add shortener

playbooks/apps/all.yaml

@@ -5,10 +5,17 @@
 - import_playbook: checkout.yaml # noqa: name[play]
 - import_playbook: code.yaml # noqa: name[play]
 - import_playbook: collabora.yaml # noqa: name[play]
+- import_playbook: display.yaml # noqa: name[play]
+- import_playbook: ghost-config.yaml # noqa: name[play]
 - import_playbook: ghost-update.yaml # noqa: name[play]
 - import_playbook: gitea.yaml # noqa: name[play]
 - import_playbook: goatcounter.yaml # noqa: name[play]
 - import_playbook: lyon-transports.yaml # noqa: name[play]
 - import_playbook: manuels.yaml # noqa: name[play]
+- import_playbook: media.yaml # noqa: name[play]
+- import_playbook: miniflux.yaml # noqa: name[play]
+- import_playbook: portainer.yaml # noqa: name[play]
+- import_playbook: privatebin.yaml # noqa: name[play]
+- import_playbook: shortener.yaml # noqa: name[play]
 - import_playbook: test_headers.yaml # noqa: name[play]
 - import_playbook: wallabag.yaml # noqa: name[play]

playbooks/apps/display.yaml

@@ -0,0 +1,24 @@
+---
+- name: Display
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Fix git config
+      community.general.git_config:
+        scope: global
+        name: merge.conflictstyle
+        value: diff3
+    - name: Pull git repo
+      ansible.builtin.git:
+        executable: /usr/bin/git
+        repo: https://git.augendre.info/gaugendre/display.git
+        dest: "{{ dir }}/sources"
+        version: HEAD # noqa: latest[git] # we want the latest revision
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: display
+    docker_build: always
+    dir: /mnt/data/{{ docker_app_name }}

playbooks/apps/files/display/docker-compose.yaml

@@ -0,0 +1,7 @@
+services:
+  app:
+    build:
+      context: sources
+    restart: always
+    ports:
+      - "9010:80"

playbooks/apps/files/display/update

@@ -0,0 +1,3 @@
+#!/bin/bash
+git -C ./sources pull
+docker compose --ansi never up -d --build

playbooks/apps/files/media/common.env

@@ -0,0 +1,3 @@
+PUID=1000
+PGID=1000
+TZ=Europe/Paris

playbooks/apps/files/media/docker-compose.yaml

@@ -0,0 +1,68 @@
+services:
+  plex:
+    image: plexinc/pms-docker:plexpass
+    restart: always
+    env_file: plex.env
+    ports:
+      - "9003:32400"
+#      - "32400:32400/tcp"
+#      - "3005:3005/tcp"
+#      - "8324:8324/tcp"
+#      - "32469:32469/tcp"
+#      - "1900:1900/udp"
+#      - "32410:32410/udp"
+#      - "32412:32412/udp"
+#      - "32413:32413/udp"
+#      - "32414:32414/udp"
+    volumes:
+      - ./plex/config:/config
+      - ./plex/transcode:/transcode
+      - ./data:/data
+  transmission:
+    image: lscr.io/linuxserver/transmission:latest
+    restart: always
+    env_file: transmission.env
+    volumes:
+      - ./transmission:/config
+      - ./data:/data
+    mem_limit: 2g
+    ports:
+      - "9004:9091"
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:latest
+    restart: always
+    env_file: common.env
+    volumes:
+      - ./sonarr:/config
+      - ./data:/data
+    mem_limit: 1g
+    ports:
+      - "9005:8989"
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:latest
+    restart: always
+    env_file: common.env
+    volumes:
+      - ./prowlarr:/config
+    mem_limit: 1g
+    ports:
+      - "9006:9696"
+  radarr:
+    image: lscr.io/linuxserver/radarr:latest
+    restart: always
+    env_file: common.env
+    volumes:
+      - ./radarr:/config
+      - ./data:/data
+    mem_limit: 1g
+    ports:
+      - "9007:7878"
+  unpackerr:
+    image: golift/unpackerr
+    volumes:
+      - ./data:/data
+    restart: always
+    user: 1000:1000
+    env_file: unpackerr.env
+    mem_limit: 2g
+    cpus: 2

