minio -> arm

Manual fixes have been applied to all access keys.
Also minio has merged a patch, but that is not live yet.
Time to deploy an up-to-date version and pray.

This reverts commit 39aca2778d4e0a91e45f8bdc4184af35d4b7751d.

.drone.yml

@@ -0,0 +1,69 @@
+---
+kind: pipeline
+type: docker
+name: Ansible-Playbook
+
+trigger:
+  branch:
+    - main
+  event:
+    include:
+      - push
+      - custom
+
+environment:
+  ANSIBLE_FORCE_COLOR: true
+  ANSIBLE_HOME: /drone/src/.ansible
+  SUMMON_PROVIDER: /drone/src/summon-wrapper
+  PASSAGE_DIR: /drone/src/.passage/store
+  PASSAGE_IDENTITIES_FILE: /drone/src/ssh_key
+
+node:
+  ansible: "true"
+
+steps:
+  - name: Prepare Secrets
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    environment:
+      SSH_KEY:
+        from_secret: ssh_key
+      GIT_SSH_COMMAND: ssh -i /drone/src/ssh_key -o StrictHostKeyChecking=no
+    commands:
+      - echo $${SSH_KEY} | base64 -d > /drone/src/ssh_key
+      - chmod 600 /drone/src/ssh_key
+      - git clone ssh://git@git.tobiasmanske.de:7779/tobias/infrastructure-vault.git $${PASSAGE_DIR}
+  - name: Prepare Runner
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    commands:
+      - cd ansible
+      - mkdir $ANSIBLE_HOME
+      - ansible-galaxy install -r requirements.yaml
+      - summon ansible-playbook --inventory=inventory.yaml runner-pre.yaml
+  - name: Run Terraform
+    image: registry.tobiasmanske.de/terraform-runner:latest
+    pull: always
+    commands:
+      - cd tf-stage-1
+      - summon terraform init -input=false
+      - summon terraform apply -auto-approve -input=false
+  - name: Run Ansible
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    commands:
+      - cd ansible
+      - summon ansible-playbook --inventory=inventory.yaml playbook.yaml
+  - name: Validate Ansible
+    image: registry.tobiasmanske.de/ansible-runner:latest
+    pull: always
+    environment:
+      ANSIBLE_VAULT_PASSWORD_FILE: "/drone/src/vault_pass"
+      ANSIBLE_FORCE_COLOR: "true"
+    commands:
+      - cd ansible
+      - ansible-galaxy install -r requirements.yaml
+      - summon ansible-playbook --check --inventory=inventory.yaml playbook.yaml
+
+image_pull_secrets:
+  - registry

.gitea/issue_template/new_device.md

@@ -0,0 +1,18 @@
+---
+
+name: "New Machine Onboarding"
+about: "✅ Checklist for onboarding a new machine"
+title: "Machine: Onboard <hostname>"
+ref: "main"
+labels:
+- onboarding
+
+---
+
+- [ ] Add hostname entries to dns in `tf-stage-1`
+- [ ] Add host to ansible inventory
+- [ ] Add machine ssh-key to Backup Storagebox
+- [ ] `touch /etc/setup_complete` if no restore is needed
+- [ ] Update known_hosts `summon ansible-playbook regenerate-known-hosts.yaml`
+- [ ] Generate new ansible ssh key `summon ansible-playbook --inventory=inventory.yaml tasks/create_ssh_keys.yaml`
+- [ ] Run `summon ansible-playbook --tags setup playbook.yaml`

.gitignore

@@ -0,0 +1,44 @@
+# Created by https://www.toptal.com/developers/gitignore/api/terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.terraform.lock.hcl
+
+# End of https://www.toptal.com/developers/gitignore/api/terraform
+
+.envrc

ansible/.envrc

@@ -0,0 +1,3 @@
+use nix
+#!/usr/bin/env bash
+export SUMMON_PROVIDER=$PWD/../summon-wrapper

ansible/.gitignore

@@ -126,3 +126,7 @@ backups/*
 render/
 borgbackup
 borgbackup.pub
+roles/*
+
+ENV/
+.envrc

ansible/ansible.cfg

@@ -0,0 +1,11 @@
+[defaults]
+roles_path=roles
+template_dir=templates
+
+[vault]
+username=ansible
+keyname=secrets
+
+[ssh_connection]
+pipelining = True
+ssh_args = -o ControlMaster=auto -o ControlPersist=1200

ansible/group_vars/all/kuma.yaml

@@ -0,0 +1,2 @@
+---
+heartbeat_timer_interval: 300

ansible/group_vars/all/main.yaml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+30633036313361316363313630616632333931633635326666663935633061346237353362316132
+6364663462646639613862393263616661613838303962660a623233386637653363636531383535
+37623664636362666136643765633166373030663864613134313862373131646539313533303532
+3563666465396463330a613632643431316563383331373932366334386564646335393433366663
+36616239373630336430393065316433343536663062383563646235646365376539326636626230
+30643033656134613966643163323730353239666264343630613830393630653333643961363765
+37396462323539303736333734373332646633633463636162626634656632346165363134643234
+38316632323366303166663964663639616638643538626363633564626133366634323439393163
+33646462643035613963646131373339333863636231356163356630383133633839373561643835
+6264383563386437656563316539393139313137306164343631

ansible/group_vars/all/networks.yaml

@@ -0,0 +1,3 @@
+docker:
+  internal_networks:
+    - metrics

ansible/group_vars/all/vault.yaml

@@ -0,0 +1,34 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+65653135336239323262613466343039366465353930653632336330396136616465373338313237
+6635653631663132663266316664343566313561646663380a363630623637616332626666613731
+36336539626365346633346161383135313063323364663763353131323764373731393762333565
+3866353164323763390a373139396532393932666434643533626431323838363562353635333333
+33646130363435376337633965616137306165303938393134333630616332356662636463376362
+37663236653030373332386666393565363234363765386138663365313134323333383033633537
+63353162663634613963303666386137643535643632376464623433623234303363633039333038
+62653033633561373636356439373730376533373335373032376465396662623730313839393966
+63356633303739386265666266313966613835393165396336333538306634363937353036633836
+38393163313333623330353361316137336464356665356666646631643762373266626465626332
+38353637333039313166353430666138646538363364646334663437336266666430393438363833
+39303033313230373835363138363763376163353832356266633666666339646437363062663566
+35336539663263336464353964383565633132306136346563626637323933353136623238313364
+30316363346437626564633163353533643461396166363238633332306436383231393734666537
+35613964626435633061363934626465336131336236636630336161373964656261313765643534
+65663235613265353261383338356534643334333763643464633133646561366131373039363834
+62363931333464326230616135376165636263346436373930623530306637363235326639383031
+32646238366432623430313763616361393935336437336333626638663039663931346261383661
+62623937346233343965643837653834363662636436623964626133363238636538336231336465
+65343432366162346534396539656539396235333539623238636566366539303164333731383333
+66616430643733323764333462373562343163383764613737393864383532303962386238613462
+35613764303634663464393139333231333462316537346130333338656663633832316332373134
+32363437663163623635313933363963396166636466633230653331613530636636383266373064
+35323763343163363535623039323835343731353536303165616235613731303266376436616438
+62383065626363343363636433376463303363323034306362393236343765383565373938643639
+39326431643463326230363830333631313263663937386134313235623865383937626133656135
+63613136636337326632616236663532613466373662353932343366363862303664643337623662
+64343966366338373665373037646366613264626466323537333730333337383736613737636339
+35373733323838653461613361346439636263353861383666336434636366393635303232326134
+63663032383136303031353138376330363839396533393831653733613562633665613830356666
+34353337633339656463653063393335336564326230323831343663393464396561623937343531
+65663730323035366563663639653366306162613234653764363163623661653461656634353738
+39313133323638343862656530306361373862326134653934353334643333343235

ansible/host_vars/filehost.unruhig.eu/main.yml

@@ -0,0 +1,7 @@
+known_hosts:
+  - filehost.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXlm4q3UBK2ChZCujrc9nv45tnntj6E+80UOOzZ6EEFWeUkJ0R+o4z4bnLsWBfFxfwgMDUvFCUCuS7R7xo2pE6vlRhPeD6eTitqNmRMfgmMZLJCdWD5eechg2FNSIht+wB61KEwMBuARXX45nmvIknWiRBK0qAGMLgy46hAx60hf/2uzSuyF6cxQdRqH7TNKZ/06aC7fCo9MCvHbiWvOSKbRx+jYSw8L27DW8WbPTqTGhywidij3nQEjwCFof/IN/hdp7NLpF/8qAoxW9iLWHh7ghESSwHxDF+QC1NjyA1g9QvyX+4p/hzR71wvQ2OVT/R9qx45jJiEi4dVQtsPGbcMzY9gQNbzyzl898cvnp2OuS50kGxuJZaJLMOj2UClbpW+lTrrkKvBZKkAF85v+C6Xcx/waY01eH0PaDBpoo40Y+vS9nWLmnKcvz5iDC6DVL8gUyDxuQj6/qMQuVsr5GL7GnvqIF/jjz6rNqES5Lr88c18ZyWeaupAHNnSgxaGV8=
+  - filehost.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNxa8vbJ70oM2PlEKegPu3/SUO7oXz2lM6PvR74Ad+RYjjAQZr/j3WMpeDn15ugexlYmYoHgxgeT0xA6E/ZAM/0=
+  - filehost.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvXX75sXWRgslMW/Ufq0t0OJQnTFiWPL4yBUBdGIU9k
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpGyOWzNNTW7e8PBZCRZ8q4JygBKKtOMWng09b3mnNo9GPvb+V7RhnMf0rnGbwp9q89QFjYbZ8ZKqCoBpgtlT4= backup.unruhig.eu_22

ansible/host_vars/filehost.unruhig.eu/vault.yaml

@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+36336235613033366466623936373035353462656137303937626535653237646633663035363435
+3935323464336235353134623634343539383930653066370a623435326437643362386638623735
+64393933303561303833326364613736643632376464383632613964313265356565636237653432
+6338326433623539310a393261376134626164316230386533333766336130326236333562636665
+65663865653663623838656237376262626139643733356461383539383164653338613636383935
+39366133623933366631643938643832373264613031393430623132386166643836616362613333
+39326666356434343263383934613238663635613234323264363930396136356461386365666538
+38376564386339623462646138646461633732313866306365303463356330316535383137666230
+31313132663030626562313437623735376338333061306438343761396637613535373633386536
+37303535386566303564343938333037356363383561656462393239323736643331646536626633
+34663534653165663930663939363936323630643065306462353261616535666338353962643930
+30353439653331613165333137626636363064366164626136643234353030336139336535333132
+36373934343431363665643631373336396433383732326539663336366234613364363663323238
+34333530366634613933363530373935383831653864633462336465366136613730643932303935
+35363935343233383733623233316332653061666262633435346532326365326462366366333966
+33366364343330313238

ansible/host_vars/host.nc.chaoswg.org/main.yaml

@@ -0,0 +1,4 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHrm5yQLJMKOScBDc8ek0nfinzYSvQdN22kSEKRN9/UUlcSDmqFUHpQNtvysCZr4l9WRKxTYDhy3rY8HaMSQaGY= host.nc.chaoswg.org_22
+

