Update mariadb Docker tag to v10.11

.gitea/workflows/ci.yml

@@ -5,9 +5,9 @@ jobs:
   terraform:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@v2
       - uses: taiki-e/install-action@just
       - name: Init
         run: just terraform init -backend=false
@@ -17,9 +17,9 @@ jobs:
   ansible:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v4
         with:
           python-version: 3.11
       - uses: taiki-e/install-action@just

.yamllint.yml

@@ -5,6 +5,7 @@ ignore: |
   ansible/galaxy_collections
   ansible/group_vars/all/vps-hosts.yml
   ansible/roles/traefik/files/traefik.yml
+  ansible/roles/nebula/files/nebula.yml
   env
 
 rules:

README.md

@@ -22,7 +22,3 @@ Terraform secrets are stored in `terraform/.env`, and provisioned using `just up
 
 - `just ansible-deploy`
 - `juts terraform apply`
-
-## External configuration
-
-This repository contains most of my infrastructure configuration, but not everything is configured here. Some things are external, for various reasons.

ansible/.ansible-lint

@@ -6,10 +6,10 @@ skip_list:
   - name[casing]
   - name[play]
   - no-changed-when
-  - var-naming[no-role-prefix]
 
 exclude_paths:
   - galaxy_roles/
   - galaxy_collections/
   - ~/.ansible
+  - roles/nebula/files/nebula.yml
   - roles/traefik/files/traefik.yml

ansible/ansible.cfg

@@ -5,11 +5,10 @@ retry_files_enabled = False
 roles_path = $PWD/galaxy_roles:$PWD/roles
 collections_path = $PWD/galaxy_collections
 inventory = ./hosts
-interpreter_python = auto_silent
-
-[privilege_escalation]
-become = True
 become_ask_pass = True
+interpreter_python = auto_silent
+# HACK: Force Ansible to find dokku plugins
+library = $PWD/galaxy_roles/dokku_bot.ansible_dokku/library
 
 [ssh_connection]
 pipelining = True

ansible/dev-requirements.txt

@@ -1,4 +1,3 @@
-ansible-lint==24.5.0
-yamllint==1.33.0
+ansible-lint==6.17.1
+yamllint==1.32.0
 ansible
-passlib

ansible/files/nginx-docker.conf

@@ -1,24 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name {{ server_name }};
-    set $upstream {{ upstream }};
-
-    ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
-    ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
-    ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
-    include includes/ssl.conf;
-
-    include includes/docker-resolver.conf;
-
-    location / {
-        proxy_pass http://$upstream;
-
-        {%- if location_extra is defined +%}
-        {{ location_extra }}
-        {%- endif +%}
-    }
-}

ansible/galaxy-requirements.yml

@@ -2,21 +2,20 @@ collections:
   - ansible.posix
   - community.general
   - community.docker
-  - kewlfft.aur
   - name: https://github.com/prometheus-community/ansible
     type: git
 
 roles:
   - src: geerlingguy.docker
-    version: 7.3.0
+    version: 6.2.0
   - src: geerlingguy.ntp
-    version: 2.5.0
+    version: 2.3.3
   - src: realorangeone.reflector
   - src: ironicbadger.proxmox_nag_removal
     version: 1.0.2
   - src: ironicbadger.snapraid
     version: 1.0.0
-  - src: geerlingguy.certbot
-    version: 5.1.0
-  - src: artis3n.tailscale
-    version: v4.5.0
+  - src: dokku_bot.ansible_dokku
+    version: v2022.10.17
+  - src: nginxinc.nginx
+    version: 0.24.1

ansible/group_vars/all/certbot.yml

@@ -1,13 +0,0 @@
-certbot_install_method: package
-certbot_auto_renew: true
-certbot_auto_renew_user: root
-certbot_auto_renew_hour: 23
-certbot_auto_renew_minute: 30
-certbot_auto_renew_options: --quiet --post-hook "systemctl reload nginx"
-certbot_admin_email: "{{ vault_certbot_admin_email }}"
-
-certbot_create_method: webroot
-
-certbot_webroot: /var/www/certbot-webroot
-
-certbot_create_if_missing: true

ansible/group_vars/all/docker.yml

@@ -2,17 +2,7 @@ docker_user:
   id: 3000
   name: dockeruser
 
-docker_users:
-  - "{{ me.user }}"
-
 docker_compose_file_mask: "664"
 docker_compose_directory_mask: "775"
 
-# HACK: Use compose-switch as the install for compose, so the commands still work.
-# Run this task manually, as version comparisons usually fail
-docker_compose_url: https://github.com/docker/compose-switch/releases/latest/download/docker-compose-linux-{{ docker_apt_arch }}
-docker_install_compose: false
-
-docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
-
 docker_update_command: docker-compose pull && docker-compose down --remove-orphans && docker-compose rm && docker-compose up -d

ansible/group_vars/all/nebula.yml

@@ -0,0 +1,9 @@
+nebula:
+  cidr: 10.23.2.0/24
+  clients:
+    casey:
+      ip: 10.23.2.1
+    walker:
+      ip: 10.23.2.4
+    ingress:
+      ip: 10.23.2.5

ansible/group_vars/all/network.yml

@@ -1 +1,2 @@
+private_ip: "{{ nebula.clients[hostname_slug].ip }}"
 ssh_port: 7743

ansible/group_vars/all/pve.yml

@@ -1,6 +1,5 @@
 pve_hosts:
   internal_cidr: 10.23.1.0/24
-  internal_cidr_ipv6: fde3:15e9:e883::1/48
   pve:
     ip: 10.23.1.1
     external_ip: 192.168.2.200
@@ -8,17 +7,15 @@ pve_hosts:
     ip: 10.23.1.11
   forrest:
     ip: 10.23.1.13
-    ipv6: fde3:15e9:e883::103
   jellyfin:
     ip: 10.23.1.101
+  dokku:
+    ip: 10.23.1.102
   docker:
     ip: 10.23.1.103
-    ipv6: fde3:15e9:e883::203
   ingress:
     ip: 10.23.1.10
     external_ip: 192.168.2.201
-    external_ipv6: "{{ vault_ingress_ipv6 }}"
-    ipv6: fde3:15e9:e883::100
   homeassistant:
     ip: 192.168.2.203
   qbittorrent:

ansible/group_vars/all/tailscale.yml

@@ -1,11 +0,0 @@
-# Just install for now, don't configure
-tailscale_up_skip: true
-
-tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
-tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
-
-tailscale_port: 41641
-
-tailscale_nodes:
-  casey:
-    ip: 100.64.0.6

ansible/group_vars/all/vault.yml

@@ -1,44 +1,38 @@
 $ANSIBLE_VAULT;1.1;AES256
-30343832393233616534663738346461303836323930373663613438353339353433636530323132
-3139396237376638376536653263346165323066623864650a666264643966386463353161306664
-61393739636336343338656635303462656232356162616666343238336161613730626363616133
-3663623465366130640a306164396662343262623065366431306163636564646136653730306434
-38346633376533646638396164613837663437356266646430373731383161626336373837303539
-37373939393431336435636336663739633335326430373864653831613964646137323136303634
-62346237313061356630323335306366643131366565343566376666643161666136376337666335
-30633262616666326464326436623136366639363930663061343434396138366336646538363135
-32393061663530333532666331376661623137343635646265613364346531383635366363613265
-65366265666538396438643130396437636562653538303634316465623136333036646432383735
-31643364323265363731383665316338366139343130346536303538623565633662653062323531
-38323630623231633032386663343736616566303166386433633062653530386561366661653663
-63353537623339323134386162376366313132393631613931663738356430623337333262633838
-31316362666639326365663164626263356464623139376166333962356238353637623431623137
-63633361336161373564306631646638386537303238616239646234646332393536316437336466
-61666235343466333539363566613530313761326161346464356363633330373862653033303936
-30666335633663393565303835306662666462633130353163383663333062633731306262613532
-33303866643334343535663632353235313262623231656536313636646564653636396663326632
-65353434633135363630356464636130303262363436633761353161356636646361626165316563
-31666165646135643961383032313532623431376531393231613436376337386537393466343036
-30633262316439303636393739393462653938313965643137373266323465663164653365376537
-30333361626335623836303463613734663138396535656664353730383933386530346130353064
-39653939623261306134323961353562623834333738613338396461343761346461386338333265
-65343932623634663033623163666663303735656633663236366235343066336162303136373332
-64383430653863333238656565383762623962636431323033396234646665616430383561366331
-32643230303962623633663632376566626534633935653832656263333236396366653035633561
-61646161356132383733636639653163346466316230303763623666376238653964376363656539
-63386238373266653732316539643261363662356261383834636637373639656137303935613663
-62653433646366326331636464303537386161383832376164303738353134653138393137313438
-63376262343335313832306466313338396266386535373465313765356638396665356332363539
-32643266636633343332653139636330656331313938613833333662666638366534346235613164
-39373431336637633936376632303131306339653131636163303539653862326566663239646366
-63643936343138663461303530623863663763633235373337616331326361386561663633373362
-31623234353832373961306663633262396437336665616335643064656534306136636236633662
-37646363386564336136396166306630653735313137373266326662376663626139373064326536
-39666633666262666263663265626634346333316466366661313538383734636361376261663333
-30636466306661353034623863616635666433646239343339613130633834303362633835366234
-65346632636166393664333266333266313062313734323239666239396364623162363861613661
-62623732633735666164663138323961666131656336633362373730306631633939343435323633
-31363834393365303530313837356264633262643264393639306236303163353933303830393566
-62316164393231326139623833666639623637616238383236303933323964386664623961336634
-39363062613439666433623863613435626133303032393938613934353562356436656564336339
-643332616661636236363164623461623466
+64313263396466623131663462303837643566386538363331643866643630663237313165343936
+6661326238643732343035346436393737303234356533630a386166383135343135373135373036
+38336137316638633339656633363263633462363766643739306136306233663732613135306230
+6233653966313034350a616133663134343235643930396462613139326233396563633061623437
+63343464346239323030336261633964346331323465623461313762373863336361356533666130
+61613930616462373465316532376139373261616438616334643664383937303865386663316133
+30356564343334303764346433366265653663646231636666363065393465326237613236666536
+64663965633264373266386131366465393938343238366430306335346561303366343836323533
+38323033336361343431656233353662383463653232616137666266653332353039303438646466
+31666434666264303163643662323531376239666432616561363830643836313734363732363137
+66366630636465326631353464356465303939393766386332616661623133343735626338386661
+31346134663366386339383439363035376361313336393335656532363638616136323637333734
+38343261333533653833353461386537633635303739663432633766373634363832313030623665
+33663737393164643839373064383964376239333465363731643862303238353432623635656665
+38383265623034393631303638663633336466336566336231366334396532303934663538656666
+32316465626563306534653531646334336133343162623433623734653465346231323764393662
+35333930656435636539373862346631323839303335623364313436383432316437353731373463
+31373138326565626661613335663964623264336232393364336630306236396230316232306235
+66626131393966313739626432366463663335643263323237333534643036396537383339373932
+36343236643731646535346433363139363131623738633234336162383361326661353161656436
+34663463326264323239383066623038316639336666363230616535616631623637646539343335
+63633731323564636234313838306661616363306165356661343930616231666165613461366435
+39313938666431303930663763363462633466326665366432363334393333343766623061666135
+38636639626134663930333664396534646165383435613035393333383563616639393262333933
+30623861623638393838643561373834396431396538316662326134356639323431656631623137
+37666534326530623966343361393235303934323635313063623833353161643165386363373765
+31633461313062396633623561666537633239353035363932333064303338363632316632343031
+36323266343665356635643131613364616134666161353063356562343561633064666661623832
+61366538383631303030316535666639323236323536346635326563383033643538653761623930
+37336434386462363030363866636661656632663938623066636435316437663962303265353363
+30353734653334323536303330633865663963333839386632333336306637333335383532323039
+61666263663266313763353662353136646336646539333163303366323162323435616266626466
+34646134313732393164306463643261326439333565643036303663326263353434663762653263
+63636334363965313137306238393239393938626437353832326634663562653663663265633861
+62363630306364326136653234623764333063306138313037306363346435323435623661393630
+31656463313838313135386331386332333763336362393630643062643966646339386230663038
+36653632626663613536383331393336356333666334646633626363663965393563