playbooks/apps/files/miniflux/docker-compose.yaml

@@ -0,0 +1,19 @@
+services:
+  miniflux:
+    image: miniflux/miniflux:latest
+    restart: always
+    env_file: miniflux.env
+    depends_on:
+      - db
+    healthcheck:
+      test: ["CMD", "/usr/bin/miniflux", "-healthcheck", "auto"]
+    mem_limit: 512m
+    ports:
+      - "8008:3298"
+  db:
+    image: postgres:15
+    restart: always
+    env_file: postgres.env
+    volumes:
+      - ./db_data:/var/lib/postgresql/data
+    mem_limit: 512m

playbooks/apps/files/portainer/docker-compose.yaml

@@ -0,0 +1,9 @@
+services:
+  portainer:
+    image: portainer/portainer-ee:latest
+    restart: always
+    volumes:
+      - ./portainer_data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9443"

playbooks/apps/files/privatebin/conf.php

@@ -0,0 +1,181 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+; name = "PrivateBin"
+
+; The full URL, with the domain name and directories that point to the PrivateBin files
+; This URL is essential to allow Opengraph images to be displayed on social networks
+; basepath = ""
+
+; enable or disable the discussion feature, defaults to true
+discussion = false
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the password feature, defaults to true
+password = true
+
+; enable or disable the file upload feature, defaults to false
+fileupload = false
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = false
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "plaintext"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+sizelimit = 10485760
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "bootstrap"
+
+; (optional) info text to display
+; use single, instead of double quotes for HTML attributes
+;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
+
+; (optional) notice to display
+; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = false
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+; languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new paste is created
+; it is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+; qrcode = true
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might be
+; used to get the IP of a non anonymous comment poster if the server salt is
+; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values: "none" / "vizhash" / "identicon" (default).
+; icon = "none"
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - If you use a bootstrap theme, you can remove the allow-popups from the
+;   sandbox restrictions.
+; - By default this disallows to load images from third-party servers, e.g. when
+;   they are embedded in pastes. If you wish to allow that, you can adjust the
+;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+;   for details.
+; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+;   async functions and display an error if not and for Chrome to enable
+;   webassembly support (used for zlib compression). You can remove it if Chrome
+;   doesn't need to be supported and old browsers don't need to be warned.
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+; zerobincompatibility = false
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+; httpwarning = true
+
+; Pick compression algorithm or disable it. Only applies to pastes/comments
+; created after changing the setting.
+; Can be set to one these values: "none" / "zlib" (default).
+; compression = "zlib"
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1week"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+; header = "X_FORWARDED_FOR"
+
+; directory to store the traffic limits in
+dir = PATH "data"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = 300
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 10
+
+; directory to store the purge limit in
+dir = PATH "data"
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+[model_options]
+dir = PATH "data"
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_"	; table prefix
+;usr = "privatebin"
+;pwd = "samplepass"
+;opt[12] = true	  ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true	; PDO::ATTR_PERSISTENT

playbooks/apps/files/privatebin/docker-compose.yaml

@@ -0,0 +1,12 @@
+services:
+  privatebin:
+    image: privatebin/nginx-fpm-alpine:stable
+    read_only: true
+    restart: always
+    volumes:
+      - ./data:/srv/data
+      - ./conf.php:/srv/cfg/conf.php:ro
+    cpus: 0.5
+    mem_limit: 150m
+    ports:
+      - "8010:8080"

playbooks/apps/files/shortener/docker-compose.yaml

@@ -0,0 +1,10 @@
+services:
+  django:
+    image: rg.fr-par.scw.cloud/crocmagnon/shortener
+    env_file: shortener.env
+    restart: always
+    volumes:
+      - ./shortener_data:/db
+    mem_limit: 300m
+    ports:
+      - "8011:8000"

playbooks/apps/files/shortener/update

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euxo pipefail
+pushd /mnt/data/shortener
+docker compose --ansi never pull
+docker compose --ansi never up -d
+popd
+docker image prune -f

