Update dependency geerlingguy.certbot to v5.2.0

Close another port, and hopefully get a little more reliability in weird network configurations

.gitea/workflows/ci.yml

@@ -5,9 +5,9 @@ jobs:
   terraform:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
       - uses: taiki-e/install-action@just
       - name: Init
         run: just terraform init -backend=false
@@ -17,9 +17,9 @@ jobs:
   ansible:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
       - uses: taiki-e/install-action@just

.yamllint.yml

@@ -5,7 +5,6 @@ ignore: |
   ansible/galaxy_collections
   ansible/group_vars/all/vps-hosts.yml
   ansible/roles/traefik/files/traefik.yml
-  ansible/roles/nebula/files/nebula.yml
   env
 
 rules:

README.md

@@ -22,3 +22,7 @@ Terraform secrets are stored in `terraform/.env`, and provisioned using `just up
 
 - `just ansible-deploy`
 - `juts terraform apply`
+
+## External configuration
+
+This repository contains most of my infrastructure configuration, but not everything is configured here. Some things are external, for various reasons.

ansible/.ansible-lint

@@ -6,10 +6,10 @@ skip_list:
   - name[casing]
   - name[play]
   - no-changed-when
+  - var-naming[no-role-prefix]
 
 exclude_paths:
   - galaxy_roles/
   - galaxy_collections/
   - ~/.ansible
-  - roles/nebula/files/nebula.yml
   - roles/traefik/files/traefik.yml

ansible/ansible.cfg

@@ -5,10 +5,11 @@ retry_files_enabled = False
 roles_path = $PWD/galaxy_roles:$PWD/roles
 collections_path = $PWD/galaxy_collections
 inventory = ./hosts
-become_ask_pass = True
 interpreter_python = auto_silent
-# HACK: Force Ansible to find dokku plugins
-library = $PWD/galaxy_roles/dokku_bot.ansible_dokku/library
+
+[privilege_escalation]
+become = True
+become_ask_pass = True
 
 [ssh_connection]
 pipelining = True

ansible/dev-requirements.txt

@@ -1,3 +1,4 @@
-ansible-lint==6.17.1
-yamllint==1.32.0
+ansible-lint==24.9.2
+yamllint==1.33.0
 ansible
+passlib

ansible/files/nginx-docker.conf

@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ server_name }};
+    set $upstream {{ upstream }};
+
+    access_log /var/log/nginx/{{ server_name|split|first }}.log main;
+
+    ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
+    ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
+    ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
+    include includes/ssl.conf;
+
+    include includes/docker-resolver.conf;
+
+    location / {
+        proxy_pass http://$upstream;
+
+        {%- if location_extra is defined +%}
+        {{ location_extra }}
+        {%- endif +%}
+    }
+}

ansible/galaxy-requirements.yml

@@ -2,20 +2,21 @@ collections:
   - ansible.posix
   - community.general
   - community.docker
+  - kewlfft.aur
   - name: https://github.com/prometheus-community/ansible
     type: git
 
 roles:
   - src: geerlingguy.docker
-    version: 6.2.0
+    version: 7.4.1
   - src: geerlingguy.ntp
-    version: 2.3.3
+    version: 2.5.0
   - src: realorangeone.reflector
   - src: ironicbadger.proxmox_nag_removal
     version: 1.0.2
   - src: ironicbadger.snapraid
     version: 1.0.0
-  - src: dokku_bot.ansible_dokku
-    version: v2022.10.17
-  - src: nginxinc.nginx
-    version: 0.24.1
+  - src: geerlingguy.certbot
+    version: 5.2.0
+  - src: artis3n.tailscale
+    version: v4.5.0

ansible/group_vars/all/certbot.yml

@@ -0,0 +1,13 @@
+certbot_install_method: package
+certbot_auto_renew: true
+certbot_auto_renew_user: root
+certbot_auto_renew_hour: 23
+certbot_auto_renew_minute: 30
+certbot_auto_renew_options: --quiet --post-hook "systemctl reload nginx"
+certbot_admin_email: "{{ vault_certbot_admin_email }}"
+
+certbot_create_method: webroot
+
+certbot_webroot: /var/www/certbot-webroot
+
+certbot_create_if_missing: true

ansible/group_vars/all/docker.yml

@@ -2,7 +2,17 @@ docker_user:
   id: 3000
   name: dockeruser
 
+docker_users:
+  - "{{ me.user }}"
+
 docker_compose_file_mask: "664"
 docker_compose_directory_mask: "775"
 
+# HACK: Use compose-switch as the install for compose, so the commands still work.
+# Run this task manually, as version comparisons usually fail
+docker_compose_url: https://github.com/docker/compose-switch/releases/latest/download/docker-compose-linux-{{ docker_apt_arch }}
+docker_install_compose: false
+
+docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
+
 docker_update_command: docker-compose pull && docker-compose down --remove-orphans && docker-compose rm && docker-compose up -d

ansible/group_vars/all/nebula.yml

@@ -1,9 +0,0 @@
-nebula:
-  cidr: 10.23.2.0/24
-  clients:
-    casey:
-      ip: 10.23.2.1
-    walker:
-      ip: 10.23.2.4
-    ingress:
-      ip: 10.23.2.5

ansible/group_vars/all/network.yml

@@ -1,2 +1 @@
-private_ip: "{{ nebula.clients[hostname_slug].ip }}"
 ssh_port: 7743

ansible/group_vars/all/pve.yml

@@ -1,5 +1,6 @@
 pve_hosts:
   internal_cidr: 10.23.1.0/24
+  internal_cidr_ipv6: fde3:15e9:e883::1/48
   pve:
     ip: 10.23.1.1
     external_ip: 192.168.2.200
@@ -7,15 +8,17 @@ pve_hosts:
     ip: 10.23.1.11
   forrest:
     ip: 10.23.1.13
+    ipv6: fde3:15e9:e883::103
   jellyfin:
     ip: 10.23.1.101
-  dokku:
-    ip: 10.23.1.102
   docker:
     ip: 10.23.1.103
+    ipv6: fde3:15e9:e883::203
   ingress:
     ip: 10.23.1.10
     external_ip: 192.168.2.201
+    external_ipv6: "{{ vault_ingress_ipv6 }}"
+    ipv6: fde3:15e9:e883::100
   homeassistant:
     ip: 192.168.2.203
   qbittorrent:

ansible/group_vars/all/tailscale.yml

@@ -0,0 +1,11 @@
+# Just install for now, don't configure
+tailscale_up_skip: true
+
+tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
+tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
+
+tailscale_port: 41641
+
+tailscale_nodes:
+  casey:
+    ip: 100.64.0.6

