feat(docker): Removed nodes docker-host10 and docker-host12

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
feat(docker): match services that moved to k3s
2025-09-15 23:19:39 +02:00 · 2025-09-13 18:57:56 +02:00 · 2025-09-07 23:43:20 +02:00 · 2025-09-07 21:40:21 +02:00 · 2025-09-07 21:28:23 +02:00 · 2025-09-07 21:24:31 +02:00
244 changed files with 4332 additions and 62462 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,33 @@
 ---
 # .ansible-lint
 # Specify exclude paths to prevent linting vendor roles, etc.
 exclude_paths:
  - ./.git/
  - ./.venv/
  - ./galaxy_roles/
 # A list of rules to skip. This is a more modern and readable alternative to 'skip_list'.
 skip_list:
  - experimental
  - fqcn-builtins
  - no-handler
  - var-naming
  - no-changed-when
  - risky-shell-pipe
 # Enforce certain rules that are not enabled by default.
 enable_list:
  - no-free-form
  - var-spacing
  - no-log-password
  - no-relative-path
  - command-instead-of-module
  - fqcn[deep]
  - no-changed-when
 # Offline mode disables any features that require internet access.
 offline: false
 # Set the desired verbosity level.
 verbosity: 1
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,17 @@
 root = true
 [*]
 indent_style = space
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 [*.{yml,yaml}]
 indent_size = 2
 [*.py]
 indent_size = 4
 [*.md]
 trim_trailing_whitespace = false
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +0,0 @@
 /secrets.yml
 *.ovpn
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,23 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files
  - repo: local
    hooks:
      - id: ansible-galaxy-install
        name: Install ansible-galaxy collections
        entry: ansible-galaxy collection install -r requirements.yml
        language: system
        pass_filenames: false
        always_run: true
  - repo: https://github.com/ansible/ansible-lint
    rev: v6.22.2
    hooks:
      - id: ansible-lint
        files: \.(yaml|yml)$
        additional_dependencies:
          - ansible-core==2.15.8
--- a/Diagram.drawio
+++ b/Diagram.drawio
@@ -1,207 +0,0 @@
 <mxfile host="app.diagrams.net" modified="2023-11-05T13:55:54.105Z" agent="Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0" etag="qKRITLw66apjhZnPW2mG" version="21.6.2" pages="2">
  <diagram id="JSIfkQgaAO27B-iO4uI6" name="Homelab Overview">
    <mxGraphModel dx="2924" dy="1194" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
      <root>
        <mxCell id="0" />
        <mxCell id="1" parent="0" />
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-54" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="z4CzeoHyWsNDpYlZFiTu-73" target="z4CzeoHyWsNDpYlZFiTu-27">
          <mxGeometry relative="1" as="geometry">
            <mxPoint x="-500" y="530" as="targetPoint" />
            <Array as="points">
              <mxPoint x="10" y="320" />
              <mxPoint x="-515" y="320" />
            </Array>
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-66" value="192.168.20.1/24" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="z4CzeoHyWsNDpYlZFiTu-54">
          <mxGeometry x="-0.3363" y="1" relative="1" as="geometry">
            <mxPoint as="offset" />
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-55" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.25;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="1" source="z4CzeoHyWsNDpYlZFiTu-73" target="z4CzeoHyWsNDpYlZFiTu-35">
          <mxGeometry relative="1" as="geometry">
            <mxPoint x="180" y="290" as="sourcePoint" />
            <Array as="points">
              <mxPoint x="105" y="360" />
              <mxPoint x="-20" y="360" />
            </Array>
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-65" value="192.168.30.1/24" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="z4CzeoHyWsNDpYlZFiTu-55">
          <mxGeometry x="-0.1082" y="1" relative="1" as="geometry">
            <mxPoint x="52" as="offset" />
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-56" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;exitX=0.75;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="1" source="z4CzeoHyWsNDpYlZFiTu-73" target="z4CzeoHyWsNDpYlZFiTu-41">
          <mxGeometry relative="1" as="geometry">
            <Array as="points">
              <mxPoint x="295" y="360" />
              <mxPoint x="420" y="360" />
            </Array>
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-67" value="192.168.40.1/24" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="z4CzeoHyWsNDpYlZFiTu-56">
          <mxGeometry x="-0.1475" y="-2" relative="1" as="geometry">
            <mxPoint x="-33" as="offset" />
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-57" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=1;exitDx=0;exitDy=0;" edge="1" parent="1" source="z4CzeoHyWsNDpYlZFiTu-73" target="z4CzeoHyWsNDpYlZFiTu-39">
          <mxGeometry relative="1" as="geometry">
            <Array as="points">
              <mxPoint x="390" y="320" />
              <mxPoint x="820" y="320" />
            </Array>
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-68" value="192.168.50.1/24" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="z4CzeoHyWsNDpYlZFiTu-57">
          <mxGeometry x="-0.2384" y="-3" relative="1" as="geometry">
            <mxPoint as="offset" />
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-27" value="Homelab VLAN20" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
          <mxGeometry x="-750" y="600" width="470" height="400" as="geometry">
            <mxRectangle x="-750" y="600" width="140" height="30" as="alternateBounds" />
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-90" value="&lt;div&gt;aya01.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.12&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server_storage;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-27">
          <mxGeometry x="20" y="40" width="105" height="105" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-19" value="&lt;div&gt;pi.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.11&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-27">
          <mxGeometry x="250" y="40" width="90" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-17" value="&lt;div&gt;inko.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.14&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-27">
          <mxGeometry x="140" y="40" width="90" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-20" value="&lt;div&gt;naruto.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.13&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-27">
          <mxGeometry x="360" y="40" width="90" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-35" value="User VLAN30" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
          <mxGeometry x="-200" y="600" width="360" height="400" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-28" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.tablet;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-35">
          <mxGeometry x="50" y="50" width="100" height="70" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-8" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.pc;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-35">
          <mxGeometry x="100" y="140" width="100" height="70" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-33" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.mobile;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-35">
          <mxGeometry x="250" y="70" width="50" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-36" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.video_projector;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-35">
          <mxGeometry x="220" y="210" width="100" height="35" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-46" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.laptop;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-35">
          <mxGeometry x="50" y="260" width="100" height="55" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-39" value="IoT VLAN50" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
          <mxGeometry x="680" y="600" width="280" height="460" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-52" value="&lt;div&gt;Brother MFC-L2710DW&lt;/div&gt;&lt;div&gt;192.168.50.219&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.copier;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-39">
          <mxGeometry x="20" y="35" width="100" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-51" value="&lt;div&gt;Brother QL-820NWB&lt;/div&gt;&lt;div&gt;192.168.50.218&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.copier;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-39">
          <mxGeometry x="150" y="35" width="100" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-60" value="Lightbulbs" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.comm_link;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-39">
          <mxGeometry x="50" y="190" width="40" height="80" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-62" value="Shelly Power Outlet" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.comm_link;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-39">
          <mxGeometry x="180" y="190" width="40" height="80" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-81" value="BirbCam" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.security_camera;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-39">
          <mxGeometry x="30" y="330" width="100" height="75" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-53" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="z4CzeoHyWsNDpYlZFiTu-40" target="z4CzeoHyWsNDpYlZFiTu-73">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-69" value="192.168.200.1/32" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="z4CzeoHyWsNDpYlZFiTu-53">
          <mxGeometry x="-0.3672" relative="1" as="geometry">
            <mxPoint as="offset" />
          </mxGeometry>
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-40" value="netcup VPS" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
          <mxGeometry x="-290" y="40" width="150" height="220" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-38" value="&lt;div&gt;mii.seyshiro.de&lt;/div&gt;&lt;div&gt;tudattr.dev&lt;br&gt;&lt;/div&gt;&lt;div&gt;192.168.200.2&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.proxy_server;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-40">
          <mxGeometry x="20" y="50" width="105" height="105" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-41" value="Guest VLAN40" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
          <mxGeometry x="240" y="600" width="360" height="280" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-44" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.mobile;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-41">
          <mxGeometry x="250" y="70" width="50" height="100" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-47" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.tablet;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-41">
          <mxGeometry x="40" y="50" width="100" height="70" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-48" value="" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.laptop;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-41">
          <mxGeometry x="90" y="160" width="100" height="55" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-73" value="&lt;div&gt;Network Backbone&amp;nbsp;&lt;/div&gt;&lt;div&gt;(Management VLAN 70)&lt;/div&gt;" style="swimlane;whiteSpace=wrap;html=1;startSize=40;" vertex="1" parent="1">
          <mxGeometry x="10" y="40" width="380" height="220" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-10" value="&lt;div&gt;Mikrotik CRS 326&lt;/div&gt;&lt;div&gt;192.168.70.1&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.router;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-73">
          <mxGeometry x="60" y="85" width="100" height="30" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-70" value="&lt;div&gt;TP-Link EAP 225&lt;/div&gt;&lt;div&gt;192.168.70.250&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.wireless_modem;" vertex="1" parent="z4CzeoHyWsNDpYlZFiTu-73">
          <mxGeometry x="260" y="57.5" width="100" height="85" as="geometry" />
        </mxCell>
        <mxCell id="z4CzeoHyWsNDpYlZFiTu-71" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;endArrow=none;endFill=0;" edge="1" parent="z4CzeoHyWsNDpYlZFiTu-73" source="z4CzeoHyWsNDpYlZFiTu-10" target="z4CzeoHyWsNDpYlZFiTu-70">
          <mxGeometry relative="1" as="geometry">
            <mxPoint x="30" y="142.5" as="sourcePoint" />
          </mxGeometry>
        </mxCell>
      </root>
    </mxGraphModel>
  </diagram>
  <diagram id="2pU-qBdMS-FfD6IS7qYU" name="VLAN View">
    <mxGraphModel dx="2440" dy="1405" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
      <root>
        <mxCell id="0" />
        <mxCell id="1" parent="0" />
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-28" value="netcup VPS" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
          <mxGeometry x="480" y="20" width="150" height="220" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-29" value="&lt;div&gt;mii.seyshiro.de&lt;/div&gt;&lt;div&gt;tudattr.dev&lt;br&gt;&lt;/div&gt;&lt;div&gt;192.168.200.2&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.proxy_server;" vertex="1" parent="7z5INb6uvPQJT5LWZGVQ-28">
          <mxGeometry x="20" y="50" width="105" height="105" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-34" value="&lt;div&gt;Network Backbone&amp;nbsp;&lt;/div&gt;&lt;div&gt;(Management VLAN 70)&lt;/div&gt;" style="swimlane;whiteSpace=wrap;html=1;startSize=40;" vertex="1" parent="1">
          <mxGeometry x="780" y="20" width="380" height="220" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-36" value="&lt;div&gt;TP-Link EAP 225&lt;/div&gt;&lt;div&gt;192.168.70.250&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.wireless_modem;" vertex="1" parent="7z5INb6uvPQJT5LWZGVQ-34">
          <mxGeometry x="260" y="57.5" width="100" height="85" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-35" value="&lt;div&gt;Mikrotik CRS 326&lt;/div&gt;&lt;div&gt;192.168.70.1&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.router;" vertex="1" parent="7z5INb6uvPQJT5LWZGVQ-34">
          <mxGeometry x="60" y="100" width="100" height="30" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-13" value="&lt;div&gt;naruto.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.13&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server;" vertex="1" parent="1">
          <mxGeometry x="420" y="370" width="90" height="100" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-11" value="&lt;div&gt;pi.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.11&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server;" vertex="1" parent="1">
          <mxGeometry x="310" y="370" width="90" height="100" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-12" value="&lt;div&gt;inko.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.14&lt;br&gt;&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server;" vertex="1" parent="1">
          <mxGeometry x="200" y="370" width="90" height="100" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-10" value="&lt;div&gt;aya01.seyshiro.de&lt;/div&gt;&lt;div&gt;192.168.20.12&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.server_storage;" vertex="1" parent="1">
          <mxGeometry x="80" y="370" width="105" height="105" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-21" value="&lt;div&gt;Brother MFC-L2710DW&lt;/div&gt;&lt;div&gt;192.168.50.219&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.copier;" vertex="1" parent="1">
          <mxGeometry x="1330" y="160" width="100" height="100" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-22" value="&lt;div&gt;Brother QL-820NWB&lt;/div&gt;&lt;div&gt;192.168.50.218&lt;/div&gt;" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.copier;" vertex="1" parent="1">
          <mxGeometry x="1460" y="160" width="100" height="100" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-23" value="Lightbulbs" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.comm_link;" vertex="1" parent="1">
          <mxGeometry x="1360" y="315" width="40" height="80" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-24" value="Shelly Power Outlet" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.comm_link;" vertex="1" parent="1">
          <mxGeometry x="1490" y="315" width="40" height="80" as="geometry" />
        </mxCell>
        <mxCell id="7z5INb6uvPQJT5LWZGVQ-25" value="BirbCam" style="fontColor=#0066CC;verticalAlign=top;verticalLabelPosition=bottom;labelPosition=center;align=center;html=1;outlineConnect=0;fillColor=#CCCCCC;strokeColor=#6881B3;gradientColor=none;gradientDirection=north;strokeWidth=2;shape=mxgraph.networks.security_camera;" vertex="1" parent="1">
          <mxGeometry x="1340" y="455" width="100" height="75" as="geometry" />
        </mxCell>
      </root>
    </mxGraphModel>
  </diagram>
 </mxfile>
--- a/Diagram.pdf
+++ b/Diagram.pdf
--- a/README.md
+++ b/README.md
@@ -1,227 +1,71 @@
 # TuDatTr IaC
-## User
+**I do not recommend this project being used for ones own infrastructure, as
-It is expected that a user with sudo privilages is on the target, for me the users name is "tudattr"
+this project is heavily attuned to my specific host/network setup**
 you can add such user with the following command `useradd -m -g sudo -s /bin/bash tudattr`
 Don't forget to set a password for the new user with `passwd tudattr`
 ## sudo
 Install sudo on the target machine, with debian its
-```sh
+This Ansible project automates the setup of a K3s Kubernetes cluster on Proxmox VE. It also includes playbooks for configuring Docker hosts, load balancers, and other services.
 su root
 apt install sudo
 usermod -a -G sudo tudattr
 ```
-## Backups
+## Repository Structure
 Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone.
 but first of all we need to create the buckets and provide ansible with the needed information.
-First we need to create a api key for backblaze, consists of an id and a key.
+The repository is organized into the following main directories:
 we use clone to sync to backblaze.
 we can encrypt the data with rclone before sending it to backblaze.
 to do this we need two buckets:
 - b2
 - crypt
 on each device that should be backupped.
-we create these by running `rclone config` and creating one [remote] b2 config and a [secret] crypt config. The crypt config should have two passwords that we store in our secrets file.
+- `playbooks/`: Contains the main Ansible playbooks for different setup scenarios.
 - `roles/`: Contains the Ansible roles that are used by the playbooks.
 - `vars/`: Contains variable files, including group-specific variables.
-`
+## Playbooks
 ## Vault
 - Create vault with: `ansible-vault create secrets.yml`
 - Create entry in vault with: `ansible-vault edit secrets.yml`
 - Add following entries: TODO
-## Docker
+The following playbooks are available:
 To add new docker containers to the docker role you need to add the following and replace `service` with the name of your service:
- Add relevent vars to `group_vars/all/vars.yaml`:
+- `proxmox.yml`: Provisions VMs and containers on Proxmox VE.
-```yaml
+- `k3s-servers.yml`: Sets up the K3s master nodes.
-service:
+- `k3s-agents.yml`: Sets up the K3s agent nodes.
-  host: "service"
+- `k3s-loadbalancer.yml`: Configures a load balancer for the K3s cluster.
-  ports:
+- `k3s-storage.yml`: Configures storage for the K3s cluster.
-    http: "19999"
+- `docker.yml`: Sets up Docker hosts and their load balancer.
-  volumes:
+- `docker-host.yml`: Configures the docker hosts.
-    config: "{{ docker_dir }}/service/" # config folder or your dir
+- `docker-lb.yml`: Configures a load balancer for Docker services.
-    data: "{{ docker_data_dir }}/service/" # data folder or your dir (only works on aya01)
+- `kubernetes_setup.yml`: A meta-playbook for setting up the entire Kubernetes cluster.
 ```
- Create necessary directories for service in the docker role `roles/docker/tasks/service.yaml`
+## Roles
 ```yaml
 - name: Create service dirs
  file:
    path: "{{ item }}"
    owner: 1000
    group: 1000
    mode: '775'
    state: directory
  loop:
    - "{{ service.volumes.config }}"
    - "{{ service.volumes.data }}"
-# optional:
+The following roles are defined:
 # - name: Place service config
 #   template:
 #     owner: 1000
 #     mode: '660'
 #     src: "templates/hostname/service/service.yml"
 #     dest: "{{ prm_config }}/service.yml"
 ```
- Includ new tasks to `roles/docker/tasks/hostname_compose.yaml`:
+- `common`: Common configuration tasks for all nodes.
-```yaml
+- `proxmox`: Manages Proxmox VE, including VM and container creation.
- include_tasks: service.yaml
+- `k3s_server`: Installs and configures K3s master nodes.
-  tags:
+- `k3s_agent`: Installs and configures K3s agent nodes.
-    - service
+- `k3s_loadbalancer`: Configures an Nginx-based load balancer for the K3s cluster.
-```
+- `k3s_storage`: Configures storage solutions for Kubernetes.
 - `docker_host`: Installs and configures Docker.
 - `kubernetes_argocd`: Deploys Argo CD to the Kubernetes cluster.
 - `node_exporter`: Installs the Prometheus Node Exporter for monitoring.
 - `reverse_proxy`: Configures a Caddy-based reverse proxy.
- Add new service to compose `roles/docker/templates/hostname/compose.yaml`
+## Usage
 ```yaml
  service:
    image: service/service
    container_name: service
    hostname: service
    networks:
      - net
    ports:
      - "{{service_port}}:19999"
    restart: unless-stopped
    volumes:
      - "{{service_config}}:/etc/service"
      - "{{service_lib}}:/var/lib/service"
      - "{{service_cache}}:/var/cache/service"
 ```
-## Server
+1.  **Install dependencies:**
 - Install Debian (debian-11.5.0-amd64-netinst.iso) on remote system
 - Create user (tudattr)
 - Get IP of remote system (192.168.20.11)
 - Create ssh-config entry
  ```config
  Host aya01
    HostName 192.168.20.11
    Port 22
    User tudattr
    IdentityFile /mnt/veracrypt1/genesis
  ```
  - copy public key to remote system
  `ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01`
 - Add this host to ansible inventory
 - Install sudo on remote
 - add user to sudo group (with `su --login` without login the path will not be loaded correctly see [here](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918754)) and `usermod -a -G sudo tudattr`
 - set time correctly when getting the following error
 ```sh
 Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied.
 ```
 By doing on remote system (example):
 ```sh
 sudo systemctl stop ntp.service
 sudo ntpd -gq
 sudo systemctl start ntp.service
 ```
 ### zoneminder
 - Enable authentification in (Option->System)
 - Create new Camera:
  - General>Name: BirdCam
  - General>Function: Ffmpeg
  - General>Function: Modect
  - Source>Source Path: `rtsp://user:pw@ip:554/cam/mpeg4`
 - Change default admin password
 - Create users
    ```bash
    pip install -r requirements.txt
    ansible-galaxy install -r requirements.yml
    ```
 2.  **Configure variables:**
-## RaspberryPi
+    - Create an inventory file (e.g., `vars/k3s.ini`).
- Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi
+    - Adjust variables in `vars/group_vars/` to match your environment.
 - Get IP of remote system (192.168.20.11)
 - Create ssh-config entry
 ```config
 Host pi
     HostName 192.168.20.11
     Port 22
     User tudattr
     IdentityFile /mnt/veracrypt1/genesis
 ```
 - enable ssh on pi
 - copy public key to pi
 - change user password of user on pi
 - execute `ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml`
-## Mikrotik
+3.  **Run playbooks:**
 - Create rsa-key on your device and name it mikrotik_rsa
 - On mikrotik run: `/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr`
 - Create ssh-config entry:
 ```config
 Host mikrotik
     HostName 192.168.70.1
     Port 2200
     User tudattr
     IdentityFile /mnt/veracrypt1/mikrotik_rsa
 ```
-### wireguard
+    ```bash
-thanks to [mikrotik](https://www.medo64.com/2022/04/wireguard-on-mikrotik-routeros-7/)0
+    # To provision VMs on Proxmox
-quick code
+    ansible-playbook -i vars/proxmox.ini playbooks/proxmox.yml
 ```
 # add wiregurad interface
 interface/wireguard/add listen-port=51820 name=wg1
 # get public key
 interface/wireguard/print
 $ > public-key: <mikrotik_public_key>
 # add network/ip for wireguard interface
 ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1
 # add firewall rule for wireguard (maybe specify to be from pppoe-wan)
 /ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept 
 # routing for wg1 clients and rest of the network
 > <insert forward for routing between wg1 and other networks>
 # enable internet for wg1 clients (may have to add to enable internet list
 /ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade
 ```
 add peer
 ```
 /interface/wireguard/peers/add interface=wg1 allowed-address=<untaken_ipv4>/24 public-key="<client_public_key"
 ```
-Keygeneragion on archlinux `wg genkey | (umask 0077 && tee wireguard.key) | wg pubkey > peer_A.pub`
+    # To set up the K3s cluster
-Wireguard config on archlinux at `/etc/wireguard/wg0.conf`:
+    ansible-playbook -i vars/k3s.ini playbooks/kubernetes_setup.yml
-```
+    ```
 [Interface]
 PrivateKey = <client_private_key>
 Address = 192.168.200.250/24
-[Peer]
+## Disclaimer
 PublicKey = <mikrotik public key>
 Endpoint = tudattr.dev:51820
 AllowedIPs = 0.0.0.0/0
 ```
 used ipv4: 
 - tudattr: 192.168.200.250
 - livei: 192.168.200.240
-#### notes
+This project is highly customized for the author's specific environment. Using it without modification is not recommended.
 - wireguard->add
  name: wg_tunnel01
  listen port: 51820
  [save]
 - wireguard->peers->add
  interface: wg_tunnel01
  endpoint port: 51820
  allowed address: ::/0
  psk: <password>
  persistent keepalive: 25
 - ip->address->address list->add
  address:192.168.200.1/24
  network: 192.168.200.0
  interface: wg_tunnel01
 ## troubleshooting
 ### Docker networking problem
 `docker system prune -a`
 ### Time problems (NTP service: n/a)
 systemctl status systemd-timesyncd.service
 when not available
 sudo apt install systemd-timesyncd/stable
 ### Syncthing inotify
 echo "fs.inotify.max_user_watches=204800" | sudo tee -a /etc/sysctl.conf
 https://forum.cloudron.io/topic/7163/how-to-increase-inotify-limit-for-syncthing/2
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,41 @@
 [defaults]
 # (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
 interpreter_python=python3
 # (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=./roles
 # (pathlist) Comma separated list of Ansible inventory sources
 inventory=./vars/
 # (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
 # If executable, it will be run and the resulting stdout will be used as the password.
 vault_password_file=/media/veracrypt1/scripts/ansible_vault.sh
 # (list) Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these.
 # This affects vars_files, include_vars, inventory and vars plugins among others.
 yaml_valid_extensions=.yml
 # (boolean) Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host
 host_key_checking=False
 # (bool) This controls whether a failed Ansible playbook should create a .retry file.
 ;retry_files_enabled=False
 # (path) This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled.
 # This file will be overwritten after each run with the list of failed hosts from all plays.
 ;retry_files_save_path=
 # (list) Allows to change the group variable precedence merge order.
 ;precedence=all_inventory, groups_inventory, all_plugins_inventory, all_plugins_play, groups_plugins_inventory, groups_plugins_play
 [colors]
 # (string) Defines the color to use when showing 'Skipped' task status
 skip=dark gray
 [tags]
 # (list) default list of tags to skip in your plays, has precedence over Run Tags
 ;skip=
 [inventory]
 ignore_extensions={{(REJECT_EXTS + ('.orig', '.cfg', '.retry', '.bak'))}}
--- a/ansible.cfg.default
+++ b/ansible.cfg.default
@@ -0,0 +1,690 @@
 [defaults]
 # (boolean) By default Ansible will issue a warning when received from a task action (module or action plugin)
 # These warnings can be silenced by adjusting this setting to False.
 ;action_warnings=True
 # (list) Accept list of cowsay templates that are 'safe' to use, set to empty list if you want to enable all installed templates.
 ;cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
 # (string) Specify a custom cowsay path or swap in your cowsay implementation of choice
 ;cowpath=
 # (string) This allows you to chose a specific cowsay stencil for the banners or use 'random' to cycle through them.
 ;cow_selection=default
 # (boolean) This option forces color mode even when running without a TTY or the "nocolor" setting is True.
 ;force_color=False
 # (path) The default root path for Ansible config files on the controller.
 ;home=~/.ansible
 # (boolean) This setting allows suppressing colorizing output, which is used to give a better indication of failure and status information.
 ;nocolor=False
 # (boolean) If you have cowsay installed but want to avoid the 'cows' (why????), use this.
 ;nocows=False
 # (boolean) Sets the default value for the any_errors_fatal keyword, if True, Task failures will be considered fatal errors.
 ;any_errors_fatal=False
 # (path) The password file to use for the become plugin. --become-password-file.
 # If executable, it will be run and the resulting stdout will be used as the password.
 ;become_password_file=
 # (pathspec) Colon separated paths in which Ansible will search for Become Plugins.
 ;become_plugins={{ ANSIBLE_HOME ~ "/plugins/become:/usr/share/ansible/plugins/become" }}
 # (string) Chooses which cache plugin to use, the default 'memory' is ephemeral.
 ;fact_caching=memory
 # (string) Defines connection or path information for the cache plugin
 ;fact_caching_connection=
 # (string) Prefix to use for cache plugin files/tables
 ;fact_caching_prefix=ansible_facts
 # (integer) Expiration timeout for the cache plugin data
 ;fact_caching_timeout=86400
 # (list) List of enabled callbacks, not all callbacks need enabling, but many of those shipped with Ansible do as we don't want them activated by default.
 ;callbacks_enabled=
 # (string) When a collection is loaded that does not support the running Ansible version (with the collection metadata key `requires_ansible`).
 ;collections_on_ansible_version_mismatch=warning
 # (pathspec) Colon separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``.
 ;collections_path={{ ANSIBLE_HOME ~ "/collections:/usr/share/ansible/collections" }}
 # (boolean) A boolean to enable or disable scanning the sys.path for installed collections
 ;collections_scan_sys_path=True
 # (path) The password file to use for the connection plugin. --connection-password-file.
 ;connection_password_file=
 # (pathspec) Colon separated paths in which Ansible will search for Action Plugins.
 ;action_plugins={{ ANSIBLE_HOME ~ "/plugins/action:/usr/share/ansible/plugins/action" }}
 # (boolean) When enabled, this option allows lookup plugins (whether used in variables as ``{{lookup('foo')}}`` or as a loop as with_foo) to return data that is not marked 'unsafe'.
 # By default, such data is marked as unsafe to prevent the templating engine from evaluating any jinja2 templating language, as this could represent a security risk. This option is provided to allow for backward compatibility, however users should first consider adding allow_unsafe=True to any lookups which may be expected to contain data which may be run through the templating engine late
 ;allow_unsafe_lookups=False
 # (boolean) This controls whether an Ansible playbook should prompt for a login password. If using SSH keys for authentication, you probably do not need to change this setting.
 ;ask_pass=False
 # (boolean) This controls whether an Ansible playbook should prompt for a vault password.
 ;ask_vault_pass=False
 # (pathspec) Colon separated paths in which Ansible will search for Cache Plugins.
 ;cache_plugins={{ ANSIBLE_HOME ~ "/plugins/cache:/usr/share/ansible/plugins/cache" }}
 # (pathspec) Colon separated paths in which Ansible will search for Callback Plugins.
 ;callback_plugins={{ ANSIBLE_HOME ~ "/plugins/callback:/usr/share/ansible/plugins/callback" }}
 # (pathspec) Colon separated paths in which Ansible will search for Cliconf Plugins.
 ;cliconf_plugins={{ ANSIBLE_HOME ~ "/plugins/cliconf:/usr/share/ansible/plugins/cliconf" }}
 # (pathspec) Colon separated paths in which Ansible will search for Connection Plugins.
 ;connection_plugins={{ ANSIBLE_HOME ~ "/plugins/connection:/usr/share/ansible/plugins/connection" }}
 # (boolean) Toggles debug output in Ansible. This is *very* verbose and can hinder multiprocessing.  Debug output can also include secret information despite no_log settings being enabled, which means debug mode should not be used in production.
 ;debug=False
 # (string) This indicates the command to use to spawn a shell under for Ansible's execution needs on a target. Users may need to change this in rare instances when shell usage is constrained, but in most cases it may be left as is.
 ;executable=/bin/sh
 # (string) This option allows you to globally configure a custom path for 'local_facts' for the implied :ref:`ansible_collections.ansible.builtin.setup_module` task when using fact gathering.
 # If not set, it will fallback to the default from the ``ansible.builtin.setup`` module: ``/etc/ansible/facts.d``.
 # This does **not** affect  user defined tasks that use the ``ansible.builtin.setup`` module.
 # The real action being created by the implicit task is currently    ``ansible.legacy.gather_facts`` module, which then calls the configured fact modules, by default this will be ``ansible.builtin.setup`` for POSIX systems but other platforms might have different defaults.
 ;fact_path=
 # (pathspec) Colon separated paths in which Ansible will search for Jinja2 Filter Plugins.
 ;filter_plugins={{ ANSIBLE_HOME ~ "/plugins/filter:/usr/share/ansible/plugins/filter" }}
 # (boolean) This option controls if notified handlers run on a host even if a failure occurs on that host.
 # When false, the handlers will not run if a failure has occurred on a host.
 # This can also be set per play or on the command line. See Handlers and Failure for more details.
 ;force_handlers=False
 # (integer) Maximum number of forks Ansible will use to execute tasks on target hosts.
 ;forks=5
 # (string) This setting controls the default policy of fact gathering (facts discovered about remote systems).
 # This option can be useful for those wishing to save fact gathering time. Both 'smart' and 'explicit' will use the cache plugin.
 ;gathering=implicit
 # (list) Set the `gather_subset` option for the :ref:`ansible_collections.ansible.builtin.setup_module` task in the implicit fact gathering. See the module documentation for specifics.
 # It does **not** apply to user defined ``ansible.builtin.setup`` tasks.
 ;gather_subset=
 # (integer) Set the timeout in seconds for the implicit fact gathering, see the module documentation for specifics.
 # It does **not** apply to user defined :ref:`ansible_collections.ansible.builtin.setup_module` tasks.
 ;gather_timeout=
 # (string) This setting controls how duplicate definitions of dictionary variables (aka hash, map, associative array) are handled in Ansible.
 # This does not affect variables whose values are scalars (integers, strings) or arrays.
 # **WARNING**, changing this setting is not recommended as this is fragile and makes your content (plays, roles, collections) non portable, leading to continual confusion and misuse. Don't change this setting unless you think you have an absolute need for it.
 # We recommend avoiding reusing variable names and relying on the ``combine`` filter and ``vars`` and ``varnames`` lookups to create merged versions of the individual variables. In our experience this is rarely really needed and a sign that too much complexity has been introduced into the data structures and plays.
 # For some uses you can also look into custom vars_plugins to merge on input, even substituting the default ``host_group_vars`` that is in charge of parsing the ``host_vars/`` and ``group_vars/`` directories. Most users of this setting are only interested in inventory scope, but the setting itself affects all sources and makes debugging even harder.
 # All playbooks and roles in the official examples repos assume the default for this setting.
 # Changing the setting to ``merge`` applies across variable sources, but many sources will internally still overwrite the variables. For example ``include_vars`` will dedupe variables internally before updating Ansible, with 'last defined' overwriting previous definitions in same file.
 # The Ansible project recommends you **avoid ``merge`` for new projects.**
 # It is the intention of the Ansible developers to eventually deprecate and remove this setting, but it is being kept as some users do heavily rely on it. New projects should **avoid 'merge'**.
 ;hash_behaviour=replace
 # (pathlist) Comma separated list of Ansible inventory sources
 ;inventory=/etc/ansible/hosts
 # (pathspec) Colon separated paths in which Ansible will search for HttpApi Plugins.
 ;httpapi_plugins={{ ANSIBLE_HOME ~ "/plugins/httpapi:/usr/share/ansible/plugins/httpapi" }}
 # (float) This sets the interval (in seconds) of Ansible internal processes polling each other. Lower values improve performance with large playbooks at the expense of extra CPU load. Higher values are more suitable for Ansible usage in automation scenarios, when UI responsiveness is not required but CPU usage might be a concern.
 # The default corresponds to the value hardcoded in Ansible <= 2.1
 ;internal_poll_interval=0.001
 # (pathspec) Colon separated paths in which Ansible will search for Inventory Plugins.
 ;inventory_plugins={{ ANSIBLE_HOME ~ "/plugins/inventory:/usr/share/ansible/plugins/inventory" }}
 # (string) This is a developer-specific feature that allows enabling additional Jinja2 extensions.
 # See the Jinja2 documentation for details. If you do not know what these do, you probably don't need to change this setting :)
 ;jinja2_extensions=[]
 # (boolean) This option preserves variable types during template operations.
 ;jinja2_native=False
 # (boolean) Enables/disables the cleaning up of the temporary files Ansible used to execute the tasks on the remote.
 # If this option is enabled it will disable ``ANSIBLE_PIPELINING``.
 ;keep_remote_files=False
 # (boolean) Controls whether callback plugins are loaded when running /usr/bin/ansible. This may be used to log activity from the command line, send notifications, and so on. Callback plugins are always loaded for ``ansible-playbook``.
 ;bin_ansible_callbacks=False
 # (tmppath) Temporary directory for Ansible to use on the controller.
 ;local_tmp={{ ANSIBLE_HOME ~ "/tmp" }}
 # (list) List of logger names to filter out of the log file
 ;log_filter=
 # (path) File to which Ansible will log on the controller. When empty logging is disabled.
 ;log_path=
 # (pathspec) Colon separated paths in which Ansible will search for Lookup Plugins.
 ;lookup_plugins={{ ANSIBLE_HOME ~ "/plugins/lookup:/usr/share/ansible/plugins/lookup" }}
 # (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`.  This is only relevant for those two modules.
 ;ansible_managed=Ansible managed
 # (string) This sets the default arguments to pass to the ``ansible`` adhoc binary if no ``-a`` is specified.
 ;module_args=
 # (string) Compression scheme to use when transferring Python modules to the target.
 ;module_compression=ZIP_DEFLATED
 # (string) Module to use with the ``ansible`` AdHoc command, if none is specified via ``-m``.
 ;module_name=command
 # (pathspec) Colon separated paths in which Ansible will search for Modules.
 ;library={{ ANSIBLE_HOME ~ "/plugins/modules:/usr/share/ansible/plugins/modules" }}
 # (pathspec) Colon separated paths in which Ansible will search for Module utils files, which are shared by modules.
 ;module_utils={{ ANSIBLE_HOME ~ "/plugins/module_utils:/usr/share/ansible/plugins/module_utils" }}
 # (pathspec) Colon separated paths in which Ansible will search for Netconf Plugins.
 ;netconf_plugins={{ ANSIBLE_HOME ~ "/plugins/netconf:/usr/share/ansible/plugins/netconf" }}
 # (boolean) Toggle Ansible's display and logging of task details, mainly used to avoid security disclosures.
 ;no_log=False
 # (boolean) Toggle Ansible logging to syslog on the target when it executes tasks. On Windows hosts this will disable a newer style PowerShell modules from writing to the event log.
 ;no_target_syslog=False
 # (raw) What templating should return as a 'null' value. When not set it will let Jinja2 decide.
 ;null_representation=
 # (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how often to check back on the status of those tasks when an explicit poll interval is not supplied. The default is a reasonably moderate 15 seconds which is a tradeoff between checking in frequently and providing a quick turnaround when something may have completed.
 ;poll_interval=15
 # (path) Option for connections using a certificate or key file to authenticate, rather than an agent or passwords, you can set the default value here to avoid re-specifying --private-key with every invocation.
 ;private_key_file=
 # (boolean) By default, imported roles publish their variables to the play and other roles, this setting can avoid that.
 # This was introduced as a way to reset role variables to default values if a role is used more than once in a playbook.
 # Included roles only make their variables public at execution, unlike imported roles which happen at playbook compile time.
 ;private_role_vars=False
 # (integer) Port to use in remote connections, when blank it will use the connection plugin default.
 ;remote_port=
 # (string) Sets the login user for the target machines
 # When blank it uses the connection plugin's default, normally the user currently executing Ansible.
 ;remote_user=
 # (pathspec) Colon separated paths in which Ansible will search for Roles.
 ;roles_path={{ ANSIBLE_HOME ~ "/roles:/usr/share/ansible/roles:/etc/ansible/roles" }}
 # (string) Set the main callback used to display Ansible output. You can only have one at a time.
 # You can have many other callbacks, but just one can be in charge of stdout.
 # See :ref:`callback_plugins` for a list of available options.
 ;stdout_callback=default
 # (string) Set the default strategy used for plays.
 ;strategy=linear
 # (pathspec) Colon separated paths in which Ansible will search for Strategy Plugins.
 ;strategy_plugins={{ ANSIBLE_HOME ~ "/plugins/strategy:/usr/share/ansible/plugins/strategy" }}
 # (boolean) Toggle the use of "su" for tasks.
 ;su=False
 # (string) Syslog facility to use when Ansible logs to the remote target
 ;syslog_facility=LOG_USER
 # (pathspec) Colon separated paths in which Ansible will search for Terminal Plugins.
 ;terminal_plugins={{ ANSIBLE_HOME ~ "/plugins/terminal:/usr/share/ansible/plugins/terminal" }}
 # (pathspec) Colon separated paths in which Ansible will search for Jinja2 Test Plugins.
 ;test_plugins={{ ANSIBLE_HOME ~ "/plugins/test:/usr/share/ansible/plugins/test" }}
 # (integer) This is the default timeout for connection plugins to use.
 ;timeout=10
 # (string) Can be any connection plugin available to your ansible installation.
 # There is also a (DEPRECATED) special 'smart' option, that will toggle between 'ssh' and 'paramiko' depending on controller OS and ssh versions.
 ;transport=ssh
 # (boolean) When True, this causes ansible templating to fail steps that reference variable names that are likely typoed.
 # Otherwise, any '{{ template_expression }}' that contains undefined variables will be rendered in a template or ansible action line exactly as written.
