tweaks

README.md

@@ -1,23 +1,69 @@
 # Max
 
-Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible.
+This repository contains Ansible scripts to setup our main home server `max`.
+The `common` role executes some common OS tasks.
+The `docker` role installs Docker.
+The other roles are specifically for the various services we run.
 
 ## Running services
 
-All services below are implemented using Docker:
+All services below are running under Docker, except NSD and Borg.
 
 - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/)
-- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl))
-- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl))
+- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl))
+- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl))
 - File sychronisation using [Syncthing](https://syncthing.net/)
 - Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl))
-- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl))
+- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl))
 - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd)
 - Cloud file storage using [Seafile](https://www.seafile.com)
-- Disposable mail server using [Inbucket](https://inbucket.org)
-- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl)
+- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org)
+- Cyberchef (https://cyberchef.geokunis2.nl)
 - Jitsi Meet (https://meet.jit.si)
 - RSS feed reader using [FreshRSS](https://miniflux.app/)
 - Metrics using [Prometheus](https://prometheus.io/)
-- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl))
-- Markdown editor using [Hedgedoc](https://hedgedoc.org/)
+
+## Virtualization
+
+Currently this repository is ran as a physical server, but we intend to virtualize it.
+First, the whole server should be virtualized on a single virtual machine.
+After that, it will be split up into several virtual machines.
+The services on each virtual machine should have similar services/security properties.
+
+Provisional split of services on virtual machines:
+- "public web" VM: Mastodon, static HTML server, cyberchef, jitsi meet, inbucket
+- "data" VM: seafile, radicale, syncthing, freshrss
+- "management" VM: reverse proxy, prometheus, kms
+- "git" VM: forgejo. Because forgejo is a somewhat single point of failure, it should have its own VM.
+
+## Possible future services
+
+- matrix
+- peertube?
+- Pixelfed?
+- Prometheus
+- Concourse CI?
+
+## TODO
+
+- Clear view of what services + which versions we are running. This way, we can track security updates better.
+- Host tobb website?
+- Move from Ubuntu to Debian
+- move Mastodon to pim.kunis.nl
+- Podman
+- Replace watchtower with Podman features
+
+### NSD
+
+#### ZSK Rollover
+
+Could make automatic key rollovers with cron or some other tool.
+
+#### Idempotency
+
+Currently I always resign zones.
+But for idempotency I should probably only do it if the zone has changed or the keys have changed.
+
+### Firewall
+
+A little more difficult because of docker networking but probably doable.

ansible/max.yml

@@ -1,36 +0,0 @@
-- name: Wait for servers to come up
-  hosts: max
-  gather_facts: no
-  roles:
-    - 'cloudinit-wait'
-
-- name: Start services
-  hosts: max
-  pre_tasks:
-  - name: Create base service directory
-    file:
-      path: "{{ base_service_dir }}"
-      state: directory
-  - name: Delete externally managed environment file
-    shell:
-      cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
-    register: rm
-    changed_when: "rm.rc == 0"
-    failed_when: "false"
-  roles:
-    - {role: 'setup-apt', tags: 'setup-apt'}
-    - {role: 'watchtower', tags: 'watchtower'}
-    - {role: 'forgejo', tags: 'forgejo'}
-    - {role: 'syncthing', tags: 'syncthing'}
-    - {role: 'kms', tags: 'kms'}
-    - {role: 'cyberchef', tags: 'cyberchef'}
-    - {role: 'radicale', tags: 'radicale'}
-    - {role: 'mastodon', tags: 'mastodon'}
-    - {role: 'seafile', tags: 'seafile'}
-    - {role: 'jitsi', tags: 'jitsi'}
-    - {role: 'freshrss', tags: 'freshrss'}
-    - {role: 'static', tags: 'static'}
-    - {role: 'inbucket', tags: 'inbucket'}
-    - {role: 'prometheus', tags: 'prometheus'}
-    - {role: 'overleaf', tags: 'overleaf'}
-    - {role: 'hedgedoc', tags: 'hedgedoc'}

ansible/requirements.yml

@@ -1,9 +0,0 @@
-- name: setup-apt
-  src: https://github.com/sunscrapers/ansible-role-apt.git
-  scm: git
-- name: cloudinit-wait
-  src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
-  scm: git
-- name: docker
-  src: https://git.pim.kunis.nl/pim/ansible-role-docker
-  scm: git

ansible/roles/cyberchef/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/forgejo/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/freshrss/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/hedgedoc/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/hedgedoc/tasks/main.yml