ansible/group_vars/all/vault.yml

@@ -1,38 +1,44 @@
 $ANSIBLE_VAULT;1.1;AES256
-64313263396466623131663462303837643566386538363331643866643630663237313165343936
-6661326238643732343035346436393737303234356533630a386166383135343135373135373036
-38336137316638633339656633363263633462363766643739306136306233663732613135306230
-6233653966313034350a616133663134343235643930396462613139326233396563633061623437
-63343464346239323030336261633964346331323465623461313762373863336361356533666130
-61613930616462373465316532376139373261616438616334643664383937303865386663316133
-30356564343334303764346433366265653663646231636666363065393465326237613236666536
-64663965633264373266386131366465393938343238366430306335346561303366343836323533
-38323033336361343431656233353662383463653232616137666266653332353039303438646466
-31666434666264303163643662323531376239666432616561363830643836313734363732363137
-66366630636465326631353464356465303939393766386332616661623133343735626338386661
-31346134663366386339383439363035376361313336393335656532363638616136323637333734
-38343261333533653833353461386537633635303739663432633766373634363832313030623665
-33663737393164643839373064383964376239333465363731643862303238353432623635656665
-38383265623034393631303638663633336466336566336231366334396532303934663538656666
-32316465626563306534653531646334336133343162623433623734653465346231323764393662
-35333930656435636539373862346631323839303335623364313436383432316437353731373463
-31373138326565626661613335663964623264336232393364336630306236396230316232306235
-66626131393966313739626432366463663335643263323237333534643036396537383339373932
-36343236643731646535346433363139363131623738633234336162383361326661353161656436
-34663463326264323239383066623038316639336666363230616535616631623637646539343335
-63633731323564636234313838306661616363306165356661343930616231666165613461366435
-39313938666431303930663763363462633466326665366432363334393333343766623061666135
-38636639626134663930333664396534646165383435613035393333383563616639393262333933
-30623861623638393838643561373834396431396538316662326134356639323431656631623137
-37666534326530623966343361393235303934323635313063623833353161643165386363373765
-31633461313062396633623561666537633239353035363932333064303338363632316632343031
-36323266343665356635643131613364616134666161353063356562343561633064666661623832
-61366538383631303030316535666639323236323536346635326563383033643538653761623930
-37336434386462363030363866636661656632663938623066636435316437663962303265353363
-30353734653334323536303330633865663963333839386632333336306637333335383532323039
-61666263663266313763353662353136646336646539333163303366323162323435616266626466
-34646134313732393164306463643261326439333565643036303663326263353434663762653263
-63636334363965313137306238393239393938626437353832326634663562653663663265633861
-62363630306364326136653234623764333063306138313037306363346435323435623661393630
-31656463313838313135386331386332333763336362393630643062643966646339386230663038
-36653632626663613536383331393336356333666334646633626363663965393563
+30343832393233616534663738346461303836323930373663613438353339353433636530323132
+3139396237376638376536653263346165323066623864650a666264643966386463353161306664
+61393739636336343338656635303462656232356162616666343238336161613730626363616133
+3663623465366130640a306164396662343262623065366431306163636564646136653730306434
+38346633376533646638396164613837663437356266646430373731383161626336373837303539
+37373939393431336435636336663739633335326430373864653831613964646137323136303634
+62346237313061356630323335306366643131366565343566376666643161666136376337666335
+30633262616666326464326436623136366639363930663061343434396138366336646538363135
+32393061663530333532666331376661623137343635646265613364346531383635366363613265
+65366265666538396438643130396437636562653538303634316465623136333036646432383735
+31643364323265363731383665316338366139343130346536303538623565633662653062323531
+38323630623231633032386663343736616566303166386433633062653530386561366661653663
+63353537623339323134386162376366313132393631613931663738356430623337333262633838
+31316362666639326365663164626263356464623139376166333962356238353637623431623137
+63633361336161373564306631646638386537303238616239646234646332393536316437336466
+61666235343466333539363566613530313761326161346464356363633330373862653033303936
+30666335633663393565303835306662666462633130353163383663333062633731306262613532
+33303866643334343535663632353235313262623231656536313636646564653636396663326632
+65353434633135363630356464636130303262363436633761353161356636646361626165316563
+31666165646135643961383032313532623431376531393231613436376337386537393466343036
+30633262316439303636393739393462653938313965643137373266323465663164653365376537
+30333361626335623836303463613734663138396535656664353730383933386530346130353064
+39653939623261306134323961353562623834333738613338396461343761346461386338333265
+65343932623634663033623163666663303735656633663236366235343066336162303136373332
+64383430653863333238656565383762623962636431323033396234646665616430383561366331
+32643230303962623633663632376566626534633935653832656263333236396366653035633561
+61646161356132383733636639653163346466316230303763623666376238653964376363656539
+63386238373266653732316539643261363662356261383834636637373639656137303935613663
+62653433646366326331636464303537386161383832376164303738353134653138393137313438
+63376262343335313832306466313338396266386535373465313765356638396665356332363539
+32643266636633343332653139636330656331313938613833333662666638366534346235613164
+39373431336637633936376632303131306339653131636163303539653862326566663239646366
+63643936343138663461303530623863663763633235373337616331326361386561663633373362
+31623234353832373961306663633262396437336665616335643064656534306136636236633662
+37646363386564336136396166306630653735313137373266326662376663626139373064326536
+39666633666262666263663265626634346333316466366661313538383734636361376261663333
+30636466306661353034623863616635666433646239343339613130633834303362633835366234
+65346632636166393664333266333266313062313734323239666239396364623162363861613661
+62623732633735666164663138323961666131656336633362373730306631633939343435323633
+31363834393365303530313837356264633262643264393639306236303163353933303830393566
+62316164393231326139623833666639623637616238383236303933323964386664623961336634
+39363062613439666433623863613435626133303032393938613934353562356436656564336339
+643332616661636236363164623461623466

ansible/group_vars/all/vps-hosts.yml

@@ -1,3 +1,5 @@
 "vps_hosts":
   "casey_ip": "213.219.38.11"
-  "walker_ip": "192.248.168.230"
+  "private_ipv6_marker": "2a01:7e00:e000:7f7::1"
+  "private_ipv6_range": "2a01:7e00:e000:7f7::1/128"
+  "walker_ip": "162.55.181.67"

ansible/host_vars/casey.yml

@@ -1,3 +0,0 @@
-nebula_is_lighthouse: true
-nebula_listen_port: "{{ nebula_lighthouse_port }}"
-ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}

ansible/host_vars/casey/main.yml

@@ -0,0 +1,14 @@
+private_ip: "{{ ansible_tailscale0.ipv4.address }}"
+nginx_https_redirect: true
+
+certbot_certs:
+  - domains:
+      - headscale.jakehoward.tech
+  - domains:
+      - whoami-cdn.theorangeone.net
+
+cdn_domains:
+  - whoami-cdn.theorangeone.net
+
+restic_backup_locations:
+  - /var/lib/headscale/

ansible/host_vars/casey/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30643138356634323666316163396138663836316261363966636335366534336330616635383663
+6461393538346263363164613930396266323930626335370a306165306663336538316163666364
+65383835386635336433393162613031386334646632666638613162623434646531356533346132
+3162373933336365660a353163316338303630633761336238363966376336643838616135303231
+32646530376561326635633563393066656232363734653464326665396236656232613362333461
+39393134626466656561346138633362653732333639333765303961383365623737666164326532
+66356263326366323435623834306439633061386364633132613362386663633733386637363266
+31393438326531353265

ansible/host_vars/ingress.yml

@@ -1,2 +1,2 @@
-# Listen on a static port so it can be opened in the firewall
-nebula_listen_port: "{{ nebula_lighthouse_port }}"
+private_ip: "{{ ansible_tailscale0.ipv4.address }}"
+nginx_https_redirect: true

ansible/host_vars/pve-docker/main.yml

@@ -3,8 +3,6 @@ private_ip: "{{ pve_hosts.docker.ip }}"
 traefik_provider_jellyfin: true
 traefik_provider_homeassistant: true
 traefik_provider_grafana: true
-traefik_provider_dokku: true
-
-with_fail2ban: true
+traefik_provider_uptime_kuma: true
 
 db_backups_dir: /mnt/tank/files/db-backups

ansible/host_vars/pve-dokku/main.yml

@@ -1,3 +0,0 @@
-ssh_extra_allowed_users: dokku
-
-db_backups_dir: /mnt/tank/files/db-backups

ansible/host_vars/pve-dokku/vault.yml

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38396636313062623661613537386337356130353839303930346333313062383935353932336230
-6637666434356666346361663131343962663963333638630a376631313531633865396566643032
-31323866386236356639306333393765616630363734326662366632656430323739306439366634
-3364666662623764630a353532373433616365383862633935373332663933386561316262633662
-37366233326439336535623339366565653732646434386639336533386261306238306630396638
-30633433636365663538656338303066353830626137613038323462353137326234356533323335
-39643832636466643864663737316239626161653833343633306435363636663264303165303334
-36383661316566316630

ansible/host_vars/pve/main.yml

@@ -25,7 +25,7 @@ sanoid_datasets:
 
 sanoid_templates:
   production:
-    frequently: 2
+    frequently: 4
     hourly: 48
     daily: 28
     monthly: 3

ansible/host_vars/qbittorrent.yml

@@ -0,0 +1 @@
+private_ip: "{{ pve_hosts.qbittorrent.ip }}"

ansible/host_vars/restic/main.yml

@@ -3,7 +3,6 @@ restic_backup_locations:
   - /mnt/host/mnt/speed
   - /mnt/host/etc/pve
   - /mnt/home-assistant
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
+  - /home/rclone/sync
 
 restic_forget: true
-restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}"

ansible/host_vars/restic/vault.yml

@@ -1,12 +1,17 @@
 $ANSIBLE_VAULT;1.1;AES256
-31333338396531316366353161666432346634373335356464663837386231616632373833656130
-3361383732623965393533316366373864323064393530330a346565393462316561383733653437
-62363736356432363239373863303734323437333034343266313135383866303566396639646230
-3839333535393036390a383534346233633935393561353637353835663763343531613238653664
-39356365306630373036396132373562646130636439373964333363306431666565613434646365
-64353933656365653431386463623034643564303266396438353064373434336436366431366338
-31386637376165633731373633656336623531323965343534323031363163356239353031643165
-37663232636234663735613037666161393736663432656139646264313763303164386161626162
-65393363336435333738303061613738636666303961653361376131376161623264343666353061
-61663636656339363539666335643239653361383961333665646562613935396335623565306531
-643165653537326431373637303639343763
+32353739643531336665636334646135323336353562316362333266316263653364656132643661
+3736386461316563376134326638376261323734663032630a306530636166666561343264393266
+62326437343637363038646632396461303365646466666666386432306134313562356538623133
+6561323739386337630a623835656239633866666333616664366339333232303031343561633239
+62636636623462316536333334306562626637643936623963376663326164333962646134376566
+62646336353937316238333036376232323834346530626136316233626166326231633330646266
+36653263636266626233313263346263633734386339386664323331363263306465626165336337
+38653766366530373230623334386234303461336133323663626439383530373966363830633364
+37336635356334633338633161356161353133656633386563393363303064613761306137323261
+34626164663936306665613861343039666330613263303932333766306663616134316566313963
+66653263643134343363353637343636633936343165363934376537343538643434376434336633
+31613339613035633335643034336265376630326662393865626336303261363130333637643162
+32383863313139663066363766613865653966613430616631346432623164366663313838363164
+37613863326433653531656139633533353539366563653532626534346165626535643434333861
+34306433373134376137633836666162663130623130353062316439303466393035633636386234
+38333132376361376363

