all changes to make it work on Debian

test
2023-02-04 17:02:53 +01:00 · 2023-02-04 14:48:40 +01:00
131 changed files with 819 additions and 704 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,38 +1 @@
 # Local .terraform directories
 **/.terraform/*
 # .tfstate files
 *.tfstate
 *.tfstate.*
 # Crash log files
 crash.log
 crash.*.log
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
 .terraform.lock.hcl
 *.tfbackend
 .vault_password
--- a/8
+++ b/8
@ -0,0 +1,8 @@
 all:
 	ansible-playbook playbooks/all.yml
 backup:
 	ansible-playbook playbooks/backup.yml
 %:
 	ansible-playbook playbooks/all.yml --tags "$@"
--- a/README.md
+++ b/README.md
@ -1,23 +1,54 @@
-# Max
+# Homeservers
-Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible.
+This repository contains Ansible scripts to setup our home servers.
 The `common` role executes some common OS tasks.
 The `docker` role installs Docker.
 The other roles are specifically for the various services we run.
 ## Running services
-All services below are implemented using Docker:
+All services below are running under Docker, except NSD and Borg.
 - Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl)
 - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/)
- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl))
+- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl))
- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl))
+- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl))
 - File sychronisation using [Syncthing](https://syncthing.net/)
 - Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl))
- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl))
+- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl))
 - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd)
 - Cloud file storage using [Seafile](https://www.seafile.com)
- Disposable mail server using [Inbucket](https://inbucket.org)
+- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org)
 - Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl)
 - Jitsi Meet (https://meet.jit.si)
 - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/)
 - RSS feed reader using [FreshRSS](https://miniflux.app/)
- Metrics using [Prometheus](https://prometheus.io/)
+
- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl))
+## Possible future services
- Markdown editor using [Hedgedoc](https://hedgedoc.org/)
+
 - matrix
 - peertube?
 - Pixelfed?
 - Prometheus
 - Concourse CI?
 ## TODO
 - Clear view of what services + which versions we are running. This way, we can track security updates better.
 - Delegate pim.kunis.nl to my server
 - Host tobb website?
 - Move from Ubuntu to Debian
 ### NSD
 #### ZSK Rollover
 Could make automatic key rollovers with cron or some other tool.
 #### Idempotency
 Currently I always resign zones.
 But for idempotency I should probably only do it if the zone has changed or the keys have changed.
 ### Firewall
 A little more difficult because of docker networking but probably doable.
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,5 @@
 [defaults]
 # (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 vault_password_file=./.vault_password
 inventory=inventory
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -1,8 +0,0 @@
 [defaults]
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
 vault_password_file=util/secret-service-client.sh
 interpreter_python=/usr/bin/python3
 [diff]
 always = True
--- a/ansible/inventory/host_vars/max.yml
+++ b/ansible/inventory/host_vars/max.yml
@ -1,15 +0,0 @@
 base_data_dir: /mnt/data
 base_service_dir: /srv
 domain_name_pim: pim.kunis.nl
 # Additional open ports
 jitsi_videobridge_port: 54562
 git_ssh_port: 56287
 prometheus_port: 8081
 traefik_api_port: 8080
 internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
 docker_daemon_config:
  default-address-pools:
  - base: "10.204.0.0/16"
    size: 24
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@ -1,5 +0,0 @@
 all:
  hosts:
    max:
      ansible_user: root
      ansible_host: max.dmz
--- a/ansible/max.yml
+++ b/ansible/max.yml
@ -1,36 +0,0 @@
 - name: Wait for servers to come up
  hosts: max
  gather_facts: no
  roles:
    - 'cloudinit-wait'
 - name: Start services
  hosts: max
  pre_tasks:
  - name: Create base service directory
    file:
      path: "{{ base_service_dir }}"
      state: directory
  - name: Delete externally managed environment file
    shell:
      cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
    register: rm
    changed_when: "rm.rc == 0"
    failed_when: "false"
  roles:
    - {role: 'setup-apt', tags: 'setup-apt'}
    - {role: 'watchtower', tags: 'watchtower'}
    - {role: 'forgejo', tags: 'forgejo'}
    - {role: 'syncthing', tags: 'syncthing'}
    - {role: 'kms', tags: 'kms'}
    - {role: 'cyberchef', tags: 'cyberchef'}
    - {role: 'radicale', tags: 'radicale'}
    - {role: 'mastodon', tags: 'mastodon'}
    - {role: 'seafile', tags: 'seafile'}
    - {role: 'jitsi', tags: 'jitsi'}
    - {role: 'freshrss', tags: 'freshrss'}
    - {role: 'static', tags: 'static'}
    - {role: 'inbucket', tags: 'inbucket'}
    - {role: 'prometheus', tags: 'prometheus'}
    - {role: 'overleaf', tags: 'overleaf'}
    - {role: 'hedgedoc', tags: 'hedgedoc'}
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -1,9 +0,0 @@
 - name: setup-apt
  src: https://github.com/sunscrapers/ansible-role-apt.git
  scm: git
 - name: cloudinit-wait
  src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
  scm: git
 - name: docker
  src: https://git.pim.kunis.nl/pim/ansible-role-docker
  scm: git
--- a/ansible/roles/cyberchef/files/docker-compose.yml
+++ b/ansible/roles/cyberchef/files/docker-compose.yml
@ -1,22 +0,0 @@
 version: "3.7"
 services:
   cyberchef-server:
      image: mpepping/cyberchef
      container_name: cyberchef
      restart: always
      labels:
        - traefik.enable=true
        - traefik.http.routers.cyberchef.entrypoints=websecure
        - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
        - traefik.http.routers.cyberchef.tls=true
        - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
        - traefik.http.services.cyberchef.loadbalancer.server.port=8000
        - traefik.http.routers.cyberchef.service=cyberchef
        - traefik.docker.network=traefik
      networks: 
        - traefik
 networks:
  traefik:
    external: true
--- a/ansible/roles/cyberchef/meta/main.yml
+++ b/ansible/roles/cyberchef/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/cyberchef/tasks/main.yml
+++ b/ansible/roles/cyberchef/tasks/main.yml
@ -1,13 +0,0 @@
 - name: Create app directory
  file:
    path: "{{ service_dir }}"
    state: directory
 - name: Copy Docker Compose script
  copy:
    src: "{{ role_path }}/files/docker-compose.yml"
    dest: "{{ service_dir }}/docker-compose.yml"
 - name: Start the Docker Compose
  docker_compose:
    project_src: "{{ service_dir }}"
    pull: true
    remove_orphans: true
--- a/ansible/roles/forgejo/meta/main.yml
+++ b/ansible/roles/forgejo/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/freshrss/meta/main.yml
+++ b/ansible/roles/freshrss/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/hedgedoc/meta/main.yml
+++ b/ansible/roles/hedgedoc/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/hedgedoc/tasks/main.yml
+++ b/ansible/roles/hedgedoc/tasks/main.yml
@ -1,22 +0,0 @@
 - name: Create service directory
  file:
    path: "{{ service_dir }}"
    state: directory
 - name: Copy Docker Compose script
  template:
    src: "{{ role_path }}/templates/docker-compose.yml.j2"
    dest: "{{ service_dir }}/docker-compose.yml"
 - name: Create data directory
  file:
    path: "{{ data_dir }}"
    state: directory
 - name: Create uploads directory
  file:
    path: "{{ data_dir }}/uploads"
    state: directory
    mode: 0777
 - name: Start the Docker Compose
  docker_compose:
    project_src: "{{ service_dir }}"
    pull: true
    remove_orphans: true
--- a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2
+++ b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2
@ -1,51 +0,0 @@
 version: '3'
 networks:
  traefik:
    external: true
  internal:
    external: false
 services:
  database:
    image: postgres:13.4-alpine
    container_name: hedgedoc-database
    environment:
      - POSTGRES_USER=hedgedoc
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=hedgedoc
    volumes:
      - {{ data_dir }}/database:/var/lib/postgresql/data
    restart: always
    networks:
      - internal
  app:
    image: quay.io/hedgedoc/hedgedoc:1.9.7
    container_name: hedgedoc
    environment:
      - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
      - CMD_DOMAIN={{ hedgedoc_domain }}
      - CMD_PORT=3000
      - CMD_URL_ADDPORT=false
      - CMD_ALLOW_ANONYMOUS=true
      - CMD_ALLOW_EMAIL_REGISTER=false
      - CMD_PROTOCOL_USESSL=true
      - CMD_SESSION_SECRET={{ session_secret }}
    volumes:
      - {{ data_dir }}/uploads:/hedgedoc/public/uploads
    restart: always
    depends_on:
      - database
    networks:
      - traefik
      - internal
    labels:
          - traefik.enable=true
          - traefik.http.routers.hedgedoc.entrypoints=websecure
          - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`)
          - traefik.http.routers.hedgedoc.tls=true
          - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
          - treafik.http.routers.hedgedoc.service=hedgedoc
          - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
          - traefik.docker.network=traefik
--- a/ansible/roles/hedgedoc/vars/main.yml
+++ b/ansible/roles/hedgedoc/vars/main.yml
@ -1,14 +0,0 @@
 service_name: hedgedoc
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 hedgedoc_domain: "md.{{ domain_name_pim }}"
 session_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30633835386265643561343033326536653166343630396139303137613138383233666565666330
          3032613865333836656566626435383165396539323837350a376331306464643766373839386638
          65653865343539633636323833343964636332636461386434386432306230343833343431363134
          6563373138626637650a633932313862326231666330343662343765666166373961376237396434
          33396131353830323063326266623862353731653665626466653335656434303033353333353164
          61613535373037646565386131383631366338616565373261396136616433393462313537313861
          35313661616365373231373963323865393635626132343138363230313431636333363130346239
          32656335333635613736
--- a/ansible/roles/jitsi/meta/main.yml
+++ b/ansible/roles/jitsi/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/mastodon/meta/main.yml
+++ b/ansible/roles/mastodon/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/overleaf/meta/main.yml
+++ b/ansible/roles/overleaf/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/overleaf/templates/docker-compose.yml.j2
+++ b/ansible/roles/overleaf/templates/docker-compose.yml.j2
@ -1,107 +0,0 @@
 version: '2.2'
 networks:
  traefik:
    external: true
  internal:
    external: false
 services:
    sharelatex:
        restart: always
        image: sharelatex/sharelatex
        container_name: overleaf
        networks:
          - traefik
          - internal
        depends_on:
            overleaf-mongodb:
                condition: service_healthy
            overleaf-redis:
                condition: service_started
        links:
            - overleaf-mongodb
            - overleaf-redis
        stop_grace_period: 60s
        volumes:
            - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex
        labels:
          - traefik.enable=true
          - traefik.http.routers.overleaf.entrypoints=websecure
          - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`)
          - traefik.http.routers.overleaf.tls=true
          - traefik.http.routers.overleaf.tls.certresolver=letsencrypt
          - treafik.http.routers.overleaf.service=overleaf
          - traefik.http.services.overleaf.loadbalancer.server.port=80
          - traefik.docker.network=traefik
        environment:
            SHARELATEX_APP_NAME: Overleaf Community Edition
            SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex
            # Same property, unfortunately with different names in
            # different locations
            SHARELATEX_REDIS_HOST: overleaf-redis
            REDIS_HOST: overleaf-redis
            ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
            # Enables Thumbnail generation using ImageMagick
            ENABLE_CONVERSIONS: 'true'
            # Disables email confirmation requirement
            EMAIL_CONFIRMATION_DISABLED: 'true'
            # temporary fix for LuaLaTex compiles
            # see https://github.com/overleaf/overleaf/issues/695
            TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var
            ## Set for SSL via nginx-proxy
            #VIRTUAL_HOST: 103.112.212.22
            SHARELATEX_SITE_URL: https://latex.pim.kunis.nl
            # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance
            # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png
            SHARELATEX_ADMIN_EMAIL: pim@kunis.nl
            # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"},{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
            # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
            SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl"
            SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl"
            SHARELATEX_EMAIL_SMTP_PORT: 587
            SHARELATEX_EMAIL_SMTP_USER: ""
            SHARELATEX_EMAIL_SMTP_PASS: ""
            # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
            # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
            # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1'
            # SHARELATEX_EMAIL_SMTP_LOGGER: true
            # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
    overleaf-mongodb:
        restart: always
        image: mongo:4.4
        container_name: overleaf-mongodb
        networks:
          - internal
        expose:
            - 27017
        volumes:
            - {{ data_dir }}/overleaf/mongo_data:/data/db
        healthcheck:
            test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
            interval: 10s
            timeout: 10s
            retries: 5
    overleaf-redis:
        restart: always
        image: redis:5
        container_name: overleaf-redis
        networks:
          - internal
        expose:
            - 6379
        volumes:
            - {{ data_dir }}/overleaf/redis_data:/data
--- a/ansible/roles/overleaf/vars/main.yml
+++ b/ansible/roles/overleaf/vars/main.yml
@ -1,3 +0,0 @@
 service_name: overleaf
 data_dir: "{{ base_data_dir}}/{{service_name}}"
 service_dir: "{{ base_service_dir}}/{{service_name}}"
--- a/ansible/roles/prometheus/tasks/main.yml
+++ b/ansible/roles/prometheus/tasks/main.yml
@ -1,19 +0,0 @@
 - name: Create app directory
  file:
    path: "{{ service_dir }}"
    state: directory
 - name: Copy Docker Compose script
  template:
    src: "{{ role_path }}/templates/docker-compose.yml.j2"
    dest: "{{ service_dir }}/docker-compose.yml"
 - name: Copy prometheus.yml
  template:
    src: "{{ role_path }}/templates/prometheus.yml.j2"
    dest: "{{ service_dir }}/prometheus.yml"
  register: config
 - name: Start Docker Compose
  docker_compose:
    project_src: "{{ service_dir }}"
    pull: true
    remove_orphans: true
    restarted: "{{ config.changed }}"
--- a/ansible/roles/prometheus/templates/docker-compose.yml.j2
+++ b/ansible/roles/prometheus/templates/docker-compose.yml.j2
@ -1,13 +0,0 @@
 version: "3.8"
 services:
  prometheus:
    image: prom/prometheus
    container_name: prometheus
    restart: always
    volumes:
      - "{{ service_dir }}/prometheus.yml:/etc/prometheus/prometheus.yml"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    ports:
      - "{{ prometheus_port }}:9090"
--- a/ansible/roles/prometheus/templates/prometheus.yml.j2
+++ b/ansible/roles/prometheus/templates/prometheus.yml.j2
@ -1,14 +0,0 @@
 global:
  scrape_interval:     15s
 scrape_configs:
  - job_name: 'prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:9090']
  - job_name: 'traefik'
    scrape_interval: 5s
    static_configs:
      - targets: ['host.docker.internal:{{ traefik_api_port }}']
--- a/ansible/roles/prometheus/vars/main.yml
+++ b/ansible/roles/prometheus/vars/main.yml
@ -1,3 +0,0 @@
 service_name: prometheus
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/ansible/roles/radicale/meta/main.yml
+++ b/ansible/roles/radicale/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/radicale/templates/docker-compose.yml.j2
+++ b/ansible/roles/radicale/templates/docker-compose.yml.j2
@ -1,39 +0,0 @@
 version: '3.7'
 services:
  radicale:
    image: tomsquest/docker-radicale
    container_name: radicale
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3
    restart: unless-stopped
    volumes:
      - {{ data_dir }}:/data
      - {{ service_dir }}/config:/config:ro
    networks:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.radicale.entrypoints=websecure
      - traefik.http.routers.radicale.rule=Host(`{{ dav_domain }}`)
      - traefik.http.routers.radicale.tls=true
      - traefik.http.routers.radicale.tls.certresolver=letsencrypt
      - traefik.http.routers.radicale.service=radicale
      - traefik.http.services.radicale.loadbalancer.server.port=5232
 networks:
  traefik:
    external: true
--- a/ansible/roles/radicale/vars/main.yml
+++ b/ansible/roles/radicale/vars/main.yml
@ -1,5 +0,0 @@
 service_name: radicale
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 dav_domain: "dav.{{ domain_name_pim }}"
--- a/ansible/roles/seafile/meta/main.yml
+++ b/ansible/roles/seafile/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/static/files/security.txt
+++ b/ansible/roles/static/files/security.txt
@ -1 +0,0 @@
 testje
--- a/ansible/roles/static/meta/main.yml
+++ b/ansible/roles/static/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: traefik
--- a/ansible/roles/static/templates/nginx.conf.j2
+++ b/ansible/roles/static/templates/nginx.conf.j2
@ -1,43 +0,0 @@
 server {
 	listen 80 default_server;
 	location /security.txt {
 		return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
 	}
 	location /.well-known/security.txt {
 		return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
 	}
 }
 server {
 	listen 80;
 	server_name {{ domain_name_pim }};
 	index index.html index.htm;
 	root /var/www/blog;
 	location /security.txt {
 		return 301 https://$host/.well-known/security.txt;
 	}
 	location /.well-known/security.txt {
 		add_header Content-Type 'text/plain';
 		add_header Cache-Control 'no-cache, no-store, must-revalidate';
 		add_header Pragma 'no-cache';
 		add_header Expires '0';
 		add_header Vary '*';
 		return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
 	}
 	location / {
 	    try_files $uri $uri/ /index.html;
 	}
 	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
 	    expires 30d;
 	    add_header Pragma public;
 	    add_header Cache-Control "public";
 	}
 	error_page 404 /404.html;
 }
--- a/ansible/roles/static/vars/main.yml
+++ b/ansible/roles/static/vars/main.yml
@ -1,3 +0,0 @@
 service_name: static
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 git_origin: "http://git.pim.kunis.nl/pim/static.git"
--- a/ansible/roles/traefik/meta/main.yml
+++ b/ansible/roles/traefik/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: docker
--- a/ansible/roles/watchtower/files/docker-compose.yml
+++ b/ansible/roles/watchtower/files/docker-compose.yml
@ -1,8 +0,0 @@
 version: "3"
 services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message
    restart: always
--- a/ansible/roles/watchtower/meta/main.yml
+++ b/ansible/roles/watchtower/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
  - role: docker
--- a/ansible/roles/watchtower/tasks/main.yml
+++ b/ansible/roles/watchtower/tasks/main.yml
@ -1,14 +0,0 @@
 - name: Create app directory
  file:
    path: "{{ service_dir }}"
    state: directory
 - name: Copy Docker Compose script
  copy:
    src: "{{ role_path }}/files/docker-compose.yml"
    dest: "{{ service_dir }}/docker-compose.yml"
 - name: Start the Docker Compose
  docker_compose:
    project_src: "{{ service_dir }}"
    pull: true
    remove_orphans: true
--- a/ansible/util/secret-service-client.sh
+++ b/ansible/util/secret-service-client.sh
@ -1,9 +0,0 @@
 #!/bin/bash
 pass=`secret-tool lookup ansible_vault homeservers`
 retval=$?