ansible/host_vars/host.nc.chaoswg.org/vault.yaml

@@ -0,0 +1,421 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+65393036616464626639333161343232393964353137663236393732366661303363613363386162
+3630616534663334306637636161373661656239363961660a646137303939323465353334396534
+38346331306136393832653138373438623264303261633762646531383961643836373465356464
+6262333763643766300a363763353564653165313431613633393336623539636634336133306661
+32323764396239396630383533626336643638396632393337613634353831313336613532616561
+62363465306133636566373433313332306561636231383965346165346439393634393038636662
+39336535363262396538376664663239653838343465313465643334366431303631323166313738
+66303230386137343661343161643166643935636664306233316166353561323631643463623664
+63316533653431653732623238336233303937656263663039656634613861313836613363643636
+30396336373037653031393432333033373132386236383438336364303930343533636632313735
+37613436393035396536313334653966313439393234643863303137386466313866323033393464
+39343862333535646162613539323936386430306461346337393262306234626162353438313334
+66303536616137613036386331626234313136646336373536343862623364633266353963353566
+36363238373666646362376239396536623264633461353637393765336438323364386463636362
+33383365626239373435663565346431316331366332383261346138323239363364666631383633
+33633035623530376137363832373230643965356338633334316232613033386634326566333539
+36366539373034613133326562636137306237613232303665633839363530636633636562323135
+63643862636361666463313865626438633631613236346563663034376363626565333230643930
+66363464653536373930633431616263383662393539303861626666613163343861343566313830
+32306535343962306232363138343839386430623032643364323233393837623538616335653039
+62343730666134613362656466316261613161653137363861353163653232333865663365396533
+38313764343537326233376634626261636632613831353833613463613738653766653535663439
+37383665393462376234343866623431373065613266313933653365316230363232623362306463
+39613937636338633632333264343365323431656662626565396165336164356437643430333039
+34623866316639633138653566613832386166303837633764623538336161313861666231313438
+31366336646265653063333866663164633332343264653564306138383562633730643765646563
+33666133356663646135376661343065326133396665363032333134393562363864653434633231
+37313266333032323237313762373537386234346463303538346361323231383261383763616333
+34383366326239653631613937663037636465633230323138386163306332323732346362646565
+33336137616562373930633335396532313761393331306336356339616663333537303961373461
+61373636626466306330326638376237383431626538616432376338643162393535333862303232
+30363233633230653664373865653439383234323661303930666631313935653561623637643534
+66616363353234346162613032333462343763396565616331623362336235343337613863613461
+37343735366465643039616565313566626262346365633339626363636263663266613665343130
+39353837353535643435346631616362306430653534363662383537656236383766386135393938
+31316561383736333439303732316161613663376263386330643035626334303738313330666637
+61393662333633633035363735656138633536313961343833373566373234613334626561346331
+34303333306233636335333366363936383633626538366661303066633961346237376133323031
+35333038663961373561316162616233366131373134353534643162666238636662383930383834
+64316135376132666539656639303066343735313364666466653534386336613033363134633037
+31343165643463663334316335303437343833333233306564613035616237653664363638313431
+33333164353134643031653131626437363333393664323563343632343562623966646233313831
+62353336333732643731313062646664343966646362616233313461326435386534643138306138
+63653137393739303438363332353862313563613237633734326539323864316261363762343932
+37393030376161313364626432393131306136666139303166303538663464363038363362376134
+37333832396162333266333238346561663764383761653065396130366534653838303165306436
+33633239393330323765313033303635303833343736333364373536356631313462643231376464
+39353164326163323238333738326235613766356337373936656664666364323836326166616562
+32303565356465356130323439373435666339313930343366303430623039656138643262633831
+34396463313565666536626332613530626235663837373766366139636662663139643839613364
+64666464306433383561626364343562643532633936393230373137663666316531336236393330
+65343639383835646463663466623032336339366462353732313835323437323736633436376332
+32323934323462323438366434643937653630626637393734613635613166393761353133646335
+38303636346661663063636331323737306566343662653762373761303839663632656539383633
+63303161383837653139356237613761656636313861303536393363323662306561303130343964
+31653732326237303364643464313234383536376335396130336462656338386562353730653962
+66616130363162346662623462343964623465303765653666653463336466623737656530393164
+65323865323635653563353130346132633636346466366366656233306636323836326161313836
+31643865303839393439326633353465313636373061393963356330366432336461636561396137
+31613165643837376138616334343363333362616339326636633031633630643364393535316362
+31373336303765616161656165646231613838643837653037633733653763346664306566343362
+62646236636439363662326639346231373764303332393762666237346130343962626336323762
+33343738333361356438383063653830396163363232343862313363653130366539666362653236
+31653030353365633766386238336132393838623233646635373436343038363265616432306630
+36366462666639616265356233333430643065663431346539373636316238306339373262343130
+61363531383139316432663432653830376534336334643661363432373137613735346336316334
+35383162366130663061623261366563613438626161663031373163626339363936343364376564
+34653033653834393264663130373065343638363838303331333030393563633963346630636433
+64666239663964646163626537323038323165303066643663396432323664633462313736663638
+35663439646136356233663936306536373963366462396331633737653065373032303530623064
+37323336346661353535636538623666663530383266306464386165613366366137623430633931
+39353062396335313733363766663236393737623564366364313038323839343637613530393738
+61383037306135306262333435623339626237316436626237303864353061363436323433613163
+38623965313261616366386465633466396239366234393637343734396136636630353062333262
+31353265306134393865663365636135343639383164663033363435313037346138616265356135
+36613664623336303031313531396136643334666638353965376233333934366463653833633265
+39636363306431326332623566623131613866386463643835643363623834363231373765383532
+64666331393635666135306432393937313539613264656134323066376434623531613730356566
+30636135623837626331376238353937343665613161346439396663666530343163633763613833
+34303863313365343765616630316362326639323830663030356561616263633062343338356335
+61313865393039663164353235653233393438663366653035353831663536353663356139303438
+62353037626435313231633861383633366161306530616536356134303239343436633535346230
+37363939373438363864336236323337656433333234623933646236623735616132643566666535
+33343938323036653038633462313663366133333536663636656262626138393762383865326536
+63626266643834656164356361356332336638613364633363663735653037333566343336323635
+35643135666131376636346236303630336332623465396566663337636539633565383839633365
+32653838333531303863376636333861666134613466326166626263363436363038656664313533
+35333863613737623532313264636562363861313465666532636363633636376233643735373662
+38353865383262633731613531383764333733643566323566393838623761353939633732663363
+62393765383539376439363233376465313636336664613431626238333561376562313962343836
+31653235353334353037653437343463343833396266386138656162373338303833326662623235
+65393339653630663866663366313264643133326234343031666364343039306561333731613637
+31333564313531666539326634313035386464653866663831316634356366373632643966366166
+65643938386665333431353335303231303433396534343730656235333937643261363030303535
+30623235303536353364306539633436346437376166306264616234656562353830333739613330
+63633862383336316633643031613662626165363437653638623034656630343262646538663530
+35323437363939306233303563643533633462666634383639633261613665626435626634646565
+30393138363232303239333430643733643035613561656534363036306338356539666234323139
+35616631306531633266623138383533313539323237633634326135386236643735653237666366
+64373230626462646239376239303030303862623537613562666235373563366337376539653635
+30616465363261653664383162396362306164393264373736383830363132633533353162653034
+65343261323138643630653163633836626234306633663033313532306237373832353636313562
+65366162613637666162663564616430383631366333666232323036646166656463666533393764
+38383730646331633032393737306637656363666239613166333534353230326664643465633035
+39393438343834356461653139396166336239636166336161353931336135653166636166313439
+39623366636639303364376564656231333365333964386566363535613537613861623762306136
+32643833616237303633633964373731393133653565343831623835346239383532353434623131
+63663832343937643266373766316432623334313739393337363565303936633864373664633465
+66336361366335646463383164353135386338656630356636353136343739323530663039636263
+31613030393832303165373865323536636233366231373737373536633238303337333764373835
+62373831313534303731333237323036303266646136383532626466623165356234646637383636
+61626663633465373161353330343261646163346561353861316633663236346539353133353366
+35313139326464323631303863656133643665653934363139386362346437366139313132356334
+39653731636665653838613064326439383830333436626234366166373637393739623137373264
+38656630636333306363613763326166343634663161333162396138666661636333393832616435
+39623538396339336437376363346463363061616633356537653438633033643061353465346132
+64646234653033356162393933333933373064306238393334393564326433353565353066383433
+64386436363238653561363031303735386366656639373835326137373436323537356665666231
+34356663353062636165306232313235663634653932653465386537643031366237646436626639
+36376339313635323534343031656263333365323164346363353637306131393739373066313335
+30626666376236363334643765656639383661323131393661303632623131366439653866333833
+39373562663639306161383166316165343130613561656234313333303632356161623261333530
+38366535623635313934613237653637336231313533303036386461313739623166343564366464
+34323639643366633836616133393630386530333330346638366265303234313133633261643362
+30343736613933366635333734353863616461313262653731363730343966396538653232336330
+31666132303933633464646562653466393661323363656339636563633430643734303439363065
+39623638643663323366386561633732653937636431363038316234616537363030396362396331
+38343662353466373065666264616564396636396330346337633634363131323666363032626566
+61663030346530356435643338633162326230366631333863636332346636306638383932383365
+36313839636235323264653733383438383030623330626235643232343432333237633634393262
+62326564396663333134326132613537636333383931383533656134373863316665353266323862
+32363265363433663637333861626331333137306630353263356563346239316362656134653663
+38346137373965393537633835313662653531343966326461653830373166336534623764306564
+35393733373664303465303935623963396233656336363762616566383137373564623063636265
+62353734353139616365363161626265613036623865643034383362313733613439363337336430
+35666333343232636530373237616537383165316366353162613661666335623337663564633261
+65313033343865363034663763616533623065353164376561333239353839396663313739656432
+64656465323865393935303163663236663363393336303763636165323035386632363732353465
+34623731636535626237643765313232336161336265396539343861643131346165613638613438
+31326364393065626538346465396264303738353566366538663963653331376633643865666261
+38646466643137373436386335383733616532343263633163326135356133323437363637393638
+65633633303136636237666236633632306265366465383266356333386633626566316438313162
+63376637636639306438626431613637323561633137316362383735386563656462663130646563
+39663338633166353061376466313032336339336135353165343138333338303231666165396632
+64353062306131396337623664653462366466363561333637346463313937366634653237343039
+32623530383966323331636464333936643537623764383031343933363263316631386362356365
+62666530346463373363653133363937343030623233666262623933376439333135386532343063
+38323236353563323863376132646532363163643535313634626566386130396434326239376432
+36623266306134303437636565306137376437663831313866643261383865303035373535646565
+64623730636139663637373239653533353262363661376336643464666661353563306638356563
+31313064343734323734363037396161336564306133326338366166326665303062383539353435
+36346137393136313937656133643039353866366461656130393266653432313061373938306232
+31393332373331663238616335343738633962613535323639306435616666373164326665623964
+34383632633135656362333965343536376365333732653734643932323764303932373934313537
+34373064396564343832626332313438376164306330366532323733323930393939633634616264
+33636234396631363864353661383539653961363334333633376132666434326336623034366535
+65376632343437313965336562356631366163656263663365626237643438326338386635326466
+65663537306337353866646137333166653735633961656137363333643963613730356633333364
+63303263343339373364383265376633653835333737346434346238386631326632616164323335
+32393631626535623930633930643263313935663765656563646230393761356663393636393938
+38633562363737326532623937373835646131656437373065383166323535376433373836343639
+33363335613231323233356164653930393737636261616131346638653037313266386332393330
+39366433333566623861306134666332306634626638633434396232386561623231633033653836
+61623237343039613234343438333730393637636462393038666137343735323066303536616530
+36623337613831346463313964633735373033666539316239396264663266636463623037313335
+61653134646231326163636632343863653961373665343166623065363232396165666564386162
+63323032653361646366343432376338383637326666356538343266613535636261383062323234
+38323362623539356635363731626663663034626539666239643335323130633136306665663666
+32613736326462326536346661373465346135373234323861396237343862303232373537336537
+34393737643433386338326135616432666566636166386563663937343232633738323531353732
+39353661333065373334653461313036363262306438633939353663343962353462323631353031
+63333034346366306261653137363762353433613231656163343966613634633737386639323365
+33316531353531323463333738313733353064616564613363383532623861626661386634313966
+30316235316238666463626335643938353835356236323164613033343365323533313365376565
+34336236353532373061363036303239343965643235633336626463313539393039626562626332
+65363237656633383064353363386265346239353238623834343038636432306330366462376337
+31313632623063346136346365373563363139346139356635306264316663356433633431346533
+61636363656366353361646332643932386630383834646233313430653161663763303761393636
+38633462666437336134376335353230393964346633343263343030383463396134373930316436
+30663830326163613230653331333534333233633631663532343336636637653164303931366338
+63656561306262613661336261393966666536393266333564666535316637653863376336326161
+62333764653462353937396335633764393766316338303961646130353061393161653231323235
+33303762393266613264323134373536633032366235346634663932313236336235353164393461
+35343166626438353164333061333331656133306530366538346464376136303632353437326462
+39336631333461643036653133353833346164663637303962336433323939386364323562333432
+61656533343934393862643261616235333030313637613063626331336133333230303165373138
+64396264616432346663643736316463396662356566373833663564393030663532343263363231
+37616438663635373263303763363263363539393339663134353937353031633061323938323633
+39343165363837353036636239343565363930333861643634366330623739386461376234323837
+63366430346264373765306638353061323435366638306464636130626365373965316663646261
+62396265643365623162396565626535353661383434343163636339616465646638393930373239
+39623864336361353165623833366133396637346564626433636166396366376239633937336534
+33383734306638333437666233326236393931633334646535326531303363613431656161373336
+34653839383332383065393630653737373231323963373633353832396164393766333265646261
+34376532646265356564643866613166383261366466643262363832363036623563363830313430
+33636333336266353966343035343861363033326566633264643262303637353362323934616364
+35353535313238366564653632666431396266643538383435393265333764356539623330383238
+61306433396639373438393731326639623138623661356634353232393935336636313631363835
+30326165643663356430373666316261376339353663373161613739396161653330366339643463
+30396266646561313435313331643830363334383365363061323463306164636638636139336533
+63616566343463363039613030636462613161333764353237396330346534326165646262393464
+33663237323662333237383535623139333133653333663332346133636230643863666135396563
+61643337393439376564623766363632393766633263376362363537356132613039613339363231
+63666436316439313432636463356235373161323337653234366233616434646566636466653961
+66623062366130376335336161386462653034643637643264353636333934653935313663396364
+35396438396532303461383234636133656139623063636534653737653264333733346332343966
+62633764313939393934316464653762326433303336356263343461626538336536316562393261
+38343361623930383137373239326263616366393262616264656536373831623839383431313635
+34393534666434353764363061303938643238336530313366366363646665643334373735363436
+39313637666562383538646336663435326337646164306631656533353766363037353633666632
+66376235306136643334363236316164643735343837353761393331623836613965643739343035
+36663531646534393333366133386631623265623462353432316133303238356463373338666631
+35396261323539333631303436333433366431353637373965383965653561626635616237303033
+63613839643763363466666564373061666630326330613538646365363365313534393632373635
+33616262343937656663636361376433373432336235393132313061396336636461303939663339
+30346534393533343536343237336636336633313333613966346665333734636461653030623164
+35613138343237336437646131376132333130333466643137643765383964333466363430316330
+38383762313961656462343132666339313862326631353237636162373433363137633864623365
+31363536383130656662613937656630623930393139653865323862653032363135303235386461
+37613234653534613866616164653335613665326361363663356666383532653634633466306330
+38303533323566653136323535313162313161616465303933636639616262376238613736643430
+37626134363662646266356561363033663030373766323561353166663066656133623537376631
+34616262343736623933366130643065363736663535393334616266613632656530346237346461
+37306238343836313734353665653538333162353065633530643762643937666662336562643838
+36383531623439633939633465323332613762363536663936623666346135646634623064373335
+36633232386633306462363438646564356332356338666365393537306632323665623166633063
+33383766336262373939313832373562303164303733663362653865623065333830646236663164
+66316365336434313532373865396431663036326335326566653533323031353735613266653132
+34323961663733336535366530316162346566643639316136316536616462313037623263626432
+31316533633334343839353763666432313037383662663065323335313534613866646665646339
+61633366346664316337653365653565313365313838363030653438386533343233363738323032
+37643037636430383835393732636230633136393764313237326334353862333662353665636430
+35643837656437623663656133666335656530343330663839356565663766343731383265313062
+36633736653964336234623530306163363237643465616463323362653436306463326235333766
+62303337333633306361393231396233393839386664623665636563626664653437316136303735
+33373337373462656133326261626136333038303136343230366665346233363130303365613830
+31356635633033396239336265316232623930353662656337346664396236633861663431323862
+65643365356166613634383064383338363366383934353837353062393862653430373863613562
+63663236643637613131376636383937653038356435353639373032393032313866343737363963
+65393664363331656366666536336439303438643636303563316432346634333265616631373934
+33363238313265333465363038333632653039383263633666343935303433643133646461333733
+37653166393431376336383333383035666537356636393537323530633534336563633831653938
+32633361363263663039653363626364336638613539613330636238626163386137303364633363
+66643563633733373066313536376435356338623832313262386130376337393131303439396566
+63313563653366383866636134383938336666376365613431646665393561643965613933623830
+61656230396439373133306536366231393139613834623138653636663366313335653563663530
+32623131626330353838666630326634653238633366323031306334346666663235653130313261
+37316162323332663734356236613664623032373935613436653265653435353930373762653836
+30313939653662383639623838353863313138313334353337393162393263346165396261313266
+66366137383165386437316236616361383262636562626437613934386561616231386236373831
+31653735396536336639623333633461356530623162343865393939616135333133333838633034
+30383932303134396439636339613336656439343834616536346365376436303763336335333266
+34646633363230326564646665653666393139303432633762636662373264393836653637623532
+30323032643938346565306639373766326666333437363163343064333330613564316463356536
+34663663356534316533623739363530633164343563663461666466303833623635306639663535
+61316665363963653864333937343739336466623939303030383136646265643634383430323036
+34636534346666346566393934636434663735383737373964313530633433326431316637376636
+63623333303937616339333462343366313835326161383335613034313539383837363835663465
+66356665323037653565393763623538356633663565353230616338623339383633313162666564
+30373731356639376539613438636133303064653866653039636366393736393531613264313264
+62353166353866313539656236353461356164353737343530643737373434333336316364393038
+37343063303862613434373630646161373933363663653066343163636638323461393530376463
+66393431643031386333343238393634653962386466643063633463356561303163663362643332
+39663039353962663835666435656236313931613931313964646663383731323139646436336637
+65303735346133623933326139353731336233393034343763313335373138656531333337656664
+63636639663761343565333064393061356637313734373061353833396366353463353032643561
+36383531396231343338366364303637313137396666376333656437663631626466366461383362
+62363766393531356631623737323539656139653161646338663835303735356130353337656164
+30643038643537656166386631353166636362653832373362616636336130663534623836396439
+37656533303635613065353832326636306261353565613461303730396161323634323533633234
+38623564626431326261313731303636363861386139666162393037346463653966313932643265
+37333338393461663135336332633364383964303431346532336332663235653062616362303564
+35663539336431626564353565636363303161643438643837656264343836393130333162313862
+62313536666461343766313930376531663362626364326230396565323130366238396436323431
+61646339383239363834613163326461303232336534386434633938666231656261376263383437
+31393835396537646462623030306637626663336666663434366631313437383763363831643962
+62333433313038353334633365316263336233323836313162643764656366323762323066643363
+65323239316237653863363631633838343939666235623438306466363632333638306530616330
+30303561343233373264323430616131616363363938363365636634373861373737663630633632
+38616334623938656337366237346665316666633832313264633533383534303538633733346534
+64356638383932663639343131653465633335326337663532356436306666303632363430623333
+35363933613336626634323261346536396562313066656166613138393733383236346333666531
+31303035396161346266363763363439343764363031343836353263666663633932643561316364
+62393632646132363632343231356339303939373833313030613837363536323263653866396532
+61346464613835333434316362306633333636643139616538386432666231623663373239306437
+36343834643461393234356266636363656462613139636563343766323533626562336262616562
+61353164373466633266343335346630656630363362326434623838626339383130613237383737
+62613363643536666636626337386334393830346632623132656566613238396335656332343065
+35386331623331323535656631386134376239313861346664653734623366383663663530333633
+62653037383465313662353339663132653837313562393639376166316165363736303635323438
+65366632396266386561633139623666396333666634363663363134663965373836666134623130
+61306532663235646334323961313261613631396638353035636635366365653565313030613565
+33376637313339633064383732633638616134393536376262396466356563666236643232643066
+31643631323665366266363263303231313066663838313538396536656566306262353263393063
+61353434333363333630366135653536343733636432323133366361313236353033373130653434
+64663964386164643934316130353438653561613263353835323463376332383765633137363536
+38626130353664616331353536356636346635643764613230356435643535363163626238656566
+64623933343261396465356136646336346538656134343134663436653037663564373533613432
+30316132363033313461616535323462643164646338646564363536326162616362306563663666
+37303930386666643134633138346238313737623463643339383632643636396631663833636534
+38626163636361643930346161393132303133346532653231316533626336386135663531336166
+37616336663362613838363964643638356131396135666261303065323863333061323839666433
+61356166363638353339306433333735353032306431366462323764326233636437356231373763
+38616361663632653364663739336665656532323439356235626631343662626133336332633331
+35383864396437323762373937363763623936346465383636393164613161373865333532373738
+32323062323130626136313434656534303139656136363661333139393037323362666332613930
+30363261613761303961383465326637633463336633666630653036333165666262306131656338
+37383764663462613862373433323733616166626132316435373262656433363462656432303639
+66323239333031653736646465316434653638316336393731353466336338346466333161323034
+61336261666534616663303264343665353163633838633636653139346139616466333530306565
+31303631613233366363323231653835633030326532623633333238323434346637393064376462
+38373163383431613662643233393332656537326334373962356330616262303461366165366166
+32663739623165393861333232373061666439353231376361623837663466653865386136636236
+63346130303732643733633362613163366135656434383838303830313963636136373763393234
+30653161643262353439613132643866373263663966326338386137333533613630383165323832
+34616138363863633037613731356135333738383332383931373862353430663838666230656437
+36363234376563376566613136666434346438303761323737386163376233366133323236343331
+31353630323430366533623232343162396462356161663531616634386639653137346634346632
+38383235333363326439646638393839386162636436306663616564323264333664313039333864
+30363337323561396131613263376432346138383063346232306235636564643162616638373461
+66356463303332353636613131336432303137393331353663363061636437636162353462363430
+38313538313430386165323139623365313862663763656634613233326339343433666339666362
+66646637656434393230353466303436316465333737393236383531653161326666656536616638
+34646338373462373064636234623936353134303432333133393765623165656332353562316239
+33313639616261306564313861626334346664383565636433396339383165636464643638373330
+36323738366635323266616661336235653731393331396166356430373161346633393937386637
+61636133333632353064303961346531386231316632653234333862626462366431653336386234
+62323930326466343862336133386561656635323636356634653761626465303262343962306161
+36643232363662613664366530646562613764636334326231393965646266633039643462653266
+66626161656438313938653863633234313938653061366235613766333533346363366633613561
+33306665306663393464363938616530636330383939336133363330353563633935356334343934
+62386233666633643539643230353235313162353765356362363564373736343834646231336266
+38613533666262636633643163326636396632656233656535393461643161646461346133333039
+33626464333232336666323866666533346430646635356166366430313638333062343563626461
+32303365623262666366346630343434306636646161386662353466663662356462383638386232
+66323037396635656463386164633464333930393734663362303465616638386238623234613663
+36363330356435636365383363363233396462383561306538393333653065363634356566323262
+35356165666639613062663362643136633263313636653562363564306531363664333062333033
+35613465633663336362663637346463653765663463366662623337663530633637623739643036
+32303633336639313661303233303162366439643933356238306361643732633165623265386662
+61316631623063666138633866646235373232616634643834366462393431393435393138333161
+36633033653439386131333963386466333138623435306464336137656664613634353639653861
+33616231316464343662623231346137643064353861343763336562666639643531623933663962
+31343364616533613966666431616434336335336339313435636131646365633833373363393864
+30343030303365393537393839303933383738333934373336666436623964373237663535323662
+34663863306432383732663365633838663463366234336539313230646636616130376463356136
+38383865336533313734663361363130333666663230383938336636313166626236303433393639
+39656236356665623439343130343566666337366638363361616435376162663461343337663164
+36393037333162343134336362323030393638376132636638373764303533333861313833313932
+38623933376632353432643361303739336465383039643832386534386336616261663565656465
+30343561653266653831616635613166633830383131633734353230643637393839333130306637
+65343862396232663635383861323232303537396562326537666638393330396534633834363665
+38653234383838643565663063316138643632393064333765663431366538333365303231643738
+62353433636131643634326437623966666364656562613261346337653133333337363636643666
+38376530613139393965613135646435623362373935613239323039396630346332636135623535
+30613861353662366362326536313139636131313139613339383431366561373036393763373433
+63626666633335353762303636333666623035323134386433326335393831356234343333393161
+35343765616333303463613762623964386138383361383330383031353865343363353534643831
+38613530306465383332646632383964663734623034663435383433333561383134373833396665
+64313833373338366539656437343039313063643635626633306236386235376438353735356466
+64633564303861663266316231653562366662363932313666313964313734363135396235306538
+39636130643438303133303863366132333733666333626337373863343537313034343161393761
+36353036666533343735643236666464626136663439346265316431386534363863613433353537
+65663464383264343934376532396462373934393262356536633531313136353934313365316566
+62336530303862313061393763323038373637616232336337646661353762303132376465633762
+63363731616236323763363932326138636137306437666165316337346138613033303365386661
+32386466616463373531373464323365633866306438396131396134356630313562336636646532
+36663939326237623365383264653566383032383933643965386434386237306337313261646531
+36303238326361396165663537386239383934353066333032356431383935626235633862316163
+38633565326561383132386264623661306563313936626134623830343265346239376231626636
+37623566363864376337303161366665343665666334646364663638666464346131313931626237
+35313964626337313961376234343530623239666438356162373234366261623031656237643430
+64323834323534646461613762643965316334396534363834613337326436326333623862633563
+65663165343432306131633837336536613632323735313135353563383165303863326635663963
+32623365313431623366343535313463356536666332643733383032653138393466656639363235
+64313365303765323065653733363537646233326534303434323931323730363963663631356563
+33343332306333373362313562616562336234663931623062333133303561393763383965363236
+33633833346534383739373966376364356132313234666261353734326331366439623936326661
+36383034633662373462323961353235636361633639626165346133353730623339376332633235
+39396131666339373835373938643636396264386536316336353133373163623666343732333836
+30343835313836616262336464336663336232656433653564386666633666636363313939333838
+34373436393530383061656435666135333661333834633637313433616138373965373936303235
+65363863393136323239303432663335623465306561646666633433383831363864376237333333
+39663639643938353666613531363638353661396331356564653335353535313930613930346330
+37613263353664646238373363383166333764333036336566306631313435616134643865316435
+62363336653331333361666566353138373762343734663365626335393336653862636164383064
+63616262656239623235643139303537643363386561323538343432346637353865363235633061
+36363136396235393436303066643436353332613636323937373636306235353533663335613332
+36393730616132626433313063363063656438366465306630303030633564646634633739316335
+66633738343362316335386238383562653634333437373035646563326534386465633463326539
+36313565636261613264333334333963333561306163306131353965346264643439353462623832
+34653933333933633537653561326465366462376464643465666261306266306265323664333937
+61623262643634666430633336633033616534316531663236633139626630333131356234343336
+31313263623037303366386534313031376638373664323164383362323136366533343632333235
+64316364346532336263323766353564633261653838343130333462313530363635323466373437
+38336466666631333037346537663465373731343232626237616637333436343034336632303465
+37363834356537623937323639396131353762623961353631323539376535663731663961326635
+31396138316261396130363831636638356162353363636132306238623364326634616166653339
+38373334386135386361316436356366623932643164633532653738346634323665353931653238
+36316563343234636362393339386365653535623837643638316534316261303732323862653030
+37373330316432363266646632373661663230626463613166636131623931363961333161393931
+33376364313236376137633638316465363661336264343137393863363161393463653163383636
+33356663323131653431643739336130356534323133323030376532373934383837303365616533
+32376432623861663937663165393138616463336233343062636532656237353238666130333064
+33653334643432343836656532326163663939376535613131653163646266326439383935623031
+31373733363265363738313465386138663332643464663736313631323532346566626363336233
+64663036626336623034353366363037346136326662633933383263653531616636666435396164
+34643532353237323838323862316161373864356664313738326432666130343234313663343066
+38666165373432383362626635623865383562643036316664613163373735376365373363633930
+61303961353061313365363564303336336338373566636563613639643934333864303131383132
+63653765323462303936353063643030356262653637313935633561613038333063636536386163
+33313139636438373839303332306539363135396336656632636532373137633965343031313532
+30363136613536616261643764633637643965653231326633323861383464616664303566663561
+33303931356237623636633931326266313536356465333631343733623735366165333630323633
+35663361383534316265633261653837336638383162626338653366343337653730396434613236
+63613634613166633839393162636334366165303639333837393165633766393930663833393333
+36353035663036633936386538306461333637346633663730353030366336666433613065623037
+37633434343761373931393963613531313638316362613362306532343562653736373161353434
+32643635353462653835643239623863623266396237373437646237623362386365663331336665
+62653139346537303736