ansible/host_vars/tang/main.yml

@@ -1,2 +1,5 @@
 ssh_extra_allowed_users: jake
 private_ip: "{{ ansible_default_ipv4.address }}"
+
+restic_backup_locations:
+  - /var/lib/adguardhome/

ansible/host_vars/tang/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62623062666237373636616333623434363662316639633962363833303663376331346338363365
+6633336638623237396134613033346665313964613538320a656134323135613834316462366161
+36633062623031306562313233356536643132346466376435303031333331643936613036616236
+3231613336396135340a376339396663343837353139393062353530626566626566366439353762
+37376236376437393863633730643531323762336536633034353132356266373361613434326333
+39663562353337666435653435623563383630383537663633336437613262323733363766666539
+66373538386163303731663331666138656435343436613633323766366261316337373830653837
+64313133396532376436

ansible/host_vars/walker/main.yml

@@ -1,3 +1,17 @@
+private_ip: "{{ ansible_tailscale0.ipv4.address }}"
+
 restic_backup_locations:
   - /opt
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
+
+nginx_https_redirect: true
+
+certbot_certs:
+  - domains:
+      - theorangeone.net
+  - domains:
+      - plausible.theorangeone.net
+      - elbisualp.theorangeone.net
+  - domains:
+      - slides.jakehoward.tech
+  - domains:
+      - comentario.theorangeone.net

ansible/hosts

@@ -13,4 +13,3 @@ qbittorrent
 restic
 renovate
 gitea-runner
-pve-dokku

ansible/main.yml

@@ -8,9 +8,12 @@
 
 - hosts: casey
   roles:
+    - nginx
+    - geerlingguy.certbot
     - gateway
-    - nebula
-    - fail2ban_ssh
+    - headscale
+    - restic
+    - glinet_vpn
 
 - hosts:
     - pve
@@ -20,7 +23,6 @@
     - tang
   roles:
     - role: geerlingguy.ntp
-      become: true
       vars:
         ntp_timezone: "{{ timezone }}"
         ntp_manage_config: true
@@ -31,78 +33,78 @@
     - walker
     - renovate
     - gitea-runner
-    - pve-dokku
   roles:
-    - role: geerlingguy.docker
-      become: true
-      vars:
-        docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
-        docker_users:
-          - "{{ me.user }}"
+    - geerlingguy.docker
     - docker_cleanup
 
 - hosts:
     - pve-docker
     - forrest
     - walker
-    - pve-dokku
   roles:
     - db_auto_backup
 
 - hosts:
     - pve-docker
-    - walker
   roles:
     - traefik
 
+- hosts:
+    - ingress
+    - walker
+    - casey
+  become: false  # Forcefully run as current user
+  roles:
+    - artis3n.tailscale
+
 - hosts: pve-docker
   roles:
     - pve_docker
     - yourls
-    - pve_nebula_route
     - privatebin
     - vaultwarden
     - tandoor
     - mastodon
-    - gitea
+    - forgejo
     - vikunja
+    - authentik
+    - minio
+    - ntfy
 
 - hosts: ingress
   roles:
-    - role: nginxinc.nginx  # The nginx in debian's repos is very old
-      become: true
+    - nginx
     - ingress
-    - nebula
 
 - hosts: pve
   roles:
-    - role: ironicbadger.proxmox_nag_removal
-      become: true
+    - ironicbadger.proxmox_nag_removal
     - zfs
-    - pve_nebula_route
-    - role: ironicbadger.snapraid
-      become: true
-    - role: prometheus.prometheus.node_exporter
-      become: true
+    - ironicbadger.snapraid
+    - prometheus.prometheus.node_exporter
 
 - hosts: forrest
   roles:
-    - forrest
-    - pve_nebula_route
+    - prometheus
+    - uptime_kuma
+    - pve_tailscale_route
 
 - hosts: qbittorrent
   roles:
+    - nginx
     - qbittorrent
     - http_proxy
 
 - hosts: walker
   roles:
-    - nebula
-    - upload
+    - nginx
+    - geerlingguy.certbot
+    - coredns_docker_proxy
     - plausible
     - restic
-    - commento
     - website
+    - slides
+    - comentario
 
 - hosts: jellyfin
   roles:
@@ -111,10 +113,11 @@
 - hosts: restic
   roles:
     - restic
+    - s3_sync
 
 - hosts: gitea-runner
   roles:
-    - gitea_runner
+    - forgejo_runner
 
 - hosts: renovate
   roles:
@@ -122,10 +125,6 @@
 
 - hosts: tang
   roles:
-    - pihole
-    - role: prometheus.prometheus.node_exporter
-      become: true
-
-- hosts: pve-dokku
-  roles:
-    - dokku
+    - adguardhome
+    - prometheus.prometheus.node_exporter
+    - restic

ansible/roles/adguardhome/files/Corefile

@@ -0,0 +1,33 @@
+(alias) {
+    errors
+    cancel
+
+    forward . tls://9.9.9.9 tls://149.112.112.112 tls://2620:fe::fe tls://2620:fe::9 {
+       tls_servername dns.quad9.net
+       health_check 15s
+    }
+
+    hosts {
+        {{ pve_hosts.ingress.external_ip }} pve.sys.theorangeone.net
+        {{ pve_hosts.ingress.external_ipv6 }} pve.sys.theorangeone.net
+        fallthrough
+        ttl 300
+    }
+
+    # HACK: Rewrite the CNAME to itself so it's reprocessed
+    rewrite cname exact pve.sys.theorangeone.net. pve.sys.theorangeone.net.
+}
+
+theorangeone.net:53053 {
+    import alias
+}
+
+jakehoward.tech:53053 {
+    import alias
+}
+
+.:53053 {
+    acl {
+        block
+    }
+}

ansible/roles/adguardhome/files/resolved-adguardhome.conf

@@ -0,0 +1,3 @@
+[Resolve]
+DNS=127.0.0.1
+DNSStubListener=no

ansible/roles/adguardhome/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: restart coredns
+  service:
+    name: coredns
+    state: restarted
+    enabled: true
+
+- name: restart systemd-resolved
+  service:
+    name: systemd-resolved
+    state: restarted
+    enabled: true

ansible/roles/adguardhome/tasks/main.yml

@@ -0,0 +1,30 @@
+- name: Install adguardhome
+  kewlfft.aur.aur:
+    name: adguardhome-bin
+
+- name: Disable resolved stub
+  template:
+    src: files/resolved-adguardhome.conf
+    dest: /etc/systemd/resolved.conf.d/adguardhome.conf
+    owner: root
+    mode: "0644"
+  notify: restart systemd-resolved
+
+- name: Use resolved resolv.conf
+  file:
+    src: /run/systemd/resolve/resolv.conf
+    dest: /etc/resolv.conf
+    state: link
+  notify: restart systemd-resolved
+
+- name: Install coredns
+  kewlfft.aur.aur:
+    name: coredns
+
+- name: Install coredns config file
+  template:
+    src: files/Corefile
+    dest: /etc/coredns/Corefile
+    owner: coredns
+    mode: "0644"
+  notify: restart coredns

ansible/roles/authentik/files/docker-compose.yml

@@ -0,0 +1,76 @@
+x-env: &env
+  - TIMEZONE={{ timezone }}
+  - AUTHENTIK_REDIS__HOST=redis
+  - AUTHENTIK_POSTGRESQL__HOST=db
+  - AUTHENTIK_POSTGRESQL__USER=authentik
+  - AUTHENTIK_POSTGRESQL__NAME=authentik
+  - AUTHENTIK_POSTGRESQL__PASSWORD={{ vault_authentik_db_password }}
+  - AUTHENTIK_SECRET_KEY={{ vault_authentik_secret_key }}
+  - AUTHENTIK_WEB__WORKERS=1
+  - AUTHENTIK_DISABLE_UPDATE_CHECK=true
+  - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+  - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+  - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
+  - AUTHENTIK_EMAIL__PORT=465
+  - AUTHENTIK_EMAIL__USERNAME={{ vault_authentik_email_username }}
+  - AUTHENTIK_EMAIL__PASSWORD={{ vault_authentik_email_password }}
+  - AUTHENTIK_EMAIL__USE_TLS=true
+  - AUTHENTIK_EMAIL__FROM={{ vault_authentik_email_from }}
+
+services:
+  server:
+    image: ghcr.io/goauthentik/server:2024.8
+    restart: unless-stopped
+    command: server
+    user: "{{ docker_user.id }}"
+    environment: *env
+    volumes:
+      - "{{ app_data_dir }}/authentik/media:/media"
+      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
+      - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
+      - traefik.http.routers.authentik.middlewares=authentik-ratelimit
+    depends_on:
+      - db
+      - redis
+    networks:
+      - default
+      - traefik
+
+  worker:
+    image: ghcr.io/goauthentik/server:2024.8
+    restart: unless-stopped
+    command: worker
+    user: "{{ docker_user.id }}"
+    environment: *env
+    volumes:
+      - "{{ app_data_dir }}/authentik/media:/media"
+      - "{{ app_data_dir }}/authentik/certs:/certs"
+      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    depends_on:
+      - db
+      - redis
+      - server
+
+  db:
+    image: postgres:15-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD={{ vault_authentik_db_password }}
+      - POSTGRES_USER=authentik
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/redis/authentik:/data
+
+networks:
+  traefik:
+    external: true

ansible/roles/authentik/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart authentik
+  shell:
+    chdir: /opt/authentik
+    cmd: "{{ docker_update_command }}"

ansible/roles/authentik/tasks/main.yml

@@ -3,18 +3,16 @@
 
 - name: Create install directory
   file:
-    path: /opt/commento
+    path: /opt/authentik
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
-  become: true
 