 if [ $retval -ne 0 ]; then
 	read -s pass
 fi
 echo $pass
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -0,0 +1,8 @@
 borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
 dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
 kingston1tb_mount_point: "/mnt/kingston1TB"
 backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
 admin_public_keys:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
--- a/inventory/group_vars/dataserver.yml
+++ b/inventory/group_vars/dataserver.yml
@ -0,0 +1 @@
 kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
--- a/inventory/group_vars/homeserver.yml
+++ b/inventory/group_vars/homeserver.yml
@ -0,0 +1,5 @@
 base_data_dir: /data
 base_service_dir: /srv
 jitsi_videobridge_port: 54562
 git_ssh_port: 56287
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -0,0 +1,12 @@
 all:
  children:
    homeserver:
      hosts:
        max:
          ansible_user: root
          ansible_host: max.lan
    dataserver:
      hosts:
        lewis:
          ansible_user: root
          ansible_host: lewis.lan
--- a/playbooks/all.yml
+++ b/playbooks/all.yml
@ -0,0 +1,20 @@
 - name: Setup homeserver
  hosts: homeserver
  roles:
    - {role: 'ssh', tags: 'ssh'}
    - {role: 'borg', tags: 'borg'}
    - {role: 'nsd', tags: 'nsd'}
    - {role: 'forgejo', tags: 'forgejo'}
    - {role: 'syncthing', tags: 'syncthing'}
    - {role: 'kms', tags: 'kms'}
    - {role: 'radicale', tags: 'radicale'}
    - {role: 'mastodon', tags: 'mastodon'}
    - {role: 'seafile', tags: 'seafile'}
    - {role: 'jitsi', tags: 'jitsi'}
    - {role: 'freshrss', tags: 'freshrss'}
    - {role: 'blog', tags: 'blog'}
    - {role: 'inbucket', tags: 'inbucket'}
 - name: Setup dataserver
  hosts: dataserver
  roles:
    - {role: 'dataserver', tags: 'dataserver'}
--- a/playbooks/backup.yml
+++ b/playbooks/backup.yml
@ -0,0 +1,7 @@
 - name: Create backup
  hosts: homeserver
  tasks:
    - name: Create backup
      command:
        cmd: systemctl start backup.service
--- a/roles/blog/files/nginx.conf
+++ b/roles/blog/files/nginx.conf
@ -0,0 +1,18 @@
 server {
 	listen 80;
 	server_name pizzapim.nl;
 	index index.html index.htm;
 	root /var/www/blog;
 	location / {
 	    try_files $uri $uri/ /index.html;
 	}
 	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
 	    expires 30d;
 	    add_header Pragma public;
 	    add_header Cache-Control "public";
 	}
 	error_page 404 /404.html;
 }
--- a/roles/blog/meta/main.yml
+++ b/roles/blog/meta/main.yml
@ -0,0 +1,4 @@
 dependencies:
  - role: common
  - role: docker
  - role: traefik
--- a/ansible/roles/static/tasks/main.yml
+++ b/ansible/roles/static/tasks/main.yml
@ -17,17 +17,13 @@
    cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
    chdir: "{{ service_dir }}"
  when: repo.changed
 - name: Copy security.txt
  copy:
    src: "{{ role_path }}/files/security.txt"
    dest: "{{ service_dir }}/security.txt"
 - name: Copy docker compose file
  template:
    src: "{{ role_path }}/templates/docker-compose.yml.j2"
    dest: "{{ service_dir }}/docker-compose.yml"
 - name: Copy nginx config
-  template:
+  copy:
-    src: "{{ role_path }}/templates/nginx.conf.j2"
+    src: "{{ role_path }}/files/nginx.conf"
    dest: "{{ service_dir }}/nginx.conf"
  register: nginx_conf
 - name: Start docker compose
--- a/ansible/roles/static/templates/docker-compose.yml.j2
+++ b/ansible/roles/static/templates/docker-compose.yml.j2
@ -9,15 +9,13 @@ services:
      - {{ service_dir }}/git/templates:/etc/nginx/templates
      - {{ service_dir }}/git/_site:/var/www/blog
      - {{ service_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf
      - {{ service_dir }}/security.txt:/var/www/blog/security.txt
    networks:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.blog.entrypoints=websecure
-      - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))"
+      - traefik.http.routers.blog.rule=Host(`pizzapim.nl`)
      - traefik.http.routers.blog.tls=true
-      - traefik.http.routers.blog.tls.certresolver=letsencrypt
+      - traefik.http.routers.blog.tls.certresolver=pizzapim
      - traefik.http.routers.blog.service=blog
      - traefik.http.services.blog.loadbalancer.server.port=80
--- a/roles/blog/vars/main.yml
+++ b/roles/blog/vars/main.yml
@ -0,0 +1,3 @@
 service_name: blog
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 git_origin: https://git.pizzapim.nl/pim/blog.git
--- a/roles/borg/files/backup.timer
+++ b/roles/borg/files/backup.timer
@ -0,0 +1,10 @@
 [Unit]
 Description=Backup data daily 
 [Timer]
 OnCalendar=*-*-* 3:00:00
 Persistent=true
 RandomizedDelaySec=1h
 [Install]
 WantedBy=timers.target
--- a/roles/borg/files/id_ed25519
+++ b/roles/borg/files/id_ed25519
@ -0,0 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
 39646436383433653539316135323332303832633864366363313031636534353531386638323037
 6364366663313964633239613261373733333736316534390a306262373634303536353365396138
 35626433353935633534353636613232623531303765636139363139646265653361353164656363
 3465316438373734330a636563346263633332353962353033336565356435353739646263343339
 38633832343230393631633434323231313438336537383930646562356264346534663235323035
 31643861306134663662353938643861393861333838633338613131363136333766353131313666
 30393437616539643263386331343166636434323435666636386562353239373330336462653636
 38306161393634356636613334323038366365626138326365303063313564653365313063643432
 66306664356662326638363736366462343636393466303432323661323431393337306132386531
 65663736643565363634373461666631356439373935353734636535636538626630666462653636
 33363730626662313336633132393437666533363136643464653462646561393861376464366238
 35383136333939653265366336356234613166353162366365346462633639396335653432353964
 35303964633339356531343437393231303936623465383265666134316335666531636337383563
 30326530396439363438396439313264643765366663343439646333326664633231626662666463
 38616235353730346239396265306230623135626332636330666461333864306664346637396233