@@ -1,22 +0,0 @@
-- name: Create service directory
-  file:
-    path: "{{ service_dir }}"
-    state: directory
-- name: Copy Docker Compose script
-  template:
-    src: "{{ role_path }}/templates/docker-compose.yml.j2"
-    dest: "{{ service_dir }}/docker-compose.yml"
-- name: Create data directory
-  file:
-    path: "{{ data_dir }}"
-    state: directory
-- name: Create uploads directory
-  file:
-    path: "{{ data_dir }}/uploads"
-    state: directory
-    mode: 0777
-- name: Start the Docker Compose
-  docker_compose:
-    project_src: "{{ service_dir }}"
-    pull: true
-    remove_orphans: true

ansible/roles/hedgedoc/templates/docker-compose.yml.j2

@@ -1,51 +0,0 @@
-version: '3'
-
-networks:
-  traefik:
-    external: true
-  internal:
-    external: false
-
-services:
-  database:
-    image: postgres:13.4-alpine
-    container_name: hedgedoc-database
-    environment:
-      - POSTGRES_USER=hedgedoc
-      - POSTGRES_PASSWORD=password
-      - POSTGRES_DB=hedgedoc
-    volumes:
-      - {{ data_dir }}/database:/var/lib/postgresql/data
-    restart: always
-    networks:
-      - internal
-
-  app:
-    image: quay.io/hedgedoc/hedgedoc:1.9.7
-    container_name: hedgedoc
-    environment:
-      - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
-      - CMD_DOMAIN={{ hedgedoc_domain }}
-      - CMD_PORT=3000
-      - CMD_URL_ADDPORT=false
-      - CMD_ALLOW_ANONYMOUS=true
-      - CMD_ALLOW_EMAIL_REGISTER=false
-      - CMD_PROTOCOL_USESSL=true
-      - CMD_SESSION_SECRET={{ session_secret }}
-    volumes:
-      - {{ data_dir }}/uploads:/hedgedoc/public/uploads
-    restart: always
-    depends_on:
-      - database
-    networks:
-      - traefik
-      - internal
-    labels:
-          - traefik.enable=true
-          - traefik.http.routers.hedgedoc.entrypoints=websecure
-          - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`)
-          - traefik.http.routers.hedgedoc.tls=true
-          - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
-          - treafik.http.routers.hedgedoc.service=hedgedoc
-          - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
-          - traefik.docker.network=traefik

ansible/roles/hedgedoc/vars/main.yml

@@ -1,14 +0,0 @@
-service_name: hedgedoc
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-hedgedoc_domain: "md.{{ domain_name_pim }}"
-session_secret: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          30633835386265643561343033326536653166343630396139303137613138383233666565666330
-          3032613865333836656566626435383165396539323837350a376331306464643766373839386638
-          65653865343539633636323833343964636332636461386434386432306230343833343431363134
-          6563373138626637650a633932313862326231666330343662343765666166373961376237396434
-          33396131353830323063326266623862353731653665626466653335656434303033353333353164
-          61613535373037646565386131383631366338616565373261396136616433393462313537313861
-          35313661616365373231373963323865393635626132343138363230313431636333363130346239
-          32656335333635613736

ansible/roles/jitsi/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/mastodon/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/overleaf/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/overleaf/tasks/main.yml

@@ -1,13 +0,0 @@
-- name: Create service directory
-  file:
-    path: "{{ service_dir }}"
-    state: directory
-- name: Copy Docker Compose script
-  template:
-    src: "{{ role_path }}/templates/docker-compose.yml.j2"
-    dest: "{{ service_dir }}/docker-compose.yml"
-- name: Start the Docker Compose
-  docker_compose:
-    project_src: "{{ service_dir }}"
-    pull: true
-    remove_orphans: true

