Use ipv4 for wireguard >.>

Manual fixes have been applied to all access keys.
Also minio has merged a patch, but that is not live yet.
Time to deploy an up-to-date version and pray.

This reverts commit 39aca2778d.

.drone.yml

@@ -0,0 +1,69 @@
+---
+kind: pipeline
+type: docker
+name: Ansible-Playbook
+
+trigger:
+  branch:
+    - main
+  event:
+    include:
+      - push
+      - custom
+
+environment:
+  ANSIBLE_FORCE_COLOR: true
+  ANSIBLE_HOME: /drone/src/.ansible
+  SUMMON_PROVIDER: /drone/src/summon-wrapper
+  PASSAGE_DIR: /drone/src/.passage/store
+  PASSAGE_IDENTITIES_FILE: /drone/src/ssh_key
+
+node:
+  ansible: "true"
+
+steps:
+  - name: Prepare Secrets
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    environment:
+      SSH_KEY:
+        from_secret: ssh_key
+      GIT_SSH_COMMAND: ssh -i /drone/src/ssh_key -o StrictHostKeyChecking=no
+    commands:
+      - echo $${SSH_KEY} | base64 -d > /drone/src/ssh_key
+      - chmod 600 /drone/src/ssh_key
+      - git clone ssh://git@git.tobiasmanske.de:7779/tobias/infrastructure-vault.git $${PASSAGE_DIR}
+  - name: Prepare Runner
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    commands:
+      - cd ansible
+      - mkdir $ANSIBLE_HOME
+      - ansible-galaxy install -r requirements.yaml
+      - summon ansible-playbook --inventory=inventory.yaml runner-pre.yaml
+  - name: Run Terraform
+    image: registry.tobiasmanske.de/terraform-runner:latest
+    pull: always
+    commands:
+      - cd tf-stage-1
+      - summon terraform init -input=false
+      - summon terraform apply -auto-approve -input=false
+  - name: Run Ansible
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    commands:
+      - cd ansible
+      - summon ansible-playbook --inventory=inventory.yaml playbook.yaml
+  - name: Validate Ansible
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    environment:
+      ANSIBLE_VAULT_PASSWORD_FILE: "/drone/src/vault_pass"
+      ANSIBLE_FORCE_COLOR: "true"
+    commands:
+      - cd ansible
+      - ansible-galaxy install -r requirements.yaml
+      - summon ansible-playbook --check --inventory=inventory.yaml playbook.yaml
+
+image_pull_secrets:
+  - registry

.gitea/issue_template/new_device.md

@@ -0,0 +1,18 @@
+---
+
+name: "New Machine Onboarding"
+about: "✅ Checklist for onboarding a new machine"
+title: "Machine: Onboard <hostname>"
+ref: "main"
+labels:
+- onboarding
+
+---
+
+- [ ] Add hostname entries to dns in `tf-stage-1`
+- [ ] Add host to ansible inventory
+- [ ] Add machine ssh-key to Backup Storagebox
+- [ ] `touch /etc/setup_complete` if no restore is needed
+- [ ] Update known_hosts `summon ansible-playbook regenerate-known-hosts.yaml`
+- [ ] Generate new ansible ssh key `summon ansible-playbook --inventory=inventory.yaml tasks/create_ssh_keys.yaml`
+- [ ] Run `summon ansible-playbook --tags setup playbook.yaml`

.gitignore

@@ -0,0 +1,44 @@
+# Created by https://www.toptal.com/developers/gitignore/api/terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.terraform.lock.hcl
+
+# End of https://www.toptal.com/developers/gitignore/api/terraform
+
+.envrc

ansible/.gitignore

@@ -126,3 +126,7 @@ backups/*
 render/
 borgbackup
 borgbackup.pub
+roles/*
+
+ENV/
+.envrc

ansible/ansible.cfg

@@ -0,0 +1,11 @@
+[defaults]
+roles_path=roles
+template_dir=templates
+
+[vault]
+username=ansible
+keyname=secrets
+
+[ssh_connection]
+pipelining = True
+ssh_args = -o ControlMaster=auto -o ControlPersist=1200

ansible/group_vars/all/kuma.yaml

@@ -0,0 +1,2 @@
+---
+heartbeat_timer_interval: 300

ansible/group_vars/all/main.yaml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+30633036313361316363313630616632333931633635326666663935633061346237353362316132
+6364663462646639613862393263616661613838303962660a623233386637653363636531383535
+37623664636362666136643765633166373030663864613134313862373131646539313533303532
+3563666465396463330a613632643431316563383331373932366334386564646335393433366663
+36616239373630336430393065316433343536663062383563646235646365376539326636626230
+30643033656134613966643163323730353239666264343630613830393630653333643961363765
+37396462323539303736333734373332646633633463636162626634656632346165363134643234
+38316632323366303166663964663639616638643538626363633564626133366634323439393163
+33646462643035613963646131373339333863636231356163356630383133633839373561643835
+6264383563386437656563316539393139313137306164343631

ansible/group_vars/all/networks.yaml

@@ -0,0 +1,3 @@
+docker:
+  internal_networks:
+    - metrics

ansible/group_vars/all/vault.yaml

@@ -0,0 +1,38 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+34613833383438313433616164313331333135316336323234613833393833376439373634383635
+3739393762373132336237376138313430316534393035660a393135343164356163636435646234
+32623662323363636563313532393337376435343562386463663835616161366566643038633430
+3835363732363263340a613531393234346461623263646533326465643862373564316666613032
+66373136373463303665613334356363376264613536383463323435333036323466303138653136
+37633335666664343463336239393137386136306239303536306364616237353937316338396433
+30303035626231623361363336663364313463376335373237366465353066343334623233323537
+61626263306262373265363165393538393735343933356535666161653762626337656634623235
+64373038396530643931383536653066303666313236366163373031303561366331623635666535
+62326664343536386566366565633034373762613464326233643633393761336464333532303735
+30373037316361633038373934626337616439343636623832616261383734656635323731646537
+64303137663532306238306636353635336136653361663038333664356132306162393136326432
+31633464376666333263306433366233346163303338646139663238616464633238306535623435
+62666164343536643536636366376666303463313339363137343866643430386337323263363833
+34356561303437633538323638303130653433313263356131343937653063643161623766646161
+66363663643162306237626233613762323737663661393236343534613464393335326133613764
+35396438323235373161396537356532383462643463396437363064316665376138633631333339
+38326261306338636339316538316663383066313338633335666337303838653536663631323266
+65666565316664323636346636316331356533306132386663623833373638393638316361613366
+38643335613136326534343261333963353934306361313062666534356339323462386465616137
+31343566303164656463373661383031643833613263663131373834383632666536666231313836
+36386665353338346564306535396434656134623032303838646637373632376531633031623632
+35303336616135333930376633303432373862646437643162623364366261363035333831643265
+65373636373131633034336263376438366134616436643863383130333761343731353461363533
+39313831626134636261393766396130366536363463336333656633376533356463373966636431
+30356463363732323636396365376638643435636464383837353762373665343437663666393130
+36633434366238336133313536313138353434636432633562333538633830653163383633383630
+61633461356234633831336234303436633330646130663431336431356636656162346238393931
+33316432623037653964623935333736623262666430646363346239353863636634363061353939
+37393166653634353535663630356362383963656162356539383532656163333664623162363032
+63336463616133363165656337613137636534323133316334316166353964343162666235386136
+38656234623136653935393461336235323961643336306539303037363061366637653564303431
+61356566336230663931613331386333656236323761666462393635366333623835643134343966
+34306166383838393736373634393536633631333234373731643737653837663230306130333536
+39643837383339633533313761656637393830613633613036373332306632396237326634656666
+61383364336438353637323638376134656663333331666562666335633535663363643731323438
+3864

ansible/host_vars/filehost.unruhig.eu/main.yml

@@ -0,0 +1,7 @@
+known_hosts:
+  - filehost.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXlm4q3UBK2ChZCujrc9nv45tnntj6E+80UOOzZ6EEFWeUkJ0R+o4z4bnLsWBfFxfwgMDUvFCUCuS7R7xo2pE6vlRhPeD6eTitqNmRMfgmMZLJCdWD5eechg2FNSIht+wB61KEwMBuARXX45nmvIknWiRBK0qAGMLgy46hAx60hf/2uzSuyF6cxQdRqH7TNKZ/06aC7fCo9MCvHbiWvOSKbRx+jYSw8L27DW8WbPTqTGhywidij3nQEjwCFof/IN/hdp7NLpF/8qAoxW9iLWHh7ghESSwHxDF+QC1NjyA1g9QvyX+4p/hzR71wvQ2OVT/R9qx45jJiEi4dVQtsPGbcMzY9gQNbzyzl898cvnp2OuS50kGxuJZaJLMOj2UClbpW+lTrrkKvBZKkAF85v+C6Xcx/waY01eH0PaDBpoo40Y+vS9nWLmnKcvz5iDC6DVL8gUyDxuQj6/qMQuVsr5GL7GnvqIF/jjz6rNqES5Lr88c18ZyWeaupAHNnSgxaGV8=
+  - filehost.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNxa8vbJ70oM2PlEKegPu3/SUO7oXz2lM6PvR74Ad+RYjjAQZr/j3WMpeDn15ugexlYmYoHgxgeT0xA6E/ZAM/0=
+  - filehost.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvXX75sXWRgslMW/Ufq0t0OJQnTFiWPL4yBUBdGIU9k
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpGyOWzNNTW7e8PBZCRZ8q4JygBKKtOMWng09b3mnNo9GPvb+V7RhnMf0rnGbwp9q89QFjYbZ8ZKqCoBpgtlT4= backup.unruhig.eu_22

ansible/host_vars/filehost.unruhig.eu/vault.yaml

@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+36336235613033366466623936373035353462656137303937626535653237646633663035363435
+3935323464336235353134623634343539383930653066370a623435326437643362386638623735
+64393933303561303833326364613736643632376464383632613964313265356565636237653432
+6338326433623539310a393261376134626164316230386533333766336130326236333562636665
+65663865653663623838656237376262626139643733356461383539383164653338613636383935
+39366133623933366631643938643832373264613031393430623132386166643836616362613333
+39326666356434343263383934613238663635613234323264363930396136356461386365666538
+38376564386339623462646138646461633732313866306365303463356330316535383137666230
+31313132663030626562313437623735376338333061306438343761396637613535373633386536
+37303535386566303564343938333037356363383561656462393239323736643331646536626633
+34663534653165663930663939363936323630643065306462353261616535666338353962643930
+30353439653331613165333137626636363064366164626136643234353030336139336535333132
+36373934343431363665643631373336396433383732326539663336366234613364363663323238
+34333530366634613933363530373935383831653864633462336465366136613730643932303935
+35363935343233383733623233316332653061666262633435346532326365326462366366333966
+33366364343330313238

ansible/host_vars/host.nc.chaoswg.org/main.yaml

@@ -0,0 +1,4 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHrm5yQLJMKOScBDc8ek0nfinzYSvQdN22kSEKRN9/UUlcSDmqFUHpQNtvysCZr4l9WRKxTYDhy3rY8HaMSQaGY= host.nc.chaoswg.org_22
+