playbooks/apps/ghost-config.yaml

@@ -0,0 +1,80 @@
+---
+- name: Ghost config
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Write config files
+      ansible.builtin.template:
+        src: templates/ghost-config/{{ item.filename }}
+        dest: /mnt/data/{{ item.site }}/config.production.json
+        mode: "0664"
+      notify:
+        - Restart service
+      loop_control:
+        label: "{{ item.site }}"
+      loop:
+        - filename: gabnotes-org-config.json.j2
+          site: gabnotes.org
+          db_password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            66306233626430393737653333313461666665363936376465623137656561356431373666363032
+            6537313234336331626464336434343462623264633463330a353165396163653666636333633537
+            33353464393836623861633238663336336465326435613638613734613433386537663635666332
+            6338343039393737310a356335666632303062353336613364323165633239323032346239376262
+            32323862393264326162383761653163353731363331326337633461643364373936
+          mail_password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            61313164316335333431656136326636353535643363623665326565303961356234353362646261
+            3339616561643434376163613962366631303863313263310a323330316230333864636232386632
+            36363966303861396161373031343865323639383634323131633761666137663766353165333265
+            3630333962383338650a326166383635636533656363613865323065396537396664663132303766
+            62346530353634383935303031343737326335326361313765393664613236356364313161373834
+            35396435303337643330393266376139616164613730643037303039633337343262303335616366
+            373032363533393263323835363666623966
+        - filename: voyages-coccomagnard-fr-config.json.j2
+          site: voyages.coccomagnard.fr
+          db_password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            33623632396330303536366136313438623138366231333063613539303538303761386264623239
+            3266366633343936356564636131303939636330336335390a313430346536666239656562393238
+            32373533373663656435306239643638313937623631366262393462306138323061333961363938
+            3239373062613138660a393933393436633166303837303263356232336666386336346366373934
+            38346330616639646666616161613865643461643965333237353936663933336533
+          mail_password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            33386530613164633962393133316231613664623761336237353335336430313637356430306430
+            3837373934336361636461343338643737653839396336340a633130613038666534653865303338
+            64343366663330653737653638326263383836343762386332346339366465363966346432333631
+            6665396333303462620a636335663266316566636536613630313336636463646430333935373965
+            62653636613263303066333833623637653532663939656339376636356261666235656562336661
+            36376233386235393164363064373733623330306362343039623465303134313434366433383863
+            656136646536333065616631336235623430
+        - filename: voyages-lois-augendre-info-config.json.j2
+          site: voyages-lois.augendre.info
+          db_password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            30623130336131633738353931653239623133326265363862353530303232633333383462663330
+            3935333936383663326162653864623630396363666131390a393532336531663262616431396165
+            33303236363739636665616636326262336532623234666263363563633962343734613565373031
+            3139313038663432370a623363366436643862343734393334306162376634366637616536303035
+            32653739373732613930376336636332343333643436633261616561633034623566
+          mail_password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            35353737376566653462393530613034353763643166626432613836663638636562303762343133
+            6132313762353565646531613336663336313765623430310a616438613433333632343933373330
+            62356661626437306265313061636634613263613633353433653330653862633639376462353637
+            3739313432356262330a626432386536663638646539323861356564616436386464366333303564
+            35303230623365636362323733623531343335376361313430373936663836353132643834643664
+            6163326436323961636462616430366364626532323861656436
+      register: config_files
+
+  handlers:
+    - name: Restart service
+      ansible.builtin.command:
+        cmd: ghost restart
+        chdir: /mnt/data/{{ item.item.site }}
+      when: item.changed
+      changed_when: true
+      loop: "{{ config_files.results }}"
+      loop_control:
+        label: "{{ item.item.site }}"

playbooks/apps/media.yaml

@@ -0,0 +1,43 @@
+---
+- name: Media
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: media
+    plex_claim: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      61633832616461636362643838353961353962393662346235616664343635363864616366346331
+      3663316133316336333032626165303763396539303539300a323935663564386165636237666536
+      38393939383461653564333232666565383837306465363833336636666535306438306132323066
+      6635653763376534640a373861383531636438353138386133333430376262356635373333666237
+      34663664613631393139313731623836626439613535623365343233363937616265
+    transmission_password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      34386433633862613963376431303435363964366138616135643266643661633835656466643466
+      3962383731643061383663666130343136333462643733620a653234373937633164326230316363
+      32326137376263366163666433303363393464646639363166663933346364663437353439333965
+      3163646264326437310a333737333766306234366435613335303632373231306566386566333533
+      36663764396230353939306238373132363137376231383063343839653537613037336162366261
+      30336462653132656433323237613362323135623665336461376434303335353136333262653365
+      636134613535663365316265636163653335
+    sonarr_api_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      31393436633730653965363164333165326434353133666164336463653264623337373438346332
+      3261323037663432343266336332336139626234656130380a366432323935356134333936373934
+      66313232353132363439373338623331313832313463336432656466626632306465326664343731
+      3431653135333631340a333962656132663065393737306261366237326532643338303832363463
+      64346136336438363238336237396231343064633464353934383835653132613363383833376166
+      3934616366616264626232303561666533386435666166366632
+    radarr_api_key: !vault |-
+      $ANSIBLE_VAULT;1.1;AES256
+      65653435326663343566643664373737356438666466326566303733393132343637343266666664
+      3738326336613035373039636133316466656332303463620a646163366538343633616234326539
+      36333038393731316464323631373239356532306366353961656533643863656135633634386364
+      3833373537656164650a346139343762326166653634396230333133343930623263306561356361
+      61666438653664633764303263366434653436623366386364613631623862383364313434626638
+      3830616364616363396134346135383862643733616333656434

