Update mariadb Docker tag to v11

.yamllint.yml

@@ -5,6 +5,7 @@ ignore: |
   ansible/galaxy_collections
   ansible/group_vars/all/vps-hosts.yml
   ansible/roles/traefik/files/traefik.yml
+  ansible/roles/nebula/files/nebula.yml
   env
 
 rules:

ansible/.ansible-lint

@@ -12,4 +12,5 @@ exclude_paths:
   - galaxy_roles/
   - galaxy_collections/
   - ~/.ansible
+  - roles/nebula/files/nebula.yml
   - roles/traefik/files/traefik.yml

ansible/ansible.cfg

@@ -5,11 +5,8 @@ retry_files_enabled = False
 roles_path = $PWD/galaxy_roles:$PWD/roles
 collections_path = $PWD/galaxy_collections
 inventory = ./hosts
-interpreter_python = auto_silent
-
-[privilege_escalation]
-become = True
 become_ask_pass = True
+interpreter_python = auto_silent
 
 [ssh_connection]
 pipelining = True

ansible/dev-requirements.txt

@@ -1,4 +1,4 @@
-ansible-lint==24.9.2
+ansible-lint==24.5.0
 yamllint==1.33.0
 ansible
 passlib

ansible/files/nginx-docker.conf

@@ -7,8 +7,6 @@ server {
     server_name {{ server_name }};
     set $upstream {{ upstream }};
 
-    access_log /var/log/nginx/{{ server_name|split|first }}.log main;
-
     ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
     ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
     ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;

ansible/galaxy-requirements.yml

@@ -8,7 +8,7 @@ collections:
 
 roles:
   - src: geerlingguy.docker
-    version: 7.4.1
+    version: 7.3.0
   - src: geerlingguy.ntp
     version: 2.5.0
   - src: realorangeone.reflector
@@ -17,6 +17,6 @@ roles:
   - src: ironicbadger.snapraid
     version: 1.0.0
   - src: geerlingguy.certbot
-    version: 5.2.0
+    version: 5.1.0
   - src: artis3n.tailscale
     version: v4.5.0

ansible/group_vars/all/nebula.yml

@@ -0,0 +1,9 @@
+nebula:
+  cidr: 10.23.2.0/24
+  clients:
+    casey:
+      ip: 10.23.2.1
+    walker:
+      ip: 10.23.2.4
+    ingress:
+      ip: 10.23.2.5

ansible/group_vars/all/network.yml

@@ -1 +1,2 @@
+private_ip: "{{ nebula.clients[hostname_slug].ip }}"
 ssh_port: 7743

ansible/group_vars/all/tailscale.yml

@@ -5,7 +5,3 @@ tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
 tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
 
 tailscale_port: 41641
-
-tailscale_nodes:
-  casey:
-    ip: 100.64.0.6

ansible/host_vars/casey/main.yml

@@ -1,4 +1,6 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
+nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
+
 nginx_https_redirect: true
 
 certbot_certs:

ansible/host_vars/ingress.yml

@@ -1,2 +1,4 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
+# Listen on a static port so it can be opened in the firewall
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
+
 nginx_https_redirect: true

ansible/host_vars/walker/main.yml

@@ -1,5 +1,3 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
-
 restic_backup_locations:
   - /opt
 
@@ -8,6 +6,8 @@ nginx_https_redirect: true
 certbot_certs:
   - domains:
       - theorangeone.net
+  - domains:
+      - commento.theorangeone.net
   - domains:
       - plausible.theorangeone.net
       - elbisualp.theorangeone.net

ansible/main.yml

@@ -9,10 +9,13 @@
 - hosts: casey
   roles:
     - nginx
-    - geerlingguy.certbot
+    - role: geerlingguy.certbot
+      become: true
     - gateway
+    - nebula
     - headscale
     - restic
+    - artis3n.tailscale
     - glinet_vpn
 
 - hosts:
@@ -23,6 +26,7 @@
     - tang
   roles:
     - role: geerlingguy.ntp
+      become: true
       vars:
         ntp_timezone: "{{ timezone }}"
         ntp_manage_config: true
@@ -34,7 +38,8 @@
     - renovate
     - gitea-runner
   roles:
-    - geerlingguy.docker
+    - role: geerlingguy.docker
+      become: true
     - docker_cleanup
 
 - hosts:
@@ -49,23 +54,16 @@
   roles:
     - traefik
 
-- hosts:
-    - ingress
-    - walker
-    - casey
-  become: false  # Forcefully run as current user
-  roles:
-    - artis3n.tailscale
-
 - hosts: pve-docker
   roles:
     - pve_docker
     - yourls
+    - pve_nebula_route
     - privatebin
     - vaultwarden
     - tandoor
     - mastodon
-    - forgejo
+    - gitea
     - vikunja
     - authentik
     - minio
@@ -75,18 +73,25 @@
   roles:
     - nginx
     - ingress
+    - nebula
+    - artis3n.tailscale
 
 - hosts: pve
   roles:
-    - ironicbadger.proxmox_nag_removal
+    - role: ironicbadger.proxmox_nag_removal
+      become: true
     - zfs
-    - ironicbadger.snapraid
+    - pve_nebula_route
-    - prometheus.prometheus.node_exporter
+    - role: ironicbadger.snapraid
+      become: true
+    - role: prometheus.prometheus.node_exporter
+      become: true
 
 - hosts: forrest
   roles:
     - prometheus
     - uptime_kuma
+    - pve_nebula_route
     - pve_tailscale_route
 
 - hosts: qbittorrent
@@ -98,11 +103,15 @@
 - hosts: walker
   roles:
     - nginx
-    - geerlingguy.certbot
+    - role: geerlingguy.certbot
+      become: true
+    - nebula
     - coredns_docker_proxy
     - plausible
     - restic
+    - commento
     - website
+    - artis3n.tailscale
     - slides
     - comentario
 
@@ -117,7 +126,7 @@
 
 - hosts: gitea-runner
   roles:
-    - forgejo_runner
+    - gitea_runner
 
 - hosts: renovate
   roles:
@@ -126,5 +135,6 @@
 - hosts: tang
   roles:
     - adguardhome
-    - prometheus.prometheus.node_exporter
+    - role: prometheus.prometheus.node_exporter
+      become: true
     - restic

ansible/roles/adguardhome/handlers/main.yml

@@ -3,9 +3,11 @@
     name: coredns
     state: restarted
     enabled: true
+  become: true
 
 - name: restart systemd-resolved
   service:
     name: systemd-resolved
     state: restarted
     enabled: true
+  become: true

ansible/roles/adguardhome/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: Install adguardhome
   kewlfft.aur.aur:
     name: adguardhome-bin
+  become: true
 
 - name: Disable resolved stub
   template:
@@ -9,6 +10,7 @@
     owner: root
     mode: "0644"
   notify: restart systemd-resolved
+  become: true
 
 - name: Use resolved resolv.conf
   file:
@@ -16,10 +18,12 @@
     dest: /etc/resolv.conf
     state: link
   notify: restart systemd-resolved
+  become: true
 
 - name: Install coredns
   kewlfft.aur.aur:
     name: coredns
+  become: true
 
 - name: Install coredns config file
   template:
@@ -28,3 +32,4 @@
     owner: coredns
     mode: "0644"
   notify: restart coredns
+  become: true

ansible/roles/authentik/files/docker-compose.yml

@@ -19,7 +19,7 @@ x-env: &env
 
 services:
   server:
-    image: ghcr.io/goauthentik/server:2024.8
+    image: ghcr.io/goauthentik/server:2024.6
     restart: unless-stopped
     command: server
     user: "{{ docker_user.id }}"
@@ -42,7 +42,7 @@ services:
       - traefik
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.8
+    image: ghcr.io/goauthentik/server:2024.6
     restart: unless-stopped
     command: worker
     user: "{{ docker_user.id }}"

ansible/roles/authentik/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -16,3 +17,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart authentik
+  become: true

ansible/roles/base/files/ssh-jail.conf

@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}

ansible/roles/base/files/sshd_config

@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
 
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0

ansible/roles/base/tasks/fail2ban.yml

@@ -1,21 +1,25 @@
 - name: Install fail2ban
   package:
     name: fail2ban
+  become: true
 
 - name: Enable fail2ban
   service:
     name: fail2ban
     enabled: true
+  become: true
 
 - name: fail2ban SSH jail
   template:
     src: files/ssh-jail.conf
     dest: /etc/fail2ban/jail.d/ssh.conf
     mode: "0600"
+  become: true
   register: fail2ban_jail
 