ansible/group_vars/all/vps-hosts.yml

@@ -1,5 +1,3 @@
 "vps_hosts":
   "casey_ip": "213.219.38.11"
-  "private_ipv6_marker": "2a01:7e00:e000:7f7::1"
-  "private_ipv6_range": "2a01:7e00:e000:7f7::1/128"
-  "walker_ip": "162.55.181.67"
+  "walker_ip": "192.248.168.230"

ansible/host_vars/casey.yml

@@ -0,0 +1,3 @@
+nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
+ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}

ansible/host_vars/casey/main.yml

@@ -1,14 +0,0 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
-nginx_https_redirect: true
-
-certbot_certs:
-  - domains:
-      - headscale.jakehoward.tech
-  - domains:
-      - whoami-cdn.theorangeone.net
-
-cdn_domains:
-  - whoami-cdn.theorangeone.net
-
-restic_backup_locations:
-  - /var/lib/headscale/

ansible/host_vars/casey/vault.yml

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30643138356634323666316163396138663836316261363966636335366534336330616635383663
-6461393538346263363164613930396266323930626335370a306165306663336538316163666364
-65383835386635336433393162613031386334646632666638613162623434646531356533346132
-3162373933336365660a353163316338303630633761336238363966376336643838616135303231
-32646530376561326635633563393066656232363734653464326665396236656232613362333461
-39393134626466656561346138633362653732333639333765303961383365623737666164326532
-66356263326366323435623834306439633061386364633132613362386663633733386637363266
-31393438326531353265

ansible/host_vars/ingress.yml

@@ -1,2 +1,2 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
-nginx_https_redirect: true
+# Listen on a static port so it can be opened in the firewall
+nebula_listen_port: "{{ nebula_lighthouse_port }}"

ansible/host_vars/pve-docker/main.yml

@@ -3,6 +3,8 @@ private_ip: "{{ pve_hosts.docker.ip }}"
 traefik_provider_jellyfin: true
 traefik_provider_homeassistant: true
 traefik_provider_grafana: true
-traefik_provider_uptime_kuma: true
+traefik_provider_dokku: true
+
+with_fail2ban: true
 
 db_backups_dir: /mnt/tank/files/db-backups

ansible/host_vars/pve-dokku/main.yml

@@ -0,0 +1,3 @@
+ssh_extra_allowed_users: dokku
+
+db_backups_dir: /mnt/tank/files/db-backups

ansible/host_vars/pve-dokku/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+38396636313062623661613537386337356130353839303930346333313062383935353932336230
+6637666434356666346361663131343962663963333638630a376631313531633865396566643032
+31323866386236356639306333393765616630363734326662366632656430323739306439366634
+3364666662623764630a353532373433616365383862633935373332663933386561316262633662
+37366233326439336535623339366565653732646434386639336533386261306238306630396638
+30633433636365663538656338303066353830626137613038323462353137326234356533323335
+39643832636466643864663737316239626161653833343633306435363636663264303165303334
+36383661316566316630

ansible/host_vars/pve/main.yml

@@ -25,7 +25,7 @@ sanoid_datasets:
 
 sanoid_templates:
   production:
-    frequently: 4
+    frequently: 2
     hourly: 48
     daily: 28
     monthly: 3

ansible/host_vars/qbittorrent.yml

@@ -1 +0,0 @@
-private_ip: "{{ pve_hosts.qbittorrent.ip }}"

ansible/host_vars/restic/main.yml

@@ -3,6 +3,7 @@ restic_backup_locations:
   - /mnt/host/mnt/speed
   - /mnt/host/etc/pve
   - /mnt/home-assistant
-  - /home/rclone/sync
+restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
 
 restic_forget: true
+restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}"

ansible/host_vars/restic/vault.yml

@@ -1,17 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-32353739643531336665636334646135323336353562316362333266316263653364656132643661
-3736386461316563376134326638376261323734663032630a306530636166666561343264393266
-62326437343637363038646632396461303365646466666666386432306134313562356538623133
-6561323739386337630a623835656239633866666333616664366339333232303031343561633239
-62636636623462316536333334306562626637643936623963376663326164333962646134376566
-62646336353937316238333036376232323834346530626136316233626166326231633330646266
-36653263636266626233313263346263633734386339386664323331363263306465626165336337
-38653766366530373230623334386234303461336133323663626439383530373966363830633364
-37336635356334633338633161356161353133656633386563393363303064613761306137323261
-34626164663936306665613861343039666330613263303932333766306663616134316566313963
-66653263643134343363353637343636633936343165363934376537343538643434376434336633
-31613339613035633335643034336265376630326662393865626336303261363130333637643162
-32383863313139663066363766613865653966613430616631346432623164366663313838363164
-37613863326433653531656139633533353539366563653532626534346165626535643434333861
-34306433373134376137633836666162663130623130353062316439303466393035633636386234
-38333132376361376363
+31333338396531316366353161666432346634373335356464663837386231616632373833656130
+3361383732623965393533316366373864323064393530330a346565393462316561383733653437
+62363736356432363239373863303734323437333034343266313135383866303566396639646230
+3839333535393036390a383534346233633935393561353637353835663763343531613238653664
+39356365306630373036396132373562646130636439373964333363306431666565613434646365
+64353933656365653431386463623034643564303266396438353064373434336436366431366338
+31386637376165633731373633656336623531323965343534323031363163356239353031643165
+37663232636234663735613037666161393736663432656139646264313763303164386161626162
+65393363336435333738303061613738636666303961653361376131376161623264343666353061
+61663636656339363539666335643239653361383961333665646562613935396335623565306531
+643165653537326431373637303639343763

ansible/host_vars/tang.yml

@@ -1,5 +1,2 @@
 ssh_extra_allowed_users: jake
 private_ip: "{{ ansible_default_ipv4.address }}"
-
-restic_backup_locations:
-  - /var/lib/adguardhome/

ansible/host_vars/tang/vault.yml

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62623062666237373636616333623434363662316639633962363833303663376331346338363365
-6633336638623237396134613033346665313964613538320a656134323135613834316462366161
-36633062623031306562313233356536643132346466376435303031333331643936613036616236
-3231613336396135340a376339396663343837353139393062353530626566626566366439353762
-37376236376437393863633730643531323762336536633034353132356266373361613434326333
-39663562353337666435653435623563383630383537663633336437613262323733363766666539
-66373538386163303731663331666138656435343436613633323766366261316337373830653837
-64313133396532376436

ansible/host_vars/walker/main.yml

@@ -1,17 +1,3 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
-
 restic_backup_locations:
   - /opt
-
-nginx_https_redirect: true
-
-certbot_certs:
-  - domains:
-      - theorangeone.net
-  - domains:
-      - plausible.theorangeone.net
-      - elbisualp.theorangeone.net
-  - domains:
-      - slides.jakehoward.tech
-  - domains:
-      - comentario.theorangeone.net
+restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"

ansible/hosts

@@ -13,3 +13,4 @@ qbittorrent
 restic
 renovate
 gitea-runner
+pve-dokku

ansible/main.yml

@@ -8,12 +8,9 @@
 
 - hosts: casey
   roles:
-    - nginx
-    - geerlingguy.certbot
     - gateway
-    - headscale
-    - restic
-    - glinet_vpn
+    - nebula
+    - fail2ban_ssh
 