 - name: Install compose file
   template:
     src: files/docker-compose.yml
-    dest: /opt/commento/docker-compose.yml
+    dest: /opt/authentik/docker-compose.yml
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
-  notify: restart commento
-  become: true
+  notify: restart authentik

ansible/roles/authentik/vars/vault.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31633966386539623139356136333664326633646537366433626432363437336331333639636634
+6563646365666534393834636539376337666336376666300a313338336365383338633165646531
+35656231613762393636666332653434393966343039313863333566646434643630343438623362
+6466383362396539610a366438306332303331656237343466313135336431363335306636643363
+32383066353331383461613532323265353861663835663463383235303863306438386364303235
+31323264323732326231336162393438313262323263316564336266663565666361316564373332
+61616637306636353362633338616461646232616165323638346164346565353139666238323033
+36366537393530613464613033383438666362636166613062653930326663626337346636346434
+66396362656231613930653866386334393438336332383637356663323936623863313161323039
+34316639633235313132336238636162343936336163356135303034383434346561356365633636
+32633930313335343961653835656363333365656438393334303333373337353566666532373964
+38316362306362363464313237383130343239326238663062616533396230316438316536333139
+66353835333066346634366638323930616365386364643165666133666565383137303062636263
+64646639666235356264623663313762333666306565303237656434323365316165633866373964
+38326631656463373161356562303031643231623332653861616535333834336630363239363632
+31643862626639353132373232393966323461653361343331653261356431363933326130363433
+38323633343433346535633937373466666639353530653164313532623535653135613766336138
+64626631656431613937366563373934616364656536373437353563346165626535326464353439
+37353136376636633231393733613663633864616163373736386332316162333166303863663538
+63376461643263326362373434666138303635636165616564316432626564356138623032653737
+37323633353165623661343736363933323631646438383430303234326665613566

ansible/roles/base/files/ssh-jail.conf

@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}

ansible/roles/base/files/sshd_config

@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
 
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0

ansible/roles/base/tasks/fail2ban.yml

@@ -1,25 +1,21 @@
 - name: Install fail2ban
   package:
     name: fail2ban
-  become: true
 
 - name: Enable fail2ban
   service:
     name: fail2ban
     enabled: true
-  become: true
 
 - name: fail2ban SSH jail
   template:
     src: files/ssh-jail.conf
     dest: /etc/fail2ban/jail.d/ssh.conf
     mode: "0600"
-  become: true
   register: fail2ban_jail
 
 - name: Restart fail2ban
   service:
     name: fail2ban
     state: restarted
-  become: true
   when: fail2ban_jail.changed

ansible/roles/base/tasks/logrotate.yml

@@ -1,13 +1,11 @@
 - name: Install logrotate
   package:
     name: logrotate
-  become: true
 
 - name: Enable logrotate timer
   service:
     name: logrotate.timer
     enabled: true
-  become: true
   when: ansible_os_family == 'Archlinux'
 
 - name: logrotate fail2ban config
@@ -15,4 +13,3 @@
     src: files/fail2ban-logrotate
     dest: /etc/logrotate.d/fail2ban
     mode: "0600"
-  become: true

ansible/roles/base/tasks/packages.yml

@@ -1,7 +1,6 @@
 - name: Install Base Packages
   package:
     name: "{{ item }}"
-  become: true
   loop:
     - htop
     - neofetch

ansible/roles/base/tasks/ssh.yml

@@ -1,13 +1,11 @@
 - name: Install OpenSSH for Debian
   package:
     name: openssh-server
-  become: true
   when: ansible_os_family == 'Debian'
 
 - name: Install OpenSSH for Arch
   package:
     name: openssh
-  become: true
   when: ansible_os_family == 'Archlinux'
 
 - name: Define context
@@ -22,7 +20,6 @@
     validate: /usr/sbin/sshd -t -f %s
     backup: true
     mode: "644"
-  become: true
   register: sshd_config
 
 - name: Set up authorized keys
@@ -38,11 +35,9 @@
   service:
     name: sshd
     enabled: true
-  become: true
 
 - name: Restart SSH Daemon
   service:
     name: sshd
     state: reloaded
   when: sshd_config.changed
-  become: true

ansible/roles/base/tasks/user.yml

@@ -5,11 +5,9 @@
     comment: "{{ me.name }}"
     shell: /bin/bash
     system: true
-  become: true
 
 - name: Give user sudo access
   user:
     name: "{{ me.user }}"
     groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
     append: true
-  become: true

ansible/roles/comentario/files/docker-compose.yml

@@ -0,0 +1,27 @@
+services:
+  comentario:
+    image: registry.gitlab.com/comentario/comentario:v3.11.0
+    restart: unless-stopped
+    user: "{{ docker_user.id }}:{{ docker_user.id }}"
+    depends_on:
+      - db
+    networks:
+      - default
+      - coredns
+    volumes:
+      - ./secrets.yml:/comentario/secrets.yaml
+    environment:
+      - BASE_URL=https://comentario.theorangeone.net
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=comentario
+      - POSTGRES_USER=comentario
+
+networks:
+  coredns:
+    external: true

ansible/roles/comentario/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart comentario
+  shell:
+    chdir: /opt/comentario
+    cmd: "{{ docker_update_command }}"

ansible/roles/comentario/tasks/main.yml

@@ -0,0 +1,37 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/comentario
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/comentario/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart comentario
+
+- name: Install secrets
+  copy:
+    content: "{{ comentario_secrets | to_nice_yaml }}"
+    dest: /opt/comentario/secrets.yml
+    mode: "600"
+    owner: "{{ docker_user.name }}"
+  notify: restart comentario
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/comentario.conf
+    mode: "0644"
+  notify: reload nginx
+  vars:
+    server_name: comentario.theorangeone.net
+    upstream: comentario-comentario-1.docker:80
+    ssl_cert_path: /etc/letsencrypt/live/comentario.theorangeone.net

ansible/roles/comentario/vars/main.yml

@@ -0,0 +1,21 @@
+comentario_secrets:
+  postgres:
+    host: db
+    database: comentario
+    username: comentario
+    password: comentario
+  idp:
+    github:
+      key: "{{ vault_comentario_github_client_id }}"
+      secret: "{{ vault_comentario_github_client_secret }}"
+    gitlab:
+      key: "{{ vault_comentario_gitlab_application_id }}"
+      secret: "{{ vault_comentario_gitlab_application_secret }}"
+    twitter:
+      key: "{{ vault_comentario_twitter_api_key }}"
+      secret: "{{ vault_comentario_twitter_api_secret  }}"
+  smtpServer:
+    host: smtp.eu.mailgun.org
+    port: 587
+    username: "{{ vault_comentario_smtp_username }}"
+    password: "{{ vault_comentario_smtp_password }}"

ansible/roles/comentario/vars/vault.yml

@@ -0,0 +1,38 @@
+$ANSIBLE_VAULT;1.1;AES256
+36376264363334643335646564636336613234393261326366386234663464633966666133383933
+3731363234333962306638323737336237343230653439650a343362336166626633666161313863
+33623130623239626532663063633436616665653135343266336330353538306265323739326262
+3066643432643465350a643436366637623765663265316665386564663933663730383264396336
+39396139396238653065366663333533343336363631616332616362386639313766656136666532
+63336131346563323733333139636233353465643766643562643632653062373737353364336536
+64653162656233383136363339623933643834363931663830656364396637333632613838323461
+38666362663831363363636363346164343032376366346530393864306332326339323836643062
+66346265643039663636616464383330366539343832373839663361393661353861643364633534
+38383461323031626161663938326339386634363165303238333365323235303535333765613734
+30363032386333353962306131373466356137666334303230343561616639363238633630386330
+32383537646430666331313530343033376238646334313335343661313665626631663331656638
+31303637343263343566386634623362373366323136663032663966313836353136616564646563
+66653938326539343130346439666264663962323661386131643432663237643334633837376163
+62393330336434393232646163353539303831336638663135393734393064353964623032616233
+32393037313965313933363236653537306634613265633764636436653332623339316132373964
+39313334653831366533663661653934633338393539326564396236373462623262333530346436
+66646266623666333034346634613365356333343934363963366137303030646638373466643564
+66356265363634623363646266633137363966666361366463383266663032316665373430383031
+33303530323561366531356133363035353732333135303762316337626330333530303563643935
+35303465633536373833386435336638386662353032383861633965393564303839666463616263
+39353934343965316134663634363135616338353734656361343433313837313639303931356233
+39643135353661306461393962646238613062356361386533316362633233353235666262653738
+33616465653435303736636165343239336139383162616463613232656639393338363766396434
+32353965363537666366623066313461316463373130653637343430366231366263616261393564
+36323038383238633239323365326334393132643832373033643432653032613665646666336338
+30316565346630396537363431366337656236363462646435393731323866313366373438386265
+61373366383865336334356638653065333839303663636266393933663833313931333133663966
+35306163373462613335616265316563313062623139343061306465656463336162396266636437
+36646439613433306464383133636466383430363363393762646534343133333732613530626162
+31633430313039643636666365613232373335336235633832666139643937373766336563303266
+34396137656436373438383035316133343132313130636536393536393862386531386531303761
+64613337353463383032636636643963636235346262646366366539646233313939633864306335
+38373465373863383964633038373334386632666236303436376438666132623964396434626439
+38356235353430323236623962396461346438633962333163393535373362373164313132356232
+63313639333862313565396165613265623135626635373134626137633638333561353732313036
+3837

