chore(deps): update dependency ansible-role-mirrors/ansible-role-unattended-upgrades to v4.1.0

Reviewed-on: #72
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>

.ansible-lint

@@ -12,15 +12,14 @@ exclude_paths:
   - .gitlab-ci.yml
   - friedhof/
   - playbooks/on-off
-  - roles/geerlingguy-ansible-role-pip
-  - roles/pyratlabs-ansible-role-k3s
-  - roles/robertdebock-ansible-role-bootstrap
-  - roles/gantsign-ansible-role-ctop
-  - roles/geerlingguy-ansible-role-docker
-  - roles/geerlingguy-ansible-role-helm
-  - roles/geerlingguy-ansible-role-nfs
-  - roles/hifis-net-ansible-role-unattended-upgrades
-  - roles/mrlesmithjr-ansible-manage-lvm
-  - roles/oefenweb-ansible-ufw
-  - roles/pandemonium1986-ansible-role-k9s
-  - roles/pyratlabs-ansible-role-gitea
+  - roles/ansible-role-pip
+  - roles/ansible-role-bootstrap
+  - roles/ansible_role_ctop
+  - roles/ansible-role-docker
+  - roles/ansible-role-helm
+  - roles/ansible-role-nfs
+  - roles/ansible-role-unattended-upgrades
+  - roles/ansible-manage-lvm
+  - roles/ansible-ufw
+  - roles/ansible_role_gitea
+  - roles/ansible-role-postgresql

.gitignore

@@ -2,16 +2,19 @@
 vault-pass.yml
 id_ed25519
 id_ed25519.pub
-roles/geerlingguy-ansible-role-pip
-roles/pyratlabs-ansible-role-k3s
-roles/robertdebock-ansible-role-bootstrap
-roles/gantsign-ansible-role-ctop
-roles/geerlingguy-ansible-role-docker
-roles/geerlingguy-ansible-role-helm
-roles/geerlingguy-ansible-role-nfs
-roles/hifis-net-ansible-role-unattended-upgrades
-roles/mrlesmithjr-ansible-manage-lvm
-roles/oefenweb-ansible-ufw
+roles/ansible-role-pip
+roles/ansible-role-k3s
+roles/ansible-role-bootstrap
+roles/ansible_role_ctop
+roles/ansible-role-docker
+roles/ansible-role-helm
+roles/ansible-role-nfs
+roles/ansible_role_gitea
+roles/ansible-role-unattended-upgrades
+roles/ansible-manage-lvm
+roles/ansible-ufw
 roles/pandemonium1986-ansible-role-k9s
-roles/pyratlabs-ansible-role-gitea
+roles/ansible_role_gitea
 collections/
+plugins/lookup/__pycache__/
+roles/ansible-role-postgresql

.woodpecker/ansible-lint.yml

@@ -1,19 +1,18 @@
 ---
-kind: pipeline
-type: docker
-name: ansible-lint
 depends_on:
   - gitleaks
+
 steps:
   ansible-lint:
-    image: quay.io/ansible/creator-ee
+    image: quay.io/ansible/creator-ee:v24.2.0
     commands:
       - ansible-lint --version
-      - echo $VAULT-PASS > ./vault-pass.yml # nach des Secret in Großschreibung
-      - ansible-galaxy install -r requirements.yml
+      - echo $${VAULTPASS} > ./vault-pass.yml # nach des Secret in Großschreibung
+      - ansible-galaxy install -r requirements.yaml
       - ansible-lint --force-color --format pep8
+    # https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
+    secrets: [vaultpass]
     when:
-      event:
-        exclude:
-          - tag
-    secret: [vault-pass] #dieses Secret darf verwendet werden
+      - event: [push, pull_request, cron]
+        evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
+...

.woodpecker/gitleaks.yml

@@ -1,13 +1,10 @@
 ---
-kind: pipeline
-type: docker
-name: gitleaks
 steps:
   gitleaks:
-    image: zricethezav/gitleaks:latest
+    image: zricethezav/gitleaks:v8.18.2
     commands:
       - gitleaks detect --no-git --verbose --source $CI_WORKSPACE
     when:
-      event:
-        exclude:
-          - tag
+      - event: [push, pull_request, cron]
+        evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
+...

ansible.cfg

@@ -4,7 +4,7 @@ nocows                = 1
 retry_files_enabled   = False
 roles_path            = ./roles
 lookup_plugins        = ./plugins/lookup
-collections_paths     = ./collections
+collections_path     = ./collections
 private_key_file      = ./id_ed25519
 vault_password_file   = vault-pass.yml
 gathering             = smart

docker-compose/httpd/docker-compose.yml.j2

@@ -2,19 +2,22 @@ version: '3'
 services:
   httpd-registry:
     container_name: "httpd-registry"
-    image: httpd:bullseye
+    image: "registry.mgrote.net/httpd:latest"
     restart: always
     volumes:
       - uploads:/usr/local/apache2/htdocs/
       - "{{ compose_dest_basedir }}/httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro"
     ports:
       - 3344:80
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 
   python-api-server:
     container_name: httpd-api
-    image: registry.mgrote.net/python-api-server:latest
+    image: "registry.mgrote.net/python-api-server:latest"
     restart: always
     ports:
       - "5040:5000"
@@ -25,10 +28,8 @@ services:
       # FLASK_APP: app # for debugging
       MAX_CONTENT_LENGTH: 500
       UPLOAD_DIRECTORY: /uploads
-      AUTH_TOKEN: {{ lookup('keepass', 'httpd-api-server-token', 'password') }}
+      AUTH_TOKEN: "{{ lookup('keepass', 'httpd-api-server-token', 'password') }}"
       ENABLE_WEBSERVER: false
-    labels:
-      com.centurylinklabs.watchtower.enable: true
 
 volumes:
   uploads:

docker-compose/mail-relay/docker-compose.yml.j2

@@ -1,25 +1,33 @@
 version: '3.3'
 services:
-    postfix:
-      image: registry.mgrote.net/postfix:master
-      container_name: mail-relay
-      restart: always
-      labels:
-        com.centurylinklabs.watchtower.enable: true
-      ports:
-          - 1025:25
-      environment:
-        SMTP_SERVER: smtp.strato.de
-        SMTP_USERNAME: info@mgrote.net
-        SMTP_PASSWORD: {{ lookup('keepass', 'strato_smtp_password', 'password') }}
-        SERVER_HOSTNAME: mgrote.net
-        # DEBUG: "yes" # literal
-        ALWAYS_ADD_MISSING_HEADERS: "no" # literal
-        # LOG_SUBJECT: "yes" # literal
-        INET_PROTOCOL: ipv4
-        SMTP_GENERIC_MAP: "/.*/ info@mgrote.net"
-      networks:
-        - mail-relay
+  postfix:
+    image: "registry.mgrote.net/postfix:latest"
+    container_name: mail-relay
+    restart: always
+    ports:
+        - 1025:25
+    environment:
+      SMTP_SERVER: smtp.strato.de
+      SMTP_USERNAME: info@mgrote.net
+      SMTP_PASSWORD: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}"
+      SERVER_HOSTNAME: mgrote.net
+      # DEBUG: "yes" # as string not boolean
+      ALWAYS_ADD_MISSING_HEADERS: "no" # as string not boolean
+      # LOG_SUBJECT: "yes" # as string not boolean
+      INET_PROTOCOL: ipv4
+      SMTP_GENERIC_MAP: |
+        /nobody@lldap/ lldap@mgrote.net
+        /mg@pbs.localdomain/ pbs@mgrote.net
+        /root@pbs.localdomain/ pbs@mgrote.net
+      # rewrite FROM "nobody@lldap" to "lldap@mgrote.net"
+      # /.*/ würde alle absender adressen ersetzen
+    networks:
+      - mail-relay
+    healthcheck:
+      test: ["CMD", "sh", "-c", "echo 'EHLO localhost' | nc -w 1 127.0.0.1 25 | grep -q '220 '"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 
 ######## Networks ########
 networks:

docker-compose/miniflux/docker-compose.yml.j2

@@ -3,16 +3,16 @@ services:
 ######## Miniflux ########
   miniflux:
     container_name: "mf-frontend"
-    image: miniflux/miniflux:latest
+    image: "ghcr.io/miniflux/miniflux:2.1.3"
     restart: always
     depends_on:
-      - db
+      - mf-db16
     environment:
-      DATABASE_URL: postgres://miniflux:{{ lookup('keepass', 'miniflux_postgres_password', 'password') }}@mf-db/miniflux?sslmode=disable
+      DATABASE_URL: "postgres://miniflux:{{ lookup('keepass', 'miniflux_postgres_password', 'password') }}@mf-db16/miniflux?sslmode=disable"
       RUN_MIGRATIONS: 1
 #      CREATE_ADMIN: 1
 #      ADMIN_USERNAME: adminmf
-#      ADMIN_PASSWORD: {{ lookup('keepass', 'miniflux_admin_password', 'password') }}
+#      ADMIN_PASSWORD: "{{ lookup('keepass', 'miniflux_admin_password', 'password') }}"
       WORKER_POOL_SIZE: 10
       POLLING_FREQUENCY: 10
       CLEANUP_ARCHIVE_UNREAD_DAYS: -1
@@ -21,6 +21,8 @@ services:
     networks:
       - intern
       - traefik
+    healthcheck:
+      test: ["CMD", "/usr/bin/miniflux", "-healthcheck", "auto"]
     labels:
       traefik.http.routers.miniflux.rule: Host(`miniflux.mgrote.net`)
       traefik.enable: true
@@ -29,25 +31,24 @@ services:
       traefik.http.routers.miniflux.entrypoints: entry_https
       traefik.http.services.miniflux.loadbalancer.server.port: 8080
 
-      com.centurylinklabs.watchtower.enable: true
-      com.centurylinklabs.watchtower.depends-on: mf-db
-
-
-######## PostGreSQL ########
-  db:
-    container_name: "mf-db"
-    image: postgres:13
+######## Postgres ########
+  mf-db16:
+    container_name: "mf-db16"
+    image: "postgres:16.3"
     restart: always
     environment:
       POSTGRES_USER: miniflux
-      POSTGRES_PASSWORD: {{ lookup('keepass', 'miniflux_postgres_password', 'password') }}
+      POSTGRES_PASSWORD: "{{ lookup('keepass', 'miniflux_postgres_password', 'password') }}"
       TZ: Europe/Berlin
+      POSTGRES_HOST_AUTH_METHOD: "md5" # Workaround beim Migration von 13 -> 16; https://eelkevdbos.medium.com/upgrade-postgresql-with-docker-compose-99d995e464 ;
     volumes:
-      - db:/var/lib/postgresql/data
+      - db16:/var/lib/postgresql/data
     networks:
       - intern
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "miniflux"]
+      interval: 10s
+      start_period: 30s
 
 ######## Miniflux-Filter ########
   mf-filter:
@@ -57,22 +58,19 @@ services:
     restart: always
     environment:
       TZ: Europe/Berlin
-      MF_AUTH_TOKEN: {{ lookup('keepass', 'miniflux_auth_token', 'password') }}
+      MF_AUTH_TOKEN: "{{ lookup('keepass', 'miniflux_auth_token', 'password') }}"
       MF_API_URL: https://miniflux.mgrote.net/v1
       MF_SLEEP: 600
       #MF_DEBUG: 1
-    image: registry.mgrote.net/miniflux-filter:latest
+    image: "registry.mgrote.net/miniflux-filter:latest"
     volumes:
       - ./filter.txt:/data/filter.txt
     networks:
       - intern
-    labels:
-      com.centurylinklabs.watchtower.enable: true
-      com.centurylinklabs.watchtower.depends-on: mf-frontend
 
 ######## Volumes ########
 volumes:
-  db:
+  db16:
 ######## Networks ########
 networks:
   traefik:

docker-compose/miniflux/filter.txt

@@ -1,6 +1,8 @@
 9to5linux.com::9to5Linux Weekly Roundup:
 apnic.net::Podcast
+apnic.net::Event Wrap
 astralcodexten.substack.com::Open Thread
+astralcodexten.substack.com::Book Review Contest
 augengeradeaus.net::Sicherheitshalber der Podcast
 axios.com::Axios on HBO
 axios.com::football
@@ -21,6 +23,8 @@ computerbase.de::Twitter
 computerbase.de::wettbewerb
 computerbase.de::WM
 computerbase.de::Wochenrück- und Ausblick:
+computerbase.de::Xbox Game Pass
+computerbase.de::GeForce
 facebook.com::Bridge returned error
 golem.de::Anzeige
 golem.de::Aus dem Verlag:
@@ -30,6 +34,7 @@ golem.de::Fussball
 golem.de::Fußball
 golem.de::(g+)
 golem.de::Golem Karrierewelt
+www.thedrive.com::Bunker Talk:
 golem.de::in aller Kürze
 golem.de::In eigener Sache
 golem.de::kurznews
@@ -44,6 +49,7 @@ golem.de::Wochenrückblick
 hardwareluxx.de::Der Hardwareluxx-Webwatch:
 hardwareluxx.de::Die Artikel unserer Partner
 hardwareluxx.de::Shopping Club
+hardwareluxx.de::KW
 heise.de::Anzeige
 heise.de::Auslegungssache
 heise.de::Bit-Rauschen
@@ -102,7 +108,10 @@ heise.de::Zugriff auf alle Inhalte von heise+
 instagram.com::Bridge returned error
 ipspace.net::Built.fm
 ipspace.net::Podcast
+mdr.de::Schwimm-WM
+mdr.de::DSV
 mdr.de::Basketball
+mdr.de::Volleyball
 mdr.de::DFB
 mdr.de::DFB-Pokal
 mdr.de::Fussball
@@ -120,8 +129,7 @@ mdr.de::Podcast "digital Leben"
 mdr.de::Podcast "digital Leben":
 mdr.de::Podcastserie
 mdr.de::Schwimmen:
-mf-bridge::Bridge encountered an unexpected situation
-mf-bridge::Bridge returned error 401
+falseknees.tumblr.com::Kneesvember
 monkeyuser.com::AdLitteram
 netzpolitik.org::KW
 netzpolitik.org::NPP
@@ -164,344 +172,8 @@ portuguesegeese.com::portuguesegeese.com
 reddit.com::UEFA
 stackoverflow.blog::Podcast
 stackoverflow.blog::The Overflow
-stadt-bremerhaven.de::[Anzeige]
-stadt-bremerhaven.de::Basketball-WM
-stadt-bremerhaven.de::Black-Friday
-stadt-bremerhaven.de::Bundesliga
-stadt-bremerhaven.de::Cloud-Gaming-Rückblick
-stadt-bremerhaven.de::DAZN
-stadt-bremerhaven.de::Disney+
-stadt-bremerhaven.de::eFootball
-stadt-bremerhaven.de::Eishockey
-stadt-bremerhaven.de::Elon Musk
-stadt-bremerhaven.de::EM 2024
-stadt-bremerhaven.de::FIFA
-stadt-bremerhaven.de::Formel 1
-stadt-bremerhaven.de::FUSSBALL
-stadt-bremerhaven.de::Immer wieder sonntags KW
-stadt-bremerhaven.de::MagentaSport
-stadt-bremerhaven.de::Podcast
-stadt-bremerhaven.de::Rückblick
-stadt-bremerhaven.de::Sky Ticket
-stadt-bremerhaven.de::Twitter
-stadt-bremerhaven.de::WM 2022
-sueddeutsche.de::1:1
-sueddeutsche.de::1860 München
-sueddeutsche.de::1. FC Kaiserslautern:
-sueddeutsche.de::1. FC Köln
-sueddeutsche.de::1. FC Nürnberg
-sueddeutsche.de::1. FC Union
-sueddeutsche.de::2. Liga
-sueddeutsche.de::2. Liga:
-sueddeutsche.de::3. Liga
-sueddeutsche.de::Achtelfinale
-sueddeutsche.de::Afrika-Cup:
-sueddeutsche.de::Ajax
-sueddeutsche.de::Alonso:
-sueddeutsche.de::Alphonso Davies
-sueddeutsche.de::American Football:
-sueddeutsche.de::Amos Pieper
-sueddeutsche.de::Arminia Bielefeld:
-sueddeutsche.de::Athlet
-sueddeutsche.de::ATP-
-sueddeutsche.de::ATP Finals
-sueddeutsche.de::Australian Open
-sueddeutsche.de::Australian Open:
-sueddeutsche.de::Auswärtstor
-sueddeutsche.de::Barça
-sueddeutsche.de::Baseball
-sueddeutsche.de::Basketball
-sueddeutsche.de::Basketball-WM
-sueddeutsche.de::Bayern
-sueddeutsche.de::Belenenses
-sueddeutsche.de::Berlinale
-sueddeutsche.de::Biathlon
-sueddeutsche.de::Boateng
-sueddeutsche.de::Bobfahr
-sueddeutsche.de::Borussia
-sueddeutsche.de::Borussia Dortmund
-sueddeutsche.de::Borussia Dortmund:
-sueddeutsche.de::Bundesliga
-sueddeutsche.de::Bundestrainer
-sueddeutsche.de::BVB
-sueddeutsche.de::Carlos Alcaraz
-sueddeutsche.de::CB-Funk-Podcast
-sueddeutsche.de::Champions League:
-sueddeutsche.de::Champions-League
-sueddeutsche.de::Chelsea
-sueddeutsche.de::Claudio Pizarro
-sueddeutsche.de::Claudio Pizarro:
-sueddeutsche.de::Conference League
-sueddeutsche.de::Conference-League
-sueddeutsche.de::Copa Libertadores
-sueddeutsche.de::Daniil Medwedew
-sueddeutsche.de::Darts
-sueddeutsche.de::Davis Cup
-sueddeutsche.de::Derby
-sueddeutsche.de::Deutsche Fußball Liga
-sueddeutsche.de::Deutsche Nationalmannschaft
-sueddeutsche.de::Deutsche U21:
-sueddeutsche.de::DFB
-sueddeutsche.de::DFB-
-sueddeutsche.de::DFB:
-sueddeutsche.de::DFB-Elf
-sueddeutsche.de::DFB-Frauen:
-sueddeutsche.de::DFB-Pokal
-sueddeutsche.de::DFL
-sueddeutsche.de::DFL-Supercup
-sueddeutsche.de::Djokovic
-sueddeutsche.de::Dressur-Weltmeister
-sueddeutsche.de::Dritte Liga:
-sueddeutsche.de::Drittliga
-sueddeutsche.de::Dschungelcamp
-sueddeutsche.de::Eintracht
-sueddeutsche.de::Eintracht Frankfurt
-sueddeutsche.de::Eisbären Berlin
-sueddeutsche.de::Eishockey
-sueddeutsche.de::Eishockey:
-sueddeutsche.de::Eishockey-WM:
-sueddeutsche.de::Eiskunstl
-sueddeutsche.de::Eisschnelllauf
-sueddeutsche.de::Elfmeter
-sueddeutsche.de::EM:
-sueddeutsche.de::EM-Aus
-sueddeutsche.de::Emil Forsberg
-sueddeutsche.de::EM-Qualifikation
-sueddeutsche.de::Englisches Nationalteam:
-sueddeutsche.de::Eröffnungsspiel
-sueddeutsche.de::ESC-Finale
-sueddeutsche.de::ESC-Vorentscheid
-sueddeutsche.de::Euroleague
-sueddeutsche.de::Europa League
-sueddeutsche.de::Europa-League
-sueddeutsche.de::Europameister
-sueddeutsche.de::Europapokal
-sueddeutsche.de::European Championships
-sueddeutsche.de::Eurovision Song Contest
-sueddeutsche.de::Eurovision Song Contest:
-sueddeutsche.de::FC Augsburg
-sueddeutsche.de::FC Barcelona
-sueddeutsche.de::FC Chelsea:
-sueddeutsche.de::FC Homburg
-sueddeutsche.de::FC Sevilla
-sueddeutsche.de::Fifa
-sueddeutsche.de::Fifa:
-sueddeutsche.de::Formel 1
-sueddeutsche.de::Frankfurt
-sueddeutsche.de::French Open
-sueddeutsche.de::Fussball
-sueddeutsche.de::Fußball:
-sueddeutsche.de::Fußball-EM
-sueddeutsche.de::Fußballerinnen
-sueddeutsche.de::Fußballern
-sueddeutsche.de::Fußball in England:
-sueddeutsche.de::Fußball-Legende
-sueddeutsche.de::Fußballtorwart
-sueddeutsche.de::Fußballverband
-sueddeutsche.de::Fußball-Verband
-sueddeutsche.de::Fußball-Weltmeisterschaft
-sueddeutsche.de::Fußball-WM
-sueddeutsche.de::Galopp
-sueddeutsche.de::Gerard López
-sueddeutsche.de::Gladbach
-sueddeutsche.de::Glasgow Rangers
-sueddeutsche.de::Golf:
-sueddeutsche.de::Guardiola
-sueddeutsche.de::Hamburger SV
-sueddeutsche.de::Handball-EM:
-sueddeutsche.de::Handball-WM
-sueddeutsche.de::Hannover 96:
-sueddeutsche.de::Heldenfußball
-sueddeutsche.de::Hertha BSC
-sueddeutsche.de::Hertha BSC:
-sueddeutsche.de::Hinspiel
-sueddeutsche.de::Hochspring
-sueddeutsche.de::Hockey
-sueddeutsche.de::Hockey-EM
-sueddeutsche.de::Hockey-WM
-sueddeutsche.de::Hoeneß:
-sueddeutsche.de::HSV-Verteidiger
-sueddeutsche.de::Ibrahimović
-sueddeutsche.de::"Ich bin ein Star"
-sueddeutsche.de::Infantino
-sueddeutsche.de::Inter Mailand
-sueddeutsche.de::Joachim Löw
-sueddeutsche.de::Jugendwort des Jahres
-sueddeutsche.de::Julian Nagelsmann
-sueddeutsche.de::Juve
-sueddeutsche.de::Kevin Trapp
-sueddeutsche.de::Kinderfußball
-sueddeutsche.de::Klopp
-sueddeutsche.de::Klosterhalfen
-sueddeutsche.de::Kolumne
-sueddeutsche.de::Kroos
-sueddeutsche.de::La Boum:
-sueddeutsche.de::La Liga
-sueddeutsche.de::Länderspiel
-sueddeutsche.de::Lazio Rom
-sueddeutsche.de::Leichtathletik:
-sueddeutsche.de::Leichtathletik-Weltmeisterschaft
-sueddeutsche.de::Leichtathletik-WM
-sueddeutsche.de::Leichtathletik-WM:
-sueddeutsche.de::Leon Draisaitl
-sueddeutsche.de::leute:
-sueddeutsche.de::Leverkusen
-sueddeutsche.de::Lewandowski
-sueddeutsche.de::Lewis Hamilton
-sueddeutsche.de::Linda Dallmann
-sueddeutsche.de::LIV Tour
-sueddeutsche.de::Los Angeles Lakers
-sueddeutsche.de::Manchester City
-sueddeutsche.de::Manchester United
-sueddeutsche.de::Mancini
-sueddeutsche.de::ManCity
-sueddeutsche.de::ManUnited
-sueddeutsche.de::Markus Weinzierl
-sueddeutsche.de::Mbappé
-sueddeutsche.de::Messi
-sueddeutsche.de::Miroslav Klose
-sueddeutsche.de::Monza
-sueddeutsche.de::Mourinho
-sueddeutsche.de::Musiala
-sueddeutsche.de::Nadal
-sueddeutsche.de::nationalelf
-sueddeutsche.de::Nationalmannschaft
-sueddeutsche.de::Nationalspieler
-sueddeutsche.de::Nationalteam
-sueddeutsche.de::Nations League
-sueddeutsche.de::NBA
-sueddeutsche.de::NBA:
-sueddeutsche.de::Netzkolumne
-sueddeutsche.de::Neujahrsspringen
-sueddeutsche.de::Neymar
-sueddeutsche.de::NFL
-sueddeutsche.de::Niklas Süle:
-sueddeutsche.de::Nordische Ski-WM
-sueddeutsche.de::Olympia
-sueddeutsche.de::Olympia:
-sueddeutsche.de::Olympia 2022:
-sueddeutsche.de::Olympia-Ticker:
-sueddeutsche.de::Olympischen Spielen:
-sueddeutsche.de::Olympische Spiele:
-sueddeutsche.de::Olympische Winterspiele:
-sueddeutsche.de::OSC Lille
-sueddeutsche.de::Paralympics:
-sueddeutsche.de::Paris Saint-Germain
-sueddeutsche.de::Pep Guardiola
-sueddeutsche.de::Pferdesport
-sueddeutsche.de::Playoffs
-sueddeutsche.de::Podcast "Lanz & Precht"
-sueddeutsche.de::Podcasts-Tipps im
-sueddeutsche.de::Podcast-Tipps
-sueddeutsche.de::Pokal
-sueddeutsche.de::Pokal-Sieg
-sueddeutsche.de::Pokalspiel
-sueddeutsche.de::Polizeiruf 110
-sueddeutsche.de::Prantls Blick:
-sueddeutsche.de::Premier
-sueddeutsche.de::PSV Eindhoven
-sueddeutsche.de::Qualifikationsspiel
-sueddeutsche.de::quoted.
-sueddeutsche.de::Raducanu
-sueddeutsche.de::Rangnick
-sueddeutsche.de::RB Leipzig
-sueddeutsche.de::RB Leipzig:
-sueddeutsche.de::Real Madrid
-sueddeutsche.de::Reiten
-sueddeutsche.de::Reit-WM
-sueddeutsche.de::Relegation
-sueddeutsche.de::Rennrodl
-sueddeutsche.de::Robin Gosens
-sueddeutsche.de::Rodeln:
-sueddeutsche.de::Ronaldo
-sueddeutsche.de::Rudern
-sueddeutsche.de::SC Freiburg
-sueddeutsche.de::Schach-WM
-sueddeutsche.de::Schiedsrichter
-sueddeutsche.de::Schwimmen:
-sueddeutsche.de::Schwimm-WM
-sueddeutsche.de::Serien des Monats
-sueddeutsche.de::Ski alpin
-sueddeutsche.de::Ski alpin:
-sueddeutsche.de::Skilanglauf
-sueddeutsche.de::Ski-nordisch-WM:
-sueddeutsche.de::Skirenn
-sueddeutsche.de::Skispringen
-sueddeutsche.de::Ski-Weltcup
-sueddeutsche.de::Ski-Weltverband
-sueddeutsche.de::Ski-WM
-sueddeutsche.de::Slalomfahr
-sueddeutsche.de::-Spiel
-sueddeutsche.de::SSC Neapel
-sueddeutsche.de::Stanley Cup
-sueddeutsche.de::Stimmen zum Spiel
-sueddeutsche.de::Stürmer
-sueddeutsche.de::Super Bowl
-sueddeutsche.de::Super Bowl Sunday:
-sueddeutsche.de::Supercup
-sueddeutsche.de::Supercup live
-sueddeutsche.de::Super League
-sueddeutsche.de::SZ-Audioreihe
-sueddeutsche.de::SZ-Kolumne "Bester Dinge":
-sueddeutsche.de::SZ-Kolumne "Mitten in ...":
-sueddeutsche.de::SZ-Plus-Abonnenten lesen auch
-sueddeutsche.de::SZ-Podcast
-sueddeutsche.de::SZ-Podcast "Und nun zum Sport":
-sueddeutsche.de::Tabellenspitze
-sueddeutsche.de::"Tatort"
-sueddeutsche.de::Tatort aus
-sueddeutsche.de::Tatort München:
-sueddeutsche.de::Teamspringen
-sueddeutsche.de::Team-WM
-sueddeutsche.de::Tennis
-sueddeutsche.de::Tennis:
-sueddeutsche.de::Thomas Müller
-sueddeutsche.de::Three Lions:
-sueddeutsche.de::Timo Boll
-sueddeutsche.de::Tischtennis WM:
-sueddeutsche.de::Toni Kroos
-sueddeutsche.de::Tore
-sueddeutsche.de::Torhüter
-sueddeutsche.de::torwart
-sueddeutsche.de::Tottenham
-sueddeutsche.de::Transfermarkt
-sueddeutsche.de::Trikots
-sueddeutsche.de::TSG Hoffenheim
-sueddeutsche.de::Tuchel
-sueddeutsche.de::Türkgücü München
-sueddeutsche.de::Turn-WM
-sueddeutsche.de::U21-Europameisterschaft
-sueddeutsche.de::ückenkemper
-sueddeutsche.de::Ukrainisches Tagebuch
-sueddeutsche.de::Uli Hoeneß
-sueddeutsche.de::Union Berlin
-sueddeutsche.de::Urs Fischer
-sueddeutsche.de::US Open
-sueddeutsche.de::VfB
-sueddeutsche.de::VfB Stuttgart
-sueddeutsche.de::VfL
-sueddeutsche.de::VfL Wolfsburg
-sueddeutsche.de::Vierschanzentournee
-sueddeutsche.de::Viertelfinal
-sueddeutsche.de::Viertelfinale
-sueddeutsche.de::Volleyball-WM:
-sueddeutsche.de::Vuskovic
-sueddeutsche.de::Weitspr
-sueddeutsche.de::Werder
-sueddeutsche.de::Wiegman
-sueddeutsche.de::Wimbledon
-sueddeutsche.de::Wintersport:
-sueddeutsche.de::WM-
-sueddeutsche.de::WM:
-sueddeutsche.de::WM-Kader
-sueddeutsche.de::WM-Qualifikation
-sueddeutsche.de::WM-Silber
-sueddeutsche.de::WM-Ticket
-sueddeutsche.de::WM-Titel
-sueddeutsche.de::Zlatan
-sueddeutsche.de::zweite Liga
-sueddeutsche.de::zweiten Liga
 tagesschau.de::11KM
+tagesschau.de::11KM-Podcast
 tagesschau.de::Achtelfinale
 tagesschau.de::Alpine-Super-Kombination:
 tagesschau.de::American Football:
@@ -610,3 +282,8 @@ theguardian.com::Guardiola
 theguardian.com::Manchester United
 theycantalk.com::Tinyview
 toonhole.com::Bernai
+www.army-technology.com::who are the leaders
+www.army-technology.com::files patent
+www.army-technology.com::sees highest patent filings
+www.army-technology.com::theme innovation strategy
+www.army-technology.com::gets grant

docker-compose/munin/docker-compose.yml.j2

@@ -0,0 +1,43 @@
+version: '3'
+services:
+  munin:
+    container_name: "munin-master"
+    image: registry.mgrote.net/munin-server:latest
+    restart: always
+    environment:
+      MAILCONTACT: michael.grote@posteo.de
+      MAILSERVER: mail-relay
+      MAILPORT: 25
+      MAILFROM: munin@mgrote.net
+      MAILUSER: munin@mgrote.net
+      MAILNAME: Munin
+      MAILDOMAIN: mgrote.net
+      TZ: Europe/Berlin
+      CRONDELAY: 5
+      NODES: |
+        fileserver3.mgrote.net:fileserver3.mgrote.net
+        ansible2.mgrote.net:ansible2.mgrote.net
+        pve5.mgrote.net:pve5.mgrote.net
+        forgejo.mgrote.net:forgejo.mgrote.net
+        docker10.mgrote.net:docker10.mgrote.net
+        pbs.mgrote.net:pbs.mgrote.net
+        blocky.mgrote.net:blocky.mgrote.net
+        ldap.mgrote.net:ldap.mgrote.net
+      # z.B.
+      # computer-test.mgrote.net.test:192.68.2.4
+      # computer.mgrote.net:computer.mgrote.net
+    volumes:
+      - db:/var/lib/munin
+      - logs:/var/log/munin
+      - cache:/var/cache/munin
+    ports:
+      - 1234:80
+
+volumes:
+  db:
+  logs:
+  cache:
+
+networks:
+  mail-relay:
+    external: true

docker-compose/navidrome/docker-compose.yml.j2

@@ -3,7 +3,7 @@ services:
 ######## navidrome-mg ########
   navidrome-mg:
     container_name: "navidrome-mg"
-    image: deluan/navidrome:latest
+    image: "deluan/navidrome:0.52.5"
     restart: always
     environment:
       ND_LOGLEVEL: info
@@ -35,8 +35,6 @@ services:
       traefik.http.routers.navidrome-mg.tls.certresolver: resolver_letsencrypt
       traefik.http.routers.navidrome-mg.entrypoints: entry_https
       traefik.http.services.navidrome-mg.loadbalancer.server.port: 4533
-
-      com.centurylinklabs.watchtower.enable: true
     ports:
       - "4533:4533"
 

docker-compose/nextcloud/docker-compose.yml.j2

@@ -2,7 +2,7 @@ version: '3.3'
 services:
 ######## Datenbank ########
   nextcloud-db:
-    image: mariadb:10
+    image: "mariadb:11.3.2"
     container_name: nextcloud-db
     command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
     restart: unless-stopped
@@ -11,59 +11,75 @@ services:
       - /etc/timezone:/etc/timezone:ro
       - db:/var/lib/mysql
     environment:
-      MYSQL_ROOT_PASSWORD: {{ lookup('keepass', 'nextcloud_mysql_root_password', 'password') }}
-      MYSQL_PASSWORD: {{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}
+      MYSQL_ROOT_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_root_password', 'password') }}"
+      MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
       MYSQL_DATABASE: nextcloud
       MYSQL_USER: nextcloud
       MYSQL_INITDB_SKIP_TZINFO: 1
     networks:
       - intern
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    healthcheck:
+      interval: 30s
+      retries: 3
+      test:
+        [
+          "CMD",
+          "healthcheck.sh",
+          "--su-mysql",
+          "--connect"
+        ]
+      timeout: 30s
+
+  # Error
+  ## [ERROR] Incorrect definition of table mysql.column_stats: expected column 'histogram' at position 10 to have type longblob, found type varbinary(255).
+  ## [ERROR] Incorrect definition of table mysql.column_stats: expected column 'hist_type' at position 9 to have type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB'), found type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB').
+  # Fix
+  ## docker exec nextcloud-db mysql nextcloud -p<MySQL-Root-Pw> -e "ALTER TABLE mysql.column_stats MODIFY histogram longblob;"
+  ## docker exec nextcloud-db mysql nextcloud -p<MySQL-Root-Pw> -e "ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');"
 
 ######## Redis ########
   nextcloud-redis:
-    image: redis:7-alpine
+    image: "redis:7.2.4"
     container_name: nextcloud-redis
     hostname: nextcloud-redis
     networks:
       - intern
     restart: unless-stopped
-    command: redis-server --requirepass {{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    command: "redis-server --requirepass {{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
+    healthcheck:
+      test: ["CMD", "redis-cli", "--pass", "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
+      interval: 5s
+      timeout: 2s
+      retries: 3
 
 ######## cron ########
   nextcloud-cron:
     container_name: nextcloud-cron
-    image: registry.mgrote.net/nextcloud-cronjob:master
+    image: "registry.mgrote.net/nextcloud-cronjob:latest"
     restart: unless-stopped
     network_mode: none
-    depends_on:
-      - nextcloud-app
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /etc/localtime:/etc/localtime:ro
     environment:
       NEXTCLOUD_CONTAINER_NAME: nextcloud-app
       NEXTCLOUD_CRON_MINUTE_INTERVAL: 1
-    labels:
-      com.centurylinklabs.watchtower.enable: true
 
 ######## Nextcloud ########
   nextcloud-app:
-    image: nextcloud:27
+    image: "nextcloud:29.0.0"
     container_name: nextcloud-app
     restart: unless-stopped
     depends_on:
       - nextcloud-db
       - nextcloud-redis
+      - nextcloud-cron
     environment:
         REDIS_HOST: nextcloud-redis
-        REDIS_HOST_PASSWORD: {{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}
+        REDIS_HOST_PASSWORD: "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
         MYSQL_DATABASE: nextcloud
         MYSQL_USER: nextcloud
-        MYSQL_PASSWORD: {{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}
+        MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
         MYSQL_HOST: nextcloud-db
         NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.mgrote.net"
         SMTP_HOST: mail-relay
@@ -71,12 +87,15 @@ services:
         SMTP_PORT: 25
         #SMTP_AUTHTYPE: LOGIN
         SMTP_NAME: info@mgrote.net
-        #SMTP_PASSWORD: {{ lookup('keepass', 'strato_smtp_password', 'password') }}
+        #SMTP_PASSWORD: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}"
         MAIL_FROM_ADDRESS: info@mgrote.net
         PHP_MEMORY_LIMIT: 1024M
         PHP_UPLOAD_LIMIT: 10G
         APACHE_DISABLE_REWRITE_IP: 1
         TRUSTED_PROXIES: "192.168.48.0/24" # Subnetz in dem sich traefik befindet
+        NEXTCLOUD_UPLOAD_LIMIT: 10G
+        NEXTCLOUD_MAX_TIME: 3600
+        APACHE_BODY_LIMIT: 0 # unlimited, https://github.com/nextcloud/docker/issues/1796
     volumes:
       - app:/var/www/html
       - data:/var/www/html/data
@@ -84,10 +103,12 @@ services:
       - intern
       - traefik
       - mail-relay
+    healthcheck:
+      test: ["CMD", "curl", "-f", "--insecure", "http://localhost:80"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     labels:
-      com.centurylinklabs.watchtower.enable: true
-      com.centurylinklabs.watchtower.depends-on: nextcloud-redis,nextcloud-db
-
       traefik.http.routers.nextcloud.rule: Host(`nextcloud.mgrote.net`)
       traefik.enable: true
       traefik.http.routers.nextcloud.tls: true
@@ -122,3 +143,6 @@ volumes:
 ######## Doku ########
 # Telefonregion
 # docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value="DE"
+# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
+# docker exec --user www-data nextcloud-app php occ config:system:set overwriteprotocol --value="https"
+# docker exec --user www-data nextcloud-app php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"

docker-compose/photoprism/docker-compose.yml.j2

@@ -1,88 +0,0 @@
-version: '3.5'
-# ------------------------------------------------------------------
-# DOCKER COMPOSE COMMAND REFERENCE
-# ------------------------------------------------------------------
-# Start    | docker-compose up -d
-# Stop     | docker-compose stop
-# Update   | docker-compose pull
-# Logs     | docker-compose logs --tail=25 -f
-# Terminal | docker-compose exec photoprism bash
-# Help     | docker-compose exec photoprism photoprism help
-# Config   | docker-compose exec photoprism photoprism config
-# Reset    | docker-compose exec photoprism photoprism reset
-# Backup   | docker-compose exec photoprism photoprism backup -a -i
-# Restore  | docker-compose exec photoprism photoprism restore -a -i
-# Index    | docker-compose exec photoprism photoprism index
-# Reindex  | docker-compose exec photoprism photoprism index -a
-# Import   | docker-compose exec photoprism photoprism import
-# -------------------------------------------------------------------
-services:
-  photoprism:
-    # Use photoprism/photoprism:preview instead for testing preview builds:
-    image: photoprism/photoprism:latest
-    container_name: photoprism-frontend
-    restart: always
-    security_opt:
-      - seccomp:unconfined
-      - apparmor:unconfined
-    ports:
-      - 2342:2342
-    environment:
-      PHOTOPRISM_ADMIN_PASSWORD: "{{ lookup('keepass', 'photoprism_admin_password', 'password') }}"
-      PHOTOPRISM_HTTP_PORT: 2342
-      PHOTOPRISM_HTTP_COMPRESSION: "gzip" # none or gzip
-      PHOTOPRISM_DEBUG: "false"
-      PHOTOPRISM_PUBLIC: "false" # No authentication required (disables password protection)
-      PHOTOPRISM_READONLY: "true" # Don't modify originals directory (reduced functionality)
-      PHOTOPRISM_EXPERIMENTAL: "false"
-      PHOTOPRISM_DISABLE_WEBDAV: "true"
-      PHOTOPRISM_DISABLE_SETTINGS: "false"
-      PHOTOPRISM_DISABLE_TENSORFLOW: "false"
-      PHOTOPRISM_DARKTABLE_PRESETS: "false"
-      PHOTOPRISM_DETECT_NSFW: "true"
-      PHOTOPRISM_UPLOAD_NSFW: "true"
-      PHOTOPRISM_DATABASE_DRIVER: "mysql"
-      PHOTOPRISM_DATABASE_SERVER: "mariadb:3306"
-      PHOTOPRISM_DATABASE_NAME: "photoprism"
-      PHOTOPRISM_DATABASE_USER: "photoprism"
-      PHOTOPRISM_DATABASE_PASSWORD: "{{ lookup('keepass', 'photoprism_database_password', 'password') }}"
-      PHOTOPRISM_SITE_URL: "http://docker10.mgrote.net:2342/"
-      PHOTOPRISM_SITE_TITLE: "PhotoPrism"
-      PHOTOPRISM_SITE_CAPTION: "Browse Your Life"
-      PHOTOPRISM_SITE_DESCRIPTION: ""
-      PHOTOPRISM_SITE_AUTHOR: "mgrote"
-      # You may optionally set a user / group id using environment variables if your Docker version or NAS does not
-      # support this natively (see next example):
-      UID: 5000
-      GID: 5000
-      # UMASK: 0000
-    # Uncomment and edit the following line to set a specific user / group id (native):
-    user: "5000:5000"
-    volumes:
-      - /mnt/fileserver3_photoprism_bilder_ro:/photoprism/originals/:ro
-      - "storage:/photoprism/storage"
-    labels:
-      com.centurylinklabs.watchtower.enable: true
-      com.centurylinklabs.watchtower.depends-on: photoprism-db
-
-  mariadb:
-    image: mariadb:10
-    container_name: photoprism-db
-    restart: always
-    security_opt:
-      - seccomp:unconfined
-      - apparmor:unconfined
-    command: mysqld --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=50
-    volumes: # Don't remove permanent storage for index database files!
-      - "database:/var/lib/mysql"
-    environment:
-      MYSQL_ROOT_PASSWORD: {{ lookup('keepass', 'photoprism_mysql_root_password', 'password') }}
-      MYSQL_DATABASE: photoprism
-      MYSQL_USER: photoprism
-      MYSQL_PASSWORD: {{ lookup('keepass', 'photoprism_database_password', 'password') }}
-    labels:
-      com.centurylinklabs.watchtower.enable: true
-
-volumes:
-  storage:
-  database:

docker-compose/registry/docker-compose.yml.j2

@@ -3,7 +3,7 @@ services:
   oci-registry:
     restart: always
     container_name: oci-registry
-    image: registry:2
+    image: "registry:2.8.3"
     volumes:
       - oci:/var/lib/registry
       - ./htpasswd:/auth/htpasswd
@@ -11,15 +11,25 @@ services:
       - traefik
       - intern
     depends_on:
-      - oci-registry-ui
       - oci-registry-redis
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:5000/v2/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     environment:
       TZ: Europe/Berlin
       REGISTRY_AUTH: none
       REGISTRY_REDIS_ADDR: oci-registry-redis:6379
-      REGISTRY_REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}
+      REGISTRY_REDIS_PASSWORD: "{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"
       REGISTRY_STORAGE_DELETE_ENABLED: true
       REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
+      # https://joxit.dev/docker-registry-ui/#using-cors
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry.mgrote.net/ui/]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
     labels:
       traefik.http.routers.registry.rule: Host(`registry.mgrote.net`)
       traefik.enable: true
@@ -28,13 +38,10 @@ services:
       traefik.http.routers.registry.entrypoints: entry_https
       traefik.http.services.registry.loadbalancer.server.port: 5000
 
-      traefik.http.routers.registry.middlewares: registry-ipwhitelist
+      traefik.http.routers.registry.middlewares: registry-ipallowlist
 
-      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
-      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
-
-      com.centurylinklabs.watchtower.depends-on: oci-registry-redis
-      com.centurylinklabs.watchtower.enable: true
+      traefik.http.middlewares.registry-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
+      traefik.http.middlewares.registry-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 
     # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect --delete-untagged=true /etc/docker/registry/config.yml
 
@@ -45,21 +52,24 @@ services:
     # docker pull registry.mgrote.net/myfirstimage
 
   oci-registry-redis:
-    image: redis:7
+    image: "redis:7.2.4"
     container_name: oci-registry-redis
     networks:
       - intern
     restart: always
     environment:
-      REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}
+      REDIS_PASSWORD: "{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"
       MAXMEMORY POLICY: allkeys-lru
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 
   oci-registry-ui:
     restart: always
     # url: registry.mgrote.net/ui/index.html
-    image: joxit/docker-registry-ui:latest
+    image: "joxit/docker-registry-ui:2.5.7"
     container_name: oci-registry-ui
     environment:
       DELETE_IMAGES: true
@@ -67,12 +77,20 @@ services:
       NGINX_PROXY_PASS_URL: http://oci-registry:5000
       SHOW_CONTENT_DIGEST: true # https://github.com/Joxit/docker-registry-ui/issues/297
       SHOW_CATALOG_NB_TAGS: true
+      PULL_URL: registry.mgrote.net
+    depends_on:
+      - oci-registry
     networks:
       - traefik
       - intern
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     labels:
       traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
-      traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipwhitelist # also entferne den Prefix danach wieder
+      traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipallowlist # also entferne den Prefix danach wieder
       traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
       traefik.enable: true
       traefik.http.routers.registry-ui.tls: true
@@ -80,13 +98,8 @@ services:
       traefik.http.routers.registry-ui.entrypoints: entry_https
       traefik.http.services.registry-ui.loadbalancer.server.port: 80
 
-      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
-      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
-
-
-      com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
-      com.centurylinklabs.watchtower.enable: true
-
+      traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
+      traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 
 ######## Networks ########
 networks:

docker-compose/routeros-config-export/docker-compose.yml

@@ -3,7 +3,7 @@ services:
   routeros-config-export:
     container_name: routeros-config-export
     restart: always
-    image: registry.mgrote.net/oxidized-selfmade:check
+    image: "registry.mgrote.net/routeros-config-export:latest"
     volumes:
       - ./key_rb5009:/key_rb5009:ro
       - ./key_hex:/key_hex:ro
@@ -15,7 +15,7 @@ services:
               hex.mgrote.net,routeros-config-backup,/key_hex
               crs305.mgrote.net,routeros-config-backup,/key_crs305
       GIT_REPO_BRANCH: "master"
-      GIT_REPO_URL: "ssh://gitea@gitea.mgrote.net:2222/mg/routeros-configs.git"
+      GIT_REPO_URL: "ssh://gitea@forgejo.mgrote.net:2222/mg/routeros-configs.git"
       GIT_REPO_DEPLOY_KEY: "/deploy_token"
       GIT_USERNAME: oxidized-selfmade
       GIT_USER_MAIL: michael.grote@posteo.de

docker-compose/statping-ng/docker-compose.yml.j2

@@ -1,27 +0,0 @@
-version: '2.3'
-
-services:
-  statping:
-    container_name: statping
-    image: adamboutcher/statping-ng:latest
-    restart: always
-    volumes:
-      - statping_data:/app
-    environment:
-      DB_CONN: sqlite
-      ALLOW_REPORT: false
-      ADMIN_USER: statadmin
-      ADMIN_PASSWORD: {{ lookup('keepass', 'statping_admin_password', 'password') }}
-      SAMPLE_DATA: false
-    ports:
-      - 8083:8080
-    networks:
-      - mail-relay
-    labels:
-      com.centurylinklabs.watchtower.enable: true
-
-volumes:
-  statping_data:
-networks:
-  mail-relay:
-    external: true

docker-compose/traefik/docker-compose.yml.j2

@@ -3,7 +3,7 @@ services:
 ######## traefik ########
   traefik:
     container_name: traefik
-    image: traefik:latest
+    image: "traefik:v3.0.0"
     restart: always
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -19,16 +19,19 @@ services:
       - "2222:2222" # SSH
     environment:
       TZ: Europe/Berlin
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 
 ######## nforwardauth ########
   nforwardauth:
     restart: always
-    image: nosduco/nforwardauth:v1
+    image: "nosduco/nforwardauth:v1.4.0"
     container_name: traefik-nforwardauth
     environment:
-      TOKEN_SECRET: {{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}
+      TOKEN_SECRET: "{{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}"
       AUTH_HOST: auth.mgrote.net
     labels:
       traefik.enable: true
@@ -40,13 +43,15 @@ services:
       traefik.http.routers.nforwardauth.tls: true
       traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
       traefik.http.routers.nforwardauth.entrypoints: entry_https
-
-      com.centurylinklabs.watchtower.depends-on: traefik
-      com.centurylinklabs.watchtower.enable: true
     volumes:
       - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
     networks:
       - traefik
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 
 ######## Networks ########
 networks:

docker-compose/traefik/file-provider.yml

@@ -14,4 +14,4 @@ http:
     service_gitea:
       loadBalancer:
         servers:
-          - url: "http://gitea.mgrote.net:3000/"
+          - url: "http://forgejo.mgrote.net:3000/"

docker-compose/traefik/traefik.yml

@@ -37,6 +37,8 @@ api:
   insecure: true
   dashboard: true # unter Port 8081 erreichbar
 
+ping: {} # für healthcheck
+
 #experimental:
 #  plugins:
 #    ldapAuth:

docker-compose/unifi-network-application/docker-compose.yml.j2

@@ -2,14 +2,14 @@
 version: "2.1"
 services:
   unifi-network-application:
-    image: lscr.io/linuxserver/unifi-network-application:latest
+    image: "lscr.io/linuxserver/unifi-network-application:8.0.28-ls27"
     container_name: unifi-network-application
     environment:
       PUID: 1000
       PGID: 1000
       TZ: Etc/UTC
       MONGO_USER: unifiuser
-      MONGO_PASS: {{ lookup('keepass', 'unifi-mongodb-pass', 'password') }}
+      MONGO_PASS: "{{ lookup('keepass', 'unifi-mongodb-pass', 'password') }}"
       MONGO_HOST: unifi-db
       MONGO_PORT: 27017
       MONGO_DBNAME: unifidb
@@ -28,28 +28,37 @@ services:
       - 6789:6789 #optional
       - 5514:5514/udp #optional
     restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
-      com.centurylinklabs.watchtower.depends-on: unifi-db
     networks:
       - mail-relay
       - unifi-internal
+    healthcheck:
+      test: ["CMD", "curl", "-f", "--insecure", "https://localhost:8443"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    depends_on:
+      - unifi-db
 
   unifi-db:
     # Starte Container OHNE init-script
-    # IN Container
-    # 1. mongo
+    # In Container
+    # 1. mongosh
     # 2. db.getSiblingDB("unifidb").createUser({user: "unifiuser", pwd: "GEHEIM", roles: [{role: "dbOwner", db: "unifidb"}, {role: "dbOwner", db: "unifidb_stat"}]});
     # https://discourse.linuxserver.io/t/cant-connect-to-mongodb-for-unifi-network-application/8166
-    image: docker.io/mongo:4
+    image: "docker.io/mongo:7.0.9"
     container_name: unifi-db
     volumes:
       - db-data:/data/db
     restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
+    environment:
+      MARIADB_AUTO_UPGRADE: "1"
     networks:
       - unifi-internal
+    healthcheck:
+      test: ["CMD", "mongosh", "--eval", "db.stats().ok"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 
 ######## Volumes ########
 volumes:

docker-compose/watchtower/docker-compose.yml.j2

@@ -1,42 +0,0 @@
-version: "3"
-services:
-  watchtower:
-    restart: always
-    container_name: watchtower
-    image: containrrr/watchtower
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      TZ: Europe/Berlin
-      WATCHTOWER_CLEANUP: true
-      WATCHTOWER_INCLUDE_RESTARTING: true
-      WATCHTOWER_INCLUDE_STOPPED: true
-      WATCHTOWER_REVIVE_STOPPED: false
-      WATCHTOWER_SCHEDULE: "0 20 3 * * *" # jeden Tag um 03:20
-      WATCHTOWER_LABEL_ENABLE: true
-      WATCHTOWER_NOTIFICATIONS: email
-      WATCHTOWER_NOTIFICATION_EMAIL_FROM: info@mgrote.net
-      WATCHTOWER_NOTIFICATION_EMAIL_TO: info@mgrote.net
-      WATCHTOWER_NOTIFICATION_EMAIL_SERVER: mail-relay # "container_name" des Relays
-      # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: 25 # nicht benötigt, nur als Referenz stehen gelassen
-      # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER: "" # nicht benötigt, nur als Referenz stehen gelassen
-      # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: "" # nicht benötigt, nur als Referenz stehen gelassen
-      WATCHTOWER_NOTIFICATION_EMAIL_DELAY: 2
-      WATCHTOWER_NO_STARTUP_MESSAGE: true
-    labels:
-      com.centurylinklabs.watchtower.enable: true
-    networks:
-      - mail-relay # binde externe Netzwerk an Container
-
-# monitore diesen Container nur
-#   labels:
-#     com.centurylinklabs.watchtower.monitor-only: true
-# dieser container hängt von x ab
-#     com.centurylinklabs.watchtower.depends-on: mf-db
-# aktualisiere container
-#     com.centurylinklabs.watchtower.enable: true
-
-######## Networks ########
-networks:
-  mail-relay: # damit das mail-relaay im anderen Container erreicht werden kann
-    external: true

docker-compose/wiki/docker-compose.yml.j2

@@ -2,7 +2,7 @@ version: '3'
 services:
   wiki-webserver:
     container_name: wiki-webserver
-    image: httpd:2.4
+    image: "registry.mgrote.net/httpd:latest"
     restart: always
     networks:
       - traefik
@@ -13,6 +13,11 @@ services:
       # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
       # dieser Verzeichnis wird direkt in der wiki ci gemountet
       # und die daten werden dort reingeschrieben
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     labels:
       traefik.http.routers.wiki.rule: Host(`wiki.mgrote.net`)
       traefik.enable: true
@@ -23,8 +28,6 @@ services:
 
       traefik.http.routers.wiki.middlewares: nforwardauth
 
-      com.centurylinklabs.watchtower.enable: true
-
 ######## Networks ########
 networks:
   traefik:

docker-compose/woodpecker/docker-compose.yml.j2

@@ -5,7 +5,7 @@ services:
   woodpecker-server:
     restart: always
     container_name: woodpecker-server
-    image: woodpeckerci/woodpecker-server:v2.0
+    image: "woodpeckerci/woodpecker-server:v2.4.1"
     ports:
       - 8000:8000
     volumes:
@@ -16,9 +16,9 @@ services:
       WOODPECKER_WEBHOOK_HOST: http://docker10.mgrote.net:8000
       WOODPECKER_GITEA: true
       WOODPECKER_GITEA_URL: https://git.mgrote.net
-      WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
-      WOODPECKER_GITEA_SECRET: {{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}
-      WOODPECKER_AGENT_SECRET: {{ lookup('keepass', 'woodpecker-agent-secret', 'password') }}
+      WOODPECKER_GITEA_CLIENT: "{{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}"
+      WOODPECKER_GITEA_SECRET: "{{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}"
+      WOODPECKER_AGENT_SECRET: "{{ lookup('keepass', 'woodpecker-agent-secret', 'password') }}"
       WOODPECKER_ADMIN: mg
       WOODPECKER_LOG_LEVEL: info
       WOODPECKER_DEBUG_PRETTY: true
@@ -26,8 +26,6 @@ services:
       - intern
       - traefik
     labels:
-      com.centurylinklabs.watchtower.enable: true
-
       traefik.http.routers.woodpecker.rule: Host(`ci.mgrote.net`)
       traefik.enable: true
       traefik.http.routers.woodpecker.tls: true
@@ -35,15 +33,15 @@ services:
       traefik.http.routers.woodpecker.entrypoints: entry_https
       traefik.http.services.woodpecker.loadbalancer.server.port: 8000
 
-      traefik.http.routers.woodpecker.middlewares: woodpecker-ipwhitelist
+      traefik.http.routers.woodpecker.middlewares: woodpecker-ipallowlist
 
-      traefik.http.middlewares.woodpecker-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24
-      traefik.http.middlewares.woodpecker-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
+      traefik.http.middlewares.woodpecker-ipallowlist.ipallowlist.sourcerange: "192.168.2.0/24,10.25.25.0/24"
+      traefik.http.middlewares.woodpecker-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 
 
   woodpecker-agent:
     container_name: woodpecker-agent
-    image: woodpeckerci/woodpecker-agent:v2.0
+    image: "woodpeckerci/woodpecker-agent:v2.4.1"
     command: agent
     restart: always
     depends_on:
@@ -55,14 +53,12 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
       WOODPECKER_SERVER: woodpecker-server:9000
-      WOODPECKER_AGENT_SECRET: {{ lookup('keepass', 'woodpecker-agent-secret', 'password') }}
-      WOODPECKER_MAX_WORKFLOWS: 4
+      WOODPECKER_AGENT_SECRET: "{{ lookup('keepass', 'woodpecker-agent-secret', 'password') }}"
+      WOODPECKER_MAX_WORKFLOWS: 20
       WOODPECKER_DEBUG_PRETTY: true
       WOODPECKER_LOG_LEVEL: info
       WOODPECKER_HEALTHCHECK: true
       WOODPECKER_BACKEND: docker
-    labels:
-      com.centurylinklabs.watchtower.enable: true
     networks:
       - intern
 
@@ -72,8 +68,8 @@ volumes:
   agent-config:
 
 # git.mgrote.net -> Settings -> Applications -> woodpecker
-# WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
-# WOODPECKER_GITEA_SECRET: {{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}
+# WOODPECKER_GITEA_CLIENT: "{{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}"
+# WOODPECKER_GITEA_SECRET: "{{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}"
 # Redirect URL: https://ci.mgrote.net/authorize
 
 ######## Networks ########

friedhof/lldap/docker-compose.yml.j2

@@ -42,7 +42,7 @@ services:
       - com.centurylinklabs.watchtower.depends-on=lldap-db
 ######## DB ########
   lldap-db:
-    image: mariadb:10
+    image: mariadb:10.6.14
     container_name: lldap-db
     restart: always
     volumes:

friedhof/lldap/docker-compose0.yml.j2

@@ -2,7 +2,7 @@ version: '3'
 services:
   wiki-webserver:
     container_name: wiki-webserver
-    image: httpd:2.4
+    image: httpd:2.4@sha256:ba846154ade27292d216cce2d21f1c7e589f3b66a4a643bff0cdd348efd17aa3
     restart: always
     networks:
       - traefik

friedhof/mgrote_munin_node/readme.md

@@ -1,12 +0,0 @@
-## mgrote.munin-node
-
-### Beschreibung
-Installiert munin-node + Plugins.
-
-### getestet auf
-- [x] Ubuntu (>=18.04)
-- [ ] Debian
-- [x] ProxMox 6.1
-
-### Variablen + Defaults
-see [defaults](./defaults/main.yml)

group_vars/all.yml

@@ -1,5 +1,6 @@
 ---
 ### wird in vielen Rollen verwendet
+ansible_facts_parallel: true
 ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
 my_mail: michael.grote@posteo.de
 file_header: |
@@ -7,33 +8,19 @@ file_header: |
   #              This file is managed with ansible!                #
   #----------------------------------------------------------------#
 
+### mgrote_user_setup
+dotfiles:
+  - user: mg
+    home: /home/mg
+  - user: root
+    home: /root
+dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
+dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
+
 ### mgrote_netplan
 netplan_configure: true
 
-### mgrote.restic
-restic_user: root
-restic_group: restic
-restic_conf_dir: /etc/restic
-restic_exclude: |
-      ._*
-      desktop.ini
-      .Trash-*
-      **/**cache***/**
-      **/**Cache***/**
-      **/**AppData***/**
-      # https://github.com/restic/restic/issues/1005
-      # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
-restic_mount_timeout: "10 min"
-restic_failure_delay: "30 s"
-restic_schedule: "0/6:00" # alle 6 Stunden
-restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
-restic_repository: "//fileserver3.mgrote.net/restic"
-restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
-restic_mount_user: restic
-restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
-restic_fail_mail: "{{ my_mail }}"
-
-### mgrote.user
+### mgrote_user
 users:
   - username: mg
     password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
@@ -52,18 +39,6 @@ users:
     allow_sudo: true
     allow_passwordless_sudo: true
 
-### mgrote.dotfiles
-dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
-dotfiles_repo_path: /home/mg/dotfiles
-dotfiles_files:
-  - repo_path: "{{ dotfiles_repo_path }}/.vimrc"
-    local_path: "/home/mg/.vimrc"
-  - repo_path: "{{ dotfiles_repo_path }}/.tmux.conf"
-    local_path: "/home/mg/.tmux.conf"
-  - repo_path: "{{ dotfiles_repo_path }}/.gitconfig"
-    local_path: "/home/mg/.gitconfig"
-dotfiles_owner: mg
-
 ### jnv.unattended_upgrades
 unattended_mail: "{{ my_mail }}"
 unattended_mail_only_on_error: true
@@ -72,7 +47,7 @@ unattended_origins_patterns:
   - 'origin=Ubuntu,archive=${distro_codename}-security'
   - 'o=Ubuntu,a=${distro_codename}-updates'
 
-### mgrote.ntp_chrony_client
+### mgrote_ntp_chrony_client
 ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
 ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
 ntp_chrony_servers: # welche Server sollen befragt werden
@@ -82,16 +57,11 @@ ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst
 ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst
 ntp_chrony_logging: false
 
-### mgrote.postfix
+### mgrote_postfix
 postfix_smtp_server: docker10.mgrote.net
 postfix_smtp_server_port: 1025
 
-### mgrote.tmux
-tmux_conf_destination: "/home/mg/.tmux.conf"
-tmux_bashrc_destination: "/home/mg/.bashrc"
-tmux_standardsession_name: "default"
-
-### mgrote.fail2ban
+### mgrote_fail2ban
 f2b_bantime: 300
 f2b_findtime: 300
 f2b_maxretry: 5
@@ -105,10 +75,15 @@ ufw_rules:
     protocol: tcp
     comment: 'ssh'
     from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
 ufw_default_incoming_policy: deny
 ufw_default_outgoing_policy: allow
 
-### mgrote.apt_manage_packages
+### mgrote_apt_manage_packages
 apt_packages_common:
   - locales
   - python3
@@ -139,6 +114,8 @@ apt_packages_common:
   - pwgen
   - keychain
   - fwupd
+  - bc
+  - jq
 apt_packages_physical:
   - s-tui
   - smartmontools
@@ -151,10 +128,8 @@ apt_packages_absent:
   - nano
   - snapd
   - ubuntu-advantage-tools
-apt_packages_internet:
-  - http://docker10.mgrote.net:3344/bash-helper-scripts-mgrote-latest.deb
 
-### mgrote.zfs_sanoid
+### mgrote_zfs_sanoid
 sanoid_templates:
   - name: '31tage'
     keep_hourly: '24'                        # Aufheben (Stunde)
@@ -202,8 +177,45 @@ sanoid_templates:
     autosnap: 'yes'
     autoprune: 'yes'
 
-### mgrote.zfs_sanoid
-sanoid_deb_url: http://docker10.mgrote.net:3344/sanoid_3.0.4.deb
+### mgrote_zfs_sanoid
+sanoid_deb_url: http://docker10.mgrote.net:3344/sanoid_v2.2.0.deb
+
+### mgrote_munin_node
+munin_node_bind_host: "0.0.0.0"
+munin_node_bind_port: "4949"
+munin_node_allowed_cidrs: [192.168.2.0/24]
+munin_node_disabled_plugins:
+  - name: meminfo # zu hohe last
+  - name: hddtemp2 # ersetzt durch hddtemp_smartctl
+  - name: ntp # verursacht zu viele dns ptr request
+  - name: hddtempd # ersetzt durch hddtemp_smartctl
+  - name: squid_cache # proxmox
+  - name: squid_objectsize # proxmox
+  - name: squid_requests # proxmox
+  - name: squid_traffic # proxmox
+  - name: timesync
+munin_node_plugins:
+  - name: chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
+  - name: systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+  - name: systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    config: |
+      [systemd_mem]
+      env.all_services true
+  - name: lvm_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
+    config: |
+      [lvm_*]
+      user root
+  - name: fail2ban
+    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    config: |
+      [fail2ban]
+      env.client /usr/bin/fail2ban-client
+      env.config_dir /etc/fail2ban
+      user root
 
 # Ansible Variablen
 ### User

group_vars/ansible.yml

@@ -9,6 +9,6 @@ pip_install_packages:
   - name: ansible
   - name: docker-compose
 
-### mgrote.apt_manage_packages
+### mgrote_apt_manage_packages
 apt_packages_extra:
   - sshpass

group_vars/blocky.yml

@@ -0,0 +1,125 @@
+---
+### mgrote_systemd_resolved
+systemd_resolved_nameserver: 9.9.9.9
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: 53
+    comment: 'dns'
+    from_ip: 0.0.0.0/0
+
+### mgrote.apt_manage_packages
+apt_packages_extra:
+  - libnet-dns-perl # für munin: dnsresponse_
+
+### mgrote_user_setup
+dotfiles_vim_vundle_repo_url: http://192.168.2.42:3000/mirrors/Vundle.vim.git
+dotfiles:
+  - user: mg
+    home: /home/mg
+  - user: root
+    home: /root
+dotfiles_repo_url: http://192.168.2.42:3000/mg/dotfiles
+
+### mgrote_blocky
+blocky_version: v0.23
+blocky_block_type: zeroIp
+blocky_local_upstream: 192.168.2.1
+blocky_conditional_mapping: # optional
+  - domain: mgrote.net
+    resolver: 192.168.2.1
+blocky_dns_upstream:
+  - 9.9.9.9
+  - 1.1.1.1
+  - 8.8.8.8
+  - 5.9.164.112
+blocky_dns_blocklists:
+  - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
+  - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+  - http://sysctl.org/cameleon/hosts
+  - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
+blocky_custom_lookups: # optional
+  # Internet
+  - name: wiki.mgrote.net
+    ip: 192.168.2.43
+  - name: audio.mgrote.net
+    ip: 192.168.2.43
+  - name: auth.mgrote.net
+    ip: 192.168.2.43
+  - name: ci.mgrote.net
+    ip: 192.168.2.43
+  - name: miniflux.mgrote.net
+    ip: 192.168.2.43
+  - name: nextcloud.mgrote.net
+    ip: 192.168.2.43
+  - name: registry.mgrote.net
+    ip: 192.168.2.43
+  - name: git.mgrote.net
+    ip: 192.168.2.43
+  # Intern
+  - name: ads2700w.mgrote.net
+    ip: 192.168.2.147
+  - name: crs305.mgrote.net
+    ip: 192.168.2.225
+  - name: hex.mgrote.net
+    ip: 192.168.3.144
+  - name: pbs-test.mgrote.net
+    ip: 192.168.2.18
+  - name: pbs.mgrote.net
+    ip: 192.168.3.239
+  - name: pve5-test.mgrote.net
+    ip: 192.168.2.17
+  - name: pve5.mgrote.net # bleibt im Router auch angelegt, weil wenn pve aus auch kein blocky mehr ;-)
+    ip: 192.168.2.16
+  - name: rb5009.mgrote.net
+    ip: 192.168.2.1
+  - name: fritz.box
+    ip: 192.168.5.1
+  - name: ldap.mgrote.net
+    ip: 192.168.2.47
+
+### mgrote_munin_node
+# kann git.mgrote.net nicht auflösen, deshalb hiermit IP
+munin_node_plugins:
+  - name: chrony
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
+  - name: systemd_status
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+  - name: systemd_mem
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    config: |
+      [systemd_mem]
+      env.all_services true
+  - name: lvm_
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
+    config: |
+      [lvm_*]
+      user root
+  - name: fail2ban
+    src: http://192.168.2.42:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    config: |
+      [fail2ban]
+      env.client /usr/bin/fail2ban-client
+      env.config_dir /etc/fail2ban
+      user root
+  - name: dnsresponse_192.168.2.1
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+  - name: dnsresponse_192.168.2.37
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+  - name: dnsresponse_127.0.0.1
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+    config: |
+      [dnsresponse_*]
+      env.site www.heise.de
+      env.times 20

group_vars/docker.yml

@@ -15,10 +15,16 @@ lvm_groups:
 manage_lvm: true
 pvresize_to_max: true
 
-### mgrote.restic
-restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
+### geerlingguy.pip
+pip_package: python3-pip
+pip_install_packages:
+  - name: docker # für munin-plugin docker_
 
-### mgrote.user
+### mgrote.apt_manage_packages
+apt_packages_extra:
+  - libnet-dns-perl # für munin: dnsresponse_*
+
+### mgrote_user
 users:
   - username: mg
     password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
@@ -50,12 +56,12 @@ docker_users:
   - mg
   - docker-user
 docker_install_compose: true
-docker_add_repo: false # erstelle kein Repo-Eintrag unter /etc/apt/sources.list.d/, steht explizit unter "repos_override"
+docker_add_repo: false # erstelle kein Repo-Eintrag unter /etc/apt/sources.list.d/, steht explizit unter "repos_override", wird nur zum installieren benötigt
 
-### mgrote.docker-compose-deploy
+### mgrote_docker-compose-deploy
 docker_compose_base_dir: /home/docker-user
 
-### mgrote.apt_manage_sources
+### mgrote_apt_manage_sources
 repos_override: # mit docker-repos
   - deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable
   - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} main restricted"
@@ -68,3 +74,66 @@ repos_override: # mit docker-repos
   - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted"
   - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe"
   - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security multiverse"
+
+### mgrote_systemd_resolved
+systemd_resolved_nameserver: 192.168.2.37
+
+### mgrote_munin_node
+munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift
+munin_node_plugins:
+  - name: systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+  - name: systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    config: |
+      [systemd_mem]
+      env.all_services true
+  - name: lvm_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
+    config: |
+      [lvm_*]
+      user root
+  - name: fail2ban
+    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    config: |
+      [fail2ban]
+      env.client /usr/bin/fail2ban-client
+      env.config_dir /etc/fail2ban
+      user root
+  - name: docker_containers
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
+    config: |
+      [docker_*]
+      user root
+      env.DOCKER_HOST unix://run/docker.sock
+  - name: docker_cpu
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
+  - name: docker_memory
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
+  - name: docker_network
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
+  - name: docker_volumes
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
+  - name: docker_volumesize
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
+  - name: chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    from_ip: 192.168.0.0/16
+    comment: 'docker networks'
+  - rule: allow
+    from_ip: 172.0.0.0/8
+    comment: 'docker networks'

group_vars/fileserver.yml

@@ -9,6 +9,11 @@ ufw_rules:
     protocol: tcp
     comment: 'ssh'
     from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
   - rule: allow
     to_port: 445
     comment: 'smb'
@@ -18,13 +23,37 @@ ufw_rules:
     comment: 'smb'
     from_ip: 0.0.0.0/0
 
-### mgrote.apt_manage_packages
-apt_packages_internet:
-  - http://docker10.mgrote.net:3344/bash-helper-scripts-mgrote-latest.deb
-
-### mgrote.fileserver_smb
+### mgrote_fileserver_smb
 smb_workgroup: WORKGROUP
 smb_min_protocol: "SMB2"
 smb_client_min_protocol: "SMB2"
 smb_client_max_protocol: "SMB3_11"
 smb_enable_snapshots_dir: true
+smb_enable_snapshots_shadow: true
+
+### mgrote_munin_node
+munin_node_plugins:
+  - name: chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
+  - name: systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+  - name: systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    config: |
+      [systemd_mem]
+      env.all_services true
+  - name: fail2ban
+    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    config: |
+      [fail2ban]
+      env.client /usr/bin/fail2ban-client
+      env.config_dir /etc/fail2ban
+      user root
+  - name: samba
+    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/samba
+    config: |
+      [samba]
+      user root
+      group root
+      env.smbstatus /usr/bin/smbstatus
+      env.ignoreipcshare 1

group_vars/git.yml

@@ -0,0 +1,154 @@
+---
+### mrlesmithjr.ansible-manage-lvm
+lvm_groups:
+  - vgname: vg_data
+    disks:
+      - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
+    create: true
+    lvnames:
+      - lvname: lv_data
+        size: +100%FREE
+        create: true
+        filesystem: xfs
+        mount: true
+        mntp: /var/lib/gitea
+manage_lvm: true
+pvresize_to_max: true
+
+### mgrote_apt_manage_packages
+apt_packages_extra:
+  - fail2ban
+
+### geerlingguy_postgres
+postgresql_databases:
+  - name: "{{ gitea_db_name }}"
+postgresql_users:
+  - name: "{{ gitea_db_user }}"
+    password: "{{ gitea_db_password }}"
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: "{{ gitea_http_port }}"
+    protocol: tcp
+    comment: 'gitea'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: "{{ gitea_ssh_port }}"
+    protocol: tcp
+    comment: 'gitea'
+    from_ip: 0.0.0.0/0
+
+### ansible_role_gitea
+# https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea
+gitea_fork: "forgejo"
+# gitea update
+gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version_check: true
+gitea_backup_on_upgrade: false
+# gitea in the linux world
+gitea_group: "gitea"
+gitea_user: "gitea"
+gitea_home: "/var/lib/gitea"
+gitea_user_home: "{{ gitea_home }}"
+# config liegt in /etc/gitea/gitea.ini
+gitea_configuration_path: "/etc/gitea" # anpassen
+gitea_app_name: "forgejo"
+gitea_fqdn: "git.mgrote.net"
+# ssh
+gitea_ssh_port: 2222
+gitea_start_ssh: true
+gitea_shell: "/bin/false"
+# Repository
+gitea_default_branch: "master"
+gitea_default_private: "public"
+gitea_repository_root: "{{ gitea_home }}/repos"
+# ui
+gitea_show_user_email: false
+# server
+gitea_protocol: "http"
+gitea_http_domain: "{{ gitea_fqdn }}"
+gitea_http_port: "3000"
+gitea_http_listen: "0.0.0.0"
+gitea_root_url: "https://git.mgrote.net"
+gitea_landing_page: "login"
+# database
+gitea_db_type: "postgres"
+gitea_db_host: "localhost"
+gitea_db_name: "gitea"
+gitea_db_user: "gitea"
+gitea_db_password: "{{ lookup('keepass', 'forgejo_db_password', 'password') }}"
+# indexer
+gitea_repo_indexer_enabled: true
+# security
+gitea_disable_webhooks: false
+gitea_password_check_pwn: false
+gitea_internal_token: "{{ lookup('keepass', 'forgejo_internal_token', 'password') }}"
+gitea_secret_key: "{{ lookup('keepass', 'forgejo_secret_key', 'password') }}"
+# service
+gitea_disable_registration: true
+gitea_register_email_confirm: true
+gitea_require_signin: false
+gitea_default_keep_mail_private: true
+gitea_enable_captcha: false
+gitea_show_registration_button: false
+gitea_enable_notify_mail: true
+gitea_default_user_visibility: "public"
+gitea_show_milestones_dashboard_page: false
+gitea_default_allow_create_organization: true
+gitea_default_org_visibility: "public"
+gitea_default_user_is_restricted: false
+# Mailer
+gitea_mailer_enabled: true
+gitea_mailer_protocol: "smtp"
+gitea_mailer_smtp_addr: "docker10.mgrote.net"
+gitea_mailer_smtp_port: 1025
+gitea_mailer_from: "gitea@mgrote.net"
+gitea_subject_prefix: "git.mgrote.net - "
+# log
+gitea_log_systemd: true
+gitea_log_level: "Info"
+# Metrics
+gitea_metrics_enabled: false
+# Federation
+gitea_federation_enabled: false
+# Packages
+gitea_packages_enabled: false
+# actions
+gitea_actions_enabled: false
+gitea_extra_config: |
+  ; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
+  [webhook]
+  ALLOWED_HOST_LIST = *.mgrote.net
+  ; für Import/Migration aus anderen Git-Systemen
+  [migrations]
+  ALLOWED_DOMAINS = *
+  ; disabled; see: https://github.com/go-gitea/gitea/issues/25992
+  [repo-archive]
+  ENABLED = false
+# oauth2
+gitea_oauth2_jwt_secret: "{{ lookup('keepass', 'forgejo_oauth2_jwt_secret', 'password') }}"
+# Fail2Ban configuration
+gitea_fail2ban_enabled: true
+gitea_fail2ban_jail_maxretry: "3"
+gitea_fail2ban_jail_findtime: "300"
+gitea_fail2ban_jail_bantime: "600"
+gitea_fail2ban_jail_action: "iptables-allports"
+
+### mgrote_gitea_setup
+gitea_ldap_host: "ldap.mgrote.net"
+gitea_ldap_base_path: "dc=mgrote,dc=net"
+gitea_ldap_bind_user: "forgejo_bind_user"
+gitea_ldap_bind_pass: "{{ lookup('keepass', 'lldap_forgejo_bind_user', 'password') }}"
+gitea_admin_user: "fadmin"
+gitea_admin_user_pass: "{{ lookup('keepass', 'forgejo_admin_user_pass', 'password') }}"

group_vars/gitea.yml

@@ -1,101 +0,0 @@
----
-### mrlesmithjr.ansible-manage-lvm
-lvm_groups:
-  - vgname: vg_gitea_data
-    disks:
-      - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
-    create: true
-    lvnames:
-      - lvname: lv_gitea_data
-        size: +100%FREE
-        create: true
-        filesystem: xfs
-        mount: true
-        mntp: /var/lib/gitea
-manage_lvm: true
-pvresize_to_max: true
-
-### mgrote.restic
-restic_folders_to_backup: "/ /var/lib/gitea" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
-
-### oefenweb.ufw
-ufw_rules:
-  - rule: allow
-    to_port: 22
-    protocol: tcp
-    comment: 'ssh'
-    from_ip: 0.0.0.0/0
-  - rule: allow
-    to_port: "{{ gitea_http_port }}"
-    protocol: tcp
-    comment: 'gitea'
-    from_ip: 0.0.0.0/0
-  - rule: allow
-    to_port: "{{ gitea_ssh_port }}"
-    protocol: tcp
-    comment: 'gitea'
-    from_ip: 0.0.0.0/0
-
-### l3d.gitea
-# config liegt in /etc/gitea/gitea.ini
-gitea_version: "1.21.0"
-gitea_app_name: "Gitea"
-gitea_user: "gitea"
-gitea_home: "/var/lib/gitea"
-gitea_repository_root: "{{ gitea_home }}"
-gitea_user_repo_limit: 300
-gitea_root_url: https://git.mgrote.net
-gitea_offline_mode: true
-gitea_lfs_server_enabled: false
-gitea_secret_key: "{{ lookup('keepass', 'gitea_secret_key', 'password') }}"
-gitea_internal_token: "{{ lookup('keepass', 'gitea_internal_token', 'password') }}"
-gitea_disable_git_hooks: false
-gitea_show_user_email: false
-gitea_disable_gravatar: true
-gitea_enable_captcha: true
-gitea_only_allow_external_registration: false
-gitea_enable_notify_mail: false
-gitea_force_private: false
-gitea_oauth2_enabled: true
-gitea_repo_indexer_enabled: true
-
-gitea_mailer_enabled: true
-gitea_mailer_skip_verify: false
-gitea_mailer_tls_enabled: true
-gitea_mailer_host: smtp.strato.de:465
-gitea_mailer_from: info@mgrote.net
-gitea_mailer_user: "info@mgrote.net"
-gitea_mailer_password: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}"
-gitea_mailer_type: smtp
-
-gitea_default_branch: 'master'
-
-gitea_db_type: sqlite3
-gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3
-
-gitea_ssh_listen: 0.0.0.0
-gitea_ssh_domain: gitea.mgrote.net
-gitea_ssh_port: 2222
-gitea_start_ssh: true
-
-gitea_http_domain: git.mgrote.net
-gitea_http_listen: 0.0.0.0
-gitea_http_port: 3000
-gitea_disable_http_git: false
-gitea_protocol: http
-
-gitea_show_registration_button: false
-gitea_require_signin: false
-gitea_disable_registration: true
-
-gitea_fail2ban_enabled: true
-gitea_fail2ban_jail_maxretry: 3
-gitea_fail2ban_jail_findtime: 300
-gitea_fail2ban_jail_bantime: 600
-# wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
-gitea_extra_config: |
-  [webhook]
-  ALLOWED_HOST_LIST = *.mgrote.net
-
-gitea_backup_on_upgrade: false
-gitea_backup_location: "{{ gitea_home }}/backups/"

group_vars/ldap.yml

@@ -0,0 +1,58 @@
+---
+### geerlingguy_postgres
+postgresql_databases:
+  - name: "{{ lldap_db_name }}"
+postgresql_users:
+  - name: "{{ lldap_db_user }}"
+    password: "{{ lldap_db_pass }}"
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: "{{ lldap_http_port }}"
+    protocol: tcp
+    comment: 'lldap'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: 3890
+    protocol: tcp
+    comment: 'lldap'
+    from_ip: 192.168.2.0/24
+
+### mgrote_lldap
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "true" # must be a string not a boolean
+lldap_http_port: 17170
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://ldap.mgrote.net:17170
+lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
+lldap_ldap_base_dn: "dc=mgrote,dc=net"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
+lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
+#lldap_smtp_from: "lldap@mgrote.net" # unused in role
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "docker10.mgrote.net"
+lldap_smtp_port: "1025"
+lldap_smtp_smtp_encryption: "NONE"
+#lldap_smtp_user: "info@mgrote.net" # unused in role
+lldap_smtp_enable_password_reset: "true" # must be a string not a boolean
+# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
+lldap_db_name: "lldap"
+lldap_db_user: "lldap"
+lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
+lldap_db_host: "localhost"
+...

group_vars/pbs.yml

@@ -2,13 +2,10 @@
 ### mgrote_netplan
 netplan_configure: false
 
-### mgrote.postfix
+### mgrote_postfix
 postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24 192.168.3.0/24"
 
-### mgrote.restic
-restic_folders_to_backup: "/ /etc/proxmox-backup"
-
-### mgrote.user
+### mgrote_user
 users:
   - username: root
     password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
@@ -33,3 +30,55 @@ users:
     public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
     allow_sudo: true
     allow_passwordless_sudo: true
+
+### mgrote_munin_node
+munin_node_plugins:
+  - name: chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
+  - name: systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+  - name: systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    config: |
+      [systemd_mem]
+      env.all_services true
+  - name: fail2ban
+    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    config: |
+      [fail2ban]
+      env.client /usr/bin/fail2ban-client
+      env.config_dir /etc/fail2ban
+      user root
+  - name: zfs_arcstats
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
+  - name: zfsonlinux_stats_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
+  - name: zpool_iostat
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
+  - name: zfs_list
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list
+    config: |
+      [zfs_list]
+      env.ignore_datasets_pattern autodaily
+  - name: zfs_count
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
+  - name: zpool_iostat
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
+  - name: zpool_capacity
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
+munin_node_disabled_plugins:
+  - meminfo # zu hohe last
+  - hddtemp2 # ersetzt durch hddtemp_smartctl
+  - ntp # verursacht zu viele dns ptr request
+  - hddtempd # ersetzt durch hddtemp_smartctl
+  - squid_cache # proxmox
+  - squid_objectsize # proxmox
+  - squid_requests # proxmox
+  - squid_traffic # proxmox
+  - lvm_
+  - timesync
+  - lxc_guests
+munin_node_allowed_cidrs:
+  - 192.168.3.0/24
+  - 192.168.2.0/24
+...

group_vars/pve.yml

@@ -2,10 +2,7 @@
 ### mgrote_netplan
 netplan_configure: false
 
-### mgrote.restic
-restic_folders_to_backup: "/ /etc/pve"
-
-### mgrote.user
+### mgrote_user
 users:
   - username: root
     password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
@@ -31,7 +28,14 @@ users:
     allow_sudo: true
     allow_passwordless_sudo: true
 
-### mgrote.apt_manage_packages
+### mgrote_cv4pve_autosnap
+cv4pve_api_user: root@pam!cv4pve-autosnap
+cv4pve_api_token: "{{ lookup('keepass', 'cv4pve_api_token', 'password') }}"
+cv4pve_vmid: all,-115
+cv4pve_keep_snapshots: 5
+cv4pve_version: "v1.14.8"
+
+### mgrote_apt_manage_packages
 apt_packages_extra:
   - ifupdown2
   - bmon
@@ -39,6 +43,73 @@ apt_packages_extra:
   - open-vm-tools
   - systemd-boot
 
+### mgrote_munin_node
+munin_node_plugins:
+  - name: chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
+  - name: systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+  - name: systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    config: |
+      [systemd_mem]
+      env.all_services true
+  - name: fail2ban
+    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    config: |
+      [fail2ban]
+      env.client /usr/bin/fail2ban-client
+      env.config_dir /etc/fail2ban
+      user root
+  - name: zfs_arcstats
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
+  - name: zfsonlinux_stats_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
+  - name: zpool_iostat
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
+  - name: zfs_list
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list
+    config: |
+      [zfs_list]
+      env.ignore_datasets_pattern autodaily
+  - name: zpool_capacity
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
+  - name: kvm_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem
+  - name: kvm_net
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_net
+  - name: kvm_io
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_io
+    config: |
+      [kvm_io]
+      user root
+  - name: kvm_cpu
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu
+  - name: proxmox_count
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count
+    config: |
+      [proxmox_count]
+      user root
+      group root
+  - name: zfs_count
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
+  - name: ksm_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging
+munin_node_disabled_plugins:
+  - meminfo # zu hohe last
+  - hddtemp2 # ersetzt durch hddtemp_smartctl
+  - ntp # verursacht zu viele dns ptr request
+  - hddtempd # ersetzt durch hddtemp_smartctl
+  - squid_cache # proxmox
+  - squid_objectsize # proxmox
+  - squid_requests # proxmox
+  - squid_traffic # proxmox
+  - lvm_
+  - slab
+  - timesync
+  - lxc_guests
+
 # Ansible Variablen
 ### sudo
 sudo: false
+...

host_vars/docker10.mgrote.net.yml

@@ -15,11 +15,11 @@ lvm_groups:
 manage_lvm: true
 pvresize_to_max: true
 
-### mgrote_mount_cifs
+### mgrote_mount_cifs #  löschen
 cifs_mounts:
   - name: bilder
     type: cifs
-    state: present
+    state: absent
     dest: /mnt/fileserver3_photoprism_bilder_ro
     src: //fileserver3.mgrote.net/bilder
     user: photoprism
@@ -29,10 +29,7 @@ cifs_mounts:
     gid: 5000
     extra_opts: ",ro" # komma am Anfang ist notwendig weil die Option hinten angehangen wird
 
-### mgrote.restic
-restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
-
-### mgrote.docker-compose-inline
+### mgrote_docker-compose-inline
 compose_owner: "docker-user"
 compose_group: "docker-user"
 compose_file_permissions: "644"
@@ -59,8 +56,6 @@ compose_files:
   - name: navidrome
     state: present
     network: traefik
-  - name: watchtower
-    state: present
   - name: routeros-config-export
     state: present
   - name: mail-relay
@@ -69,13 +64,9 @@ compose_files:
   - name: woodpecker
     state: present
     network: traefik
-  - name: photoprism
-    state: present
   - name: wiki
     state: present
     network: traefik
-  - name: statping-ng
-    state: present
 
 ### oefenweb.ufw
 ufw_rules:

host_vars/fileserver3.mgrote.net.yml

@@ -1,5 +1,5 @@
 ---
-### mgrote.youtubedl
+### mgrote_youtubedl
 ytdl_dl_url: "https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp"
 ytdl_timer: "Tue,Sat 03:00"
 ytdl_bin_path: /usr/local/bin/yt-dlp
@@ -23,22 +23,21 @@ ytdl_video_urls:
   - https://www.youtube.com/watch?v=TowKvEJcYDw&list=PLlQWnS27jXh9aEp7hl54xrk5CgiVbvMBy # arte - zu Tisch in...
   - https://www.youtube.com/playlist?list=PLs4hTtftqnlAkiQNdWn6bbKUr-P1wuSm0 # jimmy kimmel mean tweets
   - https://www.youtube.com/tomstantonengineering
-  - https://www.youtube.com/@liamcarps #englandvideos ironisch
-ytdl_podcast_urls:
-  - https://sternengeschichten.podigee.io/feed/aac # Sternengeschichten
-  - https://feeds.br.de/radiowissen/feed.xml # BR2 RadioWissen
 
-ytdl_video_output: "/shares_videos/Youtube/%(uploader)s/%(title)s-%(id)s.%(ext)s" # Videos werden jetzt IMMEr nach "Uploader/Name.ext" geschrieben
+ytdl_video_output: "/shares_videos/Youtube/%(uploader)s/%(title)s-%(id)s.%(ext)s" # Videos werden jetzt IMMER nach "Uploader/Name.ext" geschrieben
+
+ytdl_enable_video_download: true
+ytdl_enable_podcast_download: false
 
 ytdl_podcast_output: "/shares_music/Podcasts/%(playlist)s/%(id)s.%(ext)s"
 ytdl_video_log_output: "/shares_videos/Youtube/archive-youtube.log"
 ytdl_podcast_log_output: "/shares_music/Podcasts/archive-podcast.log"
 ytdl_youtube_username: "{{ lookup('keepass', 'youtubedl_youtube_login', 'username') }}"
 ytdl_youtube_password: "{{ lookup('keepass', 'youtubedl_youtube_login', 'password') }}"
-ytdl_conf_dir: "/etc/youtubedl" #ohne / am ende
+ytdl_conf_dir: "/etc/youtubedl" # ohne / am ende
 ytdl_download_limit: "10000K"
 
-### mgrote.fileserver_smb
+### mgrote_fileserver_smb
 smb_users:
   - name: 'restic'
     password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
@@ -47,7 +46,7 @@ smb_users:
   - name: 'kodi'
     password: "{{ lookup('keepass', 'fileserver_smb_user_kodi', 'password') }}"
   - name: 'michaelgrote'
-    password: "{{ lookup('keepass', 'fileserver_smb_user_mg', 'password') }}"
+    password: "{{ lookup('keepass', 'fileserver_smb_user_michaelgrote', 'password') }}"
   - name: 'navidrome'
     password: "{{ lookup('keepass', 'fileserver_smb_user_navidrome', 'password') }}"
   - name: 'docker'
@@ -56,8 +55,6 @@ smb_users:
     password: "{{ lookup('keepass', 'fileserver_smb_user_pve', 'password') }}"
   - name: 'brother_ads2700w'
     password: "{{ lookup('keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}"
-  - name: 'photoprism'
-    password: "{{ lookup('keepass', 'fileserver_smb_user_photoprism', 'password') }}"
 
 smb_shares:
   - name: 'videos'
@@ -80,10 +77,6 @@ smb_shares:
     path: '/shares_archiv'
     users_ro: ''
     users_rw: 'michaelgrote win10'
-  - name: 'hm'
-    path: '/shares_hm'
-    users_ro: ''
-    users_rw: 'michaelgrote win10'
   - name: 'musik'
     path: '/shares_music'
     users_ro: 'navidrome kodi  '
@@ -94,7 +87,7 @@ smb_shares:
     users_rw: 'kodi win10 michaelgrote'
   - name: 'bilder'
     path: '/shares_bilder'
-    users_ro: 'photoprism'
+    users_ro: ''
     users_rw: ' michaelgrote win10'
   - name: 'proxmox'
     path: '/shares_pve_backup'
@@ -103,7 +96,7 @@ smb_shares:
   - name: 'restic'
     path: '/shares_restic'
     users_ro: ''
-    users_rw: ' restic win10 michaelgrote'
+    users_rw: 'restic win10 michaelgrote'
   - name: 'buecher'
     path: '/shares_buecher'
     users_ro: ''

host_vars/pbs-test.mgrote.net.yml

@@ -33,7 +33,7 @@ pbs_users:
 ### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase backup /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
 
 # mgrote.zfs_manage_datasets
-### mgrote.zfs_extra
+### mgrote_zfs_extra
 # Variablen für mgrote.zfs_health/trim/scrub/zed/arc_mem/ sind zusammengefasst unter zfs_extra_*
 zfs_datasets: # DatenPools werden hier nicht verwaltet
   # rpool - System-Datasets
@@ -47,12 +47,15 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     snapdir: hidden
     reservation: 1G
     refreservation: 1G
+    acltype: posix
   - dataset: rpool/ROOT
     state: present
     refreservation: 1G
   - dataset: rpool/ROOT/pbs-1
     state: present
     refreservation: 1G
+    acltype: posix # https://docs.ansible.com/ansible-core/2.14/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user ; sonst kann die dotfiles-Rolle kein setfacl machen
+
   # backup-pool
   - dataset: backup/pbs_data
     state: present
@@ -60,6 +63,7 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
   - dataset: backup/pve5
     state: present
     canmount: off # noqa yaml[truthy]
+
 # Variablen für mgrote.zfs_health/trim/scrub/zed/arc_mem/ sind zusammengefasst unter zfs_extra_*
 zfs_extra_arc_max_size: "1073741824" # 1GB in Bytes
 zfs_extra_zfs_pools:
@@ -68,7 +72,7 @@ zfs_extra_zfs_pools:
   - name: "backup"
     systemd_timer_schedule: "*-01,04,07,10-01 23:00"
 
-### mgrote.zfs_sanoid
+### mgrote_zfs_sanoid
 sanoid_snaps_enable: true
 
 ## syncoid
@@ -80,62 +84,62 @@ sanoid_syncoid_datasets_sync:
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/pve_backup
-    source_dataset: hdd_data_raidz/pve_backup
+    source_dataset: hdd_data/pve_backup
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/videos
-    source_dataset: hdd_data_raidz/videos
+    source_dataset: hdd_data/videos
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/music
-    source_dataset: hdd_data_raidz/music
+    source_dataset: hdd_data/music
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/tmp
-    source_dataset: hdd_data_raidz/tmp
+    source_dataset: hdd_data/tmp
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/archiv
-    source_dataset: hdd_data_raidz/archiv
+    source_dataset: hdd_data/archiv
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/bilder
-    source_dataset: hdd_data_raidz/bilder
+    source_dataset: hdd_data/bilder
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/scans
-    source_dataset: hdd_data_raidz/scans
+    source_dataset: hdd_data/scans
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/restic
-    source_dataset: hdd_data_raidz/restic
+    source_dataset: hdd_data/restic
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/backup
-    source_dataset: hdd_data_raidz/backup
+    source_dataset: hdd_data/backup
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/buecher
-    source_dataset: hdd_data_raidz/buecher
+    source_dataset: hdd_data/buecher
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/programme
-    source_dataset: hdd_data_raidz/programme
+    source_dataset: hdd_data/programme
 
   - source_host: pve5.mgrote.net
     destination_mount_check: backup
     destination_dataset: backup/pve5/vm
-    source_dataset: hdd_data_raidz/vm
+    source_dataset: hdd_data/vm
 
 # sanoid
 sanoid_datasets:

host_vars/pbs.mgrote.net.yml

@@ -29,7 +29,7 @@ pbs_users:
 ### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase backup /dev/disk/by-id/ata-TOSHIBA_MG09ACA18TE_Z1B0A28LFJDH
 
 # mgrote.zfs_manage_datasets
-### mgrote.zfs_extra
+### mgrote_zfs_extra
 # Variablen für mgrote.zfs_health/trim/scrub/zed/arc_mem/ sind zusammengefasst unter zfs_extra_*
 zfs_datasets: # DatenPools werden hier nicht verwaltet
   # rpool - System-Datasets
@@ -43,12 +43,14 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     snapdir: hidden
     reservation: 1G
     refreservation: 10G
+    acltype: posix
   - dataset: rpool/ROOT
     state: present
     refreservation: 10G
   - dataset: rpool/ROOT/pbs-1
     state: present
     refreservation: 10G
+    acltype: posix # https://docs.ansible.com/ansible-core/2.14/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user ; sonst kann die dotfiles-Rolle kein setfacl machen
   # backup-pool
   - dataset: backup/pbs_data
     state: present
@@ -64,7 +66,7 @@ zfs_extra_zfs_pools:
   - name: "backup"
     systemd_timer_schedule: "*-01,04,07,10-01 23:00"
 
-### mgrote.zfs_sanoid
+### mgrote_zfs_sanoid
 sanoid_snaps_enable: true
 ## syncoid
 sanoid_syncoid_destination_host: true
@@ -75,62 +77,62 @@ sanoid_syncoid_datasets_sync:
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/pve_backup
-    source_dataset: hdd_data_raidz/pve_backup
+    source_dataset: hdd_data/pve_backup
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/videos
-    source_dataset: hdd_data_raidz/videos
+    source_dataset: hdd_data/videos
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/music
-    source_dataset: hdd_data_raidz/music
+    source_dataset: hdd_data/music
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/tmp
-    source_dataset: hdd_data_raidz/tmp
+    source_dataset: hdd_data/tmp
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/archiv
-    source_dataset: hdd_data_raidz/archiv
+    source_dataset: hdd_data/archiv
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/bilder
-    source_dataset: hdd_data_raidz/bilder
+    source_dataset: hdd_data/bilder
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/scans
-    source_dataset: hdd_data_raidz/scans
+    source_dataset: hdd_data/scans
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/restic
-    source_dataset: hdd_data_raidz/restic
+    source_dataset: hdd_data/restic
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/backup
-    source_dataset: hdd_data_raidz/backup
+    source_dataset: hdd_data/backup
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/buecher
-    source_dataset: hdd_data_raidz/buecher
+    source_dataset: hdd_data/buecher
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/programme
-    source_dataset: hdd_data_raidz/programme
+    source_dataset: hdd_data/programme
 
   - source_host: 192.168.2.16 # pve5, weil pbs den fqdn nicht auflösen kann
     destination_mount_check: backup
     destination_dataset: backup/pve5/vm
-    source_dataset: hdd_data_raidz/vm
+    source_dataset: hdd_data/vm
 
 # sanoid
 sanoid_datasets:

host_vars/pve5-test.mgrote.net.yml

@@ -3,11 +3,11 @@
 # der Speicherort fur die VMs ist verschlüsselt
 # zfs create -o encryption=aes-256-gcm -o keyformat=passphrase rpool/vm
 # entschlüsseln nach Boot mit: sudo zpool import -d /dev/disk/by-id/ -a && sudo zfs mount -a  -l
-## HDD_DATA_RAIDZ
-### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase hdd_data_raidz mirror /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2
+## hdd_data
+### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase hdd_data mirror /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2
 
 # mgrote.zfs_manage_datasets
-### mgrote.zfs_extra
+### mgrote_zfs_extra
 # Variablen für mgrote.zfs_health/trim/scrub/zed/arc_mem/ sind zusammengefasst unter zfs_extra_*
 zfs_datasets: # DatenPools werden hier nicht verwaltet
   # rpool - System-Datasets
@@ -21,12 +21,14 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     snapdir: hidden
     reservation: 1G
     refreservation: 1G
+    acltype: posix
   - dataset: rpool/ROOT
     state: present
     refreservation: 1G
   - dataset: rpool/ROOT/pve-1
     state: present
     refreservation: 1G
+    acltype: posix # https://docs.ansible.com/ansible-core/2.14/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user ; sonst kann die dotfiles-Rolle kein setfacl machen
 
   # rpool - VMs
   - dataset: rpool/vm
@@ -35,8 +37,9 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     state: present
   - dataset: rpool/vm/lxc
     state: present
-  # hdd_data_raidz
-  - dataset: hdd_data_raidz
+
+  # hdd_data
+  - dataset: hdd_data
     state: present
     compression: zstd
     sync: disabled
@@ -45,95 +48,95 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     atime: on # noqa yaml[truthy]
     snapdir: hidden
     reservation: 1G
-  - dataset: hdd_data_raidz/papa_backup
+  - dataset: hdd_data/papa_backup
     state: present
-  - dataset: hdd_data_raidz/pve_backup
+  - dataset: hdd_data/pve_backup
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/videos
+  - dataset: hdd_data/videos
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/music
+  - dataset: hdd_data/music
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/tmp
+  - dataset: hdd_data/tmp
     state: present
-  - dataset: hdd_data_raidz/archiv
+  - dataset: hdd_data/archiv
     state: present
-  - dataset: hdd_data_raidz/bilder
+  - dataset: hdd_data/bilder
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/scans
+  - dataset: hdd_data/scans
     state: present
-  - dataset: hdd_data_raidz/restic
+  - dataset: hdd_data/restic
     state: present
-  - dataset: hdd_data_raidz/backup
+  - dataset: hdd_data/backup
     state: present
-  - dataset: hdd_data_raidz/buecher
+  - dataset: hdd_data/buecher
     state: present
-  - dataset: hdd_data_raidz/programme
+  - dataset: hdd_data/programme
     state: present
-  - dataset: hdd_data_raidz/vm
+  - dataset: hdd_data/vm
     state: present
 
 zfs_extra_arc_max_size: "1073741824" # 1GB in Bytes
 zfs_extra_zfs_pools:
   - name: "rpool"
     systemd_timer_schedule: "*-01,04,07,10-01 23:00" # jeden ersten eines jeden Quartals
-  - name: "hdd_data_raidz"
+  - name: "hdd_data"
     systemd_timer_schedule: "*-01,04,07,10-01 23:00"
 
-### mgrote.zfs_sanoid
+### mgrote_zfs_sanoid
 sanoid_datasets:
-  - path: 'hdd_data_raidz/videos'
+  - path: 'hdd_data/videos'
     template: '3tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/music'
+  - path: 'hdd_data/music'
     template: '14tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/papa_backup'
+  - path: 'hdd_data/papa_backup'
     template: '14tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/tmp'
+  - path: 'hdd_data/tmp'
     template: '3tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/pve_backup'
+  - path: 'hdd_data/pve_backup'
     template: '3tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/archiv'
+  - path: 'hdd_data/archiv'
     template: '14tage'
     recursive: 'yes'
     snapshots: true
-  - path: hdd_data_raidz/bilder
+  - path: hdd_data/bilder
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '14tage'
-  - path: hdd_data_raidz/scans
+  - path: hdd_data/scans
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '3tage'
-  - path: hdd_data_raidz/backup
+  - path: hdd_data/backup
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '31tage'
-  - path: hdd_data_raidz/restic
+  - path: hdd_data/restic
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '3tage'
-  - path: hdd_data_raidz/programme
+  - path: hdd_data/programme
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '14tage'
-  - path: hdd_data_raidz/buecher
+  - path: hdd_data/buecher
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '14tage'
-  - path: hdd_data_raidz/vm
+  - path: hdd_data/vm
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: 'pve3tage'
@@ -150,66 +153,59 @@ sanoid_datasets:
     snapshots: true
     template: '3tage'
 
-### mgrote.cv4pve-autosnap
-cv4pve_api_user: root@pam!cv4pve-autosnap
-cv4pve_api_token: "{{ lookup('keepass', 'cv4pve_api_token', 'password') }}"
-cv4pve_vmid: all
-cv4pve_keep_snapshots: 5
-cv4pve_dl_link: "https://github.com/Corsinvest/cv4pve-autosnap/releases/download/v1.10.0/cv4pve-autosnap-linux-x64.zip"
-
-### mgrote.proxmox_bind_mounts
+### mgrote_proxmox_bind_mounts
 pve_bind_mounts:
   - vmid: 100
     mp_nr: 0
-    mp_path_host: /hdd_data_raidz/videos
+    mp_path_host: /hdd_data/videos
     mp_path_guest: /shares_videos
   - vmid: 100
     mp_nr: 2
-    mp_path_host: /hdd_data_raidz/pve_backup
+    mp_path_host: /hdd_data/pve_backup
     mp_path_guest: /shares_pve_backup
   - vmid: 100
     mp_nr: 3
-    mp_path_host: /hdd_data_raidz/papa_backup
+    mp_path_host: /hdd_data/papa_backup
     mp_path_guest: /shares_papa_backup
   - vmid: 100
     mp_nr: 4
-    mp_path_host: /hdd_data_raidz/music
+    mp_path_host: /hdd_data/music
     mp_path_guest: /shares_music
   - vmid: 100
     mp_nr: 5
-    mp_path_host: /hdd_data_raidz/tmp
+    mp_path_host: /hdd_data/tmp
     mp_path_guest: /shares_tmp
   - vmid: 100
     mp_nr: 6
-    mp_path_host: /hdd_data_raidz/archiv
+    mp_path_host: /hdd_data/archiv
     mp_path_guest: /shares_archiv
   - vmid: 100
     mp_nr: 7
-    mp_path_host: /hdd_data_raidz/bilder
+    mp_path_host: /hdd_data/bilder
     mp_path_guest: /shares_bilder
   - vmid: 100
     mp_nr: 9
-    mp_path_host: /hdd_data_raidz/scans
+    mp_path_host: /hdd_data/scans
     mp_path_guest: /shares_scans
   - vmid: 100
     mp_nr: 10
-    mp_path_host: /hdd_data_raidz/restic
+    mp_path_host: /hdd_data/restic
     mp_path_guest: /shares_restic
   - vmid: 100
     mp_nr: 12
-    mp_path_host: /hdd_data_raidz/backup
+    mp_path_host: /hdd_data/backup
     mp_path_guest: /shares_backup
   - vmid: 100
     mp_nr: 14
-    mp_path_host: /hdd_data_raidz/buecher
+    mp_path_host: /hdd_data/buecher
     mp_path_guest: /shares_buecher
   - vmid: 100
     mp_nr: 15
-    mp_path_host: /hdd_data_raidz/programme
+    mp_path_host: /hdd_data/programme
     mp_path_guest: /shares_programme
   - vmid: 100
     mp_nr: 16
-    mp_path_host: /hdd_data_raidz/vm
+    mp_path_host: /hdd_data/vm
     mp_path_guest: /shares_vm
 
 # mgrote.pbs_pve_integration

host_vars/pve5.mgrote.net.yml

@@ -3,11 +3,15 @@
 # der Speicherort fur die VMs ist verschlüsselt
 # zfs create -o encryption=aes-256-gcm -o keyformat=passphrase rpool/vm
 # entschlüsseln nach Boot mit: sudo zpool import -d /dev/disk/by-id/ -a && sudo zfs mount -a  -l
-## HDD_DATA_RAIDZ
-### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase hdd_data_raidz mirror /dev/disk/by-id/ata-TOSHIBA_MG09ACA18TE_Z1B0A27KFJDH /dev/disk/by-id/ata-TOSHIBA_MG09ACA18TE_Z1B0A28LFJDH
+## hdd_data
+### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase hdd_data mirror /dev/disk/by-id/ata-TOSHIBA_MG09ACA18TE_Z1B0A27KFJDH /dev/disk/by-id/ata-ST18000NM003D-3DL103_ZVTBSAYS
+
+## hdd_data "neu"
+### sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=on -O keylocation=prompt -O keyformat=passphrase hdd_data /dev/disk/by-id/ata-ST18000NM003D-3DL103_ZVTBSAYS
+
 
 # mgrote.zfs_manage_datasets
-### mgrote.zfs_extra
+### mgrote_zfs_extra
 # Variablen für mgrote.zfs_health/trim/scrub/zed/arc_mem/ sind zusammengefasst unter zfs_extra_*
 zfs_datasets: # DatenPools werden hier nicht verwaltet
   # rpool - System-Datasets
@@ -21,15 +25,19 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     snapdir: hidden
     reservation: 1G
     refreservation: 10G
+    acltype: posix
   - dataset: rpool/ROOT
     state: present
     refreservation: 10G
   - dataset: rpool/ROOT/pve-1
     state: present
     refreservation: 10G
+    acltype: posix # https://docs.ansible.com/ansible-core/2.14/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user ; sonst kann die dotfiles-Rolle kein setfacl machen
+
   # rpool - Data
   - dataset: rpool/data
     state: present
+
   # rpool - VMs
   - dataset: rpool/vm
     state: present
@@ -39,8 +47,9 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     state: present
   - dataset: rpool/data
     state: present
-  # hdd_data_raidz
-  - dataset: hdd_data_raidz
+
+  # hdd_data
+  - dataset: hdd_data
     state: present
     compression: zstd
     sync: disabled
@@ -49,100 +58,101 @@ zfs_datasets: # DatenPools werden hier nicht verwaltet
     atime: on # noqa yaml[truthy]
     snapdir: hidden
     reservation: 1G
-  - dataset: hdd_data_raidz/papa_backup
+    acltype: posix # https://docs.ansible.com/ansible-core/2.14/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user ; sonst kann die dotfiles-Rolle kein setfacl machen
+  - dataset: hdd_data/papa_backup
     state: present
-  - dataset: hdd_data_raidz/pve_backup
+  - dataset: hdd_data/pve_backup
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/videos
+  - dataset: hdd_data/videos
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/music
+  - dataset: hdd_data/music
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/tmp
+  - dataset: hdd_data/tmp
     state: present
-  - dataset: hdd_data_raidz/archiv
+  - dataset: hdd_data/archiv
     state: present
-  - dataset: hdd_data_raidz/bilder
+  - dataset: hdd_data/bilder
     state: present
     recordsize: 1M
-  - dataset: hdd_data_raidz/scans
+  - dataset: hdd_data/scans
     state: present
-  - dataset: hdd_data_raidz/restic
+  - dataset: hdd_data/restic
     state: present
-  - dataset: hdd_data_raidz/backup
+  - dataset: hdd_data/backup
     state: present
-  - dataset: hdd_data_raidz/buecher
+  - dataset: hdd_data/buecher
     state: present
-  - dataset: hdd_data_raidz/programme
+  - dataset: hdd_data/programme
     state: present
-  - dataset: hdd_data_raidz/vm
+  - dataset: hdd_data/vm
     state: present
 
 zfs_extra_arc_max_size: "8589934592" # 8GB in Bytes
 zfs_extra_zfs_pools:
   - name: "rpool"
     systemd_timer_schedule: "*-01,04,07,10-01 23:00" # jeden ersten eines jeden Quartals
-  - name: "hdd_data_raidz"
+  - name: "hdd_data"
     systemd_timer_schedule: "*-01,04,07,10-01 23:00"
 
-### mgrote.zfs_sanoid
+### mgrote_zfs_sanoid
 sanoid_snaps_enable: true
 ## enable sending snaps
 sanoid_syncoid_source_host: true
 sanoid_syncoid_ssh_pubkey: "{{ lookup('keepass', 'sanoid_syncoid_public_key', 'notes') }}"
 sanoid_datasets:
-  ### hdd_data_raidz
-  - path: 'hdd_data_raidz/videos'
+  ### hdd_data
+  - path: 'hdd_data/videos'
     template: '3tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/music'
+  - path: 'hdd_data/music'
     template: '14tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/papa_backup'
+  - path: 'hdd_data/papa_backup'
     template: '14tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/tmp'
+  - path: 'hdd_data/tmp'
     template: '3tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/pve_backup'
+  - path: 'hdd_data/pve_backup'
     template: '3tage'
     recursive: 'yes'
     snapshots: true
-  - path: 'hdd_data_raidz/archiv'
+  - path: 'hdd_data/archiv'
     template: '14tage'
     recursive: 'yes'
     snapshots: true
-  - path: hdd_data_raidz/bilder
+  - path: hdd_data/bilder
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '14tage'
-  - path: hdd_data_raidz/scans
+  - path: hdd_data/scans
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '3tage'
-  - path: hdd_data_raidz/backup
+  - path: hdd_data/backup
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '31tage'
-  - path: hdd_data_raidz/restic
+  - path: hdd_data/restic
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '3tage'
-  - path: hdd_data_raidz/programme
+  - path: hdd_data/programme
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '14tage'
-  - path: hdd_data_raidz/buecher
+  - path: hdd_data/buecher
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '14tage'
-  - path: hdd_data_raidz/vm
+  - path: hdd_data/vm
     recursive: 'no' # noqa yaml[truthy]
     snapshots: true
     template: '3tage'
@@ -160,67 +170,60 @@ sanoid_datasets:
     snapshots: true
     template: 'pve3tage'
 
-### mgrote.cv4pve-autosnap
-cv4pve_api_user: root@pam!cv4pve-autosnap
-cv4pve_api_token: "{{ lookup('keepass', 'cv4pve_api_token', 'password') }}"
-cv4pve_vmid: all,-115
-cv4pve_keep_snapshots: 5
-cv4pve_dl_link: "https://github.com/Corsinvest/cv4pve-autosnap/releases/download/v1.14.7/cv4pve-autosnap-linux-x64.zip"
-
-### mgrote.proxmox_bind_mounts
+### mgrote_proxmox_bind_mounts
 pve_bind_mounts:
   ### fileserver3
   - vmid: 115
     mp_nr: 0
-    mp_path_host: /hdd_data_raidz/videos
+    mp_path_host: /hdd_data/videos
     mp_path_guest: /shares_videos
   - vmid: 115
     mp_nr: 2
-    mp_path_host: /hdd_data_raidz/pve_backup
+    mp_path_host: /hdd_data/pve_backup
     mp_path_guest: /shares_pve_backup
   - vmid: 115
     mp_nr: 3
-    mp_path_host: /hdd_data_raidz/papa_backup
+    mp_path_host: /hdd_data/papa_backup
     mp_path_guest: /shares_papa_backup
   - vmid: 115
     mp_nr: 4
-    mp_path_host: /hdd_data_raidz/music
+    mp_path_host: /hdd_data/music
     mp_path_guest: /shares_music
   - vmid: 115
     mp_nr: 5
-    mp_path_host: /hdd_data_raidz/tmp
+    mp_path_host: /hdd_data/tmp
     mp_path_guest: /shares_tmp
   - vmid: 115
     mp_nr: 6
-    mp_path_host: /hdd_data_raidz/archiv
+    mp_path_host: /hdd_data/archiv
     mp_path_guest: /shares_archiv
   - vmid: 115
     mp_nr: 7
-    mp_path_host: /hdd_data_raidz/bilder
+    mp_path_host: /hdd_data/bilder
     mp_path_guest: /shares_bilder
   - vmid: 115
     mp_nr: 9
-    mp_path_host: /hdd_data_raidz/scans
+    mp_path_host: /hdd_data/scans
     mp_path_guest: /shares_scans
   - vmid: 115
     mp_nr: 10
-    mp_path_host: /hdd_data_raidz/restic
+    mp_path_host: /hdd_data/restic
     mp_path_guest: /shares_restic
   - vmid: 115
     mp_nr: 12
-    mp_path_host: /hdd_data_raidz/backup
+    mp_path_host: /hdd_data/backup
     mp_path_guest: /shares_backup
   - vmid: 115
     mp_nr: 14
-    mp_path_host: /hdd_data_raidz/buecher
+    mp_path_host: /hdd_data/buecher
     mp_path_guest: /shares_buecher
   - vmid: 115
     mp_nr: 15
-    mp_path_host: /hdd_data_raidz/programme
+    mp_path_host: /hdd_data/programme
     mp_path_guest: /shares_programme
   - vmid: 115
     mp_nr: 16
-    mp_path_host: /hdd_data_raidz/vm
+    mp_path_host: /hdd_data/vm
     mp_path_guest: /shares_vm
 
 # mgrote.pbs_pve_integration

inventory

@@ -3,6 +3,12 @@ all:
     fileserver:
       hosts:
         fileserver3.mgrote.net:
+    blocky:
+      hosts:
+        blocky.mgrote.net:
+    ldap:
+      hosts:
+        ldap.mgrote.net:
     lxc:
       hosts:
         fileserver3.mgrote.net:
@@ -29,18 +35,20 @@ all:
       hosts:
         pve5.mgrote.net:
         pbs.mgrote.net:
-    gitea:
+    git:
       hosts:
-        gitea.mgrote.net:
+        forgejo.mgrote.net:
 
     production:
       hosts:
         fileserver3.mgrote.net:
         ansible2.mgrote.net:
         pve5.mgrote.net:
-        gitea.mgrote.net:
+        forgejo.mgrote.net:
         docker10.mgrote.net:
         pbs.mgrote.net:
+        blocky.mgrote.net:
+        ldap.mgrote.net:
     test:
       hosts:
         vm-test-2204.mgrote.net:

playbooks/1_bootstrap.yml

@@ -2,7 +2,7 @@
 - hosts: all
   gather_facts: false
   roles:
-    - role: robertdebock-ansible-role-bootstrap
+    - role: ansible-role-bootstrap
       tags: "bootstrap"
       become: true
     - role: mgrote_apt_manage_sources
@@ -34,7 +34,7 @@
     ansible_password: hallowelt
     ansible_become_password: hallowelt
     ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
-    ### mgrote.user
+    ### mgrote_user
     users:
       - username: ansible-user
         password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"

playbooks/2_all.yml

@@ -3,3 +3,4 @@
 - ansible.builtin.import_playbook: base/system.yml
 - ansible.builtin.import_playbook: base/users.yml
 - ansible.builtin.import_playbook: base/ufw.yml
+- ansible.builtin.import_playbook: base/monitoring.yml

playbooks/3_service/ansible.yml

@@ -1,4 +1,6 @@
 ---
 - hosts: ansible
   roles:
-    - { role: geerlingguy-ansible-role-pip, tags: "pip", become: true }
+    - role: ansible-role-pip
+      tags: "pip"
+      become: true

playbooks/3_service/blocky.yml

@@ -0,0 +1,7 @@
+---
+- hosts: blocky
+  roles:
+    - role: mgrote_systemd_resolved
+      tags: "resolved"
+    - role: mgrote_blocky
+      tags: "blocky"

playbooks/3_service/docker.yml

@@ -1,10 +1,21 @@
 ---
 - hosts: docker
   roles:
-    - { role: mgrote_systemd_resolved, tags: "dns", become: true }
-    - { role: mgrote_mount_cifs, tags: "cifs", become: true }
-    - { role: geerlingguy-ansible-role-pip, tags: "pip", become: true }
-    - { role: geerlingguy-ansible-role-docker, tags: "docker", become: true }
-    - { role: gantsign-ansible-role-ctop, tags: "ctop", become: true }
-    - { role: mgrote_set_permissions, tags: "perm", become: true }
-    - { role: mgrote_docker_compose_inline, tags: "compose", become: true }
+    - role: mgrote_systemd_resolved
+      tags: "dns"
+      become: true
+    - role: ansible-role-pip
+      tags: "pip"
+      become: true
+    - role: ansible-role-docker
+      tags: "docker"
+      become: true
+    - role: ansible_role_ctop
+      tags: "ctop"
+      become: true
+    - role: mgrote_set_permissions
+      tags: "perm"
+      become: true
+    - role: mgrote_docker_compose_inline
+      tags: "compose"
+      become: true

playbooks/3_service/fileserver.yml

@@ -6,6 +6,9 @@
 ---
 - hosts: fileserver
   roles:
-    - { role: mgrote_fileserver_smb, tags: "fileserver_smb" }
-    - { role: mgrote_youtubedl, tags: "youtubedl" }
-    - { role: mgrote_disable_oom_killer, tags: "oom" }
+    - role: mgrote_fileserver_smb
+      tags: "smb"
+    - role: mgrote_youtubedl
+      tags: "youtubedl"
+    - role: mgrote_disable_oom_killer
+      tags: "oom"

playbooks/3_service/git.yml

@@ -0,0 +1,12 @@
+---
+- hosts: git
+  roles:
+    - role: ansible-role-postgresql
+      tags: "db"
+      become: true
+    - role: ansible_role_gitea
+      tags: "gitea"
+      become: true
+    - role: mgrote_gitea_setup
+      tags: "setup"
+      become: true

playbooks/3_service/gitea.yml

@@ -1,4 +0,0 @@
----
-- hosts: gitea
-  roles:
-    - { role: pyratlabs-ansible-role-gitea, tags: "gitea", become: true }

playbooks/3_service/lldap.yml

@@ -0,0 +1,11 @@
+---
+- hosts: ldap
+  roles:
+    - role: ansible-role-postgresql
+      tags: "db"
+      become: true
+    - role: mgrote_lldap
+      tags:
+        - lldap
+        - ldap
+      become: true

playbooks/3_service/pbs.yml

@@ -1,12 +1,21 @@
 ---
 - hosts: pbs
   roles:
-    - { role: mgrote_zfs_packages, tags: "zfs_packages" }
-    - { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" }
-    - { role: mgrote_zfs_manage_datasets, tags: "datasets" }
-    - { role: mgrote_zfs_scrub, tags: "zfs_scrub" }
-    - { role: mgrote_zfs_zed, tags: "zfs_zed" }
-    - { role: mgrote_zfs_sanoid, tags: "sanoid" }
-    - { role: mgrote_smart, tags: "smart" }
-    - { role: mgrote_pbs_users, tags: "pbs_users" }
-    - { role: mgrote_pbs_datastores, tags: "pbs_datastores" }
+    - role: mgrote_zfs_packages
+      tags: "zfs_packages"
+    - role: mgrote_zfs_arc_mem
+      tags: "zfs_arc_mem"
+    - role: mgrote_zfs_manage_datasets
+      tags: "datasets"
+    - role: mgrote_zfs_scrub
+      tags: "zfs_scrub"
+    - role: mgrote_zfs_zed
+      tags: "zfs_zed"
+    - role: mgrote_zfs_sanoid
+      tags: "sanoid"
+    - role: mgrote_smart
+      tags: "smart"
+    - role: mgrote_pbs_users
+      tags: "pbs_users"
+    - role: mgrote_pbs_datastores
+      tags: "pbs_datastores"

playbooks/3_service/pve.yml

@@ -1,14 +1,26 @@
 ---
 - hosts: pve
   roles:
-    - { role: mgrote_zfs_packages, tags: "zfs_packages" }
-    - { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" }
-    - { role: mgrote_zfs_manage_datasets, tags: "datasets" }
-    - { role: mgrote_zfs_scrub, tags: "zfs_scrub" }
-    - { role: mgrote_zfs_zed, tags: "zfs_zed" }
-    - { role: mgrote_zfs_sanoid, tags: "sanoid" }
-    - { role: mgrote_smart, tags: "smart" }
-    - { role: mgrote_cv4pve_autosnap, tags: "cv4pve" }
-    - { role: mgrote_proxmox_bind_mounts, tags: "bindmounts" }
-    - { role: mgrote_proxmox_lxc_profiles, tags: "lxc-profile" }
-    - { role: mgrote_pbs_pve_integration, tags: "pbs" }
+    - role: mgrote_zfs_packages
+      tags: "zfs_packages"
+    - role: mgrote_zfs_arc_mem
+      tags: "zfs_arc_mem"
+    - role: mgrote_zfs_manage_datasets
+      tags: "datasets"
+    - role: mgrote_zfs_scrub
+      tags: "zfs_scrub"
+    - role: mgrote_zfs_zed
+      tags: "zfs_zed"
+    - role: mgrote_zfs_sanoid
+      tags: "sanoid"
+    - role: mgrote_smart
+      tags: "smart"
+    - role: mgrote_cv4pve_autosnap
+      tags: cv4pve
+      become: true
+    - role: mgrote_proxmox_bind_mounts
+      tags: "bindmounts"
+    - role: mgrote_proxmox_lxc_profiles
+      tags: "lxc-profile"
+    - role: mgrote_pbs_pve_integration
+      tags: "pbs"

playbooks/base/monitoring.yml

@@ -0,0 +1,11 @@
+---
+- hosts: all
+  roles:
+    - role: mgrote_munin_node
+      become: true
+      tags: "munin"
+      when: "not 'laptop' in group_names"
+
+  ### Die Host müssen auch beim Docker-Container: "munin-master eingetragen" werden.
+  ### wird nur auf physischen Rechnern ausgeführt.
+  ### Wenn ein Plugin nicht geht: munin-node-configure --shell --families=contrib,auto | sh -x

playbooks/base/packages.yml

@@ -5,14 +5,12 @@
       tags: "apt_sources"
     - role: mgrote_apt_manage_packages
       tags: "install"
-    - role: mgrote_exa
-      tags: "exa"
     - role: mgrote_remove_snapd
       become: true
       tags: "snapd"
     - role: mgrote_apt_update_packages
       tags: "updates"
-    - role: hifis-net-ansible-role-unattended-upgrades
+    - role: ansible-role-unattended-upgrades
       become: true
       tags: unattended
       when: "ansible_facts['distribution'] == 'Ubuntu'"

playbooks/base/system.yml

@@ -3,21 +3,21 @@
   roles:
     - role: mgrote_ntp_chrony_client
       tags: "ntp"
+    - role: mgrote_etckeeper
+      tags: "etckeeper"
     - role: mgrote_postfix
       tags: "postfix"
-    - role: mgrote_restic
-      tags: "restic"
     - role: mgrote_fail2ban
       tags: "f2b"
     - role: mgrote_fwupd_settings
       become: true
       tags: fwupd
       when: "ansible_facts['distribution'] == 'Ubuntu'"
-    - role: mrlesmithjr-ansible-manage-lvm
+    - role: ansible-manage-lvm
       tags: "lvm"
       become: true
       when: manage_lvm == true and manage_lvm is defined
-      # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das PLaybook zu "aktivieren"
+      # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das Playbook zu "aktivieren"
     - role: mgrote_ssh
       tags: "ssh"
     - role: mgrote_netplan

playbooks/base/ufw.yml

@@ -1,6 +1,6 @@
 ---
 - hosts: all:!pve:!pbs
   roles:
-    - { role: oefenweb-ansible-ufw, # Regeln werden in den Group/Host-Vars gesetzt
-        tags: "ufw",
-        become: true}
+    - role: ansible-ufw # Regeln werden in den Group/Host-Vars gesetzt
+      tags: ufw
+      become: true

playbooks/base/users.yml

@@ -1,10 +1,10 @@
 ---
 - hosts: all
-  become: true
   roles:
     - role: mgrote_users
-      tags: "user"
-    - role: mgrote_dotfiles
-      tags: "dotfiles"
-    - role: mgrote_vim
-      tags: "vim"
+      tags: users
+      become: true
+    - role: mgrote_user_setup
+      tags:
+        - user_setup
+        - dotfiles

playbooks/on-off/autoremove.yml

@@ -0,0 +1,7 @@
+---
+- hosts: all
+  tasks:
+    - name: apt autoremove
+      become: true
+      ansible.builtin.apt:
+        autoremove: true

playbooks/on-off/remove_dotfiles.yml

@@ -0,0 +1,22 @@
+---
+- hosts: all
+  become: true
+  tasks:
+    - name: remove files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /home/mg/.gitconfig
+        - /home/mg/.tmux.conf
+        - /home/mg/.vimrc
+        - /home/mg/dotfiles
+
+    - name: remove from .bashrc
+      ansible.builtin.lineinfile:
+        path: "{{ item }}"
+        state: absent
+        line: "source /home/mg/dotfiles/.bash_extra"
+      loop:
+        - /root/.bashrc
+        - /home/mg/.bashrc

playbooks/on-off/remove_drone-user.yml

@@ -0,0 +1,18 @@
+---
+- hosts: all
+  tasks:
+    - name: remove user
+      become: true
+      ansible.builtin.user:
+        name: "{{ item }}"
+        state: absent
+        remove: true
+      loop:
+        - drone
+        - drone-user
+
+    - name: Ensure dir is removed
+      become: true
+      ansible.builtin.file:
+        path: /home/drone
+        state: absent

playbooks/on-off/remove_munin_node.yml

@@ -0,0 +1,22 @@
+---
+- hosts: all
+  become: yes
+  tasks:
+    - name: Ensure packages are absent
+      become: yes
+      ansible.builtin.apt:
+        autoremove: yes
+        autoclean: yes
+        purge: yes
+        name:
+          - munin-node
+        state: absent
+
+    - name: Ensure directories are absent
+      become: yes
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /usr/share/munin
+        - /etc/munin

playbooks/on-off/remove_restic.yml

@@ -0,0 +1,78 @@
+---
+- hosts: all
+  tasks:
+    - name: ensure group exists
+      become: true
+      ansible.builtin.group:
+        name: restic
+        state: absent
+
+    - name: install restic-packages
+      become: true
+      ansible.builtin.package:
+        name:
+          - restic
+        state: absent
+
+    - name: create "/etc/restic"
+      become: true
+      ansible.builtin.file:
+        path: "/etc/restic"
+        state: absent
+
+    - name: systemctl start restic.timer
+      become: true
+      ansible.builtin.systemd:
+        name: restic.timer
+        state: stopped
+        enabled: false
+
+
+    - name: systemctl enable units
+      become: true
+      ansible.builtin.systemd:
+        name: "{{ item }}"
+        enabled: false
+        masked: true
+      with_items:
+        - media-restic.automount
+        - media-restic.mount
+        - restic.service
+        - restic.timer
+        - restic_mail.service
+
+    - name: template restic.mount
+      become: true
+      ansible.builtin.file:
+        state: absent
+        path: /etc/systemd/system/media-restic.mount # media-restic == /media/restic
+
+    - name: template restic.automount
+      become: true
+      ansible.builtin.file:
+        path: /etc/systemd/system/media-restic.automount
+        state: absent
+
+    - name: template restic.service
+      become: true
+      ansible.builtin.file:
+        path: /etc/systemd/system/restic.service
+        state: absent
+
+    - name: template restic.timer
+      become: true
+      ansible.builtin.file:
+        path: /etc/systemd/system/restic.timer
+        state: absent
+
+    - name: template restic_mail.service
+      become: true
+      ansible.builtin.file:
+        path: /etc/systemd/system/restic_mail.service
+        state: absent
+
+    - name: template restic_mail.service
+      become: true
+      ansible.builtin.file:
+        path: /etc/systemd/system/media-restic.automount
+        state: absent

playbooks/on-off/update.yml

@@ -0,0 +1,26 @@
+---
+- hosts: all
+  become: true
+  tasks:
+    - name: update apt cache
+      ansible.builtin.apt:
+        update_cache: true
+
+    - name: update installed packages
+      ansible.builtin.package:
+        upgrade: dist
+      register: upgrade
+
+    - name: apt autoremove
+      ansible.builtin.apt:
+        autoremove: true
+        clean: yes
+
+    - name: reboot
+      ansible.builtin.reboot:
+      when: (upgrade.changed and (inventory_hostname != 'pve5.mgrote.net' and inventory_hostname != 'ansible2.mgrote.net'))
+
+    - name: Info
+      ansible.builtin.debug:
+        msg: Pool auf pbs.mgrote.net mounten!
+      when: (upgrade.changed and inventory_hostname == 'pbs.mgrote.net')

renovate.json

@@ -0,0 +1,5 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": ["config:recommended"],
+    "ignorePaths": ["**/friedhof/**"]
+}

requirements.yaml

@@ -0,0 +1,30 @@
+collections:
+  - name: community.general
+    version: "8.6.0"
+  - name: community.crypto
+    version: "2.19.1"
+  - name: ansible.posix
+    version: "1.5.4"
+  - name: community.docker
+    version: "3.9.0"
+roles:
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-role-bootstrap
+    version: "6.2.5"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-ufw
+    version: "v4.1.13"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-manage-lvm
+    version: "v0.2.11"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-role-unattended-upgrades
+    version: "v4.1.0"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-role-pip
+    version: "3.0.3"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-role-nfs
+    version: "2.0.0"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-role-docker
+    version: "7.1.0"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible_role_ctop
+    version: "1.1.6"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible_role_gitea
+    version: "v3.4.2"
+  - src: https://git.mgrote.net/ansible-role-mirrors/ansible-role-postgresql
+    version: "3.5.1"

requirements.yml

@@ -1,30 +0,0 @@
-collections:
-  - git+https://git.mgrote.net/ansible-collections-mirrors/community.general
-  - git+https://git.mgrote.net/ansible-collections-mirrors/community.crypto
-  - git+https://git.mgrote.net/ansible-collections-mirrors/ansible.posix
-  - git+https://git.mgrote.net/ansible-collections-mirrors/community.docker
-roles:
-  - src: https://git.mgrote.net/ansible-roles-mirrors/pyratlabs-ansible-role-k3s
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/robertdebock-ansible-role-bootstrap
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/pandemonium1986-ansible-role-k9s
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/oefenweb-ansible-ufw
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/mrlesmithjr-ansible-manage-lvm
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/hifis-net-ansible-role-unattended-upgrades
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-pip
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-nfs
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-helm
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-docker
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/gantsign-ansible-role-ctop
-    scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/pyratlabs-ansible-role-gitea
-    scm: git

roles/mgrote_apt_manage_packages/tasks/main.yml

@@ -29,10 +29,9 @@
 - name: install packages from the internet
   become: true
   ansible.builtin.apt:
-    deb: "{{ item }}"
+    deb: "{{ apt_packages_internet }}"
     state: present
   when: apt_packages_internet is defined
-  loop: "{{ apt_packages_internet }}"
 
 - name: remove packages
   become: true

roles/mgrote_apt_update_packages/tasks/main.yml

@@ -1,10 +1,6 @@
 ---
-- name: update apt cache
-  become: true
-  ansible.builtin.apt:
-    update_cache: true
-
-- name: update installed packages
+- name: update apt cache and installed packages
   become: true
   ansible.builtin.package:
     upgrade: dist
+    update_cache: true

roles/mgrote_blocky/defaults/main.yml

@@ -0,0 +1,68 @@
+---
+# Docs in config.yml and https://0xerr0r.github.io/blocky/configuration/
+
+blocky_user: blocky
+blocky_group: blocky
+blocky_version: v0.22
+blocky_arch: x86_64
+blocky_download_url: "https://github.com/0xERR0R/blocky/releases/download/{{ blocky_version }}/blocky_{{ blocky_version }}_Linux_{{ blocky_arch }}.tar.gz"
+blocky_conf_dir: /etc/blocky
+blocky_block_type: zeroIp
+blocky_block_ttl: 1m
+blocky_blacklists_strategy: failOnError
+blocky_local_upstream: 192.168.2.1
+blocky_prometheus: false
+blocky_fqdn_only: false
+blocky_port_dns: 53
+blocky_log_level: info
+blocky_dns_upstream:
+  - 9.9.9.9
+  - 1.1.1.1
+  - 8.8.8.8
+  - 5.9.164.112
+blocky_dns_blocklists:
+  - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
+  - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+  - http://sysctl.org/cameleon/hosts
+  - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
+#blocky_custom_lookups: # optional
+#  # Internet
+#  - name: wiki.mgrote.net
+#    ip: 192.168.2.43
+#  - name: audio.mgrote.net
+#    ip: 192.168.2.43
+#  - name: auth.mgrote.net
+#    ip: 192.168.2.43
+#  - name: ci.mgrote.net
+#    ip: 192.168.2.43
+#  - name: git.mgrote.net
+#    ip: 192.168.2.43
+#  - name: miniflux.mgrote.net
+#    ip: 192.168.2.43
+#  - name: nextcloud.mgrote.net
+#    ip: 192.168.2.43
+#  - name: registry.mgrote.net
+#    ip: 192.168.2.43
+#  # Intern
+#  - name: ads2700w.mgrote.net
+#    ip: 192.168.2.147
+#  - name: crs305.mgrote.net
+#    ip: 192.168.2.225
+#  - name: hex.mgrote.net
+#    ip: 192.168.3.144
+#  - name: pbs-test.mgrote.net
+#    ip: 192.168.2.18
+#  - name: pbs.mgrote.net
+#    ip: 192.168.3.239
+#  - name: pve5-test.mgrote.net
+#    ip: 192.168.2.17
+#  - name: pve5.mgrote.net # bleibt im Router auch angelegt, weil wenn pve aus auch kein blocky ;-)
+#    ip: 192.168.2.16
+#  - name: rb5009.mgrote.net
+#    ip: 192.168.2.1
+#  - name: fritz.box
+#    ip: 192.168.5.1
+#blocky_conditional_mapping: # optional
+#  - domain: mgrote.net
+#    resolver: 192.168.2.1
+#

roles/mgrote_blocky/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: set cap_net_bind_service # noqa no-changed-when
+  become: true
+  ansible.builtin.command: setcap 'cap_net_bind_service=+ep' /usr/local/bin/blocky
+
+- name: systemctl daemon-reload
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: restart service unit
+  become: true
+  ansible.builtin.systemd:
+    name: blocky.service
+    state: restarted
+    enabled: true

roles/mgrote_blocky/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+- name: ensure group exists
+  become: true
+  ansible.builtin.group:
+    name: "{{ blocky_group }}"
+    state: present
+
+- name: ensure user exists
+  become: true
+  ansible.builtin.user:
+    name: "{{ blocky_user }}"
+    state: present
+    create_home: false
+
+- name: ensure binaries are installed
+  become: true
+  ansible.builtin.unarchive:
+    src: "{{ blocky_download_url }}"
+    dest: /usr/local/bin
+    remote_src: true
+    owner: "{{ blocky_user }}"
+    group: "{{ blocky_group }}"
+    mode: "0755"
+    exclude:
+      - LICENSE
+      - README.md
+  notify:
+    - set cap_net_bind_service
+    - restart service unit
+
+- name: ensure conf dir exists
+  become: true
+  ansible.builtin.file:
+    path: "{{ blocky_conf_dir }}"
+    state: directory
+    owner: "{{ blocky_user }}"
+    group: "{{ blocky_group }}"
+    mode: "0755"
+
+- name: template configuration
+  become: true
+  ansible.builtin.template:
+    src: "config.yml.j2"
+    dest: "{{ blocky_conf_dir }}/config.yml"
+    owner: "{{ blocky_user }}"
+    group: "{{ blocky_group }}"
+    mode: "0600"
+  notify:
+    - restart service unit
+
+- name: template service
+  become: true
+  ansible.builtin.template:
+    src: "blocky.service.j2"
+    dest: /etc/systemd/system/blocky.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - systemctl daemon-reload
+    - restart service unit

roles/mgrote_blocky/templates/blocky.service.j2

@@ -0,0 +1,15 @@
+{{ file_header | default () }}
+
+[Unit]
+Description=Blocky is a DNS proxy and ad-blocker for the local network written in Go.
+Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/blocky --config {{ blocky_conf_dir }}/config.yml
+
+[Install]
+WantedBy=multi-user.target

roles/mgrote_blocky/templates/config.yml.j2

@@ -0,0 +1,196 @@
+{{ file_header | default () }}
+upstreams:
+  init:
+    # Configure startup behavior.
+    # accepted: blocking, failOnError, fast
+    # default: blocking
+    strategy: fast
+  groups:
+    default:
+{% for item in blocky_dns_upstream %}
+      - {{ item }}
+{% endfor %}
+  strategy: parallel_best
+  timeout: 2s
+
+# optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists.
+# accepted: dual, v4, v6
+# default: dual
+connectIPVersion: v4
+
+
+# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
+blocking:
+  # definition of blacklist groups. Can be external link (http/https) or local file
+  blackLists:
+    ads:
+{% for item in blocky_dns_blocklists %}
+      - {{ item }}
+{% endfor %}
+  # which response will be sent, if query is blocked:
+  # zeroIp: 0.0.0.0 will be returned (default)
+  # nxDomain: return NXDOMAIN as return code
+  # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page.
+  blockType: {{ blocky_block_type | default ("zeroIp") }}
+  # optional: TTL for answers to blocked domains
+  # default: 6h
+  blockTTL: {{ blocky_block_ttl | default ("6h") }}
+  clientGroupsBlock:
+    # default will be used, if no special definition for a client name exists
+    default:
+      - ads # siehe blocking.blacklists.ads
+  # optional: Configure how lists, AKA sources, are loaded
+  loading:
+    # optional: list refresh period in duration format.
+    # Set to a value <= 0 to disable.
+    # default: 4h
+    refreshPeriod: 4h
+    # optional: Applies only to lists that are downloaded (HTTP URLs).
+    downloads:
+      # optional: timeout for list download (each url). Use large values for big lists or slow internet connections
+      # default: 5s
+      timeout: 60s
+      # optional: Maximum download attempts
+      # default: 3
+      attempts: 5
+      # optional: Time between the download attempts
+      # default: 500ms
+      cooldown: 10s
+    # optional: Maximum number of lists to process in parallel.
+    # default: 4
+    concurrency: 16
+    # Configure startup behavior.
+    # accepted: blocking, failOnError, fast
+    # default: blocking
+    strategy: {{ blocky_blacklists_strategy | default ("blocking") }}
+    # Number of errors allowed in a list before it is considered invalid.
+    # A value of -1 disables the limit.
+    # default: 5
+    maxErrorsPerSource: 5
+
+{% if blocky_conditional_mapping is defined %}
+
+# optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma
+# Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name
+conditional:
+  # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver
+  # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if `fallbackUpstream` was set to `true`, the original query "blog.example.com" will be sent upstream.
+  # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain.
+  fallbackUpstream: false
+  mapping:
+{% for item in blocky_conditional_mapping %}
+    {{ item.domain }}: {{ item.resolver }}
+{% endfor %}
+{% endif %}
+
+
+{% if blocky_custom_lookups is defined %}
+# optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma
+# example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3
+customDNS:
+  customTTL: 1h
+  # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined).
+  # if false, queries with unmapped types will be forwarded to the upstream resolver
+  filterUnmappedTypes: true
+  # optional: replace domain in the query with other domain before resolver lookup in the mapping
+  # rewrite:
+  #   example.com: printer.lan
+  mapping:
+{% for item in blocky_custom_lookups %}
+    {{ item.name }}: {{ item.ip }}
+{% endfor %}
+{% endif %}
+
+# optional: configuration for caching of DNS responses
+caching:
+  # duration how long a response must be cached (min value).
+  # If <=0, use response's TTL, if >0 use this value, if TTL is smaller
+  # Default: 0
+  minTime: 0
+  # duration how long a response must be cached (max value).
+  # If <0, do not cache responses
+  # If 0, use TTL
+  # If > 0, use this value, if TTL is greater
+  # Default: 0
+  maxTime: 0
+  # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM.
+  # Default (0): unlimited
+  maxItemsCount: 0
+  # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window)
+  # this improves the response time for often used queries, but significantly increases external traffic
+  # default: false
+  prefetching: true
+  # prefetch track time window (in duration format)
+  # default: 120
+  prefetchExpires: 2h
+  # name queries threshold for prefetch
+  # default: 5
+  prefetchThreshold: 5
+  # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM.
+  # Default (0): unlimited
+  prefetchMaxItemsCount: 0
+  # Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results.
+  # Default: 30m
+  cacheTimeNegative: -1
+
+# optional: configuration of client name resolution
+clientLookup:
+  # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router)
+  upstream: {{ blocky_local_upstream | default ("192.168.2.1") }}
+  # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used.
+  # Example: take second name if present, if not take first name
+  # singleNameOrder:
+  #   - 2
+  #   - 1
+
+
+# optional: configuration for prometheus metrics endpoint
+prometheus:
+  # enabled if true
+  enable: {{ blocky_prometheus | default ("false") }}
+  # url path, optional (default '/metrics')
+  path: /metrics
+
+
+# optional: Mininal TLS version that the DoH and DoT server will use
+# minTlsServeVersion: 1.3
+
+# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated
+#certFile: server.crt
+#keyFile: server.key
+
+# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries.
+bootstrapDns:
+  - tcp+udp:9.9.9.9
+
+# optional: drop all queries with following query types. Default: empty
+filtering:
+  queryTypes:
+    - AAAA
+
+# optional: return NXDOMAIN for queries that are not FQDNs.
+fqdnOnly:
+  # default: false
+  enable: {{ blocky_fqdn_only | default ("false") }}
+
+# optional: ports configuration
+ports:
+  # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353"
+  dns: {{ blocky_port_dns | default ("53") }}
+  # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
+  # tls: 853
+  # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443
+  # https: 443
+  # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000
+  http: 4000
+
+# optional: logging configuration
+log:
+  # optional: Log level (one from debug, info, warn, error). Default: info
+  level: {{ blocky_log_level | default ("info") }}
+  # optional: Log format (text or json). Default: text
+  format: text
+  # optional: log timestamps. Default: true
+  timestamp: true
+  # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false
+  privacy: false

roles/mgrote_cv4pve_autosnap/README.md

@@ -1,11 +0,0 @@
-## mgrote.cv4pve
-
-### Beschreibung
-Installiert [cv4pve-autosnap](https://github.com/Corsinvest/cv4pve-autosnap).
-Legt einen systemd-timer.
-
-### getestet auf
-- [x] ProxMox 7*
-
-### Variablen + Defaults
-- see [defaults](./defaults/main.yml)

roles/mgrote_cv4pve_autosnap/defaults/main.yml

@@ -3,7 +3,7 @@
 cv4pve_cron_minute: "39"
 cv4pve_cron_hour: "5"
 # proxmox api-token and user
-cv4pve_api_token: "XXXXXXXXXXXXXXXXXXXXXX"
+cv4pve_api_token: "supersecret"
 cv4pve_api_user: "root@pam!test2"
 # which vm to snapshot
 cv4pve_vmid: all
@@ -12,3 +12,7 @@ cv4pve_keep_snapshots: 3
 # under which user the script is run
 cv4pve_user_group: cv4pve
 cv4pve_user: cv4pve
+# url
+cv4pve_dl_link: https://github.com/Corsinvest/cv4pve-autosnap/releases/download/{{ cv4pve_version }}/cv4pve-autosnap-linux-x64.zip
+cv4pve_version: "v1.14.8"
+cv4pve_base_path: /usr/local/bin/cv4pve

roles/mgrote_cv4pve_autosnap/tasks/install.yml

@@ -0,0 +1,42 @@
+---
+- name: Ensure needed directories exist
+  ansible.builtin.file:
+    path: "{{ cv4pve_base_path }}"
+    state: directory
+    owner: "{{ cv4pve_user }}"
+    group: "{{ cv4pve_user_group }}"
+    mode: "0644"
+
+- name: Download specified version
+  ansible.builtin.unarchive:
+    src: "{{ cv4pve_dl_link }}"
+    dest: "{{ cv4pve_base_path }}"
+    mode: '0755'
+    owner: "{{ cv4pve_user }}"
+    group: "{{ cv4pve_user_group }}"
+    remote_src: true
+    creates: "{{ cv4pve_base_path }}/cv4pve-autosnap-{{ cv4pve_version }}"
+    list_files: true
+  register: download
+
+- name: Rename binary # noqa no-changed-when no-handler
+  ansible.builtin.command: |
+    mv "{{ cv4pve_base_path }}/cv4pve-autosnap" "{{ cv4pve_base_path }}/cv4pve-autosnap-{{ cv4pve_version }}"
+  when: download.changed
+
+# https://stackoverflow.com/questions/20252057/using-ansible-how-would-i-delete-all-items-except-for-a-specified-set-in-a-dire
+- name: Find old versions
+  ansible.builtin.find:
+    paths: "{{ cv4pve_base_path }}"
+    file_type: file
+    use_regex: false
+    excludes:
+      - "cv4pve-autosnap-{{ cv4pve_version }}"
+  register: found_files
+
+- name: Ensure old versions are absent
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  with_items: "{{ found_files['files'] }}"
+...

roles/mgrote_cv4pve_autosnap/tasks/main.yml

@@ -2,74 +2,9 @@
 - name: include user tasks
   ansible.builtin.include_tasks: user.yml
 
+- name: include install tasks
+  ansible.builtin.include_tasks: install.yml
 
-- name: create directories
-  become: true
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    owner: "{{ cv4pve_user }}"
-    group: "{{ cv4pve_user_group }}"
-    mode: "0644"
-  loop:
-    - '/tmp/cv4pve'
-    - '/usr/local/bin/cv4pve'
-
-- name: download archives
-  become: true
-  ansible.builtin.get_url:
-    url: "{{ cv4pve_dl_link }}"
-    dest: /tmp/cv4pve/cv4pve-autosnap-linux-x64.zip
-    mode: '0775'
-    owner: "{{ cv4pve_user }}"
-    group: "{{ cv4pve_user_group }}"
-
-- name: extract archives
-  become: true
-  ansible.builtin.unarchive:
-    src: /tmp/cv4pve/cv4pve-autosnap-linux-x64.zip
-    dest: /usr/local/bin/cv4pve
-    remote_src: true
-    mode: a+x
-    owner: "{{ cv4pve_user }}"
-    group: "{{ cv4pve_user_group }}"
-
-- name: template cv4pve.service
-  become: true
-  ansible.builtin.template:
-    src: cv4pve.service.j2
-    dest: /etc/systemd/system/cv4pve.service
-    owner: root
-    group: root
-    mode: "0644"
-  notify:
-    - systemctl daemon-reload
-
-- name: template cv4pve_mail.service
-  become: true
-  ansible.builtin.template:
-    src: cv4pve_mail.service.j2
-    dest: /etc/systemd/system/cv4pve_mail.service
-    owner: root
-    group: root
-    mode: "0644"
-  notify:
-    - systemctl daemon-reload
-
-- name: template cv4pve.timer
-  become: true
-  ansible.builtin.template:
-    src: cv4pve.timer.j2
-    dest: /etc/systemd/system/cv4pve.timer
-    owner: root
-    group: root
-    mode: "0644"
-  notify:
-    - systemctl daemon-reload
-
-- name: systemctl start cv4pve.timer
-  become: true
-  ansible.builtin.systemd:
-    name: cv4pve.timer
-    state: started
-    enabled: true
+- name: include systemd tasks
+  ansible.builtin.include_tasks: systemd.yml
+...

roles/mgrote_cv4pve_autosnap/tasks/systemd.yml

@@ -0,0 +1,38 @@
+---
+- name: Ensure service-unit (cv4pve) is templated
+  ansible.builtin.template:
+    src: cv4pve.service.j2
+    dest: /etc/systemd/system/cv4pve.service
+    owner: root
+    group: root
+    mode: "0644"
+  no_log: true
+  notify:
+    - systemctl daemon-reload
+
+- name: Ensure service-unit (mail) is templated
+  ansible.builtin.template:
+    src: cv4pve_mail.service.j2
+    dest: /etc/systemd/system/cv4pve_mail.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - systemctl daemon-reload
+
+- name: Ensure service-unit (timer) is templated
+  ansible.builtin.template:
+    src: cv4pve.timer.j2
+    dest: /etc/systemd/system/cv4pve.timer
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - systemctl daemon-reload
+
+- name: Ensure timer is started is templated
+  ansible.builtin.systemd:
+    name: cv4pve.timer
+    state: started
+    enabled: true
+...

roles/mgrote_cv4pve_autosnap/tasks/user.yml

@@ -1,5 +1,5 @@
 ---
-- name: ensure group exists
+- name: Ensure group exists
   become: true
   ansible.builtin.group:
     name: "{{ cv4pve_user_group }}"
@@ -7,7 +7,7 @@
   when:
     - cv4pve_user_group is defined
 
-- name: ensure user exists
+- name: Ensure user exists
   become: true
   ansible.builtin.user:
     name: "{{ cv4pve_user }}"
@@ -17,3 +17,4 @@
   when:
     - cv4pve_user_group is defined
     - cv4pve_user is defined
+...

roles/mgrote_cv4pve_autosnap/templates/cv4pve.service.j2

@@ -6,4 +6,4 @@ OnFailure=cv4pve_mail.service
 
 [Service]
 Type=simple
-ExecStart=/usr/local/bin/cv4pve/cv4pve-autosnap --host=127.0.0.1 --api-token {{ cv4pve_api_user }}={{ cv4pve_api_token }} --vmid="{{ cv4pve_vmid }}" snap --label='daily' --keep="{{ cv4pve_keep_snapshots }}" --state
+ExecStart={{ cv4pve_base_path }}/cv4pve-autosnap-{{ cv4pve_version }} --host=127.0.0.1 --api-token {{ cv4pve_api_user }}={{ cv4pve_api_token }} --vmid="{{ cv4pve_vmid }}" snap --label='daily' --keep="{{ cv4pve_keep_snapshots }}" --state

roles/mgrote_cv4pve_autosnap/templates/cv4pve.timer.j2

@@ -6,6 +6,5 @@ Description=Timer: Trigger VM-Snapshots in PVE with cv4pve.
 OnCalendar=*-*-* {{ cv4pve_cron_hour }}:{{ cv4pve_cron_minute }}:00
 RandomizedDelaySec=10 min
 
-
 [Install]
 WantedBy=timers.target multi-user.target

roles/mgrote_cv4pve_autosnap/templates/cv4pve_mail.service.j2

@@ -1,5 +1,4 @@
 {{ file_header | default () }}
-
 [Unit]
 Description=Send a Mail in case of an error in cv4pve.service.
 

roles/mgrote_dotfiles/README.md

@@ -1,11 +0,0 @@
-## mgrote.dotfiles
-
-### Beschreibung
-Klont das dotfile-repo und erstellt notwendige Ordner.
-
-### getestet auf
-- [x] Ubuntu (>=18.04)
-- [x] Linux Mint
-
-### Variablen + Defaults
-see [defaults](./defaults/main.yml)