 - hosts:
     - pve
@@ -23,6 +20,7 @@
     - tang
   roles:
     - role: geerlingguy.ntp
+      become: true
       vars:
         ntp_timezone: "{{ timezone }}"
         ntp_manage_config: true
@@ -33,78 +31,78 @@
     - walker
     - renovate
     - gitea-runner
+    - pve-dokku
   roles:
-    - geerlingguy.docker
+    - role: geerlingguy.docker
+      become: true
+      vars:
+        docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
+        docker_users:
+          - "{{ me.user }}"
     - docker_cleanup
 
 - hosts:
     - pve-docker
     - forrest
     - walker
+    - pve-dokku
   roles:
     - db_auto_backup
 
 - hosts:
     - pve-docker
+    - walker
   roles:
     - traefik
 
-- hosts:
-    - ingress
-    - walker
-    - casey
-  become: false  # Forcefully run as current user
-  roles:
-    - artis3n.tailscale
-
 - hosts: pve-docker
   roles:
     - pve_docker
     - yourls
+    - pve_nebula_route
     - privatebin
     - vaultwarden
     - tandoor
     - mastodon
-    - forgejo
+    - gitea
     - vikunja
-    - authentik
-    - minio
-    - ntfy
 
 - hosts: ingress
   roles:
-    - nginx
+    - role: nginxinc.nginx  # The nginx in debian's repos is very old
+      become: true
     - ingress
+    - nebula
 
 - hosts: pve
   roles:
-    - ironicbadger.proxmox_nag_removal
+    - role: ironicbadger.proxmox_nag_removal
+      become: true
     - zfs
-    - ironicbadger.snapraid
-    - prometheus.prometheus.node_exporter
+    - pve_nebula_route
+    - role: ironicbadger.snapraid
+      become: true
+    - role: prometheus.prometheus.node_exporter
+      become: true
 
 - hosts: forrest
   roles:
-    - prometheus
-    - uptime_kuma
-    - pve_tailscale_route
+    - forrest
+    - pve_nebula_route
 
 - hosts: qbittorrent
   roles:
-    - nginx
     - qbittorrent
     - http_proxy
 
 - hosts: walker
   roles:
-    - nginx
-    - geerlingguy.certbot
-    - coredns_docker_proxy
+    - nebula
+    - upload
     - plausible
     - restic
+    - commento
     - website
-    - slides
-    - comentario
 
 - hosts: jellyfin
   roles:
@@ -113,11 +111,10 @@
 - hosts: restic
   roles:
     - restic
-    - s3_sync
 
 - hosts: gitea-runner
   roles:
-    - forgejo_runner
+    - gitea_runner
 
 - hosts: renovate
   roles:
@@ -125,6 +122,10 @@
 
 - hosts: tang
   roles:
-    - adguardhome
-    - prometheus.prometheus.node_exporter
-    - restic
+    - pihole
+    - role: prometheus.prometheus.node_exporter
+      become: true
+
+- hosts: pve-dokku
+  roles:
+    - dokku

ansible/roles/adguardhome/files/Corefile

@@ -1,33 +0,0 @@
-(alias) {
-    errors
-    cancel
-
-    forward . tls://9.9.9.9 tls://149.112.112.112 tls://2620:fe::fe tls://2620:fe::9 {
-       tls_servername dns.quad9.net
-       health_check 15s
-    }
-
-    hosts {
-        {{ pve_hosts.ingress.external_ip }} pve.sys.theorangeone.net
-        {{ pve_hosts.ingress.external_ipv6 }} pve.sys.theorangeone.net
-        fallthrough
-        ttl 300
-    }
-
-    # HACK: Rewrite the CNAME to itself so it's reprocessed
-    rewrite cname exact pve.sys.theorangeone.net. pve.sys.theorangeone.net.
-}
-
-theorangeone.net:53053 {
-    import alias
-}
-
-jakehoward.tech:53053 {
-    import alias
-}
-
-.:53053 {
-    acl {
-        block
-    }
-}

ansible/roles/adguardhome/files/resolved-adguardhome.conf

@@ -1,3 +0,0 @@
-[Resolve]
-DNS=127.0.0.1
-DNSStubListener=no

ansible/roles/adguardhome/handlers/main.yml

@@ -1,11 +0,0 @@
-- name: restart coredns
-  service:
-    name: coredns
-    state: restarted
-    enabled: true
-
-- name: restart systemd-resolved
-  service:
-    name: systemd-resolved
-    state: restarted
-    enabled: true

ansible/roles/adguardhome/tasks/main.yml

@@ -1,30 +0,0 @@
-- name: Install adguardhome
-  kewlfft.aur.aur:
-    name: adguardhome-bin
-
-- name: Disable resolved stub
-  template:
-    src: files/resolved-adguardhome.conf
-    dest: /etc/systemd/resolved.conf.d/adguardhome.conf
-    owner: root
-    mode: "0644"
-  notify: restart systemd-resolved
-
-- name: Use resolved resolv.conf
-  file:
-    src: /run/systemd/resolve/resolv.conf
-    dest: /etc/resolv.conf
-    state: link
-  notify: restart systemd-resolved
-
-- name: Install coredns
-  kewlfft.aur.aur:
-    name: coredns
-
-- name: Install coredns config file
-  template:
-    src: files/Corefile
-    dest: /etc/coredns/Corefile
-    owner: coredns
-    mode: "0644"
-  notify: restart coredns

ansible/roles/authentik/files/docker-compose.yml

@@ -1,76 +0,0 @@
-x-env: &env
-  - TIMEZONE={{ timezone }}
-  - AUTHENTIK_REDIS__HOST=redis
-  - AUTHENTIK_POSTGRESQL__HOST=db
-  - AUTHENTIK_POSTGRESQL__USER=authentik
-  - AUTHENTIK_POSTGRESQL__NAME=authentik
-  - AUTHENTIK_POSTGRESQL__PASSWORD={{ vault_authentik_db_password }}
-  - AUTHENTIK_SECRET_KEY={{ vault_authentik_secret_key }}
-  - AUTHENTIK_WEB__WORKERS=1
-  - AUTHENTIK_DISABLE_UPDATE_CHECK=true
-  - AUTHENTIK_ERROR_REPORTING__ENABLED=false
-  - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
-  - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
-  - AUTHENTIK_EMAIL__PORT=465
-  - AUTHENTIK_EMAIL__USERNAME={{ vault_authentik_email_username }}
-  - AUTHENTIK_EMAIL__PASSWORD={{ vault_authentik_email_password }}
-  - AUTHENTIK_EMAIL__USE_TLS=true
-  - AUTHENTIK_EMAIL__FROM={{ vault_authentik_email_from }}
-
-services:
-  server:
-    image: ghcr.io/goauthentik/server:2024.8
-    restart: unless-stopped
-    command: server
-    user: "{{ docker_user.id }}"
-    environment: *env
-    volumes:
-      - "{{ app_data_dir }}/authentik/media:/media"
-      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
-      - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
-      - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
-      - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
-      - traefik.http.routers.authentik.middlewares=authentik-ratelimit
-    depends_on:
-      - db
-      - redis
-    networks:
-      - default
-      - traefik
-
-  worker:
-    image: ghcr.io/goauthentik/server:2024.8
-    restart: unless-stopped
-    command: worker
-    user: "{{ docker_user.id }}"
-    environment: *env
-    volumes:
-      - "{{ app_data_dir }}/authentik/media:/media"
-      - "{{ app_data_dir }}/authentik/certs:/certs"
-      - "{{ app_data_dir }}/authentik/custom-templates:/templates"
-    depends_on:
-      - db
-      - redis
-      - server
-
-  db:
-    image: postgres:17-alpine
-    restart: unless-stopped
-    volumes:
-      - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_PASSWORD={{ vault_authentik_db_password }}
-      - POSTGRES_USER=authentik
-
-  redis:
-    image: redis:7-alpine
-    restart: unless-stopped
-    volumes:
-      - /mnt/speed/dbs/redis/authentik:/data
-
-networks:
-  traefik:
-    external: true

ansible/roles/authentik/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart authentik
-  shell:
-    chdir: /opt/authentik
-    cmd: "{{ docker_update_command }}"

ansible/roles/authentik/vars/vault.yml

@@ -1,22 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31633966386539623139356136333664326633646537366433626432363437336331333639636634
-6563646365666534393834636539376337666336376666300a313338336365383338633165646531
-35656231613762393636666332653434393966343039313863333566646434643630343438623362
-6466383362396539610a366438306332303331656237343466313135336431363335306636643363
-32383066353331383461613532323265353861663835663463383235303863306438386364303235
-31323264323732326231336162393438313262323263316564336266663565666361316564373332
-61616637306636353362633338616461646232616165323638346164346565353139666238323033
-36366537393530613464613033383438666362636166613062653930326663626337346636346434
-66396362656231613930653866386334393438336332383637356663323936623863313161323039
-34316639633235313132336238636162343936336163356135303034383434346561356365633636
-32633930313335343961653835656363333365656438393334303333373337353566666532373964
-38316362306362363464313237383130343239326238663062616533396230316438316536333139
-66353835333066346634366638323930616365386364643165666133666565383137303062636263
-64646639666235356264623663313762333666306565303237656434323365316165633866373964
-38326631656463373161356562303031643231623332653861616535333834336630363239363632
-31643862626639353132373232393966323461653361343331653261356431363933326130363433
-38323633343433346535633937373466666639353530653164313532623535653135613766336138
-64626631656431613937366563373934616364656536373437353563346165626535326464353439
-37353136376636633231393733613663633864616163373736386332316162333166303863663538
-63376461643263326362373434666138303635636165616564316432626564356138623032653737
-37323633353165623661343736363933323631646438383430303234326665613566

ansible/roles/base/files/ssh-jail.conf

@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}

ansible/roles/base/files/sshd_config

@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
 
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0

ansible/roles/base/tasks/fail2ban.yml

@@ -1,21 +1,25 @@
 - name: Install fail2ban
   package:
     name: fail2ban
+  become: true
 
 - name: Enable fail2ban
   service:
     name: fail2ban
     enabled: true
+  become: true
 