 61343535396230363938306162313938363063353934323764656538666337656431363634333739
 62373234356131373931333736373136343166636465643065643337386539376361383965343762
 33633837626637393832366332343332303361306230626131346539323538383365316535666532
 30666439643263653835666430393439396239333464336133316264323234643361336434343763
 61306133373335353563646331303562326139613133356139366632363738316461633739333161
 33666531653239626362363364346566373430656538356166346363333531656433393034333232
 65353139623435383330353864336132313031656362386538626464313264333231653831373834
 33363632616430303763616366356131323265313337323836396264623539316436616333383933
 62653865623831626330
--- a/roles/borg/meta/main.yml
+++ b/roles/borg/meta/main.yml
@ -0,0 +1,2 @@
 dependencies:
  - role: common
--- a/roles/borg/tasks/main.yml
+++ b/roles/borg/tasks/main.yml
@ -0,0 +1,38 @@
 - name: Install borg
  apt:
    pkg:
      - borgbackup
      - borgmatic
 - name: Create borg service directory
  file:
    path: "{{ service_dir }}"
    state: directory
 - name: Copy borg backup configuration
  template:
    src: "{{ role_path }}/templates/backup.yml.j2"
    dest: "{{ service_dir }}/backup.yml"
 - name: Copy private key
  copy:
    src: "{{ role_path }}/files/id_ed25519"
    dest: "{{ service_dir }}/id_ed25519"
    mode: 0600
 - name: Copy systemd timer backup service
  template:
    src: "{{ role_path }}/templates/backup.service.j2"
    dest: "/etc/systemd/system/backup.service"
  register: service
 - name: Copy systemd timer backup timer
  copy:
    src: "{{ role_path }}/files/backup.timer"
    dest: "/etc/systemd/system/backup.timer"
  register: timer
 - name: Enable systemd timer
  systemd:
    name: backup.timer
    enabled: true
    state: started
    daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
 - name: Restore backup
  command:
    cmd: "borgmatic extract --archive latest --destination / --config {{ service_dir }}/backup.yml"
    creates: /data
--- a/roles/borg/templates/backup.service.j2
+++ b/roles/borg/templates/backup.service.j2
@ -0,0 +1,6 @@
 [Unit]
 Description=Backup data using borgmatic
 [Service]
 ExecStart=/usr/bin/borgmatic --config {{ service_dir }}/backup.yml
 Type=oneshot
--- a/roles/borg/templates/backup.yml.j2
+++ b/roles/borg/templates/backup.yml.j2
@ -0,0 +1,17 @@
 location:
    source_directories:
        - {{ base_data_dir }}
    repositories:
        - ssh://root@lewis.lan/{{ backup_location }}
 retention:
    keep_daily: 7
    keep_weekly: 4
    keep_monthly: 6
 storage:
    ssh_command: ssh -i {{ service_dir }}/id_ed25519
    unknown_unencrypted_repo_access_is_ok: true
 hooks:
    before_everything:
        - systemctl stop docker docker.socket
    after_everything:
        - systemctl start docker
--- a/ansible/roles/cyberchef/vars/main.yml
+++ b/ansible/roles/cyberchef/vars/main.yml
@ -1,2 +1,2 @@
-service_name: cyberchef
+service_name: borg
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -0,0 +1,16 @@
 - name: APT upgrade
  apt:
    autoremove: true
    upgrade: yes
    state: latest
    update_cache: yes
    cache_valid_time: 86400 # One day
 - name: Create base service directory
  file:
    path: "{{ base_service_dir }}"
    state: directory
 - name: Add dataserver to known hosts
  known_hosts:
    name: "lewis.lan"
    key: "lewis.lan ssh-ed25519 {{ dataserver_public_key }}"
    state: present
--- a/roles/dataserver/files/ssh_host_ed25519_key
+++ b/roles/dataserver/files/ssh_host_ed25519_key
@ -0,0 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
 38633038656332643033396338303864343332636434633331366266383235316235313236646361
 6634313931303637616535373966316165656564366437330a393465356237626631303063363061
 62323737343635316139636664663937333233323737376238656566633037613938383737306132
 6237633230623962320a643433323532646261366532346234653332323336653162366433626465
 31386461393535303730333865356364646137386634643630353831383039353763396536313439
 30333335623364306166346232303862633636633066323062313531363234396362653232316261
 36666132623030323332623334323632636639646239363032626364646334643461346662616366
 39656266643937663531656137353031353130366238326535383261333539353439353566313537
 38353632353039643530613766313033313063333331333733613939383731663262623766626266
 64363061306166353633333634363332633461346538316661666364626639366132356434343631
 61373432633863643237386435386633366161393934646562343261386335353638353033343932
 62393633366163613064393966663830646237613265396462376238396639363566363865303861
 36343666326632626166323430303137323236346137346131623636653236353061343633383437
 61396534636166353038626162376335363137636164616631646261366332303135306237356432
 61626261656332666536343039316333303431653931666233363366613166663266663130656633
 39316363326532653665626136393135373863383234326638303466353930653038303433643536
 30666237363230306634333162396562623034386232666465343631306433373764626634613635
 63343965623163356536626162613863373033396565366361353538323933656165653932653937
 34666538353139636366333765363733336134396566613134303530633666326165306131353535
 33653133663166333964326330366530643730363861626261666366383334613661303762636663
 34376531343732346630643466616638323537633665373333346162306361393836326533636630
 61656335306337643930613662613832626530653630343566643661356666313331316438366538
 37333166636639363838303665626137643731626338356662656338393335343239376635303633
 35663237653238313133
--- a/roles/dataserver/tasks/main.yml
+++ b/roles/dataserver/tasks/main.yml
@ -0,0 +1,44 @@
 - name: Add admins' authorized keys
  authorized_key:
    key: "{{ item }}"
    user: "{{ ansible_user_id }}"
  loop: "{{ admin_public_keys }}"
 - name: Copy host public key
  template:
    src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2"
    dest: "/etc/ssh/ssh_host_ed25519_key.pub"
    mode: 0644
 - name: Copy host private key
  copy:
    src: "{{ role_path }}/files/ssh_host_ed25519_key"
