Update mariadb Docker tag to v11

Install the plugin and use switch, rather than downloading an arbitrary binary. This way, it keeps getting updated.

.gitea/workflows/ci.yml

@@ -5,9 +5,9 @@ jobs:
   terraform:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
       - uses: taiki-e/install-action@just
       - name: Init
         run: just terraform init -backend=false
@@ -17,9 +17,9 @@ jobs:
   ansible:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
       - uses: taiki-e/install-action@just

README.md

@@ -22,3 +22,7 @@ Terraform secrets are stored in `terraform/.env`, and provisioned using `just up
 
 - `just ansible-deploy`
 - `juts terraform apply`
+
+## External configuration
+
+This repository contains most of my infrastructure configuration, but not everything is configured here. Some things are external, for various reasons.

ansible/.ansible-lint

@@ -6,6 +6,7 @@ skip_list:
   - name[casing]
   - name[play]
   - no-changed-when
+  - var-naming[no-role-prefix]
 
 exclude_paths:
   - galaxy_roles/

ansible/ansible.cfg

@@ -7,8 +7,6 @@ collections_path = $PWD/galaxy_collections
 inventory = ./hosts
 become_ask_pass = True
 interpreter_python = auto_silent
-# HACK: Force Ansible to find dokku plugins
-library = $PWD/galaxy_roles/dokku_bot.ansible_dokku/library
 
 [ssh_connection]
 pipelining = True

ansible/dev-requirements.txt

@@ -1,3 +1,4 @@
-ansible-lint==6.17.1
-yamllint==1.32.0
+ansible-lint==24.5.0
+yamllint==1.33.0
 ansible
+passlib

ansible/files/nginx-docker.conf

@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ server_name }};
+    set $upstream {{ upstream }};
+
+    ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
+    ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
+    ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
+    include includes/ssl.conf;
+
+    include includes/docker-resolver.conf;
+
+    location / {
+        proxy_pass http://$upstream;
+
+        {%- if location_extra is defined +%}
+        {{ location_extra }}
+        {%- endif +%}
+    }
+}

ansible/galaxy-requirements.yml

@@ -2,20 +2,21 @@ collections:
   - ansible.posix
   - community.general
   - community.docker
+  - kewlfft.aur
   - name: https://github.com/prometheus-community/ansible
     type: git
 
 roles:
   - src: geerlingguy.docker
-    version: 6.2.0
+    version: 7.3.0
   - src: geerlingguy.ntp
-    version: 2.3.3
+    version: 2.5.0
   - src: realorangeone.reflector
   - src: ironicbadger.proxmox_nag_removal
     version: 1.0.2
   - src: ironicbadger.snapraid
     version: 1.0.0
-  - src: dokku_bot.ansible_dokku
-    version: v2022.10.17
-  - src: nginxinc.nginx
-    version: 0.24.1
+  - src: geerlingguy.certbot
+    version: 5.1.0
+  - src: artis3n.tailscale
+    version: v4.5.0

ansible/group_vars/all/certbot.yml

@@ -0,0 +1,13 @@
+certbot_install_method: package
+certbot_auto_renew: true
+certbot_auto_renew_user: root
+certbot_auto_renew_hour: 23
+certbot_auto_renew_minute: 30
+certbot_auto_renew_options: --quiet --post-hook "systemctl reload nginx"
+certbot_admin_email: "{{ vault_certbot_admin_email }}"
+
+certbot_create_method: webroot
+
+certbot_webroot: /var/www/certbot-webroot
+
+certbot_create_if_missing: true

ansible/group_vars/all/docker.yml

@@ -2,7 +2,17 @@ docker_user:
   id: 3000
   name: dockeruser
 
+docker_users:
+  - "{{ me.user }}"
+
 docker_compose_file_mask: "664"
 docker_compose_directory_mask: "775"
 
+# HACK: Use compose-switch as the install for compose, so the commands still work.
+# Run this task manually, as version comparisons usually fail
+docker_compose_url: https://github.com/docker/compose-switch/releases/latest/download/docker-compose-linux-{{ docker_apt_arch }}
+docker_install_compose: false
+
+docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
+
 docker_update_command: docker-compose pull && docker-compose down --remove-orphans && docker-compose rm && docker-compose up -d

ansible/group_vars/all/pve.yml

@@ -1,5 +1,6 @@
 pve_hosts:
   internal_cidr: 10.23.1.0/24
+  internal_cidr_ipv6: fde3:15e9:e883::1/48
   pve:
     ip: 10.23.1.1
     external_ip: 192.168.2.200
@@ -7,15 +8,17 @@ pve_hosts:
     ip: 10.23.1.11
   forrest:
     ip: 10.23.1.13
+    ipv6: fde3:15e9:e883::103
   jellyfin:
     ip: 10.23.1.101
-  dokku:
-    ip: 10.23.1.102
   docker:
     ip: 10.23.1.103
+    ipv6: fde3:15e9:e883::203
   ingress:
     ip: 10.23.1.10
     external_ip: 192.168.2.201
+    external_ipv6: "{{ vault_ingress_ipv6 }}"
+    ipv6: fde3:15e9:e883::100
   homeassistant:
     ip: 192.168.2.203
   qbittorrent:

ansible/group_vars/all/tailscale.yml

@@ -0,0 +1,7 @@
+# Just install for now, don't configure
+tailscale_up_skip: true
+
+tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
+tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
+
+tailscale_port: 41641

ansible/group_vars/all/vault.yml

@@ -1,38 +1,44 @@
 $ANSIBLE_VAULT;1.1;AES256
-64313263396466623131663462303837643566386538363331643866643630663237313165343936
-6661326238643732343035346436393737303234356533630a386166383135343135373135373036
-38336137316638633339656633363263633462363766643739306136306233663732613135306230
-6233653966313034350a616133663134343235643930396462613139326233396563633061623437
-63343464346239323030336261633964346331323465623461313762373863336361356533666130
-61613930616462373465316532376139373261616438616334643664383937303865386663316133
-30356564343334303764346433366265653663646231636666363065393465326237613236666536
-64663965633264373266386131366465393938343238366430306335346561303366343836323533
-38323033336361343431656233353662383463653232616137666266653332353039303438646466
-31666434666264303163643662323531376239666432616561363830643836313734363732363137
-66366630636465326631353464356465303939393766386332616661623133343735626338386661
-31346134663366386339383439363035376361313336393335656532363638616136323637333734
-38343261333533653833353461386537633635303739663432633766373634363832313030623665
-33663737393164643839373064383964376239333465363731643862303238353432623635656665
-38383265623034393631303638663633336466336566336231366334396532303934663538656666
-32316465626563306534653531646334336133343162623433623734653465346231323764393662
-35333930656435636539373862346631323839303335623364313436383432316437353731373463
-31373138326565626661613335663964623264336232393364336630306236396230316232306235
-66626131393966313739626432366463663335643263323237333534643036396537383339373932
-36343236643731646535346433363139363131623738633234336162383361326661353161656436
-34663463326264323239383066623038316639336666363230616535616631623637646539343335
-63633731323564636234313838306661616363306165356661343930616231666165613461366435
-39313938666431303930663763363462633466326665366432363334393333343766623061666135
-38636639626134663930333664396534646165383435613035393333383563616639393262333933
-30623861623638393838643561373834396431396538316662326134356639323431656631623137
-37666534326530623966343361393235303934323635313063623833353161643165386363373765
-31633461313062396633623561666537633239353035363932333064303338363632316632343031
-36323266343665356635643131613364616134666161353063356562343561633064666661623832
-61366538383631303030316535666639323236323536346635326563383033643538653761623930
-37336434386462363030363866636661656632663938623066636435316437663962303265353363
-30353734653334323536303330633865663963333839386632333336306637333335383532323039
-61666263663266313763353662353136646336646539333163303366323162323435616266626466
-34646134313732393164306463643261326439333565643036303663326263353434663762653263
-63636334363965313137306238393239393938626437353832326634663562653663663265633861
-62363630306364326136653234623764333063306138313037306363346435323435623661393630
-31656463313838313135386331386332333763336362393630643062643966646339386230663038
-36653632626663613536383331393336356333666334646633626363663965393563
+30343832393233616534663738346461303836323930373663613438353339353433636530323132
+3139396237376638376536653263346165323066623864650a666264643966386463353161306664
+61393739636336343338656635303462656232356162616666343238336161613730626363616133
+3663623465366130640a306164396662343262623065366431306163636564646136653730306434
+38346633376533646638396164613837663437356266646430373731383161626336373837303539
+37373939393431336435636336663739633335326430373864653831613964646137323136303634
+62346237313061356630323335306366643131366565343566376666643161666136376337666335
+30633262616666326464326436623136366639363930663061343434396138366336646538363135
+32393061663530333532666331376661623137343635646265613364346531383635366363613265
+65366265666538396438643130396437636562653538303634316465623136333036646432383735
+31643364323265363731383665316338366139343130346536303538623565633662653062323531
+38323630623231633032386663343736616566303166386433633062653530386561366661653663
+63353537623339323134386162376366313132393631613931663738356430623337333262633838
+31316362666639326365663164626263356464623139376166333962356238353637623431623137
+63633361336161373564306631646638386537303238616239646234646332393536316437336466
+61666235343466333539363566613530313761326161346464356363633330373862653033303936
+30666335633663393565303835306662666462633130353163383663333062633731306262613532
+33303866643334343535663632353235313262623231656536313636646564653636396663326632
+65353434633135363630356464636130303262363436633761353161356636646361626165316563
+31666165646135643961383032313532623431376531393231613436376337386537393466343036
+30633262316439303636393739393462653938313965643137373266323465663164653365376537
+30333361626335623836303463613734663138396535656664353730383933386530346130353064
+39653939623261306134323961353562623834333738613338396461343761346461386338333265
+65343932623634663033623163666663303735656633663236366235343066336162303136373332
+64383430653863333238656565383762623962636431323033396234646665616430383561366331
+32643230303962623633663632376566626534633935653832656263333236396366653035633561
+61646161356132383733636639653163346466316230303763623666376238653964376363656539
+63386238373266653732316539643261363662356261383834636637373639656137303935613663
+62653433646366326331636464303537386161383832376164303738353134653138393137313438
+63376262343335313832306466313338396266386535373465313765356638396665356332363539
+32643266636633343332653139636330656331313938613833333662666638366534346235613164
+39373431336637633936376632303131306339653131636163303539653862326566663239646366
+63643936343138663461303530623863663763633235373337616331326361386561663633373362
+31623234353832373961306663633262396437336665616335643064656534306136636236633662
+37646363386564336136396166306630653735313137373266326662376663626139373064326536
+39666633666262666263663265626634346333316466366661313538383734636361376261663333
+30636466306661353034623863616635666433646239343339613130633834303362633835366234
+65346632636166393664333266333266313062313734323239666239396364623162363861613661
+62623732633735666164663138323961666131656336633362373730306631633939343435323633
+31363834393365303530313837356264633262643264393639306236303163353933303830393566
+62316164393231326139623833666639623637616238383236303933323964386664623961336634
+39363062613439666433623863613435626133303032393938613934353562356436656564336339
+643332616661636236363164623461623466

