add git guardian pre-commit

.ansible-lint

@@ -0,0 +1,5 @@
+---
+profile: production
+strict: true
+exclude_paths:
+  - "**/*docker-compose.yaml"

.pre-commit-config.yaml

@@ -0,0 +1,39 @@
+---
+ci:
+  autoupdate_schedule: monthly
+  skip:
+    # build of https://github.com/ansible/ansible-lint:ansible@v24.9.2 for python@python3 exceeds tier max size 250MiB: 405.6MiB
+    - ansible-lint
+    - ggshield
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-illegal-windows-names
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-shebang-scripts-are-executable
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-vcs-permalinks
+      - id: check-yaml
+        args: [--unsafe]
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+      - id: trailing-whitespace
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v24.9.2
+    hooks:
+      - id: ansible-lint
+        entry: python3 -m ansiblelint -v --force-color --fix
+        additional_dependencies:
+          - ansible # necessary because we're using community collections
+  - repo: https://github.com/gitguardian/ggshield
+    rev: v1.32.1
+    hooks:
+      - id: ggshield

inventory.ini

@@ -1,2 +1,2 @@
 [servers]
-ubuntu ansible_host=192.168.0.6 ansible_port=38303 ansible_python_interpreter=auto_silent
+ubuntu ansible_host=192.168.0.6 ansible_python_interpreter=auto_silent

playbooks/apps/caddy.yaml

@@ -0,0 +1,20 @@
+---
+- name: Update caddy config
+  hosts: servers
+  gather_facts: false
+  become: true
+  tasks:
+    - name: Write Caddyfile
+      ansible.builtin.copy:
+        src: files/Caddyfile
+        dest: /etc/caddy/Caddyfile
+        mode: "0644"
+        owner: root
+        group: root
+      notify:
+        - Reload caddy
+  handlers:
+    - name: Reload caddy
+      ansible.builtin.service:
+        name: caddy
+        state: reloaded

