remove data volume

closes #25

.gitignore

@@ -1 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend
+
 .vault_password

Makefile

@@ -1,8 +0,0 @@
-all:
-	ansible-playbook playbooks/all.yml
-
-backup:
-	ansible-playbook playbooks/backup.yml
-	
-%:
-	ansible-playbook playbooks/all.yml --tags "$@"

README.md

@@ -1,54 +1,23 @@
-# Homeservers
+# Max
 
-This repository contains Ansible scripts to setup our home servers.
+Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible.
-The `common` role executes some common OS tasks.
-The `docker` role installs Docker.
-The other roles are specifically for the various services we run.
 
 ## Running services
 
-All services below are running under Docker, except NSD and Borg.
+All services below are implemented using Docker:
 
-- Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl)
 - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/)
-- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl))
+- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl))
-- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl))
+- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl))
 - File sychronisation using [Syncthing](https://syncthing.net/)
 - Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl))
-- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl))
+- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl))
 - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd)
 - Cloud file storage using [Seafile](https://www.seafile.com)
-- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org)
+- Disposable mail server using [Inbucket](https://inbucket.org)
+- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl)
 - Jitsi Meet (https://meet.jit.si)
-- Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/)
 - RSS feed reader using [FreshRSS](https://miniflux.app/)
-
+- Metrics using [Prometheus](https://prometheus.io/)
-## Possible future services
+- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl))
-
+- Markdown editor using [Hedgedoc](https://hedgedoc.org/)
-- matrix
-- peertube?
-- Pixelfed?
-- Prometheus
-- Concourse CI?
-
-## TODO
-
-- Clear view of what services + which versions we are running. This way, we can track security updates better.
-- Delegate pim.kunis.nl to my server
-- Host tobb website?
-- Move from Ubuntu to Debian
-
-### NSD
-
-#### ZSK Rollover
-
-Could make automatic key rollovers with cron or some other tool.
-
-#### Idempotency
-
-Currently I always resign zones.
-But for idempotency I should probably only do it if the zone has changed or the keys have changed.
-
-### Firewall
-
-A little more difficult because of docker networking but probably doable.

ansible.cfg

@@ -1,5 +0,0 @@
-[defaults]
-# (pathspec) Colon separated paths in which Ansible will search for Roles.
-roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
-vault_password_file=./.vault_password
-inventory=inventory

ansible/ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+
+[diff]
+always = True

ansible/inventory/host_vars/max.yml

@@ -0,0 +1,15 @@
+base_data_dir: /mnt/data
+base_service_dir: /srv
+domain_name_pim: pim.kunis.nl
+
+# Additional open ports
+jitsi_videobridge_port: 54562
+git_ssh_port: 56287
+prometheus_port: 8081
+traefik_api_port: 8080
+internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
+
+docker_daemon_config:
+  default-address-pools:
+  - base: "10.204.0.0/16"
+    size: 24

ansible/inventory/hosts.yml

@@ -0,0 +1,5 @@
+all:
+  hosts:
+    max:
+      ansible_user: root
+      ansible_host: max.dmz

ansible/max.yml

@@ -0,0 +1,36 @@
+- name: Wait for servers to come up
+  hosts: max
+  gather_facts: no
+  roles:
+    - 'cloudinit-wait'
+
+- name: Start services
+  hosts: max
+  pre_tasks:
+  - name: Create base service directory
+    file:
+      path: "{{ base_service_dir }}"
+      state: directory
+  - name: Delete externally managed environment file
+    shell:
+      cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+    register: rm
+    changed_when: "rm.rc == 0"
+    failed_when: "false"
+  roles:
+    - {role: 'setup-apt', tags: 'setup-apt'}
+    - {role: 'watchtower', tags: 'watchtower'}
+    - {role: 'forgejo', tags: 'forgejo'}
+    - {role: 'syncthing', tags: 'syncthing'}
+    - {role: 'kms', tags: 'kms'}
+    - {role: 'cyberchef', tags: 'cyberchef'}
+    - {role: 'radicale', tags: 'radicale'}
+    - {role: 'mastodon', tags: 'mastodon'}
+    - {role: 'seafile', tags: 'seafile'}
+    - {role: 'jitsi', tags: 'jitsi'}
+    - {role: 'freshrss', tags: 'freshrss'}
+    - {role: 'static', tags: 'static'}
+    - {role: 'inbucket', tags: 'inbucket'}
+    - {role: 'prometheus', tags: 'prometheus'}
+    - {role: 'overleaf', tags: 'overleaf'}
+    - {role: 'hedgedoc', tags: 'hedgedoc'}

ansible/requirements.yml

@@ -0,0 +1,9 @@
+- name: setup-apt
+  src: https://github.com/sunscrapers/ansible-role-apt.git
+  scm: git
+- name: cloudinit-wait
+  src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
+  scm: git
+- name: docker
+  src: https://git.pim.kunis.nl/pim/ansible-role-docker
+  scm: git

ansible/roles/cyberchef/files/docker-compose.yml

@@ -0,0 +1,22 @@
+version: "3.7"
+
+services:
+   cyberchef-server:
+      image: mpepping/cyberchef
+      container_name: cyberchef
+      restart: always
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.cyberchef.entrypoints=websecure
+        - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
+        - traefik.http.routers.cyberchef.tls=true
+        - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
+        - traefik.http.services.cyberchef.loadbalancer.server.port=8000
+        - traefik.http.routers.cyberchef.service=cyberchef
+        - traefik.docker.network=traefik
+      networks: 
+        - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/cyberchef/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/cyberchef/tasks/main.yml