    dest: "/etc/ssh/ssh_host_ed25519_key"
    mode: 0600
 - name: APT upgrade
  apt:
    autoremove: true
    upgrade: yes
    state: latest
    update_cache: yes
    cache_valid_time: 86400 # One day
 - name: Create extra disk moint point
  file:
    path: "{{ kingston1tb_mount_point }}"
    state: directory
 - name: Mount extra disk
  ansible.posix.mount:
    path: "{{kingston1tb_mount_point }}"
    src: "UUID={{ kingston1tb_uuid }}"
    fstype: ext4
    passno: 1
    state: present
 - name: Install borg
  apt:
    name: borgbackup
 - name: Add Borg public key
  authorized_key:
    key: "ssh-ed25519 {{ borg_public_key }} root@max"
    user: "{{ ansible_user_id }}"
 - name: Create Borg repository
  command:
    cmd: "borg init -e none {{ backup_location }}"
    creates: "{{ backup_location }}"
--- a/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2
+++ b/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2
@ -0,0 +1 @@
 ssh-ed25519 {{ dataserver_public_key }} root@lewis
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/files/daemon.json
@ -0,0 +1,7 @@
 {
 "default-address-pools":
 [
 {"base":"10.204.0.0/16","size":24}
 ]
 }
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -0,0 +1,46 @@
 - name: Install Docker prerequisites
  apt:
    pkg:
      - ca-certificates
      - curl
      - gnupg
      - lsb-release
      - python3-pip
 - name: Add Docker APT key
  apt_key:
    url: https://download.docker.com/linux/debian/gpg
    state: present
 - name: Add Docker repository
  apt_repository:
    repo: "deb https://download.docker.com/linux/debian bullseye stable"
    state: present
  register: apt_repository
 - name: Update APT cache
  apt:
    update_cache: true
  when: apt_repository.changed
 - name: Install Docker packages
  apt:
    pkg:
      - docker-ce
      - docker-ce-cli
      - containerd.io
      - docker-compose-plugin
 - name: Install Docker modules for Python
  pip:
    name:
      - docker
      - docker-compose
 - name: Create /etc/docker directory
  file:
    path: "/etc/docker"
    state: directory
 - name: Copy daemon.json
  copy:
    src: "{{ role_path }}/files/daemon.json"
    dest: /etc/docker/daemon.json
 - name: Start Docker
  systemd:
    name: docker
    enabled: true
    state: started
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -0,0 +1,16 @@
 - name: Install firewalld
  apt:
    pkg:
      - firewalld
    state: latest
    update_cache: true
 - name: Allow SSH
  firewalld:
    service: ssh
    permanent: yes
    state: enabled
 - name: Start firewalld
  systemd:
    enabled: true
    name: sshd
    state: started
--- a/roles/forgejo/meta/main.yml
+++ b/roles/forgejo/meta/main.yml
@ -0,0 +1,4 @@
 dependencies:
  - role: common
  - role: docker
  - role: traefik
--- a/ansible/roles/forgejo/tasks/main.yml
+++ b/ansible/roles/forgejo/tasks/main.yml
--- a/ansible/roles/forgejo/templates/app.ini.j2
+++ b/ansible/roles/forgejo/templates/app.ini.j2
@ -4,7 +4,6 @@ RUN_USER = git
 [repository]
 ROOT = /data/git/repositories
 DEFAULT_BRANCH = master
 [repository.local]
 LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
@ -14,8 +13,8 @@ TEMP_PATH = /data/gitea/uploads
 [server]
 APP_DATA_PATH    = /data/gitea
-DOMAIN           = {{ git_domain }}
+DOMAIN           = git.pizzapim.nl
-SSH_DOMAIN       = {{ git_domain }}
+SSH_DOMAIN       = git.pizzapim.nl
 HTTP_PORT        = 3000
 ROOT_URL         = {{ forgejo.root_url }}
 DISABLE_SSH      = false
@ -39,7 +38,6 @@ CHARSET  = utf8
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 ISSUE_INDEXER_TYPE = db
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
--- a/ansible/roles/forgejo/templates/docker-compose.yml.j2
+++ b/ansible/roles/forgejo/templates/docker-compose.yml.j2
@ -14,20 +14,17 @@ services:
    restart: always
    networks:
      - traefik
    ports:
      - "{{ internal_forgejo_port }}:3000"
    volumes:
      - {{ data_dir }}:/data
      - {{ service_dir }}/conf:/data/gitea/conf
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.forgejo.entrypoints=websecure
-      - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
+      - traefik.http.routers.forgejo.rule=Host(`git.pizzapim.nl`)
      - traefik.http.routers.forgejo.tls=true
-      - traefik.http.routers.forgejo.tls.certresolver=letsencrypt
+      - traefik.http.routers.forgejo.tls.certresolver=pizzapim
-      - traefik.http.routers.forgejo.service=forgejo
+      - traefik.tcp.routers.forgejo.service=forgejo
      - traefik.http.services.forgejo.loadbalancer.server.port=3000
      - traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)
--- a/ansible/roles/forgejo/vars/main.yml
+++ b/ansible/roles/forgejo/vars/main.yml
@ -1,10 +1,9 @@
 service_name: forgejo
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 git_domain: "git.{{ domain_name_pim }}"
 forgejo:
-  root_url: "https://{{ git_domain }}"
+  root_url: "https://git.pizzapim.nl"
  mailer_host: "smtp.tweak.nl"
  mailer_from: "git@kunis.nl"
  lfs_jwt_secret: !vault |
--- a/ansible/roles/freshrss/tasks/main.yml
+++ b/ansible/roles/freshrss/tasks/main.yml
--- a/ansible/roles/freshrss/templates/docker-compose.yml.j2
+++ b/ansible/roles/freshrss/templates/docker-compose.yml.j2
@ -11,8 +11,10 @@ services:
      options:
        max-size: 10m
    volumes:
-      - {{ data_dir }}/data:/var/www/FreshRSS/data
+      # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
-      - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
+      - /data/freshrss/data:/var/www/FreshRSS/data
      # Optional volume for storing third-party extensions
      - /data/freshrss/extensions:/var/www/FreshRSS/extensions
    environment:
      TZ: Europe/Amsterdam
      CRON_MIN: '2,32'
@ -22,13 +24,11 @@ services:
      ADMIN_API_PASSWORD: {{ admin_password }}
      PUBLISHED_PORT: 443
    labels:
      - traefik.enable=true
      - traefik.http.routers.freshrss.entrypoints=websecure
-      - traefik.http.routers.freshrss.rule=Host(`{{ rss_domain }}`)