 - name: fail2ban SSH jail
   template:
     src: files/ssh-jail.conf
     dest: /etc/fail2ban/jail.d/ssh.conf
     mode: "0600"
+  become: true
   register: fail2ban_jail
 
 - name: Restart fail2ban
   service:
     name: fail2ban
     state: restarted
+  become: true
   when: fail2ban_jail.changed

ansible/roles/base/tasks/logrotate.yml

@@ -1,11 +1,13 @@
 - name: Install logrotate
   package:
     name: logrotate
+  become: true
 
 - name: Enable logrotate timer
   service:
     name: logrotate.timer
     enabled: true
+  become: true
   when: ansible_os_family == 'Archlinux'
 
 - name: logrotate fail2ban config
@@ -13,3 +15,4 @@
     src: files/fail2ban-logrotate
     dest: /etc/logrotate.d/fail2ban
     mode: "0600"
+  become: true

ansible/roles/base/tasks/packages.yml

@@ -1,6 +1,7 @@
 - name: Install Base Packages
   package:
     name: "{{ item }}"
+  become: true
   loop:
     - htop
     - neofetch

ansible/roles/base/tasks/ssh.yml

@@ -1,11 +1,13 @@
 - name: Install OpenSSH for Debian
   package:
     name: openssh-server
+  become: true
   when: ansible_os_family == 'Debian'
 
 - name: Install OpenSSH for Arch
   package:
     name: openssh
+  become: true
   when: ansible_os_family == 'Archlinux'
 
 - name: Define context
@@ -20,6 +22,7 @@
     validate: /usr/sbin/sshd -t -f %s
     backup: true
     mode: "644"
+  become: true
   register: sshd_config
 
 - name: Set up authorized keys
@@ -35,9 +38,11 @@
   service:
     name: sshd
     enabled: true
+  become: true
 
 - name: Restart SSH Daemon
   service:
     name: sshd
     state: reloaded
   when: sshd_config.changed
+  become: true

ansible/roles/base/tasks/user.yml

@@ -5,9 +5,11 @@
     comment: "{{ me.name }}"
     shell: /bin/bash
     system: true
+  become: true
 
 - name: Give user sudo access
   user:
     name: "{{ me.user }}"
     groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
     append: true
+  become: true

ansible/roles/comentario/files/docker-compose.yml

@@ -1,27 +0,0 @@
-services:
-  comentario:
-    image: registry.gitlab.com/comentario/comentario:v3.10.0
-    restart: unless-stopped
-    user: "{{ docker_user.id }}:{{ docker_user.id }}"
-    depends_on:
-      - db
-    networks:
-      - default
-      - coredns
-    volumes:
-      - ./secrets.yml:/comentario/secrets.yaml
-    environment:
-      - BASE_URL=https://comentario.theorangeone.net
-
-  db:
-    image: postgres:17-alpine
-    restart: unless-stopped
-    volumes:
-      - ./postgres:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_PASSWORD=comentario
-      - POSTGRES_USER=comentario
-
-networks:
-  coredns:
-    external: true

ansible/roles/comentario/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart comentario
-  shell:
-    chdir: /opt/comentario
-    cmd: "{{ docker_update_command }}"

ansible/roles/comentario/tasks/main.yml

@@ -1,37 +0,0 @@
-- name: Include vault
-  include_vars: vault.yml
-
-- name: Create install directory
-  file:
-    path: /opt/comentario
-    state: directory
-    owner: "{{ docker_user.name }}"
-    mode: "{{ docker_compose_directory_mask }}"
-
-- name: Install compose file
-  template:
-    src: files/docker-compose.yml
-    dest: /opt/comentario/docker-compose.yml
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-    validate: docker-compose -f %s config
-  notify: restart comentario
-
-- name: Install secrets
-  copy:
-    content: "{{ comentario_secrets | to_nice_yaml }}"
-    dest: /opt/comentario/secrets.yml
-    mode: "600"
-    owner: "{{ docker_user.name }}"
-  notify: restart comentario
-
-- name: Install nginx config
-  template:
-    src: files/nginx-docker.conf
-    dest: /etc/nginx/http.d/comentario.conf
-    mode: "0644"
-  notify: reload nginx
-  vars:
-    server_name: comentario.theorangeone.net
-    upstream: comentario-comentario-1.docker:80
-    ssl_cert_path: /etc/letsencrypt/live/comentario.theorangeone.net

ansible/roles/comentario/vars/main.yml

@@ -1,21 +0,0 @@
-comentario_secrets:
-  postgres:
-    host: db
-    database: comentario
-    username: comentario
-    password: comentario
-  idp:
-    github:
-      key: "{{ vault_comentario_github_client_id }}"
-      secret: "{{ vault_comentario_github_client_secret }}"
-    gitlab:
-      key: "{{ vault_comentario_gitlab_application_id }}"
-      secret: "{{ vault_comentario_gitlab_application_secret }}"
-    twitter:
-      key: "{{ vault_comentario_twitter_api_key }}"
-      secret: "{{ vault_comentario_twitter_api_secret  }}"
-  smtpServer:
-    host: smtp.eu.mailgun.org
-    port: 587
-    username: "{{ vault_comentario_smtp_username }}"
-    password: "{{ vault_comentario_smtp_password }}"

ansible/roles/comentario/vars/vault.yml

@@ -1,38 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36376264363334643335646564636336613234393261326366386234663464633966666133383933
-3731363234333962306638323737336237343230653439650a343362336166626633666161313863
-33623130623239626532663063633436616665653135343266336330353538306265323739326262
-3066643432643465350a643436366637623765663265316665386564663933663730383264396336
-39396139396238653065366663333533343336363631616332616362386639313766656136666532
-63336131346563323733333139636233353465643766643562643632653062373737353364336536
-64653162656233383136363339623933643834363931663830656364396637333632613838323461
-38666362663831363363636363346164343032376366346530393864306332326339323836643062
-66346265643039663636616464383330366539343832373839663361393661353861643364633534
-38383461323031626161663938326339386634363165303238333365323235303535333765613734
-30363032386333353962306131373466356137666334303230343561616639363238633630386330
-32383537646430666331313530343033376238646334313335343661313665626631663331656638
-31303637343263343566386634623362373366323136663032663966313836353136616564646563
-66653938326539343130346439666264663962323661386131643432663237643334633837376163
-62393330336434393232646163353539303831336638663135393734393064353964623032616233
-32393037313965313933363236653537306634613265633764636436653332623339316132373964
-39313334653831366533663661653934633338393539326564396236373462623262333530346436
-66646266623666333034346634613365356333343934363963366137303030646638373466643564
-66356265363634623363646266633137363966666361366463383266663032316665373430383031
-33303530323561366531356133363035353732333135303762316337626330333530303563643935
-35303465633536373833386435336638386662353032383861633965393564303839666463616263
-39353934343965316134663634363135616338353734656361343433313837313639303931356233
-39643135353661306461393962646238613062356361386533316362633233353235666262653738
-33616465653435303736636165343239336139383162616463613232656639393338363766396434
-32353965363537666366623066313461316463373130653637343430366231366263616261393564
-36323038383238633239323365326334393132643832373033643432653032613665646666336338
-30316565346630396537363431366337656236363462646435393731323866313366373438386265
-61373366383865336334356638653065333839303663636266393933663833313931333133663966
-35306163373462613335616265316563313062623139343061306465656463336162396266636437
-36646439613433306464383133636466383430363363393762646534343133333732613530626162
-31633430313039643636666365613232373335336235633832666139643937373766336563303266
-34396137656436373438383035316133343132313130636536393536393862386531386531303761
-64613337353463383032636636643963636235346262646366366539646233313939633864306335
-38373465373863383964633038373334386632666236303436376438666132623964396434626439
-38356235353430323236623962396461346438633962333163393535373362373164313132356232
-63313639333862313565396165613265623135626635373134626137633638333561353732313036
-3837

ansible/roles/commento/files/docker-compose.yml

@@ -0,0 +1,41 @@
+version: "2.3"
+
+services:
+  commento:
+    image: ghcr.io/souramoo/commentoplusplus:latest
+    restart: unless-stopped
+    depends_on:
+      - db
+    networks:
+      - default
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.commento.rule=Host(`commento.theorangeone.net`)
+    environment:
+      - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
+      - COMMENTO_ORIGIN=https://commento.theorangeone.net
+      - COMMENTO_GZIP_STATIC=true
+      - COMMENTO_FORBID_NEW_OWNERS=true
+      - COMMENTO_GITHUB_KEY={{ commento_github_client_id }}
+      - COMMENTO_GITHUB_SECRET={{ commento_github_client_secret }}
+      - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
+      - COMMENTO_SMTP_PORT=587
+      - COMMENTO_SMTP_USERNAME={{ commento_smtp_username }}
+      - COMMENTO_SMTP_PASSWORD={{ commento_smtp_password }}
+      - COMMENTO_SMTP_FROM_ADDRESS={{ commento_from_email }}
+      - COMMENTO_GITLAB_KEY={{ commento_gitlab_application_id }}
+      - COMMENTO_GITLAB_SECRET={{ commento_gitlab_application_secret }}
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=commento
+      - POSTGRES_USER=commento
+
+networks:
+  traefik:
+    external: true

ansible/roles/commento/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart commento
+  shell:
+    chdir: /opt/commento
+    cmd: "{{ docker_update_command }}"

ansible/roles/commento/tasks/main.yml

@@ -3,16 +3,18 @@
 
 - name: Create install directory
   file:
-    path: /opt/ntfy
+    path: /opt/commento
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
     src: files/docker-compose.yml
-    dest: /opt/ntfy/docker-compose.yml
+    dest: /opt/commento/docker-compose.yml
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
-  notify: restart ntfy
+  notify: restart commento
+  become: true