playbooks/apps/files/Caddyfile

@@ -0,0 +1,294 @@
+{
+	email gabriel@augendre.info
+	http_port 80
+	https_port 443
+}
+
+(common_headers) {
+	header * -Server
+	header * -X-Powered-By
+	header * Permissions-Policy interest-cohort=()
+	header * ?Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	header * ?Referrer-Policy "strict-origin-when-cross-origin"
+	header * ?X-Content-Type-Options "nosniff"
+	header * ?X-Frame-Options "DENY"
+	header * ?X-XSS-Protection "1; mode=block"
+}
+
+(internal) {
+	@blocked not client_ip private_ranges 2a01:e0a:325:a1c0::/64
+	respond @blocked "Access denied" 403 {
+		close
+	}
+}
+
+#########################################################
+# PUBLIC SERVICES
+#########################################################
+
+## Static config
+#########################################################
+
+static.augendre.info {
+	import common_headers
+	header * Cache-Control "max-age=300"
+	file_server * {
+		root /mnt/data/caddy/static
+		hide .*
+	}
+}
+
+augendre.info {
+	import common_headers
+	respond * 200
+}
+
+## Reverse proxies (ports 8000-8999)
+#########################################################
+
+charasheet.augendre.info {
+	import common_headers
+	route {
+		file_server /media/* {
+			root /mnt/data/charasheet/data
+		}
+		reverse_proxy localhost:8001
+	}
+}
+
+checkout.augendre.info {
+	import common_headers
+	route {
+		file_server /media/* {
+			root /mnt/data/checkout
+		}
+		reverse_proxy localhost:8002
+	}
+}
+
+cloud.augendre.info {
+	import common_headers
+	route /push/* {
+		uri strip_prefix /push
+		reverse_proxy localhost:8004
+	}
+	# rewrite to suppress carddav/caldav warning
+	# in nextcloud settings
+	rewrite /.well-known/carddav /remote.php/dav/
+	rewrite /.well-known/caldav /remote.php/dav/
+	reverse_proxy localhost:8003
+}
+
+gc.gabnotes.org, gc.augendre.info, static.gc.augendre.info, voyages.gc.coccomagnard.fr {
+	import common_headers
+	reverse_proxy localhost:8005
+}
+
+git.augendre.info {
+	import common_headers
+	reverse_proxy localhost:8006
+}
+
+office.augendre.info {
+	import common_headers
+	reverse_proxy localhost:8007
+}
+
+reader.augendre.info {
+	import common_headers
+	reverse_proxy localhost:8008
+}
+
+wallabag.augendre.info {
+	import common_headers
+	header * ?Content-Security-Policy "default-src 'none'; img-src * data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; manifest-src 'self'"
+	reverse_proxy localhost:8009
+}
+
+bin.augendre.info, paste.augendre.info {
+	import common_headers
+	@bot header User-Agent PrivateBinDirectoryBot*
+	respond @bot "Access denied" 403 {
+		close
+	}
+	reverse_proxy localhost:8010
+}
+
+g4b.ovh {
+	import common_headers
+	reverse_proxy localhost:8011
+}
+
+manuels.augendre.info, fournitures.augendre.info {
+	import common_headers
+	reverse_proxy localhost:8012
+}
+
+tcl.augendre.info {
+	import common_headers
+	reverse_proxy localhost:8013
+}
+
+## Ghost blogs (ports >=2368)
+#########################################################
+
+gabnotes.org {
+	import common_headers
+	header * Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://*.gabnotes.org https://unpkg.com https://cdnjs.cloudflare.com; img-src 'self' https:; connect-src 'self' https://*.augendre.info https://unpkg.com https://*.gabnotes.org https://api.codapi.org; frame-ancestors https://*.augendre.info; base-uri 'self'; form-action 'self';"
+
+	reverse_proxy localhost:2368
+}
+ghost.augendre.info {
+	import common_headers
+	redir / /ghost/
+
+    reverse_proxy localhost:2368
+}
+
+voyages-lois.augendre.info {
+	import common_headers
+	header * X-Frame-Options "SAMEORIGIN"
+	reverse_proxy localhost:2369
+}
+
+voyages.coccomagnard.fr, voyages.augendre.info {
+	import common_headers
+	header * X-Frame-Options "SAMEORIGIN"
+	reverse_proxy localhost:2370
+}
+
+#########################################################
+# PROXY TO EXTERNAL SERVICES
+#########################################################
+
+## At home
+#########################################################
+
+hass.augendre.info {
+	import common_headers
+	header * X-Frame-Options "SAMEORIGIN"
+	reverse_proxy http://192.168.0.9:8123
+}
+
+prusalink.augendre.info {
+	import internal
+	reverse_proxy http://192.168.0.12
+}
+
+## Outside
+#########################################################
+
+autoconfig.augendre.info {
+	import common_headers
+	reverse_proxy https://autoconfig.migadu.com
+}
+
+#########################################################
+# INTERNAL SERVICES
+#########################################################
+
+## Static config
+#########################################################
+
+internal-static.augendre.info {
+	import common_headers
+	import internal
+	header * Cache-Control "max-age=300"
+	file_server * {
+		root /mnt/data/caddy/internal-static
+		hide .*
+		browse
+	}
+}
+
+## Reverse proxies (ports 9000-9999)
+#########################################################
+
+portainer.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy https://localhost:9001 {
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}
+
+code.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9002
+}
+
+plex.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9003
+}
+transmission.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9004
+}
+sonarr.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9005
+}
+prowlarr.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9006
+}
+radarr.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9007
+}
+
+test.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9008
+}
+
+nextcloud-kibana.augendre.info {
+	import common_headers
+	import internal
+	reverse_proxy localhost:9009
+}
+
+display.augendre.info {
+	import common_headers
+	import internal
+	header Content-Security-Policy "default-src 'self' https://*.augendre.info; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors https://*.augendre.info; connect-src 'self' https://*.augendre.info https://download.data.grandlyon.com"
+	reverse_proxy localhost:9010
+}
+
+#########################################################
+# REDIRECTS
+#########################################################
+mariage.augendre.info {
+	import common_headers
+	redir https://cloud.augendre.info/s/65JgH8fzz2CyJZ3
+}
+
+mail.augendre.info {
+	import common_headers
+	redir https://webmail.migadu.com permanent
+}
+
+cv-gabriel.augendre.info {
+	import common_headers
+	redir https://cloud.augendre.info/s/FHGJkc2DzJECY64/download permanent
+}
+
+blog.augendre.info gabriel.augendre.info www.gabnotes.org {
+	import common_headers
+	redir https://gabnotes.org{uri} permanent
+}
+
+qrcode.augendre.info qr.augendre.info {
+	import common_headers
+	redir https://static.augendre.info/qrcode-web/
+}

