: Europe/Amsterdam
+      CRON_MIN: '2,32'
+      FRESHRSS_ENV: development
+      ADMIN_EMAIL: pim@kunis.nl
+      ADMIN_PASSWORD: {{ admin_password }}
+      ADMIN_API_PASSWORD: {{ admin_password }}
+      PUBLISHED_PORT: 443
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.freshrss.entrypoints=websecure
+      - traefik.http.routers.freshrss.rule=Host(`{{ rss_domain }}`)
+      - traefik.http.routers.freshrss.tls=true
+      - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
+      - traefik.http.routers.freshrss.service=freshrss
+      - traefik.http.services.freshrss.loadbalancer.server.port=80
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/freshrss/vars/main.yml
+++ b/ansible/roles/freshrss/vars/main.yml
@ -0,0 +1,12 @@
+service_name: freshrss
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+rss_domain: "rss.{{ domain_name_pim }}"
+admin_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38363734333534376665616439306566613632303739373661333338356533653334323366326130
+          3031316133383432366639613565656134666338326639360a633263363066613964643665316334
+          63373830663239393137653131326630326465343333346430376536393162383836333130353562
+          3336306561636134650a646433633063316431643466326161303666313765323034343233646566
+          66613330616463346561343561616438643763643465373839303861356133313831303338356430
+          6634653635383833303265316662663631376163636134666565
--- a/ansible/roles/inbucket/files/docker-compose.yml
+++ b/ansible/roles/inbucket/files/docker-compose.yml
@ -0,0 +1,11 @@
+version: "3.7"
+
+services:
+   kms-server:
+      image: inbucket/inbucket
+      container_name: inbucket
+      ports:
+        - 2500:2500
+        - 9000:9000
+      restart: always
+
--- a/ansible/roles/inbucket/meta/main.yml
+++ b/ansible/roles/inbucket/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  
--- a/ansible/roles/inbucket/tasks/main.yml
+++ b/ansible/roles/inbucket/tasks/main.yml
@ -0,0 +1,14 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+
--- a/ansible/roles/inbucket/vars/main.yml
+++ b/ansible/roles/inbucket/vars/main.yml
@ -0,0 +1,2 @@
+service_name: inbucket
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/roles/jitsi/meta/main.yml
+++ b/ansible/roles/jitsi/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/jitsi/tasks/main.yml
+++ b/ansible/roles/jitsi/tasks/main.yml
@ -0,0 +1,17 @@
+- name: Create Jitsi Meet app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy docker-compose.yml file
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create Jitsi Meet data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
--- a/ansible/roles/jitsi/templates/docker-compose.yml.j2
+++ b/ansible/roles/jitsi/templates/docker-compose.yml.j2
@ -0,0 +1,109 @@
+version: '3.5'
+
+services:
+    web:
+        image: jitsi/web:stable-8218
+        container_name: jitsi-web
+        restart: unless-stopped
+        volumes:
+            - {{ data_dir }}/web:/config:Z
+            - {{ data_dir }}/web/crontabs:/var/spool/cron/crontabs:Z
+            - {{ data_dir }}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+        environment:
+            - DISABLE_HTTPS=1
+            - ENABLE_AUTH=1
+            - ENABLE_GUESTS=1
+            - ENABLE_IPV6=1
+            - ENABLE_LETSENCRYPT=0
+            - PUBLIC_URL=https://{{ public_domain }}
+            - TZ=Europe/Amsterdam
+        networks:
+            - meet.jitsi
+            - traefik
+        labels:
+            - traefik.enable=true
+            - traefik.http.routers.jitsi-web.entrypoints=websecure
+            - traefik.http.routers.jitsi-web.rule=Host(`{{ public_domain }}`)
+            - traefik.http.routers.jitsi-web.tls=true
+            - traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt
+            - traefik.http.services.jitsi-web.loadbalancer.server.port=80
+            - traefik.http.routers.jitsi-web.service=jitsi-web
+            - traefik.docker.network=traefik
+
+    prosody:
+        image: jitsi/prosody:stable-8218
+        container_name: jitsi-xmpp
+        restart: unless-stopped
+        expose:
+            - '5222'
+            - '5347'
+            - '5280'
+        volumes:
+            - {{ data_dir }}/prosody/config:/config:Z
+            - {{ data_dir }}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+        environment:
+            - AUTH_TYPE=internal
+            - ENABLE_AUTH=1
+            - ENABLE_GUESTS=1
+            - ENABLE_IPV6=1
+            - ENABLE_LOBBY=1
+            - JIBRI_RECORDER_PASSWORD={{ jibri_recorder_password }}
+            - JIBRI_XMPP_PASSWORD={{ jibri_xmpp_password }}
+            - JICOFO_AUTH_PASSWORD={{ jicofo_auth_password }}
+            - JIGASI_XMPP_PASSWORD={{ jigasi_xmpp_password }}
+            - JVB_AUTH_PASSWORD={{ jvb_auth_password }}
+            - PUBLIC_URL=https://{{ public_domain }}
+            - TZ=Europe/Amsterdam
+        networks:
+            meet.jitsi:
+                aliases:
+                    - xmpp.meet.jitsi
+
+    jicofo:
+        image: jitsi/jicofo:stable-8218
+        container_name: jitsi-focus
+        restart: unless-stopped
+        volumes:
+            - {{ data_dir }}/jicofo:/config:Z
+        environment:
+            - AUTH_TYPE=internal
+            - ENABLE_AUTH=1
+            - JICOFO_AUTH_PASSWORD={{ jicofo_auth_password }}
+            - SENTRY_DSN=0
+            - TZ=Europe/Amsterdam
+        depends_on:
+            - prosody
+        networks:
+            meet.jitsi:
+
+    jvb:
+        image: jitsi/jvb:stable-8218
+        container_name: jitsi-videobridge
+        restart: unless-stopped
+        ports:
+          - '{{ jitsi_videobridge_port }}:{{ jitsi_videobridge_port }}/udp'
+        volumes:
+            - {{ data_dir }}/jvb:/config:Z
+        environment:
+            - JVB_ADVERTISE_IPS={{ jvb_advertise_ips }}
+            - JVB_AUTH_PASSWORD={{ jvb_auth_password }}
+            - JVB_PORT={{ jitsi_videobridge_port }}
+            - PUBLIC_URL=https://{{ public_domain }}
+            - SENTRY_DSN=0
+            - COLIBRI_REST_ENABLED=0
+            - TZ=Europe/Amsterdam
+        depends_on:
+            - prosody
+        networks:
+            meet.jitsi:
+        labels:
+            - traefik.enable=true
+            - traefik.udp.routers.jitsi-videobridge.rule=HostSNI(`*`)
+            - traefik.udp.routers.jitsi-videobridge.entrypoints=video
+            - traefik.udp.routers.jitsi-videobridge.service=jitsi-videobridge
+            - traefik.udp.services.jitsi-videobridge.loadbalancer.server.port={{ jitsi_videobridge_port }}
+
+networks:
+    meet.jitsi:
+    traefik:
+      external: true
--- a/ansible/roles/jitsi/vars/main.yml
+++ b/ansible/roles/jitsi/vars/main.yml
@ -0,0 +1,47 @@
+service_name: jitsi
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+
+public_domain: "meet.{{ domain_name_pim }}"
+jvb_advertise_ips: "84.245.14.149,192.168.30.3"
+
+jvb_auth_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          32613939646334396165386233353938306165326532336564343762616465323734653564353939
+          6363616139653932326436656530613661326135303738370a653530663733343431663535373663
+          64656565386266613463623036346438636635343061623533343434663131623334333661363135
+          3633646237393563610a353763333332653462653136373139666566333062386265633234613065
+          32616565303764646365653165663862383233643839663563353838663663636332323939373665
+          6131666537326333326332383164333730623865646639353230
+jibri_recorder_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65386136383631626262393861313161363563376662623964633138376462386366353035363930
+          6637353263633731613037623030646365613364303232620a646366356338383665316432613965
+          35613636343832623731646161373938343866616230613461373964303566323761663536376466
+          6365616132373532350a316639383266393835636233626562636466663737386234333362663066
+          65353534303835636430306536653062636466303265623836643030323237323332353431343066
+          6138383630643735393565363931343162383963343635336138
+jibri_xmpp_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34323665313961613830346662346137643339316237316532646330393366373236323036373035
+          3530376164303730643832393865643231316537303133340a383562633937353139646231343265
+          33353933633463373366383236643364366631663136313164643231366537303437653962656166
+          3031333735346538370a616539323531653734663533303463623865613739373433656537613636
+          39306363313264306535666237376561633439666232303338343832303637366237323339373431
