fix: correctly set apcu php mod

add: otf font to served files
add: nextcloud php config
2026-06-19 21:22:38 +02:00 · 2024-12-23 13:10:42 +00:00 · 2024-12-23 12:43:07 +00:00 · 2024-12-23 12:23:58 +00:00 · 2024-12-23 12:01:41 +00:00 · 2024-12-23 11:53:08 +00:00
140 changed files with 3089 additions and 496 deletions
@@ -2,7 +2,10 @@
 ansible.log
 files/icinga_master_hosts.conf
 files/nsca_server.conf
 templates/nsca_server.conf
 files/async-icinga-config-dynamic.json
 files/async-icinga-services-dynamic.conf
 hosts.ini
 files/atlantis-hub-content/
 join-k8s-command
 vault.secret
@@ -1,3 +1,4 @@
 [defaults]
 inventory = hosts.ini
 log_path = ansible.log
 vault_password_file = vault.secret
@@ -0,0 +1,46 @@
 ---
 - hosts: all
  gather_facts: yes
  become: false
  tasks:
  - name: Distribution major version
    debug:
        msg: "{{ ansible_distribution_major_version }}"
 #  - name: Upgrade
 #    block:
 #
 #      - name: Update apt repo and cache on all Debian/Ubuntu boxes
 #        apt:
 #          update_cache: yes
 #          force_apt_get: yes
 #          cache_valid_time: 0
 #
 #      - name: Prepare. Autoremove old packages
 #        apt:
 #          autoremove: true
 #          autoclean: true
 #
 #      - name: Update sources
 #        shell:
 #            cmd: |
 #                sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
 #
 #      - name: Update apt repo and cache on all Debian/Ubuntu boxes
 #        apt:
 #          update_cache: yes
 #          force_apt_get: yes
 #          cache_valid_time: 0
 #
 #      - name: Upgrade all packages on servers
 #        apt:
 #          upgrade: dist
 #          force_apt_get: yes
 #
 #      - name: Prepare. Autoremove old packages
 #        apt:
 #          autoremove: true
 #          autoclean: true
 #
 #    when: ansible_distribution_major_version == "11"
@@ -1,25 +1,77 @@
 ---
 checks:
 extra_sheppy_pubkeys:
-nsca_server: ""
+nsca_server: 192.168.122.107
-ldap_server: ""
+ldap_server: 192.168.122.112
-nsca_password: ""
+nsca_password: HISTORY_PURGED_SECRET
-RSYSLOG_SERVER: ""
+nsca_report_to_rudi_password: HISTORY_PURGED_SECRET
-influxdb_telegraf_password: ""
+RSYSLOG_SERVER: internal.monitoring.atlantishq.de
 influxdb_telegraf_password: HISTORY_PURGED_SECRET
 code_server_password: HISTORY_PURGED_SECRET
-icinga_api_user: ""
+nextcloud_ssl_enabled: false
-icinga_api_pass: ""
+nextcloud_cert_name: nextcloud.atlantishq.de
-icinga_api_url: "https://XXXXXXXXXXXXXXX:5665"
+nextcloud_instance_id: HISTORY_PURGED_SECRET
 nextcloud_password_salt: HISTORY_PURGED_SECRET
 nextcloud_instance_secret: HISTORY_PURGED_SECRET
 nextcloud_master_domain: nextcloud.atlantishq.de
 nextcloud_db_password: HISTORY_PURGED_SECRET
 tor_bridge_name: HISTORY_PURGED_SECRET
 tor_bridge_email: nobody@HISTORY_PURGED_SECRET.com
 signal_sender_number: +HISTORY_PURGED_SECRET
 atlantis_array_action_pw: jeanswochenendegeschichte
 money_balancer_jwt_secret: HISTORY_PURGED_SECRET
 hedgedoc_db_password: HISTORY_PURGED_SECRET
 paperless_secret_key: HISTORY_PURGED_SECRET
 kube_adm_token: HISTORY_PURGED_SECRET
 storagebox_u244665_sub2_password: HISTORY_PURGED_SECRET
 slapd_backup_submit_token: HISTORY_PURGED_SECRET
 tube_archivist_elasticsearch_password: HISTORY_PURGED_SECRET
 keep_journal_for_days: 3
 michy_email: HISTORY_PURGED_SECRET
 sheppy_email: HISTORY_PURGED_SECRET
 reactive_resume_postgres_password: HISTORY_PURGED_SECRET
 reactive_resume_minio_password: HISTORY_PURGED_SECRET
 reactive_resume_refresh_token: HISTORY_PURGED_SECRET
 reactive_resume_access_token: HISTORY_PURGED_SECRET
 icinga_api_user: "mobile"
 icinga_api_pass: "HISTORY_PURGED_SECRET"
 icinga_api_url: "https://192.168.122.107:5665"
 icinga_web_url: "https://icinga.atlantishq.de/"
 backup_vsyncdir_password: HISTORY_PURGED_SECRET
 icinga_web_db_password: HISTORY_PURGED_SECRET
 icinga_ido_password: HISTORY_PURGED_SECRET
 event_dispatcher_host: dispatcher.atlantishq.de
 event_dispatcher_proto: https
 event_dispatcher_port: 443
 event_dispatcher_address: "{{ event_dispatcher_proto }}://{{ event_dispatcher_host }}"
-event_dispatcher_user: ""
+event_dispatcher_user: dispatch
-event_dispatcher_pass: ""
+event_dispatcher_pass: HISTORY_PURGED_SECRET
 notification_settings_access_token: HISTORY_PURGED_SECRET
-ldap_password: ""
+ntfy_api_target: https://p.athq.de
 ntfy_push_target: https://push.atlantishq.de
 ntfy_api_access_token: HISTORY_PURGED_SECRET
 ldap_password: flanigan
 ldap_root_pw: HISTORY_PURGED_SECRET
 ldap_dc: "atlantishq"
 ldap_org: "atlantishq de"
 ldap_suffix: "dc=atlantishq,dc=de"
@@ -29,49 +81,77 @@ ldap_group_dn: "ou=groups,dc=atlantishq,dc=de"
 ldap_connection_url: ldap://192.168.122.112
 ldap_connection_url_ext: "ldaps://ldap.atlantishq.de"
-event_dispatcher_token: ""
+nsca_server_password: HISTORY_PURGED_SECRET
 immich_pg_password: HISTORY_PURGED_SECRET
 event_dispatcher_token: "HISTORY_PURGED_SECRET"
 opensearch_logstash_password: "HISTORY_PURGED_SECRET"
 opensearch_admin_password: "HISTORY_PURGED_SECRET"
 opensearch_seed_hosts:
    - ipv4.atlantishq.de:9300
    - ipv4.atlantishq.de:9301
 opensearch_manager_nodes:
    - opensearch-data-1
    - opensearch-data-2
 extra_root_keys:
    - "# no extra keys"
 smtp_user_domain: atlantishq.de
 smtp_internal_host: mail.atlantishq.de
 smtp_internal_host_port: 8025
-smtp_service_user: ""
+smtp_service_user: noreply
-smtp_service_pass: ""
+smtp_service_pass: HISTORY_PURGED_SECRET
 pki_domain: pki.atlantishq.de
-SOUNDLIB_AWS_ACCESS_KEY_ID: ""
+SOUNDLIB_AWS_ACCESS_KEY_ID: HISTORY_PURGED_SECRET
-SOUNDLIB_AWS_SECRET_ACCESS_KEY: ""
+SOUNDLIB_AWS_SECRET_ACCESS_KEY: HISTORY_PURGED_SECRET
-SOUNDLIB_S3_ENDPOINT: ""
+SOUNDLIB_S3_ENDPOINT: HISTORY_PURGED_SECRET
 # gotify #
 gotify_user: admin
-gotify_password: ""
+gotify_password: HISTORY_PURGED_SECRET
 # overwritten in monitoring master group var
 monitoring_master: false
 async_icinga_static_services:
-  - { "name" : "service_names", "timeout" : "5h",  "owner" : "sheppy", "token" : "" }
+  - { "name" : "ths_auftragsdatenbank",   "timeout" : "5h",  "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "apt_atlantis_laptop",     "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "apt_atlantis_pc",         "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "backup_atlantis_laptop",  "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "backup_ths_storrage_box", "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "mail_atlantishq",         "timeout" : "1h",  "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "ths_caldav_backup",       "timeout" : "2d",  "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
  - { "name" : "slapd_backup",            "timeout" : "2d",  "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
-keycloak_admin_password: ""
+keycloak_admin_password: HISTORY_PURGED_SECRET
-keycloak_postgres_password: ""
+keycloak_postgres_password: HISTORY_PURGED_SECRET
 keycloak_address: keycloak.atlantishq.de
-harbor_http_secret: ""
+harbor_http_secret: HISTORY_PURGED_SECRET
-harbor_core_secret: ""
+harbor_core_secret: HISTORY_PURGED_SECRET
-harbor_jobservice_secret: ""
+harbor_jobservice_secret: HISTORY_PURGED_SECRET
-harbor_postgres_pass: ""
+harbor_postgres_pass: HISTORY_PURGED_SECRET
 harbor_registry_user: harbor
-harbor_registry_password: ""
+harbor_registry_password: HISTORY_PURGED_SECRET
-harbor_admin_password: ""
+harbor_admin_password: 20Dino00
 ferchau_sftp_user: dkeipp
 ferchau_sftp_password: HISTORY_PURGED_SECRET
 gitea_postgres_pw: HISTORY_PURGED_SECRET
 gitea_runner_registration_token: HISTORY_PURGED_SECRET
 keycloak_clients:
    python-flask-picture-factory:
-        party_secret : "" # pwgen -s 16
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_images
-        client_secret: "" # pwgen -s 32
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://images.atlantishq.de/*"
            - "https://images.athq.de/*"
@@ -89,9 +169,9 @@ keycloak_clients:
            - "/pictures/"
    simple-log-server:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_sls
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://sls.atlantishq.de/*"
        description: "Simple Log Server"
@@ -102,9 +182,9 @@ keycloak_clients:
            - "/submit"
    soundlib-interface:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_soundlib
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://sounds.atlantishq.de/*"
        description: "Soundlib interface"
@@ -114,9 +194,9 @@ keycloak_clients:
        skips:
    pki:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_hashicorp_vault
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://pki.atlantishq.de/*"
        description: "PKI Vault"
@@ -126,9 +206,9 @@ keycloak_clients:
        skips:
    cert-manager:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_cert_manager
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://vpn.atlantishq.de/*"
        description: "AtlantisHQ Certificate Manager"
@@ -138,9 +218,9 @@ keycloak_clients:
        skips:
    tmnf-replay-server:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_trackmania
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://trackmania.atlantishq.de/*"
        description: "AtlantisHQ Trackmania Replays"
@@ -151,9 +231,9 @@ keycloak_clients:
            - "/open-info"
    atlantis-hub:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_atlantishub
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://hub.atlantishq.de/*"
        description: "AtlantisHQ Hub"
@@ -163,9 +243,9 @@ keycloak_clients:
        skips:
    paperless:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_paperless
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://paperless.atlantishq.de/*"
        description: "AtlantisHQ Paperless Archiving"
@@ -175,9 +255,9 @@ keycloak_clients:
        skips:
    icinga:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_icinga
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://icinga.atlantishq.de/*"
        description: "Icinga Web"
@@ -187,9 +267,9 @@ keycloak_clients:
        skips:
    grafana:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_grafana