 ;error_on_undefined_vars=True
 # (pathspec) Colon separated paths in which Ansible will search for Vars Plugins.
 ;vars_plugins={{ ANSIBLE_HOME ~ "/plugins/vars:/usr/share/ansible/plugins/vars" }}
 # (string) The vault_id to use for encrypting by default. If multiple vault_ids are provided, this specifies which to use for encryption. The --encrypt-vault-id cli option overrides the configured value.
 ;vault_encrypt_identity=
 # (string) The label to use for the default vault id label in cases where a vault id label is not provided
 ;vault_identity=default
 # (list) A list of vault-ids to use by default. Equivalent to multiple --vault-id args. Vault-ids are tried in order.
 ;vault_identity_list=
 # (string) If true, decrypting vaults with a vault id will only try the password from the matching vault-id
 ;vault_id_match=False
 # (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
 # If executable, it will be run and the resulting stdout will be used as the password.
 ;vault_password_file=
 # (integer) Sets the default verbosity, equivalent to the number of ``-v`` passed in the command line.
 ;verbosity=0
 # (boolean) Toggle to control the showing of deprecation warnings
 ;deprecation_warnings=True
 # (boolean) Toggle to control showing warnings related to running devel
 ;devel_warning=True
 # (boolean) Normally ``ansible-playbook`` will print a header for each task that is run. These headers will contain the name: field from the task if you specified one. If you didn't then ``ansible-playbook`` uses the task's action to help you tell which task is presently running. Sometimes you run many of the same action and so you want more information about the task to differentiate it from others of the same action. If you set this variable to True in the config then ``ansible-playbook`` will also include the task's arguments in the header.
 # This setting defaults to False because there is a chance that you have sensitive values in your parameters and you do not want those to be printed.
 # If you set this to True you should be sure that you have secured your environment's stdout (no one can shoulder surf your screen and you aren't saving stdout to an insecure file) or made sure that all of your playbooks explicitly added the ``no_log: True`` parameter to tasks which have sensitive values See How do I keep secret data in my playbook? for more information.
 ;display_args_to_stdout=False
 # (boolean) Toggle to control displaying skipped task/host entries in a task in the default callback
 ;display_skipped_hosts=True
 # (string) Root docsite URL used to generate docs URLs in warning/error text; must be an absolute URL with valid scheme and trailing slash.
 ;docsite_root_url=https://docs.ansible.com/ansible-core/
 # (pathspec) Colon separated paths in which Ansible will search for Documentation Fragments Plugins.
 ;doc_fragment_plugins={{ ANSIBLE_HOME ~ "/plugins/doc_fragments:/usr/share/ansible/plugins/doc_fragments" }}
 # (string) By default Ansible will issue a warning when a duplicate dict key is encountered in YAML.
 # These warnings can be silenced by adjusting this setting to False.
 ;duplicate_dict_key=warn
 # (boolean) Whether or not to enable the task debugger, this previously was done as a strategy plugin.
 # Now all strategy plugins can inherit this behavior. The debugger defaults to activating when
 # a task is failed on unreachable. Use the debugger keyword for more flexibility.
 ;enable_task_debugger=False
 # (boolean) Toggle to allow missing handlers to become a warning instead of an error when notifying.
 ;error_on_missing_handler=True
 # (list) Which modules to run during a play's fact gathering stage, using the default of 'smart' will try to figure it out based on connection type.
 # If adding your own modules but you still want to use the default Ansible facts, you will want to include 'setup' or corresponding network module to the list (if you add 'smart', Ansible will also figure it out).
 # This does not affect explicit calls to the 'setup' module, but does always affect the 'gather_facts' action (implicit or explicit).
 ;facts_modules=smart
 # (boolean) Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host
 ;host_key_checking=True
 # (boolean) Facts are available inside the `ansible_facts` variable, this setting also pushes them as their own vars in the main namespace.
 # Unlike inside the `ansible_facts` dictionary, these will have an `ansible_` prefix.
 ;inject_facts_as_vars=True
 # (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
 ;interpreter_python=auto
 # (boolean) If 'false', invalid attributes for a task will result in warnings instead of errors
 ;invalid_task_attribute_failed=True
 # (boolean) Toggle to control showing warnings related to running a Jinja version older than required for jinja2_native
 ;jinja2_native_warning=True
 # (boolean) By default Ansible will issue a warning when there are no hosts in the inventory.
 # These warnings can be silenced by adjusting this setting to False.
 ;localhost_warning=True
 # (int) Maximum size of files to be considered for diff display
 ;max_diff_size=104448
 # (list) List of extensions to ignore when looking for modules to load
 # This is for rejecting script and binary module fallback extensions
 ;module_ignore_exts={{(REJECT_EXTS + ('.yaml', '.yml', '.ini'))}}
 # (bool) Enables whether module responses are evaluated for containing non UTF-8 data
 # Disabling this may result in unexpected behavior
 # Only ansible-core should evaluate this configuration
 ;module_strict_utf8_response=True
 # (list) TODO: write it
 ;network_group_modules=eos, nxos, ios, iosxr, junos, enos, ce, vyos, sros, dellos9, dellos10, dellos6, asa, aruba, aireos, bigip, ironware, onyx, netconf, exos, voss, slxos
 # (boolean) Previously Ansible would only clear some of the plugin loading caches when loading new roles, this led to some behaviours in which a plugin loaded in previous plays would be unexpectedly 'sticky'. This setting allows to return to that behaviour.
 ;old_plugin_cache_clear=False
 # (path) A number of non-playbook CLIs have a ``--playbook-dir`` argument; this sets the default value for it.
 ;playbook_dir=
 # (string) This sets which playbook dirs will be used as a root to process vars plugins, which includes finding host_vars/group_vars
 ;playbook_vars_root=top
 # (path) A path to configuration for filtering which plugins installed on the system are allowed to be used.
 # See :ref:`plugin_filtering_config` for details of the filter file's format.
 #  The default is /etc/ansible/plugin_filters.yml
 ;plugin_filters_cfg=
 # (string) Attempts to set RLIMIT_NOFILE soft limit to the specified value when executing Python modules (can speed up subprocess usage on Python 2.x. See https://bugs.python.org/issue11284). The value will be limited by the existing hard limit. Default value of 0 does not attempt to adjust existing system-defined limits.
 ;python_module_rlimit_nofile=0
 # (bool) This controls whether a failed Ansible playbook should create a .retry file.
 ;retry_files_enabled=False
 # (path) This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled.
 # This file will be overwritten after each run with the list of failed hosts from all plays.
 ;retry_files_save_path=
 # (str) This setting can be used to optimize vars_plugin usage depending on user's inventory size and play selection.
 ;run_vars_plugins=demand
 # (bool) This adds the custom stats set via the set_stats plugin to the default output
 ;show_custom_stats=False
 # (string) Action to take when a module parameter value is converted to a string (this does not affect variables). For string parameters, values such as '1.00', "['a', 'b',]", and 'yes', 'y', etc. will be converted by the YAML parser unless fully quoted.
 # Valid options are 'error', 'warn', and 'ignore'.
 # Since 2.8, this option defaults to 'warn' but will change to 'error' in 2.12.
 ;string_conversion_action=warn
 # (boolean) Allows disabling of warnings related to potential issues on the system running ansible itself (not on the managed hosts)
 # These may include warnings about 3rd party packages or other conditions that should be resolved if possible.
 ;system_warnings=True
 # (boolean) This option defines whether the task debugger will be invoked on a failed task when ignore_errors=True is specified.
 # True specifies that the debugger will honor ignore_errors, False will not honor ignore_errors.
 ;task_debugger_ignore_errors=True
 # (integer) Set the maximum time (in seconds) that a task can run for.
 # If set to 0 (the default) there is no timeout.
 ;task_timeout=0
 # (string) Make ansible transform invalid characters in group names supplied by inventory sources.
 ;force_valid_group_names=never
 # (boolean) Toggles the use of persistence for connections.
 ;use_persistent_connections=False
 # (bool) A toggle to disable validating a collection's 'metadata' entry for a module_defaults action group. Metadata containing unexpected fields or value types will produce a warning when this is True.
 ;validate_action_group_metadata=True
 # (list) Accept list for variable plugins that require it.
 ;vars_plugins_enabled=host_group_vars
 # (list) Allows to change the group variable precedence merge order.
 ;precedence=all_inventory, groups_inventory, all_plugins_inventory, all_plugins_play, groups_plugins_inventory, groups_plugins_play
 # (string) The salt to use for the vault encryption. If it is not provided, a random salt will be used.
 ;vault_encrypt_salt=
 # (bool) Force 'verbose' option to use stderr instead of stdout
 ;verbose_to_stderr=False
 # (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how long, in seconds, to wait for the task spawned by Ansible to connect back to the named pipe used on Windows systems. The default is 5 seconds. This can be too low on slower systems, or systems under heavy load.
 # This is not the total time an async command can run for, but is a separate timeout to wait for an async command to start. The task will only start to be timed against its async_timeout once it has connected to the pipe, so the overall maximum duration the task can take will be extended by the amount specified here.
 ;win_async_startup_timeout=5
 # (list) Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these.
 # This affects vars_files, include_vars, inventory and vars plugins among others.
 ;yaml_valid_extensions=.yml, .yaml, .json
 [privilege_escalation]
 # (boolean) Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method
 ;agnostic_become_prompt=True
 # (boolean) This setting controls if become is skipped when remote user and become user are the same. I.E root sudo to root.
 # If executable, it will be run and the resulting stdout will be used as the password.
 ;become_allow_same_user=False
 # (boolean) Toggles the use of privilege escalation, allowing you to 'become' another user after login.
 ;become=False
 # (boolean) Toggle to prompt for privilege escalation password.
 ;become_ask_pass=False
 # (string) executable to use for privilege escalation, otherwise Ansible will depend on PATH
 ;become_exe=
 # (string) Flags to pass to the privilege escalation executable.
 ;become_flags=
 # (string) Privilege escalation method to use when `become` is enabled.
 ;become_method=sudo
 # (string) The user your login/remote user 'becomes' when using privilege escalation, most systems will use 'root' when no user is specified.
 ;become_user=root
 [persistent_connection]
 # (path) Specify where to look for the ansible-connection script. This location will be checked before searching $PATH.
 # If null, ansible will start with the same directory as the ansible script.
 ;ansible_connection_path=
 # (int) This controls the amount of time to wait for response from remote device before timing out persistent connection.
 ;command_timeout=30
 # (integer) This controls the retry timeout for persistent connection to connect to the local domain socket.
 ;connect_retry_timeout=15
 # (integer) This controls how long the persistent connection will remain idle before it is destroyed.
 ;connect_timeout=30
 # (path) Path to socket to be used by the connection persistence system.
 ;control_path_dir={{ ANSIBLE_HOME ~ "/pc" }}
 [connection]
 # (boolean) This is a global option, each connection plugin can override either by having more specific options or not supporting pipelining at all.
 # Pipelining, if supported by the connection plugin, reduces the number of network operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfer.
 # It can result in a very significant performance improvement when enabled.
 # However this conflicts with privilege escalation (become). For example, when using 'sudo:' operations you must first disable 'requiretty' in /etc/sudoers on all managed hosts, which is why it is disabled by default.
 # This setting will be disabled if ``ANSIBLE_KEEP_REMOTE_FILES`` is enabled.
 ;pipelining=False
 [colors]
 # (string) Defines the color to use on 'Changed' task status
 ;changed=yellow
 # (string) Defines the default color to use for ansible-console
 ;console_prompt=white
 # (string) Defines the color to use when emitting debug messages
 ;debug=dark gray
 # (string) Defines the color to use when emitting deprecation messages
 ;deprecate=purple
 # (string) Defines the color to use when showing added lines in diffs
 ;diff_add=green
 # (string) Defines the color to use when showing diffs
 ;diff_lines=cyan
 # (string) Defines the color to use when showing removed lines in diffs
 ;diff_remove=red
 # (string) Defines the color to use when emitting error messages
 ;error=red
 # (string) Defines the color to use for highlighting
 ;highlight=white
 # (string) Defines the color to use when showing 'OK' task status
 ;ok=green
 # (string) Defines the color to use when showing 'Skipped' task status
 ;skip=cyan
 # (string) Defines the color to use on 'Unreachable' status
 ;unreachable=bright red
 # (string) Defines the color to use when emitting verbose messages. i.e those that show with '-v's.
 ;verbose=blue
 # (string) Defines the color to use when emitting warning messages
 ;warn=bright purple
 [selinux]
 # (boolean) This setting causes libvirt to connect to lxc containers by passing --noseclabel to virsh. This is necessary when running on systems which do not have SELinux.
 ;libvirt_lxc_noseclabel=False
 # (list) Some filesystems do not support safe operations and/or return inconsistent errors, this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors.
 # Data corruption may occur and writes are not always verified when a filesystem is in the list.
 ;special_context_filesystems=fuse, nfs, vboxsf, ramfs, 9p, vfat
 [diff]
 # (bool) Configuration toggle to tell modules to show differences when in 'changed' status, equivalent to ``--diff``.
 ;always=False
 # (integer) How many lines of context to show when displaying the differences between files.
 ;context=3
 [galaxy]
 # (path) The directory that stores cached responses from a Galaxy server.
 # This is only used by the ``ansible-galaxy collection install`` and ``download`` commands.
 # Cache files inside this dir will be ignored if they are world writable.
 ;cache_dir={{ ANSIBLE_HOME ~ "/galaxy_cache" }}
 # (bool) whether ``ansible-galaxy collection install`` should warn about ``--collections-path`` missing from configured :ref:`collections_paths`
 ;collections_path_warning=True
 # (path) Collection skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy collection``, same as ``--collection-skeleton``.
 ;collection_skeleton=
 # (list) patterns of files to ignore inside a Galaxy collection skeleton directory
 ;collection_skeleton_ignore=^.git$, ^.*/.git_keep$
 # (bool) Disable GPG signature verification during collection installation.
 ;disable_gpg_verify=False
 # (bool) Some steps in ``ansible-galaxy`` display a progress wheel which can cause issues on certain displays or when outputting the stdout to a file.
 # This config option controls whether the display wheel is shown or not.
 # The default is to show the display wheel if stdout has a tty.
 ;display_progress=
 # (path) Configure the keyring used for GPG signature verification during collection installation and verification.
 ;gpg_keyring=
 # (boolean) If set to yes, ansible-galaxy will not validate TLS certificates. This can be useful for testing against a server with a self-signed certificate.
 ;ignore_certs=
 # (list) A list of GPG status codes to ignore during GPG signature verification. See L(https://github.com/gpg/gnupg/blob/master/doc/DETAILS#general-status-codes) for status code descriptions.
 # If fewer signatures successfully verify the collection than `GALAXY_REQUIRED_VALID_SIGNATURE_COUNT`, signature verification will fail even if all error codes are ignored.
 ;ignore_signature_status_codes=
 # (str) The number of signatures that must be successful during GPG signature verification while installing or verifying collections.
 # This should be a positive integer or all to indicate all signatures must successfully validate the collection.
 # Prepend + to the value to fail if no valid signatures are found for the collection.
 ;required_valid_signature_count=1
 # (path) Role skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy``/``ansible-galaxy role``, same as ``--role-skeleton``.
 ;role_skeleton=
 # (list) patterns of files to ignore inside a Galaxy role or collection skeleton directory
 ;role_skeleton_ignore=^.git$, ^.*/.git_keep$
 # (string) URL to prepend when roles don't specify the full URI, assume they are referencing this server as the source.
 ;server=https://galaxy.ansible.com
 # (list) A list of Galaxy servers to use when installing a collection.
 # The value corresponds to the config ini header ``[galaxy_server.{{item}}]`` which defines the server details.
 # See :ref:`galaxy_server_config` for more details on how to define a Galaxy server.
 # The order of servers in this list is used to as the order in which a collection is resolved.
 # Setting this config option will ignore the :ref:`galaxy_server` config option.
 ;server_list=
 # (int) The default timeout for Galaxy API calls. Galaxy servers that don't configure a specific timeout will fall back to this value.
 ;server_timeout=60
 # (path) Local path to galaxy access token file
 ;token_path={{ ANSIBLE_HOME ~ "/galaxy_token" }}
 [inventory]
 # (string) This setting changes the behaviour of mismatched host patterns, it allows you to force a fatal error, a warning or just ignore it
 ;host_pattern_mismatch=warning
 # (boolean) If 'true', it is a fatal error when any given inventory source cannot be successfully parsed by any available inventory plugin; otherwise, this situation only attracts a warning.
 ;any_unparsed_is_failed=False
 # (bool) Toggle to turn on inventory caching.
 # This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
 # The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory configuration.
 # This message will be removed in 2.16.
 ;cache=False
 # (string) The plugin for caching inventory.
 # This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
 # The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
 # This message will be removed in 2.16.
 ;cache_plugin=
 # (string) The inventory cache connection.
 # This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
 # The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
 # This message will be removed in 2.16.
 ;cache_connection=
 # (string) The table prefix for the cache plugin.
 # This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
 # The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
 # This message will be removed in 2.16.
 ;cache_prefix=ansible_inventory_
 # (string) Expiration timeout for the inventory cache plugin data.
 # This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
 # The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
 # This message will be removed in 2.16.
 ;cache_timeout=3600
 # (list) List of enabled inventory plugins, it also determines the order in which they are used.
 ;enable_plugins=host_list, script, auto, yaml, ini, toml
 # (bool) Controls if ansible-inventory will accurately reflect Ansible's view into inventory or its optimized for exporting.
 ;export=False
 # (list) List of extensions to ignore when using a directory as an inventory source
 ;ignore_extensions={{(REJECT_EXTS + ('.orig', '.ini', '.cfg', '.retry'))}}
 # (list) List of patterns to ignore when using a directory as an inventory source
 ;ignore_patterns=
 # (bool) If 'true' it is a fatal error if every single potential inventory source fails to parse, otherwise this situation will only attract a warning.
 ;unparsed_is_failed=False
 # (boolean) By default Ansible will issue a warning when no inventory was loaded and notes that it will use an implicit localhost-only inventory.
 # These warnings can be silenced by adjusting this setting to False.
 ;inventory_unparsed_warning=True
 [netconf_connection]
 # (string) This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump host ssh settings should be present in ~/.ssh/config file, alternatively it can be set to custom ssh configuration file path to read the bastion/jump host settings.
 ;ssh_config=
 [paramiko_connection]
 # (boolean) TODO: write it
 ;host_key_auto_add=False
 # (boolean) TODO: write it
 ;look_for_keys=True
 [jinja2]
 # (list) This list of filters avoids 'type conversion' when templating variables
 # Useful when you want to avoid conversion into lists or dictionaries for JSON strings, for example.
 ;dont_type_filters=string, to_json, to_nice_json, to_yaml, to_nice_yaml, ppretty, json
 [tags]
 # (list) default list of tags to run in your plays, Skip Tags has precedence.
 ;run=
 # (list) default list of tags to skip in your plays, has precedence over Run Tags
 ;skip=
--- a/aya01.yml
+++ b/aya01.yml
@@ -1,29 +0,0 @@
 ---
 - name: Set up Servers
  hosts: aya01
  gather_facts: yes
  roles:
    - role: common
      tags:
        - common
    - role: samba
      tags:
        - samba
 #    - role: power_management
 #      tags:
 #        - power_management
    - role: backblaze
      tags:
        - backblaze
    - role: node_exporter
      tags:
        - node_exporter
    - role: snmp_exporter
      tags:
        - snmp_exporter
    - role: smart_exporter
      tags:
        - smart_exporter
    - role: docker
      tags:
        - docker
--- a/blog.md
+++ b/blog.md
@@ -0,0 +1,69 @@
 ---
 title: "Automating My Homelab: From Bare Metal to Kubernetes with Ansible"
 date: 2025-07-27
 author: "TuDatTr"
 tags: ["Ansible", "Proxmox", "Kubernetes", "K3s", "IaC", "Homelab"]
 ---
 ## The Homelab: Repeatable, Automated, and Documented
 For many tech enthusiasts, a homelab is a playground for learning, experimenting, and self-hosting services. But as the complexity grows, so does the management overhead. Manually setting up virtual machines, configuring networks, and deploying applications becomes a tedious and error-prone process. This lead me to building my homelab as Infrastructure as Code (IaC) with Ansible.