+          6131333434393931613437383061653238656165356136306331
+jicofo_auth_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          39613461623132346632623664633866356261653737393534366665653966623437323962636430
+          3230656535333631333661653263343663323732376562350a616662353030646164336231366239
+          32373263303962646232383539656435633436633137383837633162363232336134346461386165
+          3633613665393264640a323030666235366363313532623732623862346433343336343035663661
+          63326636386330363362313665643466373935363161383932623839373462613032326331366333
+          3661313266306166633532643333623266316631386532653834
+jigasi_xmpp_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35303333613961616236623134333063366261336239633836633435323235343864636237626136
+          3635356538663637656639323161316361663636323933370a326430333066383234643064303961
+          36393564646131313938363664636266653362373732656634653966663736313231613163313461
+          6565373230333635650a653630373339376637653634383733613531633535343438326631633739
+          31303966353235333533353730346135323438343266303431376563393330343563363432626639
+          3539636136386563376162383835346166663630633463336132
--- a/ansible/roles/kms/files/docker-compose.yml
+++ b/ansible/roles/kms/files/docker-compose.yml
@ -0,0 +1,9 @@
+version: "3.7"
+
+services:
+   kms-server:
+      image: teddysun/kms
+      container_name: kms
+      ports:
+         - 1688:1688
+      restart: always
--- a/ansible/roles/kms/meta/main.yml
+++ b/ansible/roles/kms/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  
--- a/ansible/roles/kms/tasks/main.yml
+++ b/ansible/roles/kms/tasks/main.yml
@ -0,0 +1,14 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+
--- a/ansible/roles/kms/vars/main.yml
+++ b/ansible/roles/kms/vars/main.yml
@ -0,0 +1,2 @@
+service_name: kms
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/roles/mastodon/files/.env.production
+++ b/ansible/roles/mastodon/files/.env.production
@ -0,0 +1,126 @@
+$ANSIBLE_VAULT;1.1;AES256
+33623964663363323234633464633463323862636234306262386163306633613537303434663137
+6234333035336362613132333830373865656531643062660a313234363335303635323261643063
+35633830616433306265616332616139656438303736363436396434626366393666666665343366
+3830326265393663640a313535353661653266616634643334623034626630376536313063633731
+66306333393064623939643330323639393134653761386131343738636235623364316139633536
+32306532663766663362623238386134663864393964353332366634613262346566303465343038
+66333836666236306139366138393136366566626636646335393336313439613335303935346638
+61623230663334353835376330366531343331663732613065333938613436343132326338643964
+62343665333163326631626231336535343363306631363464383039366563366537356637303065
+39393265393736326433656361646631363334356338316231343265663438623364613531646533
+62616133333731643761623133343435623836343662663132643430376636336531626539643563
+61323836633839353333313338666137646664663539383266386537623962373563326161373131
+36653337353563383065626564326666373836363830336263653535353361363761386530653033
+39656136313838303062366637346362346333353461356432306562336432353263303938326532
+62323437376334336332373131653461373164306533383865646262326163393337633366643832
+33326232353934323733613039393966366434336665623366386466303062633265396238663533
+35343335393766386563386538663133313763613736313330353963353936346236653663616363
+33373261626265633436353630333237326537393135636164306165616531613236333362303937
+32373331316466363965616339656235663436353165303432626636633335633431663231336463
+38336634636466373638666336373735356134383639323939333233343566616564366661393264
+39633664316134643637613133393466626134306437306431666365346238313261346661363361
+65333138333732626339363539363765373036356266366634613566393939636562616261316662
+65396532373037313761303136663365363138396633623430323038306236363362623564636333
+65343862356139343363343039666363386565396164353631656265356635373836313538373832
+38353537323830663362633635326132633632646234396238323338363632663661643237636562
+31336237353863333365313361646638643839393138346634623136373761323130333731343230
+61393662343631373332383566386333333662363661336433326634396561386632373965326138
+32643861333035316362313935393934636632616664653037356462303664333839633865343661
+65623961353038663330333539636335393030316562363935373430653233646533323363653932
+39303139323738313939633161653332323935366432383261306164666564626330633439643065
+62656464393466376162373666396439633464313662613238373163646234326465303332393431
+30363863313034626330636564616639376431623365323464316139326438336662653939633664
+37653930616433633266333265623938323638353533663932666432383866663362366530353837
+66643162616531623130663564343762363663353135633231666530663930393436316232343132
+66323130383935643232346535633830303266613232613232353561323839386235646231383130
+39323638663531306639373233376362336136396261306631646264663832383761373331323331
+35633466333063653136313433326164366666396237613465623237656162633731613037376333
+32616631386434663435343562633930623431666635623830626466343038333032383937336233
+37353536303262626562343030663934343638646638356333396263383135343634366232316431
+34363464386333656333643333666164633537323839313363663536623733373235616237646436
+31356533393332646463313932636238383161613264303439396464616633303430373938333664
+39306337353732306466633230333463613166636662326539393137643939656232663237613933
+65636638396138616339656434633237383237633431636365396236343165346661363330306433
+32653237333830663663333961336639613632373633366131666136616237623335373334363231
+34353039313431626266396134643434326366663638336363363430663065306432353130353662
+63313637333639383038386535646330663234343462646264316634336230343831663736383634
+64646430643337316432333639616431316130383564343466306365636234613964633538313336
+30323539396232386434656133633864313332373064306462353630393236303431336666353238
+30363638653137353165653537636166303238626237643334376432653732393930623638303363
+35383939353365303663356337653135353363383233393635303532323136663038623132646566
+34666463383361616661666133653230643166366631306339636339303561363438613264386662
+61303033323631373062303833326434633031363035366633323036313761646639326262333761
+62333834383664616163663039326465653365383063303939323438313134366265653564383539
+33646433353835353736343966363663366430323462363138626334656334316238633936336130
+66636437386363316365306637346537323263613133313239653633323039363463356666303035
+35333833326631623438383063393263363163363036333537313237356262326465373937363831
+30363462303231303931626138326661323561666436353865643961663737393332376665386337
+30666131623566336436373863366634316162393831366635353832323034356634653533366163
+61343461643633343261343536636131363262653361326661353636626131393766653463336439
+36313036376336633338346265383637383333653161383230633733313862643932383030633566
+64363164636264643365366630333439653466356339373237653636393361386565636433356136
+38656338313636663739343130363166333061653130303432353238633362366265663664356561
+36353332643738656231313037653135303233396632363338643666313039353431623233626336
+64363962323466363230303633633663343463333461303534346264346632353133313561323435
+61336634393262386339636232316365363338656633633064333331636163313432633337373434
+33393762393932656137383232616136396238613163323638323437633239656562396164383839
+66343064363663363938333631643661616536646130346136373930363635656131316334316430
+37613337366239633862326461663034383430373062366332663534653439306231636263353832
+38363262333365343539643331396633363361663239303064663163373837333164386430313333
+35653234366363306630303262663437346330353762633534616231633537326330623237393938
+63393531613431663663613164373636323766363430623761336533343238633136623866383432
+62363238636532646638656336313130626534326634663031636165636162313630383933306266
+61356533633661663364336261616363666436313532303736333836343466353165396163656561
+36643265653061356130393535646563633330366466343165336639633261306639393163313539
+37346236396130653462313333373738356366333832623337386538623639623432656338306339
+37363161663639656464373862386662656563316333623531323035383130396134313866663039
+65346561636235623761646436646261383936396263333235386134363466326331373166356361
+62383132323563303036653135633439366533323966616533616237313736306164653235303335
+65623763613662316132323064663264383133633361383833633766326333613265616530656638
+64323162336163613865623162336533396432336163313435623932323136653937653333323436