ansible/roles/overleaf/templates/docker-compose.yml.j2

@@ -1,107 +0,0 @@
-version: '2.2'
-
-networks:
-  traefik:
-    external: true
-  internal:
-    external: false
-
-services:
-    sharelatex:
-        restart: always
-        image: sharelatex/sharelatex
-        container_name: overleaf
-        networks:
-          - traefik
-          - internal
-        depends_on:
-            overleaf-mongodb:
-                condition: service_healthy
-            overleaf-redis:
-                condition: service_started
-        links:
-            - overleaf-mongodb
-            - overleaf-redis
-        stop_grace_period: 60s
-        volumes:
-            - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex
-        labels:
-          - traefik.enable=true
-          - traefik.http.routers.overleaf.entrypoints=websecure
-          - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`)
-          - traefik.http.routers.overleaf.tls=true
-          - traefik.http.routers.overleaf.tls.certresolver=letsencrypt
-          - treafik.http.routers.overleaf.service=overleaf
-          - traefik.http.services.overleaf.loadbalancer.server.port=80
-          - traefik.docker.network=traefik
-        environment:
-            SHARELATEX_APP_NAME: Overleaf Community Edition
-
-            SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex
-
-            # Same property, unfortunately with different names in
-            # different locations
-            SHARELATEX_REDIS_HOST: overleaf-redis
-            REDIS_HOST: overleaf-redis
-
-            ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
-
-            # Enables Thumbnail generation using ImageMagick
-            ENABLE_CONVERSIONS: 'true'
-
-            # Disables email confirmation requirement
-            EMAIL_CONFIRMATION_DISABLED: 'true'
-
-            # temporary fix for LuaLaTex compiles
-            # see https://github.com/overleaf/overleaf/issues/695
-            TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var
-
-            ## Set for SSL via nginx-proxy
-            #VIRTUAL_HOST: 103.112.212.22
-
-            SHARELATEX_SITE_URL: https://latex.pim.kunis.nl
-            # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance
-            # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png
-            SHARELATEX_ADMIN_EMAIL: pim@kunis.nl
-
-            # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"},{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
-            # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
-
-            SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl"
-
-            SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl"
-            SHARELATEX_EMAIL_SMTP_PORT: 587
-            SHARELATEX_EMAIL_SMTP_USER: ""
-            SHARELATEX_EMAIL_SMTP_PASS: ""
-            # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
-            # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
-            # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1'
-            # SHARELATEX_EMAIL_SMTP_LOGGER: true
-            # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
-
-    overleaf-mongodb:
-        restart: always
-        image: mongo:4.4
-        container_name: overleaf-mongodb
-        networks:
-          - internal
-        expose:
-            - 27017
-        volumes:
-            - {{ data_dir }}/overleaf/mongo_data:/data/db
-        healthcheck:
-            test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
-            interval: 10s
-            timeout: 10s
-            retries: 5
-
-    overleaf-redis:
-        restart: always
-        image: redis:5
-        container_name: overleaf-redis
-        networks:
-          - internal
-        expose:
-            - 6379
-        volumes:
-            - {{ data_dir }}/overleaf/redis_data:/data

ansible/roles/overleaf/vars/main.yml

@@ -1,3 +0,0 @@
-service_name: overleaf
-data_dir: "{{ base_data_dir}}/{{service_name}}"
-service_dir: "{{ base_service_dir}}/{{service_name}}"

ansible/roles/radicale/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/seafile/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/static/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: traefik

ansible/roles/traefik/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: docker

ansible/roles/watchtower/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: docker

data/main.tf

@@ -0,0 +1,30 @@
+terraform {
+  backend "pg" {
+    schema_name = "max-data"
+    conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = "qemu+ssh://root@atlas.lan/system"
+}
+
+resource "libvirt_volume" "data" {
+  name = "max-data"
+  pool = "data"
+  size = 1024 * 1024 * 1024 * 65
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+output "data_disk_id" {
+  value = libvirt_volume.data.id
+}

inventory/host_vars/max.yml

@@ -1,6 +1,5 @@
 base_data_dir: /mnt/data
 base_service_dir: /srv
-domain_name_pim: pim.kunis.nl
 
 # Additional open ports
 jitsi_videobridge_port: 54562
@@ -9,7 +8,4 @@ prometheus_port: 8081
 traefik_api_port: 8080
 internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
 
-docker_daemon_config:
-  default-address-pools:
-  - base: "10.204.0.0/16"
-    size: 24
+domain_name_pim: pim.kunis.nl

inventory/hosts.yml

@@ -2,4 +2,4 @@ all:
   hosts:
     max:
       ansible_user: root
-      ansible_host: max.dmz
+      ansible_host: max2.dmz

main.tf

@@ -0,0 +1,27 @@
+terraform {
+  backend "pg" {
+    schema_name = "max"
+    conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = "qemu+ssh://root@atlas.lan/system"
+}
+
+module "tf-datatest" {
+  source            = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
+  name              = "max2"
+  domain_name       = "tf-max"
+  data_disk         = "/kvm/data/max-data"
+  fixed_address     = "192.168.30.66/24"
+  ansible_command   = "ansible-playbook max.yml"
+  insecure_password = true
+  memory            = 1024 * 8
+}