 This blog post walks you through my Ansible project, which automates the entire lifecycle of my homelab—from provisioning VMs on Proxmox to deploying a production-ready K3s Kubernetes cluster.
 ## Why Ansible?
 When I decided to automate my infrastructure, I considered several tools. I chose Ansible for its simplicity, agentless architecture, and gentle learning curve. Writing playbooks in YAML felt declarative and intuitive, and the vast collection of community-supported modules meant I wouldn't have to reinvent the wheel.
 ## The Architecture: A Multi-Layered Approach
 My Ansible project is designed to be modular and scalable, with a clear separation of concerns. It's built around a collection of roles, each responsible for a specific component of the infrastructure.
 ### Layer 1: Proxmox Provisioning
 The foundation of my homelab is Proxmox VE. The `proxmox` role is the first step in the automation pipeline. It handles:
 - **VM and Container Creation:** Using a simple YAML definition in my `vars` files, I can specify the number of VMs and containers to create, their resources (CPU, memory, disk), and their base operating system images.
 - **Cloud-Init Integration:** For VMs, I leverage Cloud-Init to perform initial setup, such as setting the hostname, creating users, and injecting SSH keys for Ansible to connect to.
 - **Hardware Passthrough:** The role also configures hardware passthrough for devices like Intel Quick Sync for video transcoding in my media server.
 ### Layer 2: The K3s Kubernetes Cluster
 With the base VMs ready, the next step is to build the Kubernetes cluster. I chose K3s for its lightweight footprint and ease of installation. The setup is divided into several roles:
 - `k3s_server`: This role bootstraps the first master node and then adds additional master nodes to create a highly available control plane.
 - `k3s_agent`: This role joins the worker nodes to the cluster.
 - `k3s_loadbalancer`: A dedicated VM running Nginx is set up to act as a load balancer for the K3s API server, ensuring a stable endpoint for `kubectl` and other clients.
 ### Layer 3: Applications and Services
 Once the Kubernetes cluster is up and running, it's time to deploy applications. My project includes roles for:
 - `docker_host`: For services that are better suited to run in a traditional Docker environment, this role sets up and configures Docker hosts.
 - `kubernetes_argocd`: I use Argo CD for GitOps-based continuous delivery. This role deploys Argo CD to the cluster and configures it to sync with my application repositories.
 - `reverse_proxy`: Caddy is my reverse proxy of choice, and this role automates its installation and configuration, including obtaining SSL certificates from Let's Encrypt.
 ## Putting It All Together: The Power of Playbooks
 The playbooks in the `playbooks/` directory tie everything together. For example, the `kubernetes_setup.yml` playbook runs all the necessary roles in the correct order to bring up the entire Kubernetes cluster from scratch.
 ```yaml
 # playbooks/kubernetes_setup.yml
 ---
 - name: Set up Kubernetes Cluster
  hosts: all
  gather_facts: true
  roles:
    - role: k3s_server
    - role: k3s_agent
    - role: k3s_loadbalancer
    - role: kubernetes_argocd
 ```
 ## Final Thoughts and Future Plans
 This Ansible project has transformed my homelab from a collection of manually configured machines into a fully automated and reproducible environment. I can now tear down and rebuild my entire infrastructure with a single command, which gives me the confidence to experiment without fear of breaking things.
 While the project is highly tailored to my specific needs, I hope this overview provides some inspiration for your own automation journey. The principles of IaC and the power of tools like Ansible can be applied to any environment, big or small.
 What's next? I plan to explore more advanced Kubernetes concepts, such as Cilium for networking and policy, and integrate more of my self-hosted services into the GitOps workflow with Argo CD. The homelab is never truly "finished," and that's what makes it so much fun.
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -1,545 +0,0 @@
 #
 # Essential
 #
 user: tudattr
 timezone: Europe/Berlin
 rclone_config: "/root/.config/rclone/"
 puid: "1000"
 pgid: "1000"
 pk_path: "/mnt/veracrypt1/genesis"
 pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+TYkkZRxl9 tuan@genesis-2022-01-20"
 local_domain: tudattr.dev
 local_subdomains: "local"
 remote_domain: tudattr.dev
 remote_subdomains: "www,plex,status,tautulli"
 backup_domain: seyshiro.de
 backup_subdomains: "hass,qbit,zm,"
 #
 # aya01
 #
 aya01_host: "aya01"
 aya01_ip: "192.168.20.12"
 #
 # mii
 #
 mii_host: "mii"
 mii_ip: "192.168.200.2"
 #
 # naruto
 #
 naruto_host: "naruto"
 naruto_ip: "192.168.20.13"
 #
 # pi
 #
 pi_host: "pi"
 pi_ip: "192.168.20.11"
 #
 # inko
 #
 inko_host: "inko"
 inko_ip: "192.168.20.14"
 #
 # Used to download for git releases
 #
 go_arch_map:
  i386: '386'
  x86_64: 'amd64'
  aarch64: 'arm64'
  armv7l: 'armv7'
  armv6l: 'armv6'
 go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
 #
 # aya01 - Disks
 #
 fstab_entries:
 - name: "config"
  path: "/opt"
  type: "ext4"
  uuid: "cad60133-dd84-4a2a-8db4-2881c608addf"
 - name: "media0"
  path: "/mnt/media0"
  type: "ext4"
  uuid: "c4c724ec-4fe3-4665-adf4-acd31d6b7f95"
 - name: "media1"
  path: "/mnt/media1"
  type: "ext4"
  uuid: "8d66d395-1e35-4f5a-a5a7-d181d6642ebf"
 mergerfs_entries:
  - name: "media"
    path: "/media"
    branches:
    - "/mnt/media0"
    - "/mnt/media1"
    opts:
    - "use_ino"
    - "allow_other"
    - "cache.files=partial"
    - "dropcacheonclose=true"
    - "category.create=mfs"
    type: "fuse.mergerfs"
 #
 # Packages
 #
 common_packages:
  - sudo
  - git
  - iperf3
  - git
  - smartmontools
  - vim 
  - curl
  - tree
  - rsync
  - systemd-timesyncd
  - neofetch
  - build-essential
  - btrfs-progs
 #
 # Docker
 #
 docker_repo_url: https://download.docker.com/linux
 docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
 docker_apt_release_channel: stable
 docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
 docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
 docker_network: "172.16.69.0/24"
 docker_compose_dir: /opt/docker/compose
 docker_dir: /opt/docker/config
 docker_data_dir: /media/docker/data # only available on aya01
 mysql_user: user
 #
 # ZoneMinder
 #
 zoneminder_host: "zm"
 zoneminder_port: "8081"
 zoneminder_network: "172.16.42.0/24"
 zoneminder_root: "{{ docker_dir }}/zm"
 zoneminder_config: "{{ zoneminder_root }}/config"
 zoneminder_log: "{{ zoneminder_root}}/log"
 zoneminder_db: "{{ zoneminder_root}}/db"
 zoneminder_data: "{{ docker_data_dir }}/zm/data"
 #
 # Syncthing
 #
 syncthing_host: "syncthing"
 syncthing_port: "8384"
 syncthing_data: "{{docker_data_dir}}/syncthing/"
 #
 # Softserve
 #
 softserve_data: "{{docker_dir}}/softserve/data"
 #
 # cupsd
 #
 cupsd_host: "cupsd"
 cupsd_port: "631"
 cupsd_config: "{{ docker_dir }}/cupsd/"
 #
 # Uptime Kuma
 #
 kuma_host: "status"
 kuma_port: "3001"
 kuma_config: "{{ docker_dir }}/kuma/"
 #
 # Traefik
 #
 traefik:
  host: "traefik"
  admin:
    port: "8080"
  config: "{{ docker_dir }}/traefik/etc-traefik/"
  data: "{{ docker_dir }}/traefik/var-log/"
  letsencrypt: "{{ docker_dir }}/traefik/letsencrypt/"
  user:
    web: "80"
    websecure: "443"
 #
 # DynDns Updater
 #
 ddns_host: "ddns"
 ddns_port: "8000"
 ddns_data:  "{{ docker_dir }}/ddns-updater/data/"
 #
 # Home Assistant
 #
 ha_host: "hass"
 ha_port: "8123"
 ha_config: "{{ docker_dir }}/home-assistant/config/"
 #
 # pihole
 #
 pihole_host: "pihole"
 pihole_port: "8089"
 pihole_config: "{{ docker_dir }}/pihole/etc-pihole/"
 pihole_dnsmasq: "{{ docker_dir }}/pihole/etc-dnsmasq.d/"
 #
 # backblaze
 #
 # Directories that will be backupped to backblaze
 # MOVED TO HOSTVARS
 # backblaze_paths:
 #   aya01:
 #     - "{{ docker_compose_dir }}"
 #     - "{{ docker_dir }}"
 #   pi:
 #     - "{{ docker_compose_dir }}"
 #     - "{{ docker_dir }}"
 #
 # samba
 #
 samba:
  dependencies:
    - "samba"
    - "smbclient"
    - "cifs-utils"
  user: "smbuser"
  group: "smbshare"
  config: "templates/smb.conf"
  shares:
    media:
      name: "media"
      path: "/media"
    paperless:
      name: "paperless"
      path: "{{ paperless.data.consume }}"
 #
 # netdata
 #
 netdata_port: "19999"
 netdata_config: "{{ docker_dir }}/netdata/"
 netdata_lib: "{{ docker_data_dir }}/netdata/lib/"
 netdata_cache: "{{ docker_data_dir }}/netdata/cache"
 #
 # Plex
 #
 plex_host: "plex"
 # plex_ip: "172.16.69.12"
 plex_port: "32400"
 plex_config: "{{docker_data_dir}}/{{ plex_host }}/config"
 plex_tv: "/media/series"
 plex_movies: "/media/movies"
 plex_music: "/media/songs"
 #
 # WireGuard
 #
 wg_config: "templates/wg0.conf"
 wg_remote_config: "/etc/wireguard/wg0.conf"
 wg_service: "wg-quick@wg0.service"
 wg_deps: "wireguard"
 wg_ip: "192.168.200.2"
 wg_pubkey: "+LaPESyBF6Sb1lqkk4UcestFpXNaKYyyX99tkqwLQhU="
 wg_endpoint: "{{ local_subdomains }}.{{ local_domain }}:51820"
 wg_allowed_ips: "192.168.20.0/24,192.168.200.1/32"
 wg_dns: "{{ aya01_ip }},{{ pi_ip }},1.1.1.1"
 arr_downloads: "{{ docker_data_dir }}/arr_downloads"
 #
 # Sonarr
 #
 sonarr_port: "8989"
 sonarr_host: "sonarr"
 sonarr_config: "{{ docker_dir }}/{{ sonarr_host }}/config"
 sonarr_media: "{{ plex_tv }}"
 sonarr_downloads: "{{ arr_downloads }}/{{ sonarr_host }}"
 #
 # Radarr
 #
 radarr_port: "7878"
 radarr_host: "radarr"
 radarr_config: "{{ docker_dir }}/{{ radarr_host }}/config"
 radarr_media: "{{ plex_movies }}"
 radarr_downloads: "{{ arr_downloads }}/{{ radarr_host }}"
 #
 # Lidarr
 #
 lidarr_port: "8686"
 lidarr_host: "lidarr"
 lidarr_config: "{{ docker_dir }}/{{ lidarr_host }}/config"
 lidarr_media: "{{ plex_music }}"
 lidarr_downloads: "{{ arr_downloads }}/{{ lidarr_host }}"
 #
 # Prowlarr
 #
 prowlarr_port: "9696"
 prowlarr_host: "prowlarr"
 prowlarr_config: "{{ docker_dir }}/{{ prowlarr_host }}/config"
 #
 # bin
 #
 bin_port: "6162"
 bin_host: "bin"
 bin_upload: "{{ docker_data_dir }}/{{bin_host}}/upload"
 #
 # qbittorrentvpn
 #
 qbit_port: "8082"
 qbit_host: "qbit"
 qbit_config: "templates/aya01/qbittorrentvpn/config"
 qbit_remote_config: "{{ docker_dir }}/{{ qbit_host }}/config"
 qbit_downloads: "{{ arr_downloads }}"
 qbit_type: "openvpn"
 qbit_ssl: "no"
 qbit_lan: "192.168.20.0/24, 192.168.30.0/24, {{ docker_network }}"
 qbit_dns: "{{ aya01_ip }}, {{ pi_ip }}, 1.1.1.1"
 #
 # qbittorrentvpn - torrentleech
 #
 torrentleech_port: "8083"
 torrentleech_host: "torrentleech"
 torrentleech_remote_config: "{{ docker_dir }}/{{ torrentleech_host }}/config"
 #
 # Home Assistant
 #
 hass_port: ""
 hass_host: "hass"
 #
 # Tautulli
 #
 tautulli_port: "8181"
 tautulli_host: "tautulli"
 tautulli_config: "{{ docker_dir }}/{{ tautulli_host }}/config"
 #
 # Code Server
 #
 code_port: "8443"
 code_host: "code"
 code_config: "{{ docker_dir }}/{{ code_host }}/config"
 #
 # GlueTun
 #
 gluetun_port: ""
 gluetun_host: "gluetun"
 gluetun_country: "Hungary"
 gluetun_config: "{{ docker_dir }}/{{ gluetun_host }}/config"
 #
 # NodeExporter
 #
 node_exporter:
  port: 9100
  host: 'node'
  version: 'latest'
  serve: 'localhost'
  options: ''
  bin_path: /usr/local/bin/node_exporter
 #
 # Prometheus
 #
 prometheus_puid: "65534"
 prometheus_pgid: "65534"
 prometheus_host: "prometheus"
 prometheus_data: "{{docker_data_dir}}/prometheus/"
 prometheus_config: "{{docker_dir}}/prometheus/"
 prometheus_port: "9090"
 #
 # Grafana
 #
 grafana_host: "grafana"
 grafana_port: "3000"
 grafana_data: "{{docker_data_dir}}/grafana/"
 grafana_config: "{{docker_dir}}/grafana/config/"
 grafana_logs: "{{docker_dir}}/grafana/logs/"
 grafana_puid: "472"
 grafana_pgid: "472"
 #
 # SNMP Exporter
 #
 snmp_exporter_port: "9116"
 snmp_exporter_target: "192.168.20.1"
 snmp_exporter_config: "{{ docker_dir }}/snmp_exporter/"
 snmp_exporter_host: "snmp_exporter"
 #
 # SMART Exporter
 #
 smart_exporter:
  port: 9633
  version: 'latest'
  options: '--web.listen-address=9633'
  bin_path: /usr/local/bin/smart_exporter
 #
 # Stirling-pdf
 #
 stirling:
  host: "stirling"
  dns: "pdf"
  port: 8084
 #
 # nginx proxy manager
 #
 nginx:
  host: "nginx"
  endpoints:
    http: 80
    https: 443
    admin: 8080
  paths:
    letsencrypt: "{{docker_dir}}/nginx/letsencrypt"
    data: "{{docker_dir}}/nginx/data"
 #
 # Jellyfin
 #
 jellyfin:
  host: "jellyfin"
  port: "8096"
  config: "{{docker_dir}}/jellyfin/config"
  cache: "{{docker_dir}}/jellyfin/cache"
  media:
    tv: "{{ plex_tv }}"
    movies: "{{ plex_movies }}"
    music: "{{ plex_music }}"
 #
 # paperless-ngx
 #
 paperless:
  host: "paperless"
  port: "8000"
  data:
    data: "{{ docker_dir }}/paperless/data/data"
    media: "{{ docker_dir }}/paperless/data/media"
    export: "{{ docker_dir }}/paperless/data/export"
    consume: "{{ docker_dir }}/paperless/data/consume"
  db:
    host: "paperless-sqlite"
    db: "paperless"
    user: "paperless"
    password: "{{ host.paperless.db.password }}"
    data: "{{ docker_dir }}/paperless/db/data"
  redis:
    host: "paperless-redis"
    data: "{{ docker_dir }}/paperless/redis/data"
 #
 # Homarr
 #
 homarr:
  host: "homarr"
  volumes:
    configs: "{{docker_dir}}/homarr/configs"
    data: "{{ docker_data_dir }}/homarr/data/"
    icons: "{{docker_dir}}/homarr/icons"
 #
 # gitea
 #
 gitea:
  host: "git"
  url: "https://git.tudattr.dev"
  volumes:
    data: "{{ docker_data_dir }}/gitea/data"
    config: "{{ docker_dir }}/gitea/config"
  ports:
    http: "3000"
    ssh: "2222"
  runner:
    host: "gitea-runner-{{ host.hostname }}"
    token: "{{ host.gitea.runner.token }}"
    name: "{{ host.hostname }}"
    volumes:
      data: "{{ docker_data_dir }}/gitea/runner/data/"
      config: "{{ docker_dir }}/gitea/runner/config/"
    config_file: "{{ docker_dir }}/gitea/runner/config/config.yml"
 #
 # Jellyseer
 #
 jellyseer:
  host: "jellyseer"
  ports:
    http: "5055"
  volumes:
    config: "{{ docker_dir }}/jellyseer/config"
--- a/host_vars/aya01.yml
+++ b/host_vars/aya01.yml
@@ -1,53 +0,0 @@
 ansible_user: "{{ user }}"
 ansible_host: 192.168.20.12
 ansible_port: 22
 ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.aya01.sudo }}'
 host:
  hostname: "aya01"
  ip: "{{ ansible_host }}"
  backblaze:
    account: "{{ vault.aya01.backblaze.account }}"
    key: "{{ vault.aya01.backblaze.key }}"
    remote: "remote:aya01-tudattr-dev"
    password: "{{ vault.aya01.rclone.password }}"
    password2: "{{ vault.aya01.rclone.password2 }}"
    paths:
      - "{{ docker_compose_dir }}"
      - "{{ docker_dir }}"
  fstab:
    - name: "config"
      path: "/opt"
      type: "ext4"
      uuid: "cad60133-dd84-4a2a-8db4-2881c608addf"
    - name: "media0"
      path: "/mnt/media0"
      type: "ext4"
      uuid: "c4c724ec-4fe3-4665-adf4-acd31d6b7f95"
    - name: "media1"
      path: "/mnt/media1"
      type: "ext4"
      uuid: "8d66d395-1e35-4f5a-a5a7-d181d6642ebf"
  mergerfs:
  - name: "media"
    path: "/media"
    branches:
      - "/mnt/media0"
      - "/mnt/media1"
    opts:
      - "use_ino"
      - "allow_other"
      - "cache.files=partial"
      - "dropcacheonclose=true"
      - "category.create=mfs"
    type: "fuse.mergerfs"
  samba:
    password: "{{ vault.aya01.samba.password }}"
  paperless:
    db:
      password: "{{ vault.aya01.paperless.db.password }}"
  gitea:
    runner:
      token: "{{ vault.aya01.gitea.runner.token }}"
      name: "aya01"
--- a/host_vars/inko.yml
+++ b/host_vars/inko.yml
@@ -1,10 +0,0 @@
 ansible_user: "{{ user }}"
 ansible_host: 192.168.20.14
 ansible_port: 22
 ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.inko.sudo }}'
 host:
  ip: "{{ ansible_host }}"
  fstab:
  mergerfs:
--- a/host_vars/mii.yml
+++ b/host_vars/mii.yml
@@ -1,20 +0,0 @@
 ansible_user: "{{ user }}"
 ansible_host: 202.61.207.139
 ansible_port: 22
 ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.mii.sudo }}'
 host:
  hostname: "mii"
  ip: "192.168.200.2"
  backblaze:
    account: "{{ vault.mii.backblaze.account }}"
    key: "{{ vault.mii.backblaze.key }}"
    remote: "remote:mii-tudattr-dev"
    password: "{{ vault.mii.rclone.password }}"
    password2: "{{ vault.mii.rclone.password2 }}"
    paths:
      - "{{ docker_compose_dir }}"
      - "{{ docker_dir }}"
  fstab:
  mergerfs:
--- a/host_vars/naruto.yml
+++ b/host_vars/naruto.yml
@@ -1,23 +0,0 @@
 ansible_user: "{{ user }}"
 ansible_host: 192.168.20.13
 ansible_port: 22
 ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.naruto.sudo }}'
 host:
  hostname: "naruto"
  ip: "{{ ansible_host }}"
  backblaze:
    account: "{{ vault.naruto.backblaze.account }}"
    key: "{{ vault.naruto.backblaze.key }}"
    remote: "remote:naruto-tudattr-dev"
    password: "{{ vault.naruto.rclone.password }}"
    password2: "{{ vault.naruto.rclone.password2 }}"
    paths:
      - "{{ docker_compose_dir }}"
      - "{{ docker_dir }}"
  fstab:
  mergerfs:
  gitea:
    runner:
      token: "{{ vault.naruto.gitea.runner.token }}"
--- a/host_vars/pi.yml
+++ b/host_vars/pi.yml
@@ -1,23 +0,0 @@
 ansible_user: "{{ user }}"
 ansible_host: 192.168.20.11
 ansible_port: 22
 ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.pi.sudo }}'
 host:
  hostname: "pi"
  ip: "{{ ansible_host }}"
  backblaze:
    account: "{{ vault.pi.backblaze.account }}"
    key: "{{ vault.pi.backblaze.key }}"
    remote: "remote:pi-tudattr-dev"
    password: "{{ vault.pi.rclone.password }}"
    password2: "{{ vault.pi.rclone.password2 }}"
    paths:
      - "{{ docker_compose_dir }}"
      - "{{ docker_dir }}"
  fstab:
  mergerfs:
  gitea:
    runner:
      token: "{{ vault.pi.gitea.runner.token }}"
--- a/inko.yml
+++ b/inko.yml
@@ -1,14 +0,0 @@
 ---
 - name: Set up Servers
  hosts: inko
  gather_facts: yes
  roles:
    - role: common
      tags:
        - common
    - role: power_management
      tags:
        - power_management
    - role: node_exporter
      tags:
        - node_exporter
--- a/mii.yml
+++ b/mii.yml
@@ -1,20 +0,0 @@
 ---
 - name: Set up Servers
  hosts: mii
  gather_facts: yes
  roles:
    - role: common
      tags:
        - common
    - role: backblaze
      tags:
        - backblaze
    - role: node_exporter
      tags:
        - node_exporter
    - role: docker
      tags:
        - docker
    - role: wireguard
      tags:
        - wireguard
--- a/naruto.yml
+++ b/naruto.yml
@@ -1,17 +0,0 @@
 ---
 - name: Set up Servers
  hosts: naruto
  gather_facts: yes
  roles:
    - role: common
      tags:
        - common
    - role: samba
      tags:
        - samba
    - role: node_exporter
      tags:
        - node_exporter
    - role: smart_exporter
      tags:
        - smart_exporter
--- a/pi.yml
+++ b/pi.yml
@@ -1,17 +0,0 @@
 ---
 - name: Set up Raspberry Pis
  hosts: pi
  gather_facts: yes
  roles:
    - role: common
      tags:
        - common
    - role: backblaze
      tags:
        - backblaze
    - role: node_exporter
      tags:
        - node_exporter
    - role: docker
      tags:
        - docker
--- a/playbooks/docker-host.yml
+++ b/playbooks/docker-host.yml
@@ -0,0 +1,11 @@
 ---
 - name: Set up Servers
  hosts: docker_host
  gather_facts: true
  roles:
    # - role: common
    #   tags:
    #     - common
    - role: docker_host
      tags:
        - docker_host
--- a/playbooks/docker-lb.yml
+++ b/playbooks/docker-lb.yml
@@ -0,0 +1,13 @@
 ---
 - name: Set up reverse proxy for docker
  hosts: docker
  gather_facts: true
  roles:
    - role: common
      tags:
        - common
      when: inventory_hostname in groups["docker_lb"]
    - role: reverse_proxy
      tags:
        - reverse_proxy
      when: inventory_hostname in groups["docker_lb"]
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -0,0 +1,5 @@
 ---
 - name: Setup Docker Hosts
  ansible.builtin.import_playbook: docker-host.yml
 - name: Setup Docker load balancer
  ansible.builtin.import_playbook: docker-lb.yml
--- a/playbooks/k3s-agents.yml
+++ b/playbooks/k3s-agents.yml
@@ -0,0 +1,16 @@
 - name: Set up Agents
  hosts: k3s
  gather_facts: true
  roles:
    - role: common
      when: inventory_hostname in groups["k3s_agent"]
      tags:
        - common
    - role: k3s_agent
      when: inventory_hostname in groups["k3s_agent"]
      tags:
        - k3s_agent
    # - role: node_exporter
    #   when: inventory_hostname in groups["k3s_agent"]
    #   tags:
    #     - node_exporter
--- a/playbooks/k3s-loadbalancer.yml
+++ b/playbooks/k3s-loadbalancer.yml
@@ -0,0 +1,17 @@
 ---
 - name: Set up Servers
  hosts: k3s
  gather_facts: true
  roles:
    - role: common
      tags:
        - common
      when: inventory_hostname in groups["k3s_loadbalancer"]
    - role: k3s_loadbalancer
      tags:
        - k3s_loadbalancer
      when: inventory_hostname in groups["k3s_loadbalancer"]
    # - role: node_exporter
    #   tags:
    #     - node_exporter
    #   when: inventory_hostname in groups["k3s_loadbalancer"]
--- a/playbooks/k3s-servers.yml
+++ b/playbooks/k3s-servers.yml
@@ -0,0 +1,17 @@
 ---
 - name: Set up Servers
  hosts: k3s
  gather_facts: true
  roles:
    - role: common
      tags:
        - common
      when: inventory_hostname in groups["k3s_server"]
    - role: k3s_server
      tags:
        - k3s_server
      when: inventory_hostname in groups["k3s_server"]
    # - role: node_exporter
    #   tags:
    #     - node_exporter
    #   when: inventory_hostname in groups["k3s_server"]
--- a/playbooks/k3s-storage.yml
+++ b/playbooks/k3s-storage.yml
@@ -0,0 +1,16 @@
 - name: Set up storage
  hosts: k3s_nodes
  gather_facts: true
  roles:
    - role: common
      when: inventory_hostname in groups["k3s_storage"]
      tags:
        - common
    - role: k3s_storage
      when: inventory_hostname in groups["k3s_storage"]
      tags:
        - k3s_storage
    # - role: node_exporter
    #   when: inventory_hostname in groups["k3s_storage"]
    #   tags:
    #     - node_exporter
--- a/playbooks/kubernetes_setup.yml
+++ b/playbooks/kubernetes_setup.yml
@@ -0,0 +1,10 @@
 ---
 - name: Setup Kubernetes Cluster
  hosts: kubernetes
  any_errors_fatal: true
  gather_facts: false
  vars:
    is_localhost: "{{ inventory_hostname == '127.0.0.1' }}"
  roles:
    - role: kubernetes_argocd
      when: is_localhost
--- a/playbooks/proxmox.yml
+++ b/playbooks/proxmox.yml
@@ -0,0 +1,15 @@
 ---
 - name: Run proxmox vm playbook
  hosts: proxmox
  gather_facts: true
  vars:
    is_localhost: "{{ inventory_hostname == '127.0.0.1' }}"
    is_proxmox_node: "{{ 'proxmox_nodes' in group_names }}"
  roles:
    - role: common
      tags:
        - common
      when: not is_localhost
    - role: proxmox
      tags:
        - proxmox
--- a/9
+++ b/9
@@ -1,9 +0,0 @@
 [server]
 aya01
 [raspberry]
 pi
 naruto
 [vps]
 mii
--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,28 @@
 cachetools==5.5.2
 certifi==2025.1.31
 cfgv==3.4.0
 charset-normalizer==3.4.1
 distlib==0.4.0
 durationpy==0.10
 filelock==3.18.0
 google-auth==2.40.3
 identify==2.6.12
 idna==3.10
 kubernetes==33.1.0
 nc-dnsapi==0.1.3
 nodeenv==1.9.1
 oauthlib==3.3.1
 platformdirs==4.3.8
 pre_commit==4.2.0
 proxmoxer==2.2.0
 pyasn1==0.6.1
 pyasn1_modules==0.4.2
 python-dateutil==2.9.0.post0
 PyYAML==6.0.2
 requests==2.32.3
 requests-oauthlib==2.0.0
 rsa==4.9.1
 six==1.17.0
 urllib3==2.3.0
 virtualenv==20.32.0
 websocket-client==1.8.0
--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,5 @@
 ---
 collections:
  - name: community.docker
  - name: community.general
  - name: kubernetes.core
--- a/roles/backblaze/tasks/backup.yml
+++ b/roles/backblaze/tasks/backup.yml
@@ -1,24 +0,0 @@
 ---
 - name: Shut down docker
  systemd:
    name: docker
    state: stopped
  become: true
  # - name: Backing up for "{{ inventory_hostname }}"
  #   shell:
  #     cmd: "rclone sync {{ item }} secret:{{ item }} --transfers 16"
  #   loop: "{{ host.backblaze.paths }}"
  #   become: true
 - name: Backing up for "{{ inventory_hostname }}"
  shell:
    cmd: "rclone sync {{ item }} secret:{{ item }} --skip-links"
  loop: "{{ host.backblaze.paths }}"
  become: true
 - name: Restart docker
  systemd:
    name: docker
    state: started
  become: true
--- a/roles/backblaze/tasks/config.yml
+++ b/roles/backblaze/tasks/config.yml
@@ -1,18 +0,0 @@
 ---
 - name: Create rclone config folder
  file:
    path: "{{ rclone_config }}"
    owner: '0'
    group: '0'
    mode: '700'
    state: directory
  become: true
 - name: Copy "rclone.conf"
  template:
    src: "rclone.conf.j2"
    dest: "{{ rclone_config }}/rclone.conf"
    owner: '0'
    group: '0'
    mode: '400'
  become: true
--- a/roles/backblaze/tasks/install.yml
+++ b/roles/backblaze/tasks/install.yml
@@ -1,13 +0,0 @@
 ---
 - name: Update and upgrade packages 
  apt:
    update_cache: true
    upgrade: true
    autoremove: true
  become: true
 - name: Install rclone
  apt:
    name: "rclone"
    state: present
  become: true
--- a/roles/backblaze/tasks/main.yml
+++ b/roles/backblaze/tasks/main.yml
@@ -1,5 +0,0 @@
 ---
 - include_tasks: install.yml
 - include_tasks: config.yml
 - include_tasks: backup.yml
--- a/roles/backblaze/templates/rclone.conf.j2
+++ b/roles/backblaze/templates/rclone.conf.j2
@@ -1,10 +0,0 @@
 [remote]
 type = b2
 account = {{ host.backblaze.account }}
 key = {{ host.backblaze.key }}
 [secret]
 type = crypt
 remote = {{ host.backblaze.remote }}
 password = {{ host.backblaze.password }}
 password2 = {{ host.backblaze.password2 }}
--- a/roles/common/README.md
+++ b/roles/common/README.md
@@ -0,0 +1,49 @@
 # Ansible Role: common
 This role configures a baseline set of common configurations for Debian-based systems.
 ## Requirements
 None.
 ## Role Variables
 Available variables are listed below, along with default values (see `vars/main.yml`):
 ```yaml
 # The hostname to configure.
 hostname: "new-host"
 # A list of extra packages to install.
 extra_packages:
  - "htop"
  - "ncdu"
  - "stow"
  - "unzip"
 ```
 ## Dependencies
 None.
 ## Example Playbook
 Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
 ```yaml
 - hosts: servers
  roles:
    - role: common
      hostname: "my-new-host"
      extra_packages:
        - "vim"
        - "curl"
 ```
 ## License
 MIT
 ## Author Information
 This role was created in 2025 by [TuDatTr](https://codeberg.org/tudattr/).
--- a/roles/common/files/bash/bash_aliases
+++ b/roles/common/files/bash/bash_aliases
@@ -0,0 +1,4 @@
 alias cat=batcat
 alias vim=nvim
 alias fd=fdfind
 alias ls=eza
--- a/roles/common/templates/common/bash/bashrc.j2
+++ b/roles/common/templates/common/bash/bashrc.j2
@@ -1,7 +1,7 @@
 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 case $- in
-    *i*) ;;
+*i*) ;;
-      *) return;;
+*) return ;;
 esac
 HISTCONTROL=ignoreboth
 shopt -s histappend
@@ -9,39 +9,38 @@ HISTSIZE=1000
 HISTFILESIZE=2000
 shopt -s checkwinsize
 if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
-    debian_chroot=$(cat /etc/debian_chroot)
+  debian_chroot=$(cat /etc/debian_chroot)
 fi
 case "$TERM" in
-    xterm-color|*-256color) color_prompt=yes;;
+xterm-color | *-256color) color_prompt=yes ;;
 esac
 if [ -n "$force_color_prompt" ]; then
-    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+  if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
-	color_prompt=yes
+    color_prompt=yes
-    else
+  else
-	color_prompt=
+    color_prompt=
-    fi
+  fi
 fi
 if [ "$color_prompt" = yes ]; then
-    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+  PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
 else
-    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+  PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
 fi
 unset color_prompt force_color_prompt
 case "$TERM" in
-xterm*|rxvt*)
+xterm* | rxvt*)
-    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+  PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
-    ;;
+  ;;
-*)
+*) ;;
    ;;
 esac
 if [ -x /usr/bin/dircolors ]; then
-    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+  test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
-    alias ls='ls --color=auto'
+  alias ls='ls --color=auto'
 fi
 if [ -f ~/.bash_aliases ]; then
-    . ~/.bash_aliases
+  . ~/.bash_aliases
 fi
 if ! shopt -oq posix; then
@@ -52,5 +51,6 @@ if ! shopt -oq posix; then
  fi
 fi
-
+if [ -f /etc/profile ]; then
-. "$HOME/.cargo/env"
+  . /etc/profile
 fi
--- a/roles/common/files/ghostty/infocmp
+++ b/roles/common/files/ghostty/infocmp
@@ -0,0 +1,80 @@
 xterm-ghostty|ghostty|Ghostty,
 	am, bce, ccc, hs, km, mc5i, mir, msgr, npc, xenl, AX, Su, Tc, XT, fullkbd,
 	colors#0x100, cols#80, it#8, lines#24, pairs#0x7fff,
 	acsc=++\,\,--..00``aaffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~,
 	bel=^G, blink=\E[5m, bold=\E[1m, cbt=\E[Z, civis=\E[?25l,
 	clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=\r,
 	csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H,
 	cud=\E[%p1%dB, cud1=\n, cuf=\E[%p1%dC, cuf1=\E[C,
 	cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A,
 	cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m,
 	dl=\E[%p1%dM, dl1=\E[M, dsl=\E]2;\007, ech=\E[%p1%dX,
 	ed=\E[J, el=\E[K, el1=\E[1K, flash=\E[?5h$<100/>\E[?5l,
 	fsl=^G, home=\E[H, hpa=\E[%i%p1%dG, ht=^I, hts=\EH,
 	ich=\E[%p1%d@, ich1=\E[@, il=\E[%p1%dL, il1=\E[L, ind=\n,
 	indn=\E[%p1%dS,
 	initc=\E]4;%p1%d;rgb:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\,
 	invis=\E[8m, kDC=\E[3;2~, kEND=\E[1;2F, kHOM=\E[1;2H,
 	kIC=\E[2;2~, kLFT=\E[1;2D, kNXT=\E[6;2~, kPRV=\E[5;2~,
 	kRIT=\E[1;2C, kbs=^?, kcbt=\E[Z, kcub1=\EOD, kcud1=\EOB,
 	kcuf1=\EOC, kcuu1=\EOA, kdch1=\E[3~, kend=\EOF, kent=\EOM,
 	kf1=\EOP, kf10=\E[21~, kf11=\E[23~, kf12=\E[24~,
 	kf13=\E[1;2P, kf14=\E[1;2Q, kf15=\E[1;2R, kf16=\E[1;2S,
 	kf17=\E[15;2~, kf18=\E[17;2~, kf19=\E[18;2~, kf2=\EOQ,
 	kf20=\E[19;2~, kf21=\E[20;2~, kf22=\E[21;2~,
 	kf23=\E[23;2~, kf24=\E[24;2~, kf25=\E[1;5P, kf26=\E[1;5Q,
 	kf27=\E[1;5R, kf28=\E[1;5S, kf29=\E[15;5~, kf3=\EOR,
 	kf30=\E[17;5~, kf31=\E[18;5~, kf32=\E[19;5~,
 	kf33=\E[20;5~, kf34=\E[21;5~, kf35=\E[23;5~,
 	kf36=\E[24;5~, kf37=\E[1;6P, kf38=\E[1;6Q, kf39=\E[1;6R,
 	kf4=\EOS, kf40=\E[1;6S, kf41=\E[15;6~, kf42=\E[17;6~,
 	kf43=\E[18;6~, kf44=\E[19;6~, kf45=\E[20;6~,
 	kf46=\E[21;6~, kf47=\E[23;6~, kf48=\E[24;6~,
 	kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q, kf51=\E[1;3R,
 	kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~,
 	kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~,
 	kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~,
 	kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~,
 	kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~,
 	kind=\E[1;2B, kmous=\E[<, knp=\E[6~, kpp=\E[5~,
 	kri=\E[1;2A, oc=\E]104\007, op=\E[39;49m, rc=\E8,
 	rep=%p1%c\E[%p2%{1}%-%db, rev=\E[7m, ri=\EM,
 	rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B, rmam=\E[?7l,
 	rmcup=\E[?1049l, rmir=\E[4l, rmkx=\E[?1l\E>, rmso=\E[27m,
 	rmul=\E[24m, rs1=\E]\E\\\Ec, sc=\E7,
 	setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m,
 	setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m,
 	sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m,
 	sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h,
 	smcup=\E[?1049h, smir=\E[4h, smkx=\E[?1h\E=, smso=\E[7m,
 	smul=\E[4m, tbc=\E[3g, tsl=\E]2;, u6=\E[%i%d;%dR, u7=\E[6n,
 	u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd,
 	BD=\E[?2004l, BE=\E[?2004h, Clmg=\E[s,
 	Cmg=\E[%i%p1%d;%p2%ds, Dsmg=\E[?69l, E3=\E[3J,
 	Enmg=\E[?69h, Ms=\E]52;%p1%s;%p2%s\007, PE=\E[201~,
 	PS=\E[200~, RV=\E[>c, Se=\E[2 q,
 	Setulc=\E[58:2::%p1%{65536}%/%d:%p1%{256}%/%{255}%&%d:%p1%{255}%&%d%;m,
 	Smulx=\E[4:%p1%dm, Ss=\E[%p1%d q,
 	Sync=\E[?2026%?%p1%{1}%-%tl%eh%;,
 	XM=\E[?1006;1000%?%p1%{1}%=%th%el%;, XR=\E[>0q,
 	fd=\E[?1004l, fe=\E[?1004h, kDC3=\E[3;3~, kDC4=\E[3;4~,
 	kDC5=\E[3;5~, kDC6=\E[3;6~, kDC7=\E[3;7~, kDN=\E[1;2B,
 	kDN3=\E[1;3B, kDN4=\E[1;4B, kDN5=\E[1;5B, kDN6=\E[1;6B,
 	kDN7=\E[1;7B, kEND3=\E[1;3F, kEND4=\E[1;4F,
 	kEND5=\E[1;5F, kEND6=\E[1;6F, kEND7=\E[1;7F,
 	kHOM3=\E[1;3H, kHOM4=\E[1;4H, kHOM5=\E[1;5H,
 	kHOM6=\E[1;6H, kHOM7=\E[1;7H, kIC3=\E[2;3~, kIC4=\E[2;4~,
 	kIC5=\E[2;5~, kIC6=\E[2;6~, kIC7=\E[2;7~, kLFT3=\E[1;3D,
 	kLFT4=\E[1;4D, kLFT5=\E[1;5D, kLFT6=\E[1;6D,
 	kLFT7=\E[1;7D, kNXT3=\E[6;3~, kNXT4=\E[6;4~,
 	kNXT5=\E[6;5~, kNXT6=\E[6;6~, kNXT7=\E[6;7~,
 	kPRV3=\E[5;3~, kPRV4=\E[5;4~, kPRV5=\E[5;5~,
 	kPRV6=\E[5;6~, kPRV7=\E[5;7~, kRIT3=\E[1;3C,
 	kRIT4=\E[1;4C, kRIT5=\E[1;5C, kRIT6=\E[1;6C,
 	kRIT7=\E[1;7C, kUP=\E[1;2A, kUP3=\E[1;3A, kUP4=\E[1;4A,
 	kUP5=\E[1;5A, kUP6=\E[1;6A, kUP7=\E[1;7A, kxIN=\E[I,
 	kxOUT=\E[O, rmxx=\E[29m, rv=\E\\[[0-9]+;[0-9]+;[0-9]+c,
 	setrgbb=\E[48:2:%p1%d:%p2%d:%p3%dm,
 	setrgbf=\E[38:2:%p1%d:%p2%d:%p3%dm, smxx=\E[9m,
 	xm=\E[<%i%p3%d;%p1%d;%p2%d;%?%p4%tM%em%;,
 	xr=\EP>\\|[ -~]+a\E\\,
--- a/roles/common/files/ssh/root/sshd_config
+++ b/roles/common/files/ssh/root/sshd_config
@@ -0,0 +1,18 @@
 Protocol 2
 PermitRootLogin yes
 MaxAuthTries 3
 PubkeyAuthentication yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 AllowAgentForwarding no
 AllowTcpForwarding yes
 X11Forwarding no
 PrintMotd no
 TCPKeepAlive no
 ClientAliveCountMax 2
 TrustedUserCAKeys /etc/ssh/vault-ca.pub
 UseDNS yes
 AcceptEnv LANG LC_*
 Subsystem	sftp	/usr/lib/openssh/sftp-server
--- a/roles/common/files/ssh/user/sshd_config
+++ b/roles/common/files/ssh/user/sshd_config
@@ -0,0 +1,18 @@
 Protocol 2
 PermitRootLogin no
 MaxAuthTries 3
 PubkeyAuthentication yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 AllowAgentForwarding no
 AllowTcpForwarding no
 X11Forwarding no
 PrintMotd no
 TCPKeepAlive no
 ClientAliveCountMax 2
 TrustedUserCAKeys /etc/ssh/vault-ca.pub
 UseDNS yes
 AcceptEnv LANG LC_*
 Subsystem	sftp	/usr/lib/openssh/sftp-server
--- a/roles/common/files/ssh/vault-ca.pub
+++ b/roles/common/files/ssh/vault-ca.pub
@@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,6 @@
 ---
 - name: Restart sshd
  service:
    name: sshd
    state: restarted
  become: true
--- a/roles/common/tasks/bash.yml
+++ b/roles/common/tasks/bash.yml
@@ -1,10 +1,24 @@
 ---
- name: Copy .bashrc
+- name: Copy bash-configs
-  template:
+  ansible.builtin.template:
-    src: templates/common/bash/bashrc.j2
+    src: "files/bash/{{ item }}"
-    dest: "/home/{{ user }}/.bashrc"
+    dest: "{{ ansible_env.HOME }}/.{{ item }}"
-    owner: "{{ user }}"
+    owner: "{{ ansible_user_id }}"
-    group: "{{ user }}"
+    group: "{{ ansible_user_id }}"
-    mode: 0644
+    mode: "644"
-  become: yes
+  loop:
-  register: sshd
+    - bashrc
    - bash_aliases
 - name: Copy ghostty infocmp
  ansible.builtin.copy:
    src: files/ghostty/infocmp
    dest: "{{ ansible_env.HOME }}/ghostty"
    owner: "{{ ansible_user_id }}"
    group: "{{ ansible_user_id }}"
    mode: "0644"
  register: ghostty_terminfo
 - name: Compile ghostty terminalinfo
  ansible.builtin.command: "tic -x {{ ansible_env.HOME }}/ghostty"
  when: ghostty_terminfo.changed
--- a/roles/common/tasks/essential.yml
+++ b/roles/common/tasks/essential.yml
@@ -1,13 +0,0 @@
 ---
 - name: Update and upgrade packages 
  apt:
    update_cache: yes
    upgrade: yes
    autoremove: yes
  become: yes
 - name: Install extra packages
  apt:
    name: "{{ common_packages }}"
    state: present
  become: yes
--- a/roles/common/tasks/extra_packages.yml
+++ b/roles/common/tasks/extra_packages.yml
@@ -0,0 +1,95 @@
 ---
 - name: Ensure /etc/apt/keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  become: true
 - name: Download and save Gierens repository GPG key
  ansible.builtin.get_url:
    url: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
    dest: /etc/apt/keyrings/gierens.asc
    mode: "0644"
  become: true
 - name: Add Gierens repository to apt sources
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/gierens.asc] http://deb.gierens.de stable main"
    state: present
    update_cache: true
  become: true
 - name: Install eza package
  ansible.builtin.apt:
    name: eza
    state: present
  become: true
 - name: Install bottom package
  ansible.builtin.apt:
    deb: https://github.com/ClementTsang/bottom/releases/download/0.9.6/bottom_0.9.6_amd64.deb
    state: present
  become: true
 - name: Check if Neovim is already installed
  ansible.builtin.command: "which nvim"
  register: neovim_installed
  changed_when: false
  ignore_errors: true
 - name: Download Neovim AppImage
  ansible.builtin.get_url:
    url: https://github.com/neovim/neovim/releases/download/v0.10.0/nvim.appimage
    dest: /tmp/nvim.appimage
    mode: "0755"
  when: neovim_installed.rc != 0
  register: download_result
 - name: Extract Neovim AppImage
  ansible.builtin.command:
    cmd: "./nvim.appimage --appimage-extract"
    chdir: /tmp
  when: download_result.changed
  register: extract_result
 - name: Copy extracted Neovim files to /usr
  ansible.builtin.copy:
    src: /tmp/squashfs-root/usr/
    dest: /usr/
    remote_src: true
    mode: "0755"
  become: true
  when: extract_result.changed
 - name: Clean up extracted Neovim files
  ansible.builtin.file:
    path: /tmp/squashfs-root
    state: absent
  when: extract_result.changed
 - name: Remove Neovim AppImage
  ansible.builtin.file:
    path: /tmp/nvim.appimage
    state: absent
  when: download_result.changed
 - name: Check if Neovim config directory already exists
  ansible.builtin.stat:
    path: ~/.config/nvim
  register: nvim_config
 - name: Clone personal Neovim config directory
  ansible.builtin.git:
    repo: https://codeberg.org/tudattr/nvim
    dest: ~/.config/nvim
    clone: true
    update: false
    version: 1.0.0
  when: not nvim_config.stat.exists
 - name: Remove .git directory from Neovim config
  ansible.builtin.file:
    path: ~/.config/nvim/.git
    state: absent
  when: not nvim_config.stat.exists
--- a/roles/common/tasks/fstab.yml
+++ b/roles/common/tasks/fstab.yml
@@ -1,42 +0,0 @@
 ---
 - name: Install dependencies
  apt:
    name: "mergerfs"
    state: present
  become: yes
 - name: Create mount folders
  file:
    path: "{{ item.path }}"
    state: directory
  loop: "{{ host.fstab if host.fstab is iterable else []}}"
  become: true
 - name: Create fstab entries
  mount:
    src: "UUID={{ item.uuid }}"
    path: "{{ item.path }}"
    fstype: "{{ item.type }}"
    state: present
    backup: true
  loop: "{{ host.fstab if host.fstab is iterable else []}}"
  become: true
  register: fstab
 - name: Create/mount mergerfs
  mount:
    src: "{{ item.branches | join(':') }}"
    path: "{{ item.path }}"
    fstype: "{{ item.type }}"
    opts: "{{ item.opts | join(',') }}"
    state: present
    backup: true
  become: true
  loop: "{{ host.mergerfs if host.mergerfs is iterable else []}}"
  register: fstab
 - name: Mount all disks
  command: mount -a
  become: true
  when: fstab.changed
--- a/roles/common/tasks/hostname.yml
+++ b/roles/common/tasks/hostname.yml
@@ -0,0 +1,14 @@
 ---
 - name: Set a hostname
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}"
  become: true
 - name: Update /etc/hosts to reflect the new hostname
  ansible.builtin.lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.1\.1'
    line: "127.0.1.1 {{ inventory_hostname }}"
    state: present
    backup: true
  become: true
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,6 +1,13 @@
 ---
- include_tasks: time.yml
+- name: Configure Time
- include_tasks: essential.yml
+  ansible.builtin.include_tasks: time.yml
- include_tasks: bash.yml
+- name: Configure Packages
- include_tasks: sshd.yml
+  ansible.builtin.include_tasks: packages.yml
- include_tasks: fstab.yml
+- name: Configure Hostname
  ansible.builtin.include_tasks: hostname.yml
 - name: Configure Extra-Packages
  ansible.builtin.include_tasks: extra_packages.yml
 - name: Configure Bash
  ansible.builtin.include_tasks: bash.yml
 - name: Configure SSH
  ansible.builtin.include_tasks: sshd.yml
--- a/roles/common/tasks/packages.yml
+++ b/roles/common/tasks/packages.yml
@@ -0,0 +1,28 @@
 ---
 - name: Update and upgrade packages
  ansible.builtin.apt:
    update_cache: true
    upgrade: true
    autoremove: true
  become: true
  when: ansible_user_id != "root"
 - name: Install base packages
  ansible.builtin.apt:
    name: "{{ common_packages }}"
    state: present
  become: true
  when: ansible_user_id != "root"
 - name: Update and upgrade packages
  ansible.builtin.apt:
    update_cache: true
    upgrade: true
    autoremove: true
  when: ansible_user_id == "root"
 - name: Install base packages
  ansible.builtin.apt:
    name: "{{ common_packages }}"
    state: present
  when: ansible_user_id == "root"
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,23 +1,28 @@
 ---
- name: Copy sshd_config
+- name: Copy user sshd_config
-  template:
+  ansible.builtin.template:
-    src: templates/common/ssh/sshd_config
+    src: files/ssh/user/sshd_config
    dest: /etc/ssh/sshd_config
-    mode: 0644
+    mode: "644"
-  become: yes
+    backup: true
-  register: sshd
+  notify:
    - Restart sshd
  become: true
  when: ansible_user_id != "root"
 - name: Copy root sshd_config
  ansible.builtin.template:
    src: files/ssh/root/sshd_config
    dest: /etc/ssh/sshd_config
    mode: "644"
    backup: true
  notify:
    - Restart sshd
  when: ansible_user_id == "root"
 - name: Copy pubkey
-  copy:
+  ansible.builtin.copy:
-    content: "{{ pubkey }}"
+    src: files/ssh/vault-ca.pub
-    dest: "/home/{{ user }}/.ssh/authorized_keys"
+    dest: "/etc/ssh/vault-ca.pub"
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: "644"
-
+  become: true
 - name: Restart sshd
  service:
    name: "sshd"
    state: "restarted"
  become: yes
  when: sshd.changed
--- a/roles/common/tasks/time.yml
+++ b/roles/common/tasks/time.yml
@@ -1,4 +1,11 @@
 ---
- name: Set timezone to "{{ timezone }}"
+- name: Set timezone
  community.general.timezone:
    name: "{{ timezone }}"
  become: true
  when: ansible_user_id != "root"
 - name: Set timezone
  community.general.timezone:
    name: "{{ timezone }}"
  when: ansible_user_id == "root"
--- a/roles/common/templates/common/ssh/sshd_config
+++ b/roles/common/templates/common/ssh/sshd_config
@@ -1,124 +0,0 @@
 #	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 Include /etc/ssh/sshd_config.d/*.conf
 Protocol 2
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin no
 #StrictModes yes
 MaxAuthTries 3
 #MaxSessions 10
 PubkeyAuthentication yes
 # Expect .ssh/authorized_keys2 to be disregarded by default in future.
 #AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 AllowAgentForwarding no
 AllowTcpForwarding no
 #GatewayPorts no
 X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 PrintMotd no
 #PrintLastLog yes
 TCPKeepAlive no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 ClientAliveCountMax 2
 UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 #Banner none
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@@ -0,0 +1,17 @@
 common_packages:
  - build-essential
  - curl
  - git
  - iperf3
  - neovim
  - rsync
  - smartmontools
  - sudo
  - systemd-timesyncd
  - tree
  - screen
  - bat
  - fd-find
  - ripgrep
  - nfs-common
  - open-iscsi
--- a/roles/docker/tasks/aya01_compose.yml
+++ b/roles/docker/tasks/aya01_compose.yml
@@ -1,96 +0,0 @@
 ---
 # - include_tasks: zoneminder.yml
 #   tags:
 #     - zoneminder
 - include_tasks: pihole.yml
  tags:
    - pihole
 - include_tasks: syncthing.yml
  tags:
    - syncthing
 # - include_tasks: softserve.yml
 #   tags:
 #     - softserve
 - include_tasks: cupsd.yml
  tags:
    - cupsd
 - include_tasks: kuma.yml
  tags:
    - kuma
 # - include_tasks: traefik.yml
 #   tags:
 #     - traefik
 - include_tasks: plex.yml
  tags:
    - plex
 - include_tasks: ddns.yml
  tags:
    - ddns
 - include_tasks: homeassistant.yml
  tags:
    - homeassistant
 - include_tasks: tautulli.yml
  tags:
    - tautulli
 - include_tasks: sonarr.yml
  tags:
    - sonarr
 - include_tasks: radarr.yml
  tags:
    - radarr
 - include_tasks: lidarr.yml
  tags:
    - lidarr
 - include_tasks: prowlarr.yml
  tags:
    - prowlarr
 - include_tasks: bin.yml
  tags:
    - bin
 - include_tasks: gluetun.yml
  tags:
    - gluetun
 - include_tasks: qbit.yml
  tags:
    - qbit
 - include_tasks: qbit_private.yml
  tags:
    - qbit_priv
 - include_tasks: prometheus.yml
  tags:
    - prometheus
 - include_tasks: grafana.yml
  tags:
    - grafana
 - include_tasks: jellyfin.yml
  tags:
    - jellyfin
 - include_tasks: gitea.yml
  tags:
    - gitea
 - include_tasks: gitea-runner.yml
  tags:
    - gitea-runner
--- a/roles/docker/tasks/bin.yml
+++ b/roles/docker/tasks/bin.yml
@@ -1,9 +0,0 @@
 ---
 - name: Create bin-config directory
  file:
    path: "{{ bin_upload }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
--- a/roles/docker/tasks/cupsd.yml
+++ b/roles/docker/tasks/cupsd.yml
@@ -1,19 +0,0 @@
 ---
 - name: Create cupsd-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  loop:
    - "{{ cupsd_config }}"
  become: true
 - name: Copy cupsd config
  template:
    owner: "{{ puid }}"
    src: "templates/aya01/cupsd/cupsd.conf"
    dest: "{{ cupsd_config }}/cupsd.conf"
    mode: '660'
  become: true
--- a/roles/docker/tasks/ddns.yml
+++ b/roles/docker/tasks/ddns.yml
@@ -1,16 +0,0 @@
 ---
 - name: Create ddns-config directory
  file:
    path: "{{ docker_dir }}/ddns-updater/data/"
    owner: 1000
    group: 1000
    mode: '700'
    state: directory
 - name: Copy ddns-config
  template:
    owner: 1000
    src: "templates/{{host.hostname}}/ddns-updater/data/config.json"
    dest: "{{ docker_dir }}/ddns-updater/data/config.json"
    mode: '400'
--- a/roles/docker/tasks/gitea-runner.yml
+++ b/roles/docker/tasks/gitea-runner.yml
@@ -1,11 +0,0 @@
 ---
 - name: Create gitea-runner directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitea.runner.volumes.data }}"
--- a/roles/docker/tasks/gitea.yml
+++ b/roles/docker/tasks/gitea.yml
@@ -1,12 +0,0 @@
 ---
 - name: Create gitea directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitea.volumes.data }}"
    - "{{ gitea.volumes.config }}"
--- a/roles/docker/tasks/gitlab-runner.yml
+++ b/roles/docker/tasks/gitlab-runner.yml
@@ -1,11 +0,0 @@
 ---
 - name: Create gitlab-runner directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitlab.runner.volumes.config }}"
--- a/roles/docker/tasks/gitlab.yml
+++ b/roles/docker/tasks/gitlab.yml
@@ -1,14 +0,0 @@
 ---
 - name: Create gitlab-config
  file:
    path: "{{ item }}"
    owner: "{{ gitlab.puid }}"
    group: "{{ gitlab.pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitlab.paths.config }}"
    - "{{ gitlab.paths.logs }}"
    - "{{ gitlab.paths.data }}"
--- a/roles/docker/tasks/gluetun.yml
+++ b/roles/docker/tasks/gluetun.yml
@@ -1,11 +0,0 @@
 ---
 - name: Create gluetun-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '775'
    state: directory
  loop:
    - "{{ gluetun_config}}"
  become: true
--- a/roles/docker/tasks/grafana.yml
+++ b/roles/docker/tasks/grafana.yml
@@ -1,22 +0,0 @@
 ---
 - name: Create grafana data directory
  file:
    path: "{{ item }}"
    owner: "{{ grafana_puid }}"
    group: "{{ grafana_pgid }}"
    mode: '755'
    state: directory
  loop:
    - "{{ grafana_data }}"
    - "{{ grafana_config }}"
  become: true
 - name: Copy grafana config
  template:
    owner: "{{ grafana_puid }}"
    group: "{{ grafana_pgid }}"
    src: "templates/aya01/grafana/etc-grafana/grafana.ini.j2"
    dest: "{{ grafana_config }}/grafana.ini"
    mode: '644'
  become: true
--- a/roles/docker/tasks/homeassistant.yml
+++ b/roles/docker/tasks/homeassistant.yml
@@ -1,8 +0,0 @@
 ---
 - name: Create homeassistant-config directory
  file:
    path: "{{ ha_config }}"
    mode: '755'
    state: directory   
  become: true
--- a/roles/docker/tasks/hugo.yml
+++ b/roles/docker/tasks/hugo.yml
@@ -1,30 +0,0 @@
 ---
 - name: Create zoneminder user
  user:
    name: zm
    uid: 911
    shell: /bin/false
  become: true
 - name: Create Zoneminder config directory
  file:
    path: "{{ item }}"
    owner: 911
    group: 911
    mode: '700'
    state: directory
  loop:
    - "{{ zoneminder_config }}"
  become: true
 - name: Create Zoneminder data directory
  file:
    path: "{{ item }}"
    owner: 911
    group: 911
    mode: '755'
    state: directory
  loop:
    - "{{ zoneminder_data }}"
  become: true
--- a/roles/docker/tasks/jellyfin.yml
+++ b/roles/docker/tasks/jellyfin.yml
@@ -1,31 +0,0 @@
 ---
 - name: Create jellyfin-config directory
  file:
    path: "{{ jellyfin.config }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
 - name: Create jellyfin-cache directory
  file:
    path: "{{ jellyfin.cache }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
 - name: Create jellyfin media directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ jellyfin.media.tv }}"
    - "{{ jellyfin.media.movies }}"
    - "{{ jellyfin.media.music }}"
--- a/roles/docker/tasks/kuma.yml
+++ b/roles/docker/tasks/kuma.yml
@@ -1,11 +0,0 @@
 ---
 - name: Create kuma-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  loop:
    - "{{ kuma_config }}"
  become: true
--- a/roles/docker/tasks/lidarr.yml
+++ b/roles/docker/tasks/lidarr.yml
@@ -1,13 +0,0 @@
 ---
 - name: Create lidarr directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ lidarr_config }}"
    - "{{ lidarr_media }}"
    - "{{ lidarr_downloads }}"
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,24 +0,0 @@
 ---
 - include_tasks: install.yml
 - include_tasks: user_group_setup.yml
 - name: Copy the compose file
  template:
    src: templates/{{ inventory_hostname }}/compose.yaml
    dest: "{{ docker_compose_dir }}/compose.yaml"
  register: compose
 - include_tasks: "{{ inventory_hostname }}_compose.yml"
  tags:
    - reload_compose
 - name: Update docker Images
  shell:
    cmd: "docker compose pull"
    chdir: "{{ docker_compose_dir }}"
 - name: Rebuilding docker images
  shell:
    cmd: "docker compose up -d --build"
    chdir: "{{ docker_compose_dir }}"
--- a/roles/docker/tasks/mii_compose.yml
+++ b/roles/docker/tasks/mii_compose.yml
@@ -1,5 +0,0 @@
 ---
 - include_tasks: nginx-proxy-manager.yml
  tags:
    - nginx
--- a/roles/docker/tasks/naruto_compose.yml
+++ b/roles/docker/tasks/naruto_compose.yml
@@ -1,13 +0,0 @@
 ---
 - include_tasks: nginx-proxy-manager.yml
  tags:
    - nginx
 - include_tasks: pihole.yml
  tags:
    - pihole
 - include_tasks: gitea-runner.yml
  tags:
    - gitea-runner
--- a/roles/docker/tasks/netdata.yaml
+++ b/roles/docker/tasks/netdata.yaml
@@ -1,14 +0,0 @@
 ---
 - name: Create netdata dirs
  file:
    path: "{{ item }}"
    owner: 1000
    group: 1000
    mode: '777'
    state: directory   
  loop:
    - "{{ netdata_config }}"
    - "{{ netdata_cache }}"
    - "{{ netdata_lib }}"
  become: true
--- a/roles/docker/tasks/nginx-proxy-manager.yml
+++ b/roles/docker/tasks/nginx-proxy-manager.yml
@@ -1,13 +0,0 @@
 ---
 - name: Create nginx-data directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  loop:
    - "{{ nginx.paths.letsencrypt }}"
    - "{{ nginx.paths.data }}"
  become: yes
--- a/roles/docker/tasks/pi_compose.yml
+++ b/roles/docker/tasks/pi_compose.yml
@@ -1,14 +0,0 @@
 ---
 - include_tasks: nginx-proxy-manager.yml
  tags:
    - nginx
 - include_tasks: pihole.yml
  tags:
    - pihole
 - include_tasks: gitea-runner.yml
  tags:
    - gitea-runner
--- a/roles/docker/tasks/pihole.yml
+++ b/roles/docker/tasks/pihole.yml
@@ -1,14 +0,0 @@
 ---
 - name: Create pihole-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory   
  loop:
    - "{{ docker_dir }}/pihole/etc-pihole/"
    - "{{ docker_dir }}/pihole/etc-dnsmasq.d/"
  become: true
--- a/roles/docker/tasks/plex.yml
+++ b/roles/docker/tasks/plex.yml
@@ -1,22 +0,0 @@
 ---
 - name: Create plex-config directory
  file:
    path: "{{ plex_config }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
 - name: Create plex media directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ plex_tv }}"
    - "{{ plex_movies }}"
    - "{{ plex_music }}"
--- a/roles/docker/tasks/prometheus.yml
+++ b/roles/docker/tasks/prometheus.yml
@@ -1,21 +0,0 @@
 ---
 - name: Create prometheus dirs
  file:
    path: "{{ item }}"
    owner: "{{ prometheus_puid }}"
    group: "{{ prometheus_pgid }}"
    mode: '755'
    state: directory   
  loop:
    - "{{ prometheus_config }}"
    - "{{ prometheus_data }}"
  become: true
 - name: Place prometheus config
  template:
    owner: "{{ prometheus_puid }}"
    group: "{{ prometheus_pgid}}"
    src: "templates/aya01/prometheus/prometheus.yml.j2"
    dest: "{{ prometheus_config }}/prometheus.yml"
    mode: '644'
  become: true
--- a/roles/docker/tasks/prowlarr.yml
+++ b/roles/docker/tasks/prowlarr.yml
@@ -1,11 +0,0 @@
 ---
 - name: Create prowlarr directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ prowlarr_config }}"
--- a/roles/docker/tasks/qbit.yml
+++ b/roles/docker/tasks/qbit.yml
@@ -1,12 +0,0 @@
 ---
 - name: Create qbit-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '775'
    state: directory
  loop:
    - "{{ qbit_remote_config }}"
    - "{{ qbit_downloads }}"
  become: true
--- a/roles/docker/tasks/qbit_private.yml
+++ b/roles/docker/tasks/qbit_private.yml
@@ -1,12 +0,0 @@
 ---
 - name: Create qbit_torrentleech-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '775'
    state: directory
  loop:
    - "{{ torrentleech_remote_config }}"
    - "{{ qbit_downloads }}"
  become: true
--- a/roles/docker/tasks/radarr.yml
+++ b/roles/docker/tasks/radarr.yml
@@ -1,13 +0,0 @@
 ---
 - name: Create radarr directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ radarr_config }}"
    - "{{ radarr_media }}"
    - "{{ radarr_downloads }}"
--- a/roles/docker/tasks/softserve.yml
+++ b/roles/docker/tasks/softserve.yml
@@ -1,12 +0,0 @@
 ---
 - name: Create soft-serve directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  loop:
    - "{{ softserve_data }}"
  become: true
--- a/roles/docker/tasks/sonarr.yml
+++ b/roles/docker/tasks/sonarr.yml
@@ -1,13 +0,0 @@
 ---
 - name: Create sonarr directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ sonarr_config }}"
    - "{{ sonarr_media }}"
    - "{{ sonarr_downloads }}"
--- a/roles/docker/tasks/swag.yml
+++ b/roles/docker/tasks/swag.yml
@@ -1,20 +0,0 @@
 ---
 - name: Create swag-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid  }}"
    group: "{{ pgid }}"
    state: directory
  loop:
    - "{{ swag_config }}"
 - name: Copy site-confs
  template:
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    src: "{{ item }}"
    dest: "{{ swag_remote_site_confs }}"
    mode: '664'
  loop: "{{ swag_site_confs }}"
  become: true
--- a/roles/docker/tasks/syncthing.yml
+++ b/roles/docker/tasks/syncthing.yml
@@ -1,18 +0,0 @@
 ---
 - name: Create syncthing directory
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  loop:
    - "{{ syncthing_data }}"
  become: true
 - name: Resolve inotify error for syncthing
  template:
    src: "templates/aya01/syncthing/syncthing.conf"
    dest: "/etc/sysctl.d/syncthing.conf"
    mode: "660"
  become: true
--- a/roles/docker/tasks/tautulli.yml
+++ b/roles/docker/tasks/tautulli.yml
@@ -1,9 +0,0 @@
 ---
 - name: Create tautulli-config directory
  file:
    path: "{{ tautulli_config }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
--- a/roles/docker/tasks/traefik.yml
+++ b/roles/docker/tasks/traefik.yml
@@ -1,18 +0,0 @@
 ---
 - name: Create traefik-config directory
  file:
    path: "{{ item }}"
    owner: "{{ puid  }}"
    group: "{{ pgid }}"
    state: directory
  loop:
    - "{{ docker_dir }}/traefik/etc-traefik/"
    - "{{ docker_dir }}/traefik/var-log/"
 - name: Copy traefik-config
  template:
    owner: 1000
    src: "templates/common/traefik/etc-traefik/traefik.yml"
    dest: "{{ traefik.config }}"
    mode: '400'
--- a/roles/docker/tasks/user_group_setup.yml
+++ b/roles/docker/tasks/user_group_setup.yml
@@ -1,25 +0,0 @@
 ---
 - name: Ensure group "docker" exists
  group:
    name: docker
    state: present
  become: yes
 - name: Append the group "docker" to  "{{ user }}" groups
  ansible.builtin.user:
    name: "{{ user }}"
    shell: /bin/bash
    groups: docker
    append: yes 
  become: yes
 - name: Make sure that the docker folders exists
  ansible.builtin.file:
    path: "{{ item }}"
    owner: "{{ user }}"
    group: "{{ user }}"
    state: directory
  loop:
    - "{{docker_compose_dir}}"
    - "{{docker_dir}}"
  become: yes
--- a/roles/docker/tasks/zoneminder.yml
+++ b/roles/docker/tasks/zoneminder.yml
@@ -1,30 +0,0 @@
 ---
 - name: Create zoneminder user
  user:
    name: zm
    uid: '911'
    shell: /bin/false
  become: true
 - name: Create Zoneminder config directory
  file:
    path: "{{ item }}"
    owner: '911'
    group: '911'
    mode: '755'
    state: directory
  loop:
    - "{{ zoneminder_config }}"
  become: true
 - name: Create Zoneminder data directory
  file:
    path: "{{ item }}"
    owner: '911'
    group: '911'
    mode: '755'
    state: directory
  loop:
    - "{{ zoneminder_data }}"
  become: true
--- a/roles/docker/templates/aya01/compose.yaml
+++ b/roles/docker/templates/aya01/compose.yaml
@@ -1,518 +0,0 @@
 version: '3'
 services:
  nginx:
    container_name: "{{nginx.host}}"
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    networks:
      net: {}
    ports:
      - '{{nginx.endpoints.http}}:80'
      - '{{nginx.endpoints.https}}:443'
      - '{{nginx.endpoints.admin}}:81'
    volumes:
      - "{{nginx.paths.data}}:/data"
      - "{{nginx.paths.letsencrypt}}:/etc/letsencrypt"
      - '/var/run/docker.sock:/var/run/docker.sock'
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    depends_on:
      - nginx
    networks:
      - net
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "{{ pihole_config }}:/etc/pihole/"
      - "{{ pihole_dnsmasq }}:/etc/dnsmasq.d/"
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
      - "WEBPASSWORD={{ vault_aya01_pihole_password }}"
      - "ServerIP={{ host.ip }}"
      - "INTERFACE=eth0"
      - "DNS1=1.1.1.1"
      - "DNS1=1.0.0.1"
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
  syncthing:
    image: syncthing/syncthing
    container_name: syncthing
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    ports:
      - 22000:22000/tcp # TCP file transfers
      - 22000:22000/udp # QUIC file transfers
      - 21027:21027/udp # Receive local discovery broadcasts
    volumes:
      - "{{syncthing_data}}:/var/syncthing"
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
    hostname: syncthing
  cupsd:
    container_name: cupsd
    image: olbat/cupsd
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
    volumes:
      - /var/run/dbus:/var/run/dbus
      - "{{cupsd_config}}:/etc/cups"
  kuma:
    container_name: kuma
    image: louislam/uptime-kuma:1
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
    ports:
      - "{{kuma_port}}:3001"
    volumes:
      - "{{ kuma_config }}:/app/data"
  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    devices:
      - /dev/dri:/dev/dri
    ports:
      - "{{ plex_port }}:32400"
      - "1900:1900"
      - "3005:3005"
      - "5353:5353"
      - "32410:32410"
      - "8324:8324"
      - "32412:32412"
      - "32469:32469"
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
      - VERSION=docker
    volumes:
      - "{{ plex_config }}:/config"
      - "{{ plex_tv }}:/tv:ro"
      - "{{ plex_movies }}:/movies:ro"
      - "{{ plex_music }}:/music:ro"
  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    container_name: sonarr
    restart: unless-stopped
    depends_on:
      - prowlarr
    networks:
      - net
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
    volumes:
      - {{ sonarr_config }}:/config
      - {{ sonarr_media }}:/tv #optional
      - {{ sonarr_downloads }}:/downloads #optional
  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    restart: unless-stopped
    depends_on:
      - prowlarr
    networks:
      - net
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
    volumes:
      - {{ radarr_config }}:/config
      - {{ radarr_media }}:/movies #optional
      - {{ radarr_downloads }}:/downloads #optional
  lidarr:
    image: lscr.io/linuxserver/lidarr:latest
    container_name: lidarr
    restart: unless-stopped
    depends_on:
      - prowlarr
    networks:
      - net
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
    volumes:
      - {{ lidarr_config }}:/config
      - {{ lidarr_media }}:/music #optional
      - {{ lidarr_downloads }}:/downloads #optional
  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
    volumes:
      - {{ prowlarr_config }}:/config
  pastebin:
    image: wantguns/bin
    container_name: pastebin
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
      - ROCKET_PORT={{ bin_port }}
      - HOST_URL={{ bin_host }}.{{ aya01_host }}.{{ local_domain }}
    volumes:
      - {{ bin_upload }}:/app/upload
  tautulli:
    image: lscr.io/linuxserver/tautulli:latest
    container_name: tautulli
    restart: unless-stopped
    depends_on:
      - plex
    networks:
      - net
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid}}
      - TZ={{ timezone }}
    ports:
      - "{{ tautulli_port }}:8181"
    volumes:
      - {{ tautulli_config}}:/config
  {{ gluetun_host }}:
    image: qmcgaw/gluetun
    container_name: {{ gluetun_host }}
    restart: unless-stopped
    networks:
      - net
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - {{ gluetun_config }}:/gluetun
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{ timezone }}
      - VPN_SERVICE_PROVIDER=protonvpn
      - UPDATER_VPN_SERVICE_PROVIDERS=protonvpn
      - UPDATER_PERIOD=24h
      - SERVER_COUNTRIES={{ gluetun_country }}
      - OPENVPN_USER={{ vault_qbit_vpn_user }}+pmp
      - OPENVPN_PASSWORD={{ vault_qbit_vpn_password }}
  {{ torrentleech_host }}:
    image: qbittorrentofficial/qbittorrent-nox
    container_name: {{ torrentleech_host }}
    restart: unless-stopped
    depends_on:
      - gluetun
      - sonarr
      - radarr
      - lidarr
    network_mode: "container:{{ gluetun_host }}"
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
      - QBT_EULA="accept"
      - QBT_WEBUI_PORT="{{ torrentleech_port }}"
    volumes:
      - {{ torrentleech_remote_config }}:/config
      - {{ qbit_downloads }}:/downloads
  {{qbit_host}}:
    image: qbittorrentofficial/qbittorrent-nox
    container_name: {{ qbit_host }}
    restart: unless-stopped
    depends_on:
      - gluetun
      - sonarr
      - radarr
      - lidarr
    network_mode: "container:{{ gluetun_host }}"
    environment:
      - PUID={{ puid }}
      - PGID={{ pgid }}
      - TZ={{ timezone }}
      - QBT_EULA="accept"
      - QBT_WEBUI_PORT="{{ qbit_port }}"
    volumes:
      - {{ qbit_remote_config }}:/config
      - {{ qbit_downloads }}:/downloads
  {{ prometheus_host }}:
    image: prom/prometheus
    container_name: {{ prometheus_host }}
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    environment:
      - PUID={{ prometheus_puid }}
      - PGID={{ prometheus_pgid}}
      - TZ={{ timezone }}
    volumes:
      - {{ prometheus_config }}:/etc/prometheus/
      - prometheus_data:/prometheus/
  {{ grafana_host }}:
    image: grafana/grafana-oss
    container_name: {{ grafana_host }}
    restart: unless-stopped
    user: "0:0"
    depends_on:
      - {{ prometheus_host }}
    networks:
      - net
    environment:
      - PUID={{ grafana_puid }}
      - PGID={{ grafana_pgid }}
      - TZ={{ timezone }}
    volumes:
      - {{ grafana_data }}:/var/lib/grafana/
      - {{ grafana_config }}:/etc/grafana/
  ddns-updater:
    container_name: ddns-updater
    image: "ghcr.io/qdm12/ddns-updater"
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      net: {}
    volumes:
      - "{{ ddns_data }}:/updater/data/"
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      net: {}
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "{{ ha_config }}:/config/"
    privileged: true
    ports:
      - "{{ ha_port }}:8123"
      - 4357:4357
      - 5683:5683
      - 5683:5683/udp
  {{stirling.host}}:
    container_name: {{stirling.host}}
    image: frooodle/s-pdf:latest
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      net: {}
  {{ jellyfin.host }}:
    container_name: {{ jellyfin.host }}
    image: jellyfin/jellyfin
    restart: 'unless-stopped'
    depends_on:
      - pihole
    networks:
      net: {}
    devices:
      - /dev/dri:/dev/dri
    volumes:
      - {{ jellyfin.config }}:/config
      - {{ jellyfin.cache }}:/cache
      - {{ jellyfin.media.tv }}:/tv:ro
      - {{ jellyfin.media.movies }}:/movies:ro
      - {{ jellyfin.media.music }}:/music:ro
    ports:
      - "{{ jellyfin.port }}:{{ jellyfin.port }}"
  broker:
    container_name: {{ paperless.redis.host }}
    image: docker.io/library/redis:7
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    volumes:
      - {{paperless.redis.data}}:/data
  db:
    container_name: {{ paperless.db.host }}
    image: docker.io/library/postgres:15
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    volumes:
      - {{paperless.db.data}}:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: {{ paperless.db.db }}
      POSTGRES_USER: {{ paperless.db.user }}
      POSTGRES_PASSWORD: {{ paperless.db.password }}
  paperless:
    container_name: {{ paperless.host }}
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on:
      - db
      - broker
    networks:
      - net
    healthcheck:
      test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:{{ paperless.port }}"]
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - {{ paperless.data.data }}:/usr/src/paperless/data
      - {{ paperless.data.media }}:/usr/src/paperless/media
      - {{ paperless.data.export }}:/usr/src/paperless/export
      - {{ paperless.data.consume }}:/usr/src/paperless/consume
    environment:
      - "PAPERLESS_REDIS=redis://broker:6379"
      - "PAPERLESS_DBHOST=db"
      - "PAPERLESS_DBUSER={{paperless.db.user}}"
      - "PAPERLESS_DBPASS={{paperless.db.password}}"
      - "USERMAP_UID={{ puid }}"
      - "USERMAP_GID={{ pgid}}"
      - "PAPERLESS_URL=https://{{paperless.host}}.{{ host.hostname }}.{{ backup_domain }}"
      - "PAPERLESS_TIME_ZONE={{ timezone }}"
      - "PAPERLESS_OCR_LANGUAGE=deu"
  {{ homarr.host }}:
    container_name: {{ homarr.host }}
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    volumes:
      - {{ homarr.volumes.configs }}:/app/data/configs
      - {{ homarr.volumes.data }}:/data
      - {{ homarr.volumes.icons }}:/app/public/icons
  {{ gitea.host }}:
    container_name: {{ gitea.host }}
    image: gitea/gitea:1.20.5-rootless
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    volumes:
      - {{ gitea.volumes.data }}:/var/lib/gitea
      - {{ gitea.volumes.config }}:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "{{ gitea.ports.http }}:3000"
      - "{{ gitea.ports.ssh }}:2222"
  {{ gitea.runner.host }}:
    container_name: {{ gitea.runner.host }}
    image: gitea/act_runner:nightly
    restart: unless-stopped
    depends_on:
      - {{ gitea.host }}
    networks:
      - net
    volumes:
      - "{{ gitea.runner.config_file }}:/config.yaml"
      - "{{ gitea.runner.volumes.data }}:/data"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - "GITEA_INSTANCE_URL={{ gitea.url }}"
      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
      - "GITEA_RUNNER_NAME: {{ gitea.runner.name }}"
      - "CONFIG_FILE: /config.yaml"
  {{ jellyseer.host }}:
    container_name: {{ jellyseer.host }}
    image: fallenbagel/jellyseerr:latest
    restart: unless-stopped
    environment:
      - LOG_LEVEL=info
      - TZ={{ timezone }}
    depends_on:
      - {{ jellyfin.host }}
    networks:
      - net
    volumes:
      - {{ jellyseer.volumes.config }}:/app/config
 networks:
  zoneminder:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: {{ zoneminder_network }}
  net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: {{ docker_network }}
 volumes:
  prometheus_data: {}
--- a/roles/docker/templates/aya01/cupsd/cupsd.conf
+++ b/roles/docker/templates/aya01/cupsd/cupsd.conf
@@ -1,196 +0,0 @@
 #
 # Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
 # complete description of this file.
 #
 # Log general information in error_log - change "warn" to "debug"
 # for troubleshooting...
 LogLevel warn
 PageLogFormat
 ServerAlias *
 # Specifies the maximum size of the log files before they are rotated.  The value "0" disables log rotation.
 MaxLogSize 0
 # Default error policy for printers
 ErrorPolicy retry-job
 # Allow remote access
 Listen *:631
 # Show shared printers on the local network.
 Browsing Yes
 BrowseLocalProtocols dnssd
 # Default authentication type, when authentication is required...
 DefaultAuthType Basic
 DefaultEncryption IfRequested
 # Web interface setting...
 WebInterface Yes
 # Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
 IdleExitTimeout 60
 # Restrict access to the server...
 <Location />
  Order allow,deny
  Allow all
 </Location>
 # Restrict access to the admin pages...
 <Location /admin>
  Order allow,deny
  Allow all
 </Location>
 # Restrict access to configuration files...
 <Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow all
 </Location>
 # Restrict access to log files...
 <Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow all
 </Location>
 # Set the default printer/job policies...
 <Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default
  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
 </Policy>
 # Set the authenticated printer/job policies...
 <Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default
  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Order deny,allow
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
 </Policy>
 # Set the kerberized printer/job policies...
 <Policy kerberos>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default
  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Negotiate
    Order deny,allow
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
 </Policy>
--- a/roles/docker/templates/aya01/ddns-updater/data/config.json
+++ b/roles/docker/templates/aya01/ddns-updater/data/config.json
@@ -1,11 +0,0 @@
 {
    "settings": [
        {
            "provider": "namecheap",
            "domain": "{{ local_domain }}",
            "host": "{{ local_subdomains }}",
            "password": "{{ vault_ddns_local_password }}",
            "provider_ip": true
        }
    ]
 }
--- a/roles/docker/templates/aya01/grafana/etc-grafana/grafana.ini.j2
+++ b/roles/docker/templates/aya01/grafana/etc-grafana/grafana.ini.j2
--- a/roles/docker/templates/aya01/prometheus/exporter/mikrotik/config/config.yml
+++ b/roles/docker/templates/aya01/prometheus/exporter/mikrotik/config/config.yml
@@ -1,18 +0,0 @@
 devices:
  - name: mikrotik
    address: "{{ e_mikrotik_ip }}"
    user: "{{ prm_user }}"
    password: "{{ vault_prm_user_password }}"
 features:
  bgp: false
  dhcp: true
  dhcpv6: true
  dhcpl: true
  routes: true
  pools: true
  optics: true
--- a/roles/docker/templates/aya01/prometheus/prometheus.yml.j2
+++ b/roles/docker/templates/aya01/prometheus/prometheus.yml.j2
@@ -1,46 +0,0 @@
 # Sample config for Prometheus.
 global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).
  # Attach these labels to any time series or alerts when communicating with
  # external systems (federation, remote storage, Alertmanager).
  external_labels:
      monitor: '{{ user }}'
 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
 rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"
 scrape_configs:
  - job_name: 'node'
    scrape_interval: 10s
    scrape_timeout: 10s
    tls_config:
      insecure_skip_verify: true
    static_configs:
    - targets: ['{{ aya01_ip }}:{{node_exporter.port}}']
    - targets: ['{{ mii_ip }}:{{node_exporter.port}}']
    - targets: ['{{ pi_ip }}:{{node_exporter.port}}']
    - targets: ['{{ naruto_ip }}:{{node_exporter.port}}']
    - targets: ['{{ inko_ip }}:{{node_exporter.port}}']
  - job_name: 'mikrotik'
    static_configs:
      - targets:
        - {{ snmp_exporter_target }}
    metrics_path: /snmp
    params:
      module: [mikrotik]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: {{ aya01_ip }}:{{ snmp_exporter_port }} # The SNMP exporter's real hostname:port.
  - job_name: 'SMART'
    static_configs:
    - targets: ['{{ aya01_ip }}:{{smart_exporter.port}}']
--- a/roles/docker/templates/aya01/syncthing/syncthing.conf
+++ b/roles/docker/templates/aya01/syncthing/syncthing.conf
@@ -1 +0,0 @@
 fs.inotify.max_user_watches=204800
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tuan-Dat Tran	9251406426	feat(docker): Removed nodes docker-host10 and docker-host12 Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-15 23:19:39 +02:00
Tuan-Dat Tran	af75d7123e	feat(docker): match services that moved to k3s Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-13 18:57:56 +02:00
Tuan-Dat Tran	defc4a59ff	feat(docker): match services that moved to k3s Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-07 23:43:20 +02:00
Tuan-Dat Tran	78fe3fa694	refactor(ansible-lint): fixed ansible-lint warnings Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-07 21:40:21 +02:00
Tuan-Dat Tran	a1acb21e8e	fixup! fix(proxmox): commented 'non-errors' on script	2025-09-07 21:28:23 +02:00
Tuan-Dat Tran	1636247734	fix(proxmox): commented 'non-errors' on script Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-07 21:24:31 +02:00
Tuan-Dat Tran	9573cbfcad	feat(k3s): Added 2 nodes Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-07 21:21:33 +02:00
Tuan-Dat Tran	48aec11d8c	feat(common): added iscsi for longhorn on k3s Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-07 18:17:33 +02:00
Tuan-Dat Tran	a1da69ac98	feat(proxmox): check_vm as cronjob Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-09-02 19:52:49 +02:00
Tuan-Dat Tran	7aa16f3207	Added blog.md Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-27 22:59:01 +02:00
Tuan-Dat Tran	fe3f1749c5	Update README.md Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-27 22:51:15 +02:00
Tuan-Dat Tran	6eef96b302	feat(pre-commit): Added linting	2025-07-27 22:46:23 +02:00
Tuan-Dat Tran	2882abfc0b	Added README.md for roles Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-27 16:40:46 +02:00
Tuan-Dat Tran	2b759cc2ab	Update README.md Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-27 16:16:35 +02:00
Tuan-Dat Tran	dbaebaee80	cleanup: services moved to argocd Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-27 13:58:25 +02:00
Tuan-Dat Tran	89c51aa45c	feat(argo): app-of-app argo Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-25 07:58:41 +02:00
Tuan-Dat Tran	0139850ee3	feat(reverse_proxy): fix caddy letsencrypt Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-22 21:26:11 +02:00
Tuan-Dat Tran	976cad51e2	refactor(k3s): enhance cluster setup and enable ArgoCD apps Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-22 07:23:23 +02:00
Tuan-Dat Tran	e1a2248154	feat(kubernetes): add nfs-provisioner Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-15 23:24:52 +02:00
Tuan-Dat Tran	d8fd094379	feat(kubernetes): stable kubernetes with argo Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-14 22:57:13 +02:00
Tuan-Dat Tran	76000f8123	feat(kubernetes): add initial setup for ArgoCD, Cert-Manager, MetalLB, and Traefik Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-13 14:25:53 +02:00
Tuan-Dat Tran	4aa939426b	refactor(k3s): enhance kubeconfig generation and token management Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-13 09:33:39 +02:00
Tuan-Dat Tran	9cce71f73b	refactor(k3s): manage token securely and install guest agent Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-13 02:15:01 +02:00
Tuan-Dat Tran	97a5d6c41d	refactor(k3s): centralize k3s primary server IP and integrate Netcup DNS Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-13 01:30:05 +02:00
Tuan-Dat Tran	f1b0cfad2c	refactor(k3s): streamline inventory and primary server IP handling Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-13 00:40:48 +02:00
Tuan-Dat Tran	dac0d88d60	feat(proxmox): add k3s agents and refine VM provisioning Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-12 23:08:44 +02:00
Tuan-Dat Tran	609e000089	refactor(ansible): centralize inventory and variables in 'vars' directory Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-12 21:38:53 +02:00
Tuan-Dat Tran	3d7f652ff3	refactor(ansible): restructure inventory and remove postgres role Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-12 20:35:26 +02:00
Tuan-Dat Tran	cb8ccd8f00	wip Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-06-07 01:19:27 +02:00
Tuan-Dat Tran	02168225b1	wip Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-06-07 00:16:54 +02:00
Tuan-Dat Tran	6ff1ccecd0	refactor(infra): reorganize docker host VMs and service assignments Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-07 00:02:30 +02:00
Tuan-Dat Tran	de62327fde	Add naruto01 to proxmox nodes Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-06 13:33:46 +02:00
Tuan-Dat Tran	b70c8408dc	2025-05-03T21:41+02:00 Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-03 21:41:32 +02:00
Tuan-Dat Tran	a913e1cbc0	refactor: reorganize proxmox roles, add hardware acceleration, and update common config tasks Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-03 10:24:50 +02:00
Tuan-Dat Tran	e3c67a32e9	feat(reverse_proxy): add Netcup DNS ACME challenge support and refactor Caddy setup Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-28 23:24:29 +02:00
Tuan-Dat Tran	8f2998abc0	refactor(ansible): use ansible_user_id and add root package condition Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-27 18:15:07 +02:00
Tuan-Dat Tran	7fcee3912f	refactor(ansible): refactor common role application and improve vm ssh config Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-27 17:46:41 +02:00
Tuan-Dat Tran	591342f580	feat(proxmox): refactor vm provisioning and add pci passthrough config Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-26 23:34:42 +02:00
Tuan-Dat Tran	f2ea03bc01	feat(proxmox): automatic vm creation Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-26 21:58:58 +02:00
Tuan-Dat Tran	0e8e07ed3e	feat(docker): Added healthcheck Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-26 13:21:02 +02:00
Tuan-Dat Tran	a2a58f6343	feat(keycloak\|docker): improved templating Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-25 23:37:24 +02:00
Tuan-Dat Tran	42196a32dc	feat(docker): Add karakeep and keycloak services Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-24 20:24:33 +02:00
Tuan-Dat Tran	6934a9f5fc	distributed secrets to group_vars and added karakeep Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-06 23:46:28 +02:00
Tuan-Dat Tran	27621aac03	Added proxmox-vm and static tagging of docker images Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-06 18:04:33 +02:00
Tuan-Dat Tran	56f058c254	moved ssh to cert based Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-03-25 01:09:08 +01:00
Tuan-Dat Tran	924e4a2f92	refactor(inventory): Reorganized inventory Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-02-07 01:54:34 +01:00
Tuan-Dat Tran	060e2425ff	fix(skeleton): Fixed script and content for secrets.skeleton Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-02-07 00:09:37 +01:00
Tuan-Dat Tran	f2d489f63a	refactor(structure/ansible.cfg): Changed folder structure with ansible.cfg Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-02-07 00:06:37 +01:00
Tuan-Dat Tran	4aa3e711c9	fix(ssh): switch to ubuntu based key Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-24 12:47:23 +01:00
Tuan-Dat Tran	00e4f4807d	feat(docker): Removed data Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-24 09:11:36 +01:00
Tuan-Dat Tran	161e6446cd	fix(compose): made port expose optional Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-24 07:28:12 +01:00
Tuan-Dat Tran	ae929ca09d	feat(docker): Added cadvisor on all hosts, added docker metric exporter, added docker compose restart as handler, moved repetetive directory/permission creation into loops, moved repetetive values into variables, cleanup compose template for better empty lines Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-17 21:50:36 +01:00
Tuan-Dat Tran	1017fed848	fix(docker): Fixed git deployment,which failed with migration error on new db Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-17 10:08:32 +01:00
Tuan-Dat Tran	cb256e9451	refactor(playbooks): Moved playbooks to seperate folder Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-17 02:41:30 +01:00
Tuan-Dat Tran	6bc591550c	fix(port mapping,docker): fixed duplicate port mapping on hosts and incompatible docker options in compose Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-17 02:10:36 +01:00
Tuan-Dat Tran	e68d534e4f	feat(docker): Move compose content to ansible group vars Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-17 01:31:10 +01:00
Tuan-Dat Tran	1a1b8cb69c	feat(reverse-proxy): Add Caddy for reverse proxy Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-01-12 21:19:37 +01:00
Tuan-Dat Tran	88141f8869	chore(secrets): Updated secrets.yml.skeleton to reflect recent changes Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-12-11 20:04:41 +01:00
Tuan-Dat Tran	6d099061ac	feat(docker): Split docker compose to be deployed different services on different hosts. See host_vars of each host. Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-12-11 19:58:57 +01:00
Tuan-Dat Tran	711dc58f2e	fix(docker/jellyfin): Moved jellyfin config to local machine due to error with sqlite dbs used for config Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-11-15 14:09:31 +01:00
Tuan-Dat Tran	5aaf3eef53	chore(inventory): add host-specific configuration files and update production inventory for proxmox hosts - Add individual `host_vars` YAML files for new proxmox hosts (`aya01`, `inko`, `lulu`): - Set SSH and Ansible connection variables, including `ansible_user`, `ansible_host`, `ansible_port`, and `ansible_ssh_private_key_file` - Configure `ansible_become_pass` with respective vault entries for sudo access - Define host-specific metadata, including hostname and IP address - Update `production` inventory: - Add new `[proxmox]` group and include `aya01`, `inko`, and `lulu` for proxmox-related automation These additions streamline Ansible's management of proxmox hosts, centralizing their configuration and enabling easier host-specific variable access for deployment and management tasks. Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-11-13 23:55:22 +01:00
Tuan-Dat Tran	33253e934d	feat(docker): add Calibre Web service to Docker Compose configuration - Add Calibre Web container configuration to `docker-compose.yaml` - Use `lscr.io/linuxserver/calibre-web:latest` image - Configure environment variables (PUID, PGID, TZ, DOCKER_MODS) - Set up volumes for persistent storage of Calibre configuration and books - Expose port 8084 to access the Calibre Web UI - Implement automatic restart policy (`unless-stopped`) This commit introduces the Calibre Web service to the Docker Compose setup, enabling users to run a Calibre library management and e-book reader web service in a Docker container. Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-11-11 01:04:30 +01:00
Tuan-Dat Tran	4db26b56da	feat(ansible): add Docker host configuration with NFS mounts and utility packages - Introduce Docker host configuration playbooks in `docker_host` role - Install Docker and Docker Compose via apt repository - Configure Docker user, group, and required directories (`/opt/docker`, `/media`) - Add NFS mounts for Docker data, series, movies, and songs directories - Add extra utility packages (`bat`, `ripgrep`, `fd-find`, `screen`, `eza`, `neovim`) - Set up and manage `bash_aliases` for user-friendly command replacements (`batcat`, `nvim`, `eza`) - Enhance `/group_vars` and `/host_vars` for Docker-related settings and secure access - Add `docker-host00` and `docker-host01` entries to production and staging inventories Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-11-10 21:37:22 +01:00
Tuan-Dat Tran	ce0411cdb0	fixed taint Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-13 22:56:59 +02:00
Tuan-Dat Tran	28d946cae5	Add noexecute taint on longhorn Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-13 21:49:10 +02:00
Tuan-Dat Tran	5d0f56ce38	linting Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-08 11:31:26 +02:00
Tuan-Dat Tran	0c1a8a95f2	add postgres exporter Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-08 11:17:03 +02:00
Tuan-Dat Tran	05c35a546a	added installation of reqs for longhorn Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-08 05:20:35 +02:00
Tuan-Dat Tran	d16cc0db06	Added notes for longhorn nodes Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-08 04:40:16 +02:00
Tuan-Dat Tran	2ae0f4863e	update vault skeleton Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-08 04:14:01 +02:00
Tuan-Dat Tran	7d58de98d9	Added storage nodes for k3s Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-08 04:13:38 +02:00
Tuan-Dat Tran	92e4b3bb27	Add k3s-server02 Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-07 20:56:12 +02:00
Tuan-Dat Tran	ed980f816f	prod and staging for tls in loadbalancer Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-04 00:00:02 +02:00
Tuan-Dat Tran	c0e81ee277	Added script etc for ssl on lb Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-10-03 17:38:08 +02:00
Tuan-Dat Tran	a09448985c	Added https lb for lb Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-30 20:06:27 +02:00
Tuan-Dat Tran	95afa201e3	Fixed host forwarding for subdomain reverse proxy Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-30 10:53:18 +02:00
Tuan-Dat Tran	000375c7ba	adjust name for upstream in lb Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-30 10:46:19 +02:00
Tuan-Dat Tran	2cc4fd0be0	Added http lb for lb Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-30 07:51:33 +02:00
Tuan-Dat Tran	8fb4eaf610	Added k3s agents Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-20 16:57:59 +02:00
Tuan-Dat Tran	3aa56be025	Full k3s server installation done Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-20 15:01:33 +02:00
Tuan-Dat Tran	51a49d003d	Finished lb and db Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-19 23:10:00 +02:00
Tuan-Dat Tran	50abbf933c	First step towards rewrite Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2024-09-17 23:44:20 +02:00
		`@@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==