+33386637623730633037323838316430666331396230326439363032303336396336656139623564
+63326363393432313434653762623062656539333261633663396664656562333761383337393462
+37373361633732663131666231633366316238396233666339313263323933336362613062613463
+34383238323663636332663961656130336263333138303438623664376433656137363536376532
+39636663383365346335613635303238343633643531323931643236303662613065363836366162
+30613438316332333962383763613061636134313338626530373966373263663765626334303161
+62613966393434336437346132316239323934393532313637363531343637313962323435653437
+65303863333164383363386266386333363439666666616331393561373630613739643666313538
+33383434366364373334623237323766316362383663326633633737323336396462316361633563
+66646364666539333961303832303234373533663037666265626335343231393235386430633837
+36316432383936306535383235636233326439363533343461306431373139393361623935376331
+34613130633237363536366431323632346238356564633331326463636661353830663433636536
+34373339646265343437386430653436353662636235656632353039663634316131646330373636
+65346531373830343937333163613565663631326534653838346633383963626139343865356662
+36623331666330316330376637666536636538303739366237383830323534303335643866373336
+34363833636665616537313734366631633536306639313438633930333764643938376562326439
+62393561336161343461623761353230636230666233386363393566366662393966636638653730
+39646561366432363338383363383934633963626434613466326439643235653136383463653630
+33303738636139386331336639363337393936363338643438633233373732376339353566323264
+39343336383336303430323338393064323730656235343861363236336432376365396334366466
+61306362376261396133303237663561353066636462653634393839643966346134363431646636
+38396461666261343238383631623666636661393565373962323537623263313731353939313237
+34376638666531356537316437343834306530623538336666303132336236306533373238383330
+32303036336134663631336232393833613265373137373161336461643630396431326562383935
+39316631316263396263336661333237386536306438633435313565343362393035613464343132
+32303032666339666164393762343534633065616235303161666137653065646466363732653137
+62643536616636366233323864313230636366356162356462313931363030353630343737326137
+61313765636336613731363035626631633661383562623565383363643364393932326366393638
+33323135376461313362373937656435626633663166386636623335636130396562363833336431
+31656136316537633765616261333837646231646162323938333531353665613530626137623063
+62386561316135663933303531306630623736626465623630313265353630396166343331383333
+37623430653638636166623637643762376432323764616235323533386334656262343339323134
+30373539336436336635633265623130656336373661636265336530303335383965363732386236
+30353935393539313165653432343463353236323338366338346234306364303137663864653737
+65626533393262633131623965363332396430343637323939323935306531343561313334373232
+30366236633433396439653866666438343261396239323465623034363531643261323234353365
+61336330643932303566346332393630356232636463353833313264396535346266663933396162
+35636166616631373666613364633033323764613930663763346333633038333032386237343539
+31323835616338376464363764623637323430656431343864663034666436633537663362306262
+61613064376637323164643964626261346131303931343866373866373861663933626264343032
+36616437333561376165343364623835636431646131623661316438386239386635336661356164
+39613164376233616633303364303439376562363932366562343262653535663330376666643735
+65346130303436613132306231396265313361373534393430326366363563646430376236326563
+62666134356539663836653837646438343564656637643532313930313130333766383966663133
+34336463343935646338653463313933386639343230663866373665633635343731
--- a/ansible/roles/mastodon/meta/main.yml
+++ b/ansible/roles/mastodon/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/mastodon/tasks/main.yml
+++ b/ansible/roles/mastodon/tasks/main.yml
@ -0,0 +1,27 @@
+- name: Create Mastodon app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy .env.production
+  copy:
+    src: "{{ role_path }}/files/.env.production"
+    dest: "{{ service_dir }}/.env.production"
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+    mode: 0777
+- name: Create cache directory
+  file:
+    path: "{{ service_dir }}/cache"
+    state: directory
+    mode: 0777
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
--- a/ansible/roles/mastodon/templates/docker-compose.yml.j2
+++ b/ansible/roles/mastodon/templates/docker-compose.yml.j2
@ -0,0 +1,103 @@
+version: '3'
+services:
+  db:
+    restart: always
+    image: postgres:14-alpine
+    container_name: mastodon-db
+    shm_size: 256mb
+    networks:
+      - default
+    healthcheck:
+      test: ['CMD', 'pg_isready', '-U', 'postgres']
+    volumes:
+      - {{ data_dir }}/postgres14:/var/lib/postgresql/data
+    environment:
+      - 'POSTGRES_HOST_AUTH_METHOD=trust'
+      - 'POSTGRES_PASSWORD={{ mastodon_postgres_password }}'
+      - 'POSTGRES_DB=mastodon_production'
+      - 'POSTGRES_USER=mastodon'
+
+  redis:
+    restart: always
+    image: redis:7-alpine
+    container_name: mastodon-redis
+    networks:
+      - default
+    healthcheck:
+      test: ['CMD', 'redis-cli', 'ping']
+    volumes:
+      - {{ data_dir }}/redis:/data
+    environment:
+      - 'REDIS_PASSWORD={{ mastodon_redis_password }}'
+
+  web:
+    image: tootsuite/mastodon:v3.5.3
+    container_name: mastodon-web
+    restart: always
+    env_file: .env.production
+    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
+    networks:
+      - default
+      - traefik
+    healthcheck:
+      # prettier-ignore
+      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
+    depends_on:
+      - db
+      - redis
+    volumes:
+      - {{ data_dir }}/public/system:/mastodon/public/system
+      - {{ service_dir }}/cache:/mastodon/public/system/cache
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.mastodon.entrypoints=websecure
+      - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
+      - traefik.http.routers.mastodon.tls=true
+      - traefik.http.routers.mastodon.tls.certresolver=letsencrypt
+      - traefik.http.services.mastodon.loadbalancer.server.port=3000
+      - traefik.http.routers.mastodon.service=mastodon
+      - traefik.docker.network=traefik
+
+  streaming:
+    image: tootsuite/mastodon:v3.5.3
+    container_name: mastodon-streaming
+    restart: always
+    env_file: .env.production
+    command: node ./streaming
+    networks:
+      - default
+      - traefik
+    healthcheck:
+      # prettier-ignore
+      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
+    depends_on:
+      - db
+      - redis
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.mastodon-streaming.entrypoints=websecure
+      - "traefik.http.routers.mastodon-streaming.rule=(Host(`social.pizzapim.nl`) && PathPrefix(`/api/v1/streaming`))"
+      - traefik.http.routers.mastodon-streaming.service=mastodon-streaming
+      - traefik.http.services.mastodon-streaming.loadbalancer.server.port=4000
+      - traefik.docker.network=traefik
+
+  sidekiq:
+    image: tootsuite/mastodon:v3.5.3
+    container_name: mastodon-sidekiq
+    restart: always
+    env_file: .env.production
+    command: bundle exec sidekiq
+    depends_on:
+      - db
+      - redis
+    networks:
+      - default
+    volumes:
+      - {{ data_dir }}/public/system:/mastodon/public/system
+      - {{ service_dir }}/cache:/mastodon/public/system/cache
+    healthcheck:
+      test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/mastodon/vars/main.yml
+++ b/ansible/roles/mastodon/vars/main.yml
@ -0,0 +1,20 @@
+service_name: mastodon
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+
+mastodon_postgres_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34643131323762373635383736636432643161646130373565333432323337646435656233383131
+          3066353734373938353162656335666536323265643162620a663562303636383737393061396331
+          30353538326333393031373736363933666636383866373763303237376561333061323131303062
+          3532316632613062310a343566393237363364613931353062636537663864383839623930383836
+          32613634616335616462336261303632646266326663383166366236643438616538626263343835
+          6539616439636364626466333163316164633631616132623665
+mastodon_redis_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35643365666261333939303162366366393933613034306438323031393763343065613034366331
+          3537383364313562623234363465363937613736616536360a323664306562653337616534313737
+          62343433333033376363386333663632663965373963386432316136376563383763623631326133