ansible/host_vars/host.nc.chaoswg.org/vault.yaml

@@ -0,0 +1,418 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+35363566626539663638343063313962633435333461363562623237663535353331613334343161
+6264363235383562363262356139323936326336616438310a383137366164613339376137366265
+32623464313765626636666134333665396661383432653533646665646562623135346136373864
+6536323039383238630a353566643435326166346265316530383036653064626364643739306233
+35633831653039363039333964663534643061653130663634616231613639653736313363306330
+36306136653532393838306531333866656536646136663565316630373963643366666462303933
+61316435336233383435366664303331396164363239326432616662343336303736366361353963
+34363532373831353365373539363630353735333233633238313532333266313335643938643638
+64386231356437646630386133323730656238303364653366653138373337383036613333343630
+34346330303163386230343033303238303334343461333039616335303035306238623463646635
+63663565393666633162633238646166633561363265336162346437363661343431323734343932
+32653338663061653265626332366338383065613736306561306462316435303234363264656534
+64643864306335313531633235363366346232313437353162663364323365383263336235353666
+62386232653831633765346633393332376538643239306164336534656332366234393538386564
+35313930353362336165613335643465656138626430393464313765313534303634633739656232
+66643535663336613865373339663664343166633534326434306162366635386366663230373464
+62303937393435633237373239666231643930626432663361346166356533366530303234373561
+61636132316362633136353062663231663738313265376532643631633162613264333963623235
+61393661623232396463326666653231363030656565336565346334336138633165323064343564
+35303831303262343831363466646265376231616237666266393537356365383466303662336336
+38323633376261633431386662646664386161613463343962313134303537306439396363373230
+34613935383165643163386135383830653562303264626331326136316464383938626532623730
+30363562633335343735623230633132303162323264323932663831396431333830353137396132
+30333736343639366335393763623739393233343065646237396630643634663066383866323737
+61613836363461633833363562323335623132353035343539613630356334396463386137663739
+35653065613031653766326235666334303965306434363330366262353539326365336131666362
+33313164653838303565346335643136323734633231343131623534653633653261353063633862
+63353139383562643731343462396635326537666636303337313038313862373639643036623333
+62323439633438613961396631363332353761653563313037326132303634633036633136346238
+64653566663936616236383534363966313133396237376130656332396562656564353032326331
+36336238366636336237663737373637306132643462336337383034383533666362333636663737
+38323262346334326339353937386164656332366264313832326463616235343535393631643530
+38373332613561656562383263386662316439363362343763663139623161353163383035373339
+66383730306231323334646666623432643032343531363862353762636265373232333431306134
+62623334646438383337323762623338383537343733616666376238333239393364303764656561
+31366632663535623936646161363063316263643835346336376538383734383733613762336466
+34643132333432393432376235396666663934376566396338396164636533316434346135626163
+39316565393139356439323538383164323835343633646637386137653931396238356666313535
+34396365616235313533313730366463323235326134313837363465363237333934663934393130
+39303163383862646633623236303361393537666239396230323164356139646262396536303437
+37336237333265626163626635303331653365613735373364633961616130616537376330353566
+62383437383465336338326130653163323465616232613331316566623130646466363163373031
+63333261343264333338616633613663316661393831383338386237633839613765653630386638
+33623665663739666634316238353735363231336165376438383966613661323132306562396464
+32363131306137303536326131643434326535656631613735323736653533373839666134336463
+31663939613236326564303939653431653931663134643436333962636331363064643939333239
+37353539396563333266396233306231336630363534343034306134336533313035326636363264
+39346361356366383037383765336636633531616538363639383232636536313561666333373863
+35356633656638383430303364663962306230386163623261656131366438376131613930326533
+38383231646162333937393832323231356461616237656534306266353263333561323566363933
+36663063316436326566646233643762396332383366383565633438383663643832626533666235
+30346532613833333761613437386564393635656537313166643865636437333436393337663335
+38643065386632626163376565626164653235633337323364633837613665393866653230313734
+64636563333137636436616464323839633133363137303734386261323034313437373238653535
+37373361663765333434316565626532383338303736626239366535616635313639663834653931
+33356139616265613262343730346664363034646133653333366666343333373339346663353262
+39626532386232393533376232613964316636316237616363303632386538363038643033373361
+65323339343333663863323262353336643934353438363965343665633432323832666139653430
+38383334653031343063393463643834663064343265626566373662393163363330383237663333
+39393236643638396633383439306365623639646130666337353765656337643832616363313432
+63343066333863663734363866363965376536396530633966316535643237653363383965363339
+61646263386661343733616637363164323038646538653136666232386363653735343539323434
+66613263646332386264323431326462303862303561393831666363333037393232343761306662
+64303837393363353538303564353465333330306432643934313233336131653931343538623763
+33303163663530386136323632376238303232343238396666353663383261616337383033336138
+62303233393261396339383462376336623866643664636233313138313964376266343535346666
+62323765343663623264326234366431616633316139386234623963393166303936343732326166
+35623661656461306236323231666138316161613534343863633039653837623935333063353738
+66373834343233336463373832653836326565333731363133356333363636653261313731393732
+64613730626464313736376133333465323464363536643736353063633966363536653437656533
+64333464643339343637343634386630623961373565306630373038633866343365323833623962
+65666330633539323739373636623238346237643732663736623330353038303830396666656261
+30356531376235643661393566333033653238633639353935643535313134316562343536336639
+38303463383037303431383764323238323463646430366233323433363535336234616566363531
+32306636353136326335643865393462663465633634356437663865383765396135383038656234
+66336336353864373231353032313236323034633534376362323461636263363436313430323133
+66613564636137306266376566633930353036623161613530313563336432373038343265313733
+32656332373733326636333936383235353535363636653335313766663536613162303564613437
+34663366373636636465623562633339376334306232656630643635376136396131616533303466
+39353531326536393663306338306630336534623935666564333730393330373330653532313230
+38393230333964623763316266353932316535376633666237373339653433303762653835336439
+36316563366638396437343964663433623531343061313439363630623933636538323034643832
+65643632623332393733383166313563636266356233383639323830303661363161333261383630
+65353237376139653839323438343965313735353436336561623065646466343139656339373163
+66303064383062323266623634386263653765353166633261353666323430346330363739613038
+64303837393533663633623837356438636166646435343035396633366238663661336565643065
+65353230323731623534316364313464616335663266663263326266373162623561383530653963
+64313664333839363565303030316666333365333335373339313032303462653531386136643966
+32373537373763363361316435626463393433333563633735353562356435353937303364396136
+30383339613238306237646566383232373432613336653762303934666231626432613933653966
+31396436356166653261663330633036633963613433373436383433666632663231643935396262
+65633266613261626234393934333837613033366338383839623231663366373231306337373336
+65373132663964613334376332316466363032383536623239386164313532656530663266346162
+35333063373137363536663761616133646162353139313364386235323537393462373562613962
+38353630653436633030616664633462393039363665623362616663356234336266306261343230
+62323864376334376161346437376536653532346265633066306536346439373834656465626661
+32393837363161386435636538666265616365333366363834366634333239376463623736643163
+36346135643937386566356362336566313165383630353634353133623137663332393261356462
+65613564666666343163386663613262653161633165376165366465373532383736333165396662
+33376133343332353839313139323363383134636331386239656661366536653434316362346235
+36666439333661303266333934363332383235366165613561333239343233363065313538363334
+36633530666230376532626466656432383436636636383035663838366331363362336139646664
+33346230383939306161396263346661333165333866353635633233323934313435386563363363
+31343765656336626335303636346366613265366138623331663735383739396338313337306538
+36656337663033623330646538303436623466313233343330303262376433333833653865363634
+39376438613531343332316466633465613439646631323061383230633564316331346137376665
+61663962343134386438376137393031656563303634336566303635356238383936366133656361
+39323834316432303232323833623738356462313537623739333539393331303463303336613235
+33366132343435333832323864343137663361353839633239623738316261333366663630646134
+61376431376637356664376465663136666461393934333161343461373634356532326165396430
+30393933383063373963366562616439656535353565396635656432613163306239323036383263
+31363237393730323466386238646165326530643131636436303262363432656135633633656435
+36323861393531336534373364326262366465656433633163323233616230333263393835643230
+63313039353566663463393334653939383937633539306435666636616339376164653737336531
+62303430633532323266336633656437666163653561343566396565393533656637373064333833
+36666430663862353837623662333236313463313937323732366535383664393261363765343837
+33373037313531343337646134356466393964623935386430356239336565316166363730616532
+36666631353439656138393162303764323737633966333665653634353433373434653439353865
+36323536363431303361646363646463643336316530643961343034643230653635613133316437
+34333036373039633937656562623631656363376661623536623438373839663066663730623933
+62356132373637333534636532616337383931626431366539383466396562303733363537356331
+38393765653638306537363264336233363134663462396530643262643965333432626437366633
+38333135653464643832323263323139663063333433356465383039386561616661666338646131
+35653730393030326431653432313135393132313061613664323433373331623265303230353163
+31616630623936643732316135333838343131636565393234663033613163316138336436393262
+63333963393537626230376562383237633736333337643063383632343236343633313336336338
+37343638666534616164323638646539393166373736363566323161393463326233383832643266
+39336639386230373166386638613935656163336538663030313738353735346262653437643762
+63306166386662356265326637306139373532343666343239373130643537396438613465663466
+36303435393033326563626665646665303831633266313364643534303366366266366439356166
+63333262643637643165343632663666663739306230346336346364376161323461633163383865
+62613036643063383237616433383830383932623931633337373436636461373362333962343432
+38333236306330323566386661373961656338663561303833383136653363363737303966393937
+30396138633363613964343832653830653066373334303836346535643633663334323738333535
+66396234613530666431353963633638373238303037613566383562376665663138623263643161
+37363235366332663038323638623262336331653066343635366162613037323061393865366466
+38353466356366373362366630373535323733333930343061363363623439373063363261613237
+62326531353736303432313136353732396336383436623861346134666132393265346632613361
+36346361356332363966356465373962636435323939386661643934343466313430386162373132
+32646336336662626338323334633462653861336262316633663731646365636266613664366165
+64333233633534303434326638373866353661633330623261363366343363666562376331633735
+39333464653031623865316436616366653263333938306335373062306563353138366663376564
+37653161376332373234313761333261623665306436386362386566393566306537663934663465
+32636634373966313536623430343335386666396536383838643931366664616435313266373338
+32666134663132336466356463643938393137626439323863653135646430303265393462313066
+34613430653135646330316535316439626331326662616237616539343262666431396335616665
+30393039326661633737303734383538663261616462636437653464663333663235383761323831
+30623435636662316662643537613632343138343435386161613866383031646261303635343431
+38366265356338626431346230306635303837303833613365643638356363303533363837323462
+32333232313130376132303235636432356432343339653635396530653236343636373261343661
+39383239313137333065366137636137363930313932623030616336363463616464663833613534
+63626165316433303333376566633463646464633063396637663631323038386461303962633465
+30353230663132653035663837383832646239646539636361326165336131303631396539363935
+38356130646463633238613734626261323032333264383631656465313361366663643636623238
+37623038303739626235613365316162613065356538366531366662636132383265343764373661
+63356137623365343337643937663933373164613866353765626364316338376136316439636461
+39346132383165356638383638663938346363636364626566373962396562386539393762316131
+39376264323463343238363432316163643935333430386333313633353434613561313736386337
+66643532376465356462323032383237353562386162613465656234383938336439393763646133
+36613766333032306464646431656566363464356161383162383639333139666237363163393033
+31313265653766323563393937653862323639386639316465396334386163656663616464336431
+62393830626632326663626461663530373163623430316332306138363433613463666462373162
+32323066346365653162636430303937333865376166626434633165643633373237383264316164
+62653931636630626635323434346336616530356333303735646232353461653539666361343439
+39346564353761326163386466356461616439333061623034373831653534636466323438313662
+35633239376232643830633139316531386164333034353266633232613136333364643033313264
+38653935626530313238626462643462666164303861613266663166373539303432396337393934
+31646232643538636432613763383335393739623832336633663733613938303461306234356566
+65356438343865643166356464636333633634366430316664323430646431363532656561366431
+30663531373638343936393164393137303335356661663835336638376666353039396565353164
+30613462636663316138393363353631393362613638626535663435666330626161383464666533
+64633335656237353239363633653530653862393837636366353731653033363365643039633463
+61376431626461616664313737353538396562326566626461623930373861303161353434626634
+30623631363132636566353437343964376535663461326662303330626562313738636163613131
+37303731633966386434363736356634663165313163346335356362643336616435363261653937
+65626536396533386262386563626366393930376437306333663165643034623461633936663264
+37386365303730613965326138646132356234636661343765383030396561333965656162616566
+63343637353265376631663266313766353135326465663561323761336663623538306265366564
+38616563313636383630376638323239303666306238353861363863626134626434383864376265
+36383832333031376665366232393338343838656562303866616664616362613765393234383130
+62333065396639646239313832323365643935653235333935383464643736356162336332633363
+34333330373833326432373665633634616532396434653630306163623762396338386162353931
+39636531363833616234636565313132353164353930653465363831363634313135363430613035
+39613438633665366264366265316538613239353036346231643234323837623335373432373730
+62373061633361323362373233626564333135303436646363396661323130336565373630653732
+37363730663737346234316530383532326537616131643234383030623366326336333733663062
+35366630386233366333656463643531373937316463383462626662633963396662633338363166
+65616438326132336438356666633938626365616361636465636433623664363933656337346161
+38316462366536353966326637323663343533393061323463303231396664333061343064363964
+37626336323863343761636561383333636162343935613832613662653865343061393033373039
+62613064613135323637396633303964356136396535333638383165653532656363656362663034
+38373139626365396165336562383363656431393336653130613531633032623036653365393037
+64343532343537353866636430343162643562373438636666663234306437666266323763336230
+38396565373161393832366630343063323637656433336431616532333161336562353138653764
+66333433303539373831656632643166663136613263356266363037383737643836663565386634
+30326334396632353131633533386461656166633066636235663566313035333337373961383161
+34346331363738653265313763383137643363633361313963353961353333373837366235663666
+37663163363833666461613562323039343361343163323131303365663634353536356365333264
+32626162316665373436313632386636656439653562353238386436363830313731383337306464
+35303135636335643764666465373637323034336566343431303030663565326162326231383464
+66303330316266336662656234303234393136366665656130656131386139336139313630386432
+38666364613837386565663733626363313665663865623165313834666466636261646236333732
+38303366646537613663363362663461653363306130353862363732666363323261356662653763
+36333938653763636561646464656566336335343465666562323066646330343037363563343434
+63643032613932383637323036653864656166336630666430623835353332653731393662653136
+34333339346636636537643765353235373737643636386663383362326561343831643661343439
+37633364396166303533386235323234653737313430666435343039366235393537663033656634
+34346533323562336264323436626435623637383161313737646561376161633439323661343662
+37613238666464333563363230643631323666323330643235623330383462373265373933633531
+61643634333133376539313166623762626139303865653665333330353765363934613038363530
+38626665383732303336326237353365633164373238633732663933636662646531383435366238
+63613538323539336362653835363939393037353066303330323365613135396630623132313433
+63653161353035383335666436613463636133366433366666313732633965396236323533313963
+33626633336163373436613034663333663762386263373438303662333031316138333861333132
+65623239313634333035613833363263623834303639343538663262313232623263353165303963
+61303137656465643234616234313734313663303537306265323265656634653136343537313433
+64396566353363636434393938333566323238336562646632383137343638386564626663663733
+63383765353965666633383934373135303134366661633164616337343639613261646661353461
+63393933353238623961633230366538343233333632383834363237636261333764626531356265
+38646335646234386532653038646438346437656637333739373137363861626462306461393239
+63336532393638363061663337373463336539363730636332643838623133653931643433373136
+31343335373662663865393863633433356163663139616563393365656662336161363938623265
+66393731663234356665353636336465353464383066353663633736326464353034616366666265
+33643530383133313436326166323138613866356361386632373862313632323735313733346231
+39393831346463373534363565613361363661633666666631633731373935316561613030373130
+31333539386361336661393537663066383962663139376266376433393762316161313661656332
+30366265343435323132356233306231393265656464333237616534623331363335623132343366
+66633463643830666536633738363036343932393036383162303261356139356633343363623739
+36383330323962313937666131636364306461653763626433363831633562316335306630626236
+34346536383037663835373761346139666336656465366362633138333631326331313830656563
+31653765636239343561653137323032303634623362633564636262383665663436666234396436
+62633765643637363434316536326338663463346661343762356233613163633631663038323033
+63636665363766663163326663316331613232636238623330643234636239313035656565366132
+63323434616537383633653763316237643032363038316533313766343530653335383935656134
+36343033316136653738376233393834383561356462393765636639353333346465373539393462
+36393638656130653037353765336332633030373536653135663138393463626335366562346366
+37663737396237656232643630393566366365613839663830386631323664393138316234366262
+64623337396636323163303638636635643061353530633764343831623536643163316230386338
+31373831633232326336663763633165653265646239343838343838396535396631323535376163
+35653262366432363363653966343665383139356435633462346263323966316235646639303336
+36643039343035393965386661393761353335373434373931636365386430363764306339393436
+64356636653934313135643865393737393238623730626533323266373039316535613538383165
+64373337633362366231333932373633656231363331333335383564373337303864336431393938
+63613637666664363735393365353663383862376531373433353237613861323339343465376331
+36383038623134623835396532356537323063353934656435633631646138643633626232386433
+34316538616238643735323864623934363732336238623965316535353934383430323036333235
+34373938326534626535336433383066656335323430613735346365643130383932323333343931
+66306233346366303664303266373735353264636433356564663935623563666663366135306535
+39313361303365643764613064303063333436626561636432636333666638353161313734643865
+33343734323064363634633430343339643262326565323133376635323463346135313861333232
+39623935316136616239353264353663343431306239646161633439633839336239393430363438
+36376335333633343838353763363635636136643037396539613638623938303164623634336537
+34323630333635303937313334356633333636626265306636646437663664663936636437373030
+34393731333335303663393135393861386130646234333061613034656233323032326530353730
+33656366326666343230663561663033326337616330376636633963346533613839376439366664
+63356232663866616362323065323364373663386462396530663537366332636634316434613765
+61393865613965386331643339663735316165303761336232393837393034303361643466653237
+31343334663133363562353135306334616236353961326335663766366162346565393262353031
+62346565313935376239613865376431356432303437623038656234623836633463333331376366
+31326235396166313031646164363231653662636463613164396266326239303435613463396361
+63653639316538653662336236393432313531316663333633386262636562356531336338326466
+62303737313765356566666433666464663065646338393930656439393163646532666331393239
+37666263353534623465346463376439653665393530326539663331626134333637313461633365
+38643035373665363032613830343630663765653037656534656131613333393763363736336630
+63383163643765343735663934613230636363616535353761663861323230343564623434316132
+35373063626365646332386535376466643932663336633062326136666565306330353031316463
+30343030333664636635303638343864636333373662313330373138326330663135343538373932
+31613364663130353263353465643264613534633061623363376361623336313463306662373132
+33313561663637373139366233613738373336303533343530396238633832363538323530313435
+37623162636362313366353563346334663764373137613638613036653531333733323932663532
+33356630353666636138303461616434396139623838316130396138653638303334613962366334
+37386563393461326436356638303462376536343464383338313234626531613962663731333562
+65393266656565666139313465393836313037356338376161313337616663623232366163633134
+66356662313065326364313130356331393233653336383936373530626465616237656332323833
+66303331346538373063373132393639313765353766366464393037323333663830316134356435
+33616538343764633861303531646161343734343939356166623337363331333032323133346332
+32356236326634343931633536393865313633353735343434623262396331393162373733353630
+30663365356631396436623833613537643830643363373533313832636266613435636166316264
+38393464323263333339363338383233353061303239393263663262646531363535313562363831
+63323633636430623337656335356635613339353534303663363066643332633637626538356662
+64646561366531343836353662353365323363353132646531616430363937396333646139313564
+32306362636665336337613063626166336336643536383935323436326534343161303664613661
+37376262393465343631653639663339613238366136393437346230306539663231346633333836
+36633361346132336230353239353337613863333837343836336539656330383263323037666364
+39643133626139383632383433386133613563643633356665663032343161333361633034356236
+64333031663130656633363436393136343539376239383834633330646433336633636239393166
+36346563623038616539373330363461323865666365383936313333333932326632393665376565
+66353433373666353533636563343633316563333163333537316638376463656366623831616436
+65303135663364383237363632663562373563393735643631353336316632373231326431343637
+65346535303563656666353066306330396134343535663966303965343232316339393933363731
+36356235633864393032393138643538313835323730306462333564666166663335636463333766
+63643439393962373063316531326631346564643132373937666335363166353435366339623438
+39353464346538646436306665653538636265616533356163366631623162386531643265366266
+66383239373836336664376431393765383462623334386634656338393330383264383037643032
+34396661353834346133306430333163623636363736663131303664373033353161336138363637
+31313663373534613531376231373737323739343435393530373966303232646364323831646461
+35656635636364313231343231396262373530653831663737333036313634366262303338323165
+36633233396161653339383162633036663735653439323138306666376135653162336339636438
+31636236303537346137376266366532613338653038653861356139323335653866303966316634
+31383538633930303939623535373131623631373266613762313438323437336666343564653164
+66643430303762646563386363356636366439396261326637306137653531333730373030646434
+66383931643961613136613739343066333035623731363632306338393939626562336633363332
+35613261303530653964363032653837323536373137656665646365626635636437653266316433
+33336539303761306635383363373733613463643436353730313563373765363261366263366634
+30376237653865366366396266306566383063356566653963646362646339626238313834353733
+66323439373862353964393633316264633635323039393631333237356261393062633161646663
+63343763373836613036396666376262363165636337646337313032373437333561303933616566
+63393631343130396261633231643330396335373963646563393964376439336362306634636563
+38313864363361303533313738633139643663363166633632376638326535356264363832386436
+66326366636434343530646137346235373636323330633032326137653364643634366239626664
+61323130613966343966623564346464643066613933626565323036653861306538303733313664
+34616339663364383735656639303562303536616334346362613739626132336635326364373935
+66386335646438623533383538636435356231616534643930646461616261306265343563633262
+37396436373830303638623032623863393731336566356165326430626461343231343538656338
+66613530386165343033346163353863326333393333356564386636396232623961363037333937
+30386666656235373664313665633530366434366466323735336630383438343331393763656434
+66653133356465353939366538316662326262333863373233396135323464363763313735623665
+37356237636365396266653766326535396162653165326362363134316263313462323933313763
+35333933313331613938323130623965633932346134356262313930333563656136316336653438
+39393766353338323035306534646539613039333764636437613534623265333832333231366366
+61396130623231666632623363626430666636373234303030396439333665343165313032636135
+36336338323438313134333965306662333363613734336337393661626632343239333364666534
+33313366633036386563306538633762643866633739393535663630303663343038666666383666
+61376139393065316166613032343063643037323363646165343663646635343736366164616537
+36613336663461316531653136633639363832376464666563323264663664383763366635316431
+39393736306163323830643163613762373134303664653765356532663637383834386535336231
+30353532346239333433386537396462626634306639643863613365636433626561656539353662
+64366333633938643464636231313130303035393439366638386139373537386433373334306636
+34613838623732346266333463346161666631336366656532386463333539346137613463386330
+39363662333466396563623162313837346563623166343865373734666137386664376633306439
+38386363313931393366633937356133323430653138323238663236363235643831653835363966
+37326264363361653837323665646436316464333563383538393661626665356261666631383733
+32356362323137636362323131316634653733356333316336353063636463373139613338353237
+32346466343232366338616561643163613337356238326237663866396561303335656538366561
+61346166323962353435656265613038656131303539346132646139386339653437346461616663
+61643634646434343131656139336532653433316333626661613161613762336438343861383331
+65353238626436343636663666636333396463636538303664393137643033363461373363383738
+32613434333239376439323666626363613937373739393130363166353664363436386435323661
+37363438353966653833326132646565613734336234396662663566396561366334376231353830
+65393465393539333162383332663230323437323930623762636239383431333433353862303335
+64633463663239363230386438393965663636333735626532373031393637626665363265653962
+38633231613037306130336162343939616266623430343536663038656238356435643230356563
+34346631376464326264663764356363626431313961303230396432653332303863393761386164
+33396237643461346437653432376135646562613139636530386132396537343235383634666135
+65383565643739666536373737616133313163393362393762656635663334373532623965393835
+65396233346237343832336665366465643834333837373834313963333332323734323130666463
+61663437633836353664626336363639656362343533343538613031373032343762636435303632
+37373435623633376262643336316431613830393266393363343332636439393938333433633362
+61323133633539636630656631613336393136306661363738346339633534613837303735396138
+33346137356134303362343863643264323565306561326438336235616432363232373235653565
+30316262653765363534336131656262376365663738643631346630353164646438363935616563
+33316338643238653265376363656533383262613061343965373862366439646534383866663331
+65376435366539396439653632316361636335323661306262386232353733373762663633396638
+64333661393438663938613631343565333437623963313032346134393738653434383561643066
+39663331613864656434626166366530363534353037623134333930383930383630626664346634
+64623034623335343061646239363163396461306331653539393163393537623233393230636439
+34643936303764393564363263373934363866343062623733313435643761303465393232613266
+33316561386238306334303565333435303539353230636563343162333661353464386632666635
+32616631306334633736346166623437646430383761346638616635363034306535336665613163
+62353761383639356337653262323339363866616635623734343232626533393638353461336333
+37333962313031346332393832366435383533393066656637646338386430633335346464353863
+66353066643561613935613331666261396165646332356130343438336664623132636536306539
+35343630336464313638643332363462623138323933646231383963353135653866373061366462
+63373164386530373938393066343331303662333266666133636464313063633233393665623835
+66306634623238616438613835386338653935323762653936666130653637396435346532373866
+65303337376562303364313365343733343739663937313333356561373764636435663934653338
+32333737626639306262623935303563303438383430306236666661643031306230383262373032
+34383065303037393137363235653038626566653930353733396461333339666230666532303162
+32616234613739616265653665313232323236666266613965346136663134373437633463323362
+61373761326635313862643831643363616465653333306465336530623135663639343565383064
+32383231663735323739353937333165333031383039323438343964633832333234333332366661
+62323935383338626131316334643933666666636263383837323637356631376134643266336331
+35326163646639616362633236353261653466323363393864653138656534383631366133333138
+62383435636365633530313936366462373136623262336439373962623465336637336161653561
+64396561336233326232656538363936656637326438313866353537313435653062393662363638
+38626138636239396665343435363939393962343035386338653166636366653433323266343533
+36366564353037313766316639376663363538343264333266323064313234646662366438633732
+62323934373039613338353330373235346461393463663832643366303461363738303632623336
+64666362613736653635616266613333333439653235393464383462623661666631336332386663
+63613435353865393166366430653464316439643363643030336164613064346265393136626263
+33326133353631346237353962633539383439346531613035616239656665336463366366386237
+35333231373061323234326337353461323236356636343332616563343663666165306139363163
+61366465333734386137623739303832366465343064626131373431326561643464646633313835
+62383464336165653861346462393332393133373465323062383063633339383831383764666232
+66306566666431613631636366373266346466326139303539363737643662643931323739356230
+33623331666638346539396137383532633035373761346336393933333966356633383533333463
+65316231353838623138656338626230346163633432376238396433386134353963396538383962
+37633438666262386539346633666334323966353133653534336333316464366163346537313133
+34366133393834636565646665633566646337373063313532373035393236626430623332656261
+64323763616463313231333934636664666139373436353239643032313835373633666634626635
+34633431633233646534386261666632306430356336666632656362383332636463363730336234
+35383031663232626562626464323665633634623664363032333932333832636164663561313965
+64326639643038613633303834353863663333326536613036663434356239633662663933376635
+36303131326430623666366363393132393662396231653337323133333161623338373561663632
+62636266316664643333626637386535313130376336636630393363313831333566653562353939
+32626337626531353435646462313161663033663263393436613266383662373539666465366637
+35613862636538633432353330313536356265313964303133623639653938396462616263383731
+36346536613536633038326363306465396266303333356262386130656234333631663738363439
+61613033306233343931373262303339333432336331366237373164363363353838626263373865
+37623966343864313836363437323530633461643831383238316132323032306336343833663861
+32663363626330313862366261626463366365666335643532303436336130373061373737346261
+61313937383762633463623337313562383039313165643436336465353261346639346466336163
+31313037306264663462316535623333376264643662373634353335303766346233313738323964
+62366439393066336136373437663666353765623663376261623730323639363732626264376563
+37656162666265303335363231626364623630373664356330653132316461376231623033653565
+32386138303264346430373838373764613835363161666362616630353264393632646432323639
+34366264636266633832623037353364666336656561323661333061623131356237363362393030
+39336134346564313263396333636366666538643961623835656638323439386539653237383630
+35656365633363386461383038383931633166373266663864636133323536326561643335393938
+32363438656630646134306237393233376634613263303762383034616137333833373337343330
+63323062303562343836613939326230363835663636643531616530396636363438653762643566
+61623034396665373437363631393566363638393462643337643733653034623536653462393861
+33616235316666646563623139636336363661356433663132316134346131613931623630366431
+39616162333965363264336662303664333638646631323633326432626434396636376338303163
+37373436656239346539383134643638623738373835323335363034393434653335313461306365
+32653037626162326135346437633039613334373430633662343231336335326663313362393839
+3661

ansible/host_vars/host.nc.chaoswg.org/wireguard-peers.yaml

@@ -0,0 +1,59 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32353562343735616233303364363161306331663637303632363534333933653164363238623164
+6461653239666330336666356462656232663033366666370a633938353466313937376361633537
+36653764393235393135393638383661613732396162303633376361616430386334626535393935
+3534363530343635630a333531313565646639663135396535343736353932373334623837396134
+66383633303533646537616364346137623265616137616266373939393163623537373635343763
+37326232363530323561336562386465623135626661636139653837343334666230616561323966
+33623864386436326437323737666365663637353761663433383439393238623030393865623633
+34323031643739613765386261333533653462383432313532643065313063333563386666393165
+35366565363561366239363733386436303763626362373632353964303361313132353030346366
+31333834306631643563653366613038396133356630316536613537376639626362616163666363
+65616538623233626631393362626638396661653337373433373839353066343164646230303464
+31373061616132643665373334376535313562353732663065303966343638356330353738653038
+37623634373563306664323765653365316131316261333438623332363830336662383030646666
+64326133633339316462323563623939306163353665613964393335323439626336353762363265
+66663133373033323734303230396463623230663162363438653065303462323339313930386331
+32626431313337623737353532386435376262613632353439656265333964633365323335613338
+64316534613963626339663336303766393066636562323233323837383330633639666634646466
+39333738313234383761636234336439323164376637653032316237613239336165373962353931
+65623662613030653335336433396665353466316561333039383937323065383162613635386264
+38623333386631343938383064323136616435643062356130376364643832393335313662353861
+38623866363639353765663265366266346330633363396139626639373437306463653331663337
+66306435663165366463623831663663623137373463316664666463616663623432323134333164
+36396463326664333832336531376638633832363431383032633738643435323732316561313139
+66303166363662376566393261363064356131313630303861363138613835366331363932356130
+64383131373435323062626138393766303134653836353939613230623232346236656331323435
+66363030303334373633363063653033306663343234646533333164343534666635336432306334
+66376137353064373865636663303532303836616138313536373239373462613438623334336566
+39643531366332306162346536313139393037643063383532306566356165396636393436626664
+35383962636339316434663062396262613862363533623534623236633363646265323633393533
+63656231616437656436336261616464363565356666653131336433343162323432653237663764
+61343736333737376535663230616530303631663064323036643963386430316630333861376564
+36373435313532356462353339633839653161393862356636353262666366343764623066616264
+64643730346236333236303735626164326662376432613534353331316261343332373062363838
+37376365383336666633353833316137383036323736393437373763663465663330666265303933
+30326661343162306639346439386666303363343633633532666634383537376131333234633062
+34376635346231343162393866326338656333643233366331343430373038326237613635646561
+65316632343837646332633166333537646539376362346632653164323735623732303365663334
+35393933316461363663633434373565323131616435313331306232653663343235663531373935
+63343064393865396161653832626133343638623739343837346239366637383363393035316332
+65356161636461343366356236643531373066623331313132326232343864393861326162333133
+33646466376463346136623064373066393536376134353132626366363034323336346561636565
+61303363383563653433376464363238336339346430306330656131653164663632656338353636
+35376132393665663631613464313237333466303663373762373136363737313239393838326261
+66666363363338646435326163363134646639616539386665303735623864313633623634303632
+33656166653264636436373637373835653636343364386234336133353432643639663261663263
+37633938313265363238633733353734393735613232613634336334316530626638633233616463
+33393036366664313162323037343665363765346535666561653034636131326337323637366365
+35626233323338663165373737316133623365623431356566393635376163646365356338636536
+63653635373066323532313133336538666661326333626632386165323836643138373939646237
+30636333663165306233303239333837313638666336613437336161346165316234393836306239
+66316336333632313961343662393762613063616163663066313938303761356666623038663732
+66393337386166306133663939333730396362306639636534663731303461343864343365333663
+62366231613935306638343936313265643935376135313235303161373665353033363636373430
+63643634316162636331386538323165306161383736373239366138323537393261393330376166
+64616137656434666432323536396636343739383065393162653638366634326630343134343539
+33656434383032623430383632323530356439623132393062623463396636653336636435313262
+34656139373838336635636562333063613464383431313737643436333736393530393237373838
+6137343965336430346665333437363937343762316539316631