max.yml

@@ -0,0 +1,36 @@
+- name: Setup homeserver
+  hosts: max
+  gather_facts: no
+
+  pre_tasks:
+  - name: Wait for host to come up
+    wait_for:
+      state: started
+      port: 22
+      host: max2.dmz
+      timeout: 300
+      connect_timeout: 300
+      search_regex: OpenSSH
+    delegate_to: localhost
+  - name: Wait for cloud-init to finish
+    shell:
+      cmd: "cloud-init status --wait"
+    register: cloudinit
+    changed_when: "'..' in cloudinit.stdout"
+  - name: Gather facts
+    setup:
+
+  roles:
+    - {role: 'watchtower', tags: 'watchtower'}
+    - {role: 'forgejo', tags: 'forgejo'}
+    # - {role: 'syncthing', tags: 'syncthing'}
+    - {role: 'kms', tags: 'kms'}
+    - {role: 'cyberchef', tags: 'cyberchef'}
+      #- {role: 'radicale', tags: 'radicale'}
+    - {role: 'mastodon', tags: 'mastodon'}
+    - {role: 'seafile', tags: 'seafile'}
+    - {role: 'jitsi', tags: 'jitsi'}
+    - {role: 'freshrss', tags: 'freshrss'}
+    - {role: 'static', tags: 'static'}
+    - {role: 'inbucket', tags: 'inbucket'}
+    - {role: 'prometheus', tags: 'prometheus'}

roles/common/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: APT upgrade
+  apt:
+    autoremove: true
+    upgrade: yes
+    state: latest
+    update_cache: yes
+    cache_valid_time: 86400 # One day
+- name: Create base service directory
+  file:
+    path: "{{ base_service_dir }}"
+    state: directory
+- name: Delete externally managed environment file
+  shell:
+    cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+  register: rm
+  changed_when: "rm.rc == 0"
+  failed_when: "false"

roles/cyberchef/meta/main.yml

@@ -1,2 +1,4 @@
 dependencies:
+  - role: common
   - role: docker
+  

roles/docker/files/daemon.json

@@ -0,0 +1,7 @@
+{
+"default-address-pools":
+[
+{"base":"10.204.0.0/16","size":24}
+
+]
+}

roles/docker/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: Install Docker prerequisites
+  apt:
+    pkg:
+      - ca-certificates
+      - curl
+      - gnupg
+      - lsb-release
+      - python3-pip
+- name: Add Docker APT key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    keyring: /etc/apt/keyrings/docker.gpg
+- name: Add Docker repository
+  apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+  register: apt_repository
+- name: Update APT cache
+  apt:
+    update_cache: true
+  when: apt_repository.changed
+- name: Install Docker packages
+  apt:
+    pkg:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+- name: Install Docker modules for Python
+  pip:
+    name:
+      - docker
+      - docker-compose
+- name: Copy daemon.json
+  copy:
+    src: "{{ role_path }}/files/daemon.json"
+    dest: /etc/docker/daemon.json
+- name: Start Docker
+  systemd:
+    name: docker
+    enabled: true
+    state: started

roles/firewall/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Install firewalld
+  apt:
+    pkg:
+      - firewalld
+    state: latest
+    update_cache: true
+- name: Allow SSH
+  firewalld:
+    service: ssh
+    permanent: yes
+    state: enabled
+- name: Start firewalld
+  systemd:
+    enabled: true
+    name: sshd
+    state: started

roles/forgejo/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/forgejo/templates/app.ini.j2

@@ -39,7 +39,6 @@ CHARSET  = utf8
 
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
-ISSUE_INDEXER_TYPE = db
 
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions

roles/forgejo/vars/main.yml

@@ -3,6 +3,7 @@ data_dir: "{{ base_data_dir }}/{{ service_name }}"
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
 git_domain: "git.{{ domain_name_pim }}"
 
+
 forgejo:
   root_url: "https://{{ git_domain }}"
   mailer_host: "smtp.tweak.nl"

roles/freshrss/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/freshrss/templates/docker-compose.yml.j2