ansible/roles/commento/files/docker-compose.yml

@@ -1,41 +0,0 @@
-version: "2.3"
-
-services:
-  commento:
-    image: ghcr.io/souramoo/commentoplusplus:latest
-    restart: unless-stopped
-    depends_on:
-      - db
-    networks:
-      - default
-      - traefik
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.commento.rule=Host(`commento.theorangeone.net`)
-    environment:
-      - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
-      - COMMENTO_ORIGIN=https://commento.theorangeone.net
-      - COMMENTO_GZIP_STATIC=true
-      - COMMENTO_FORBID_NEW_OWNERS=true
-      - COMMENTO_GITHUB_KEY={{ commento_github_client_id }}
-      - COMMENTO_GITHUB_SECRET={{ commento_github_client_secret }}
-      - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
-      - COMMENTO_SMTP_PORT=587
-      - COMMENTO_SMTP_USERNAME={{ commento_smtp_username }}
-      - COMMENTO_SMTP_PASSWORD={{ commento_smtp_password }}
-      - COMMENTO_SMTP_FROM_ADDRESS={{ commento_from_email }}
-      - COMMENTO_GITLAB_KEY={{ commento_gitlab_application_id }}
-      - COMMENTO_GITLAB_SECRET={{ commento_gitlab_application_secret }}
-
-  db:
-    image: postgres:14-alpine
-    restart: unless-stopped
-    volumes:
-      - ./postgres:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_PASSWORD=commento
-      - POSTGRES_USER=commento
-
-networks:
-  traefik:
-    external: true

ansible/roles/commento/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart commento
-  shell:
-    chdir: /opt/commento
-    cmd: "{{ docker_update_command }}"

ansible/roles/commento/vars/main.yml

@@ -1,7 +0,0 @@
-commento_github_client_id: "{{ vault_commento_github_client_id }}"
-commento_github_client_secret: "{{ vault_commento_github_client_secret }}"
-commento_smtp_username: "{{ vault_commento_smtp_username }}"
-commento_smtp_password: "{{ vault_commento_smtp_password }}"
-commento_from_email: "{{ vault_commento_from_email }}"
-commento_gitlab_application_id: "{{ vault_commento_gitlab_application_id }}"
-commento_gitlab_application_secret: "{{ vault_commento_gitlab_application_secret }}"

ansible/roles/commento/vars/vault.yml

@@ -1,32 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35343736363532306236303339356634316461383639333836393761356165633662326332613666
-3830323961313939316336393566363163646538623532310a363165666238653535353236383839
-35363730353939656330346639323331393562393339393562383034663231396164333261646438
-6564336362306636300a613634336337326534626263386466626238343130633864623862336563
-66326262613330373035663863663532626437303435333432383839303331333538363139643633
-64633465383135653265393033656135356166323238356130353633363030396366613164303033
-63303832376462616464333031366337626564633135386230313538353166343532643035336636
-31336531643766346438653333376364316162313765656330666330643261653433363339323665
-30623164373931336238303265316665373361336338346336646439356538333266393934343139
-34643433326330386564653461626264626231353863333935313665663462323234666463306266
-38626538666262333934393733626562313432393566643435376163653432613363663035333165
-36616431363563663235646433343564346164393034613436666362383233646636373163616666
-36376133346634653738376137393265303261626562366666303137313338633237313834386432
-66643264643532306364366562333837366636616237653033306538663435316163613266343565
-31633437353963313733326339666331323061363963303132363262343966653433303835323337
-31313363366631313930633061346265633261643238313762353932623230353938656264323437
-39346634383135306135326338616664336435343235383863393830386662393036383161303465
-33353261613537666464313437613335643830343336343535646665356333616266666233353065
-64313131306663313064633631663536386531343733643534336631666266613165313330653962
-35346262373437623333333234383531633238343463653862663236666337363738303463373664
-62343363323465313561376232633630303965306238316161383139316133343233343033376262
-63303264366536346234383063653838353638313561626433616462383339326631643533356639
-39653762633733363237383762356134366264356437346430343830616233373732616261613231
-62646639353132653038303536613738373137623236616631643738323737383637313633396135
-37613037313437613836336332346162383832613938356638333564346237373032356438363464
-31343464306131393362343433316666366632633036653262633361333165643735393231623932
-31643261326266323232383630353534326662303965393161343938663131343263363461303430
-31376161393038376262616333333362323033313436396164313438613532663564623633303365
-32656630663834633039316561663231656131383535653766316138313138346363633537373164
-62333532316135303366386261613131333364383031346364303938356631393865396133386633
-636462653562653538636531356537353133

ansible/roles/coredns_docker_proxy/files/Corefile

@@ -0,0 +1,21 @@
+. {
+    errors
+    cancel
+
+    # Only allow requests to `.docker` records
+    view docker {
+        expr name() endsWith '.docker.'
+    }
+
+    # Strip the `.docker` suffix
+    rewrite name suffix .docker . answer auto
+
+    # Forward requests to Docker's DNS server
+    forward . 127.0.0.11
+}
+
+. {
+    acl {
+        block
+    }
+}

ansible/roles/coredns_docker_proxy/files/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  coredns:
+    image: coredns/coredns:latest
+    restart: unless-stopped
+    volumes:
+      - ./Corefile:/home/nonroot/Corefile:ro
+    ports:
+      - "{{ private_ip }}:53053:53/udp"
+    networks:
+      - default
+      - coredns
+
+networks:
+  coredns:
+    external: true

ansible/roles/coredns_docker_proxy/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart coredns
+  shell:
+    chdir: /opt/coredns
+    cmd: "{{ docker_update_command }}"

ansible/roles/coredns_docker_proxy/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Create network
+  docker_network:
+    name: coredns
+    internal: true
+
+- name: Create install directory
+  file:
+    path: /opt/coredns
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/coredns/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart coredns

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "2.3"
-
 services:
   backup:
     image: ghcr.io/realorangeone/db-auto-backup:latest
@@ -8,12 +6,15 @@ services:
       - "{{ db_backups_dir }}:/var/backups"
     environment:
       - DOCKER_HOST=tcp://docker_proxy:2375
-      - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }}
+      - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
     depends_on:
       - docker_proxy
+    networks:
+      - default
+      - backup_private
 
   docker_proxy:
-    image: tecnativa/docker-socket-proxy:latest
+    image: lscr.io/linuxserver/socket-proxy:latest
     restart: unless-stopped
     environment:
       - POST=1
@@ -22,5 +23,13 @@ services:
       - EXEC=1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - backup_private
+    tmpfs:
+      - /run
     logging:
       driver: none
+
+networks:
+  backup_private:
+    internal: true

ansible/roles/db_auto_backup/tasks/main.yml

@@ -4,7 +4,6 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
-  become: true
 
 - name: Install compose file
   template:
@@ -14,4 +13,3 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart db-auto-backup
-  become: true

ansible/roles/db_auto_backup/vars/main.yml

@@ -1 +0,0 @@
-db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"

ansible/roles/docker_cleanup/tasks/main.yml

@@ -1,15 +1,20 @@
 - name: Install docker-compose
   package:
     name: docker-compose
-  become: true
   when: ansible_os_family != 'Debian'
 
+- name: Install compose-switch
+  get_url:
+    url: "{{ docker_compose_url }}"
+    dest: "{{ docker_compose_path }}"
+    mode: "0755"
+  when: ansible_os_family == 'Debian'
+
 - name: Create docker group
   group:
     name: "{{ docker_user.name }}"
     state: present
     gid: "{{ docker_user.id }}"
-  become: true
 
 - name: Create docker user
   user:
@@ -17,21 +22,18 @@
     uid: "{{ docker_user.id }}"
     group: "{{ docker_user.name }}"
     create_home: false
-  become: true
 
 - name: Add user to docker user group
   user:
     name: "{{ me.user }}"
     groups: "{{ docker_user.name }}"
     append: true
-  become: true
 