ansible/host_vars/host.nc.chaoswg.org/wireguard-peers.yaml

@@ -0,0 +1,50 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+34636239613366316164616562343261323862646561386161366366316530333633613131633630
+3834613539343265376530633065306430316164626132660a373730613137373133656365323230
+66636135356264326634373862376565393833356330326439633138613333333439386564646366
+3761663161653862660a663638623635616138316332643730656263633565393734656534326265
+37616462313536393832656461626663353933383530656466326364376163633138633935616430
+34303536616138636131656662376236336232393466383362636363356134633138613839633038
+65316665653631653739376266636261356161326266326364666563356637653666303333336433
+31663238626665323961333734626133316530383262303766356438346237643765393138366439
+36313332353534366666656332373434303438376336313438643733303634373731363062653366
+61316462326335633262313331386336383238383536313134626361636338316236613138643032
+62663962343435323039313663363364323433303637643835363137373133366139636663316139
+64636564643332353537346162613661656463623930616530353731326236373934316565323233
+66353536336632623135323062336364313231326433396538313837363035343566316566373062
+38363731363832313939666137653561666334306663383134323161376437326536653439353634
+31613861383833613933623564613335386433363530386535636661376638666434313931633963
+66616239323137663732636365656639643262663462613033373165636633303661633239306166
+31633965646438636165626361356666396532616161363263306666393731336434356130633838
+63396466623230333332623765386438386634636137356638646439313366353061306430396664
+32356138636465303538343638613937366662373230386561396632383636636665313364633432
+34393165316330633430643035313536626263303831393935313037303438633035393738663339
+66663933363266623931393064613830393531623235343162633735303163623232393034623130
+62343136643138366365386263626635663337656538663465303930623166323131643631613036
+62306334646366363732663139366466326231383435383362373665393264383565306466353230
+61376164376635336636306563353366313662613463383466393166326434653333343763373961
+34323330346664626139373666316133303035623561633731336232656561653566383335303132
+35616238306231636531363438646361343334306434376338633962313163393165333665343861
+61376334613433643438623563366564313065663762663437366262316632386337316430396636
+36636236666266323137373163316135383439653834653532653330316635656435383664343662
+63373666643031323861623536663266653431666632643437643464643066346263393262313130
+38643861613665373435333838333838306234616139373431393835623364653464626164653436
+36643963303438653337613739316338376236363139326562393266306331386433356461323734
+30343838343666653736303238316332343962613433343262306232336238303135306666303364
+65393936666564653031323035366162393835373466316666323934356262396639366664363962
+39623930613137393861353938343838633532343939633763666238393239356632383038653535
+31353331356561646330303734633536313034316239366432656631623033363339616630306664
+31346366303266303237343937373132363862623838646535623264323831326566666662383039
+32363834373063633434613038643064623433373534356539336533656333613038313863313732
+63653237663363383031333431356162346137356564653961356139643761323364626133393362
+34626630316165376636346563363639366166666565353638636166393234373964346462376533
+33373532333632336661323863333065663731303637333638653461303235363661643835623434
+39376633343439396438393461636136653265396330323435343766613861323034346134623537
+31636535633832376336323162336266656164343839313131646533323631326264626330643132
+63336430383765336131313932306465663439353039616165343032333230393461666461313365
+37356162613631663761303562663132363938346137376164643532353037663635643430613062
+30313039613434316636323330343235396534376631646237326235383534393435663835376339
+62383161303030663065383863633536346235613864636565393538633731353439633262373433
+62383432393435363961313263316630326632393937376538363731316239383833323766616466
+32353539376137356162376236353830363036653062653935666431303339326435396235646431
+37616136363136393331373833343264326130396532376639656434613063353633

ansible/host_vars/infra.unruhig.eu/main.yaml

@@ -0,0 +1,4 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD/pWrMOC24gEe75cvMUiOxLN1yixAyhd9uhKw2/tGn0MsqeVtiNtbHqb0vVFUPISDqKK5SxGsqYkikyTAfZSKI= infra.unruhig.eu_22
+

ansible/host_vars/infra.unruhig.eu/metrics.yaml

@@ -0,0 +1,21 @@
+metrics:
+  additional_scrape_rules:
+    - job_name: minio-job
+      bearer_token: "{{ prometheus.scrape.s3.bearer_token }}"
+      metrics_path: /minio/v2/metrics/cluster
+      scheme: https
+      static_configs:
+      - targets: [s3.tobiasmanske.de]
+    - job_name: drone-job
+      bearer_token: "{{ prometheus.scrape.drone.bearer_token }}"
+      scheme: https
+      static_configs:
+      - targets: [drone.tobiasmanske.de]
+    - job_name: 'uptime-kuma-job'
+      scrape_interval: 30s
+      scheme: https
+      static_configs:
+        - targets: [status.tobiasmanske.de]
+      basic_auth:
+        username: "{{ prometheus.scrape.kuma.user }}"
+        password: "{{ prometheus.scrape.kuma.password }}"

ansible/host_vars/infra.unruhig.eu/vault.yaml

@@ -0,0 +1,85 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+37646239383161613330383037643836616464613635376538333738646164653535343365646637
+3265333661656565653135653837666462623364346665310a653033613838643633313062343334
+39343866623636386235343731643637656332306132303065393231643935643234306630343833
+6562626632333534630a306661353739336266336661646132333862663231306135353564323762
+62613433653737356564323538626666656434613966346631613934396238626531616631383433
+39326532316439663632333331613135316134353531646362653432333734313534343037663433
+39333566336265356532396434623836366166363961346439373635363334636133643831373132
+64353939313135343338386638633136333931353839316236346634616430383263366137663565
+36303733306163363332613964343162613337386263613032663539623430666639323062646565
+61646463393338383934663665363837626532326630383930353236613161356230346162393031
+39643531663565633666333032306235323038363234346264656239336535393539306439643833
+33363035393864616664363463656361366365316230663031383037376139623039303361313131
+34386361393930373430323961303039653561323430356139393434643763346563306266623366
+36333265643738656362616363333638396139373137383366303263613031383237353435326562
+34633839316335613766306134343333373032353635383964663336656134646634613164366465
+66326533613363383337616437666333376133386231326336653934663233613333343464306238
+30386338303730383836663262373239656438313361373331343364623231356134643631323565
+31336464333838356265323938623133636536313736376136663330346630663837613937336436
+33386639383465363333343566646337633236393130326439323536393830323331393862616361
+36346162363166646537666666383464633165373263326532623061613065373030313439623039
+30646632333964323330396464383535303261613237353535613438336163323235333534313434
+31346233346335336230653337363337653763643535373532396362316131653665386539636432
+30663735616136316639633333303732336239393435653239336133383362613061306537623063
+31653634653233346634353136653763333833613337633530363338643336666463373465306434
+66363939313434333364323931663766393564353663666262363037323761653339316637386532
+39663538333664663139663262376137623765373931393833313130626135366436396636303062
+36623362343432633462373733373235353034373335356534653965393131613831636237666163
+65653463633961386266313534343833666136366235343639636561393534373830393434353363
+31363536616664373935346331633335643536313432346133356637363566633564633963313639
+62326439643333663362633739343465316431616234663233353066623861653165343461663830
+37316464653138386135656662663465333932306263396235626434356666373762356264336534
+66303664383630333064383363313864346234643639623037363437306638363937636162633362
+30313263376262636164363064626538386161653964663130326134636166633735633966386332
+61643566373233326362323034366537623830353463306363643866636439616430306362363863
+35306530666266623734653235313835323536343837396631393134343835303464393335653639
+39613530326562323764646662643439383639353661666231336433326564663463323638666639
+63333434353364656264303361636234623266326364346230613033343433376639356537643530
+30373631663165623035396139346165306335663263636434626336316265356535393034633832
+35653264313331396434636131396531613833643331643235306130373132643636376638663432
+32646539316138313234613536653538373638623330316236356431346461663034343932386536
+32383334633238373465636164653766323132386337653861396362353937353963636136373136
+66316331323132616337393438363636653561393432663238363764633938623531616538613865
+61346563643966623362366131313635656336326363346231373636323930623563646137303861
+39393064393965643638653462343631613466616366663232353864373236316438626135643537
+64363862393839356664336632623765656264366630383836323233333836626637653461386163
+66393263346539356363643566323366343631393139613864383764656465613033633038333661
+64336636383737313163306363333634633966356439333432636635393064306231663533646139
+65343637616532323366326239356263343432626238366333316238633366663734386332613631
+63336466326163663338393363626635306436653166363239393263333731366261313963383466
+38626665356463633439653932303033386464363862393439376635393961323530333566663263
+65613333303036303764636131323630303737336561373733663930323863393566313665613231
+32613962313935323432626230613334363163623836383135653931346132363538383632633031
+31346566383364333062646334346433336235623636326436343230666537383635383332613963
+63393366646266356130653339623439326230366234306235643332383261633739353039333039
+35336165383061303863623031313033623865346366366235363262326266383033613961373933
+33623832383934386563653662363461303939363533336561623430643865656232353731633263
+33656432386165326566656432663665633461306365633164303061373264383532626361666437
+62643533323136326539653263393663303365666532663262636165646561383333376336383332
+30653161313336393033363061343633346230393337393966343134323436623537383532346361
+61623661653132633234626631363430333837656633396365613834616635626139383731323837
+38346533353061363766633634346231373339656463376634366533643861343161633435633138
+39356165386635326535626161303462303939383461313834396333633565353634643362343539
+64653530303663663032353138383934373837306437643962333339363366353966333437383932
+30363934346638356565306365386335336530616532306465373163353562363235623937333832
+62663963306663306462373838636436366661333565303736393731636562663332326363656636
+39353161616134623433646539366664363935313866383163316665646236666237393762393563
+62633062646536633437666362363531646234326666386561613863633934663462643634333362
+65336431623836323334393934613133653262626134373838356238373031613737613965613761
+34643539373230396362633761626339356362613730383831316565393030623930616364313430
+35653935616662306130633263356165336130336363366532393735343137643831636462616334
+65343437396566346263346463326361303862623164346365346132633936303230323838303361
+62303663363834633635626331343531373639613763363537333539653631636462616437656135
+34333633633565306663666338646339326564663936373963353465313065633434613435376261
+30313963336664313465323036643035386463646561373235646134303930333961393639353639
+35376135363235623730663932313337366564346636333464623234346237346162356262333764
+62626563393261373838353663343430663763383365303766343665333231343861373534383739
+37353437383966376664383438323430316237626232376134656134346362316335396331346531
+63343933396636393332303636613133396162643132643765646664373438653732316633366338
+65653963333633303963623362353739313635663266643236666334323262616531356165363330
+66633131343461623231663832643138663563326264313036306438613837336333656361373166
+62666261626430393830396636376434376233636639666432316165346237383261626530623539
+63353530643065373734613664333239636433343262366637376130373130663766656563643931
+38393334343836386533643839643232386165636566646434616662336334366263633835376564
+38626339383631336638

ansible/host_vars/mon1.hel1.chaoswg.org/main.yaml

@@ -0,0 +1,3 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMeX2lqjaVHJicNohQLi64Bk6Oo9PMm6UaoULL7G+sMGsZthWryjoIB9hwgBJPbhDXBpO3rNn6wwWumAUXWEsE= mon1.hel1.chaoswg.org_22

ansible/host_vars/mon1.hel1.chaoswg.org/vault.yaml

@@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32366236633933396537643061353531643566663930626366343333643234653363653336613138
+6563306263656136333235353164383562323237613763650a393734356261393330306539373562
+62633332643737333137316433316363333338666538303636636461626161303638383465646565
+3564643732376137640a386131646339326633333633366162613064646432636630393035373562
+33373537653866333661633634356361663366336236313932636630623539316130356431303530
+38636534616264366235316638346437356162303331303763306437363438663632353730653236
+30333065306261383664636563336631383263376135356663363633626130326265336261316632
+31393635613264386463306265303137366330656339386363393061356434393162336237373737
+38626331336138313636333363653264376463326238383335613964333438303835353239303135
+38343837613562316463313366363931373134306635356465313532623663613666353935336234
+30323063633664653835356138313363333736323265396434313632333832316163303063373465
+63376136643337666166633732656532333235366636633739653665336637363436333433636164
+34623539353839376232363564336633666433353262366637623930663865623966343762643530
+37346433376662613966633436663833643065646632373135363663396564626136343635613333
+61633739646230633630373364343232646533653239346632663130353833343464633862343136
+30623337633766383530383333626331333839363532363734613333333763636264313539383939
+34323438373530653235666235633037393965353738373365633566313830623761663265363337
+34343030373065393765333038343865626161373134623837643037306230306435313834636634
+30323033343236396234386338623930353065346134343564653439306535313934616135346533
+37353363323732326333616165636331396234646564303738343265366465336563383333626432
+37623165663435313033383665353030363031373833653266356638353734313536626366373863
+61393937623165613563366138393533666166663266323864626537363066666338363261336265
+393938326530663531363535333061666332

ansible/host_vars/thonkpad.ka.chaoswg.org/main.yaml

@@ -0,0 +1,15 @@
+ssh:
+  authorized_keys:
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKmN5g3jN6tsA8qcEaLTPzFp5c/p65wjAo31nUO5TtT7TDUDCvU68yi11HuZc9mhK7v3e2ZgCEnua/0g8lCyCoE= 192.168.0.73_22
+metrics:
+  additional_scrape_rules:
+    - job_name: opnsense
+      honor_timestamps: true
+      scrape_interval: 30s
+      scrape_timeout: 10s
+      metrics_path: /metrics
+      scheme: http
+      static_configs:
+      - targets:
+        - 192.168.1.1:9100
+

ansible/host_vars/thonkpad.ka.chaoswg.org/override.yaml

@@ -0,0 +1,2 @@
+---
+heartbeat_timer_interval: 60

ansible/host_vars/thonkpad.ka.chaoswg.org/vault.yaml

@@ -0,0 +1,42 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+30343065306563343765353231366539356463646634363230643639616338663138376666343962
+6164333837646563356334613035383365636337393362350a343334643838303562363932336263
+33363432393565623631356331343063333332663937343639343739666130646262623364353237
+6366346434366236370a393063356266333430326362643932303130633635363732623361323736
+63386266333362653530333262383064366462313938646362386338643661343165363839636536
+62613561363637346538323062643664303932666566393537616539353730306164623535313636
+32656230663861363635633839643731326363393838636263313665313466313833363638346566
+33386566346564363963363166326564613366393531366135633430616634323261386263376565
+63663962653039623434643136393564336631613433613433636632623938306365376639326338
+38393465393764666636373430323736303235363238393038353632646365373536313566333238
+32616631666263353132333439653334643737336633663164356337363732366534366537343532
+30383531303663656263353461343166616139306634396432653032313366356265326664666339
+39393432343734336565303034636435623336646639373438363363613538643435653230326630
+32393362376164646335613166643632323861313834386630613932666166303438346461646564
+37646362316662373231666332666530353537376239633664316561363332313565633361393464
+65623635623166613430396638613061613737303739343266643663626134303361633561376135
+32336339356462353864646664633632306338353230663532303963636238636266383137393063
+37663064666539653362376662356265626630636230393230306565313264663961653135363238
+39623436646138656565383662653037623835333631323836343262353830323764663266396634
+62636536653833653932613661373438356138643334363034656339626365613761333764333732
+34303538313134666238663732393933613537383661636463336538393035626438323039353661
+36663939303366386136643335356131643032313934363361373563313965383734613632373631
+38333961613838313863333436356263363432326366353266623266616561323666383931343362
+32616265643133653532383732393739343366366532343461636338333463336466363331303931
+30373833363037643637343662313737383565363164323235306335303938363937626466643066
+62336261373865383234626463333535383662306330306663353438343061383761393165306231
+33303434303734623564616331646166376432343035393231306136343762653038656434653436
+66626639616139666133373063626237616133626334326530636162333930336539613336316330
+62653964353633376164646664376234336535633765616634663266636464393464653435393538
+34363865363338616336363561306461363532363131366534663366353463383134666239393230
+65653864643562333962323832363732616434343736376561643361666138343330653337313266
+31363339356536313832383162643035663538656463373133346265353437323634346539383933
+64613539333566333262656566643935323138393266656361316131623566663164333138656437
+34363830356431666531343938643934373562643232653239373837363336633030666631656361
+36393765333463643365663938636134666664653763663264613032386135356266636236623035
+64326239343730326639363133653666643534326362303339373733643164623634613633613138
+61313130613434336463363739623430626638323939306462316235663963313233633833313734
+66333461613766343130393539613332353131643730623466623365643237653865363262333734
+64623164663366326538386331343162336433393466386133323537623536636461613732323734
+39613639306562326366336634376263633062386163333964396532326666643539613739313365
+31343132313837646235313764396130653764623838396635626462626531303732

ansible/host_vars/thonkpad.ka.chaoswg.org/wireguard-peers.yaml

@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32643663326666316663626638303839353966356532333066313561656234393139656333346438
+3961633439383530323266323933303866656362306363630a333034666135303430363435656231
+30353630643162326664383232613161376137653638396363343735306336656432623766386638
+3832333632353536320a383365363037343161623364303837666238306336376463346236396566
+34323666383935363737656632666532383435626132313534393437383162663232623534336664
+64383839656561333064346536376561333666356535366232383636663665666464336462636161
+32363964613332353735336164646363643430656330653635616663656263353837313232633838
+36666165613530653832313538306434643862313161663662323434343236306666656634393261
+31303039343363323638333434383765633362353365666264646564323436386335663435363635
+35336162346635333062613639663434666339343662656465326439656533646262396436326631
+66303539363365323133336633373431353065613935616638343831326435623832616136313731
+30663863656465396139303931366565326362303036303761326132383164393361623664386566
+35316335383036393539386663343638366262666139373232636561383135333963313365386566
+6162666432623037666433636663643262316264323061363961

ansible/inventory.yaml

@@ -0,0 +1,61 @@
+---
+all:
+  hosts:
+    host.nc.chaoswg.org:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:4f:9f2::1"
+      wg_addr: 10.1.0.1
+    mon1.hel1.chaoswg.org:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:65:f3b::1"
+      wg_addr: 10.1.0.2
+    thonkpad.ka.chaoswg.org:
+      ansible_user: core
+      network_interface: ens3
+      wg_addr: 10.1.0.3
+    infra.unruhig.eu:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:9:176::1"
+      wg_addr: 10.1.0.4
+    filehost.unruhig.eu:
+      ansible_user: core
+      network_interface: ens3
+      network_ipv6_addr: "2a03:4000:56:e17::1"
+      wg_addr: 10.1.0.5
+    # localhost:
+    #   ansible_interpreter_python: ./ENV/bin/python
+    #   ansible_connection: local
+  vars:
+    service_base: "{{ playbook_dir }}/services"
+    wg_keepalive: 30
+    ansible_ssh_extra_args: "-o UserKnownHostsFile=./known_hosts"
+    ansible_ssh_private_key_file: "{{ lookup('ansible.builtin.env', 'SSH_KEY_' ~ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_')) }}"
+  children:
+    unprovisioned:
+      hosts:
+        # host.nc.chaoswg.org: null
+    prometheus:
+      hosts:
+        host.nc.chaoswg.org: null
+        thonkpad.ka.chaoswg.org: null
+        infra.unruhig.eu: null
+        filehost.unruhig.eu: null
+        mon1.hel1.chaoswg.org: null
+    backup:
+      hosts:
+        host.nc.chaoswg.org: null
+        thonkpad.ka.chaoswg.org: null
+        mon1.hel1.chaoswg.org: null
+        infra.unruhig.eu: null
+    monitoring:
+      hosts:
+        mon1.hel1.chaoswg.org: null
+    network_config:
+      hosts:
+        host.nc.chaoswg.org: null
+        mon1.hel1.chaoswg.org: null
+        infra.unruhig.eu: null
+        filehost.unruhig.eu: null