ansible/host_vars/infra.unruhig.eu/main.yaml

@@ -0,0 +1,4 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD/pWrMOC24gEe75cvMUiOxLN1yixAyhd9uhKw2/tGn0MsqeVtiNtbHqb0vVFUPISDqKK5SxGsqYkikyTAfZSKI= infra.unruhig.eu_22
+

ansible/host_vars/infra.unruhig.eu/metrics.yaml

@@ -0,0 +1,21 @@
+metrics:
+  additional_scrape_rules:
+    - job_name: minio-job
+      bearer_token: "{{ prometheus.scrape.s3.bearer_token }}"
+      metrics_path: /minio/v2/metrics/cluster
+      scheme: https
+      static_configs:
+      - targets: [s3.tobiasmanske.de]
+    - job_name: drone-job
+      bearer_token: "{{ prometheus.scrape.drone.bearer_token }}"
+      scheme: https
+      static_configs:
+      - targets: [drone.tobiasmanske.de]
+    - job_name: 'uptime-kuma-job'
+      scrape_interval: 30s
+      scheme: https
+      static_configs:
+        - targets: [status.tobiasmanske.de]
+      basic_auth:
+        username: "{{ prometheus.scrape.kuma.user }}"
+        password: "{{ prometheus.scrape.kuma.password }}"

ansible/host_vars/infra.unruhig.eu/vault.yaml

@@ -0,0 +1,85 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+37646239383161613330383037643836616464613635376538333738646164653535343365646637
+3265333661656565653135653837666462623364346665310a653033613838643633313062343334
+39343866623636386235343731643637656332306132303065393231643935643234306630343833
+6562626632333534630a306661353739336266336661646132333862663231306135353564323762
+62613433653737356564323538626666656434613966346631613934396238626531616631383433
+39326532316439663632333331613135316134353531646362653432333734313534343037663433
+39333566336265356532396434623836366166363961346439373635363334636133643831373132
+64353939313135343338386638633136333931353839316236346634616430383263366137663565
+36303733306163363332613964343162613337386263613032663539623430666639323062646565
+61646463393338383934663665363837626532326630383930353236613161356230346162393031
+39643531663565633666333032306235323038363234346264656239336535393539306439643833
+33363035393864616664363463656361366365316230663031383037376139623039303361313131
+34386361393930373430323961303039653561323430356139393434643763346563306266623366
+36333265643738656362616363333638396139373137383366303263613031383237353435326562
+34633839316335613766306134343333373032353635383964663336656134646634613164366465
+66326533613363383337616437666333376133386231326336653934663233613333343464306238
+30386338303730383836663262373239656438313361373331343364623231356134643631323565
+31336464333838356265323938623133636536313736376136663330346630663837613937336436
+33386639383465363333343566646337633236393130326439323536393830323331393862616361
+36346162363166646537666666383464633165373263326532623061613065373030313439623039
+30646632333964323330396464383535303261613237353535613438336163323235333534313434
+31346233346335336230653337363337653763643535373532396362316131653665386539636432
+30663735616136316639633333303732336239393435653239336133383362613061306537623063
+31653634653233346634353136653763333833613337633530363338643336666463373465306434
+66363939313434333364323931663766393564353663666262363037323761653339316637386532
+39663538333664663139663262376137623765373931393833313130626135366436396636303062
+36623362343432633462373733373235353034373335356534653965393131613831636237666163
+65653463633961386266313534343833666136366235343639636561393534373830393434353363
+31363536616664373935346331633335643536313432346133356637363566633564633963313639
+62326439643333663362633739343465316431616234663233353066623861653165343461663830
+37316464653138386135656662663465333932306263396235626434356666373762356264336534
+66303664383630333064383363313864346234643639623037363437306638363937636162633362
+30313263376262636164363064626538386161653964663130326134636166633735633966386332
+61643566373233326362323034366537623830353463306363643866636439616430306362363863
+35306530666266623734653235313835323536343837396631393134343835303464393335653639
+39613530326562323764646662643439383639353661666231336433326564663463323638666639
+63333434353364656264303361636234623266326364346230613033343433376639356537643530
+30373631663165623035396139346165306335663263636434626336316265356535393034633832
+35653264313331396434636131396531613833643331643235306130373132643636376638663432
+32646539316138313234613536653538373638623330316236356431346461663034343932386536
+32383334633238373465636164653766323132386337653861396362353937353963636136373136
+66316331323132616337393438363636653561393432663238363764633938623531616538613865
+61346563643966623362366131313635656336326363346231373636323930623563646137303861
+39393064393965643638653462343631613466616366663232353864373236316438626135643537
+64363862393839356664336632623765656264366630383836323233333836626637653461386163
+66393263346539356363643566323366343631393139613864383764656465613033633038333661
+64336636383737313163306363333634633966356439333432636635393064306231663533646139
+65343637616532323366326239356263343432626238366333316238633366663734386332613631
+63336466326163663338393363626635306436653166363239393263333731366261313963383466
+38626665356463633439653932303033386464363862393439376635393961323530333566663263
+65613333303036303764636131323630303737336561373733663930323863393566313665613231
+32613962313935323432626230613334363163623836383135653931346132363538383632633031
+31346566383364333062646334346433336235623636326436343230666537383635383332613963
+63393366646266356130653339623439326230366234306235643332383261633739353039333039
+35336165383061303863623031313033623865346366366235363262326266383033613961373933
+33623832383934386563653662363461303939363533336561623430643865656232353731633263
+33656432386165326566656432663665633461306365633164303061373264383532626361666437
+62643533323136326539653263393663303365666532663262636165646561383333376336383332
+30653161313336393033363061343633346230393337393966343134323436623537383532346361
+61623661653132633234626631363430333837656633396365613834616635626139383731323837
+38346533353061363766633634346231373339656463376634366533643861343161633435633138
+39356165386635326535626161303462303939383461313834396333633565353634643362343539
+64653530303663663032353138383934373837306437643962333339363366353966333437383932
+30363934346638356565306365386335336530616532306465373163353562363235623937333832
+62663963306663306462373838636436366661333565303736393731636562663332326363656636
+39353161616134623433646539366664363935313866383163316665646236666237393762393563
+62633062646536633437666362363531646234326666386561613863633934663462643634333362
+65336431623836323334393934613133653262626134373838356238373031613737613965613761
+34643539373230396362633761626339356362613730383831316565393030623930616364313430
+35653935616662306130633263356165336130336363366532393735343137643831636462616334
+65343437396566346263346463326361303862623164346365346132633936303230323838303361
+62303663363834633635626331343531373639613763363537333539653631636462616437656135
+34333633633565306663666338646339326564663936373963353465313065633434613435376261
+30313963336664313465323036643035386463646561373235646134303930333961393639353639
+35376135363235623730663932313337366564346636333464623234346237346162356262333764
+62626563393261373838353663343430663763383365303766343665333231343861373534383739
+37353437383966376664383438323430316237626232376134656134346362316335396331346531
+63343933396636393332303636613133396162643132643765646664373438653732316633366338
+65653963333633303963623362353739313635663266643236666334323262616531356165363330
+66633131343461623231663832643138663563326264313036306438613837336333656361373166
+62666261626430393830396636376434376233636639666432316165346237383261626530623539
+63353530643065373734613664333239636433343262366637376130373130663766656563643931
+38393334343836386533643839643232386165636566646434616662336334366263633835376564
+38626339383631336638

ansible/host_vars/mon1.hel1.chaoswg.org/main.yaml

@@ -0,0 +1,3 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMeX2lqjaVHJicNohQLi64Bk6Oo9PMm6UaoULL7G+sMGsZthWryjoIB9hwgBJPbhDXBpO3rNn6wwWumAUXWEsE= mon1.hel1.chaoswg.org_22

ansible/host_vars/mon1.hel1.chaoswg.org/vault.yaml

@@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32366236633933396537643061353531643566663930626366343333643234653363653336613138
+6563306263656136333235353164383562323237613763650a393734356261393330306539373562
+62633332643737333137316433316363333338666538303636636461626161303638383465646565
+3564643732376137640a386131646339326633333633366162613064646432636630393035373562
+33373537653866333661633634356361663366336236313932636630623539316130356431303530
+38636534616264366235316638346437356162303331303763306437363438663632353730653236
+30333065306261383664636563336631383263376135356663363633626130326265336261316632
+31393635613264386463306265303137366330656339386363393061356434393162336237373737
+38626331336138313636333363653264376463326238383335613964333438303835353239303135
+38343837613562316463313366363931373134306635356465313532623663613666353935336234
+30323063633664653835356138313363333736323265396434313632333832316163303063373465
+63376136643337666166633732656532333235366636633739653665336637363436333433636164
+34623539353839376232363564336633666433353262366637623930663865623966343762643530
+37346433376662613966633436663833643065646632373135363663396564626136343635613333
+61633739646230633630373364343232646533653239346632663130353833343464633862343136
+30623337633766383530383333626331333839363532363734613333333763636264313539383939
+34323438373530653235666235633037393965353738373365633566313830623761663265363337
+34343030373065393765333038343865626161373134623837643037306230306435313834636634
+30323033343236396234386338623930353065346134343564653439306535313934616135346533
+37353363323732326333616165636331396234646564303738343265366465336563383333626432
+37623165663435313033383665353030363031373833653266356638353734313536626366373863
+61393937623165613563366138393533666166663266323864626537363066666338363261336265
+393938326530663531363535333061666332

ansible/host_vars/thonkpad.ka.chaoswg.org/main.yaml

@@ -0,0 +1,4 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKmN5g3jN6tsA8qcEaLTPzFp5c/p65wjAo31nUO5TtT7TDUDCvU68yi11HuZc9mhK7v3e2ZgCEnua/0g8lCyCoE= 192.168.0.73_22
+

ansible/host_vars/thonkpad.ka.chaoswg.org/override.yaml

@@ -0,0 +1,2 @@
+---
+heartbeat_timer_interval: 60

ansible/host_vars/thonkpad.ka.chaoswg.org/vault.yaml

@@ -0,0 +1,42 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+30343065306563343765353231366539356463646634363230643639616338663138376666343962
+6164333837646563356334613035383365636337393362350a343334643838303562363932336263
+33363432393565623631356331343063333332663937343639343739666130646262623364353237
+6366346434366236370a393063356266333430326362643932303130633635363732623361323736
+63386266333362653530333262383064366462313938646362386338643661343165363839636536
+62613561363637346538323062643664303932666566393537616539353730306164623535313636
+32656230663861363635633839643731326363393838636263313665313466313833363638346566
+33386566346564363963363166326564613366393531366135633430616634323261386263376565
+63663962653039623434643136393564336631613433613433636632623938306365376639326338
+38393465393764666636373430323736303235363238393038353632646365373536313566333238
+32616631666263353132333439653334643737336633663164356337363732366534366537343532
+30383531303663656263353461343166616139306634396432653032313366356265326664666339
+39393432343734336565303034636435623336646639373438363363613538643435653230326630
+32393362376164646335613166643632323861313834386630613932666166303438346461646564
+37646362316662373231666332666530353537376239633664316561363332313565633361393464
+65623635623166613430396638613061613737303739343266643663626134303361633561376135
+32336339356462353864646664633632306338353230663532303963636238636266383137393063
+37663064666539653362376662356265626630636230393230306565313264663961653135363238
+39623436646138656565383662653037623835333631323836343262353830323764663266396634
+62636536653833653932613661373438356138643334363034656339626365613761333764333732
+34303538313134666238663732393933613537383661636463336538393035626438323039353661
+36663939303366386136643335356131643032313934363361373563313965383734613632373631
+38333961613838313863333436356263363432326366353266623266616561323666383931343362
+32616265643133653532383732393739343366366532343461636338333463336466363331303931
+30373833363037643637343662313737383565363164323235306335303938363937626466643066
+62336261373865383234626463333535383662306330306663353438343061383761393165306231
+33303434303734623564616331646166376432343035393231306136343762653038656434653436
+66626639616139666133373063626237616133626334326530636162333930336539613336316330
+62653964353633376164646664376234336535633765616634663266636464393464653435393538
+34363865363338616336363561306461363532363131366534663366353463383134666239393230
+65653864643562333962323832363732616434343736376561643361666138343330653337313266
+31363339356536313832383162643035663538656463373133346265353437323634346539383933
+64613539333566333262656566643935323138393266656361316131623566663164333138656437
+34363830356431666531343938643934373562643232653239373837363336633030666631656361
+36393765333463643365663938636134666664653763663264613032386135356266636236623035
+64326239343730326639363133653666643534326362303339373733643164623634613633613138
+61313130613434336463363739623430626638323939306462316235663963313233633833313734
+66333461613766343130393539613332353131643730623466623365643237653865363262333734
+64623164663366326538386331343162336433393466386133323537623536636461613732323734
+39613639306562326366336634376263633062386163333964396532326666643539613739313365
+31343132313837646235313764396130653764623838396635626462626531303732

ansible/host_vars/thonkpad.ka.chaoswg.org/wireguard-peers.yaml

@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32643663326666316663626638303839353966356532333066313561656234393139656333346438
+3961633439383530323266323933303866656362306363630a333034666135303430363435656231
+30353630643162326664383232613161376137653638396363343735306336656432623766386638
+3832333632353536320a383365363037343161623364303837666238306336376463346236396566
+34323666383935363737656632666532383435626132313534393437383162663232623534336664
+64383839656561333064346536376561333666356535366232383636663665666464336462636161
+32363964613332353735336164646363643430656330653635616663656263353837313232633838
+36666165613530653832313538306434643862313161663662323434343236306666656634393261
+31303039343363323638333434383765633362353365666264646564323436386335663435363635
+35336162346635333062613639663434666339343662656465326439656533646262396436326631
+66303539363365323133336633373431353065613935616638343831326435623832616136313731
+30663863656465396139303931366565326362303036303761326132383164393361623664386566
+35316335383036393539386663343638366262666139373232636561383135333963313365386566
+6162666432623037666433636663643262316264323061363961

ansible/inventory.yaml

@@ -0,0 +1,61 @@
+---
+all:
+  hosts:
+    host.nc.chaoswg.org:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:4f:9f2::1"
+      wg_addr: 10.1.0.1
+    mon1.hel1.chaoswg.org:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:65:f3b::1"
+      wg_addr: 10.1.0.2
+    thonkpad.ka.chaoswg.org:
+      ansible_user: core
+      network_interface: ens3
+      wg_addr: 10.1.0.3
+    infra.unruhig.eu:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:9:176::1"
+      wg_addr: 10.1.0.4
+    filehost.unruhig.eu:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:56:e17::1"
+      wg_addr: 10.1.0.5
+    # localhost:
+    #   ansible_interpreter_python: ./ENV/bin/python
+    #   ansible_connection: local
+  vars:
+    service_base: "{{ playbook_dir }}/services"
+    wg_keepalive: 30
+    ansible_ssh_extra_args: "-o UserKnownHostsFile=./known_hosts"
+    ansible_ssh_private_key_file: "{{ lookup('ansible.builtin.env', 'SSH_KEY_' ~ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_')) }}"
+  children:
+    unprovisioned:
+      hosts:
+        # host.nc.chaoswg.org: null
+    prometheus:
+      hosts:
+        host.nc.chaoswg.org: null
+        thonkpad.ka.chaoswg.org: null
+        infra.unruhig.eu: null
+        filehost.unruhig.eu: null
+        mon1.hel1.chaoswg.org: null
+    backup:
+      hosts:
+        host.nc.chaoswg.org: null
+        thonkpad.ka.chaoswg.org: null
+        mon1.hel1.chaoswg.org: null
+        infra.unruhig.eu: null
+    monitoring:
+      hosts:
+        mon1.hel1.chaoswg.org: null
+    network_config:
+      hosts:
+        host.nc.chaoswg.org: null
+        mon1.hel1.chaoswg.org: null
+        infra.unruhig.eu: null
+        filehost.unruhig.eu: null

ansible/known_hosts

@@ -0,0 +1,15 @@
+filehost.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNxa8vbJ70oM2PlEKegPu3/SUO7oXz2lM6PvR74Ad+RYjjAQZr/j3WMpeDn15ugexlYmYoHgxgeT0xA6E/ZAM/0=
+filehost.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvXX75sXWRgslMW/Ufq0t0OJQnTFiWPL4yBUBdGIU9k
+filehost.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXlm4q3UBK2ChZCujrc9nv45tnntj6E+80UOOzZ6EEFWeUkJ0R+o4z4bnLsWBfFxfwgMDUvFCUCuS7R7xo2pE6vlRhPeD6eTitqNmRMfgmMZLJCdWD5eechg2FNSIht+wB61KEwMBuARXX45nmvIknWiRBK0qAGMLgy46hAx60hf/2uzSuyF6cxQdRqH7TNKZ/06aC7fCo9MCvHbiWvOSKbRx+jYSw8L27DW8WbPTqTGhywidij3nQEjwCFof/IN/hdp7NLpF/8qAoxW9iLWHh7ghESSwHxDF+QC1NjyA1g9QvyX+4p/hzR71wvQ2OVT/R9qx45jJiEi4dVQtsPGbcMzY9gQNbzyzl898cvnp2OuS50kGxuJZaJLMOj2UClbpW+lTrrkKvBZKkAF85v+C6Xcx/waY01eH0PaDBpoo40Y+vS9nWLmnKcvz5iDC6DVL8gUyDxuQj6/qMQuVsr5GL7GnvqIF/jjz6rNqES5Lr88c18ZyWeaupAHNnSgxaGV8=
+host.nc.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE+xbsYUu5fNjUZuJMER9VMx7aPCPCVcZvBpnNjxySRrkUSOgLV6n2IYj+aTfrxT3sCJFzkXzNS8R25Fyqw53WE=
+host.nc.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfZWpJz8JiM6F5zXcUg9K7OsCx0UbrK4z9sijpmUn3F
+host.nc.chaoswg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCiVZ57grUnL7JNyUTlU2LVVCS5cfC4dasBGvdQDlN36VNGxo3HDzu9ppichlXUO2KNT5J86sgh6o9KeAmu/mqIasNm2JQC+FIRc1xKQU1xufLVHm9LZqUfk18olHm8tTIxE3yOpcPYJRRlBe+l66OYary9huJfQZPvHik5umQ4fWg+l1VBd8p6IMOQHNA8AyGlb/VKg79c1Qk9fxzKxqkSAc0LCIwrNPSQNF8BzjiBXaw1AuHwvPDmMFjb3cFv4I8GwNSH/A1xRHXg2ymqE818A9eXim/RHDHNiyEf7HPC0kuT95x5ii9pd8WRqa5GXULSHMz1vajAMtgfnGawz8pvY+MnfOFqF2i5WLcaPSqK9IdFst6lFp2ThBCAijW2Wa8o8gQeazr3twhC9Dd5C3+HkNq2MpEYM8ck0yZUFhAkRPUc3laX+8y9KsiqDMbfg1aErEbrezlSb6h19oWVAhFy+d8xVUX53a/9C9uF3P8hFwy4o76lTHVwmB8rTD8DXT8=
+infra.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpspDDbmZt71/g8R4K+jn3A4n7z+8lO3unv8Pm8xLKhr3mDD0MErbRrP/ucYtsBRauMc+IOmBsDtM2Ayp/0zio=
+infra.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8dLUAnoazcq9Tl2zeLP0Ed8QlMs6226raruQhP/0y8
+infra.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0cOVaDYrycZ89VpBoysO2f5ihYGpz4Fxw2tpOSW16JztwGA7mksI9sSJUus69RtsFwgzxW9XNfKA1V63yVc5lE2f8PJg4zTTLtHRJk6V6mjWgIKQV6Ro9lxVW1g+bxVnRmkC2JC7OPE/k4qQcVKF7JMsCD8oG6uV4ghGaisDBifmixyGAwtsJ+Ev9M92HvWLvRRVLgMXozLgWfJUZJvz4p/xgKqrfS1WmjCRRqQT+FeI3BqWoA6l1jgY5xa/qeie5SYEClEp3K30wfI9bLBCSZiKYOHBnhrWtPcNw8z0G2pdLIbWpH6nM78nZ60UiK5yHjbR4XcxDxaZ695SKolyOjDazkt8yjuLM2kz//C+Tj/+1/rrUkEn8bT6zdJmmFzz++d+o6sYAPczcsmc40rs9+DHp7lFcgv7/RSVryXkdK71plhb4Uj/xpf2VlriiUe8+FzxMHu8NH5B3NlZAKLyhEQVPIHxsY0/7MjKdF2igGNgJZ7UA8BNYfTZ+9+Wx7cs=
+mon1.hel1.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGUIZFzyXd6QAA4Xn+SikYIdfZ+c2R4aFXCY6/Gh2oZGjpq4xtHLw7AFyadnC1UGVNNINNJY1FLfgbavIkeh6M=
+mon1.hel1.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsSgW6MyvR0YJWn61UZLG8hgj/ewvlRqiHIZDAkYDtV
+mon1.hel1.chaoswg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCl6bzWEhtuyKLLOUjRv0mxkmzpnjGzzdkc2DFZU+ueiMG4cTxCpwO5cXOST8RXC5WU49HtEpW0ZX4oCWxdEKhFeUXpij1Ins9Hvx31nHMot7sTLa745QcR0feQGYFl9DXfK1OADvstzWBL4n/UO70psK2Ir6aoBV1CM18w2Gk+DVSh5coLsMRczPczzG08ALIvhWa/1l3ObX7tULjs2y5Pf0F6Ukns8wcfxarUfUihdgnRwHdyc4yxaLHBvizAs3bl1G7zXdOh4SMOjw219J1ORbO/+n9fTSwhs78jU0IQCSZgI86Tp+EaLk+6RmA9SIGhI0+s3qk6UfwqMFM6VPxbiCUMbUeAhGcOo8UD3PMlLeTHWBwADHl2ee/mUmXBUh6Smyr9YlpbSCfcTNgXX2enkByidIgy+tEhJzaTub9vFRt8q0nj7fEimqQ63NecMzMZXPTGxnCma5Y3/TSLeBPE1aUNLGea6MFwUevCamdn9qB/KTAmMoyRTRR8pREsdfs=
+thonkpad.ka.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDq68XLq1mlFsHDfa1mlpNJZ83wCR3ZO5C/fkNe+kVwG9apKmGdCaAWZs9n1MKe08maSLf5Dx01B+m79+l9KrKQ=
+thonkpad.ka.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOY8bK8R5aUnXr/8vxZ6NSznTNGcTu4iQJJo5GYVXflR
+thonkpad.ka.chaoswg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8b0SqPTmmJYJEcGYMjeeyEZlEjjQTIj+XKZ3Sonbb6xT32SedabIJ8k+xw+yeRjDOhBnx1wl7KrfBhZqZ18qGbB3214d7QmgylWpC5KkQV89ow0c24JI2zSLfC3kMYbGvSSwch+ql8rLUBXGRczzMYuh9kWrXhkK9vF7821/pxBSsO4XD/9fZwEa/VfpakuFJUU0bmFGgi/OmlHf80U08B0LHlg/IYdM+3JemwWbx1swx7ylXwDUWGjyK5mxYR2SEBbwnHuCoanj8SW9xwPLfUOT9t5+IADtFya7J3o0cDAk+6ZjJOZcdtmY6WO1hR/K82aFnecAV4mjr8+fx/GpnbGCt8Jpv88bdhG7LWxzKESrZDbQDiZ2z4itkkq5fbOGeXeUrFuff8Vva/VtsUoLPToS6bctgVqZ2slbI+6J6YJXPE4LzUa57NRj2qyXSbr+q5q9URfrkOmFDwaBq5jLiFcDEDOS7UpAjoN5A1rAkxN7v+uP3gwYainkbx2+7DrM=

ansible/playbook.yaml

@@ -0,0 +1,31 @@
+---
+
+- name: Wait for hosts to be ready
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Wait for system to become reachable
+    wait_for_connection:
+      timeout: 300
+      sleep: 10
+  - name: gather facts
+    ansible.builtin.setup:
+      gather_subset: all
+
+- name: Common
+  ansible.builtin.import_playbook: plays/common.yaml
+
+- name: host.nc.chaoswg.org
+  ansible.builtin.import_playbook: plays/vps.yaml
+- name: mon1.hel1.chaoswg.org
+  ansible.builtin.import_playbook: plays/monitoring.yaml
+- name: thonkpad.ka.chaoswg.org
+  ansible.builtin.import_playbook: plays/thonkpad.yaml
+- name: infra.unruhig.eu
+  ansible.builtin.import_playbook: plays/infra.yaml
+- name: filehost.unruhig.eu
+  ansible.builtin.import_playbook: plays/filehost.yaml
+
+- name: grp_prometheus
+  ansible.builtin.import_playbook: plays/grp_prometheus.yaml
+...