 - name: Add user to docker group
   user:
     name: "{{ me.user }}"
     groups: docker
     append: true
-  become: true
 
 - name: Clean up docker containers
   cron:
@@ -39,6 +41,8 @@
     hour: 1
     minute: 0
     job: docker system prune -af --volumes
+    cron_file: docker_cleanup
+    user: root
 
 - name: Install util scripts
   copy:
@@ -46,6 +50,7 @@
     dest: "{{ me.home }}"
     mode: "755"
     directory_mode: "755"
+    owner: "{{ me.user }}"
 
 - name: override docker service for zfs dependencies
   include_tasks: zfs-override.yml

ansible/roles/docker_cleanup/tasks/zfs-override.yml

@@ -3,7 +3,6 @@
     path: /etc/systemd/system/docker.service.d
     state: directory
     mode: "0755"
-  become: true
 
 - name: Create override.conf
   copy:
@@ -12,4 +11,3 @@
     owner: root
     group: root
     mode: "0644"
-  become: true

ansible/roles/dokku/files/nginx.conf

@@ -1,29 +0,0 @@
-worker_processes  auto;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    sendfile        on;
-
-    keepalive_timeout  65;
-
-    gzip  on;
-
-    # Block requests which don't have an explicit handler
-    server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-
-        server_name _;
-        access_log off;
-        return 418;
-    }
-
-    # Load configuration files for the default server block.
-    include /etc/nginx/conf.d/*.conf;
-}

ansible/roles/dokku/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart nginx
-  service:
-    name: nginx
-    state: restarted
-  become: true

ansible/roles/dokku/tasks/main.yml

@@ -1,63 +0,0 @@
-# HACK: Fake include some tasks from `ansible_dokku`, so its library plugins can be used below
-- name: Run role without running any tasks
-  include_role:
-    name: dokku_bot.ansible_dokku
-    tasks_from: init.yml
-    apply:
-      when: false
-
-- name: Install Dokku
-  package:
-    name: dokku
-  become: true
-
-- name: List dokku plugins
-  command: dokku plugin:list
-  changed_when: false
-  register: installed_dokku_plugins
-
-- name: Install Dokku plugins
-  command: dokku plugin:install {{ item.url }} --name {{ item.name }}
-  when: installed_dokku_plugins.stdout.find(item.name) == -1
-  loop: "{{ dokku_plugins }}"
-  loop_control:
-    label: "{{ item.name }}"
-  become: true
-
-- name: Automatically update Dokku plugins
-  cron:
-    name: dokku plugin:update {{ item.name }}
-    minute: 0
-    hour: 12
-    user: root
-    job: /usr/bin/chronic /usr/bin/dokku plugin:update {{ item.name }}
-    cron_file: dokku-plugin-update-{{ item.name }}
-  loop: "{{ dokku_plugins }}"
-  loop_control:
-    label: "{{ item.name }}"
-  become: true
-
-- name: Set up global domain
-  dokku_domains:
-    global: true
-    domains: d.theorangeone.net
-  become: true
-
-- name: Install custom nginx config
-  template:
-    src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
-    validate: nginx -t -c %s
-    mode: "644"
-  notify: restart nginx
-  become: true
-
-# https://dokku.com/docs/advanced-usage/backup-recovery/
-- name: Sync data to app-data
-  cron:
-    name: clean up docker containers
-    hour: "*/6"
-    minute: 0
-    user: root
-    job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
-    cron_file: dokku-data-sync

ansible/roles/dokku/vars/main.yml

@@ -1,9 +0,0 @@
-dokku_plugins:
-  - name: postgres
-    url: https://github.com/dokku/dokku-postgres.git
-  - name: redis
-    url: https://github.com/dokku/dokku-redis.git
-  - name: redirect
-    url: https://github.com/dokku/dokku-redirect.git
-  - name: http-auth
-    url: https://github.com/dokku/dokku-http-auth.git

ansible/roles/fail2ban_ssh/defaults/main.yml

@@ -1 +0,0 @@
-f2b_user: f2b

ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# Remove `-c` argument
-shift
-
-sudo fail2ban-client $@

ansible/roles/fail2ban_ssh/files/f2b_key.pub

@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65656562376262323162613131353164623832616263313530383838623161333739393037363362
-3332616430663862363566613532396230643636376537620a356261383430643566323264343437
-39333034643632316130303136326433613333383738386531353530633539616661626664626430
-3230666237616165650a326536313835643135626135316437356363623562343538383132306539
-38366339356565393336396133616261363232356139623164623738633138363963353637353734
-33333334313864376131653535653132626366306630393764353464636331316564616230396663
-31363463643765386538643761666265383166353765633233323934663235316331346465653234
-31396139633936363738383766356135656434343338623137663436626436663866366663363534
-3364

ansible/roles/fail2ban_ssh/tasks/main.yml

@@ -1,34 +0,0 @@
-- name: Make user
-  user:
-    name: "{{ f2b_user }}"
-    comment: "{{ me.user }}"
-    shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
-    system: false
-  become: true
-
-- name: Give user sudo access to client
-  lineinfile:
-    path: /etc/sudoers
-    line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
-  become: true
-
-- name: Allow custom shell
-  lineinfile:
-    path: /etc/shells
-    line: /home/{{ f2b_user }}/f2b-entrypoint.sh
-  become: true
-
-- name: Create entrypoint
-  template:
-    src: files/f2b-entrypoint.sh
-    dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
-    mode: "755"
-  become: true
-  register: sshd_config
-
-- name: Set up authorized keys
-  ansible.posix.authorized_key:
-    user: "{{ f2b_user }}"
-    state: present
-    key: "{{ lookup('file', 'files/f2b_key.pub') }}"
-  become: true

ansible/roles/forgejo/files/app.ini

@@ -1,9 +1,12 @@
-APP_NAME = Gitea: Git with a cup of orange juice
+APP_NAME = Forgejo
 
 [repository]
 ROOT = /mnt/repositories
 DEFAULT_BRANCH = master
 DISABLE_STARS  = true
+DEFAULT_REPO_UNITS = repo.code
+DEFAULT_FORK_REPO_UNITS = repo.code
+
 
 [server]
 SSH_DOMAIN              = git.theorangeone.net
@@ -18,7 +21,7 @@ PROTOCOL                = http  # TLS termination done by Traefik
 ENABLE_GZIP             = true
 OFFLINE_MODE            = true
 LANDING_PAGE            = explore
-LFS_JWT_SECRET          = {{ lfs_jwt_secret }}
+LFS_JWT_SECRET          = {{ vault_lfs_jwt_secret }}
 
 [database]
 DB_TYPE  = postgres
@@ -29,18 +32,18 @@ PASSWD   = gitea
 
 [session]
 PROVIDER        = db
-COOKIE_NAME     = gitea_session
+COOKIE_NAME     = forgejo_session
 
 [log]
 LEVEL = warn
 
 [security]
 INSTALL_LOCK                  = true
-SECRET_KEY                    = {{ secret_key }}
-INTERNAL_TOKEN                = {{ internal_token }}
+SECRET_KEY                    = {{ vault_secret_key }}
+INTERNAL_TOKEN                = {{ vault_internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
-COOKIE_USERNAME               = gitea_username
-COOKIE_REMEMBER_NAME          = gitea_remember
+COOKIE_USERNAME               = forgejo_username
+COOKIE_REMEMBER_NAME          = forgejo_remember
 LOGIN_REMEMBER_DAYS           = 30
 REVERSE_PROXY_TRUSTED_PROXIES = *
 
@@ -61,9 +64,8 @@ REPO_PAGING_NUM = 100
 [ui]
 SITEMAP_PAGING_NUM   = 100
 FEED_PAGING_NUM      = 100
-DEFAULT_THEME        = gitea
+DEFAULT_THEME        = forgejo-auto
 ISSUE_PAGING_NUM     = 100
-THEME_COLOR_META_TAG = "#ff7f00"
 FEED_MAX_COMMIT_NUM  = 30
 SHOW_USER_EMAIL      = false
 EXPLORE_PAGING_NUM   = 100
@@ -115,9 +117,9 @@ ALLOW_LOCALNETWORKS = true
 ENABLED        = true
 SMTP_ADDR      = smtp.eu.mailgun.org
 SMTP_PORT      = 465
-FROM           = "{{ mailer_from_address }}"
-USER           = "{{ mailer_user }}"
-PASSWD         = "{{ mailer_password }}"
+FROM           = "{{ vault_mailer_from_address }}"
+USER           = "{{ vault_mailer_user }}"
+PASSWD         = "{{ vault_mailer_password }}"
 PROTOCOL    = smtps
 
 [packages]
@@ -126,8 +128,8 @@ STORAGE_TYPE = backblaze
 [storage.backblaze]
 STORAGE_TYPE = minio
 MINIO_ENDPOINT = s3.eu-central-003.backblazeb2.com
-MINIO_ACCESS_KEY_ID = {{ backblaze_access_key_id }}
-MINIO_SECRET_ACCESS_KEY = {{ backblaze_secret_access_key }}
+MINIO_ACCESS_KEY_ID = {{ vault_backblaze_access_key_id }}
+MINIO_SECRET_ACCESS_KEY = {{ vault_backblaze_secret_access_key }}
 MINIO_BUCKET = 0rng-gitea
 MINIO_LOCATION = eu-central-003
 SERVE_DIRECT = true
@@ -137,4 +139,4 @@ MINIO_USE_SSL = true
 PATH = /mnt/repo-archive
 