ansible/roles/commento/vars/main.yml

@@ -0,0 +1,7 @@
+commento_github_client_id: "{{ vault_commento_github_client_id }}"
+commento_github_client_secret: "{{ vault_commento_github_client_secret }}"
+commento_smtp_username: "{{ vault_commento_smtp_username }}"
+commento_smtp_password: "{{ vault_commento_smtp_password }}"
+commento_from_email: "{{ vault_commento_from_email }}"
+commento_gitlab_application_id: "{{ vault_commento_gitlab_application_id }}"
+commento_gitlab_application_secret: "{{ vault_commento_gitlab_application_secret }}"

ansible/roles/commento/vars/vault.yml

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+35343736363532306236303339356634316461383639333836393761356165633662326332613666
+3830323961313939316336393566363163646538623532310a363165666238653535353236383839
+35363730353939656330346639323331393562393339393562383034663231396164333261646438
+6564336362306636300a613634336337326534626263386466626238343130633864623862336563
+66326262613330373035663863663532626437303435333432383839303331333538363139643633
+64633465383135653265393033656135356166323238356130353633363030396366613164303033
+63303832376462616464333031366337626564633135386230313538353166343532643035336636
+31336531643766346438653333376364316162313765656330666330643261653433363339323665
+30623164373931336238303265316665373361336338346336646439356538333266393934343139
+34643433326330386564653461626264626231353863333935313665663462323234666463306266
+38626538666262333934393733626562313432393566643435376163653432613363663035333165
+36616431363563663235646433343564346164393034613436666362383233646636373163616666
+36376133346634653738376137393265303261626562366666303137313338633237313834386432
+66643264643532306364366562333837366636616237653033306538663435316163613266343565
+31633437353963313733326339666331323061363963303132363262343966653433303835323337
+31313363366631313930633061346265633261643238313762353932623230353938656264323437
+39346634383135306135326338616664336435343235383863393830386662393036383161303465
+33353261613537666464313437613335643830343336343535646665356333616266666233353065
+64313131306663313064633631663536386531343733643534336631666266613165313330653962
+35346262373437623333333234383531633238343463653862663236666337363738303463373664
+62343363323465313561376232633630303965306238316161383139316133343233343033376262
+63303264366536346234383063653838353638313561626433616462383339326631643533356639
+39653762633733363237383762356134366264356437346430343830616233373732616261613231
+62646639353132653038303536613738373137623236616631643738323737383637313633396135
+37613037313437613836336332346162383832613938356638333564346237373032356438363464
+31343464306131393362343433316666366632633036653262633361333165643735393231623932
+31643261326266323232383630353534326662303965393161343938663131343263363461303430
+31376161393038376262616333333362323033313436396164313438613532663564623633303365
+32656630663834633039316561663231656131383535653766316138313138346363633537373164
+62333532316135303366386261613131333364383031346364303938356631393865396133386633
+636462653562653538636531356537353133

ansible/roles/coredns_docker_proxy/files/Corefile

@@ -1,21 +0,0 @@
-. {
-    errors
-    cancel
-
-    # Only allow requests to `.docker` records
-    view docker {
-        expr name() endsWith '.docker.'
-    }
-
-    # Strip the `.docker` suffix
-    rewrite name suffix .docker . answer auto
-
-    # Forward requests to Docker's DNS server
-    forward . 127.0.0.11
-}
-
-. {
-    acl {
-        block
-    }
-}

ansible/roles/coredns_docker_proxy/files/docker-compose.yml

@@ -1,15 +0,0 @@
-services:
-  coredns:
-    image: coredns/coredns:latest
-    restart: unless-stopped
-    volumes:
-      - ./Corefile:/home/nonroot/Corefile:ro
-    ports:
-      - "{{ private_ip }}:53053:53/udp"
-    networks:
-      - default
-      - coredns
-
-networks:
-  coredns:
-    external: true

ansible/roles/coredns_docker_proxy/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart coredns
-  shell:
-    chdir: /opt/coredns
-    cmd: "{{ docker_update_command }}"

ansible/roles/coredns_docker_proxy/tasks/main.yml

@@ -1,20 +0,0 @@
-- name: Create network
-  docker_network:
-    name: coredns
-    internal: true
-
-- name: Create install directory
-  file:
-    path: /opt/coredns
-    state: directory
-    owner: "{{ docker_user.name }}"
-    mode: "{{ docker_compose_directory_mask }}"
-
-- name: Install compose file
-  template:
-    src: files/docker-compose.yml
-    dest: /opt/coredns/docker-compose.yml
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-    validate: docker-compose -f %s config
-  notify: restart coredns

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -1,3 +1,5 @@
+version: "2.3"
+
 services:
   backup:
     image: ghcr.io/realorangeone/db-auto-backup:latest
@@ -6,15 +8,12 @@ services:
       - "{{ db_backups_dir }}:/var/backups"
     environment:
       - DOCKER_HOST=tcp://docker_proxy:2375
-      - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
+      - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }}
     depends_on:
       - docker_proxy
-    networks:
-      - default
-      - backup_private
 
   docker_proxy:
-    image: lscr.io/linuxserver/socket-proxy:latest
+    image: tecnativa/docker-socket-proxy:latest
     restart: unless-stopped
     environment:
       - POST=1
@@ -23,13 +22,5 @@ services:
       - EXEC=1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - backup_private
-    tmpfs:
-      - /run
     logging:
       driver: none
-
-networks:
-  backup_private:
-    internal: true

ansible/roles/db_auto_backup/tasks/main.yml

@@ -4,6 +4,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install compose file
   template:
@@ -13,3 +14,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart db-auto-backup
+  become: true

ansible/roles/db_auto_backup/vars/main.yml

@@ -0,0 +1 @@
+db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"

ansible/roles/docker_cleanup/tasks/main.yml

@@ -1,20 +1,15 @@
 - name: Install docker-compose
   package:
     name: docker-compose
+  become: true
   when: ansible_os_family != 'Debian'
 
-- name: Install compose-switch
-  get_url:
-    url: "{{ docker_compose_url }}"
-    dest: "{{ docker_compose_path }}"
-    mode: "0755"
-  when: ansible_os_family == 'Debian'
-
 - name: Create docker group
   group:
     name: "{{ docker_user.name }}"
     state: present
     gid: "{{ docker_user.id }}"
+  become: true
 
 - name: Create docker user
   user:
@@ -22,18 +17,21 @@
     uid: "{{ docker_user.id }}"
     group: "{{ docker_user.name }}"
     create_home: false
+  become: true
 
 - name: Add user to docker user group
   user:
     name: "{{ me.user }}"
     groups: "{{ docker_user.name }}"
     append: true
+  become: true
 
 - name: Add user to docker group
   user:
     name: "{{ me.user }}"
     groups: docker
     append: true
+  become: true
 
 - name: Clean up docker containers
   cron:
@@ -41,8 +39,6 @@
     hour: 1
     minute: 0
     job: docker system prune -af --volumes
-    cron_file: docker_cleanup
-    user: root
 
 - name: Install util scripts
   copy:
@@ -50,7 +46,6 @@
     dest: "{{ me.home }}"
     mode: "755"
     directory_mode: "755"
-    owner: "{{ me.user }}"
 
 - name: override docker service for zfs dependencies
   include_tasks: zfs-override.yml

ansible/roles/docker_cleanup/tasks/zfs-override.yml

@@ -3,6 +3,7 @@
     path: /etc/systemd/system/docker.service.d
     state: directory
     mode: "0755"
+  become: true
 
 - name: Create override.conf
   copy:
@@ -11,3 +12,4 @@
     owner: root
     group: root
     mode: "0644"
+  become: true

ansible/roles/dokku/files/nginx.conf

@@ -0,0 +1,29 @@
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    gzip  on;
+
+    # Block requests which don't have an explicit handler
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        server_name _;
+        access_log off;
+        return 418;
+    }
+
+    # Load configuration files for the default server block.
+    include /etc/nginx/conf.d/*.conf;
+}

ansible/roles/dokku/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+  become: true

ansible/roles/dokku/tasks/main.yml

@@ -0,0 +1,63 @@
+# HACK: Fake include some tasks from `ansible_dokku`, so its library plugins can be used below
+- name: Run role without running any tasks
+  include_role:
+    name: dokku_bot.ansible_dokku
+    tasks_from: init.yml
+    apply:
+      when: false
+
+- name: Install Dokku
+  package:
+    name: dokku
+  become: true
+
+- name: List dokku plugins
+  command: dokku plugin:list
+  changed_when: false
+  register: installed_dokku_plugins
+
+- name: Install Dokku plugins
+  command: dokku plugin:install {{ item.url }} --name {{ item.name }}
+  when: installed_dokku_plugins.stdout.find(item.name) == -1
+  loop: "{{ dokku_plugins }}"
+  loop_control:
+    label: "{{ item.name }}"
+  become: true
+
+- name: Automatically update Dokku plugins
+  cron:
+    name: dokku plugin:update {{ item.name }}
+    minute: 0
+    hour: 12
+    user: root
+    job: /usr/bin/chronic /usr/bin/dokku plugin:update {{ item.name }}
+    cron_file: dokku-plugin-update-{{ item.name }}
+  loop: "{{ dokku_plugins }}"
+  loop_control:
+    label: "{{ item.name }}"
+  become: true
+
+- name: Set up global domain
+  dokku_domains:
+    global: true
+    domains: d.theorangeone.net
+  become: true
+
+- name: Install custom nginx config
+  template:
+    src: files/nginx.conf
+    dest: /etc/nginx/nginx.conf
+    validate: nginx -t -c %s
+    mode: "644"
+  notify: restart nginx
+  become: true
+
+# https://dokku.com/docs/advanced-usage/backup-recovery/
+- name: Sync data to app-data
+  cron:
+    name: clean up docker containers
+    hour: "*/6"
+    minute: 0
+    user: root
+    job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
+    cron_file: dokku-data-sync

ansible/roles/dokku/vars/main.yml

@@ -0,0 +1,9 @@
+dokku_plugins:
+  - name: postgres
+    url: https://github.com/dokku/dokku-postgres.git
+  - name: redis
+    url: https://github.com/dokku/dokku-redis.git
+  - name: redirect
+    url: https://github.com/dokku/dokku-redirect.git
+  - name: http-auth
+    url: https://github.com/dokku/dokku-http-auth.git