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://stats.atlantishq.de/*"
        description: "Grafana"
@@ -199,9 +279,9 @@ keycloak_clients:
        skips:
    async-icinga:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_async_icinga
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://async-icinga.atlantishq.de/*"
        description: "Icinga Web"
@@ -212,9 +292,9 @@ keycloak_clients:
            - "/report"
    hedgedoc:
-        party_secret : ""
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_hedgedoc
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://hedgedoc.atlantishq.de/*"
        description: "Hedgedoc"
@@ -223,9 +303,9 @@ keycloak_clients:
        master_address: "https://hedgedoc.atlantishq.de"
    harbor:
-        party_secret: ""
+        party_secret: "iHISTORY_PURGED_SECRET"
        client_id: z_harbor
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://harbor-registry.atlantishq.de/*"
        description: "Harbor Registry"
@@ -234,9 +314,9 @@ keycloak_clients:
        master_address: "https://harbor-registry.atlantishq.de"
    atlantis-verify:
-        party_secret: ""
+        party_secret: "3HISTORY_PURGED_SECRET"
        client_id: z_at_verify
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://verify.atlantishq.de/*"
        description: "Atlantis Verification"
@@ -245,9 +325,9 @@ keycloak_clients:
        master_address: "https://verify.atlantishq.de"
    reactive-resume:
-        party_secret: ""
+        party_secret: "RHISTORY_PURGED_SECRET"
        client_id: z_reactive_resume
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://resume.atlantishq.de/*"
        description: "Reactive Resume"
@@ -258,9 +338,9 @@ keycloak_clients:
            - "/logo/light.svg"
    money-balancer:
-        party_secret: ""
+        party_secret: "YHISTORY_PURGED_SECRET"
        client_id: z_money_balancer
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://money-balancer.atlantishq.de/*"
        description: "Money Balancer"
@@ -269,12 +349,96 @@ keycloak_clients:
        master_address: "https://money-balancer.atlantishq.de"
    atlantis-web-check:
-        party_secret: ""
+        party_secret: "CHISTORY_PURGED_SECRET"
        client_id: z_web_check
-        client_secret: ""
+        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://smartchecks.atlantishq.de/*"
        description: "SMART Web-Checks"
        keycloak_id: "00000000-0000-0000-0000-000000000017"
        groups:
        master_address: "https://smartchecks.atlantishq.de"
    ferchau-wscad:
        party_secret: "aHISTORY_PURGED_SECRET"
        client_id: z_guenter
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://wscad.atlantishq.de/*"
        description: "WSCAD"
        keycloak_id: "00000000-0000-0000-0000-000000000018"
        groups: "guenter"
        master_address: "https://wscad.atlantishq.de"
    immich:
        party_secret: "0HISTORY_PURGED_SECRET"
        client_id: immich
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://immich.atlantishq.de/*"
            - "https://i.athq.de/*"
            - "app.immich:/"
        description: "Immich Pictures"
        keycloak_id: "00000000-0000-0000-0000-000000000019"
        groups: ""
        master_address: "https://i.athq.de"
    gitea:
        party_secret: "SHISTORY_PURGED_SECRET"
        client_id: gitea
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://git.atlantishq.de/*"
            - "https://git.athq.de/*"
        description: "Gitea"
        keycloak_id: "00000000-0000-0000-0000-000000000020"
        groups: ""
        master_address: "https://git.atlantishq.de"
    olive-tin:
        party_secret: "QHISTORY_PURGED_SECRET"
        client_id: olive-tin
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://olive.atlantishq.de/*"
        description: "Olive-Tin"
        keycloak_id: "00000000-0000-0000-0000-000000000021"
        groups: "pki"
        master_address: "https://olive.atlantishq.de"
    tube-archivist:
        party_secret: "EHISTORY_PURGED_SECRET"
        client_id: tube-archivist
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://youtube-proxy.atlantishq.de/*"
        description: "Tube Archivist"
        keycloak_id: "00000000-0000-0000-0000-000000000022"
        groups: ""
        master_address: "https://youtube-proxy.atlantishq.de"
    atlantis-status:
        party_secret: "EHISTORY_PURGED_SECRET"
        client_id: atlantis-status
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://actions.atlantishq.de/*"
        description: "Atlantis Actions"
        keycloak_id: "00000000-0000-0000-0000-000000000023"
        groups: ""
        master_address: "https://actions.atlantishq.de"
        skips:
            - "/endpoints"
            - "/hook-passive"
    opensearch-dashboard:
        party_secret: "tHISTORY_PURGED_SECRET"
        client_id: opensearch-dashboard
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris:
            - "https://opensearch.atlantishq.de/*"
        description: "Atlantis Actions"
        keycloak_id: "00000000-0000-0000-0000-000000000024"
        groups: ""
        master_address: "https://opensearch.atlantishq.de"
@@ -1,4 +1,4 @@
 harbor_version: v2.10.0
 harbor_file: harbor-online-installer-{{ harbor_version }}.tgz
-harbor_admin_password: ""
+harbor_admin_password: 20Dino00
-harbor_db_password: ""
+harbor_db_password: HISTORY_PURGED_SECRET
@@ -0,0 +1 @@
 is_k8s_master: true
@@ -1,3 +1,28 @@
 ---
 checks :
    - { user : nobody, name : mail_queue, cmd : "/usr/lib/nagios/plugins/check_mailq -w 10 -c 20"}
 mail_virtual_transport:
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET,kat.maurer@fau.de
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
 mail_enabled_senders:
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
    noreply@atlantishq.de: noreply@atlantishq.de
@@ -0,0 +1 @@
 nextcloud_nginx_ssl_enabled: true
@@ -0,0 +1,6 @@
 opensearch_data_nodes:
    - opensearch-data-1
    - opensearch-data-2
 opensearch_dashboards:
    - opensearch-dashboard-1
@@ -1,3 +1,9 @@
 ---
 nextcloud_nginx_ssl_enabled: false
 nextcloud_instance_id: HISTORY_PURGED_SECRET
 nextcloud_password_salt: HISTORY_PURGED_SECRET
 nextcloud_instance_secret: HISTORY_PURGED_SECRET
 nextcloud_master_domain: ths.atlantishq.de
 nextcloud_db_password: HISTORY_PURGED_SECRET
 checks :
    - { user : sheppy, name : irc, cmd : ""}
@@ -4,6 +4,6 @@ checks :
    - { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"}
 #    - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"}
-openvpn_management_password: ""
+openvpn_management_password: HISTORY_PURGED_SECRET
 openvpn_management_passfile: mgnt-pass.txt
 openvpn_management_port: 23000
@@ -1,5 +1,6 @@
 ---
 - hosts: all
  strategy: free
  roles:
    - { role : monitoring-client, tags : [ "monitoring", "monitoring-client", "client"] }
    - { role : sshd-config,       tags : [ "sshd" ] }
@@ -9,55 +10,72 @@
    - { role : zabbix-agent,      tags : [ "zabbix-agent" ] }
    - { role : iptables,          tags : [ "iptables" ] }
- hosts: web1
+- hosts: opensearch
  strategy: free
  roles: 
-    - { role : web1, tags : [ "web1" ] }
+    - { role : opensearch,        tags : [ "opensearch" ] }
-    - { role : media, tags : [ "media" ] }
+
 - hosts: signal
  strategy: free
  roles:
    - { role : signal, tags : [ "signal" ] }
 - hosts: all
  strategy: free
  roles:
    - { role : filebeat, tags : [ "filebeat" ] }
 - hosts: mail
  strategy: free
  roles:
    - { role : mail, tags : [ "mail" ] }
 - hosts: backup
  strategy: free
  roles:
    - { role : backup-vm, tags : [ "backup" ] }
 - hosts: kube1
  strategy: free
  roles:
    - { role : docker-deployments, tags : [ "docker", "kube1" ] }
 - hosts: usermanagement
  strategy: free
  roles:
    - { role : usermanagement, tags : [ "users", "keycloak" ] }
 - hosts: monitoring
  strategy: free
  roles:
    - { role : monitoring-master, tags : [ "monitoring-master", "icinga", "grafana" ] }
 - hosts: typo3-cms
  roles:
    - { role : typo3-cms, tags : [ "typo3" ] }
 - hosts: paperless
  strategy: free
  roles:
    - { role : paperless, tags : [ "paperless" ] }
 - hosts: vault-pki
  roles:
    - { role : vault-pki, tags : [ "pki_master", "vault" ] }
 - hosts: vpn
  strategy: free
  roles:
    - { role : openvpn, tags : [ "openvpn", "vpn", "certificate-manager" ] }
 - hosts: timetracking
  strategy: free
  roles:
    - { role : timetracking, tags : [ "timetracking", "kamai" ] }
 - hosts: harbor-registry
  strategy: free
  roles:
    - { role : harbor-registry, tags : [ "harbor" ] }
 - hosts: nextcloud ths
  strategy: free
  roles:
    - { role: nextcloud, tags: ["nextcloud"] }
 #- hosts: kube2
 #  strategy: free
 #  roles:
 #    - { role: kubernetes-base, tags: ["kubernetes"] }
@@ -1,38 +0,0 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEA2gAT8vYdNPb1EI/oHsL4SDvZA6VAZJFuXRs+h7A8aehS3mdCjjEz
 2ckZMDx5AtyXnvL5E5dnxYu8I14ZFkqT3ux/0RXZ+px3+UUrzOGhMIZIw+xNZb3/ZS0VF5
 yEnhVxTnQ94aUV6k+clT/TtUt0ZN2/ovRz5XMNbw5hR0uZmfq15sUEshw/LrsghC9UYuSD
 s/V8cnGifzB19l2h1lPsYK0Nrr1q74Z4mwd24bX/eBqxyUF0X41HOJxd0ht/d+xZHYreS6
 M7gxN/5i6DTej8F89d2dmnApaY4sjmUMaWtvk6cBOYtq1qGcLF7//8s6IR2wN9PqmEsSWE
 K2GdV0cjkjxVkqd8MHLo/MjDKjCU9nu+Wclmh7qGLop3ThVuFTEe6RaabLJ523Sx7yRnuT
 2TEg8ZcoVLZACuKdZ39pxJ4N1YwgXJ+lFitaaOQ0JnC8JHdHEG1ky8R4x+LALX8qewPI7B
 i164Vq2jDjqFNCVZGpma6tgbksmguUu/inbxgoN1AAAFiNBNJKrQTSSqAAAAB3NzaC1yc2
 EAAAGBANoAE/L2HTT29RCP6B7C+Eg72QOlQGSRbl0bPoewPGnoUt5nQo4xM9nJGTA8eQLc
 l57y+ROXZ8WLvCNeGRZKk97sf9EV2fqcd/lFK8zhoTCGSMPsTWW9/2UtFRechJ4VcU50Pe
 GlFepPnJU/07VLdGTdv6L0c+VzDW8OYUdLmZn6tebFBLIcPy67IIQvVGLkg7P1fHJxon8w
 dfZdodZT7GCtDa69au+GeJsHduG1/3gasclBdF+NRzicXdIbf3fsWR2K3kujO4MTf+Yug0
 3o/BfPXdnZpwKWmOLI5lDGlrb5OnATmLatahnCxe///LOiEdsDfT6phLElhCthnVdHI5I8
 VZKnfDBy6PzIwyowlPZ7vlnJZoe6hi6Kd04VbhUxHukWmmyyedt0se8kZ7k9kxIPGXKFS2
 QArinWd/acSeDdWMIFyfpRYrWmjkNCZwvCR3RxBtZMvEeMfiwC1/KnsDyOwYteuFatow46
 hTQlWRqZmurYG5LJoLlLv4p28YKDdQAAAAMBAAEAAAGAbms5r4eflZM83820SdiBf7zol+
 Mc8ZOELh69lmbawt4NE1+EI5eiZr5oRrlqpdtr5PO224iF5FZ5zgQ8esD9kx2BRDtoNHsK
 fbTekaD7TyPFOY+4SD9rXCjwlQwPVC8SPCW+rks7BXqbmjFBH4P/iZOUHIrrJR4YgNbsyP