@@ -0,0 +1,13 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true

ansible/roles/cyberchef/vars/main.yml

@@ -1,2 +1,2 @@
-service_name: borg
+service_name: cyberchef
 service_dir: "{{ base_service_dir }}/{{ service_name }}"

ansible/roles/forgejo/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/forgejo/templates/app.ini.j2

@@ -4,6 +4,7 @@ RUN_USER = git
 
 [repository]
 ROOT = /data/git/repositories
+DEFAULT_BRANCH = master
 
 [repository.local]
 LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
@@ -13,8 +14,8 @@ TEMP_PATH = /data/gitea/uploads
 
 [server]
 APP_DATA_PATH    = /data/gitea
-DOMAIN           = git.pizzapim.nl
+DOMAIN           = {{ git_domain }}
-SSH_DOMAIN       = git.pizzapim.nl
+SSH_DOMAIN       = {{ git_domain }}
 HTTP_PORT        = 3000
 ROOT_URL         = {{ forgejo.root_url }}
 DISABLE_SSH      = false
@@ -38,6 +39,7 @@ CHARSET  = utf8
 
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+ISSUE_INDEXER_TYPE = db
 
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions

ansible/roles/forgejo/templates/docker-compose.yml.j2

@@ -14,17 +14,20 @@ services:
     restart: always
     networks:
       - traefik
+    ports:
+      - "{{ internal_forgejo_port }}:3000"
     volumes:
       - {{ data_dir }}:/data
       - {{ service_dir }}/conf:/data/gitea/conf
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     labels:
+      - traefik.enable=true
       - traefik.http.routers.forgejo.entrypoints=websecure
-      - traefik.http.routers.forgejo.rule=Host(`git.pizzapim.nl`)
+      - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
       - traefik.http.routers.forgejo.tls=true
-      - traefik.http.routers.forgejo.tls.certresolver=pizzapim
+      - traefik.http.routers.forgejo.tls.certresolver=letsencrypt
-      - traefik.tcp.routers.forgejo.service=forgejo
+      - traefik.http.routers.forgejo.service=forgejo
       - traefik.http.services.forgejo.loadbalancer.server.port=3000
 
       - traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)

ansible/roles/forgejo/vars/main.yml

@@ -1,9 +1,10 @@
 service_name: forgejo
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
+git_domain: "git.{{ domain_name_pim }}"
 
 forgejo:
-  root_url: "https://git.pizzapim.nl"
+  root_url: "https://{{ git_domain }}"
   mailer_host: "smtp.tweak.nl"
   mailer_from: "git@kunis.nl"
   lfs_jwt_secret: !vault |

ansible/roles/freshrss/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/freshrss/templates/docker-compose.yml.j2

@@ -11,10 +11,8 @@ services:
       options:
         max-size: 10m
     volumes:
-      # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
+      - {{ data_dir }}/data:/var/www/FreshRSS/data
-      - /data/freshrss/data:/var/www/FreshRSS/data
+      - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
-      # Optional volume for storing third-party extensions
-      - /data/freshrss/extensions:/var/www/FreshRSS/extensions
     environment:
       TZ: Europe/Amsterdam
       CRON_MIN: '2,32'
@@ -24,11 +22,13 @@ services:
       ADMIN_API_PASSWORD: {{ admin_password }}
       PUBLISHED_PORT: 443
     labels:
+      - traefik.enable=true
       - traefik.http.routers.freshrss.entrypoints=websecure
-      - traefik.http.routers.freshrss.rule=Host(`rss.pizzapim.nl`)
+      - traefik.http.routers.freshrss.rule=Host(`{{ rss_domain }}`)
       - traefik.http.routers.freshrss.tls=true
-      - traefik.http.routers.freshrss.tls.certresolver=pizzapim
+      - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
-      - traefik.tcp.routers.freshrss.service=freshrss
+      - traefik.http.routers.freshrss.service=freshrss
+      - traefik.http.services.freshrss.loadbalancer.server.port=80
 
 networks:
   traefik:

ansible/roles/freshrss/vars/main.yml

@@ -1,6 +1,7 @@
 service_name: freshrss
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
+rss_domain: "rss.{{ domain_name_pim }}"
 admin_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           38363734333534376665616439306566613632303739373661333338356533653334323366326130

ansible/roles/hedgedoc/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/hedgedoc/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Create service directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+- name: Create uploads directory
+  file:
+    path: "{{ data_dir }}/uploads"
+    state: directory
+    mode: 0777
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true