ansible/roles/fail2ban_ssh/defaults/main.yml

@@ -0,0 +1 @@
+f2b_user: f2b

ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Remove `-c` argument
+shift
+
+sudo fail2ban-client $@

ansible/roles/fail2ban_ssh/files/f2b_key.pub

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+65656562376262323162613131353164623832616263313530383838623161333739393037363362
+3332616430663862363566613532396230643636376537620a356261383430643566323264343437
+39333034643632316130303136326433613333383738386531353530633539616661626664626430
+3230666237616165650a326536313835643135626135316437356363623562343538383132306539
+38366339356565393336396133616261363232356139623164623738633138363963353637353734
+33333334313864376131653535653132626366306630393764353464636331316564616230396663
+31363463643765386538643761666265383166353765633233323934663235316331346465653234
+31396139633936363738383766356135656434343338623137663436626436663866366663363534
+3364

ansible/roles/fail2ban_ssh/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Make user
+  user:
+    name: "{{ f2b_user }}"
+    comment: "{{ me.user }}"
+    shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
+    system: false
+  become: true
+
+- name: Give user sudo access to client
+  lineinfile:
+    path: /etc/sudoers
+    line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
+  become: true
+
+- name: Allow custom shell
+  lineinfile:
+    path: /etc/shells
+    line: /home/{{ f2b_user }}/f2b-entrypoint.sh
+  become: true
+
+- name: Create entrypoint
+  template:
+    src: files/f2b-entrypoint.sh
+    dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
+    mode: "755"
+  become: true
+  register: sshd_config
+
+- name: Set up authorized keys
+  ansible.posix.authorized_key:
+    user: "{{ f2b_user }}"
+    state: present
+    key: "{{ lookup('file', 'files/f2b_key.pub') }}"
+  become: true

ansible/roles/forgejo_runner/files/config.yml

@@ -1,82 +0,0 @@
-# based on https://gitea.com/gitea/act_runner/src/tag/v0.2.6/internal/pkg/config/config.example.yaml
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: /data/.runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: "{{ ansible_processor_nproc }}"
-  # Extra environment variables to run jobs.
-  envs: {}
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-  env_file: /data/.env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 5s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `daemon`, will use labels in `.runner` file.
-  # labels: []
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in /data/.cache/actcache.
-  dir: /data/cache/server
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: ""
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 0
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: bridge
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options: ""
-  # The parent directory of a job's working directory.
-  # If it's empty, /workspace will be used.
-  workdir_parent: /workspace
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  force_pull: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, /data/.cache/act/ will be used.
-  workdir_parent: /data/cache/actions

ansible/roles/forgejo_runner/files/docker-compose.yml

@@ -1,44 +0,0 @@
-services:
-  forgejo-runner:
-    image: code.forgejo.org/forgejo/runner:3.5.1
-    user: "{{ docker_user.id }}"
-    volumes:
-      - /mnt/data:/data
-      - ./config.yml:/data/config.yml
-    environment:
-      - TZ={{ timezone }}
-      - DOCKER_HOST=tcp://docker_proxy:2375
-    restart: unless-stopped
-    command: forgejo-runner daemon
-    networks:
-      - default
-      - forgejo_private
-    depends_on:
-      - docker_proxy
-
-  docker_proxy:
-    image: lscr.io/linuxserver/socket-proxy:latest
-    restart: unless-stopped
-    environment:
-      - POST=1
-      - CONTAINERS=1
-      - INFO=1
-      - IMAGES=1
-      - VOLUMES=1
-      - NETWORKS=1
-      - ALLOW_START=1
-      - ALLOW_STOP=1
-      - ALLOW_RESTARTS=1
-      - EXEC=1
-    tmpfs:
-      - /run
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - forgejo_private
-    logging:
-      driver: none
-
-networks:
-  forgejo_private:
-    internal: true

ansible/roles/forgejo_runner/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart forgejo-runner
-  shell:
-    chdir: /opt/forgejo-runner
-    cmd: "{{ docker_update_command }}"

ansible/roles/forgejo_runner/tasks/main.yml

@@ -1,23 +0,0 @@
-- name: Create install directory
-  file:
-    path: /opt/forgejo-runner
-    state: directory
-    owner: "{{ docker_user.name }}"
-    mode: "{{ docker_compose_directory_mask }}"
-
-- name: Install config file
-  template:
-    src: files/config.yml
-    dest: /opt/forgejo-runner/config.yml
-    mode: "600"
-    owner: "{{ docker_user.name }}"
-  notify: restart forgejo-runner
-
-- name: Install compose file
-  template:
-    src: files/docker-compose.yml
-    dest: /opt/forgejo-runner/docker-compose.yml
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-    validate: docker-compose -f %s config
-  notify: restart forgejo-runner

ansible/roles/forrest/files/grafana/docker-compose.yml

@@ -1,3 +1,5 @@
+version: "2.3"
+
 services:
   grafana:
     image: grafana/grafana:latest
@@ -11,16 +13,11 @@ services:
       - GF_DEFAULT_FORCE_MIGRATION=true
       - GF_FEATURE_TOGGLES_ENABLE=publicDashboards
 
-      - GF_ANALYTICS_ENABLED=false
-      - GF_ANALYTICS_REPORTING_ENABLED=false
-      - GF_ANALYTICS_CHECK_FOR_UPDATES=false
-      - GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES=false
-
       - GF_SMTP_ENABLED=true
       - GF_SMTP_HOST=smtp.eu.mailgun.org:465
-      - GF_SMTP_USER={{ vault_grafana_smtp_user }}
-      - GF_SMTP_PASSWORD={{ vault_grafana_smtp_password }}
-      - GF_SMTP_FROM_ADDRESS={{ vault_grafana_from_email }}
+      - GF_SMTP_USER={{ grafana_smtp_user }}
+      - GF_SMTP_PASSWORD={{ grafana_smtp_password }}
+      - GF_SMTP_FROM_ADDRESS={{ grafana_from_email }}
       - GF_SMTP_FROM_NAME=grafana
     volumes:
       - "{{ app_data_dir }}/grafana:/var/lib/grafana"
@@ -35,7 +32,7 @@ services:
       - renderer
 
   db:
-    image: postgres:17-alpine
+    image: postgres:14-alpine
     restart: unless-stopped
     volumes:
       - /mnt/speed/dbs/postgres/grafana/:/var/lib/postgresql/data

ansible/roles/forrest/files/prometheus/alertmanager.yml

@@ -0,0 +1,15 @@
+global:
+  resolve_timeout: 3m
+  smtp_smarthost: smtp.eu.mailgun.org:465
+  smtp_from: "{{ alertmanager_from_address }}"
+  smtp_auth_username: "{{ alertmanager_from_address }}"
+  smtp_auth_password: "{{ alertmanager_smtp_password }}"
+
+route:
+  receiver: default
+
+receivers:
+  - name: default
+    email_configs:
+      - to: "{{ alertmanager_to_address }}"
+        send_resolved: true

ansible/roles/forrest/files/prometheus/blackbox.yml

@@ -2,6 +2,8 @@ modules:
   http:
     prober: http
     timeout: 10s
+    http:
+      preferred_ip_protocol: ip4  # Docker network is v4 only
 
   https_redir:
     prober: http
@@ -14,6 +16,7 @@ modules:
       fail_if_header_not_matches:
         - header: Location
           regexp: ^https
+      preferred_ip_protocol: ip4  # Docker network is v4 only
 
   icmp:
     prober: icmp

ansible/roles/forrest/files/prometheus/docker-compose.yml

@@ -1,3 +1,12 @@
+version: "2.3"
+
+x-blackbox: &blackbox
+  image: prom/blackbox-exporter:latest
+  restart: unless-stopped
+  user: "{{ docker_user.id }}"
+  volumes:
+    - ./blackbox.yml:/etc/blackbox_exporter/config.yml:ro
+
 services:
   prometheus:
     image: prom/prometheus:latest
@@ -14,11 +23,14 @@ services:
       - "{{ pve_hosts.forrest.ip }}:9090:9090"
 
   blackbox:
-    image: prom/blackbox-exporter:latest
-    restart: unless-stopped
-    user: "{{ docker_user.id }}"
-    volumes:
-      - ./blackbox.yml:/etc/blackbox_exporter/config.yml:ro
+    <<: *blackbox
+
+  blackbox-external:
+    <<: *blackbox
+    # Don't use my internal DNS servers
+    dns:
+      - 9.9.9.9
+      - 149.112.112.112
 
   alertmanager:
     image: prom/alertmanager:latest
@@ -33,7 +45,7 @@ services:
     environment:
       - PVE_USER=prometheus@pve
       - PVE_TOKEN_NAME=prometheus
-      - PVE_TOKEN_VALUE={{ vault_prometheus_api_token }}
+      - PVE_TOKEN_VALUE={{ prometheus_api_token }}
       - PVE_VERIFY_SSL=false
 
   speedtest_exporter:
@@ -44,5 +56,3 @@ services:
 networks:
   grafana:
     external: true
-  default:
-    enable_ipv6: true

ansible/roles/forrest/files/prometheus/prometheus.yml

@@ -28,12 +28,13 @@ scrape_configs:
         action: drop
     static_configs:
       - targets:
+          - "{{ nebula.clients.walker.ip }}:8080"
           - "{{ pve_hosts.docker.ip }}:8080"
 
   - job_name: homeassistant
     metrics_path: /api/prometheus
     authorization:
-      credentials: "{{ vault_homeassistant_token }}"
+      credentials: "{{ homeassistant_token }}"
     metric_relabel_configs:
       - source_labels: [__name__]
         regex: python_.+
@@ -41,6 +42,41 @@ scrape_configs:
     static_configs:
       - targets: ["{{ pve_hosts.homeassistant.ip }}:8123"]
 
