diff --git a/legacy/projects/docker_swarm/ansible/README.md b/legacy/projects/docker_swarm/ansible/README.md
new file mode 100644
index 0000000..3be06a4
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/README.md
@@ -0,0 +1,5 @@
+# shoarma ansible
+
+This requires a rootless docker daemon on the Ansible host.
+See: https://docs.docker.com/engine/security/rootless/
+Also you need jsondiff for docker stack.
diff --git a/legacy/projects/docker_swarm/ansible/ansible.cfg b/legacy/projects/docker_swarm/ansible/ansible.cfg
new file mode 100644
index 0000000..2411e3a
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
+inventory=inventory
+interpreter_python=/usr/bin/python3
+remote_user = root
+vault_password_file=$HOME/.config/home/ansible-vault-secret
+
+[diff]
+always = True
diff --git a/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml b/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml
new file mode 100644
index 0000000..ad74503
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml
@@ -0,0 +1,81 @@
+data_directory_base: /mnt/data
+git_ssh_port: 56287
+elasticsearch_port: 14653
+fluent_forward_port: 24224
+concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260"
+
+nfs_shares:
+ - name: nextcloud_data
+ path: /mnt/data/nextcloud/data
+ - name: radicale
+ path: /mnt/data/radicale
+ - name: freshrss_data
+ path: /mnt/data/freshrss/data
+ - name: freshrss_extensions
+ path: /mnt/data/freshrss/extensions
+ - name: pihole_data
+ path: /mnt/data/pihole/data
+ - name: pihole_dnsmasq
+ path: /mnt/data/pihole/dnsmasq
+ - name: hedgedoc_uploads
+ path: /mnt/data/hedgedoc/uploads
+ - name: traefik_acme
+ path: /mnt/data/traefik/acme
+ - name: seafile_data
+ path: /mnt/data/seafile/data
+ - name: seafile_db
+ path: /mnt/data/seafile/db
+ - name: mastodon_system
+ path: /mnt/data/mastodon/system
+ - name: mastodon_redis
+ path: /mnt/data/mastodon/redis
+ - name: forgejo
+ path: /mnt/data/forgejo
+ - name: overleaf
+ path: /mnt/data/overleaf/data
+ - name: overleaf_redis
+ path: /mnt/data/overleaf/redis
+ - name: overleaf_mongodb
+ path: /mnt/data/overleaf/mongodb
+ - name: prometheus_data
+ path: /mnt/data/prometheus/data
+ - name: elasticsearch_certs
+ path: /mnt/data/elasticsearch/certs
+ - name: elasticsearch_data
+ path: /mnt/data/elasticsearch/data
+ - name: grafana_data
+ path: /mnt/data/grafana/data
+ - name: kitchenowl_data
+ path: /mnt/data/kitchenowl/data
+ - name: ampache_mysql
+ path: /mnt/data/ampache/mysql
+ - name: ampache_config
+ path: /mnt/data/ampache/config
+ - name: music
+ path: /mnt/data/nextcloud/data/data/pim/files/Music
+
+database_passwords:
+ nextcloud: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66326230303135303930363761316534313439383365376231623661316635393839336431313262
+ 3832626365376533646561653863316364313135343366330a356136343938666133356532613263
+ 39663037623232363266376335643834353735363431636535386566643763386463353962663930
+ 3466343563353162320a376437353933656166323364323166376663323531373338656563653463
+ 33346263626430616164613937363836343430383233393061643231346661656539623938333631
+ 3632373964346139316637663364646132636636373461613534
+ hedgedoc: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63363464666633663762393135333362613966636338623533393132376338343339653431396465
+ 6634643863623163366235393434343662313735363438610a373065363361326565633766633835
+ 38383637343230363031636634623930666365333739323162313937656239646166613738393965
+ 3533666462303563360a313233306335396234393932396331313238376464363964363839396164
+ 66366662356135343035363935616664613831626131376330643133313530636431613266636165
+ 6265613666616164373637356235396165383662333561393939
+ mastodon: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63616366396665663161376161373735626466353464393963333136336335376662326232613639
+ 6166333137376131633761623163306165386562666639640a313136386431373161306331626638
+ 34643433396232383962643964386631313632393161316261353331346163333261336666646563
+ 6232666231653732630a396638396462323464613033306662313463663262626430363432663465
+ 63623935303861663565633739363539326435623561396535623034663735373232336633303037
+ 6266323136316238343963613332396261346337646264646162
diff --git a/legacy/projects/docker_swarm/ansible/inventory/hosts.yml b/legacy/projects/docker_swarm/ansible/inventory/hosts.yml
new file mode 100644
index 0000000..68ec87a
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/inventory/hosts.yml
@@ -0,0 +1,13 @@
+all:
+ hosts:
+ manager:
+ ansible_host: maestro.dmz
+ thecloud:
+ ansible_host: thecloud.dmz
+ children:
+ workers:
+ hosts:
+ bancomart:
+ ansible_host: bancomart.dmz
+ vpay:
+ ansible_host: vpay.dmz
diff --git a/legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml b/legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml
new file mode 100644
index 0000000..3f505ce
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml
@@ -0,0 +1,9 @@
+---
+- name: Remove a Docker swarm stack
+ hosts: manager
+
+ tasks:
+ - name: Remove the stack
+ docker_stack:
+ name: "{{ stack }}"
+ state: absent
diff --git a/legacy/projects/docker_swarm/ansible/playbooks/setup.yml b/legacy/projects/docker_swarm/ansible/playbooks/setup.yml
new file mode 100644
index 0000000..56ae015
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/playbooks/setup.yml
@@ -0,0 +1,72 @@
+---
+- name: Wait for Cloud-init to finish
+ hosts: manager, workers
+ gather_facts: no
+ roles:
+ - cloudinit_wait
+
+- name: Initialize Docker Swarm nodes
+ hosts: manager, workers
+ pre_tasks:
+ - name: Delete externally managed environment file
+ shell:
+ cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+ register: rm
+ changed_when: "rm.rc == 0"
+ failed_when: "false"
+
+ roles:
+ - setup_apt
+
+ post_tasks:
+ - name: Install Docker
+ include_role:
+ name: docker
+ vars:
+ docker_daemon_config: {}
+ # log-driver: fluentd
+ # log-opts:
+ # fluentd-address: "localhost:22222"
+ # tag: "docker.{{ '{{' }}.Name{{ '}}' }}"
+
+- name: Setup Docker Swarm manager
+ hosts: manager
+ tasks:
+ - name: Install pip packages
+ pip:
+ name:
+ - jsondiff
+ - pyyaml
+
+ - name: Create Docker Swarm
+ docker_swarm:
+
+ - name: Get Docker Swarm manager info
+ docker_swarm_info:
+ nodes: yes
+ nodes_filters:
+ name: manager
+ register: swarm_info
+
+- hosts: workers
+ tasks:
+ - name: Join Docker Swarm
+ docker_swarm:
+ state: join
+ join_token: "{{ hostvars.manager.swarm_info.swarm_facts.JoinTokens.Worker }}"
+ remote_addrs:
+ - "{{ hostvars.manager.ansible_default_ipv4.address }}"
+
+- hosts: manager
+ tasks:
+ - name: Add concourse to authorized keys
+ authorized_key:
+ user: root
+ key: "{{ concourse_public_key }}"
+
+- hosts: manager, workers
+ tasks:
+ - name: Increase vm.max_map_count
+ sysctl:
+ name: vm.max_map_count
+ value: 262144
diff --git a/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml b/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml
new file mode 100644
index 0000000..f931587
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml
@@ -0,0 +1,23 @@
+---
+- name: Start Docker stacks
+ hosts: manager
+ roles:
+ - {role: traefik, tags: traefik}
+ - {role: forgejo, tags: forgejo}
+ # - {role: seafile, tags: seafile}
+ - {role: radicale, tags: radicale}
+ # - {role: mastodon, tags: mastodon}
+ - {role: freshrss, tags: freshrss}
+ - {role: hedgedoc, tags: hedgedoc}
+ # - {role: overleaf, tags: overleaf}
+ - {role: cyberchef, tags: cyberchef}
+ - {role: inbucket, tags: inbucket}
+ - {role: kms, tags: kms}
+ - {role: swarm_dashboard, tags: swarm_dashboard}
+ # - {role: shephard, tags: shephard}
+ - {role: pihole, tags: pihole}
+ - {role: nextcloud, tags: nextcloud}
+ - {role: syncthing, tags: syncthing}
+ # - {role: monitoring, tags: monitoring}
+ - {role: kitchenowl, tags: kitchenowl}
+ # - {role: ampache, tags: ampache}
diff --git a/legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml b/legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml
new file mode 100644
index 0000000..7957bf8
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml
@@ -0,0 +1,25 @@
+---
+- name: Create databases and NFS shares
+ hosts: thecloud
+ handlers:
+ - name: reload nfs
+ systemd:
+ name: nfs-kernel-server
+ state: restarted
+
+ tasks:
+ - name: Create nfs shares
+ with_items: "{{ nfs_shares }}"
+ copy:
+ dest: "/etc/exports.d/{{ item.name }}.exports"
+ content: "{{ item.path }} *(rw,sync,no_subtree_check,no_root_squash)"
+ notify: reload nfs
+
+ - name: Create databases
+ with_items: "{{ database_passwords | dict2items }}"
+ include_role:
+ name: postgresql_database
+ vars:
+ database_name: "{{ item.key }}"
+ database_user: "{{ item.key }}"
+ database_password: "{{ item.value }}"
diff --git a/legacy/projects/docker_swarm/ansible/requirements.yml b/legacy/projects/docker_swarm/ansible/requirements.yml
new file mode 100644
index 0000000..eb97f58
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/requirements.yml
@@ -0,0 +1,14 @@
+---
+roles:
+ - name: setup_apt
+ src: https://github.com/sunscrapers/ansible-role-apt.git
+ scm: git
+ - name: docker
+ src: https://git.kun.is/pim/ansible-role-docker
+ scm: git
+ - name: cloudinit_wait
+ src: https://git.kun.is/pim/ansible-role-cloudinit-wait
+ scm: git
+ - name: postgresql_database
+ src: https://git.kun.is/home/ansible-role-postgresql-database
+ scm: git
diff --git a/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2
new file mode 100644
index 0000000..0b5a2e7
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2
@@ -0,0 +1,56 @@
+# vi: ft=yaml
+version: '3.7'
+
+networks:
+ traefik:
+ external: true
+
+volumes:
+ ampache_mysql:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/ampache/mysql"
+ ampache_config:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/ampache/config"
+ music:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/nextcloud/data/data/pim/files/Music"
+
+services:
+ ampache:
+ image: ampache/ampache:6
+ volumes:
+ - type: volume
+ source: ampache_mysql
+ target: /var/lib/mysql
+ volume:
+ nocopy: true
+ - type: volume
+ source: ampache_config
+ target: /var/www/config
+ volume:
+ nocopy: true
+ - type: volume
+ source: music
+ target: /media
+ read_only: true
+ volume:
+ nocopy: true
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.ampache.entrypoints=websecure
+ - traefik.http.routers.ampache.rule=Host(`music.kun.is`)