playbooks/apps/miniflux.yaml

@@ -0,0 +1,21 @@
+---
+- name: Miniflux
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: miniflux
+    db_password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      62393237393135383461613666613935376565363363383336356565623763313135383630613436
+      3132656464383036613234666335303239623137366165630a363763666635313262303334336364
+      37373530396634303737613162653961323163316337383635303865366134623637633732313436
+      3865383032646165640a356131356134316131613263303035383262323962636439363539656137
+      30343339633431616266356531666264343965343064323664363037393766613634386464336333
+      33313838306461303165366539323535376139383461373665653231613438303661363135623364
+      37646635303032376364346263353139383030653132376266323738376161366466383238313064
+      39356434623137643135

playbooks/apps/portainer.yaml

@@ -0,0 +1,11 @@
+---
+- name: Portainer
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: portainer

playbooks/apps/privatebin.yaml

@@ -0,0 +1,11 @@
+---
+- name: Privatebin
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: privatebin

playbooks/apps/shortener.yaml

@@ -0,0 +1,20 @@
+---
+- name: Shortener
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: shortener
+    secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      37353266666433343332313765343531623930613733393865363131616666653532343130316163
+      3965326235653239373561373361643239326665636166610a303461626433306636653638313435
+      61393338643738363765323630623765323238373964306532346664656666623663306330373838
+      3633366163636265660a366465656539383539383665323639623430656265346234303136303937
+      64376439386232663733363539616232656266626465316364323331386633346530373165376231
+      65363935643965356237396235666337343739653164366263386537366338373036393734343565
+      653032643966636463316633616137646235

playbooks/apps/templates/bin/dump-voyages-lois.augendre.info.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/mysqldump --no-tablespaces -u root --password={{ ghost_db_password }} voyages_lois_augendre_info_prod > /mnt/data/voyages-lois.augendre.info/db_export/backup.sql

playbooks/apps/templates/ghost-config/gabnotes-org-config.json.j2

@@ -0,0 +1,46 @@
+{
+  "url": "https://gabnotes.org",
+  "admin": {
+    "url": "https://ghost.augendre.info"
+  },
+  "server": {
+    "port": 2368,
+    "host": "0.0.0.0"
+  },
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host": "127.0.0.1",
+      "user": "ghost-900",
+      "password": "{{ item.db_password }}",
+      "database": "gabnotes_org_prod"
+    }
+  },
+  "mail": {
+    "transport": "SMTP",
+    "from": "blog@mg.gabnotes.org",
+    "options": {
+      "service": "Mailgun",
+      "host": "smtp.eu.mailgun.org",
+      "port": 465,
+      "secure": true,
+      "auth": {
+        "user": "blog@mg.gabnotes.org",
+        "pass": "{{ item.mail_password }}"
+      }
+    }
+  },
+  "logging": {
+    "transports": [
+      "file",
+      "stdout"
+    ]
+  },
+  "process": "systemd",
+  "paths": {
+    "contentPath": "/mnt/data/gabnotes.org/content"
+  },
+  "privacy": {
+    "useGravatar": false
+  }
+}

playbooks/apps/templates/ghost-config/voyages-coccomagnard-fr-config.json.j2

@@ -0,0 +1,40 @@
+{
+  "url": "https://voyages.coccomagnard.fr/",
+  "server": {
+    "port": 2370,
+    "host": "0.0.0.0"
+  },
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host": "127.0.0.1",
+      "user": "ghost-310",
+      "password": "{{ item.db_password }}",
+      "database": "voyages_coccomagnard_fr_prod"
+    }
+  },
+  "mail": {
+    "transport": "SMTP",
+    "from": "voyages@mg.coccomagnard.fr",
+    "options": {
+      "service": "Mailgun",
+      "host": "smtp.eu.mailgun.org",
+      "port": 465,
+      "secure": true,
+      "auth": {
+        "user": "voyages@mg.coccomagnard.fr",
+        "pass": "{{ item.mail_password }}"
+      }
+    }
+  },
+  "logging": {
+    "transports": [
+      "file",
+      "stdout"
+    ]
+  },
+  "process": "systemd",
+  "paths": {
+    "contentPath": "/mnt/data/voyages.coccomagnard.fr/content"
+  }
+}