ansible/group_vars/all/vps-hosts.yml

@@ -1,3 +1,5 @@
 "vps_hosts":
   "casey_ip": "213.219.38.11"
-  "walker_ip": "192.248.168.230"
+  "private_ipv6_marker": "2a01:7e00:e000:7f7::1"
+  "private_ipv6_range": "2a01:7e00:e000:7f7::1/128"
+  "walker_ip": "162.55.181.67"

ansible/host_vars/casey.yml

@@ -1,3 +0,0 @@
-nebula_is_lighthouse: true
-nebula_listen_port: "{{ nebula_lighthouse_port }}"
-ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}

ansible/host_vars/casey/main.yml

@@ -0,0 +1,16 @@
+nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
+
+nginx_https_redirect: true
+
+certbot_certs:
+  - domains:
+      - headscale.jakehoward.tech
+  - domains:
+      - whoami-cdn.theorangeone.net
+
+cdn_domains:
+  - whoami-cdn.theorangeone.net
+
+restic_backup_locations:
+  - /var/lib/headscale/

ansible/host_vars/casey/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30643138356634323666316163396138663836316261363966636335366534336330616635383663
+6461393538346263363164613930396266323930626335370a306165306663336538316163666364
+65383835386635336433393162613031386334646632666638613162623434646531356533346132
+3162373933336365660a353163316338303630633761336238363966376336643838616135303231
+32646530376561326635633563393066656232363734653464326665396236656232613362333461
+39393134626466656561346138633362653732333639333765303961383365623737666164326532
+66356263326366323435623834306439633061386364633132613362386663633733386637363266
+31393438326531353265

ansible/host_vars/ingress.yml

@@ -1,2 +1,4 @@
 # Listen on a static port so it can be opened in the firewall
 nebula_listen_port: "{{ nebula_lighthouse_port }}"
+
+nginx_https_redirect: true

ansible/host_vars/pve-docker/main.yml

@@ -3,8 +3,6 @@ private_ip: "{{ pve_hosts.docker.ip }}"
 traefik_provider_jellyfin: true
 traefik_provider_homeassistant: true
 traefik_provider_grafana: true
-traefik_provider_dokku: true
-
-with_fail2ban: true
+traefik_provider_uptime_kuma: true
 
 db_backups_dir: /mnt/tank/files/db-backups

ansible/host_vars/pve-dokku/main.yml

@@ -1,3 +0,0 @@
-ssh_extra_allowed_users: dokku
-
-db_backups_dir: /mnt/tank/files/db-backups

ansible/host_vars/pve-dokku/vault.yml

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38396636313062623661613537386337356130353839303930346333313062383935353932336230
-6637666434356666346361663131343962663963333638630a376631313531633865396566643032
-31323866386236356639306333393765616630363734326662366632656430323739306439366634
-3364666662623764630a353532373433616365383862633935373332663933386561316262633662
-37366233326439336535623339366565653732646434386639336533386261306238306630396638
-30633433636365663538656338303066353830626137613038323462353137326234356533323335
-39643832636466643864663737316239626161653833343633306435363636663264303165303334
-36383661316566316630

ansible/host_vars/pve/main.yml

@@ -25,7 +25,7 @@ sanoid_datasets:
 
 sanoid_templates:
   production:
-    frequently: 2
+    frequently: 4
     hourly: 48
     daily: 28
     monthly: 3

ansible/host_vars/qbittorrent.yml

@@ -0,0 +1 @@
+private_ip: "{{ pve_hosts.qbittorrent.ip }}"

ansible/host_vars/restic/main.yml

@@ -3,7 +3,6 @@ restic_backup_locations:
   - /mnt/host/mnt/speed
   - /mnt/host/etc/pve
   - /mnt/home-assistant
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
+  - /home/rclone/sync
 
 restic_forget: true
-restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}"

ansible/host_vars/restic/vault.yml

@@ -1,12 +1,17 @@
 $ANSIBLE_VAULT;1.1;AES256
-31333338396531316366353161666432346634373335356464663837386231616632373833656130
-3361383732623965393533316366373864323064393530330a346565393462316561383733653437
-62363736356432363239373863303734323437333034343266313135383866303566396639646230
-3839333535393036390a383534346233633935393561353637353835663763343531613238653664
-39356365306630373036396132373562646130636439373964333363306431666565613434646365
-64353933656365653431386463623034643564303266396438353064373434336436366431366338
-31386637376165633731373633656336623531323965343534323031363163356239353031643165
-37663232636234663735613037666161393736663432656139646264313763303164386161626162
-65393363336435333738303061613738636666303961653361376131376161623264343666353061
-61663636656339363539666335643239653361383961333665646562613935396335623565306531
-643165653537326431373637303639343763
+32353739643531336665636334646135323336353562316362333266316263653364656132643661
+3736386461316563376134326638376261323734663032630a306530636166666561343264393266
+62326437343637363038646632396461303365646466666666386432306134313562356538623133
+6561323739386337630a623835656239633866666333616664366339333232303031343561633239
+62636636623462316536333334306562626637643936623963376663326164333962646134376566
+62646336353937316238333036376232323834346530626136316233626166326231633330646266
+36653263636266626233313263346263633734386339386664323331363263306465626165336337
+38653766366530373230623334386234303461336133323663626439383530373966363830633364
+37336635356334633338633161356161353133656633386563393363303064613761306137323261
+34626164663936306665613861343039666330613263303932333766306663616134316566313963
+66653263643134343363353637343636633936343165363934376537343538643434376434336633
+31613339613035633335643034336265376630326662393865626336303261363130333637643162
+32383863313139663066363766613865653966613430616631346432623164366663313838363164
+37613863326433653531656139633533353539366563653532626534346165626535643434333861
+34306433373134376137633836666162663130623130353062316439303466393035633636386234
+38333132376361376363

ansible/host_vars/tang/main.yml

@@ -1,2 +1,5 @@
 ssh_extra_allowed_users: jake
 private_ip: "{{ ansible_default_ipv4.address }}"
+
+restic_backup_locations:
+  - /var/lib/adguardhome/

ansible/host_vars/tang/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62623062666237373636616333623434363662316639633962363833303663376331346338363365
+6633336638623237396134613033346665313964613538320a656134323135613834316462366161
+36633062623031306562313233356536643132346466376435303031333331643936613036616236
+3231613336396135340a376339396663343837353139393062353530626566626566366439353762
+37376236376437393863633730643531323762336536633034353132356266373361613434326333
+39663562353337666435653435623563383630383537663633336437613262323733363766666539
+66373538386163303731663331666138656435343436613633323766366261316337373830653837
+64313133396532376436

ansible/host_vars/walker/main.yml

@@ -1,3 +1,17 @@
 restic_backup_locations:
   - /opt
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
+
+nginx_https_redirect: true
+
+certbot_certs:
+  - domains:
+      - theorangeone.net
+  - domains:
+      - commento.theorangeone.net
+  - domains:
+      - plausible.theorangeone.net
+      - elbisualp.theorangeone.net
+  - domains:
+      - slides.jakehoward.tech
+  - domains:
+      - comentario.theorangeone.net

ansible/hosts

@@ -13,4 +13,3 @@ qbittorrent
 restic
 renovate
 gitea-runner
-pve-dokku

ansible/main.yml

@@ -8,9 +8,15 @@
 
 - hosts: casey
   roles:
+    - nginx
+    - role: geerlingguy.certbot
+      become: true
     - gateway
     - nebula
-    - fail2ban_ssh
+    - headscale
+    - restic
+    - artis3n.tailscale
+    - glinet_vpn
 
 - hosts:
     - pve
@@ -31,27 +37,20 @@
     - walker
     - renovate
     - gitea-runner
-    - pve-dokku
   roles:
     - role: geerlingguy.docker
       become: true
-      vars:
-        docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
-        docker_users:
-          - "{{ me.user }}"
     - docker_cleanup
 
 - hosts:
     - pve-docker
     - forrest
     - walker
-    - pve-dokku
   roles:
     - db_auto_backup
 
 - hosts:
     - pve-docker
-    - walker
   roles:
     - traefik
 
@@ -66,13 +65,16 @@
     - mastodon
     - gitea
     - vikunja
+    - authentik
+    - minio
+    - ntfy
 