+ - traefik.http.routers.ampache.tls=true
+ - traefik.http.routers.ampache.tls.certresolver=letsencrypt
+ - traefik.http.routers.ampache.service=ampache
+ - traefik.http.services.ampache.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
diff --git a/legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml
new file mode 100644
index 0000000..3e730ce
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: ampache
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2
new file mode 100644
index 0000000..209b2b3
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2
@@ -0,0 +1,20 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+ traefik:
+ external: true
+
+services:
+ cyberchef:
+ image: mpepping/cyberchef
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.cyberchef.entrypoints=websecure
+ - traefik.http.services.cyberchef.loadbalancer.server.port=8000
+ - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
+ - traefik.http.routers.cyberchef.tls=true
+ - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
diff --git a/legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml
new file mode 100644
index 0000000..553f2e8
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: cyberchef
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2
new file mode 100644
index 0000000..4736a50
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2
@@ -0,0 +1,106 @@
+# vi: ft=yaml
+version: '3'
+
+networks:
+ traefik:
+ external: true
+ discourse:
+
+services:
+ discourse-app:
+ image: tiredofit/discourse:latest
+ deploy:
+ placement:
+ constraints:
+ - "node.labels.discourse == true"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.discourse.entrypoints=localsecure
+ - traefik.http.routers.discourse.rule=Host(`tuindersweijde.geokunis2.nl`)
+ - traefik.http.services.discourse.loadbalancer.server.port=3000
+ - traefik.http.routers.discourse.tls=true
+ - traefik.http.routers.discourse.tls.certresolver=letsencrypt
+ volumes:
+ - type: bind
+ source: /mnt/data/discourse/logs
+ target: /data/logs
+ - type: bind
+ source: /mnt/data/discourse/uploads
+ target: /data/uploads
+ - type: bind
+ source: /mnt/data/discourse/backups
+ target: /data/backups
+ environment:
+ - TIMEZONE=Europe/Amsterdam
+ - CONTAINER_NAME=discourse-app
+
+ - DB_HOST=discourse-db
+ - DB_NAME=discourse
+ - DB_USER=discourse
+ - DB_PASS={{ database_password }}
+
+ - REDIS_HOST=discourse-redis
+ - SITE_HOSTNAME=discourse.pim.kunis.nl
+
+ - SMTP_PORT=25
+ - SMTP_HOST=smtp.tweak.nl
+
+ - DEVELOPER_EMAILS=niels@kunis.nl
+ networks:
+ - traefik
+ - discourse
+
+ discourse-db:
+ image: tiredofit/postgres:15-latest
+ deploy:
+ placement:
+ constraints:
+ - "node.labels.discourse == true"
+ volumes:
+ - type: bind
+ source: /mnt/data/discourse/database
+ target: /var/lib/postgresql/data
+ environment:
+ - TIMEZONE=Europe/Amsterdam
+ - CONTAINER_NAME=discourse-db
+
+ - POSTGRES_DB=discourse
+ - POSTGRES_USER=discourse
+ - POSTGRES_PASSWORD={{ database_password }}
+ - SUPERUSER_PASS={{ database_password }}
+ networks:
+ - discourse
+
+ discourse-redis:
+ image: tiredofit/redis:7
+ deploy:
+ placement:
+ constraints:
+ - "node.labels.discourse == true"
+ volumes:
+ - type: bind
+ source: /mnt/data/discourse/redis
+ target: /var/lib/redis
+ environment:
+ - TIMEZONE=Europe/Amsterdam
+ - CONTAINER_NAME=discourse-redis
+ networks:
+ - discourse
+
+ # discourse-db-backup:
+ # image: tiredofit/db-backup
+ # volumes:
+ # - ./dbbackup:/backup
+ # environment:
+ # - TIMEZONE=America/Vancouver
+ # - CONTAINER_NAME=discourse-db-backup
+ # - DB_HOST=discourse-db
+ # - DB_TYPE=postgres
+ # - DB_NAME=discourse
+ # - DB_USER=discourse
+ # - DB_PASS=password
+ # - DB_DUMP_FREQ=1440
+ # - DB_DUMP_BEGIN=0000
+ # - DB_CLEANUP_TIME=8640
+ # networks:
+ # - discourse
\ No newline at end of file
diff --git a/legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml
new file mode 100644
index 0000000..c7c9a16
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: discourse
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml
new file mode 100644
index 0000000..05d4fef
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml
@@ -0,0 +1,7 @@
+database_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32323538323136633363393961343364363933396431376437633361333232383938336531396537
+ 3730306164303364363739376633633431383534646135380a326663396338396461623037613637
+ 37666630333433393764373864346262383536656664343631386234386438333263626166363633
+ 3735633562323361330a353735366562663631363634343438326562646533663839383932343263
+ 38366538336466373733313130616330326238653966623037343336326132356565
diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2 b/legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2
new file mode 100644
index 0000000..f33b650
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2
@@ -0,0 +1,109 @@
+APP_NAME = Forgejo: Beyond coding. We forge.
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH=/data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_BRANCH = master
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = {{ git_domain }}
+SSH_DOMAIN = {{ git_domain }}
+HTTP_PORT = 3000
+ROOT_URL = {{ root_url }}
+DISABLE_SSH = false
+SSH_PORT = {{ git_ssh_port }}
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ lfs_jwt_secret }}
+OFFLINE_MODE = false
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+ISSUE_INDEXER_TYPE = db
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+ENABLE_FEDERATED_AVATAR = false
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+logger.router.MODE = console
+ROOT_PATH = /data/gitea/log
+logger.access.MODE=console
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = true
+SMTP_ADDR = {{ mailer_host }}
+SMTP_PORT = 587
+FROM = {{ mailer_from }}
+USER =
+PASSWD =
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[ui]
+DEFAULT_THEME = forgejo-light
+
+[oauth2]
+ENABLE=false
diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2
new file mode 100644
index 0000000..fe4dd53
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2
@@ -0,0 +1,56 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+ traefik:
+ external: true
+
+configs:
+ config:
+ external: true
+ name: "{{ config.config_name }}"
+
+volumes:
+ forgejo:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/forgejo"
+
+services:
+ forgejo:
+ image: codeberg.org/forgejo/forgejo:1.20
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ networks:
+ - traefik
+ ports:
+ - "{{ git_ssh_port }}:22"
+ volumes:
+ - type: volume
+ source: forgejo
+ target: /data
+ volume:
+ nocopy: true
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ deploy:
+ placement:
+ constraints:
+ - node.role == manager
+ labels:
+ - traefik.port=443
+ - traefik.enable=true
+ - traefik.http.routers.forgejo.entrypoints=websecure
+ - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
+ - traefik.http.routers.forgejo.tls=true
+ - traefik.http.routers.forgejo.tls.certresolver=letsencrypt
+ - traefik.http.routers.forgejo.service=forgejo
+ - traefik.http.services.forgejo.loadbalancer.server.port=3000
+ - traefik.docker.network=traefik
+ - traefik.http.middlewares.set-forwarded-for.headers.hostsProxyHeaders=X-Forwarded-For
+ - traefik.http.routers.forgejo.middlewares=set-forwarded-for
+ configs:
+ - source: config
+ target: /data/gitea/conf/app.ini
diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml
new file mode 100644
index 0000000..0e47f9e
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: Create Docker config
+ docker_config:
+ name: forgejo_config
+ data: "{{ lookup('template', '{{ role_path }}/app.ini.j2') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: config
+
+- name: Deploy Docker stack
+ docker_stack:
+ name: forgejo
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml
new file mode 100644
index 0000000..20376a9
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml
@@ -0,0 +1,23 @@
+git_domain: "git.kun.is"
+root_url: "https://{{ git_domain }}"
+mailer_host: "smtp.tweak.nl"
+mailer_from: "git@kunis.nl"
+lfs_jwt_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66613032363837346461326131303839646332646233633736623865346135623739343233396165
+ 6530326162323466623939393133623336366466343837620a613532616365646137326138383235
+ 32313264653262656564336531646662323039623865393366616536633531306430336137313862
+ 3361373539373561390a653236306433393737616561306236343362396438366134313032656233
+ 35626364373961613361366138383566353463626136393861383934326263383336393766623063
+ 3434656437663165376635326139383065383861386133623765
+internal_token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62633334656235613035343830326237633637626639363465313861323734393766636464303862
+ 3936306561343863316630616164616537323537333262650a336337303232623832636666353038
+ 64313134383330646537356432383332386238373835656663313431373939373630373566396339
+ 6561643037383666340a643464326531623731303564646464376239613263643761643766623930
+ 37623362326561346262306331376663313661633635323435333339396138383134303364306532
+ 37353264363737643965643932356336633734316534303262336461313038626538396536333964
+ 36353635323731353061393430656166363263366437313434336139616666326335633037663336
+ 37353665613938613731316330396461343632643039643864343164303937613263343262623964
+ 33366364636339623633653035313736653563363064646233383437373431373232
diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2
new file mode 100644
index 0000000..2a23a77
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2
@@ -0,0 +1,52 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+ traefik:
+ external: true
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/freshrss/data"
+ extensions:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/freshrss/extensions"
+
+services:
+ freshrss:
+ image: freshrss/freshrss:edge
+ networks:
+ - traefik
+ volumes:
+ - type: volume
+ source: data
+ target: /var/www/FreshRSS/data
+ volume:
+ nocopy: true
+ - type: volume
+ source: extensions
+ target: /var/www/FreshRSS/extensions
+ volume:
+ nocopy: true
+ environment:
+ TZ: Europe/Amsterdam
+ CRON_MIN: '2,32'
+ ADMIN_EMAIL: pim@kunis.nl
+ ADMIN_PASSWORD: {{ admin_password }}
+ ADMIN_API_PASSWORD: {{ admin_password }}
+ PUBLISHED_PORT: 443
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.freshrss.entrypoints=websecure
+ - traefik.http.routers.freshrss.rule=Host(`rss.kun.is`)