ansible/known_hosts

@@ -0,0 +1,15 @@
+filehost.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNxa8vbJ70oM2PlEKegPu3/SUO7oXz2lM6PvR74Ad+RYjjAQZr/j3WMpeDn15ugexlYmYoHgxgeT0xA6E/ZAM/0=
+filehost.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvXX75sXWRgslMW/Ufq0t0OJQnTFiWPL4yBUBdGIU9k
+filehost.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXlm4q3UBK2ChZCujrc9nv45tnntj6E+80UOOzZ6EEFWeUkJ0R+o4z4bnLsWBfFxfwgMDUvFCUCuS7R7xo2pE6vlRhPeD6eTitqNmRMfgmMZLJCdWD5eechg2FNSIht+wB61KEwMBuARXX45nmvIknWiRBK0qAGMLgy46hAx60hf/2uzSuyF6cxQdRqH7TNKZ/06aC7fCo9MCvHbiWvOSKbRx+jYSw8L27DW8WbPTqTGhywidij3nQEjwCFof/IN/hdp7NLpF/8qAoxW9iLWHh7ghESSwHxDF+QC1NjyA1g9QvyX+4p/hzR71wvQ2OVT/R9qx45jJiEi4dVQtsPGbcMzY9gQNbzyzl898cvnp2OuS50kGxuJZaJLMOj2UClbpW+lTrrkKvBZKkAF85v+C6Xcx/waY01eH0PaDBpoo40Y+vS9nWLmnKcvz5iDC6DVL8gUyDxuQj6/qMQuVsr5GL7GnvqIF/jjz6rNqES5Lr88c18ZyWeaupAHNnSgxaGV8=
+host.nc.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE+xbsYUu5fNjUZuJMER9VMx7aPCPCVcZvBpnNjxySRrkUSOgLV6n2IYj+aTfrxT3sCJFzkXzNS8R25Fyqw53WE=
+host.nc.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfZWpJz8JiM6F5zXcUg9K7OsCx0UbrK4z9sijpmUn3F
+host.nc.chaoswg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCiVZ57grUnL7JNyUTlU2LVVCS5cfC4dasBGvdQDlN36VNGxo3HDzu9ppichlXUO2KNT5J86sgh6o9KeAmu/mqIasNm2JQC+FIRc1xKQU1xufLVHm9LZqUfk18olHm8tTIxE3yOpcPYJRRlBe+l66OYary9huJfQZPvHik5umQ4fWg+l1VBd8p6IMOQHNA8AyGlb/VKg79c1Qk9fxzKxqkSAc0LCIwrNPSQNF8BzjiBXaw1AuHwvPDmMFjb3cFv4I8GwNSH/A1xRHXg2ymqE818A9eXim/RHDHNiyEf7HPC0kuT95x5ii9pd8WRqa5GXULSHMz1vajAMtgfnGawz8pvY+MnfOFqF2i5WLcaPSqK9IdFst6lFp2ThBCAijW2Wa8o8gQeazr3twhC9Dd5C3+HkNq2MpEYM8ck0yZUFhAkRPUc3laX+8y9KsiqDMbfg1aErEbrezlSb6h19oWVAhFy+d8xVUX53a/9C9uF3P8hFwy4o76lTHVwmB8rTD8DXT8=
+infra.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpspDDbmZt71/g8R4K+jn3A4n7z+8lO3unv8Pm8xLKhr3mDD0MErbRrP/ucYtsBRauMc+IOmBsDtM2Ayp/0zio=
+infra.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8dLUAnoazcq9Tl2zeLP0Ed8QlMs6226raruQhP/0y8
+infra.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0cOVaDYrycZ89VpBoysO2f5ihYGpz4Fxw2tpOSW16JztwGA7mksI9sSJUus69RtsFwgzxW9XNfKA1V63yVc5lE2f8PJg4zTTLtHRJk6V6mjWgIKQV6Ro9lxVW1g+bxVnRmkC2JC7OPE/k4qQcVKF7JMsCD8oG6uV4ghGaisDBifmixyGAwtsJ+Ev9M92HvWLvRRVLgMXozLgWfJUZJvz4p/xgKqrfS1WmjCRRqQT+FeI3BqWoA6l1jgY5xa/qeie5SYEClEp3K30wfI9bLBCSZiKYOHBnhrWtPcNw8z0G2pdLIbWpH6nM78nZ60UiK5yHjbR4XcxDxaZ695SKolyOjDazkt8yjuLM2kz//C+Tj/+1/rrUkEn8bT6zdJmmFzz++d+o6sYAPczcsmc40rs9+DHp7lFcgv7/RSVryXkdK71plhb4Uj/xpf2VlriiUe8+FzxMHu8NH5B3NlZAKLyhEQVPIHxsY0/7MjKdF2igGNgJZ7UA8BNYfTZ+9+Wx7cs=
+mon1.hel1.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGUIZFzyXd6QAA4Xn+SikYIdfZ+c2R4aFXCY6/Gh2oZGjpq4xtHLw7AFyadnC1UGVNNINNJY1FLfgbavIkeh6M=
+mon1.hel1.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsSgW6MyvR0YJWn61UZLG8hgj/ewvlRqiHIZDAkYDtV
+mon1.hel1.chaoswg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCl6bzWEhtuyKLLOUjRv0mxkmzpnjGzzdkc2DFZU+ueiMG4cTxCpwO5cXOST8RXC5WU49HtEpW0ZX4oCWxdEKhFeUXpij1Ins9Hvx31nHMot7sTLa745QcR0feQGYFl9DXfK1OADvstzWBL4n/UO70psK2Ir6aoBV1CM18w2Gk+DVSh5coLsMRczPczzG08ALIvhWa/1l3ObX7tULjs2y5Pf0F6Ukns8wcfxarUfUihdgnRwHdyc4yxaLHBvizAs3bl1G7zXdOh4SMOjw219J1ORbO/+n9fTSwhs78jU0IQCSZgI86Tp+EaLk+6RmA9SIGhI0+s3qk6UfwqMFM6VPxbiCUMbUeAhGcOo8UD3PMlLeTHWBwADHl2ee/mUmXBUh6Smyr9YlpbSCfcTNgXX2enkByidIgy+tEhJzaTub9vFRt8q0nj7fEimqQ63NecMzMZXPTGxnCma5Y3/TSLeBPE1aUNLGea6MFwUevCamdn9qB/KTAmMoyRTRR8pREsdfs=
+thonkpad.ka.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDq68XLq1mlFsHDfa1mlpNJZ83wCR3ZO5C/fkNe+kVwG9apKmGdCaAWZs9n1MKe08maSLf5Dx01B+m79+l9KrKQ=
+thonkpad.ka.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOY8bK8R5aUnXr/8vxZ6NSznTNGcTu4iQJJo5GYVXflR
+thonkpad.ka.chaoswg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8b0SqPTmmJYJEcGYMjeeyEZlEjjQTIj+XKZ3Sonbb6xT32SedabIJ8k+xw+yeRjDOhBnx1wl7KrfBhZqZ18qGbB3214d7QmgylWpC5KkQV89ow0c24JI2zSLfC3kMYbGvSSwch+ql8rLUBXGRczzMYuh9kWrXhkK9vF7821/pxBSsO4XD/9fZwEa/VfpakuFJUU0bmFGgi/OmlHf80U08B0LHlg/IYdM+3JemwWbx1swx7ylXwDUWGjyK5mxYR2SEBbwnHuCoanj8SW9xwPLfUOT9t5+IADtFya7J3o0cDAk+6ZjJOZcdtmY6WO1hR/K82aFnecAV4mjr8+fx/GpnbGCt8Jpv88bdhG7LWxzKESrZDbQDiZ2z4itkkq5fbOGeXeUrFuff8Vva/VtsUoLPToS6bctgVqZ2slbI+6J6YJXPE4LzUa57NRj2qyXSbr+q5q9URfrkOmFDwaBq5jLiFcDEDOS7UpAjoN5A1rAkxN7v+uP3gwYainkbx2+7DrM=

ansible/playbook.yaml

@@ -0,0 +1,31 @@
+---
+
+- name: Wait for hosts to be ready
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Wait for system to become reachable
+    wait_for_connection:
+      timeout: 300
+      sleep: 10
+  - name: gather facts
+    ansible.builtin.setup:
+      gather_subset: all
+
+- name: Common
+  ansible.builtin.import_playbook: plays/common.yaml
+
+- name: host.nc.chaoswg.org
+  ansible.builtin.import_playbook: plays/vps.yaml
+- name: mon1.hel1.chaoswg.org
+  ansible.builtin.import_playbook: plays/monitoring.yaml
+- name: thonkpad.ka.chaoswg.org
+  ansible.builtin.import_playbook: plays/thonkpad.yaml
+- name: infra.unruhig.eu
+  ansible.builtin.import_playbook: plays/infra.yaml
+- name: filehost.unruhig.eu
+  ansible.builtin.import_playbook: plays/filehost.yaml
+
+- name: grp_prometheus
+  ansible.builtin.import_playbook: plays/grp_prometheus.yaml
+...

ansible/plays/common.yaml

@@ -0,0 +1,330 @@
+- name: Setup SSH Config
+  hosts: all
+  become: true
+  become_user: root
+  tags:
+    - setup_ssh
+    - setup
+  tasks:
+    - name: Authorized_keys dir present
+      ansible.builtin.file:
+        state: directory
+        path: /etc/ssh/authorized_keys
+        owner: root
+        group: root
+        mode: '0755'
+    - name: Obtain Machine Pubkey
+      delegate_to: localhost
+      become: false
+      changed_when: false
+      register: pubkey
+      ansible.builtin.command:
+        cmd: "ssh-keygen -y -f {{ ansible_ssh_private_key_file }}"
+    - name: Deploy SSH-Keys
+      vars:
+        machine_key: "{{ pubkey.stdout }}"
+      ansible.builtin.template:
+        src: "authorized_keys.j2"
+        dest: "/etc/ssh/authorized_keys/{{ ansible_user }}"
+        owner: root
+        group: root
+        mode: '0644'
+    - name: Ensure authorized_keys ownership
+      ansible.builtin.file:
+        state: directory
+        path: /etc/ssh/authorized_keys
+        owner: root
+        group: root
+        mode: "u=rwX,g=rX,o=rX"
+        recurse: true
+    - name: Configure sshd
+      ansible.builtin.template:
+        src: 'sshd_config.j2'
+        dest: '/etc/ssh/sshd_config.d/99-override.conf'
+        owner: root
+        group: root
+        mode: '0600'
+    - name: Remove Keys Config
+      ansible.builtin.file:
+        state: absent
+        path: /etc/ssh/ssh_config.d/40-ssh-key-dir.conf
+
+- name: Setup Networks
+  hosts: network_config
+  become: true
+  become_user: root
+  tasks:
+    - name: Setup wired interface
+      ansible.builtin.template:
+        src: "connection.nmconnection.j2"
+        dest: "/etc/NetworkManager/system-connections/Wired Connection 1.nmconnection"
+        owner: root
+        group: root
+        mode: '0600'
+      notify: Restart Network
+    - name: Setup DNS
+      ansible.builtin.lineinfile:
+        path: /etc/systemd/resolved.conf
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      notify: Restart systemd-resolved
+      loop:
+        - regexp: "^DNS="
+          line: "DNS=1.1.1.1"
+        - regexp: "^FallbackDNS="
+          line: "FallbackDNS=8.8.8.8"
+  handlers:
+    - name: Restart Network
+      ansible.builtin.systemd:
+        name: NetworkManager.service
+        state: restarted
+    - name: Restart systemd-resolved
+      ansible.builtin.systemd:
+        name: systemd-resolved.service
+        state: restarted
+
+
+- name: Backup
+  hosts: backup
+  become: true
+  become_user: root
+  vars:
+    repo_path: "/var/home/backup/storagebox/{{ inventory_hostname }}"
+    password: "{{ backup.password }}"
+    pushkey: "{{ backup.pushkey }}"
+  tasks:
+    - name: Install backup script
+      vars:
+        repo: "ssh://{{ common.backup.user }}@{{ common.backup.url }}{{ repo_path }}"
+      ansible.builtin.template:
+        src: backup.sh.j2
+        dest: /root/backup.sh
+        mode: '0700'
+        owner: root
+    - name: Generate SSH directory
+      ansible.builtin.file:
+        path: /root/.ssh
+        owner: root
+        state: directory
+        mode: '0700'
+    - name: Generate SSH Key
+      community.crypto.openssh_keypair:
+        path: /root/.ssh/borgbackup
+        type: ed25519
+        owner: root
+        mode: '0600'
+      register: keypair
+    - name: Register SSH Key with backup server
+      become: true
+      become_user: root
+      delegate_to: filehost.unruhig.eu
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/authorized_keys/backup
+        state: present
+        search_string: "{{ keypair.public_key }}"
+        line: 'command="borg serve --append-only --restrict-to-repository {{ repo_path }}",restrict {{ keypair.public_key }}'
+    - name: Add Known Hosts entries
+      ansible.builtin.known_hosts:
+        path: "/root/.ssh/known_hosts"
+        name: "filehost.unruhig.eu"
+        key: "{{ item }}"
+      loop: "{{ hostvars['filehost.unruhig.eu']['known_hosts'] }}"
+- name: Restore from Backup
+  hosts: backup
+  become: true
+  become_user: root
+  gather_facts: true
+  vars:
+    repo_path: "/var/home/backup/storagebox/{{ inventory_hostname }}"
+    password: "{{ backup.password }}"
+    pushkey: "{{ backup.pushkey }}"
+  tasks:
+    - name: Check if restore is needed
+      ansible.builtin.stat:
+        path: "/etc/setup_complete"
+      register: setup_complete
+    - block:
+        - name: Install restore script
+          vars:
+            repo: "ssh://{{ common.backup.user }}@{{ common.backup.url }}{{ repo_path }}"
+          ansible.builtin.template:
+            src: restore.sh.j2
+            dest: /root/restore.sh
+            mode: '0700'
+            owner: root
+        - name: Stop and mask backup service
+          become: true
+          become_user: root
+          ansible.builtin.systemd:
+            name: "borgbackup.service"
+            state: stopped
+            masked: true
+        - name: Restore from Borg
+          become: true
+          become_user: root
+          ansible.builtin.command:
+            chdir: /
+            cmd: bash /root/restore.sh
+        - name: Remove script from host
+          ansible.builtin.file:
+            path: /root/restore.sh
+            state: absent
+        - name: Mark setup as complete
+          ansible.builtin.file:
+            path: "/etc/setup_complete"
+            state: touch
+            owner: root
+            group: root
+            mode: 0600
+        - name: Unmask backup service
+          become: true
+          become_user: root
+          ansible.builtin.systemd:
+            name: "borgbackup.service"
+            state: stopped
+            masked: false
+      when: not setup_complete.stat.exists
+- name: Setup Registry credentials
+  hosts: all
+  tasks:
+    - ansible.builtin.file:
+        path: /home/core/.docker
+        owner: core
+        state: directory
+        mode: '0700'
+    - ansible.builtin.template:
+        src: docker-config.json.j2
+        dest: /home/core/.docker/config.json
+        mode: '0600'
+        owner: core
+- name: Setup Docker Config
+  hosts: all
+  become: true
+  become_user: root
+  tasks:
+    - ansible.builtin.file:
+        path: /etc/docker
+        owner: root
+        state: directory
+        mode: '0700'
+    - name: Template Config
+      ansible.builtin.template:
+        src: "docker-daemon.json.j2"
+        dest: /etc/docker/daemon.json
+        owner: root
+        group: root
+        mode: '0600'
+      notify: Restart Docker
+    - name: Check if sysconfig exists
+      ansible.builtin.stat:
+        path: /etc/sysconfig/docker
+      register: sysconfig
+    - name: Remove ulimits from sysconfig
+      ansible.builtin.lineinfile:
+        path: /etc/sysconfig/docker
+        search_string: '--default-ulimit nofile='
+        state: absent
+      when: sysconfig.stat.exists
+      notify: Restart Docker
+    - name: Remove log-driver from sysconfig
+      ansible.builtin.lineinfile:
+        path: /etc/sysconfig/docker
+        search_string: '--log-driver='
+        state: absent
+      when: sysconfig.stat.exists
+      notify: Restart Docker
+    - name: Restart Docker if necessary
+      meta: flush_handlers
+  handlers:
+    - name: Restart Docker
+      ansible.builtin.systemd:
+        state: restarted
+        name: docker.service
+- name: Setup internal networks
+  hosts: all
+  tasks:
+    - name: Setup network
+      community.docker.docker_network:
+        name: "{{ item }}"
+        internal: true
+      loop: "{{ docker.internal_networks | default([]) }}"
+- name: Setup Push Monitoring
+  hosts: all
+  tags:
+    - never
+    - setup_monitoring
+    - setup
+  tasks:
+    - name: Login to Kuma
+      delegate_to: localhost
+      check_mode: false
+      lucasheld.uptime_kuma.login:
+        api_url: "{{ kuma.api_url }}"
+        api_username: "{{ kuma.api_username }}"
+        api_password: "{{ kuma.api_password }}"
+      register: kumalogin
+    - name: Create Kuma Monitor
+      delegate_to: localhost
+      check_mode: false
+      lucasheld.uptime_kuma.monitor:
+        api_url: "{{ kuma.api_url }}"
+        api_token: "{{ kumalogin.token }}"
+        name: "{{ inventory_hostname }}"
+        description: "Managed by Ansible"
+        type: push
+        interval: "{{ heartbeat_timer_interval|mandatory + 30 }}"
+        maxretries: 2
+        notification_names:
+          - "Kuma Statusmonitor"
+        state: present
+    - name: Obtain Kuma Push Token
+      delegate_to: localhost
+      check_mode: false
+      lucasheld.uptime_kuma.monitor_info:
+        api_url: "{{ kuma.api_url }}"
+        api_token: "{{ kumalogin.token }}"
+        name: "{{ inventory_hostname }}"
+      register: monitor
+    - name: Check if user is lingering
+      stat:
+        path: "/var/lib/systemd/linger/{{ ansible_user }}"
+      register: user_lingering
+    - name: Enable lingering for user if needed
+      command: "loginctl enable-linger {{ ansible_user }}"
+      when:
+        - not user_lingering.stat.exists
+    - name: Create systemd config dir
+      file:
+        state: directory
+        path: "/home/{{ ansible_user }}/.config/systemd/user"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0755'
+    - name: Copy Push Monitor Service and Timer
+      ansible.builtin.template:
+        src: "{{ item }}.j2"
+        dest: "/home/{{ ansible_user }}/.config/systemd/user/{{ item }}"
+        mode: '0600'
+        owner: "{{ ansible_user }}"
+      vars:
+        monitor_url: "{{ kuma.api_url }}/api/push/{{ monitor.monitors[0].pushToken }}?status=up&msg=OK"
+      loop:
+        - heartbeat.service
+        - heartbeat.timer
+    - name: Enable timer
+      ansible.builtin.systemd:
+        scope: user
+        name: heartbeat.timer
+        state: started
+        enabled: true
+        masked: false
+        daemon_reload: true
+- name: Setup Infrastructure Wireguard
+  tags:
+    - never
+    - setup
+    - setup_wireguard
+    - setup_vpn
+  ansible.builtin.import_playbook: vpn.yaml
+
+# vim: ft=yaml.ansible

ansible/plays/docker.yaml

@@ -0,0 +1,41 @@
+- name: Migrate to docker compose v2
+  hosts: all
+  become: true
+  become_user: root
+  pre_tasks:
+    - name: Find deployed projects
+      ansible.builtin.find:
+        paths: /home/core/compose
+        recurse: no
+        file_type: directory
+      register: find_challenges
+    - name: Register Projects Fact
+      ansible.builtin.set_fact:
+        deployed_challenges: "{{ find_challenges.files | map(attribute='path') | map('basename') }}"
+    - name: Undeploy
+      include_tasks: undeploy.yaml
+      loop: "{{ deployed_challenges | mandatory }}"
+      loop_control:
+        loop_var: item
+        label: "{{ item }}"
+  tasks:
+    - name: Install Repo
+      copy:
+        dest: /etc/yum.repos.d/docker-ce.repo
+        src: docker.repo
+        owner: root
+        group: root
+        mode: '0644'
+    - name: Remove legacy versions
+      command: "rpm-ostree override remove --reboot docker containerd runc"
+      async: true
+      poll: 0
+      ignore_errors: true
+    - name: Wait for host
+      ansible.builtin.wait_for_connection:
+        delay: 90
+    - name: Install new docker versions
+      command: "rpm-ostree install -A -y --idempotent docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-buildx-plugin"
+
+- name: Redeploy
+  ansible.builtin.import_playbook: ../playbook.yaml