 - hosts: ingress
   roles:
-    - role: nginxinc.nginx  # The nginx in debian's repos is very old
-      become: true
+    - nginx
     - ingress
     - nebula
+    - artis3n.tailscale
 
 - hosts: pve
   roles:
@@ -87,22 +89,31 @@
 
 - hosts: forrest
   roles:
-    - forrest
+    - prometheus
+    - uptime_kuma
     - pve_nebula_route
+    - pve_tailscale_route
 
 - hosts: qbittorrent
   roles:
+    - nginx
     - qbittorrent
     - http_proxy
 
 - hosts: walker
   roles:
+    - nginx
+    - role: geerlingguy.certbot
+      become: true
     - nebula
-    - upload
+    - coredns_docker_proxy
     - plausible
     - restic
     - commento
     - website
+    - artis3n.tailscale
+    - slides
+    - comentario
 
 - hosts: jellyfin
   roles:
@@ -111,6 +122,7 @@
 - hosts: restic
   roles:
     - restic
+    - s3_sync
 
 - hosts: gitea-runner
   roles:
@@ -122,10 +134,7 @@
 
 - hosts: tang
   roles:
-    - pihole
+    - adguardhome
     - role: prometheus.prometheus.node_exporter
       become: true
-
-- hosts: pve-dokku
-  roles:
-    - dokku
+    - restic

ansible/roles/adguardhome/files/Corefile

@@ -0,0 +1,33 @@
+(alias) {
+    errors
+    cancel
+
+    forward . tls://9.9.9.9 tls://149.112.112.112 tls://2620:fe::fe tls://2620:fe::9 {
+       tls_servername dns.quad9.net
+       health_check 15s
+    }
+
+    hosts {
+        {{ pve_hosts.ingress.external_ip }} pve.sys.theorangeone.net
+        {{ pve_hosts.ingress.external_ipv6 }} pve.sys.theorangeone.net
+        fallthrough
+        ttl 300
+    }
+
+    # HACK: Rewrite the CNAME to itself so it's reprocessed
+    rewrite cname exact pve.sys.theorangeone.net. pve.sys.theorangeone.net.
+}
+
+theorangeone.net:53053 {
+    import alias
+}
+
+jakehoward.tech:53053 {
+    import alias
+}
+
+.:53053 {
+    acl {
+        block
+    }
+}

ansible/roles/adguardhome/files/resolved-adguardhome.conf

@@ -0,0 +1,3 @@
+[Resolve]
+DNS=127.0.0.1
+DNSStubListener=no

ansible/roles/adguardhome/handlers/main.yml

@@ -0,0 +1,13 @@
+- name: restart coredns
+  service:
+    name: coredns
+    state: restarted
+    enabled: true
+  become: true
+
+- name: restart systemd-resolved
+  service:
+    name: systemd-resolved
+    state: restarted
+    enabled: true
+  become: true

ansible/roles/adguardhome/tasks/main.yml

@@ -0,0 +1,35 @@
+- name: Install adguardhome
+  kewlfft.aur.aur:
+    name: adguardhome-bin
+  become: true
+
+- name: Disable resolved stub
+  template:
+    src: files/resolved-adguardhome.conf
+    dest: /etc/systemd/resolved.conf.d/adguardhome.conf
+    owner: root
+    mode: "0644"
+  notify: restart systemd-resolved
+  become: true
+
+- name: Use resolved resolv.conf
+  file:
+    src: /run/systemd/resolve/resolv.conf
+    dest: /etc/resolv.conf
+    state: link
+  notify: restart systemd-resolved
+  become: true
+
+- name: Install coredns
+  kewlfft.aur.aur:
+    name: coredns
+  become: true
+
+- name: Install coredns config file
+  template:
+    src: files/Corefile
+    dest: /etc/coredns/Corefile
+    owner: coredns
+    mode: "0644"
+  notify: restart coredns
+  become: true

ansible/roles/authentik/files/docker-compose.yml

@@ -0,0 +1,76 @@
+x-env: &env
+  - TIMEZONE={{ timezone }}
+  - AUTHENTIK_REDIS__HOST=redis
+  - AUTHENTIK_POSTGRESQL__HOST=db
+  - AUTHENTIK_POSTGRESQL__USER=authentik
+  - AUTHENTIK_POSTGRESQL__NAME=authentik
+  - AUTHENTIK_POSTGRESQL__PASSWORD={{ vault_authentik_db_password }}
+  - AUTHENTIK_SECRET_KEY={{ vault_authentik_secret_key }}
+  - AUTHENTIK_WEB__WORKERS=1
+  - AUTHENTIK_DISABLE_UPDATE_CHECK=true
+  - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+  - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+  - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
+  - AUTHENTIK_EMAIL__PORT=465
+  - AUTHENTIK_EMAIL__USERNAME={{ vault_authentik_email_username }}
+  - AUTHENTIK_EMAIL__PASSWORD={{ vault_authentik_email_password }}
+  - AUTHENTIK_EMAIL__USE_TLS=true
+  - AUTHENTIK_EMAIL__FROM={{ vault_authentik_email_from }}
+
+services:
+  server:
+    image: ghcr.io/goauthentik/server:2024.6
+    restart: unless-stopped
+    command: server
+    user: "{{ docker_user.id }}"
+    environment: *env
+    volumes:
+      - "{{ app_data_dir }}/authentik/media:/media"
+      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
+      - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
+      - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
+      - traefik.http.routers.authentik.middlewares=authentik-ratelimit
+    depends_on:
+      - db
+      - redis
+    networks:
+      - default
+      - traefik
+
+  worker:
+    image: ghcr.io/goauthentik/server:2024.6
+    restart: unless-stopped
+    command: worker
+    user: "{{ docker_user.id }}"
+    environment: *env
+    volumes:
+      - "{{ app_data_dir }}/authentik/media:/media"
+      - "{{ app_data_dir }}/authentik/certs:/certs"
+      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+    depends_on:
+      - db
+      - redis
+      - server
+
+  db:
+    image: postgres:15-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD={{ vault_authentik_db_password }}
+      - POSTGRES_USER=authentik
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/speed/dbs/redis/authentik:/data
+
+networks:
+  traefik:
+    external: true

ansible/roles/authentik/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart authentik
+  shell:
+    chdir: /opt/authentik
+    cmd: "{{ docker_update_command }}"

ansible/roles/authentik/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/authentik
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/authentik/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart authentik
+  become: true

ansible/roles/authentik/vars/vault.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31633966386539623139356136333664326633646537366433626432363437336331333639636634
+6563646365666534393834636539376337666336376666300a313338336365383338633165646531
+35656231613762393636666332653434393966343039313863333566646434643630343438623362
+6466383362396539610a366438306332303331656237343466313135336431363335306636643363
+32383066353331383461613532323265353861663835663463383235303863306438386364303235
+31323264323732326231336162393438313262323263316564336266663565666361316564373332
+61616637306636353362633338616461646232616165323638346164346565353139666238323033
+36366537393530613464613033383438666362636166613062653930326663626337346636346434
+66396362656231613930653866386334393438336332383637356663323936623863313161323039
+34316639633235313132336238636162343936336163356135303034383434346561356365633636
+32633930313335343961653835656363333365656438393334303333373337353566666532373964
+38316362306362363464313237383130343239326238663062616533396230316438316536333139
+66353835333066346634366638323930616365386364643165666133666565383137303062636263
+64646639666235356264623663313762333666306565303237656434323365316165633866373964
+38326631656463373161356562303031643231623332653861616535333834336630363239363632
+31643862626639353132373232393966323461653361343331653261356431363933326130363433
+38323633343433346535633937373466666639353530653164313532623535653135613766336138
+64626631656431613937366563373934616364656536373437353563346165626535326464353439
+37353136376636633231393733613663633864616163373736386332316162333166303863663538
+63376461643263326362373434666138303635636165616564316432626564356138623032653737
+37323633353165623661343736363933323631646438383430303234326665613566

ansible/roles/base/files/ssh-jail.conf

@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}

ansible/roles/base/files/sshd_config

@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
 
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0

ansible/roles/comentario/files/docker-compose.yml

@@ -0,0 +1,27 @@
+services:
+  comentario:
+    image: registry.gitlab.com/comentario/comentario:v3.9.0
+    restart: unless-stopped
+    user: "{{ docker_user.id }}:{{ docker_user.id }}"
+    depends_on:
+      - db
+    networks:
+      - default
+      - coredns
+    volumes:
+      - ./secrets.yml:/comentario/secrets.yaml
+    environment:
+      - BASE_URL=https://comentario.theorangeone.net
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=comentario
+      - POSTGRES_USER=comentario
+
+networks:
+  coredns:
+    external: true

ansible/roles/comentario/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart comentario
+  shell:
+    chdir: /opt/comentario
+    cmd: "{{ docker_update_command }}"

ansible/roles/comentario/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/comentario
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/comentario/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart comentario
+  become: true
+
+- name: Install secrets
+  copy:
+    content: "{{ comentario_secrets | to_nice_yaml }}"
+    dest: /opt/comentario/secrets.yml
+    mode: "600"
+    owner: "{{ docker_user.name }}"
+  notify: restart comentario
+  become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/comentario.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: comentario.theorangeone.net
+    upstream: comentario-comentario-1.docker:80
+    ssl_cert_path: /etc/letsencrypt/live/comentario.theorangeone.net

ansible/roles/comentario/vars/main.yml

@@ -0,0 +1,18 @@
+comentario_secrets:
+  postgres:
+    host: db
+    database: comentario
+    username: comentario
+    password: comentario
+  idp:
+    github:
+      key: "{{ vault_comentario_github_client_id }}"
+      secret: "{{ vault_comentario_github_client_secret }}"
+    gitlab:
+      key: "{{ vault_comentario_gitlab_application_id }}"
+      secret: "{{ vault_comentario_gitlab_application_secret }}"
+  smtpServer:
+    host: smtp.eu.mailgun.org
+    port: 587
+    username: "{{ vault_comentario_smtp_username }}"
+    password: "{{ vault_comentario_smtp_password }}"