+ - traefik.http.routers.freshrss.tls=true
+ - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
+ - traefik.http.routers.freshrss.service=freshrss
+ - traefik.http.services.freshrss.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml
new file mode 100644
index 0000000..ac6c8bd
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: freshrss
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml
new file mode 100644
index 0000000..0a4891c
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml
@@ -0,0 +1,8 @@
+admin_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38363734333534376665616439306566613632303739373661333338356533653334323366326130
+ 3031316133383432366639613565656134666338326639360a633263363066613964643665316334
+ 63373830663239393137653131326630326465343333346430376536393162383836333130353562
+ 3336306561636134650a646433633063316431643466326161303666313765323034343233646566
+ 66613330616463346561343561616438643763643465373839303861356133313831303338356430
+ 6634653635383833303265316662663631376163636134666565
diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2
new file mode 100644
index 0000000..346ec26
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2
@@ -0,0 +1,44 @@
+# vi: ft=yaml
+version: '3'
+
+networks:
+ traefik:
+ external: true
+
+volumes:
+ uploads:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/hedgedoc/uploads"
+
+services:
+ hedgedoc:
+ image: quay.io/hedgedoc/hedgedoc:1.9.7
+ environment:
+ - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@192.168.30.10:5432/hedgedoc
+ - CMD_DOMAIN=md.kun.is
+ - CMD_PORT=3000
+ - CMD_URL_ADDPORT=false
+ - CMD_ALLOW_ANONYMOUS=true
+ - CMD_ALLOW_EMAIL_REGISTER=false
+ - CMD_PROTOCOL_USESSL=true
+ - CMD_SESSION_SECRET={{ session_secret }}
+ volumes:
+ - type: volume
+ source: uploads
+ target: /hedgedoc/public/uploads
+ volume:
+ nocopy: true
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.hedgedoc.entrypoints=websecure
+ - traefik.http.routers.hedgedoc.rule=Host(`md.kun.is`)
+ - traefik.http.routers.hedgedoc.tls=true
+ - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
+ - traefik.http.routers.hedgedoc.service=hedgedoc
+ - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
+ - traefik.docker.network=traefik
diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml
new file mode 100644
index 0000000..e3ca514
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: hedgedoc
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml
new file mode 100644
index 0000000..56fb537
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml
@@ -0,0 +1,10 @@
+session_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30633835386265643561343033326536653166343630396139303137613138383233666565666330
+ 3032613865333836656566626435383165396539323837350a376331306464643766373839386638
+ 65653865343539633636323833343964636332636461386434386432306230343833343431363134
+ 6563373138626637650a633932313862326231666330343662343765666166373961376237396434
+ 33396131353830323063326266623862353731653665626466653335656434303033353333353164
+ 61613535373037646565386131383631366338616565373261396136616433393462313537313861
+ 35313661616365373231373963323865393635626132343138363230313431636333363130346239
+ 32656335333635613736
diff --git a/legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2
new file mode 100644
index 0000000..4a35d2a
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2
@@ -0,0 +1,24 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+ traefik:
+ external: true
+
+services:
+ inbucket:
+ image: inbucket/inbucket
+ networks:
+ - traefik
+ ports:
+ - 2500:2500
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.inbucket.entrypoints=localsecure
+ - traefik.http.routers.inbucket.rule=Host(`inbucket.geokunis2.nl`)
+ - traefik.http.routers.inbucket.service=inbucket
+ - traefik.http.routers.inbucket.tls=true
+ - traefik.http.routers.inbucket.tls.certresolver=letsencrypt
+ - traefik.docker.network=traefik
+ - traefik.http.services.inbucket.loadbalancer.server.port=9000
diff --git a/legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml
new file mode 100644
index 0000000..ffcad7e
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: inbucket
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2
new file mode 100644
index 0000000..0eaa9ac
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2
@@ -0,0 +1,87 @@
+# vi: ft=yaml
+version: '3.5'
+
+networks:
+ traefik:
+ external: true
+ jitsi:
+
+services:
+ web:
+ image: jitsi/web:stable-8218
+ environment:
+ - DISABLE_HTTPS=1
+ - ENABLE_AUTH=0
+ - ENABLE_GUESTS=1
+ - ENABLE_IPV6=1
+ - ENABLE_LETSENCRYPT=0
+ - PUBLIC_URL=https://meet.pim.kunis.nl
+ - TZ=Europe/Amsterdam
+ networks:
+ - jitsi
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.jitsi-web.entrypoints=websecure
+ - traefik.http.routers.jitsi-web.rule=Host(`meet.pim.kunis.nl`)
+ - traefik.http.routers.jitsi-web.tls=true
+ - traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt
+ - traefik.http.services.jitsi-web.loadbalancer.server.port=80
+ - traefik.http.routers.jitsi-web.service=jitsi-web
+ - traefik.docker.network=traefik
+
+ prosody:
+ image: jitsi/prosody:stable-8218
+ expose:
+ - '5222'
+ - '5347'
+ - '5280'
+ environment:
+ - AUTH_TYPE=internal
+ - ENABLE_AUTH=0
+ - ENABLE_GUESTS=1
+ - ENABLE_IPV6=1
+ - ENABLE_LOBBY=1
+ - JIBRI_RECORDER_PASSWORD={{ jitsi_password }}
+ - JIBRI_XMPP_PASSWORD={{ jitsi_password }}
+ - JICOFO_AUTH_PASSWORD={{ jitsi_password }}
+ - JIGASI_XMPP_PASSWORD={{ jitsi_password }}
+ - JVB_AUTH_PASSWORD={{ jitsi_password }}
+ - PUBLIC_URL=https://meet.pim.kunis.nl
+ - TZ=Europe/Amsterdam
+ networks:
+ jitsi:
+ aliases:
+ - xmpp.meet.jitsi
+
+ jicofo:
+ image: jitsi/jicofo:stable-8218
+ environment:
+ - AUTH_TYPE=internal
+ - ENABLE_AUTH=0
+ - JICOFO_AUTH_PASSWORD={{ jitsi_password }}
+ - SENTRY_DSN=0
+ - TZ=Europe/Amsterdam
+ depends_on:
+ - prosody
+ networks:
+ - jitsi
+
+ jvb:
+ image: jitsi/jvb:stable-8218
+ ports:
+ - '54562:54562/udp'
+ environment:
+ - JVB_ADVERTISE_IPS=84.245.14.149,192.168.30.8
+ - JVB_AUTH_PASSWORD={{ jitsi_password }}
+ - JVB_PORT=54562
+ - PUBLIC_URL=https://meet.pim.kunis.nl
+ - SENTRY_DSN=0
+ - COLIBRI_REST_ENABLED=0
+ - TZ=Europe/Amsterdam
+ depends_on:
+ - prosody
+ networks:
+ - jitsi
+ - traefik
diff --git a/legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml
new file mode 100644
index 0000000..1e46217
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: jitsi
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml
new file mode 100644
index 0000000..090d3aa
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml
@@ -0,0 +1,8 @@
+jitsi_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66633139653639396435333239316536326366613338646531373063306333383562613462316561
+ 6630373435326631376362643961343936626238663332630a623631613532366539633637333032
+ 35383031306566613466643066366361663039633864643733356366386339366265326237653739
+ 3062313832313638330a636131393130646564366563626430346436656236333961306363633435
+ 39353934386631633132306562396430303738393235656363356666663934626161363365343162
+ 6130346338333734653961633037386133396332643831363939
diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2
new file mode 100644
index 0000000..1f4a57e
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2
@@ -0,0 +1,45 @@
+# vi: ft=yaml
+version: '3.7'
+
+networks:
+ traefik:
+ external: true
+ kitchenowl:
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/kitchenowl/data"
+
+services:
+ front:
+ image: tombursch/kitchenowl-web:v0.4.17
+ depends_on:
+ - back
+ networks:
+ - traefik
+ - kitchenowl
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.kitchenowl.entrypoints=websecure
+ - traefik.http.routers.kitchenowl.rule=Host(`boodschappen.kun.is`)
+ - traefik.http.routers.kitchenowl.tls=true
+ - traefik.http.routers.kitchenowl.tls.certresolver=letsencrypt
+ - traefik.http.routers.kitchenowl.service=kitchenowl
+ - traefik.http.services.kitchenowl.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
+ back:
+ image: tombursch/kitchenowl:v88
+ networks:
+ - kitchenowl
+ environment:
+ - JWT_SECRET_KEY={{ jwt_secret_key }}
+ volumes:
+ - type: volume
+ source: data
+ target: /data
+ volume:
+ nocopy: true
diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml
new file mode 100644
index 0000000..67a45e9
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: kitchenowl
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml
new file mode 100644
index 0000000..4317036
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml
@@ -0,0 +1,7 @@
+jwt_secret_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37376338663532376135613331303737626633666138643132316336306164393134633639303865
+ 3134613830323335663466373262316262353464323535300a636163633439323035643033623363
+ 36316361656133663235333834343233363134313938656664356538366166653336656562623664
+ 3332393330616636630a646139393937313932373963623764346134323635336539346562346635
+ 36613637396133383664323561666464346336386233363434653765356334633831
diff --git a/legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2
new file mode 100644
index 0000000..a42d741
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2
@@ -0,0 +1,8 @@
+# vi: ft=yaml
+version: '3.7'
+
+services:
+ kms:
+ image: teddysun/kms
+ ports:
+ - 1688:1688
diff --git a/legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml
new file mode 100644
index 0000000..9e1738c
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: kms
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2
new file mode 100644
index 0000000..c00ecd9
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2
@@ -0,0 +1,131 @@
+# vi: ft=yaml
+version: '3'
+
+networks:
+ traefik:
+ external: true
+ mastodon:
+
+volumes:
+ system:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/mastodon/system"
+ redis:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/mastodon/redis"
+
+services:
+ redis:
+ image: redis:7-alpine
+ networks:
+ mastodon:
+ aliases:
+ - redis
+ healthcheck:
+ test: ['CMD', 'redis-cli', 'ping']
+ volumes:
+ - type: volume
+ source: redis
+ target: /data
+ volume:
+ nocopy: true
+
+ web:
+ image: tootsuite/mastodon:v4.1
+ environment:
+ - 'OTP_SECRET={{ otp_secret }}'
+ - 'SECRET_KEY_BASE={{ secret_key_base }}'
+ - 'REDIS_HOST=redis'
+ - 'DB_HOST=192.168.30.10'