 ru60JE3oWOclTCX/4iYzHB8XFDkGRYS3NpVjkKluYoMfJCOVmOI6MHxhj7f7LRMVRI+OG0
 iXbg5gEeQPtavjB1aR3JuajYIRaxbJUzKCgE4+yeljvObSdG9THUiuFOTEkXcdtYnPu3uy
 d2LcBQzLJ0BY6YvIoI4OFV6lqRRBXMleUSKzHFgkHUuRAKyPtVrE38HV/X5qQeBlg89/7/
 XuwZDq+A7fSm95uj85bmrUXBKBog/F31UW+1P3lZ7j/ZxmcPwcJTJvPTFOSweynimeSZB/
 lwFJpiDhxJjlfpWF0GxgIHdsjD4CZgSpSKCh/kI954f4HnhWEXbs8quoGwgrjIElTFAAAA
 wEbaLe1mPdp8LsvOTbWNiF9eT5pKO2pwkJPINJ20ylxwYaap0Xda79shdskkxKTCwIFvoA
 xjdE6B1HKqzsWHu7fiQ29/btdAZav+930tMSxemIwhNe9aHyOgoujNS8UaxaR/sSTnj19V
 7DyetxFPGW1H1A/KKnPm+muqgO7KARHoQ+0x3I6pJzM+XHN5DT5FNSdtVm+xWCNsXwL4bk
 t5d5vBU/VAspgNZVSge+aN3R2FGqA0dlDww4XX0nywbaO8WgAAAMEA/kwTKHc7W9eqYCzM
 yRrPXB1cRhrLYOJNX+ykl/xPPx4YeZmrDmNfzcC8DULC/5HkXEygpsxuzK1SbGM0eeQyMu
 LboVYxgslC0QjIfDS3x7CYUMsrK1r1nleGxYFpXRBTqKty6nNR53Unum2QAsGW90xfoD1N
 NEeb2d/wgG/QHmTh6BzJ6JYqjc/ATsqfR5aKoNnh1stRHu6TzrIK4Y/6e/HEoXElwOyeYX
 DadG5VfnD4jglgQR78sHtaSSIpvCADAAAAwQDbdcgfXQ93mIDnk97aXbrR/tP76+0QmsM2
 IImV3/mhnjwsYXHnYTBoci6t+L+zClpW2FIj532XKSBF+fxIOTpnMW4grKICivbWmcrCj+
 aA+w+mshv4K1A+TDlzfW4c+UHpp26UopkaFMrG9hvNoDcREyYqERf1YnxZCLTGgNQLpDUa
 rveYj+PzCjTzUzH2wgtNttIDWeekFxTJP/7a7sdaRe4DzMMn0B0UDVKGgKY7s5q1xL0IJq
 8oXFJvSt894ScAAAASc2hlcHB5QGF0bGFudGlzcGFkAQ==
 -----END OPENSSH PRIVATE KEY-----
@@ -5,14 +5,14 @@
      - vdirsyncer
 - name: Copy Backup caldav script
-  copy:
+  template:
    src: ths_cal_backup.sh
    dest: /home/sheppy/ths_cal_backup.sh
    owner: sheppy
    group: sheppy
 - name: Copy vdirsync config
-  copy:
+  template:
    src: vsyncdir.conf
    dest: /home/sheppy/vsyncdir.conf
    owner: sheppy
@@ -48,7 +48,6 @@
    group: sheppy
    mode: 0600
  with_items:
    - backup_priv_key
    - config
 - name: template SLAPD backup script
@@ -3,12 +3,25 @@ set -e
 DIR=/home/sheppy/slapd_backup
 eval `ssh-agent`
 ssh-add ~/.ssh/id_rsa
 cd
 rsync -r --remove-source-files sheppy@192.168.122.112:$DIR /home/sheppy
 ~/backups/backup-tools/backup_manager.py --extensions ldif -- $DIR
-rsync --delete --rsh="/usr/bin/sshpass -p ebHYlyVHgRnBcdkb ssh -p23" -r slapd_backup/* u244665-sub2@u244665.your-storagebox.de:./slapd_backup/
+rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r slapd_backup/* u244665-sub2@u244665.your-storagebox.de:./slapd_backup/
 for file in "$DIR"/*; do
  # Check if the file is empty
  if [ ! -s "$file" ]; then
    echo "Empty file found: $file"
    exit 1
  fi
 done
 curl -H "Content-Type: application/json" \
     -X POST https://async-icinga.atlantishq.de/report \
-     -d '{ "service" : "slapd_backup", "token" : "WX0yXFxSsb", "status" : "OK", "info" : "" }'
+     -d '{ "service" : "slapd_backup", "token" : "{{ slapd_backup_submit_token }}", "status" : "OK", "info" : "" }'
@@ -18,10 +18,10 @@ zip -q -r ~/ths_carddav_telefon_backups/${BACKUP_NAME} ~/ths-carddav-telefon
 ~/backups/backup-tools/backup_manager.py ~/ths_carddav_telefon_backups/ --debug
 # send to storrage box
-rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_caldav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/
+rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r ths_caldav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/
-rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav/
+rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r ths_carddav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav/
-rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_telefon_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav_telefon/
+rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r ths_carddav_telefon_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav_telefon/
 curl -H "Content-Type: application/json" \
     -X POST https://async-icinga.atlantishq.de/report \
-     -d '{ "service" : "ths_caldav_backup", "token" : "", "status" : "OK", "info" : "" }'
+     -d '{ "service" : "ths_caldav_backup", "token" : "{{ slapd_backup_submit_token }}", "status" : "OK", "info" : "" }'
@@ -11,7 +11,7 @@ type = "caldav"
 read_only = true
 url = "https://ths.atlantishq.de/remote.php/dav/calendars/backup/ths_shared_by_ths/"
 username = "backup"
-password = ""
+password = "{{ backup_vsyncdir_password }}"
 [storage ths_local_caldav]
 type = "filesystem"
@@ -28,7 +28,7 @@ type = "carddav"
 read_only = true
 url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths_shared_by_ths/"
 username = "backup"
-password = ""
+password = "{{ backup_vsyncdir_password }}"
 [storage ths_local_carddav]
 type = "filesystem"
@@ -46,7 +46,7 @@ type = "carddav"
 read_only = true
 url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths-telefon-1_shared_by_ths/"
 username = "backup"
-password = ""
+password = "{{ backup_vsyncdir_password }}"
 [storage ths_local_carddav_telefon]
 type = "filesystem"
@@ -7,6 +7,10 @@
        - tcpdump
        - git
        - apt-file
        - htop
        - ncdu
        - gpg
        - unattended-upgrades
 - name: Ensure Opt dir exists and accessible
  file:
@@ -47,3 +51,32 @@
    path: /root/.ssh/authorized_keys
    line: "{{ item }}"
  loop: "{{ extra_root_keys }}"
 - name: Add journalctl cleanup
  ansible.builtin.cron:
    name: "check dirs"
    minute: "0"
    hour: "0"
    job: "/usr/bin/journalctl --vacuum-time={{ keep_journal_for_days }}d"
 - name: Remove mails in var-mail
  ansible.builtin.cron:
    name: "Cleanup local mails"
    minute: "0"
    hour: "0"
    job: "/usr/bin/rm -f /var/mail/*"
 - name: Template Logrotate configs
  template:
    src: "{{ item }}"
    dest: "/etc/logrotate/logrotate.d/"
  with_items:
    - daemon.conf
    - syslog.conf
 - name: Template Unattended Upgrade conf
  template:
    src: "{{ item }}"
    dest: "/etc/apt/apt.conf.d/"
  with_items:
    - 20auto-upgrades.conf
@@ -0,0 +1,2 @@
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
@@ -0,0 +1,9 @@
 /var/log/daemon.log {
    daily
    rotate {{ keep_journal_for_days }}
    compress
    delaycompress
    missingok
    notifempty
    create
 }
@@ -0,0 +1,9 @@
 /var/log/syslog.log {
    daily
    rotate {{ keep_journal_for_days }}
    compress
    delaycompress
    missingok
    notifempty
    create
 }
@@ -0,0 +1,5 @@
 [Peer]
 PublicKey = {{ hypervisor_wg_public_key }}
 Endpoint= {{ hypervisor_internal_ip }}:51820
 AllowedIPs = 0.0.0.0/0
 PersistentKeepalive = 21
@@ -0,0 +1,11 @@
 [Interface]
 PrivateKey = <server_private_key>
 Address = 10.0.0.1/24
 ListenPort = 51820
 {% for client in clients %}
 # {{ client.name }}
 [Peer]
 PublicKey = <client1_public_key>
 AllowedIPs = 10.0.0.{{ loop.index + }}/32
 {% endfor %}
@@ -0,0 +1,13 @@
 - name: Debian | Add GPG Keys
  apt_key:
    url: "https://download.docker.com/linux/debian/gpg"
 - name: Debian | Add Repo Source
  apt_repository:
    repo: "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable"
    update_cache: yes
 - name: Install docker-ce
  apt:
    name: docker-ce
    state: present
@@ -0,0 +1,16 @@
 server {
    autoindex on;
    autoindex_localtime on;
    listen 5051;
    root /var/www/cdn/;
    add_header Vary Accept-Encoding;
    add_header Access-Control-Allow-Origin $http_origin;
    location /videos/{
        default_type video/mp4;
        limit_rate 2m;
        autoindex on;
    }
 }
@@ -0,0 +1,2 @@
 kathi:$y$j9T$HISTORY_PURGED_SECRET
 sheppy:$y$HISTORY_PURGED_SECRET
@@ -0,0 +1,19 @@
 server {
    listen 5053;
    access_log off;
    gzip off;
    default_type text/plain;
    if ($remote_addr ~* 172\.16\.1\.(.+)){
        return 200 "$remote_addr (This is a local VPN ip, it is NOT your true external ip!)";
    }
    if ($remote_addr ~* 192\.168\.122\.1){
        return 200 $http_x_real_ip;
    }
    location / {
        return 200 $remote_addr;
    }
 }
@@ -9,7 +9,7 @@ server {
    autoindex on;
    autoindex_localtime on;
-    listen 8000;
+    listen 5052;
    root /var/www/media;
    add_header Vary Accept-Encoding;
@@ -23,6 +23,6 @@ server {
    location /auth/{
        auth_basic $basic_auth_val;
-        auth_basic_user_file /etc/nginx/htpasswd;
+        auth_basic_user_file /etc/nginx/htpasswd_1;
    }
 }
@@ -5,4 +5,4 @@
 - name: restart hub
  shell:
-    cmd: docker restart atlantis-hub_atlantis-hub_1
+    cmd: docker restart atlantis-hub_atlantis-hub-1
@@ -1,5 +1,10 @@
 - include_vars: services.yaml
 - name: Deploy Docker daemon.json
  template:
    src: daemon.json
    dest: /etc/docker/daemon.json
 - name: Create data-dir
  file:
    name: /data/
@@ -34,6 +39,16 @@
  notify:
    - reload async icinga settings
 - name: Create Event Dispatch Substitutions config dir
  file:
    name: /data/event-dispatcher/substitutions/
    state: directory
 - name: Copy Event Dispatcher Substitutions Map
  template:
    src: event-message-subsitution-map.yaml
    dest: /data/event-dispatcher/substitutions/substitutions.yaml
 - name: Async Icinga Service (dynamic from backup file)
  copy:
    src: async-icinga-config-dynamic.json
@@ -50,14 +65,20 @@
    - atlantis-hub
    - grafana
    - event-dispatcher
-    #- reactive-resume
+    - reactive-resume
    - hedgedoc
    - atlantis-verify
    - soundlib-interface
    - python-flask-picture-factory
    - money-balancer
-    - atlantis-web-check
+    - ntfy
-    - gotify
+    - code-server
    - nginx-media-cdn
    - immich
    - gitea
    - gitea-runner
    - atlantis-status
    - logstash
 - name: Copy AtlantisHub config
  copy:
@@ -84,6 +105,37 @@
    src: "grafana.ini"
    dest: "/data/grafana/grafana.ini"
 - name: create_logstash_data_dirs
  file:
    name: "/data/logstash/{{ item }}"
    state: directory
  with_items:
    - "config"
    - "pipeline"
 - name: copy_logstash_config
  template:
    src: "{{ item }}"
    dest: "/data/logstash/config/"
  with_items:
    - "logstash.yml"
    - "pipelines.yml"
 - name: copy_logstash_pipeline_config
  template:
    src: "{{ item }}"
    dest: "/data/logstash/pipeline/"
  with_items:
    - "logstash.conf"
 - name: copy_atlantis_status_services
  template:
    src: "{{ item }}.yaml"
    dest: "/data/atlantis-status/services/"
  with_items:
    - "atlantis-array"
    - "service-dispatcher-config"
 - name: Create compose directories
  file:
    name: "/opt/{{ item }}"
@@ -98,15 +150,22 @@
    - atlantis-hub
    - grafana
    - event-dispatcher
-    - tor
+    #- tor
-    #- reactive-resume