+          3430346364303334380a613932336534346437346539623864306233626265336663343565303866
+          33393665633236653536383636616537396432366532366438316135303437313736336536336264
+          3366643332306236376466386630666230366235333662663161
--- a/ansible/roles/prometheus/meta/main.yml
+++ b/ansible/roles/prometheus/meta/main.yml
@ -0,0 +1,3 @@
+dependencies:
+  - role: common
+  - role: docker
--- a/ansible/roles/prometheus/tasks/main.yml
+++ b/ansible/roles/prometheus/tasks/main.yml
@ -0,0 +1,19 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Copy prometheus.yml
+  template:
+    src: "{{ role_path }}/templates/prometheus.yml.j2"
+    dest: "{{ service_dir }}/prometheus.yml"
+  register: config
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+    restarted: "{{ config.changed }}"
--- a/ansible/roles/prometheus/templates/docker-compose.yml.j2
+++ b/ansible/roles/prometheus/templates/docker-compose.yml.j2
@ -0,0 +1,13 @@
+version: "3.8"
+
+services:
+  prometheus:
+    image: prom/prometheus
+    container_name: prometheus
+    restart: always
+    volumes:
+      - "{{ service_dir }}/prometheus.yml:/etc/prometheus/prometheus.yml"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    ports:
+      - "{{ prometheus_port }}:9090"
--- a/ansible/roles/prometheus/templates/prometheus.yml.j2
+++ b/ansible/roles/prometheus/templates/prometheus.yml.j2
@ -0,0 +1,14 @@
+global:
+  scrape_interval:     15s
+
+scrape_configs:
+
+  - job_name: 'prometheus'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['localhost:9090']
+
+  - job_name: 'traefik'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['host.docker.internal:{{ traefik_api_port }}']
--- a/ansible/roles/prometheus/vars/main.yml
+++ b/ansible/roles/prometheus/vars/main.yml
@ -0,0 +1,3 @@
+service_name: prometheus
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/roles/radicale/files/radicale.conf
+++ b/ansible/roles/radicale/files/radicale.conf
@ -0,0 +1,24 @@
+[server]
+hosts = 0.0.0.0:5232, [::]:5232
+ssl = False
+
+[encoding]
+request = utf-8
+stock = utf-8
+
+[auth]
+realm = Radicale - Password Required
+type = htpasswd
+htpasswd_filename = /config/users
+htpasswd_encryption = md5
+
+[rights]
+type = owner_only
+
+[storage]
+type = multifilesystem
+filesystem_folder = /data
+
+[logging]
+
+[headers]
--- a/ansible/roles/radicale/files/users
+++ b/ansible/roles/radicale/files/users
@ -0,0 +1 @@
+pim:$apr1$GUiTihkS$dDCkaUxFx/O86m6NCy/yQ.
--- a/ansible/roles/radicale/meta/main.yml
+++ b/ansible/roles/radicale/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/radicale/tasks/main.yml
+++ b/ansible/roles/radicale/tasks/main.yml
@ -0,0 +1,29 @@
+- name: Create Radicale app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy docker-compose.yml file
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create Radicale config directory
+  file:
+    path: "{{ service_dir }}/config"
+    state: directory
+- name: Copy radicale.conf
+  copy:
+    src: "{{ role_path }}/files/radicale.conf"
+    dest: "{{ service_dir }}/config/config"
+- name: Copy users file
+  copy:
+    src: "{{ role_path }}/files/users"
+    dest: "{{ service_dir }}/config/users"
+- name: Create Radicale data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
--- a/ansible/roles/radicale/templates/docker-compose.yml.j2
+++ b/ansible/roles/radicale/templates/docker-compose.yml.j2
@ -0,0 +1,39 @@
+version: '3.7'
+
+services:
+  radicale:
+    image: tomsquest/docker-radicale
+    container_name: radicale
+    init: true
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+      - KILL
+    healthcheck:
+      test: curl -f http://127.0.0.1:5232 || exit 1
+      interval: 30s
+      retries: 3
+    restart: unless-stopped
+    volumes:
+      - {{ data_dir }}:/data
+      - {{ service_dir }}/config:/config:ro
+    networks:
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.radicale.entrypoints=websecure
+      - traefik.http.routers.radicale.rule=Host(`{{ dav_domain }}`)
+      - traefik.http.routers.radicale.tls=true
+      - traefik.http.routers.radicale.tls.certresolver=letsencrypt
+      - traefik.http.routers.radicale.service=radicale
+      - traefik.http.services.radicale.loadbalancer.server.port=5232
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/radicale/vars/main.yml
+++ b/ansible/roles/radicale/vars/main.yml
@ -0,0 +1,5 @@
+service_name: radicale
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+
+dav_domain: "dav.{{ domain_name_pim }}"
--- a/ansible/roles/seafile/meta/main.yml
+++ b/ansible/roles/seafile/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/seafile/tasks/main.yml
+++ b/ansible/roles/seafile/tasks/main.yml
@ -0,0 +1,17 @@
+- name: Create Seafile app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
--- a/ansible/roles/seafile/templates/docker-compose.yml.j2
+++ b/ansible/roles/seafile/templates/docker-compose.yml.j2
@ -0,0 +1,55 @@
+version: '2.0' 
+services: 
+  db: 
+    image: mariadb:10.5 
+    container_name: seafile-mysql 
+    restart: always 
+    environment: 
+      - MYSQL_ROOT_PASSWORD={{ db_root_passwd }}  # Requested, set the root's password of MySQL service. 
+      - MYSQL_LOG_CONSOLE=true 
+    volumes: 
+      - {{ data_dir }}/db:/var/lib/mysql  # Requested, specifies the path to MySQL data persistent store. 
+    networks: 
+      - default 
+ 
+  memcached: 
+    image: memcached:1.6 
+    container_name: seafile-memcached 
+    restart: always 
+    entrypoint: memcached -m 256 
+    networks: 
+      - default 
+           
+  seafile: 
+    image: seafileltd/seafile-mc:9.0.10 
+    container_name: seafile 
+    restart: always 
+    volumes: 
+      - {{ data_dir }}/data:/shared   # Requested, specifies the path to Seafile data persistent store. 
+    environment: 
+      - DB_HOST=db 
+      - DB_ROOT_PASSWD={{ db_root_passwd }}   # Requested, the value shuold be root's password of MySQL service. 
+      - TIME_ZONE=Europe/Amsterdam 
+      - SEAFILE_ADMIN_EMAIL={{ seafile_admin_email }} # Specifies Seafile admin user, default is 'me@example.com'. 
+      - SEAFILE_ADMIN_PASSWORD={{ seafile_admin_password }}     # Specifies Seafile admin password.
+      - SEAFILE_SERVER_LETSENCRYPT=false   # Whether to use https or not. 
+      - SEAFILE_SERVER_HOSTNAME={{ seafile_domain }} # Specifies your host name if https is enabled. 
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.seafile.entrypoints=websecure
+      - traefik.http.routers.seafile.rule=Host(`files.geokunis2.nl`)
+      - traefik.http.routers.seafile.tls=true
+      - traefik.http.routers.seafile.tls.certresolver=letsencrypt
+      - traefik.http.services.seafile.loadbalancer.server.port=80
+      - traefik.http.routers.seafile.service=seafile
+      - traefik.docker.network=traefik
+    depends_on: 
+      - db 
+      - memcached 
+    networks: 
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/seafile/vars/main.yml
+++ b/ansible/roles/seafile/vars/main.yml
@ -0,0 +1,22 @@
+service_name: seafile
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+
+db_root_passwd: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62376163363033396161363264613836623734623835316439666331356464636633393237313236
+          3731383961393939366165393537663435356166643966650a353132616166353630333733636639
+          63616163346566336461313264326562393964643661613831316233326165623463613865636637
+          6363363331333430320a366661356232393036383765353066623334656133313661636130666238
+          32336561323431303730373262343534326539383932613533623232376330646230363363636135
+          3266336663623037663838643936366437663831356634333930
+seafile_admin_email: niels@kunis.nl
+seafile_admin_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34366163396632343065636232363435633039373236363461383563363162626561653763383438
+          3263393539663030363532353238633262616339343436370a613631323064303637623266653832
+          64323834356664316265376132633863666136316239623862643962366637306238343933386134
+          6237396238383232360a386637303639646136653134643737393735383661626539386134643333
+          35313536323963303734353338636162666236343430623062373464653531353230366238326231
+          6661363038393534373861643261383561386536613337396539
+seafile_domain: files.geokunis2.nl
--- a/ansible/roles/ssh/files/ssh_config
+++ b/ansible/roles/ssh/files/ssh_config
@ -0,0 +1,54 @@
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
+#   Port 22
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+    SendEnv LANG LC_*
+
+#   set HashKnownHosts to no to make known_hosts human readable and reviewable. 