 - name: Restart fail2ban
   service:
     name: fail2ban
     state: restarted
+  become: true
   when: fail2ban_jail.changed

ansible/roles/base/tasks/logrotate.yml

@@ -1,11 +1,13 @@
 - name: Install logrotate
   package:
     name: logrotate
+  become: true
 
 - name: Enable logrotate timer
   service:
     name: logrotate.timer
     enabled: true
+  become: true
   when: ansible_os_family == 'Archlinux'
 
 - name: logrotate fail2ban config
@@ -13,3 +15,4 @@
     src: files/fail2ban-logrotate
     dest: /etc/logrotate.d/fail2ban
     mode: "0600"
+  become: true

ansible/roles/base/tasks/packages.yml

@@ -1,6 +1,7 @@
 - name: Install Base Packages
   package:
     name: "{{ item }}"
+  become: true
   loop:
     - htop
     - neofetch

ansible/roles/base/tasks/ssh.yml

@@ -1,11 +1,13 @@
 - name: Install OpenSSH for Debian
   package:
     name: openssh-server
+  become: true
   when: ansible_os_family == 'Debian'
 
 - name: Install OpenSSH for Arch
   package:
     name: openssh
+  become: true
   when: ansible_os_family == 'Archlinux'
 
 - name: Define context
@@ -20,6 +22,7 @@
     validate: /usr/sbin/sshd -t -f %s
     backup: true
     mode: "644"
+  become: true
   register: sshd_config
 
 - name: Set up authorized keys
@@ -35,9 +38,11 @@
   service:
     name: sshd
     enabled: true
+  become: true
 
 - name: Restart SSH Daemon
   service:
     name: sshd
     state: reloaded
   when: sshd_config.changed
+  become: true

ansible/roles/base/tasks/user.yml

@@ -5,9 +5,11 @@
     comment: "{{ me.name }}"
     shell: /bin/bash
     system: true
+  become: true
 
 - name: Give user sudo access
   user:
     name: "{{ me.user }}"
     groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
     append: true
+  become: true

ansible/roles/comentario/files/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   comentario:
-    image: registry.gitlab.com/comentario/comentario:v3.11.0
+    image: registry.gitlab.com/comentario/comentario:v3.9.0
     restart: unless-stopped
     user: "{{ docker_user.id }}:{{ docker_user.id }}"
     depends_on:

ansible/roles/comentario/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -16,6 +17,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart comentario
+  become: true
 
 - name: Install secrets
   copy:
@@ -24,6 +26,7 @@
     mode: "600"
     owner: "{{ docker_user.name }}"
   notify: restart comentario
+  become: true
 
 - name: Install nginx config
   template:
@@ -31,6 +34,7 @@
     dest: /etc/nginx/http.d/comentario.conf
     mode: "0644"
   notify: reload nginx
+  become: true
   vars:
     server_name: comentario.theorangeone.net
     upstream: comentario-comentario-1.docker:80

ansible/roles/comentario/vars/main.yml

@@ -11,9 +11,6 @@ comentario_secrets:
     gitlab:
       key: "{{ vault_comentario_gitlab_application_id }}"
       secret: "{{ vault_comentario_gitlab_application_secret }}"
-    twitter:
-      key: "{{ vault_comentario_twitter_api_key }}"
-      secret: "{{ vault_comentario_twitter_api_secret  }}"
   smtpServer:
     host: smtp.eu.mailgun.org
     port: 587

ansible/roles/comentario/vars/vault.yml

@@ -1,38 +1,30 @@
 $ANSIBLE_VAULT;1.1;AES256
-36376264363334643335646564636336613234393261326366386234663464633966666133383933
+33656462373736356363313738643335333930343461366666663532653264363963653732656366
-3731363234333962306638323737336237343230653439650a343362336166626633666161313863
+3034323730613334326462326332323763323665636165390a303639633036303831373966303037
-33623130623239626532663063633436616665653135343266336330353538306265323739326262
+37376233383138323265396531303739316330396230333464383963333035343735303866626334
-3066643432643465350a643436366637623765663265316665386564663933663730383264396336
+6562393435303264620a633139616164303337363863616138306531656365353964346638646165
-39396139396238653065366663333533343336363631616332616362386639313766656136666532
+35346539326339623364343662643038336238613535623964666562383662613661616564646433
-63336131346563323733333139636233353465643766643562643632653062373737353364336536
+30653432666538616565373832353434303565386333643735313866396436393732303466376237
-64653162656233383136363339623933643834363931663830656364396637333632613838323461
+64383236373364383338613530353830353334326331636436323766353565656664356138386532
-38666362663831363363636363346164343032376366346530393864306332326339323836643062
+62366266656461663330396562316439393038666534663564633037623237363532363637356336
-66346265643039663636616464383330366539343832373839663361393661353861643364633534
+63336633393666343064383735363664643936333130636465623139393838373134636265366439
-38383461323031626161663938326339386634363165303238333365323235303535333765613734
+64326538653236306437346165333934303134313032383135313335626136626162363831613430
-30363032386333353962306131373466356137666334303230343561616639363238633630386330
+30636436343162376637616262393633306330663362396638393166643131343564646162616530
-32383537646430666331313530343033376238646334313335343661313665626631663331656638
+62343735343832636661326265396262643136346366663337636335656137393231646438633338
-31303637343263343566386634623362373366323136663032663966313836353136616564646563
+61613137366661333462363134343732666330373864393636643665396435653064623030626466
-66653938326539343130346439666264663962323661386131643432663237643334633837376163
+65633536346531383565616130626461376566316535316339326363646336626266376330393939
-62393330336434393232646163353539303831336638663135393734393064353964623032616233
+33653438656438316532393665333939613334666464656635323566326439363964316535623233
-32393037313965313933363236653537306634613265633764636436653332623339316132373964
+38636236616637336230363032396635613563313966353334313365663434653138303764393938
-39313334653831366533663661653934633338393539326564396236373462623262333530346436
+37643561346338323934663936356563363833383435373933396138663334616563666562653935
-66646266623666333034346634613365356333343934363963366137303030646638373466643564
+33666631373964396265393233636631336632386537663663366439313137656661653265323162
-66356265363634623363646266633137363966666361366463383266663032316665373430383031
+64656333336165326563323333653036386334386566386664306638656130323665366136373732
-33303530323561366531356133363035353732333135303762316337626330333530303563643935
+34383532303363646334356534316630363133303031343665353465656239306338386238313262
-35303465633536373833386435336638386662353032383861633965393564303839666463616263
+30363438383164343661343730386162633430373765313834313739393638333963393234613564
-39353934343965316134663634363135616338353734656361343433313837313639303931356233
+30356134646431353132316565346331613137353431383863383866306632626336633764393036
-39643135353661306461393962646238613062356361386533316362633233353235666262653738
+66626466623034666335356539653136633331636365623061613433393335303535333433616137
-33616465653435303736636165343239336139383162616463613232656639393338363766396434
+65383231373230653838316630303736353237666431366134353534366564656338646265396162
-32353965363537666366623066313461316463373130653637343430366231366263616261393564
+61663366663532636635663337363063306466626463396630636236363736303963353062376163
-36323038383238633239323365326334393132643832373033643432653032613665646666336338
+63653530346335393934656531386139663136383132306564383937396364626365373839613766
-30316565346630396537363431366337656236363462646435393731323866313366373438386265
+62633264336335313932396164373363623061363262616330343735633862623234643365353035
-61373366383865336334356638653065333839303663636266393933663833313931333133663966
+36616231636461323832663837323232396636363561376563386530306339333431613935613263
-35306163373462613335616265316563313062623139343061306465656463336162396266636437
+30366335393834643066343763636561346336383463333535323932326663633338
-36646439613433306464383133636466383430363363393762646534343133333732613530626162
-31633430313039643636666365613232373335336235633832666139643937373766336563303266
-34396137656436373438383035316133343132313130636536393536393862386531386531303761
-64613337353463383032636636643963636235346262646366366539646233313939633864306335
-38373465373863383964633038373334386632666236303436376438666132623964396434626439
-38356235353430323236623962396461346438633962333163393535373362373164313132356232
-63313639333862313565396165613265623135626635373134626137633638333561353732313036
-3837