+    - reactive-resume
    - hedgedoc
    - atlantis-verify
    - soundlib-interface
    - python-flask-picture-factory
    - money-balancer
-    - atlantis-web-check
+    - ntfy
-    - gotify
+    - code-server
    - serienampel
    - nginx-media-cdn
    - immich
    - gitea
    - gitea-runner
    - atlantis-status
    - logstash
 - name: Copy compose templates
  template:
@@ -122,25 +181,50 @@
    - atlantis-hub
    - grafana
    - event-dispatcher
-    - tor
+    #- tor
    - hedgedoc
    - atlantis-verify
    - soundlib-interface
    - python-flask-picture-factory
    - money-balancer
-    - atlantis-web-check
+    - ntfy
-    - gotify
+    - code-server
    - serienampel
    - nginx-media-cdn
    - immich
    - gitea
    - gitea-runner
    - atlantis-status
    - logstash
- name: Log into private registry
+- name: create sites-enabled dir
-  docker_login:
+  file:
-    registry: registry.atlantishq.de
+    path: "/opt/nginx-media-cdn/sites-enabled/"
-    username: docker
+    state: directory
-    password: ""
+
 - name: Deploy nginx-media-cdn config files
  copy:
    src: "{{ item }}"
    dest: "/opt/nginx-media-cdn/sites-enabled/"
  with_items:
    - media.conf
    - cdn.conf
    - ipcheck.conf
 - name: Deploy nginx auth
  copy:
    src: "{{ item }}"
    dest: "/opt/nginx-media-cdn/"
    owner: 101
    group: 101
  with_items:
    - htpasswd
 - name: Deploy compose templates
-  community.docker.docker_compose:
+  community.docker.docker_compose_v2:
    remove_orphans: true
    project_src: "/opt/{{ item }}/"
-    pull: true
+    pull: "missing"
    files:
      - "{{ item }}.yaml"
  with_items:
@@ -153,14 +237,22 @@
    - atlantis-hub
    - grafana
    - event-dispatcher
-    - tor
+    #- tor
    - reactive-resume
    - hedgedoc
    - atlantis-verify
    - soundlib-interface
    - python-flask-picture-factory
-    - money-balancer
+    #- money-balancer
-    - atlantis-web-check
+    - ntfy
-    - gotify
+    - code-server
    - serienampel
    - nginx-media-cdn
    - immich
    - gitea
    - gitea-runner
    - atlantis-status
    - logstash
 - name: OAuth2Proxy directories
  file:
@@ -177,7 +269,8 @@
    - python-flask-picture-factory
    #- reactive-resume
    - money-balancer
-    - atlantis-web-check
+    - olive-tin
    - atlantis-status
 - name: include services ports
  include_vars: services.yaml
@@ -186,6 +279,7 @@
  template:
    src: oauth-standalone-docker-compose.yaml
    dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
    #remove_orphans: true
  with_items:
    - tmnf-replay-server
    - atlantis-hub
@@ -194,14 +288,15 @@
    - atlantis-verify
    - soundlib-interface
    - python-flask-picture-factory
-    #- reactive-resume
+    - reactive-resume
    - money-balancer
-    - atlantis-web-check
+    - olive-tin
    - atlantis-status
 - name: Deploy OAuth2Proxy
-  community.docker.docker_compose:
+  community.docker.docker_compose_v2:
    project_src: /opt/oauth2proxy/{{ item }}/
-    pull: true
+    pull: always
  with_items:
    - tmnf-replay-server
    - atlantis-hub
@@ -211,5 +306,6 @@
    - soundlib-interface
    - python-flask-picture-factory
    #- reactive-resume
-    - money-balancer
+    #- money-balancer
-    - atlantis-web-check
+    - olive-tin
    - atlantis-status
@@ -1,4 +1,5 @@
-async-icinga:
+services:
  async-icinga:
    volumes:
        - "/data/async-icinga/:/app/config"
        - "/data/async-icinga/instance/:/app/instance/"
@@ -1,5 +1,6 @@
-athqlanding:
+services:
  athqlanding:
    ports:
      - 5002:5000
-    image: registry.atlantishq.de/athq/landing-page
+    image: harbor-registry.atlantishq.de/atlantishq/athq-landing-page
    restart: always
@@ -0,0 +1,23 @@
 name: Atlantis Array
 hook_operations:
    - start_service:
        passive: true
    - unlock_service:
        location:
            url:
               - https://ipv4-vpn-activate.atlantishq.de:10443/activate
               - https://ipv6-vpn-activate.atlantishq.de:10443/activate
            client_secret: https://ipv4-vpn-activate.atlantishq.de:10443/one-time-token
            client_secret_field: "secret"
            args:
                secret: "{{ atlantis_array_action_pw }}"
        status_url: https://vpn-activate.atlantishq.de:10443/am-i-unlocked
        client: true
 register_endpoints:
    - start_service:
        token: token_1
 groups:
    - trackmania
@@ -1,5 +1,6 @@
-atlantis-hub:
+services:
-    image: registry.atlantishq.de/atlantis-hub:latest
+  atlantis-hub:
    image: harbor-registry.atlantishq.de/atlantishq/atlantis-hub:latest
    restart: always
    ports:
        - 6011:5000
@@ -0,0 +1,8 @@
 services:
  atlantis-status-management:
    ports:
        - 6026:5000
    volumes:
        - /data/atlantis-status/services:/app/services
    image: harbor-registry.atlantishq.de/atlantishq/atlantis-status:latest
    restart: always
@@ -1,4 +1,5 @@
-atlantis-verify:
+services:
  atlantis-verify:
    image: harbor-registry.atlantishq.de/atlantishq/atlantis-verify:latest
    restart: always
    environment:
@@ -9,6 +10,8 @@ atlantis-verify:
        LDAP_BASE_DN: {{ ldap_user_dn }}
        DISPATCH_SERVER: {{ event_dispatcher_address }}
        DISPATCH_SETTINGS_TOKEN: {{ notification_settings_access_token }}
        DISPATCH_ACCESS_TOKEN: {{ event_dispatcher_pass }}
        SQLALCHEMY_DATABASE_URI: "instance/database.sqlite"
@@ -19,8 +22,11 @@ atlantis-verify:
        MAIN_HOME: https://hub.atlantishq.de
-        DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
+        NTFY_ACCESS_TOKEN: {{ ntfy_api_access_token }}
-        DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
+        NTFY_API_TARGET: {{ ntfy_api_target }}
        NTFY_PUSH_TARGET: {{ ntfy_push_target }}
        OIDC_ADMIN_USER: sheppy
    ports:
        - {{ services[item].port + 1000 }}:5000
@@ -1,4 +1,3 @@
 version: "3.3"
 services:
    master:
        image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-master:latest
@@ -0,0 +1,12 @@
 services:
  code:
    image: codercom/code-server
    volumes:
        - /data/code-server/projects/:/home/coder/project/
        - /data/code-server/data:/data
    environment:
        - PASSWORD={{ code_server_password }}
    ports:
        - 5020:8080
    command: code-server --auth password
    restart: always
@@ -0,0 +1,5 @@
 {
  "live-restore": true,
  "storage-driver": "overlay2",
  "log-opts": { "max-size": "10m" }
 }
@@ -1,14 +1,44 @@
-event-dispatcher:
+services:
  event-dispatcher:
      ports:
          - 5007:5000
-    image: registry.atlantishq.de/athq/event-dispatcher
+      image: harbor-registry.atlantishq.de/atlantishq/event-dispatcher
      restart: always
      volumes:
          - "/data/event-dispatcher/instance/:/app/instance/"
          - "/data/event-dispatcher/substitutions/:/app/substitutions/"
      environment:
        SIGNAL_API_PASS: "{{ event_dispatcher_pass }}"
          LDAP_SERVER : "{{ ldap_connection_url }}"
          LDAP_BIND_DN : "{{ ldap_bind_dn }}"
          LDAP_BIND_PW : "{{ ldap_password }}"
          LDAP_BASE_DN : "{{ ldap_user_dn }}"
-        SIGNAL_GATEWAY_PASS: "{{ event_dispatcher_token }}"
+  
          DISPATCH_ACCESS_TOKEN: "{{ event_dispatcher_pass }}"
          SETTINGS_ACCESS_TOKEN: "{{ notification_settings_access_token }}"
          SUBSTITUTION_MAP: /app/substitutions/substitutions.yaml
  event-dispatcher-worker:
      image: harbor-registry.atlantishq.de/atlantishq/event-dispatcher-worker
      restart: always
      environment:
          DISPATCH_SERVER: "{{ event_dispatcher_proto }}://{{ event_dispatcher_host }}"
          DISPATCH_ACCESS_TOKEN: "{{ event_dispatcher_pass }}"
          NTFY_PUSH_TARGET: "{{ ntfy_push_target }}"
          NTFY_USER: "admin"
          NTFY_PASS: "{{ ntfy_api_access_token }}"
          NTFY_API_SERVER: "{{ ntfy_api_target }}"
          NTFY_API_TOKEN: "{{ ntfy_api_access_token }}"
          LDAP_SERVER : "{{ ldap_connection_url }}"
          LDAP_BIND_DN : "{{ ldap_bind_dn }}"
          LDAP_BIND_PW : "{{ ldap_password }}"
          LDAP_BASE_DN : "{{ ldap_user_dn }}"
          SMTP_TARGET: "{{ smtp_internal_host }}"
          SMTP_PORT: "{{ smtp_internal_host_port }}"
          SMTP_USER: "{{ smtp_service_user }}@atlantishq.de"
          SMTP_PASS: "{{ smtp_service_pass }}"
@@ -0,0 +1,19 @@
 prometheus: "vnet0:"
 paperless: "vnet1:"
 usermanagement: "vnet2:"
 git: "vnet3:"
 harbor-registry: "vnet4:"
 irc-new: "vnet5:"
 backup: "vnet6:"
 ths: "vnet7:"
 signal: "vnet8:"
 zabbix: "vnet9:"
 kathi: "vnet10:"
 vpn: "vnet11:"
 timetracking: "vnet12:"
 monitoring: "vnet13:"
 mail: "vnet14:"
 nextcloud-athq: "vnet15:"
 steam-master: "vnet16:"
 kube1: "vnet20:"
 nextcloud-s3-oidc: "vnet22:"
@@ -0,0 +1,25 @@
 services:
  ferchau-wscad:
    image: harbor-registry.atlantishq.de/guenter/wscad-server
    restart: always
    ports:
        - 6019:5000
    volumes:
        - data:/app/data/
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    restart: always
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=true
      - USER_NAME={{ ferchau_sftp_user }}
      - USER_PASSWORD={{ ferchau_sftp_password }}
    volumes:
      - data:/config/data
    ports:
      - 2222:2222
 volumes:
    data:
@@ -0,0 +1,13 @@
 services:
  runner:
    image: gitea/act_runner:nightly
    environment:
      CONFIG_FILE: /config.yaml
      GITEA_INSTANCE_URL: "https://git.athq.de"
      GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_registration_token }}"
      GITEA_RUNNER_NAME: "atlantis-runner"
      GITEA_RUNNER_LABELS: "ubuntu-latest,atlantis"
    volumes:
      - /data/gitea-runner/config.yaml:/config.yaml
      - /data/gitea-runner/data:/data
      - /var/run/docker.sock:/var/run/docker.sock
@@ -0,0 +1,40 @@
 version: "3"
 networks:
  gitea:
    external: false
 services:
  gitea-server:
    image: gitea/gitea:latest
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD={{ gitea_postgres_pw }}
    restart: always
    networks:
      - gitea
    volumes:
      - /data/gitea/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "5024:3000"
      - "222:22"
    depends_on:
       - db