+  - job_name: blackbox_http_external
+    scrape_interval: 1m
+    metrics_path: /probe
+    params:
+      module: [http]
+    static_configs:
+      - targets:
+          - https://0rng.one
+          - https://bin.theorangeone.net
+          - https://git.theorangeone.net/api/healthz
+          - https://grafana.jakehoward.tech/api/health
+          - https://homeassistant.jakehoward.tech
+          - https://intersect.jakehoward.tech
+          - https://mastodon.theorangeone.net/health
+          - https://matrix.jakehoward.tech:8448/_matrix/federation/v1/version
+          - https://matrix.jakehoward.tech/_matrix/federation/v1/version
+          - https://media.jakehoward.tech
+          - https://notes.theorangeone.net
+          - https://plausible.theorangeone.net
+          - https://recipes.jakehoward.tech
+          - https://tasks.jakehoward.tech/health
+          - https://theorangeone.net
+          - https://tt-rss.jakehoward.tech
+          - https://vaultwarden.jakehoward.tech/alive
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+      - target_label: __address__
+        replacement: blackbox-external:9115
+      - source_labels: [instance]
+        regex: https?://([^/]+)/?.*
+        target_label: hostname
+
   - job_name: blackbox_icmp
     scrape_interval: 10m
     metrics_path: /probe
@@ -73,7 +109,7 @@ scrape_configs:
       - source_labels: [__param_target]
         target_label: instance
       - target_label: __address__
-        replacement: blackbox:9115
+        replacement: blackbox-external:9115
 
   - job_name: blackbox_healthcheck
     scrape_interval: 10m
@@ -82,7 +118,7 @@ scrape_configs:
       module: [http]
     static_configs:
       - targets:
-          - https://hc-ping.com/{{ vault_prometheus_healthcheck_uuid }}
+          - https://hc-ping.com/{{ prometheus_healthcheck_uuid }}
     relabel_configs:
       - source_labels: [__address__]
         target_label: __param_target
@@ -93,7 +129,7 @@ scrape_configs:
 
   - job_name: healthchecks
     scheme: https
-    metrics_path: /projects/{{ vault_healthchecks_project_uuid }}/metrics/{{ vault_healthcheck_api_token }}
+    metrics_path: /projects/{{ healthchecks_project_uuid }}/metrics/{{ healthcheck_api_token }}
     static_configs:
       - targets: [healthchecks.io]
 
@@ -102,7 +138,7 @@ scrape_configs:
     static_configs:
       - targets:
           - "{{ pve_hosts.pve.ip }}:9100"
-          - 192.168.1.53:9100  # adguardhome
+          - pi.hole:9100
     metric_relabel_configs:
       - source_labels: [__name__]
         regex: go_.+
@@ -115,29 +151,3 @@ scrape_configs:
     static_configs:
       - targets:
           - speedtest_exporter:9516
-
-  - job_name: headscale
-    metrics_path: /metrics
-    static_configs:
-      - targets:
-          - "{{ tailscale_nodes.casey.ip }}:9090"
-    metric_relabel_configs:
-      - source_labels: [__name__]
-        regex: go_.+
-        action: drop
-
-  - job_name: uptime_kuma
-    basic_auth:
-      username: ""
-      password: "{{ vault_uptime_kuma_token }}"
-    metrics_path: /metrics
-    static_configs:
-      - targets:
-          - uptime.jakehoward.tech
-    metric_relabel_configs:
-      - source_labels: [__name__]
-        regex: nodejs_.+
-        action: drop
-      - source_labels: [__name__]
-        regex: process_.+
-        action: drop

ansible/roles/forrest/tasks/grafana.yml

@@ -8,6 +8,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install grafana compose file
   template:
@@ -17,3 +18,4 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart grafana
+  become: true

ansible/roles/forrest/tasks/main.yml

@@ -0,0 +1,8 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Grafana
+  include_tasks: grafana.yml
+
+- name: Prometheus
+  include_tasks: prometheus.yml

ansible/roles/forrest/tasks/prometheus.yml

@@ -4,6 +4,7 @@
     state: directory
     owner: "{{ docker_user.name }}"
     mode: "{{ docker_compose_directory_mask }}"
+  become: true
 
 - name: Install prometheus config
   template:
@@ -12,6 +13,7 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: reload prometheus
+  become: true
 
 - name: Install prometheus compose file
   template:
@@ -21,6 +23,7 @@
     owner: "{{ docker_user.name }}"
     validate: docker-compose -f %s config
   notify: restart prometheus
+  become: true
 
 - name: Install blackbox config
   template:
@@ -29,6 +32,7 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart prometheus
+  become: true
 
 - name: Install alertmanager config
   template:
@@ -37,6 +41,7 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: restart prometheus
+  become: true
 
 - name: Install prometheus alert rules
   copy:
@@ -45,3 +50,4 @@
     mode: "{{ docker_compose_file_mask }}"
     owner: "{{ docker_user.name }}"
   notify: reload prometheus
+  become: true

ansible/roles/forrest/vars/main.yml

@@ -0,0 +1,11 @@
+grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
+grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
+grafana_from_email: "{{ vault_grafana_from_email }}"
+homeassistant_token: "{{ vault_homeassistant_token }}"
+prometheus_healthcheck_uuid: "{{ vault_prometheus_healthcheck_uuid }}"
+healthchecks_project_uuid: "{{ vault_healthchecks_project_uuid }}"
+healthcheck_api_token: "{{ vault_healthcheck_api_token }}"
+alertmanager_from_address: "{{ vault_alertmanager_from_address }}"
+alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
+alertmanager_to_address: "{{ vault_alertmanager_to_address }}"
+prometheus_api_token: "{{ vault_prometheus_api_token }}"

ansible/roles/forrest/vars/vault.yml

@@ -0,0 +1,52 @@
+$ANSIBLE_VAULT;1.1;AES256
+36623535313964653161353330663436356239613837653837393939373034353031646535333535
+6439313832316239616233306632373934616134616466380a316361363263373938636161666535
+31613461333637373732626233623434316335353964353433643635653566613933393361336139
+3864373963396264320a376634346331373762313733323961386566646338633936303631303566
+66616534326430653266396635353932623661363533356537636662636537656434363562646230
+30613831336561376639393466373739373138313931333163353061633465623362666564313631
+66623235353531613737643937613430323934376433393836346339626137616561313062663234
+63363736326439623661376132613136383465393761653236663631613339653066356436653630
+66623865303735616335373231643233386639323838353534613337316161633765396234366533
+33616631663530643764373937346262633734366339303837393737666665363465333239343933
+35613962396534336232623833303034643639323931633966396439383463396261313862626335
+31323434613838353961336136613966636635646632393839663664376632373834313265643338
+30663132633362323831313231333164643665386535323231646262656631383631393539616639
+34343563353064303833383236626136666264316236316537333965313162616637323966363335
+32353936663162316564306337353861396634353935353935306135343665316262643831396537
+61393266383538666563363261646534636632303332343662636631316663343930303766623638
+35376565343638316339623061396536643636313966383633346231633631353032356661386132
+66623439336338616666626431303635373833666137326234653161336434346133636261363662
+39313732303736386137656664303365363234336265643064306562643435633838373864353862
+33366635333630373162656630666232333563623066333461653963363961623435646631373561
+64643738346138366566303233326663383835386132663034313461383161616164636332396332
+37663131386135393833373461663432666264363065666630646164633134303439663435616235
+35656234313761376532306264393637653433623863383830323935316332383338623134323366
+31336665386137323132363962363335623635336131373930353635353663333366363266303138
+35626262613261636561373730626635303836623561643436646430653365663432323938393863
+63633331663462323163646237386262376337313330323036613434383165616530643362616131
+63616562353964316634646434653138333266646633616631653663663838306163616633643234
+61333230373237613436343662363434303766383336376232353066313231666330613761643366
+36326638326439653966643430313366376661633636366565393461623438323366373333663633
+61633763623631333665363333646433656166633364303836623566333336343761613435353138
+37366165613263653564386334303030623333646164303662363065333831376334656537613130
+33373864663237383064653461616165653834393063663332643235316139333539623463343161
+38636564626466633631393938653066373764663935353763626133623762306164383831663061
+34333065326666373337663931313763383739383763333235333939376133363236643136346233
+62643833376631643036613963643939333133343036613332313866373032646332363231313139
+61373365653665343066636162356336373833393363373866343436323639623435383831363335
+30333033326638363930613030356664333233633339666366643062353634333161343838666231
+32346332663538653937623136653438636463323463376263303962353562313833373937303066
+65303037323030653434313164393766633134306435633263363335636561356264376665363639
+35613731373437386566663266656266343639326334303239613862353963323436633836383766
+35323930633039396535616265643234303639393035363865643236623838333337626135343665
+36373038666332376663333565623362303631663830336131343438353764653831633433363436
+36333839303433623966363561313564303037393165383732323763353232653564346138666438
+30653836626139356133346538616135313034633966373036303461393562363336386633626365
+33393565643730383634346238356462313435366538636234656237613864656165656439363061
+32626235323362333239373631383830653035383164646364343461376562636564343063353139
+61306535333466653937303635353962376162376431336563316130343530636431623537633332
+65373333376338353930316561636530343062653964323463653632653332376432343237656465
+63333437613064313438353134333566303033313339323162643061363836643931343135396130
+32623435653533326563616263323938343332306362383034663139653965626231336637383939
+313534343431303739396263303737303365

ansible/roles/gateway/files/nginx-cdn.conf

@@ -1,29 +0,0 @@
-# {{ ansible_managed }}
-
-proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cdncache:20m max_size=1g inactive=48h;
-
-{% for domain in cdn_domains %}
-server {
-    listen 8800 ssl http2 proxy_protocol;
-
-    server_name {{ domain }};
-
-    ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
-
-    include includes/ssl.conf;
-
-    real_ip_header proxy_protocol;
-
-    set_real_ip_from 127.0.0.1;
-
-    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
-
-    location / {
-        proxy_cache cdncache;
-        add_header X-Cache-Status $upstream_cache_status;
-        proxy_pass https://{{ wireguard.clients.ingress.ip }}:443;
-    }
-}
-{% endfor %}

ansible/roles/gateway/files/nginx-fail2ban-jail.conf

@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}

ansible/roles/gateway/files/nginx.conf

@@ -1,40 +1,56 @@
-log_format gateway '$remote_addr [$time_local] '
-                '$protocol $status $bytes_sent $bytes_received '
-                '$session_time "$ssl_preread_server_name" '
-                '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+worker_processes auto;
 