@@ -11,8 +11,10 @@ services:
       options:
         max-size: 10m
     volumes:
-      - {{ data_dir }}/data:/var/www/FreshRSS/data
-      - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
+      # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
+      - /data/freshrss/data:/var/www/FreshRSS/data
+      # Optional volume for storing third-party extensions
+      - /data/freshrss/extensions:/var/www/FreshRSS/extensions
     environment:
       TZ: Europe/Amsterdam
       CRON_MIN: '2,32'

roles/inbucket/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  

roles/jitsi/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/kms/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  

roles/mastodon/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/prometheus/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
+  - role: common
   - role: docker

roles/radicale/files/radicale.conf

@@ -9,7 +9,7 @@ stock = utf-8
 [auth]
 realm = Radicale - Password Required
 type = htpasswd
-htpasswd_filename = /config/users
+htpasswd_filename = /radicale/users
 htpasswd_encryption = md5
 
 [rights]

roles/radicale/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/radicale/tasks/main.yml

@@ -13,7 +13,7 @@
 - name: Copy radicale.conf
   copy:
     src: "{{ role_path }}/files/radicale.conf"
-    dest: "{{ service_dir }}/config/config"
+    dest: "{{ service_dir }}/config/radicale.conf"
 - name: Copy users file
   copy:
     src: "{{ role_path }}/files/users"

roles/radicale/templates/docker-compose.yml.j2

@@ -1,28 +1,18 @@
-version: '3.7'
+version: '3'
+
+networks:
+  traefik:
+    external: true
 
 services:
   radicale:
-    image: tomsquest/docker-radicale
+    restart: always
+    image: mailu/radicale:1.9
     container_name: radicale
-    init: true
-    read_only: true
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - ALL
-    cap_add:
-      - SETUID
-      - SETGID
-      - CHOWN
-      - KILL
-    healthcheck:
-      test: curl -f http://127.0.0.1:5232 || exit 1
-      interval: 30s
-      retries: 3
-    restart: unless-stopped
     volumes:
       - {{ data_dir }}:/data
-      - {{ service_dir }}/config:/config:ro
+      - {{ service_dir }}/config:/radicale
+    command: radicale -S -C /radicale/radicale.conf
     networks:
       - traefik
     labels:
@@ -33,7 +23,3 @@ services:
       - traefik.http.routers.radicale.tls.certresolver=letsencrypt
       - traefik.http.routers.radicale.service=radicale
       - traefik.http.services.radicale.loadbalancer.server.port=5232
-
-networks:
-  traefik:
-    external: true

roles/seafile/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/ssh/files/ssh_config

@@ -0,0 +1,54 @@
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
+#   Port 22
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+    SendEnv LANG LC_*
+
+#   set HashKnownHosts to no to make known_hosts human readable and reviewable. 
+#    HashKnownHosts yes
+#    GSSAPIAuthentication yes

roles/ssh/files/sshd_config

@@ -0,0 +1,41 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+HostKeyAlgorithms ssh-ed25519
+CASignatureAlgorithms ssh-ed25519
+HostbasedAcceptedKeyTypes ssh-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+X11Forwarding yes
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp	/usr/lib/openssh/sftp-server
+

roles/ssh/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: common

roles/ssh/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Copy sshd config
+  copy:
+    src: "{{ role_path }}/files/sshd_config"
+    dest: /etc/ssh/sshd_config
+  register: sshd_config
+- name: Copy ssh config
+  copy:
+    src: "{{ role_path }}/files/ssh_config"
+    dest: /etc/ssh/ssh_config
+  register: ssh_config
+- name: Restart SSH service
+  systemd:
+    enabled: true
+    name: sshd
+    state: reloaded
+  when: sshd_config.changed

roles/static/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: common
+  - role: docker
+  - role: traefik

roles/syncthing/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
+  - role: common
   - role: docker

roles/traefik/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
+  - role: common
   - role: docker

roles/traefik/tasks/main.yml

@@ -2,14 +2,10 @@
   file:
     path: "{{ service_dir }}"
     state: directory
-- name: Create data directory
-  file:
-    path: "{{ data_dir }}"
-    state: directory
 - name: Create acme file
   copy:
     content: ""
-    dest: "{{ data_dir }}/acme.json"
+    dest: "{{ service_dir }}/acme.json"
     force: no
     mode: 0600
 - name: Copy Docker Compose script

roles/traefik/templates/docker-compose.yml.j2

@@ -18,7 +18,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
       - {{ service_dir }}/services.toml:/etc/traefik/services.toml
-      - {{ data_dir }}/acme.json:/acme.json
+      - {{ service_dir }}/acme.json:/acme.json
     networks:
       - traefik
     labels:

roles/traefik/vars/main.yml

@@ -1,3 +1,2 @@
 service_name: traefik
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-data_dir: "{{ base_data_dir }}/{{ service_name }}"