ansible/roles/commento/files/docker-compose.yml

@@ -0,0 +1,36 @@
+services:
+  commento:
+    image: ghcr.io/souramoo/commentoplusplus:latest
+    restart: unless-stopped
+    depends_on:
+      - db
+    networks:
+      - default
+      - coredns
+    environment:
+      - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
+      - COMMENTO_ORIGIN=https://commento.theorangeone.net
+      - COMMENTO_GZIP_STATIC=true
+      - COMMENTO_FORBID_NEW_OWNERS=true
+      - COMMENTO_GITHUB_KEY={{ vault_commento_github_client_id }}
+      - COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}
+      - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
+      - COMMENTO_SMTP_PORT=587
+      - COMMENTO_SMTP_USERNAME={{ vault_commento_smtp_username }}
+      - COMMENTO_SMTP_PASSWORD={{ vault_commento_smtp_password }}
+      - COMMENTO_SMTP_FROM_ADDRESS={{ vault_commento_from_email }}
+      - COMMENTO_GITLAB_KEY={{ vault_commento_gitlab_application_id }}
+      - COMMENTO_GITLAB_SECRET={{ vault_commento_gitlab_application_secret }}
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=commento
+      - POSTGRES_USER=commento
+
+networks:
+  coredns:
+    external: true

ansible/roles/commento/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart commento
+  shell:
+    chdir: /opt/commento
+    cmd: "{{ docker_update_command }}"

ansible/roles/commento/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/commento
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/commento/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart commento
+  become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/commento.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: commento.theorangeone.net
+    upstream: commento-commento-1.docker:8080
+    ssl_cert_path: /etc/letsencrypt/live/commento.theorangeone.net

ansible/roles/commento/vars/vault.yml

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+35343736363532306236303339356634316461383639333836393761356165633662326332613666
+3830323961313939316336393566363163646538623532310a363165666238653535353236383839
+35363730353939656330346639323331393562393339393562383034663231396164333261646438
+6564336362306636300a613634336337326534626263386466626238343130633864623862336563
+66326262613330373035663863663532626437303435333432383839303331333538363139643633
+64633465383135653265393033656135356166323238356130353633363030396366613164303033
+63303832376462616464333031366337626564633135386230313538353166343532643035336636
+31336531643766346438653333376364316162313765656330666330643261653433363339323665
+30623164373931336238303265316665373361336338346336646439356538333266393934343139
+34643433326330386564653461626264626231353863333935313665663462323234666463306266
+38626538666262333934393733626562313432393566643435376163653432613363663035333165
+36616431363563663235646433343564346164393034613436666362383233646636373163616666
+36376133346634653738376137393265303261626562366666303137313338633237313834386432
+66643264643532306364366562333837366636616237653033306538663435316163613266343565
+31633437353963313733326339666331323061363963303132363262343966653433303835323337
+31313363366631313930633061346265633261643238313762353932623230353938656264323437
+39346634383135306135326338616664336435343235383863393830386662393036383161303465
+33353261613537666464313437613335643830343336343535646665356333616266666233353065
+64313131306663313064633631663536386531343733643534336631666266613165313330653962
+35346262373437623333333234383531633238343463653862663236666337363738303463373664
+62343363323465313561376232633630303965306238316161383139316133343233343033376262
+63303264366536346234383063653838353638313561626433616462383339326631643533356639
+39653762633733363237383762356134366264356437346430343830616233373732616261613231
+62646639353132653038303536613738373137623236616631643738323737383637313633396135
+37613037313437613836336332346162383832613938356638333564346237373032356438363464
+31343464306131393362343433316666366632633036653262633361333165643735393231623932
+31643261326266323232383630353534326662303965393161343938663131343263363461303430
+31376161393038376262616333333362323033313436396164313438613532663564623633303365
+32656630663834633039316561663231656131383535653766316138313138346363633537373164
+62333532316135303366386261613131333364383031346364303938356631393865396133386633
+636462653562653538636531356537353133

ansible/roles/coredns_docker_proxy/tasks/main.yml

@@ -2,6 +2,7 @@
   docker_network:
     name: coredns
     internal: true
+  become: true
 
 - name: Create install directory
   file:
@@ -9,6 +10,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -18,3 +20,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart coredns
+  become: true

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -9,9 +9,6 @@ services:
       - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
     depends_on:
       - docker_proxy
-    networks:
-      - default
-      - backup_private
 
   docker_proxy:
     image: lscr.io/linuxserver/socket-proxy:latest
@@ -23,13 +20,5 @@ services:
       - EXEC=1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - backup_private
-    tmpfs:
-      - /run
     logging:
       driver: none
-
-networks:
-  backup_private:
-    internal: true

ansible/roles/db_auto_backup/tasks/main.yml

@@ -4,6 +4,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -13,3 +14,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart db-auto-backup
+  become: true

ansible/roles/docker_cleanup/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: Install docker-compose
   package:
     name: docker-compose
+  become: true
   when: ansible_os_family != 'Debian'
 
 - name: Install compose-switch
@@ -8,6 +9,7 @@
     url: "{{ docker_compose_url }}"
     dest: "{{ docker_compose_path }}"
     mode: "0755"
+  become: true
   when: ansible_os_family == 'Debian'
 
 - name: Create docker group
@@ -15,6 +17,7 @@
     name: "{{ docker_user.name }}"
     state: present
     gid: "{{ docker_user.id }}"
+  become: true
 
 - name: Create docker user
   user:
@@ -22,18 +25,21 @@
     uid: "{{ docker_user.id }}"
     group: "{{ docker_user.name }}"
     create_home: false
+  become: true
 
 - name: Add user to docker user group
   user:
     name: "{{ me.user }}"
     groups: "{{ docker_user.name }}"
     append: true
+  become: true
 
 - name: Add user to docker group
   user:
     name: "{{ me.user }}"
     groups: docker
     append: true
+  become: true
 
 - name: Clean up docker containers
   cron:
@@ -41,8 +47,6 @@
     hour: 1
     minute: 0
     job: docker system prune -af --volumes
-    cron_file: docker_cleanup
-    user: root
 
 - name: Install util scripts
   copy:
@@ -50,7 +54,6 @@
     dest: "{{ me.home }}"
     mode: "755"
     directory_mode: "755"
-    owner: "{{ me.user }}"
 
 - name: override docker service for zfs dependencies
   include_tasks: zfs-override.yml

ansible/roles/docker_cleanup/tasks/zfs-override.yml

@@ -3,6 +3,7 @@
     path: /etc/systemd/system/docker.service.d
     state: directory
     mode: "0755"
+  become: true
 
 - name: Create override.conf
   copy:
@@ -11,3 +12,4 @@
     owner: root
     group: root
     mode: "0644"
+  become: true

ansible/roles/forgejo_runner/files/config.yml

@@ -1,82 +0,0 @@
-# based on https://gitea.com/gitea/act_runner/src/tag/v0.2.6/internal/pkg/config/config.example.yaml
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: /data/.runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: "{{ ansible_processor_nproc }}"
-  # Extra environment variables to run jobs.
-  envs: {}
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-  env_file: /data/.env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 5s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `daemon`, will use labels in `.runner` file.
-  # labels: []
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in /data/.cache/actcache.
-  dir: /data/cache/server
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: ""
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 0
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: bridge
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options: ""
-  # The parent directory of a job's working directory.
-  # If it's empty, /workspace will be used.
-  workdir_parent: /workspace
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  force_pull: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, /data/.cache/act/ will be used.
-  workdir_parent: /data/cache/actions

ansible/roles/forgejo_runner/files/docker-compose.yml

@@ -1,44 +0,0 @@
-services:
-  forgejo-runner:
-    image: code.forgejo.org/forgejo/runner:4.0.1
-    user: "{{ docker_user.id }}"
-    volumes:
-      - /mnt/data:/data
-      - ./config.yml:/data/config.yml
-    environment:
-      - TZ={{ timezone }}
-      - DOCKER_HOST=tcp://docker_proxy:2375
-    restart: unless-stopped
-    command: forgejo-runner daemon
-    networks:
-      - default
-      - forgejo_private
-    depends_on:
-      - docker_proxy
-
-  docker_proxy:
-    image: lscr.io/linuxserver/socket-proxy:latest
-    restart: unless-stopped
-    environment:
-      - POST=1
-      - CONTAINERS=1
-      - INFO=1
-      - IMAGES=1
-      - VOLUMES=1
-      - NETWORKS=1
-      - ALLOW_START=1
-      - ALLOW_STOP=1
-      - ALLOW_RESTARTS=1
-      - EXEC=1
-    tmpfs:
-      - /run
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - forgejo_private
-    logging:
-      driver: none
-
-networks:
-  forgejo_private:
-    internal: true

ansible/roles/forgejo_runner/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart forgejo-runner
-  shell:
-    chdir: /opt/forgejo-runner
-    cmd: "{{ docker_update_command }}"

ansible/roles/gateway/files/nginx-fail2ban-jail.conf

@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}

ansible/roles/gateway/tasks/fail2ban.yml

@@ -3,6 +3,7 @@
     src: files/nginx-fail2ban-filter.conf
     dest: /etc/fail2ban/filter.d/nginx-tcp.conf
     mode: "0600"
+  become: true
   register: fail2ban_filter
 