ansible/roles/comentario/vars/vault.yml

@@ -0,0 +1,30 @@
+$ANSIBLE_VAULT;1.1;AES256
+33656462373736356363313738643335333930343461366666663532653264363963653732656366
+3034323730613334326462326332323763323665636165390a303639633036303831373966303037
+37376233383138323265396531303739316330396230333464383963333035343735303866626334
+6562393435303264620a633139616164303337363863616138306531656365353964346638646165
+35346539326339623364343662643038336238613535623964666562383662613661616564646433
+30653432666538616565373832353434303565386333643735313866396436393732303466376237
+64383236373364383338613530353830353334326331636436323766353565656664356138386532
+62366266656461663330396562316439393038666534663564633037623237363532363637356336
+63336633393666343064383735363664643936333130636465623139393838373134636265366439
+64326538653236306437346165333934303134313032383135313335626136626162363831613430
+30636436343162376637616262393633306330663362396638393166643131343564646162616530
+62343735343832636661326265396262643136346366663337636335656137393231646438633338
+61613137366661333462363134343732666330373864393636643665396435653064623030626466
+65633536346531383565616130626461376566316535316339326363646336626266376330393939
+33653438656438316532393665333939613334666464656635323566326439363964316535623233
+38636236616637336230363032396635613563313966353334313365663434653138303764393938
+37643561346338323934663936356563363833383435373933396138663334616563666562653935
+33666631373964396265393233636631336632386537663663366439313137656661653265323162
+64656333336165326563323333653036386334386566386664306638656130323665366136373732
+34383532303363646334356534316630363133303031343665353465656239306338386238313262
+30363438383164343661343730386162633430373765313834313739393638333963393234613564
+30356134646431353132316565346331613137353431383863383866306632626336633764393036
+66626466623034666335356539653136633331636365623061613433393335303535333433616137
+65383231373230653838316630303736353237666431366134353534366564656338646265396162
+61663366663532636635663337363063306466626463396630636236363736303963353062376163
+63653530346335393934656531386139663136383132306564383937396364626365373839613766
+62633264336335313932396164373363623061363262616330343735633862623234643365353035
+36616231636461323832663837323232396636363561376563386530306339333431613935613263
+30366335393834643066343763636561346336383463333535323932326663633338

ansible/roles/commento/files/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "2.3"
-
 services:
   commento:
     image: ghcr.io/souramoo/commentoplusplus:latest
@@ -8,24 +6,21 @@ services:
       - db
     networks:
       - default
-      - traefik
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.commento.rule=Host(`commento.theorangeone.net`)
+      - coredns
     environment:
       - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
       - COMMENTO_ORIGIN=https://commento.theorangeone.net
       - COMMENTO_GZIP_STATIC=true
       - COMMENTO_FORBID_NEW_OWNERS=true
-      - COMMENTO_GITHUB_KEY={{ commento_github_client_id }}
-      - COMMENTO_GITHUB_SECRET={{ commento_github_client_secret }}
+      - COMMENTO_GITHUB_KEY={{ vault_commento_github_client_id }}
+      - COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}
       - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
       - COMMENTO_SMTP_PORT=587
-      - COMMENTO_SMTP_USERNAME={{ commento_smtp_username }}
-      - COMMENTO_SMTP_PASSWORD={{ commento_smtp_password }}
-      - COMMENTO_SMTP_FROM_ADDRESS={{ commento_from_email }}
-      - COMMENTO_GITLAB_KEY={{ commento_gitlab_application_id }}
-      - COMMENTO_GITLAB_SECRET={{ commento_gitlab_application_secret }}
+      - COMMENTO_SMTP_USERNAME={{ vault_commento_smtp_username }}
+      - COMMENTO_SMTP_PASSWORD={{ vault_commento_smtp_password }}
+      - COMMENTO_SMTP_FROM_ADDRESS={{ vault_commento_from_email }}
+      - COMMENTO_GITLAB_KEY={{ vault_commento_gitlab_application_id }}
+      - COMMENTO_GITLAB_SECRET={{ vault_commento_gitlab_application_secret }}
 
   db:
     image: postgres:14-alpine
@@ -37,5 +32,5 @@ services:
       - POSTGRES_USER=commento
 
 networks:
-  traefik:
+  coredns:
     external: true

ansible/roles/commento/tasks/main.yml

@@ -18,3 +18,15 @@
     validate: docker-compose -f %s config
   notify: restart commento
   become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/commento.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: commento.theorangeone.net
+    upstream: commento-commento-1.docker:8080
+    ssl_cert_path: /etc/letsencrypt/live/commento.theorangeone.net

ansible/roles/commento/vars/main.yml

@@ -1,7 +0,0 @@
-commento_github_client_id: "{{ vault_commento_github_client_id }}"
-commento_github_client_secret: "{{ vault_commento_github_client_secret }}"
-commento_smtp_username: "{{ vault_commento_smtp_username }}"
-commento_smtp_password: "{{ vault_commento_smtp_password }}"
-commento_from_email: "{{ vault_commento_from_email }}"
-commento_gitlab_application_id: "{{ vault_commento_gitlab_application_id }}"
-commento_gitlab_application_secret: "{{ vault_commento_gitlab_application_secret }}"

ansible/roles/coredns_docker_proxy/files/Corefile

@@ -0,0 +1,21 @@
+. {
+    errors
+    cancel
+
+    # Only allow requests to `.docker` records
+    view docker {
+        expr name() endsWith '.docker.'
+    }
+
+    # Strip the `.docker` suffix
+    rewrite name suffix .docker . answer auto
+
+    # Forward requests to Docker's DNS server
+    forward . 127.0.0.11
+}
+
+. {
+    acl {
+        block
+    }
+}

ansible/roles/coredns_docker_proxy/files/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  coredns:
+    image: coredns/coredns:latest
+    restart: unless-stopped
+    volumes:
+      - ./Corefile:/home/nonroot/Corefile:ro
+    ports:
+      - "{{ private_ip }}:53053:53/udp"
+    networks:
+      - default
+      - coredns
+
+networks:
+  coredns:
+    external: true

ansible/roles/coredns_docker_proxy/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart coredns
+  shell:
+    chdir: /opt/coredns
+    cmd: "{{ docker_update_command }}"

ansible/roles/coredns_docker_proxy/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: Create network
+  docker_network:
+    name: coredns
+    internal: true
+  become: true
+
+- name: Create install directory
+  file:
+    path: /opt/coredns
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/coredns/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart coredns
+  become: true

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "2.3"
-
 services:
   backup:
     image: ghcr.io/realorangeone/db-auto-backup:latest
@@ -8,12 +6,12 @@ services:
       - "{{ db_backups_dir }}:/var/backups"
     environment:
       - DOCKER_HOST=tcp://docker_proxy:2375
-      - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }}
+      - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
     depends_on:
       - docker_proxy
 
   docker_proxy:
-    image: tecnativa/docker-socket-proxy:latest
+    image: lscr.io/linuxserver/socket-proxy:latest
     restart: unless-stopped
     environment:
       - POST=1

ansible/roles/db_auto_backup/vars/main.yml

@@ -1 +0,0 @@
-db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"

ansible/roles/docker_cleanup/tasks/main.yml

@@ -4,6 +4,14 @@
   become: true
   when: ansible_os_family != 'Debian'
 
+- name: Install compose-switch
+  get_url:
+    url: "{{ docker_compose_url }}"
+    dest: "{{ docker_compose_path }}"
+    mode: "0755"
+  become: true
+  when: ansible_os_family == 'Debian'
+
 - name: Create docker group
   group:
     name: "{{ docker_user.name }}"

ansible/roles/dokku/files/nginx.conf

@@ -1,29 +0,0 @@
-worker_processes  auto;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    sendfile        on;
-
-    keepalive_timeout  65;
-
-    gzip  on;
-
-    # Block requests which don't have an explicit handler
-    server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-
-        server_name _;
-        access_log off;
-        return 418;
-    }
-
-    # Load configuration files for the default server block.
-    include /etc/nginx/conf.d/*.conf;
-}

ansible/roles/dokku/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart nginx
-  service:
-    name: nginx
-    state: restarted
-  become: true

ansible/roles/dokku/tasks/main.yml

@@ -1,63 +0,0 @@
-# HACK: Fake include some tasks from `ansible_dokku`, so its library plugins can be used below
-- name: Run role without running any tasks
-  include_role:
-    name: dokku_bot.ansible_dokku
-    tasks_from: init.yml
-    apply:
-      when: false
-
-- name: Install Dokku
-  package:
-    name: dokku
-  become: true
-
-- name: List dokku plugins
-  command: dokku plugin:list
-  changed_when: false
-  register: installed_dokku_plugins
-
-- name: Install Dokku plugins
-  command: dokku plugin:install {{ item.url }} --name {{ item.name }}
-  when: installed_dokku_plugins.stdout.find(item.name) == -1
-  loop: "{{ dokku_plugins }}"
-  loop_control:
-    label: "{{ item.name }}"
-  become: true
-
-- name: Automatically update Dokku plugins
-  cron:
-    name: dokku plugin:update {{ item.name }}
-    minute: 0
-    hour: 12
-    user: root
-    job: /usr/bin/chronic /usr/bin/dokku plugin:update {{ item.name }}
-    cron_file: dokku-plugin-update-{{ item.name }}
-  loop: "{{ dokku_plugins }}"
-  loop_control:
-    label: "{{ item.name }}"
-  become: true
-
-- name: Set up global domain
-  dokku_domains:
-    global: true
-    domains: d.theorangeone.net
-  become: true
-
-- name: Install custom nginx config
-  template:
-    src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
-    validate: nginx -t -c %s
-    mode: "644"
-  notify: restart nginx
-  become: true
-
-# https://dokku.com/docs/advanced-usage/backup-recovery/
-- name: Sync data to app-data
-  cron:
-    name: clean up docker containers
-    hour: "*/6"
-    minute: 0
-    user: root
-    job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
-    cron_file: dokku-data-sync