  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD={{ gitea_postgres_pw }}
      - POSTGRES_DB=gitea
    networks:
      - gitea
    volumes:
      - /data/gitea/pg-data:/var/lib/postgresql/data
@@ -1,11 +0,0 @@
 gotify:
    image: gotify/server
    restart: always
    environment:
        - TZ="Europe/Berlin"
        - GOTIFY_DEFAULTUSER_NAME={{ gotify_user }}
        - GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}
    ports:
        - 4001:80
    volumes:
        - /data/gotify/data:/app/data
@@ -304,7 +304,7 @@
 ;admin_email = admin@localhost
 # used for signing
-;secret_key = SW2YcwTIb9zpOOhoPsMm
+;secret_key = HISTORY_PURGED_SECRET
 # current key provider used for envelope encryption, default to static value specified by secret_key
 ;encryption_provider = secretKey.v1
@@ -1,4 +1,5 @@
-grafana:
+services:
 grafana:
    ports:
        - 4000:3000
    image: grafana/grafana-oss
@@ -1,19 +1,18 @@
 version: '3'
 services:
  database:
-    image: postgres:13.4-alpine
+    image: postgres:15-alpine
    environment:
      - POSTGRES_USER=hedgedoc
-      - POSTGRES_PASSWORD=D7OIx5VBUa7nEzdy6f
+      - POSTGRES_PASSWORD={{ hedgedoc_db_password }}
      - POSTGRES_DB=hedgedoc
    volumes:
      - /data/hedgedoc/pgsql:/var/lib/postgresql/data
    restart: always
  app:
    # Make sure to use the latest release from https://hedgedoc.org/latest-release
-    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    image: quay.io/hedgedoc/hedgedoc:latest
    environment:
-      - CMD_DB_URL=postgres://hedgedoc:D7OIx5VBUa7nEzdy6f@database:5432/hedgedoc
+      - CMD_DB_URL=postgres://hedgedoc:{{ hedgedoc_db_password }}@database:5432/hedgedoc
      - CMD_DOMAIN=hedgedoc.atlantishq.de
      - CMD_PROTOCOL_USESSL=true
      - CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
@@ -23,7 +22,7 @@ services:
      - CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
      - CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
      - CMD_OAUTH2_CLIENT_ID=z_hedgedoc
-      - CMD_OAUTH2_CLIENT_SECRET=T4kvtI0ZF1JepEbmTm9bCksCJkuDOicGd
+      - CMD_OAUTH2_CLIENT_SECRET={{ keycloak_clients['hedgedoc']['client_secret'] }}
      - CMD_OAUTH2_SCOPE=openid email profile
      - CMD_OAUTH2_ROLES_CLAIM=roles
      - CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
@@ -0,0 +1,57 @@
 name: immich
 services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:release
    volumes:
      - /data/immich/upload:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    environment:
        DB_USERNAME: postgres
        DB_PASSWORD: HISTORY_PURGED_SECRET
        DB_DATABASE_NAME: immich 
    ports:
      - 2283:2283
    depends_on:
      - redis
      - database
    restart: always
  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:release
    volumes:
      - model-cache:/cache
    environment:
        DB_USERNAME: postgres
        DB_PASSWORD: HISTORY_PURGED_SECRET
        DB_DATABASE_NAME: immich 
    restart: always
  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0
    environment:
      POSTGRES_PASSWORD: {{ immich_pg_password }}
      POSTGRES_USER: postgres
      POSTGRES_DB: immich
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      - /data/immich/pgdata:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='immich' --username='postgres' || exit 1; Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command: ["postgres", "-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
    restart: always
 volumes:
  model-cache:
@@ -0,0 +1,33 @@
 input {
  beats {
    port => 5044
  }
 }
 output {
  if [fields][container_logs] {
    opensearch {
      hosts => ["https://atlantishq.de:9200"]
      index => "filebeat-containers-dev-%{+YYYY.MM.dd}"
      ssl_certificate_verification => false
      user => "logstash"
      password => "HISTORY_PURGED_SECRET"
    }
  }else if [fields][syslog] {
    opensearch {
      hosts => ["https://atlantishq.de:9200"]
      index => "filebeat-syslog-dev-%{+YYYY.MM.dd}"
      ssl_certificate_verification => false
      user => "logstash"
      password => "HISTORY_PURGED_SECRET"
    }
  }else{
    opensearch {
      hosts => ["https://atlantishq.de:9200"]
      index => "filebeat-dev-%{+YYYY.MM.dd}"
      ssl_certificate_verification => false
      user => "logstash"
      password => "HISTORY_PURGED_SECRET"
    }
  }
 }
@@ -0,0 +1,13 @@
 version: "3.8"
 services:
  logstash:
    restart: always
    image: opensearchproject/logstash-oss-with-opensearch-output-plugin:8.9.0
    container_name: logstash
    ports:
      - "5044:5044"
    volumes:
      - /data/logstash/config:/usr/share/logstash/config
      - /data/logstash/pipeline:/usr/share/logstash/pipeline
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
@@ -0,0 +1,2 @@
 http.host: "0.0.0.0"
 #xpack.monitoring.enabled: false
@@ -1,4 +1,3 @@
 version: "3"
 services:
  money-balancer:
    image: ghcr.io/dorianim/money-balancer
@@ -8,7 +7,7 @@ services:
    volumes:
      - /data/money-balancer:/data
    environment:
-      - MONEYBALANCER_JWT_SECRET=Opta7EkHqgBWUDZULVypcP8FCxw511
+      - MONEYBALANCER_JWT_SECRET={{ money_balancer_jwt_secret }}
      - MONEYBALANCER_AUTH_LOCAL_ENABLED=false
      - MONEYBALANCER_AUTH_PROXY_ENABLED=true
      - MONEYBALANCER_AUTH_PROXY_HEADERS_USERNAME=x-forwarded-preferred-username
@@ -0,0 +1,13 @@
 services:
  nginx:
    image: nginx:latest
    restart: always
    ports:
      - "5051:5051"
      - "5052:5052"
      - "5053:5053"
    volumes:
      - /opt/nginx-media-cdn/sites-enabled:/etc/nginx/conf.d
      - /opt/nginx-media-cdn/htpasswd:/etc/nginx/htpasswd_1
      - /data/nginx-media-cdn/cdn:/var/www/cdn
      - /data/nginx-media-cdn/media:/var/www/media
@@ -0,0 +1,37 @@
 services:
  ntfy:
    image: binwiederhier/ntfy
    container_name: ntfy
    command:
      - serve
    environment:
        NTFY_BASE_URL: "https://push.atlantishq.de"
        NTFY_BEHIND_PROXY: "true"
        NTFY_AUTH_FILE: "/userdb/user.db"
        NTFY_AUTH_DEFAULT_ACCESS: "deny-all"
    volumes:
      - /data/ntfy/cache/ntfy:/var/cache/ntfy
      - /data/ntfy/etc/ntfy:/etc/ntfy
      - /data/ntfy/userdb/:/userdb/
    ports:
      - 4001:80
    healthcheck: # optional: remember to adapt the host:port to your environment
        test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
        interval: 60s
        timeout: 10s
        retries: 3
        start_period: 40s
    restart: unless-stopped
  ntfy-api:
    image: harbor-registry.atlantishq.de/atlantishq/ntfy-api
    ports:
      - 4002:5000
    depends_on:
        - ntfy
    environment:
        ACCESS_TOKEN: {{ ntfy_api_access_token }}
        NTFY_AUTH_FILE: "/userdb/user.db"
    volumes:
      - /data/ntfy/userdb/:/userdb/
      - /data/ntfy/instance/:/app/instance/
    restart: unless-stopped
@@ -0,0 +1,2 @@
 - pipeline.id: main
  path.config: "/usr/share/logstash/pipeline/logstash.conf"
@@ -1,4 +1,5 @@
-potaris:
+services:
  potaris:
    ports:
        - 5003:5000
        - 5004:5000
@@ -1,4 +1,3 @@
 version: '3'
 services:
  image-factory:
    image: harbor-registry.atlantishq.de/atlantishq/atlantis-image-factory:latest
@@ -12,13 +12,13 @@ services:
      - resume
    environment:
      MINIO_ROOT_USER: minioadmin
-      MINIO_ROOT_PASSWORD: WGTVrFT73kwv0CbKa0PR
+      MINIO_ROOT_PASSWORD: {{ reactive_resume_minio_password }}
  db:
    image: postgres:13
    environment:
      - POSTGRES_USER=reactiveresume
-      - POSTGRES_PASSWORD=pwMOJntCfXdwF9ExnjNi
+      - POSTGRES_PASSWORD={{ reactive_resume_postgres_password }}
      - POSTGRES_DB=reactiveresume
    restart: always
    volumes:
@@ -65,11 +65,11 @@ services:
      CHROME_URL: ws://chrome:3000
      # -- Database (Postgres) --
-      DATABASE_URL: postgresql://reactiveresume:pwMOJntCfXdwF9ExnjNi@db:5432/postgres
+      DATABASE_URL: postgresql://reactiveresume:{{ reactive_resume_postgres_password }}@db:5432/postgres
      # -- Auth --
-      ACCESS_TOKEN_SECRET: 2EkPnUqJIE2EkPnUqJIE
+      ACCESS_TOKEN_SECRET: {{ reactive_resume_access_token }}
-      REFRESH_TOKEN_SECRET: cihib7NzMxcihib7NzMx
+      REFRESH_TOKEN_SECRET: {{ reactive_resume_refresh_token }}
      # -- Emails --
      MAIL_FROM: noreply@atlantishq.de
@@ -80,7 +80,7 @@ services:
      STORAGE_PORT: 9000
      STORAGE_BUCKET: default
      STORAGE_ACCESS_KEY: minioadmin
-      STORAGE_SECRET_KEY: WGTVrFT73kwv0CbKa0PR
+      STORAGE_SECRET_KEY: {{ reactive_resume_minio_password }}
      # -- Cache (Redis) --
      REDIS_URL: redis://default:password@redis:6379
@@ -1,5 +1,6 @@
-sector32:
+services:
  sector32:
    ports:
        - 5001:5000
-    image: registry.atlantishq.de/athq/sector32
+    image: harbor-registry.atlantishq.de/atlantishq/sector32
    restart: always
@@ -0,0 +1,6 @@
 services:
  serienampel:
    image: harbor-registry.atlantishq.de/atlantishq/serienampel:latest
    restart: always
    ports:
      - "5021:5000"
@@ -0,0 +1,34 @@
 name: Dispatcher Downtime
 hook_operations:
    - 5_minutes_downtime:
        location:
            url:
               - https://dispatcher.atlantishq.de/downtime
            method: "POST"
            args:
                token: "{{ notification_settings_access_token }}"
                minutes: 5
        client: false
    - 30_minutes_downtime:
        location:
            url:
               - https://dispatcher.atlantishq.de/downtime
            method: "POST"
            args:
                token: "{{ notification_settings_access_token }}"
                minutes: 30
        status_url: https://dispatcher.atlantishq.de/downtime
        client: false
    - 24_hours_downtime:
        location:
            url:
               - https://dispatcher.atlantishq.de/downtime
            method: "POST"
            args:
                token: "{{ notification_settings_access_token }}"
                minutes: 720
        client: false
 groups:
    - pki
@@ -1,4 +1,3 @@
 version: '3'
 services:
  soundlib:
    image: harbor-registry.atlantishq.de/atlantishq/atlantis-soundlib:latest
@@ -1,4 +1,5 @@
-tmnf-replay-server:
+services:
  tmnf-replay-server:
    image: harbor-registry.atlantishq.de/atlantishq/tmnf-replay-server:latest