+ - 'DB_USER=mastodon'
+ - 'DB_NAME=mastodon'
+ - 'DB_PASS={{ database_passwords.mastodon }}'
+ - 'VAPID_PRIVATE_KEY={{ vapid_private_key }}'
+ - 'VAPID_PUBLIC_KEY=BDcpOP2ThgD13i2ENjnlVXG7QH-m3xuNE4rySx6_NBYQz34UxSM3N4nT7GUxN5zBF-Kehlv0CpqBDDa78QFiS0g='
+ - 'SMTP_SERVER=smtp.tweak.nl'
+ - 'SMTP_PORT=587'
+ - 'SMTP_LOGIN='
+ - 'SMTP_PASSWORD='
+ - 'SMTP_FROM_ADDRESS=mastodon@kunis.nl'
+ - 'LOCAL_DOMAIN=social.pizzapim.nl'
+ command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
+ networks:
+ - mastodon
+ - traefik
+ healthcheck:
+ test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
+ volumes:
+ - type: volume
+ source: system
+ target: /mastodon/public/system
+ volume:
+ nocopy: true
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.mastodon.entrypoints=websecure
+ - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
+ - traefik.http.routers.mastodon.tls=true
+ - traefik.http.routers.mastodon.tls.certresolver=letsencrypt
+ - traefik.http.services.mastodon.loadbalancer.server.port=3000
+ - traefik.http.routers.mastodon.service=mastodon
+ - traefik.docker.network=traefik
+ depends_on:
+ - redis
+
+ streaming:
+ image: tootsuite/mastodon:v4.1
+ command: node ./streaming
+ environment:
+ - 'REDIS_HOST=redis'
+ - 'LOCAL_DOMAIN=social.pizzapim.nl'
+ - 'DB_HOST=192.168.30.10'
+ - 'DB_USER=mastodon'
+ - 'DB_NAME=mastodon'
+ - 'DB_PASS={{ database_passwords.mastodon }}'
+ networks:
+ - mastodon
+ - traefik
+ healthcheck:
+ # prettier-ignore
+ test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.mastodon-streaming.entrypoints=websecure
+ - "traefik.http.routers.mastodon-streaming.rule=(Host(`social.pizzapim.nl`) && PathPrefix(`/api/v1/streaming`))"
+ - traefik.http.routers.mastodon-streaming.service=mastodon-streaming
+ - traefik.http.services.mastodon-streaming.loadbalancer.server.port=4000
+ - traefik.http.routers.mastodon-streaming.tls=true
+ - traefik.http.routers.mastodon-streaming.tls.certresolver=letsencrypt
+ - traefik.docker.network=traefik
+ depends_on:
+ - redis
+
+ sidekiq:
+ image: tootsuite/mastodon:v4.1
+ command: bundle exec sidekiq
+ environment:
+ - 'OTP_SECRET={{ otp_secret }}'
+ - 'SECRET_KEY_BASE={{ secret_key_base }}'
+ - 'REDIS_HOST=redis'
+ - 'DB_HOST=192.168.30.10'
+ - 'DB_USER=mastodon'
+ - 'DB_NAME=mastodon'
+ - 'DB_PASS={{ database_passwords.mastodon }}'
+ networks:
+ - mastodon
+ volumes:
+ - type: volume
+ source: system
+ target: /mastodon/public/system
+ volume:
+ nocopy: true
+ healthcheck:
+ test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
+ depends_on:
+ - redis
diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml
new file mode 100644
index 0000000..531e13e
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: mastodon
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml
new file mode 100644
index 0000000..eed2d71
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml
@@ -0,0 +1,42 @@
+mastodon_postgres_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34643131323762373635383736636432643161646130373565333432323337646435656233383131
+ 3066353734373938353162656335666536323265643162620a663562303636383737393061396331
+ 30353538326333393031373736363933666636383866373763303237376561333061323131303062
+ 3532316632613062310a343566393237363364613931353062636537663864383839623930383836
+ 32613634616335616462336261303632646266326663383166366236643438616538626263343835
+ 6539616439636364626466333163316164633631616132623665
+otp_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33303436663063313039636335623937343530323636346363306234333135306138653337313034
+ 3337363432363734353363623738653630373536653433350a356336383235383430613934623937
+ 36316638343439376134383635336630313065623138326630303131333136626636386361313661
+ 6134613862366463300a313765366136343431343838363230363134613164373931623564626466
+ 32623137666364326234383264396336636561313132313930383964656434656535663861343337
+ 65316331323335626464626231653236313932663334316134633837646330303563633162373036
+ 66326135656531393839343138376666623337616162653137393764306265323065356431343162
+ 36373135303339356366356263623334373361326561396562353332323363623738626132303738
+ 38383638616363386536386461353465353765366234353862653765376330663661326138626266
+ 30633134643632393630323834323538326339373361363235666133303761323261336637663862
+ 326633383933663530653230336364653461
+secret_key_base: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32373731376166613238303535646633326162613137366165643037643966643637316265653832
+ 3035393061616431666162373133393666653634386338350a376136653961646239656534336230
+ 33366235343365653234333866393965643131306636373566623665646562353234323065393262
+ 6264313430333262390a626338333932363137356338636132636133613239633537623064666438
+ 32343063653664393530353536643963353364373830303563346163613862653161343165363062
+ 61396630353036333634313033663962613930336637323461313731633136366365623732306337
+ 37646265613639306133373736353365366461373264356665623236313836633565343764626238
+ 38353637613064306162393430323662616231623965643933383339616561353963663366396363
+ 33346332343336386266636165616135343732353365336630653334383533633831636138623733
+ 34396266643166386130383334666565303865396135613863336261656135343564376537383634
+ 353635336365613765363931373636363465
+vapid_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33376430313539346137343237313061653164343861623563656638306539373837393364326235
+ 3435396264613533633138346231303137663763323361360a356137306330343939353732356535
+ 33396336633966623266396265356435343633373766363637616635326563623130653039343665
+ 3465306562306261660a303131666436333137306139366636646232333061383935353263396534
+ 63376635393966653636316236316538656361393631626465383233386136313366363531363663
+ 3436326431353435653666356266333835303061616436323061
diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
new file mode 100644
index 0000000..b6adf49
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
@@ -0,0 +1,132 @@
+# vi: ft=yaml
+version: "3.8"
+
+networks:
+ traefik:
+ external: true
+ grafana:
+
+configs:
+ esdatasource:
+ external: true
+ name: "{{ esdatasource.config_name }}"
+ fluentconf:
+ external: true
+ name: "{{ fluentconf.config_name }}"
+
+volumes:
+ escerts:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/elasticsearch/certs"
+ esdata:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/elasticsearch/data"
+ grafanadata:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/grafana/data"
+
+services:
+ elasticsearch:
+ image: docker.elastic.co/elasticsearch/elasticsearch:8.8.1
+ volumes:
+ - type: volume
+ source: escerts
+ target: /usr/share/elasticsearch/config/certs
+ volume:
+ nocopy: true
+ - type: volume
+ source: esdata
+ target: /usr/share/elasticsearch/data
+ volume:
+ nocopy: true
+ ports:
+ - {{ elasticsearch_port }}:9200
+ environment:
+ - node.name=es01
+ - cluster.name=shoarma
+ - discovery.type=single-node
+ - bootstrap.memory_lock=true
+ - xpack.security.enabled=false
+ - xpack.security.http.ssl.enabled=false
+ - xpack.security.http.ssl.key=certs/es01/es01.key
+ - xpack.security.http.ssl.certificate=certs/es01/es01.crt
+ - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+ - xpack.security.transport.ssl.enabled=false
+ - xpack.security.transport.ssl.key=certs/es01/es01.key
+ - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
+ - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+ - xpack.security.transport.ssl.verification_mode=certificate
+ - xpack.license.self_generated.type=basic
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ healthcheck:
+ test:
+ [
+ "CMD-SHELL",
+ "curl http://localhost:9200 | grep -q 'You Know, for Search'",
+ ]
+ interval: 10s
+ timeout: 10s
+ retries: 120
+
+ grafana:
+ image: grafana/grafana-oss
+ depends_on:
+ - elasticsearch
+ networks:
+ - traefik
+ - grafana
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.grafana.entrypoints=localsecure
+ - traefik.http.routers.grafana.rule=Host(`grafana.kun.is`)
+ - traefik.http.routers.grafana.tls=true
+ - traefik.http.routers.grafana.tls.certresolver=letsencrypt
+ - traefik.http.routers.grafana.service=grafana
+ - traefik.http.services.grafana.loadbalancer.server.port=3000
+ - traefik.docker.network=traefik
+ volumes:
+ - type: volume
+ source: grafanadata
+ target: /var/lib/grafana
+ volume:
+ nocopy: true
+ configs:
+ - source: esdatasource
+ target: /etc/grafana/provisioning/datasources/elasticsearch.yaml
+
+ grafana-ntfy:
+ image: kittyandrew/grafana-to-ntfy:master
+ depends_on:
+ - grafana
+ ports:
+ - 8080:8080
+ networks:
+ grafana:
+ aliases:
+ - grafana-ntfy
+ environment:
+ - NTFY_URL=https://ntfy.kun.is/alerts
+ - NTFY_BAUTH_USER=pim
+ - NTFY_BAUTH_PASS={{ ntfy_password }}
+ - BAUTH_USER=admin
+ - BAUTH_PASS=test
+
+ fluentd:
+ image: git.kun.is/pim/fluentd:1.0.3
+ depends_on:
+ - elasticsearch
+ ports:
+ - {{ fluent_forward_port }}:24224
+ configs:
+ - source: fluentconf
+ target: /fluentd/etc/fluent.conf
diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2
new file mode 100644
index 0000000..90fee48
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2
@@ -0,0 +1,35 @@
+# vi: ft=yaml
+apiVersion: 1
+
+datasources:
+ - name: cpu
+ type: elasticsearch
+ access: proxy
+ url: http://maestro.dmz:{{ elasticsearch_port }}
+ jsonData:
+ index: 'fluentd.cpu-*'
+ timeField: '@timestamp'
+
+ - name: memory
+ type: elasticsearch
+ access: proxy
+ url: http://maestro.dmz:{{ elasticsearch_port }}
+ jsonData:
+ index: 'fluentd.memory-*'
+ timeField: '@timestamp'
+
+ - name: diskfree
+ type: elasticsearch
+ access: proxy
+ url: http://maestro.dmz:{{ elasticsearch_port }}
+ jsonData:
+ index: 'fluentd.diskfree-*'
+ timeField: '@timestamp'
+
+ - name: traefik_access
+ type: elasticsearch
+ access: proxy
+ url: http://maestro.dmz:{{ elasticsearch_port }}
+ jsonData:
+ index: 'fluentd.access.traefik-*'
+ timeField: '@timestamp'
diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2
new file mode 100644
index 0000000..dd030ba
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2
@@ -0,0 +1,35 @@
+# vi: ft=yaml
+# Receive events from 24224/tcp
+# This is used by log forwarding and the fluent-cat command
+
+
+
+ @type geoip
+ geoip_lookup_keys host
+ backend_library geoip2_c
+
+ latitude ${location.latitude["host"]}
+ longitude ${location.longitude["host"]}