 - name: fail2ban jail
@@ -10,10 +11,12 @@
     src: files/nginx-fail2ban-jail.conf
     dest: /etc/fail2ban/jail.d/nginx.conf
     mode: "0600"
+  become: true
   register: fail2ban_jail
 
 - name: Restart fail2ban
   service:
     name: fail2ban
     state: restarted
+  become: true
   when: fail2ban_filter.changed or fail2ban_jail.changed

ansible/roles/gateway/tasks/nginx.yml

@@ -3,6 +3,7 @@
     src: files/nginx.conf
     dest: /etc/nginx/stream.d/gateway.conf
     mode: "0644"
+  become: true
   register: nginx_config
 
 - name: Install CDN config
@@ -10,10 +11,12 @@
     src: files/nginx-cdn.conf
     dest: /etc/nginx/http.d/cdn.conf
     mode: "0644"
+  become: true
   register: nginx_config
 
 - name: Reload Nginx
   service:
     name: nginx
     state: reloaded
+  become: true
   when: nginx_config.changed

ansible/roles/gateway/tasks/wireguard.yml

@@ -1,6 +1,7 @@
 - name: Install wireguard tools
   package:
     name: "{{ item }}"
+  become: true
   loop:
     - wireguard-tools
     - qrencode
@@ -11,18 +12,21 @@
     dest: /etc/wireguard/wg0.conf
     mode: "0600"
     backup: true
+  become: true
   register: wireguard_conf
 
 - name: Enable wireguard
   service:
     name: wg-quick@wg0
     enabled: true
+  become: true
 
 - name: Restart wireguard
   service:
     name: wg-quick@wg0
     state: restarted
   when: wireguard_conf.changed
+  become: true
 
 - name: Create wireguard client directory
   file:

ansible/roles/gitea/files/app.ini

@@ -1,4 +1,4 @@
-APP_NAME = Forgejo
+APP_NAME = Gitea: Git with a cup of orange juice
 
 [repository]
 ROOT = /mnt/repositories
@@ -32,7 +32,7 @@ PASSWD   = gitea
 
 [session]
 PROVIDER        = db
-COOKIE_NAME     = forgejo_session
+COOKIE_NAME     = gitea_session
 
 [log]
 LEVEL = warn
@@ -42,8 +42,8 @@ INSTALL_LOCK                  = true
 SECRET_KEY                    = {{ vault_secret_key }}
 INTERNAL_TOKEN                = {{ vault_internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
-COOKIE_USERNAME               = forgejo_username
+COOKIE_USERNAME               = gitea_username
-COOKIE_REMEMBER_NAME          = forgejo_remember
+COOKIE_REMEMBER_NAME          = gitea_remember
 LOGIN_REMEMBER_DAYS           = 30
 REVERSE_PROXY_TRUSTED_PROXIES = *
 
@@ -64,8 +64,9 @@ REPO_PAGING_NUM = 100
 [ui]
 SITEMAP_PAGING_NUM   = 100
 FEED_PAGING_NUM      = 100
-DEFAULT_THEME        = forgejo-auto
+DEFAULT_THEME        = gitea-auto
 ISSUE_PAGING_NUM     = 100
+THEME_COLOR_META_TAG = "#ff7f00"
 FEED_MAX_COMMIT_NUM  = 30
 SHOW_USER_EMAIL      = false
 EXPLORE_PAGING_NUM   = 100

ansible/roles/gitea/files/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
-  forgejo:
+  gitea:
-    image: code.forgejo.org/forgejo/forgejo:9-rootless
+    image: gitea/gitea:1.22-rootless
     user: "{{ docker_user.id }}:{{ docker_user.id }}"
     environment:
       - TZ={{ timezone }}
@@ -22,8 +22,8 @@ services:
       - redis
     labels:
       - traefik.enable=true
-      - traefik.http.routers.forgejo.rule=Host(`git.theorangeone.net`)
+      - traefik.http.routers.gitea.rule=Host(`git.theorangeone.net`)
-      - traefik.http.services.forgejo-forgejo.loadbalancer.server.port=3000
+      - traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
     networks:
       - default
       - traefik

ansible/roles/gitea/files/footer.html

@@ -1,3 +1,3 @@
-{{ if not .IsSigned }}
+{{ if not .SignedUserName}}
   <script defer data-domain="git.theorangeone.net" src="https://elbisualp.theorangeone.net/js/script.js"></script>
 {{ end }}

ansible/roles/gitea/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -16,6 +17,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart gitea
+  become: true
 
 - name: Install config file
   template:
@@ -24,6 +26,15 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart gitea
+  become: true
+
+- name: Create public images directory
+  file:
+    path: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Create custom templates directory
   file:
@@ -32,6 +43,15 @@
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
     recurse: true
+  become: true
+
+- name: Install custom branding
+  unarchive:
+    src: https://git.theorangeone.net/api/packages/sys/generic/gitea-branding/latest/branding.zip
+    dest: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
+    remote_src: true
+    owner: "{{ docker_user.name }}"
+  become: true
 
 - name: Install custom footer
   copy:
@@ -40,3 +60,4 @@
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_file_mask }}"
   notify: restart gitea
+  become: true

ansible/roles/gitea_runner/files/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  act-runner:
+    image: vegardit/gitea-act-runner:latest
+    network_mode: host
+    volumes:
+      - /mnt/data:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - TZ={{ timezone }}
+      - GITEA_INSTANCE_URL=https://git.theorangeone.net
+      - GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_gitea_runner_registration_token }}
+      - GITEA_RUNNER_NAME={{ ansible_hostname }}
+      - GITEA_RUNNER_FETCH_INTERVAL=5s
+      - GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}
+      - GITEA_RUNNER_UID={{ docker_user.id }}
+      - GITEA_RUNNER_GID={{ docker_user.id }}
+    restart: unless-stopped

ansible/roles/gitea_runner/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart act-runner
+  shell:
+    chdir: /opt/act-runner
+    cmd: "{{ docker_update_command }}"

ansible/roles/gitea_runner/tasks/main.yml

@@ -1,23 +1,20 @@
+- name: Include vault
+  include_vars: vault.yml
+
 - name: Create install directory
   file:
-    path: /opt/forgejo-runner
+    path: /opt/act-runner
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
-
+  become: true
-- name: Install config file
-  template:
-    src: files/config.yml
-    dest: /opt/forgejo-runner/config.yml
-    mode: "600"
-    owner: "{{ docker_user.name }}"
-  notify: restart forgejo-runner
 
 - name: Install compose file
   template:
     src: files/docker-compose.yml
-    dest: /opt/forgejo-runner/docker-compose.yml
+    dest: /opt/act-runner/docker-compose.yml
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
-  notify: restart forgejo-runner
+  notify: restart act-runner
+  become: true

ansible/roles/gitea_runner/vars/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+39356636363738343339633132326666373534646563366335363336356362343438313030353466
+6564373739333030393666333438386533316332626136350a626439316537343030323761383863
+33666632636132386335393833636232373662626562326531666330373438613738613634643061
+3864336432626338320a373866356363613166366239356630663534646566636131353530623266
+66326334636361386338663739333134333761376239373133396534376139633364336433663362
+30313736303539663839313830336164346536383066393635323366363433616264373165356431
+35663832323132356538666333653135383332653232336336646265356665313165623035363561
+65306666393331383661353961306531636266393765626363616265326566316163396531373638
+3735

ansible/roles/glinet_vpn/handlers/main.yml

@@ -2,3 +2,4 @@
   service:
     name: wg-quick@glinet
     state: restarted
+  become: true

ansible/roles/glinet_vpn/tasks/main.yml

@@ -4,6 +4,7 @@
 - name: Install wireguard tools
   package:
     name: "{{ item }}"
+  become: true
   loop:
     - wireguard-tools
     - qrencode
@@ -14,6 +15,7 @@
     dest: /etc/wireguard/glinet.conf
     mode: "0600"
     backup: true
+  become: true
   notify: restart wireguard
 
 - name: Wireguard client config
@@ -22,9 +24,11 @@
     dest: "{{ me.home }}/glinet-vpn.conf"
     mode: "0600"
     owner: "{{ me.user }}"
+  become: true
   notify: restart wireguard
 