+#    HashKnownHosts yes
+#    GSSAPIAuthentication yes
--- a/ansible/roles/ssh/files/sshd_config
+++ b/ansible/roles/ssh/files/sshd_config
@ -0,0 +1,41 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+HostKeyAlgorithms ssh-ed25519
+CASignatureAlgorithms ssh-ed25519
+HostbasedAcceptedKeyTypes ssh-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+X11Forwarding yes
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp	/usr/lib/openssh/sftp-server
+
--- a/ansible/roles/ssh/meta/main.yml
+++ b/ansible/roles/ssh/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+  - role: common
--- a/ansible/roles/ssh/tasks/main.yml
+++ b/ansible/roles/ssh/tasks/main.yml
@ -0,0 +1,16 @@
+- name: Copy sshd config
+  copy:
+    src: "{{ role_path }}/files/sshd_config"
+    dest: /etc/ssh/sshd_config
+  register: sshd_config
+- name: Copy ssh config
+  copy:
+    src: "{{ role_path }}/files/ssh_config"
+    dest: /etc/ssh/ssh_config
+  register: ssh_config
+- name: Restart SSH service
+  systemd:
+    enabled: true
+    name: sshd
+    state: reloaded
+  when: sshd_config.changed
--- a/ansible/roles/static/files/security.txt
+++ b/ansible/roles/static/files/security.txt
@ -0,0 +1 @@
+testje
--- a/ansible/roles/static/meta/main.yml
+++ b/ansible/roles/static/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik
--- a/ansible/roles/static/tasks/main.yml
+++ b/ansible/roles/static/tasks/main.yml
@ -0,0 +1,38 @@
+- name: Create service directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Clone git repo
+  git:
+    repo: "{{ git_origin }}"
+    dest: "{{ service_dir }}/git"
+  register: repo
+- name: Add open permissions for git repo
+  file:
+    path: "{{ service_dir }}/git"
+    state: directory
+    mode: 0757
+- name: Generate static files
+  command:
+    cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
+    chdir: "{{ service_dir }}"
+  when: repo.changed
+- name: Copy security.txt
+  copy:
+    src: "{{ role_path }}/files/security.txt"
+    dest: "{{ service_dir }}/security.txt"
+- name: Copy docker compose file
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Copy nginx config
+  template:
+    src: "{{ role_path }}/templates/nginx.conf.j2"
+    dest: "{{ service_dir }}/nginx.conf"
+  register: nginx_conf
+- name: Start docker compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+    restarted: "{{ nginx_conf.changed }}"
--- a/ansible/roles/static/templates/docker-compose.yml.j2
+++ b/ansible/roles/static/templates/docker-compose.yml.j2
@ -0,0 +1,26 @@
+version: "3.8"
+
+services:
+  blog:
+    image: nginx
+    container_name: blog
+    restart: always
+    volumes:
+      - {{ service_dir }}/git/templates:/etc/nginx/templates
+      - {{ service_dir }}/git/_site:/var/www/blog
+      - {{ service_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf
+      - {{ service_dir }}/security.txt:/var/www/blog/security.txt
+    networks:
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.blog.entrypoints=websecure
+      - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))"
+      - traefik.http.routers.blog.tls=true
+      - traefik.http.routers.blog.tls.certresolver=letsencrypt
+      - traefik.http.routers.blog.service=blog
+      - traefik.http.services.blog.loadbalancer.server.port=80
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/static/templates/nginx.conf.j2
+++ b/ansible/roles/static/templates/nginx.conf.j2
@ -0,0 +1,43 @@
+server {
+	listen 80 default_server;
+
+	location /security.txt {
+		return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
+	}
+
+	location /.well-known/security.txt {
+		return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
+	}
+}
+
+server {
+	listen 80;
+	server_name {{ domain_name_pim }};
+	index index.html index.htm;
+	root /var/www/blog;
+
+	location /security.txt {
+		return 301 https://$host/.well-known/security.txt;
+	}
+
+	location /.well-known/security.txt {
+		add_header Content-Type 'text/plain';
+		add_header Cache-Control 'no-cache, no-store, must-revalidate';
+		add_header Pragma 'no-cache';
+		add_header Expires '0';
+		add_header Vary '*';
+		return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
+	}
+
+	location / {
+	    try_files $uri $uri/ /index.html;
+	}
+
+	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+	    expires 30d;
+	    add_header Pragma public;
+	    add_header Cache-Control "public";
+	}
+
+	error_page 404 /404.html;
+}
--- a/ansible/roles/static/vars/main.yml
+++ b/ansible/roles/static/vars/main.yml
@ -0,0 +1,3 @@
+service_name: static
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+git_origin: "http://git.pim.kunis.nl/pim/static.git"
--- a/ansible/roles/syncthing/files/cert.pem
+++ b/ansible/roles/syncthing/files/cert.pem
@ -0,0 +1,45 @@
+$ANSIBLE_VAULT;1.1;AES256
+37326262373466303939623263623234616338316165316466656131326339306233303834396263
+3139663539356264323038306635363934363364653437350a666438396563643339353765306131
+39653434373966346166323938666364323562313334323262643666373463623536363635643163
+3430353230326634320a643532663765663632623031313463653765643134313538633131613663
+64393533636138323833343630363639656539376163353239313231646662316532666631623734
+31343364393363623164336339303631366162376131613736636131396165663835653433303134
+62323265633039633865326366613366653435653261633662613737353463633663383635303562
+39303933343139363132393035336332363438656333646136333330326533623763393263663563
+36343038393264383639346436316134386531383338386461363538613135663863363434623339
+31373236353337653838396333643638343232653066313662393165343062396137326630646430
+31646566356565386532626433383163643635643930326164353766323263616665636435323339
+38373837393035343737356134373831303831316464666637333231343434316632316464356564
+31613464633761306330303637386230333430396665383262333530336137336236623838326333
+30393861666439623536336231616563303764646563393065353432313965343330633463313564
+66373539373265353765636438393633613839393830366135323139666533393165653736666335
+35303736623534653635343636383662316134376332393239633262363939396263363264616637
+35396261346264373930396462393638316335363833333132393061633337626331323439363131
+39306264386133316137633039366638356130616438373433333635666231366136613363626133
+31316230336534616430633232623430666234643836636338613730356335623434373433643935
+62623266313834353163623439616533623135396134346164373363643364373939396163363837
+36313432393965653664633231393564323936323933313565323337346333313233396666626361
+65383031326630313263343862653063613839373131643265656237623232663761383665333939
+33376531623665653037333563333034363363333435343439663761633734616461353961323434
+66643833353539623265616262383265396237636631346433386638643436383230333438653462
+37383235316634353262316436653163316164356261353663663565396630613434396231353538
+38633330326266303838346365663839646163623264633934363938666234393131356138656439
+31333161643136633836343262326136393964393635623634316532393837376162383835303435
+30643339356434386264643163316165396534373064346334636132316230346437363665636563
+38333835306666626637386562306433373031366136616635623765393630383939353335393930
+61663832383239643363626137343661366436653864643339316537383738323335333866633537
+39316339383239323131653232633833363536313431643364313937633037336564386339383433
+38303939303835386263633430383061336436383062663462353762376666613530313663623261
+66616266373136326433363338303365653230663763636630353034383832633239383932616365
+37373236396631623866656330623632313538326330626363316262653566383633666531383738
+34353830373137343236343765393665356534356238353861326165303939363236626130626363
+64623164383866393630656232373164343163363433643835396236363132346235356134613564
+66383364623962316564373564363631356234386535653465633864313365396438356235313163
+35633366663836666337653537336334353935323364306635383238373664613530353365323366