+      - traefik.http.routers.freshrss.rule=Host(`rss.pizzapim.nl`)
      - traefik.http.routers.freshrss.tls=true
-      - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
+      - traefik.http.routers.freshrss.tls.certresolver=pizzapim
-      - traefik.http.routers.freshrss.service=freshrss
+      - traefik.tcp.routers.freshrss.service=freshrss
      - traefik.http.services.freshrss.loadbalancer.server.port=80
 networks:
  traefik:
--- a/ansible/roles/freshrss/vars/main.yml
+++ b/ansible/roles/freshrss/vars/main.yml
@ -1,7 +1,6 @@
 service_name: freshrss
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 rss_domain: "rss.{{ domain_name_pim }}"
 admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          38363734333534376665616439306566613632303739373661333338356533653334323366326130
--- a/ansible/roles/inbucket/files/docker-compose.yml
+++ b/ansible/roles/inbucket/files/docker-compose.yml
--- a/ansible/roles/prometheus/meta/main.yml
+++ b/ansible/roles/prometheus/meta/main.yml
@ -1,2 +1,4 @@
 dependencies:
  - role: common
  - role: docker
--- a/ansible/roles/inbucket/tasks/main.yml
+++ b/ansible/roles/inbucket/tasks/main.yml
--- a/ansible/roles/inbucket/vars/main.yml
+++ b/ansible/roles/inbucket/vars/main.yml
--- a/roles/jitsi/meta/main.yml
+++ b/roles/jitsi/meta/main.yml
@ -0,0 +1,4 @@
 dependencies:
  - role: common
  - role: docker
  - role: traefik
--- a/ansible/roles/jitsi/tasks/main.yml
+++ b/ansible/roles/jitsi/tasks/main.yml
--- a/ansible/roles/jitsi/templates/docker-compose.yml.j2
+++ b/ansible/roles/jitsi/templates/docker-compose.yml.j2
@ -21,11 +21,10 @@ services:
            - meet.jitsi
            - traefik
        labels:
            - traefik.enable=true
            - traefik.http.routers.jitsi-web.entrypoints=websecure
            - traefik.http.routers.jitsi-web.rule=Host(`{{ public_domain }}`)
            - traefik.http.routers.jitsi-web.tls=true
-            - traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt
+            - traefik.http.routers.jitsi-web.tls.certresolver=pizzapim
            - traefik.http.services.jitsi-web.loadbalancer.server.port=80
            - traefik.http.routers.jitsi-web.service=jitsi-web
            - traefik.docker.network=traefik
@ -97,7 +96,6 @@ services:
        networks:
            meet.jitsi:
        labels:
            - traefik.enable=true
            - traefik.udp.routers.jitsi-videobridge.rule=HostSNI(`*`)
            - traefik.udp.routers.jitsi-videobridge.entrypoints=video
            - traefik.udp.routers.jitsi-videobridge.service=jitsi-videobridge
--- a/ansible/roles/jitsi/vars/main.yml
+++ b/ansible/roles/jitsi/vars/main.yml
@ -2,7 +2,7 @@ service_name: jitsi
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
-public_domain: "meet.{{ domain_name_pim }}"
+public_domain: "meet.pizzapim.nl"
 jvb_advertise_ips: "84.245.14.149,192.168.30.3"
 jvb_auth_password: !vault |
--- a/ansible/roles/kms/files/docker-compose.yml
+++ b/ansible/roles/kms/files/docker-compose.yml
--- a/ansible/roles/syncthing/meta/main.yml
+++ b/ansible/roles/syncthing/meta/main.yml
@ -1,2 +1,4 @@
 dependencies:
  - role: common
  - role: docker
--- a/ansible/roles/kms/tasks/main.yml
+++ b/ansible/roles/kms/tasks/main.yml
--- a/ansible/roles/kms/vars/main.yml
+++ b/ansible/roles/kms/vars/main.yml
--- a/ansible/roles/mastodon/files/.env.production
+++ b/ansible/roles/mastodon/files/.env.production
--- a/roles/mastodon/meta/main.yml
+++ b/roles/mastodon/meta/main.yml
@ -0,0 +1,4 @@
 dependencies:
  - role: common
  - role: docker
  - role: traefik
--- a/ansible/roles/mastodon/tasks/main.yml
+++ b/ansible/roles/mastodon/tasks/main.yml
--- a/ansible/roles/mastodon/templates/docker-compose.yml.j2
+++ b/ansible/roles/mastodon/templates/docker-compose.yml.j2
@ -49,11 +49,10 @@ services:
      - {{ data_dir }}/public/system:/mastodon/public/system
      - {{ service_dir }}/cache:/mastodon/public/system/cache
    labels:
      - traefik.enable=true
      - traefik.http.routers.mastodon.entrypoints=websecure
      - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
      - traefik.http.routers.mastodon.tls=true
-      - traefik.http.routers.mastodon.tls.certresolver=letsencrypt
+      - traefik.http.routers.mastodon.tls.certresolver=pizzapim
      - traefik.http.services.mastodon.loadbalancer.server.port=3000
      - traefik.http.routers.mastodon.service=mastodon
      - traefik.docker.network=traefik
@ -74,7 +73,6 @@ services:
      - db
      - redis
    labels:
      - traefik.enable=true
      - traefik.http.routers.mastodon-streaming.entrypoints=websecure
      - "traefik.http.routers.mastodon-streaming.rule=(Host(`social.pizzapim.nl`) && PathPrefix(`/api/v1/streaming`))"
      - traefik.http.routers.mastodon-streaming.service=mastodon-streaming
--- a/ansible/roles/mastodon/vars/main.yml
+++ b/ansible/roles/mastodon/vars/main.yml
--- a/roles/miniflux/meta/main.yml
+++ b/roles/miniflux/meta/main.yml
@ -0,0 +1,4 @@
 dependencies:
  - role: common
  - role: docker
  - role: traefik
--- a/ansible/roles/overleaf/tasks/main.yml
+++ b/ansible/roles/overleaf/tasks/main.yml
@ -1,4 +1,4 @@
- name: Create service directory
+- name: Create app directory
  file:
    path: "{{ service_dir }}"
    state: directory
@ -6,6 +6,10 @@
  template:
    src: "{{ role_path }}/templates/docker-compose.yml.j2"
    dest: "{{ service_dir }}/docker-compose.yml"
 - name: Create data directory
  file:
    path: "{{ data_dir }}"
    state: directory
 - name: Start the Docker Compose
  docker_compose:
    project_src: "{{ service_dir }}"
--- a/roles/miniflux/templates/docker-compose.yml.j2
+++ b/roles/miniflux/templates/docker-compose.yml.j2
@ -0,0 +1,39 @@
 version: '3.4'
 services:
  miniflux:
    image: miniflux/miniflux:latest
    container_name: miniflux-web
    depends_on:
      - db
    environment:
      - DATABASE_URL=postgres://{{ database_user }}:{{ database_password }}@db/miniflux?sslmode=disable
    networks:
      - default
      - traefik
    labels:
      - traefik.http.routers.miniflux.entrypoints=websecure
      - traefik.http.routers.miniflux.rule=Host(`rss.pizzapim.nl`)
      - traefik.http.routers.miniflux.tls=true
      - traefik.http.routers.miniflux.tls.certresolver=pizzapim
      - traefik.tcp.routers.miniflux.service=miniflux
      - traefik.http.services.miniflux.loadbalancer.server.port=8080
  db:
    image: postgres:15
    container_name: miniflux_db
    environment:
      - POSTGRES_USER={{ database_user }}
      - POSTGRES_PASSWORD={{ database_password }}
    volumes:
      - {{ data_dir }}:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "miniflux"]
      interval: 10s
      start_period: 30s
    networks:
      - default
 networks:
  traefik:
    external: true
--- a/roles/miniflux/vars/main.yml
+++ b/roles/miniflux/vars/main.yml
@ -0,0 +1,13 @@
 service_name: miniflux
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 data_dir: "{{ base_data_dir }}/{{ service_name }}"
 database_user: miniflux
 database_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61306531373964613837363565376137363538626632613564313266396231346233356130383531
          3030336565333663643233303034336366326632386666650a303232373838353065333930643633
          34326663363833303666666538386165613734303939343062376230366666346134626533396165
          3837383263353264640a633865653865383866303431383762653363656133656135626238366539
          64633732333230303339626234623534656463353232373234366161356364313566336637316339
          6634373066326536393064643162663139323835303233333131
--- a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key
+++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key
@ -0,0 +1 @@
 geokunis2.nl.	IN	DNSKEY	257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b}
--- a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private
+++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private
@ -0,0 +1,10 @@
 $ANSIBLE_VAULT;1.1;AES256
 33306239336639653065343862633935396534373739613332356638343037646530333331343835
 6464303336356534653431663938383732383863366238320a663430613133363134336264343734
 31343731373239613330633935636137646133616334353565663061356566666465326261306362
 3463633863626666330a383461656632346361646365383234653963333561366463373331346539
 30633237346532633634636537663936353337353331393663363363363566663738643632363761
 66323032383862306635656130366261303161636232633561313630316537626262356532313131
 63616437633333346431303539306433613130373934393036356563316365373966346536353764
 39343038373162303933653335393432636332613038366531353432346332333936656464626536
 64633030353336616561656539313863306534633863633835333531306533313930
--- a/roles/nsd/files/keys/Kpizzapim.nl.ksk.key
+++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key
@ -0,0 +1 @@
 pizzapim.nl.	IN	DNSKEY	257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b}
--- a/roles/nsd/files/keys/Kpizzapim.nl.ksk.private
+++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private
@ -0,0 +1,10 @@
 $ANSIBLE_VAULT;1.1;AES256
 36343534663736653462386238363734646238306365393233633530663039656335623961663131
 6436373566336464336330326438656137646536656333370a386539613239343962373562653264
 66616530343235333964343332386234666266643933393531323066666164623862633962376666
 3230333539393335630a653532396665383536633164643534303461636135653737616137313034
 33653838653538623934353631393636363937333831313036643334343261363836393235313235
 36613966343431333364336437393430653366643263643130376437663164353361633735616332
 35656666353037643739356133303064633166323535323265323134363963316566323165643165
 36656264353962346530323830623432616238653966613433616235336539396461376162316564
 61643465323165643961303639653466663961333531663133636666643437333233
--- a/roles/nsd/files/nsd.conf
+++ b/roles/nsd/files/nsd.conf
@ -0,0 +1,20 @@
 server:
        ip-address: enp3s0
        server-count: 1
        verbosity: 1
        hide-version: yes
        zonesdir: "/etc/nsd/zones"
        ip-transparent: yes
        ip-freebind: yes
 zone:
        name: pizzapim.nl
        zonefile: pizzapim.nl.signed
        provide-xfr: 87.253.155.96/27 NOKEY
        provide-xfr: 157.97.168.160/27 NOKEY
 zone:
        name: geokunis2.nl
        zonefile: geokunis2.nl.signed
        provide-xfr: 87.253.155.96/27 NOKEY
        provide-xfr: 157.97.168.160/27 NOKEY
--- a/roles/nsd/files/zones/geokunis2.nl
+++ b/roles/nsd/files/zones/geokunis2.nl
@ -0,0 +1,26 @@
 $ORIGIN geokunis2.nl.
 $TTL 60
 geokunis2.nl.	IN	SOA	ns.geokunis2.nl. niels.kunis.nl. 2023012500 1800 3600 1209600 3600
 			NS	ns.geokunis2.nl.
 			NS	ns0.transip.net.
 			NS	ns1.transip.nl.
 			NS	ns2.transip.eu.
 			A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 ;			MX	0 .
 ;			TXT	"v=spf1 -all"
 			CAA	0 issue "letsencrypt.org"
 mail		IN	A 84.245.14.149
 			MX	10	mail.geokunis2.nl
 jenl		IN	A	217.123.41.225
 wg			IN	A	84.245.14.149
 wg			IN	AAAA	2a02:58:19a:f710:45aa:5179:2b45:376d
 wg4			IN	A	84.245.14.149
 wg6			IN	AAAA	2a02:58:19a:f710:45aa:5179:2b45:376d
 kms			IN	A	84.245.14.149
 files		IN	A	84.245.14.149
 files		IN	AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
 _dmarc		IN	TXT	"v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
 ns			A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
pizzaniels	3f9bac7f35	all changes to make it work on Debian	2023-02-04 17:02:53 +01:00
pizzaniels	392014dbd8	test	2023-02-04 14:48:40 +01:00
		`@ -0,0 +1 @@`
							`kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"`
`@ -1,2 +1,2 @@`
	`service_name: cyberchef`	`service_name: borg`
	`service_dir: "{{ base_service_dir }}/{{ service_name }}"`	`service_dir: "{{ base_service_dir }}/{{ service_name }}"`
		`@ -0,0 +1 @@`
							`ssh-ed25519 {{ dataserver_public_key }} root@lewis`
		`@ -0,0 +1 @@`
							`geokunis2.nl. IN DNSKEY 257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b}`
		`@ -0,0 +1 @@`
							`pizzapim.nl. IN DNSKEY 257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b}`