ansible/plays/filehost.yaml

@@ -0,0 +1,78 @@
+- name: Setup Users
+  hosts: filehost.unruhig.eu
+  gather_facts: false
+  tasks:
+    - name: Create user [backup]
+      become: true
+      ansible.builtin.user:
+        name: backup
+        comment: Used for receiving borg backups
+        shell: /bin/bash
+        create_home: true
+        state: present
+        generate_ssh_key: true
+        ssh_key_type: "ed25519"
+        ssh_key_file: ".ssh/storagebox"
+    - name: Create mount directory
+      become: true
+      become_user: backup
+      ansible.builtin.file:
+        path: "/home/backup/storagebox"
+        state: directory
+        owner: backup
+        group: backup
+        mode: '0700'
+    - name: Create user [files]
+      become: true
+      ansible.builtin.user:
+        name: files
+        comment: Used for providing access to files
+        shell: /bin/bash
+        create_home: true
+        state: present
+        generate_ssh_key: true
+        ssh_key_type: "ed25519"
+        ssh_key_file: ".ssh/storagebox"
+    - name: Create mount directory
+      become: true
+      become_user: files
+      ansible.builtin.file:
+        path: "/home/files/data"
+        state: directory
+        owner: files
+        group: files
+        mode: '0700'
+
+- name: Setup mounts
+  hosts: filehost.unruhig.eu
+  become: true
+  become_user: root
+  pre_tasks:
+    - name: Info user [backup]
+      become: true
+      ansible.builtin.user:
+        name: backup
+        state: present
+      register: user_backup
+    - name: Info user [files]
+      become: true
+      ansible.builtin.user:
+        name: files
+        state: present
+      register: user_files
+  roles:
+    - role: ansible_systemd_mounts
+      mounts:
+        backup:
+          share: "//{{ backup.cifs.host }}/{{ backup.cifs.user }}"
+          mount: "{{ user_backup.home }}/storagebox"
+          type: "cifs"
+          options: "_netdev,iocharset=utf8,seal,x-systemd.automount,username={{ backup.cifs.user }},password={{ backup.cifs.password }},uid={{ user_backup.uid }},gid={{ user_backup.group }}"
+          automount: true
+        files:
+          share: "//{{ files.cifs.host }}/{{ files.cifs.user }}"
+          mount: "{{ user_files.home }}/data"
+          type: "cifs"
+          options: "_netdev,iocharset=utf8,seal,x-systemd.automount,username={{ files.cifs.user }},password={{ files.cifs.password }},uid={{ user_files.uid }},gid={{ user_files.group }}"
+          automount: true
+# vim: ft=yaml.ansible

ansible/plays/files/docker.repo

@@ -0,0 +1,6 @@
+[docker-ce-stable]
+name=Docker CE Stable - $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg

ansible/plays/grp_prometheus.yaml

@@ -0,0 +1,8 @@
+- name: Deploy Metrics exporter
+  hosts: prometheus
+  vars:
+    state: running
+  roles:
+    - {role: compose_project, service: metric-export}
+
+# vim: ft=yaml.ansible

ansible/plays/infra.yaml

@@ -0,0 +1,16 @@
+- name: Setup Infra Meta Host
+  hosts: infra.unruhig.eu
+  gather_facts: false
+  vars:
+    state: running
+    base_domain: "tobiasmanske.de"
+  roles:
+    - {role: compose_project, service: traefik}
+    - {role: compose_project, service: keycloak}
+    # - {role: compose_project, service: db} # database used for terraform state
+    # - {role: compose_project, service: monitoring-stack} # mimir, loki, grafana
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: watchtower}
+    - {role: compose_project, service: vaultwarden}
+
+# vim: ft=yaml.ansible

ansible/plays/monitoring.yaml

@@ -0,0 +1,30 @@
+- name: Base Setup Monitoring
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: running
+  roles:
+    - {role: compose_project, service: traefik}
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: watchtower}
+- name: Setup Monitoring Kuma 1
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: running
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "tobias"
+        urls:
+          - "status.tobiasmanske.de"
+          - "monitor.chaoswg.org"
+- name: Setup Monitoring Kuma 2
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: running
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "istannen"
+        urls: ["monitor.ialistannen.de"]

ansible/plays/services/ba-gitlab-runner/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=gitlab-ba

ansible/plays/services/ba-gitlab-runner/docker-compose.yaml

@@ -0,0 +1,39 @@
+---
+version: "3.4"
+
+services:
+  dind:
+    image: docker:dind
+    restart: unless-stopped
+    privileged: true
+    volumes:
+      - /lib/modules:/lib/modules:ro
+    environment:
+      DOCKER_TLS_CERTDIR: ""
+    networks:
+      - backend
+      - default
+
+  runner:
+    image: gitlab/gitlab-runner:alpine
+    restart: unless-stopped
+    depends_on:
+      - dind
+    networks:
+      - default
+      - backend
+    volumes:
+      - runner_cfg:/etc/gitlab-runner:z
+    environment:
+      - DOCKER_HOST=tcp://dind:2375
+      - CI_SERVER_URL={{ ba_gitlab_runner.server }}
+      - REGISTRATION_TOKEN={{ ba_gitlab_runner.token }}
+
+volumes:
+  runner_cfg:
+
+networks:
+  backend:
+    internal: true
+
+...

ansible/plays/services/blog/docker-compose.yaml

@@ -6,15 +6,9 @@ services:
     image: registry.tobiasmanske.de/tobiasmanske.de:latest
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.tobiasmanskede.rule=Host(`tobiasmanske.de`) || Host(`www.tobiasmanske.de`)"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.tobiasmanskede.rule=(Host(`tobiasmanske.de`) || Host(`www.tobiasmanske.de`)) && !PathPrefix(`/{path:(_matrix|_synapse|.well-known/matrix|.well-known/openpgpkey)}/`)"
       - "traefik.http.routers.tobiasmanskede.entryPoints=websecure"
       - "traefik.http.services.tobiasmanskede.loadbalancer.server.port=80"
-      - "com.centurylinklabs.watchtower.scope=http"
     restart: always
-    networks:
-      - gateway
-
-networks:
-  gateway:
-    external: true
 ...

ansible/plays/services/caddy/Caddyfile

@@ -0,0 +1,14 @@
+{
+    auto_https off
+}
+
+{% for rule in redirect.hosts %}
+http://{{ rule.from }} {
+    {% if rule.keepUri %}
+    redir https://{{ rule.to }}{uri}
+    {% else %}
+    redir https://{{ rule.to }}
+    {% endif %}
+}
+
+{% endfor %}

ansible/plays/services/caddy/docker-compose.yaml

@@ -8,15 +8,9 @@ services:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro,z
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.caddyredir.rule={{ redirect.hosts | map(attribute='from') | map('regex_replace', '^(.*)$', 'Host(`\\1`)') | join(' || ') }}"
       - "traefik.http.routers.caddyredir.entryPoints=websecure"
       - "traefik.http.services.caddyredir.loadbalancer.server.port=80"
-      - "com.centurylinklabs.watchtower.scope=update"
     restart: always
-    networks:
-      - gateway
-
-networks:
-  gateway:
-    external: true
 ...

ansible/plays/services/diun/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=diun

ansible/plays/services/diun/diun.yml

@@ -0,0 +1,19 @@
+watch:
+  workers: 20
+  schedule: "0 */6 * * *"
+  firstCheckNotif: false
+
+notif:
+  matrix:
+    homeserverURL: http://pantalaimon:8008
+    user: "{{ diun.matrix.user }}"
+    password: "{{ diun.matrix.password }}"
+    roomID: "{{ diun.matrix.roomID }}"
+    msgType: notice
+    templateBody: |
+      {% raw %}Docker tag {{ if .Entry.Image.HubLink }}[**{{ .Entry.Image }}**]({{ .Entry.Image.HubLink }}){{ else }}**{{ .Entry.Image }}**{{ end }} which you subscribed to through {{ .Entry.Provider }} provider {{ if (eq .Entry.Status "new") }}is available{{ else }}has been updated{{ end }} on {{ .Entry.Image.Domain }} registry.
+      {{ if and (eq .Entry.Status "new") (eq .Entry.Image "docker.io/jitsi/web") }}See https://github.com/jitsi/docker-jitsi-meet/releases/tag/{{ .Entry.Image.Tag }}{{ end }}{% endraw %}
+
+providers:
+  file:
+    filename: /watch.yml

ansible/plays/services/diun/docker-compose.yaml

@@ -0,0 +1,29 @@
+---
+version: "3.4"
+
+services:
+  diun:
+    image: crazymax/diun:latest
+    container_name: diun
+    command: serve
+    volumes:
+      - "data:/data"
+      - "./diun.yml:/diun.yml:ro,Z"
+      - "./watch.yml:/watch.yml:ro,Z"
+    environment:
+      - "TZ=Europe/Berlin"
+      - "LOG_LEVEL=info"
+      - "LOG_JSON=false"
+    restart: always
+    networks:
+      - default
+      - pantalaimon
+
+volumes:
+  data:
+
+networks:
+  pantalaimon:
+    external: true
+
+...

ansible/plays/services/diun/watch.yml

@@ -0,0 +1,6 @@
+- name: docker.io/jitsi/web
+  watch_repo: true
+  notify_on:
+    - new
+  include_tags:
+    - ^stable-\d+

ansible/plays/services/filestash/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=filestash

ansible/plays/services/filestash/docker-compose.yaml

@@ -0,0 +1,21 @@
+version: "3.4"
+services:
+  filestash:
+    container_name: filestash
+    image: machines/filestash:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.filestash.rule=Host(`stash.unruhig.eu`)"
+      - "traefik.http.routers.filestash.entryPoints=websecure"
+      - "traefik.http.services.filestash.loadbalancer.server.port=8334"
+    environment:
+      - "APPLICATION_URL=https://stash.unruhig.eu"
+    volumes:
+    - data:/app/data/state/
+    networks:
+      - default
+
+volumes:
+  data:

ansible/plays/services/gitea-runner/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=gitea-runner

ansible/plays/services/gitea-runner/docker-compose.yaml

@@ -0,0 +1,44 @@
+---
+version: '3.9'
+
+services:
+  dind:
+    image: docker:dind
+    restart: unless-stopped
+    privileged: true
+    volumes:
+      - /lib/modules:/lib/modules:ro
+    environment:
+      DOCKER_TLS_CERTDIR: ""
+    command:
+      - '--tls=false' # Do not force TLS; note that this service is NOT exposed to the internet
+    networks:
+      - backend
+      - default
+
+  drone_runner:
+    image: drone/drone-runner-docker:1
+    restart: always
+    environment:
+      - "DOCKER_HOST=tcp://dind:2375"
+      - "DRONE_LIMIT_MEM=8192000000"
+      - "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
+      - "DRONE_RPC_HOST=drone.tobiasmanske.de"
+      - "DRONE_RPC_PROTO=https"
+      - "DRONE_RUNNER_CAPACITY={{ gitea.drone.runner_capacity }}"
+      - "DRONE_RUNNER_NAME={{ gitea.drone.runner_name }}"
+{% if gitea.drone.runner_labels is defined %}
+      - "DRONE_RUNNER_LABELS={{ gitea.drone.runner_labels | join(',') }}"
+{% endif %}
+      - "DRONE_RUNNER_CLONE_IMAGE=drone/git:linux-amd64"
+      - "DRONE_RUNNER_VOLUMES=/etc/hosts:/etc/hosts"
+    depends_on:
+      - dind
+    networks:
+      - backend
+      - default
+
+networks:
+  backend:
+    internal: true
+...

ansible/plays/services/gitea/docker-compose.yaml

@@ -1,3 +1,4 @@
+{% import 'macro/postgres.j2' as pg with context %}
 ---
 version: '3.9'
 
@@ -14,44 +15,36 @@ services:
       - "GITEA__database__USER={{ gitea.db.user }}"
       - "GITEA__database__PASSWD={{ gitea.db.password }}"
       - "GITEA__webhook__ALLOWED_HOST_LIST=*.tobiasmanske.de"
+      - "GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true"
+      - "GITEA__service__DISABLE_REGISTRATION=true"
     restart: always
     networks:
+      - default # mirror service needs internet
       - backend
-      - gateway
     volumes:
       - gitea_data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.gitea.rule=Host(`git.tobiasmanske.de`)"
       - "traefik.http.routers.gitea.entryPoints=websecure"
       - "traefik.http.services.gitea.loadbalancer.server.port=3000"
-      - "com.centurylinklabs.watchtower.scope=update"
     ports:
       - "7779:22"
     depends_on:
-      - db
+      db:
+        condition: service_healthy
 
-  db:
-    image: postgres:14
-    restart: always
-    labels:
-      - "com.centurylinklabs.watchtower.scope=update"
-    environment:
-      - POSTGRES_USER="{{ gitea.db.user }}"
-      - POSTGRES_PASSWORD="{{ gitea.db.password }}"
-      - POSTGRES_DB="{{ gitea.db.name }}"
-    networks:
-      - backend
-    volumes:
-      - pg_data:/var/lib/postgresql/data
+{{ pg.postgres("db", gitea.db.user, gitea.db.password, gitea.db.name, ["backend"], version="14" ) }}
 
   drone:
     image: drone/drone:2
     restart: always
     environment:
       - "DRONE_GITEA_SERVER=https://git.tobiasmanske.de"
+      - "DRONEC_COOKIE_SECRET={{ gitea.drone.cookie_secret }}"
       - "DRONE_GITEA_CLIENT_ID={{ gitea.drone.client_id }}"
       - "DRONE_GIT_ALWAYS_AUTH=true"
       - "DRONE_GITEA_CLIENT_SECRET={{ gitea.drone.client_secret }}"
@@ -59,48 +52,31 @@ services:
       - "DRONE_SERVER_HOST=drone.tobiasmanske.de"
       - "DRONE_SERVER_PROTO=https"
       - "DRONE_IMAGE_CLONE=openjdk:17-bullseye"
+      - "DRONE_USER_CREATE=username:tobias,admin:true"
     networks:
+      - default
       - backend
-      - gateway
     volumes:
       - drone_data:/data
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.drone.rule=Host(`drone.tobiasmanske.de`)"
       - "traefik.http.routers.drone.entryPoints=websecure"
       - "traefik.http.services.drone.loadbalancer.server.port=80"
-      - "com.centurylinklabs.watchtower.scope=update"
     depends_on:
       - gitea
 
-  drone_runner:
-    image: drone/drone-runner-docker:1.8
-    restart: always
-    privileged: true
-    labels:
-      - "com.centurylinklabs.watchtower.scope=update"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
-      - "DRONE_RPC_HOST=drone.tobiasmanske.de"
-      - "DRONE_RPC_PROTO=https"
-      - "DRONE_RUNNER_CAPACITY=2"
-      - "DRONE_RUNNER_NAME=docker-01"
-      - "DRONE_RUNNER_CLONE_IMAGE=drone/git:linux-amd64"
-      - "DRONE_RUNNER_VOLUMES=/etc/hosts:/etc/hosts"
-    networks:
-      - backend
-      - default
-
 networks:
+  postgres:
+    internal: true
+  default:
+    enable_ipv6: true
   backend:
     internal: true
-  gateway:
-    external: true
 
 volumes:
   gitea_data:
   drone_data:
-  pg_data:
+  db_data:
 ...

ansible/plays/services/gotosocial/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=gotosocial

ansible/plays/services/gotosocial/docker-compose.yaml

@@ -0,0 +1,69 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3'
+services:
+  gotosocial:
+    image: superseriousbusiness/gotosocial:latest
+    restart: unless-stopped
+    user: "1000:1000"
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      GTS_LOG_LEVEL: "info"
+      GTS_HOST: "social.unruhig.eu"
+      GTS_ACCOUNT_DOMAIN: "unruhig.eu"
+      GTS_DB_TYPE: "postgres"
+      GTS_DB_ADDRESS: "db"
+      GTS_DB_PORT: "5432"
+      GTS_DB_DATABASE: "{{ gotosocial.db.user }}"
+      GTS_DB_USER: "{{ gotosocial.db.user }}"
+      GTS_DB_PASSWORD: "{{ gotosocial.db.password }}"
+      GTS_TRUSTED_PROXIES: "127.0.0.1/32,10.254.0.0/17,fd64:2::/104,::1"
+      GTS_INSTANCE_LANGUAGES: "de,en-gb"
+      GTS_LETSENCRYPT_ENABLED: "false"
+      GTS_METRICS_ENABLED: "true"
+      GTS_LANDING_PAGE_USER: "admin"
+      # STORAGE
+      GTS_STORAGE_BACKEND: "s3"
+      GTS_STORAGE_S3_ENDPOINT: "{{ gotosocial.s3.endpoint }}"
+      GTS_STORAGE_S3_BUCKET: "{{ gotosocial.s3.bucket }}"
+      GTS_STORAGE_S3_ACCESS_KEY: "{{ gotosocial.s3.access_key }}"
+      GTS_STORAGE_S3_SECRET_KEY: "{{ gotosocial.s3.secret_key | mandatory }}"
+      # OPENID CONNECT
+      GTS_OIDC_ENABLED: "true"
+      GTS_OIDC_IDP_NAME: "KeyCloak"
+      GTS_OIDC_ISSUER: "{{ gotosocial.oidc.issuer }}"
+      GTS_OIDC_CLIENT_ID: "{{ gotosocial.oidc.client_id }}"
+      GTS_OIDC_CLIENT_SECRET: "{{ gotosocial.oidc.client_secret }}"
+      GTS_OIDC_ADMIN_GROUPS: "gotosocial-admin,service-admin"
+      GTS_OIDC_SCOPES: "openid,email,profile"
+      # GTS_ACCOUNTS_REGISTRATION_OPEN: "false"
+      TZ: "Europe/Berlin"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.gotosocial.rule=(Host(`social.unruhig.eu`) || (Host(`unruhig.eu`) && Path(`/.well-known/{a:(webfinger|nodeinfo|host-meta)}`)))"
+      - "traefik.http.routers.gotosocial.entryPoints=websecure"
+      - "traefik.http.services.gotosocial.loadbalancer.server.port=8080"
+      - "traefik.http.routers.gotosocial.middlewares=deny-metrics@file"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=8080"
+    networks:
+      - backend
+      - default
+      - metrics
+
+{{ pg.postgres("db", gotosocial.db.user, gotosocial.db.password, gotosocial.db.user, ["backend"]) }}
+
+volumes:
+  db_data:
+
+networks:
+  backend:
+    internal: true
+  metrics:
+    external: true
+  postgres:
+    internal: true
+...