playbooks/apps/templates/ghost-config/voyages-lois-augendre-info-config.json.j2

@@ -0,0 +1,40 @@
+{
+  "url": "https://voyages-lois.augendre.info",
+  "server": {
+    "port": 2369,
+    "host": "0.0.0.0"
+  },
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host": "127.0.0.1",
+      "user": "ghost-483",
+      "password": "{{ item.db_password }}",
+      "database": "voyages_lois_augendre_info_prod"
+    }
+  },
+  "mail": {
+    "transport": "SMTP",
+    "from": "voyages-lois@mg.augendre.info",
+    "options": {
+      "service": "Mailgun",
+      "host": "smtp.mailgun.org",
+      "port": 465,
+      "secure": true,
+      "auth": {
+        "user": "voyages-lois@mg.augendre.info",
+        "pass": "{{ item.mail_password }}"
+      }
+    }
+  },
+  "logging": {
+    "transports": [
+      "file",
+      "stdout"
+    ]
+  },
+  "process": "systemd",
+  "paths": {
+    "contentPath": "/mnt/data/voyages-lois.augendre.info/content"
+  }
+}

playbooks/apps/templates/media/plex.env.j2

@@ -0,0 +1,5 @@
+TZ=Europe/Paris
+PLEX_CLAIM={{ plex_claim }}
+ADVERTISE_IP=https://plex.augendre.info
+PLEX_UID=1000
+PLEX_GID=1000

playbooks/apps/templates/media/transmission.env.j2

@@ -0,0 +1,5 @@
+PUID=1000
+PGID=1000
+TZ=Europe/Paris
+USER=gaugendre
+PASS={{ transmission_password }}

playbooks/apps/templates/media/unpackerr.env.j2

@@ -0,0 +1,11 @@
+PUID=1000
+PGID=1000
+TZ=Europe/Paris
+
+UN_SONARR_0_URL=http://sonarr:8989
+UN_SONARR_0_API_KEY={{ sonarr_api_key }}
+UN_SONARR_0_PATHS_0=/data
+
+UN_RADARR_0_URL=http://radarr:7878
+UN_RADARR_0_API_KEY={{ radarr_api_key }}
+UN_RADARR_0_PATHS_0=/data

playbooks/apps/templates/miniflux/miniflux.env.j2

@@ -0,0 +1,16 @@
+POLLING_FREQUENCY=2
+LISTEN_ADDR=0.0.0.0:3298
+DATABASE_URL=postgres://miniflux:{{ db_password }}@db/miniflux?sslmode=disable
+LOG_DATE_TIME=1
+LOG_FORMAT=text
+LOG_FILE=stdout
+LOG_LEVEL=info
+WORKER_POOL_SIZE=10
+BATCH_SIZE=20
+BASE_URL=https://reader.augendre.info/
+WEBAUTHN=1
+RUN_MIGRATIONS=1
+HTTPS=1
+DISABLE_HSTS=1
+FETCH_YOUTUBE_WATCH_TIME=0
+POLLING_PARSING_ERROR_LIMIT=50

playbooks/apps/templates/miniflux/postgres.env.j2

@@ -0,0 +1,2 @@
+POSTGRES_USER=miniflux
+POSTGRES_PASSWORD={{ db_password }}

playbooks/apps/templates/shortener/shortener.env.j2

@@ -0,0 +1,5 @@
+DEBUG=false
+SECRET_KEY={{ secret_key }}
+DATABASE_URL=sqlite:////db/db.sqlite3
+ALLOWED_HOSTS=localhost,g4b.ovh
+CSRF_TRUSTED_ORIGINS=https://g4b.ovh

playbooks/system/all.yaml

@@ -1,2 +1,3 @@
 ---
 - import_playbook: update.yaml # noqa: name[play]
+- import_playbook: cron.yaml # noqa: name[play]