 [oauth2]
-JWT_SECRET = {{ oauth2_jwt_secret }}
+JWT_SECRET = {{ vault_oauth2_jwt_secret }}

ansible/roles/forgejo/files/docker-compose.yml

@@ -1,8 +1,6 @@
-version: "2.3"
-
 services:
-  gitea:
-    image: gitea/gitea:1.20.5-rootless
+  forgejo:
+    image: code.forgejo.org/forgejo/forgejo:9-rootless
     user: "{{ docker_user.id }}:{{ docker_user.id }}"
     environment:
       - TZ={{ timezone }}
@@ -24,8 +22,8 @@ services:
       - redis
     labels:
       - traefik.enable=true
-      - traefik.http.routers.gitea.rule=Host(`git.theorangeone.net`)
-      - traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
+      - traefik.http.routers.forgejo.rule=Host(`git.theorangeone.net`)
+      - traefik.http.services.forgejo-forgejo.loadbalancer.server.port=3000
     networks:
       - default
       - traefik

ansible/roles/forgejo/files/footer.html

@@ -1,3 +1,3 @@
-{{ if not .SignedUserName}}
+{{ if not .IsSigned }}
   <script defer data-domain="git.theorangeone.net" src="https://elbisualp.theorangeone.net/js/script.js"></script>
 {{ end }}

ansible/roles/forgejo/tasks/main.yml

@@ -7,7 +7,6 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
-  become: true
 
 - name: Install compose file
   template:
@@ -17,7 +16,6 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart gitea
-  become: true
 
 - name: Install config file
   template:
@@ -26,24 +24,6 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart gitea
-  become: true
-
-- name: Install robots.txt
-  template:
-    src: files/robots.txt
-    dest: "{{ app_data_dir }}/gitea/data/custom/robots.txt"
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-  notify: restart gitea
-  become: true
-
-- name: Create public images directory
-  file:
-    path: "{{ app_data_dir }}/gitea/data/custom/public/img"
-    state: directory
-    owner: "{{ docker_user.name }}"
-    mode: "{{ docker_compose_directory_mask }}"
-  become: true
 
 - name: Create custom templates directory
   file:
@@ -52,15 +32,6 @@
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
     recurse: true
-  become: true
-
-- name: Install custom branding
-  unarchive:
-    src: https://git.theorangeone.net/api/packages/sys/generic/gitea-branding/latest/branding.zip
-    dest: "{{ app_data_dir }}/gitea/data/custom/public/img"
-    remote_src: true
-    owner: "{{ docker_user.name }}"
-  become: true
 
 - name: Install custom footer
   copy:
@@ -69,4 +40,3 @@
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_file_mask }}"
   notify: restart gitea
-  become: true

ansible/roles/forgejo_runner/files/config.yml

@@ -0,0 +1,82 @@
+# based on https://gitea.com/gitea/act_runner/src/tag/v0.2.6/internal/pkg/config/config.example.yaml
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: /data/.runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: "{{ ansible_processor_nproc }}"
+  # Extra environment variables to run jobs.
+  envs: {}
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: /data/.env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 5s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  # labels: []
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in /data/.cache/actcache.
+  dir: /data/cache/server
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: bridge
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options: ""
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent: /workspace
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, /data/.cache/act/ will be used.
+  workdir_parent: /data/cache/actions

ansible/roles/forgejo_runner/files/docker-compose.yml

@@ -0,0 +1,44 @@
+services:
+  forgejo-runner:
+    image: code.forgejo.org/forgejo/runner:4.0.1
+    user: "{{ docker_user.id }}"
+    volumes:
+      - /mnt/data:/data
+      - ./config.yml:/data/config.yml
+    environment:
+      - TZ={{ timezone }}
+      - DOCKER_HOST=tcp://docker_proxy:2375
+    restart: unless-stopped
+    command: forgejo-runner daemon
+    networks:
+      - default
+      - forgejo_private
+    depends_on:
+      - docker_proxy
+
+  docker_proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    restart: unless-stopped
+    environment:
+      - POST=1
+      - CONTAINERS=1
+      - INFO=1
+      - IMAGES=1
+      - VOLUMES=1
+      - NETWORKS=1
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      - EXEC=1
+    tmpfs:
+      - /run
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - forgejo_private
+    logging:
+      driver: none
+
+networks:
+  forgejo_private:
+    internal: true

ansible/roles/forgejo_runner/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart forgejo-runner
+  shell:
+    chdir: /opt/forgejo-runner
+    cmd: "{{ docker_update_command }}"

ansible/roles/forgejo_runner/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: Create install directory
+  file:
+    path: /opt/forgejo-runner
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+
+- name: Install config file
+  template:
+    src: files/config.yml
+    dest: /opt/forgejo-runner/config.yml
+    mode: "600"
+    owner: "{{ docker_user.name }}"
+  notify: restart forgejo-runner
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/forgejo-runner/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart forgejo-runner

ansible/roles/forrest/files/prometheus/alertmanager.yml

@@ -1,15 +0,0 @@
-global:
-  resolve_timeout: 3m
-  smtp_smarthost: smtp.eu.mailgun.org:465
-  smtp_from: "{{ alertmanager_from_address }}"
-  smtp_auth_username: "{{ alertmanager_from_address }}"
-  smtp_auth_password: "{{ alertmanager_smtp_password }}"
-
-route:
-  receiver: default
-
-receivers:
-  - name: default
-    email_configs:
-      - to: "{{ alertmanager_to_address }}"
-        send_resolved: true

ansible/roles/forrest/tasks/main.yml

@@ -1,8 +0,0 @@
-- name: Include vault
-  include_vars: vault.yml
-
-- name: Grafana
-  include_tasks: grafana.yml
-
-- name: Prometheus
-  include_tasks: prometheus.yml

ansible/roles/forrest/vars/main.yml

@@ -1,11 +0,0 @@
-grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
-grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
-grafana_from_email: "{{ vault_grafana_from_email }}"
-homeassistant_token: "{{ vault_homeassistant_token }}"
-prometheus_healthcheck_uuid: "{{ vault_prometheus_healthcheck_uuid }}"
-healthchecks_project_uuid: "{{ vault_healthchecks_project_uuid }}"
-healthcheck_api_token: "{{ vault_healthcheck_api_token }}"
-alertmanager_from_address: "{{ vault_alertmanager_from_address }}"
-alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
-alertmanager_to_address: "{{ vault_alertmanager_to_address }}"
-prometheus_api_token: "{{ vault_prometheus_api_token }}"

ansible/roles/forrest/vars/vault.yml

@@ -1,52 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36623535313964653161353330663436356239613837653837393939373034353031646535333535
-6439313832316239616233306632373934616134616466380a316361363263373938636161666535
-31613461333637373732626233623434316335353964353433643635653566613933393361336139
-3864373963396264320a376634346331373762313733323961386566646338633936303631303566
-66616534326430653266396635353932623661363533356537636662636537656434363562646230
-30613831336561376639393466373739373138313931333163353061633465623362666564313631
-66623235353531613737643937613430323934376433393836346339626137616561313062663234
-63363736326439623661376132613136383465393761653236663631613339653066356436653630
-66623865303735616335373231643233386639323838353534613337316161633765396234366533
-33616631663530643764373937346262633734366339303837393737666665363465333239343933
-35613962396534336232623833303034643639323931633966396439383463396261313862626335
-31323434613838353961336136613966636635646632393839663664376632373834313265643338
-30663132633362323831313231333164643665386535323231646262656631383631393539616639
-34343563353064303833383236626136666264316236316537333965313162616637323966363335
-32353936663162316564306337353861396634353935353935306135343665316262643831396537
-61393266383538666563363261646534636632303332343662636631316663343930303766623638
-35376565343638316339623061396536643636313966383633346231633631353032356661386132
-66623439336338616666626431303635373833666137326234653161336434346133636261363662
-39313732303736386137656664303365363234336265643064306562643435633838373864353862
-33366635333630373162656630666232333563623066333461653963363961623435646631373561
-64643738346138366566303233326663383835386132663034313461383161616164636332396332
-37663131386135393833373461663432666264363065666630646164633134303439663435616235
-35656234313761376532306264393637653433623863383830323935316332383338623134323366
-31336665386137323132363962363335623635336131373930353635353663333366363266303138
-35626262613261636561373730626635303836623561643436646430653365663432323938393863
-63633331663462323163646237386262376337313330323036613434383165616530643362616131
-63616562353964316634646434653138333266646633616631653663663838306163616633643234
-61333230373237613436343662363434303766383336376232353066313231666330613761643366
-36326638326439653966643430313366376661633636366565393461623438323366373333663633
-61633763623631333665363333646433656166633364303836623566333336343761613435353138
-37366165613263653564386334303030623333646164303662363065333831376334656537613130
-33373864663237383064653461616165653834393063663332643235316139333539623463343161
-38636564626466633631393938653066373764663935353763626133623762306164383831663061
-34333065326666373337663931313763383739383763333235333939376133363236643136346233
-62643833376631643036613963643939333133343036613332313866373032646332363231313139
-61373365653665343066636162356336373833393363373866343436323639623435383831363335
-30333033326638363930613030356664333233633339666366643062353634333161343838666231
-32346332663538653937623136653438636463323463376263303962353562313833373937303066
-65303037323030653434313164393766633134306435633263363335636561356264376665363639
-35613731373437386566663266656266343639326334303239613862353963323436633836383766
-35323930633039396535616265643234303639393035363865643236623838333337626135343665
-36373038666332376663333565623362303631663830336131343438353764653831633433363436
-36333839303433623966363561313564303037393165383732323763353232653564346138666438
-30653836626139356133346538616135313034633966373036303461393562363336386633626365
-33393565643730383634346238356462313435366538636234656237613864656165656439363061
-32626235323362333239373631383830653035383164646364343461376562636564343063353139
-61306535333466653937303635353962376162376431336563316130343530636431623537633332
-65373333376338353930316561636530343062653964323463653632653332376432343237656465
-63333437613064313438353134333566303033313339323162643061363836643931343135396130
-32623435653533326563616263323938343332306362383034663139653965626231336637383939
-313534343431303739396263303737303365