+
+ skip_adding_null_record true
+
+
+
+ @type elasticsearch
+ host maestro.dmz
+ port {{ elasticsearch_port }}
+ include_timestamp true
+ logstash_format true
+ logstash_prefix fluentd.${tag}
+
+
+
+ @type null
+
+
+
+ log_level info
+
diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml
new file mode 100644
index 0000000..191f846
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: Create fluentd config
+ docker_config:
+ name: fluentconf
+ data: "{{ lookup('template', '{{ role_path }}/fluent.conf.j2') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: fluentconf
+
+- name: Create elasticsearch data source config
+ docker_config:
+ name: esdatasource
+ data: "{{ lookup('template', '{{ role_path }}/elasticsearch.yml.j2') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: esdatasource
+
+- name: Deploy Docker stack
+ docker_stack:
+ name: monitoring
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml
new file mode 100644
index 0000000..326b722
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml
@@ -0,0 +1,8 @@
+ntfy_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36333232393635383732336630626463633038353862333430396437333733376239343531663339
+ 6364643930636566326463393963316263323061613032350a383930376537373437633333623639
+ 66613439636531393761366534333134383231303637643063633537393535356536636530666665
+ 6537653731666130610a346135373562333931646237396233613065353165623336373935386137
+ 36313830623931313238333430346238626562353661616465333736346230396162386137363435
+ 3362636565336639643832626165613236643466633537633236
diff --git a/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2
new file mode 100644
index 0000000..6519069
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2
@@ -0,0 +1,40 @@
+# vi: ft=yaml
+version: '3.8'
+
+networks:
+ traefik:
+ external: true
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/nextcloud/data"
+
+services:
+ nextcloud:
+ image: nextcloud:27
+ volumes:
+ - type: volume
+ source: data
+ target: /var/www/html
+ volume:
+ nocopy: true
+ environment:
+ - POSTGRES_USER=nextcloud
+ - POSTGRES_DB=nextcloud
+ - POSTGRES_PASSWORD={{ database_passwords.nextcloud }}
+ - POSTGRES_HOST=192.168.30.10
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.nextcloud.entrypoints=websecure
+ - traefik.http.routers.nextcloud.rule=Host(`cloud.kun.is`)
+ - traefik.http.routers.nextcloud.tls=true
+ - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
+ - traefik.http.routers.nextcloud.service=nextcloud
+ - traefik.http.services.nextcloud.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
diff --git a/legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..9b3430e
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: nextcloud
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2
new file mode 100644
index 0000000..76904a8
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2
@@ -0,0 +1,112 @@
+# vi: ft=yaml
+version: '3'
+networks:
+ traefik:
+ external: true
+ overleaf:
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/overleaf/data"
+ redis:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/overleaf/redis"
+ mongodb:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/overleaf/mongodb"
+
+services:
+ sharelatex:
+ image: sharelatex/sharelatex:3
+ networks:
+ - traefik
+ - overleaf
+ depends_on:
+ - overleaf-mongodb
+ - overleaf-redis
+ stop_grace_period: 60s
+ volumes:
+ - type: volume
+ source: data
+ target: /var/lib/sharelatex
+ volume:
+ nocopy: true
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.overleaf.entrypoints=websecure
+ - traefik.http.routers.overleaf.rule=Host(`latex.kun.is`)
+ - traefik.http.routers.overleaf.tls=true
+ - traefik.http.routers.overleaf.tls.certresolver=letsencrypt
+ - traefik.http.routers.overleaf.service=overleaf
+ - traefik.http.services.overleaf.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
+ environment:
+ SHARELATEX_APP_NAME: Overleaf Community Edition
+
+ SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex
+
+ # Same property, unfortunately with different names in
+ # different locations
+ SHARELATEX_REDIS_HOST: overleaf-redis
+ REDIS_HOST: overleaf-redis
+
+ ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
+
+ # Enables Thumbnail generation using ImageMagick
+ ENABLE_CONVERSIONS: 'true'
+
+ # Disables email confirmation requirement
+ EMAIL_CONFIRMATION_DISABLED: 'true'
+
+ # temporary fix for LuaLaTex compiles
+ # see https://github.com/overleaf/overleaf/issues/695
+ TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var
+
+ SHARELATEX_SITE_URL: https://latex.kun.is
+ SHARELATEX_ADMIN_EMAIL: pim@kunis.nl
+
+ SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl"
+
+ SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl"
+ SHARELATEX_EMAIL_SMTP_PORT: 587
+ SHARELATEX_EMAIL_SMTP_USER: ""
+ SHARELATEX_EMAIL_SMTP_PASS: ""
+
+ overleaf-mongodb:
+ image: mongo:4.4
+ networks:
+ - overleaf
+ expose:
+ - 27017
+ volumes:
+ - type: volume
+ source: mongodb
+ target: /data/db
+ volume:
+ nocopy: true
+ healthcheck:
+ test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
+ interval: 10s
+ timeout: 10s
+ retries: 5
+
+ overleaf-redis:
+ image: redis:5
+ networks:
+ - overleaf
+ expose:
+ - 6379
+ volumes:
+ - type: volume
+ source: redis
+ target: /data
+ volume:
+ nocopy: true
diff --git a/legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml
new file mode 100644
index 0000000..fc3a917
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: overleaf
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2
new file mode 100644
index 0000000..9581831
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2
@@ -0,0 +1,57 @@
+# vi: ft=yaml
+version: "3.8"
+
+networks:
+ traefik:
+ external: true
+ pihole:
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/pihole/data"
+ dnsmasq:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/pihole/dnsmasq"
+
+services:
+ pihole:
+ image: pihole/pihole:latest
+ ports:
+ - "53:53/tcp"
+ - "53:53/udp"
+ network_mode: "host"
+ environment:
+ TZ: 'Europe/Amsterdam'
+ WEBPASSWORD: {{ pihole_password }}
+ PIHOLE_DNS_: '192.168.30.1'
+ volumes:
+ - type: volume
+ source: data
+ target: /etc/pihole
+ volume:
+ nocopy: true
+ - type: volume
+ source: dnsmasq
+ target: /etc/dnsmasq.d
+ volume:
+ nocopy: true
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.pihole.entrypoints=localsecure
+ - traefik.http.routers.pihole.rule=Host(`pihole.kun.is`)
+ - traefik.http.routers.pihole.tls=true
+ - traefik.http.routers.pihole.tls.certresolver=letsencrypt
+ - traefik.http.routers.pihole.service=pihole
+ - traefik.http.services.pihole.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
+ placement:
+ constraints:
+ - node.role == manager
diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml
new file mode 100644
index 0000000..999eb7d
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: pihole
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml
new file mode 100644
index 0000000..8bb3b29
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml
@@ -0,0 +1,8 @@
+pihole_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38616134666661363535303137373633613063613731383766303633336533373233363736333263
+ 3461336138663861623134633031663631633666393939340a396561643132333665373430343466
+ 36626633366232376236383434336166353638653733666566336266373739663236636334373866
+ 3261303962613966610a643765613762396335643233383432613737316361386234663365656566
+ 30336535326437336437383336393838306161333662346165333262383735616137653766653165
+ 3361333436346130376261316133323963393338633838303031
diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2
new file mode 100644
index 0000000..61fba13
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2
@@ -0,0 +1,61 @@
+# vi: ft=yaml
+version: '3.7'
+
+networks:
+ traefik:
+ external: true
+
+configs:
+ config:
+ external: true
+ name: "{{ config.config_name }}"
+ users:
+ external: true
+ name: "{{ users.config_name }}"
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/radicale"
+
+services:
+ radicale:
+ image: tomsquest/docker-radicale
+ init: true
+ read_only: true
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETUID
+ - SETGID
+ - CHOWN
+ - KILL
+ healthcheck:
+ test: curl -f http://127.0.0.1:5232 || exit 1
+ interval: 30s
+ retries: 3
+ volumes:
+ - type: volume
+ source: data
+ target: /data
+ volume:
+ nocopy: true
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.radicale.entrypoints=websecure
+ - traefik.http.routers.radicale.rule=Host(`dav.kun.is`)
+ - traefik.http.routers.radicale.tls=true
+ - traefik.http.routers.radicale.tls.certresolver=letsencrypt
+ - traefik.http.routers.radicale.service=radicale
+ - traefik.http.services.radicale.loadbalancer.server.port=5232
+ - traefik.docker.network=traefik
+ configs:
+ - source: config
+ target: /config/config
+ - source: users
+ target: /config/users
diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf b/legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf
new file mode 100644
index 0000000..eb9df16
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf
@@ -0,0 +1,24 @@
+[server]
+hosts = 0.0.0.0:5232, [::]:5232
+ssl = False
+
+[encoding]
+request = utf-8
+stock = utf-8
+
+[auth]
+realm = Radicale - Password Required
+type = htpasswd
+htpasswd_filename = /config/users
+htpasswd_encryption = md5
+
+[rights]
+type = owner_only
+
+[storage]
+type = multifilesystem
+filesystem_folder = /data
+
+[logging]
+
+[headers]
diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml
new file mode 100644
index 0000000..eb07f13
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: Create radicale config
+ docker_config:
+ name: radicale_config
+ data: "{{ lookup('file', '{{ role_path }}/radicale.conf') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: config
+
+- name: Create radicale users
+ docker_config:
+ name: radicale_users
+ data: "{{ lookup('file', '{{ role_path }}/users') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: users
+
+- name: Deploy Docker stack
+ docker_stack:
+ name: radicale
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/users b/legacy/projects/docker_swarm/ansible/roles/radicale/users
new file mode 100644
index 0000000..edbdb46
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/radicale/users
@@ -0,0 +1 @@
+pim:$apr1$GUiTihkS$dDCkaUxFx/O86m6NCy/yQ.
diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2
new file mode 100644
index 0000000..b510050
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2
@@ -0,0 +1,73 @@
+# vi: ft=yaml
+version: '3'
+
+networks:
+ traefik:
+ external: true
+ seafile:
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/seafile/data"
+ db:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/seafile/db"
+
+services:
+ db:
+ image: mariadb:10.5
+ environment:
+ - MYSQL_ROOT_PASSWORD={{ db_root_passwd }}
+ - MYSQL_LOG_CONSOLE=true
+ volumes:
+ - type: volume
+ source: db
+ target: /var/lib/mysql
+ volume:
+ nocopy: true
+ networks:
+ - seafile
+
+ memcached:
+ image: memcached:1.6
+ entrypoint: memcached -m 256
+ networks:
+ - seafile
+
+ seafile:
+ image: seafileltd/seafile-mc:9.0.10
+ volumes:
+ - type: volume
+ source: data
+ target: /shared
+ volume:
+ nocopy: true
+ environment:
+ - DB_HOST=db
+ - DB_ROOT_PASSWD={{ db_root_passwd }}
+ - TIME_ZONE=Europe/Amsterdam
+ - SEAFILE_ADMIN_EMAIL={{ seafile_admin_email }}
+ - SEAFILE_ADMIN_PASSWORD={{ seafile_admin_password }}
+ - SEAFILE_SERVER_LETSENCRYPT=false
+ - SEAFILE_SERVER_HOSTNAME={{ seafile_domain }}
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.seafile.entrypoints=websecure
+ - traefik.http.routers.seafile.rule=Host(`{{ seafile_domain }}`)
+ - traefik.http.routers.seafile.tls=true
+ - traefik.http.routers.seafile.tls.certresolver=letsencrypt
+ - traefik.http.services.seafile.loadbalancer.server.port=80
+ - traefik.http.routers.seafile.service=seafile
+ - traefik.docker.network=traefik
+ depends_on:
+ - db
+ - memcached
+ networks:
+ - traefik
+ - seafile
diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml
new file mode 100644
index 0000000..c63c02d
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: seafile
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml
new file mode 100644
index 0000000..3245d42
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml
@@ -0,0 +1,18 @@
+db_root_passwd: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62376163363033396161363264613836623734623835316439666331356464636633393237313236
+ 3731383961393939366165393537663435356166643966650a353132616166353630333733636639
+ 63616163346566336461313264326562393964643661613831316233326165623463613865636637
+ 6363363331333430320a366661356232393036383765353066623334656133313661636130666238
+ 32336561323431303730373262343534326539383932613533623232376330646230363363636135
+ 3266336663623037663838643936366437663831356634333930
+seafile_admin_email: niels@kunis.nl
+seafile_admin_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34366163396632343065636232363435633039373236363461383563363162626561653763383438
+ 3263393539663030363532353238633262616339343436370a613631323064303637623266653832
+ 64323834356664316265376132633863666136316239623862643962366637306238343933386134
+ 6237396238383232360a386637303639646136653134643737393735383661626539386134643333
+ 35313536323963303734353338636162666236343430623062373464653531353230366238326231
+ 6661363038393534373861643261383561386536613337396539
+seafile_domain: files.geokunis2.nl
diff --git a/legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2
new file mode 100644
index 0000000..2ac91e8
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2
@@ -0,0 +1,60 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+ shephard:
+
+services:
+ app:
+ image: mazzolino/shepherd
+ networks:
+ - shephard
+ environment:
+ TZ: 'Europe/Amsterdam'
+ FILTER_SERVICES: ''
+ IGNORELIST_SERVICES: ""
+ RUN_ONCE_AND_EXIT: "true"
+ APPRISE_SIDECAR_URL: apprise:5000
+ volumes:
+ - type: bind
+ source: /var/run/docker.sock
+ target: /var/run/docker.sock
+ read_only: true
+ deploy:
+ replicas: 0
+ restart_policy:
+ condition: none
+ labels:
+ - swarm.cronjob.enable=true
+ - "swarm.cronjob.schedule=0 2 * * *"
+ - swarm.cronjob.skip-running=true
+ placement:
+ constraints:
+ - node.role == manager
+
+ scheduler:
+ image: crazymax/swarm-cronjob:latest
+ volumes:
+ - type: bind
+ source: /var/run/docker.sock
+ target: /var/run/docker.sock
+ read_only: true
+ environment:
+ - "TZ=Europe/Amsterdam"
+ - "LOG_LEVEL=info"
+ - "LOG_JSON=false"
+ deploy:
+ placement:
+ constraints:
+ - node.role == manager
+
+ apprise:
+ image: mazzolino/apprise-microservice:0.1
+ environment:
+ NOTIFICATION_URLS: {{ apprise_urls }}
+ networks:
+ - shephard
+ deploy:
+ placement:
+ constraints:
+ - node.role == manager
diff --git a/legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml
new file mode 100644
index 0000000..41bf642
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: shephard
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml
new file mode 100644
index 0000000..f02cab7
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml
@@ -0,0 +1 @@
+apprise_urls: "apprises://apprise.kun.is:444/shephard"
diff --git a/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2
new file mode 100644
index 0000000..217376d
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2
@@ -0,0 +1,31 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+ traefik:
+ external: true
+
+services:
+ swarm-dashboard:
+ image: charypar/swarm-dashboard
+ volumes:
+ - type: bind
+ source: /var/run/docker.sock
+ target: /var/run/docker.sock
+ environment:
+ PORT: 80
+ networks:
+ - traefik
+ deploy:
+ placement:
+ constraints:
+ - node.role == manager
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.swarm-dashboard.entrypoints=localsecure
+ - traefik.http.routers.swarm-dashboard.rule=Host(`swarm.kun.is`)
+ - traefik.http.routers.swarm-dashboard.tls=true
+ - traefik.http.routers.swarm-dashboard.tls.certresolver=letsencrypt
+ - traefik.http.routers.swarm-dashboard.service=swarm-dashboard
+ - traefik.http.services.swarm-dashboard.loadbalancer.server.port=80
+ - traefik.docker.network=traefik
diff --git a/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml
new file mode 100644
index 0000000..bb1f97c
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: swarm_dashboard
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem b/legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem
new file mode 100644
index 0000000..eeb08f2
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem
@@ -0,0 +1,45 @@
+$ANSIBLE_VAULT;1.1;AES256
+37326262373466303939623263623234616338316165316466656131326339306233303834396263
+3139663539356264323038306635363934363364653437350a666438396563643339353765306131
+39653434373966346166323938666364323562313334323262643666373463623536363635643163
+3430353230326634320a643532663765663632623031313463653765643134313538633131613663
+64393533636138323833343630363639656539376163353239313231646662316532666631623734
+31343364393363623164336339303631366162376131613736636131396165663835653433303134
+62323265633039633865326366613366653435653261633662613737353463633663383635303562
+39303933343139363132393035336332363438656333646136333330326533623763393263663563
+36343038393264383639346436316134386531383338386461363538613135663863363434623339
+31373236353337653838396333643638343232653066313662393165343062396137326630646430
+31646566356565386532626433383163643635643930326164353766323263616665636435323339
+38373837393035343737356134373831303831316464666637333231343434316632316464356564
+31613464633761306330303637386230333430396665383262333530336137336236623838326333
+30393861666439623536336231616563303764646563393065353432313965343330633463313564
+66373539373265353765636438393633613839393830366135323139666533393165653736666335
+35303736623534653635343636383662316134376332393239633262363939396263363264616637
+35396261346264373930396462393638316335363833333132393061633337626331323439363131
+39306264386133316137633039366638356130616438373433333635666231366136613363626133
+31316230336534616430633232623430666234643836636338613730356335623434373433643935
+62623266313834353163623439616533623135396134346164373363643364373939396163363837
+36313432393965653664633231393564323936323933313565323337346333313233396666626361
+65383031326630313263343862653063613839373131643265656237623232663761383665333939
+33376531623665653037333563333034363363333435343439663761633734616461353961323434
+66643833353539623265616262383265396237636631346433386638643436383230333438653462
+37383235316634353262316436653163316164356261353663663565396630613434396231353538
+38633330326266303838346365663839646163623264633934363938666234393131356138656439
+31333161643136633836343262326136393964393635623634316532393837376162383835303435
+30643339356434386264643163316165396534373064346334636132316230346437363665636563
+38333835306666626637386562306433373031366136616635623765393630383939353335393930
+61663832383239643363626137343661366436653864643339316537383738323335333866633537
+39316339383239323131653232633833363536313431643364313937633037336564386339383433
+38303939303835386263633430383061336436383062663462353762376666613530313663623261
+66616266373136326433363338303365653230663763636630353034383832633239383932616365
+37373236396631623866656330623632313538326330626363316262653566383633666531383738
+34353830373137343236343765393665356534356238353861326165303939363236626130626363
+64623164383866393630656232373164343163363433643835396236363132346235356134613564
+66383364623962316564373564363631356234386535653465633864313365396438356235313163
+35633366663836666337653537336334353935323364306635383238373664613530353365323366
+31373831383336336237633064313938393637636231356165656631386132313734333439643733
+62666435363535303530323866623139653138643831623838316432366539316236306133393764
+63386133333832356365396137623332643539633236343762353138386434303632373932336139
+39396364653864316435356434383761306238633164643939363864356362633135623438363861
+64626339663931383133383862313031383638653266306539643061316238616266656136656530
+63666239303034396133
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2 b/legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2
new file mode 100644
index 0000000..1920a68
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2
@@ -0,0 +1,189 @@
+
+ {% for folder in st.folders %}
+
+ basic
+ {% for device in folder.devices %}
+
+
+
+ {% endfor %}
+
+
+
+ 1
+
+ 3600
+
+ basic
+
+ 0
+ 0
+ 0
+ random
+ false
+ 0
+ 0
+ 10
+ false
+ false
+ false
+ 25
+ .stfolder
+ false
+ 0
+ 2
+ false
+ standard
+ standard
+ false
+ false
+ false
+ false
+ false
+ false
+
+ 1024
+ 4096
+
+
+ {% endfor %}
+ {% for peer in st.peers %}
+
+ dynamic
+ false
+ false
+ 0
+ 0
+ 0
+ false
+ 0
+
+ {% endfor %}
+
+ dynamic
+ false
+ false
+ 0
+ 0
+ 0
+ false
+ 0
+
+
+ {{ st.gui.address }}
+ {{ st.gui.user }}
+ {{ st.gui.password }}
+ {{ st.gui.apikey }}
+ {{ st.gui.theme }}
+
+
+
+ default
+ default
+ true
+ true
+ 21027
+ [ff12::8384]:21027
+ 0
+ 0
+ 60
+ true
+ 10
+ true
+ true
+ 60
+ 30
+ 10
+ 3
+ 3
+
+ https://data.syncthing.net/newdata
+ false
+ 1800
+ 12
+ false
+ 24
+ false
+ 5
+ false
+ 1
+ https://upgrades.syncthing.net/meta.json
+ false
+ 10
+ 0
+ true
+ 0
+ https://crash.syncthing.net/newcrash
+ true
+ 180
+ 20
+ default
+ auto
+ 0
+ true
+ false
+ 0
+ 0
+ false
+ 10
+ 20
+ 30
+ 40
+ 50
+ 0
+
+
+
+ basic
+
+
+
+ 1
+
+ 3600
+
+ basic
+
+ 0
+ 0
+ 0
+ random
+ false
+ 0
+ 0
+ 10
+ false
+ false
+ false
+ 25
+ .stfolder
+ false
+ 0
+ 2
+ false
+ standard
+ standard
+ false
+ false
+ false
+ false
+ false
+ false
+
+ 1024
+ 4096
+
+
+
+ dynamic
+ false
+ false