 - name: Enable wireguard
   service:
     name: wg-quick@glinet
     enabled: true
+  become: true

ansible/roles/headscale/files/acls.json

@@ -1,7 +1,6 @@
 {
     "tagOwners": {
-        "tag:client": [],
+        "tag:client": []
-        "tag:private-svcs": []
 
     },
     "acls": [
@@ -9,11 +8,6 @@
             "action": "accept",
             "src": ["tag:client"],
             "dst": ["*:*"]
-        },
-        {
-            "action": "accept",
-            "src": ["tag:private-svcs"],
-            "dst": ["{{ vps_hosts.private_ipv6_marker }}:80,443"]
         }
     ]
 }

ansible/roles/headscale/files/headscale.yml

@@ -63,11 +63,9 @@ noise:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
-prefixes:
+ip_prefixes:
-  v6: fd7a:115c:a1e0::/48
+  - fd7a:115c:a1e0::/48
-  v4: 100.64.0.0/10
+  - 100.64.0.0/10
-
-  allocation: sequential
 
 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
@@ -79,7 +77,7 @@ derp:
   server:
     # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
     # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
-    enabled: false
+    enabled: true
 
     # Region ID to use for the embedded DERP server.
     # The local DERP prevails if the region ID collides with other region ID coming from
@@ -97,8 +95,7 @@ derp:
     stun_listen_addr: 0.0.0.0:3478
 
   # List of externally available DERP maps encoded in JSON
-  urls:
+  urls: []
-    - https://controlplane.tailscale.com/derpmap/default
 
   # Locally available DERP map files encoded in YAML
   #
@@ -131,25 +128,10 @@ ephemeral_node_inactivity_timeout: 30m
 node_update_check_interval: 20s
 
 # SQLite config
-database:
+db_type: sqlite3
-  type: sqlite
 
-  gorm:
+# For production:
-    # Enable prepared statements.
+db_path: /var/lib/headscale/db.sqlite
-    prepare_stmt: true
-
-    # Enable parameterized queries.
-    parameterized_queries: true
-
-    # Skip logging "record not found" errors.
-    skip_err_record_not_found: true
-
-    # Threshold for slow queries in milliseconds.
-    slow_threshold: 3000
-
-  sqlite:
-    path: /var/lib/headscale/db.sqlite
-    write_ahead_log: true
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -206,9 +188,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-policy:
+acl_policy_path: /etc/headscale/acls.json
-  mode: file
-  path: /etc/headscale/acls.json
 
 ## DNS
 #
@@ -219,13 +199,13 @@ policy:
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-dns:
+dns_config:
   # Whether to prefer using Headscale provided DNS or use local.
   override_local_dns: false
 
   # List of DNS servers to expose to clients.
   nameservers:
-    global: []
+    - 1.1.1.1
 
   # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
   # "abc123" is example NextDNS ID, replace with yours.
@@ -271,7 +251,7 @@ dns:
   # `base_domain` must be a FQDNs, without the trailing dot.
   # The FQDN of the hosts will be
   # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: hs.sys.theorangeone.net
+  base_domain: headscale.jakehoward.tech
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
@@ -282,12 +262,12 @@ unix_socket_permission: "0770"
 # headscale supports experimental OpenID connect support,
 # it is still being tested and might have some bugs, please
 # help us test it.
-# oidc:
+oidc:
-#   only_start_if_oidc_is_available: true
+  only_start_if_oidc_is_available: true
-#   issuer: "{{ vault_oidc_issuer }}"
+  issuer: "{{ vault_oidc_issuer }}"
-#   client_id: "{{ vault_oidc_client_id }}"
+  client_id: "{{ vault_oidc_client_id }}"
-#   client_secret: "{{ vault_oidc_client_secret }}"
+  client_secret: "{{ vault_oidc_client_secret }}"
-#   expiry: 0
+  expiry: 0
 
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel

ansible/roles/headscale/handlers/main.yml

@@ -3,3 +3,4 @@
     name: headscale
     state: restarted
     enabled: true
+  become: true

ansible/roles/headscale/tasks/main.yml

@@ -4,6 +4,7 @@
 - name: Install Headscale
   package:
     name: headscale
+  become: true
 
 - name: Install headscale config file
   template:
@@ -12,6 +13,7 @@
     owner: headscale
     mode: "0600"
   notify: restart headscale
+  become: true
 
 - name: Install ACLs
   template:
@@ -20,10 +22,12 @@
     owner: headscale
     mode: "0600"
   notify: restart headscale
+  become: true
 
 - name: Install nginx config
   template:
     src: files/nginx.conf
     dest: /etc/nginx/http.d/headscale.conf
     mode: "0644"
+  become: true
   notify: reload nginx

ansible/roles/http_proxy/files/squid.conf

@@ -2,7 +2,7 @@
 # Recommended minimum configuration:
 #
 
-acl hide_internal dst {{ wireguard.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
 
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing

ansible/roles/http_proxy/handlers/main.yml

@@ -2,3 +2,4 @@
   service:
     name: squid
     state: restarted
+  become: true

ansible/roles/http_proxy/tasks/main.yml

@@ -1,15 +1,18 @@
 - name: Install squid
   package:
     name: squid
+  become: true
 
 - name: Squid config
   template:
     src: files/squid.conf
     dest: /etc/squid/squid.conf
     mode: "0600"
+  become: true
   notify: restart squid
 
 - name: Enable squid
   service:
     name: squid
     enabled: true
+  become: true

ansible/roles/ingress/files/nftables.conf

@@ -17,6 +17,9 @@ table inet filter {
 
         tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
 
+        # Allow nebula
+        udp dport {{ nebula_listen_port }} accept;
+
         # Allow Tailscale
         udp dport {{ tailscale_port }} accept;
     }
@@ -26,6 +29,7 @@ table inet filter {
         policy accept
 
         # NAT - because the proxmox machines may not have routes back
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
         ip saddr {{ tailscale_cidr }} counter masquerade
     }
 
@@ -33,8 +37,12 @@ table inet filter {
         type filter hook forward priority mangle
         policy drop
 
-        # Allow monitoring of Tailscale network
+        # Allow traffic from nebula to proxmox network
-        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ tailscale_cidr }} accept
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+
+        # Allow monitoring of nebula network
+        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
 
         # Allow Tailscale exit node
         ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop

ansible/roles/ingress/handlers/main.yml

@@ -2,11 +2,13 @@
   service:
     name: wg-quick@wg0
     state: restarted
+  become: true
 
 - name: reload nginx
   service:
     name: nginx
     state: reloaded
+  become: true
 
 - name: reload nftables
   command:
@@ -14,3 +16,4 @@
       - nft
       - -f
       - /etc/nftables.conf
+  become: true

ansible/roles/ingress/tasks/firewall.yml

@@ -1,6 +1,7 @@
 - name: Install nftables
   package:
     name: nftables
+  become: true
 
 - name: Copy firewall config
   template:
@@ -8,6 +9,7 @@
     dest: /etc/nftables.conf
     validate: nft -c -f %s
     mode: "644"
+  become: true
   notify: reload nftables
 
 - name: Enable nftables
@@ -15,3 +17,4 @@
     name: nftables
     enabled: true
     state: started
+  become: true

ansible/roles/ingress/tasks/nginx.yml

@@ -3,4 +3,5 @@
     src: files/nginx.conf
     dest: /etc/nginx/stream.d/ingress.conf
     mode: "0644"
+  become: true
   notify: reload nginx

ansible/roles/ingress/tasks/wireguard.yml

@@ -1,6 +1,8 @@
 - name: Install Wireguard
   package:
-    name: wireguard
+    name:
+      - wireguard
+  become: true
 
 - name: Get wireguard credentials
   set_fact:
@@ -12,12 +14,14 @@
     dest: /etc/wireguard/wg0.conf
     mode: "0600"
     backup: true
+  become: true
   notify: restart wireguard
 
 - name: Enable wireguard
   service:
     name: wg-quick@wg0
     enabled: true
+  become: true
 
 - name: Enable p2p communication
   sysctl:
@@ -27,3 +31,4 @@
     state: present
     reload: true
     sysctl_file: /etc/sysctl.d/99-sysctl.conf
+  become: true

ansible/roles/jellyfin/tasks/main.yml

@@ -2,19 +2,23 @@
   ansible.builtin.apt_key:
     url: https://repo.jellyfin.org/jellyfin_team.gpg.key
     state: present
+  become: true
 