playbooks/system/cron-root.yaml

@@ -0,0 +1,27 @@
+---
+- name: Setup root crontab
+  hosts: servers
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Cron - Restic backup
+      ansible.builtin.cron:
+        name: restic backup
+        minute: 0
+        job: /mnt/data/bin/healthcheck restic-backup /mnt/data/bin/restic-backup
+    - name: Cron - Restic prune
+      ansible.builtin.cron:
+        name: restic prune
+        minute: 30
+        hour: "*/3"
+        job: /mnt/data/bin/healthcheck restic-prune /mnt/data/bin/restic-prune
+    - name: Cron - SMART short
+      ansible.builtin.cron:
+        name: SMART short
+        special_time: weekly
+        job: /mnt/data/bin/smartshort
+    - name: Cron - SMART long
+      ansible.builtin.cron:
+        name: SMART long
+        special_time: monthly
+        job: /mnt/data/bin/smartlong

playbooks/system/cron.yaml

@@ -0,0 +1,70 @@
+---
+- name: Setup crontab
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Cron - Docker system prune
+      ansible.builtin.cron:
+        name: docker system prune
+        minute: 0
+        hour: 4
+        weekday: SUN
+        job: /mnt/data/bin/healthcheck docker-system-prune /mnt/data/bin/docker-system-prune
+    - name: Cron - Clean old backups
+      ansible.builtin.cron:
+        name: clean old backups
+        minute: 55
+        hour: 4
+        job: /mnt/data/bin/healthcheck clean-old-backups /mnt/data/bin/clean-old-backups
+    - name: Cron - YNAB
+      ansible.builtin.cron:
+        name: YNAB
+        minute: 50
+        hour: 6
+        weekday: TUE-SAT
+        job: /mnt/data/bin/healthcheck ynab /mnt/data/ynab/run
+    - name: Cron - Nextcloud cron
+      ansible.builtin.cron:
+        name: Nextcloud cron
+        minute: "*/5"
+        job: /mnt/data/bin/healthcheck nextcloud-cron /mnt/data/bin/nextcloud-cron
+    - name: Cron - Nextcloud preview
+      ansible.builtin.cron:
+        name: Nextcloud preview
+        minute: "*/7"
+        job: /mnt/data/bin/healthcheck nextcloud-preview /mnt/data/bin/nextcloud-preview
+    - name: Cron - Nextcloud update apps
+      ansible.builtin.cron:
+        name: Nextcloud update apps
+        special_time: daily
+        job: /mnt/data/bin/healthcheck nextcloud-auto-update /mnt/data/bin/nextcloud-auto-update
+    - name: Cron - Dump manuels
+      ansible.builtin.cron:
+        name: Dump manuels
+        minute: 45
+        job: /mnt/data/bin/healthcheck dump-manuels /mnt/data/bin/dump-manuels
+    - name: Cron - Dump miniflux
+      ansible.builtin.cron:
+        name: Dump miniflux
+        minute: 50
+        job: /mnt/data/bin/healthcheck dump-miniflux /mnt/data/bin/dump-miniflux
+    - name: Cron - Dump nextcloud
+      ansible.builtin.cron:
+        name: Dump nextcloud
+        minute: 52
+        job: /mnt/data/bin/healthcheck dump-nextcloud /mnt/data/bin/dump-nextcloud
+    - name: Cron - Dump voyages.coccomagnard.fr
+      ansible.builtin.cron:
+        name: Dump voyages.coccomagnard.fr
+        minute: 55
+        job: /mnt/data/bin/healthcheck dump-voyages-coccomagnard-fr /mnt/data/bin/dump-voyages.coccomagnard.fr
+    - name: Cron - Dump gabnotes.org
+      ansible.builtin.cron:
+        name: Dump gabnotes.org
+        minute: 56
+        job: /mnt/data/bin/healthcheck dump-gabnotes-org /mnt/data/bin/dump-gabnotes.org
+    - name: Cron - Dump voyages-lois.augendre.info
+      ansible.builtin.cron:
+        name: Dump voyages-lois.augendre.info
+        minute: 57
+        job: /mnt/data/bin/healthcheck dump-voyages-lois-augendre-info /mnt/data/bin/dump-voyages-lois.augendre.info

roles/docker/defaults/main.yaml

@@ -1,3 +1,4 @@
 ---
 docker_app_name: some-app
 docker_dir: /mnt/data/{{ docker_app_name }}
+docker_build: policy

roles/docker/handlers/main.yaml

@@ -8,4 +8,5 @@
   community.docker.docker_compose_v2:
     project_src: "{{ docker_dir }}"
     state: present
+    build: "{{ docker_build }}"
   listen: Restart service