ansible/roles/dokku/vars/main.yml

@@ -1,9 +0,0 @@
-dokku_plugins:
-  - name: postgres
-    url: https://github.com/dokku/dokku-postgres.git
-  - name: redis
-    url: https://github.com/dokku/dokku-redis.git
-  - name: redirect
-    url: https://github.com/dokku/dokku-redirect.git
-  - name: http-auth
-    url: https://github.com/dokku/dokku-http-auth.git

ansible/roles/fail2ban_ssh/defaults/main.yml

@@ -1 +0,0 @@
-f2b_user: f2b

ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# Remove `-c` argument
-shift
-
-sudo fail2ban-client $@

ansible/roles/fail2ban_ssh/files/f2b_key.pub

@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65656562376262323162613131353164623832616263313530383838623161333739393037363362
-3332616430663862363566613532396230643636376537620a356261383430643566323264343437
-39333034643632316130303136326433613333383738386531353530633539616661626664626430
-3230666237616165650a326536313835643135626135316437356363623562343538383132306539
-38366339356565393336396133616261363232356139623164623738633138363963353637353734
-33333334313864376131653535653132626366306630393764353464636331316564616230396663
-31363463643765386538643761666265383166353765633233323934663235316331346465653234
-31396139633936363738383766356135656434343338623137663436626436663866366663363534
-3364

ansible/roles/fail2ban_ssh/tasks/main.yml

@@ -1,34 +0,0 @@
-- name: Make user
-  user:
-    name: "{{ f2b_user }}"
-    comment: "{{ me.user }}"
-    shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
-    system: false
-  become: true
-
-- name: Give user sudo access to client
-  lineinfile:
-    path: /etc/sudoers
-    line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
-  become: true
-
-- name: Allow custom shell
-  lineinfile:
-    path: /etc/shells
-    line: /home/{{ f2b_user }}/f2b-entrypoint.sh
-  become: true
-
-- name: Create entrypoint
-  template:
-    src: files/f2b-entrypoint.sh
-    dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
-    mode: "755"
-  become: true
-  register: sshd_config
-
-- name: Set up authorized keys
-  ansible.posix.authorized_key:
-    user: "{{ f2b_user }}"
-    state: present
-    key: "{{ lookup('file', 'files/f2b_key.pub') }}"
-  become: true

ansible/roles/forrest/files/prometheus/alertmanager.yml

@@ -1,15 +0,0 @@
-global:
-  resolve_timeout: 3m
-  smtp_smarthost: smtp.eu.mailgun.org:465
-  smtp_from: "{{ alertmanager_from_address }}"
-  smtp_auth_username: "{{ alertmanager_from_address }}"
-  smtp_auth_password: "{{ alertmanager_smtp_password }}"
-
-route:
-  receiver: default
-
-receivers:
-  - name: default
-    email_configs:
-      - to: "{{ alertmanager_to_address }}"
-        send_resolved: true

ansible/roles/forrest/tasks/main.yml

@@ -1,8 +0,0 @@
-- name: Include vault
-  include_vars: vault.yml
-
-- name: Grafana
-  include_tasks: grafana.yml
-
-- name: Prometheus
-  include_tasks: prometheus.yml

ansible/roles/forrest/vars/main.yml

@@ -1,11 +0,0 @@
-grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
-grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
-grafana_from_email: "{{ vault_grafana_from_email }}"
-homeassistant_token: "{{ vault_homeassistant_token }}"
-prometheus_healthcheck_uuid: "{{ vault_prometheus_healthcheck_uuid }}"
-healthchecks_project_uuid: "{{ vault_healthchecks_project_uuid }}"
-healthcheck_api_token: "{{ vault_healthcheck_api_token }}"
-alertmanager_from_address: "{{ vault_alertmanager_from_address }}"
-alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
-alertmanager_to_address: "{{ vault_alertmanager_to_address }}"
-prometheus_api_token: "{{ vault_prometheus_api_token }}"

ansible/roles/forrest/vars/vault.yml

@@ -1,52 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36623535313964653161353330663436356239613837653837393939373034353031646535333535
-6439313832316239616233306632373934616134616466380a316361363263373938636161666535
-31613461333637373732626233623434316335353964353433643635653566613933393361336139
-3864373963396264320a376634346331373762313733323961386566646338633936303631303566
-66616534326430653266396635353932623661363533356537636662636537656434363562646230
-30613831336561376639393466373739373138313931333163353061633465623362666564313631
-66623235353531613737643937613430323934376433393836346339626137616561313062663234
-63363736326439623661376132613136383465393761653236663631613339653066356436653630
-66623865303735616335373231643233386639323838353534613337316161633765396234366533
-33616631663530643764373937346262633734366339303837393737666665363465333239343933
-35613962396534336232623833303034643639323931633966396439383463396261313862626335
-31323434613838353961336136613966636635646632393839663664376632373834313265643338
-30663132633362323831313231333164643665386535323231646262656631383631393539616639
-34343563353064303833383236626136666264316236316537333965313162616637323966363335
-32353936663162316564306337353861396634353935353935306135343665316262643831396537
-61393266383538666563363261646534636632303332343662636631316663343930303766623638
-35376565343638316339623061396536643636313966383633346231633631353032356661386132
-66623439336338616666626431303635373833666137326234653161336434346133636261363662
-39313732303736386137656664303365363234336265643064306562643435633838373864353862
-33366635333630373162656630666232333563623066333461653963363961623435646631373561
-64643738346138366566303233326663383835386132663034313461383161616164636332396332
-37663131386135393833373461663432666264363065666630646164633134303439663435616235
-35656234313761376532306264393637653433623863383830323935316332383338623134323366
-31336665386137323132363962363335623635336131373930353635353663333366363266303138
-35626262613261636561373730626635303836623561643436646430653365663432323938393863
-63633331663462323163646237386262376337313330323036613434383165616530643362616131
-63616562353964316634646434653138333266646633616631653663663838306163616633643234
-61333230373237613436343662363434303766383336376232353066313231666330613761643366
-36326638326439653966643430313366376661633636366565393461623438323366373333663633
-61633763623631333665363333646433656166633364303836623566333336343761613435353138
-37366165613263653564386334303030623333646164303662363065333831376334656537613130
-33373864663237383064653461616165653834393063663332643235316139333539623463343161
-38636564626466633631393938653066373764663935353763626133623762306164383831663061
-34333065326666373337663931313763383739383763333235333939376133363236643136346233
-62643833376631643036613963643939333133343036613332313866373032646332363231313139
-61373365653665343066636162356336373833393363373866343436323639623435383831363335
-30333033326638363930613030356664333233633339666366643062353634333161343838666231
-32346332663538653937623136653438636463323463376263303962353562313833373937303066
-65303037323030653434313164393766633134306435633263363335636561356264376665363639
-35613731373437386566663266656266343639326334303239613862353963323436633836383766
-35323930633039396535616265643234303639393035363865643236623838333337626135343665
-36373038666332376663333565623362303631663830336131343438353764653831633433363436
-36333839303433623966363561313564303037393165383732323763353232653564346138666438
-30653836626139356133346538616135313034633966373036303461393562363336386633626365
-33393565643730383634346238356462313435366538636234656237613864656165656439363061
-32626235323362333239373631383830653035383164646364343461376562636564343063353139
-61306535333466653937303635353962376162376431336563316130343530636431623537633332
-65373333376338353930316561636530343062653964323463653632653332376432343237656465
-63333437613064313438353134333566303033313339323162643061363836643931343135396130
-32623435653533326563616263323938343332306362383034663139653965626231336637383939
-313534343431303739396263303737303365

ansible/roles/gateway/files/nginx-cdn.conf

@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cdncache:20m max_size=1g inactive=48h;
+
+{% for domain in cdn_domains %}
+server {
+    listen 8800 ssl http2 proxy_protocol;
+
+    server_name {{ domain }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
+
+    include includes/ssl.conf;
+
+    real_ip_header proxy_protocol;
+
+    set_real_ip_from 127.0.0.1;
+
+    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
+    location / {
+        proxy_cache cdncache;
+        add_header X-Cache-Status $upstream_cache_status;
+        proxy_pass https://{{ wireguard.clients.ingress.ip }}:443;
+    }
+}
+{% endfor %}

ansible/roles/gateway/files/nginx-fail2ban-jail.conf

@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}

ansible/roles/gateway/files/nginx.conf

@@ -1,56 +1,40 @@
-worker_processes auto;
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-    #                  '$status $body_bytes_sent "$http_referer" '
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
-
-    #access_log  logs/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    #keepalive_timeout  0;
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    server_tokens off;
-
-    server {
-        listen 80;
-        server_name _;
-        return 308 https://$host$request_uri;
-    }
-}
-
-stream {
-
-    log_format access '$remote_addr [$time_local] '
+log_format gateway '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$ssl_preread_server_name" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
-    log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
+log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
 
+access_log /var/log/nginx/gateway.log gateway;
+access_log /var/log/nginx/ips.log ips;
 
-    access_log /var/log/nginx/access.log access;
-    access_log /var/log/nginx/ips.log ips;
+map $ssl_preread_server_name $gateway_destination {
+    default                      {{ wireguard.clients.ingress.ip }}:8443;
 