    restart: always
    ports:
@@ -9,6 +10,4 @@ tmnf-replay-server:
    environment:
        SQLITE_LOCATION: sqlite:////app/data/sqlite.db
        DISPATCH_SERVER: {{ event_dispatcher_address }}
-        DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
+        DISPATCH_TOKEN: {{ event_dispatcher_pass }}
        DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
@@ -7,8 +7,8 @@ services:
    environment:
      - OR_PORT=20000
      - PT_PORT=20001
-      - EMAIL=nobody@nowhere.com
+      - EMAIL={{ tor_bridge_email }}
-      - NICKNAME=nowhere
+      - NICKNAME={{ tor_bridge_name }}
      - OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
      - OBFS4V_AddressDisableIPv6=1
      # - OBFS4V_PublishServerDescriptor=0
@@ -0,0 +1,65 @@
 ersion: '3.5'
 services:
  tubearchivist:
    container_name: tubearchivist
    restart: unless-stopped
    image: bbilly1/tubearchivist
    ports:
      - 8000:8000
    volumes:
      - media:/youtube
      - cache:/cache
    environment:
      - ES_URL=http://archivist-es:9200     # needs protocol e.g. http and port
      - REDIS_HOST=archivist-redis          # don't add protocol
      - HOST_UID=1000
      - HOST_GID=1000
      - TA_HOST=tubearchivist.local         # set your host name
      - TA_USERNAME=tubearchivist           # your initial TA credentials
      - TA_PASSWORD=verysecret              # your initial TA credentials
      - ELASTIC_PASSWORD={{ tube_archivist_elasticsearch_password }}
      - TZ=Europe/Berlin                 # set your time zone
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 2m
      timeout: 10s
      retries: 3
      start_period: 30s
    depends_on:
      - archivist-es
      - archivist-redis
  archivist-redis:
    image: redis/redis-stack-server
    container_name: archivist-redis
    restart: unless-stopped
    expose:
      - "6379"
    volumes:
      - redis:/data
    depends_on:
      - archivist-es
  archivist-es:
    image: bbilly1/tubearchivist-es         # only for amd64, or use official es 8.14.3
    container_name: archivist-es
    restart: unless-stopped
    environment:
      - "ELASTIC_PASSWORD={{ tube_archivist_elasticsearch_password }}"
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      - "xpack.security.enabled=true"
      - "discovery.type=single-node"
      - "path.repo=/usr/share/elasticsearch/data/snapshot"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - es:/usr/share/elasticsearch/data    # check for permission error when using bind mount, see readme
    expose:
      - "9200"
 volumes:
  media:
  cache:
  redis:
  es:
@@ -0,0 +1,4 @@
 - name: restart filebeat
  systemd:
    name: filebeat
    state: restarted
@@ -0,0 +1,40 @@
 ---
 - name: Add Elastic GPG key
  ansible.builtin.apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
 - name: Ensure apt-transport-https is installed
  ansible.builtin.apt:
    name: apt-transport-https
    state: present
    update_cache: yes
 - name: Add Elastic repository (OSS package)
  ansible.builtin.copy:
    dest: /etc/apt/sources.list.d/elastic-8.x.list
    content: "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main\n"
    owner: root
    group: root
    mode: '0644'
 - name: Update apt cache
  ansible.builtin.apt:
    update_cache: yes
 - name: Install Filebeat
  ansible.builtin.apt:
    name: filebeat
    state: present
 - name: Enable Filebeat to start on boot
  ansible.builtin.systemd:
    name: filebeat
    enabled: yes
 - name: copy filebeat config
  template:
    src: filebeat.yml
    dest: /etc/filebeat/filebeat.yml
  notify:
    - restart filebeat
@@ -0,0 +1,50 @@
 logging.level: error
 filebeat.inputs:
 - type: filestream
  id: kube1-var-log
  enabled: true
  paths:
    - /var/log/syslog
  fields:
    syslog: true
  processors:
    - syslog:
        field: message
 - type: log
  paths:
    - "/var/lib/docker/containers/*/*.log"
  json.keys_under_root: true
  json.add_error_key: true
  json.overwrite_keys: true
  fields:
    container_logs: true
  processors:
    - dissect:
        tokenizer: '{"test": %{json_data}}'
        field: message
        target_prefix: ""
        ignore_failure: true
 filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
 setup.template.settings:
  index.number_of_shards: 1
 setup.kibana:
 output.logstash:
  hosts: ["192.168.122.1:5044"]
 processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_fields:
      fields: ["host.ip", "host.mac"]
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
@@ -30,6 +30,11 @@
    name: dovecot
    state: restarted
 - name: reload nginx
  systemd:
    name: nginx
    state: reloaded
 - name: restart nginx
  systemd:
    name: nginx
@@ -45,11 +50,21 @@
    name: opendkim
    state: restarted
 - name: restart docker
  systemd:
    name: docker
    state: restarted
 - name: restart slapd
  systemd:
    name: slapd-custom
    state: restarted
 - name: restart php-fpm
  systemd:
    name: php8.2-fpm
    state: restarted
 - name: daemon reload
  systemd:
    daemon-reload: yes
@@ -5,7 +5,7 @@
  "oidc_groups_claim": "groups",
  "oidc_admin_group": "pki",
  "oidc_client_id": "z_harbor",
-  "oidc_client_secret": "TODO MUST BE SET",
+  "oidc_client_secret": "{{ keycloak_clients['harbor']['client_secret'] }}",
  "oidc_scope": "openid,email,profile",
  "oidc_verify_cert": "true",
  "oidc_auto_onboard": "true",
@@ -0,0 +1,522 @@
 # Calico Version v3.3.7
 # https://docs.projectcalico.org/v3.3/releases#v3.3.7
 # This manifest includes the following component versions:
 #   calico/node:v3.3.7
 #   calico/cni:v3.3.7
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: calico-config
  namespace: kube-system
 data:
  # To enable Typha, set this to "calico-typha" *and* set a non-zero value for Typha replicas
  # below.  We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is
  # essential.
  typha_service_name: "none"
  # Configure the Calico backend to use.
  calico_backend: "bird"
  # Configure the MTU to use
  veth_mtu: "1440"
  # The CNI network configuration to install on each node.  The special
  # values in this config will be automatically populated.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }
 ---
 # This manifest creates a Service, which will be backed by Calico's Typha daemon.
 # Typha sits in between Felix and the API server, reducing Calico's load on the API server.
 apiVersion: v1
 kind: Service
 metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
 spec:
  ports:
    - port: 5473
      protocol: TCP
      targetPort: calico-typha
      name: calico-typha
  selector:
    k8s-app: calico-typha
 ---
 # This manifest creates a Deployment of Typha to back the above service.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
 spec:
  # Number of Typha replicas.  To enable Typha, set this to a non-zero value *and* set the
  # typha_service_name variable in the calico-config ConfigMap above.
  #
  # We recommend using Typha if you have more than 50 nodes.  Above 100 nodes it is essential
  # (when using the Kubernetes datastore).  Use one replica for every 100-200 nodes.  In
  # production, we recommend running at least 3 replicas to reduce the impact of rolling upgrade.
  replicas: 0
  revisionHistoryLimit: 2
  template:
    metadata:
      labels:
        k8s-app: calico-typha
      annotations:
        # This, along with the CriticalAddonsOnly toleration below, marks the pod as a critical
        # add-on, ensuring it gets priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        scheduler.alpha.kubernetes.io/critical-pod: ''
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
      # Since Calico can't network a pod until Typha is up, we need to run Typha itself
      # as a host-networked pod.
      serviceAccountName: calico-node
      containers:
      - image: calico/typha:v3.3.7
        name: calico-typha
        ports:
        - containerPort: 5473
          name: calico-typha
          protocol: TCP
        env:
          # Enable "info" logging by default.  Can be set to "debug" to increase verbosity.
          - name: TYPHA_LOGSEVERITYSCREEN
            value: "info"
          # Disable logging to file and syslog since those don't make sense in Kubernetes.
          - name: TYPHA_LOGFILEPATH
            value: "none"
          - name: TYPHA_LOGSEVERITYSYS
            value: "none"
          # Monitor the Kubernetes API to find the number of running instances and rebalance
          # connections.
          - name: TYPHA_CONNECTIONREBALANCINGMODE
            value: "kubernetes"
          - name: TYPHA_DATASTORETYPE
            value: "kubernetes"
          - name: TYPHA_HEALTHENABLED
            value: "true"
          # Uncomment these lines to enable prometheus metrics.  Since Typha is host-networked,
          # this opens a port on the host, which may need to be secured.
          #- name: TYPHA_PROMETHEUSMETRICSENABLED
          #  value: "true"
          #- name: TYPHA_PROMETHEUSMETRICSPORT
          #  value: "9093"
        livenessProbe:
          exec:
            command:
            - calico-typha
            - check
            - liveness
          periodSeconds: 30
          initialDelaySeconds: 30
        readinessProbe:
          exec:
            command:
            - calico-typha
            - check
            - readiness
          periodSeconds: 10
 ---
 # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
 spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: calico-typha
 ---
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
 # each master and worker node in a Kubernetes cluster.
 kind: DaemonSet
 apiVersion: extensions/v1
 metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
 spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # This, along with the CriticalAddonsOnly toleration below,
        # marks the pod as a critical add-on, ensuring it gets
        # priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node.  This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: calico/node:v3.3.7
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Typha support: controlled by the ConfigMap.