 - name: Add Jellyfin repository
   apt_repository:
     repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
     filename: jellyfin
     state: present
+  become: true
 
 - name: Install jellyfin
   package:
     name: jellyfin
+  become: true
 
 - name: Set media dir permissions
   cron:
     name: Set media permissions
     special_time: daily
     job: chown -R jellyfin:jellyfin /mnt/media
+  become: true

ansible/roles/mastodon/files/docker-compose.yml

@@ -1,22 +1,19 @@
 services:
   mastodon:
-    image: lscr.io/linuxserver/mastodon:4.3.1
+    image: lscr.io/linuxserver/mastodon:4.2.10
     environment:
       - TZ={{ timezone }}
       - PUID={{ docker_user.id }}
       - PGID={{ docker_user.id }}
       - LOCAL_DOMAIN=theorangeone.net
       - WEB_DOMAIN=mastodon.theorangeone.net
-      - DATABASE_URL=postgresql://mastodon:mastodon@db:5432/mastodon
+      - DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
       - REDIS_URL=redis://redis
       - SIDEKIQ_REDIS_URL=redis://redis/1
       - SECRET_KEY_BASE={{ vault_secret_key_base }}
       - OTP_SECRET={{ vault_otp_secret }}
       - VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
       - VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
-      - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ vault_active_record_encryption_deterministic_key }}
-      - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ vault_active_record_encryption_key_derivation_salt }}
-      - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ vault_active_record_encryption_primary_key }}
       - SINGLE_USER_MODE=true
       - DEFAULT_LOCALE=en
       - STREAMING_CLUSTER_NUM=1

ansible/roles/mastodon/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -16,6 +17,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart mastodon
+  become: true
 
 - name: Install media cleanup script
   template:
@@ -23,6 +25,7 @@
     dest: /opt/mastodon/purge-media.sh
     mode: "0755"
     owner: "{{ docker_user.name }}"
+  become: true
 
 - name: Schedule media cleanup
   cron:
@@ -32,3 +35,4 @@
     weekday: 1
     job: /opt/mastodon/purge-media.sh
     user: "{{ me.user }}"
+  become: true

ansible/roles/mastodon/vars/vault.yml

@@ -1,42 +1,30 @@
 $ANSIBLE_VAULT;1.1;AES256
-61313731363564306234653163633231356330313936636631393536356434396530643065333731
+63646161653431383335313735643535313434613362343161373961633539373932313338343633
-3534663665643665613164343931646262643231356337350a333262356130636265643465323263
+6637323935616636353731336531663635656532383166640a633335666633363136333433343266
-34333463353131323930636566633462613561333733636230363066343834316664363036346635
+37383237623837616464613561633931613230623633313533393464646464646566366330323365
-6666363330383337340a316635663663343034613039353835633035633036646131303365626466
+6563396262363238320a303433636266616635313536396132366239343230656432626639653230
-38636438323537303134356162633666376236346635366161356430376366626637343362363039
+63336165323337393664373635616532643935343363303766376533366661663366623939653564
-33356332333362363834373137633130306161393430393830643363636463633234646634306265
+35363335396266363532653038623038383836383236366466366339343433393338343566653834
-34366438333132633937303661356134383831373765306339363161643132393737356434653832
+30393761626537313531346466373136666565653731663430376664353737663039643263303533
-31346166333539643161346130386565376630333435376661343666636239666138316337633463
+35663836626462333262356330616131316432326139616165363831393036343235663736626661
-37633237393063313633393732616364653930353661366136346139663030393530383533646265
+35666264346563306133306565636261633766616135616366376430643763333031353534373033
-34393236643439316364376236373431643536333561613135616338643538313238303530356136
+35373739333562313639376264343562363130373531313563643834613533653034316536323339
-34393864323365633166643434363262346233393938313463643162343761643831373639313830
+39646337376462656362666330643831653730393562316661326433633334353963306664396264
-31363837393934333064316463313562393939613034653762303764333730353165623765653430
+30373238653832613861633263383663616538366361336163373861613538613132353963373666
-32383961353162306431393331643262353635383761663330323239383732346535636138636634
+34376464333462633839396263396335613233356261666661313763333033376434626463663133
-64616631373765393033306562343433373733646331643930373663323837393438643331663062
+32646130333635656665396335393232346661303861626566663931303637653065313031323936
-39323564376436353032303362653261363730383062346664663462656230613238303430303561
+64333931393165343761376630666462343136353335343632323435306261633232633662353137
-63663461376139616237333864643461343130326637616264353132613930306238613634343636
+32323863343365623566316537343062393638393434323134633535313531333135666535323439
-62393835393336646133616438336266653762366163623032323131656638393234383532333237
+35613439373737396562613834373638356534326438646330663564366436333962626135363833
-34333030356638326139333636343865636335333665656534656466333135663562303637333136
+63653731383163653932383632306239663365323237363562306639643662393530633430386164
-62386134633330663364323730646134383534623835636633653236653232393232653163613435
+61613137663734636666633966663366393832353166343239656335396630323138366338616430
-64663437383233323435386163653933383634666630383862323831316166353837323461333961
+37653036303735383664656530626630616437373762343263643661343464326466353234316363
-39626563323364653731316361333534616361366435643266626164666463613836336639373835
+64643733363435656365343537626364643430316630663666373932663564623835646336633034
-64393038336333356431326532626463333332373465613364386461623533646266626264383332
+65646264346439356161353838353064626230636664373035336433356530326632613035316434
-61393338663162343831616566346133646166353431396139393237356332616437353538313236
+31613434366530323263383337316432316432373835343164313963643733626362393334623266
-35323263383036623761643430336462656430356164313561663437383530346434306438386533
+65356131626135336337383139643838333134616137366530353730646634633364353333646563
-34366262663261636365323235326532393436333962383032353236323761373239613836646564
+66333134616639363932613238346538623764663831353031383834613230393936386432623434
-33316433656636313261653364663966633431663762363133666631653835386131643061626161
+37393935346238633338323432613638616466623264656434393761623363356330623632323261
-39633065326130643134343139363266363362393938623261646231333833643034633638386162
+36393064316263666432663633323535363035323535653834323064383437343530306166306239
-37376263613839353365336563623830333338373339393830323834326234373833336237326365
+37316236313533393062623066336561373138636339393631313866303433643832383230656532
-63366664323136303638643237366265653235363266333738343437313636663163663134363262
+3137
-32663533363539313238663237366330633738613733363932653031356263643935666166363536
-61383532373565383730363662613533333265636361333230333233396534353337653662363065
-38393937396337633430303831353831376666623061356239363534333537323662306530303639
-65303735343431623561356361373330343033643130393235336535623530303236356432353834
-62376163646362616465643730353866333464666365336336383466653462346334646231633736
-62336132343737303061396636313334333538396333626263396361386631313730363766653530
-66663461616530326261343931343330313836633966646661626361643064316261313234386635
-30306534396136656432653236343337656433396337393064313466653165396562393665363938
-63393232646164333263313136303236353465636139376232626563613835303561653935316332
-61373432613632663366383933343839363765396637306339363162616237366361306237336464
-37353336306536396466356432393766623061363938633736323431313237663464646364666131
-3737

ansible/roles/minio/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -16,3 +17,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart minio
+  become: true

ansible/roles/nebula/defaults/main.yml

@@ -0,0 +1,2 @@
+nebula_is_lighthouse: false
+nebula_listen_port: 0

ansible/roles/nebula/files/ca.crt

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+35346565636566303064316339396339363831623963306131303331366338643338326261626137
+3031333365383139383466323931353339346534366136350a353034373561653238643039373766
+37316638363166303162373739393934653936373639323038663639656138313035666132646136
+6339386166383137320a363536336166343539633238336364663633306562313965636536303663
+35376234336566626232383231326362393664386464346363643262393932316130623936383366
+63313539653035383665373962376165336533396565643263666634333434663432386635663434
+31613064653739363637643433653639343930623038626539353534393861646165366166616638
+38313036303261336635666161383135353637633966646462376439313539383962343564626336
+37343566306638626337316135663763343961653065616531396332303966643638646163393461
+63353630393364666336633630653765613331386233386130366636393965323231373561333163
+38613165623533396531383031316631346434333239616335373162333637363830636263613338
+38316165343632313361633362383934653832306332663732303061333135393234306232636464
+36346465633166303335363365336336383333636165633230626263633663356336366662313263
+36353231623930653361313466643064356234656639616332326534306133396338363538366136
+30643633626230613364353434323262333335363132303865646130653733623032346166653031
+63653761393935333430636230353966353765626235336439383331333436623061373835616462
+3661