-    ssl_preread on;
+    headscale.jakehoward.tech    127.0.0.1:8888;
 
-    server {
+    {% for domain in cdn_domains %}
+    {{ domain }}  127.0.0.1:8800;
+    {% endfor %}
+}
+
+server {
     listen 443;
     listen 8448;
-        proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
+    listen [::]:443;
+    listen [::]:8448;
+    proxy_pass $gateway_destination;
     proxy_protocol on;
-    }
+}
+
+server {
+    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
+    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
+
+    access_log off;
+
+    deny all;
+
+    # This is never used, but need to keep nginx happy
+    proxy_pass 127.0.0.1:80;
 }

ansible/roles/gateway/tasks/nginx.yml

@@ -1,26 +1,22 @@
-- name: Install nginx
-  package:
-    name: nginx
-  become: true
-
 - name: Nginx config
   template:
     src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
-    validate: nginx -t -c %s
+    dest: /etc/nginx/stream.d/gateway.conf
     mode: "0644"
   become: true
   register: nginx_config
 
-- name: Enable Nginx
-  service:
-    name: nginx
-    enabled: true
+- name: Install CDN config
+  template:
+    src: files/nginx-cdn.conf
+    dest: /etc/nginx/http.d/cdn.conf
+    mode: "0644"
   become: true
+  register: nginx_config
 
-- name: Restart Nginx
+- name: Reload Nginx
   service:
     name: nginx
-    state: restarted
+    state: reloaded
   become: true
   when: nginx_config.changed

ansible/roles/gitea/files/app.ini

@@ -4,6 +4,9 @@ APP_NAME = Gitea: Git with a cup of orange juice
 ROOT = /mnt/repositories
 DEFAULT_BRANCH = master
 DISABLE_STARS  = true
+DEFAULT_REPO_UNITS = repo.code
+DEFAULT_FORK_REPO_UNITS = repo.code
+
 
 [server]
 SSH_DOMAIN              = git.theorangeone.net
@@ -18,7 +21,7 @@ PROTOCOL                = http  # TLS termination done by Traefik
 ENABLE_GZIP             = true
 OFFLINE_MODE            = true
 LANDING_PAGE            = explore
-LFS_JWT_SECRET          = {{ lfs_jwt_secret }}
+LFS_JWT_SECRET          = {{ vault_lfs_jwt_secret }}
 
 [database]
 DB_TYPE  = postgres
@@ -36,8 +39,8 @@ LEVEL = warn
 
 [security]
 INSTALL_LOCK                  = true
-SECRET_KEY                    = {{ secret_key }}
-INTERNAL_TOKEN                = {{ internal_token }}
+SECRET_KEY                    = {{ vault_secret_key }}
+INTERNAL_TOKEN                = {{ vault_internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
 COOKIE_USERNAME               = gitea_username
 COOKIE_REMEMBER_NAME          = gitea_remember
@@ -61,7 +64,7 @@ REPO_PAGING_NUM = 100
 [ui]
 SITEMAP_PAGING_NUM   = 100
 FEED_PAGING_NUM      = 100
-DEFAULT_THEME        = gitea
+DEFAULT_THEME        = gitea-auto
 ISSUE_PAGING_NUM     = 100
 THEME_COLOR_META_TAG = "#ff7f00"
 FEED_MAX_COMMIT_NUM  = 30
@@ -115,9 +118,9 @@ ALLOW_LOCALNETWORKS = true
 ENABLED        = true
 SMTP_ADDR      = smtp.eu.mailgun.org
 SMTP_PORT      = 465
-FROM           = "{{ mailer_from_address }}"
-USER           = "{{ mailer_user }}"
-PASSWD         = "{{ mailer_password }}"
+FROM           = "{{ vault_mailer_from_address }}"
+USER           = "{{ vault_mailer_user }}"
+PASSWD         = "{{ vault_mailer_password }}"
 PROTOCOL    = smtps
 
 [packages]
@@ -126,8 +129,8 @@ STORAGE_TYPE = backblaze
 [storage.backblaze]
 STORAGE_TYPE = minio
 MINIO_ENDPOINT = s3.eu-central-003.backblazeb2.com
-MINIO_ACCESS_KEY_ID = {{ backblaze_access_key_id }}
-MINIO_SECRET_ACCESS_KEY = {{ backblaze_secret_access_key }}
+MINIO_ACCESS_KEY_ID = {{ vault_backblaze_access_key_id }}
+MINIO_SECRET_ACCESS_KEY = {{ vault_backblaze_secret_access_key }}
 MINIO_BUCKET = 0rng-gitea
 MINIO_LOCATION = eu-central-003
 SERVE_DIRECT = true
@@ -137,4 +140,4 @@ MINIO_USE_SSL = true
 PATH = /mnt/repo-archive
 
 [oauth2]
-JWT_SECRET = {{ oauth2_jwt_secret }}
+JWT_SECRET = {{ vault_oauth2_jwt_secret }}

ansible/roles/gitea/files/docker-compose.yml

@@ -1,8 +1,6 @@
-version: "2.3"
-
 services:
   gitea:
-    image: gitea/gitea:1.20.5-rootless
+    image: gitea/gitea:1.22-rootless
     user: "{{ docker_user.id }}:{{ docker_user.id }}"
     environment:
       - TZ={{ timezone }}

ansible/roles/gitea/files/robots.txt

@@ -1,4 +0,0 @@
-User-agent: *
-
-# Ignore mirrored repos
-Disallow: /mirror/

ansible/roles/gitea/tasks/main.yml

@@ -28,18 +28,9 @@
   notify: restart gitea
   become: true
 
-- name: Install robots.txt
-  template:
-    src: files/robots.txt
-    dest: "{{ app_data_dir }}/gitea/data/custom/robots.txt"
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-  notify: restart gitea
-  become: true
-
 - name: Create public images directory
   file:
-    path: "{{ app_data_dir }}/gitea/data/custom/public/img"
+    path: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
@@ -57,7 +48,7 @@
 - name: Install custom branding
   unarchive:
     src: https://git.theorangeone.net/api/packages/sys/generic/gitea-branding/latest/branding.zip
-    dest: "{{ app_data_dir }}/gitea/data/custom/public/img"
+    dest: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
     remote_src: true
     owner: "{{ docker_user.name }}"
   become: true

ansible/roles/gitea/vars/main.yml

@@ -1,9 +0,0 @@
-lfs_jwt_secret: "{{ vault_lfs_jwt_secret }}"
-secret_key: "{{ vault_secret_key }}"
-internal_token: "{{ vault_internal_token }}"
-oauth2_jwt_secret: "{{ vault_oauth2_jwt_secret }}"
-mailer_from_address: "{{ vault_mailer_from_address }}"
-mailer_user: "{{ vault_mailer_user }}"
-mailer_password: "{{ vault_mailer_password }}"
-backblaze_access_key_id: "{{ vault_backblaze_access_key_id }}"
-backblaze_secret_access_key: "{{ vault_backblaze_secret_access_key }}"

ansible/roles/gitea_runner/files/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "2.3"
-
 services:
   act-runner:
     image: vegardit/gitea-act-runner:latest
@@ -10,7 +8,7 @@ services:
     environment:
       - TZ={{ timezone }}
       - GITEA_INSTANCE_URL=https://git.theorangeone.net
-      - GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea_runner_registration_token }}
+      - GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_gitea_runner_registration_token }}
       - GITEA_RUNNER_NAME={{ ansible_hostname }}
       - GITEA_RUNNER_FETCH_INTERVAL=5s
       - GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}

ansible/roles/gitea_runner/vars/main.yml

@@ -1 +0,0 @@
-gitea_runner_registration_token: "{{ vault_gitea_runner_registration_token }}"

ansible/roles/glinet_vpn/files/client.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0 ::/0
+
+PersistentKeepalive = 25

ansible/roles/glinet_vpn/files/server.conf

@@ -0,0 +1,14 @@
+[Interface]
+Address = {{ server_ip }}
+PrivateKey = {{ server_private_key }}
+ListenPort = 53
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = {{ client_cidr }}

ansible/roles/glinet_vpn/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart wireguard
+  service:
+    name: wg-quick@glinet
+    state: restarted
+  become: true

ansible/roles/glinet_vpn/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install wireguard tools
+  package:
+    name: "{{ item }}"
+  become: true
+  loop:
+    - wireguard-tools
+    - qrencode
+
+- name: Wireguard server config
+  template:
+    src: files/server.conf
+    dest: /etc/wireguard/glinet.conf
+    mode: "0600"
+    backup: true
+  become: true
+  notify: restart wireguard
+
+- name: Wireguard client config
+  template:
+    src: files/client.conf
+    dest: "{{ me.home }}/glinet-vpn.conf"
+    mode: "0600"
+    owner: "{{ me.user }}"
+  become: true
+  notify: restart wireguard
+
+- name: Enable wireguard
+  service:
+    name: wg-quick@glinet
+    enabled: true
+  become: true

ansible/roles/glinet_vpn/vars/main.yml

@@ -0,0 +1,8 @@
+client_public_key: "{{ vault_client_public_key }}"
+client_private_key: "{{ vault_client_private_key }}"
+client_cidr: 10.23.4.2/24
+
+server_public_key: "{{ vault_server_public_key }}"
+server_private_key: "{{ vault_server_private_key }}"
+server_public_ip: "{{ ansible_default_ipv4.address }}"
+server_ip: 10.23.4.1