ansible/roles/gateway/files/nginx-cdn.conf

@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cdncache:20m max_size=1g inactive=48h;
+
+{% for domain in cdn_domains %}
+server {
+    listen 8800 ssl http2 proxy_protocol;
+
+    server_name {{ domain }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
+
+    include includes/ssl.conf;
+
+    real_ip_header proxy_protocol;
+
+    set_real_ip_from 127.0.0.1;
+
+    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
+    location / {
+        proxy_cache cdncache;
+        add_header X-Cache-Status $upstream_cache_status;
+        proxy_pass https://{{ wireguard.clients.ingress.ip }}:443;
+    }
+}
+{% endfor %}

ansible/roles/gateway/files/nginx-fail2ban-jail.conf

@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}

ansible/roles/gateway/files/nginx.conf

@@ -1,56 +1,40 @@
-worker_processes auto;
+log_format gateway '$remote_addr [$time_local] '
+                '$protocol $status $bytes_sent $bytes_received '
+                '$session_time "$ssl_preread_server_name" '
+                '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
-events {
-    worker_connections  1024;
+log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
+
+access_log /var/log/nginx/gateway.log gateway;
+access_log /var/log/nginx/ips.log ips;
+
+map $ssl_preread_server_name $gateway_destination {
+    default                      {{ wireguard.clients.ingress.ip }}:8443;
+
+    headscale.jakehoward.tech    127.0.0.1:8888;
+
+    {% for domain in cdn_domains %}
+    {{ domain }}  127.0.0.1:8800;
+    {% endfor %}
 }
 
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-    #                  '$status $body_bytes_sent "$http_referer" '
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
-
-    #access_log  logs/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    #keepalive_timeout  0;
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    server_tokens off;
-
-    server {
-        listen 80;
-        server_name _;
-        return 308 https://$host$request_uri;
-    }
+server {
+    listen 443;
+    listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
+    proxy_pass $gateway_destination;
+    proxy_protocol on;
 }
 
-stream {
+server {
+    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
+    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
 
-    log_format access '$remote_addr [$time_local] '
-                    '$protocol $status $bytes_sent $bytes_received '
-                    '$session_time "$ssl_preread_server_name" '
-                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+    access_log off;
 
-    log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
+    deny all;
 
-
-    access_log /var/log/nginx/access.log access;
-    access_log /var/log/nginx/ips.log ips;
-
-    ssl_preread on;
-
-    server {
-        listen 443;
-        listen 8448;
-        proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
-        proxy_protocol on;
-    }
+    # This is never used, but need to keep nginx happy
+    proxy_pass 127.0.0.1:80;
 }

ansible/roles/gateway/tasks/fail2ban.yml

@@ -3,7 +3,6 @@
     src: files/nginx-fail2ban-filter.conf
     dest: /etc/fail2ban/filter.d/nginx-tcp.conf
     mode: "0600"
-  become: true
   register: fail2ban_filter
 
 - name: fail2ban jail
@@ -11,12 +10,10 @@
     src: files/nginx-fail2ban-jail.conf
     dest: /etc/fail2ban/jail.d/nginx.conf
     mode: "0600"
-  become: true
   register: fail2ban_jail
 
 - name: Restart fail2ban
   service:
     name: fail2ban
     state: restarted
-  become: true
   when: fail2ban_filter.changed or fail2ban_jail.changed

ansible/roles/gateway/tasks/nginx.yml

@@ -1,26 +1,19 @@
-- name: Install nginx
-  package:
-    name: nginx
-  become: true
-
 - name: Nginx config
   template:
     src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
-    validate: nginx -t -c %s
+    dest: /etc/nginx/stream.d/gateway.conf
     mode: "0644"
-  become: true
   register: nginx_config
 
-- name: Enable Nginx
-  service:
-    name: nginx
-    enabled: true
-  become: true
+- name: Install CDN config
+  template:
+    src: files/nginx-cdn.conf
+    dest: /etc/nginx/http.d/cdn.conf
+    mode: "0644"
+  register: nginx_config
 
-- name: Restart Nginx
+- name: Reload Nginx
   service:
     name: nginx
-    state: restarted
-  become: true
+    state: reloaded
   when: nginx_config.changed

ansible/roles/gateway/tasks/wireguard.yml

@@ -1,7 +1,6 @@
 - name: Install wireguard tools
   package:
     name: "{{ item }}"
-  become: true
   loop:
     - wireguard-tools
     - qrencode
@@ -12,21 +11,18 @@
     dest: /etc/wireguard/wg0.conf
     mode: "0600"
     backup: true
-  become: true
   register: wireguard_conf
 
 - name: Enable wireguard
   service:
     name: wg-quick@wg0
     enabled: true
-  become: true
 
 - name: Restart wireguard
   service:
     name: wg-quick@wg0
     state: restarted
   when: wireguard_conf.changed
-  become: true
 
 - name: Create wireguard client directory
   file:

ansible/roles/gitea/files/robots.txt

@@ -1,4 +0,0 @@
-User-agent: *
-
-# Ignore mirrored repos
-Disallow: /mirror/

ansible/roles/gitea/vars/main.yml

@@ -1,9 +0,0 @@
-lfs_jwt_secret: "{{ vault_lfs_jwt_secret }}"
-secret_key: "{{ vault_secret_key }}"
-internal_token: "{{ vault_internal_token }}"
-oauth2_jwt_secret: "{{ vault_oauth2_jwt_secret }}"
-mailer_from_address: "{{ vault_mailer_from_address }}"
-mailer_user: "{{ vault_mailer_user }}"
-mailer_password: "{{ vault_mailer_password }}"
-backblaze_access_key_id: "{{ vault_backblaze_access_key_id }}"
-backblaze_secret_access_key: "{{ vault_backblaze_secret_access_key }}"

ansible/roles/gitea_runner/files/docker-compose.yml

@@ -1,19 +0,0 @@
-version: "2.3"
-
-services:
-  act-runner:
-    image: vegardit/gitea-act-runner:latest
-    network_mode: host
-    volumes:
-      - /mnt/data:/data
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    environment:
-      - TZ={{ timezone }}
-      - GITEA_INSTANCE_URL=https://git.theorangeone.net
-      - GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea_runner_registration_token }}
-      - GITEA_RUNNER_NAME={{ ansible_hostname }}
-      - GITEA_RUNNER_FETCH_INTERVAL=5s
-      - GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}
-      - GITEA_RUNNER_UID={{ docker_user.id }}
-      - GITEA_RUNNER_GID={{ docker_user.id }}
-    restart: unless-stopped

ansible/roles/gitea_runner/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart act-runner
-  shell:
-    chdir: /opt/act-runner
-    cmd: "{{ docker_update_command }}"

ansible/roles/gitea_runner/vars/main.yml

@@ -1 +0,0 @@
-gitea_runner_registration_token: "{{ vault_gitea_runner_registration_token }}"

ansible/roles/gitea_runner/vars/vault.yml

@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-39356636363738343339633132326666373534646563366335363336356362343438313030353466
-6564373739333030393666333438386533316332626136350a626439316537343030323761383863
-33666632636132386335393833636232373662626562326531666330373438613738613634643061
-3864336432626338320a373866356363613166366239356630663534646566636131353530623266
-66326334636361386338663739333134333761376239373133396534376139633364336433663362
-30313736303539663839313830336164346536383066393635323366363433616264373165356431
-35663832323132356538666333653135383332653232336336646265356665313165623035363561
-65306666393331383661353961306531636266393765626363616265326566316163396531373638
-3735

ansible/roles/glinet_vpn/files/client.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0 ::/0
+
+PersistentKeepalive = 25