            - name: FELIX_TYPHAK8SSERVICENAME
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: typha_service_name
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # Enable IPIP
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            - name: CALICO_IPV4POOL_CIDR
              value: "10.10.0.0/18"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
              host: localhost
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
              - /bin/calico-node
              - -bird-ready
              - -felix-ready
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: calico/cni:v3.3.7
          command: ["/install-cni.sh"]
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # Set the hostname based on the k8s node name.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # CNI MTU Config variable
            - name: CNI_MTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calico-node
  namespace: kube-system
 ---
 # Create all the CustomResourceDefinitions needed for
 # Calico policy and networking mode.
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: felixconfigurations.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: bgppeers.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPPeer
    plural: bgppeers
    singular: bgppeer
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: bgpconfigurations.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: ippools.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: hostendpoints.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: clusterinformations.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: globalnetworksets.crd.projectcalico.org
 spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: networkpolicies.crd.projectcalico.org
 spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy
@@ -0,0 +1,19 @@
 disabled_plugins = []
 #root = "/var/lib/containerd"
 #state = "/run/containerd"
 #subreaper = true
 #oom_score = 0
 #[grpc]
 #  address = "/run/containerd/containerd.sock"
 #  uid = 0
 #  gid = 0
 #[debug]
 #  address = "/run/containerd/debug.sock"
 #  uid = 0
 #  gid = 0
 #  level = "info"
 [plugins."io.containerd.grpc.v1.cri"]
  systemd_cgroup = true
@@ -0,0 +1,17 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: admin-user
  namespace: kube-system	
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: admin-user
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: admin-user
  namespace: kube-system
@@ -0,0 +1,92 @@
 # Calico Version v3.3.7
 # https://docs.projectcalico.org/v3.3/releases#v3.3.7
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: calico-node
 rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - services
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - clusterinformations
      - hostendpoints
    verbs:
      - create
      - get
      - list
      - update
      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: calico-node
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
 subjects:
 - kind: ServiceAccount
  name: calico-node
  namespace: kube-system
@@ -0,0 +1,155 @@
 - name: include services ports
  include_vars: kubernetes.yaml
 - name: Configure K8S Master Block
  block:
  - name: Initialise the Kubernetes cluster using kubeadm
    become: true
    command: kubeadm init --apiserver-advertise-address={{ ansible_default_ipv4.address }} --pod-network-cidr={{ k8s_pod_network }}
    args:
      creates: "{{ k8s_admin_config }}"
  - name: Wait for apiserver to become ready
    wait_for:
      port: 6443
      sleep: 10
  - name: Setup kubeconfig for {{ k8s_user }} user
    file:
      path: "{{ k8s_user_home }}/.kube"
      state: directory
      owner: "{{ k8s_user }}"
      group: "{{ k8s_user }}"
      mode: "0750"
  - name: Copy {{ k8s_admin_config }}
    become: true
    copy:
      src: "{{ k8s_admin_config }}"
      dest: "{{ k8s_user_home }}/.kube/config"
      owner: "{{ k8s_user }}"
      group: "{{ k8s_user }}"
      mode: "0640"
      remote_src: yes
              #  - name: Copy {{ calico_rbac_config }}
              #    copy:
              #      src: "{{ calico_rbac_config }}"
              #      dest: "{{ k8s_user_home }}/{{ calico_rbac_config }}"
              #      owner: "{{ k8s_user }}"
              #      group: "{{ k8s_user }}"
              #      mode: "0640"
              #  
              #  - name: Copy {{ calico_net_url }}
              #    copy:
              #      src: "{{ calico_net_config }}"
              #      dest: "{{ k8s_user_home }}/{{ calico_net_config }}"
              #      owner: "{{ k8s_user }}"
              #      group: "{{ k8s_user }}"
              #      mode: "0640"     
              #
              #  - name: Set CALICO_IPV4POOL_CIDR to {{ k8s_pod_network }}
              #    replace:
              #      path: "{{ k8s_user_home }}/{{ calico_net_config }}"
              #      regexp: "192.168.0.0/16"
              #      replace: "{{ k8s_pod_network }}"
  - name: Download Dashboard
    get_url:
      url: "{{ dashboard_url }}"
      dest: "{{ k8s_user_home }}/{{ dashboard_config }}"
      owner: "{{ k8s_user }}"
      group: "{{ k8s_user }}"
      mode: "0640"     
              #  - name: Install calico pod network {{ calico_rbac_config }}
              #    remote_user: false
              #    remote_user: "{{ k8s_user }}"
              #    command: kubectl apply -f "{{ k8s_user_home }}/{{ calico_rbac_config }}"
              #  
              #  - name: Install calico pod network {{ calico_net_config }}
              #    become: false
              #    remote_user: "{{ k8s_user }}"
              #    command: kubectl apply -f "{{ k8s_user_home }}/{{ calico_net_config }}"
  - name: Install K8S dashboard {{ dashboard_config }}
    become: false
    remote_user: "{{ k8s_user }}"
    command: kubectl apply -f "{{ k8s_user_home }}/{{ dashboard_config }}"
  - name: Create service account
    become: false
    remote_user: "{{ k8s_user }}"
    command: kubectl create serviceaccount dashboard -n default
    ignore_errors: yes
  - name: Create cluster role binding dashboard-admin
    remote_user: "{{ k8s_user }}"
    become: false
    command: kubectl create clusterrolebinding dashboard-admin -n default --clusterrole=cluster-admin --serviceaccount=default:dashboard
    ignore_errors: yes
  - name: Create {{ k8s_dashboard_adminuser_config }} for service account
    copy:
      src: "files/{{ k8s_dashboard_adminuser_config }}"
      dest: "{{ k8s_user_home }}/{{ k8s_dashboard_adminuser_config }}"
      owner: "{{ k8s_user }}"
      group: "{{ k8s_user }}"
      mode: "0640"
  - name: Create service account
    become: false
    remote_user: "{{ k8s_user }}"
    command: kubectl apply -f "{{ k8s_user_home }}/{{ k8s_dashboard_adminuser_config }}"
    ignore_errors: yes
  - name: Create cluster role binding cluster-system-anonymous
    become: false
    remote_user: "{{ k8s_user }}"
    command: kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
    ignore_errors: yes
  - name: Test K8S dashboard and wait for HTTP 200
    uri:
      url: "{{ k8s_dashboard_url }}"
      status_code: 200
      validate_certs: no
    ignore_errors: yes
    register: result_k8s_dashboard_page
    retries: 10
    delay: 6
    until: result_k8s_dashboard_page is succeeded
  - name: K8S dashboard URL
    debug:
      var: k8s_dashboard_url
  - name: Generate join command
    command: kubeadm token create --print-join-command
    register: join_command
  - name: Copy join command to local file
    become: false
    remote_user: "{{ k8s_user }}"
    copy:
        content: "{{ join_command.stdout_lines[0] }}"
        dest: "{{ k8s_token_file }}"
    delegate_to: localhost
  when: is_k8s_master is defined and is_k8s_master
 - name: Configure K8S Node Block
  block:
  - name: Copy {{ k8s_token_file }} to server location
    copy: 
      src: "{{ k8s_token_file }}"
      dest: "{{ k8s_user_home }}/{{ k8s_token_file }}.sh"
      owner: "{{ k8s_user }}"
      group: "{{ k8s_user }}"
      mode: "0750"
  - name: Join the node to cluster unless file {{ k8s_kubelet_config }} exists
    become: true
    command: sh "{{ k8s_user_home }}/{{ k8s_token_file }}.sh"
    args:
      creates: "{{ k8s_kubelet_config }}"
  when: is_k8s_node is defined and is_k8s_node
@@ -0,0 +1,37 @@
 - name: Debian | Configure Sysctl
  sysctl:
    name: "net.ipv4.ip_forward"
    value: "1"
    state: present
 - name: Fix CRI Plugin containerd config
  copy:
    src: containerd.toml
    dest: /etc/containerd/containerd.toml
    mode: 0644
  notify: restart docker
 - name: Debian | Add GPG Key
  apt_key:
    url: "https://packages.cloud.google.com/apt/doc/apt-key.gpg"
 - name: Debian | Add Kubernetes Repository
  apt_repository: 
    repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
    update_cache: yes
 - name: Debian | Install Dependencies
  apt:
      pkg:
        - kubernetes-cni
        - kubelet
      state: present
 - name: Debian | Install Kubernetes
  apt:
      pkg:
        - kubeadm
        - kubectl
      state: present
 - include: cluster_setup.yaml
@@ -1 +1,9 @@
-noreply:{SHA512-CRYPT}$6$XXXXXXXXXXXXXXXXXXXuse this: $(mkpasswd -msha512crypt)XXXXX:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
+sheppy:{SHA512-CRYPT}$6$Vrwtoe79Xa4jbghz$QFQI7P/j7k1sFeaQg.KBXjqs3F3S6H0u14kkd8GYrVV1mf2eblYC0rAVcAho.j8Axd1CyDpGQxri3HMC54CAr/:106:113::/var/dovecot/sheppy::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 joerg:{SHA512-CRYPT}$6$x0nQ/K7W2KzI$xjidl.uf7a5uI0DStTGGujUP1XZblKctZLxVtvpIuv9NGuuZ5BnTBUeAWDJkBXkUsskbWuxUgt1RJcEoSuIc./:106:113::/var/dovecot/darknet::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 yannik.schmidt:{SHA512-CRYPT}$6$Vrwtoe79Xa4jbghz$QFQI7P/j7k1sFeaQg.KBXjqs3F3S6H0u14kkd8GYrVV1mf2eblYC0rAVcAho.j8Axd1CyDpGQxri3HMC54CAr/:106:113::/var/dovecot/yannik.schmidt::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 kathi:{SHA512-CRYPT}$6$AiHMofDe6i5huwb7$seYE1LIvoq8zJd1GL0lj3EkPf1BeI156ja/scPCExYJvNNz9y9xZqJ6LlY3DQPHINTU7JuUFgyPAzTPHnCmoE1:106:113::/var/dovecot/kathi::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=100M
 check:{SHA512-CRYPT}$6$004oR5.gn4nRsfM0$G8D5ZW7s6OueAwMZgj//jPgNAuXp4N0v6sXmvohSwwZPYUJaSegtf1fhg2V5.mPjjmkww0PV4Ny6/aj9tZLVe1:106:113::/var/dovecot/check::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 ths-nas:{SHA512-CRYPT}$6$UAlpqf8tDKL.IBQj$r9j/xurvOrzmvWDJ.Ain8855HH9.pECQGr9mPuHorGYxrHXDMSPO/8t.HaHGXbq84UqV46qebFQi2v0SX6O8C.:106:113::/var/dovecot/check::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 spamsink:{SHA512-CRYPT}$6$GVfeeL.8ObPDcfN3$.E8MTpHZZUivgwUutq4FHqIH8ra4MZ10/lLx74o4ssGuC/Yrgjbx0vl05aOe5iq6fD9hqu.5bYXWhVt3/O5pU1:106:113::/var/dovecot/spamsink::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 noreply:{SHA512-CRYPT}$6$BexmD9kCiVyjyDEf$XVfJZh3mm5ed6e68feWUBiaFEOBlaq1aYGwZ/rs8bkQpaTlFkouNMB7TkeVwMMsipDQz.DpXziuBls6b0e1wE/:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