ansible/roles/glinet_vpn/vars/vault.yml

@@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35366163656631633636333937333238346539653236323463316333356637623263326436623130
+3333616234643935306337386165623734333265663237610a326538636532643835373137316333
+30363133343035353235616639613637353435303863393130396261623063633836383430326530
+3634313639353264310a393266313230646132656561393737363834646566313765633235343139
+36303834353039303134393061386634373735316135656564386464363863376265633239313037
+62616535313239353233376163343437303933346264323266386533336138656135663664356164
+65643262303436343164613133333361393438616234616566336131636461383538326130623264
+62313134386430636665646539306661383039323339373838346164653836326536386332616634
+34313331623166356137363131356130623863313339663938386138643538323666616239656662
+36313534323237306631663931633830346565616139313864333762356330643131343630653535
+62323939376163363436336633386433323435316535623462353138386430333332653966383262
+33636534346466326631333362343638616332633163623533613364326665376565643739666261
+34646533613133313034366636623134613336623134356562393335313337336336623634336633
+66623365353866396564386536386330353537383866616665373762306530356333643265326537
+38353138626331623433643636623130613766616638343034633536306232316133303133356463
+36616665643264396137336234316466306238303461363531653461623834376361653334326235
+31366530636565383062313562663639393534373737363465656538393266363936333136636161
+3239303565613865633433313237393932306632633633373261

ansible/roles/headscale/files/acls.json

@@ -0,0 +1,13 @@
+{
+    "tagOwners": {
+        "tag:client": []
+
+    },
+    "acls": [
+        {
+            "action": "accept",
+            "src": ["tag:client"],
+            "dst": ["*:*"]
+        }
+    ]
+}

ansible/roles/headscale/files/headscale.yml

@@ -0,0 +1,284 @@
+# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
+#
+# - `/etc/headscale`
+# - `~/.headscale`
+# - current working directory
+
+# The url clients will connect to.
+# Typically this will be a domain like:
+#
+# https://myheadscale.example.com:443
+#
+server_url: https://headscale.jakehoward.tech
+
+# Address to listen to / bind to on the server
+#
+# For production:
+# listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8416
+
+# Address to listen to /metrics, you may want
+# to keep this endpoint private to your internal
+# network
+#
+metrics_listen_addr: "{{ private_ip }}:9090"
+
+# Address to listen for gRPC.
+# gRPC is used for controlling a headscale server
+# remotely with the CLI
+# Note: Remote access _only_ works if you have
+# valid certificates.
+#
+# For production:
+# grpc_listen_addr: 0.0.0.0:50443
+grpc_listen_addr: 127.0.0.1:50443
+
+# Allow the gRPC admin interface to run in INSECURE
+# mode. This is not recommended as the traffic will
+# be unencrypted. Only enable if you know what you
+# are doing.
+grpc_allow_insecure: false
+
+# Private key used to encrypt the traffic between headscale
+# and Tailscale clients.
+# The private key file will be autogenerated if it's missing.
+#
+private_key_path: /var/lib/headscale/private.key
+
+# The Noise section includes specific configuration for the
+# TS2021 Noise protocol
+noise:
+  # The Noise private key is used to encrypt the
+  # traffic between headscale and Tailscale clients when
+  # using the new Noise-based protocol. It must be different
+  # from the legacy private key.
+  private_key_path: /var/lib/headscale/noise_private.key
+
+# List of IP prefixes to allocate tailaddresses from.
+# Each prefix consists of either an IPv4 or IPv6 address,
+# and the associated prefix length, delimited by a slash.
+# It must be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+# See below:
+# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# Any other range is NOT supported, and it will cause unexpected issues.
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+
+# DERP is a relay system that Tailscale uses when a direct
+# connection cannot be established.
+# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+#
+# headscale needs a list of DERP servers that can be presented
+# to the clients.
+derp:
+  server:
+    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+    enabled: true
+
+    # Region ID to use for the embedded DERP server.
+    # The local DERP prevails if the region ID collides with other region ID coming from
+    # the regular DERP config.
+    region_id: 999
+
+    # Region code and name are displayed in the Tailscale UI to identify a DERP region
+    region_code: headscale
+    region_name: Headscale Embedded DERP
+
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+    #
+    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+    stun_listen_addr: 0.0.0.0:3478
+
+  # List of externally available DERP maps encoded in JSON
+  urls: []
+
+  # Locally available DERP map files encoded in YAML
+  #
+  # This option is mostly interesting for people hosting
+  # their own DERP servers:
+  # https://tailscale.com/kb/1118/custom-derp-servers/
+  #
+  # paths:
+  #   - /etc/headscale/derp-example.yaml
+  paths: []
+
+  # If enabled, a worker will be set up to periodically
+  # refresh the given sources and update the derpmap
+  # will be set up.
+  auto_update_enabled: true
+
+  # How often should we check for DERP updates?
+  update_frequency: 24h
+
+# Disables the automatic check for headscale updates on startup
+disable_check_updates: true
+
+# Time before an inactive ephemeral node is deleted?
+ephemeral_node_inactivity_timeout: 30m
+
+# Period to check for node updates within the tailnet. A value too low will severely affect
+# CPU consumption of Headscale. A value too high (over 60s) will cause problems
+# for the nodes, as they won't get updates or keep alive messages frequently enough.
+# In case of doubts, do not touch the default 10s.
+node_update_check_interval: 20s
+
+# SQLite config
+db_type: sqlite3
+
+# For production:
+db_path: /var/lib/headscale/db.sqlite
+
+# # Postgres config
+# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
+# db_type: postgres
+# db_host: localhost
+# db_port: 5432
+# db_name: headscale
+# db_user: foo
+# db_pass: bar
+
+# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
+# db_ssl: false
+
+### TLS configuration
+#
+## Let's encrypt / ACME
+#
+# headscale supports automatically requesting and setting up
+# TLS for a domain with Let's Encrypt.
+#
+# URL to ACME directory
+acme_url: https://acme-v02.api.letsencrypt.org/directory
+
+# Email to register with ACME provider
+acme_email: ""
+
+# Domain name to request a TLS certificate for:
+tls_letsencrypt_hostname: ""
+
+# Path to store certificates and metadata needed by
+# letsencrypt
+# For production:
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+
+# Type of ACME challenge to use, currently supported types:
+# HTTP-01 or TLS-ALPN-01
+# See [docs/tls.md](docs/tls.md) for more information
+tls_letsencrypt_challenge_type: HTTP-01
+# When HTTP-01 challenge is chosen, letsencrypt must set up a
+# verification endpoint, and it will be listening on:
+# :http = port 80
+tls_letsencrypt_listen: :http
+
+## Use already defined certificates:
+tls_cert_path: ""
+tls_key_path: ""
+
+log:
+  # Output formatting for logs: text or json
+  format: text
+  level: info
+
+# Path to a file containg ACL policies.
+# ACLs can be defined as YAML or HUJSON.
+# https://tailscale.com/kb/1018/acls/
+acl_policy_path: /etc/headscale/acls.json
+
+## DNS
+#
+# headscale supports Tailscale's DNS configuration and MagicDNS.
+# Please have a look to their KB to better understand the concepts:
+#
+# - https://tailscale.com/kb/1054/dns/
+# - https://tailscale.com/kb/1081/magicdns/
+# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+#
+dns_config:
+  # Whether to prefer using Headscale provided DNS or use local.
+  override_local_dns: false
+
+  # List of DNS servers to expose to clients.
+  nameservers:
+    - 1.1.1.1
+
+  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+  # "abc123" is example NextDNS ID, replace with yours.
+  #
+  # With metadata sharing:
+  # nameservers:
+  #   - https://dns.nextdns.io/abc123
+  #
+  # Without metadata sharing:
+  # nameservers:
+  #   - 2a07:a8c0::ab:c123
+  #   - 2a07:a8c1::ab:c123
+
+  # Split DNS (see https://tailscale.com/kb/1054/dns/),
+  # list of search domains and the DNS to query for each one.
+  #
+  # restricted_nameservers:
+  #   foo.bar.com:
+  #     - 1.1.1.1
+  #   darp.headscale.net:
+  #     - 1.1.1.1
+  #     - 8.8.8.8
+
+  # Search domains to inject.
+  domains: []
+
+  # Extra DNS records
+  # so far only A-records are supported (on the tailscale side)
+  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
+  # extra_records:
+  #   - name: "grafana.myvpn.example.com"
+  #     type: "A"
+  #     value: "100.64.0.3"
+  #
+  #   # you can also put it in one line
+  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  # Only works if there is at least a nameserver defined.
+  magic_dns: false
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # `base_domain` must be a FQDNs, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
+  base_domain: headscale.jakehoward.tech
+
+# Unix socket used for the CLI to connect without authentication
+# Note: for production you will want to set this to something like:
+unix_socket: /var/run/headscale/headscale.sock
+unix_socket_permission: "0770"
+
+
+# headscale supports experimental OpenID connect support,
+# it is still being tested and might have some bugs, please
+# help us test it.
+oidc:
+  only_start_if_oidc_is_available: true
+  issuer: "{{ vault_oidc_issuer }}"
+  client_id: "{{ vault_oidc_client_id }}"
+  client_secret: "{{ vault_oidc_client_secret }}"
+  expiry: 0
+
+# Logtail configuration
+# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+# to instruct tailscale nodes to log their activity to a remote server.
+logtail:
+  # Enable logtail for this headscales clients.
+  # As there is currently no support for overriding the log server in headscale, this is
+  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+  enabled: false
+
+# Enabling this option makes devices prefer a random port for WireGuard traffic over the
+# default static port 41641. This option is intended as a workaround for some buggy
+# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+randomize_client_port: false