+ 0
+ 0
+ 0
+ false
+ 0
+
+
+
+
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2
new file mode 100644
index 0000000..6701dd2
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2
@@ -0,0 +1,62 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+ traefik:
+ external: true
+
+configs:
+ config:
+ external: true
+ name: "{{ config.config_name }}"
+ private_key:
+ external: true
+ name: "{{ key.config_name }}"
+ certificate:
+ external: true
+ name: "{{ cert.config_name }}"
+
+volumes:
+ nextcloud_data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/nextcloud/data"
+
+services:
+ syncthing:
+ image: lscr.io/linuxserver/syncthing:1.23.6
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik
+
+ - traefik.http.routers.syncthing.entrypoints=localsecure
+ - traefik.http.routers.syncthing.rule=Host(`sync.kun.is`)
+ - traefik.http.routers.syncthing.service=syncthing
+ - traefik.http.routers.syncthing.tls=true
+ - traefik.http.routers.syncthing.tls.certresolver=letsencrypt
+ - traefik.http.services.syncthing.loadbalancer.server.port=8384
+ environment:
+ - PUID=33
+ - PGID=33
+ - TZ=Europe/Amsterdam
+ volumes:
+ - type: volume
+ source: nextcloud_data
+ target: /data
+ volume:
+ nocopy: true
+ configs:
+ - source: config
+ target: /config/config.xml
+ - source: private_key
+ target: /config/key.pem
+ uid: '33'
+ gid: '33'
+ - source: certificate
+ target: /config/cert.pem
+ uid: '33'
+ gid: '33'
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem b/legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem
new file mode 100644
index 0000000..d858202
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem
@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+31373963666334633437386361353532396162653439373964333935643065383836383537336238
+3065306235363835343330393366326630383163633664300a653635653932663566376165623030
+33666262643032383764343134326439363536353439363134353432373263316164373139633838
+6336363735333862360a386235366434656336333762343330633030613437626262353934636163
+38376431343934373637343631373962653262613766393561383631303563383935616630663833
+62363533616235303834376233663033373531666632313237303661653265613061373131646266
+31643839386134383934623632336538386462626261613039306432366564616162366435363331
+34663464386630373134346264386334376334336363623137363831326338323234373662653932
+33373331663065336230313731303139653036646261643535393662633165356632306536393530
+30363066373064353936313461663235386465323734636263323063333365633066633736336436
+38623966353634356636343833653131646131633536383339663433306130386461303735323632
+64646465373533306266353932653561623363396137383532373734653462346239646562353136
+64313539383566663939663734333565643637376239383337363066373639613934303633343762
+37646565666635363231396139326536356533343065333731656363613731333136636561376430
+35356432373537363034653231636465303135363534323766333530353433663462653837643162
+39616664636464343435643039646362336634333561356438386262653231323033343662383138
+66633534336232663438666632373966613335396639383836666333656235376339343538313838
+39356165323361386535306664643537363764393365363639366637343332306537653962396339
+323030323036393662646636303330666561
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml
new file mode 100644
index 0000000..af3b970
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml
@@ -0,0 +1,29 @@
+- name: Create cert.pem config
+ docker_config:
+ name: syncthing_cert
+ data: "{{ lookup('file', '{{ role_path }}/cert.pem') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: cert
+
+- name: Create key.pem config
+ docker_config:
+ name: syncthing_key
+ data: "{{ lookup('file', '{{ role_path }}/key.pem') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: key
+
+- name: Create config.xml config
+ docker_config:
+ name: syncthing_config
+ data: "{{ lookup('template', '{{ role_path }}/config.xml.j2') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: config
+
+- name: Deploy Docker stack
+ docker_stack:
+ name: syncthing
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml
new file mode 100644
index 0000000..1e1abcb
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml
@@ -0,0 +1,34 @@
+st:
+ server:
+ id: "IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC"
+ name: "dd219859eab5"
+ gui:
+ address: "127.0.0.1:8384"
+ user: pim
+ password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66383234373561373935313863393338623331393233626635653637383734623539376633326561
+ 3464633966383864306131383334633633356363636163300a393562383730613934613439663431
+ 63653465316130626232663132626466643164313830613933363535336634313164386162643839
+ 6235303662633931390a313230363636656639653531636131333862356363663535313133663138
+ 38356566656161646636313766353937373433663631636265303464633437303464396537663264
+ 66326530313661636264336634613633316462343034386134636365383736636436613065323236
+ 323933363666353232393635376136363239
+ apikey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31633162323338303133353838613336623961626635623165626335353263336130393166666535
+ 3763336662326336333436333635656230393838366163660a393737303132373466633265306433
+ 66336636666132373235646638653130633263343532353831653533656538663038326463306232
+ 3132646634376166620a663339346239643561616362333036633363396263323761663134373630
+ 30613730373131636262636266623363663561363863323938613832393864396633656664356534
+ 3563626633643766643339316132383434303538636666623934
+ theme: default
+ peers:
+ - id: "B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ"
+ name: "Pixel 4a"
+ folders:
+ - id: "rthas-wdjsw"
+ label: "pim"
+ path: "/data/data/pim/files"
+ devices:
+ - "B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ"
diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2
new file mode 100644
index 0000000..a865683
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2
@@ -0,0 +1,135 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+ traefik:
+ external: true
+
+configs:
+ services:
+ external: true
+ name: "{{ services.config_name }}"
+
+volumes:
+ acme:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/traefik/acme"
+
+services:
+ traefik:
+ image: traefik:3.0.0-beta2
+ networks:
+ - traefik
+ ports:
+ - mode: host
+ protocol: tcp
+ published: 443
+ target: 443
+ - mode: host
+ protocol: tcp
+ published: 80
+ target: 80
+ - mode: host
+ protocol: tcp
+ published: 444
+ target: 444
+ deploy:
+ placement:
+ constraints:
+ - node.role == manager
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.dashboard.entrypoints=localsecure
+ - traefik.http.routers.dashboard.rule=Host(`traefik.kun.is`)
+ - traefik.http.routers.dashboard.service=api@internal
+ - traefik.http.services.dashboard.loadbalancer.server.port=8080
+ - traefik.http.routers.dashboard.tls=true
+ - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
+ - traefik.docker.network=traefik
+
+ - traefik.http.routers.esrom.entrypoints=websecure
+ - traefik.http.routers.esrom.service=esrom@file
+ - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
+ - traefik.http.routers.esrom.tls=true
+ - traefik.http.routers.esrom.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.uptime.entrypoints=localsecure
+ - traefik.http.routers.uptime.rule=Host(`uptime.kun.is`)
+ - traefik.http.routers.uptime.service=uptime@file
+ - traefik.http.routers.uptime.tls=true
+ - traefik.http.routers.uptime.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.ntfy.entrypoints=websecure
+ - traefik.http.routers.ntfy.rule=Host(`ntfy.kun.is`)
+ - traefik.http.routers.ntfy.service=ntfy@file
+ - traefik.http.routers.ntfy.tls=true
+ - traefik.http.routers.ntfy.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.apprise.entrypoints=localsecure
+ - traefik.http.routers.apprise.rule=Host(`apprise.kun.is`)
+ - traefik.http.routers.apprise.service=apprise@file
+ - traefik.http.routers.apprise.tls=true
+ - traefik.http.routers.apprise.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.concourse.entrypoints=websecure
+ - traefik.http.routers.concourse.rule=Host(`ci.kun.is`)
+ - traefik.http.routers.concourse.service=concourse@file
+ - traefik.http.routers.concourse.tls=true
+ - traefik.http.routers.concourse.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.discourse.entrypoints=websecure
+ - traefik.http.routers.discourse.rule=Host(`tuindersweijde.geokunis2.nl`)
+ - traefik.http.routers.discourse.service=discourse@file
+ - traefik.http.routers.discourse.tls=true
+ - traefik.http.routers.discourse.tls.certresolver=letsencrypt
+ volumes:
+ - type: bind
+ source: /var/run/docker.sock
+ target: /var/run/docker.sock
+ - type: volume
+ source: acme
+ target: /acme
+ volume:
+ nocopy: true
+ configs:
+ - source: services
+ target: /etc/traefik/services.yml
+ command:
+ - --providers.docker
+ - --providers.docker.swarmmode
+ - --providers.docker.watch
+ - --providers.docker.exposedbydefault=false
+
+ - --providers.file.filename=/etc/traefik/services.yml
+
+ - --api
+ - --api.insecure=false
+ - --api.dashboard=true
+
+ - --entrypoints.web.address=:80
+ - --entrypoints.web.http.redirections.entrypoint=true
+ - --entrypoints.web.http.redirections.entrypoint.to=websecure
+ - --entrypoints.web.http.redirections.entrypoint.scheme=https
+ - --entrypoints.web.http.redirections.entrypoint.permanent=true
+
+ - --entrypoints.websecure.address=:443
+
+ - --entrypoints.localsecure.address=:444
+
+ - --certificatesresolvers.letsencrypt.acme=true
+ - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
+ - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+
+ - --serversTransport.insecureSkipVerify=true
+
+ - --accesslog=true
+ - --accesslog.fields.defaultmode=keep
+ - --accesslog.fields.names.ClientUsername=drop
+ - --accesslog.fields.headers.defaultmode=keep
+ - --accesslog.fields.headers.names.User-Agent=keep
+ - --accesslog.fields.headers.names.Authorization=drop
+ - --accesslog.fields.headers.names.Content-Type=keep
diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/services.yml b/legacy/projects/docker_swarm/ansible/roles/traefik/services.yml
new file mode 100644
index 0000000..648519a
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/traefik/services.yml
@@ -0,0 +1,26 @@
+http:
+ services:
+ esrom:
+ loadBalancer:
+ servers:
+ - url: http://esrom.dmz:80/
+ uptime:
+ loadBalancer:
+ servers:
+ - url: http://iris.dmz:3001
+ ntfy:
+ loadBalancer:
+ servers:
+ - url: http://iris.dmz:3002
+ apprise:
+ loadBalancer:
+ servers:
+ - url: http://iris.dmz:3003
+ concourse:
+ loadBalancer:
+ servers:
+ - url: http://concourse.dmz:3000
+ discourse:
+ loadBalancer:
+ servers:
+ - url: http://forum.dmz:80
diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml
new file mode 100644
index 0000000..462bf49
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Create Traefik network
+ docker_network:
+ name: traefik
+ driver: overlay
+
+- name: Create Docker config
+ docker_config:
+ name: traefik_services
+ data: "{{ lookup('file', '{{ role_path }}/services.yml') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: services
+
+- name: Deploy Docker stack
+ docker_stack:
+ name: traefik
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/main.tf b/legacy/projects/docker_swarm/vm/main.tf
similarity index 84%
rename from legacy/projects/docker_swarm/main.tf
rename to legacy/projects/docker_swarm/vm/main.tf