 alexander.schmidt:{SHA512-CRYPT}$y$j9T$/Vsucd.N.8AJJKGsZ/e./0$N5yBhGq3RAGpy5Lih/Vfx7oRU1sfOJkGHDgZM9udeo6:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
@@ -1,9 +0,0 @@
 # Sender adress       the               user          may use :)
 sheppy@atlantishq.de                    sheppy@atlantishq.de
 ths-nas@atlantishq.de                   ths-nas@atlantishq.de
 joerg@darknet-fashion.de                joerg@darknet-fashion.de
 yannik.schmidt@potaris.de               yannik.schmidt@potaris.de
 noreply@atlantishq.de                   noreply@atlantishq.de
@darknet-fashion.de                     joerg
@darknet-fashion.com                    joerg
@atlantishq.de                          sheppy
@@ -31,7 +31,7 @@ http {
    ssl_certificate         /etc/letsencrypt/live/atlantishq.de/fullchain.pem;
 	ssl_certificate_key     /etc/letsencrypt/live/atlantishq.de/privkey.pem;
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;
 	##
@@ -1 +0,0 @@
 test@atlantishq.de sheppy@atlantishq.de
@@ -0,0 +1,2 @@
 cat "${1}" | sudo -H -u debian-spamd spamassassin --test-mode --local --cf="bayes_auto_learn 0" \
 --cf='add_header all Spam-Tokens-Spammy _SPAMMYTOKENS(20,compact)_'  --cf='add header all Spam-Tokens-Hammy _HAMMYTOKENS(20,compact)_' | less
@@ -0,0 +1,12 @@
 set e
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --spam /var/dovecot/spamsink/Maildir/cur/
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.2024
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.freelancermap
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Trash
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Archives.2024
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Trash
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.Ferchau\ -\ G\&APw-nther\ Anlagen/
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.SINC-AfA/
 sudo -u spamd sa-compile
 systemctl restart spamassassin.service
 mv /var/dovecot/spamsink/Maildir/cur/* /var/dovecot/spamsink/Maildir/.Learned/
@@ -0,0 +1,76 @@
 include /usr/share/spamassassin/
 ifplugin Mail::SpamAssassin::Plugin::AskDNS
 askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
 askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
 askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
 meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
 score DMARC_REJECT 10
 meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
 score DMARC_QUAR 3
 meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
 score DMARC_NONE 2
 endif # Mail::SpamAssassin::Plugin::AskDNS
 score DKIM_INVALID 5
 header      LOCAL_FROM_TLD_BASE  From   =~ /@[a-z0-9\-\.]+\.*/i
 describe    LOCAL_FROM_TLD_BASE         Match any Domain
 score       LOCAL_FROM_TLD_BASE 2
 header      LOCAL_FROM_TLD  From   =~ /@[a-z0-9\-\.]+\.(de|com|org)[>\s]*\z/i
 describe    LOCAL_FROM_TLD         Match standard domains
 score       LOCAL_FROM_TLD  -3
 header      OBFUSCATED_FROM_TLD  From   =~ /@[a-z0-9\-\.]+\.(de|com|org)\..+/i
 describe    OBFUSCATED_FROM_TLD         Obfuscation attempt in FROM TLD
 score       OBFUSCATED_FROM_TLD  5
 header      MAIL_CHIMP_MARKETING  Return-Path =~ /@.*bounce-mc.+/i
 describe    MAIL_CHIMP_MARKETING         Mailchimp Marketing Lists
 score       MAIL_CHIMP_MARKETING  5
 header UTF_BASE64_SUBJECT Subject =~ /.*=\?utf-[0-9]+\?.*/i
 describe UTF_BASE64_SUBJECT UTF_X base64 encoded subject
 score    UTF_BASE64_SUBJECT 1
 score HTML_MESSAGE 1
 score URIBL_ABUSE_SURBL 5
 score HTML_IMAGE_ONLY_24 2
 score HTML_IMAGE_ONLY_28 2
 score HTML_IMAGE_RATIO_02 2
 score BAYES_999 0.8
 # Bayes
 use_bayes 1
 use_bayes_rules 1
 bayes_auto_learn 0
 bayes_file_mode 0660
 bayes_path /etc/spamassassin/bayes/bayes
 bayes_file_mode 0770
 bayes_min_ham_num 40
 bayes_min_spam_num 40
 bayes_ignore_header X-Bogosity
 bayes_ignore_header X-Spam-Flag
 bayes_ignore_header X-Spam-Status
 required_hits 3.1
 clear_report_template
 report Hello!
 report This is the atlantis-mailsystem reporting in. This mail is likely spam. Proceed with maximum caution.
 report
 report Content analysis details:   (_SCORE_ points, _REQD_ required)
 report
 report " pts rule name              description"
 report  ---- ---------------------- --------------------------------------------------
 report _SUMMARY_
@@ -1,38 +0,0 @@
 # you can also so this: test-second-account@atlantishq.de test@atlantishq.de
 # which will give all incoming mails of test-second-account to test (sorta obvious)
 # IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
 # user@atlantishq.de user@esports-erlangen.de
 # every user will get emails from both domains
 # If a user also wants to _SEND_ mails, he also have to have an
 # entry in the /etc/postfix/enabled-senders
 # CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
 # postmap FILENAME
 # CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
 # sheppy
 insurgency@atlantishq.de    sheppy@atlantishq.de
 yannik@atlantishq.de        sheppy@atlantishq.de
 tac@atlantishq.de           sheppy@atlantishq.de
 uplay@atlantishq.de         sheppy@atlantishq.de
 #yannik.schmidt@potaris.de   sheppy@atlantishq.de
 acc@atlantishq.de           sheppy@atlantishq.de
 mail@potaris.de	    	    yannik.schmidt@potaris.de
 sector32@potaris.de	        yannik.schmidt@potaris.de
 root@atlantishq.de          sheppy@atlantishq.de
 trackmania-2@atlantishq.de  sheppy@atlantishq.de
 maria@atlantishq.de         mondauge@icloud.com
 steam-potaris-1@atlantishq.de sheppy@atlantishq.de
 steam-potaris-2@atlantishq.de sheppy@atlantishq.de
 steam-potaris-3@atlantishq.de sheppy@atlantishq.de
 # michy
 ipatix@atlantishq.de        michael.panzlaff@fau.de
 # catchall
 #@atlantishq.de       root@atlantishq.de
 #@esports-erlangen.de root@atlantishq.de
@darknet-fashion.com        joerg@darknet-fashion.de
@darknet-fashion.de         joerg@darknet-fashion.de
@@ -0,0 +1,11 @@
 - name: postmap all
  shell:
    cmd: "/usr/sbin/postmap {{ item }}"
    chdir: "/etc/postfix/"
  with_items:
    - sender_access
    - enabled_senders
    - sender_blacklist
    - tls_policy
    - transport
    - virtual
@@ -12,7 +12,7 @@
    state: present
 - name: Deploy Postfix config
-  copy:
+  template:
    src: "{{ item }}"
    dest: "/etc/postfix/{{ item }}"
  with_items:
@@ -20,13 +20,15 @@
    - enabled_senders
    - main.cf
    - master.cf
    - relocated
    - sender_blacklist
    - tls_policy
    - transport
    - virtual
    - header_checks
-  notify: restart postfix
+    - sender_access
  notify:
    - postmap all
    - restart postfix
 - name: Deploy dmark/opendkim config (main)
  copy:
@@ -86,3 +88,15 @@
    owner: dovecot
    group: dovecot
  notify: restart dovecot
 - name: Deploy spam learning script
  template:
    src: spam.sh
    dest: /root/spam.sh
 - name: Add cronjob for reloading certs and config every night
  cron:
    minute: "0"
    hour: "1"
    name: reload_postfix_dovecot
    job: /usr/bin/systemctl reload postfix.service dovecot.service
@@ -0,0 +1,6 @@
 # Sender adress       the               user          may use :)
 {% for key, value in mail_enabled_senders.items() %}
 {{ key }} {{ value }}
 {% endfor %}
@atlantishq.de sheppy
@@ -6,6 +6,7 @@ append_dot_mydomain = no
 # delay_warning_time = 10h
 queue_directory = /var/spool/postfix
 maximal_queue_lifetime = 2d
 # TLS parameters
 smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
@@ -53,7 +54,7 @@ smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
 smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
 #smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
 #smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
-smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
+smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,check_sender_access hash:/etc/postfix/sender_access,permit_sasl_authenticated
 # USER mappings (not reliant on unix users)
@@ -0,0 +1 @@
 test@atlantishq.de HISTORY_PURGED_SECRET
@@ -0,0 +1 @@
 rejected-send@atlantishq.de REJECT
@@ -7,5 +7,9 @@ zapingers.autos    REJECT
 cleverep.com       REJECT
 .ru                REJECT
 allsip.ru          REJECT
 clickup.com        REJECT
 secureserver.net   REJECT
 pillenstein.de     REJECT
 ayoryor.com        REJECT
 sina.buffy@avantgarde-experts.de OK
 .avantgarde-experts.de OK
@@ -0,0 +1,16 @@
 #!/bin/bash
 set e
 sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --spam /var/dovecot/spamsink/Maildir/cur/
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.2024
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.freelancermap
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Trash
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Archives.2024
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Trash
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.Ferchau\ -\ G\&APw-nther\ Anlagen/
 #sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.SINC-AfA/
 chmod a+r -R /etc/spamassassin/bayes/bayes_journal
 sudo -u spamd sa-compile
 chmod a+r -R /etc/spamassassin/bayes/bayes_journal
 systemctl restart spamd.service
 mv /var/dovecot/spamsink/Maildir/cur/* /var/dovecot/spamsink/Maildir/.Learned/
@@ -0,0 +1,17 @@
 # you can also so this: test-second-account@atlantishq.de test@atlantishq.de
 # which will give all incoming mails of test-second-account to test (sorta obvious)
 # IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
 # user@atlantishq.de user@esports-erlangen.de
 # every user will get emails from both domains
 # If a user also wants to _SEND_ mails, he also have to have an
 # entry in the /etc/postfix/enabled-senders
 # CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
 # postmap FILENAME
 # CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
 {% for ingress_mail, target in mail_virtual_transport.items() %}
 {{ ingress_mail }} {{ target }}
 {% endfor %}
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`APT::Periodic::Update-Package-Lists "1";`
							`APT::Periodic::Unattended-Upgrade "1";`
		`@@ -0,0 +1,2 @@`
							`kathi:$y$j9T$HISTORY_PURGED_SECRET`
							`sheppy:$y$HISTORY_PURGED_SECRET`
		`@@ -0,0 +1,2 @@`
							`http.host: "0.0.0.0"`
							`#xpack.monitoring.enabled: false`
		`@@ -0,0 +1,2 @@`
							`- pipeline.id: main`
							`path.config: "/usr/share/logstash/pipeline/logstash.conf"`
		`@@ -0,0 +1,2 @@`
							`cat "${1}" \| sudo -H -u debian-spamd spamassassin --test-mode --local --cf="bayes_auto_learn 0" \`
							`--cf='add_header all Spam-Tokens-Spammy _SPAMMYTOKENS(20,compact)_' --cf='add header all Spam-Tokens-Hammy _HAMMYTOKENS(20,compact)_' \| less`