ansible/roles/headscale/files/nginx.conf

@@ -0,0 +1,35 @@
+# {{ ansible_managed }}
+
+limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
+
+server {
+    listen 8888 ssl http2 proxy_protocol;
+
+    server_name headscale.jakehoward.tech;
+
+    ssl_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/headscale.jakehoward.tech/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/chain.pem;
+    include includes/ssl.conf;
+
+    real_ip_header proxy_protocol;
+
+    set_real_ip_from 127.0.0.1;
+
+    location / {
+        proxy_pass http://localhost:8416;
+    }
+
+    location /oidc {
+        # 3 should be enough for the redirect, callback plus 1 error
+        limit_req zone=headscale burst=3 nodelay;
+        limit_req_status 429;
+
+        proxy_pass http://localhost:8416;
+    }
+
+    # Block access to the API entirely - I'm not using it
+    location /api {
+        return 403;
+    }
+}

ansible/roles/headscale/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: restart headscale
+  service:
+    name: headscale
+    state: restarted
+    enabled: true
+  become: true

ansible/roles/headscale/tasks/main.yml

@@ -0,0 +1,33 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install Headscale
+  package:
+    name: headscale
+  become: true
+
+- name: Install headscale config file
+  template:
+    src: files/headscale.yml
+    dest: /etc/headscale/config.yaml
+    owner: headscale
+    mode: "0600"
+  notify: restart headscale
+  become: true
+
+- name: Install ACLs
+  template:
+    src: files/acls.json
+    dest: /etc/headscale/acls.json
+    owner: headscale
+    mode: "0600"
+  notify: restart headscale
+  become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx.conf
+    dest: /etc/nginx/http.d/headscale.conf
+    mode: "0644"
+  become: true
+  notify: reload nginx

ansible/roles/headscale/vars/vault.yml

@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+38616264313731363865383762393566306366653037373633393433626264646563353765316631
+3366613332663439616266373566646435646237626465350a363731396436376262313831393632
+37646330343763343732336239393364303664303562373937663662643162313863333363323534
+6361333166363339390a356130633130663132393766636261346262363138656335646366643966
+30383933303536353165343363386239316139346165613366323731666664303638613862303139
+38353033633765633731656537626166316566613732633239356238393033386131626535383462
+33343064306162393733643165343266623931643136623934303861353064363235303539353935
+30636338613132323262626338623366393965316239616132346330646537636238363631643038
+39306465616131343666353865336231643966313830386164336539626134323030353561636165
+37623338656134316130653236643339636339303632653536366665653830386562313734626130
+31663335323630343666386337363564313633323766623535303564633132346165303462353436
+64303863303631613237343762653938646537646534343234656465316330356361643163623631
+36396535343061323962386135633736333261323965646266366637666564623666306365356135
+37346666343634306137393663646362333062303636616332333235313634633261333136303837
+37363835313563323035313465626261353365653261326463313461616430643335316661386365
+34333161373164306335646161346437643039663638353134613533383364363065373433383561
+66653335393262333739376364356639316530626664656438353861303134383833393236656134
+66353563313661393062656636393331386263333566303938303038643135646431653663363931
+656663316137373831346432356438386639

ansible/roles/http_proxy/files/squid.conf

@@ -2,7 +2,7 @@
 # Recommended minimum configuration:
 #
 
-acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }}
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
 
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing

ansible/roles/ingress/files/nftables.conf

@@ -19,6 +19,9 @@ table inet filter {
 
         # Allow nebula
         udp dport {{ nebula_listen_port }} accept;
+
+        # Allow Tailscale
+        udp dport {{ tailscale_port }} accept;
     }
 
     chain POSTROUTING {
@@ -27,6 +30,7 @@ table inet filter {
 
         # NAT - because the proxmox machines may not have routes back
         ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+        ip saddr {{ tailscale_cidr }} counter masquerade
     }
 
     chain FORWARD {
@@ -36,5 +40,13 @@ table inet filter {
         # Allow traffic from nebula to proxmox network
         ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
         ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+
+        # Allow monitoring of nebula network
+        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
+
+        # Allow Tailscale exit node
+        ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
+        ip saddr {{ tailscale_cidr }} accept
+        ip daddr {{ tailscale_cidr }} ct state related,established accept
     }
 }

ansible/roles/ingress/files/nginx.conf

@@ -1,60 +1,27 @@
-worker_processes auto;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-    #                  '$status $body_bytes_sent "$http_referer" '
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
-
-    #access_log  logs/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    #keepalive_timeout  0;
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    server_tokens off;
-
-    server {
-        listen 80;
-        server_name _;
-        return 308 https://$host$request_uri;
-    }
-}
-
-stream {
-
-    log_format access '$remote_addr [$time_local] '
+log_format access '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$ssl_preread_server_name" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
-    access_log /var/log/nginx/access.log access;
+access_log /var/log/nginx/access.log access;
 
-    ssl_preread on;
-
-    # Internal LAN route
-    server {
+# Internal LAN route
+server {
     listen 443;
     listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
     proxy_pass {{ pve_hosts.docker.ip }}:443;
     proxy_protocol on;
-    }
+    proxy_socket_keepalive on;
+    proxy_timeout 1h;
+}
 
-    # External routes
-    server {
+# External routes
+server {
     listen 8443 proxy_protocol;
     proxy_protocol on;
     proxy_pass {{ pve_hosts.docker.ip }}:443;
     set_real_ip_from {{ wireguard.server.ip }};
-    }
+    proxy_socket_keepalive on;
 }

ansible/roles/ingress/handlers/main.yml

@@ -4,10 +4,10 @@
     state: restarted
   become: true
 
-- name: restart nginx
+- name: reload nginx
   service:
     name: nginx
-    state: restarted
+    state: reloaded
   become: true
 
 - name: reload nftables

ansible/roles/ingress/tasks/nginx.yml

@@ -1,19 +1,7 @@
-- name: Install nginx
-  package:
-    name: nginx
-  become: true
-
 - name: Nginx config
   template:
     src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
-    validate: nginx -t -c %s
+    dest: /etc/nginx/stream.d/ingress.conf
     mode: "0644"
   become: true
-  notify: restart nginx
-
-- name: Enable nginx
-  service:
-    name: nginx
-    enabled: true
-  become: true
+  notify: reload nginx

ansible/roles/mastodon/files/docker-compose.yml

@@ -1,8 +1,6 @@
-version: "2.3"
-
 services:
   mastodon:
-    image: lscr.io/linuxserver/mastodon:4.2.1
+    image: lscr.io/linuxserver/mastodon:4.2.10
     environment:
       - TZ={{ timezone }}
       - PUID={{ docker_user.id }}
@@ -12,17 +10,16 @@ services:
       - DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
       - REDIS_URL=redis://redis
       - SIDEKIQ_REDIS_URL=redis://redis/1
-      - SECRET_KEY_BASE={{ secret_key_base }}
-      - OTP_SECRET={{ otp_secret }}
-      - VAPID_PRIVATE_KEY={{ vapid_private_key }}
-      - VAPID_PUBLIC_KEY={{ vapid_public_key }}
-      - TRUSTED_PROXY_IP=172.20.0.1
+      - SECRET_KEY_BASE={{ vault_secret_key_base }}
+      - OTP_SECRET={{ vault_otp_secret }}
+      - VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
+      - VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
       - SINGLE_USER_MODE=true
       - DEFAULT_LOCALE=en
       - STREAMING_CLUSTER_NUM=1
       - WEB_CONCURRENCY=0  # 0 means 1, but not in clustered mode
       - SIDEKIQ_THREADS=1
-      - MAX_THREADS={{ ansible_processor_nproc }}
+      - SIDEKIQ_CONCURRENCY=1
       - HTTP_PROXY={{ pve_hosts.qbittorrent.ip }}:3128
       - HTTPS_PROXY={{ pve_hosts.qbittorrent.ip }}:3128
     restart: unless-stopped

ansible/roles/mastodon/vars/main.yml

@@ -1,4 +0,0 @@
-secret_key_base: "{{ vault_secret_key_base }}"
-otp_secret: "{{ vault_otp_secret }}"
-vapid_private_key: "{{ vault_vapid_private_key }}"
-vapid_public_key: "{{ vault_vapid_public_key }}"

ansible/roles/minio/files/docker-compose.yml

@@ -0,0 +1,29 @@
+services:
+  minio:
+    image: quay.io/minio/minio:latest
+    command: server /data --console-address ":9090"
+    user: "{{ docker_user.id }}"
+    environment:
+      - TZ=Europe/London
+      - MINIO_ROOT_USER=jake
+      - MINIO_ROOT_PASSWORD={{ vault_minio_root_password }}
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+
+      - traefik.http.routers.minio-console.rule=Host(`minio.jakehoward.tech`)
+      - traefik.http.routers.minio-console.service=minio-console
+      - traefik.http.services.minio-console.loadbalancer.server.port=9090
+
+      - traefik.http.routers.minio-s3.rule=Host(`s3.jakehoward.tech`)
+      - traefik.http.routers.minio-s3.service=minio-s3
+      - traefik.http.services.minio-s3.loadbalancer.server.port=9000
+    volumes:
+      - /mnt/tank/files/minio:/data
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

ansible/roles/minio/handlers/main.yml

@@ -1,4 +1,4 @@
-- name: restart upload
+- name: restart minio
   shell:
-    chdir: /opt/upload
+    chdir: /opt/minio
     cmd: "{{ docker_update_command }}"

ansible/roles/minio/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/minio
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/minio/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart minio
+  become: true

ansible/roles/minio/vars/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+38666632613233313534666339373331396438323131643238356235323535303430373733353737
+6330313565333032333461623361333232633836343163650a663762653233303832333936646364
+66623566393464323537376666353631383464373030616263383536393735316336636636356332
+6639383839666563330a323166336565636634306538633761333338366637643162633133353164
+39306166373131303464373530373163626538623735393962306237663634326264323339643634
+37323564373839356434343836373631323162663038393861383934306538313262326637653537
+62653766623734343231633262636237366433363932316631393237633135636538623362373963
+39303531656431623733