-log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
-
-access_log /var/log/nginx/gateway.log gateway;
-access_log /var/log/nginx/ips.log ips;
-
-map $ssl_preread_server_name $gateway_destination {
-    default                      {{ wireguard.clients.ingress.ip }}:8443;
-
-    headscale.jakehoward.tech    127.0.0.1:8888;
-
-    {% for domain in cdn_domains %}
-    {{ domain }}  127.0.0.1:8800;
-    {% endfor %}
+events {
+    worker_connections  1024;
 }
 
-server {
-    listen 443;
-    listen 8448;
-    listen [::]:443;
-    listen [::]:8448;
-    proxy_pass $gateway_destination;
-    proxy_protocol on;
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    server_tokens off;
+
+    server {
+        listen 80;
+        server_name _;
+        return 308 https://$host$request_uri;
+    }
 }
 
-server {
-    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
-    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
+stream {
 
-    access_log off;
+    log_format access '$remote_addr [$time_local] '
+                    '$protocol $status $bytes_sent $bytes_received '
+                    '$session_time "$ssl_preread_server_name" '
+                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
-    deny all;
+    log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
 
-    # This is never used, but need to keep nginx happy
-    proxy_pass 127.0.0.1:80;
+
+    access_log /var/log/nginx/access.log access;
+    access_log /var/log/nginx/ips.log ips;
+
+    ssl_preread on;
+
+    server {
+        listen 443;
+        listen 8448;
+        proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
+        proxy_protocol on;
+    }
 }

ansible/roles/gateway/tasks/fail2ban.yml

@@ -3,6 +3,7 @@
     src: files/nginx-fail2ban-filter.conf
     dest: /etc/fail2ban/filter.d/nginx-tcp.conf
     mode: "0600"
+  become: true
   register: fail2ban_filter
 
 - name: fail2ban jail
@@ -10,10 +11,12 @@
     src: files/nginx-fail2ban-jail.conf
     dest: /etc/fail2ban/jail.d/nginx.conf
     mode: "0600"
+  become: true
   register: fail2ban_jail
 
 - name: Restart fail2ban
   service:
     name: fail2ban
     state: restarted
+  become: true
   when: fail2ban_filter.changed or fail2ban_jail.changed

ansible/roles/gateway/tasks/nginx.yml

@@ -1,19 +1,26 @@
+- name: Install nginx
+  package:
+    name: nginx
+  become: true
+
 - name: Nginx config
   template:
     src: files/nginx.conf
-    dest: /etc/nginx/stream.d/gateway.conf
+    dest: /etc/nginx/nginx.conf
+    validate: nginx -t -c %s
     mode: "0644"
+  become: true
   register: nginx_config
 
-- name: Install CDN config
-  template:
-    src: files/nginx-cdn.conf
-    dest: /etc/nginx/http.d/cdn.conf
-    mode: "0644"
-  register: nginx_config
-
-- name: Reload Nginx
+- name: Enable Nginx
   service:
     name: nginx
-    state: reloaded
+    enabled: true
+  become: true
+
+- name: Restart Nginx
+  service:
+    name: nginx
+    state: restarted
+  become: true
   when: nginx_config.changed

ansible/roles/gateway/tasks/wireguard.yml

@@ -1,6 +1,7 @@
 - name: Install wireguard tools
   package:
     name: "{{ item }}"
+  become: true
   loop:
     - wireguard-tools
     - qrencode
@@ -11,18 +12,21 @@
     dest: /etc/wireguard/wg0.conf
     mode: "0600"
     backup: true
+  become: true
   register: wireguard_conf
 
 - name: Enable wireguard
   service:
     name: wg-quick@wg0
     enabled: true
+  become: true
 
 - name: Restart wireguard
   service:
     name: wg-quick@wg0
     state: restarted
   when: wireguard_conf.changed
+  become: true
 
 - name: Create wireguard client directory
   file:

ansible/roles/gitea/files/app.ini

@@ -1,12 +1,9 @@
-APP_NAME = Forgejo
+APP_NAME = Gitea: Git with a cup of orange juice
 
 [repository]
 ROOT = /mnt/repositories
 DEFAULT_BRANCH = master
 DISABLE_STARS  = true
-DEFAULT_REPO_UNITS = repo.code
-DEFAULT_FORK_REPO_UNITS = repo.code
-
 
 [server]
 SSH_DOMAIN              = git.theorangeone.net
@@ -21,7 +18,7 @@ PROTOCOL                = http  # TLS termination done by Traefik
 ENABLE_GZIP             = true
 OFFLINE_MODE            = true
 LANDING_PAGE            = explore
-LFS_JWT_SECRET          = {{ vault_lfs_jwt_secret }}
+LFS_JWT_SECRET          = {{ lfs_jwt_secret }}
 
 [database]
 DB_TYPE  = postgres
@@ -32,18 +29,18 @@ PASSWD   = gitea
 
 [session]
 PROVIDER        = db
-COOKIE_NAME     = forgejo_session
+COOKIE_NAME     = gitea_session
 
 [log]
 LEVEL = warn
 
 [security]
 INSTALL_LOCK                  = true
-SECRET_KEY                    = {{ vault_secret_key }}
-INTERNAL_TOKEN                = {{ vault_internal_token }}
+SECRET_KEY                    = {{ secret_key }}
+INTERNAL_TOKEN                = {{ internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
-COOKIE_USERNAME               = forgejo_username
-COOKIE_REMEMBER_NAME          = forgejo_remember
+COOKIE_USERNAME               = gitea_username
+COOKIE_REMEMBER_NAME          = gitea_remember
 LOGIN_REMEMBER_DAYS           = 30
 REVERSE_PROXY_TRUSTED_PROXIES = *
 
@@ -64,8 +61,9 @@ REPO_PAGING_NUM = 100
 [ui]
 SITEMAP_PAGING_NUM   = 100
 FEED_PAGING_NUM      = 100
-DEFAULT_THEME        = forgejo-auto
+DEFAULT_THEME        = gitea
 ISSUE_PAGING_NUM     = 100
+THEME_COLOR_META_TAG = "#ff7f00"
 FEED_MAX_COMMIT_NUM  = 30
 SHOW_USER_EMAIL      = false
 EXPLORE_PAGING_NUM   = 100
@@ -117,9 +115,9 @@ ALLOW_LOCALNETWORKS = true
 ENABLED        = true
 SMTP_ADDR      = smtp.eu.mailgun.org
 SMTP_PORT      = 465
-FROM           = "{{ vault_mailer_from_address }}"
-USER           = "{{ vault_mailer_user }}"
-PASSWD         = "{{ vault_mailer_password }}"
+FROM           = "{{ mailer_from_address }}"
+USER           = "{{ mailer_user }}"
+PASSWD         = "{{ mailer_password }}"
 PROTOCOL    = smtps
 
 [packages]
@@ -128,8 +126,8 @@ STORAGE_TYPE = backblaze
 [storage.backblaze]
 STORAGE_TYPE = minio
 MINIO_ENDPOINT = s3.eu-central-003.backblazeb2.com
-MINIO_ACCESS_KEY_ID = {{ vault_backblaze_access_key_id }}
-MINIO_SECRET_ACCESS_KEY = {{ vault_backblaze_secret_access_key }}
+MINIO_ACCESS_KEY_ID = {{ backblaze_access_key_id }}
+MINIO_SECRET_ACCESS_KEY = {{ backblaze_secret_access_key }}
 MINIO_BUCKET = 0rng-gitea
 MINIO_LOCATION = eu-central-003
 SERVE_DIRECT = true
@@ -139,4 +137,4 @@ MINIO_USE_SSL = true
 PATH = /mnt/repo-archive
 
 [oauth2]
-JWT_SECRET = {{ vault_oauth2_jwt_secret }}
+JWT_SECRET = {{ oauth2_jwt_secret }}

ansible/roles/gitea/files/docker-compose.yml

@@ -1,6 +1,8 @@
+version: "2.3"
+
 services:
-  forgejo:
-    image: code.forgejo.org/forgejo/forgejo:8-rootless
+  gitea:
+    image: gitea/gitea:1.20.5-rootless
     user: "{{ docker_user.id }}:{{ docker_user.id }}"
     environment:
       - TZ={{ timezone }}
@@ -22,14 +24,14 @@ services:
       - redis
     labels:
       - traefik.enable=true
-      - traefik.http.routers.forgejo.rule=Host(`git.theorangeone.net`)
-      - traefik.http.services.forgejo-forgejo.loadbalancer.server.port=3000
+      - traefik.http.routers.gitea.rule=Host(`git.theorangeone.net`)
+      - traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
     networks:
       - default
       - traefik
 
   db:
-    image: postgres:17-alpine
+    image: postgres:14-alpine
     restart: unless-stopped
     volumes:
       - /mnt/speed/dbs/postgres/gitea:/var/lib/postgresql/data

ansible/roles/gitea/files/footer.html

@@ -1,3 +1,3 @@
-{{ if not .IsSigned }}
+{{ if not .SignedUserName}}
   <script defer data-domain="git.theorangeone.net" src="https://elbisualp.theorangeone.net/js/script.js"></script>
 {{ end }}

ansible/roles/gitea/files/robots.txt

@@ -0,0 +1,4 @@
+User-agent: *
+
+# Ignore mirrored repos
+Disallow: /mirror/