ansible/plays/services/grafana/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=grafana

ansible/plays/services/grafana/docker-compose.yaml

@@ -0,0 +1,48 @@
+version: "3.4"
+services:
+  grafana:
+    image: grafana/grafana:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.grafana.rule=Host(`grafana.tobiasmanske.de`)"
+      - "traefik.http.routers.grafana.entryPoints=websecure"
+      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+    environment:
+      - "GF_SERVER_ROOT_URL=https://grafana.tobiasmanske.de"
+      - "GF_SECURITY_ADMIN_USER={{ grafana.admin.user }}"
+      - "GF_SECURITY_ADMIN_PASSWORD={{ grafana.admin.password }}"
+      - "GF_AUTH_GENERIC_OAUTH_NAME=Keycloak"
+      - "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
+      - "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true"
+      - "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ grafana.oidc.client_id }}"
+      - "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ grafana.oidc.client_secret }}"
+      - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles"
+      - "GF_AUTH_GENERIC_OAUTH_GROUP_ATTRIBUTE_PATH=groups"
+      - "GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email"
+      - "GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username"
+      - "GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=full_name"
+      - "GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/auth"
+      - "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/token"
+      - "GF_AUTH_GENERIC_OAUTH_API_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/userinfo"
+      - "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(resource_access.grafana.roles[*], 'serveradmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer' || 'None'"
+      - "GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true"
+    volumes:
+      - data:/var/lib/grafana
+      - ./grafana-ds.yml:/etc/grafana/provisioning/datasources/datasource.yml:ro,Z
+      - ./grafana-db.yml:/etc/grafana/provisioning/dashboards/datasource.yml:ro,Z
+      - ./grafana-dashboards:/var/lib/grafana/dashboards:ro,Z
+    networks:
+      - default
+      - metrics
+
+volumes:
+  data:
+networks:
+  backend:
+    internal: true
+  metrics:
+    external: true
+  postgres:
+    internal: true

ansible/plays/services/grafana/grafana-dashboards/droneci.json

@@ -0,0 +1,602 @@
+{% raw %}
+{
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "10.0.3"
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "stat",
+      "name": "Stat",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "Dashboard for Drone CI",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "gnetId": 16720,
+  "graphTooltip": 2,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "match": "null",
+                "result": {
+                  "text": "N/A"
+                }
+              },
+              "type": "special"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "links": [],
+      "maxDataPoints": 100,
+      "options": {
+        "colorMode": "none",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "sum(drone_build_count) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Builds",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "match": "null",
+                "result": {
+                  "text": "N/A"
+                }
+              },
+              "type": "special"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 4,
+        "y": 0
+      },
+      "id": 4,
+      "links": [],
+      "maxDataPoints": 100,
+      "options": {
+        "colorMode": "none",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "sum(drone_repo_count) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "refId": "A"
+        }
+      ],
+      "title": "Activated Repos",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "match": "null",
+                "result": {
+                  "text": "N/A"
+                }
+              },
+              "type": "special"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 8,
+        "y": 0
+      },
+      "id": 7,
+      "links": [],
+      "maxDataPoints": 100,
+      "options": {
+        "colorMode": "none",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_user_count) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Users",
+      "type": "stat"
+    },
+    {
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 4
+      },
+      "id": 10,
+      "title": "Metrics",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "decimals": 0,
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 5
+      },
+      "id": 6,
+      "links": [],
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "9.0.7",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_running_builds) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "running builds",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_pending_builds) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "pending builds",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Builds",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "decimals": 0,
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 5
+      },
+      "id": 8,
+      "links": [],
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "9.0.7",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_running_jobs) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "running jobs",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(drone_pending_jobs) by (application_name)",
+          "format": "time_series",
+          "intervalFactor": 1,
+          "legendFormat": "pending jobs",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Jobs",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "1m",
+  "schemaVersion": 38,
+  "style": "dark",
+  "tags": [
+    "drone",
+    "drone-ci",
+    "ci/cd"
+  ],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": true,
+          "text": "Prometheus",
+          "value": "Prometheus"
+        },
+        "hide": 0,
+        "includeAll": false,
+        "label": "datasource",
+        "multi": false,
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "queryValue": "",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-12h",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "5s",
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "",
+  "title": "Drone CI",
+  "uid": "IT4-bnNik",
+  "version": 2,
+  "weekStart": ""
+}
+{% endraw %}

ansible/plays/services/grafana/grafana-dashboards/kuma.json

@@ -0,0 +1,440 @@
+{% raw %}
+{
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "10.0.3"
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "stat",
+      "name": "Stat",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "A dashboard to show the data from the excellent Uptime Kuma project!",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "gnetId": 14847,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "color": "red",
+                  "index": 0,
+                  "text": "DOWN"
+                },
+                "1": {
+                  "color": "green",
+                  "index": 1,
+                  "text": "UP"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 17,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "monitor_status ",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "Site Status",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red",
+                "value": null
+              },
+              {
+                "color": "#EAB839",
+                "value": 30
+              },
+              {
+                "color": "green",
+                "value": 60
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 13,
+        "x": 0,
+        "y": 17
+      },
+      "id": 6,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "monitor_cert_days_remaining",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "TLS Certificate Remaining Days",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "color": "red",
+                  "index": 0,
+                  "text": "EXPIRED"
+                },
+                "1": {
+                  "color": "green",
+                  "index": 1,
+                  "text": "VALID"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red",
+                "value": null
+              },
+              {
+                "color": "green",
+                "value": 1
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 11,
+        "x": 13,
+        "y": 17
+      },
+      "id": 5,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "monitor_cert_is_valid",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "TLS Certificate Status",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "ms"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 24,
+        "x": 0,
+        "y": 26
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [
+            "max",
+            "min",
+            "lastNotNull"
+          ],
+          "displayMode": "table",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "exemplar": true,
+          "expr": "sum(monitor_response_time{}) by (monitor_name)",
+          "interval": "",
+          "legendFormat": "{{ monitor_name }}",
+          "refId": "A"
+        }
+      ],
+      "title": "Response Times",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "revision": 1,
+  "schemaVersion": 38,
+  "style": "dark",
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": false,
+          "text": "Prometheus",
+          "value": "Prometheus"
+        },
+        "hide": 0,
+        "includeAll": false,
+        "multi": false,
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-5m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Uptime Kuma",
+  "uid": "CN8E-vZ7k",
+  "version": 4,
+  "weekStart": ""
+}
+{% endraw %}

ansible/plays/services/grafana/grafana-dashboards/smokeping.json

@@ -0,0 +1,562 @@
+{% raw %}
+{
+  "__inputs": [
+    {
+      "name": "DS_MIMIR_NETCUP",
+      "label": "Mimir Netcup",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "10.2.3"
+    },
+    {
+      "type": "panel",
+      "id": "heatmap",
+      "name": "Heatmap",
+      "version": ""
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "Smoke Ping using https://github.com/SuperQ/smokeping_prober\r\nwith \r\nlatency heatmap\r\nlatency graph\r\npacket loss gragh\r\n",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "gnetId": 11335,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "cards": {},
+      "color": {
+        "cardColor": "#FF9830",
+        "colorScale": "sqrt",
+        "colorScheme": "interpolateOranges",
+        "exponent": 0.5,
+        "mode": "opacity"
+      },
+      "dataFormat": "tsbuckets",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_MIMIR_NETCUP}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "scaleDistribution": {
+              "type": "linear"
+            }
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "heatmap": {},
+      "hideZeroBuckets": false,
+      "highlightCards": true,
+      "id": 2,
+      "legend": {
+        "show": false
+      },
+      "links": [],
+      "options": {
+        "calculate": false,
+        "calculation": {},
+        "cellGap": 2,
+        "cellValues": {},
+        "color": {
+          "exponent": 0.5,
+          "fill": "#FF9830",
+          "mode": "opacity",
+          "reverse": false,
+          "scale": "exponential",
+          "scheme": "Oranges",
+          "steps": 128
+        },
+        "exemplars": {
+          "color": "rgba(255,0,255,0.7)"
+        },
+        "filterValues": {
+          "le": 1e-9
+        },
+        "legend": {
+          "show": true
+        },
+        "rowsFrame": {
+          "layout": "auto"
+        },
+        "showValue": "never",
+        "tooltip": {
+          "show": true,
+          "showColorScale": false,
+          "yHistogram": false
+        },
+        "yAxis": {
+          "axisPlacement": "right",
+          "decimals": 0,
+          "min": "0",
+          "reverse": false,
+          "unit": "s"
+        }
+      },
+      "pluginVersion": "10.2.3",
+      "reverseYBuckets": false,
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "sum(rate(smokeping_response_duration_seconds_bucket{host=\"$target\", __tenant_id__=\"$source\"}[1m])) by (le)",
+          "format": "heatmap",
+          "intervalFactor": 1,
+          "legendFormat": "{{le}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Smoke Ping - $target",
+      "tooltip": {
+        "show": true,
+        "showHistogram": false
+      },
+      "transparent": true,
+      "type": "heatmap",
+      "xAxis": {
+        "show": true
+      },
+      "yAxis": {
+        "decimals": 0,
+        "format": "s",
+        "logBase": 1,
+        "min": "0",
+        "show": true
+      },
+      "yBucketBound": "auto"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_MIMIR_NETCUP}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "Loss %",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "percentunit"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Count"
+            },
+            "properties": [
+              {
+                "id": "custom.fillOpacity",
+                "value": 0
+              },
+              {
+                "id": "unit",
+                "value": "none"
+              },
+              {
+                "id": "decimals",
+                "value": 0
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Loss Packet"
+              },
+              {
+                "id": "custom.lineStyle",
+                "value": {
+                  "dash": [
+                    10,
+                    10
+                  ],
+                  "fill": "dash"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "displayMode": "table",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.2.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "(smokeping_requests_total{host=\"$target\", __tenant_id__=\"$source\"} - smokeping_response_duration_seconds_count{host=\"$target\", __tenant_id__=\"$source\"})/smokeping_requests_total{host=\"$target\", __tenant_id__=\"$source\"} ",
+          "legendFormat": "Percentage",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "(smokeping_requests_total{host=\"$target\", __tenant_id__=\"$source\"} - smokeping_response_duration_seconds_count{host=\"$target\", __tenant_id__=\"$source\"})",
+          "legendFormat": "Count",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Packet Loss - $target",
+      "transparent": true,
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_MIMIR_NETCUP}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "links": [],
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Count"
+            },
+            "properties": [
+              {
+                "id": "custom.fillOpacity",
+                "value": 0
+              },
+              {
+                "id": "unit",
+                "value": "none"
+              },
+              {
+                "id": "decimals",
+                "value": 0
+              },
+              {
+                "id": "custom.axisPlacement",
+                "value": "hidden"
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Loss Packet"
+              },
+              {
+                "id": "custom.lineStyle",
+                "value": {
+                  "dash": [
+                    10,
+                    10
+                  ],
+                  "fill": "dash"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 10
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "calcs": [
+            "mean",
+            "lastNotNull",
+            "max",
+            "min"
+          ],
+          "displayMode": "table",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.2.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_MIMIR_NETCUP}"
+          },
+          "editorMode": "code",
+          "expr": "smokeping_response_duration_seconds_sum{host=\"$target\", __tenant_id__=\"$source\"} / smokeping_response_duration_seconds_count{host=\"$target\", __tenant_id__=\"$source\"}",
+          "legendFormat": "{{host}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Latency - $target",
+      "transparent": true,
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_MIMIR_NETCUP}"
+        },
+        "definition": "label_values(smokeping_response_duration_seconds_bucket, host)",
+        "hide": 0,
+        "includeAll": false,
+        "multi": false,
+        "name": "target",
+        "options": [],
+        "query": "label_values(smokeping_response_duration_seconds_bucket, host)",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 1,
+        "tagValuesQuery": "",
+        "tagsQuery": "",
+        "type": "query",
+        "useTags": false
+      },
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_MIMIR_NETCUP}"
+        },
+        "definition": "label_values(__tenant_id__)",
+        "description": "Host to query from",
+        "hide": 0,
+        "includeAll": false,
+        "label": "Host",
+        "multi": false,
+        "name": "source",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(__tenant_id__)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-30m",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "5s",
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "",
+  "title": "Smoke Ping",
+  "uid": "i5aRaLaik",
+  "version": 4,
+  "weekStart": ""
+}
+{% endraw %}

ansible/plays/services/grafana/grafana-db.yml

@@ -0,0 +1,12 @@
+apiVersion: 1
+
+providers:
+  - name: "Dashboard provider"
+    orgId: 1
+    type: file
+    disableDeletion: false
+    updateIntervalSeconds: 10
+    allowUiUpdates: true
+    options:
+      path: /var/lib/grafana/dashboards
+      foldersFromFilesStructure: true

ansible/plays/services/grafana/grafana-ds.yml

@@ -0,0 +1,28 @@
+apiVersion: 1
+
+datasources:
+- name: Mimir Netcup
+  type: prometheus
+  basicAuth: true
+  basicAuthUser: {{ common.mimir.username }}
+  jsonData:
+    httpHeaderName1: "X-Scope-OrgID"
+  secureJsonData:
+    basicAuthPassword: {{ common.mimir.password }}
+    httpHeaderValue1: "{{ groups['prometheus']|map('extract', hostvars, 'inventory_hostname')|join('|')|replace('.','-') }}"
+  url: https://{{ common.mimir.host }}/prometheus
+  isDefault: false
+  access: proxy
+  editable: true
+- name: Loki
+  type: loki
+  access: proxy
+  orgId: 1
+  url: https://{{ common.loki.host }}
+  basicAuth: true
+  basicAuthUser: {{ common.loki.username }}
+  secureJsonData:
+    basicAuthPassword: {{ common.loki.password }}
+  isDefault: false
+  version: 1
+  editable: true

ansible/plays/services/hedgedoc/docker-compose.yaml

@@ -1,25 +1,12 @@
+{% import 'macro/postgres.j2' as pg with context %}
 ---
 version: '3'
 services:
-  database:
-    image: postgres:13-alpine
-    environment:
-      - POSTGRES_USER={{ hedgedoc.db.user }}
-      - POSTGRES_PASSWORD={{ hedgedoc.db.password }}
-      - POSTGRES_DB={{ hedgedoc.db.name }}
-    volumes:
-      - database:/var/lib/postgresql/data
-    labels:
-      - "com.centurylinklabs.watchtower.scope=update"
-    restart: always
-    networks:
-      - backend
-
   app:
     # Make sure to use the latest release from https://hedgedoc.org/latest-release
-    image: quay.io/hedgedoc/hedgedoc:1.9.3
+    image: quay.io/hedgedoc/hedgedoc:latest
     environment:
-      - CMD_DB_URL=postgres://{{ hedgedoc.db.user }}:{{ hedgedoc.db.password }}@database:5432/{{ hedgedoc.db.name }}
+      - CMD_DB_URL=postgres://{{ hedgedoc.db.user }}:{{ hedgedoc.db.password }}@db:5432/{{ hedgedoc.db.name }}
       - CMD_DOMAIN=doc.tobiasmanske.de
       - CMD_ALLOW_ORIGIN=doc.tobiasmanske.de,localhost
       - CMD_CSP_ENABLE=true
@@ -34,33 +21,48 @@ services:
       - CMD_OAUTH2_CLIENT_ID={{ hedgedoc.cmd.client_id }}
       - CMD_OAUTH2_CLIENT_SECRET={{ hedgedoc.cmd.client_secret }}
       - CMD_OAUTH2_AUTHORIZATION_URL={{ hedgedoc.cmd.authorization_url }}
+      - CMD_OAUTH2_SCOPE=openid email profile
       - CMD_OAUTH2_TOKEN_URL={{ hedgedoc.cmd.token_url }}
       - CMD_OAUTH2_USER_PROFILE_URL={{ hedgedoc.cmd.user_profile_url }}
-      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=ocs.data.id
-      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=ocs.data.display-name
-      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=ocs.data.email
-    volumes:
-      - uploads:/hedgedoc/public/uploads
+      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+      - CMD_OAUTH2_PROVIDERNAME=Keycloak
+      - CMD_IMAGE_UPLOAD_TYPE=minio
+      - CMD_MINIO_ACCESS_KEY={{ hedgedoc.cmd.s3.access_key }}
+      - CMD_MINIO_SECRET_KEY={{ hedgedoc.cmd.s3.secret_key }}
+      - CMD_MINIO_ENDPOINT={{ hedgedoc.cmd.s3.endpoint }}
+      - CMD_MINIO_PORT={{ hedgedoc.cmd.s3.port }}
+      - CMD_MINIO_SECURE={{ hedgedoc.cmd.s3.secure }}
+      - CMD_S3_BUCKET=hedgedoc
+      - CMD_S3_FOLDER=uploads
     restart: always
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
       - "traefik.http.routers.hedgedoc.rule=Host(`doc.tobiasmanske.de`)"
+      - "traefik.http.routers.hedgedoc.middlewares=deny-metrics@file"
       - "traefik.http.routers.hedgedoc.entryPoints=websecure"
       - "traefik.http.services.hedgedoc.loadbalancer.server.port=3000"
-      - "com.centurylinklabs.watchtower.scope=update"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=3000"
     depends_on:
-      - database
+      db:
+        condition: service_healthy
     networks:
       - backend
-      - gateway
+      - metrics
+      - default # oauth
+{{ pg.postgres("db", hedgedoc.db.user, hedgedoc.db.password, hedgedoc.db.name, ["backend"], version="13-alpine") }}
 
 volumes:
-  database:
-  uploads:
+  db_data:
 
 networks:
-  gateway:
-    external: true
   backend:
     internal: true
+  metrics:
+    external: true
+  postgres:
+    internal: true
 ...

ansible/plays/services/jellyfin/.env

@@ -0,0 +1,3 @@
+COMPOSE_PROJECT_NAME=jellyfin
+UID=64001
+GID=64001

ansible/plays/services/jellyfin/docker-compose.yaml

@@ -0,0 +1,25 @@
+---
+version: "3.4"
+
+services:
+  jellyfin:
+    image: jellyfin/jellyfin:latest
+    user: "$UID:$GID"
+    ports:
+      - "8096:8096/tcp"
+    restart: always
+    volumes:
+      - "library:/media"
+      - "cache:/cache"
+      - "config:/config"
+
+volumes:
+  library:
+    driver: local
+    driver_opts:
+      type: cifs
+      device: "{{ jellyfin.cifs.address }}"
+      o: "username={{ jellyfin.cifs.username }},password={{ jellyfin.cifs.password }},vers=3.0,uid=$UID,gid=$GID"
+  cache:
+  config:
+...

ansible/plays/services/keycloak/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=keycloak

ansible/plays/services/keycloak/docker-compose.yaml

@@ -0,0 +1,43 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3.9'
+
+services:
+  keycloak:
+    image: registry.tobiasmanske.de/keycloak:main
+    command: start
+    depends_on:
+      pg:
+        condition: service_healthy
+    environment:
+      - "KC_DB=postgres"
+      - "KC_DB_URL_HOST=pg"
+      - "KC_DB_URL_DATABASE={{ auth.db.name }}"
+      - "KC_DB_USERNAME={{ auth.db.user }}"
+      - "KC_DB_PASSWORD={{ auth.db.password }}"
+      - "KEYCLOAK_ADMIN={{ auth.keycloak.user }}"
+      - "KEYCLOAK_ADMIN_PASSWORD={{ auth.keycloak.password }}"
+      - "KC_PROXY=edge"
+      - "KC_HOSTNAME=auth.tobiasmanske.de"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.keycloak.rule=Host(`auth.tobiasmanske.de`)"
+      - "traefik.http.routers.keycloak.entryPoints=websecure"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+    restart: always
+    networks:
+      - backend
+      - default # keycloak needs to talk to social logins
+
+{{ pg.postgres("pg", auth.db.user, auth.db.password, auth.db.name, ["backend"]) }}
+
+networks:
+  postgres:
+    internal: true
+  backend:
+    internal: true
+
+volumes:
+  pg_data:
+...

ansible/plays/services/kuma/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=kuma-{{ service_name|default("kuma") }}

ansible/plays/services/kuma/docker-compose.yaml

@@ -0,0 +1,26 @@
+{% set _name = service_name|default("kuma") %}
+{% set _urls = urls|default(kuma.urls)|mandatory %}
+---
+services:
+  kuma:
+    image: louislam/uptime-kuma:latest
+    restart: unless-stopped
+    volumes:
+      - data:/app/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.kuma-{{ _name }}.rule={{ _urls | map('regex_replace', '^(.*)$', 'Host(`\\1`)') | join(' || ') }}"
+      - "traefik.http.routers.kuma-{{ _name }}.entryPoints=websecure"
+      - "traefik.http.services.kuma-{{ _name }}.loadbalancer.server.port=3001"
+    networks:
+      - default
+      - pantalaimon
+
+volumes:
+  data:
+
+networks:
+  pantalaimon:
+    external: true
+...

ansible/plays/services/linktree/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=linktree

ansible/plays/services/linktree/docker-compose.yaml

@@ -0,0 +1,14 @@
+---
+version: "3.4"
+
+services:
+  unruhig.eu:
+    image: registry.tobiasmanske.de/unruhig.eu:latest
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.unruhigeu.rule=(Host(`unruhig.eu`) || Host(`www.unruhig.eu`))"
+      - "traefik.http.routers.unruhigeu.entryPoints=websecure"
+      - "traefik.http.services.unruhigeu.loadbalancer.server.port=80"
+    restart: always
+...