ansible/roles/hedgedoc/templates/docker-compose.yml.j2

@@ -0,0 +1,51 @@
+version: '3'
+
+networks:
+  traefik:
+    external: true
+  internal:
+    external: false
+
+services:
+  database:
+    image: postgres:13.4-alpine
+    container_name: hedgedoc-database
+    environment:
+      - POSTGRES_USER=hedgedoc
+      - POSTGRES_PASSWORD=password
+      - POSTGRES_DB=hedgedoc
+    volumes:
+      - {{ data_dir }}/database:/var/lib/postgresql/data
+    restart: always
+    networks:
+      - internal
+
+  app:
+    image: quay.io/hedgedoc/hedgedoc:1.9.7
+    container_name: hedgedoc
+    environment:
+      - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
+      - CMD_DOMAIN={{ hedgedoc_domain }}
+      - CMD_PORT=3000
+      - CMD_URL_ADDPORT=false
+      - CMD_ALLOW_ANONYMOUS=true
+      - CMD_ALLOW_EMAIL_REGISTER=false
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_SESSION_SECRET={{ session_secret }}
+    volumes:
+      - {{ data_dir }}/uploads:/hedgedoc/public/uploads
+    restart: always
+    depends_on:
+      - database
+    networks:
+      - traefik
+      - internal
+    labels:
+          - traefik.enable=true
+          - traefik.http.routers.hedgedoc.entrypoints=websecure
+          - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`)
+          - traefik.http.routers.hedgedoc.tls=true
+          - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
+          - treafik.http.routers.hedgedoc.service=hedgedoc
+          - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
+          - traefik.docker.network=traefik

ansible/roles/hedgedoc/vars/main.yml

@@ -0,0 +1,14 @@
+service_name: hedgedoc
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+hedgedoc_domain: "md.{{ domain_name_pim }}"
+session_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30633835386265643561343033326536653166343630396139303137613138383233666565666330
+          3032613865333836656566626435383165396539323837350a376331306464643766373839386638
+          65653865343539633636323833343964636332636461386434386432306230343833343431363134
+          6563373138626637650a633932313862326231666330343662343765666166373961376237396434
+          33396131353830323063326266623862353731653665626466653335656434303033353333353164
+          61613535373037646565386131383631366338616565373261396136616433393462313537313861
+          35313661616365373231373963323865393635626132343138363230313431636333363130346239
+          32656335333635613736

ansible/roles/inbucket/meta/main.yml

@@ -1,3 +1,2 @@
 dependencies:
-  - role: common
   - role: docker

ansible/roles/jitsi/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/jitsi/templates/docker-compose.yml.j2

@@ -21,10 +21,11 @@ services:
             - meet.jitsi
             - traefik
         labels:
+            - traefik.enable=true
             - traefik.http.routers.jitsi-web.entrypoints=websecure
             - traefik.http.routers.jitsi-web.rule=Host(`{{ public_domain }}`)
             - traefik.http.routers.jitsi-web.tls=true
-            - traefik.http.routers.jitsi-web.tls.certresolver=pizzapim
+            - traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt
             - traefik.http.services.jitsi-web.loadbalancer.server.port=80
             - traefik.http.routers.jitsi-web.service=jitsi-web
             - traefik.docker.network=traefik
@@ -96,6 +97,7 @@ services:
         networks:
             meet.jitsi:
         labels:
+            - traefik.enable=true
             - traefik.udp.routers.jitsi-videobridge.rule=HostSNI(`*`)
             - traefik.udp.routers.jitsi-videobridge.entrypoints=video
             - traefik.udp.routers.jitsi-videobridge.service=jitsi-videobridge

ansible/roles/jitsi/vars/main.yml

@@ -2,7 +2,7 @@ service_name: jitsi
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 
-public_domain: "meet.pizzapim.nl"
+public_domain: "meet.{{ domain_name_pim }}"
 jvb_advertise_ips: "84.245.14.149,192.168.30.3"
 
 jvb_auth_password: !vault |

ansible/roles/kms/meta/main.yml

@@ -1,3 +1,2 @@
 dependencies:
-  - role: common
   - role: docker

ansible/roles/mastodon/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/mastodon/templates/docker-compose.yml.j2

@@ -49,10 +49,11 @@ services:
       - {{ data_dir }}/public/system:/mastodon/public/system
       - {{ service_dir }}/cache:/mastodon/public/system/cache
     labels:
+      - traefik.enable=true
       - traefik.http.routers.mastodon.entrypoints=websecure
       - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
       - traefik.http.routers.mastodon.tls=true
-      - traefik.http.routers.mastodon.tls.certresolver=pizzapim
+      - traefik.http.routers.mastodon.tls.certresolver=letsencrypt
       - traefik.http.services.mastodon.loadbalancer.server.port=3000
       - traefik.http.routers.mastodon.service=mastodon
       - traefik.docker.network=traefik
@@ -73,6 +74,7 @@ services:
       - db
       - redis
     labels:
+      - traefik.enable=true
       - traefik.http.routers.mastodon-streaming.entrypoints=websecure
       - "traefik.http.routers.mastodon-streaming.rule=(Host(`social.pizzapim.nl`) && PathPrefix(`/api/v1/streaming`))"
       - traefik.http.routers.mastodon-streaming.service=mastodon-streaming