+31373831383336336237633064313938393637636231356165656631386132313734333439643733
+62666435363535303530323866623139653138643831623838316432366539316236306133393764
+63386133333832356365396137623332643539633236343762353138386434303632373932336139
+39396364653864316435356434383761306238633164643939363864356362633135623438363861
+64626339663931383133383862313031383638653266306539643061316238616266656136656530
+63666239303034396133
--- a/ansible/roles/syncthing/files/key.pem
+++ b/ansible/roles/syncthing/files/key.pem
@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+31373963666334633437386361353532396162653439373964333935643065383836383537336238
+3065306235363835343330393366326630383163633664300a653635653932663566376165623030
+33666262643032383764343134326439363536353439363134353432373263316164373139633838
+6336363735333862360a386235366434656336333762343330633030613437626262353934636163
+38376431343934373637343631373962653262613766393561383631303563383935616630663833
+62363533616235303834376233663033373531666632313237303661653265613061373131646266
+31643839386134383934623632336538386462626261613039306432366564616162366435363331
+34663464386630373134346264386334376334336363623137363831326338323234373662653932
+33373331663065336230313731303139653036646261643535393662633165356632306536393530
+30363066373064353936313461663235386465323734636263323063333365633066633736336436
+38623966353634356636343833653131646131633536383339663433306130386461303735323632
+64646465373533306266353932653561623363396137383532373734653462346239646562353136
+64313539383566663939663734333565643637376239383337363066373639613934303633343762
+37646565666635363231396139326536356533343065333731656363613731333136636561376430
+35356432373537363034653231636465303135363534323766333530353433663462653837643162
+39616664636464343435643039646362336634333561356438386262653231323033343662383138
+66633534336232663438666632373966613335396639383836666333656235376339343538313838
+39356165323361386535306664643537363764393365363639366637343332306537653962396339
+323030323036393662646636303330666561
--- a/ansible/roles/syncthing/meta/main.yml
+++ b/ansible/roles/syncthing/meta/main.yml
@ -0,0 +1,3 @@
+dependencies:
+  - role: common
+  - role: docker
--- a/ansible/roles/syncthing/tasks/main.yml
+++ b/ansible/roles/syncthing/tasks/main.yml
@ -0,0 +1,34 @@
+- name: Create Syncthing app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Create Syncthing configuration directory
+  file:
+    path: "{{ service_dir }}/config"
+    state: directory
+- name: Copy Syncthing private key
+  copy:
+    src: "{{ role_path }}/files/key.pem"
+    dest: "{{ service_dir }}/config/key.pem"
+- name: Copy Syncthing certificate
+  copy:
+    src: "{{ role_path }}/files/cert.pem"
+    dest: "{{ service_dir }}/config/cert.pem"
+- name: Copy Syncthing configuration
+  template:
+    src: "{{ role_path }}/templates/config.xml.j2"
+    dest: "{{ service_dir }}/config/config.xml"
+- name: Create Syncthing data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+    mode: 0777
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
--- a/ansible/roles/syncthing/templates/config.xml.j2
+++ b/ansible/roles/syncthing/templates/config.xml.j2
@ -0,0 +1,339 @@
+<configuration version="37">
+    <folder id="6pgsm-opvsv" label="Sync" path="/data/sync" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+        <filesystemType>basic</filesystemType>
+        <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <minDiskFree unit="%">1</minDiskFree>
+        <versioning>
+            <cleanupIntervalS>3600</cleanupIntervalS>
+            <fsPath></fsPath>
+            <fsType>basic</fsType>
+        </versioning>
+        <copiers>0</copiers>
+        <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+        <hashers>0</hashers>
+        <order>random</order>
+        <ignoreDelete>false</ignoreDelete>
+        <scanProgressIntervalS>0</scanProgressIntervalS>
+        <pullerPauseS>0</pullerPauseS>
+        <maxConflicts>10</maxConflicts>
+        <disableSparseFiles>false</disableSparseFiles>
+        <disableTempIndexes>false</disableTempIndexes>
+        <paused>false</paused>
+        <weakHashThresholdPct>25</weakHashThresholdPct>
+        <markerName>.stfolder</markerName>
+        <copyOwnershipFromParent>false</copyOwnershipFromParent>
+        <modTimeWindowS>0</modTimeWindowS>
+        <maxConcurrentWrites>2</maxConcurrentWrites>
+        <disableFsync>false</disableFsync>
+        <blockPullOrder>standard</blockPullOrder>
+        <copyRangeMethod>standard</copyRangeMethod>
+        <caseSensitiveFS>false</caseSensitiveFS>
+        <junctionsAsDirs>false</junctionsAsDirs>
+        <syncOwnership>false</syncOwnership>
+        <sendOwnership>false</sendOwnership>
+        <syncXattrs>false</syncXattrs>
+        <sendXattrs>false</sendXattrs>
+        <xattrFilter>
+            <maxSingleEntrySize>1024</maxSingleEntrySize>
+            <maxTotalSize>4096</maxTotalSize>
+        </xattrFilter>
+    </folder>
+    <folder id="gfx9s-zaxrt" label="Music" path="/data/music" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+        <filesystemType>basic</filesystemType>
+        <device id="B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <minDiskFree unit="%">1</minDiskFree>
+        <versioning>
+            <cleanupIntervalS>3600</cleanupIntervalS>
+            <fsPath></fsPath>
+            <fsType>basic</fsType>
+        </versioning>
+        <copiers>0</copiers>
+        <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+        <hashers>0</hashers>
+        <order>random</order>
+        <ignoreDelete>false</ignoreDelete>
+        <scanProgressIntervalS>0</scanProgressIntervalS>
+        <pullerPauseS>0</pullerPauseS>
+        <maxConflicts>10</maxConflicts>
+        <disableSparseFiles>false</disableSparseFiles>
+        <disableTempIndexes>false</disableTempIndexes>
+        <paused>false</paused>
+        <weakHashThresholdPct>25</weakHashThresholdPct>
+        <markerName>.stfolder</markerName>
+        <copyOwnershipFromParent>false</copyOwnershipFromParent>
+        <modTimeWindowS>0</modTimeWindowS>
+        <maxConcurrentWrites>2</maxConcurrentWrites>
+        <disableFsync>false</disableFsync>
+        <blockPullOrder>standard</blockPullOrder>
+        <copyRangeMethod>standard</copyRangeMethod>
+        <caseSensitiveFS>false</caseSensitiveFS>
+        <junctionsAsDirs>false</junctionsAsDirs>
+        <syncOwnership>false</syncOwnership>
+        <sendOwnership>false</sendOwnership>
+        <syncXattrs>false</syncXattrs>
+        <sendXattrs>false</sendXattrs>
+        <xattrFilter>
+            <maxSingleEntrySize>1024</maxSingleEntrySize>
+            <maxTotalSize>4096</maxTotalSize>
+        </xattrFilter>
+    </folder>
+    <folder id="sjpmp-qavt4" label="Uni" path="/data/uni" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+        <filesystemType>basic</filesystemType>
+        <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <minDiskFree unit="%">1</minDiskFree>
+        <versioning>
+            <cleanupIntervalS>3600</cleanupIntervalS>
+            <fsPath></fsPath>
+            <fsType>basic</fsType>
+        </versioning>
+        <copiers>0</copiers>
+        <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+        <hashers>0</hashers>
+        <order>random</order>
+        <ignoreDelete>false</ignoreDelete>
+        <scanProgressIntervalS>0</scanProgressIntervalS>
+        <pullerPauseS>0</pullerPauseS>
+        <maxConflicts>10</maxConflicts>
+        <disableSparseFiles>false</disableSparseFiles>
+        <disableTempIndexes>false</disableTempIndexes>
+        <paused>false</paused>
+        <weakHashThresholdPct>25</weakHashThresholdPct>
+        <markerName>.stfolder</markerName>