ansible/roles/nebula/files/certs/casey.crt

@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+63636434323163343761373034626236333037376261336634366531393035356435653037326238
+3839323731623165633234613132376534646266373466310a356635313261333263366632336664
+39326533333462373831663132633733666136623938313164313265326637333332616463386363
+6634333536313132310a613766363630313933343365333633333663613035313362343437383534
+32636433613365643633643536633862376231316135376437333835353164613839323562333430
+39323331353639333539356165616661663262386363386239346664643364653137633332626661
+35393332653530373162666365326135663633663265313634643135373562663763376530623038
+63343231333933616237666465306461663634363261656237383236383663336235363161623265
+30343366643637326135356636626564343436396635613566393636643264333933656265346333
+61363335303737666238393665633265393835633838636561393534343437366639636361373761
+34366334366236373633613037346463373632323265343034343335333436373733613465663464
+65643863303037643338366537336562613232313331323366663835316437376535623635383463
+38386539353834383236663766393563393063333233623661303335396534353166316230396566
+34393034333864346534383665616666633836376439646632303566613633376138313961636637
+37313635393739656161313466633231396539393666663635623034613765393438633735636666
+33326635373966353633356166313138656462373962663666653961366438383936626338663439
+36643039613061646531366462623064623837666633326532663232616139623737343732346130
+64646337356266353261363438326237313833323765663336346635353236396638376530663033
+306365363634643665646230366332653632

ansible/roles/nebula/files/certs/casey.key

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+31646561316237653338613966616162363239323863393862376136623639613730633339396230
+3830343834383934333236633462663734366432666331620a393739313230656636653432646532
+65386466633832623663386131393866666664303439613738303933656239393761653263386466
+3561656162343632350a383737343661663037306461636264353239373865613861393034626237
+37633134636638633539346534346365346332643939653737626136393961343864386438323731
+39353663353362623563326230643961623231646361396561623431376139626236313362343938
+38336138376133656130633161363766393861656466363565646264653963396539386266616631
+66333965383862633061623961316334326134326630623064323562373937323338313838353066
+38343830316665326663313331613561393238373161326637396630383030666137623633616365
+6461333239666365363339613533323536613839356332373530

ansible/roles/nebula/files/certs/ingress.crt

@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+62613762323836666136313634353965643132326439656165623938326130633631623939336434
+3931613737633935363439316362613663363335626134340a306631376131363635326337333234
+34373262383861626564383834306462306633376332353630666265303766333731613839333231
+6666343965353866320a313930383762646431656433393433336436623064643864343639393465
+37613062336430646130653833363130343266303833353739393839376235646433663236636532
+31303439663030353934383862396234663633343932646234353566313833613038366262373862
+62646262393431343638373936333339373230346134313661303138656563613463613836643634
+33343236633235316364336438613932316431383839393136343662333365396639313931663461
+33363336323532376566316532373832306662373538343361336239346163626330333736636566
+33306435306136643563643465373964383336376566383539613530313830353961623861323936
+64633336323438353238616663323338396536386161326132633466643135636162363536656665
+39653734653839366362383034366437613734373830386533363138373036323231363764633335
+34633163353237656266663035616463383165623634353062636464373361376438653230343661
+35343434656335623533623836313335616162666665313064653730356537633666336163616132
+31663432396564613538303662396538643131656137343434646333666634653938353363316363
+38623730623532663133343937643663633961353034316234663931646331656636303739383464
+37623264663038656632343262336165343635633566393535343663393163313234396463373766
+35313337353833306262363532616265656461356536633430383234633464613839303562356565
+39643738616262383734656535636566323831373035306166343039666334633264303435663865
+39623533653333323766

ansible/roles/nebula/files/certs/ingress.key

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+37626435646463663062363233393732353239386231366436653663623035656339633136346138
+3963626465363538653430343733663965373865376263330a373638663731656435646438646134
+38663334363137666530653934356337326264356664343633623432613265643139353464666136
+6236383631366130310a386265373334663831333137303538303737663062656239663839326338
+35613739313935373362333933653636383033343164363964353935633061636635353464643831
+64626363646136663166373632343830333634356565336138393436313864646333386561396663
+65636436663830633661396531643838333938366236633762323231363966643035643539383438
+30396136633264396561353034653161343536313461623532303265663531323937363737353566
+32363564333536306166346165393662353234363131383733396338633839333439373538623362
+3738616565663331353362633939343832323238383930643263

ansible/roles/nebula/files/certs/walker.crt

@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+32636232306462356330643137616236306261373438653332326239343662363234313765356563
+6361383264626665636130373539613936373036343061350a316438383266306538303836636138
+39643434323831303337336230623463633138633436386539363531626633633364663031376131
+3162363530393734380a303162386436396338383864333439313365383665666361313666373538
+35666262616466663061383463653361303230653036643033376434303236656638343134316262
+31303663396231623065316261353938613934303934613331393836663061653731316163663230
+39653337373230386337383665303638346136353031373931616166663437313431353832633239
+62343063323765636466353031353930636132373263306631616365623332646639333265653235
+61636237326561613364303538323861393061303839383532323136306134633437363731616464
+32633538376130613164646264666332303762386436383566663563346536663935323165323939
+65666333363163373165316633383430653066663938303562613739303835316661623437613863
+32383330336261356364353163666432353130343564366333626336306332643936623166386261
+35656431366431663830336631346164333362376262663365623635376161373864303831306462
+61326462343039376363663139636638663239306362353232366166623030376464336634643130
+65373532393034623730663431373763636261393035346639653137383235633265386365613063
+37303435363136613365633139316133386332373665626566346161343665626365656639346661
+30396133366566306238303564633662306561303830613937666264303731666230356633373662
+33656133323364313461353562373337356232666536643633336663326334353231613336646461
+376435366338383534623436353434623334

ansible/roles/nebula/files/certs/walker.key

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+65626437643961386636343536313832353663373863313963383430363465333965363031653635
+3038636237383665653135313962643434386135346630360a666239663139353063623436633038
+38613062393337373232343338626334353033633738306138373464313739323334373637366334
+3335623465633164310a646162376139373838643731326361373366623765323263643934616432
+66626333653335343234393936653931306132333933616138616665626139396164386437633338
+36653637346532376564306537643330343135313331343163326331363664663761616533353563
+66643964313736653263666466643134656532643536343464356464663465313438643466643130
+35643738313337663663343466353232396264356163343234653032333032336134666437306139
+63653239363132396465376565306666363131366131376466356530386438653433613063646365
+6432616539316163376162613630623066626539666135366664

ansible/roles/nebula/files/nebula.yml

@@ -0,0 +1,59 @@
+pki:
+  ca: /etc/nebula/ca.crt
+  cert: /etc/nebula/{{ ansible_hostname }}.crt
+  key: /etc/nebula/{{ ansible_hostname }}.key
+
+static_host_map:
+  "{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"]
+
+
+lighthouse:
+  am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
+  interval: 60
+  hosts:
+{% if not nebula_is_lighthouse %}
+    - "{{ nebula_lighthouse_ip }}"
+{% endif %}
+
+listen:
+  host: 0.0.0.0
+  port: "{{ nebula_listen_port }}"
+
+punchy:
+  punch: true
+
+tun:
+  disabled: false
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+  tx_queue: 500
+  mtu: 1300
+  routes:
+  unsafe_routes:
+{% if ansible_hostname != "ingress" %}
+    - route: "{{ pve_hosts.internal_cidr }}"
+      via: "{{ nebula.clients.ingress.ip }}"
+{% endif %}
+
+
+logging:
+  level: info
+  format: text
+
+firewall:
+  conntrack:
+    tcp_timeout: 12m
+    udp_timeout: 3m
+    default_timeout: 10m
+    max_connections: 100000
+
+  outbound:
+    - port: any
+      proto: any
+      host: any
+
+  inbound:
+    - port: any
+      proto: any
+      host: any

ansible/roles/nebula/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart nebula
+  service:
+    name: nebula
+    state: restarted
+  become: true