ansible/roles/overleaf/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/overleaf/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: Create app directory
+- name: Create service directory
   file:
     path: "{{ service_dir }}"
     state: directory
@@ -6,10 +6,6 @@
   template:
     src: "{{ role_path }}/templates/docker-compose.yml.j2"
     dest: "{{ service_dir }}/docker-compose.yml"
-- name: Create data directory
-  file:
-    path: "{{ data_dir }}"
-    state: directory
 - name: Start the Docker Compose
   docker_compose:
     project_src: "{{ service_dir }}"

ansible/roles/overleaf/templates/docker-compose.yml.j2

@@ -0,0 +1,107 @@
+version: '2.2'
+
+networks:
+  traefik:
+    external: true
+  internal:
+    external: false
+
+services:
+    sharelatex:
+        restart: always
+        image: sharelatex/sharelatex
+        container_name: overleaf
+        networks:
+          - traefik
+          - internal
+        depends_on:
+            overleaf-mongodb:
+                condition: service_healthy
+            overleaf-redis:
+                condition: service_started
+        links:
+            - overleaf-mongodb
+            - overleaf-redis
+        stop_grace_period: 60s
+        volumes:
+            - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex
+        labels:
+          - traefik.enable=true
+          - traefik.http.routers.overleaf.entrypoints=websecure
+          - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`)
+          - traefik.http.routers.overleaf.tls=true
+          - traefik.http.routers.overleaf.tls.certresolver=letsencrypt
+          - treafik.http.routers.overleaf.service=overleaf
+          - traefik.http.services.overleaf.loadbalancer.server.port=80
+          - traefik.docker.network=traefik
+        environment:
+            SHARELATEX_APP_NAME: Overleaf Community Edition
+
+            SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex
+
+            # Same property, unfortunately with different names in
+            # different locations
+            SHARELATEX_REDIS_HOST: overleaf-redis
+            REDIS_HOST: overleaf-redis
+
+            ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
+
+            # Enables Thumbnail generation using ImageMagick
+            ENABLE_CONVERSIONS: 'true'
+
+            # Disables email confirmation requirement
+            EMAIL_CONFIRMATION_DISABLED: 'true'
+
+            # temporary fix for LuaLaTex compiles
+            # see https://github.com/overleaf/overleaf/issues/695
+            TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var
+
+            ## Set for SSL via nginx-proxy
+            #VIRTUAL_HOST: 103.112.212.22
+
+            SHARELATEX_SITE_URL: https://latex.pim.kunis.nl
+            # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance
+            # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png
+            SHARELATEX_ADMIN_EMAIL: pim@kunis.nl
+
+            # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"},{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
+            # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
+
+            SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl"
+
+            SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl"
+            SHARELATEX_EMAIL_SMTP_PORT: 587
+            SHARELATEX_EMAIL_SMTP_USER: ""
+            SHARELATEX_EMAIL_SMTP_PASS: ""
+            # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
+            # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
+            # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1'
+            # SHARELATEX_EMAIL_SMTP_LOGGER: true
+            # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
+
+    overleaf-mongodb:
+        restart: always
+        image: mongo:4.4
+        container_name: overleaf-mongodb
+        networks:
+          - internal
+        expose:
+            - 27017
+        volumes:
+            - {{ data_dir }}/overleaf/mongo_data:/data/db
+        healthcheck:
+            test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
+            interval: 10s
+            timeout: 10s
+            retries: 5
+
+    overleaf-redis:
+        restart: always
+        image: redis:5
+        container_name: overleaf-redis
+        networks:
+          - internal
+        expose:
+            - 6379
+        volumes:
+            - {{ data_dir }}/overleaf/redis_data:/data

ansible/roles/overleaf/vars/main.yml

@@ -0,0 +1,3 @@
+service_name: overleaf
+data_dir: "{{ base_data_dir}}/{{service_name}}"
+service_dir: "{{ base_service_dir}}/{{service_name}}"

ansible/roles/prometheus/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
   - role: docker
-  

ansible/roles/prometheus/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Copy prometheus.yml
+  template:
+    src: "{{ role_path }}/templates/prometheus.yml.j2"
+    dest: "{{ service_dir }}/prometheus.yml"
+  register: config
+- name: Start Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+    restarted: "{{ config.changed }}"

ansible/roles/prometheus/templates/docker-compose.yml.j2

@@ -0,0 +1,13 @@
+version: "3.8"
+
+services:
+  prometheus:
+    image: prom/prometheus
+    container_name: prometheus
+    restart: always
+    volumes:
+      - "{{ service_dir }}/prometheus.yml:/etc/prometheus/prometheus.yml"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    ports:
+      - "{{ prometheus_port }}:9090"

ansible/roles/prometheus/templates/prometheus.yml.j2

@@ -0,0 +1,14 @@
+global:
+  scrape_interval:     15s
+
+scrape_configs:
+
+  - job_name: 'prometheus'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['localhost:9090']
+
+  - job_name: 'traefik'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['host.docker.internal:{{ traefik_api_port }}']

ansible/roles/prometheus/vars/main.yml

@@ -0,0 +1,3 @@
+service_name: prometheus
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"

ansible/roles/radicale/files/radicale.conf

@@ -9,7 +9,7 @@ stock = utf-8
 [auth]
 realm = Radicale - Password Required
 type = htpasswd
-htpasswd_filename = /radicale/users
+htpasswd_filename = /config/users
 htpasswd_encryption = md5
 
 [rights]

ansible/roles/radicale/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/radicale/tasks/main.yml

@@ -13,7 +13,7 @@
 - name: Copy radicale.conf
   copy:
     src: "{{ role_path }}/files/radicale.conf"
-    dest: "{{ service_dir }}/config/radicale.conf"
+    dest: "{{ service_dir }}/config/config"
 - name: Copy users file
   copy:
     src: "{{ role_path }}/files/users"

ansible/roles/radicale/templates/docker-compose.yml.j2

@@ -0,0 +1,39 @@
+version: '3.7'
+
+services:
+  radicale:
+    image: tomsquest/docker-radicale
+    container_name: radicale
+    init: true
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+      - KILL
+    healthcheck:
+      test: curl -f http://127.0.0.1:5232 || exit 1
+      interval: 30s
+      retries: 3
+    restart: unless-stopped
+    volumes:
+      - {{ data_dir }}:/data
+      - {{ service_dir }}/config:/config:ro
+    networks:
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.radicale.entrypoints=websecure
+      - traefik.http.routers.radicale.rule=Host(`{{ dav_domain }}`)
+      - traefik.http.routers.radicale.tls=true
+      - traefik.http.routers.radicale.tls.certresolver=letsencrypt
+      - traefik.http.routers.radicale.service=radicale
+      - traefik.http.services.radicale.loadbalancer.server.port=5232
+
+networks:
+  traefik:
+    external: true

ansible/roles/radicale/vars/main.yml

@@ -0,0 +1,5 @@
+service_name: radicale
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+
+dav_domain: "dav.{{ domain_name_pim }}"

ansible/roles/seafile/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/seafile/templates/docker-compose.yml.j2

@@ -35,10 +35,11 @@ services:
       - SEAFILE_SERVER_LETSENCRYPT=false   # Whether to use https or not. 
       - SEAFILE_SERVER_HOSTNAME={{ seafile_domain }} # Specifies your host name if https is enabled. 
     labels:
+      - traefik.enable=true
       - traefik.http.routers.seafile.entrypoints=websecure
       - traefik.http.routers.seafile.rule=Host(`files.geokunis2.nl`)
       - traefik.http.routers.seafile.tls=true
-      - traefik.http.routers.seafile.tls.certresolver=geokunis
+      - traefik.http.routers.seafile.tls.certresolver=letsencrypt
       - traefik.http.services.seafile.loadbalancer.server.port=80
       - traefik.http.routers.seafile.service=seafile
       - traefik.docker.network=traefik

ansible/roles/static/files/security.txt

@@ -0,0 +1 @@
+testje

ansible/roles/static/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: traefik

ansible/roles/static/tasks/main.yml

@@ -17,13 +17,17 @@
     cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
     chdir: "{{ service_dir }}"
   when: repo.changed
+- name: Copy security.txt
+  copy:
+    src: "{{ role_path }}/files/security.txt"
+    dest: "{{ service_dir }}/security.txt"
 - name: Copy docker compose file
   template:
     src: "{{ role_path }}/templates/docker-compose.yml.j2"
     dest: "{{ service_dir }}/docker-compose.yml"
 - name: Copy nginx config
-  copy:
+  template:
-    src: "{{ role_path }}/files/nginx.conf"
+    src: "{{ role_path }}/templates/nginx.conf.j2"
     dest: "{{ service_dir }}/nginx.conf"
   register: nginx_conf
 - name: Start docker compose

ansible/roles/static/templates/docker-compose.yml.j2

@@ -9,13 +9,15 @@ services:
       - {{ service_dir }}/git/templates:/etc/nginx/templates
       - {{ service_dir }}/git/_site:/var/www/blog
       - {{ service_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf
+      - {{ service_dir }}/security.txt:/var/www/blog/security.txt
     networks:
       - traefik
     labels:
+      - traefik.enable=true
       - traefik.http.routers.blog.entrypoints=websecure
-      - traefik.http.routers.blog.rule=Host(`pizzapim.nl`)
+      - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))"
       - traefik.http.routers.blog.tls=true
-      - traefik.http.routers.blog.tls.certresolver=pizzapim
+      - traefik.http.routers.blog.tls.certresolver=letsencrypt
       - traefik.http.routers.blog.service=blog
       - traefik.http.services.blog.loadbalancer.server.port=80
 

ansible/roles/static/templates/nginx.conf.j2

@@ -0,0 +1,43 @@
+server {
+	listen 80 default_server;
+
+	location /security.txt {
+		return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
+	}
+
+	location /.well-known/security.txt {
+		return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
+	}
+}
+
+server {
+	listen 80;
+	server_name {{ domain_name_pim }};
+	index index.html index.htm;
+	root /var/www/blog;
+
+	location /security.txt {
+		return 301 https://$host/.well-known/security.txt;
+	}
+
+	location /.well-known/security.txt {
+		add_header Content-Type 'text/plain';
+		add_header Cache-Control 'no-cache, no-store, must-revalidate';
+		add_header Pragma 'no-cache';
+		add_header Expires '0';
+		add_header Vary '*';
+		return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
+	}
+
+	location / {
+	    try_files $uri $uri/ /index.html;
+	}
+
+	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+	    expires 30d;
+	    add_header Pragma public;
+	    add_header Cache-Control "public";
+	}
+
+	error_page 404 /404.html;
+}

ansible/roles/static/vars/main.yml

@@ -0,0 +1,3 @@
+service_name: static
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+git_origin: "http://git.pim.kunis.nl/pim/static.git"

ansible/roles/syncthing/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
   - role: docker
-  

ansible/roles/syncthing/templates/config.xml.j2

@@ -90,6 +90,53 @@
             <maxTotalSize>4096</maxTotalSize>
         </xattrFilter>
     </folder>
+    <folder id="sjpmp-qavt4" label="Uni" path="/data/uni" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+        <filesystemType>basic</filesystemType>
+        <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
+        <minDiskFree unit="%">1</minDiskFree>
+        <versioning>
+            <cleanupIntervalS>3600</cleanupIntervalS>
+            <fsPath></fsPath>
+            <fsType>basic</fsType>
+        </versioning>
+        <copiers>0</copiers>
+        <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+        <hashers>0</hashers>
+        <order>random</order>
+        <ignoreDelete>false</ignoreDelete>
+        <scanProgressIntervalS>0</scanProgressIntervalS>
+        <pullerPauseS>0</pullerPauseS>
+        <maxConflicts>10</maxConflicts>
+        <disableSparseFiles>false</disableSparseFiles>
+        <disableTempIndexes>false</disableTempIndexes>
+        <paused>false</paused>
+        <weakHashThresholdPct>25</weakHashThresholdPct>
+        <markerName>.stfolder</markerName>
+        <copyOwnershipFromParent>false</copyOwnershipFromParent>
+        <modTimeWindowS>0</modTimeWindowS>
+        <maxConcurrentWrites>2</maxConcurrentWrites>
+        <disableFsync>false</disableFsync>
+        <blockPullOrder>standard</blockPullOrder>
+        <copyRangeMethod>standard</copyRangeMethod>
+        <caseSensitiveFS>false</caseSensitiveFS>
+        <junctionsAsDirs>false</junctionsAsDirs>
+        <syncOwnership>false</syncOwnership>
+        <sendOwnership>false</sendOwnership>
+        <syncXattrs>false</syncXattrs>
+        <sendXattrs>false</sendXattrs>
+        <xattrFilter>
+            <maxSingleEntrySize>1024</maxSingleEntrySize>
+            <maxTotalSize>4096</maxTotalSize>
+        </xattrFilter>
+    </folder>
     <folder id="tj35a-felne" label="Keepass" path="/data/keepass" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
         <filesystemType>basic</filesystemType>
         <device id="B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" introducedBy="">
@@ -101,6 +148,9 @@
         <device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
             <encryptionPassword></encryptionPassword>
         </device>
+        <device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" introducedBy="">
+            <encryptionPassword></encryptionPassword>
+        </device>
         <minDiskFree unit="%">1</minDiskFree>
         <versioning>
             <cleanupIntervalS>3600</cleanupIntervalS>
@@ -167,6 +217,16 @@
         <untrusted>false</untrusted>
         <remoteGUIPort>0</remoteGUIPort>
     </device>
+    <device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" name="OS3" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+        <address>dynamic</address>
+        <paused>false</paused>
+        <autoAcceptFolders>false</autoAcceptFolders>
+        <maxSendKbps>0</maxSendKbps>
+        <maxRecvKbps>0</maxRecvKbps>
+        <maxRequestKiB>0</maxRequestKiB>
+        <untrusted>false</untrusted>
+        <remoteGUIPort>0</remoteGUIPort>
+    </device>
     <gui enabled="true" tls="false" debugging="false">
         <address>0.0.0.0:8384</address>
         <apikey>{{ syncthing.apikey }}</apikey>

ansible/roles/syncthing/templates/docker-compose.yml.j2

@@ -4,6 +4,8 @@ services:
   syncthing:
     image: lscr.io/linuxserver/syncthing:latest
     container_name: syncthing
+    labels:
+      - "com.centurylinklabs.watchtower.enable=false"
     hostname: syncthing
     environment:
       - PUID=1000

ansible/roles/traefik/files/services.toml

@@ -3,4 +3,4 @@
     [http.services.esrom]
       [http.services.esrom.loadBalancer]
         [[http.services.esrom.loadBalancer.servers]]
-          url = "http://192.168.30.2:80/"
+          url = "http://esrom.dmz:80/"

ansible/roles/traefik/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: docker

ansible/roles/traefik/tasks/main.yml

@@ -2,10 +2,14 @@
   file:
     path: "{{ service_dir }}"
     state: directory
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
 - name: Create acme file
   copy:
     content: ""
-    dest: "{{ service_dir }}/acme.json"
+    dest: "{{ data_dir }}/acme.json"
     force: no
     mode: 0600
 - name: Copy Docker Compose script
@@ -16,10 +20,12 @@
   template:
     src: "{{ role_path }}/templates/traefik.toml.j2"
     dest: "{{ service_dir }}/traefik.toml"
+  register: traefik
 - name: Copy services.toml
   copy:
     src: "{{ role_path }}/files/services.toml"
     dest: "{{ service_dir }}/services.toml"
+  register: services
 - name: Create traefik network
   docker_network:
     name: "traefik"
@@ -28,3 +34,4 @@
     project_src: "{{ service_dir }}"
     pull: true
     remove_orphans: true
+    restarted: "{{ traefik.changed or services.changed }}"

ansible/roles/traefik/templates/docker-compose.yml.j2

@@ -13,11 +13,12 @@ services:
       - "443:443"
       - "80:80"
       - "{{ git_ssh_port }}:{{ git_ssh_port }}"
+      - "{{ traefik_api_port }}:{{ traefik_api_port }}"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
       - {{ service_dir }}/services.toml:/etc/traefik/services.toml
-      - {{ service_dir }}/acme.json:/acme.json
+      - {{ data_dir }}/acme.json:/acme.json
     networks:
       - traefik
     labels:
@@ -27,12 +28,8 @@ services:
       - traefik.http.routers.esrom.service=esrom@file
       - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
       - traefik.http.routers.esrom.tls=true
-      - traefik.http.routers.esrom.tls.certresolver=geokunis
+      - traefik.http.routers.esrom.tls.certresolver=letsencrypt
 
-      - traefik.http.routers.traefik.rule=Host(`traefik.pizzapim.nl`)
+      - traefik.http.routers.traefik.rule=Host(`max.dmz`)
-      - traefik.http.routers.traefik.entrypoints=websecure
+      - traefik.http.routers.traefik.entrypoints=internal
-      - traefik.http.routers.traefik.tls=true
-      - traefik.http.routers.traefik.tls.certresolver=pizzapim
       - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=whitelist-local
-      - "traefik.http.middlewares.whitelist-local.ipwhitelist.sourcerange=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,::1,fc00::/7"

ansible/roles/traefik/templates/traefik.toml.j2

@@ -13,25 +13,26 @@ loglevel = "DEBUG"
     address = ":{{ git_ssh_port }}"
   [entryPoints.video]
     address = ":{{ jitsi_videobridge_port }}/udp"
+  [entryPoints.internal]
+    address = ":{{ traefik_api_port }}"
 
 [api]
   insecure = false
   dashboard = true
 
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "internal"
+
 [providers.docker]
   endpoint = "unix:///var/run/docker.sock"
+  exposedByDefault = false
 
 [providers.file]
   filename = "/etc/traefik/services.toml"
 
-[certificatesResolvers.geokunis.acme]
+[certificatesResolvers.letsencrypt.acme]
   email = "pim@kunis.nl"
   storage = "acme.json"
-  [certificatesResolvers.geokunis.acme.httpChallenge]
+  [certificatesResolvers.letsencrypt.acme.httpChallenge]
-    entryPoint = "web"
-
-[certificatesResolvers.pizzapim.acme]
-  email = "pim@kunis.nl"
-  storage = "acme.json"
-  [certificatesResolvers.pizzapim.acme.httpChallenge]
     entryPoint = "web"

ansible/roles/traefik/vars/main.yml

@@ -1,3 +1,3 @@
-service_name: radicale
+service_name: traefik
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
+data_dir: "{{ base_data_dir }}/{{ service_name }}"

ansible/roles/watchtower/files/docker-compose.yml

@@ -0,0 +1,8 @@
+version: "3"
+services:
+  watchtower:
+    image: containrrr/watchtower
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message
+    restart: always

ansible/roles/watchtower/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: docker

ansible/roles/watchtower/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+

ansible/roles/watchtower/vars/main.yml

@@ -1,2 +1,2 @@
-service_name: traefik
+service_name: watchtower
 service_dir: "{{ base_service_dir }}/{{ service_name }}"

ansible/util/secret-service-client.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault homeservers`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+	read -s pass
+fi
+echo $pass

inventory/group_vars/all.yml

@@ -1,8 +0,0 @@
-borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
-dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
-kingston1tb_mount_point: "/mnt/kingston1TB"
-backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
-
-admin_public_keys:
-  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
-  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"

inventory/group_vars/dataserver.yml

@@ -1 +0,0 @@
-kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"

inventory/group_vars/homeserver.yml

@@ -1,5 +0,0 @@
-base_data_dir: /data
-base_service_dir: /srv
-jitsi_videobridge_port: 54562
-git_ssh_port: 56287
-

inventory/hosts.yml

@@ -1,12 +0,0 @@
-all:
-  children:
-    homeserver:
-      hosts:
-        max:
-          ansible_user: root
-          ansible_host: max.lan
-    dataserver:
-      hosts:
-        lewis:
-          ansible_user: root
-          ansible_host: lewis.lan

playbooks/all.yml

@@ -1,20 +0,0 @@
-- name: Setup homeserver
-  hosts: homeserver
-  roles:
-    - {role: 'ssh', tags: 'ssh'}
-    - {role: 'borg', tags: 'borg'}
-    - {role: 'nsd', tags: 'nsd'}
-    - {role: 'forgejo', tags: 'forgejo'}
-    - {role: 'syncthing', tags: 'syncthing'}
-    - {role: 'kms', tags: 'kms'}
-    - {role: 'radicale', tags: 'radicale'}
-    - {role: 'mastodon', tags: 'mastodon'}
-    - {role: 'seafile', tags: 'seafile'}
-    - {role: 'jitsi', tags: 'jitsi'}
-    - {role: 'freshrss', tags: 'freshrss'}
-    - {role: 'blog', tags: 'blog'}
-    - {role: 'inbucket', tags: 'inbucket'}
-- name: Setup dataserver
-  hosts: dataserver
-  roles:
-    - {role: 'dataserver', tags: 'dataserver'}

playbooks/backup.yml

@@ -1,7 +0,0 @@
-- name: Create backup
-  hosts: homeserver
-  
-  tasks:
-    - name: Create backup
-      command:
-        cmd: systemctl start backup.service

roles/blog/files/nginx.conf

@@ -1,18 +0,0 @@
-server {
-	listen 80;
-	server_name pizzapim.nl;
-	index index.html index.htm;
-	root /var/www/blog;
-
-	location / {
-	    try_files $uri $uri/ /index.html;
-	}
-
-	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
-	    expires 30d;
-	    add_header Pragma public;
-	    add_header Cache-Control "public";
-	}
-
-	error_page 404 /404.html;
-}

roles/blog/meta/main.yml

@@ -1,4 +0,0 @@
-dependencies:
-  - role: common
-  - role: docker
-  - role: traefik

roles/blog/vars/main.yml

@@ -1,3 +0,0 @@
-service_name: blog
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: https://git.pizzapim.nl/pim/blog.git

roles/borg/files/backup.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Backup data daily 
-
-[Timer]
-OnCalendar=*-*-* 3:00:00
-Persistent=true
-RandomizedDelaySec=1h
-
-[Install]
-WantedBy=timers.target

roles/borg/files/id_ed25519

@@ -1,25 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-39646436383433653539316135323332303832633864366363313031636534353531386638323037
-6364366663313964633239613261373733333736316534390a306262373634303536353365396138
-35626433353935633534353636613232623531303765636139363139646265653361353164656363
-3465316438373734330a636563346263633332353962353033336565356435353739646263343339
-38633832343230393631633434323231313438336537383930646562356264346534663235323035
-31643861306134663662353938643861393861333838633338613131363136333766353131313666
-30393437616539643263386331343166636434323435666636386562353239373330336462653636
-38306161393634356636613334323038366365626138326365303063313564653365313063643432
-66306664356662326638363736366462343636393466303432323661323431393337306132386531
-65663736643565363634373461666631356439373935353734636535636538626630666462653636
-33363730626662313336633132393437666533363136643464653462646561393861376464366238
-35383136333939653265366336356234613166353162366365346462633639396335653432353964
-35303964633339356531343437393231303936623465383265666134316335666531636337383563
-30326530396439363438396439313264643765366663343439646333326664633231626662666463
-38616235353730346239396265306230623135626332636330666461333864306664346637396233
-61343535396230363938306162313938363063353934323764656538666337656431363634333739
-62373234356131373931333736373136343166636465643065643337386539376361383965343762
-33633837626637393832366332343332303361306230626131346539323538383365316535666532
-30666439643263653835666430393439396239333464336133316264323234643361336434343763
-61306133373335353563646331303562326139613133356139366632363738316461633739333161
-33666531653239626362363364346566373430656538356166346363333531656433393034333232
-65353139623435383330353864336132313031656362386538626464313264333231653831373834
-33363632616430303763616366356131323265313337323836396264623539316436616333383933
-62653865623831626330

roles/borg/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: common

roles/borg/tasks/main.yml

@@ -1,38 +0,0 @@
-- name: Install borg
-  apt:
-    pkg:
-      - borgbackup
-      - borgmatic
-- name: Create borg service directory
-  file:
-    path: "{{ service_dir }}"
-    state: directory
-- name: Copy borg backup configuration
-  template:
-    src: "{{ role_path }}/templates/backup.yml.j2"
-    dest: "{{ service_dir }}/backup.yml"
-- name: Copy private key
-  copy:
-    src: "{{ role_path }}/files/id_ed25519"
-    dest: "{{ service_dir }}/id_ed25519"
-    mode: 0600
-- name: Copy systemd timer backup service
-  template:
-    src: "{{ role_path }}/templates/backup.service.j2"
-    dest: "/etc/systemd/system/backup.service"
-  register: service
-- name: Copy systemd timer backup timer
-  copy:
-    src: "{{ role_path }}/files/backup.timer"
-    dest: "/etc/systemd/system/backup.timer"
-  register: timer
-- name: Enable systemd timer
-  systemd:
-    name: backup.timer
-    enabled: true
-    state: started
-    daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
-- name: Restore backup
-  command:
-    cmd: "borgmatic extract --archive latest --destination / --config {{ service_dir }}/backup.yml"
-    creates: /data

roles/borg/templates/backup.service.j2

@@ -1,6 +0,0 @@
-[Unit]
-Description=Backup data using borgmatic
-
-[Service]
-ExecStart=/usr/bin/borgmatic --config {{ service_dir }}/backup.yml
-Type=oneshot