ansible/plays/services/loki/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=loki

ansible/plays/services/loki/docker-compose.yaml

@@ -0,0 +1,28 @@
+version: "3.4"
+services:
+  loki:
+    image: grafana/loki:latest
+    restart: unless-stopped
+    command: -config.file=/etc/loki/loki.yaml
+    volumes:
+      - ./loki.yml:/etc/loki/loki.yaml:ro,Z
+      - loki_data:/loki
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.loki.rule=Host(`loki.tobiasmanske.de`)"
+      - "traefik.http.middlewares.loki-auth.basicauth.users={{ common.loki.username }}:{{ common.loki.password_hash | mandatory }}"
+      - "traefik.http.routers.loki.entryPoints=websecure"
+      - "traefik.http.services.loki.loadbalancer.server.port=3100"
+      - "traefik.http.routers.loki.middlewares=loki-auth"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=3100"
+    networks:
+      - metrics
+      - default
+
+volumes:
+  loki_data:
+networks:
+  metrics:
+    external: true

ansible/plays/services/loki/loki.yml

@@ -0,0 +1,51 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: aws
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+common:
+  path_prefix: /loki
+  storage:
+    s3:
+      endpoint: s3.tobiasmanske.de
+      bucketnames: loki-data
+      access_key_id: "{{ loki.s3.access_key }}"
+      secret_access_key: "{{ loki.s3.secret_key }}"
+      s3forcepathstyle: true
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+compactor:
+  working_directory: /loki/compactor
+  shared_store: s3
+
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /loki/active
+    cache_location: /loki/cache
+    cache_ttl: 24h
+    resync_interval: 5s
+    shared_store: s3
+  aws:
+    s3: "s3://{{ loki.s3.access_key }}:{{ loki.s3.secret_key }}@s3.tobiasmanske.de.:443/loki-data"
+    s3forcepathstyle: true

ansible/plays/services/matrix/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=matrix

ansible/plays/services/matrix/Caddyfile

@@ -0,0 +1,15 @@
+{
+  auto_https off
+}
+
+http://{{ matrix.baseurl }} {
+  header {
+    Content-Type application/json
+    Access-Control-Allow-Origin *
+  }
+  respond /.well-known/matrix/client "{\"m.homeserver\": {\"base_url\": \"https://synapse.{{ matrix.baseurl }}\"}, \"org.matrix.msc3575.proxy\": { \"url\": \"https://syncv3.{{ matrix.baseurl }}\" } }" 200
+  respond /.well-known/matrix/server "{\"m.server\": \"synapse.{{ matrix.baseurl }}:443\"}" 200
+  respond /.well-known/matrix/support "{\"admins\":[{\"matrix_id\":\"@tobi:{{ matrix.baseurl }}\",\"email_address\":\"matrix@{{ matrix.baseurl }}\",\"role\":\"admin\"}]}" 200
+
+  respond 404
+}

ansible/plays/services/matrix/cinny-config.json

@@ -0,0 +1,12 @@
+{
+  "defaultHomeserver": 0,
+  "homeserverList": [
+    "unruhig.eu",
+    "entropia.de",
+    "matrix.org",
+    "archlinux.org",
+    "kit.edu",
+    "mozilla.org"
+  ],
+  "allowCustomHomeservers": true
+}

ansible/plays/services/matrix/docker-compose.yaml

@@ -0,0 +1,207 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3.9'
+
+services:
+
+  synapse:
+    image: registry.tobiasmanske.de/matrixdotorg/synapse:latest
+    user: "1000:1000"
+    # Since synapse does not retry to connect to the database, restart upon
+    # failure
+    restart: unless-stopped
+    # See the readme for a full documentation of the environment settings
+    # NOTE: You must edit homeserver.yaml to use postgres, it defaults to sqlite
+    environment:
+      - SYNAPSE_CONFIG_DIR=/config
+      - SYNAPSE_CONFIG_PATH=/config/homeserver.yaml
+      - TZ=Europe/Berlin
+    ulimits:
+      nofile:
+        soft: 10000
+        hard: 40000
+    volumes:
+      - synapse_data:/data
+      - ./synapse-config:/config:ro,Z
+      - ./mautrix-telegram/registration.yaml:/data/reg-mautrix-tg.yaml:ro,Z
+      - ./mautrix-slack/registration.yaml:/data/reg-mautrix-slack.yaml:ro,Z
+      - ./mautrix-signal/registration.yaml:/data/reg-mautrix-signal.yaml:ro,Z
+    depends_on:
+      - db
+      - redis
+    networks:
+      - default
+      - backend
+      - metrics
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.http-synapse.rule=Host(`synapse.{{ matrix.baseurl }}`)"
+      - "traefik.http.routers.http-synapse.entryPoints=websecure"
+      - "traefik.http.routers.http-synapse.service=matrix-synapse"
+      - "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix.baseurl }}`) && PathPrefix(`/_{path:(matrix|synapse)}/`)"
+      - "traefik.http.routers.matrix-synapse.entryPoints=websecure"
+      - "traefik.http.routers.matrix-synapse.service=matrix-synapse"
+      - "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008"
+      - "prometheus-scrape.enabled=true"
+      - "prometheus-scrape.port=9091"
+      - "prometheus-scrape.metrics_path=/_synapse/metrics"
+
+{{ pg.postgres("db", matrix.db.user, matrix.db.password, matrix.db.database, ["backend"] ) }}
+
+  caddy:
+    image: caddy:2
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro,z
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.matrix-well-known.rule=Host(`{{ matrix.baseurl }}`) && PathPrefix(`/.well-known/matrix/`)"
+      - "traefik.http.routers.matrix-well-known.entrypoints=websecure"
+      - "traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
+
+  cinny:
+    image: ghcr.io/cinnyapp/cinny:latest
+    # image: registry.tobiasmanske.de/cinnyapp/cinny:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.matrix-cinny.rule=Host(`cinny.{{ matrix.baseurl }}`)"
+      - "traefik.http.routers.matrix-cinny.entryPoints=websecure"
+      - "traefik.http.services.matrix-cinny.loadbalancer.server.port=80"
+    volumes:
+      - ./cinny-config.json:/app/config.json:ro,Z
+    networks:
+      - default
+
+  redis:
+    image: redis:latest
+    restart: unless-stopped
+    networks:
+      - backend
+
+### SLIDING SYNC
+
+{{ pg.postgres("db-syncv3", matrix.syncv3.user, matrix.syncv3.password, matrix.syncv3.database, ["syncv3"] ) }}
+
+  syncv3-proxy:
+    image: ghcr.io/matrix-org/sliding-sync:latest
+    restart: always
+    environment:
+      - "SYNCV3_SERVER=https://synapse.{{ matrix.baseurl }}"
+      - "SYNCV3_SECRET={{ matrix.syncv3.secret }}"
+      - "SYNCV3_BINDADDR=:8008"
+      - "SYNCV3_PROM=:2112"
+      - "SYNCV3_DB=user={{ matrix.syncv3.user }} dbname={{ matrix.syncv3.database }} sslmode=disable host=db-syncv3 password='{{ matrix.syncv3.password }}'"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.matrix-syncv3-proxy.rule=Host(`syncv3.{{ matrix.baseurl }}`)"
+      - "traefik.http.routers.matrix-syncv3-proxy.entrypoints=websecure"
+      - "traefik.http.services.matrix-syncv3-proxy.loadbalancer.server.port=8008"
+      - "prometheus-scrape.enabled=false"
+      - "prometheus-scrape.port=2112"
+    networks:
+      - syncv3
+      - default
+
+### BRIDGES
+
+#### Telegram
+
+  mautrix-telegram:
+    image: dock.mau.dev/mautrix/telegram:latest
+    user: "1000:1000"
+    restart: unless-stopped
+    environment:
+      - "MAUTRIX_DIRECT_STARTUP=1"
+    volumes:
+      - bridge_tg_data:/data
+      - ./mautrix-telegram/config.yaml:/data/config.yaml:ro,Z
+      - ./mautrix-telegram/registration.yaml:/data/registration.yaml:ro,Z
+    networks:
+      - backend
+      - default # Needs to contact UFOs in the sky
+    depends_on:
+      - db-bridge-tg
+      - synapse
+
+{{ pg.postgres("db-bridge-tg", matrix.bridge.tg.dbuser, matrix.bridge.tg.dbpass, matrix.bridge.tg.dbname, ["backend"] ) }}
+
+#### SLACK
+
+  mautrix-slack:
+    image: dock.mau.dev/mautrix/slack:latest
+    environment:
+      - "UID=1000"
+      - "GID=1000"
+    restart: unless-stopped
+    volumes:
+      - bridge_slack_data:/data
+      - ./mautrix-slack/config.yaml:/data/config.yaml:ro,Z
+      - ./mautrix-slack/registration.yaml:/data/registration.yaml:ro,Z
+    networks:
+      - backend
+      - default # Needs to contact UFOs in the sky
+    depends_on:
+      - db-bridge-slack
+      - synapse
+
+{{ pg.postgres("db-bridge-slack", matrix.bridge.slack.dbuser, matrix.bridge.slack.dbpass, matrix.bridge.slack.dbname, ["backend"] ) }}
+
+#### SIGNAL
+  mautrix-signal:
+    image: dock.mau.dev/mautrix/signal:latest
+    restart: unless-stopped
+    environment:
+      - "MAUTRIX_DIRECT_STARTUP=1"
+      - "UID=1000"
+    networks:
+      - default
+      - backend
+    volumes:
+      - bridge_signal_data:/data
+      - signald_data:/signald
+      - ./mautrix-signal/config.yaml:/data/config.yaml:ro,Z
+      - ./mautrix-signal/registration.yaml:/data/registration.yaml:ro,Z
+    depends_on:
+      - signald
+      - db-bridge-signal
+
+  signald:
+    image: docker.io/signald/signald:latest
+    restart: unless-stopped
+    networks:
+      - default
+      - backend
+    volumes:
+      - signald_data:/signald
+
+{{ pg.postgres("db-bridge-signal", matrix.bridge.signal.dbuser, matrix.bridge.signal.dbpass, matrix.bridge.signal.dbname, ["backend"] ) }}
+
+networks:
+  default:
+    enable_ipv6: true
+  postgres:
+    internal: true
+  backend:
+    internal: true
+  syncv3:
+    internal: true
+  metrics:
+    external: true
+
+volumes:
+  bridge_signal_data:
+  bridge_slack_data:
+  bridge_tg_data:
+  db-bridge-signal_data:
+  db-bridge-slack_data:
+  db-bridge-tg_data:
+  db-syncv3_data:
+  db_data:
+  signald_data:
+  synapse_data:
+...

ansible/plays/services/matrix/mautrix-signal/config.yaml

@@ -0,0 +1,306 @@
+# Homeserver details
+# {% set config = matrix.bridge.signal %}
+
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://synapse.{{ matrix.baseurl }}
+    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+    domain: {{ matrix.baseurl }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # Number of retries for all HTTP requests if the homeserver isn't reachable.
+    http_retry_count: 4
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint:
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint:
+    # Maximum number of simultaneous HTTP connections to the homeserver.
+    connection_limit: 100
+    # Whether asynchronous uploads via MSC2246 should be enabled for media.
+    # Requires a media repo that supports MSC2246.
+    async_media: false
+
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://mautrix-signal:29328
+    # When using https:// the TLS certificate and key files for the address.
+    tls_cert: false
+    tls_key: false
+
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29328
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+
+    # The full URI to the database. SQLite and Postgres are supported.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
+    database: postgres://{{ config.dbuser }}:{{ config.dbpass }}@db-bridge-signal/{{ config.dbname }}?sslmode=disable
+    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
+    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
+    # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
+    database_opts:
+        min_size: 1
+        max_size: 10
+    id: signal
+    # Username of the appservice bot.
+    bot_username: signalbot
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Signal bridge bot
+    bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
+
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ config.as_token }}"
+    hs_token: "{{ config.hs_token }}"
+
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+
+# Manhole config.
+manhole:
+    # Whether or not opening the manhole is allowed.
+    enabled: false
+    # The path for the unix socket.
+    path: /var/tmp/mautrix-signal.manhole
+    # The list of UIDs who can be added to the whitelist.
+    # If empty, any UIDs can be specified in the open-manhole command.
+    whitelist:
+    - 0
+signal:
+    # Path to signald unix socket
+    socket_path: /signald/signald.sock
+    # Directory for temp files when sending files to Signal. This should be an
+    # absolute path that signald can read. For attachments in the other direction,
+    # make sure signald is configured to use an absolute path as the data directory.
+    outgoing_attachment_dir: /signald/attachments
+    # Directory where signald stores avatars for groups.
+    avatar_dir: /signald/avatars
+    # Directory where signald stores auth data. Used to delete data when logging out.
+    data_dir: /signald/data
+    # Whether or not unknown signald accounts should be deleted when the bridge is started.
+    # When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
+    delete_unknown_accounts_on_start: false
+    # Whether or not message attachments should be removed from disk after they're bridged.
+    remove_file_after_handling: true
+    # Whether or not users can register a primary device
+    registration_enabled: true
+    # Whether or not to enable disappearing messages in groups. If enabled, then the expiration
+    # time of the messages will be determined by the first users to read the message, rather
+    # than individually. If the bridge has a single user, this can be turned on safely.
+    enable_disappearing_messages_in_groups: false
+
+# Bridge config
+bridge:
+    # {% raw %}
+    # Localpart template of MXIDs for Signal users.
+    # {userid} is replaced with the UUID of the Signal user.
+    username_template: "signal_{{.}}"
+    # Displayname template for Signal users.
+    # {displayname} is replaced with the displayname of the Signal user, which is the first
+    # available variable in displayname_preference. The variables in displayname_preference
+    # can also be used here directly.
+    # FIXME: ContactName is not save for multi-user instances.
+    displayname_template: '{{or .ProfileName .ContactName .PhoneNumber "Unknown User"}} (Signal)'
+    # {% endraw %}
+    autocreate_group_portal: true
+    # Whether or not to create portals for all contacts on login/connect.
+    autocreate_contact_portal: false
+    # Whether or not to make portals of Signal groups in which joining via invite link does
+    # not need to be approved by an administrator publicly joinable on Matrix.
+    public_portals: false
+    # Whether or not to use /sync to get read receipts and typing notifications
+    # when double puppeting is enabled
+    sync_with_custom_puppets: false
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
+    double_puppet_server_map:
+        {{ matrix.baseurl }}: https://{{ matrix.baseurl }}
+    login_shared_secret_map:
+        {{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}
+    federate_rooms: false
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: true
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: true
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: true
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: false
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+
+    # Whether or not to explicitly set the avatar and room name for private
+    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
+    private_chat_portal_meta: "default"
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+    # been sent to Signal. This let's you check manually whether the bridge is receiving your
+    # messages.
+    # Note that this is not related to Signal delivery receipts.
+    delivery_receipts: true
+    # Whether or not delivery errors should be reported as messages in the Matrix room.
+    delivery_error_reports: true
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false
+    # Interval at which to resync contacts (in seconds).
+    periodic_sync: 0
+    # Should leaving the room on Matrix make the user leave on Signal?
+    bridge_matrix_leave: false
+    # Should the bridge auto-create a group chat on Signal when a ghost is invited to a room?
+    # Requires the user to have sufficient power level and double puppeting enabled.
+    create_group_on_invite: true
+    hacky_contact_name_mixup_detection: false
+
+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: false
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: disabled
+        # Segment API key to enable analytics tracking for web server
+        # endpoints. Set to null to disable.
+        # Currently the only events are login start, QR code scan, and login
+        # success/failure.
+        segment_key:
+        # Optional user_id to use when sending Segment events. If null, defaults to using mxID.
+        segment_user_id:
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: '!signal'
+
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: Hello, I'm a Signal bridge bot.
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: Use `help` for help.
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: Use `help` for help or `link` to log in.
+        # Optional extra text sent when joining a management room.
+        additional_help: ''
+
+    # Send each message separately (for readability in some clients)
+    management_room_multiple_messages: false
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #      relay - Allowed to be relayed through the bridge, no access to commands.
+    #       user - Use the bridge with puppeting.
+    #      admin - Use and administrate the bridge.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        '*': relay
+        {{ matrix.baseurl }}: user
+        '@tobi:{{ matrix.baseurl }}': admin
+    relay:
+        # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
+        # authenticated user into a relaybot for that chat.
+        enabled: false
+        # The formats to use when sending messages to Signal via a relay user.
+        #
+        # Available variables:
+        #   $sender_displayname - The display name of the sender (e.g. Example User)
+        #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+        #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+        #   $message            - The message content
+        message_formats:
+            m.text: '$sender_displayname: $message'
+            m.notice: '$sender_displayname: $message'
+            m.emote: '* $sender_displayname $message'
+            m.file: $sender_displayname sent a file
+            m.image: $sender_displayname sent an image
+            m.audio: $sender_displayname sent an audio file
+            m.video: $sender_displayname sent a video
+            m.location: $sender_displayname sent a location
+        relaybot: '@relaybot:example.com'
+        # Whether or not invites from non-logged-in users should be relayed
+        invite: true
+
+    # Format for generating URLs from location messages for sending to Signal
+    # Google Maps: 'https://www.google.com/maps/place/{lat},{long}'
+    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}'
+    location_format: https://www.google.com/maps/place/{lat},{long}
+
+logging:
+    min_level: debug
+    writers:
+    - type: stdout
+      format: json
+

ansible/plays/services/matrix/mautrix-signal/registration.yaml

@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+31353638336331613430353931626330366132643736326566343536343666643965333163313831
+3062336363343836666163393763326332623730623930620a333666373365306536636264613732
+64373937373062303332306166393833656239333862343836626364613639633762376138383964
+3033623639636530320a613233643736383637396131636434306435346637353966393639363239
+30336461616464303031386164393433373831353435333466323166643436626234623262633237
+30373830366430636230633962643439363666363031633936313934616332306437623138373535
+65343062336461663861376664383138636333353338666231623436666366303431363438323632
+31313739376439323665386130323338363930366361646361383831643337653963353639353738
+36383866313262616135633231623964663266643030343561363735323039376338373165356366
+30643738313331333733343739366435383936373135666433666663353039316331366463623362
+38343430663432396332623662633533396433366564656263393735663839666566376139656261
+65323664616463626430653734393433626231386230633664653264373034633731633239363135
+35333366333039623764386330613130373263316436316266303461626463373939336134363039
+62653363613064373731616137333663333334636336623363343034383263656631653864336439
+65623762666538383766393939303832373566623666383761623234636638303566336438616136
+33333939323061333431656435383731326633323135313839343761613231623537356333636336
+65323063653239623166313938386133366565313336643161323564386338363839393434616535
+63373038383334633238303336386261343639393537333735383439346164633962343033633533
+64353138373161323639613434653939326265336239366364336630666634356439303564653833
+31333765303030376330396261376161636563306133363137313435376133373363653031356333
+62663737646165626366363230663262346563633236366238646339303763383161663033356232
+34343434363833386330636535663333356364633332616431613431386534336133386638333034
+35633363333366306435656137303866636232323765313164363636636366653364326332613233
+32643866663032313431663463666364326633376332323335336131376131663865616232653065
+34633338333237636336333062646561376331363138346132386430633462666634646462656431
+65373562323539636165313038643839623132643539346539343338346366366362323230653935
+34323834393961376234343564383635623865303765663439316535396263363265626265613761
+33343034343666663834363133663734343838623132666561393862623136613035656434626233
+31666434656535393536623461393630346262643331336364353932326337376132333631616635
+3963306630613238323633666264316462393063383639656333

ansible/plays/services/matrix/mautrix-slack/config.yaml

@@ -0,0 +1,233 @@
+# Homeserver details.
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://synapse.{{ matrix.baseurl }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix.baseurl }}
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null
+    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+    async_media: false
+
+# Application service host/registration related details.
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://mautrix-slack:29335
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29335
+
+    # Database config.
+    database:
+        # The database type. "sqlite3" and "postgres" are supported.
+        type: postgres
+        # The database URI.
+        #   SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
+        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+        uri: postgres://{{ matrix.bridge.slack.dbuser }}:{{ matrix.bridge.slack.dbpass }}@db-bridge-slack/{{ matrix.bridge.slack.dbname }}?sslmode=disable
+        # Maximum number of connections. Mostly relevant for Postgres.
+        max_open_conns: 20
+        max_idle_conns: 2
+        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+        # Parsed with https://pkg.go.dev/time#ParseDuration
+        max_conn_idle_time: null
+        max_conn_lifetime: null
+
+    # The unique ID of this appservice.
+    id: slack
+    # Appservice bot details.
+    bot:
+        # Username of the appservice bot.
+        username: slackbot
+        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+        # to leave display name/avatar as-is.
+        displayname: Slack bridge bot
+        avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ matrix.bridge.slack.as_token }}"
+    hs_token: "{{ matrix.bridge.slack.hs_token }}"
+
+# Bridge config
+bridge:
+{% raw %}
+    # Localpart template of MXIDs for Slack users.
+    # {{.}} is replaced with the internal ID of the Slack user.
+    username_template: slack_{{.}}
+    # Displayname template for Slack users.
+    # TODO: document variables
+    displayname_template: '{{if not .DisplayName}}{{.RealName}}{{else}}{{.DisplayName}}{{end}} (Slack)'
+    bot_displayname_template: '{{.Name}} (bot)'
+    channel_name_template: '#{{.Name}}'
+{% endraw %}
+    portal_message_buffer: 128
+    # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack?
+    delivery_receipts: true
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+    message_error_notices: true
+    # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
+    sync_with_custom_puppets: false
+    # Should the bridge update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    private_chat_portal_meta: always
+    federate_rooms: false
+    # Servers to always allow double puppeting from
+    double_puppet_server_map:
+      {{ matrix.baseurl }}: https://{{ matrix.baseurl }}
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, double puppeting will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    login_shared_secret_map:
+      {{ matrix.baseurl }}: "{{ matrix.authenticator.shared_secret }}"
+    message_handling_timeout:
+        # Send an error message after this timeout, but keep waiting for the response until the deadline.
+        # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
+        # If the message is older than this when it reaches the bridge, the message won't be handled at all.
+        error_after: 10s
+        # Drop messages after this timeout. They may still go through if the message got sent to the servers.
+        # This is counted from the time the bridge starts handling the message.
+        deadline: 60s
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: '!slack'
+
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Slack bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+    backfill:
+        # Allow backfilling at all? Requires MSC2716 support on homeserver.
+        enable: false
+        # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack.
+        # Set to -1 to let any chat be unread.
+        unread_hours_threshold: 720
+        # Number of messages to immediately backfill when creating a portal.
+        immediate_messages: 10
+        # Settings for incremental backfill of history.
+        incremental:
+            # Maximum number of messages to backfill per batch.
+            messages_per_batch: 100
+            # The number of seconds to wait after backfilling the batch of messages.
+            post_batch_delay: 20
+            # The maximum number of messages to backfill per portal, split by the chat type.
+            # If set to -1, all messages in the chat will eventually be backfilled.
+            max_messages:
+                # Channels
+                channel: -1
+                # Group direct messages
+                group_dm: -1
+                # 1:1 direct messages
+                dm: -1
+
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: true
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: true
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: false
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: true
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+
+    # Settings for provisioning API
+    provisioning:
+        # Prefix for the provisioning API paths.
+        prefix: /_matrix/provision
+        # Shared secret for authentication. If set to "generate", a random secret will be generated,
+        # or if set to "disable", the provisioning API will be disabled.
+        shared_secret: disable
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #    relay - Talk through the relaybot (if enabled), no access otherwise
+    #     user - Access to use the bridge to chat with a Slack account.
+    #    admin - User level and some additional administration tools
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        "*": relay
+        "{{ matrix.baseurl }}": user
+        "@tobi:{{ matrix.baseurl }}": admin
+
+{% raw %}
+logging:
+    directory: ./logs
+    file_name_format: '{{.Date}}-{{.Index}}.log'
+    file_date_format: "2006-01-02"
+    file_mode: 384
+    timestamp_format: Jan _2, 2006 15:04:05
+    print_level: debug
+    print_json: false
+    file_json: false
+{% endraw %}