+        <copyOwnershipFromParent>false</copyOwnershipFromParent>
+        <modTimeWindowS>0</modTimeWindowS>
+        <maxConcurrentWrites>2</maxConcurrentWrites>
+        <disableFsync>false</disableFsync>
+        <blockPullOrder>standard</blockPullOrder>
+        <copyRangeMethod>standard</copyRangeMethod>
+        <caseSensitiveFS>false</caseSensitiveFS>
+        <junctionsAsDirs>false</junctionsAsDirs>
+        <syncOwnership>false</syncOwnership>
+        <sendOwnership>false</sendOwnership>
+        <syncXattrs>false</syncXattrs>
+        <sendXattrs>false</sendXattrs>
+        <xattrFilter>
+            <maxSingleEntrySize>1024</maxSingleEntrySize>
+            <maxTotalSize>4096</maxTotalSize>
+        </xattrFilter>
+    </folder>
+    <folder id="tj35a-felne" label="Keepass" path="/data/keepass" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+        <filesystemType>basic</filesystemType>
+        <device id="B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <minDiskFree unit="%">1</minDiskFree>
+        <versioning>
+            <cleanupIntervalS>3600</cleanupIntervalS>
+            <fsPath></fsPath>
+            <fsType>basic</fsType>
+        </versioning>
+        <copiers>0</copiers>
+        <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+        <hashers>0</hashers>
+        <order>random</order>
+        <ignoreDelete>false</ignoreDelete>
+        <scanProgressIntervalS>0</scanProgressIntervalS>
+        <pullerPauseS>0</pullerPauseS>
+        <maxConflicts>10</maxConflicts>
+        <disableSparseFiles>false</disableSparseFiles>
+        <disableTempIndexes>false</disableTempIndexes>
+        <paused>false</paused>
+        <weakHashThresholdPct>25</weakHashThresholdPct>
+        <markerName>.stfolder</markerName>
+        <copyOwnershipFromParent>false</copyOwnershipFromParent>
+        <modTimeWindowS>0</modTimeWindowS>
+        <maxConcurrentWrites>2</maxConcurrentWrites>
+        <disableFsync>false</disableFsync>
+        <blockPullOrder>standard</blockPullOrder>
+        <copyRangeMethod>standard</copyRangeMethod>
+        <caseSensitiveFS>false</caseSensitiveFS>
+        <junctionsAsDirs>false</junctionsAsDirs>
+        <syncOwnership>false</syncOwnership>
+        <sendOwnership>false</sendOwnership>
+        <syncXattrs>false</syncXattrs>
+        <sendXattrs>false</sendXattrs>
+        <xattrFilter>
+            <maxSingleEntrySize>1024</maxSingleEntrySize>
+            <maxTotalSize>4096</maxTotalSize>
+        </xattrFilter>
+    </folder>
+    <device id="B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" name="Smartphone" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+        <address>dynamic</address>
+        <paused>false</paused>
+        <autoAcceptFolders>false</autoAcceptFolders>
+        <maxSendKbps>0</maxSendKbps>
+        <maxRecvKbps>0</maxRecvKbps>
+        <maxRequestKiB>0</maxRequestKiB>
+        <untrusted>false</untrusted>
+        <remoteGUIPort>0</remoteGUIPort>
+    </device>
+    <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" name="max" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+        <address>dynamic</address>
+        <paused>false</paused>
+        <autoAcceptFolders>false</autoAcceptFolders>
+        <maxSendKbps>0</maxSendKbps>
+        <maxRecvKbps>0</maxRecvKbps>
+        <maxRequestKiB>0</maxRequestKiB>
+        <untrusted>false</untrusted>
+        <remoteGUIPort>0</remoteGUIPort>
+    </device>
+    <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" name="Laptop" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+        <address>dynamic</address>
+        <paused>false</paused>
+        <autoAcceptFolders>false</autoAcceptFolders>
+        <maxSendKbps>0</maxSendKbps>
+        <maxRecvKbps>0</maxRecvKbps>
+        <maxRequestKiB>0</maxRequestKiB>
+        <untrusted>false</untrusted>
+        <remoteGUIPort>0</remoteGUIPort>
+    </device>
+    <device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" name="OS3" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+        <address>dynamic</address>
+        <paused>false</paused>
+        <autoAcceptFolders>false</autoAcceptFolders>
+        <maxSendKbps>0</maxSendKbps>
+        <maxRecvKbps>0</maxRecvKbps>
+        <maxRequestKiB>0</maxRequestKiB>
+        <untrusted>false</untrusted>
+        <remoteGUIPort>0</remoteGUIPort>
+    </device>
+    <gui enabled="true" tls="false" debugging="false">
+        <address>0.0.0.0:8384</address>
+        <apikey>{{ syncthing.apikey }}</apikey>
+        <theme>light</theme>
+    </gui>
+    <ldap></ldap>
+    <options>
+        <listenAddress>default</listenAddress>
+        <globalAnnounceServer>default</globalAnnounceServer>
+        <globalAnnounceEnabled>true</globalAnnounceEnabled>
+        <localAnnounceEnabled>true</localAnnounceEnabled>
+        <localAnnouncePort>21027</localAnnouncePort>
+        <localAnnounceMCAddr>[ff12::8384]:21027</localAnnounceMCAddr>
+        <maxSendKbps>0</maxSendKbps>
+        <maxRecvKbps>0</maxRecvKbps>
+        <reconnectionIntervalS>60</reconnectionIntervalS>
+        <relaysEnabled>true</relaysEnabled>
+        <relayReconnectIntervalM>10</relayReconnectIntervalM>
+        <startBrowser>true</startBrowser>
+        <natEnabled>true</natEnabled>
+        <natLeaseMinutes>60</natLeaseMinutes>
+        <natRenewalMinutes>30</natRenewalMinutes>
+        <natTimeoutSeconds>10</natTimeoutSeconds>
+        <urAccepted>-1</urAccepted>
+        <urSeen>3</urSeen>
+        <urUniqueID></urUniqueID>
+        <urURL>https://data.syncthing.net/newdata</urURL>
+        <urPostInsecurely>false</urPostInsecurely>
+        <urInitialDelayS>1800</urInitialDelayS>
+        <autoUpgradeIntervalH>12</autoUpgradeIntervalH>
+        <upgradeToPreReleases>false</upgradeToPreReleases>
+        <keepTemporariesH>24</keepTemporariesH>
+        <cacheIgnoredFiles>false</cacheIgnoredFiles>
+        <progressUpdateIntervalS>5</progressUpdateIntervalS>
+        <limitBandwidthInLan>false</limitBandwidthInLan>
+        <minHomeDiskFree unit="%">1</minHomeDiskFree>
+        <releasesURL>https://upgrades.syncthing.net/meta.json</releasesURL>
+        <overwriteRemoteDeviceNamesOnConnect>false</overwriteRemoteDeviceNamesOnConnect>
+        <tempIndexMinBlocks>10</tempIndexMinBlocks>
+        <trafficClass>0</trafficClass>
+        <setLowPriority>true</setLowPriority>
+        <maxFolderConcurrency>0</maxFolderConcurrency>
+        <crashReportingURL>https://crash.syncthing.net/newcrash</crashReportingURL>
+        <crashReportingEnabled>true</crashReportingEnabled>
+        <stunKeepaliveStartS>180</stunKeepaliveStartS>
+        <stunKeepaliveMinS>20</stunKeepaliveMinS>
+        <stunServer>default</stunServer>
+        <databaseTuning>auto</databaseTuning>
+        <maxConcurrentIncomingRequestKiB>0</maxConcurrentIncomingRequestKiB>
+        <announceLANAddresses>true</announceLANAddresses>
+        <sendFullIndexOnUpgrade>false</sendFullIndexOnUpgrade>
+        <connectionLimitEnough>0</connectionLimitEnough>
+        <connectionLimitMax>0</connectionLimitMax>
+        <insecureAllowOldTLSVersions>false</insecureAllowOldTLSVersions>
+    </options>
+    <defaults>
+        <folder id="" label="" path="~" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+            <filesystemType>basic</filesystemType>
+            <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
+                <encryptionPassword></encryptionPassword>
+            </device>
+            <minDiskFree unit="%">1</minDiskFree>
+            <versioning>
+                <cleanupIntervalS>3600</cleanupIntervalS>
+                <fsPath></fsPath>
+                <fsType>basic</fsType>
+            </versioning>
+            <copiers>0</copiers>
+            <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+            <hashers>0</hashers>