playbooks/apps/files/gitea/docker-compose.yaml

@@ -0,0 +1,13 @@
+services:
+  server:
+    image: codeberg.org/forgejo/forgejo:8
+    env_file: gitea.env
+    restart: always
+    volumes:
+      - ./gitea_data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "23730:22"
+      - "8006:3000"
+    mem_limit: 512m

playbooks/apps/files/gitea/gitea.env

@@ -0,0 +1,8 @@
+# Edit most values in gitea_data/gitea/conf/app.ini
+DOMAIN=git.augendre.info
+SSH_DOMAIN=git.augendre.info
+ROOT_URL=https://git.augendre.info/
+SSH_PORT=23730
+SSH_LISTEN_PORT=22
+INSTALL_LOCK=false
+DISABLE_REGISTRATION=true

playbooks/apps/files/test_headers/app.py

@@ -0,0 +1,47 @@
+"""
+Very simple HTTP server in python for logging requests
+Usage::
+    ./server.py [<port>]
+"""
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import logging
+
+class S(BaseHTTPRequestHandler):
+    def _set_response(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/html')
+        self.end_headers()
+
+    def do_GET(self):
+        logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))
+        self._set_response()
+        self.wfile.write("GET request for {}".format(self.path).encode('utf-8'))
+
+    def do_POST(self):
+        content_length = int(self.headers['Content-Length']) # <--- Gets the size of data
+        post_data = self.rfile.read(content_length) # <--- Gets the data itself
+        logging.info("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n",
+                str(self.path), str(self.headers), post_data.decode('utf-8'))
+
+        self._set_response()
+        self.wfile.write("POST request for {}".format(self.path).encode('utf-8'))
+
+def run(server_class=HTTPServer, handler_class=S, port=8080):
+    logging.basicConfig(level=logging.INFO)
+    server_address = ('', port)
+    httpd = server_class(server_address, handler_class)
+    logging.info('Starting httpd on port %s...\n', port)
+    try:
+        httpd.serve_forever()
+    except KeyboardInterrupt:
+        pass
+    httpd.server_close()
+    logging.info('Stopping httpd...\n')
+
+if __name__ == '__main__':
+    from sys import argv
+
+    if len(argv) == 2:
+        run(port=int(argv[1]))
+    else:
+        run()

playbooks/apps/files/test_headers/docker-compose.yaml

@@ -0,0 +1,10 @@
+services:
+  app:
+    image: python:3.13-slim
+    command: python /app/app.py
+    volumes:
+      - ./:/app
+    ports:
+      - "9008:8080"
+    init: true
+    tty: true

playbooks/apps/files/wallabag-docker-compose.yaml

@@ -0,0 +1,10 @@
+services:
+  wallabag:
+    image: wallabag/wallabag:latest
+    env_file: wallabag.env
+    restart: always
+    volumes:
+      - ./wallabag_data/data:/var/www/wallabag/data
+      - ./wallabag_data/images:/var/www/wallabag/web/assets/images
+    ports:
+      - "8009:80"

playbooks/apps/ghost-update.yaml

@@ -0,0 +1,53 @@
+---
+- name: Ghost update
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Start update on gabnotes.org
+      ansible.builtin.command:
+        chdir: /mnt/data/gabnotes.org
+        cmd: ghost update
+      register: gabnotes_async
+      changed_when: true
+      async: 300
+      poll: 0
+    - name: Start update on voyages-lois.augendre.info
+      ansible.builtin.command:
+        chdir: /mnt/data/voyages-lois.augendre.info
+        cmd: ghost update
+      register: voyages_lois_async
+      changed_when: true
+      async: 300
+      poll: 0
+    - name: Start update on voyages.coccomagnard.fr
+      ansible.builtin.command:
+        chdir: /mnt/data/voyages.coccomagnard.fr
+        cmd: ghost update
+      register: voyages_coccomagnard_async
+      changed_when: true
+      async: 300
+      poll: 0
+    - name: Check gabnotes.org
+      ansible.builtin.async_status:
+        jid: "{{ gabnotes_async.ansible_job_id }}"
+      register: gabnotes
+      until: gabnotes.finished
+      changed_when: '"Restarting Ghost" in gabnotes.stdout'
+      retries: 100
+      delay: 10
+    - name: Check voyages-lois.augendre.info
+      ansible.builtin.async_status:
+        jid: "{{ voyages_lois_async.ansible_job_id }}"
+      register: voyages_lois
+      until: voyages_lois.finished
+      changed_when: '"Restarting Ghost" in voyages_lois.stdout'
+      retries: 100
+      delay: 10
+    - name: Check voyages.coccomagnard.fr
+      ansible.builtin.async_status:
+        jid: "{{ voyages_coccomagnard_async.ansible_job_id }}"
+      register: voyages_coccomagnard
+      until: voyages_coccomagnard.finished
+      changed_when: '"Restarting Ghost" in voyages_coccomagnard.stdout'
+      retries: 100
+      delay: 10

playbooks/apps/gitea.yaml

@@ -0,0 +1,86 @@
+---
+- name: Setup gitea
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Create dir
+      ansible.builtin.file:
+        path: "{{ dir }}"
+        state: directory
+        mode: "0775"
+    - name: Write env file
+      ansible.builtin.copy:
+        src: files/gitea/gitea.env
+        dest: "{{ dir }}/gitea.env"
+        mode: "0644"
+    - name: Write docker-compose.yaml
+      ansible.builtin.copy:
+        src: files/gitea/docker-compose.yaml
+        dest: "{{ dir }}/docker-compose.yaml"
+        mode: "0644"
+    - name: Write app.ini
+      ansible.builtin.template:
+        src: templates/gitea_app.ini.j2
+        dest: "{{ dir }}/gitea_data/gitea/conf/app.ini"
+        mode: "0600"
+      notify:
+        - Restart service
+    - name: Ensure service is started
+      community.docker.docker_compose_v2:
+        project_src: "{{ dir }}"
+        state: present
+
+  handlers:
+    - name: Restart service
+      community.docker.docker_compose_v2:
+        project_src: "{{ dir }}"
+        state: restarted
+
+  vars:
+    dir: /mnt/data/git
+    lfs_jwt_secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      34656631616165623233353835386162343837363230366136303764613334323262313233616462
+      6431363965646135343161373039333130666663613765660a343734656332323730633165376166
+      66323834326263336265303864653036343262336262376433373163666339666236363438363031
+      3632323362336433360a643537613336353434323631366262613839333931666435333563653737
+      62303161393435653735326338623162383432663964333436373539663434363737386161636535
+      3032313433633635636136656434626163393734306563333631
+    secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      35323938623166653161316430346664643063363366656461623333373764626439336335383538
+      6664346231326137313863623966343438333662383139360a373762346438636630363833653330
+      38323532663435643666306563353632653832366635626664373534383633346662353165363235
+      6263633436663661610a653335653730613832373836616231383135316262383438633938353133
+      34633231636331353864346637326535656538666662643965366232666265333332666362323034
+      65363435623366303937353337303131663138303935333562626461643332383434376364376537
+      66666436333261326336666130373934323138623233383038343563353132326231623264313565
+      32376463353631616234
+    internal_token: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      30666238373766633735626466393534646138616139326533363561373331653730663731626338
+      6139323230353139383638326639646534383463636266650a633737366632636262323938643531
+      33386236643234303365326430326436653830363561373334633461306161666439653833386432
+      6537343332313535340a643638346563663966383862646433636531316433343234356262653766
+      37356233323165633565636137653865373835663234343363313966346138636439303761646534
+      36393633636433376231353364386164336566386161376337366336396566333332623430646261
+      65663964383262633037663330646161663236613038626531636237376661633037313566366439
+      35643362653637663662666663393035653765306262376365386437393537623037633365333236
+      32303261313264363232643834313166656137316635356436343566343962663630
+    oauth_jwt_secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      66646361313538383161633932643062633336333436376564383836363762303738336638373865
+      6161326465386466326366383766633338623934396464610a643337363439663833363139366564
+      35316562643431616637623432363636623238303637366162393434346366393166313334653932
+      3637303230323733340a353038376631613238393363396363646339393961353430663561353831
+      32333435633565323064616463333863373132313164386462333934303434356334643938623334
+      3037366532373130393236666534653132343335366335633635
+    mailgun_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      65363934663231343630323139393839383161333562376630653363646630393265326134646463
+      3735363064643138333332623736326638396332323664630a663230363230333138373430316361
+      35326166663361666437346631626235393133633833336166393366383832363466336635646237
+      6432653738303864300a623266363661616434393964333464366264326266356466646664363531
+      63666633376563316336326231313533343065376537313437393830633962313964613336323566
+      61393561333264366332353838326265343039653165393964313036626563626439616666343436
+      666235313435363835333664376237336439

playbooks/apps/goatcounter.yaml

@@ -1,57 +1,65 @@
-- name: goatcounter
+---
+- name: Goatcounter
   hosts: servers
+  gather_facts: false
   tasks:
-    - name: get latest release
+    - name: Get latest release
-      github_release:
+      community.general.github_release:
         action: latest_release
         user: arp242
         repo: goatcounter
       register: release
-    - name: print release
+    - name: Print release
       ansible.builtin.debug:
         var: release.tag
-    - name: download binary
+    - name: Download binary
-      get_url:
+      ansible.builtin.get_url:
-        url: https://github.com/arp242/goatcounter/releases/download/{{release.tag}}/goatcounter-{{release.tag}}-linux-amd64.gz
+        url: https://github.com/arp242/goatcounter/releases/download/{{ release.tag }}/goatcounter-{{ release.tag }}-linux-amd64.gz
-        dest: "{{base_dir}}/goatcounter-{{release.tag}}.gz"
+        dest: "{{ base_dir }}/goatcounter-{{ release.tag }}.gz"
-    - name: uncompress
+        mode: "0644"
-      command: gunzip {{base_dir}}/goatcounter-{{release.tag}}.gz
+        owner: gaugendre
+        group: gaugendre
+    - name: Uncompress
+      ansible.builtin.command: gunzip {{ base_dir }}/goatcounter-{{ release.tag }}.gz
       args:
-        creates: "{{base_dir}}/goatcounter-{{release.tag}}"
+        creates: "{{ base_dir }}/goatcounter-{{ release.tag }}"
-    - name: make executable
+    - name: Make executable
-      file:
+      ansible.builtin.file:
-        path: "{{base_dir}}/goatcounter-{{release.tag}}"
+        path: "{{ base_dir }}/goatcounter-{{ release.tag }}"
-        mode: '0775'
+        mode: "0775"
-    - name: symlink
+    - name: Symlink
-      file:
+      ansible.builtin.file:
-        src: "{{base_dir}}/goatcounter-{{release.tag}}"
+        src: "{{ base_dir }}/goatcounter-{{ release.tag }}"
-        dest: "{{base_dir}}/goatcounter"
+        dest: "{{ base_dir }}/goatcounter"
         state: link
-    - name: write service unit file
+    - name: Write service unit file
       become: true
-      template:
+      ansible.builtin.template:
-        src: ../../templates/goatcounter.service.j2
+        src: templates/goatcounter.service.j2
         dest: /etc/systemd/system/goatcounter.service
+        mode: "0644"
+        owner: root
+        group: root
       notify:
-        - daemon-reload
+        - Daemon-reload
-        - restart goatcounter
+        - Restart service
-    - name: flush handlers
+    - name: Flush handlers
-      meta: flush_handlers
+      ansible.builtin.meta: flush_handlers
-    - name: ensure service is running
+    - name: Ensure service is running
       become: true
-      service:
+      ansible.builtin.service:
         name: goatcounter
         state: started
         enabled: true
 
   handlers:
-    - name: daemon-reload
+    - name: Daemon-reload
       become: true
-      systemd:
+      ansible.builtin.systemd:
         daemon_reload: true
-    - name: restart service
+    - name: Restart service
       become: true
-      service:
+      ansible.builtin.service:
         name: goatcounter
         state: restarted
 

playbooks/apps/lyon-transports.yaml

@@ -1,31 +1,36 @@
-- name: lyon-transports
+---
+- name: Lyon-transports
   hosts: servers
+  gather_facts: false
   tasks:
-    - name: write service file
+    - name: Write service file
       become: true
-      template:
+      ansible.builtin.template:
-        src: ../../templates/lyon-transports.service.j2
+        src: templates/lyon-transports.service.j2
         dest: /etc/systemd/system/lyon-transports.service
+        mode: "0644"
+        owner: root
+        group: root
       notify:
-        - daemon-reload
+        - Reload daemon
-        - restart lyon-transports
+        - Restart service
-    - name: flush handlers
+    - name: Flush handlers
-      meta: flush_handlers
+      ansible.builtin.meta: flush_handlers
-    - name: ensure service is running
+    - name: Ensure service is running
       become: true
-      service:
+      ansible.builtin.service:
         name: lyon-transports
         state: started
         enabled: true
 
   handlers:
-    - name: daemon-reload
+    - name: Reload daemon
       become: true
-      systemd:
+      ansible.builtin.systemd:
         daemon_reload: true
-    - name: restart service
+    - name: Restart service
       become: true
-      service:
+      ansible.builtin.service:
         name: lyon-transports
         state: restarted
 

playbooks/apps/templates/gitea_app.ini.j2

@@ -0,0 +1,110 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+ENABLE_PUSH_CREATE_USER = true
+ENABLE_PUSH_CREATE_ORG = true
+MAX_CREATION_LIMIT = 0
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.augendre.info
+SSH_DOMAIN = git.augendre.info
+HTTP_PORT = 3000
+ROOT_URL = https://git.augendre.info/
+DISABLE_SSH = false
+SSH_PORT = 23730
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ lfs_jwt_secret }}
+OFFLINE_MODE = true
+LANDING_PAGE = explore
+
+[lfs]
+PATH = /data/git/lfs
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[attachment]
+PATH = /data/gitea/attachments
+MAX_SIZE = 10
+MAX_FILES = 50
+
+[log]
+ROOT_PATH = /data/gitea/log
+MODE = console
+LEVEL = Info
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ secret_key }}
+INTERNAL_TOKEN = {{ internal_token }}
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = true
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = false
+NO_REPLY_ADDRESS = noreply-git.augendre.info
+
+[oauth2]
+JWT_SECRET = {{ oauth_jwt_secret }}
+
+[mailer]
+ENABLED = true
+SMTP_ADDR = smtp.mailgun.org
+SMTP_PORT = 587
+FROM = Gitea <git@mg.augendre.info>
+USER = git@mg.augendre.info
+PASSWD = {{ mailgun_key }}
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[cron.delete_old_actions]
+ENABLED = true
+
+[cron.delete_old_system_notices]
+ENABLED = true
+
+[cron.delete_inactive_accounts]
+ENABLED = true
+SCHEDULE = @monthly

playbooks/apps/templates/goatcounter.service.j2

@@ -3,7 +3,7 @@ Description=Goatcounter
 After=network.target
 
 [Service]
-ExecStart={{base_dir}}/goatcounter serve -listen *:8081 -tls http -smtp smtps://goatcounter%%40mg.augendre.info:{{gc_mailgun_api_key}}@smtp.mailgun.org:587 -email-from goatcounter@mg.augendre.info -automigrate -db sqlite+{{base_dir}}/db/goatcounter.sqlite3
+ExecStart={{base_dir}}/goatcounter serve -listen *:8005 -tls http -smtp smtps://goatcounter%%40mg.augendre.info:{{gc_mailgun_api_key}}@smtp.mailgun.org:587 -email-from goatcounter@mg.augendre.info -automigrate -db sqlite+{{base_dir}}/db/goatcounter.sqlite3
 Type=simple
 Restart=always
 User=gaugendre

playbooks/apps/templates/lyon-transports.service.j2

@@ -3,7 +3,7 @@ Description=Lyon transports API
 After=network.target
 
 [Service]
-ExecStart=/mnt/data/lyon-transports/lyon-transports-linux-amd64 --host 0.0.0.0 -u {{ lyon_transports_username }} -p {{ lyon_transports_password }} --cors-allowed-origin https://display.augendre.info
+ExecStart=/mnt/data/lyon-transports/lyon-transports-linux-amd64 --host 0.0.0.0 --port 8013 -u {{ lyon_transports_username }} -p {{ lyon_transports_password }} --cors-allowed-origin https://display.augendre.info
 Type=simple
 Restart=always
 User=gaugendre

playbooks/apps/templates/wallabag.env.j2

@@ -0,0 +1,10 @@
+SYMFONY__ENV__SECRET={{ secret_key }}
+SYMFONY__ENV__LOCALE=en
+SYMFONY__ENV__MAILER_HOST=smtp.mailgun.org
+SYMFONY__ENV__MAILER_USER=wallabag@mg.augendre.info
+SYMFONY__ENV__MAILER_PASSWORD={{ mailgun_api_key }}
+SYMFONY__ENV__MAILER_PORT=587
+SYMFONY__ENV__FROM_EMAIL=wallabag@mg.augendre.info
+SYMFONY__ENV__FOSUSER_REGISTRATION=false
+#SYMFONY__ENV__FOSUSER_CONFIRMATION=
+SYMFONY__ENV__DOMAIN_NAME=https://wallabag.augendre.info

playbooks/apps/test_headers.yaml

@@ -0,0 +1,37 @@
+---
+- name: Setup test_headers
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Create dir
+      ansible.builtin.file:
+        path: "{{ dir }}"
+        state: directory
+        mode: "0775"
+    - name: Write app.py
+      ansible.builtin.copy:
+        src: files/test_headers/app.py
+        dest: "{{ dir }}/app.py"
+        mode: "0644"
+        owner: gaugendre
+        group: gaugendre
+      notify:
+        - Restart service
+    - name: Write docker-compose.yaml
+      ansible.builtin.copy:
+        src: files/test_headers/docker-compose.yaml
+        dest: "{{ dir }}/docker-compose.yaml"
+        mode: "0644"
+        owner: gaugendre
+        group: gaugendre
+    - name: Ensure service is started
+      community.docker.docker_compose_v2:
+        project_src: "{{ dir }}"
+        state: present
+  handlers:
+    - name: Restart service
+      community.docker.docker_compose_v2:
+        project_src: "{{ dir }}"
+        state: restarted
+  vars:
+    dir: /mnt/data/test_headers

playbooks/apps/wallabag.yaml

@@ -0,0 +1,44 @@
+---
+- name: Setup wallabag
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Create dir
+      ansible.builtin.file:
+        path: "{{ dir }}"
+        state: directory
+        mode: "0775"
+    - name: Write env file
+      ansible.builtin.template:
+        src: templates/wallabag.env.j2
+        dest: "{{ dir }}/wallabag.env"
+        mode: "0644"
+    - name: Write docker-compose.yaml
+      ansible.builtin.copy:
+        src: files/wallabag-docker-compose.yaml
+        dest: "{{ dir }}/docker-compose.yaml"
+        mode: "0644"
+    - name: Ensure service is started
+      community.docker.docker_compose_v2:
+        project_src: "{{ dir }}"
+        state: present
+  vars:
+    dir: /mnt/data/wallabag
+    secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      31346432623062383331306633383230376264326530643236393838356166346563653637376666
+      6164636662643832383639346638376534353339356161300a636132376531333539323066666334
+      38663566633337343164316239613239656662623437373234366135366134646665343134656566
+      3933313933323732350a623262383864343331363138353335663333626537366563663234363833
+      36613166343664386362626631623061613536616663616431353066633531643736343236333435
+      31613930633837396237633732353266656533373739613031326137656430633036356565376238
+      653264666166386662643966383234323133
+    mailgun_api_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      38643731363932383630346636353230626563376532316539346231376337636538326233663738
+      3237623235666635656566376364343063316661646161660a636366306562353361313930383136
+      34343938663832646631373830373539356236313132333039393236393539613938343339313066
+      6331656438666366330a353538393238353438643330356665373635373465643161333137386130
+      34316164613965663930303265353964666338326437386362326639656264653238326463613430
+      63326533386332313965343064323466653961643939656566343635366231386463323534303464
+      353966343531346266356462396433373164

playbooks/dependencies/00-clean-deps.yaml

@@ -1,7 +1,9 @@
-- name: clean ansible venv
+---
+- name: Clean ansible venv
   hosts: servers
+  gather_facts: false
   tasks:
-    - name: remove virtualenv
+    - name: Remove virtualenv
-      file:
+      ansible.builtin.file:
         path: /tmp/ansible
         state: absent

playbooks/dependencies/01-setup-deps.yaml

@@ -1,18 +1,20 @@
-- name: setup ansible python dependencies
+---
+- name: Setup ansible python dependencies
   hosts: servers
+  gather_facts: false
   tasks:
-    - name: install system deps
+    - name: Install system deps
       become: true
-      apt:
+      ansible.builtin.apt:
         pkg:
           - python3-venv
-    - name: setup venv
+    - name: Setup venv
-      shell: |
+      ansible.builtin.shell: |
         if [ -x /tmp/ansible/bin/python ]; then exit 123; fi
         /usr/bin/python3 -m venv /tmp/ansible
         /tmp/ansible/bin/pip install --upgrade 'github3.py >= 1.0.0a3'
       args:
         executable: /bin/bash
       register: venv
-      changed_when: "venv.rc != 123"
+      changed_when: venv.rc != 123
-      failed_when: "venv.rc != 0 and venv.rc != 123"
+      failed_when: venv.rc != 0 and venv.rc != 123

playbooks/dependencies/caddy.yaml

@@ -0,0 +1,36 @@
+---
+- name: Setup caddy
+  hosts: servers
+  gather_facts: false
+  become: true
+  tasks:
+    - name: Install system deps
+      ansible.builtin.apt:
+        pkg:
+          - debian-keyring
+          - debian-archive-keyring
+          - apt-transport-https
+          - gnupg2
+          - curl
+        state: present
+    - name: Add caddy repository
+      ansible.builtin.deb822_repository:
+        name: caddy
+        uris: https://dl.cloudsmith.io/public/caddy/stable/deb/debian
+        signed_by: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+        components: main
+        suites: any-version
+        types: [deb]
+        state: present
+        enabled: true
+    - name: Install caddy
+      ansible.builtin.apt:
+        update_cache: true
+        name: caddy
+        state: present
+      notify: Restart caddy
+  handlers:
+    - name: Restart caddy
+      ansible.builtin.service:
+        name: caddy
+        state: restarted

playbooks/system/update.yaml

@@ -1,9 +1,11 @@
-- name: system update
+---
+- name: Update system
   hosts: servers
+  gather_facts: false
   become: true
   tasks:
-    - name: packages update
+    - name: Update packages
-      apt:
+      ansible.builtin.apt:
-        upgrade: yes
+        upgrade: true
-        update_cache: yes
+        update_cache: true
         cache_valid_time: 86400