Refactor: Dir structure

2023-09-14 06:48:05 +02:00
parent c361625230
commit af3e66f901
157 changed files with 3 additions and 3 deletions

132
ansible/.gitignore vendored Normal file

@ -0,0 +1,132 @@
# Created by https://www.toptal.com/developers/gitignore/api/vagrant,git,vim,ansible,linux,windows,osx
# Edit at https://www.toptal.com/developers/gitignore?templates=vagrant,git,vim,ansible,linux,windows,osx
### Ansible ###
*.retry
### Git ###
# Created by git for backups. To disable backups in Git:
# $ git config --global mergetool.keepBackup false
*.orig
# Created by git when using merge tools for conflicts
*.BACKUP.*
*.BASE.*
*.LOCAL.*
*.REMOTE.*
*_BACKUP_*.txt
*_BASE_*.txt
*_LOCAL_*.txt
*_REMOTE_*.txt
### Linux ###
*~
# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*
# KDE directory preferences
.directory
# Linux trash folder which might appear on any partition or disk
.Trash-*
# .nfs files are created when an open file is removed but is still being accessed
.nfs*
### OSX ###
# General
.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
### Vagrant ###
# General
.vagrant/
# Log files (if you are creating logs in debug mode, uncomment this)
# *.log
### Vagrant Patch ###
*.box
### Vim ###
# Swap
[._]*.s[a-v][a-z]
!*.svg # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]
# Session
Session.vim
Sessionx.vim
# Temporary
.netrwhist
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~
### Windows ###
# Windows thumbnail cache files
Thumbs.db
Thumbs.db:encryptable
ehthumbs.db
ehthumbs_vista.db
# Dump file
*.stackdump
# Folder config file
[Dd]esktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msix
*.msm
*.msp
# Windows shortcuts
*.lnk
# End of https://www.toptal.com/developers/gitignore/api/vagrant,git,vim,ansible,linux,windows,osx
/vagrant.ign
/setup.ign
backups/*
render/
borgbackup
borgbackup.pub
roles/*
ENV/
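Review bot: The line `!*.svg # comment out if you don't need vector files` does not re-include SVG files, because gitignore treats `#` as a comment only at the start of a line, so the whole string becomes the negated pattern; put the comment on its own line above a bare `!*.svg`. The unanchored `borgbackup` and `borgbackup.pub` entries at the end suggest a backup key pair sits in the working tree, where this ignore rule is the only thing keeping the private half out of history (a `git add -f` or a moved path would commit it); keeping the key outside the checkout or inside the vault would be safer. `roles/*` is ignored, so role code presumably comes from outside the repository, and a version-pinned requirements file would make what gets executed reviewable. If this file moved here from the repository root, `/vagrant.ign` and `/setup.ign` are now anchored to `ansible/`, which should be confirmed.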

11
ansible/ansible.cfg Normal file

@ -0,0 +1,11 @@
[defaults]
roles_path=roles
template_dir=templates
[vault]
username=ansible
keyname=secrets
[ssh_connection]
pipelining = True
ssh_args = -o ControlMaster=auto -o ControlPersist=1200
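Review bot: The `[vault]` section (`username=ansible`, `keyname=secrets`) is undocumented, and nothing in `[defaults]` shows how the `secrets` vault ID gets its password, so a reader cannot tell where the key material comes from. It looks like input for a keyring-based vault password client, which should be confirmed; a comment above `[vault]` such as `# read by the vault password client; the password itself lives in the OS keyring, not in this repo` would record that, along with an explicit `vault_identity_list` entry if that is the mechanism in use. `ControlPersist=1200` keeps an authenticated SSH master connection open for 20 minutes after a run, so anything running as the control user in that window can reuse it without re-authenticating; a shorter value, or a comment explaining the choice, would help. Setting `ssh_args` also replaces Ansible's default SSH options rather than adding to them, which deserves a one-line comment.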


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
30633036313361316363313630616632333931633635326666663935633061346237353362316132
6364663462646639613862393263616661613838303962660a623233386637653363636531383535
37623664636362666136643765633166373030663864613134313862373131646539313533303532
3563666465396463330a613632643431316563383331373932366334386564646335393433366663
36616239373630336430393065316433343536663062383563646235646365376539326636626230
30643033656134613966643163323730353239666264343630613830393630653333643961363765
37396462323539303736333734373332646633633463636162626634656632346165363134643234
38316632323366303166663964663639616638643538626363633564626133366634323439393163
33646462643035613963646131373339333863636231356163356630383133633839373561643835
6264383563386437656563316539393139313137306164343631
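Review bot: This file and the two vault blobs further down are encrypted as whole files under the single vault ID `secrets`, so a reviewer cannot see which variables they define or which ones a later commit changes. The usual Ansible layout is a plaintext vars file next to each vault that maps readable names onto `vault_`-prefixed variables, so that only the values are opaque. Because one password protects every blob, and old ciphertext stays in history after a rekey, a leaked password means rotating the secrets themselves, which should be written down where the vault password is managed. The file path for this section is missing from the page, so which inventory scope these secrets apply to cannot be checked here.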


@ -0,0 +1,3 @@
docker:
internal_networks:
- metrics


@ -0,0 +1,15 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
61326166343132303034623663646238316263313832303164636539643039653530323537613030
3733303163623763353765386332653832353862323262320a313766323336393933623736653834
34643932613563646332633437323135656437613335333362383464613061383935323661656433
3032376366323234660a316635626139373136316136633738663034613066653665353836383339
36383266633566653866363465633331303134373130626138616431313132333631646165326434
34303431376434346535373665633939643230646336653431373063333264393562303035383162
36323439346464336134343639366464636362363635306139323238363130383362323330653530
30643366623964643037353031626532313465303061666563616439666661653131313438316162
61373165393161633139633265363064353664613763616136383536633931323335306631356330
31373631353237346362633062326338366537643539363630396437373237633736366165393431
39363562373035353165336566613739303132373435616532363662633535356564303431626539
63376263623334643733613831343861343932363739363566303165666335306430396564343135
37626663656665383864326166313566643937656362396236356462623737343235313962633666
3838623136396663383432613764623266626533663866353762


@ -0,0 +1,431 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
62633435613830643035323333616538303436376466633231303963303836383035373263336534
6166383262373633366661653364633031313462653862660a323230316636626337373633373266
31663564643733343436613165383630323566626566663339323830316139363130643537343239
3533663830343938390a316330386161646163336662663261383138663764633566393736306239
36366638303161376362333261393433323837663431393665303439643033303834636265346438
32393363303864303466616235323235656435306134306634313433376538626339653965613736
36346439343437613738323633373466343165343630323130343765646165333033316164666638
34313435366232386664626238313539323363356361383161323037653331666130303235306161
61633231613838346661373265326165643138623965383636653864666531646163343732653938
66313438323538313661386436333864323930353361376562333433376431313334623036326364
66616631393333386639363561306165653538313866363438663936646263376135636432616561
38623732353338313965383237653339376161306166336436646165326533393034363237303834
35326537653036616461646639633531393638383365636135653238373265613230633862306131
65626166333331396139623563643432316665363231326437626533323832356632353736643232
65386661376332386130356438613166323361373162633339376561396665623539656537316263
36343965336666356437373538373865666161326538313532613366343134393637363032336635
64323361373739666366303333343864383063346534363562363262376462656161326438333037
39646465333430396266316261393131343339396331306435363566656437633766636632653065
37303732623530653934353732613337613935306262613432643931366362323435363733336332
30313338353535393536323763616133633230323034613835343763626139323330383763313662
34346438313633356538363832393864383262643635326438333763656161373631383331663837
31303335336531303665623333643032313032323463643763316534623935323466303661386334
30386231316435623439356565653834343535616139306436333862396261616566333432333830
61626434336233386233393235323435376539353437653538333664613365396437396461383063
66323838356364333636653765393462346665313836653462376565363631323862663434336631
61363864626561373335633238386163313137323634663837316430626139313530623535643037
64646230336336366365646433303637323333333531653965336336366434353166613139353235
31343230643563303232643938336337333331626531363335656665396365633531333132333666
38663833396661643431643430626562626330353564643939383234646230356532373638643734
30303433393539323063366430343033386462346164393430613462306235383565366239336636
37363132323131326661316432363562653566626566333734616466383366346536366561386662
65653030393436306639643634663336326233623637313463376138633639633164323466663066
39313530636166663538633131366232633432303434303865323032303937623732366262393936
30666266666535656463366130323535386433323663363037646231616632323636313638666130
38346364636234323038656230353736316262343234396333333638663164353133333431363066
62616235323866396439306163643932393234616231666631383736366361313334393138643539
32666635616463643039636235663939343363303333373064646134613765613330633663313066
66353535636161303461653862366434383566336164633131323738316539626130366362336237
62633435636161393765666662333963353764313035373937356264376666316233616364353838
33666265623462633330613866386331353365623764346664666662613365343763633963613639
34363665656335666436373737333464316263386461613733646266346635633464313765386632
39626632613061646635323431396436636463323734333332306165333432366164306632646137
33626634363765373632376331646165356565366561626232393163326462343762393939643638
61383930663463303166626432396136313535393966656531353332623233313338333538303038
30396237313433376433353266333065613832633861643666386635306266306535613462393765
30363233363731373938366139646536396136346135323633376265376431613632656363343065
62373165643534383738356434323139396338616262366663313263303336363235333332623735
30313061303030613830643935346165636438636230316263353136633335323632316265656431
32396538366432336231373335636131653365613732646438636664636537616239376262373464
32383261616438353632373637326439623539323561393238366630303663373331643932663262
62633536396532633363653164333834663564333336613435353464653235653032333433306162
66613834393366343566396335326266653338663765323364366435653437343136653761333136
38313131306463643639386639656438643236386633386663656465306530623235623736333335
64383364343533396563343961363534383132643238623463373033323531666163376266653563
31636361633564643137663638643261303435343263323231386265383233666134316561616266
62383465643231356339666338336437616630353132656131376139376634306665666361633431
62373139646165306439396337626433613734323438363834363661613866336136333462633233
66353733396432303230653836373635303763663938636461303461343561653938356432626335
33396163653132336634313934646266316339306339623739353761663639613634376461346437
37396435666565376162646137646466303363336636663339323731653238376237326263333932
38666133353735306232383735623561386661343663353831613663383136653634333439643030
32653635363237613135653937336432623237336439376339376132386563353235373237383937
65316534613365326131616664646436623561636263656663346435623666316666343464333262
38663364633763303234653230643935643939643064376534336364356638363636653831633038
36666633383861666265373366633830616166613135343665623462353530396134383263616534
65376164373730346639393433353837653363346336343239373766396530373031356266623030
33333066643835383261386430633965323535353261366436383335633935393437666139643933
37643937393537396531386533643332363539333931666666363533313338613465366263396438
62623264376534623237373235363036636339313766366531663133336561313863316565616263
31316536653935346230343534643439653861376661333065626362383631306133363163633833
33623566373134653632373763333762353038613739363935646133333466656239646235663263
34633663376262623435333834363230336239303433323231336330633939313934333438656238
62666635373831393663343761383464643238386138343338383062393431663061313939666163
36643630363936383030366538653432383339333630346233316266653635393861343565356532
63313463326136393266373539343330663063313736373831653662666462393763313231656661
65313935396166353934326136633030316138646431633933306337663764393933643637303935
31646535646132333363666462363465336363646533373339613633356661666333373131336239
61646334626462343931383838303736643361666433366238333837663136346365363736643330
33363165616663363733613930396330633230393461306530303936366234333762653035623938
66303563653532643562613631616362653562653132336261326261643836396335623764383430
38346539373733613938346464393061363137643537666165663836323966336561313331323033
31376135386563613262333934613931633963383039376339663631663665303533303166366235
66363936663736393034333832356330396334386238326633313762336536663063653835366662
38613733323365666161636331383865383330353139313362363835383261643638643436623230
36333162353137386538353536356633363237396531613061303139633761343962383530313534
62366237633235393639393834663936363762653938316532303564386330653833626162623137
66376439363138653739346336396164643566336232303561326631646331323836333365643837
39326436356637326431623262343466343933336133636337653335653266633461326563376539
38666361313934633662363638613932323030626139306331316333363463623263623935633364
38616233636436363339393263383463656438663532383064393334346233373637623062393765
36366363323039366138353762396437393736643735346336666235653862353138643132313764
35333939633738376633343131383861376565383866393635346132386434343865383634363761
62303532333334666638376131333733346135343534316339636130663936376339646435316466
31643034316366306138643634396333643136343033333134303137353430363661346539386231
39636631643164396463353731646531663432346662343930626364356130373961623430636362
66313130346231333637636661336664663838366632623135333161663836396233303430343739
36353330663165336261366231613661643363613038643462626435653463616664646531646138
61303930326233376338386539393166663034646130653266303265353531363538633566623438
63613163393864643533393562363166613834316465616639663737356136653331373561613434
61306635333333306333306639356433323738393230656630376161356331623532613939663564
63643239623230383663386132363437333039323538653161613163343936326662616536393931
30356362663962653832306466666437356661393835393665393737643465326562353862396131
37636630343839396635386365353636613466363235383961396336343637613234343239623731
36326539343236393262313134353130326362643534626436633966303332363965303430653030
36313866383037656261326164653838333866343665623964356166396635336235393764316430
33356235346263363036653262333264323332316236643364363931363865623464333562376533
62343462336130333233653966356665376461313032663466303961343439656262336632613564
66623639626433356138393332363831663136333238386430303135643365343965316261643533
36636263336138616134316162613535646434343864646666333432323766646164353631613435
61636361626530353162323763653130356633623861393333316235313665643639623461643964
37383737636262356564393365356237303737613366316537313331636536383331613330646163
63373434333130643066336135616438343237306338303838303533663039356332323638363435
62636633316663393131363736353862633264666234663566653066386163326438653866333363
35333437363864633232353130373333663736313036343035356366633533343731373665306330
35396134303432316162306333316163643262333965663435373832336463656265383338316663
34303231396432313533323133376363383230336239343862643038616363313734376133396363
65346435666133373138313137343962323635636439336431393931303134333734366563366262
30623039326463336638396632393632313130623337323466363537326566393461656564656237
30306133383439633139326366346534396131356439326638633333313737356635316137333532
38383937353635653836393462636334643666356233373034643733333639386535613338373135
37353836653830386337316538313761363565633237643034623737356461343235373437346164
62303138323366353361663263663464636666653636653232316135316436626532643137386664
35333431636635376439663933636663343736363664366236653833333836653930386435663332
66333864363736653436393561333365646236326535343362653539373535366164643833363233
61353539326231653932626262386634626336633730326636313962303739373731613333336238
30353139333135313766313537383839356262316365643263323830333832666266333038373666
34663065333932623633616437396630343535303464346265306265393565623133323238383433
65343466306637616539623332386236313562653235613332303664326139393030363863653831
64326361383831303561636536653738646665343030653966323034663165326630393130343965
36313035383233646437616331613138646663616263356563356535363763313131306161323437
34346233646465653363633832326465633137646231383162336236343463393433306530316633
64306431373165343665376333333837636337353532366638303762613132356130346561333939
32616161333866666230326336316130316431656561653834383236666566376163393165323863
62393165323630633265343532353739663233633438306237316432643332396131346163393938
61383061643739386638393365663734373131363530633365366431303035323738343038323738
35356164323864333333393738666466313962386133373463373733613831636236653135666631
62323932626430383365643234626239633365653732353732646261376465303666616261303134
30666231363265663965303237356536653333386664366434393561353830323835356237343939
37613265373932306631633937333231643061623264323063656562323231656662363532656261
30303932326161333662396131656366343765363962643038303939613230663136313834353564
31643466633566656166316133653162333063336634653964386234616561613839393831623832
63313734666564656530323535623263636566636334633865323036613030396333626232373734
32366638356339313463653833633861343032623964396365623530373636356465306634313163
35306332626436613737313830626432653635663237396265343838383939313434633939373435
39643964323463366639356137366634376637353564643864323533643131653636393435373039
33616135666463626134616531383564323065363766363430363032373235326433613039316335
30353835323261383235373462366431376465383031616237613930323230656565346134643534
39346134326336386163306639376536366663313739613132343463303863393833346361376333
66313636393565396365313638343966343035393033643964626137393738363637386162653433
34333362363762666663373164643864373935323537336235393565363736383761653637343736
63626663633835343365393234313061396461383133343865656237336435643433656163653039
64656633383765653866393562626263623762356538306461626464643837666337663364616630
31653064303766363363343232393363636438613766323761373437616338353035386363626332
36303831306464383265636164656637653864373537323934316338656363613938306561316333
30666234613662366464316237616633613961393939396662353836376434396631353933623036
32663233636264393235383165653636323536633733383238333234383136316363353434363662
31336165646431346466386630343031396363663835393864303236383762303263363166313735
34663762333132343834623238623930663335383335353934346239356637656336653666323834
39346532393837343939356533333130623863623035366566323038356166366233386537316431
31356638613137653230646562663032383639333230393966636433353264386661653665313334
37633237303034353461643361313730353538306465323938383263653033663365613265653135
39356663376439303634333134393661306638376539323165353765613230373665663834646532
63636463653463653332386235343864353534643561303936656637323333323532313937336531
38333932353934613161633438646138333262653838633531356361316631363537326136666632
38353735633063646230353838326362663031626330616634326234336432333533303037383636
64363531363761343063633132353963616561366138326566363332363130306536363165613437
34316565373539303830346465663063353734333861373337333837316261383430653739323363
64643266616366306165343736613563646630613033386335376362613833643036366633366638
35333838363864363362623337393931313530363962396239643965323739303966333436393938
31306636663539313331363136663534353331663365363863323866663964363630356433626337
37633237383162303139383231393230616437626539386633343433643339373332343266353836
62623032313434346537363238306436376237356562663966353961643337383835343333616461
62633933303161643138366533383266386636346161613966386438356239393138633937393132
66313662383261623434636463376437386162316334383063613836323234636133313863303831
37396133303730636537666461623830306263343865306132313364346661613833313766373135
32393561363061663335306561623234363561393134376635613366643730643036646339613231
33633164666131303966363032653763636434333636363564373463366264616636316135663565
61356361353530623734363331306232306661353735656238623036393330386431656636326330
64613264383336663665623934623732313230323131666437373133353138343334333733393336
66643437373334356537363335353664303138643031383463323030393437326634656334313165
65373665346566303236656234333832316662336135356239633230393939343861386431663334
66353339376163393536393162623361363836626161316138656538326265303432636161633138
61653063613831616135363633383062643939303431316565366433306361666232623064616139
31396138393830353235663965386638643934643863623233363062353365333866656637336639
65633233656535626634313939333761623965653133383362303965353736396235626261653330
30386561663136316230323563643936666539373566663830623434646165386261656262613237
31333835393733616430616134633731653637336662343165623634353863346239646263373739
34323033376637363362623438306238336637313033383862356666323238663361616161323734
31663934653035326462323034653163323333333833613264333431356162333262663261653031
34343265653533336365313938363465623033346231353661303566653463663236343762353138
35303865383963613337323066663639663833353030376138646133633734373032653761646164
66326464663039376461623962353863333232333438376666313539393933336662326538633666
35666534613738663835616465396637303731613661616661393866363264613765656263346138
61396361326162653831613336623339346237613434333237356531326530303565343461346431
66303130613664613137643663326663623931653663666334623439323961333631663532353261
38373661653137636437323639313562396462613437386233653334343166666163633665326536
63393935356436613864393361643635633563663365396131343231666165386264356564303763
63343839636564343033363663653663623330623939313637306633663536626162386232396338
33333735326563383539373862376334383963346436353363313737653334653733616437303962
32663336383239343863303865316631353761303036316366656530616666383136383730306639
32366431336139343965336363353539356330663864333463393730613736346533376235303833
61666663313031353331663061363932616362316531336139336239383366333232623134333862
33336438396561613537646535643737313131633235303335323332626333383562316566333262
62363337623938363538666664336532663435643037376161346566643361353066623664393564
66363834363162626633323432663931626639363062306464366165346533636165653036663033
36333535633566373136393065383137623833303839323434663935306534386463396661613634
31363166316138396330366137366237663464666338343666313932326436303530343136613433
31636364623739396530653531343533346630353065366236363065633338343133333735333638
34373636353163653339323433623539333666393166393265626439643933393638643361353439
65306365346137623433383532363864646365356563346130663261383535633864663462396531
64623563346639343531326333623533623764636462653436656363336534633538316439393030
61633464383765373264633639323565366534666434313130313264393435333765643832366337
30313962623166636439346438393833646262313165643233303837663337613033613730346438
34343338663830626431323534383965626536613034633566343331333639383838626235336365
65316166623131383965336337306161656238366638326633636536613135633032653932346530
37343338613035333361373431333635313634636338636638613839313634616664383131626563
36323438366161626261323333383761646332323333376631613434376137666662366266643730
64343766356533326331613337623764376562396238383566343138626238613337346631333164
30316261316137376633666638343935666336656633656137393534663735306364373263383730
65653363373732656537396230663630656336313063663638343664353663383736616363363135
63306232393732313137653738633732393963643066636331656531636536356130353234656639
32333932623031376265646138646135346434623162376134626439313730303464363033376463
39623732363663343332623930383230623833383430386138326534626261373932356364393235
63653330313031663561393630636539653163616161336439336261326139653863303733626664
34343936316366303362663762353966616263383165656462656462376463326334626435613634
34326238316662663535666431633465333463373931636564663761383039386333663738353964
65306462636435303765326231633861303862306264346131363263633266626566363533653833
35376665653763343837313931346535373432623836376264373262366339373330303639623137
31656632396261373837376137373633386233356636323231366632386133376665363961313535
65393465346461313537633661616438343136666532656666353538316636623830636464326337
32633766666136366561666130316538613532363538386337616464653862616432663837626233
62613735656462343731303261623362663465663861373266343036303730396534663634656462
37353636383966643037376536616464323639386264643966653262373737663437333166653739
38373564616436326466656235623263336466653736633162313539643634383636306562656666
36616264373832626531306134393135323638653831666566393033376435663864326563303135
38323464396262343764616536346332343734653131303562613439653935623338396634353838
35326631633832643331303237333439626239396363363932323461333065393534643935663165
37363863323363326266393061323335376164393866633734616538616664653863393933303035
36633435303163353734306430303964333265313834346663333962626333343935613264653337
35346530663365653737376439313863646466363439303365323939313033393136343536313064
32396336363732356236396531646264306532303762633363313635366132653132666131336334
66313632356434343562633162616361396564613736393361363566613735306238386365356337
65323763383635303733353439393039643034663835353463386333346332653036333635633566
37656165353330313736616431636263623234363337323839343338623739336262643462333266
34303562383036306364316539333966303665366662313066306663303038343737653337393465
65666334663530343335643236643166636131623837393766306234326437376132336133346231
65666434343465323961353136333339616563376430306439396264303838333333643766393030
39343035343466366431663765333134393239343736366232663130363630383665363962633033
63666130313739333463303938396139383537306638353734376665656565363130393366666132
63343236396365323531613666303239316165613836366464343764393337656638646237346131
30376664366561643937373466393437313363313364396432653837353866306537626535633535
62356433383565666531343532373264376532336437656334303564643966616535353262393030
36363233316430383936643866363964313531653137366336666566303633653735623431303963
33353333396364303962643135393837646630616364363536616562333638383036363966343161
35643939656237326134383066616362353938313464353064316663336535626431376231303932
36396362343536356563633731303263343531613166393638316562656334633964373433383062
39386331313162356637326530353930643466666262643064366562313463373331303061663463
36363830636565373065616263646133643839626338366664663030636131353435366239306534
31373265666232626234623330656565343233643338643630663863366134366163636461386661
34383036663961326465646532646338333062323731376638333234323963323765393231303539
38346339353866373033623430343039396136386363643862656231653965333430616235653737
65343365643661316138636465623037313834643961623863303365616330373932393132373761
36633734343062633737313062663436646135663830656234353565386466373837396161653736
38323334336161343432613138643933326165623937363238656565353366366534636231323839
30353766613562653735346434623530353163623361613162306565303263656364373435373132
65636630376234316436303930313065366462326436666262363535383961613138653734633735
66393766663232633462363032303165383534316361356465373936333163303165366430353464
36626434636633663634653036383738383131643365383631366366633063613663303134643538
66346462326635396366393933306330366661373835613133333435656265323532323762336562
32333731353731346661643865666337393931656538313532346461343834373436346135653431
64393936613137353265336262343939613635343935656538356163613433646236636461306261
66616432373132383938333239356532306266373631636564326234393531386263313730313733
62633431393931396536366535633839353161626563613538373461613938363034383537323435
33373861303461646466326330396435663830613566393639616430363463353139353964653636
34316336626362643933386661376539626664303339383238366130646266376430303666663331
30356137363561373031336130326638386136623132353437376239353661333264663739353166
30343062666235626537356363633032323737616237323666626161346230323735333430656661
62323839343236376337666166313534366438363461626137383537626166363962383863343739
64323331336232323961656235343265636466303865333436656232663238623962393238366561
65633538346365346465396635323265653962663839643634656366636630666533643939623762
35656562633933666161656363643834356566633466333835666338306261346162343834643639
30396130336661316237306631306432373331666333343934656534626631646234393465616564
63356364366435663963633737386136313734636234343834313861333133353037383739653165
31353234663365643361616638393730396437623239353361393732623865383035353665363438
32663130636130656536303230616236316261323963616631613432386262613862363066363832
30393730313161366533326235636336626564326565353761613330646630613830626461356531
34366664666434633330313965396531383465666330633139383934343965323438626433623632
62353438646361336535346430346561326635663562363930366661386633373761643063393064
61346132653864336162333932663731333330636637613062306463393462336539383463366238
36386630613634623934636438633564363338313232663939323439313534316633336139643130
64336334646539353135643035636666656562303035613535363736313133323136386665626462
38303034326538343962343762656163373332323166393364393663346566373361623837386233
33383031373561316132623866653437353861323263333866656237346533373033373634646362
65326262323163633532663132373063646439633439373430626434363265303537633162333338
33646331373766333339663265333239373238393463633632346237303534663562313862626661
63653530626264323365653137363538316565343231663438353764383730393435373234386234
62363237663262393732363338643165643762663939636361366234646162616363313761383134
33363863363833613165616431663563353032333365656531366666363037653530663439353135
34663861386134373239323165383265396239643536663839316661323062663737643864623335
35393531663334313531633266393130343966633337356566633735613065633434393934336263
33363765663530643332326535343763386239303734653132383937663663303731326265336662
64626664333830376534656535386331663066636666666561323030643463323631643031303064
33653932353432663433396531363738363461333534393831326466336235333463343064396665
33373635303161663733396131656264633730383834613934313136313337336538393330643238
38613536376237626132636363656333333161643631663361666466643334623632393462383131
30643963653338363264623763616535316232393934313266363037333463333066316538316565
35633065616132386638396265643533346266386665343434353633393637616564376363313362
36366630396338353231306632613234616635343564336131326435326238623238333634616637
31373338396436616438633936656433643539636237633730346637366266343431323964386265
36323035633330373234623561303636633430396463663762383633396664656463343362646164
61326136336261396465373733323836366130383736356365363434373866363337393635303434
37313864343039323437336535323564666636623331626661643736323766656431633936326534
62303836333662376133373663366235373331336530363466306438633232353233333539393564
66316132636663646136623366333938376338326362383735363230633237646663336532653661
35643639653362323064306132626337376631333862373331623861346563303433373434396463
66343739613938656631663530373539323734393563363638326465316534303537653931666133
39333139316639623933333130356337393861666361376536383136326533333834633835623466
33376237343266626564383665316236623165663837636664613935643933396465666566333336
32356636643533393333653761393939373566633566316535396363393531636536326239343934
38663830626439653734616639323366323832393532613537376534316432633562613633636439
32376464303666346431353364393139373064373831633638636238353762613532666435306566
64323663616330653737373233643163333437353762363636333061313061363939393062653739
64633337373936653434656238663131346631386438623362356532323132656466396533613562
65616233643563383732656335633036363564363336373537356633323237646436336237653363
37366233313964383666363664643832326364393734653265633035613536373361643765396136
38303539363039626339613962656635336435316464656533633032303435663766313133623538
39383865623766636165653532303731303066643066656634613139303162356434653661333132
65303932636661393137326638616131666561643664316166393932666234316432313237653562
30653632343565393430316563313530376331653537646262333965653934623031303136393333
35616162393731373333333566316564343134346237363961353736373536633965623864366639
32306463636266373737376563653561383332383538346263353661613761303932623964656166
66386331383737353861656333343935656461656236636564313466373139326161303231306335
34343861626434356139323738633531303139656264313236326435393333353066373061663130
66386635636536313362376434626435326537646437346365663532653135396164366430356631
30336564633935623866393865393230646537636539623630396432323232636637363833613236
32383031373962373463663839326164353836653666326332613162383931636262303062343533
63323861633634653466316632323034353464383231656431313734353933396565393433303339
65376532653063623462656539646365336634386339653166396431633064613835616365653730
30396163306236663065333637663333393262306462333532643062373637353666323630323364
30353030366239386232366631376663323265303237626135303663323565323531336435363438
61393039306339336638313264343836663363636232313032636564663133663030313332623264
32353665363536363238313438653062326631353066643564393634383639396338313530376338
64663662383534323030666639643134363936623731303239613733353438636264666233653734
30303966383862366339633264356436396434366235623137633264663131336662306632356132
37316130333830326462633937613333353266336335643436326638663163663461363965316333
34633631663566643164333564376630343462626532666662313762366532626161306366653539
31633065343930616532626335373138373434643162613735373062323862653737343237383034
65633531613236346634643735376563346438366330346630353161353763373562386365313335
64306339376130653734376161303435613864613936613034313164643165353935356364313232
38353731626238306566353938663666616365383939653934366331623530343365663463303564
31383532653135326134623038366430633165373935353939313930383233663563366262373738
34626666663835656332646263323637333261396435343765343664396461643230653430353632
64303537653030616337663434343731353364353334326237363032643763636165623833653031
64613637313163616238313731316634383930633634313834363836316261633435653765646565
31666564326533633266613537636536663637656162663530656638306666663134303033316338
31666465386561333561626135313937333764363437323834366162623439386438663164616630
31363633643435663237333166306539373162663266373239353137626437656466666339353232
32373936646132623430646363643236656163636132366561656134316438336261323761396530
32353435633661306133616231323730316561336534343936313164333437636336376166656333
61356565643438653533653866623466333530323563643134386237656137306265383936393865
38393264353231393834353766363833613762336364396265643630663264353331316463356462
37626633633361333432363466666635646463313832376530303139356334393038303130656662
39373464363934313734346434623835326430653333313239386264336637613161646464613066
36326665653233383832616232613365656236343439656334663635343135333165336662656562
34333335383932373037663462343762663936333639623038303435663133626536656265333636
39303961653336663862366638613764623463656263306263363464396131356130646466393663
37333130353362376431366138383935343835313037313763373562386238633066633639336432
65626434616561663239303566663166623533346634393066313533613530313362333137633664
39393739393134663534376430653833393263656565626666653836316533373433313261653131
63313439623965313362333732663865373762643638613034313037313831333733646531633136
61333037306563376464366362363833346364366233613361396432363738356465643439383034
33313434373535313261633562376439636337306333623637383532636635323265343438383538
36653963393838353535393532343063373332393961313438363665333266393566393266326530
64613261323331613336323033313533646135333235386661633561343734346131643964393837
32663635656466616438613336336138373931373337643637656239343835616433613431306261
37613030653431386161393431386330316661313734376663343763336165346238623764613236
39363735303833353830616462643963313736663531316365656463613830323964333732643634
32396236313433393535663765663739653766393065313037396562393266333466386566386365
66636330626330633433353661653434353966316664343339633736383133316537363832323838
39343735666638383336353538633736306433303136326632376634323733316531626239643532
34353630623562393632386334313763333731626334306165326436643439623039643839383765
36636531336137366463643132313731626135633135363963346130656634633633643336613133
30366662396662363166376430386365363837393166393632336664633731623230623065623938
64363864323630643061363338356661613266383739393961616135326662626134656462613235
39373064383166636631303965373632633139633432653061666132356633343961616437613833
39343032613234336535646663383466313234326664393735393831623233653266353131386563
64356262363335376434646136386537313538656532666464623539666338333164646136373563
62663139363333626563396165363263333735353634313837396663396637306339303861643833
65383239396161386335333136373361656334373463643432633661633362336363316562303166
65653330383134316661666666623336636335623565336265316431366630663763613833656262
63373732653639333633366233373966323464356666333137306132336534656637333237656662
30616361353434653438336364366131303335313736356365663737636331356436363462613736
66623037643637643733636364613433323432383439616131623763376663396434646165613236
35383963663137366238623865303238343162666462373538363764393965613532663634346166
63373834383537666132626237373434346565333332653239373832306466303737363432653337
63396361616664643466333939313564376462326533376537663735356563333737303731643263
35633966373330383766656338653666626137653333393837613666336264353131626363346339
30633837396263373230656561663034393264666531646633323334396161633762383564356135
34346263666163363430613264666639656631633230636336386433663863636565323837323134
35623533303764323139616339393865613634613831613034613366303531326233313133666364
32383366323961366364633563323332343537356263393736393464343534396363383534323537
30313230653166643930376566356266646232313566626434356433653335343131653265626330
62633836313437316235663866393663616362613434393833666461633330666661313538633561
36323038626161326666323535653364396530306265363738336139336635346339663864636137
32643938306137636336633333356664373737353339643465393163343235383665666231616634
34666562623761626139646537353731326466653834646337623464356462393930343636366566
66626632666232393035376234373762656435383037643839633736663766376162653937376563
33613532346162306561386561323732393731326265393233343639336362653230376665356364
64396631666338363437663964613232653434303235386330626430643832333634653862666164
30663761653134393266656264623630343764323831356535313262643738303664306134366338
63303036626434666530636231316534623264663230346531616537333064376661303366653432
37386336333636386665366239663430663837633235383839633562346231353063633761626463
64363133363631393631363637656562333639646364646465626131353536663438336535666166
35323137643638323039636437316432343233633466633837666630626237313066373134363562
39376262376335356437646337316535396463366565366434306233643466323764353635306233
36366332366638313664386230343166336239613530393335656664396535636461633235663231
61323665313363303334313262326532323939353361623038386665353336643261393337326637
31393232666231366239376162633832353831326531313830396138646432636431306537626131
31316664366431306431393966633332386435393336666538393839303563376466353365613432
65633734343930303133623233366161626538383530363635353932353736383966333631643366
34316431386164616332386265306439633539393463356261653735343232373863396533393439
63316435303938373934643136333365646461633364386331376263646234313033653863326439
39623863633665313337656436353632353437666531353161376436643837353737373836613734
66386337653436393165386661376438393466653039633633646139343737386339353566386539
37613666303166656565333164353866613132303831366331303737343336643134666632663030
63316265346137323938663863316137636361343838613936353936326632373962623036663631
61313534363133383663653865303333343031346163643665646336333432333839366163386665
63383032343935386433633839383362323335333764393131646266323535633133343361653636
38306131633462346330646162646261663631326534623864343665633036386561396638636636
3163623930323231613236373031353461393965303335373439


@ -0,0 +1,59 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
32353562343735616233303364363161306331663637303632363534333933653164363238623164
6461653239666330336666356462656232663033366666370a633938353466313937376361633537
36653764393235393135393638383661613732396162303633376361616430386334626535393935
3534363530343635630a333531313565646639663135396535343736353932373334623837396134
66383633303533646537616364346137623265616137616266373939393163623537373635343763
37326232363530323561336562386465623135626661636139653837343334666230616561323966
33623864386436326437323737666365663637353761663433383439393238623030393865623633
34323031643739613765386261333533653462383432313532643065313063333563386666393165
35366565363561366239363733386436303763626362373632353964303361313132353030346366
31333834306631643563653366613038396133356630316536613537376639626362616163666363
65616538623233626631393362626638396661653337373433373839353066343164646230303464
31373061616132643665373334376535313562353732663065303966343638356330353738653038
37623634373563306664323765653365316131316261333438623332363830336662383030646666
64326133633339316462323563623939306163353665613964393335323439626336353762363265
66663133373033323734303230396463623230663162363438653065303462323339313930386331
32626431313337623737353532386435376262613632353439656265333964633365323335613338
64316534613963626339663336303766393066636562323233323837383330633639666634646466
39333738313234383761636234336439323164376637653032316237613239336165373962353931
65623662613030653335336433396665353466316561333039383937323065383162613635386264
38623333386631343938383064323136616435643062356130376364643832393335313662353861
38623866363639353765663265366266346330633363396139626639373437306463653331663337
66306435663165366463623831663663623137373463316664666463616663623432323134333164
36396463326664333832336531376638633832363431383032633738643435323732316561313139
66303166363662376566393261363064356131313630303861363138613835366331363932356130
64383131373435323062626138393766303134653836353939613230623232346236656331323435
66363030303334373633363063653033306663343234646533333164343534666635336432306334
66376137353064373865636663303532303836616138313536373239373462613438623334336566
39643531366332306162346536313139393037643063383532306566356165396636393436626664
35383962636339316434663062396262613862363533623534623236633363646265323633393533
63656231616437656436336261616464363565356666653131336433343162323432653237663764
61343736333737376535663230616530303631663064323036643963386430316630333861376564
36373435313532356462353339633839653161393862356636353262666366343764623066616264
64643730346236333236303735626164326662376432613534353331316261343332373062363838
37376365383336666633353833316137383036323736393437373763663465663330666265303933
30326661343162306639346439386666303363343633633532666634383537376131333234633062
34376635346231343162393866326338656333643233366331343430373038326237613635646561
65316632343837646332633166333537646539376362346632653164323735623732303365663334
35393933316461363663633434373565323131616435313331306232653663343235663531373935
63343064393865396161653832626133343638623739343837346239366637383363393035316332
65356161636461343366356236643531373066623331313132326232343864393861326162333133
33646466376463346136623064373066393536376134353132626366363034323336346561636565
61303363383563653433376464363238336339346430306330656131653164663632656338353636
35376132393665663631613464313237333466303663373762373136363737313239393838326261
66666363363338646435326163363134646639616539386665303735623864313633623634303632
33656166653264636436373637373835653636343364386234336133353432643639663261663263
37633938313265363238633733353734393735613232613634336334316530626638633233616463
33393036366664313162323037343665363765346535666561653034636131326337323637366365
35626233323338663165373737316133623365623431356566393635376163646365356338636536
63653635373066323532313133336538666661326333626632386165323836643138373939646237
30636333663165306233303239333837313638666336613437336161346165316234393836306239
66316336333632313961343662393762613063616163663066313938303761356666623038663732
66393337386166306133663939333730396362306639636534663731303461343864343365333663
62366231613935306638343936313265643935376135313235303161373665353033363636373430
63643634316162636331386538323165306161383736373239366138323537393261393330376166
64616137656434666432323536396636343739383065393162653638366634326630343134343539
33656434383032623430383632323530356439623132393062623463396636653336636435313262
34656139373838336635636562333063613464383431313737643436333736393530393237373838
6137343965336430346665333437363937343762316539316631


@ -0,0 +1,73 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
31613761613563653331623437653961356132333436626235326637323338616239356365386365
6163663762373765346335356432346338336166313530300a306231626336343562306431386665
32663631633063396639306530363665333662303462386430386233666164643466323935653161
6533316462663339380a396161366266373831626530633765656632383432383139646631646135
33353031383434653235623832396266623731373035303636373037393736643739363438376235
65313061623462633431353833343465373765336435316562646338343236656435663436663131
37626530616238623766363261326661613462396564326532616232353961353661383039653233
61396365336362396665306633653565663430386337326662316265393039343766643737313363
33303332313266373061323563343132643337376338306166386230313337333834623561326434
65626138346639346133316636346631376432643938313261633563663531633439393666323336
39633131353265363261633663666339343532316661333764383134346437376361373334343739
64616130363766623761353130333564393231643964646539326139343431623938396431346563
66393233313631316436306161393937616132353237363738633362643062306662613233386637
36393665633864356134383432336439323431386536303762626439373464323634323766643063
63333132323836313430323632306566323361626634343336373731623934636632656433336161
62343734393266356163346566356435633135373037383738316265613164666134323864326165
64383037353165343332323736643366356563343932633036626636376663626136396631323262
66383337383339373563633030643431616132373631656234313566323861336135316233393165
65646534356166396666393237613463316566333730346362666338346564616564616639323238
30633666353661363337623633366438346237653037616636303466353137306136376431383431
38383463353964343739336261353738613135373966613133386437333235323535633336356465
38633530376234653131386564613762666463373833363033316436306131613334653535643031
64306332613563303365643936643633333732346137303132333331636237646365393432363066
33333631323335613563383865666134373236613564643363303061343361653139646463343730
37626136393139656130333065663266323032303264326361646333373838653930666364313363
35376639393063326261393261636435366337633336336136623066373135633738393836343832
36653031313434623034663535386138646136326462376239343239353864313734343130666236
66323566343565613330633261636163653564373432393364663539316663326633323339613261
61386538626333323935383564303231333633376239656136376535646534643031316565653837
62363630393639666562393033363964393363373462343438396633613037613837306566386630
38383262653434613731646335663139633138663135386233316234333661346230333264613361
36393035363933663631373739663061626366656437346461643732656133316165663236373539
37343431663330353437666366353230643631636237633334623566346639303630623363303431
30313234386434333538653661666435346133333364326166643139313666383365653066646635
61623565656432323936653436333337363139646335303764386330386238656562663964613537
35653630333435363437336237653961316663623962376565623062663162383064346266333834
30363665346166376233663039373236636461646337326135353964643163316665396665353931
36363435633834663639313731343431393936373264326532333662623234626437313732356663
30623731643266613733323037376235653731343430623530623062363434373633353963303965
35346664613534376130653237336235623165346132653963373033653837376563363431303839
37656665313566343363333638646365653232646462613166366635346565376538353836383333
30323064363561336239616266333966626230666137636335326364666263623435373761303738
64613033393135383836316430366166653638343031643937356135313438643836656264383764
64383761333531653535336363373532393033393232383130323030353064383132383562386132
64306333646530326637346338313234646231333861643961343432643961633164356562626539
31383531313436633731316334396236306331653232343338356134613736373164663362363262
36356135376265313663663264383736626533333361396435306235656335336135383435313866
34656664393035393366333330626634373763663762633735393862353339333761366430356633
32383265643139666637613365363765393964303731353937386638373065393265303337656232
33346434336631613466376134366233613963623163393439656634646466366134653932336239
38386539373637613835653533333031663266383866653265623433663132633938343536333964
66623561373966343862396630383636323862663937636562396231303662666335393931323034
63353934613731326631626334616264386135303031393239356537303962336639356262623534
31643739613831306461623436363638306663373562643535306630303464323662316566356232
38646237653464363338323638316436663939626365323662353162643636376432326161656430
30336366623134646361663134623633333933633666376337663164626232346435666238376139
63323266653966656135663062643233396331383639663030653361633966616563353266366633
30303864646133386363663138303063373135333233363332653433363636623161326264346133
38666634353466626666646133653433636533313136663434613230393335333530663533373131
35613861666439363731653138643332346332326562376666323766663134636564623838366634
32623165346133333065393136383138303065663362613036353432373666343038653536306666
63386631656137333037303034306636666333373437376666396238623866393338333637343438
64646361383766613936323162353764636636303238303533373632336162646338383834363530
65343631636134333737613535386365646632643532323364323336393465633339323836333636
63656234373837346438383963363766346465643531383364333435313666616662643264316334
34623839396465643833643164386234333838363731396535646434313832343466373337663134
35373065633866363262373231383765373837643538643661366538326632643065383263313164
34323530636462393565663732373238346235303638613638653932396361663139303735373330
35366332316238343536646138376432316138306634616364373364303830303162353939643737
33353333353930636163636130393833376436353939323361623532313336643561613239396164
39393165326565326539356462333063323662646432626364386362646231353161613830316462
62653630313461393137


@ -0,0 +1,60 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
65326565323064646166366638346639363264353665633833626538326635363438313432353836
6431376464323662666665626231343138376334363564380a646535626362386531393262383364
34636430343431623432373231313461626638633061393265383231336162316663333763303066
6165656436393561390a633336616631623334616536356163643362383634653839373532316133
36623231313934623066316439663466666164323266613466323234623137666333613265366432
34356561336164326330363237623037613434326366356335356639626635653166333630613162
62333734666135353836613332363037303537373839303939323531346138366465316365626437
32633031323332386130656431323636666333663333396462336137353261613866353163393937
62383266663261316539616361656130366535656664616565353164633535366635373234643734
35383333376434363634386536643431356637633664653034306664656566616665616130366335
31353037646631653066616230666161313032356663366432346331363964643132376464336339
37643631666264353733396464613332643161613031636164333935626666323135373638653330
37343036613439633738643732313361386131633630366236663466353562666235323365643436
36393731333363373165636666326336663537366365333232623962346238656566336232323039
66646637363461393734613162373561663637323366363538623061653738313234663931646465
37613630363863633663326466393339643564646666346538386430616336323361373935313661
32373432643265353336623231666636366265326332343933343634363737306362663738353930
36386435343931646232343438336237356335316130663663373862616365643561393136376163
61363534623464346338383036376666336631353537333862643737663634366664663463633764
65643430373130666230376337333064653362663834616131633334306138316331666262653539
65646234333563383532363362653766306239363334666432643032396236396335336539323362
34396334333630373735316630323931666331616636366235663535613938613061313065613361
37646138363039633466336138373036393930613431353535616434393962316264643265343934
62373133623066646332323934363862363237353637363533386565636330323561306232636434
35333062396130323837646437373633636332393935383161373038623266363138386535396561
33313164333236373739663065316238306461383634396435316330393161333965333865613139
36353836386464646662646635393463366364663739623661323934396665626632663635643130
34336563383030366164376465356132643166396239396662383930643866373166313735626462
37386230396465663933643361316239323337646235643865336466633139373236303465653364
39623063343264313135623631316334623465356234316133323066656330626138653436343531
34633035353834636132306236613930353634616366373865373835656162336661326466383861
35313139336539656364616437633433643262343338353439636362383039346636623838343031
63303132356466323538323761393463656661303032353062316434393831336461633133313331
31613535333761303234373533363931393763396335643666323565336237656366326366613961
39353761613932653536333830313163343136363665326336393964643363333963613633333733
39616131663635376263396630656333326237383537656363326236373237376465653030383661
34333263383466363735393565653038333536343466663865333036633637323562623731626632
30663166303732633230653132323637653464353766373636653064666663393537643232633538
64313333343335333362323164336562623233643764383264646136363666653630666535356366
66376234316338356161383935353738303936353261323031313730313438666665306138333232
32613039393134396333396561373639323735643531323034323164653737613765393565643637
62313666663132316261363730643032373430386633323565633938313534613936303461343434
64393435333538373062656330616632653635393935656236633335356334343132353130636463
31343033303166313031363365313265396333333736346536616632356134633432373739323765
36626566366138333930623032366165306438383334396663323864643765663034316534316162
65383366373161363831343562376136636166616362356338656532663339616661326230343830
31666536313134643231623535383632393463313232356331653836306437313734396433323864
39333731323634396461613262343434366636386238346262646566333331383566646239633938
63646139613766316230326466303431656530646666343864333964356164303338666630633631
39346566646439313433323532303237346633663733343030653263303436363936313139653130
39653035383436633164383936313331303363346635373338373839303263656136646132343834
35393662373138316664393335303736383830393663366361353266353536353339643232353338
62373733656636636563353361666133666564656538363632656165666534626533303335353138
33613837373964633864373463656534663666666364326161323133376336303738666563656434
37356234373566623430323134363061623538616262646166323231336637356365653961323565
61366565613362306465646663303666366432626139393939653039613434656466343739336139
37383363313036646539323538343535363233393962306533336230633838333966396561386665
38333736336638386639666665316533326133373531353763396636633537336636313565633438
623461306536663830613562636530353562


@ -0,0 +1,74 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
35396639666234633461333531626364376563383431323731303635373430316461363663653631
3337383338633430313464613230613236626163663265380a326465326465613732323533666133
63363565353539303237313933396337383165363635356165363839326132363539376362323335
6365303938626536630a643830653265343732376266383465653633356436623366656338336330
65633665373163653738396566353839646636366635633739303930383364386433383163353130
31326564643435623130643535313163616331386263346232626564353530666334643964363034
64373965376237366465653263656234373163663134633932346131626530303739393664386532
64303561626631656134346664636335333130313765666364336436313466353131396562323737
35336434366164656261323562313532643564613966636363323434343430393739363665653231
66353636313466663066303936373439333831623736663361323632303461643136336466383737
66313130376465363337373339336262613839626161393932353532646161323739653962616531
64633763303336613630363361366631353965353239323438393765396161323337396235303863
34393565636466383163326239353530323161613065616436663934313238626233653938663436
34386633336462323839333630646236306138383938303339343838646464336462666330636531
63363163343130396636636662323963306332373131396139376430376263363663616464386565
38333736303362643636643836633166336163626238306538333466363263626430653835363962
33626234356461623265336465633831613066343138653564323461343533333937356534653930
66383631333834643263336432363438383761353962343931646466386134343166353837353731
38336565626565626637626136303161363661333963323539353834613330316437643438343038
33356532333031666139396138303935316562346563303430353034393735306364323636313861
37643137663733643530373165366535353135316237653264333839386431646139663233356534
38353861616135643434303165313562356337646237613235356137616365376361356136316262
32653834363262313039363734323231636331366464646337613539336364303962313538313630
35323135303762313739393936323834396436353462653533346135383162663937316364303732
38626633616238343735656537323737613432313831616565336162646330366235303962343163
61613136383635313036386666346439623066303937616263666138626335616565373332353437
33643237613534353164383837306632343834336335643738613664356331333661373933636162
32626437396234366338363337616561333063326335643036656139663838303434646333323131
35383764363332326133643136616565373933316430646434393935616363386237373463383761
64653761363233313232666134623936336137396366356164653366303563303031623333353231
64316336316537383034386665326665393661393966323137363161643131323933633435653365
36643964616131336364326465326130326431616665313032373931393462383532663132343361
61396335386461396339653064363231366337656337386536636231303734643161323539363535
62343165366363393565323163653534623864343434346535623733303333636134636666663834
64323661646335646638393864613535386134626431396564353662656337316261336366393935
62343231633239356633323533633263633338363834363234343130376633653164343133306635
66316562313263643331323062633336643937356530343062653666343564343730386338303932
33366337666336616236373339616662363765343963343731313938333535626330636339333461
37363230626164623933323137373137376439333661663161346231313561363639653937383765
61353437313765356362633135643833353830623136306334663838323063623564343461356235
35363836303466646466306463333432326461653638346531346361363562333835366531386561
35366461646335643038376161663636386462623862636361363564333234363837646362393939
63363962333135633232626632396231646334353364383963313733643964616232336233643364
63353432326362383864663031633336653838333665363132626536393639326663363761666565
61396530363463633338323732353263326666323130396465323339323966343334643139623233
64343765373930356631333539626237636232663234313937666265623539636238346536336361
37313232663434616638326165616633343735636366616661396634363662613234313636366663
33663962646665643938363636613063366464616665643466663637323565633038653966633130
61303630333636346338313933363137376230363831323831646163303334373661393861313864
31393938323232386533323536333237383764313036623163356434616234666233626539333235
34303164343137643732393364633263626530666662653334386365636663646535646262363065
37323237663366396231636432633836333166313438353531643734373963636438623464326163
35316433613731383735313432303230383662383865313235613137313730313931386466373165
36356535396462383063343334383538373765653638396638373031396638343236383663633732
39333636373935616663343362343530346166383035386463396134363161393636636333316536
66633932613236323464613538316665633733616334396465613734313534396136623066326665
36643838386564376566346337666162613062356530376438386166653531633038373464323663
34393237613363393965393037323034343632316431323233343732626263343261626339336463
37316233343263353334616535613462353265393738333637656564323939303664323162623564
36333135633038393637313732323233383831353465376465653866633534333039356339613536
39626462313066336262373031656635643266363039666630653734356462393436363165653766
39343361623364656362636163343662323834653264616532323432666165663364336231343532
30633136366361643633336562356131316435313862383164636164666632633339643262323662
38353463303238646137663738316537333961653938666432373936633061383861656137373663
65376535313336313939643861643631373330303136623237616434336337346637303839623932
38373835666335373237666163383162333632303138333132396535666161636438353266303833
37393665643130383834643131616463326361313764633738363835386165333231633966323764
62366132633637386439633832663331386139323537366232346261663432616635313262373133
62383761646634343062613765386335616132626664363833373935313862323036646339623133
31326635393834383034346661323366656331643164353533323463376464333839393861306135
62643433636433336566623034383232386333636533316564383238333962623465393334623462
66633665626438643439383733346265646339356565383735323635323132633266353836326463
6664


@ -0,0 +1,15 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
32643663326666316663626638303839353966356532333066313561656234393139656333346438
3961633439383530323266323933303866656362306363630a333034666135303430363435656231
30353630643162326664383232613161376137653638396363343735306336656432623766386638
3832333632353536320a383365363037343161623364303837666238306336376463346236396566
34323666383935363737656632666532383435626132313534393437383162663232623534336664
64383839656561333064346536376561333666356535366232383636663665666464336462636161
32363964613332353735336164646363643430656330653635616663656263353837313232633838
36666165613530653832313538306434643862313161663662323434343236306666656634393261
31303039343363323638333434383765633362353365666264646564323436386335663435363635
35336162346635333062613639663434666339343662656465326439656533646262396436326631
66303539363365323133336633373431353065613935616638343831326435623832616136313731
30663863656465396139303931366565326362303036303761326132383164393361623664386566
35316335383036393539386663343638366262666139373232636561383135333963313365386566
6162666432623037666433636663643262316264323061363961

47
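--- a/ansible/inventory.yaml
+++ b/ansible/inventory.yaml
@@ -0,0 +1,47 @@
+---
+all:
+hosts:
+host.nc.chaoswg.org:
+ansible_user: core
+network_interface: ens3
+network_ipv6_addr: "2a03:4000:4f:9f2::1"
+wg_addr: 10.1.0.1
+mon1.hel1.chaoswg.org:
+ansible_user: core
+network_interface: ens3
+network_ipv6_addr: "2a03:4000:65:f3b::1"
+wg_addr: 10.1.0.2
+thonkpad.ka.chaoswg.org:
+ansible_user: core
+network_interface: ens3
+wg_addr: 10.1.0.3
+infra.unruhig.eu:
+ansible_user: core
+network_interface: ens3
+network_ipv6_addr: "2a03:4000:9:176::1"
+wg_addr: 10.1.0.4
+# localhost:
+# ansible_interpreter_python: ./ENV/bin/python
+# ansible_connection: local
+vars:
+service_base: "{{ playbook_dir }}/services"
+wg_keepalive: 30
+ansible_ssh_extra_args: "-o UserKnownHostsFile=./known_hosts"
+children:
+unprovisioned:
+hosts:
+# host.nc.chaoswg.org: null
+backup:
+hosts:
+host.nc.chaoswg.org: null
+thonkpad.ka.chaoswg.org: null
+mon1.hel1.chaoswg.org: null
+infra.unruhig.eu: null
+monitoring:
+hosts:
+mon1.hel1.chaoswg.org: null
+network_config:
+hosts:
+host.nc.chaoswg.org: null
+mon1.hel1.chaoswg.org: null
+infra.unruhig.eu: null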
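Review bot: The `ansible_ssh_extra_args` value under `vars` points ssh at `./known_hosts`, a path that is presumably resolved against the directory the playbook is launched from, so after this move into `ansible/` the host-key pinning only applies when the run starts in that directory. Started from anywhere else, ssh would look at a file that does not exist and every pinned host would count as unknown, leaving the outcome to the caller's ssh and Ansible host-key-checking defaults. Anchoring the path to the inventory and making the check explicit closes that gap: `ansible_ssh_extra_args: "-o UserKnownHostsFile={{ inventory_dir }}/known_hosts -o StrictHostKeyChecking=yes"`. A one-line comment above it, `# host keys are pinned in known_hosts next to this inventory`, would also tell the next maintainer where to update keys after a host is rebuilt.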

12
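--- a/ansible/known_hosts
+++ b/ansible/known_hosts
@@ -0,0 +1,12 @@
+thonkpad.ka.chaoswg.org ssh-rsa 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
+thonkpad.ka.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDq68XLq1mlFsHDfa1mlpNJZ83wCR3ZO5C/fkNe+kVwG9apKmGdCaAWZs9n1MKe08maSLf5Dx01B+m79+l9KrKQ=
+thonkpad.ka.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOY8bK8R5aUnXr/8vxZ6NSznTNGcTu4iQJJo5GYVXflR
+host.nc.chaoswg.org ssh-rsa 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
+host.nc.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE+xbsYUu5fNjUZuJMER9VMx7aPCPCVcZvBpnNjxySRrkUSOgLV6n2IYj+aTfrxT3sCJFzkXzNS8R25Fyqw53WE=
+host.nc.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfZWpJz8JiM6F5zXcUg9K7OsCx0UbrK4z9sijpmUn3F
+mon1.hel1.chaoswg.org ssh-rsa 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
+mon1.hel1.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGUIZFzyXd6QAA4Xn+SikYIdfZ+c2R4aFXCY6/Gh2oZGjpq4xtHLw7AFyadnC1UGVNNINNJY1FLfgbavIkeh6M=
+mon1.hel1.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsSgW6MyvR0YJWn61UZLG8hgj/ewvlRqiHIZDAkYDtV
+infra.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAcuxMyUl5L/gs1+hqrtz1ywzWo4DiuwUGaPyMgCSZbReAFZ6LVmmMwllKJyF6IhEDhvMckNxraMtLQHLA7kyDY=
+infra.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdD0VzFKRzUJ9lZQ7viRY3jJKB6LTUdLintKDHzvdjG
+infra.unruhig.eu ssh-rsa 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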

24
ansible/playbook.yaml Normal file

@ -0,0 +1,24 @@
---
- name: Wait for hosts to be ready
hosts: all
gather_facts: false
tasks:
- name: Wait for system to become reachable
wait_for_connection:
timeout: 300
sleep: 10
- name: gather facts
ansible.builtin.setup:
gather_subset: all
- name: Common
ansible.builtin.import_playbook: plays/common.yaml
- name: host.nc.chaoswg.org
ansible.builtin.import_playbook: plays/vps.yaml
- name: mon1.hel1.chaoswg.org
ansible.builtin.import_playbook: plays/monitoring.yaml
- name: thonkpad.ka.chaoswg.org
ansible.builtin.import_playbook: plays/thonkpad.yaml
...

294
ansible/plays/common.yaml Normal file

@ -0,0 +1,294 @@
- name: Setup SSH Config
hosts: all
become: true
become_user: root
tags:
- setup_ssh
- setup
tasks:
- name: Authorized_keys dir present
ansible.builtin.file:
state: directory
path: /etc/ssh/authorized_keys
owner: root
group: root
mode: '0755'
- name: Deploy CI SSH-Key
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
state: present
manage_dir: false
path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/2H7n27J7/xFAyQpE7r29UxTP5jttLRe6RhAC/Ndam drone-deploy"
- name: Deploy Common SSH-Keys
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
state: present
manage_dir: false
path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
key: "{{ item }}"
loop: "{{ common.ssh.authorized_keys }}"
- name: Ensure authorized_keys ownership
ansible.builtin.file:
state: directory
path: /etc/ssh/authorized_keys
owner: root
group: root
mode: "u=rwX,g=rX,o=rX"
recurse: true
- name: Configure sshd
ansible.builtin.template:
src: 'sshd_config.j2'
dest: '/etc/ssh/sshd_config.d/99-override.conf'
owner: root
group: root
mode: '0600'
- name: Remove Keys Config
ansible.builtin.file:
state: absent
path: /etc/ssh/ssh_config.d/40-ssh-key-dir.conf
- name: Setup Networks
hosts: network_config
become: true
become_user: root
tasks:
- name: Setup wired interface
ansible.builtin.template:
src: "connection.nmconnection.j2"
dest: "/etc/NetworkManager/system-connections/Wired Connection 1.nmconnection"
owner: root
group: root
mode: '0600'
notify: Restart Network
- name: Setup DNS
ansible.builtin.lineinfile:
path: /etc/systemd/resolved.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: Restart systemd-resolved
loop:
- regexp: "^DNS="
line: "DNS=1.1.1.1"
- regexp: "^FallbackDNS="
line: "FallbackDNS=8.8.8.8"
handlers:
- name: Restart Network
ansible.builtin.systemd:
name: NetworkManager.service
state: restarted
- name: Restart systemd-resolved
ansible.builtin.systemd:
name: systemd-resolved.service
state: restarted
- name: Backup
hosts: backup
become: true
become_user: root
tasks:
- name: Install backup script
ansible.builtin.template:
src: backup.sh.j2
dest: /root/backup.sh
mode: '0700'
owner: root
- ansible.builtin.file:
path: /root/.ssh
owner: root
state: directory
mode: '0700'
- name: Install SSH Keys
ansible.builtin.template:
src: storagebox.j2
dest: /root/.ssh/storagebox
mode: '0600'
owner: root
- name: Add Known Hosts entries
ansible.builtin.known_hosts:
path: "/root/.ssh/known_hosts"
name: "{{ backup.known_hosts.name }}"
key: "{{ backup.known_hosts.key }}"
- name: Restore from Backup
hosts: backup
become: true
become_user: root
gather_facts: true
tasks:
- name: Check if restore is needed
ansible.builtin.stat:
path: "/etc/setup_complete"
register: setup_complete
- block:
- name: Install restore script
ansible.builtin.template:
src: restore.sh.j2
dest: /root/restore.sh
mode: '0700'
owner: root
- name: Setup ssh directory
ansible.builtin.file:
path: /root/.ssh
owner: root
state: directory
mode: '0700'
- name: Install SSH Keys
ansible.builtin.template:
src: storagebox.j2
dest: /root/.ssh/storagebox
mode: '0600'
owner: root
- name: Add Known Hosts entries
ansible.builtin.known_hosts:
path: "/root/.ssh/known_hosts"
name: "{{ backup.known_hosts.name }}"
key: "{{ backup.known_hosts.key }}"
- name: Restore from Borg
become: true
become_user: root
ansible.builtin.command:
chdir: /
cmd: bash /root/restore.sh
- name: Remove script from host
ansible.builtin.file:
path: /root/restore.sh
state: absent
- name: Mark setup as complete
ansible.builtin.file:
path: "/etc/setup_complete"
state: touch
owner: root
group: root
mode: 0600
when: not setup_complete.stat.exists
- name: Setup Registry credentials
hosts: all
tasks:
- ansible.builtin.file:
path: /home/core/.docker
owner: core
state: directory
mode: '0700'
- ansible.builtin.template:
src: docker-config.json.j2
dest: /home/core/.docker/config.json
mode: '0600'
owner: core
- name: Setup Docker Config
hosts: all
become: true
become_user: root
tasks:
- name: Template Config
ansible.builtin.template:
src: "docker-daemon.json.j2"
dest: /etc/docker/daemon.json
owner: root
group: root
mode: '0600'
notify: Restart Docker
- name: Setup default ulimts
ansible.builtin.lineinfile:
path: /etc/sysconfig/docker
search_string: '--default-ulimit nofile='
line: ' --default-ulimit nofile=4096:4096 \'
notify: Restart Docker
- name: Remove log-driver from sysconfig
ansible.builtin.lineinfile:
path: /etc/sysconfig/docker
search_string: '--log-driver='
state: absent
notify: Restart Docker
- name: Restart Docker if necessary
meta: flush_handlers
handlers:
- name: Restart Docker
ansible.builtin.systemd:
state: restarted
name: docker.service
- name: Setup internal networks
hosts: all
tasks:
- name: Setup network
community.docker.docker_network:
name: "{{ item }}"
internal: true
loop: "{{ docker.internal_networks | default([]) }}"
- name: Setup Push Monitoring
hosts: all
tags:
- never
- setup_monitoring
- setup
tasks:
- name: Login to Kuma
delegate_to: localhost
check_mode: false
lucasheld.uptime_kuma.login:
api_url: "{{ kuma.api_url }}"
api_username: "{{ kuma.api_username }}"
api_password: "{{ kuma.api_password }}"
register: kumalogin
- name: Create Kuma Monitor
delegate_to: localhost
check_mode: false
lucasheld.uptime_kuma.monitor:
api_url: "{{ kuma.api_url }}"
api_token: "{{ kumalogin.token }}"
name: "{{ inventory_hostname }}"
description: "Managed by Ansible"
type: push
interval: 330
maxretries: 2
notification_names:
- "Kuma Statusmonitor"
state: present
- name: Obtain Kuma Push Token
delegate_to: localhost
check_mode: false
lucasheld.uptime_kuma.monitor_info:
api_url: "{{ kuma.api_url }}"
api_token: "{{ kumalogin.token }}"
name: "{{ inventory_hostname }}"
register: monitor
- name: Check if user is lingering
stat:
path: "/var/lib/systemd/linger/{{ ansible_user }}"
register: user_lingering
- name: Enable lingering for user if needed
command: "loginctl enable-linger {{ ansible_user }}"
when:
- not user_lingering.stat.exists
- name: Create systemd config dir
file:
state: directory
path: "/home/{{ ansible_user }}/.config/systemd/user"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0755'
- name: Copy Push Monitor Service and Timer
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/home/{{ ansible_user }}/.config/systemd/user/{{ item }}"
mode: '0600'
owner: "{{ ansible_user }}"
vars:
monitor_url: "{{ kuma.api_url }}/api/push/{{ monitor.monitors[0].pushToken }}?status=up&msg=OK"
loop:
- heartbeat.service
- heartbeat.timer
- name: Enable timer
ansible.builtin.systemd:
scope: user
name: heartbeat.timer
state: started
enabled: true
masked: false
daemon_reload: true
- name: Setup Infrastructure Wireguard
tags:
- setup
- setup_wireguard
- setup_vpn
ansible.builtin.import_playbook: vpn.yaml
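Review bot: The `Remove Keys Config` task deletes `/etc/ssh/ssh_config.d/40-ssh-key-dir.conf`, which is the client-side drop-in directory, while the rest of the play configures the daemon under `/etc/ssh/sshd_config.d/`; this looks like a typo and the task is probably a no-op. If the aim is to stop sshd from honouring keys outside `/etc/ssh/authorized_keys/`, the line should read `path: /etc/ssh/sshd_config.d/40-ssh-key-dir.conf`, and both it and `Configure sshd` need a `notify:` to a handler that reloads sshd, since neither task triggers one today. Separately, in the restore block `Remove script from host` only runs when `bash /root/restore.sh` succeeds; moving that task into an `always:` section keeps a failed restore from leaving the templated script, which presumably carries repository credentials, in `/root`. The tasks that template `storagebox.j2` would also benefit from `no_log: true` so a `--diff` run does not print the private key.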

15
ansible/plays/infra.yaml Normal file

@ -0,0 +1,15 @@
- name: Setup Infra Meta Host
hosts: infra.unruhig.eu
gather_facts: false
vars:
state: running
base_domain: "tobiasmanske.de"
roles:
- {role: compose_project, service: traefik}
- {role: compose_project, service: keycloak}
# - {role: compose_project, service: db} # database used for terraform state
# - {role: compose_project, service: monitoring-stack} # mimir, loki, grafana
- {role: compose_project, service: pantalaimon}
- {role: compose_project, service: watchtower}
# vim: ft=yaml.ansible


@ -0,0 +1,30 @@
- name: Base Setup Monitoring
hosts: mon1.hel1.chaoswg.org
vars:
state: running
roles:
- {role: compose_project, service: traefik}
- {role: compose_project, service: pantalaimon}
- {role: compose_project, service: watchtower}
- name: Setup Monitoring Kuma 1
hosts: mon1.hel1.chaoswg.org
vars:
state: running
roles:
- role: compose_project
service: kuma
vars:
service_name: "tobias"
urls:
- "status.tobiasmanske.de"
- "monitor.chaoswg.org"
- name: Setup Monitoring Kuma 2
hosts: mon1.hel1.chaoswg.org
vars:
state: running
roles:
- role: compose_project
service: kuma
vars:
service_name: "istannen"
urls: ["monitor.ialistannen.de"]


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=gitlab-ba


@ -0,0 +1,39 @@
---
version: "3.4"
services:
dind:
image: docker:dind
restart: unless-stopped
privileged: true
volumes:
- /lib/modules:/lib/modules:ro
environment:
DOCKER_TLS_CERTDIR: ""
networks:
- backend
- default
runner:
image: gitlab/gitlab-runner:alpine
restart: unless-stopped
depends_on:
- dind
networks:
- default
- backend
volumes:
- runner_cfg:/etc/gitlab-runner:z
environment:
- DOCKER_HOST=tcp://dind:2375
- CI_SERVER_URL={{ ba_gitlab_runner.server }}
- REGISTRATION_TOKEN={{ ba_gitlab_runner.token }}
volumes:
runner_cfg:
networks:
backend:
internal: true
...
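Review bot: The `dind` service runs with `privileged: true` and `DOCKER_TLS_CERTDIR: ""`, so the Docker API at `tcp://dind:2375` is plaintext and unauthenticated, and whatever can reach that port controls a privileged container. The service is attached to both `backend` and `default`, and CI job containers started inside it may be able to reach the same endpoint, so isolation rests on network placement alone. I would keep TLS enabled by setting `DOCKER_TLS_CERTDIR: /certs`, sharing the generated client certificates with `runner` through a volume, and pointing the runner at `DOCKER_HOST=tcp://dind:2376` with `DOCKER_TLS_VERIFY=1`. The gitea-runner compose file later in this commit repeats the pattern (`--tls=false`, `DOCKER_HOST=tcp://dind:2375`) and needs the same change. `REGISTRATION_TOKEN` is only needed while registering, so it does not have to stay in the long-running container's environment.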


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=blog


@ -0,0 +1,13 @@
---
version: "3.4"
services:
tobiasmanske.de:
image: registry.tobiasmanske.de/tobiasmanske.de:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.tobiasmanskede.rule=(Host(`tobiasmanske.de`) || Host(`www.tobiasmanske.de`)) && !PathPrefix(`/{path:(_matrix|_synapse|.well-known/matrix|.well-known/openpgpkey)}/`)"
- "traefik.http.routers.tobiasmanskede.entryPoints=websecure"
- "traefik.http.services.tobiasmanskede.loadbalancer.server.port=80"
restart: always
...


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=caddy


@ -0,0 +1,14 @@
{
auto_https off
}
{% for rule in redirect.hosts %}
http://{{ rule.from }} {
{% if rule.keepUri %}
redir https://{{ rule.to }}{uri} permanent
{% else %}
redir https://{{ rule.to }} permanent
{% endif %}
}
{% endfor %}


@ -0,0 +1,15 @@
---
version: "3.4"
services:
redirect:
image: caddy:2
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro,z
labels:
- "traefik.enable=true"
- "traefik.http.routers.caddyredir.rule={{ redirect.hosts | map(attribute='from') | map('regex_replace', '^(.*)$', 'Host(`\\1`)') | join(' || ') }}"
- "traefik.http.routers.caddyredir.entryPoints=websecure"
- "traefik.http.services.caddyredir.loadbalancer.server.port=80"
restart: always
...


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=diun


@ -0,0 +1,19 @@
watch:
workers: 20
schedule: "0 */6 * * *"
firstCheckNotif: false
notif:
matrix:
homeserverURL: http://pantalaimon:8008
user: "{{ diun.matrix.user }}"
password: "{{ diun.matrix.password }}"
roomID: "{{ diun.matrix.roomID }}"
msgType: notice
templateBody: |
{% raw %}Docker tag {{ if .Entry.Image.HubLink }}[**{{ .Entry.Image }}**]({{ .Entry.Image.HubLink }}){{ else }}**{{ .Entry.Image }}**{{ end }} which you subscribed to through {{ .Entry.Provider }} provider {{ if (eq .Entry.Status "new") }}is available{{ else }}has been updated{{ end }} on {{ .Entry.Image.Domain }} registry.
{{ if and (eq .Entry.Status "new") (eq .Entry.Image "docker.io/jitsi/web") }}See https://github.com/jitsi/docker-jitsi-meet/releases/tag/{{ .Entry.Image.Tag }}{{ end }}{% endraw %}
providers:
file:
filename: /watch.yml


@ -0,0 +1,29 @@
---
version: "3.4"
services:
diun:
image: crazymax/diun:latest
container_name: diun
command: serve
volumes:
- "data:/data"
- "./diun.yml:/diun.yml:ro,Z"
- "./watch.yml:/watch.yml:ro,Z"
environment:
- "TZ=Europe/Berlin"
- "LOG_LEVEL=info"
- "LOG_JSON=false"
restart: always
networks:
- default
- pantalaimon
volumes:
data:
networks:
pantalaimon:
external: true
...


@ -0,0 +1,6 @@
- name: docker.io/jitsi/web
watch_repo: true
notify_on:
- new
include_tags:
- ^stable-\d+


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=gitea-runner


@ -0,0 +1,44 @@
---
version: '3.9'
services:
dind:
image: docker:dind
restart: unless-stopped
privileged: true
volumes:
- /lib/modules:/lib/modules:ro
environment:
DOCKER_TLS_CERTDIR: ""
command:
- '--tls=false' # Do not force TLS; note that this service is NOT exposed to the internet
networks:
- backend
- default
drone_runner:
image: drone/drone-runner-docker:1
restart: always
environment:
- "DOCKER_HOST=tcp://dind:2375"
- "DRONE_LIMIT_MEM=8192000000"
- "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
- "DRONE_RPC_HOST=drone.tobiasmanske.de"
- "DRONE_RPC_PROTO=https"
- "DRONE_RUNNER_CAPACITY={{ gitea.drone.runner_capacity }}"
- "DRONE_RUNNER_NAME={{ gitea.drone.runner_name }}"
{% if gitea.drone.runner_labels is defined %}
- "DRONE_RUNNER_LABELS={{ gitea.drone.runner_labels | join(',') }}"
{% endif %}
- "DRONE_RUNNER_CLONE_IMAGE=drone/git:linux-amd64"
- "DRONE_RUNNER_VOLUMES=/etc/hosts:/etc/hosts"
depends_on:
- dind
networks:
- backend
- default
networks:
backend:
internal: true
...


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=gitea


@ -0,0 +1,89 @@
---
version: '3.9'
services:
gitea:
image: gitea/gitea:1
container_name: gitea
environment:
- "USER_UID=1000"
- "USER_GID=1000"
- "GITEA__database__DB_TYPE=postgres"
- "GITEA__database__HOST=db:5432"
- "GITEA__database__NAME={{ gitea.db.name }}"
- "GITEA__database__USER={{ gitea.db.user }}"
- "GITEA__database__PASSWD={{ gitea.db.password }}"
- "GITEA__webhook__ALLOWED_HOST_LIST=*.tobiasmanske.de"
- "GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true"
- "GITEA__service__DISABLE_REGISTRATION=true"
restart: always
networks:
- default # mirror service needs internet
- backend
volumes:
- gitea_data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`git.tobiasmanske.de`)"
- "traefik.http.routers.gitea.entryPoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
ports:
- "7779:22"
depends_on:
db:
condition: service_healthy
db:
image: postgres:14
restart: always
environment:
- "POSTGRES_USER={{ gitea.db.user }}"
- "POSTGRES_PASSWORD={{ gitea.db.password }}"
- "POSTGRES_DB={{ gitea.db.name }}"
networks:
- backend
volumes:
- pg_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
drone:
image: drone/drone:2
restart: always
environment:
- "DRONE_GITEA_SERVER=https://git.tobiasmanske.de"
- "DRONEC_COOKIE_SECRET={{ gitea.drone.cookie_secret }}"
- "DRONE_GITEA_CLIENT_ID={{ gitea.drone.client_id }}"
- "DRONE_GIT_ALWAYS_AUTH=true"
- "DRONE_GITEA_CLIENT_SECRET={{ gitea.drone.client_secret }}"
- "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
- "DRONE_SERVER_HOST=drone.tobiasmanske.de"
- "DRONE_SERVER_PROTO=https"
- "DRONE_IMAGE_CLONE=openjdk:17-bullseye"
- "DRONE_USER_CREATE=username:tobias,admin:true"
networks:
- backend
volumes:
- drone_data:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.drone.rule=Host(`drone.tobiasmanske.de`)"
- "traefik.http.routers.drone.entryPoints=websecure"
- "traefik.http.services.drone.loadbalancer.server.port=80"
depends_on:
- gitea
networks:
backend:
internal: true
volumes:
gitea_data:
drone_data:
pg_data:
...
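Review bot: `DRONEC_COOKIE_SECRET` in the `drone` service environment looks like a typo for `DRONE_COOKIE_SECRET`, so Drone never receives `gitea.drone.cookie_secret` and, as far as I know, falls back to a cookie-signing key generated anew at each start. The line should read `- "DRONE_COOKIE_SECRET={{ gitea.drone.cookie_secret }}"`. The database password, OAuth client secret and RPC secret are all rendered into this file as plain environment values, so the task that writes the compose file should set a restrictive mode; that task is outside this hunk.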


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=hedgedoc


@ -0,0 +1,79 @@
---
version: '3'
services:
database:
image: postgres:13-alpine
environment:
- POSTGRES_USER={{ hedgedoc.db.user }}
- POSTGRES_PASSWORD={{ hedgedoc.db.password }}
- POSTGRES_DB={{ hedgedoc.db.name }}
volumes:
- database:/var/lib/postgresql/data
restart: always
networks:
- backend
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.3
environment:
- CMD_DB_URL=postgres://{{ hedgedoc.db.user }}:{{ hedgedoc.db.password }}@database:5432/{{ hedgedoc.db.name }}
- CMD_DOMAIN=doc.tobiasmanske.de
- CMD_ALLOW_ORIGIN=doc.tobiasmanske.de,localhost
- CMD_CSP_ENABLE=true
- CMD_PROTOCOL_USESSL=true
- CMD_PROTOCOL_USE_SSL=true
- CMD_ALLOW_EMAIL_REGISTER=false
- CMD_ALLOW_ANONYMOUS=false
- CMD_ALLOW_ANONYMOUS_EDITS=true
- CMD_ALLOW_FREEURL=true
- CMD_DEFAULT_PERMISSION=private
- CMD_SESSION_SECRET={{ hedgedoc.cmd.session_secret }}
- CMD_OAUTH2_CLIENT_ID={{ hedgedoc.cmd.client_id }}
- CMD_OAUTH2_CLIENT_SECRET={{ hedgedoc.cmd.client_secret }}
- CMD_OAUTH2_AUTHORIZATION_URL={{ hedgedoc.cmd.authorization_url }}
- CMD_OAUTH2_SCOPE=openid email profile
- CMD_OAUTH2_TOKEN_URL={{ hedgedoc.cmd.token_url }}
- CMD_OAUTH2_USER_PROFILE_URL={{ hedgedoc.cmd.user_profile_url }}
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
- CMD_OAUTH2_PROVIDERNAME=Keycloak
- CMD_IMAGE_UPLOAD_TYPE=minio
- CMD_MINIO_ACCESS_KEY={{ hedgedoc.cmd.s3.access_key }}
- CMD_MINIO_SECRET_KEY={{ hedgedoc.cmd.s3.secret_key }}
- CMD_MINIO_ENDPOINT={{ hedgedoc.cmd.s3.endpoint }}
- CMD_MINIO_PORT={{ hedgedoc.cmd.s3.port }}
- CMD_MINIO_SECURE={{ hedgedoc.cmd.s3.secure }}
- CMD_S3_BUCKET=hedgedoc
- CMD_S3_FOLDER=uploads
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.hedgedoc.rule=Host(`doc.tobiasmanske.de`)"
- "traefik.http.routers.hedgedoc.middlewares=deny-metrics@file"
- "traefik.http.routers.hedgedoc.entryPoints=websecure"
- "traefik.http.services.hedgedoc.loadbalancer.server.port=3000"
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=3000"
depends_on:
database:
condition: service_healthy
networks:
- backend
- metrics
volumes:
database:
networks:
backend:
internal: true
metrics:
external: true
...
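Review bot: `CMD_DB_URL` interpolates `hedgedoc.db.password` into a URL without escaping, so a password containing `@`, `/`, `:` or `#` produces a connection string that parses differently from what was intended; use `{{ hedgedoc.db.password | urlencode }}` there, and the same filter for the user. `CMD_PROTOCOL_USE_SSL=true` is not a variable I recognise for HedgeDoc 1.x, whereas `CMD_PROTOCOL_USESSL` on the line above is the documented one, so the duplicate can be dropped. `CMD_ALLOW_ORIGIN` still lists `localhost`, which is worth removing on a production host unless something depends on it.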


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=keycloak


@ -0,0 +1,54 @@
---
version: '3.9'
services:
postgres:
image: postgres:15
restart: always
environment:
- "POSTGRES_DB={{ auth.db.name }}"
- "POSTGRES_USER={{ auth.db.user }}"
- "POSTGRES_PASSWORD={{ auth.db.password }}"
volumes:
- pg_data:/var/lib/postgresql/data
networks:
- backend
healthcheck:
test: ["CMD-SHELL", "pg_isready", "-U", "keycloak"]
interval: 10s
timeout: 5s
retries: 5
keycloak:
image: registry.tobiasmanske.de/keycloak:main
command: start
depends_on:
postgres:
condition: service_healthy
environment:
- "KC_DB=postgres"
- "KC_DB_URL_HOST=postgres"
- "KC_DB_URL_DATABASE={{ auth.db.name }}"
- "KC_DB_USERNAME={{ auth.db.user }}"
- "KC_DB_PASSWORD={{ auth.db.password }}"
- "KEYCLOAK_ADMIN={{ auth.keycloak.user }}"
- "KEYCLOAK_ADMIN_PASSWORD={{ auth.keycloak.password }}"
- "KC_PROXY=edge"
- "KC_HOSTNAME=auth.tobiasmanske.de"
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.rule=Host(`auth.tobiasmanske.de`)"
- "traefik.http.routers.keycloak.entryPoints=websecure"
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
restart: always
networks:
- backend
- default # keycloak needs to talk to social logins
networks:
backend:
internal: true
volumes:
pg_data:
...
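Review bot: The postgres healthcheck `["CMD-SHELL", "pg_isready", "-U", "keycloak"]` mixes the shell and exec forms: with `CMD-SHELL` only the first string is the shell command, so `-U keycloak` is most likely passed as positional arguments and ignored. The user name is also hard-coded, while the database is created with `auth.db.user`. I would write `test: ["CMD-SHELL", "pg_isready -U {{ auth.db.user }} -d {{ auth.db.name }}"]`. `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` are bootstrap credentials, so consider removing them from the environment once the admin account exists.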


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=kuma-{{ service_name|default("kuma") }}


@ -0,0 +1,25 @@
{% set _name = service_name|default("kuma") %}
{% set _urls = urls|default(kuma.urls)|mandatory %}
---
services:
kuma:
image: louislam/uptime-kuma:latest
restart: unless-stopped
volumes:
- data:/app/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.kuma-{{ _name }}.rule={{ _urls | map('regex_replace', '^(.*)$', 'Host(`\\1`)') | join(' || ') }}"
- "traefik.http.routers.kuma-{{ _name }}.entryPoints=websecure"
- "traefik.http.services.kuma-{{ _name }}.loadbalancer.server.port=3001"
networks:
- default
- pantalaimon
volumes:
data:
networks:
pantalaimon:
external: true
...


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=linktree


@ -0,0 +1,13 @@
---
version: "3.4"
services:
unruhig.eu:
image: registry.tobiasmanske.de/unruhig.eu:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.unruhigeu.rule=(Host(`unruhig.eu`) || Host(`www.unruhig.eu`))"
- "traefik.http.routers.unruhigeu.entryPoints=websecure"
- "traefik.http.services.unruhigeu.loadbalancer.server.port=80"
restart: always
...


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=matrix


@ -0,0 +1,15 @@
{
auto_https off
}
http://{{ matrix.baseurl }} {
header {
Content-Type application/json
Access-Control-Allow-Origin *
}
respond /.well-known/matrix/client "{\"m.homeserver\": {\"base_url\": \"https://synapse.{{ matrix.baseurl }}\"} }" 200
respond /.well-known/matrix/server "{\"m.server\": \"synapse.{{ matrix.baseurl }}:443\"}" 200
respond /.well-known/matrix/support "{\"admins\":[{\"matrix_id\":\"@tobi:{{ matrix.baseurl }}\",\"email_address\":\"matrix@{{ matrix.baseurl }}\",\"role\":\"admin\"}]}" 200
respond 404
}


@ -0,0 +1,12 @@
{
"defaultHomeserver": 0,
"homeserverList": [
"unruhig.eu",
"entropia.de",
"matrix.org",
"archlinux.org",
"kit.edu",
"mozilla.org"
],
"allowCustomHomeservers": true
}


@ -0,0 +1,228 @@
---
version: '3.9'
services:
synapse:
image: registry.tobiasmanske.de/matrixdotorg/synapse:latest
user: "1000:1000"
# Since synapse does not retry to connect to the database, restart upon
# failure
restart: unless-stopped
# See the readme for a full documentation of the environment settings
# NOTE: You must edit homeserver.yaml to use postgres, it defaults to sqlite
environment:
- SYNAPSE_CONFIG_DIR=/config
- SYNAPSE_CONFIG_PATH=/config/homeserver.yaml
- TZ=Europe/Berlin
ulimits:
nofile:
soft: 10000
hard: 40000
volumes:
- synapse_data:/data
- ./synapse-config:/config:ro,Z
- ./mautrix-telegram/registration.yaml:/data/reg-mautrix-tg.yaml:ro,Z
- ./mautrix-slack/registration.yaml:/data/reg-mautrix-slack.yaml:ro,Z
- ./mautrix-signal/registration.yaml:/data/reg-mautrix-signal.yaml:ro,Z
depends_on:
- db
- redis
networks:
- default
- backend
- metrics
labels:
- "traefik.enable=true"
- "traefik.http.routers.http-synapse.rule=Host(`synapse.{{ matrix.baseurl }}`)"
- "traefik.http.routers.http-synapse.entryPoints=websecure"
- "traefik.http.routers.http-synapse.service=matrix-synapse"
- "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix.baseurl }}`) && PathPrefix(`/_{path:(matrix|synapse)}/`)"
- "traefik.http.routers.matrix-synapse.entryPoints=websecure"
- "traefik.http.routers.matrix-synapse.service=matrix-synapse"
- "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008"
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=9091"
- "prometheus-scrape.metrics_path=/_synapse/metrics"
db:
image: postgres:15
restart: always
environment:
- POSTGRES_USER={{ matrix.db.user }}
- POSTGRES_DB={{ matrix.db.database }}
- POSTGRES_PASSWORD={{ matrix.db.password }}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
networks:
- backend
volumes:
- db_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
caddy:
image: caddy:2
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro,z
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.matrix-well-known.rule=Host(`{{ matrix.baseurl }}`) && PathPrefix(`/.well-known/matrix/`)"
- "traefik.http.routers.matrix-well-known.entrypoints=websecure"
- "traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
cinny:
image: registry.tobiasmanske.de/cinnyapp/cinny:latest
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.matrix-cinny.rule=Host(`cinny.{{ matrix.baseurl }}`)"
- "traefik.http.routers.matrix-cinny.entryPoints=websecure"
- "traefik.http.services.matrix-cinny.loadbalancer.server.port=80"
volumes:
- ./cinny-config.json:/app/config.json:ro,Z
networks:
- default
redis:
image: redis:latest
restart: unless-stopped
networks:
- backend
### BRIDGES
#### Telegram
mautrix-telegram:
image: dock.mau.dev/mautrix/telegram:latest
user: "1000:1000"
restart: unless-stopped
environment:
- "MAUTRIX_DIRECT_STARTUP=1"
volumes:
- bridge_tg_data:/data
- ./mautrix-telegram/config.yaml:/data/config.yaml:ro,Z
- ./mautrix-telegram/registration.yaml:/data/registration.yaml:ro,Z
networks:
- backend
- default # Needs to contact UFOs in the sky
depends_on:
- db-bridge-tg
- synapse
db-bridge-tg:
image: postgres:15
restart: always
environment:
- POSTGRES_USER={{ matrix.bridge.tg.dbuser }}
- POSTGRES_DB={{ matrix.bridge.tg.dbname }}
- POSTGRES_PASSWORD={{ matrix.bridge.tg.dbpass }}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
networks:
- backend
volumes:
- bridge_tg_db:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
#### SLACK
mautrix-slack:
image: dock.mau.dev/mautrix/slack:latest
environment:
- "UID=1000"
- "GID=1000"
restart: unless-stopped
volumes:
- bridge_slack_data:/data
- ./mautrix-slack/config.yaml:/data/config.yaml:ro,Z
- ./mautrix-slack/registration.yaml:/data/registration.yaml:ro,Z
networks:
- backend
- default # Needs to contact UFOs in the sky
depends_on:
- db-bridge-slack
- synapse
db-bridge-slack:
image: postgres:15
restart: always
environment:
- POSTGRES_USER={{ matrix.bridge.slack.dbuser }}
- POSTGRES_DB={{ matrix.bridge.slack.dbname }}
- POSTGRES_PASSWORD={{ matrix.bridge.slack.dbpass }}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
networks:
- backend
volumes:
- bridge_slack_db:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
#### SIGNAL
mautrix-signal:
image: dock.mau.dev/mautrix/signal:latest
user: "1000:1000"
restart: unless-stopped
environment:
- "MAUTRIX_DIRECT_STARTUP=1"
networks:
- default
- backend
volumes:
- bridge_signal_data:/data
- signald_data:/signald
- ./mautrix-signal/config.yaml:/data/config.yaml:ro,Z
- ./mautrix-signal/registration.yaml:/data/registration.yaml:ro,Z
depends_on:
- signald
- db-bridge-signal
signald:
image: docker.io/signald/signald:latest
restart: unless-stopped
networks:
- default
- backend
volumes:
- signald_data:/signald
db-bridge-signal:
image: postgres:15
restart: unless-stopped
networks:
- backend
environment:
- POSTGRES_USER={{ matrix.bridge.signal.dbuser }}
- POSTGRES_DB={{ matrix.bridge.signal.dbname }}
- POSTGRES_PASSWORD={{ matrix.bridge.signal.dbpass }}
volumes:
- bridge_signal_db:/var/lib/postgresql/data
networks:
backend:
internal: true
metrics:
external: true
volumes:
synapse_data:
bridge_tg_data:
bridge_tg_db:
bridge_slack_data:
bridge_slack_db:
bridge_signal_data:
bridge_signal_db:
signald_data:
db_data:
...
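Review bot: Every third-party image in this file uses a floating tag (`redis:latest`, `dock.mau.dev/mautrix/telegram:latest`, `dock.mau.dev/mautrix/slack:latest`, `dock.mau.dev/mautrix/signal:latest`, `docker.io/signald/signald:latest`), and the plays in this commit deploy a `watchtower` service, so these containers may be replaced unattended by whatever is published under that tag. The bridges hold appservice registrations and account sessions, so I would pin each to a release tag or digest, for example `image: dock.mau.dev/mautrix/signal:<release-tag>@sha256:<digest>` (placeholders), and update deliberately. `db-bridge-signal` is also the only Postgres service here without the `pg_isready` healthcheck. `synapse` uses a plain `depends_on: - db` even though the comment above it says Synapse does not retry the database connection; `condition: service_healthy`, as used in the gitea file, would fit.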


@ -0,0 +1,334 @@
# Homeserver details
# {% set config = matrix.bridge.signal %}
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://synapse.{{ matrix.baseurl }}
# The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: {{ matrix.baseurl }}
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: true
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint:
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint:
# Maximum number of simultaneous HTTP connections to the homeserver.
connection_limit: 100
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://mautrix-signal:29328
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29328
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: postgres://{{ config.dbuser }}:{{ config.dbpass }}@db-bridge-signal/{{ config.dbname }}?sslmode=disable
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
# Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
database_opts:
min_size: 1
max_size: 10
id: signal
# Username of the appservice bot.
bot_username: signalbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Signal bridge bot
bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ config.as_token }}"
hs_token: "{{ config.hs_token }}"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-signal.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
signal:
# Path to signald unix socket
socket_path: /signald/signald.sock
# Directory for temp files when sending files to Signal. This should be an
# absolute path that signald can read. For attachments in the other direction,
# make sure signald is configured to use an absolute path as the data directory.
outgoing_attachment_dir: /signald/attachments
# Directory where signald stores avatars for groups.
avatar_dir: /signald/avatars
# Directory where signald stores auth data. Used to delete data when logging out.
data_dir: /signald/data
# Whether or not unknown signald accounts should be deleted when the bridge is started.
# When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
delete_unknown_accounts_on_start: false
# Whether or not message attachments should be removed from disk after they're bridged.
remove_file_after_handling: true
# Whether or not users can register a primary device
registration_enabled: true
# Whether or not to enable disappearing messages in groups. If enabled, then the expiration
# time of the messages will be determined by the first users to read the message, rather
# than individually. If the bridge has a single user, this can be turned on safely.
enable_disappearing_messages_in_groups: false
# Bridge config
bridge:
# {% raw %}
# Localpart template of MXIDs for Signal users.
# {userid} is replaced with the UUID of the Signal user.
username_template: signal_{userid}
# Displayname template for Signal users.
# {displayname} is replaced with the displayname of the Signal user, which is the first
# available variable in displayname_preference. The variables in displayname_preference
# can also be used here directly.
displayname_template: '{displayname} (Signal)'
# {% endraw %}
# Whether or not contact list displaynames should be used.
# Possible values: disallow, allow, prefer
#
# Multi-user instances are recommended to disallow contact list names, as otherwise there can
# be conflicts between names from different users' contact lists.
contact_list_names: disallow
# Available variables: full_name, first_name, last_name, phone, uuid
displayname_preference:
- full_name
- phone
autocreate_group_portal: true
# Whether or not to create portals for all contacts on login/connect.
autocreate_contact_portal: false
# Whether or not to make portals of Signal groups in which joining via invite link does
# not need to be approved by an administrator publicly joinable on Matrix.
public_portals: false
# Whether or not to use /sync to get read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: false
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
double_puppet_server_map:
{{ matrix.baseurl }}: https://{{ matrix.baseurl }}
login_shared_secret_map:
{{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}
federate_rooms: false
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: true
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: true
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: true
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Whether or not to explicitly set the avatar and room name for private
# chat portal rooms. This will be implicitly enabled if encryption.default is true.
private_chat_portal_meta: true
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Signal. This let's you check manually whether the bridge is receiving your
# messages.
# Note that this is not related to Signal delivery receipts.
delivery_receipts: true
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: true
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# Interval at which to resync contacts (in seconds).
periodic_sync: 0
# Should leaving the room on Matrix make the user leave on Signal?
bridge_matrix_leave: false
# Should the bridge auto-create a group chat on Signal when a ghost is invited to a room?
# Requires the user to have sufficient power level and double puppeting enabled.
create_group_on_invite: true
hacky_contact_name_mixup_detection: false
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: false
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: disabled
# Segment API key to enable analytics tracking for web server
# endpoints. Set to null to disable.
# Currently the only events are login start, QR code scan, and login
# success/failure.
segment_key:
# Optional user_id to use when sending Segment events. If null, defaults to using mxID.
segment_user_id:
# The prefix for commands. Only required in non-management rooms.
command_prefix: '!signal'
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: Hello, I'm a Signal bridge bot.
# Sent when joining a management room and the user is already logged in.
welcome_connected: Use `help` for help.
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: Use `help` for help or `link` to log in.
# Optional extra text sent when joining a management room.
additional_help: ''
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relay - Allowed to be relayed through the bridge, no access to commands.
# user - Use the bridge with puppeting.
# admin - Use and administrate the bridge.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
'*': relay
{{ matrix.baseurl }}: user
'@tobi:{{ matrix.baseurl }}': admin
relay:
# Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# The formats to use when sending messages to Signal via a relay user.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $message - The message content
message_formats:
m.text: '$sender_displayname: $message'
m.notice: '$sender_displayname: $message'
m.emote: '* $sender_displayname $message'
m.file: $sender_displayname sent a file
m.image: $sender_displayname sent an image
m.audio: $sender_displayname sent an audio file
m.video: $sender_displayname sent a video
m.location: $sender_displayname sent a location
relaybot: '@relaybot:example.com'
# Whether or not invites from non-logged-in users should be relayed
invite: true
# Format for generating URLs from location messages for sending to Signal
# Google Maps: 'https://www.google.com/maps/place/{lat},{long}'
# OpenStreetMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}'
location_format: https://www.google.com/maps/place/{lat},{long}
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_signal.util.ColorFormatter
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
normal:
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [console]
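Review bot: The `database:` URI interpolates `{{ config.dbpass }}` unescaped, so a vault password containing `@`, `/`, `:` or `?` would render a connection string that parses to the wrong host or credentials; `{{ config.dbpass | urlencode }}` keeps the URI well-formed for any password. The same pattern appears in the Slack template's `uri:` line and the Telegram template's `database:` line. Separately, under `login_shared_secret_map` the secret is emitted as a bare YAML scalar (`{{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}`), whereas the Slack template quotes it. Writing the value here as `"{{ matrix.authenticator.shared_secret }}"` keeps a secret with YAML-significant characters from being mis-parsed or type-coerced.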


@ -0,0 +1,31 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
31353638336331613430353931626330366132643736326566343536343666643965333163313831
3062336363343836666163393763326332623730623930620a333666373365306536636264613732
64373937373062303332306166393833656239333862343836626364613639633762376138383964
3033623639636530320a613233643736383637396131636434306435346637353966393639363239
30336461616464303031386164393433373831353435333466323166643436626234623262633237
30373830366430636230633962643439363666363031633936313934616332306437623138373535
65343062336461663861376664383138636333353338666231623436666366303431363438323632
31313739376439323665386130323338363930366361646361383831643337653963353639353738
36383866313262616135633231623964663266643030343561363735323039376338373165356366
30643738313331333733343739366435383936373135666433666663353039316331366463623362
38343430663432396332623662633533396433366564656263393735663839666566376139656261
65323664616463626430653734393433626231386230633664653264373034633731633239363135
35333366333039623764386330613130373263316436316266303461626463373939336134363039
62653363613064373731616137333663333334636336623363343034383263656631653864336439
65623762666538383766393939303832373566623666383761623234636638303566336438616136
33333939323061333431656435383731326633323135313839343761613231623537356333636336
65323063653239623166313938386133366565313336643161323564386338363839393434616535
63373038383334633238303336386261343639393537333735383439346164633962343033633533
64353138373161323639613434653939326265336239366364336630666634356439303564653833
31333765303030376330396261376161636563306133363137313435376133373363653031356333
62663737646165626366363230663262346563633236366238646339303763383161663033356232
34343434363833386330636535663333356364633332616431613431386534336133386638333034
35633363333366306435656137303866636232323765313164363636636366653364326332613233
32643866663032313431663463666364326633376332323335336131376131663865616232653065
34633338333237636336333062646561376331363138346132386430633462666634646462656431
65373562323539636165313038643839623132643539346539343338346366366362323230653935
34323834393961376234343564383635623865303765663439316535396263363265626265613761
33343034343666663834363133663734343838623132666561393862623136613035656434626233
31666434656535393536623461393630346262643331336364353932326337376132333631616635
3963306630613238323633666264316462393063383639656333


@ -0,0 +1,231 @@
# Homeserver details.
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://synapse.{{ matrix.baseurl }}
# The domain of the homeserver (for MXIDs, etc).
domain: {{ matrix.baseurl }}
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
async_media: false
# Application service host/registration related details.
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://mautrix-slack:29335
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29335
# Database config.
database:
# The database type. "sqlite3" and "postgres" are supported.
type: postgres
# The database URI.
# SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
# Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
# To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
uri: postgres://{{ matrix.bridge.slack.dbuser }}:{{ matrix.bridge.slack.dbpass }}@db-bridge-slack/{{ matrix.bridge.slack.dbname }}?sslmode=disable
# Maximum number of connections. Mostly relevant for Postgres.
max_open_conns: 20
max_idle_conns: 2
# Maximum connection idle time and lifetime before they're closed. Disabled if null.
# Parsed with https://pkg.go.dev/time#ParseDuration
max_conn_idle_time: null
max_conn_lifetime: null
# The unique ID of this appservice.
id: slack
# Appservice bot details.
bot:
# Username of the appservice bot.
username: slackbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
displayname: Slack bridge bot
avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ matrix.bridge.slack.as_token }}"
hs_token: "{{ matrix.bridge.slack.hs_token }}"
# Bridge config
bridge:
{% raw %}
# Localpart template of MXIDs for Slack users.
# {{.}} is replaced with the internal ID of the Slack user.
username_template: slack_{{.}}
# Displayname template for Slack users.
# TODO: document variables
displayname_template: '{{.DisplayName}} (Slack)'
bot_displayname_template: '{{.Name}} (bot)'
channel_name_template: '#{{.Name}}'
{% endraw %}
portal_message_buffer: 128
# Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack?
delivery_receipts: true
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Whether the bridge should send error notices via m.notice events when a message fails to bridge.
message_error_notices: true
# Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
sync_with_custom_puppets: false
# Should the bridge update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
{{ matrix.baseurl }}: https://{{ matrix.baseurl }}
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, double puppeting will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
login_shared_secret_map:
{{ matrix.baseurl }}: "{{ matrix.authenticator.shared_secret }}"
message_handling_timeout:
# Send an error message after this timeout, but keep waiting for the response until the deadline.
# This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
# If the message is older than this when it reaches the bridge, the message won't be handled at all.
error_after: 10s
# Drop messages after this timeout. They may still go through if the message got sent to the servers.
# This is counted from the time the bridge starts handling the message.
deadline: 60s
# The prefix for commands. Only required in non-management rooms.
command_prefix: '!slack'
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Slack bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
backfill:
# Allow backfilling at all? Requires MSC2716 support on homeserver.
enable: true
# If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack.
# Set to -1 to let any chat be unread.
unread_hours_threshold: 720
# Number of messages to immediately backfill when creating a portal.
immediate_messages: 10
# Settings for incremental backfill of history.
incremental:
# Maximum number of messages to backfill per batch.
messages_per_batch: 100
# The number of seconds to wait after backfilling the batch of messages.
post_batch_delay: 20
# The maximum number of messages to backfill per portal, split by the chat type.
# If set to -1, all messages in the chat will eventually be backfilled.
max_messages:
# Channels
channel: -1
# Group direct messages
group_dm: -1
# 1:1 direct messages
dm: -1
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: true
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: true
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: true
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Settings for provisioning API
provisioning:
# Prefix for the provisioning API paths.
prefix: /_matrix/provision
# Shared secret for authentication. If set to "generate", a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: disable
# Permissions for using the bridge.
# Permitted values:
# relay - Talk through the relaybot (if enabled), no access otherwise
# user - Access to use the bridge to chat with a Slack account.
# admin - User level and some additional administration tools
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": relay
"{{ matrix.baseurl }}": user
"@tobi:{{ matrix.baseurl }}": admin
{% raw %}
logging:
directory: ./logs
file_name_format: '{{.Date}}-{{.Index}}.log'
file_date_format: "2006-01-02"
file_mode: 384
timestamp_format: Jan _2, 2006 15:04:05
print_level: debug
print_json: false
file_json: false
{% endraw %}
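Review bot: The `encryption` block here sets `require: false` and `allow_key_sharing: true`, while the Signal template in the same commit sets `require: true` and `allow_key_sharing: false`. Going by the option comments, this bridge will therefore not drop unencrypted Matrix messages and will fulfil key requests, where the Signal bridge does neither. If the difference is not intentional, aligning this file to `require: true` and `allow_key_sharing: false` gives both bridges the same posture. `print_level: debug` in the `logging` block is also worth revisiting for a production deployment, since debug output from a bridge presumably carries more message metadata than a higher level would, though this file does not show what is logged.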


@ -0,0 +1,26 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
63643764313434366534636536373233613163353932353332353034386638623463323265356366
3033666637643563393537636263366338643736303663620a376138656235653238386131623864
33356331386265613436626337356436373439376434633135626339373931346166313834323938
3833636339306137360a383230386236333632613037363139356230663563333266353030616133
39343037343234386465646433613465646363343237346432373934623431336163303233323263
65356133373264323664663238306266336332353632643533373038653938623939353931613964
33383638653061313961363033343435316130666337393034356664653933626466623734643239
63663864316464343631313533653931376561303830366665333635613666346139623937373663
65393234326533623364626666353763396437386330386563333432306566316161626561363836
62613630623864323163616639396233393031373734373332383064626562623563363266383065
61613738323034313431333333656530346566333165363430333962373930363736396265636663
65646632356265633665633930343231636138366364653038336563333234326139333437643063
39653437303565343739306237653832616265323138643234313731343339353161333363366538
35373864666436306438303037363766373532633533666335303137346337633265613630653637
39356237663665333533363030653735333535653861353866363362343830366562383661666137
37623436336531363230356233656235666238663537616437353636353732643639386534616561
30656264316535636437653032343634643036363838626234303837393935393430323537643231
64363534313033396362326530663430373661613362346364356262386433663731313866363438
30653966343436656430326434646337386230333432383861333635326431346332663332313437
35636162323834616437383563353932333137653639616532363162663365393437386333613439
35343937333034303934623962653132323837643430303230383163393833316233636233643736
33666530653033613762313364653734633765326432613032386535333335633834633430356165
64396132386133326464376163326236373131316266343634306163313235616236383239366639
38373235643763616236356266663534356230643131653130323338393262616337346635633835
39386236643562653738383037376334303138623966316637386464386139613431


@ -0,0 +1,593 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://synapse.{{ matrix.baseurl }}
# The domain of the homeserver (for MXIDs, etc).
domain: {{ matrix.baseurl }}
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: true
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://mautrix-telegram:29317
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29317
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: postgres://{{ matrix.bridge.tg.dbuser }}:{{ matrix.bridge.tg.dbpass }}@db-bridge-tg/{{ matrix.bridge.tg.dbname }}
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
# Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
database_opts:
min_size: 1
max_size: 10
# Public part of web server for out-of-Matrix interaction with the bridge.
# Used for things like login if the user wants to make sure the 2FA password isn't stored in
# the HS database.
public:
# Whether or not the public-facing endpoints should be enabled.
enabled: false
# The prefix to use in the public-facing endpoints.
prefix: /public
# The base URL where the public-facing endpoints are available. The prefix is not added
# implicitly.
external: https://example.com/public
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: false
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: generate
# The unique ID of this appservice.
id: telegram
# Username of the appservice bot.
bot_username: telegrambot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Telegram bridge bot
bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ matrix.bridge.tg.as_token }}"
hs_token: "{{ matrix.bridge.tg.hs_token }}"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-telegram.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
# Bridge config
bridge:
# Localpart template of MXIDs for Telegram users.
# {userid} is replaced with the user ID of the Telegram user.
username_template: "telegram_{userid}"
# Localpart template of room aliases for Telegram portal rooms.
# {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
alias_template: "telegram_{groupname}"
# Displayname template for Telegram users.
# {displayname} is replaced with the display name of the Telegram user.
displayname_template: "{displayname} (Telegram)"
# Set the preferred order of user identifiers which to use in the Matrix puppet display name.
# In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
# ID is used.
#
# If the bridge is working properly, a phone number or an username should always be known, but
# the other one can very well be empty.
#
# Valid keys:
# "full name" (First and/or last name)
# "full name reversed" (Last and/or first name)
# "first name"
# "last name"
# "username"
# "phone number"
displayname_preference:
- full name
- username
- phone number
# Maximum length of displayname
displayname_max_length: 100
# Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
# as there's no way to determine whether an avatar is removed or just hidden from some users. If
# you're on a single-user instance, this should be safe to enable.
allow_avatar_remove: false
# Maximum number of members to sync per portal when starting up. Other members will be
# synced when they send messages. The maximum is 10000, after which the Telegram server
# will not send any more members.
# -1 means no limit (which means it's limited to 10000 by the server)
max_initial_member_sync: 100
# Maximum number of participants in chats to bridge. Only applies when the portal is being created.
# If there are more members when trying to create a room, the room creation will be cancelled.
# -1 means no limit (which means all chats can be bridged)
max_member_count: -1
# Whether or not to sync the member list in channels.
# If no channel admins have logged into the bridge, the bridge won't be able to sync the member
# list regardless of this setting.
sync_channel_members: true
# Whether or not to skip deleted members when syncing members.
skip_deleted_members: true
# Whether or not to automatically synchronize contacts and chats of Matrix users logged into
# their Telegram account at startup.
startup_sync: true
# Number of most recently active dialogs to check when syncing chats.
# Set to 0 to remove limit.
sync_update_limit: 0
# Number of most recently active dialogs to create portals for when syncing chats.
# Set to 0 to remove limit.
sync_create_limit: 15
# Should all chats be scheduled to be created later?
# This is best used in combination with MSC2716 infinite backfill.
sync_deferred_create_all: false
# Whether or not to sync and create portals for direct chats at startup.
sync_direct_chats: true
# The maximum number of simultaneous Telegram deletions to handle.
# A large number of simultaneous redactions could put strain on your homeserver.
max_telegram_delete: 10
# Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
# at startup and when creating a bridge.
sync_matrix_state: true
# Allow logging in within Matrix. If false, users can only log in using login-qr or the
# out-of-Matrix login website (see appservice.public config section)
allow_matrix_login: true
# Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
public_portals: false
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: false
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
{{ matrix.baseurl }}: https://{{ matrix.baseurl }}
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
{{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}
# Set to false to disable link previews in messages sent to Telegram.
telegram_link_preview: true
# Whether or not the !tg join command should do a HTTP request
# to resolve redirects in invite links.
invite_link_resolve: false
# Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
# This is currently not supported in most clients.
caption_in_message: false
# Maximum size of image in megabytes before sending to Telegram as a document.
image_as_file_size: 10
# Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216.
image_as_file_pixels: 16777216
# Enable experimental parallel file transfer, which makes uploads/downloads much faster by
# streaming from/to Matrix and using many connections for Telegram.
# Note that generating HQ thumbnails for videos is not possible with streamed transfers.
# This option uses internal Telethon implementation details and may break with minor updates.
parallel_file_transfer: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: false
# Should the bridge send all unicode reactions as custom emoji reactions to Telegram?
# By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions.
always_custom_emoji_reaction: true
# Settings for converting animated stickers.
animated_sticker:
# Format to which animated stickers should be converted.
# disable - No conversion, send as-is (gzipped lottie)
# png - converts to non-animated png (fastest),
# gif - converts to animated gif
# webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
# webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
target: gif
# Should video stickers be converted to the specified format as well?
convert_from_webm: false
# Arguments for converter. All converters take width and height.
args:
width: 256
height: 256
fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
# Settings for converting animated emoji.
# Same as animated_sticker, but webm is not supported as the target
# (because inline images can only contain images, not videos).
animated_emoji:
target: webp
args:
width: 64
height: 64
fps: 25
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: true
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: true
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: true
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Whether or not to explicitly set the avatar and room name for private
# chat portal rooms. This will be implicitly enabled if encryption.default is true.
private_chat_portal_meta: false
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Telegram.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: true
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
# The favorites tag is `m.favourite`.
pinned_tag: "m.favorite"
# Same as above for archived chats, the low priority tag is `m.lowpriority`.
archive_tag: "m.lowpriority"
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# Should leaving the room on Matrix make the user leave on Telegram?
bridge_matrix_leave: true
# Should the user be kicked out of all portals when logging out of the bridge?
kick_on_logout: true
# Should the "* user joined Telegram" notice always be marked as read automatically?
always_read_joined_telegram_notice: true
# Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
# Requires the user to have sufficient power level and double puppeting enabled.
create_group_on_invite: true
# Settings for backfilling messages from Telegram.
backfill:
# Allow backfilling at all?
enable: true
# Use MSC2716 for backfilling?
#
# This requires a server with MSC2716 support, which is currently an experimental feature in Synapse.
# It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml.
msc2716: false
# Use double puppets for backfilling?
#
# If using MSC2716, the double puppets must be in the appservice's user ID namespace
# (because the bridge can't use the double puppet access token with batch sending).
#
# Even without MSC2716, bridging old messages with correct timestamps requires the double
# puppets to be in an appservice namespace, or the server to be modified to allow
# overriding timestamps anyway.
double_puppet_backfill: false
# Whether or not to enable backfilling in normal groups.
# Normal groups have numerous technical problems in Telegram, and backfilling normal groups
# will likely cause problems if there are multiple Matrix users in the group.
normal_groups: false
# If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
# Set to -1 to let any chat be unread.
unread_hours_threshold: 720
# Forward backfilling limits. These apply to both MSC2716 and legacy backfill.
#
# Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
# MSC2716 and the incremental settings are meant for backfilling everything incrementally rather than at once.
forward:
# Number of messages to backfill immediately after creating a portal.
initial_limit: 10
# Number of messages to backfill when syncing chats.
sync_limit: 100
# Settings for incremental backfill of history. These only apply when using MSC2716.
incremental:
# Maximum number of messages to backfill per batch.
messages_per_batch: 100
# The number of seconds to wait after backfilling the batch of messages.
post_batch_delay: 20
# The maximum number of batches to backfill per portal, split by the chat type.
# If set to -1, all messages in the chat will eventually be backfilled.
max_batches:
# Direct chats
user: -1
# Normal groups. Note that the normal_groups option above must be enabled
# for these to be backfilled.
normal_group: -1
# Supergroups
supergroup: 10
# Broadcast channels
channel: -1
# Overrides for base power levels.
initial_power_level_overrides:
user: {}
group: {}
# Whether to bridge Telegram bot messages as m.notices or m.texts.
bot_messages_as_notices: true
bridge_notices:
# Whether or not Matrix bot messages (type m.notice) should be bridged.
default: false
# List of user IDs for whom the previous flag is flipped.
# e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
# notices from users listed here will be bridged.
exceptions: []
# An array of possible values for the $distinguisher variable in message formats.
# Each user gets one of the values here, based on a hash of their user ID.
# If the array is empty, the $distinguisher variable will also be empty.
relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
# The formats to use when sending messages to Telegram via the relay bot.
# Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $distinguisher - A random string from the options in the relay_user_distinguishers array.
# $message - The message content
message_formats:
m.text: "$distinguisher <b>$sender_displayname</b>: $message"
m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
# Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
# users are sent to telegram. All fields in message_formats are supported. Additionally, the
# Telegram user info is available in the following variables:
# $displayname - Telegram displayname
# $username - Telegram username (may not exist)
# $mention - Telegram @username or displayname mention (depending on which exists)
emote_format: "* $mention $formatted_body"
# The formats to use when sending state events to Telegram via the relay bot.
#
# Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
# In name_change events, `$prev_displayname` is the previous displayname.
#
# Set format to an empty string to disable the messages for that event.
state_event_formats:
join: "$distinguisher <b>$displayname</b> joined the room."
leave: "$distinguisher <b>$displayname</b> left the room."
name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
# Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
# `filter-mode` management commands.
#
# Filters do not affect direct chats.
# An empty blacklist will essentially disable the filter.
filter:
# Filter mode to use. Either "blacklist" or "whitelist".
# If the mode is "blacklist", the listed chats will never be bridged.
# If the mode is "whitelist", only the listed chats can be bridged.
mode: blacklist
# The list of group/channel IDs to filter.
list: []
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!tg"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Telegram bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relaybot - Only use the bridge via the relaybot, no access to commands.
# user - Relaybot level + access to commands to create bridges.
# puppeting - User level + logging in with a Telegram account.
# full - Full access to use the bridge, i.e. previous levels + Matrix login.
# admin - Full access to use the bridge and some extra administration commands.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": "relaybot"
"{{ matrix.baseurl }}": "full"
"@tobi:{{ matrix.baseurl }}": "admin"
# Options related to the message relay Telegram bot.
relaybot:
private_chat:
# List of users to invite to the portal when someone starts a private chat with the bot.
# If empty, private chats with the bot won't create a portal.
invite: []
# Whether or not to bridge state change messages in relaybot private chats.
state_changes: true
# When private_chat_invite is empty, this message is sent to users /starting the
# relaybot. Telegram's "markdown" is supported.
message: This is a Matrix bridge relaybot and does not support direct chats
# List of users to invite to all group chat portals created by the bridge.
group_chat_invite: []
# Whether or not the relaybot should not bridge events in unbridged group chats.
# If false, portals will be created when the relaybot receives messages, just like normal
# users. This behavior is usually not desirable, as it interferes with manually bridging
# the chat to another room.
ignore_unbridged_group_chat: true
# Whether or not to allow creating portals from Telegram.
authless_portals: true
# Whether or not to allow Telegram group admins to use the bot commands.
whitelist_group_admins: true
# Whether or not to ignore incoming events sent by the relay bot.
ignore_own_incoming_events: true
# List of usernames/user IDs who are also allowed to use the bot commands.
whitelist:
- myusername
- 12345678
# Telegram config
telegram:
# Get your own API keys at https://my.telegram.org/apps
api_id: {{ matrix.bridge.tg.api_id }}
api_hash: {{ matrix.bridge.tg.api_hash }}
# (Optional) Create your own bot at https://t.me/BotFather
bot_token: disabled
# Should the bridge request missed updates from Telegram when restarting?
catch_up: true
# Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
sequential_updates: true
exit_on_update_error: false
# Telethon connection options.
connection:
# The timeout in seconds to be used when connecting.
timeout: 120
# How many times the reconnection should retry, either on the initial connection or when
# Telegram disconnects us. May be set to a negative or null value for infinite retries, but
# this is not recommended, since the program can get stuck in an infinite loop.
retries: 5
# The delay in seconds to sleep between automatic reconnections.
retry_delay: 1
# The threshold below which the library should automatically sleep on flood wait errors
# (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
# is 20s, the library will sleep automatically. If the error was for 21s, it would raise
# the error instead. Values larger than a day (86400) will be changed to a day.
flood_sleep_threshold: 60
# How many times a request should be retried. Request are retried when Telegram is having
# internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
# there's a migrate error. May take a negative or null value for infinite retries, but this
# is not recommended, since some requests can always trigger a call fail (such as searching
# for messages).
request_retries: 5
# Device info sent to Telegram.
device_info:
# "auto" = OS name+version.
device_model: mautrix-telegram
# "auto" = Telethon version.
system_version: auto
# "auto" = mautrix-telegram version.
app_version: auto
lang_code: en
system_lang_code: en
# Custom server to connect to.
server:
# Set to true to use these server settings. If false, will automatically
# use production server assigned by Telegram. Set to false in production.
enabled: false
# The DC ID to connect to.
dc: 2
# The IP to connect to.
ip: 149.154.167.40
# The port to connect to. 443 may not work, 80 is better and both are equally secure.
port: 80
# Telethon proxy configuration.
# You must install PySocks from pip for proxies to work.
proxy:
# Allowed types: disabled, socks4, socks5, http, mtproxy
type: disabled
# Proxy IP address and port.
address: 127.0.0.1
port: 1080
# Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
rdns: true
# Proxy authentication (optional). Put MTProxy secret in password field.
username: ""
password: ""
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_telegram.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
telethon:
level: INFO
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [console]
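Review bot: The `database:` line interpolates `matrix.bridge.tg.dbuser` and `dbpass` into the Postgres URI without percent-encoding, so a password containing `@`, `:`, `#` or `/` changes how the URI is split and the bridge would connect with the wrong credentials or host; render it as `{{ matrix.bridge.tg.dbpass | urlencode | replace('/', '%2F') }}`. `api_hash: {{ matrix.bridge.tg.api_hash }}` and the `login_shared_secret_map` value are also emitted unquoted, unlike `as_token`/`hs_token` in the same file. An all-digit hash would therefore load as an integer, and a secret containing ` #` or `: ` would be truncated or break YAML parsing; quote them, e.g. `api_hash: "{{ matrix.bridge.tg.api_hash }}"`. The `mau` and `root` loggers are set to `DEBUG`; what the bridge writes at that level is not visible on this page, so confirm it is acceptable for container logs or lower both to `INFO`.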


@ -0,0 +1,31 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
31303639303562306630323132376333316332636534613834326662396237396634313233646364
6335353833616135373439633136356339333737363437660a316634366334376339656466646437
39323131363163393931356331306434613035626239356631303032646664303838386635613930
6232663031663765370a653936623761313937383233313739313166353335346465363265613762
35643335646637343534373966626632336363646231353732643831346563356464386133393166
32613134656431656561316335656463653462656166373433386633666338633132663032633461
66376265633233323662313930323737316166613262383434626264353462386236636139383835
33613830316361373434623435376162653930616631323764653539306235363530326165353037
32303432356630376363613839313831363537363735613833306163616130336631386337366234
33373633306161653163333635366637313266346634656633376237346566663461353962376239
34386237373565313362383532363931333337366336316363663734343333386663653466396139
36633735356561346531376337346635383666376635346361333162376339333839306632666562
63363761623136643031653030666437306361396232383738366533396561373932323563363566
38306333393662333634613139643930626664666139363039333735363538396339373634356365
66633637316432323762353964313237396338613834336532636164333564363839353061336636
63316163626334353231386463313535313866336431613234353533636533343662653933393132
37353065333431366662363530333863646131313737336538396332396238656239366531366337
63633563636531616664313930626266323266613466656636636361653731623666636333666164
39356535363939653232326633383837666262643834326137646363393935613132366663396364
30666266366163316563613665356535633766626335343762333765643837373034646633336432
64373366313962333563336535346436346536386633343366336535363236306338343832373763
36663663353533383939323234333535316162303033313833616533373237613335303662393032
66316163343938383330663133613333346535393264636264366533343938653730316163366363
66373866316264656361613935383334323133636164366630333264343931663461333138656131
31353631393336323166663765613461356437306234653263393030316564363431353566316531
35336665633133386134656361323063303531336263643764353666636364343537363136666632
66333033373766336230393131343434666536653061353032663264636565636361336138653931
34303233613637633165303431626361623132363530666238386336383463656136383965343563
63616131376239356163353464333864363164363666646435353038323565386536326639366565
3134646366666134646665366533396466366233343666613761


@ -0,0 +1,122 @@
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "{{ matrix.baseurl }}"
pid_file: /data/homeserver.pid
enable_metrics: true
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
- port: 9091
tls: false
type: metrics
database:
name: psycopg2
args:
user: {{ matrix.db.user }}
password: {{ matrix.db.password }}
database: {{ matrix.db.database }}
host: db
cp_min: 5
cp_max: 10
log_config: "/config/tobiasmanske.de.log.config"
media_store_path: /data/media_store
report_stats: true
macaroon_secret_key: "{{ matrix.secrets.macaroon }}"
form_secret: "{{ matrix.secrets.form }}"
signing_key_path: "/config/tobiasmanske.de.signing.key"
trusted_key_servers:
- server_name: "matrix.org"
oidc_providers:
- idp_id: keycloak
idp_name: "KeyCloak"
issuer: "{{ matrix.oidc.issuer }}"
client_id: "{{ matrix.oidc.client_id }}"
client_secret: "{{ matrix.oidc.client_secret }}"
scopes: ["openid", "profile"]
user_mapping_provider:
config:
{% raw %}
localpart_template: "{{ user.mx_localpart }}"
display_name_template: "{{ user.name }}"
{% endraw %}
backchannel_logout_enabled: true # Optional
enable_registration: true
registration_requires_token: true
registration_shared_secret: "{{ matrix.secrets.registration }}"
password_config:
enabled: true
redis:
enabled: true
host: redis
port: 6379
app_service_config_files:
- /data/reg-mautrix-tg.yaml
- /data/reg-mautrix-slack.yaml
- /data/reg-mautrix-signal.yaml
rc_message:
per_second: 100
burst_count: 100
rc_joins:
local:
per_second: 100
burst_count: 100
server_notices:
system_mxid_localpart: "server"
system_mxid_display_name: "Server Notices"
system_mxid_avatar_url: "mxc://unruhig.eu/khyOCChmyYSOsIFIbUWGGEWq"
room_name: "Server Notices"
modules:
- module: shared_secret_authenticator.SharedSecretAuthProvider
config:
shared_secret: "{{ matrix.authenticator.shared_secret }}"
# By default, only login requests of type `com.devture.shared_secret_auth` are supported.
# Below, we explicitly enable support for the old `m.login.password` login type,
# which was used in v1 of matrix-synapse-shared-secret-auth and still widely supported by external software.
# If you don't need such legacy support, consider setting this to `false` or omitting it entirely.
m_login_password_support_enabled: true
# By default, only login requests of type `com.devture.shared_secret_auth` are supported.
# Advertising support for such an authentication type causes a problem with Element, however.
# See: https://github.com/vector-im/element-web/issues/19605
#
# Uncomment the line below to disable `com.devture.shared_secret_auth` support.
# You will then need to:
# - have `m_login_password_support_enabled: true` to enable the `m.login.password` login type
# - authenticate using `m.login.password` requests, instead of ``com.devture.shared_secret_auth` requests
# com_devture_shared_secret_auth_support_enabled: false
media_storage_providers:
- module: s3_storage_provider.S3StorageProviderBackend
store_local: True
store_remote: True
store_synchronous: True
config:
bucket: "{{ matrix.storage.s3.bucket }}"
# All of the below options are optional, for use with non-AWS S3-like
# services, or to specify access tokens here instead of some external method.
endpoint_url: "{{ matrix.storage.s3.endpoint_url }}"
access_key_id: "{{ matrix.storage.s3.access_key_id }}"
secret_access_key: "{{ matrix.storage.s3.secret_access_key }}"
# vim:ft=yaml
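Review bot: The three values under `database.args` (`user`, `password`, `database`) are the only templated values in this file rendered without quoting, so a database password containing `#`, `: ` or a leading YAML indicator character would be truncated or mis-parsed in the rendered Synapse config. Rendering them as JSON strings avoids that, e.g. `password: {{ matrix.db.password | to_json }}`, and the same for `user` and `database`. Separately, `rc_message` and `rc_joins` are raised to 100 per second while `enable_registration` and `password_config.enabled` are both true, which leaves very little throttling for an abusive account. If the limits were raised for the bridges listed under `app_service_config_files` (an assumption), a comment saying so would let the next reader judge whether they can be lowered.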


@ -0,0 +1,32 @@
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: WARNING
handlers: [console]
disable_existing_loggers: false


@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
64326434386632376335333966336365333663393130323464333266383639383264616662623333
6437306539633766376336663263393038306162333234340a383237386331636366616266316265
39626638623562623835633035643231656263653437346266333264643830323062353930356462
3936633165633434320a656463656536383539346138383630343137383861613538323735393131
61383237626533316433633866396434663230633239396661333831653531363732646561656164
35353264613364613832653536333632356132666434616134316339383934616264323261366366
633838383264646531663039343639383036


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=maubot


@ -0,0 +1,11 @@
services:
maubot:
image: dock.mau.dev/maubot/maubot:latest
restart: unless-stopped
ports:
- "{{ maubot.port }}:29316"
volumes:
- data:/data:z
volumes:
data:
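Review bot: The `ports` entry `"{{ maubot.port }}:29316"` publishes maubot on every host interface, and unlike the other services in this commit it carries no traefik labels, so this appears to be the only access path. If it is meant to be reached only through a reverse proxy on the same host, bind it to loopback with `- "127.0.0.1:{{ maubot.port }}:29316"`. The image is pulled as `:latest`, so a redeploy can change the running version without any change in this repository; pinning a tag or digest makes upgrades reviewable.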


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=miniflux


@ -0,0 +1,66 @@
---
version: '3'
services:
miniflux:
image: miniflux/miniflux:latest
restart: unless-stopped
depends_on:
db:
condition: service_healthy
environment:
- FETCH_YOUTUBE_WATCH_TIME=1
- DATABASE_URL=postgres://{{ miniflux.db.user }}:{{ miniflux.db.password }}@db/{{ miniflux.db.name }}?sslmode=disable
- RUN_MIGRATIONS=1
- CREATE_ADMIN=1
- ADMIN_USERNAME={{ miniflux.admin.user }}
- ADMIN_PASSWORD={{ miniflux.admin.password }}
- BASE_URL=https://rss.tobiasmanske.de
- CLEANUP_ARCHIVE_READ_DAYS=-1
- OAUTH2_CLIENT_ID={{ miniflux.oauth.client_id }}
- OAUTH2_CLIENT_SECRET={{ miniflux.oauth.client_secret }}
- OAUTH2_OIDC_DISCOVERY_ENDPOINT={{ miniflux.oauth.discovery_endpoint }}
- OAUTH2_PROVIDER=oidc
- OAUTH2_REDIRECT_URL={{ miniflux.oauth.redirect_url }}
- OAUTH2_USER_CREATION=1
- METRICS_COLLECTOR=1
- METRICS_ALLOWED_NETWORKS=0.0.0.0/0
labels:
- "traefik.enable=true"
- "traefik.http.routers.miniflux.rule=Host(`rss.tobiasmanske.de`)"
- "traefik.http.routers.miniflux.entryPoints=websecure"
- "traefik.http.routers.miniflux.middlewares=deny-metrics@file"
- "traefik.http.services.miniflux.loadbalancer.server.port=8080"
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=8080"
networks:
- backend
- pantalaimon
- default
- metrics
db:
image: postgres:13
restart: unless-stopped
environment:
- POSTGRES_USER={{ miniflux.db.user }}
- POSTGRES_PASSWORD={{ miniflux.db.password }}
volumes:
- database:/var/lib/postgresql/data
healthcheck:
test: ["CMD", "pg_isready", "-U", "miniflux"]
interval: 10s
start_period: 30s
networks:
- backend
volumes:
database:
networks:
backend:
internal: true
pantalaimon:
external: true
metrics:
external: true
...
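Review bot: `METRICS_ALLOWED_NETWORKS=0.0.0.0/0` lets any client that can reach port 8080 read the metrics endpoint; the `deny-metrics@file` middleware presumably covers only requests that arrive through traefik, while this container is also attached to the `pantalaimon`, `default` and `metrics` networks. Restricting the value to the subnet of the `metrics` network (`METRICS_ALLOWED_NETWORKS=METRICS_NETWORK_CIDR`, placeholder) keeps scraping working without relying on the proxy rule alone. The `db` healthcheck also hard-codes `-U miniflux` while `POSTGRES_USER` is templated, so it should use the same variable: `test: ["CMD", "pg_isready", "-U", "{{ miniflux.db.user }}"]`.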


@ -0,0 +1,3 @@
COMPOSE_PROJECT_NAME=minio
MINIO_URL=s3.tobiasmanske.de
DASHBOARD_URL=minio.tobiasmanske.de


@ -0,0 +1,39 @@
---
version: "3.9"
services:
minio:
image: minio/minio:latest
restart: always
ulimits:
nofile:
soft: 4096
hard: 16000
environment:
- "MINIO_ROOT_USER={{ minio.user | mandatory }}"
- "MINIO_ROOT_PASSWORD={{ minio.password | mandatory }}"
- "MINIO_SERVER_URL=https://${MINIO_URL}"
- "MINIO_BROWSER_REDIRECT_URL=https://${DASHBOARD_URL}"
volumes:
- data:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.minio.rule=Host(`${MINIO_URL}`)||Host(`s3.unruhig.eu`)"
- "traefik.http.routers.minio.entryPoints=websecure"
- "traefik.http.services.minio.loadbalancer.server.port=9000"
- "traefik.http.routers.minio.service=minio"
- "traefik.http.routers.minio-dashboard.rule=Host(`${DASHBOARD_URL}`)"
- "traefik.http.routers.minio-dashboard.entryPoints=websecure"
- "traefik.http.services.minio-dashboard.loadbalancer.server.port=9001"
- "traefik.http.routers.minio-dashboard.service=minio-dashboard"
command: "server /data --console-address ':9001' --anonymous"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s
timeout: 20s
retries: 3
volumes:
data:
...
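Review bot: The `minio-dashboard` router exposes the MinIO console on `websecure` with no middleware, so the only barrier in front of the admin UI is the root account set through `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD`. The prometheus and alertmanager routers in this commit use `oauth@file`; if that middleware fits here, add `- "traefik.http.routers.minio-dashboard.middlewares=oauth@file"`. The S3 router must stay open for API clients, so the label belongs on the dashboard router only. The hard-coded `Host(`s3.unruhig.eu`)` next to the `${MINIO_URL}` rule would be easier to audit as a second variable in the `.env` file.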


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=pentalaimon


@ -0,0 +1,23 @@
---
services:
pantalaimon:
image: matrixdotorg/pantalaimon:latest
container_name: pantalaimon
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
volumes:
- pantalaimon_data:/data
- ./pantalaimon.conf:/data/pantalaimon.conf:ro,Z
restart: always
networks:
- pantalaimon
volumes:
pantalaimon_data:
networks:
pantalaimon:
name: pantalaimon
internal: false
...


@ -0,0 +1,7 @@
[unruhigeu]
Homeserver = https://unruhig.eu
ListenAddress = 0.0.0.0
ListenPort = 8008
SSL = True
UseKeyring = False
IgnoreVerification = True
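Review bot: `IgnoreVerification = True` makes pantalaimon share encryption keys with devices that were never verified, so any device added to an account in the target rooms can read what this proxy sends, and nothing in the file records that this is a deliberate trade-off. Add a full-line comment above the key stating the accepted risk, e.g. `; accepted risk: keys are shared with unverified devices (reason: ...)`, or set it to `False` if the rooms carry anything sensitive. `ListenAddress = 0.0.0.0` with `ListenPort = 8008` is reachable from every container attached to the shared `pantalaimon` network, which the same comment should mention.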


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=prometheus


@ -0,0 +1,50 @@
global:
resolve_timeout: 5m
route:
group_by: ['alertname']
group_wait: 5s
group_interval: 5m
repeat_interval: 1h
receiver: 'matrix-monitoring'
routes:
- receiver: 'hcio'
repeat_interval: 1h
matchers:
- alertname="PrometheusAlertmanagerE2eDeadManSwitch"
- receiver: 'email'
group_interval: 1m
matchers:
- job="matrix_synapse_1"
- receiver: 'matrix-monitoring'
group_wait: 30s
group_interval: 1h
matchers:
- alertname="PrometheusAllTargetsMissing"
- receiver: 'matrix-monitoring'
group_wait: 30s
group_interval: 1h
matchers:
- alertname="PrometheusTargetMissing"
receivers:
- name: 'email'
email_configs:
- to: '{{ prometheus.alertmanager.smtp.target }}'
from: '"Alertmanager" <{{ prometheus.alertmanager.smtp.username }}>'
smarthost: 'mxe8cf.netcup.net:587'
auth_username: '{{ prometheus.alertmanager.smtp.username }}'
auth_identity: '{{ prometheus.alertmanager.smtp.username }}'
auth_password: '{{ prometheus.alertmanager.smtp.password }}'
- name: 'hcio'
email_configs:
- to: '{{ prometheus.alertmanager.hcio.mail }}'
from: '"Alertmanager" <{{ prometheus.alertmanager.smtp.username }}>'
smarthost: 'mxe8cf.netcup.net:587'
auth_username: '{{ prometheus.alertmanager.smtp.username }}'
auth_identity: '{{ prometheus.alertmanager.smtp.username }}'
auth_password: '{{ prometheus.alertmanager.smtp.password }}'
- name: 'matrix-monitoring'
webhook_configs:
- url: 'http://alertmanager-matrix:3000/alerts?secret={{ prometheus.alertmanager.matrix.alertmanager_token }}'
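Review bot: The webhook `url` of the `matrix-monitoring` receiver interpolates `alertmanager_token` raw into the query string, so a token containing `&`, `#`, `+` or `%` reaches the receiver altered and every alert delivery fails authentication; a secret in a URL is also what HTTP access logs commonly record. Encode it at render time with `?secret={{ prometheus.alertmanager.matrix.alertmanager_token | urlencode }}`, or constrain the token to URL-safe characters where it is generated. The `email` and `hcio` receivers repeat the same smarthost and credentials; moving them to `global:` (`smtp_smarthost`, `smtp_from`, `smtp_auth_username`, `smtp_auth_identity`, `smtp_auth_password`) leaves one place to rotate the password.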


@ -0,0 +1,223 @@
version: "3.4"
services:
prometheus:
image: prom/prometheus:latest
restart: unless-stopped
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--web.external-url=https://prometheus.tobiasmanske.de'
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml:ro,Z
- prom_data:/prometheus
- label_discovery:/label_discovery:ro
- ./rules:/rules:ro,Z
labels:
- "traefik.enable=true"
- "traefik.http.routers.prometheus.rule=Host(`prometheus.tobiasmanske.de`)"
- "traefik.http.routers.prometheus.entryPoints=websecure"
- "traefik.http.services.prometheus.loadbalancer.server.port=9090"
- "traefik.http.routers.prometheus.middlewares=oauth@file"
depends_on:
- prometheus-docker-sd
- cadvisor
- node-exporter
networks:
- backend
- alertmanager
- metrics
prometheus-docker-sd:
image: registry.tobiasmanske.de/prometheus-docker-sd:latest
restart: unless-stopped
privileged: true
networks:
- backend
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro,Z
- label_discovery:/prometheus-docker-sd:rw
logging: # this service generates a HUGE amout of logs.
driver: "none"
alertmanager:
image: prom/alertmanager:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.alertmanager.rule=Host(`alertmanager.tobiasmanske.de`)"
- "traefik.http.routers.alertmanager.entryPoints=websecure"
- "traefik.http.services.alertmanager.loadbalancer.server.port=9093"
- "traefik.http.routers.alertmanager.middlewares=oauth@file"
volumes:
- ./alertmanager.yml:/etc/alertmanager/config.yml:ro,Z
- alertmanager_data:/data
networks:
- alertmanager
restart: unless-stopped
command:
- '--config.file=/etc/alertmanager/config.yml'
- '--web.external-url=https://alertmanager.tobiasmanske.de'
- '--storage.path=/data'
alertmanager-matrix:
image: jaywink/matrix-alertmanager:latest
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.alertmanager-matrix.rule=Host(`alertmanager.tobiasmanske.de`) && PathPrefix(`/matrix/`)"
- "traefik.http.routers.alertmanager-matrix.middlewares=matrix-strip"
- "traefik.http.middlewares.matrix-strip.stripprefix.prefixes=/matrix"
- "traefik.http.middlewares.matrix-strip.stripprefix.forceslash=false"
- "traefik.http.routers.alertmanager-matrix.entryPoints=websecure"
- "traefik.http.services.alertmanager-matrix.loadbalancer.server.port=3000"
environment:
- APP_PORT=3000
- APP_ALERTMANAGER_SECRET={{ prometheus.alertmanager.matrix.alertmanager_token }}
- MATRIX_HOMESERVER_URL=http://pantalaimon:8008
- MATRIX_ROOMS={{ prometheus.alertmanager.matrix.rooms | join('|') }}
- MATRIX_TOKEN={{ prometheus.alertmanager.matrix.matrix_token }}
- MATRIX_USER=@alertmanager:{{ matrix.baseurl }}
- MENTION_ROOM=1
networks:
- alertmanager
- pantalaimon
grafana:
image: grafana/grafana:latest
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.grafana.rule=Host(`grafana.tobiasmanske.de`)"
- "traefik.http.routers.grafana.entryPoints=websecure"
- "traefik.http.services.grafana.loadbalancer.server.port=3000"
networks:
- backend
environment:
- "GF_SERVER_ROOT_URL=https://grafana.tobiasmanske.de"
- "GF_SECURITY_ADMIN_USER={{ grafana.admin.user }}"
- "GF_SECURITY_ADMIN_PASSWORD={{ grafana.admin.password }}"
- "GF_AUTH_GENERIC_OAUTH_NAME=Keycloak"
- "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
- "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true"
- "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ grafana.oidc.client_id }}"
- "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ grafana.oidc.client_secret }}"
- "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles"
- "GF_AUTH_GENERIC_OAUTH_GROUP_ATTRIBUTE_PATH=groups"
- "GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email"
- "GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username"
- "GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=full_name"
- "GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/auth"
- "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/token"
- "GF_AUTH_GENERIC_OAUTH_API_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/userinfo"
- "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(resource_access.grafana.roles[*], 'serveradmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'"
- "GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true"
volumes:
- grafana_data:/var/lib/grafana
- ./grafana-ds.yml:/etc/grafana/provisioning/datasources/datasource.yml:ro,Z
- ./grafana-db.yml:/etc/grafana/provisioning/dashboards/datasource.yml:ro,Z
- ./grafana-dashboards:/var/lib/grafana/dashboards:ro,Z
node-exporter:
image: quay.io/prometheus/node-exporter:latest
container_name: host-nc-chaoswg-org-node-exporter
privileged: true
labels:
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=9100"
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
- /:/host:ro,rslave
- /run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
command:
- '--path.rootfs=/host'
- '--path.procfs=/host/proc'
- '--path.sysfs=/host/sys'
- '--collector.filesystem.ignored-mount-points'
- "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
- '--collector.systemd'
networks:
- metrics
restart: unless-stopped
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
privileged: true
labels:
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=8080"
command:
- "-docker_only=true"
- "-housekeeping_interval=10s"
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
networks:
- metrics
restart: unless-stopped
loki:
image: grafana/loki:latest
restart: unless-stopped
command: -config.file=/etc/loki/loki.yaml
volumes:
- ./loki.yml:/etc/loki/loki.yaml:ro,Z
- loki_data:/loki
labels:
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=3100"
networks:
- backend
promtail:
image: grafana/promtail:latest
security_opt:
- label:disable
restart: unless-stopped
volumes:
- ./promtail.yml:/etc/promtail/config.yml:ro
- /var/log:/var/log:ro
- /var/lib/docker/containers:/var/lib/docker/containers:ro
- /var/run/docker.sock:/var/run/docker.sock
command: -config.file=/etc/promtail/config.yml
labels:
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=8080"
networks:
- backend
- metrics
mimir:
image: grafana/mimir:latest
restart: unless-stopped
volumes:
- mimir_data:/mimir
- ./mimir.yml:/etc/mimir-config/mimir.yaml:ro,Z
entrypoint:
- /bin/mimir
- -config.file=/etc/mimir-config/mimir.yaml
- -validation.max-label-names-per-series=60
labels:
- "prometheus-scrape.enabled=true"
- "prometheus-scrape.port=8080"
networks:
- backend
- metrics
volumes:
prom_data:
grafana_data:
loki_data:
label_discovery:
alertmanager_data:
mimir_data:
networks:
pantalaimon:
external: true
backend:
internal: true
alertmanager:
metrics:
external: true
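Review bot: `prometheus-docker-sd` combines `privileged: true`, a mount of `/var/run/docker.sock` and `logging: driver: "none"`, which gives one `:latest` image root-equivalent control of the host and leaves no container log to review afterwards. The `:ro` flag on the socket mount does not restrict Docker API calls, so it should not be read as read-only API access. Reading container labels over the socket should not need privileged mode, so try removing `privileged: true`, and replace `driver: "none"` with a size-capped driver such as `driver: "local"` with `options: {max-size: "10m"}`. `promtail` mounts the same socket with no mode at all, and `alertmanager-matrix` is routed on `websecure` without the `oauth@file` middleware the other two routers on that host use, so its shared secret is the only check.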

File diff suppressed because it is too large Load Diff


@ -0,0 +1,602 @@
{% raw %}
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.0.3"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"description": "Dashboard for Drone CI",
"editable": true,
"fiscalYearStartMonth": 0,
"gnetId": 16720,
"graphTooltip": 2,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 0,
"y": 0
},
"id": 2,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "none",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.0.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"expr": "sum(drone_build_count) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "Total Builds",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 4,
"y": 0
},
"id": 4,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "none",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.0.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"expr": "sum(drone_repo_count) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "Activated Repos",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 4,
"x": 8,
"y": 0
},
"id": 7,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "none",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.0.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(drone_user_count) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"range": true,
"refId": "A"
}
],
"title": "Total Users",
"type": "stat"
},
{
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 4
},
"id": 10,
"title": "Metrics",
"type": "row"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"decimals": 0,
"links": [],
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 5
},
"id": 6,
"links": [],
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "9.0.7",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(drone_running_builds) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "running builds",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(drone_pending_builds) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "pending builds",
"range": true,
"refId": "B"
}
],
"title": "Builds",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"decimals": 0,
"links": [],
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 5
},
"id": 8,
"links": [],
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "9.0.7",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(drone_running_jobs) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "running jobs",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"editorMode": "code",
"expr": "sum(drone_pending_jobs) by (application_name)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "pending jobs",
"range": true,
"refId": "B"
}
],
"title": "Jobs",
"type": "timeseries"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": [
"drone",
"drone-ci",
"ci/cd"
],
"templating": {
"list": [
{
"current": {
"selected": true,
"text": "Prometheus",
"value": "Prometheus"
},
"hide": 0,
"includeAll": false,
"label": "datasource",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"queryValue": "",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-12h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Drone CI",
"uid": "IT4-bnNik",
"version": 2,
"weekStart": ""
}
{% endraw %}

File diff suppressed because it is too large Load Diff


@ -0,0 +1,440 @@
{% raw %}
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.0.3"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"description": "A dashboard to show the data from the excellent Uptime Kuma project!",
"editable": true,
"fiscalYearStartMonth": 0,
"gnetId": 14847,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"color": "red",
"index": 0,
"text": "DOWN"
},
"1": {
"color": "green",
"index": 1,
"text": "UP"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 17,
"w": 24,
"x": 0,
"y": 0
},
"id": 4,
"options": {
"colorMode": "background",
"graphMode": "area",
"justifyMode": "center",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "10.0.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"exemplar": true,
"expr": "monitor_status ",
"interval": "",
"legendFormat": "{{ monitor_name }}",
"refId": "A"
}
],
"title": "Site Status",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red",
"value": null
},
{
"color": "#EAB839",
"value": 30
},
{
"color": "green",
"value": 60
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 9,
"w": 13,
"x": 0,
"y": 17
},
"id": 6,
"options": {
"colorMode": "background",
"graphMode": "area",
"justifyMode": "center",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "10.0.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"exemplar": true,
"expr": "monitor_cert_days_remaining",
"interval": "",
"legendFormat": "{{ monitor_name }}",
"refId": "A"
}
],
"title": "TLS Certificate Remaining Days",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"color": "red",
"index": 0,
"text": "EXPIRED"
},
"1": {
"color": "green",
"index": 1,
"text": "VALID"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red",
"value": null
},
{
"color": "green",
"value": 1
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 9,
"w": 11,
"x": 13,
"y": 17
},
"id": 5,
"options": {
"colorMode": "background",
"graphMode": "area",
"justifyMode": "center",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "10.0.3",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"exemplar": true,
"expr": "monitor_cert_is_valid",
"interval": "",
"legendFormat": "{{ monitor_name }}",
"refId": "A"
}
],
"title": "TLS Certificate Status",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "ms"
},
"overrides": []
},
"gridPos": {
"h": 9,
"w": 24,
"x": 0,
"y": 26
},
"id": 2,
"options": {
"legend": {
"calcs": [
"max",
"min",
"lastNotNull"
],
"displayMode": "table",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"exemplar": true,
"expr": "sum(monitor_response_time{}) by (monitor_name)",
"interval": "",
"legendFormat": "{{ monitor_name }}",
"refId": "A"
}
],
"title": "Response Times",
"type": "timeseries"
}
],
"refresh": "30s",
"revision": 1,
"schemaVersion": 38,
"style": "dark",
"tags": [],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "Prometheus",
"value": "Prometheus"
},
"hide": 0,
"includeAll": false,
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-5m",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "Uptime Kuma",
"uid": "CN8E-vZ7k",
"version": 4,
"weekStart": ""
}
{% endraw %}

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -0,0 +1,12 @@
apiVersion: 1
providers:
- name: "Dashboard provider"
orgId: 1
type: file
disableDeletion: false
updateIntervalSeconds: 10
allowUiUpdates: true
options:
path: /var/lib/grafana/dashboards
foldersFromFilesStructure: true


@ -0,0 +1,28 @@
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus:9090
isDefault: true
access: proxy
editable: true
- name: Mimir Netcup
type: prometheus
jsonData:
httpHeaderName1: "X-Scope-OrgID"
secureJsonData:
httpHeaderValue1: "host-nc-chaoswg-org"
url: http://mimir:8080/prometheus
isDefault: false
access: proxy
editable: true
- name: Loki
type: loki
access: proxy
orgId: 1
url: http://loki:3100
basicAuth: false
isDefault: false
version: 1
editable: true
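Review bot: All three datasources use plain `http://` with no credentials, and every entry sets `editable: true`, so nothing in this file records that the backends are meant to be reachable only from inside the compose network. I would add a comment at the top such as `# Backends are unauthenticated; they must only be reachable on the internal network, never published on the host` and set `editable: false` so the provisioned URLs and the `X-Scope-OrgID` header cannot drift from this file through the UI. Whether the ports 9090, 8080 and 3100 are published is decided in the compose file, which is not visible here, so that should be checked alongside this change.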


@ -0,0 +1,51 @@
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
query_range:
results_cache:
cache:
embedded_cache:
enabled: true
max_size_mb: 100
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: aws
schema: v11
index:
prefix: index_
period: 24h
common:
path_prefix: /loki
storage:
s3:
endpoint: s3.tobiasmanske.de
bucketnames: loki-data
access_key_id: "{{ loki.s3.access_key }}"
secret_access_key: "{{ loki.s3.secret_key }}"
s3forcepathstyle: true
replication_factor: 1
ring:
kvstore:
store: inmemory
compactor:
working_directory: /loki/compactor
shared_store: s3
storage_config:
boltdb_shipper:
active_index_directory: /loki/active
cache_location: /loki/cache
cache_ttl: 24h
resync_interval: 5s
shared_store: s3
aws:
s3: "s3://{{ loki.s3.access_key }}:{{ loki.s3.secret_key }}@s3.tobiasmanske.de.:443/loki-data"
s3forcepathstyle: true
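Review bot: The `aws.s3` value under `storage_config` puts the access key and secret into a URL, where they are interpolated without URL-encoding and where a URL-shaped string is more likely to end up in logs or error messages than a dedicated secret field. A secret containing `/`, `+` or `@` would also make the URL parse wrongly. The same bucket and credentials are already given in structured form under `common.storage.s3`, so the `aws` block can either be dropped or rewritten with the separate `endpoint`, `bucketnames`, `access_key_id` and `secret_access_key` keys. If the URL form has to stay, apply the filter: `{{ loki.s3.secret_key | urlencode }}`. The rendered file holds the secrets in clear text, so the task that templates it should set a restrictive mode (not visible in this section).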


@ -0,0 +1,47 @@
# Do not use this configuration in production.
# It is for demonstration purposes only.
# Run Mimir in single process mode, with all components running in 1 process.
target: all
# ,alertmanager,overrides-exporter
# Configure Mimir to use Minio as object storage backend.
common:
storage:
backend: s3
s3:
endpoint: s3.tobiasmanske.de
access_key_id: "{{ mimir.s3.access_key }}"
secret_access_key: "{{ mimir.s3.secret_key }}"
bucket_name: mimir
# Blocks storage requires a prefix when using a common object storage bucket.
blocks_storage:
s3:
bucket_name: mimir-blocks
tsdb:
dir: /mimir/tsdb
flush_blocks_on_shutdown: true
ingester:
ring:
replication_factor: 1
store_gateway:
sharding_ring:
replication_factor: 1
# ruler:
# rule_path: /data/ruler
# alertmanager_url: http://127.0.0.1:8080/alertmanager
# ring:
# # Quickly detect unhealthy rulers to speed up the tutorial.
# heartbeat_period: 2s
# heartbeat_timeout: 10s
#
# alertmanager:
# data_dir: /data/alertmanager
# fallback_config_file: /etc/alertmanager-fallback-config.yaml
# external_url: http://localhost:9009/alertmanager
server:
log_level: warn
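Review bot: The header comments are left over from the upstream tutorial and no longer describe this file. They say the configuration is for demonstration only and that Mimir uses Minio, while the block below points at `s3.tobiasmanske.de` with templated credentials and receives the Prometheus `remote_write` traffic. I would replace them with something like `# Single-process Mimir (target: all); blocks are stored in the S3 endpoint below` and `# No authentication: tenants are selected only by X-Scope-OrgID, keep port 8080 internal`. The commented-out `ruler` and `alertmanager` blocks should either get a one-line reason for being kept or be removed.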


@ -0,0 +1,58 @@
global:
scrape_interval: 15s
scrape_timeout: 10s
evaluation_interval: 15s
alerting:
alertmanagers:
- scheme: http
static_configs:
- targets: [ 'alertmanager:9093' ]
- static_configs:
- targets: []
scheme: http
timeout: 10s
api_version: v1
rule_files:
- "/rules/*.yaml"
scrape_configs:
- job_name: prometheus
honor_timestamps: true
scrape_interval: 15s
scrape_timeout: 10s
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- localhost:9090
- job_name: 'service_discovery'
metric_relabel_configs:
- source_labels:
- "container_name"
target_label: "instance"
action: replace
file_sd_configs:
- files:
- /label_discovery/docker-targets.json
- job_name: minio-job
bearer_token: "{{ prometheus.scrape.s3.bearer_token }}"
metrics_path: /minio/v2/metrics/cluster
scheme: https
static_configs:
- targets: [s3.tobiasmanske.de]
- job_name: drone-job
bearer_token: "{{ prometheus.scrape.drone.bearer_token }}"
scheme: https
static_configs:
- targets: [drone.tobiasmanske.de]
- job_name: 'uptime-kuma-job'
scrape_interval: 30s
scheme: https
static_configs:
- targets: [status.tobiasmanske.de]
basic_auth:
username: "{{ prometheus.scrape.kuma.user }}"
password: "{{ prometheus.scrape.kuma.password }}"
remote_write:
- url: http://mimir:8080/api/v1/push
headers:
X-Scope-OrgID: host-nc-chaoswg-org
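Review bot: The `minio-job` and `drone-job` tokens and the `uptime-kuma-job` password are rendered inline into the main Prometheus config, so every copy of that file (volume, backup, debug dump) carries the scrape credentials. Prometheus can read them from separate files instead: `bearer_token_file: <path-to-token-file>` (or `authorization: { credentials_file: <path-to-token-file> }`) for the two token jobs and `password_file: <path-to-password-file>` under `basic_auth`. The paths are placeholders for files that would be templated separately with a restrictive mode. Separately, the second `alertmanagers` entry has an empty `targets` list and pins `api_version: v1`, which newer Prometheus releases no longer accept; it looks like it can be deleted.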


@ -0,0 +1,24 @@
positions:
filename: /positions.yaml
server:
http_listen_port: 8080
clients:
- url: http://loki:3100/loki/api/v1/push
scrape_configs:
- job_name: flog_scrape
docker_sd_configs:
- host: unix:///var/run/docker.sock
refresh_interval: 5s
# filters:
# - name: label
# values: ["logging=promtail"]
relabel_configs:
- source_labels: ['__meta_docker_container_name']
regex: '/(.*)'
target_label: 'container'
- source_labels: ['__meta_docker_container_log_stream']
target_label: 'logstream'
- source_labels: ['__meta_docker_container_label_logging_jobname']
target_label: 'job'
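Review bot: With the `filters` block commented out, `docker_sd_configs` discovers every container on the host, so the stdout/stderr of all of them is shipped to Loki, which in this commit runs with `auth_enabled: false`. Container logs often contain tokens or connection strings, so an opt-in label is the safer default. I would re-enable the three commented lines (`filters:`, `- name: label`, `values: ["logging=promtail"]`) and label the containers that should be collected. Reading `unix:///var/run/docker.sock` also gives Promtail the full Docker API, so the compose file, which is not visible here, should mount the socket read-only or place a restricted socket proxy in front of it.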


@ -0,0 +1,54 @@
# {% raw %}
groups:
- name: GoogleCadvisor
rules:
# - alert: ContainerKilled
# expr: 'time() - container_last_seen > 60'
# for: 0m
# labels:
# severity: warning
# annotations:
# summary: Container killed (instance {{ $labels.instance }})
# description: "A container has disappeared\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: ContainerAbsent
# expr: 'absent(container_last_seen)'
# for: 5m
# labels:
# severity: warning
# annotations:
# summary: Container absent (instance {{ $labels.instance }})
# description: "A container is absent for 5 min\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: ContainerCpuUsage
expr: '(sum(rate(container_cpu_usage_seconds_total{name!=""}[3m])) BY (instance, name) * 100) > 80'
for: 2m
labels:
severity: warning
annotations:
summary: Container CPU usage (instance {{ $labels.instance }})
description: "Container CPU usage is above 80%\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: ContainerMemoryUsage
expr: '(sum(container_memory_working_set_bytes{name!=""}) BY (instance, name) / sum(container_spec_memory_limit_bytes > 0) BY (instance, name) * 100) > 80'
for: 2m
labels:
severity: warning
annotations:
summary: Container Memory usage (instance {{ $labels.instance }})
description: "Container Memory usage is above 80%\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: ContainerVolumeUsage
# expr: '(1 - (sum(container_fs_inodes_free{name!=""}) BY (instance) / sum(container_fs_inodes_total) BY (instance))) * 100 > 80'
# for: 2m
# labels:
# severity: warning
# annotations:
# summary: Container Volume usage (instance {{ $labels.instance }})
# description: "Container Volume usage is above 80%\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: ContainerHighThrottleRate
expr: 'rate(container_cpu_cfs_throttled_seconds_total[3m]) > 1'
for: 2m
labels:
severity: warning
annotations:
summary: Container high throttle rate (instance {{ $labels.instance }})
description: "Container is being throttled\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# {% endraw %}


@ -0,0 +1,303 @@
# {% raw %}
groups:
- name: NodeExporter
rules:
- alert: HostOutOfMemory
expr: 'node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10'
for: 2m
labels:
severity: warning
annotations:
summary: Host out of memory (instance {{ $labels.instance }})
description: "Node memory is filling up (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostMemoryUnderMemoryPressure
expr: 'rate(node_vmstat_pgmajfault[1m]) > 1000'
for: 2m
labels:
severity: warning
annotations:
summary: Host memory under memory pressure (instance {{ $labels.instance }})
description: "The node is under heavy memory pressure. High rate of major page faults\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: HostMemoryIsUnderUtilized
# expr: '100 - (rate(node_memory_MemAvailable_bytes[30m]) / node_memory_MemTotal_bytes * 100) < 20'
# for: 1w
# labels:
# severity: info
# annotations:
# summary: Host Memory is under utilized (instance {{ $labels.instance }})
# description: "Node memory is < 20% for 1 week. Consider reducing memory space.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualNetworkThroughputIn
expr: 'sum by (instance) (rate(node_network_receive_bytes_total[2m])) / 1024 / 1024 > 100'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual network throughput in (instance {{ $labels.instance }})
description: "Host network interfaces are probably receiving too much data (> 100 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualNetworkThroughputOut
expr: 'sum by (instance) (rate(node_network_transmit_bytes_total[2m])) / 1024 / 1024 > 100'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual network throughput out (instance {{ $labels.instance }})
description: "Host network interfaces are probably sending too much data (> 100 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskReadRate
expr: 'sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual disk read rate (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskWriteRate
expr: 'sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50'
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk write rate (instance {{ $labels.instance }})
description: "Disk is probably writing too much data (> 50 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostOutOfDiskSpace
expr: '(node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host out of disk space (instance {{ $labels.instance }})
description: "Disk is almost full (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostDiskWillFillIn24Hours
expr: '(node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) predict_linear(node_filesystem_avail_bytes{fstype!~"tmpfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly == 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host disk will fill in 24 hours (instance {{ $labels.instance }})
description: "Filesystem is predicted to run out of space within the next 24 hours at current write rate\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostOutOfInodes
expr: 'node_filesystem_files_free / node_filesystem_files * 100 < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host out of inodes (instance {{ $labels.instance }})
description: "Disk is almost running out of available inodes (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostInodesWillFillIn24Hours
expr: 'node_filesystem_files_free / node_filesystem_files * 100 < 10 and predict_linear(node_filesystem_files_free[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly == 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host inodes will fill in 24 hours (instance {{ $labels.instance }})
description: "Filesystem is predicted to run out of inodes within the next 24 hours at current write rate\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskReadLatency
expr: 'rate(node_disk_read_time_seconds_total[1m]) / rate(node_disk_reads_completed_total[1m]) > 0.1 and rate(node_disk_reads_completed_total[1m]) > 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk read latency (instance {{ $labels.instance }})
description: "Disk latency is growing (read operations > 100ms)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskWriteLatency
expr: 'rate(node_disk_write_time_seconds_total[1m]) / rate(node_disk_writes_completed_total[1m]) > 0.1 and rate(node_disk_writes_completed_total[1m]) > 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk write latency (instance {{ $labels.instance }})
description: "Disk latency is growing (write operations > 100ms)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostHighCpuLoad
expr: '(100 - (avg by(instance) (rate(node_cpu_seconds_total{mode="idle"}[2m])) * 100)) > 80'
for: 2m
labels:
severity: warning
annotations:
summary: Host high CPU load (instance {{ $labels.instance }})
description: "CPU load is > 80%\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: HostCpuIsUnderUtilized
# expr: '100 - (rate(node_cpu_seconds_total{mode="idle"}[30m]) * 100) < 20'
# for: 1w
# labels:
# severity: info
# annotations:
# summary: Host CPU is under utilized (instance {{ $labels.instance }})
# description: "CPU load is < 20% for 1 week. Consider reducing the number of CPUs.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostCpuStealNoisyNeighbor
expr: 'avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10'
for: 0m
labels:
severity: warning
annotations:
summary: Host CPU steal noisy neighbor (instance {{ $labels.instance }})
description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostCpuHighIowait
expr: 'avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m])) * 100 > 15'
for: 0m
labels:
severity: warning
annotations:
summary: Host CPU high iowait (instance {{ $labels.instance }})
description: "CPU iowait > 15%. A high iowait means that you are disk or network bound.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskIo
expr: 'rate(node_disk_io_time_seconds_total[1m]) > 0.5'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual disk IO (instance {{ $labels.instance }})
description: "Time spent in IO is too high on {{ $labels.instance }}. Check storage for issues.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: HostContextSwitching
# expr: '(rate(node_context_switches_total[5m])) / (count without(cpu, mode) (node_cpu_seconds_total{mode="idle"})) > 1000'
# for: 0m
# labels:
# severity: warning
# annotations:
# summary: Host context switching (instance {{ $labels.instance }})
# description: "Context switching is growing on node (> 1000 / s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostSwapIsFillingUp
expr: '(1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes)) * 100 > 80'
for: 2m
labels:
severity: warning
annotations:
summary: Host swap is filling up (instance {{ $labels.instance }})
description: "Swap is filling up (>80%)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostSystemdServiceCrashed
expr: 'node_systemd_unit_state{state="failed"} == 1'
for: 0m
labels:
severity: warning
annotations:
summary: Host systemd service crashed (instance {{ $labels.instance }})
description: "systemd service crashed\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostPhysicalComponentTooHot
expr: 'node_hwmon_temp_celsius * ignoring(label) group_left(instance, job, node, sensor) node_hwmon_sensor_label{label!="tctl"} > 75'
for: 5m
labels:
severity: warning
annotations:
summary: Host physical component too hot (instance {{ $labels.instance }})
description: "Physical hardware component too hot\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNodeOvertemperatureAlarm
expr: 'node_hwmon_temp_crit_alarm_celsius == 1'
for: 0m
labels:
severity: critical
annotations:
summary: Host node overtemperature alarm (instance {{ $labels.instance }})
description: "Physical node temperature alarm triggered\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostRaidArrayGotInactive
expr: 'node_md_state{state="inactive"} > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Host RAID array got inactive (instance {{ $labels.instance }})
description: "RAID array {{ $labels.device }} is in degraded state due to one or more disks failures. Number of spare drives is insufficient to fix issue automatically.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostRaidDiskFailure
expr: 'node_md_disks{state="failed"} > 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host RAID disk failure (instance {{ $labels.instance }})
description: "At least one device in RAID array on {{ $labels.instance }} failed. Array {{ $labels.md_device }} needs attention and possibly a disk swap\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostKernelVersionDeviations
expr: 'count(sum(label_replace(node_uname_info, "kernel", "$1", "release", "([0-9]+.[0-9]+.[0-9]+).*")) by (kernel)) > 1'
for: 6h
labels:
severity: warning
annotations:
summary: Host kernel version deviations (instance {{ $labels.instance }})
description: "Different kernel versions are running\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostOomKillDetected
expr: 'increase(node_vmstat_oom_kill[1m]) > 0'
for: 0m
labels:
severity: warning
annotations:
summary: Host OOM kill detected (instance {{ $labels.instance }})
description: "OOM kill detected\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostEdacCorrectableErrorsDetected
expr: 'increase(node_edac_correctable_errors_total[1m]) > 0'
for: 0m
labels:
severity: info
annotations:
summary: Host EDAC Correctable Errors detected (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} has had {{ printf \"%.0f\" $value }} correctable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostEdacUncorrectableErrorsDetected
expr: 'node_edac_uncorrectable_errors_total > 0'
for: 0m
labels:
severity: warning
annotations:
summary: Host EDAC Uncorrectable Errors detected (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} has had {{ printf \"%.0f\" $value }} uncorrectable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkReceiveErrors
expr: 'rate(node_network_receive_errs_total[2m]) / rate(node_network_receive_packets_total[2m]) > 0.01'
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Receive Errors (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf \"%.0f\" $value }} receive errors in the last two minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkTransmitErrors
expr: 'rate(node_network_transmit_errs_total[2m]) / rate(node_network_transmit_packets_total[2m]) > 0.01'
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Transmit Errors (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf \"%.0f\" $value }} transmit errors in the last two minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkInterfaceSaturated
expr: '(rate(node_network_receive_bytes_total{device!~"^tap.*|^vnet.*|^veth.*|^tun.*"}[1m]) + rate(node_network_transmit_bytes_total{device!~"^tap.*|^vnet.*|^veth.*|^tun.*"}[1m])) / node_network_speed_bytes{device!~"^tap.*|^vnet.*|^veth.*|^tun.*"} > 0.8 < 10000'
for: 1m
labels:
severity: warning
annotations:
summary: Host Network Interface Saturated (instance {{ $labels.instance }})
description: "The network interface \"{{ $labels.device }}\" on \"{{ $labels.instance }}\" is getting overloaded.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkBondDegraded
expr: '(node_bonding_active - node_bonding_slaves) != 0'
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Bond Degraded (instance {{ $labels.instance }})
description: "Bond \"{{ $labels.device }}\" degraded on \"{{ $labels.instance }}\".\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostConntrackLimit
expr: 'node_nf_conntrack_entries / node_nf_conntrack_entries_limit > 0.8'
for: 5m
labels:
severity: warning
annotations:
summary: Host conntrack limit (instance {{ $labels.instance }})
description: "The number of conntrack is approaching limit\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostClockSkew
expr: '(node_timex_offset_seconds > 0.05 and deriv(node_timex_offset_seconds[5m]) >= 0) or (node_timex_offset_seconds < -0.05 and deriv(node_timex_offset_seconds[5m]) <= 0)'
for: 2m
labels:
severity: warning
annotations:
summary: Host clock skew (instance {{ $labels.instance }})
description: "Clock skew detected. Clock is out of sync. Ensure NTP is configured correctly on this host.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostClockNotSynchronising
expr: 'min_over_time(node_timex_sync_status[1m]) == 0 and node_timex_maxerror_seconds >= 16'
for: 2m
labels:
severity: warning
annotations:
summary: Host clock not synchronising (instance {{ $labels.instance }})
description: "Clock not synchronising. Ensure NTP is configured on this host.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostRequiresReboot
expr: 'node_reboot_required > 0'
for: 4h
labels:
severity: info
annotations:
summary: Host requires reboot (instance {{ $labels.instance }})
description: "{{ $labels.instance }} requires a reboot.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# {% endraw %}
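Review bot: The two EDAC rules describe a window that their expressions do not use. `HostEdacCorrectableErrorsDetected` says "in the last 5 minutes" but evaluates `increase(...[1m])`. `HostEdacUncorrectableErrorsDetected` compares the raw counter `node_edac_uncorrectable_errors_total > 0`, so it stays firing after the first error until the counter resets, yet its text also says "in the last 5 minutes". Either change the expressions to `increase(node_edac_correctable_errors_total[5m]) > 0` and `increase(node_edac_uncorrectable_errors_total[5m]) > 0`, or reword the descriptions to match what is measured. In `HostKernelVersionDeviations` the dots in `([0-9]+.[0-9]+.[0-9]+).*` are unescaped and match any character; `[0-9]+\\.[0-9]+\\.[0-9]+` states the intent.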


@ -0,0 +1,231 @@
# {% raw %}
groups:
- name: EmbeddedExporter
rules:
- alert: PrometheusJobMissing
expr: 'absent(up{job="prometheus"})'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus job missing (instance {{ $labels.instance }})
description: "A Prometheus job has disappeared\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTargetMissing
expr: 'up == 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus target missing (instance {{ $labels.instance }})
description: "A Prometheus target has disappeared. An exporter might be crashed.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusAllTargetsMissing
expr: 'sum by (job) (up) == 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus all targets missing (instance {{ $labels.instance }})
description: "A Prometheus job does not have living target anymore.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTargetMissingWithWarmupTime
expr: 'sum by (instance, job) ((up == 0) * on (instance) group_right(job) (node_time_seconds - node_boot_time_seconds > 600))'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus target missing with warmup time (instance {{ $labels.instance }})
description: "Allow a job time to start up (10 minutes) before alerting that it's down.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusConfigurationReloadFailure
expr: 'prometheus_config_last_reload_successful != 1'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus configuration reload failure (instance {{ $labels.instance }})
description: "Prometheus configuration reload error\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTooManyRestarts
expr: 'changes(process_start_time_seconds{job=~"prometheus|pushgateway|alertmanager"}[15m]) > 2'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus too many restarts (instance {{ $labels.instance }})
description: "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: PrometheusAlertmanagerJobMissing
# expr: 'absent(up{job="alertmanager"})'
# for: 0m
# labels:
# severity: warning
# annotations:
# summary: Prometheus AlertManager job missing (instance {{ $labels.instance }})
# description: "A Prometheus AlertManager job has disappeared\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusAlertmanagerConfigurationReloadFailure
expr: 'alertmanager_config_last_reload_successful != 1'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus AlertManager configuration reload failure (instance {{ $labels.instance }})
description: "AlertManager configuration reload error\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusAlertmanagerConfigNotSynced
expr: 'count(count_values("config_hash", alertmanager_config_hash)) > 1'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus AlertManager config not synced (instance {{ $labels.instance }})
description: "Configurations of AlertManager cluster instances are out of sync\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusAlertmanagerE2eDeadManSwitch
expr: 'vector(1)'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus AlertManager E2E dead man switch (instance {{ $labels.instance }})
description: "Prometheus DeadManSwitch is an always-firing alert. It's used as an end-to-end test of Prometheus through the Alertmanager.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusNotConnectedToAlertmanager
expr: 'prometheus_notifications_alertmanagers_discovered < 1'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus not connected to alertmanager (instance {{ $labels.instance }})
description: "Prometheus cannot connect the alertmanager\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusRuleEvaluationFailures
expr: 'increase(prometheus_rule_evaluation_failures_total[3m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus rule evaluation failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTemplateTextExpansionFailures
expr: 'increase(prometheus_template_text_expansion_failures_total[3m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus template text expansion failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} template text expansion failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusRuleEvaluationSlow
expr: 'prometheus_rule_group_last_duration_seconds > prometheus_rule_group_interval_seconds'
for: 5m
labels:
severity: warning
annotations:
summary: Prometheus rule evaluation slow (instance {{ $labels.instance }})
description: "Prometheus rule evaluation took more time than the scheduled interval. It indicates a slower storage backend access or too complex query.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusNotificationsBacklog
expr: 'min_over_time(prometheus_notifications_queue_length[10m]) > 0'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus notifications backlog (instance {{ $labels.instance }})
description: "The Prometheus notification queue has not been empty for 10 minutes\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusAlertmanagerNotificationFailing
expr: 'rate(alertmanager_notifications_failed_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus AlertManager notification failing (instance {{ $labels.instance }})
description: "Alertmanager is failing sending notifications\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# - alert: PrometheusTargetEmpty
# expr: 'prometheus_sd_discovered_targets == 0'
# for: 0m
# labels:
# severity: critical
# annotations:
# summary: Prometheus target empty (instance {{ $labels.instance }})
# description: "Prometheus has no target in service discovery\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTargetScrapingSlow
expr: 'prometheus_target_interval_length_seconds{quantile="0.9"} / on (interval, instance, job) prometheus_target_interval_length_seconds{quantile="0.5"} > 1.05'
for: 5m
labels:
severity: warning
annotations:
summary: Prometheus target scraping slow (instance {{ $labels.instance }})
description: "Prometheus is scraping exporters slowly since it exceeded the requested interval time. Your Prometheus server is under-provisioned.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusLargeScrape
expr: 'increase(prometheus_target_scrapes_exceeded_sample_limit_total[10m]) > 10'
for: 5m
labels:
severity: warning
annotations:
summary: Prometheus large scrape (instance {{ $labels.instance }})
description: "Prometheus has many scrapes that exceed the sample limit\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTargetScrapeDuplicate
expr: 'increase(prometheus_target_scrapes_sample_duplicate_timestamp_total[5m]) > 0'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus target scrape duplicate (instance {{ $labels.instance }})
description: "Prometheus has many samples rejected due to duplicate timestamps but different values\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbCheckpointCreationFailures
expr: 'increase(prometheus_tsdb_checkpoint_creations_failed_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB checkpoint creation failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} checkpoint creation failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbCheckpointDeletionFailures
expr: 'increase(prometheus_tsdb_checkpoint_deletions_failed_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB checkpoint deletion failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} checkpoint deletion failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbCompactionsFailed
expr: 'increase(prometheus_tsdb_compactions_failed_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB compactions failed (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB compactions failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbHeadTruncationsFailed
expr: 'increase(prometheus_tsdb_head_truncations_failed_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB head truncations failed (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB head truncation failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbReloadFailures
expr: 'increase(prometheus_tsdb_reloads_failures_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB reload failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB reload failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbWalCorruptions
expr: 'increase(prometheus_tsdb_wal_corruptions_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB WAL corruptions (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB WAL corruptions\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTsdbWalTruncationsFailed
expr: 'increase(prometheus_tsdb_wal_truncations_failed_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB WAL truncations failed (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB WAL truncation failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: PrometheusTimeserieCardinality
expr: 'label_replace(count by(__name__) ({__name__=~".+"}), "name", "$1", "__name__", "(.+)") > 10000'
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus timeserie cardinality (instance {{ $labels.instance }})
description: "The \"{{ $labels.name }}\" timeserie cardinality is getting very high: {{ $value }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
# {% endraw %}
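Review bot: `PrometheusAlertmanagerE2eDeadManSwitch` fires permanently (`expr: 'vector(1)'`) with `severity: critical`, so unless Alertmanager routes it separately it will sit in the same receiver as real critical alerts and train people to ignore that channel. A dead man's switch is only useful when an external watchdog raises an alarm if the heartbeat stops arriving. The Alertmanager routing is not part of this section, so confirm there is a dedicated route for this alert name. Giving it its own label, for example `severity: none` plus `heartbeat: "true"`, makes that route easy to match. Several rules here (`PrometheusTargetMissing`, `PrometheusAllTargetsMissing`) use `for: 0m` on `up == 0`, which will notify on a single failed scrape; `for: 2m` would avoid paging on one missed scrape.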


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=radicale


@ -0,0 +1,122 @@
# -*- mode: conf -*-
# vim:ft=cfg
# Config file for Radicale - A simple calendar server
#
# Place it into /etc/radicale/config (global)
# or ~/.config/radicale/config (user)
#
# The current values are the default ones
[server]
# CalDAV server hostnames separated by a comma
# IPv4 syntax: address:port
# IPv6 syntax: [address]:port
# For example: 0.0.0.0:9999, [::]:9999
#hosts = localhost:5232
hosts = 0.0.0.0:5232
# Max parallel connections
#max_connections = 8
# Max size of request body (bytes)
#max_content_length = 100000000
# Socket timeout (seconds)
#timeout = 30
# SSL flag, enable HTTPS protocol
#ssl = False
# SSL certificate path
#certificate = /etc/ssl/radicale.cert.pem
# SSL private key
#key = /etc/ssl/radicale.key.pem
# CA certificate for validating clients. This can be used to secure
# TCP traffic between Radicale and a reverse proxy
#certificate_authority =
[encoding]
# Encoding for responding requests
#request = utf-8
# Encoding for storing local collections
#stock = utf-8
[auth]
# Authentication method
# Value: none | htpasswd | remote_user | http_x_remote_user
type = htpasswd
# Htpasswd filename
htpasswd_filename = /config/users
# Htpasswd encryption method
# Value: plain | bcrypt | md5
# bcrypt requires the installation of radicale[bcrypt].
htpasswd_encryption = bcrypt
# Incorrect authentication delay (seconds)
#delay = 1
# Message displayed in the client when a password is needed
realm = Radicale - Password Required
[rights]
# Rights backend
# Value: none | authenticated | owner_only | owner_write | from_file
type = owner_only
# File for rights management from_file
#file = /etc/radicale/rights
[storage]
# Storage backend
# Value: multifilesystem | multifilesystem_nolock
#type = multifilesystem
# Folder for storing local collections, created if not present
#filesystem_folder = /var/lib/radicale/collections
filesystem_folder = /data/collections
# Delete sync token that are older (seconds)
#max_sync_token_age = 2592000
# Command that is run after changes to storage
# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
hook = ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
[web]
# Web interface backend
# Value: none | internal
#type = internal
[logging]
# Threshold for the logger
# Value: debug | info | warning | error | critical
#level = warning
# Don't include passwords in logs
#mask_passwords = True
[headers]
# Additional HTTP headers
#Access-Control-Allow-Origin = *
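Review bot: The `hook` line in `[storage]` substitutes `%(user)s` into a shell command outside the double quotes, so it is only safe if the Radicale build in the image shell-quotes that value before substitution. Upstream releases appear to do so, but the image here is a private `:latest` build, so this is worth confirming and recording above the key, e.g. `# relies on Radicale shell-quoting %(user)s before running the hook`. Separately, `hosts = 0.0.0.0:5232` with `ssl` left at its default of `False` means the htpasswd credentials cross the container network unencrypted, so the port should stay reachable only through the TLS-terminating proxy.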


@ -0,0 +1,36 @@
---
version: "3.4"
services:
radicale:
image: registry.tobiasmanske.de/radicale:latest
init: true
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- SETUID
- SETGID
- KILL
healthcheck:
test: curl -f http://127.0.0.1:5232 || exit 1
interval: 30s
retries: 3
volumes:
- ./config:/config/config:ro,Z
- ./users:/config/users:ro,Z
- data:/data
environment:
- TAKE_FILE_OWNERSHIP=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.radicale.rule=Host(`calendar.tobiasmanske.de`)"
- "traefik.http.routers.radicale.entryPoints=websecure"
- "traefik.http.services.radicale.loadbalancer.server.port=5232"
restart: always
volumes:
data:
...
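Review bot: `image: registry.tobiasmanske.de/radicale:latest` is a mutable tag, so a container that is otherwise locked down (`read_only`, `cap_drop: ALL`, `no-new-privileges`) can still change content on the next pull without a reviewable diff. Pinning to a version tag or digest, e.g. `image: registry.tobiasmanske.de/radicale:<version>@sha256:<digest>` (placeholders), keeps deployments reproducible and auditable. The same applies to `searxng/searxng:latest` and `redis:alpine` in the SearXNG compose file, and to a lesser degree to the floating major tags `registry:2`, `cesanta/docker_auth:1` and `caddy:2`. The healthcheck also assumes `curl` is present in the image; if it is not, the container will be reported unhealthy.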


@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
62313133646234613734343031616261396636356563363934653635373435613237623833643733
6233383934636436323037393533326335366434623764320a653531306439306337363839356535
63646637396437333335343666653463616437316338313933333236373537623036376266333564
3334323432656261340a393336323737653333306136313337323064653033656533356262636461
39663138623639373965353862363836626266633139656132636233353334613939303764306539
36393534663466653863383037393534666138316666326264353165643136333635363761316135
38383062343062653963666639343137633466623232386264636437386136366338353538306139
39623065616461373237


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=registry


@ -0,0 +1,39 @@
# To configure Docker Registry to talk to this server, put the following in the registry config file:
#
# auth:
# token:
# realm: "https://127.0.0.1:5001/auth"
# service: "Docker registry"
# issuer: "Acme auth server"
# autoredirect: false
# rootcertbundle: "/path/to/server.pem"
server: # Server settings.
addr: ":5001"
token: # Settings for the tokens.
issuer: "docker-auth" # Must match issuer in the Registry config.
expiration: 900
certificate: "/server.pem"
key: "/server.key"
users:
# {% for entry in registry.auth %}
"{{ entry.user }}":
password: "{{ entry.password }}"
# {% endfor %}
"": {}
acl:
- match: {account: "tobi"}
actions: ["*"]
comment: "Admin has full access to everything."
- match: {account: "user"}
actions: ["*"] # todo: Split off gitea
comment: "User \"user\" can pull stuff."
- match: {account: "", name: "public/*"}
actions: ["pull"]
comment: "Allow everyone to pull public/"
- match: {account: "", name: "git"}
actions: ["pull"]
comment: "Allow everyone to pull the git image"
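Review bot: The ACL entry for account `user` grants `actions: ["*"]` while its comment says the account "can pull stuff", so that account can also push and, because the registry config in this commit sets `delete: enabled: true`, delete images in any repository. Until the split mentioned in the todo is done, I would make the rule match its comment with `actions: ["pull"]`, or limit the write access with a `name:` pattern in `match`. The `password` values rendered from `registry.auth` should be bcrypt hashes rather than clear text, which is what docker_auth's static user list expects as far as I know. A comment saying so next to the template loop would prevent a mistake when users are added.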


@ -0,0 +1,34 @@
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
delete:
enabled: true
auth:
token:
realm: "https://registry-auth.tobiasmanske.de/auth"
service: "Docker registry"
issuer: "docker-auth"
autoredirect: false
rootcertbundle: "/server.pem"
http:
addr: :5000
headers:
Access-Control-Expose-Headers: ['Docker-Content-Digest']
Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
Access-Control-Allow-Origin: ['https://registry-ui.tobiasmanske.de']
Access-Control-Allow-Credentials: [true]
Access-Control-Allow-Headers: ['Authorization', 'Accept']
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3


@ -0,0 +1,47 @@
---
services:
registry:
container_name: registry
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.registry.rule=Host(`registry.tobiasmanske.de`)"
- "traefik.http.routers.registry.entryPoints=websecure"
- "traefik.http.services.registry.loadbalancer.server.port=5000"
image: 'registry:2'
networks:
- backend
volumes:
- registry_data:/var/lib/registry
- ./config.yaml:/etc/docker/registry/config.yml:ro,z
- ./server.pem:/server.pem:ro,Z
auth:
restart: always
image: 'cesanta/docker_auth:1'
command:
- '--logtostderr'
- '/config/auth_config.yaml'
labels:
- "traefik.enable=true"
- "traefik.http.routers.registry-auth.rule=Host(`registry-auth.tobiasmanske.de`)"
- "traefik.http.routers.registry-auth.entryPoints=websecure"
- "traefik.http.services.registry-auth.loadbalancer.server.port=5001"
- "traefik.http.middlewares.registry-auth-headers.headers.accesscontrolalloworiginlist=https://registry-ui.tobiasmanske.de"
- "traefik.http.middlewares.registry-auth-headers.headers.accesscontrolallowheaders=Authorization,Accept,Cache-Control"
- "traefik.http.middlewares.registry-auth-headers.headers.accesscontrolallowmethods=HEAD,GET,OPTIONS,DELETE"
- "traefik.http.routers.registry-auth.middlewares=registry-auth-headers"
networks:
- backend
volumes:
- ./auth_config.yaml:/config/auth_config.yaml:ro,Z
- ./server.pem:/server.pem:ro,Z
- ./server.key:/server.key:ro,Z
volumes:
registry_data:
networks:
backend:
internal: true
...
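Review bot: Neither `registry` nor `auth` drops privileges, although `auth` holds the token signing key (`./server.key`) and both are published through Traefik; the Radicale compose file in this commit already sets the pattern. I would add `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` to both services and then check that the images still start, since neither listens on a privileged port (5000 and 5001). The `redirect` service in the repo proxy compose file and `searxng` in the SearXNG one have the same gap. Also, both services attach only to `backend`, which is `internal: true`; presumably Traefik is joined to that network elsewhere, otherwise the routers cannot reach them.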


@ -0,0 +1,169 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
33343736613436623665366662633737343037373161643436313637386339613438343038393864
3532626339613437353637326237366362343533613664630a626334636365623437663435633464
32623066663064646239613537356536616462343035383661346637333061333638636538376235
3136393736656433320a653836623139306137353264626531653031333464376434626536363937
37646363663730333264613766653031393233386333656438663238383730333636363938393739
64363530393337353733666236343031343135636431386161336433343431303631336134343861
39343430633265313532383336633362646131373934306636303434623137663764373263623539
33356137326139616134616636383466623134383064613137633264656331356637363630643436
31376632386565663735336364623830303461623561326165613039663837636362613664393836
34366366303763303734623932306235613032353933666130616262663238386437633032636562
35653936333565303335653463623438656134626134613331326363626365396539343237393433
32333834616637303437313965366230623338623664306361616435663434666236373463336161
33656561646261363866363663383065663961303165656638353838313531623731303864333862
32363332663561333564633264656666343162626333373930623931373435353664633931333736
39633330623734353039636635333762616634646635623264313363643639346632326661613035
39373365666338623338343562363939623231663365393034666531646436336165323633623065
32663536313465326231646138616133333433353166653465306662326264656663343635663964
64636134393939363931303132393466656561353262613435316438316532653766363265326661
65663832366563623065383739666139653861313632613234643337336533653263393034346265
37323063383534373734616236393138383134663531356265313638643137303732613939373230
64636433323063633165316637373661383566386430393831386561363361383564363964633439
66353537376366373437346332376536623165396166326661356236613364613162373164336465
39616266366530336532623130346633383738626438386139656436323065336132666561336162
64626462656266383165663264363264333462346232643533353763356539313236343739333364
33376461313330303632386539666637383965353161323037383866626330623236633265326562
65623039646164383766656362303435316131656165353963313538323037623265653464383330
39643063643438666664303065636535396133653230366366333832343937396339363931656138
34636262633065636339633339316465383136326362626536613234373938333162353264313631
38623138306333343266616631653531646537646264343634366431313463316366396461633335
66623132623938343730313861323866306562616561623731663330666437616235373037323564
38653236663461373734323665623864616432613935383365636330343662316437333834643665
32376437646330333430363436346435666330343130393937333365396466333930336562613561
35343730626663636466316235663363636633656633303535303965346639316531616436333632
36633265633264316263643137633336613830653239653730333364353431313030333636313632
64353130633837663531346333623439383263663766326664386230303239323831636436353636
62373164343938343335613063363865656532666335653264343634393330613164386235383135
32653439663161353865323532363638303362386639636430656231336363373861333133616136
31646666333030343738636538393230346432616130613034663766353661313964633737383236
62323637363763356336633161353531633839356434626439323561383736383032313162313664
33343330663662356536613130356630376563353836613031313662383961326636353961643638
39383765396165393437373261636562353231326564313764393962656537386435613166353965
32663936306438663462313538353631613666633238636136356363613738353164373661313562
34383663633436333337626333376363653861613863613466343363343833336462363830646133
35336466366133343337623936316638626232303932333230633836616566666535313934383932
61643930303163396431653362373464383362366262303639623633653933386265333462313735
62313165373061353462393265646135353039633837326564396630613164373236653364643337
30643735356165333464396139633766303631613565386433633835623132666337333330353630
32656365373731353030636566623461353431313633666565616564393165353933326436333063
34653839643666366639323032393733346366356363633363626265316364393962333033666235
33353564333830663137646363326263396162323831383635303262333130636464633863343534
63323163643966316634656664653432353037396337383465353238663636393630313962383933
32306639636462333662363437643839333562613161663639363664316433613736383236386439
64303038363638333566363733633636633633633261393664633130383435306235396430613536
30623866323137333130323164313561313630333830616365366537303634666666313538303261
33643433393264633537643039303030383166343738353733303734613563343235363566623664
39633861333438363237653266353561333530363338303133333762643537663434656264623366
32313132396163353536356662393431323837393532656464616132646365343866656464613235
61656139626566316534666439393565323766616132616136336633643232336334373637383839
36343361333434633335376537333236643965336364636334353764363461616264653761356464
37333961653034626235336264353532313236613034343661303162613437316433393134333737
39653638383037623564663334306565343739373162366661313737323666393938366639343363
62373965616530653664383963303239333236653534643061656134313136336334613731353439
64336463396134333132336166353838633137333732363634356634343534373339663335646530
33636238353734303135306437343634306631386363366665633136663134663339613362353966
39343938336537303232626334313130623836366530346662386263343262616236616130363762
37653032656465646136626432303630626663393832656336383064623163356535616535663364
66373661326666663435313239333066616237396130303765363764626330393231663130616365
31383261373734373761643366636666346433316537663630643461326263633430343863323965
61646535643632353433323961633230626235393865363336383732326333356338653838383066
36386333343664633135386232626439316664393732623263306534623565643138356430366139
34316635656461333363643737386638326661633935646234616638323537303765393833346131
34356639346638633539643166373234633233366433343966316332333765643431316466303666
64326538666638346561306563653137343961373861643738383466313335666336393465623265
33656335316261386137326238346333613065333165666239333562373865623539376262653362
39636362333262396237316438353566643038353435303537646432326238313539343862396364
35656433393230303435616230623065633232313461313937653262303032386664376464383564
38653134666661666161323366343633333037353832323233613366616439643764343765306332
39303437626635616661646330653165313131643535353737303562626439653337343639363535
36306133333434666362613232656233633831386634373132646236373264653963326162383136
36333334363239333364623362646462336162326364663633383135666535636335326237363863
32333934376566363134613534616136666462343733383034633961356366663635393632383963
38646635616131313533306433633137666132653634643161623135626538373761306464383531
31303263666363613565363262643361336335333432366362363932633866316332303031383230
33333339613337333766306266366464376332626366366166343664356337343531656438343732
36636536376539363638386364616566653061356265323364393465616433616664383330346262
62646539356264376130383165306132356665623237323430323834653636383430633763636639
30616136353935333335656532306133613662633763613734333464333436396133666562633236
33356437303230386561343934613161343938356534653262633435363564343531613363363233
35663236393033393566303637613834383162633366396633343465666565363838383637626664
61353236616136366630353532313139363034646265666537643239633930623664666561613433
34376163316665613961333330623935373164373763623466646661306662646130366561383535
64393431653963343733666165343935326332373766656466323533373039623730356334363237
31343333663263323461396537666364373131323537303133383334633166333030643664346232
34346535316432383837333863346134393063303934343039393633343466653632666335373738
32646163373733303565663866373466346539633437356561393430663037343833383033393864
39363432353139383331323565633036313666313464643866656636313630303232663035653863
63323862643730623039343438613564366236636266346534643632653865613663663133663639
65343564633562353963333161386337633037626463653066303862366365306132346535393937
64353464666265383365346231363261396332666262313564396635333265333636613566393536
31336134383063633861656639636337376631373566623635376663326536363665323461663238
38383836316431353730623836376334303966616435396131363166306336343065376632393038
30353437623733313339343562613832383135626133353863653231313631346139313737373761
31386632303632633635326262613239343332393536323266633531653939623331656462303466
35363634626332333235383461376237396139326661376135366330623834626435373932326438
37623232646365313730333336646363323236323061663665343932323133623833643133636435
35636639303939303165383135633537616333336436303061663161663735623561323062663838
31303462636634336564363731333463613833363464616637393134363234383432643064386166
63383933633065343766363132393735356661626231333765666638626638613233396262313465
32376266373566333066656134313235336335373064383739393132383636346630636632663236
36643035396433386535363536613632333961336337656136376262383537636636336130356537
33366637346362663030323936623462633664646666393236373031313761623636663438363664
31373265343131396566653464306237333335643031343362613966306364396338383162393332
35346230333136653361646432343065653935386137373939636465366637623232623064323136
31653430383563343861663734633634393133333737393130613962616234303061643365346137
37383131656164636164343836623034663062613766323963343362393935326130623764316232
35393364306362616266633764623263323166643963306366643539663839383435366432363332
34326339336231663462376562653535623439333336656461326563393335613366616136333731
63383362363036323864333531396533356134656139353761626565383864313939643461626439
33643966353963393433376333303666306162663335333162333936373934363637313961383139
61366633613431393266346531386539323639663766643366306436353039386631623565333734
66383131663330633563363233643136346432303465373838346534336165303633306238383230
31313763373765353436346233373164653361306266653130356133626334623832363335376433
37663331303939393561303264333330383366363532303065643839656239323762616662643135
64313362373536653836376135323630663332646564376232656262643634633230663464653139
39346536653963666166353766343364616264383032306138623766613132336431633332326337
66623165663733386338666139373062323638316561396637376665333938323262363362323265
61343762303336363465353732653562313134626639613836333733666530376236613939663937
34353133333732663663383934613537613534396431663964333666613432613138626361333732
65356137616331323235353661623237316235393436353437336463393861366631326234663264
38366465353261313966396532626134656331633032363064313165376563346535623765626264
38336564346132343936653430643332313837353739313437383030373662663366396366663034
36313734336231316663376162623963306665393764373034643866306639356534323261306461
39633961366663383765353337323131336437396464393132303137386437636462623739383662
39313535616632666135623230373135323537636538323737356134613130303365306335663237
61666661313936363333303332333933626130613462303037616265663362653431626137623536
63383265393061383465333364653530396534363561353531323965323033353836666430306630
35383162643733306664373238333235303835646462623464383834373533333861366565303532
33616238333330396330393136636666363738376639373437353966363361636433383664623833
39623863383965393736623935396330353164383663376137343663396439316636653566313837
37623763616462343761343936636332633966393233363165636231326163316630323033366663
33386534643735373831333463336461656135373162623162306532646130306362373937353936
38633939333361643965626435626230643164316132373033336566633536316661353861663030
31663764346137346135396162623262303832323739313163393963623363393935653838343935
33313263616639326265363661303538393963353765613365623237383630353539393238393430
66323832646331303134643739343735353064356539363961303131383034323738633733633134
61333337356431653163613438353261393064373737396537393961383436643036313933396638
38393763303461306338336366646463666134326466653630303035373361313037383461646134
39316132346564303936356134613530396138303536343862323664373661316338323735663034
30333036343133346534653533646537363532623536666237636436646138373439393936393461
66643863336235646532393165663433306465386438666433346532376466393065636632626461
61316661643132656563623861363630653862636335316531626466373565373261633234643132
64386133613937316439386466653236626632313531363339623866363839366464633162376638
38333039343637316462616236346538626361353632343737383931313133333139653533363136
66643938353235613861653838333638623336373431613631363838646434383062306534643330
33313430366335363335336465623132313438333332323630343835633835373235323239303032
31346563303061333836653361373066343061376664616232643333613461666132336261333564
36616265313135353634363066386165393762653433396232393133383261656231333761326431
64356261353736336162316161396665346466393935386161303264376665396537376631656237
37383963383639653839333761393639333438383061623732373839393634386366653666386436
32346235613935666232643764623834323732326361383765623935313565386664616439363063
35366434393766313239343662333632356430613136393233343064633262623735376530613239
31376636386232306265613435623965336437383166633166316235333530653861343533366362
30316564653332306335376137623430653930333135653737386332386330313937333730323232
36666332636438663733396464656337303634656565363932363039386231656261646437343137
32376338326362356537616232336638623936306164643166383837653464323534313234396463
33666562343135386432633966636134333063363765356132323131393738643030326633626565
62626363666662306362323964326435653631323535393031306132366637313465323330633538
34343063643436333961


@ -0,0 +1,104 @@
$ANSIBLE_VAULT;1.2;AES256;secrets
37656462363331336562376461666163316562343233326538323462313838386564643635616237
3335356462666331383533613132613765313838306566620a663364613031346462393165646364
65393236386661346331376230366237643962613136356538303830393236393439626538376263
3835353030343531640a393164633663363832373764366331396666663665313265613366373732
31616463373338353436363164346636343665653335376361386531323735383238393165313033
39303236643135303431633438396539303435313561326132343032623962613635643361363765
33356564303835653834653763653438633134633863666564383861343262303330313733313964
38653038623039303264303132373437393839666366326337323465633036656561393565613136
31313438343335303439303631633634316139303932656666333335336533313439636335623639
31393936386534343036653330666262623562623365656333616536343936343464656531306638
38306134303735383536663634396135656364363663343839383735383530323336376631666161
66373561613863613634353931336332646432313333366436643534613661393737363239353637
34663166636232636634353366326564393630616164306563623135376637386663333564636233
36663865323833386666363435316535376434313361343231326331353832336162313737343863
31653439346635333231346232626635366339613839323963353933663664663939643563353036
66323339633737646238353235636265396362373631396138653363393339633431333932386561
62383635303034613535616463326365613634653163313265623864326232663832373163383131
38653238656662343735353336356563303638663064366435663964353138383738373939396334
38313239646336626466393761333032356265623436326435346466343061313663616363386539
66373261313038653831623931643263633138633639396130363338656638373836326664386133
64333330613062626265666635393334633932393938383938323763386264626335313437343738
39303664373533623562316138373431333931663165373531313363303835366431383833646265
61623032656136666337363733633437316464333234326362643239393665386632356636636637
38383662306464643565386538633031333731303634373837373838313961626161363132393034
61653664623137666134343636636565333866333364306131373963343832376239353236316136
64373030306532626439303664386565656430633966323632353366386364383238306266333466
66366132363335303663626431666437383031633733343266633432303664326437353336336236
39663435623565373034646464396336613964666438373765613366336432373337343064633739
35633065326432316630636561363033383462656566363238356465623537373337373930663461
63346334373565613365373031333764633761643365643136343130303530636537336631333038
37626436396336393337633366633864316163376631333563336238613938323030356137383337
35373861396136656334353563663936323563333634383132386166333430336334626135396432
30656363616432303436663332656463616431313462303338366363663463356664633339303738
63643839346162313061303638616236666233323164386239303339646663316435633531313565
62326464323732383064333738363666333838666636623834616334643833306433353265383831
30336464326161653533363632346465303231323535326265626166383231346334636165363938
30643661303733393263383431613263363861643261663538663130653833343661373733373733
61386136356435306263353337623262646462323638613632366264623137643731616239646462
38343031373632396665393366643061363366396530333039346464396235373832336165393530
33313637633562653263336134653761366366353833626330303533303162393633666534653264
64656437653732346439346264313939613765633734616566323934663930653733393639616363
64353631376236303361643730393338383932393432316665653561363266356632646164326465
63636631353764356139333935633837663833656364386134303332633636663336306361373133
61386531396539333161313666313337333534616238646635323736393763623133393537656262
36343836373835303739303839663230666632303165346635383236666431633030356536373034
32633564633431346433656231383730373438356362633130643162613738626363666135336535
30386361613834316232623630383266376234613166386663323564626133636437656638313130
30353739383833656139346237323261666364396331633739653064613437393930333666653339
39333833316239303230326135303736646536643033316563343262333263656564613862356465
64616662313833373863353662663731313336363839336638643261626233323862343761633564
34653434386436356564343930313435313331313564353931396436366661363030353661323739
64666636343834326638373339366532336562633734316162636638373465663865363661356333
35343837343463336533376461613865346261386664313061643464643838333361303835333930
35343863333830383466363734306137633936323562656437663935633962336165333264316537
35643063393036333863646530366632373639343235666633396532393361656339346461666234
35656232373735363863376332636137636235366138383036323762633633353435353466373830
30316462376231313134353437626637343936633463326166653332613636353639303761306461
32656637353566303564323839396261613635363161353239633262366137386639306432613663
38636262663136626437653362663864323335303165653063336337353566306334336161666163
37356438363732376665356263646463303961393938326364336566396637323031613964343535
63656265626339373639306466666531636631383862316536303436343932303837383931663532
35303033363031363130393435386266306264646232383334623033336266393632643133333536
38353934616661346435323633643833653261333139663966656665303865333565316238633061
35616261306631316130343764656530663332396663303663373063653132643662323832383833
39393066336334666164646364326530643462653338383661386663653531666234383435636332
32653037666261333965323833633566616561326633356564323962663439313363626265363532
32343039373536326363656366346235373238333034616366366636663061373038626261663232
30623230396637626663653638353934373238353738363666656536636631326431656261383738
32636161613664613061326432346264343863346230646231333035663930656565306666653162
63373339323164343132363366666539326265616665346237393136623639643932333931306538
62666662353135356333313165323531313932363436623030643465306665363831656439303830
66643738616533303566353035633834343538393766633565333561633339313533323830623537
33313263383266353834303966303837383536343932393430323765316437383332313136356538
35393061393237393036623832646236643637663332623630373964326135396263373861666234
33343932363865643330643930333963666339303665393761646532376636653332373961313935
62316439636532366139366139616137663633366137636232363939653933663939616438356166
61616334313031363130303161386565333761383530353031383530623331303035313234656364
64353066333262663830623530653264383133643435353531636333626566393566613962313033
32613061353363626361323136613165326335373636643837306365613633303034383337303235
36666364313031663534333365383462346231393065313636326430666162316634306130636466
63343032303166666435343264383236373363656461343566343331616131346661363936663235
38303737636665363537653037336265656534333537393331323735343963656163346530643165
33656334383965353638333935316238376235366464316233326536633961633639323634383735
31633031333163633331383338376135316136656138633333386331343462346539616132343566
62303930333166663630633463316333383431366132383030613933303033306333336531343834
66323761383036653563393037646262383964363335326132366666383737356139373939653362
36373965396339623633373561366639356362636164386638306235353633333334666531326261
39633665646465376363613730343436323361626238613332303033333866653362363533653839
33326131633230366231326664613866353665363231323633663763616132616665336331333366
31313237343034663734643135386262386339366330363333393237653466353366653237633337
39633136623866306632643364366561643964666631626363643661323034333533316361343232
38383236633338336638376461363965326332643365336133343234356633653035656630333562
62353536326433633565323666653965336330636333373365616231656662636265373964313834
62623963303831383063613930333831316431353734646230353464656564323036313934303839
37366338343166623534636466333131653438303565356261613139623431653636313962346531
33653961333234383761623231646630643637623663343430653534663966333266623832303937
64626236323634376664303263316632653161323764616466363535303134646637326139383931
62666631333431653661366231376430373936633261383666366364613061653931313833373765
31316231613662663833343438386264303432313739623032613633643063613232643466303335
33393630656535626633626438643934316666613438313639656235643034643736306235643163
32396231343534623466623833623364323363623563383634396537386261356535343137373532
64313435336231336563613533383062313339373636346338383437633061616162333830376136
633731613464646231386261373935366161


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=repo_proxy


@ -0,0 +1,21 @@
{
auto_https off
}
http://repo.tobiasmanske.de {
@uncomressed {
path *.db
path *.files
path *.db.sig
path *.files.sig
}
uri @uncomressed replace db db.tar.xz
uri @uncomressed replace files files.tar.xz
uri /os/* replace /os/ /repo/
reverse_proxy /repo/* https://s3.tobiasmanske.de {
header_up Host s3.tobiasmanske.de
}
root * /var/www
file_server
}
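Review bot: `uri @uncomressed replace db db.tar.xz` and the `files` line below it replace every occurrence of the substring in the URI, not only the extension, so a request such as `/os/mydb/x86_64/mydb.db` (constructed example) is rewritten in its directory part too and is proxied to a different object than intended. Anchoring the rewrite to the end of the path avoids that, for example `uri @uncompressed path_regexp \.(db|files)(\.sig)?$ .$1.tar.xz$2`, provided the Caddy version behind `caddy:2` supports `uri path_regexp`. The matcher name is misspelled (`@uncomressed`); it works because the spelling is consistent, but `@uncompressed` would be easier to read.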


@ -0,0 +1,16 @@
---
version: "3.4"
services:
redirect:
image: caddy:2
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro,z
- ./www:/var/www:ro,Z
labels:
- "traefik.enable=true"
- "traefik.http.routers.repoproxy.rule=Host(`repo.tobiasmanske.de`)"
- "traefik.http.routers.repoproxy.entryPoints=websecure"
- "traefik.http.services.repoproxy.loadbalancer.server.port=80"
restart: always
...


@ -0,0 +1 @@
Hello World


@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=searxng


@ -0,0 +1,43 @@
---
version: '3.9'
services:
searxng:
image: searxng/searxng:latest # >.<
container_name: searxng
restart: always
networks:
- default
- backend
volumes:
- ./settings.yml:/etc/searxng/settings.yml:ro,z
- ./uwsgi.ini:/etc/searxng/uwsgi.ini:ro,z
- ./limiter.toml:/etc/searxng/limiter.toml:ro,z
labels:
- "traefik.enable=true"
- "traefik.http.routers.searxng.rule=Host(`search.tobiasmanske.de`)"
- "traefik.http.routers.searxng.entryPoints=websecure"
- "traefik.http.services.searxng.loadbalancer.server.port=8080"
- "traefik.http.middlewares.compression.compress=true"
- "traefik.http.routers.searxng.middlewares=compression"
redis:
container_name: redis
image: "redis:alpine"
restart: always
command: redis-server --save "" --appendonly "no"
networks:
- backend
tmpfs:
- /var/lib/redis
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
networks:
backend:
internal: true
...
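Review bot: The middleware declared by `traefik.http.middlewares.compression.compress=true` has a generic name, and middleware names from Docker labels share one namespace per provider, so another stack that declares `compression` with different options would conflict with this one. Naming it after the service, as the registry stack does with `registry-auth-headers`, avoids that: `traefik.http.middlewares.searxng-compress.compress=true` together with `traefik.http.routers.searxng.middlewares=searxng-compress`. The fixed `container_name: redis` carries the same collision risk if another stack on the host runs Redis.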


@ -0,0 +1,43 @@
[real_ip]
# Number of values to trust for X-Forwarded-For.
x_for = 1
# The prefix defines the number of leading bits in an address that are compared
# to determine whether or not an address is part of a (client) network.
ipv4_prefix = 32
ipv6_prefix = 48
[botdetection.ip_limit]
# To get unlimited access in a local network, by default link-lokal addresses
# (networks) are not monitored by the ip_limit
filter_link_local = false
# activate link_token method in the ip_limit method
link_token = false
[botdetection.ip_lists]
# In the limiter, the ip_lists method has priority over all other methods -> if
# an IP is in the pass_ip list, it has unrestricted access and it is also not
# checked if e.g. the "user agent" suggests a bot (e.g. curl).
block_ip = [
# '93.184.216.34', # IPv4 of example.org
# '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class
]
pass_ip = [
{% for host in groups['monitoring'] %}
'{{ hostvars[host].ansible_default_ipv4.address }}', # Monitoring
{% endfor %}
# '192.168.0.0/16', # IPv4 private network
# 'fe80::/10' # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local
]
# Activate passlist of (hardcoded) IPs from the SearXNG organization,
# e.g. `check.searx.space`.
pass_searxng_org = true
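Review bot: `pass_ip` exempts the monitoring hosts from every bot-detection check, and the address it is compared with is taken from the forwarded headers under `x_for = 1`, so the exemption is only as trustworthy as the guarantee that each request passes exactly one proxy. The `searxng` container is also attached to the `default` network in the compose file, so the assumption deserves a comment above `[real_ip]`, e.g. `# x_for = 1: Traefik is the only hop; pass_ip is matched against the forwarded address`. The template also reads `hostvars[host].ansible_default_ipv4.address`, which is undefined unless facts for the `monitoring` hosts were gathered or cached before this file is rendered, and it passes IPv4 addresses only.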