index 7dfc05c..02b1002 100644
--- a/legacy/projects/docker_swarm/main.tf
+++ b/legacy/projects/docker_swarm/vm/main.tf
@@ -24,14 +24,14 @@ provider "libvirt" {
}
module "setup_jefke" {
- source = "../../terraform_modules/setup"
+ source = "../../../terraform_modules/setup"
providers = {
libvirt = libvirt.jefke
}
}
module "bancomart" {
- source = "../../terraform_modules/debian"
+ source = "../../../terraform_modules/debian"
name = "bancomart"
ram = 4096
storage = 25
@@ -41,14 +41,14 @@ module "bancomart" {
}
module "setup_atlas" {
- source = "../../terraform_modules/setup"
+ source = "../../../terraform_modules/setup"
providers = {
libvirt = libvirt.atlas
}
}
module "maestro" {
- source = "../../terraform_modules/debian"
+ source = "../../../terraform_modules/debian"
name = "maestro"
ram = 8192
storage = 35
diff --git a/legacy/projects/hermes/vm/main.tf b/legacy/projects/hermes/vm/main.tf
index ba4b00f..a77bfd8 100644
--- a/legacy/projects/hermes/vm/main.tf
+++ b/legacy/projects/hermes/vm/main.tf
@@ -19,7 +19,7 @@ provider "libvirt" {
}
module "hermes" {
- source = "../../terraform_modules/debian"
+ source = "../../../terraform_modules/debian"
name = "hermes"
ram = 1024
storage = 25
diff --git a/legacy/projects/thecloud/ansible/ansible.cfg b/legacy/projects/thecloud/ansible/ansible.cfg
new file mode 100644
index 0000000..1cf41a8
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+roles_path=~/.ansible/roles:roles:/usr/share/ansible/roles:/etc/ansible/roles
+inventory=inventory
+vault_password_file=$HOME/.config/home/ansible-vault-secret
+interpreter_python=/usr/bin/python3
+
+[diff]
+always = True
diff --git a/legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml b/legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml
new file mode 100644
index 0000000..04c7e52
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml
@@ -0,0 +1,19 @@
+apt_install_packages:
+ - postgresql
+ - python3-psycopg2
+ - nfs-kernel-server
+ - qemu-guest-agent
+
+nfs_exports: []
+
+redis_bind_interface: 0.0.0.0
+redis_requirepass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37323965303638333264653936616563323235363463396330363836653865393835346263383838
+ 3030386166316365633538353539623066626434313332390a616131303434373264633934356361
+ 30356335643638656433326230363462373533396533366261346630353163353137333865303132
+ 3536636165366631310a643538353331366130663464386565343331653031333061333330613532
+ 34663932653734336239303536323331396435386332666133343033373566386562326136656330
+ 63393766353063646361643565323238376334333637363232626139333664643065613237666532
+ 31623032613763303136353232323837376637336431306534306336356165363039666634336433
+ 30376464323862373833
diff --git a/legacy/projects/thecloud/ansible/inventory/hosts.yml b/legacy/projects/thecloud/ansible/inventory/hosts.yml
new file mode 100644
index 0000000..19e626d
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/inventory/hosts.yml
@@ -0,0 +1,5 @@
+all:
+ hosts:
+ thecloud:
+ ansible_user: root
+ ansible_host: thecloud.dmz
diff --git a/legacy/projects/thecloud/ansible/requirements.yml b/legacy/projects/thecloud/ansible/requirements.yml
new file mode 100644
index 0000000..866196a
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/requirements.yml
@@ -0,0 +1,6 @@
+- name: apt
+ src: https://github.com/sunscrapers/ansible-role-apt.git
+ scm: git
+- name: cloudinit_wait
+ src: https://git.kun.is/pim/ansible-role-cloudinit-wait
+ scm: git
diff --git a/legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml b/legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml
new file mode 100644
index 0000000..a09812e
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart postgres
+ systemd:
+ name: postgresql
+ state: restarted
diff --git a/legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml b/legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml
new file mode 100644
index 0000000..d3e811e
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: Open postgres port
+ ini_file:
+ path: /etc/postgresql/15/main/postgresql.conf
+ section: null
+ option: listen_addresses
+ value: "'*'"
+ notify: restart postgres
+
+- name: Change data directory
+ ini_file:
+ path: /etc/postgresql/15/main/postgresql.conf
+ section: null
+ option: data_directory
+ value: "'/mnt/data/postgresql'"
+ notify: restart postgres
diff --git a/legacy/projects/thecloud/ansible/thecloud.yml b/legacy/projects/thecloud/ansible/thecloud.yml
new file mode 100644
index 0000000..f019457
--- /dev/null
+++ b/legacy/projects/thecloud/ansible/thecloud.yml
@@ -0,0 +1,31 @@
+---
+- name: Wait for Cloud-Init to finish
+ hosts: all
+ gather_facts: no
+ roles:
+ - cloudinit_wait
+
+- name: Setup NFS
+ hosts: thecloud
+
+ roles:
+ - {role: apt, tags: apt}
+ - {role: postgresql, tags: postgresql}
+
+ post_tasks:
+ - name: Ensure NFS exports directory exists
+ file:
+ path: /etc/exports.d
+ state: directory
+
+ - name: Start NFS
+ systemd:
+ name: nfs-kernel-server
+ state: started
+ enabled: true
+
+ - name: Enable Qemu guest agent
+ systemd:
+ name: qemu-guest-agent
+ state: started
+ enabled: true
diff --git a/legacy/projects/thecloud/data/main.tf b/legacy/projects/thecloud/data/main.tf
new file mode 100644
index 0000000..cf09328
--- /dev/null
+++ b/legacy/projects/thecloud/data/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ backend "pg" {
+ schema_name = "thecloud-data"
+ conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
+ }
+
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
+ }
+ }
+}
+
+# https://libvirt.org/uri.html#libssh-and-libssh2-transport
+provider "libvirt" {
+ uri = "qemu+ssh://root@lewis.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
+}
+
+module "data_pool" {
+ source = "../../../terraform_modules/setup/data"
+}
+
+resource "libvirt_volume" "data" {
+ name = "thecloud-data.qcow2"
+ pool = "data"
+ size = 1024 * 1024 * 1024 * 150
+}
+
+output "data_disk_id" {
+ value = libvirt_volume.data.id
+}
diff --git a/legacy/projects/thecloud/vm/main.tf b/legacy/projects/thecloud/vm/main.tf
new file mode 100644
index 0000000..25307cb
--- /dev/null
+++ b/legacy/projects/thecloud/vm/main.tf
@@ -0,0 +1,40 @@
+terraform {
+ backend "pg" {
+ schema_name = "thecloud"
+ conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
+ }
+
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
+ }
+ }
+}
+
+# https://libvirt.org/uri.html#libssh-and-libssh2-transport
+provider "libvirt" {
+ alias = "lewis"
+ uri = "qemu+ssh://root@lewis.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
+}
+
+module "setup_lewis" {
+ source = "../../../terraform_modules/setup"
+ providers = {
+ libvirt = libvirt.lewis
+ }
+}
+
+module "thecloud" {
+ source = "../../../terraform_modules/debian"
+ name = "thecloud"
+ ram = 1024
+ storage = 25
+ mac = "CA:FE:C0:FF:EE:0A"
+ data_disk = "/mnt/data/volumes/thecloud-data.qcow2"
+ providers = {
+ libvirt = libvirt.lewis
+ }
+
+ depends_on = [ module.setup_lewis ]
+}
diff --git a/legacy/terraform_modules/README.md b/legacy/terraform_modules/README.md
index 70e2b7d..8d90a18 100644
--- a/legacy/terraform_modules/README.md
+++ b/legacy/terraform_modules/README.md
@@ -4,4 +4,4 @@ Terraform modules we use for the virtual machines in our home network.
These are all personalized and probably of little use outside our network.
The modules are currently:
- `debian`: Personalized Debian VM using Terraform's `libvirt` provider
-- `invariants`: Invariants for our home network we use in multiple places.
+- `setup`: Prepares the physical machine with required libvirt pools and other prerequisites.
diff --git a/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl b/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl
index 1df897e..6523220 100644
--- a/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl
+++ b/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl
@@ -13,7 +13,21 @@ ssh_authorized_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
-ssh_pwauth: false
+%{ if data_disk != null }
+device_aliases:
+ data: /dev/vdb
+disk_setup:
+ data:
+ table_type: 'gpt'
+ layout: true
+ overwrite: false
+fs_type:
+ - label: 'data'
+ filesystem: 'ext4'
+ overwrite: false
+mounts:
+ - ["data.1", "/mnt/data"]
+%{ endif }
# TODO: Do we need this?
runcmd:
diff --git a/legacy/terraform_modules/debian/main.tf b/legacy/terraform_modules/debian/main.tf
index fd8597c..c806519 100644
--- a/legacy/terraform_modules/debian/main.tf
+++ b/legacy/terraform_modules/debian/main.tf
@@ -25,6 +25,7 @@ resource "libvirt_cloudinit_disk" "main" {
pool = "cloudinit"
user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", {
hostname = var.name
+ data_disk = var.data_disk
})
network_config = templatefile("${path.module}/files/network_config.cfg.tftpl", {
static_ip = var.static_ip
@@ -41,6 +42,14 @@ resource "libvirt_domain" "main" {
volume_id = libvirt_volume.os.id
}
+ dynamic "disk" {
+ for_each = var.data_disk != null ? [1] : []
+
+ content {
+ volume_id = var.data_disk
+ }
+ }
+
network_interface {
bridge = "bridgedmz"
hostname = var.name
diff --git a/legacy/terraform_modules/debian/variables.tf b/legacy/terraform_modules/debian/variables.tf
index db7ab43..23cc02d 100644
--- a/legacy/terraform_modules/debian/variables.tf
+++ b/legacy/terraform_modules/debian/variables.tf
@@ -22,3 +22,8 @@ variable "static_ip" {
type = string
default = null
}
+
+variable "data_disk" {
+ type = string
+ default = null
+}
diff --git a/legacy/terraform_modules/setup/data/main.tf b/legacy/terraform_modules/setup/data/main.tf
new file mode 100644
index 0000000..974029d
--- /dev/null
+++ b/legacy/terraform_modules/setup/data/main.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ }
+ }
+}
+
+resource "libvirt_pool" "data" {
+ name = "data"
+ type = "dir"
+ path = "/mnt/data/volumes"
+}
diff --git a/machines/default.nix b/machines/default.nix
index 36e9fe5..ece24b4 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -32,23 +32,23 @@
};
};
- # lewis = {
- # name = "lewis";
- # hostName = "lewis.hyp";
+ lewis = {
+ name = "lewis";
+ hostName = "lewis.hyp";
- # nixosModule.custom = {
- # disko.osDiskDevice = "/dev/sda";
+ nixosModule.custom = {
+ disko.osDiskDevice = "/dev/sda";
- # dataDisk = {
- # enable = true;
- # devicePath = "/dev/nvme0n1p1";
- # };
+ dataDisk = {
+ enable = true;
+ devicePath = "/dev/nvme0n1p1";
+ };
- # ssh = {
- # useCertificates = true;
- # hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
- # userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
- # };
- # };
- # };
+ ssh = {
+ useCertificates = true;
+ hostCert = builtins.readFile ./lewis_host_ed25519-cert.pub;
+ userCert = builtins.readFile ./lewis_user_ed25519-cert.pub;
+ };
+ };
+ };
}
diff --git a/secrets/lewis_host_ed25519.age b/secrets/lewis_host_ed25519.age
new file mode 100644
index 0000000..78333f6
Binary files /dev/null and b/secrets/lewis_host_ed25519.age differ
diff --git a/secrets/lewis_user_ed25519.age b/secrets/lewis_user_ed25519.age
new file mode 100644
index 0000000..6639453
--- /dev/null
+++ b/secrets/lewis_user_ed25519.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 aqswPA eCaomN/OCSet7JteG5GE1xArpi+zLdVjD415HRSa1hE
+lgBm3ZCSzQlSOxLtLR6NW33TQcWgmU0nIMzZXpaTdsQ
+--- z8b1blOyH3Ne62B4YO0UcwgGorWXHtguz453oHYUEV0
+
+"]kRqї+f*/# ܢ,U,5ЈūQ9K><%/P@%#;0+Te
? "S
+)bYZ}-ܙ7U%:i
+2;T1jN#sYԑdR檸}W?ؠZ0*UQdrɪu]ۏ$E#=hA
k+Z"sɑ_5%(
˪W1GƀdҰw!WpȿJ2_.
+x%G/'PdWI