ansible/plays/services/matrix/mautrix-slack/registration.yaml

@@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+63643764313434366534636536373233613163353932353332353034386638623463323265356366
+3033666637643563393537636263366338643736303663620a376138656235653238386131623864
+33356331386265613436626337356436373439376434633135626339373931346166313834323938
+3833636339306137360a383230386236333632613037363139356230663563333266353030616133
+39343037343234386465646433613465646363343237346432373934623431336163303233323263
+65356133373264323664663238306266336332353632643533373038653938623939353931613964
+33383638653061313961363033343435316130666337393034356664653933626466623734643239
+63663864316464343631313533653931376561303830366665333635613666346139623937373663
+65393234326533623364626666353763396437386330386563333432306566316161626561363836
+62613630623864323163616639396233393031373734373332383064626562623563363266383065
+61613738323034313431333333656530346566333165363430333962373930363736396265636663
+65646632356265633665633930343231636138366364653038336563333234326139333437643063
+39653437303565343739306237653832616265323138643234313731343339353161333363366538
+35373864666436306438303037363766373532633533666335303137346337633265613630653637
+39356237663665333533363030653735333535653861353866363362343830366562383661666137
+37623436336531363230356233656235666238663537616437353636353732643639386534616561
+30656264316535636437653032343634643036363838626234303837393935393430323537643231
+64363534313033396362326530663430373661613362346364356262386433663731313866363438
+30653966343436656430326434646337386230333432383861333635326431346332663332313437
+35636162323834616437383563353932333137653639616532363162663365393437386333613439
+35343937333034303934623962653132323837643430303230383163393833316233636233643736
+33666530653033613762313364653734633765326432613032386535333335633834633430356165
+64396132386133326464376163326236373131316266343634306163313235616236383239366639
+38373235643763616236356266663534356230643131653130323338393262616337346635633835
+39386236643562653738383037376334303138623966316637386464386139613431

ansible/plays/services/matrix/mautrix-telegram/config.yaml

@@ -0,0 +1,593 @@
+# Homeserver details
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://synapse.{{ matrix.baseurl }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix.baseurl }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # Number of retries for all HTTP requests if the homeserver isn't reachable.
+    http_retry_count: 4
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null
+    # Whether asynchronous uploads via MSC2246 should be enabled for media.
+    # Requires a media repo that supports MSC2246.
+    async_media: false
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://mautrix-telegram:29317
+    # When using https:// the TLS certificate and key files for the address.
+    tls_cert: false
+    tls_key: false
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29317
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+    # The full URI to the database. SQLite and Postgres are supported.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
+    database: postgres://{{ matrix.bridge.tg.dbuser }}:{{ matrix.bridge.tg.dbpass }}@db-bridge-tg/{{ matrix.bridge.tg.dbname }}
+    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
+    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
+    # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
+    database_opts:
+        min_size: 1
+        max_size: 10
+    # Public part of web server for out-of-Matrix interaction with the bridge.
+    # Used for things like login if the user wants to make sure the 2FA password isn't stored in
+    # the HS database.
+    public:
+        # Whether or not the public-facing endpoints should be enabled.
+        enabled: false
+        # The prefix to use in the public-facing endpoints.
+        prefix: /public
+        # The base URL where the public-facing endpoints are available. The prefix is not added
+        # implicitly.
+        external: https://example.com/public
+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: false
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: generate
+    # The unique ID of this appservice.
+    id: telegram
+    # Username of the appservice bot.
+    bot_username: telegrambot
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Telegram bridge bot
+    bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ matrix.bridge.tg.as_token }}"
+    hs_token: "{{ matrix.bridge.tg.hs_token }}"
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+# Manhole config.
+manhole:
+    # Whether or not opening the manhole is allowed.
+    enabled: false
+    # The path for the unix socket.
+    path: /var/tmp/mautrix-telegram.manhole
+    # The list of UIDs who can be added to the whitelist.
+    # If empty, any UIDs can be specified in the open-manhole command.
+    whitelist:
+        - 0
+# Bridge config
+bridge:
+    # Localpart template of MXIDs for Telegram users.
+    # {userid} is replaced with the user ID of the Telegram user.
+    username_template: "telegram_{userid}"
+    # Localpart template of room aliases for Telegram portal rooms.
+    # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
+    alias_template: "telegram_{groupname}"
+    # Displayname template for Telegram users.
+    # {displayname} is replaced with the display name of the Telegram user.
+    displayname_template: "{displayname} (Telegram)"
+    # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
+    # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
+    # ID is used.
+    #
+    # If the bridge is working properly, a phone number or an username should always be known, but
+    # the other one can very well be empty.
+    #
+    # Valid keys:
+    #   "full name"          (First and/or last name)
+    #   "full name reversed" (Last and/or first name)
+    #   "first name"
+    #   "last name"
+    #   "username"
+    #   "phone number"
+    displayname_preference:
+        - full name
+        - username
+        - phone number
+    # Maximum length of displayname
+    displayname_max_length: 100
+    # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
+    # as there's no way to determine whether an avatar is removed or just hidden from some users. If
+    # you're on a single-user instance, this should be safe to enable.
+    allow_avatar_remove: false
+    # Maximum number of members to sync per portal when starting up. Other members will be
+    # synced when they send messages. The maximum is 10000, after which the Telegram server
+    # will not send any more members.
+    # -1 means no limit (which means it's limited to 10000 by the server)
+    max_initial_member_sync: 100
+    # Maximum number of participants in chats to bridge. Only applies when the portal is being created.
+    # If there are more members when trying to create a room, the room creation will be cancelled.
+    # -1 means no limit (which means all chats can be bridged)
+    max_member_count: -1
+    # Whether or not to sync the member list in channels.
+    # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
+    # list regardless of this setting.
+    sync_channel_members: true
+    # Whether or not to skip deleted members when syncing members.
+    skip_deleted_members: true
+    # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
+    # their Telegram account at startup.
+    startup_sync: true
+    # Number of most recently active dialogs to check when syncing chats.
+    # Set to 0 to remove limit.
+    sync_update_limit: 0
+    # Number of most recently active dialogs to create portals for when syncing chats.
+    # Set to 0 to remove limit.
+    sync_create_limit: 15
+    # Should all chats be scheduled to be created later?
+    # This is best used in combination with MSC2716 infinite backfill.
+    sync_deferred_create_all: false
+    # Whether or not to sync and create portals for direct chats at startup.
+    sync_direct_chats: true
+    # The maximum number of simultaneous Telegram deletions to handle.
+    # A large number of simultaneous redactions could put strain on your homeserver.
+    max_telegram_delete: 10
+    # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
+    # at startup and when creating a bridge.
+    sync_matrix_state: true
+    # Allow logging in within Matrix. If false, users can only log in using login-qr or the
+    # out-of-Matrix login website (see appservice.public config section)
+    allow_matrix_login: true
+    # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
+    public_portals: false
+    # Whether or not to use /sync to get presence, read receipts and typing notifications
+    # when double puppeting is enabled
+    sync_with_custom_puppets: false
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Servers to always allow double puppeting from
+    double_puppet_server_map:
+        {{ matrix.baseurl }}: https://{{ matrix.baseurl }}
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, custom puppets will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    # If using this for other servers than the bridge's server,
+    # you must also set the URL in the double_puppet_server_map.
+    login_shared_secret_map:
+        {{ matrix.baseurl }}: {{ matrix.authenticator.shared_secret }}
+    # Set to false to disable link previews in messages sent to Telegram.
+    telegram_link_preview: true
+    # Whether or not the !tg join command should do a HTTP request
+    # to resolve redirects in invite links.
+    invite_link_resolve: false
+    # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+    # This is currently not supported in most clients.
+    caption_in_message: false
+    # Maximum size of image in megabytes before sending to Telegram as a document.
+    image_as_file_size: 10
+    # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216.
+    image_as_file_pixels: 16777216
+    # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
+    # streaming from/to Matrix and using many connections for Telegram.
+    # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
+    # This option uses internal Telethon implementation details and may break with minor updates.
+    parallel_file_transfer: false
+    # Whether or not created rooms should have federation enabled.
+    # If false, created portal rooms will never be federated.
+    federate_rooms: false
+    # Should the bridge send all unicode reactions as custom emoji reactions to Telegram?
+    # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions.
+    always_custom_emoji_reaction: true
+    # Settings for converting animated stickers.
+    animated_sticker:
+        # Format to which animated stickers should be converted.
+        # disable - No conversion, send as-is (gzipped lottie)
+        # png - converts to non-animated png (fastest),
+        # gif - converts to animated gif
+        # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
+        # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
+        target: gif
+        # Should video stickers be converted to the specified format as well?
+        convert_from_webm: false
+        # Arguments for converter. All converters take width and height.
+        args:
+            width: 256
+            height: 256
+            fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
+    # Settings for converting animated emoji.
+    # Same as animated_sticker, but webm is not supported as the target
+    # (because inline images can only contain images, not videos).
+    animated_emoji:
+        target: webp
+        args:
+            width: 64
+            height: 64
+            fps: 25
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: true
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: true
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: false
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: true
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+    # Whether or not to explicitly set the avatar and room name for private
+    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
+    private_chat_portal_meta: false
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+    # been sent to Telegram.
+    delivery_receipts: false
+    # Whether or not delivery errors should be reported as messages in the Matrix room.
+    delivery_error_reports: true
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false
+    # When using double puppeting, should muted chats be muted in Matrix?
+    mute_bridging: false
+    # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
+    # The favorites tag is `m.favourite`.
+    pinned_tag: "m.favorite"
+    # Same as above for archived chats, the low priority tag is `m.lowpriority`.
+    archive_tag: "m.lowpriority"
+    # Whether or not mute status and tags should only be bridged when the portal room is created.
+    tag_only_on_create: true
+    # Should leaving the room on Matrix make the user leave on Telegram?
+    bridge_matrix_leave: true
+    # Should the user be kicked out of all portals when logging out of the bridge?
+    kick_on_logout: false
+    # Should the "* user joined Telegram" notice always be marked as read automatically?
+    always_read_joined_telegram_notice: true
+    # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
+    # Requires the user to have sufficient power level and double puppeting enabled.
+    create_group_on_invite: true
+    # Settings for backfilling messages from Telegram.
+    backfill:
+        # Allow backfilling at all?
+        enable: true
+        # Use MSC2716 for backfilling?
+        #
+        # This requires a server with MSC2716 support, which is currently an experimental feature in Synapse.
+        # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml.
+        msc2716: false
+        # Use double puppets for backfilling?
+        #
+        # If using MSC2716, the double puppets must be in the appservice's user ID namespace
+        # (because the bridge can't use the double puppet access token with batch sending).
+        #
+        # Even without MSC2716, bridging old messages with correct timestamps requires the double
+        # puppets to be in an appservice namespace, or the server to be modified to allow
+        # overriding timestamps anyway.
+        double_puppet_backfill: false
+        # Whether or not to enable backfilling in normal groups.
+        # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
+        # will likely cause problems if there are multiple Matrix users in the group.
+        normal_groups: false
+        # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
+        # Set to -1 to let any chat be unread.
+        unread_hours_threshold: 720
+        # Forward backfilling limits. These apply to both MSC2716 and legacy backfill.
+        #
+        # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
+        # MSC2716 and the incremental settings are meant for backfilling everything incrementally rather than at once.
+        forward:
+            # Number of messages to backfill immediately after creating a portal.
+            initial_limit: 10
+            # Number of messages to backfill when syncing chats.
+            sync_limit: 100
+        # Settings for incremental backfill of history. These only apply when using MSC2716.
+        incremental:
+            # Maximum number of messages to backfill per batch.
+            messages_per_batch: 100
+            # The number of seconds to wait after backfilling the batch of messages.
+            post_batch_delay: 20
+            # The maximum number of batches to backfill per portal, split by the chat type.
+            # If set to -1, all messages in the chat will eventually be backfilled.
+            max_batches:
+                # Direct chats
+                user: -1
+                # Normal groups. Note that the normal_groups option above must be enabled
+                # for these to be backfilled.
+                normal_group: -1
+                # Supergroups
+                supergroup: 10
+                # Broadcast channels
+                channel: -1
+    # Overrides for base power levels.
+    initial_power_level_overrides:
+        user: {}
+        group: {}
+    # Whether to bridge Telegram bot messages as m.notices or m.texts.
+    bot_messages_as_notices: true
+    bridge_notices:
+        # Whether or not Matrix bot messages (type m.notice) should be bridged.
+        default: false
+        # List of user IDs for whom the previous flag is flipped.
+        # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
+        #      notices from users listed here will be bridged.
+        exceptions: []
+    # An array of possible values for the $distinguisher variable in message formats.
+    # Each user gets one of the values here, based on a hash of their user ID.
+    # If the array is empty, the $distinguisher variable will also be empty.
+    relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
+    # The formats to use when sending messages to Telegram via the relay bot.
+    # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
+    #
+    # Available variables:
+    #   $sender_displayname - The display name of the sender (e.g. Example User)
+    #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+    #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+    #   $distinguisher      - A random string from the options in the relay_user_distinguishers array.
+    #   $message            - The message content
+    message_formats:
+        m.text: "$distinguisher <b>$sender_displayname</b>: $message"
+        m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
+        m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
+        m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
+        m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
+        m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
+        m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
+        m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
+    # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
+    # users are sent to telegram. All fields in message_formats are supported. Additionally, the
+    # Telegram user info is available in the following variables:
+    #    $displayname - Telegram displayname
+    #    $username    - Telegram username (may not exist)
+    #    $mention     - Telegram @username or displayname mention (depending on which exists)
+    emote_format: "* $mention $formatted_body"
+    # The formats to use when sending state events to Telegram via the relay bot.
+    #
+    # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
+    # In name_change events, `$prev_displayname` is the previous displayname.
+    #
+    # Set format to an empty string to disable the messages for that event.
+    state_event_formats:
+        join: "$distinguisher <b>$displayname</b> joined the room."
+        leave: "$distinguisher <b>$displayname</b> left the room."
+        name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
+    # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
+    # `filter-mode` management commands.
+    #
+    # Filters do not affect direct chats.
+    # An empty blacklist will essentially disable the filter.
+    filter:
+        # Filter mode to use. Either "blacklist" or "whitelist".
+        # If the mode is "blacklist", the listed chats will never be bridged.
+        # If the mode is "whitelist", only the listed chats can be bridged.
+        mode: blacklist
+        # The list of group/channel IDs to filter.
+        list: []
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: "!tg"
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Telegram bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `login` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+    # Send each message separately (for readability in some clients)
+    management_room_multiple_messages: false
+    # Permissions for using the bridge.
+    # Permitted values:
+    #   relaybot - Only use the bridge via the relaybot, no access to commands.
+    #       user - Relaybot level + access to commands to create bridges.
+    #  puppeting - User level + logging in with a Telegram account.
+    #       full - Full access to use the bridge, i.e. previous levels + Matrix login.
+    #      admin - Full access to use the bridge and some extra administration commands.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        "*": "relaybot"
+        "{{ matrix.baseurl }}": "full"
+        "@tobi:{{ matrix.baseurl }}": "admin"
+    # Options related to the message relay Telegram bot.
+    relaybot:
+        private_chat:
+            # List of users to invite to the portal when someone starts a private chat with the bot.
+            # If empty, private chats with the bot won't create a portal.
+            invite: []
+            # Whether or not to bridge state change messages in relaybot private chats.
+            state_changes: true
+            # When private_chat_invite is empty, this message is sent to users /starting the
+            # relaybot. Telegram's "markdown" is supported.
+            message: This is a Matrix bridge relaybot and does not support direct chats
+        # List of users to invite to all group chat portals created by the bridge.
+        group_chat_invite: []
+        # Whether or not the relaybot should not bridge events in unbridged group chats.
+        # If false, portals will be created when the relaybot receives messages, just like normal
+        # users. This behavior is usually not desirable, as it interferes with manually bridging
+        # the chat to another room.
+        ignore_unbridged_group_chat: true
+        # Whether or not to allow creating portals from Telegram.
+        authless_portals: true
+        # Whether or not to allow Telegram group admins to use the bot commands.
+        whitelist_group_admins: true
+        # Whether or not to ignore incoming events sent by the relay bot.
+        ignore_own_incoming_events: true
+        # List of usernames/user IDs who are also allowed to use the bot commands.
+        whitelist:
+            - myusername
+            - 12345678
+# Telegram config
+telegram:
+    # Get your own API keys at https://my.telegram.org/apps
+    api_id: {{ matrix.bridge.tg.api_id }}
+    api_hash: {{ matrix.bridge.tg.api_hash }}
+    # (Optional) Create your own bot at https://t.me/BotFather
+    bot_token: disabled
+    # Should the bridge request missed updates from Telegram when restarting?
+    catch_up: true
+    # Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
+    sequential_updates: true
+    exit_on_update_error: false
+    # Telethon connection options.
+    connection:
+        # The timeout in seconds to be used when connecting.
+        timeout: 120
+        # How many times the reconnection should retry, either on the initial connection or when
+        # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
+        # this is not recommended, since the program can get stuck in an infinite loop.
+        retries: 5
+        # The delay in seconds to sleep between automatic reconnections.
+        retry_delay: 1
+        # The threshold below which the library should automatically sleep on flood wait errors
+        # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
+        # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
+        # the error instead. Values larger than a day (86400) will be changed to a day.
+        flood_sleep_threshold: 60
+        # How many times a request should be retried. Request are retried when Telegram is having
+        # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
+        # there's a migrate error. May take a negative or null value for infinite retries, but this
+        # is not recommended, since some requests can always trigger a call fail (such as searching
+        # for messages).
+        request_retries: 5
+    # Device info sent to Telegram.
+    device_info:
+        # "auto" = OS name+version.
+        device_model: mautrix-telegram
+        # "auto" = Telethon version.
+        system_version: auto
+        # "auto" = mautrix-telegram version.
+        app_version: auto
+        lang_code: en
+        system_lang_code: en
+    # Custom server to connect to.
+    server:
+        # Set to true to use these server settings. If false, will automatically
+        # use production server assigned by Telegram. Set to false in production.
+        enabled: false
+        # The DC ID to connect to.
+        dc: 2
+        # The IP to connect to.
+        ip: 149.154.167.40
+        # The port to connect to. 443 may not work, 80 is better and both are equally secure.
+        port: 80
+    # Telethon proxy configuration.
+    # You must install PySocks from pip for proxies to work.
+    proxy:
+        # Allowed types: disabled, socks4, socks5, http, mtproxy
+        type: disabled
+        # Proxy IP address and port.
+        address: 127.0.0.1
+        port: 1080
+        # Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
+        rdns: true
+        # Proxy authentication (optional). Put MTProxy secret in password field.
+        username: ""
+        password: ""
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+    version: 1
+    formatters:
+        colored:
+            (): mautrix_telegram.util.ColorFormatter
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+        normal:
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    handlers:
+        console:
+            class: logging.StreamHandler
+            formatter: colored
+    loggers:
+        mau:
+            level: DEBUG
+        telethon:
+            level: INFO
+        aiohttp:
+            level: INFO
+    root:
+        level: DEBUG
+        handlers: [console]