ansible/plays/common.yaml

@@ -0,0 +1,330 @@
+- name: Setup SSH Config
+  hosts: all
+  become: true
+  become_user: root
+  tags:
+    - setup_ssh
+    - setup
+  tasks:
+    - name: Authorized_keys dir present
+      ansible.builtin.file:
+        state: directory
+        path: /etc/ssh/authorized_keys
+        owner: root
+        group: root
+        mode: '0755'
+    - name: Obtain Machine Pubkey
+      delegate_to: localhost
+      become: false
+      changed_when: false
+      register: pubkey
+      ansible.builtin.command:
+        cmd: "ssh-keygen -y -f {{ ansible_ssh_private_key_file }}"
+    - name: Deploy SSH-Keys
+      vars:
+        machine_key: "{{ pubkey.stdout }}"
+      ansible.builtin.template:
+        src: "authorized_keys.j2"
+        dest: "/etc/ssh/authorized_keys/{{ ansible_user }}"
+        owner: root
+        group: root
+        mode: '0644'
+    - name: Ensure authorized_keys ownership
+      ansible.builtin.file:
+        state: directory
+        path: /etc/ssh/authorized_keys
+        owner: root
+        group: root
+        mode: "u=rwX,g=rX,o=rX"
+        recurse: true
+    - name: Configure sshd
+      ansible.builtin.template:
+        src: 'sshd_config.j2'
+        dest: '/etc/ssh/sshd_config.d/99-override.conf'
+        owner: root
+        group: root
+        mode: '0600'
+    - name: Remove Keys Config
+      ansible.builtin.file:
+        state: absent
+        path: /etc/ssh/ssh_config.d/40-ssh-key-dir.conf
+
+- name: Setup Networks
+  hosts: network_config
+  become: true
+  become_user: root
+  tasks:
+    - name: Setup wired interface
+      ansible.builtin.template:
+        src: "connection.nmconnection.j2"
+        dest: "/etc/NetworkManager/system-connections/Wired Connection 1.nmconnection"
+        owner: root
+        group: root
+        mode: '0600'
+      notify: Restart Network
+    - name: Setup DNS
+      ansible.builtin.lineinfile:
+        path: /etc/systemd/resolved.conf
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      notify: Restart systemd-resolved
+      loop:
+        - regexp: "^DNS="
+          line: "DNS=1.1.1.1"
+        - regexp: "^FallbackDNS="
+          line: "FallbackDNS=8.8.8.8"
+  handlers:
+    - name: Restart Network
+      ansible.builtin.systemd:
+        name: NetworkManager.service
+        state: restarted
+    - name: Restart systemd-resolved
+      ansible.builtin.systemd:
+        name: systemd-resolved.service
+        state: restarted
+
+
+- name: Backup
+  hosts: backup
+  become: true
+  become_user: root
+  vars:
+    repo_path: "/var/home/backup/storagebox/{{ inventory_hostname }}"
+    password: "{{ backup.password }}"
+    pushkey: "{{ backup.pushkey }}"
+  tasks:
+    - name: Install backup script
+      vars:
+        repo: "ssh://{{ common.backup.user }}@{{ common.backup.url }}{{ repo_path }}"
+      ansible.builtin.template:
+        src: backup.sh.j2
+        dest: /root/backup.sh
+        mode: '0700'
+        owner: root
+    - name: Generate SSH directory
+      ansible.builtin.file:
+        path: /root/.ssh
+        owner: root
+        state: directory
+        mode: '0700'
+    - name: Generate SSH Key
+      community.crypto.openssh_keypair:
+        path: /root/.ssh/borgbackup
+        type: ed25519
+        owner: root
+        mode: '0600'
+      register: keypair
+    - name: Register SSH Key with backup server
+      become: true
+      become_user: root
+      delegate_to: filehost.unruhig.eu
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/authorized_keys/backup
+        state: present
+        search_string: "{{ keypair.public_key }}"
+        line: 'command="borg serve --append-only --restrict-to-repository {{ repo_path }}",restrict {{ keypair.public_key }}'
+    - name: Add Known Hosts entries
+      ansible.builtin.known_hosts:
+        path: "/root/.ssh/known_hosts"
+        name: "filehost.unruhig.eu"
+        key: "{{ item }}"
+      loop: "{{ hostvars['filehost.unruhig.eu']['known_hosts'] }}"
+- name: Restore from Backup
+  hosts: backup
+  become: true
+  become_user: root
+  gather_facts: true
+  vars:
+    repo_path: "/var/home/backup/storagebox/{{ inventory_hostname }}"
+    password: "{{ backup.password }}"
+    pushkey: "{{ backup.pushkey }}"
+  tasks:
+    - name: Check if restore is needed
+      ansible.builtin.stat:
+        path: "/etc/setup_complete"
+      register: setup_complete
+    - block:
+        - name: Install restore script
+          vars:
+            repo: "ssh://{{ common.backup.user }}@{{ common.backup.url }}{{ repo_path }}"
+          ansible.builtin.template:
+            src: restore.sh.j2
+            dest: /root/restore.sh
+            mode: '0700'
+            owner: root
+        - name: Stop and mask backup service
+          become: true
+          become_user: root
+          ansible.builtin.systemd:
+            name: "borgbackup.service"
+            state: stopped
+            masked: true
+        - name: Restore from Borg
+          become: true
+          become_user: root
+          ansible.builtin.command:
+            chdir: /
+            cmd: bash /root/restore.sh
+        - name: Remove script from host
+          ansible.builtin.file:
+            path: /root/restore.sh
+            state: absent
+        - name: Mark setup as complete
+          ansible.builtin.file:
+            path: "/etc/setup_complete"
+            state: touch
+            owner: root
+            group: root
+            mode: 0600
+        - name: Unmask backup service
+          become: true
+          become_user: root
+          ansible.builtin.systemd:
+            name: "borgbackup.service"
+            state: stopped
+            masked: false
+      when: not setup_complete.stat.exists
+- name: Setup Registry credentials
+  hosts: all
+  tasks:
+    - ansible.builtin.file:
+        path: /home/core/.docker
+        owner: core
+        state: directory
+        mode: '0700'
+    - ansible.builtin.template:
+        src: docker-config.json.j2
+        dest: /home/core/.docker/config.json
+        mode: '0600'
+        owner: core
+- name: Setup Docker Config
+  hosts: all
+  become: true
+  become_user: root
+  tasks:
+    - ansible.builtin.file:
+        path: /etc/docker
+        owner: root
+        state: directory
+        mode: '0700'
+    - name: Template Config
+      ansible.builtin.template:
+        src: "docker-daemon.json.j2"
+        dest: /etc/docker/daemon.json
+        owner: root
+        group: root
+        mode: '0600'
+      notify: Restart Docker
+    - name: Check if sysconfig exists
+      ansible.builtin.stat:
+        path: /etc/sysconfig/docker
+      register: sysconfig
+    - name: Remove ulimits from sysconfig
+      ansible.builtin.lineinfile:
+        path: /etc/sysconfig/docker
+        search_string: '--default-ulimit nofile='
+        state: absent
+      when: sysconfig.stat.exists
+      notify: Restart Docker
+    - name: Remove log-driver from sysconfig
+      ansible.builtin.lineinfile:
+        path: /etc/sysconfig/docker
+        search_string: '--log-driver='
+        state: absent
+      when: sysconfig.stat.exists
+      notify: Restart Docker
+    - name: Restart Docker if necessary
+      meta: flush_handlers
+  handlers:
+    - name: Restart Docker
+      ansible.builtin.systemd:
+        state: restarted
+        name: docker.service
+- name: Setup internal networks
+  hosts: all
+  tasks:
+    - name: Setup network
+      community.docker.docker_network:
+        name: "{{ item }}"
+        internal: true
+      loop: "{{ docker.internal_networks | default([]) }}"
+- name: Setup Push Monitoring
+  hosts: all
+  tags:
+    - never
+    - setup_monitoring
+    - setup
+  tasks:
+    - name: Login to Kuma
+      delegate_to: localhost
+      check_mode: false
+      lucasheld.uptime_kuma.login:
+        api_url: "{{ kuma.api_url }}"
+        api_username: "{{ kuma.api_username }}"
+        api_password: "{{ kuma.api_password }}"
+      register: kumalogin
+    - name: Create Kuma Monitor
+      delegate_to: localhost
+      check_mode: false
+      lucasheld.uptime_kuma.monitor:
+        api_url: "{{ kuma.api_url }}"
+        api_token: "{{ kumalogin.token }}"
+        name: "{{ inventory_hostname }}"
+        description: "Managed by Ansible"
+        type: push
+        interval: "{{ heartbeat_timer_interval|mandatory + 30 }}"
+        maxretries: 2
+        notification_names:
+          - "Kuma Statusmonitor"
+        state: present
+    - name: Obtain Kuma Push Token
+      delegate_to: localhost
+      check_mode: false
+      lucasheld.uptime_kuma.monitor_info:
+        api_url: "{{ kuma.api_url }}"
+        api_token: "{{ kumalogin.token }}"
+        name: "{{ inventory_hostname }}"
+      register: monitor
+    - name: Check if user is lingering
+      stat:
+        path: "/var/lib/systemd/linger/{{ ansible_user }}"
+      register: user_lingering
+    - name: Enable lingering for user if needed
+      command: "loginctl enable-linger {{ ansible_user }}"
+      when:
+        - not user_lingering.stat.exists
+    - name: Create systemd config dir
+      file:
+        state: directory
+        path: "/home/{{ ansible_user }}/.config/systemd/user"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0755'
+    - name: Copy Push Monitor Service and Timer
+      ansible.builtin.template:
+        src: "{{ item }}.j2"
+        dest: "/home/{{ ansible_user }}/.config/systemd/user/{{ item }}"
+        mode: '0600'
+        owner: "{{ ansible_user }}"
+      vars:
+        monitor_url: "{{ kuma.api_url }}/api/push/{{ monitor.monitors[0].pushToken }}?status=up&msg=OK"
+      loop:
+        - heartbeat.service
+        - heartbeat.timer
+    - name: Enable timer
+      ansible.builtin.systemd:
+        scope: user
+        name: heartbeat.timer
+        state: started
+        enabled: true
+        masked: false
+        daemon_reload: true
+- name: Setup Infrastructure Wireguard
+  tags:
+    - never
+    - setup
+    - setup_wireguard
+    - setup_vpn
+  ansible.builtin.import_playbook: vpn.yaml
+
+# vim: ft=yaml.ansible

ansible/plays/docker.yaml

@@ -0,0 +1,41 @@
+- name: Migrate to docker compose v2
+  hosts: all
+  become: true
+  become_user: root
+  pre_tasks:
+    - name: Find deployed projects
+      ansible.builtin.find:
+        paths: /home/core/compose
+        recurse: no
+        file_type: directory
+      register: find_challenges
+    - name: Register Projects Fact
+      ansible.builtin.set_fact:
+        deployed_challenges: "{{ find_challenges.files | map(attribute='path') | map('basename') }}"
+    - name: Undeploy
+      include_tasks: undeploy.yaml
+      loop: "{{ deployed_challenges | mandatory }}"
+      loop_control:
+        loop_var: item
+        label: "{{ item }}"
+  tasks:
+    - name: Install Repo
+      copy:
+        dest: /etc/yum.repos.d/docker-ce.repo
+        src: docker.repo
+        owner: root
+        group: root
+        mode: '0644'
+    - name: Remove legacy versions
+      command: "rpm-ostree override remove --reboot docker containerd runc"
+      async: true
+      poll: 0
+      ignore_errors: true
+    - name: Wait for host
+      ansible.builtin.wait_for_connection:
+        delay: 90
+    - name: Install new docker versions
+      command: "rpm-ostree install -A -y --idempotent docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-buildx-plugin"
+
+- name: Redeploy
+  ansible.builtin.import_playbook: ../playbook.yaml

ansible/plays/filehost.yaml

@@ -0,0 +1,78 @@
+- name: Setup Users
+  hosts: filehost.unruhig.eu
+  gather_facts: false
+  tasks:
+    - name: Create user [backup]
+      become: true
+      ansible.builtin.user:
+        name: backup
+        comment: Used for receiving borg backups
+        shell: /bin/bash
+        create_home: true
+        state: present
+        generate_ssh_key: true
+        ssh_key_type: "ed25519"
+        ssh_key_file: ".ssh/storagebox"
+    - name: Create mount directory
+      become: true
+      become_user: backup
+      ansible.builtin.file:
+        path: "/home/backup/storagebox"
+        state: directory
+        owner: backup
+        group: backup
+        mode: '0700'
+    - name: Create user [files]
+      become: true
+      ansible.builtin.user:
+        name: files
+        comment: Used for providing access to files
+        shell: /bin/bash
+        create_home: true
+        state: present
+        generate_ssh_key: true
+        ssh_key_type: "ed25519"
+        ssh_key_file: ".ssh/storagebox"
+    - name: Create mount directory
+      become: true
+      become_user: files
+      ansible.builtin.file:
+        path: "/home/files/data"
+        state: directory
+        owner: files
+        group: files
+        mode: '0700'
+
+- name: Setup mounts
+  hosts: filehost.unruhig.eu
+  become: true
+  become_user: root
+  pre_tasks:
+    - name: Info user [backup]
+      become: true
+      ansible.builtin.user:
+        name: backup
+        state: present
+      register: user_backup
+    - name: Info user [files]
+      become: true
+      ansible.builtin.user:
+        name: files
+        state: present
+      register: user_files
+  roles:
+    - role: ansible_systemd_mounts
+      mounts:
+        backup:
+          share: "//{{ backup.cifs.host }}/{{ backup.cifs.user }}"
+          mount: "{{ user_backup.home }}/storagebox"
+          type: "cifs"
+          options: "_netdev,iocharset=utf8,seal,x-systemd.automount,username={{ backup.cifs.user }},password={{ backup.cifs.password }},uid={{ user_backup.uid }},gid={{ user_backup.group }}"
+          automount: true
+        files:
+          share: "//{{ files.cifs.host }}/{{ files.cifs.user }}"
+          mount: "{{ user_files.home }}/data"
+          type: "cifs"
+          options: "_netdev,iocharset=utf8,seal,x-systemd.automount,username={{ files.cifs.user }},password={{ files.cifs.password }},uid={{ user_files.uid }},gid={{ user_files.group }}"
+          automount: true
+# vim: ft=yaml.ansible

ansible/plays/files/docker.repo

@@ -0,0 +1,6 @@
+[docker-ce-stable]
+name=Docker CE Stable - $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg

ansible/plays/grp_prometheus.yaml

@@ -0,0 +1,8 @@
+- name: Deploy Metrics exporter
+  hosts: prometheus
+  vars:
+    state: running
+  roles:
+    - {role: compose_project, service: metric-export}
+
+# vim: ft=yaml.ansible

ansible/plays/infra.yaml

@@ -0,0 +1,16 @@
+- name: Setup Infra Meta Host
+  hosts: infra.unruhig.eu
+  gather_facts: false
+  vars:
+    state: running
+    base_domain: "tobiasmanske.de"
+  roles:
+    - {role: compose_project, service: traefik}
+    - {role: compose_project, service: keycloak}
+    # - {role: compose_project, service: db} # database used for terraform state
+    # - {role: compose_project, service: monitoring-stack} # mimir, loki, grafana
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: watchtower}
+    - {role: compose_project, service: vaultwarden}
+
+# vim: ft=yaml.ansible

ansible/plays/monitoring.yaml

@@ -0,0 +1,30 @@
+- name: Base Setup Monitoring
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: running
+  roles:
+    - {role: compose_project, service: traefik}
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: watchtower}
+- name: Setup Monitoring Kuma 1
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: running
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "tobias"
+        urls:
+          - "status.tobiasmanske.de"
+          - "monitor.chaoswg.org"
+- name: Setup Monitoring Kuma 2
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: running
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "istannen"
+        urls: ["monitor.ialistannen.de"]

ansible/plays/services/ba-gitlab-runner/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=gitlab-ba

ansible/plays/services/ba-gitlab-runner/docker-compose.yaml

@@ -0,0 +1,39 @@
+---
+version: "3.4"
+
+services:
+  dind:
+    image: docker:dind
+    restart: unless-stopped
+    privileged: true
+    volumes:
+      - /lib/modules:/lib/modules:ro
+    environment:
+      DOCKER_TLS_CERTDIR: ""
+    networks:
+      - backend
+      - default
+
+  runner:
+    image: gitlab/gitlab-runner:alpine
+    restart: unless-stopped
+    depends_on:
+      - dind
+    networks:
+      - default
+      - backend
+    volumes:
+      - runner_cfg:/etc/gitlab-runner:z
+    environment:
+      - DOCKER_HOST=tcp://dind:2375
+      - CI_SERVER_URL={{ ba_gitlab_runner.server }}
+      - REGISTRATION_TOKEN={{ ba_gitlab_runner.token }}
+
+volumes:
+  runner_cfg:
+
+networks:
+  backend:
+    internal: true
+
+...

ansible/plays/services/blog/docker-compose.yaml

@@ -6,15 +6,9 @@ services:
     image: registry.tobiasmanske.de/tobiasmanske.de:latest
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.tobiasmanskede.rule=Host(`tobiasmanske.de`) || Host(`www.tobiasmanske.de`)"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.tobiasmanskede.rule=(Host(`tobiasmanske.de`) || Host(`www.tobiasmanske.de`)) && !PathPrefix(`/{path:(_matrix|_synapse|.well-known/matrix|.well-known/openpgpkey)}/`)"
       - "traefik.http.routers.tobiasmanskede.entryPoints=websecure"
       - "traefik.http.services.tobiasmanskede.loadbalancer.server.port=80"
-      - "com.centurylinklabs.watchtower.scope=http"
     restart: always
-    networks:
-      - gateway
-
-networks:
-  gateway:
-    external: true
 ...

ansible/plays/services/caddy/Caddyfile

@@ -0,0 +1,14 @@
+{
+    auto_https off
+}
+
+{% for rule in redirect.hosts %}
+http://{{ rule.from }} {
+    {% if rule.keepUri %}
+    redir https://{{ rule.to }}{uri}
+    {% else %}
+    redir https://{{ rule.to }}
+    {% endif %}
+}
+
+{% endfor %}

ansible/plays/services/caddy/docker-compose.yaml

@@ -8,15 +8,9 @@ services:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro,z
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.caddyredir.rule={{ redirect.hosts | map(attribute='from') | map('regex_replace', '^(.*)$', 'Host(`\\1`)') | join(' || ') }}"
       - "traefik.http.routers.caddyredir.entryPoints=websecure"
       - "traefik.http.services.caddyredir.loadbalancer.server.port=80"
-      - "com.centurylinklabs.watchtower.scope=update"
     restart: always
-    networks:
-      - gateway
-
-networks:
-  gateway:
-    external: true
 ...

ansible/plays/services/diun/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=diun

ansible/plays/services/diun/diun.yml

@@ -0,0 +1,19 @@
+watch:
+  workers: 20
+  schedule: "0 */6 * * *"
+  firstCheckNotif: false
+
+notif:
+  matrix:
+    homeserverURL: http://pantalaimon:8008
+    user: "{{ diun.matrix.user }}"
+    password: "{{ diun.matrix.password }}"
+    roomID: "{{ diun.matrix.roomID }}"
+    msgType: notice
+    templateBody: |
+      {% raw %}Docker tag {{ if .Entry.Image.HubLink }}[**{{ .Entry.Image }}**]({{ .Entry.Image.HubLink }}){{ else }}**{{ .Entry.Image }}**{{ end }} which you subscribed to through {{ .Entry.Provider }} provider {{ if (eq .Entry.Status "new") }}is available{{ else }}has been updated{{ end }} on {{ .Entry.Image.Domain }} registry.
+      {{ if and (eq .Entry.Status "new") (eq .Entry.Image "docker.io/jitsi/web") }}See https://github.com/jitsi/docker-jitsi-meet/releases/tag/{{ .Entry.Image.Tag }}{{ end }}{% endraw %}
+
+providers:
+  file:
+    filename: /watch.yml

ansible/plays/services/diun/docker-compose.yaml

@@ -0,0 +1,29 @@
+---
+version: "3.4"
+
+services:
+  diun:
+    image: crazymax/diun:latest
+    container_name: diun
+    command: serve
+    volumes:
+      - "data:/data"
+      - "./diun.yml:/diun.yml:ro,Z"
+      - "./watch.yml:/watch.yml:ro,Z"
+    environment:
+      - "TZ=Europe/Berlin"
+      - "LOG_LEVEL=info"
+      - "LOG_JSON=false"
+    restart: always
+    networks:
+      - default
+      - pantalaimon
+
+volumes:
+  data:
+
+networks:
+  pantalaimon:
+    external: true
+
+...

ansible/plays/services/diun/watch.yml

@@ -0,0 +1,6 @@
+- name: docker.io/jitsi/web
+  watch_repo: true
+  notify_on:
+    - new
+  include_tags:
+    - ^stable-\d+

ansible/plays/services/filestash/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=filestash

ansible/plays/services/filestash/docker-compose.yaml

@@ -0,0 +1,21 @@
+version: "3.4"
+services:
+  filestash:
+    container_name: filestash
+    image: machines/filestash:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.filestash.rule=Host(`stash.unruhig.eu`)"
+      - "traefik.http.routers.filestash.entryPoints=websecure"
+      - "traefik.http.services.filestash.loadbalancer.server.port=8334"
+    environment:
+      - "APPLICATION_URL=https://stash.unruhig.eu"
+    volumes:
+    - data:/app/data/state/
+    networks:
+      - default
+
+volumes:
+  data:

ansible/plays/services/gitea-runner/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=gitea-runner

ansible/plays/services/gitea-runner/docker-compose.yaml

@@ -0,0 +1,44 @@
+---
+version: '3.9'
+
+services:
+  dind:
+    image: docker:dind
+    restart: unless-stopped
+    privileged: true
+    volumes:
+      - /lib/modules:/lib/modules:ro
+    environment:
+      DOCKER_TLS_CERTDIR: ""
+    command:
+      - '--tls=false' # Do not force TLS; note that this service is NOT exposed to the internet
+    networks:
+      - backend
+      - default
+
+  drone_runner:
+    image: drone/drone-runner-docker:1
+    restart: always
+    environment:
+      - "DOCKER_HOST=tcp://dind:2375"
+      - "DRONE_LIMIT_MEM=8192000000"
+      - "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
+      - "DRONE_RPC_HOST=drone.tobiasmanske.de"
+      - "DRONE_RPC_PROTO=https"
+      - "DRONE_RUNNER_CAPACITY={{ gitea.drone.runner_capacity }}"
+      - "DRONE_RUNNER_NAME={{ gitea.drone.runner_name }}"
+{% if gitea.drone.runner_labels is defined %}
+      - "DRONE_RUNNER_LABELS={{ gitea.drone.runner_labels | join(',') }}"
+{% endif %}
+      - "DRONE_RUNNER_CLONE_IMAGE=drone/git:linux-amd64"
+      - "DRONE_RUNNER_VOLUMES=/etc/hosts:/etc/hosts"
+    depends_on:
+      - dind
+    networks:
+      - backend
+      - default
+
+networks:
+  backend:
+    internal: true
+...

ansible/plays/services/gitea/docker-compose.yaml

@@ -1,3 +1,4 @@
+{% import 'macro/postgres.j2' as pg with context %}
 ---
 version: '3.9'
 
@@ -14,44 +15,36 @@ services:
       - "GITEA__database__USER={{ gitea.db.user }}"
       - "GITEA__database__PASSWD={{ gitea.db.password }}"
       - "GITEA__webhook__ALLOWED_HOST_LIST=*.tobiasmanske.de"
+      - "GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true"
+      - "GITEA__service__DISABLE_REGISTRATION=true"
     restart: always
     networks:
+      - default # mirror service needs internet
       - backend
-      - gateway
     volumes:
       - gitea_data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.gitea.rule=Host(`git.tobiasmanske.de`)"
       - "traefik.http.routers.gitea.entryPoints=websecure"
       - "traefik.http.services.gitea.loadbalancer.server.port=3000"
-      - "com.centurylinklabs.watchtower.scope=update"
     ports:
       - "7779:22"
     depends_on:
-      - db
+      db:
+        condition: service_healthy
 
-  db:
-    image: postgres:14
-    restart: always
-    labels:
-      - "com.centurylinklabs.watchtower.scope=update"
-    environment:
-      - POSTGRES_USER="{{ gitea.db.user }}"
-      - POSTGRES_PASSWORD="{{ gitea.db.password }}"
-      - POSTGRES_DB="{{ gitea.db.name }}"
-    networks:
-      - backend
-    volumes:
-      - pg_data:/var/lib/postgresql/data
+{{ pg.postgres("db", gitea.db.user, gitea.db.password, gitea.db.name, ["backend"], version="14" ) }}
 
   drone:
     image: drone/drone:2
     restart: always
     environment:
       - "DRONE_GITEA_SERVER=https://git.tobiasmanske.de"
+      - "DRONEC_COOKIE_SECRET={{ gitea.drone.cookie_secret }}"
       - "DRONE_GITEA_CLIENT_ID={{ gitea.drone.client_id }}"
       - "DRONE_GIT_ALWAYS_AUTH=true"
       - "DRONE_GITEA_CLIENT_SECRET={{ gitea.drone.client_secret }}"
@@ -59,48 +52,31 @@ services:
       - "DRONE_SERVER_HOST=drone.tobiasmanske.de"
       - "DRONE_SERVER_PROTO=https"
       - "DRONE_IMAGE_CLONE=openjdk:17-bullseye"
+      - "DRONE_USER_CREATE=username:tobias,admin:true"
     networks:
+      - default
       - backend
-      - gateway
     volumes:
       - drone_data:/data
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.drone.rule=Host(`drone.tobiasmanske.de`)"
       - "traefik.http.routers.drone.entryPoints=websecure"
       - "traefik.http.services.drone.loadbalancer.server.port=80"
-      - "com.centurylinklabs.watchtower.scope=update"
     depends_on:
       - gitea
 
-  drone_runner:
-    image: drone/drone-runner-docker:1.8
-    restart: always
-    privileged: true
-    labels:
-      - "com.centurylinklabs.watchtower.scope=update"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
-      - "DRONE_RPC_HOST=drone.tobiasmanske.de"
-      - "DRONE_RPC_PROTO=https"
-      - "DRONE_RUNNER_CAPACITY=2"
-      - "DRONE_RUNNER_NAME=docker-01"
-      - "DRONE_RUNNER_CLONE_IMAGE=drone/git:linux-amd64"
-      - "DRONE_RUNNER_VOLUMES=/etc/hosts:/etc/hosts"
-    networks:
-      - backend
-      - default
-
 networks:
+  postgres:
+    internal: true
+  default:
+    enable_ipv6: true
   backend:
     internal: true
-  gateway:
-    external: true
 
 volumes:
   gitea_data:
   drone_data:
-  pg_data:
+  db_data:
 ...

ansible/plays/services/gotosocial/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=gotosocial

ansible/plays/services/gotosocial/docker-compose.yaml

@@ -0,0 +1,69 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3'
+services:
+  gotosocial:
+    image: superseriousbusiness/gotosocial:latest
+    restart: unless-stopped
+    user: "1000:1000"
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      GTS_LOG_LEVEL: "info"
+      GTS_HOST: "social.unruhig.eu"
+      GTS_ACCOUNT_DOMAIN: "unruhig.eu"
+      GTS_DB_TYPE: "postgres"
+      GTS_DB_ADDRESS: "db"
+      GTS_DB_PORT: "5432"
+      GTS_DB_DATABASE: "{{ gotosocial.db.user }}"
+      GTS_DB_USER: "{{ gotosocial.db.user }}"
+      GTS_DB_PASSWORD: "{{ gotosocial.db.password }}"
+      GTS_TRUSTED_PROXIES: "127.0.0.1/32,10.254.0.0/17,fd64:2::/104,::1"
+      GTS_INSTANCE_LANGUAGES: "de,en-gb"
+      GTS_LETSENCRYPT_ENABLED: "false"
+      GTS_METRICS_ENABLED: "true"
+      GTS_LANDING_PAGE_USER: "admin"
+      # STORAGE
+      GTS_STORAGE_BACKEND: "s3"
+      GTS_STORAGE_S3_ENDPOINT: "{{ gotosocial.s3.endpoint }}"
+      GTS_STORAGE_S3_BUCKET: "{{ gotosocial.s3.bucket }}"
+      GTS_STORAGE_S3_ACCESS_KEY: "{{ gotosocial.s3.access_key }}"
+      GTS_STORAGE_S3_SECRET_KEY: "{{ gotosocial.s3.secret_key | mandatory }}"
+      # OPENID CONNECT
+      GTS_OIDC_ENABLED: "true"
+      GTS_OIDC_IDP_NAME: "KeyCloak"
+      GTS_OIDC_ISSUER: "{{ gotosocial.oidc.issuer }}"
+      GTS_OIDC_CLIENT_ID: "{{ gotosocial.oidc.client_id }}"
+      GTS_OIDC_CLIENT_SECRET: "{{ gotosocial.oidc.client_secret }}"
+      GTS_OIDC_ADMIN_GROUPS: "gotosocial-admin,service-admin"
+      GTS_OIDC_SCOPES: "openid,email,profile"
+      # GTS_ACCOUNTS_REGISTRATION_OPEN: "false"
+      TZ: "Europe/Berlin"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.gotosocial.rule=(Host(`social.unruhig.eu`) || (Host(`unruhig.eu`) && Path(`/.well-known/{a:(webfinger|nodeinfo|host-meta)}`)))"
+      - "traefik.http.routers.gotosocial.entryPoints=websecure"
+      - "traefik.http.services.gotosocial.loadbalancer.server.port=8080"
+      - "traefik.http.routers.gotosocial.middlewares=deny-metrics@file"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=8080"
+    networks:
+      - backend
+      - default
+      - metrics
+
+{{ pg.postgres("db", gotosocial.db.user, gotosocial.db.password, gotosocial.db.user, ["backend"]) }}
+
+volumes:
+  db_data:
+
+networks:
+  backend:
+    internal: true
+  metrics:
+    external: true
+  postgres:
+    internal: true
+...

ansible/plays/services/grafana/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=grafana

ansible/plays/services/grafana/docker-compose.yaml

@@ -0,0 +1,48 @@
+version: "3.4"
+services:
+  grafana:
+    image: grafana/grafana:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.grafana.rule=Host(`grafana.tobiasmanske.de`)"
+      - "traefik.http.routers.grafana.entryPoints=websecure"
+      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+    environment:
+      - "GF_SERVER_ROOT_URL=https://grafana.tobiasmanske.de"
+      - "GF_SECURITY_ADMIN_USER={{ grafana.admin.user }}"
+      - "GF_SECURITY_ADMIN_PASSWORD={{ grafana.admin.password }}"
+      - "GF_AUTH_GENERIC_OAUTH_NAME=Keycloak"
+      - "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
+      - "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true"
+      - "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ grafana.oidc.client_id }}"
+      - "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ grafana.oidc.client_secret }}"
+      - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles"
+      - "GF_AUTH_GENERIC_OAUTH_GROUP_ATTRIBUTE_PATH=groups"
+      - "GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email"
+      - "GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username"
+      - "GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=full_name"
+      - "GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/auth"
+      - "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/token"
+      - "GF_AUTH_GENERIC_OAUTH_API_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/userinfo"
+      - "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(resource_access.grafana.roles[*], 'serveradmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer' || 'None'"
+      - "GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true"
+    volumes:
+      - data:/var/lib/grafana
+      - ./grafana-ds.yml:/etc/grafana/provisioning/datasources/datasource.yml:ro,Z
+      - ./grafana-db.yml:/etc/grafana/provisioning/dashboards/datasource.yml:ro,Z
+      - ./grafana-dashboards:/var/lib/grafana/dashboards:ro,Z
+    networks:
+      - default
+      - metrics
+
+volumes:
+  data:
+networks:
+  backend:
+    internal: true
+  metrics:
+    external: true
+  postgres:
+    internal: true

ansible/plays/services/grafana/grafana-dashboards/droneci.json

@@ -0,0 +1,602 @@
+{% raw %}
+{
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "10.0.3"
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "stat",
+      "name": "Stat",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "Dashboard for Drone CI",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "gnetId": 16720,
+  "graphTooltip": 2,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "match": "null",
+                "result": {
+                  "text": "N/A"
+                }
+              },
+              "type": "special"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "links": [],
+      "maxDataPoints": 100,
+      "options": {
+        "colorMode": "none",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "sum(drone_build_count) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Builds",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "match": "null",
+                "result": {
+                  "text": "N/A"
+                }
+              },
+              "type": "special"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 4,
+        "y": 0
+      },
+      "id": 4,
+      "links": [],
+      "maxDataPoints": 100,
+      "options": {
+        "colorMode": "none",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "sum(drone_repo_count) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "refId": "A"
+        }
+      ],
+      "title": "Activated Repos",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "match": "null",
+                "result": {
+                  "text": "N/A"
+                }
+              },
+              "type": "special"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 8,
+        "y": 0
+      },
+      "id": 7,
+      "links": [],
+      "maxDataPoints": 100,
+      "options": {
+        "colorMode": "none",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_user_count) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Users",
+      "type": "stat"
+    },
+    {
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 4
+      },
+      "id": 10,
+      "title": "Metrics",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "decimals": 0,
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 5
+      },
+      "id": 6,
+      "links": [],
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "9.0.7",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_running_builds) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "running builds",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_pending_builds) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "pending builds",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Builds",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "decimals": 0,
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 5
+      },
+      "id": 8,
+      "links": [],
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "9.0.7",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_running_jobs) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "running jobs",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_pending_jobs) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "pending jobs",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Jobs",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "1m",
+  "schemaVersion": 38,
+  "style": "dark",
+  "tags": [
+    "drone",
+    "drone-ci",
+    "ci/cd"
+  ],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": true,
+          "text": "Prometheus",
+          "value": "Prometheus"
+        },
+        "hide": 0,
+        "includeAll": false,
+        "label": "datasource",
+        "multi": false,
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "queryValue": "",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-12h",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "5s",
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "",
+  "title": "Drone CI",
+  "uid": "IT4-bnNik",
+  "version": 2,
+  "weekStart": ""
+}
+{% endraw %}

ansible/plays/services/grafana/grafana-dashboards/kuma.json

@@ -0,0 +1,440 @@
+{% raw %}
+{
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "10.0.3"
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "stat",
+      "name": "Stat",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "A dashboard to show the data from the excellent Uptime Kuma project!",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "gnetId": 14847,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "color": "red",
+                  "index": 0,
+                  "text": "DOWN"
+                },
+                "1": {
+                  "color": "green",
+                  "index": 1,
+                  "text": "UP"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 17,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "monitor_status ",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "Site Status",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red",
+                "value": null
+              },
+              {
+                "color": "#EAB839",
+                "value": 30
+              },
+              {
+                "color": "green",
+                "value": 60
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 13,
+        "x": 0,
+        "y": 17
+      },
+      "id": 6,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "monitor_cert_days_remaining",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "TLS Certificate Remaining Days",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "color": "red",
+                  "index": 0,
+                  "text": "EXPIRED"
+                },
+                "1": {
+                  "color": "green",
+                  "index": 1,
+                  "text": "VALID"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red",
+                "value": null
+              },
+              {
+                "color": "green",
+                "value": 1
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 11,
+        "x": 13,
+        "y": 17
+      },
+      "id": 5,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "monitor_cert_is_valid",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "TLS Certificate Status",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "ms"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 24,
+        "x": 0,
+        "y": 26
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [
+            "max",
+            "min",
+            "lastNotNull"
+          ],
+          "displayMode": "table",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "sum(monitor_response_time{}) by (monitor_name)",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "Response Times",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "revision": 1,
+  "schemaVersion": 38,
+  "style": "dark",
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": false,
+          "text": "Prometheus",
+          "value": "Prometheus"
+        },
+        "hide": 0,
+        "includeAll": false,
+        "multi": false,
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-5m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Uptime Kuma",
+  "uid": "CN8E-vZ7k",
+  "version": 4,
+  "weekStart": ""
+}
+{% endraw %}

ansible/plays/services/grafana/grafana-dashboards/smokeping.json

@@ -0,0 +1,562 @@
+{% raw %}
+{
+  "__inputs": [
+    {
+      "name": "DS_MIMIR_NETCUP",
+      "label": "Mimir Netcup",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "10.2.3"
+    },
+    {
+      "type": "panel",
+      "id": "heatmap",
+      "name": "Heatmap",
+      "version": ""
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "Smoke Ping using https://github.com/SuperQ/smokeping_prober\r\nwith \r\nlatency heatmap\r\nlatency graph\r\npacket loss gragh\r\n",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "gnetId": 11335,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "cards": {},
+      "color": {
+        "cardColor": "#FF9830",
+        "colorScale": "sqrt",
+        "colorScheme": "interpolateOranges",
+        "exponent": 0.5,
+        "mode": "opacity"
+      },
+      "dataFormat": "tsbuckets",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_MIMIR_NETCUP}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "scaleDistribution": {
+              "type": "linear"
+            }
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "heatmap": {},
+      "hideZeroBuckets": false,
+      "highlightCards": true,
+      "id": 2,
+      "legend": {
+        "show": false
+      },
+      "links": [],
+      "options": {
+        "calculate": false,
+        "calculation": {},
+        "cellGap": 2,
+        "cellValues": {},
+        "color": {
+          "exponent": 0.5,
+          "fill": "#FF9830",
+          "mode": "opacity",
+          "reverse": false,
+          "scale": "exponential",
+          "scheme": "Oranges",
+          "steps": 128
+        },
+        "exemplars": {
+          "color": "rgba(255,0,255,0.7)"
+        },
+        "filterValues": {
+          "le": 1e-9
+        },
+        "legend": {
+          "show": true
+        },
+        "rowsFrame": {
+          "layout": "auto"
+        },
+        "showValue": "never",
+        "tooltip": {
+          "show": true,
+          "showColorScale": false,
+          "yHistogram": false
+        },
+        "yAxis": {
+          "axisPlacement": "right",
+          "decimals": 0,
+          "min": "0",
+          "reverse": false,
+          "unit": "s"
+        }
+      },
+      "pluginVersion": "10.2.3",
+      "reverseYBuckets": false,
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "sum(rate(smokeping_response_duration_seconds_bucket{host=\"$target\", __tenant_id__=\"$source\"}[1m])) by (le)",
+          "format": "heatmap",
+          "intervalFactor": 1,
+          "legendFormat": "{{le}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Smoke Ping - $target",
+      "tooltip": {
+        "show": true,
+        "showHistogram": false
+      },
+      "transparent": true,
+      "type": "heatmap",
+      "xAxis": {
+        "show": true
+      },
+      "yAxis": {
+        "decimals": 0,
+        "format": "s",
+        "logBase": 1,
+        "min": "0",
+        "show": true
+      },
+      "yBucketBound": "auto"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_MIMIR_NETCUP}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "Loss %",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "percentunit"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Count"
+            },
+            "properties": [
+              {
+                "id": "custom.fillOpacity",
+                "value": 0
+              },
+              {
+                "id": "unit",
+                "value": "none"
+              },
+              {
+                "id": "decimals",
+                "value": 0
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Loss Packet"
+              },
+              {
+                "id": "custom.lineStyle",
+                "value": {
+                  "dash": [
+                    10,
+                    10
+                  ],
+                  "fill": "dash"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "displayMode": "table",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.2.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "(smokeping_requests_total{host=\"$target\", __tenant_id__=\"$source\"} - smokeping_response_duration_seconds_count{host=\"$target\", __tenant_id__=\"$source\"})/smokeping_requests_total{host=\"$target\", __tenant_id__=\"$source\"} ",
+          "legendFormat": "Percentage",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "(smokeping_requests_total{host=\"$target\", __tenant_id__=\"$source\"} - smokeping_response_duration_seconds_count{host=\"$target\", __tenant_id__=\"$source\"})",
+          "legendFormat": "Count",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Packet Loss - $target",
+      "transparent": true,
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_MIMIR_NETCUP}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Count"
+            },
+            "properties": [
+              {
+                "id": "custom.fillOpacity",
+                "value": 0
+              },
+              {
+                "id": "unit",
+                "value": "none"
+              },
+              {
+                "id": "decimals",
+                "value": 0
+              },
+              {
+                "id": "custom.axisPlacement",
+                "value": "hidden"
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Loss Packet"
+              },
+              {
+                "id": "custom.lineStyle",
+                "value": {
+                  "dash": [
+                    10,
+                    10
+                  ],
+                  "fill": "dash"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 10
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "calcs": [
+            "mean",
+            "lastNotNull",
+            "max",
+            "min"
+          ],
+          "displayMode": "table",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.2.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "smokeping_response_duration_seconds_sum{host=\"$target\", __tenant_id__=\"$source\"} / smokeping_response_duration_seconds_count{host=\"$target\", __tenant_id__=\"$source\"}",
+          "legendFormat": "{{host}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Latency - $target",
+      "transparent": true,
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_MIMIR_NETCUP}"
+        },
+        "definition": "label_values(smokeping_response_duration_seconds_bucket, host)",
+        "hide": 0,
+        "includeAll": false,
+        "multi": false,
+        "name": "target",
+        "options": [],
+        "query": "label_values(smokeping_response_duration_seconds_bucket, host)",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 1,
+        "tagValuesQuery": "",
+        "tagsQuery": "",
+        "type": "query",
+        "useTags": false
+      },
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_MIMIR_NETCUP}"
+        },
+        "definition": "label_values(__tenant_id__)",
+        "description": "Host to query from",
+        "hide": 0,
+        "includeAll": false,
+        "label": "Host",
+        "multi": false,
+        "name": "source",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(__tenant_id__)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-30m",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "5s",
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "",
+  "title": "Smoke Ping",
+  "uid": "i5aRaLaik",
+  "version": 4,
+  "weekStart": ""
+}
+{% endraw %}

ansible/plays/services/grafana/grafana-db.yml

@@ -0,0 +1,12 @@
+apiVersion: 1
+
+providers:
+  - name: "Dashboard provider"
+    orgId: 1
+    type: file
+    disableDeletion: false
+    updateIntervalSeconds: 10
+    allowUiUpdates: true
+    options:
+      path: /var/lib/grafana/dashboards
+      foldersFromFilesStructure: true

ansible/plays/services/grafana/grafana-ds.yml

@@ -0,0 +1,28 @@
+apiVersion: 1
+
+datasources:
+- name: Mimir Netcup
+  type: prometheus
+  basicAuth: true
+  basicAuthUser: {{ common.mimir.username }}
+  jsonData:
+    httpHeaderName1: "X-Scope-OrgID"
+  secureJsonData:
+    basicAuthPassword: {{ common.mimir.password }}
+    httpHeaderValue1: "{{ groups['prometheus']|map('extract', hostvars, 'inventory_hostname')|join('|')|replace('.','-') }}"
+  url: https://{{ common.mimir.host }}/prometheus
+  isDefault: false
+  access: proxy
+  editable: true
+- name: Loki
+  type: loki
+  access: proxy
+  orgId: 1
+  url: https://{{ common.loki.host }}
+  basicAuth: true
+  basicAuthUser: {{ common.loki.username }}
+  secureJsonData:
+    basicAuthPassword: {{ common.loki.password }}
+  isDefault: false
+  version: 1
+  editable: true

ansible/plays/services/hedgedoc/docker-compose.yaml

@@ -1,25 +1,12 @@
+{% import 'macro/postgres.j2' as pg with context %}
 ---
 version: '3'
 services:
-  database:
-    image: postgres:13-alpine
-    environment:
-      - POSTGRES_USER={{ hedgedoc.db.user }}
-      - POSTGRES_PASSWORD={{ hedgedoc.db.password }}
-      - POSTGRES_DB={{ hedgedoc.db.name }}
-    volumes:
-      - database:/var/lib/postgresql/data
-    labels:
-      - "com.centurylinklabs.watchtower.scope=update"
-    restart: always
-    networks:
-      - backend
-
   app:
     # Make sure to use the latest release from https://hedgedoc.org/latest-release
     image: quay.io/hedgedoc/hedgedoc:1.9.3
     environment:
-      - CMD_DB_URL=postgres://{{ hedgedoc.db.user }}:{{ hedgedoc.db.password }}@database:5432/{{ hedgedoc.db.name }}
+      - CMD_DB_URL=postgres://{{ hedgedoc.db.user }}:{{ hedgedoc.db.password }}@db:5432/{{ hedgedoc.db.name }}
       - CMD_DOMAIN=doc.tobiasmanske.de
       - CMD_ALLOW_ORIGIN=doc.tobiasmanske.de,localhost
       - CMD_CSP_ENABLE=true
@@ -34,33 +21,48 @@ services:
       - CMD_OAUTH2_CLIENT_ID={{ hedgedoc.cmd.client_id }}
       - CMD_OAUTH2_CLIENT_SECRET={{ hedgedoc.cmd.client_secret }}
       - CMD_OAUTH2_AUTHORIZATION_URL={{ hedgedoc.cmd.authorization_url }}
+      - CMD_OAUTH2_SCOPE=openid email profile
       - CMD_OAUTH2_TOKEN_URL={{ hedgedoc.cmd.token_url }}
       - CMD_OAUTH2_USER_PROFILE_URL={{ hedgedoc.cmd.user_profile_url }}
-      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=ocs.data.id
-      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=ocs.data.display-name
-      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=ocs.data.email
-    volumes:
-      - uploads:/hedgedoc/public/uploads
+      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+      - CMD_OAUTH2_PROVIDERNAME=Keycloak
+      - CMD_IMAGE_UPLOAD_TYPE=minio
+      - CMD_MINIO_ACCESS_KEY={{ hedgedoc.cmd.s3.access_key }}
+      - CMD_MINIO_SECRET_KEY={{ hedgedoc.cmd.s3.secret_key }}
+      - CMD_MINIO_ENDPOINT={{ hedgedoc.cmd.s3.endpoint }}
+      - CMD_MINIO_PORT={{ hedgedoc.cmd.s3.port }}
+      - CMD_MINIO_SECURE={{ hedgedoc.cmd.s3.secure }}
+      - CMD_S3_BUCKET=hedgedoc
+      - CMD_S3_FOLDER=uploads
     restart: always
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.hedgedoc.rule=Host(`doc.tobiasmanske.de`)"
+      - "traefik.http.routers.hedgedoc.middlewares=deny-metrics@file"
       - "traefik.http.routers.hedgedoc.entryPoints=websecure"
       - "traefik.http.services.hedgedoc.loadbalancer.server.port=3000"
-      - "com.centurylinklabs.watchtower.scope=update"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=3000"
     depends_on:
-      - database
+      db:
+        condition: service_healthy
     networks:
       - backend
-      - gateway
+      - metrics
+      - default # oauth
+{{ pg.postgres("db", hedgedoc.db.user, hedgedoc.db.password, hedgedoc.db.name, ["backend"], version="13-alpine") }}
 
 volumes:
-  database:
-  uploads:
+  db_data:
 
 networks:
-  gateway:
-    external: true
   backend:
     internal: true
+  metrics:
+    external: true
+  postgres:
+    internal: true
 ...

ansible/plays/services/jellyfin/.env

@@ -0,0 +1,3 @@
+COMPOSE_PROJECT_NAME=jellyfin
+UID=64001
+GID=64001

ansible/plays/services/jellyfin/docker-compose.yaml

@@ -0,0 +1,25 @@
+---
+version: "3.4"
+
+services:
+  jellyfin:
+    image: jellyfin/jellyfin:latest
+    user: "$UID:$GID"
+    ports:
+      - "8096:8096/tcp"
+    restart: always
+    volumes:
+      - "library:/media"
+      - "cache:/cache"
+      - "config:/config"
+
+volumes:
+  library:
+    driver: local
+    driver_opts:
+      type: cifs
+      device: "{{ jellyfin.cifs.address }}"
+      o: "username={{ jellyfin.cifs.username }},password={{ jellyfin.cifs.password }},vers=3.0,uid=$UID,gid=$GID"
+  cache:
+  config:
+...

ansible/plays/services/keycloak/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=keycloak

ansible/plays/services/keycloak/docker-compose.yaml

@@ -0,0 +1,43 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3.9'
+
+services:
+  keycloak:
+    image: registry.tobiasmanske.de/keycloak:main
+    command: start
+    depends_on:
+      pg:
+        condition: service_healthy
+    environment:
+      - "KC_DB=postgres"
+      - "KC_DB_URL_HOST=pg"
+      - "KC_DB_URL_DATABASE={{ auth.db.name }}"
+      - "KC_DB_USERNAME={{ auth.db.user }}"
+      - "KC_DB_PASSWORD={{ auth.db.password }}"
+      - "KEYCLOAK_ADMIN={{ auth.keycloak.user }}"
+      - "KEYCLOAK_ADMIN_PASSWORD={{ auth.keycloak.password }}"
+      - "KC_PROXY=edge"
+      - "KC_HOSTNAME=auth.tobiasmanske.de"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.keycloak.rule=Host(`auth.tobiasmanske.de`)"
+      - "traefik.http.routers.keycloak.entryPoints=websecure"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+    restart: always
+    networks:
+      - backend
+      - default # keycloak needs to talk to social logins
+
+{{ pg.postgres("pg", auth.db.user, auth.db.password, auth.db.name, ["backend"]) }}
+
+networks:
+  postgres:
+    internal: true
+  backend:
+    internal: true
+
+volumes:
+  pg_data:
+...

ansible/plays/services/kuma/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=kuma-{{ service_name|default("kuma") }}

ansible/plays/services/kuma/docker-compose.yaml

@@ -0,0 +1,26 @@
+{% set _name = service_name|default("kuma") %}
+{% set _urls = urls|default(kuma.urls)|mandatory %}
+---
+services:
+  kuma:
+    image: louislam/uptime-kuma:latest
+    restart: unless-stopped
+    volumes:
+      - data:/app/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.kuma-{{ _name }}.rule={{ _urls | map('regex_replace', '^(.*)$', 'Host(`\\1`)') | join(' || ') }}"
+      - "traefik.http.routers.kuma-{{ _name }}.entryPoints=websecure"
+      - "traefik.http.services.kuma-{{ _name }}.loadbalancer.server.port=3001"
+    networks:
+      - default
+      - pantalaimon
+
+volumes:
+  data:
+
+networks:
+  pantalaimon:
+    external: true
+...

ansible/plays/services/linktree/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=linktree

ansible/plays/services/linktree/docker-compose.yaml

@@ -0,0 +1,14 @@
+---
+version: "3.4"
+
+services:
+  unruhig.eu:
+    image: registry.tobiasmanske.de/unruhig.eu:latest
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.unruhigeu.rule=(Host(`unruhig.eu`) || Host(`www.unruhig.eu`))"
+      - "traefik.http.routers.unruhigeu.entryPoints=websecure"
+      - "traefik.http.services.unruhigeu.loadbalancer.server.port=80"
+    restart: always
+...

ansible/plays/services/loki/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=loki

ansible/plays/services/loki/docker-compose.yaml

@@ -0,0 +1,28 @@
+version: "3.4"
+services:
+  loki:
+    image: grafana/loki:latest
+    restart: unless-stopped
+    command: -config.file=/etc/loki/loki.yaml
+    volumes:
+      - ./loki.yml:/etc/loki/loki.yaml:ro,Z
+      - loki_data:/loki
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.loki.rule=Host(`loki.tobiasmanske.de`)"
+      - "traefik.http.middlewares.loki-auth.basicauth.users={{ common.loki.username }}:{{ common.loki.password_hash | mandatory }}"
+      - "traefik.http.routers.loki.entryPoints=websecure"
+      - "traefik.http.services.loki.loadbalancer.server.port=3100"
+      - "traefik.http.routers.loki.middlewares=loki-auth"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=3100"
+    networks:
+      - metrics
+      - default
+
+volumes:
+  loki_data:
+networks:
+  metrics:
+    external: true

ansible/plays/services/loki/loki.yml

@@ -0,0 +1,51 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: aws
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+common:
+  path_prefix: /loki
+  storage:
+    s3:
+      endpoint: s3.tobiasmanske.de
+      bucketnames: loki-data
+      access_key_id: "{{ loki.s3.access_key }}"
+      secret_access_key: "{{ loki.s3.secret_key }}"
+      s3forcepathstyle: true
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+compactor:
+  working_directory: /loki/compactor
+  shared_store: s3
+
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /loki/active
+    cache_location: /loki/cache
+    cache_ttl: 24h
+    resync_interval: 5s
+    shared_store: s3
+  aws:
+    s3: "s3://{{ loki.s3.access_key }}:{{ loki.s3.secret_key }}@s3.tobiasmanske.de.:443/loki-data"
+    s3forcepathstyle: true

ansible/plays/services/matrix/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=matrix

ansible/plays/services/matrix/Caddyfile

@@ -0,0 +1,15 @@
+{
+  auto_https off
+}
+
+http://{{ matrix.baseurl }} {
+  header {
+    Content-Type application/json
+    Access-Control-Allow-Origin *
+  }
+  respond /.well-known/matrix/client "{\"m.homeserver\": {\"base_url\": \"https://synapse.{{ matrix.baseurl }}\"}, \"org.matrix.msc3575.proxy\": { \"url\": \"https://syncv3.{{ matrix.baseurl }}\" } }" 200
+  respond /.well-known/matrix/server "{\"m.server\": \"synapse.{{ matrix.baseurl }}:443\"}" 200
+  respond /.well-known/matrix/support "{\"admins\":[{\"matrix_id\":\"@tobi:{{ matrix.baseurl }}\",\"email_address\":\"matrix@{{ matrix.baseurl }}\",\"role\":\"admin\"}]}" 200
+
+  respond 404
+}

ansible/plays/services/matrix/cinny-config.json

@@ -0,0 +1,12 @@
+{
+  "defaultHomeserver": 0,
+  "homeserverList": [
+    "unruhig.eu",
+    "entropia.de",
+    "matrix.org",
+    "archlinux.org",
+    "kit.edu",
+    "mozilla.org"
+  ],
+  "allowCustomHomeservers": true
+}

ansible/plays/services/matrix/docker-compose.yaml

@@ -0,0 +1,207 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3.9'
+
+services:
+
+  synapse:
+    image: registry.tobiasmanske.de/matrixdotorg/synapse:latest
+    user: "1000:1000"
+    # Since synapse does not retry to connect to the database, restart upon
+    # failure
+    restart: unless-stopped
+    # See the readme for a full documentation of the environment settings
+    # NOTE: You must edit homeserver.yaml to use postgres, it defaults to sqlite
+    environment:
+      - SYNAPSE_CONFIG_DIR=/config
+      - SYNAPSE_CONFIG_PATH=/config/homeserver.yaml
+      - TZ=Europe/Berlin
+    ulimits:
+      nofile:
+        soft: 10000
+        hard: 40000
+    volumes:
+      - synapse_data:/data
+      - ./synapse-config:/config:ro,Z
+      - ./mautrix-telegram/registration.yaml:/data/reg-mautrix-tg.yaml:ro,Z
+      - ./mautrix-slack/registration.yaml:/data/reg-mautrix-slack.yaml:ro,Z
+      - ./mautrix-signal/registration.yaml:/data/reg-mautrix-signal.yaml:ro,Z
+    depends_on:
+      - db
+      - redis
+    networks:
+      - default
+      - backend
+      - metrics
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.http-synapse.rule=Host(`synapse.{{ matrix.baseurl }}`)"
+      - "traefik.http.routers.http-synapse.entryPoints=websecure"
+      - "traefik.http.routers.http-synapse.service=matrix-synapse"
+      - "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix.baseurl }}`) && PathPrefix(`/_{path:(matrix|synapse)}/`)"
+      - "traefik.http.routers.matrix-synapse.entryPoints=websecure"
+      - "traefik.http.routers.matrix-synapse.service=matrix-synapse"
+      - "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=9091"
+      - "prometheus-scrape.metrics_path=/_synapse/metrics"
+
+{{ pg.postgres("db", matrix.db.user, matrix.db.password, matrix.db.database, ["backend"] ) }}
+
+  caddy:
+    image: caddy:2
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro,z
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.matrix-well-known.rule=Host(`{{ matrix.baseurl }}`) && PathPrefix(`/.well-known/matrix/`)"
+      - "traefik.http.routers.matrix-well-known.entrypoints=websecure"
+      - "traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
+
+  cinny:
+    image: ghcr.io/cinnyapp/cinny:latest
+    # image: registry.tobiasmanske.de/cinnyapp/cinny:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.matrix-cinny.rule=Host(`cinny.{{ matrix.baseurl }}`)"
+      - "traefik.http.routers.matrix-cinny.entryPoints=websecure"
+      - "traefik.http.services.matrix-cinny.loadbalancer.server.port=80"
+    volumes:
+      - ./cinny-config.json:/app/config.json:ro,Z
+    networks:
+      - default
+
+  redis:
+    image: redis:latest
+    restart: unless-stopped
+    networks:
+      - backend
+
+### SLIDING SYNC
+
+{{ pg.postgres("db-syncv3", matrix.syncv3.user, matrix.syncv3.password, matrix.syncv3.database, ["syncv3"] ) }}
+
+  syncv3-proxy:
+    image: ghcr.io/matrix-org/sliding-sync:latest
+    restart: always
+    environment:
+      - "SYNCV3_SERVER=https://synapse.{{ matrix.baseurl }}"
+      - "SYNCV3_SECRET={{ matrix.syncv3.secret }}"
+      - "SYNCV3_BINDADDR=:8008"
+      - "SYNCV3_PROM=:2112"
+      - "SYNCV3_DB=user={{ matrix.syncv3.user }} dbname={{ matrix.syncv3.database }} sslmode=disable host=db-syncv3 password='{{ matrix.syncv3.password }}'"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.matrix-syncv3-proxy.rule=Host(`syncv3.{{ matrix.baseurl }}`)"
+      - "traefik.http.routers.matrix-syncv3-proxy.entrypoints=websecure"
+      - "traefik.http.services.matrix-syncv3-proxy.loadbalancer.server.port=8008"
+      - "prometheus-scrape.enabled=false"
+      - "prometheus-scrape.port=2112"
+    networks:
+      - syncv3
+      - default
+
+### BRIDGES
+
+#### Telegram
+
+  mautrix-telegram:
+    image: dock.mau.dev/mautrix/telegram:latest
+    user: "1000:1000"
+    restart: unless-stopped
+    environment:
+      - "MAUTRIX_DIRECT_STARTUP=1"
+    volumes:
+      - bridge_tg_data:/data
+      - ./mautrix-telegram/config.yaml:/data/config.yaml:ro,Z
+      - ./mautrix-telegram/registration.yaml:/data/registration.yaml:ro,Z
+    networks:
+      - backend
+      - default # Needs to contact UFOs in the sky
+    depends_on:
+      - db-bridge-tg
+      - synapse
+
+{{ pg.postgres("db-bridge-tg", matrix.bridge.tg.dbuser, matrix.bridge.tg.dbpass, matrix.bridge.tg.dbname, ["backend"] ) }}
+
+#### SLACK
+
+  mautrix-slack:
+    image: dock.mau.dev/mautrix/slack:latest
+    environment:
+      - "UID=1000"
+      - "GID=1000"
+    restart: unless-stopped
+    volumes:
+      - bridge_slack_data:/data
+      - ./mautrix-slack/config.yaml:/data/config.yaml:ro,Z
+      - ./mautrix-slack/registration.yaml:/data/registration.yaml:ro,Z
+    networks:
+      - backend
+      - default # Needs to contact UFOs in the sky
+    depends_on:
+      - db-bridge-slack
+      - synapse
+
+{{ pg.postgres("db-bridge-slack", matrix.bridge.slack.dbuser, matrix.bridge.slack.dbpass, matrix.bridge.slack.dbname, ["backend"] ) }}
+
+#### SIGNAL
+  mautrix-signal:
+    image: dock.mau.dev/mautrix/signal:latest
+    restart: unless-stopped
+    environment:
+      - "MAUTRIX_DIRECT_STARTUP=1"
+      - "UID=1000"
+    networks:
+      - default
+      - backend
+    volumes:
+      - bridge_signal_data:/data
+      - signald_data:/signald
+      - ./mautrix-signal/config.yaml:/data/config.yaml:ro,Z
+      - ./mautrix-signal/registration.yaml:/data/registration.yaml:ro,Z
+    depends_on:
+      - signald
+      - db-bridge-signal
+
+  signald:
+    image: docker.io/signald/signald:latest
+    restart: unless-stopped
+    networks:
+      - default
+      - backend
+    volumes:
+      - signald_data:/signald
+
+{{ pg.postgres("db-bridge-signal", matrix.bridge.signal.dbuser, matrix.bridge.signal.dbpass, matrix.bridge.signal.dbname, ["backend"] ) }}
+
+networks:
+  default:
+    enable_ipv6: true
+  postgres:
+    internal: true
+  backend:
+    internal: true
+  syncv3:
+    internal: true
+  metrics:
+    external: true
+
+volumes:
+  bridge_signal_data:
+  bridge_slack_data:
+  bridge_tg_data:
+  db-bridge-signal_data:
+  db-bridge-slack_data:
+  db-bridge-tg_data:
+  db-syncv3_data:
+  db_data:
+  signald_data:
+  synapse_data:
+...

ansible/plays/services/matrix/mautrix-signal/config.yaml

@@ -0,0 +1,306 @@
+# Homeserver details
+# {% set config = matrix.bridge.signal %}
+
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://synapse.{{ matrix.baseurl }}
+    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+    domain: {{ matrix.baseurl }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # Number of retries for all HTTP requests if the homeserver isn't reachable.
+    http_retry_count: 4
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint:
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint:
+    # Maximum number of simultaneous HTTP connections to the homeserver.
+    connection_limit: 100
+    # Whether asynchronous uploads via MSC2246 should be enabled for media.
+    # Requires a media repo that supports MSC2246.
+    async_media: false
+
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://mautrix-signal:29328
+    # When using https:// the TLS certificate and key files for the address.
+    tls_cert: false
+    tls_key: false
+
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29328
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+
+    # The full URI to the database. SQLite and Postgres are supported.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
+    database: postgres://{{ config.dbuser }}:{{ config.dbpass }}@db-bridge-signal/{{ config.dbname }}?sslmode=disable
+    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
+    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
+    # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
+    database_opts:
+        min_size: 1
+        max_size: 10
+    id: signal
+    # Username of the appservice bot.
+    bot_username: signalbot
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Signal bridge bot
+    bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
+
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ config.as_token }}"
+    hs_token: "{{ config.hs_token }}"
+
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+
+# Manhole config.
+manhole:
+    # Whether or not opening the manhole is allowed.
+    enabled: false
+    # The path for the unix socket.
+    path: /var/tmp/mautrix-signal.manhole
+    # The list of UIDs who can be added to the whitelist.
+    # If empty, any UIDs can be specified in the open-manhole command.
+    whitelist:
+    - 0
+signal:
+    # Path to signald unix socket
+    socket_path: /signald/signald.sock
+    # Directory for temp files when sending files to Signal. This should be an
+    # absolute path that signald can read. For attachments in the other direction,
+    # make sure signald is configured to use an absolute path as the data directory.
+    outgoing_attachment_dir: /signald/attachments
+    # Directory where signald stores avatars for groups.
+    avatar_dir: /signald/avatars
+    # Directory where signald stores auth data. Used to delete data when logging out.
+    data_dir: /signald/data
+    # Whether or not unknown signald accounts should be deleted when the bridge is started.
+    # When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
+    delete_unknown_accounts_on_start: false
+    # Whether or not message attachments should be removed from disk after they're bridged.
+    remove_file_after_handling: true
+    # Whether or not users can register a primary device
+    registration_enabled: true
+    # Whether or not to enable disappearing messages in groups. If enabled, then the expiration
+    # time of the messages will be determined by the first users to read the message, rather
+    # than individually. If the bridge has a single user, this can be turned on safely.
+    enable_disappearing_messages_in_groups: false
+
+# Bridge config
+bridge:
+    # {% raw %}
+    # Localpart template of MXIDs for Signal users.
+    # {userid} is replaced with the UUID of the Signal user.
+    username_template: "signal_{{.}}"
+    # Displayname template for Signal users.
+    # {displayname} is replaced with the displayname of the Signal user, which is the first
+    # available variable in displayname_preference. The variables in displayname_preference
+    # can also be used here directly.
+    # FIXME: ContactName is not save for multi-user instances.
+    displayname_template: '{{or .ProfileName .ContactName .PhoneNumber "Unknown User"}} (Signal)'
+    # {% endraw %}
+    autocreate_group_portal: true
+    # Whether or not to create portals for all contacts on login/connect.
+    autocreate_contact_portal: false
+    # Whether or not to make portals of Signal groups in which joining via invite link does
+    # not need to be approved by an administrator publicly joinable on Matrix.
+    public_portals: false
+    # Whether or not to use /sync to get read receipts and typing notifications
+    # when double puppeting is enabled
+    sync_with_custom_puppets: false
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
+    double_puppet_server_map:
+        {{ matrix.baseurl }}: https://{{ matrix.baseurl }}
+    login_shared_secret_map:
+        {{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}
+    federate_rooms: false
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: true
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: true
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: true
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: false
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+
+    # Whether or not to explicitly set the avatar and room name for private
+    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
+    private_chat_portal_meta: "default"
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+    # been sent to Signal. This let's you check manually whether the bridge is receiving your
+    # messages.
+    # Note that this is not related to Signal delivery receipts.
+    delivery_receipts: true
+    # Whether or not delivery errors should be reported as messages in the Matrix room.
+    delivery_error_reports: true
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false
+    # Interval at which to resync contacts (in seconds).
+    periodic_sync: 0
+    # Should leaving the room on Matrix make the user leave on Signal?
+    bridge_matrix_leave: false
+    # Should the bridge auto-create a group chat on Signal when a ghost is invited to a room?
+    # Requires the user to have sufficient power level and double puppeting enabled.
+    create_group_on_invite: true
+    hacky_contact_name_mixup_detection: false
+
+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: false
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: disabled
+        # Segment API key to enable analytics tracking for web server
+        # endpoints. Set to null to disable.
+        # Currently the only events are login start, QR code scan, and login
+        # success/failure.
+        segment_key:
+        # Optional user_id to use when sending Segment events. If null, defaults to using mxID.
+        segment_user_id:
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: '!signal'
+
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: Hello, I'm a Signal bridge bot.
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: Use `help` for help.
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: Use `help` for help or `link` to log in.
+        # Optional extra text sent when joining a management room.
+        additional_help: ''
+
+    # Send each message separately (for readability in some clients)
+    management_room_multiple_messages: false
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #      relay - Allowed to be relayed through the bridge, no access to commands.
+    #       user - Use the bridge with puppeting.
+    #      admin - Use and administrate the bridge.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        '*': relay
+        {{ matrix.baseurl }}: user
+        '@tobi:{{ matrix.baseurl }}': admin
+    relay:
+        # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
+        # authenticated user into a relaybot for that chat.
+        enabled: false
+        # The formats to use when sending messages to Signal via a relay user.
+        #
+        # Available variables:
+        #   $sender_displayname - The display name of the sender (e.g. Example User)
+        #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+        #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+        #   $message            - The message content
+        message_formats:
+            m.text: '$sender_displayname: $message'
+            m.notice: '$sender_displayname: $message'
+            m.emote: '* $sender_displayname $message'
+            m.file: $sender_displayname sent a file
+            m.image: $sender_displayname sent an image
+            m.audio: $sender_displayname sent an audio file
+            m.video: $sender_displayname sent a video
+            m.location: $sender_displayname sent a location
+        relaybot: '@relaybot:example.com'
+        # Whether or not invites from non-logged-in users should be relayed
+        invite: true
+
+    # Format for generating URLs from location messages for sending to Signal
+    # Google Maps: 'https://www.google.com/maps/place/{lat},{long}'
+    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}'
+    location_format: https://www.google.com/maps/place/{lat},{long}
+
+logging:
+    min_level: debug
+    writers:
+    - type: stdout
+      format: json
+

ansible/plays/services/matrix/mautrix-signal/registration.yaml

@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+31353638336331613430353931626330366132643736326566343536343666643965333163313831
+3062336363343836666163393763326332623730623930620a333666373365306536636264613732
+64373937373062303332306166393833656239333862343836626364613639633762376138383964
+3033623639636530320a613233643736383637396131636434306435346637353966393639363239
+30336461616464303031386164393433373831353435333466323166643436626234623262633237
+30373830366430636230633962643439363666363031633936313934616332306437623138373535
+65343062336461663861376664383138636333353338666231623436666366303431363438323632
+31313739376439323665386130323338363930366361646361383831643337653963353639353738
+36383866313262616135633231623964663266643030343561363735323039376338373165356366
+30643738313331333733343739366435383936373135666433666663353039316331366463623362
+38343430663432396332623662633533396433366564656263393735663839666566376139656261
+65323664616463626430653734393433626231386230633664653264373034633731633239363135
+35333366333039623764386330613130373263316436316266303461626463373939336134363039
+62653363613064373731616137333663333334636336623363343034383263656631653864336439
+65623762666538383766393939303832373566623666383761623234636638303566336438616136
+33333939323061333431656435383731326633323135313839343761613231623537356333636336
+65323063653239623166313938386133366565313336643161323564386338363839393434616535
+63373038383334633238303336386261343639393537333735383439346164633962343033633533
+64353138373161323639613434653939326265336239366364336630666634356439303564653833
+31333765303030376330396261376161636563306133363137313435376133373363653031356333
+62663737646165626366363230663262346563633236366238646339303763383161663033356232
+34343434363833386330636535663333356364633332616431613431386534336133386638333034
+35633363333366306435656137303866636232323765313164363636636366653364326332613233
+32643866663032313431663463666364326633376332323335336131376131663865616232653065
+34633338333237636336333062646561376331363138346132386430633462666634646462656431
+65373562323539636165313038643839623132643539346539343338346366366362323230653935
+34323834393961376234343564383635623865303765663439316535396263363265626265613761
+33343034343666663834363133663734343838623132666561393862623136613035656434626233
+31666434656535393536623461393630346262643331336364353932326337376132333631616635
+3963306630613238323633666264316462393063383639656333

ansible/plays/services/matrix/mautrix-slack/config.yaml

@@ -0,0 +1,233 @@
+# Homeserver details.
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://synapse.{{ matrix.baseurl }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix.baseurl }}
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null
+    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+    async_media: false
+
+# Application service host/registration related details.
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://mautrix-slack:29335
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29335
+
+    # Database config.
+    database:
+        # The database type. "sqlite3" and "postgres" are supported.
+        type: postgres
+        # The database URI.
+        #   SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
+        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+        uri: postgres://{{ matrix.bridge.slack.dbuser }}:{{ matrix.bridge.slack.dbpass }}@db-bridge-slack/{{ matrix.bridge.slack.dbname }}?sslmode=disable
+        # Maximum number of connections. Mostly relevant for Postgres.
+        max_open_conns: 20
+        max_idle_conns: 2
+        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+        # Parsed with https://pkg.go.dev/time#ParseDuration
+        max_conn_idle_time: null
+        max_conn_lifetime: null
+
+    # The unique ID of this appservice.
+    id: slack
+    # Appservice bot details.
+    bot:
+        # Username of the appservice bot.
+        username: slackbot
+        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+        # to leave display name/avatar as-is.
+        displayname: Slack bridge bot
+        avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ matrix.bridge.slack.as_token }}"
+    hs_token: "{{ matrix.bridge.slack.hs_token }}"
+
+# Bridge config
+bridge:
+{% raw %}
+    # Localpart template of MXIDs for Slack users.
+    # {{.}} is replaced with the internal ID of the Slack user.
+    username_template: slack_{{.}}
+    # Displayname template for Slack users.
+    # TODO: document variables
+    displayname_template: '{{if not .DisplayName}}{{.RealName}}{{else}}{{.DisplayName}}{{end}} (Slack)'
+    bot_displayname_template: '{{.Name}} (bot)'
+    channel_name_template: '#{{.Name}}'
+{% endraw %}
+    portal_message_buffer: 128
+    # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack?
+    delivery_receipts: true
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+    message_error_notices: true
+    # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
+    sync_with_custom_puppets: false
+    # Should the bridge update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    private_chat_portal_meta: always
+    federate_rooms: false
+    # Servers to always allow double puppeting from
+    double_puppet_server_map:
+      {{ matrix.baseurl }}: https://{{ matrix.baseurl }}
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, double puppeting will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    login_shared_secret_map:
+      {{ matrix.baseurl }}: "{{ matrix.authenticator.shared_secret }}"
+    message_handling_timeout:
+        # Send an error message after this timeout, but keep waiting for the response until the deadline.
+        # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
+        # If the message is older than this when it reaches the bridge, the message won't be handled at all.
+        error_after: 10s
+        # Drop messages after this timeout. They may still go through if the message got sent to the servers.
+        # This is counted from the time the bridge starts handling the message.
+        deadline: 60s
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: '!slack'
+
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Slack bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+    backfill:
+        # Allow backfilling at all? Requires MSC2716 support on homeserver.
+        enable: false
+        # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack.
+        # Set to -1 to let any chat be unread.
+        unread_hours_threshold: 720
+        # Number of messages to immediately backfill when creating a portal.
+        immediate_messages: 10
+        # Settings for incremental backfill of history.
+        incremental:
+            # Maximum number of messages to backfill per batch.
+            messages_per_batch: 100
+            # The number of seconds to wait after backfilling the batch of messages.
+            post_batch_delay: 20
+            # The maximum number of messages to backfill per portal, split by the chat type.
+            # If set to -1, all messages in the chat will eventually be backfilled.
+            max_messages:
+                # Channels
+                channel: -1
+                # Group direct messages
+                group_dm: -1
+                # 1:1 direct messages
+                dm: -1
+
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: true
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: true
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: false
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: true
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+
+    # Settings for provisioning API
+    provisioning:
+        # Prefix for the provisioning API paths.
+        prefix: /_matrix/provision
+        # Shared secret for authentication. If set to "generate", a random secret will be generated,
+        # or if set to "disable", the provisioning API will be disabled.
+        shared_secret: disable
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #    relay - Talk through the relaybot (if enabled), no access otherwise
+    #     user - Access to use the bridge to chat with a Slack account.
+    #    admin - User level and some additional administration tools
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        "*": relay
+        "{{ matrix.baseurl }}": user
+        "@tobi:{{ matrix.baseurl }}": admin
+
+{% raw %}
+logging:
+    directory: ./logs
+    file_name_format: '{{.Date}}-{{.Index}}.log'
+    file_date_format: "2006-01-02"
+    file_mode: 384
+    timestamp_format: Jan _2, 2006 15:04:05
+    print_level: debug
+    print_json: false
+    file_json: false
+{% endraw %}

ansible/plays/services/matrix/mautrix-slack/registration.yaml

@@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+63643764313434366534636536373233613163353932353332353034386638623463323265356366
+3033666637643563393537636263366338643736303663620a376138656235653238386131623864
+33356331386265613436626337356436373439376434633135626339373931346166313834323938
+3833636339306137360a383230386236333632613037363139356230663563333266353030616133
+39343037343234386465646433613465646363343237346432373934623431336163303233323263
+65356133373264323664663238306266336332353632643533373038653938623939353931613964
+33383638653061313961363033343435316130666337393034356664653933626466623734643239
+63663864316464343631313533653931376561303830366665333635613666346139623937373663
+65393234326533623364626666353763396437386330386563333432306566316161626561363836
+62613630623864323163616639396233393031373734373332383064626562623563363266383065
+61613738323034313431333333656530346566333165363430333962373930363736396265636663
+65646632356265633665633930343231636138366364653038336563333234326139333437643063
+39653437303565343739306237653832616265323138643234313731343339353161333363366538
+35373864666436306438303037363766373532633533666335303137346337633265613630653637
+39356237663665333533363030653735333535653861353866363362343830366562383661666137
+37623436336531363230356233656235666238663537616437353636353732643639386534616561
+30656264316535636437653032343634643036363838626234303837393935393430323537643231
+64363534313033396362326530663430373661613362346364356262386433663731313866363438
+30653966343436656430326434646337386230333432383861333635326431346332663332313437
+35636162323834616437383563353932333137653639616532363162663365393437386333613439
+35343937333034303934623962653132323837643430303230383163393833316233636233643736
+33666530653033613762313364653734633765326432613032386535333335633834633430356165
+64396132386133326464376163326236373131316266343634306163313235616236383239366639
+38373235643763616236356266663534356230643131653130323338393262616337346635633835
+39386236643562653738383037376334303138623966316637386464386139613431

ansible/plays/services/matrix/mautrix-telegram/config.yaml

@@ -0,0 +1,593 @@
+# Homeserver details
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://synapse.{{ matrix.baseurl }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix.baseurl }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # Number of retries for all HTTP requests if the homeserver isn't reachable.
+    http_retry_count: 4
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null
+    # Whether asynchronous uploads via MSC2246 should be enabled for media.
+    # Requires a media repo that supports MSC2246.
+    async_media: false
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://mautrix-telegram:29317
+    # When using https:// the TLS certificate and key files for the address.
+    tls_cert: false
+    tls_key: false
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29317
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+    # The full URI to the database. SQLite and Postgres are supported.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
+    database: postgres://{{ matrix.bridge.tg.dbuser }}:{{ matrix.bridge.tg.dbpass }}@db-bridge-tg/{{ matrix.bridge.tg.dbname }}
+    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
+    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
+    # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
+    database_opts:
+        min_size: 1
+        max_size: 10
+    # Public part of web server for out-of-Matrix interaction with the bridge.
+    # Used for things like login if the user wants to make sure the 2FA password isn't stored in
+    # the HS database.
+    public:
+        # Whether or not the public-facing endpoints should be enabled.
+        enabled: false
+        # The prefix to use in the public-facing endpoints.
+        prefix: /public
+        # The base URL where the public-facing endpoints are available. The prefix is not added
+        # implicitly.
+        external: https://example.com/public
+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: false
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: generate
+    # The unique ID of this appservice.
+    id: telegram
+    # Username of the appservice bot.
+    bot_username: telegrambot
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Telegram bridge bot
+    bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ matrix.bridge.tg.as_token }}"
+    hs_token: "{{ matrix.bridge.tg.hs_token }}"
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+# Manhole config.
+manhole:
+    # Whether or not opening the manhole is allowed.
+    enabled: false
+    # The path for the unix socket.
+    path: /var/tmp/mautrix-telegram.manhole
+    # The list of UIDs who can be added to the whitelist.
+    # If empty, any UIDs can be specified in the open-manhole command.
+    whitelist:
+        - 0
+# Bridge config
+bridge:
+    # Localpart template of MXIDs for Telegram users.
+    # {userid} is replaced with the user ID of the Telegram user.
+    username_template: "telegram_{userid}"
+    # Localpart template of room aliases for Telegram portal rooms.
+    # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
+    alias_template: "telegram_{groupname}"
+    # Displayname template for Telegram users.
+    # {displayname} is replaced with the display name of the Telegram user.
+    displayname_template: "{displayname} (Telegram)"
+    # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
+    # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
+    # ID is used.
+    #
+    # If the bridge is working properly, a phone number or an username should always be known, but
+    # the other one can very well be empty.
+    #
+    # Valid keys:
+    #   "full name"          (First and/or last name)
+    #   "full name reversed" (Last and/or first name)
+    #   "first name"
+    #   "last name"
+    #   "username"
+    #   "phone number"
+    displayname_preference:
+        - full name
+        - username
+        - phone number
+    # Maximum length of displayname
+    displayname_max_length: 100
+    # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
+    # as there's no way to determine whether an avatar is removed or just hidden from some users. If
+    # you're on a single-user instance, this should be safe to enable.
+    allow_avatar_remove: false
+    # Maximum number of members to sync per portal when starting up. Other members will be
+    # synced when they send messages. The maximum is 10000, after which the Telegram server
+    # will not send any more members.
+    # -1 means no limit (which means it's limited to 10000 by the server)
+    max_initial_member_sync: 100
+    # Maximum number of participants in chats to bridge. Only applies when the portal is being created.
+    # If there are more members when trying to create a room, the room creation will be cancelled.
+    # -1 means no limit (which means all chats can be bridged)
+    max_member_count: -1
+    # Whether or not to sync the member list in channels.
+    # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
+    # list regardless of this setting.
+    sync_channel_members: true
+    # Whether or not to skip deleted members when syncing members.
+    skip_deleted_members: true
+    # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
+    # their Telegram account at startup.
+    startup_sync: true
+    # Number of most recently active dialogs to check when syncing chats.
+    # Set to 0 to remove limit.
+    sync_update_limit: 0
+    # Number of most recently active dialogs to create portals for when syncing chats.
+    # Set to 0 to remove limit.
+    sync_create_limit: 15
+    # Should all chats be scheduled to be created later?
+    # This is best used in combination with MSC2716 infinite backfill.
+    sync_deferred_create_all: false
+    # Whether or not to sync and create portals for direct chats at startup.
+    sync_direct_chats: true
+    # The maximum number of simultaneous Telegram deletions to handle.
+    # A large number of simultaneous redactions could put strain on your homeserver.
+    max_telegram_delete: 10
+    # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
+    # at startup and when creating a bridge.
+    sync_matrix_state: true
+    # Allow logging in within Matrix. If false, users can only log in using login-qr or the
+    # out-of-Matrix login website (see appservice.public config section)
+    allow_matrix_login: true
+    # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
+    public_portals: false
+    # Whether or not to use /sync to get presence, read receipts and typing notifications
+    # when double puppeting is enabled
+    sync_with_custom_puppets: false
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Servers to always allow double puppeting from
+    double_puppet_server_map:
+        {{ matrix.baseurl }}: https://{{ matrix.baseurl }}
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, custom puppets will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    # If using this for other servers than the bridge's server,
+    # you must also set the URL in the double_puppet_server_map.
+    login_shared_secret_map:
+        {{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}
+    # Set to false to disable link previews in messages sent to Telegram.
+    telegram_link_preview: true
+    # Whether or not the !tg join command should do a HTTP request
+    # to resolve redirects in invite links.
+    invite_link_resolve: false
+    # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+    # This is currently not supported in most clients.
+    caption_in_message: false
+    # Maximum size of image in megabytes before sending to Telegram as a document.
+    image_as_file_size: 10
+    # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216.
+    image_as_file_pixels: 16777216
+    # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
+    # streaming from/to Matrix and using many connections for Telegram.
+    # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
+    # This option uses internal Telethon implementation details and may break with minor updates.
+    parallel_file_transfer: false
+    # Whether or not created rooms should have federation enabled.
+    # If false, created portal rooms will never be federated.
+    federate_rooms: false
+    # Should the bridge send all unicode reactions as custom emoji reactions to Telegram?
+    # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions.
+    always_custom_emoji_reaction: true
+    # Settings for converting animated stickers.
+    animated_sticker:
+        # Format to which animated stickers should be converted.
+        # disable - No conversion, send as-is (gzipped lottie)
+        # png - converts to non-animated png (fastest),
+        # gif - converts to animated gif
+        # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
+        # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
+        target: gif
+        # Should video stickers be converted to the specified format as well?
+        convert_from_webm: false
+        # Arguments for converter. All converters take width and height.
+        args:
+            width: 256
+            height: 256
+            fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
+    # Settings for converting animated emoji.
+    # Same as animated_sticker, but webm is not supported as the target
+    # (because inline images can only contain images, not videos).
+    animated_emoji:
+        target: webp
+        args:
+            width: 64
+            height: 64
+            fps: 25
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: true
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: true
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: false
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: true
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+    # Whether or not to explicitly set the avatar and room name for private
+    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
+    private_chat_portal_meta: false
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+    # been sent to Telegram.
+    delivery_receipts: false
+    # Whether or not delivery errors should be reported as messages in the Matrix room.
+    delivery_error_reports: true
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false
+    # When using double puppeting, should muted chats be muted in Matrix?
+    mute_bridging: false
+    # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
+    # The favorites tag is `m.favourite`.
+    pinned_tag: "m.favorite"
+    # Same as above for archived chats, the low priority tag is `m.lowpriority`.
+    archive_tag: "m.lowpriority"
+    # Whether or not mute status and tags should only be bridged when the portal room is created.
+    tag_only_on_create: true
+    # Should leaving the room on Matrix make the user leave on Telegram?
+    bridge_matrix_leave: true
+    # Should the user be kicked out of all portals when logging out of the bridge?
+    kick_on_logout: false
+    # Should the "* user joined Telegram" notice always be marked as read automatically?
+    always_read_joined_telegram_notice: true
+    # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
+    # Requires the user to have sufficient power level and double puppeting enabled.
+    create_group_on_invite: true
+    # Settings for backfilling messages from Telegram.
+    backfill:
+        # Allow backfilling at all?
+        enable: true
+        # Use MSC2716 for backfilling?
+        #
+        # This requires a server with MSC2716 support, which is currently an experimental feature in Synapse.
+        # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml.
+        msc2716: false
+        # Use double puppets for backfilling?
+        #
+        # If using MSC2716, the double puppets must be in the appservice's user ID namespace
+        # (because the bridge can't use the double puppet access token with batch sending).
+        #
+        # Even without MSC2716, bridging old messages with correct timestamps requires the double
+        # puppets to be in an appservice namespace, or the server to be modified to allow
+        # overriding timestamps anyway.
+        double_puppet_backfill: false
+        # Whether or not to enable backfilling in normal groups.
+        # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
+        # will likely cause problems if there are multiple Matrix users in the group.
+        normal_groups: false
+        # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
+        # Set to -1 to let any chat be unread.
+        unread_hours_threshold: 720
+        # Forward backfilling limits. These apply to both MSC2716 and legacy backfill.
+        #
+        # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
+        # MSC2716 and the incremental settings are meant for backfilling everything incrementally rather than at once.
+        forward:
+            # Number of messages to backfill immediately after creating a portal.
+            initial_limit: 10
+            # Number of messages to backfill when syncing chats.
+            sync_limit: 100
+        # Settings for incremental backfill of history. These only apply when using MSC2716.
+        incremental:
+            # Maximum number of messages to backfill per batch.
+            messages_per_batch: 100
+            # The number of seconds to wait after backfilling the batch of messages.
+            post_batch_delay: 20
+            # The maximum number of batches to backfill per portal, split by the chat type.
+            # If set to -1, all messages in the chat will eventually be backfilled.
+            max_batches:
+                # Direct chats
+                user: -1
+                # Normal groups. Note that the normal_groups option above must be enabled
+                # for these to be backfilled.
+                normal_group: -1
+                # Supergroups
+                supergroup: 10
+                # Broadcast channels
+                channel: -1
+    # Overrides for base power levels.
+    initial_power_level_overrides:
+        user: {}
+        group: {}
+    # Whether to bridge Telegram bot messages as m.notices or m.texts.
+    bot_messages_as_notices: true
+    bridge_notices:
+        # Whether or not Matrix bot messages (type m.notice) should be bridged.
+        default: false
+        # List of user IDs for whom the previous flag is flipped.
+        # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
+        #      notices from users listed here will be bridged.
+        exceptions: []
+    # An array of possible values for the $distinguisher variable in message formats.
+    # Each user gets one of the values here, based on a hash of their user ID.
+    # If the array is empty, the $distinguisher variable will also be empty.
+    relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
+    # The formats to use when sending messages to Telegram via the relay bot.
+    # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
+    #
+    # Available variables:
+    #   $sender_displayname - The display name of the sender (e.g. Example User)
+    #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+    #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+    #   $distinguisher      - A random string from the options in the relay_user_distinguishers array.
+    #   $message            - The message content
+    message_formats:
+        m.text: "$distinguisher <b>$sender_displayname</b>: $message"
+        m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
+        m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
+        m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
+        m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
+        m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
+        m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
+        m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
+    # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
+    # users are sent to telegram. All fields in message_formats are supported. Additionally, the
+    # Telegram user info is available in the following variables:
+    #    $displayname - Telegram displayname
+    #    $username    - Telegram username (may not exist)
+    #    $mention     - Telegram @username or displayname mention (depending on which exists)
+    emote_format: "* $mention $formatted_body"
+    # The formats to use when sending state events to Telegram via the relay bot.
+    #
+    # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
+    # In name_change events, `$prev_displayname` is the previous displayname.
+    #
+    # Set format to an empty string to disable the messages for that event.
+    state_event_formats:
+        join: "$distinguisher <b>$displayname</b> joined the room."
+        leave: "$distinguisher <b>$displayname</b> left the room."
+        name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
+    # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
+    # `filter-mode` management commands.
+    #
+    # Filters do not affect direct chats.
+    # An empty blacklist will essentially disable the filter.
+    filter:
+        # Filter mode to use. Either "blacklist" or "whitelist".
+        # If the mode is "blacklist", the listed chats will never be bridged.
+        # If the mode is "whitelist", only the listed chats can be bridged.
+        mode: blacklist
+        # The list of group/channel IDs to filter.
+        list: []
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: "!tg"
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Telegram bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `login` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+    # Send each message separately (for readability in some clients)
+    management_room_multiple_messages: false
+    # Permissions for using the bridge.
+    # Permitted values:
+    #   relaybot - Only use the bridge via the relaybot, no access to commands.
+    #       user - Relaybot level + access to commands to create bridges.
+    #  puppeting - User level + logging in with a Telegram account.
+    #       full - Full access to use the bridge, i.e. previous levels + Matrix login.
+    #      admin - Full access to use the bridge and some extra administration commands.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        "*": "relaybot"
+        "{{ matrix.baseurl }}": "full"
+        "@tobi:{{ matrix.baseurl }}": "admin"
+    # Options related to the message relay Telegram bot.
+    relaybot:
+        private_chat:
+            # List of users to invite to the portal when someone starts a private chat with the bot.
+            # If empty, private chats with the bot won't create a portal.
+            invite: []
+            # Whether or not to bridge state change messages in relaybot private chats.
+            state_changes: true
+            # When private_chat_invite is empty, this message is sent to users /starting the
+            # relaybot. Telegram's "markdown" is supported.
+            message: This is a Matrix bridge relaybot and does not support direct chats
+        # List of users to invite to all group chat portals created by the bridge.
+        group_chat_invite: []
+        # Whether or not the relaybot should not bridge events in unbridged group chats.
+        # If false, portals will be created when the relaybot receives messages, just like normal
+        # users. This behavior is usually not desirable, as it interferes with manually bridging
+        # the chat to another room.
+        ignore_unbridged_group_chat: true
+        # Whether or not to allow creating portals from Telegram.
+        authless_portals: true
+        # Whether or not to allow Telegram group admins to use the bot commands.
+        whitelist_group_admins: true
+        # Whether or not to ignore incoming events sent by the relay bot.
+        ignore_own_incoming_events: true
+        # List of usernames/user IDs who are also allowed to use the bot commands.
+        whitelist:
+            - myusername
+            - 12345678
+# Telegram config
+telegram:
+    # Get your own API keys at https://my.telegram.org/apps
+    api_id: {{ matrix.bridge.tg.api_id }}
+    api_hash: {{ matrix.bridge.tg.api_hash }}
+    # (Optional) Create your own bot at https://t.me/BotFather
+    bot_token: disabled
+    # Should the bridge request missed updates from Telegram when restarting?
+    catch_up: true
+    # Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
+    sequential_updates: true
+    exit_on_update_error: false
+    # Telethon connection options.
+    connection:
+        # The timeout in seconds to be used when connecting.
+        timeout: 120
+        # How many times the reconnection should retry, either on the initial connection or when
+        # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
+        # this is not recommended, since the program can get stuck in an infinite loop.
+        retries: 5
+        # The delay in seconds to sleep between automatic reconnections.
+        retry_delay: 1
+        # The threshold below which the library should automatically sleep on flood wait errors
+        # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
+        # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
+        # the error instead. Values larger than a day (86400) will be changed to a day.
+        flood_sleep_threshold: 60
+        # How many times a request should be retried. Request are retried when Telegram is having
+        # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
+        # there's a migrate error. May take a negative or null value for infinite retries, but this
+        # is not recommended, since some requests can always trigger a call fail (such as searching
+        # for messages).
+        request_retries: 5
+    # Device info sent to Telegram.
+    device_info:
+        # "auto" = OS name+version.
+        device_model: mautrix-telegram
+        # "auto" = Telethon version.
+        system_version: auto
+        # "auto" = mautrix-telegram version.
+        app_version: auto
+        lang_code: en
+        system_lang_code: en
+    # Custom server to connect to.
+    server:
+        # Set to true to use these server settings. If false, will automatically
+        # use production server assigned by Telegram. Set to false in production.
+        enabled: false
+        # The DC ID to connect to.
+        dc: 2
+        # The IP to connect to.
+        ip: 149.154.167.40
+        # The port to connect to. 443 may not work, 80 is better and both are equally secure.
+        port: 80
+    # Telethon proxy configuration.
+    # You must install PySocks from pip for proxies to work.
+    proxy:
+        # Allowed types: disabled, socks4, socks5, http, mtproxy
+        type: disabled
+        # Proxy IP address and port.
+        address: 127.0.0.1
+        port: 1080
+        # Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
+        rdns: true
+        # Proxy authentication (optional). Put MTProxy secret in password field.
+        username: ""
+        password: ""
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+    version: 1
+    formatters:
+        colored:
+            (): mautrix_telegram.util.ColorFormatter
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+        normal:
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    handlers:
+        console:
+            class: logging.StreamHandler
+            formatter: colored
+    loggers:
+        mau:
+            level: DEBUG
+        telethon:
+            level: INFO
+        aiohttp:
+            level: INFO
+    root:
+        level: DEBUG
+        handlers: [console]

ansible/plays/services/matrix/mautrix-telegram/registration.yaml

@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+31303639303562306630323132376333316332636534613834326662396237396634313233646364
+6335353833616135373439633136356339333737363437660a316634366334376339656466646437
+39323131363163393931356331306434613035626239356631303032646664303838386635613930
+6232663031663765370a653936623761313937383233313739313166353335346465363265613762
+35643335646637343534373966626632336363646231353732643831346563356464386133393166
+32613134656431656561316335656463653462656166373433386633666338633132663032633461
+66376265633233323662313930323737316166613262383434626264353462386236636139383835
+33613830316361373434623435376162653930616631323764653539306235363530326165353037
+32303432356630376363613839313831363537363735613833306163616130336631386337366234
+33373633306161653163333635366637313266346634656633376237346566663461353962376239
+34386237373565313362383532363931333337366336316363663734343333386663653466396139
+36633735356561346531376337346635383666376635346361333162376339333839306632666562
+63363761623136643031653030666437306361396232383738366533396561373932323563363566
+38306333393662333634613139643930626664666139363039333735363538396339373634356365
+66633637316432323762353964313237396338613834336532636164333564363839353061336636
+63316163626334353231386463313535313866336431613234353533636533343662653933393132
+37353065333431366662363530333863646131313737336538396332396238656239366531366337
+63633563636531616664313930626266323266613466656636636361653731623666636333666164
+39356535363939653232326633383837666262643834326137646363393935613132366663396364
+30666266366163316563613665356535633766626335343762333765643837373034646633336432
+64373366313962333563336535346436346536386633343366336535363236306338343832373763
+36663663353533383939323234333535316162303033313833616533373237613335303662393032
+66316163343938383330663133613333346535393264636264366533343938653730316163366363
+66373866316264656361613935383334323133636164366630333264343931663461333138656131
+31353631393336323166663765613461356437306234653263393030316564363431353566316531
+35336665633133386134656361323063303531336263643764353666636364343537363136666632
+66333033373766336230393131343434666536653061353032663264636565636361336138653931
+34303233613637633165303431626361623132363530666238386336383463656136383965343563
+63616131376239356163353464333864363164363666646435353038323565386536326639366565
+3134646366666134646665366533396466366233343666613761

ansible/plays/services/matrix/synapse-config/homeserver.yaml

@@ -0,0 +1,126 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "{{ matrix.baseurl }}"
+pid_file: /data/homeserver.pid
+enable_metrics: true
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+  - port: 9091
+    tls: false
+    type: metrics
+database:
+  name: psycopg2
+  args:
+    user: {{ matrix.db.user }}
+    password: {{ matrix.db.password }}
+    database: {{ matrix.db.database }}
+    host: db
+    cp_min: 5
+    cp_max: 10
+log_config: "/config/tobiasmanske.de.log.config"
+media_store_path: /data/media_store
+report_stats: true
+macaroon_secret_key: "{{ matrix.secrets.macaroon }}"
+form_secret: "{{ matrix.secrets.form }}"
+signing_key_path: "/config/tobiasmanske.de.signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+oidc_providers:
+  - idp_id: keycloak
+    idp_name: "KeyCloak"
+    issuer: "{{ matrix.oidc.issuer }}"
+    client_id: "{{ matrix.oidc.client_id }}"
+    client_secret: "{{ matrix.oidc.client_secret }}"
+    scopes: ["openid", "profile"]
+    user_mapping_provider:
+      config:
+{% raw %}
+        localpart_template: "{{ user.mx_localpart }}"
+        display_name_template: "{{ user.name }}"
+{% endraw %}
+    backchannel_logout_enabled: true # Optional
+
+enable_registration: true
+registration_requires_token: true
+registration_shared_secret: "{{ matrix.secrets.registration }}"
+password_config:
+  enabled: true
+
+redis:
+  enabled: true
+  host: redis
+  port: 6379
+
+app_service_config_files:
+  - /data/reg-mautrix-tg.yaml
+  - /data/reg-mautrix-slack.yaml
+  - /data/reg-mautrix-signal.yaml
+
+rc_message:
+  per_second: 100
+  burst_count: 100
+rc_joins:
+  local:
+    per_second: 100
+    burst_count: 100
+rc_login:
+  address:
+    per_second: 1000
+    burst_count: 1000
+server_notices:
+   system_mxid_localpart: "server"
+   system_mxid_display_name: "Server Notices"
+   system_mxid_avatar_url: "mxc://unruhig.eu/khyOCChmyYSOsIFIbUWGGEWq"
+   room_name: "Server Notices"
+
+modules:
+  - module: shared_secret_authenticator.SharedSecretAuthProvider
+    config:
+        shared_secret: "{{ matrix.authenticator.shared_secret }}"
+
+        # By default, only login requests of type `com.devture.shared_secret_auth` are supported.
+        # Below, we explicitly enable support for the old `m.login.password` login type,
+        # which was used in v1 of matrix-synapse-shared-secret-auth and still widely supported by external software.
+        # If you don't need such legacy support, consider setting this to `false` or omitting it entirely.
+        m_login_password_support_enabled: true
+
+        # By default, only login requests of type `com.devture.shared_secret_auth` are supported.
+        # Advertising support for such an authentication type causes a problem with Element, however.
+        # See: https://github.com/vector-im/element-web/issues/19605
+        #
+        # Uncomment the line below to disable `com.devture.shared_secret_auth` support.
+        # You will then need to:
+        # - have `m_login_password_support_enabled: true` to enable the `m.login.password` login type
+        # - authenticate using `m.login.password` requests, instead of ``com.devture.shared_secret_auth` requests
+        # com_devture_shared_secret_auth_support_enabled: false
+
+media_storage_providers:
+  - module: s3_storage_provider.S3StorageProviderBackend
+    store_local: True
+    store_remote: True
+    store_synchronous: True
+    config:
+      bucket: "{{ matrix.storage.s3.bucket }}"
+      # All of the below options are optional, for use with non-AWS S3-like
+      # services, or to specify access tokens here instead of some external method.
+      endpoint_url: "{{ matrix.storage.s3.endpoint_url }}"
+      access_key_id: "{{ matrix.storage.s3.access_key_id }}"
+      secret_access_key: "{{ matrix.storage.s3.secret_access_key }}"
+
+
+# vim:ft=yaml

ansible/plays/services/matrix/synapse-config/tobiasmanske.de.log.config

@@ -0,0 +1,32 @@
+version: 1
+
+formatters:
+  precise:
+
+    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+
+handlers:
+
+
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+
+
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+
+root:
+    level: WARNING
+
+
+    handlers: [console]
+
+
+disable_existing_loggers: false

ansible/plays/services/matrix/synapse-config/tobiasmanske.de.signing.key

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+64326434386632376335333966336365333663393130323464333266383639383264616662623333
+6437306539633766376336663263393038306162333234340a383237386331636366616266316265
+39626638623562623835633035643231656263653437346266333264643830323062353930356462
+3936633165633434320a656463656536383539346138383630343137383861613538323735393131
+61383237626533316433633866396434663230633239396661333831653531363732646561656164
+35353264613364613832653536333632356132666434616134316339383934616264323261366366
+633838383264646531663039343639383036

ansible/plays/services/maubot/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=maubot

ansible/plays/services/maubot/docker-compose.yaml

@@ -0,0 +1,11 @@
+services:
+  maubot:
+    image: dock.mau.dev/maubot/maubot:latest
+    restart: unless-stopped
+    ports:
+      - "{{ maubot.port }}:29316"
+    volumes:
+      - data:/data:z
+
+volumes:
+  data:

ansible/plays/services/metric-export/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=metrics

ansible/plays/services/metric-export/docker-compose.yaml

@@ -0,0 +1,120 @@
+version: "3.4"
+services:
+  prometheus:
+    image: prom/prometheus:latest
+    restart: unless-stopped
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+    volumes:
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro,Z
+      - prom_data:/prometheus
+      - label_discovery:/label_discovery:ro
+    labels:
+      - "traefik.enable=false"
+    depends_on:
+      - prometheus-docker-sd
+      - cadvisor
+      - node-exporter
+    extra_hosts:
+      - host.docker.internal:host-gateway
+    networks:
+      - default # send
+      - backend
+      - metrics
+
+  prometheus-docker-sd:
+    image: registry.tobiasmanske.de/prometheus-docker-sd:latest
+    restart: unless-stopped
+    privileged: true
+    networks:
+      - backend
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro,Z
+      - label_discovery:/prometheus-docker-sd:rw
+    logging: # this service generates a HUGE amout of logs.
+      driver: "none"
+
+  node-exporter:
+    image: quay.io/prometheus/node-exporter:latest
+    container_name: "{{ inventory_hostname | replace('.', '-') }}-node-exporter"
+    privileged: true
+    labels:
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=9100"
+    volumes:
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+      - /:/rootfs:ro
+      - /:/host:ro,rslave
+      - /run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
+    command:
+      - '--path.rootfs=/host'
+      - '--path.procfs=/host/proc'
+      - '--path.sysfs=/host/sys'
+      - '--collector.filesystem.ignored-mount-points'
+      - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+      - '--collector.systemd'
+    networks:
+      - backend
+    restart: unless-stopped
+
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:latest
+    container_name: "{{ inventory_hostname | replace('.', '-') }}-cadvisor"
+    privileged: true
+    labels:
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=8080"
+    command:
+      - "-docker_only=true"
+      - "-housekeeping_interval=10s"
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:rw
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+    networks:
+      - backend
+    restart: unless-stopped
+
+  smokeping_prober:
+    image: quay.io/superq/smokeping-prober@sha256:25d07dfc1d7e47d7bf8305c7c813a030fc6b03959da596ab93f40ae4d49b63a1 # latest @ 2024-01-10
+    restart: unless-stopped
+    labels:
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=9374"
+    command:
+      - "-i" # interval
+      - "5s"
+      - "google.com"
+      - "ipv6.google.com"
+      - "discord.com"
+      - "wikipedia.com"
+
+  promtail:
+    image: grafana/promtail:latest
+    security_opt:
+      - label:disable
+    restart: unless-stopped
+    volumes:
+      - ./promtail.yml:/etc/promtail/config.yml:ro
+      - /var/log:/var/log:ro
+      - /var/lib/docker/containers:/var/lib/docker/containers:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+    command: -config.file=/etc/promtail/config.yml
+    labels:
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=8080"
+    networks:
+      - default # send
+      - backend
+      - metrics
+
+volumes:
+  prom_data:
+  label_discovery:
+networks:
+  backend:
+    internal: true
+  metrics:
+    external: true

ansible/plays/services/metric-export/prometheus.yml

@@ -0,0 +1,33 @@
+global:
+  scrape_interval: 15s
+  scrape_timeout: 10s
+  evaluation_interval: 15s
+scrape_configs:
+- job_name: prometheus
+  honor_timestamps: true
+  scrape_interval: 15s
+  scrape_timeout: 10s
+  metrics_path: /metrics
+  scheme: http
+  static_configs:
+  - targets:
+    - localhost:9090
+- job_name: 'service_discovery'
+  metric_relabel_configs:
+    - source_labels:
+        - "container_name"
+      target_label: "instance"
+      action: replace
+  file_sd_configs:
+    - files:
+      - /label_discovery/docker-targets.json
+{% if metrics.additional_scrape_rules is defined %}
+{{ metrics.additional_scrape_rules | to_nice_yaml}}
+{% endif %}
+remote_write:
+  - url: https://{{ common.mimir.host | mandatory }}/api/v1/push
+    headers:
+      X-Scope-OrgID: "{{ inventory_hostname | replace('.', '-') }}"
+    basic_auth:
+      username: "{{ common.mimir.username | mandatory }}"
+      password: "{{ common.mimir.password | mandatory }}"

ansible/plays/services/metric-export/promtail.yml

@@ -0,0 +1,28 @@
+positions:
+  filename: /positions.yaml
+server:
+  http_listen_port: 8080
+
+clients:
+  - url: https://{{ common.loki.host | mandatory }}/loki/api/v1/push
+    tenant_id: "{{ inventory_hostname | replace('.', '-') }}"
+    basic_auth:
+      username: "{{ common.loki.username | mandatory }}"
+      password: "{{ common.loki.password | mandatory }}"
+
+scrape_configs:
+  - job_name: flog_scrape
+    docker_sd_configs:
+      - host: unix:///var/run/docker.sock
+        refresh_interval: 5s
+        # filters:
+        #   - name: label
+        #     values: ["logging=promtail"]
+    relabel_configs:
+      - source_labels: ['__meta_docker_container_name']
+        regex: '/(.*)'
+        target_label: 'container'
+      - source_labels: ['__meta_docker_container_log_stream']
+        target_label: 'logstream'
+      - source_labels: ['__meta_docker_container_label_logging_jobname']
+        target_label: 'job'

ansible/plays/services/mimir/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=mimir

ansible/plays/services/mimir/alertmanager.yml

@@ -0,0 +1,50 @@
+global:
+  resolve_timeout: 5m
+
+route:
+  group_by: ['alertname']
+  group_wait: 5s
+  group_interval: 5m
+  repeat_interval: 1h
+  receiver: 'matrix-monitoring'
+  routes:
+    - receiver: 'hcio'
+      repeat_interval: 1h
+      matchers:
+        - alertname="PrometheusAlertmanagerE2eDeadManSwitch"
+    - receiver: 'email'
+      group_interval: 1m
+      matchers:
+        - job="matrix_synapse_1"
+    - receiver: 'matrix-monitoring'
+      group_wait: 30s
+      group_interval: 1h
+      matchers:
+        - alertname="PrometheusAllTargetsMissing"
+    - receiver: 'matrix-monitoring'
+      group_wait: 30s
+      group_interval: 1h
+      matchers:
+        - alertname="PrometheusTargetMissing"
+
+
+receivers:
+  - name: 'email'
+    email_configs:
+      - to: '{{ mimir.alertmanager.smtp.target }}'
+        from: '"Alertmanager" <{{ mimir.alertmanager.smtp.username }}>'
+        smarthost: 'mxe8cf.netcup.net:587'
+        auth_username: '{{ mimir.alertmanager.smtp.username }}'
+        auth_identity: '{{ mimir.alertmanager.smtp.username }}'
+        auth_password: '{{ mimir.alertmanager.smtp.password }}'
+  - name: 'hcio'
+    email_configs:
+      - to: '{{ mimir.alertmanager.hcio.mail }}'
+        from: '"Alertmanager" <{{ mimir.alertmanager.smtp.username }}>'
+        smarthost: 'mxe8cf.netcup.net:587'
+        auth_username: '{{ mimir.alertmanager.smtp.username }}'
+        auth_identity: '{{ mimir.alertmanager.smtp.username }}'
+        auth_password: '{{ mimir.alertmanager.smtp.password }}'
+  - name: 'matrix-monitoring'
+    webhook_configs:
+      - url: 'http://alertmanager-matrix:3000/alerts?secret={{ mimir.alertmanager.matrix.alertmanager_token }}'