+            <order>random</order>
+            <ignoreDelete>false</ignoreDelete>
+            <scanProgressIntervalS>0</scanProgressIntervalS>
+            <pullerPauseS>0</pullerPauseS>
+            <maxConflicts>10</maxConflicts>
+            <disableSparseFiles>false</disableSparseFiles>
+            <disableTempIndexes>false</disableTempIndexes>
+            <paused>false</paused>
+            <weakHashThresholdPct>25</weakHashThresholdPct>
+            <markerName>.stfolder</markerName>
+            <copyOwnershipFromParent>false</copyOwnershipFromParent>
+            <modTimeWindowS>0</modTimeWindowS>
+            <maxConcurrentWrites>2</maxConcurrentWrites>
+            <disableFsync>false</disableFsync>
+            <blockPullOrder>standard</blockPullOrder>
+            <copyRangeMethod>standard</copyRangeMethod>
+            <caseSensitiveFS>false</caseSensitiveFS>
+            <junctionsAsDirs>false</junctionsAsDirs>
+            <syncOwnership>false</syncOwnership>
+            <sendOwnership>false</sendOwnership>
+            <syncXattrs>false</syncXattrs>
+            <sendXattrs>false</sendXattrs>
+            <xattrFilter>
+                <maxSingleEntrySize>1024</maxSingleEntrySize>
+                <maxTotalSize>4096</maxTotalSize>
+            </xattrFilter>
+        </folder>
+        <device id="" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+            <address>dynamic</address>
+            <paused>false</paused>
+            <autoAcceptFolders>false</autoAcceptFolders>
+            <maxSendKbps>0</maxSendKbps>
+            <maxRecvKbps>0</maxRecvKbps>
+            <maxRequestKiB>0</maxRequestKiB>
+            <untrusted>false</untrusted>
+            <remoteGUIPort>0</remoteGUIPort>
+        </device>
+        <ignores></ignores>
+    </defaults>
+</configuration>
--- a/ansible/roles/syncthing/templates/docker-compose.yml.j2
+++ b/ansible/roles/syncthing/templates/docker-compose.yml.j2
@ -0,0 +1,22 @@
+---
+version: "2.1"
+services:
+  syncthing:
+    image: lscr.io/linuxserver/syncthing:latest
+    container_name: syncthing
+    labels:
+      - "com.centurylinklabs.watchtower.enable=false"
+    hostname: syncthing
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Amsterdam
+    volumes:
+      - {{ service_dir }}/config:/config
+      - {{ data_dir }}:/data
+    ports:
+      - 8384:8384
+      - 22000:22000/tcp
+      - 22000:22000/udp
+      - 21027:21027/udp
+    restart: unless-stopped
--- a/ansible/roles/syncthing/vars/main.yml
+++ b/ansible/roles/syncthing/vars/main.yml
@ -0,0 +1,13 @@
+service_name: syncthing
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+
+syncthing:
+  apikey: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30323136343566306566323232343538306565653135303536363234636365383234366332316339
+          6363383637653032643637373662383331633933633765340a366538616134613365653261353861
+          34326533633239353339326636303762306639653839386535316639643762636239633732386165
+          3932636432643631340a633831663833323633623461646131356566383539613835613738656633
+          32336138363032613833613736333739613762343833383563633337626361363566353066636536
+          6434333037653732626537363938613463333863336134313664
--- a/ansible/roles/traefik/files/services.toml
+++ b/ansible/roles/traefik/files/services.toml
@ -0,0 +1,6 @@
+[http]
+  [http.services]
+    [http.services.esrom]
+      [http.services.esrom.loadBalancer]
+        [[http.services.esrom.loadBalancer.servers]]
+          url = "http://esrom.dmz:80/"
--- a/ansible/roles/traefik/meta/main.yml
+++ b/ansible/roles/traefik/meta/main.yml
@ -0,0 +1,3 @@
+dependencies:
+  - role: common
+  - role: docker
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@ -0,0 +1,33 @@
+- name: Create traefik app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Create acme file
+  copy:
+    content: ""
+    dest: "{{ service_dir }}/acme.json"
+    force: no
+    mode: 0600
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Copy traefik.toml
+  template:
+    src: "{{ role_path }}/templates/traefik.toml.j2"
+    dest: "{{ service_dir }}/traefik.toml"
+  register: traefik
+- name: Copy services.toml
+  copy:
+    src: "{{ role_path }}/files/services.toml"
+    dest: "{{ service_dir }}/services.toml"
+  register: services
+- name: Create traefik network
+  docker_network:
+    name: "traefik"
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+    restarted: "{{ traefik.changed or services.changed }}"
--- a/ansible/roles/traefik/templates/docker-compose.yml.j2
+++ b/ansible/roles/traefik/templates/docker-compose.yml.j2
@ -0,0 +1,35 @@
+version: '3'
+
+networks:
+  traefik:
+    external: true
+
+services:
+  reverse-proxy:
+    restart: always
+    image: traefik:v2.9
+    container_name: traefik
+    ports:
+      - "443:443"
+      - "80:80"
+      - "{{ git_ssh_port }}:{{ git_ssh_port }}"
+      - "{{ traefik_api_port }}:{{ traefik_api_port }}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
+      - {{ service_dir }}/services.toml:/etc/traefik/services.toml
+      - {{ service_dir }}/acme.json:/acme.json
+    networks:
+      - traefik
+    labels:
+      - traefik.enable=true
+
+      - traefik.http.routers.esrom.entrypoints=websecure
+      - traefik.http.routers.esrom.service=esrom@file
+      - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
+      - traefik.http.routers.esrom.tls=true
+      - traefik.http.routers.esrom.tls.certresolver=letsencrypt
+
+      - traefik.http.routers.traefik.rule=Host(`max.dmz`)
+      - traefik.http.routers.traefik.entrypoints=internal
+      - traefik.http.routers.traefik.service=api@internal
--- a/ansible/roles/traefik/templates/traefik.toml.j2
+++ b/ansible/roles/traefik/templates/traefik.toml.j2
@ -0,0 +1,38 @@
+loglevel = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+  address = ":80"
+  [entryPoints.web.http.redirections.entryPoint]
+    to = "websecure"
+    scheme = "https"
+    permanent = true
+  [entryPoints.websecure]
+    address = ":443"
+  [entryPoints.ssh]
+    address = ":{{ git_ssh_port }}"
+  [entryPoints.video]
+    address = ":{{ jitsi_videobridge_port }}/udp"
+  [entryPoints.internal]
+    address = ":{{ traefik_api_port }}"
+
+[api]
+  insecure = false
+  dashboard = true
+
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "internal"
+
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+  exposedByDefault = false
+
+[providers.file]
+  filename = "/etc/traefik/services.toml"
+
+[certificatesResolvers.letsencrypt.acme]
+  email = "pim@kunis.nl"
+  storage = "acme.json"
+  [certificatesResolvers.letsencrypt.acme.httpChallenge]
+    entryPoint = "web"
--- a/ansible/roles/traefik/vars/main.yml
+++ b/ansible/roles/traefik/vars/main.yml
@ -0,0 +1,2 @@
+service_name: traefik
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/roles/watchtower/files/docker-compose.yml
+++ b/ansible/roles/watchtower/files/docker-compose.yml
@ -0,0 +1,8 @@
+version: "3"
+services:
+  watchtower:
+    image: containrrr/watchtower
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message
+    restart: always
--- a/ansible/roles/watchtower/meta/main.yml
+++ b/ansible/roles/watchtower/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  
--- a/ansible/roles/watchtower/tasks/main.yml
+++ b/ansible/roles/watchtower/tasks/main.yml
@ -0,0 +1,14 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+
--- a/ansible/roles/watchtower/vars/main.yml
+++ b/ansible/roles/watchtower/vars/main.yml
@ -0,0 +1,2 @@
+service_name: watchtower
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/util/secret-service-client.sh
+++ b/ansible/util/secret-service-client.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault homeservers`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+	read -s pass
+fi
+echo $pass