ansible/roles/nebula/tasks/main.yml

@@ -0,0 +1,65 @@
+- name: Create config directory
+  file:
+    path: /etc/nebula
+    state: directory
+    mode: "0700"
+  become: true
+
+- name: Install nebula
+  package:
+    name: nebula
+  when: ansible_os_family == 'Archlinux'
+  become: true
+
+- name: Manually install nebula
+  block:
+    - name: Install binaries
+      unarchive:
+        src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
+        dest: /usr/bin
+        remote_src: true
+        mode: "0755"
+
+    - name: Install service
+      get_url:
+        url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
+        dest: /usr/lib/systemd/system/nebula.service
+        mode: "0644"
+  when: ansible_os_family != 'Archlinux'
+  tags:
+    - skip_ansible_lint
+  notify: restart nebula
+  become: true
+
+- name: Install config
+  template:
+    src: files/nebula.yml
+    dest: /etc/nebula/config.yml
+    mode: "0600"
+  become: true
+  notify: restart nebula
+
+- name: Install CA certificate
+  template:
+    src: files/ca.crt
+    dest: /etc/nebula/ca.crt
+    mode: "0600"
+  become: true
+  notify: restart nebula
+
+- name: Install client certificates
+  template:
+    src: files/certs/{{ item }}
+    dest: /etc/nebula/{{ item }}
+    mode: "0600"
+  loop:
+    - "{{ ansible_hostname }}.key"
+    - "{{ ansible_hostname }}.crt"
+  become: true
+  notify: restart nebula
+
+- name: Enable service
+  service:
+    name: nebula
+    enabled: true
+  become: true

ansible/roles/nebula/vars/main.yml

@@ -0,0 +1,5 @@
+nebula_lighthouse_public_ip: "{{ vps_hosts.casey_ip }}"
+nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
+nebula_lighthouse_port: 6328
+
+nebula_version: 1.8.1

ansible/roles/nginx/handlers/main.yml

@@ -2,3 +2,4 @@
   service:
     name: nginx
     state: reloaded
+  become: true

ansible/roles/nginx/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: Install nginx
   package:
     name: nginx
+  become: true
 
 - name: Install nginx modules
   package:
@@ -10,6 +11,7 @@
     - libnginx-mod-http-brotli-filter
     - libnginx-mod-stream
   when: ansible_os_family != 'Archlinux'
+  become: true
 
 - name: Install nginx modules (on Arch)
   kewlfft.aur.aur:
@@ -18,10 +20,12 @@
     - nginx-mod-headers-more
     - nginx-mod-brotli
   when: ansible_os_family == 'Archlinux'
+  become: true
 
 - name: Generate Diffie-Hellman parameters
   community.crypto.openssl_dhparam:
     path: /etc/nginx/dhparams.pem
+  become: true
 
 - name: Create config directories
   file:
@@ -32,6 +36,7 @@
     - http.d
     - stream.d
     - includes
+  become: true
 
 - name: Copy config files
   template:
@@ -39,6 +44,7 @@
     dest: /etc/nginx/includes/{{ item | basename }}
     mode: "0644"
   with_fileglob: files/includes/*.conf
+  become: true
   notify: reload nginx
 
 - name: Install config
@@ -46,6 +52,7 @@
     src: files/nginx.conf
     dest: /etc/nginx/nginx.conf
     mode: "0644"
+  become: true
   notify: reload nginx
 
 - name: Install HTTPS redirect
@@ -53,5 +60,6 @@
     src: files/nginx-https-redirect.conf
     dest: /etc/nginx/http.d/https-redirect.conf
     mode: "0644"
+  become: true
   notify: reload nginx
   when: nginx_https_redirect

ansible/roles/ntfy/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -16,3 +17,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart ntfy
+  become: true

ansible/roles/paccache/tasks/main.yml

@@ -1,15 +1,18 @@
 - name: Install Pacman utils
   package:
     name: pacman-contrib
+  become: true
 
 - name: Create hooks directory
   file:
     path: /etc/pacman.d/hooks/
     state: directory
     mode: "0755"
+  become: true
 
 - name: Install pacman hook
   template:
     src: files/paccache.hook
     dest: /etc/pacman.d/hooks/clean_package_cache.hook
     mode: "0644"
+  become: true

ansible/roles/plausible/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install clickhouse config
   template:
@@ -14,6 +15,7 @@
     dest: /opt/plausible/docker_related_config.xml
     mode: "0644"
   notify: restart plausible
+  become: true
 
 - name: Install clickhouse user config
   template:
@@ -21,6 +23,7 @@
     dest: /opt/plausible/docker_related_user_config.xml
     mode: "0644"
   notify: restart plausible
+  become: true
 
 - name: Install compose file
   template:
@@ -30,6 +33,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart plausible
+  become: true
 
 - name: Install nginx config
   template:
@@ -37,6 +41,7 @@
     dest: /etc/nginx/http.d/plausible.conf
     mode: "0644"
   notify: reload nginx
+  become: true
   vars:
     server_name: plausible.theorangeone.net elbisualp.theorangeone.net
     upstream: plausible-plausible-1.docker:8000

ansible/roles/privatebin/tasks/main.yml

@@ -4,6 +4,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -13,6 +14,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart privatebin
+  become: true
 
 - name: Install config file
   template:
@@ -21,3 +23,4 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart privatebin
+  become: true

ansible/roles/prometheus/files/prometheus/prometheus.yml

@@ -120,7 +120,7 @@ scrape_configs:
     metrics_path: /metrics
     static_configs:
       - targets:
-          - "{{ tailscale_nodes.casey.ip }}:9090"
+          - "{{ nebula.clients.casey.ip }}:9090"
     metric_relabel_configs:
       - source_labels: [__name__]
         regex: go_.+

ansible/roles/prometheus/tasks/grafana.yml

@@ -8,6 +8,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install grafana compose file
   template:
@@ -17,3 +18,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart grafana
+  become: true

ansible/roles/prometheus/tasks/main.yml

@@ -17,6 +17,7 @@
       - "{{ vps_hosts.private_ipv6_range }}"
   register: routes
   changed_when: false
+  become: true
 
 - name: Add route to private services via ingress
   command:
@@ -30,4 +31,5 @@
       - "{{ pve_hosts.ingress.ipv6 }}"
       - dev
       - eth0
+  become: true
   when: vps_hosts.private_ipv6_marker not in routes.stdout

ansible/roles/prometheus/tasks/prometheus.yml

@@ -4,6 +4,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install prometheus config
   template:
@@ -12,6 +13,7 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: reload prometheus
+  become: true
 
 - name: Install prometheus compose file
   template:
@@ -21,6 +23,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart prometheus
+  become: true
 
 - name: Install blackbox config
   template:
@@ -29,6 +32,7 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart prometheus
+  become: true
 
 - name: Install alertmanager config
   template:
@@ -37,6 +41,7 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart prometheus
+  become: true
 
 - name: Install prometheus alert rules
   copy:
@@ -45,3 +50,4 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: reload prometheus
+  become: true

ansible/roles/pve_docker/files/nextcloud/config.php

@@ -19,7 +19,7 @@ $CONFIG = array (
     0 => 'intersect.jakehoward.tech',
   ),
   'dbtype' => 'mysql',
-  'version' => '30.0.1.2',
+  'version' => '29.0.4.1',
   'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
   'dbname' => 'nextcloud',
   'dbhost' => 'mariadb',

ansible/roles/pve_docker/files/nextcloud/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   nextcloud:
-    image: lscr.io/linuxserver/nextcloud:30.0.1
+    image: lscr.io/linuxserver/nextcloud:29.0.4
     environment:
       - PUID={{ docker_user.id }}
       - PGID={{ docker_user.id }}
@@ -45,7 +45,7 @@ services:
       - /tmp
 
   mariadb:
-    image: mariadb:10.6
+    image: mariadb:11.5
     restart: unless-stopped
     volumes:
       - /mnt/speed/dbs/mariadb/nextcloud:/var/lib/mysql

ansible/roles/pve_docker/files/synapse/docker-compose.yml

@@ -1,4 +1,5 @@
 services:
+
   synapse:
     image: ghcr.io/element-hq/synapse:latest
     restart: unless-stopped
@@ -16,7 +17,7 @@ services:
       - db
     labels:
       - traefik.enable=true
-      - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) || Host(`matrix.theorangeone.net`)
+      - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
     networks:
       - default
       - traefik

ansible/roles/pve_docker/files/whoami/docker-compose.yml

@@ -4,7 +4,7 @@ services:
     restart: unless-stopped
     labels:
       - traefik.enable=true
-      - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`) || Host(`who.0rng.one`)
+      - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
 
       - traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
       - traefik.http.routers.whoami-private.middlewares=tailscale-only@file

ansible/roles/pve_docker/tasks/calibre.yml

@@ -4,6 +4,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install calibre compose file
   template:
@@ -13,6 +14,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   register: compose_file
+  become: true
 
 - name: restart calibre
   shell: