testing

Add Podman deployment configuration
Add GPG key and reorganize dockerbox configuration
2025-08-08 01:31:39 -04:00 · 2025-08-07 00:24:58 -04:00 · 2025-03-26 22:07:06 -04:00 · 2025-01-19 17:48:45 -05:00 · 2025-01-19 16:28:54 -05:00 · 2024-12-29 02:22:46 -05:00
32 changed files with 485 additions and 264 deletions
--- a/.github/workflows/vagrant.yml
+++ b/.github/workflows/vagrant.yml
@@ -3,8 +3,9 @@ name: homelab-ci
 on:
  push:
    branches:
-      - main
+      - github_actions
-      - testing
+      # - main
      # - testing
 jobs:
  homelab-ci:
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .ansible*
 /environments/
 .playbook
 .vagrant*
 .vscode
 /environments/
--- a/README.md
+++ b/README.md
@@ -1,41 +1,76 @@
-# Project Moxie
+# Homelab
-Project Moxie is a personal IT homelab project written in Ansible and executed by Jenkins. It is a growing collection of infrastructure as code (IaC) I write out of curiosity and for reference purposes, keeping a handful of beneficial projects managed and secured.
+This project is my personal IT homelab initiative for self-hosting and
 exploring Free and Open Source Software (FOSS) infrastructure. As a technology
 enthusiast and professional, this project is primarily a practical tool for
 hosting services. It serves as a playground for engaging with systems
 technology in functional, intriguing, and gratifying ways. Self-hosting
 empowers individuals to govern their digital space, ensuring that their online
 environments reflect personal ethics rather than centralized entities' opaque
 policies.
 Built on Debian Stable, this project utilizes Ansible and Vagrant, providing
 relatively easy-to-use reproducible ephemeral environments to test
 infrastructure automation before pushing to live systems.
 ## Quick Start
 To configure a local virtual machine for testing, follow these simple steps.
 ### Prerequisites
 Vagrant and VirtualBox are used to develop Project Moxie. You will need to install these before continuing.
 ### Installation
 1. Clone this repository
   ```
-   git clone https://github.com/krislamo/moxie
+   git clone https://git.krislamo.org/kris/homelab
   ```
   Optionally clone from the GitHub mirror instead:
   ```
   git clone https://github.com/krislamo/homelab
   ```
 2. Set the `PLAYBOOK` environmental variable to a development playbook name in the `dev/` directory
-   The following `PLAYBOOK` names are available: `dockerbox`, `hypervisor`, `minecraft`, `bitwarden`, `nextcloud`, `nginx`
+   To list available options in the `dev/` directory and choose a suitable PLAYBOOK, run:
-
+   ```
   ls dev/*.yml | xargs -n 1 basename -s .yml
   ```
   Export the `PLAYBOOK` variable
   ```
   export PLAYBOOK=dockerbox
   ```
-3. Bring the Vagrant box up
+3. Clean up any previous provision and build the VM
   ```
-   vagrant up
+   make clean && make
   ```
-#### Copyright and License
+## Vagrant Settings
-Copyright (C) 2020-2021  Kris Lamoureux
+The Vagrantfile configures the environment based on settings from `.vagrant.yml`,
 with default values including:
 - PLAYBOOK: `default`
   - Runs a `default` playbook that does nothing.
   - You can set this by an environmental variable with the same name.
 - VAGRANT_BOX: `debian/bookworm64`
   - Current Debian Stable codename
 - VAGRANT_CPUS: `2`
   - Threads or cores per node, depending on CPU architecture
 - VAGRANT_MEM: `2048`
   - Specifies the amount of memory (in MB) allocated
 - SSH_FORWARD: `false`
   - Enable this if you need to forward SSH agents to the Vagrant machine
 ## Copyright and License
 Copyright (C) 2019-2023  Kris Lamoureux
 [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
 This program is free software: you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
 Foundation, version 3 of the License.
-This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+This program is distributed in the hope that it will be useful, but WITHOUT ANY
 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+You should have received a copy of the GNU General Public License along with
-
+this program. If not, see <https://www.gnu.org/licenses/>.
 You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
--- a/dev/dockerbox.yml
+++ b/dev/dockerbox.yml
@@ -6,8 +6,7 @@
  roles:
    - base
    - docker
    - mariadb
    - traefik
    - nextcloud
-    - jenkins
+    - proxy
    - prometheus
    - nginx
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -2,44 +2,51 @@
 allow_reboot: false
 manage_network: false
 # Import my GPG key for git signature verification
 root_gpgkeys:
  - name: kris@lamoureux.io
    id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
  # Older key, but still in use
  - name: kris@lamoureux.io
    id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
    server: keyserver.ubuntu.com
 # proxy
 proxy:
  servers:
    - domain: cloud.local.krislamo.org
      proxy_pass: http://127.0.0.1:8000
 # docker
 docker_official: true # docker's apt repos
 docker_users:
  - vagrant
 docker_compose_env_nolog: false # dev only setting
 docker_compose_deploy:
  # Traefik
  - name: traefik
    url: https://github.com/krislamo/traefik
    version: d62bd06b37ecf0993962b0449a9d708373f9e381
    enabled: true
    accept_newhostkey: true # Consider verifying manually instead
    trusted_keys:
      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
    env:
      DASHBOARD: true
  # Nextcloud
  - name: nextcloud
    url: https://github.com/krislamo/nextcloud
    version: fe6d349749f178e91ae7ff726d557f48ebf84356
    env:
      DATA: ./data
 # traefik
-traefik_version: latest
+traefik:
-traefik_dashboard: true
+  ENABLE: true
 traefik_domain: traefik.local.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 traefik_web_entry: 0.0.0.0:80
 traefik_websecure_entry: 0.0.0.0:443
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
 #traefik_http_only: true # if behind reverse-proxy
 # nextcloud
-nextcloud_version: stable
+nextcloud:
-nextcloud_admin: admin
+  DOMAIN: cloud.local.krislamo.org
-nextcloud_pass: password
+  DB_PASSWD: password
-nextcloud_domain: cloud.local.krislamo.org
+  ADMIN_PASSWD: password
 nextcloud_dbversion: latest
 nextcloud_dbpass: password
 # jenkins
 jenkins_version: lts
 jenkins_domain: jenkins.local.krislamo.org
 # prometheus (includes grafana)
 prom_version: latest
 prom_domain: prom.local.krislamo.org
 grafana_version: latest
 grafana_domain: grafana.local.krislamo.org
 prom_targets: "['10.0.2.15:9100']"
 # nginx
 nginx_domain: nginx.local.krislamo.org
 nginx_name: staticsite
 nginx_repo_url: https://git.krislamo.org/kris/example-website/
 nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 nginx_version: latest
--- a/dev/host_vars/podman.yml
+++ b/dev/host_vars/podman.yml
@@ -0,0 +1,14 @@
 # base
 allow_reboot: false
 manage_network: false
 users:
  kris:
    uid: 1001
    gid: 1001
    home: true
 # podman
 user_namespaces:
  - kris
--- a/dev/podman.yml
+++ b/dev/podman.yml
@@ -0,0 +1,8 @@
 - name: Install Podman server
  hosts: all
  become: true
  vars_files:
    - host_vars/podman.yml
  roles:
    - base
    - podman
--- a/forward-ssh.sh
+++ b/forward-ssh.sh
@@ -1,11 +1,28 @@
 #!/bin/bash
 # Finds the SSH private key under ./.vagrant and connects to
-# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
+# the Vagrant box, port forwarding localhost ports: 8443, 443, 80, 22
 #
 # Download the latest script:
 # https://git.krislamo.org/kris/homelab/raw/branch/main/forward-ssh.sh
 #
 # Copyright (C) 2023  Kris Lamoureux
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 # Root check
 if [ "$EUID" -ne 0 ]; then
-  echo "[ERROR]: Please run script as root"
+  echo "[ERROR]: Please run this script as root"
  exit 1
 fi
@@ -24,8 +41,8 @@ function ssh_connect {
      printf "[INFO]: Starting new vagrant SSH tunnel on PID "
      sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
        -L 22:localhost:22 \
-        -L 80:localhost:80 \
+        -L 80:"$HOST_IP":80 \
-        -L 443:localhost:443 \
+        -L 443:"$HOST_IP":443 \
        -L 8443:localhost:8443 \
        -o UserKnownHostsFile=/dev/null \
        -o StrictHostKeyChecking=no \
@@ -34,28 +51,45 @@ function ssh_connect {
      pgrep -f "$MATCH_PATTERN"
      ;;
    *)
-      echo "[INFO]: Delined to start a new vagrant SSH tunnel"
+      echo "[INFO]: Declined to start a new vagrant SSH tunnel"
      exit 0
      ;;
  esac
 }
 # Check for valid PRIVATE_KEY location
-PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
+PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null | sort)"
-if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
+
 # Single vagrant machine or multiple
 if [ "$(echo "$PRIVATE_KEY" | wc -l)" -gt 1 ]; then
  while IFS= read -r KEYFILE; do
    if ! ssh-keygen -l -f "$KEYFILE" &>/dev/null; then
      echo "[ERROR]: The SSH key '$KEYFILE' is not valid. Are your virtual machines running?"
      exit 1
    fi
    echo "[CHECK]: Valid key at $KEYFILE"
  done < <(echo "$PRIVATE_KEY")
  PRIVATE_KEY="$(echo "$PRIVATE_KEY" | grep -m1 "${1:-default}")"
 elif ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
  echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
  exit 1
 else
  echo "[CHECK]: Valid key at $PRIVATE_KEY"
 fi
 echo "[CHECK]: Valid key at $PRIVATE_KEY"
 # Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
-HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
+HOST_IP="$(sudo -u "$SUDO_USER" vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
 if [ -z "$HOST_IP" ]; then
  echo "[ERROR]: Failed to find ${1:-default}'s IP"
  exit 1
 fi
 HOST_IP="${HOST_IP::-1}" # trim
 if ! ping -c 1 "$HOST_IP" &>/dev/null; then
  echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
  exit 1
 fi
-echo "[CHECK]: Host at $HOST_IP is up"
+echo "[CHECK]: Host at $HOST_IP (${1:-default}) is up"
 # Pattern for matching processes running
 MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -4,4 +4,5 @@
  roles:
    - base
    - jenkins
    - proxy
    - docker
--- a/playbooks/dockerbox.yml
+++ b/playbooks/dockerbox.yml
@@ -3,9 +3,9 @@
  become: true
  roles:
    - base
    - jenkins
    - docker
    - mariadb
    - traefik
    - nextcloud
-    - jenkins
+    - proxy
    - prometheus
    - nginx
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@@ -26,7 +26,7 @@
  ansible.builtin.template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
-    mode: "700"
+    mode: "644"
  notify: restart_samba
 - name: Start smbd and enable on boot
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -80,8 +80,10 @@
    state: present
    uid: "{{ item.value.uid }}"
    group: "{{ item.value.gid }}"
    groups: "{{ item.value.groups | default([]) }}"
    shell: "{{ item.value.shell | default('/bin/bash') }}"
    create_home: "{{ item.value.home | default(false) }}"
    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
    system: "{{ item.value.system | default(false) }}"
  loop: "{{ users | dict2items }}"
  loop_control:
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -18,6 +18,28 @@
    src: /etc/wireguard/privatekey
  register: wgkey
 - name: Check if WireGuard preshared key file exists
  ansible.builtin.stat:
    path: /etc/wireguard/presharedkey-{{ item.name }}
  loop: "{{ wireguard.peers }}"
  loop_control:
    label: "{{ item.name }}"
  register: presharedkey_files
 - name: Grab WireGuard preshared key for configuration
  ansible.builtin.slurp:
    src: /etc/wireguard/presharedkey-{{ item.item.name }}
  register: wgshared
  loop: "{{ presharedkey_files.results }}"
  loop_control:
    label: "{{ item.item.name }}"
  when: item.stat.exists
 - name: Grab WireGuard private key for configuration
  ansible.builtin.slurp:
    src: /etc/wireguard/privatekey
  register: wgkey
 - name: Install WireGuard configuration
  ansible.builtin.template:
    src: wireguard.j2
--- a/roles/base/templates/wireguard.j2
+++ b/roles/base/templates/wireguard.j2
@@ -1,4 +1,6 @@
-[Interface]
+# {{ ansible_managed }}
 [Interface] # {{ ansible_hostname }}
 PrivateKey = {{ wgkey['content'] | b64decode | trim }}
 Address = {{ wireguard.address }}
 {% if wireguard.listenport is defined %}
@@ -6,8 +8,26 @@ ListenPort = {{ wireguard.listenport }}
 {% endif %}
 {% for peer in wireguard.peers %}
 {% if peer.name is defined %}
 [Peer] # {{ peer.name }}
 {% else %}
 [Peer]
 {% endif %}
 PublicKey = {{ peer.publickey }}
 {% if peer.presharedkey is defined %}
 PresharedKey = {{ peer.presharedkey }}
 {% else %}
 {% set preshared_key = (
    wgshared.results
    | selectattr('item.item.name', 'equalto', peer.name)
    | first
  ).content
  | default(none)
 %}
 {% if preshared_key is not none %}
 PresharedKey = {{ preshared_key | b64decode | trim }}
 {% endif %}
 {% endif %}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@@ -1,7 +1,10 @@
 bitwarden_name: bitwarden
-bitwarden_root: "/var/lib/{{ bitwarden_name }}"
+bitwarden_user: bitwarden
 bitwarden_root: /home/bitwarden
 bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
-bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
+bitwarden_logs_identity_date:
  "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{
  ansible_date_time.day }}"
 bitwarden_database: "{{ bitwarden_name }}"
 bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
--- a/roles/bitwarden/handlers/main.yml
+++ b/roles/bitwarden/handlers/main.yml
@@ -5,7 +5,12 @@
  listen: rebuild_bitwarden
 - name: Rebuild Bitwarden
-  ansible.builtin.shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
+  ansible.builtin.command: "{{ bitwarden_root }}/bitwarden.sh rebuild"
  listen: rebuild_bitwarden
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
    daemon_reload: true
  listen: rebuild_bitwarden
 - name: Start Bitwarden after rebuild
@@ -14,3 +19,10 @@
    state: started
    enabled: true
  listen: rebuild_bitwarden
 - name: Create Bitwarden's initial log file
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
    state: touch
    mode: "644"
  listen: touch_bitwarden
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -3,33 +3,39 @@
    name: expect
    state: present
 - name: Create Bitwarden directory
  ansible.builtin.file:
    path: "{{ bitwarden_root }}"
    state: directory
 - name: Download Bitwarden script
  ansible.builtin.get_url:
    url: "https://raw.githubusercontent.com/\
      bitwarden/self-host/master/bitwarden.sh"
    dest: "{{ bitwarden_root }}"
    owner: "{{ bitwarden_user }}"
    group: "{{ bitwarden_user }}"
    mode: u+x
 - name: Install Bitwarden script wrapper
  ansible.builtin.template:
    src: bw_wrapper.j2
    dest: "{{ bitwarden_root }}/bw_wrapper"
    owner: "{{ bitwarden_user }}"
    group: "{{ bitwarden_user }}"
    mode: u+x
 - name: Run Bitwarden installation script
-  ansible.builtin.shell: "{{ bitwarden_root }}/bw_wrapper"
+  ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
  args:
    creates: "{{ bitwarden_root }}/bwdata/config.yml"
  become_user: "{{ bitwarden_user }}"
  become: true
 - name: Install compose override
  ansible.builtin.template:
    src: compose.override.yml.j2
    dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
    owner: "{{ bitwarden_user }}"
    group: "{{ bitwarden_user }}"
    mode: "644"
  become_user: "{{ bitwarden_user }}"
  become: true
  when: bitwarden_override | default(true)
  notify: rebuild_bitwarden
@@ -38,6 +44,8 @@
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^http_port: 80$"
    replace: "http_port: {{ bitwarden_http_port | default('127.0.0.1:9080') }}"
  become_user: "{{ bitwarden_user }}"
  become: true
  when: not bitwarden_standalone
  notify: rebuild_bitwarden
@@ -45,7 +53,10 @@
  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^https_port: 443$"
-    replace: "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
+    replace:
      "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
  become_user: "{{ bitwarden_user }}"
  become: true
  when: not bitwarden_standalone
  notify: rebuild_bitwarden
@@ -54,6 +65,8 @@
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^ssl_managed_lets_encrypt: true$"
    replace: "ssl_managed_lets_encrypt: false"
  become_user: "{{ bitwarden_user }}"
  become: true
  when: not bitwarden_standalone or not bitwarden_production
  notify: rebuild_bitwarden
@@ -62,6 +75,8 @@
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^ssl: true$"
    replace: "ssl: false"
  become_user: "{{ bitwarden_user }}"
  become: true
  when: not bitwarden_standalone
  notify: rebuild_bitwarden
@@ -70,12 +85,17 @@
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    line: "- {{ bitwarden_realips }}"
    insertafter: "^real_ips"
  become_user: "{{ bitwarden_user }}"
  become: true
  notify: rebuild_bitwarden
 - name: Install Bitwarden systemd service
  ansible.builtin.template:
    src: bitwarden.service.j2
    dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
    owner: "{{ bitwarden_user }}"
    group: "{{ bitwarden_user }}"
    mode: "644"
  register: bitwarden_systemd
  notify: rebuild_bitwarden
@@ -83,22 +103,14 @@
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}"
    state: directory
-  register: bitwarden_logs
+    owner: "{{ bitwarden_user }}"
-
+    group: "{{ bitwarden_user }}"
- name: Create Bitwarden's initial log file
+    mode: "755"
-  ansible.builtin.file:
+  notify: touch_bitwarden
    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
    state: touch
  when: bitwarden_logs.changed
 - name: Install Bitwarden's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/bitwarden.conf
    mode: "640"
  notify: restart_fail2ban
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
    daemon_reload: true
  when: bitwarden_systemd.changed
  notify: rebuild_bitwarden
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -24,15 +24,21 @@
 - name: Install/uninstall Docker from Debian repositories
  ansible.builtin.apt:
-    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
+    name: ["docker.io", "docker-compose", "containerd", "runc"]
    state: "{{ 'absent' if docker_official else 'present' }}"
    autoremove: true
    update_cache: true
 - name: Install/uninstall Docker from Docker repositories
  ansible.builtin.apt:
-    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
+    name:
-           'docker-buildx-plugin', 'docker-compose-plugin']
+      [
        "docker-ce",
        "docker-ce-cli",
        "containerd.io",
        "docker-buildx-plugin",
        "docker-compose-plugin",
      ]
    state: "{{ 'present' if docker_official else 'absent' }}"
    autoremove: true
    update_cache: true
@@ -135,14 +141,6 @@
    label: "{{ item.name }}"
  when: docker_compose_deploy is defined and item.env is defined
 - name: Add users to docker group
  ansible.builtin.user:
    name: "{{ item }}"
    groups: docker
    append: true
  loop: "{{ docker_users }}"
  when: docker_users is defined
 - name: Start Docker and enable on boot
  ansible.builtin.service:
    name: docker
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -21,6 +21,7 @@
 - name: Create git's .ssh directory
  ansible.builtin.file:
    path: /home/git/.ssh
    mode: "700"
    state: directory
 - name: Generate git's SSH keys
@@ -40,6 +41,7 @@
 - name: Create git's authorized_keys file
  ansible.builtin.file:
    path: /home/git/.ssh/authorized_keys
    mode: "600"
    state: touch
  when: not git_authkeys.stat.exists
@@ -53,21 +55,24 @@
  ansible.builtin.template:
    src: gitea.sh.j2
    dest: /usr/local/bin/gitea
-    mode: 0755
+    mode: "755"
 - name: Create Gitea's logging directory
  ansible.builtin.file:
    name: /var/log/gitea
    state: directory
    mode: "755"
 - name: Install Gitea's Fail2ban filter
  ansible.builtin.template:
    src: fail2ban-filter.conf.j2
    dest: /etc/fail2ban/filter.d/gitea.conf
    mode: "644"
  notify: restart_fail2ban
 - name: Install Gitea's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/gitea.conf
    mode: "640"
  notify: restart_fail2ban
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -15,7 +15,7 @@ services:
    networks:
      - traefik
    labels:
-      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
+      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
 {% if traefik_http_only %}
      - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -6,7 +6,7 @@
  listen: restart_mariadb
 - name: Set MariaDB as restarted
-  set_fact:
+  ansible.builtin.set_fact:
    mariadb_restarted: true
  when: not mariadb_restarted
  listen: restart_mariadb
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -4,7 +4,7 @@
    state: present
 - name: Set MariaDB restarted fact
-  set_fact:
+  ansible.builtin.set_fact:
    mariadb_restarted: false
 - name: Regather facts for the potentially new docker0 interface
@@ -16,6 +16,12 @@
    regex: "^bind-address"
    line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
  notify: restart_mariadb
  when: ansible_facts.docker0 is defined
 - name: Flush handlers to ensure MariaDB restarts immediately
  ansible.builtin.meta: flush_handlers
  tags: restart_mariadb
  when: ansible_facts.docker0 is defined
 - name: Allow database connections from Docker
  community.general.ufw:
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -1,11 +1 @@
-# container names
+nextcloud_name: nextcloud
 nextcloud_container: nextcloud
 nextcloud_dbcontainer: "{{ nextcloud_container }}-db"
 # database settings
 nextcloud_dbname: "{{ nextcloud_container }}"
 nextcloud_dbuser: "{{ nextcloud_dbname }}"
 # host mounts
 nextcloud_root: "/opt/{{ nextcloud_container }}/public_html"
 nextcloud_dbroot: "/opt/{{ nextcloud_container }}/database"
--- a/roles/nextcloud/handlers/main.yml
+++ b/roles/nextcloud/handlers/main.yml
@@ -0,0 +1,25 @@
 - name: Set Nextcloud's Trusted Proxy
  ansible.builtin.command: >
    docker exec --user www-data "{{ nextcloud_name }}"
      php occ config:system:set trusted_proxies 0 --value="{{ traefik_name }}"
  register: nextcloud_trusted_proxy
  changed_when: "nextcloud_trusted_proxy.stdout == 'System config value trusted_proxies => 0 set to string ' ~ traefik_name"
  listen: install_nextcloud
 - name: Set Nextcloud's Trusted Domain
  ansible.builtin.command: >
    docker exec --user www-data "{{ nextcloud_name }}"
      php occ config:system:set trusted_domains 0 --value="{{ nextcloud.DOMAIN }}"
  register: nextcloud_trusted_domains
  changed_when: "nextcloud_trusted_domains.stdout == 'System config value trusted_domains => 0 set to string ' ~ nextcloud.DOMAIN"
  listen: install_nextcloud
 - name: Preform Nextcloud database maintenance
  ansible.builtin.command: >
    docker exec --user www-data "{{ nextcloud_name }}" {{ item }}
  loop:
    - "php occ maintenance:mode --on"
    - "php occ db:add-missing-indices"
    - "php occ db:convert-filecache-bigint"
    - "php occ maintenance:mode --off"
  listen: install_nextcloud
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -1,109 +1,62 @@
- name: Create Nextcloud network
+- name: Install MySQL module for Ansible
-  community.general.docker_network:
+  ansible.builtin.apt:
-    name: "{{ nextcloud_container }}"
+    name: python3-pymysql
    state: present
- name: Start Nextcloud's database container
+- name: Create Nextcloud database
-  community.general.docker_container:
+  community.mysql.mysql_db:
-    name: "{{ nextcloud_dbcontainer }}"
+    name: "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-    image: mariadb:{{ nextcloud_dbversion }}
+    state: present
    login_unix_socket: /var/run/mysqld/mysqld.sock
 - name: Create Nextcloud database user
  community.mysql.mysql_user:
    name: "{{ nextcloud.DB_USER | default('nextcloud') }}"
    password: "{{ nextcloud.DB_PASSWD }}"
    host: '%'
    state: present
    priv: "{{ nextcloud.DB_NAME | default('nextcloud') }}.*:ALL"
    login_unix_socket: /var/run/mysqld/mysqld.sock
 - name: Start Nextcloud service and enable on boot
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ nextcloud_name }}"
    state: started
-    restart_policy: always
+    enabled: true
-    volumes: "{{ nextcloud_dbroot }}:/var/lib/mysql"
+  when: nextcloud.ENABLE | default('false')
    networks_cli_compatible: true
    networks:
      - name: "{{ nextcloud_container }}"
    env:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "{{ nextcloud_dbname }}"
      MYSQL_USER: "{{ nextcloud_dbuser }}"
      MYSQL_PASSWORD: "{{ nextcloud_dbpass }}"
 - name: Start Nextcloud container
  community.general.docker_container:
    name: "{{ nextcloud_container }}"
    image: nextcloud:{{ nextcloud_version }}
    state: started
    restart_policy: always
    volumes: "{{ nextcloud_root }}:/var/www/html"
    networks_cli_compatible: true
    networks:
      - name: "{{ nextcloud_container }}"
      - name: traefik
    env:
      PHP_MEMORY_LIMIT: 1024M
    labels:
      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
      traefik.http.routers.nextcloud.entrypoints: websecure
      traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
      traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
      traefik.docker.network: traefik
      traefik.enable: "true"
 - name: Grab Nextcloud database container information
  community.general.docker_container_info:
    name: "{{ nextcloud_dbcontainer }}"
  register: nextcloud_dbinfo
 - name: Grab Nextcloud container information
  community.general.docker_container_info:
-    name: "{{ nextcloud_container }}"
+    name: "{{ nextcloud_name }}"
  register: nextcloud_info
 - name: Wait for Nextcloud to become available
  ansible.builtin.wait_for:
    host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
    delay: 10
    port: 80
 - name: Check Nextcloud status
-  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: >
-            php occ status"
+    docker exec --user www-data "{{ nextcloud_name }}" php occ status
  register: nextcloud_status
-  args:
+  changed_when: false
    removes: "{{ nextcloud_root }}/config/CAN_INSTALL"
 - name: Wait for Nextcloud database to become available
  ansible.builtin.wait_for:
    host: "{{ nextcloud_dbinfo.container.NetworkSettings.Networks.nextcloud.IPAddress }}"
    port: 3306
 - name: Install Nextcloud
-  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: >
    docker exec --user www-data {{ nextcloud_name }}
      php occ maintenance:install
        --database "mysql"
-              --database-host "{{ nextcloud_dbcontainer }}"
+        --database-host "{{ nextcloud.DB_HOST | default('host.docker.internal') }}"
-              --database-name "{{ nextcloud_dbname }}"
+        --database-name "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-              --database-user "{{ nextcloud_dbuser }}"
+        --database-user "{{ nextcloud.DB_USER | default('nextcloud') }}"
-              --database-pass "{{ nextcloud_dbpass }}"
+        --database-pass "{{ nextcloud.DB_PASSWD }}"
-              --admin-user "{{ nextcloud_admin }}"
+        --admin-user "{{ nextcloud.ADMIN_USER | default('admin') }}"
-              --admin-pass "{{ nextcloud_pass }}"'
+        --admin-pass "{{ nextcloud.ADMIN_PASSWD }}"
  register: nextcloud_install
-  when:
+  when: nextcloud_status.stderr[:26] == "Nextcloud is not installed"
-    - nextcloud_status.stdout[:26] == "Nextcloud is not installed"
+  changed_when: nextcloud_install.stdout == "Nextcloud was successfully installed"
-    - nextcloud_domain is defined
+  notify: install_nextcloud
 - name: Set Nextcloud's Trusted Proxy
  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ config:system:set trusted_proxies 0
              --value="{{ traefik_name }}"'
  when: nextcloud_install.changed
 - name: Set Nextcloud's Trusted Domain
  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ config:system:set trusted_domains 0
              --value="{{ nextcloud_domain }}"'
  when: nextcloud_install.changed
 - name: Preform Nextcloud database maintenance
  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
  loop:
    - "php occ maintenance:mode --on"
    - "php occ db:add-missing-indices"
    - "php occ db:convert-filecache-bigint"
    - "php occ maintenance:mode --off"
  when: nextcloud_install.changed
 - name: Install Nextcloud background jobs cron
  ansible.builtin.cron:
@@ -111,8 +64,3 @@
    minute: "*/5"
    job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
    user: root
 - name: Remove Nextcloud's CAN_INSTALL file
  ansible.builtin.file:
    path: "{{ nextcloud_root }}/config/CAN_INSTALL"
    state: absent
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@@ -0,0 +1,62 @@
 - name: Install Podman
  ansible.builtin.apt:
    name: ["podman", "podman-compose", "podman-docker"]
    state: present
 - name: Get user info for namespace users
  ansible.builtin.getent:
    database: passwd
    key: "{{ item }}"
  loop: "{{ user_namespaces }}"
  register: user_info
 - name: Configure /etc/subuid for rootless users
  ansible.builtin.lineinfile:
    path: "/etc/subuid"
    line:
      "{{ item.item }}:{{ 100000 +
      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
      }}:65536"
    regexp: "^{{ item.item }}:"
    create: true
    backup: true
    mode: "0644"
  loop: "{{ user_info.results }}"
 - name: Configure /etc/subgid for rootless users
  ansible.builtin.lineinfile:
    path: "/etc/subgid"
    line:
      "{{ item.item }}:{{ 100000 +
      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
      }}:65536"
    regexp: "^{{ item.item }}:"
    create: true
    backup: true
    mode: "0644"
  loop: "{{ user_info.results }}"
 - name: Create nodocker file to disable Docker CLI emulation message
  ansible.builtin.file:
    path: /etc/containers/nodocker
    state: touch
    owner: root
    group: root
    mode: "0644"
 - name: Create global containers config directory
  ansible.builtin.file:
    path: /etc/containers
    state: directory
    mode: "0755"
 - name: Configure global containers.conf for rootless
  ansible.builtin.copy:
    content: |
      [engine]
      cgroup_manager = "cgroupfs"
      events_logger = "journald"
      runtime = "crun"
    dest: /etc/containers/containers.conf
    mode: "0644"
    backup: true
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -0,0 +1 @@
 cached_dhparams_pem: /vagrant/scratch/dhparams.pem
--- a/roles/proxy/handlers/main.yml
+++ b/roles/proxy/handlers/main.yml
@@ -1,3 +1,13 @@
 - name: Enable nginx sites configuration
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
    state: link
    mode: "400"
  loop: "{{ nginx_sites.results }}"
  when: item.changed
  listen: reload_nginx
 - name: Reload nginx
  ansible.builtin.service:
    name: nginx
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -10,6 +10,19 @@
    state: started
    enabled: true
 - name: Check for cached dhparams.pem file
  ansible.builtin.stat:
    path: "{{ cached_dhparams_pem }}"
  register: dhparams_file
 - name: Copy cached dhparams.pem to /etc/ssl/
  ansible.builtin.copy:
    src: "{{ cached_dhparams_pem }}"
    dest: /etc/ssl/dhparams.pem
    mode: "600"
    remote_src: true
  when: dhparams_file.stat.exists
 - name: Generate DH Parameters
  community.crypto.openssl_dhparam:
    path: /etc/ssl/dhparams.pem
@@ -19,30 +32,21 @@
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
-    mode: 0644
+    mode: "644"
  notify: reload_nginx
 - name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: 0400
+    mode: "400"
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites
 - name: Enable nginx sites configuration
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
    state: link
    mode: 0400
  loop: "{{ nginx_sites.results }}"
  when: item.changed
  notify: reload_nginx
 - name: Generate self-signed certificate
-  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+  ansible.builtin.command:
    'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
    -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out    /etc/ssl/certs/nginx-selfsigned.crt'
@@ -53,29 +57,36 @@
 - name: Install LE's certbot
  ansible.builtin.apt:
-    name: ['certbot', 'python3-certbot-dns-cloudflare']
+    name: ["certbot", "python3-certbot-dns-cloudflare"]
    state: present
  when: proxy.production is defined and proxy.production
 - name: Grab Cloudflare API token for configuration
  ansible.builtin.slurp:
    src: /root/.cloudflare-api
  register: cfapi
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Install Cloudflare API token
  ansible.builtin.template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
-    mode: 0400
+    mode: "400"
  diff: false
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Create nginx post renewal hook directory
  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/post
    state: directory
-    mode: 0500
+    mode: "500"
  when: proxy.production is defined and proxy.production
 - name: Install nginx post renewal hook
  ansible.builtin.copy:
    src: reload-nginx.sh
    dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
-    mode: '0755'
+    mode: "0755"
  when: proxy.production is defined and proxy.production
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
--- a/roles/proxy/templates/cloudflare.ini.j2
+++ b/roles/proxy/templates/cloudflare.ini.j2
@@ -1,2 +1,2 @@
 # Cloudflare API token used by Certbot
-dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
+dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -28,13 +28,19 @@ server {
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
 {% if item.hsts is defined %}
  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
 {% endif %}
 {% if item.client_max_body_size is defined %}
  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
  location / {
 {% if item.hsts is defined %}
    add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
 {% endif %}
 {% if item.allowedips is defined %}
 {% for ip in item.allowedips %}
    allow {{ ip }};
 {% endfor %}
    deny all;
 {% endif %}
 {% if item.restrict is defined and item.restrict %}
    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
@@ -43,6 +49,7 @@ server {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
    proxy_ssl_verify off;
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -21,20 +21,6 @@
  loop: "{{ traefik_external }}"
  when: traefik_external is defined
 - name: Install Traefik's docker-compose file
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ traefik_root }}/docker-compose.yml"
    mode: 0400
  notify: restart_traefik
 - name: Install Traefik's docker-compose variables
  ansible.builtin.template:
    src: compose-env.j2
    dest: "{{ traefik_root }}/.env"
    mode: 0400
  notify: restart_traefik
 - name: Install static Traefik configuration
  ansible.builtin.template:
    src: traefik.yml.j2
@@ -42,8 +28,9 @@
    mode: 0400
  notify: restart_traefik
- name: Start and enable Traefik service
+- name: Start Traefik service and enable on boot
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ traefik_name }}"
    state: started
    enabled: true
  when: traefik.ENABLED | default('false')
Author	SHA1	Message	Date
Kris Lamoureux	ea9603a2db	testing	2025-08-08 01:31:39 -04:00
Kris Lamoureux	d954c64e23	Add Podman deployment configuration	2025-08-07 00:24:58 -04:00
Kris Lamoureux	ccf6b10a0e	Add GPG key and reorganize dockerbox configuration - Add new primary GPG key in dev config for compose repos - Slight reorganization of the dockerbox production playbook - Remove group management in the docker role - Move HSTS inside the location block - Add git ignore entry for .ansible files - Add X-Forwarded-Proto proxy header	2025-03-26 22:07:06 -04:00
Kris Lamoureux	bd8eca0466	Remove redundant group management for Docker users - Minor formatting updated	2025-01-19 17:48:45 -05:00
Kris Lamoureux	56c3721a5e	Add flexible home and group controls for users	2025-01-19 16:28:54 -05:00
Kris Lamoureux	77c9b12186	Add multi-domain support for Jellyfin - Allow Jellyfin to operate on multiple domains via Host rule config - Move Cloudflare API tokens from Ansible inventory to manual file - Minor formatting	2024-12-29 02:22:46 -05:00
Kris Lamoureux	3102c621f0	Add optional IP restriction for nginx site configs	2024-10-19 21:08:15 -04:00
Kris Lamoureux	e3f03edf3f	Use file-based preshared keys for WireGuard - Include proxy role in standard Docker playbook	2024-10-13 22:27:27 -04:00
Kris Lamoureux	f481a965dd	Update Samba and WireGuard configuration - Adjust Samba config file permissions to 644 - Introduce PresharedKey option in WireGuard config template	2024-09-10 22:35:20 -04:00
Kris Lamoureux	a0aa289c05	Restrict GitHub Actions to a dedicated branch - The Vagrant testing setup on macos-latest is broken - Temporary measure until fixed or abandoned	2024-09-10 22:11:31 -04:00
Kris Lamoureux	324fe0b191	Upgrade Nextcloud setup to use compose files - Integrated MariaDB role into Dockerbox configuration - Moved proxy role to the end to avoid early endpoint activation - Temporarily disabled select roles for future re-evaluation - Introduced flush_handlers task for early MariaDB restart - Moved a few Nextcloud tasks to handlers - Configured Nextcloud to utilize the host's MariaDB instance - Enhanced overall code linting quality	2024-04-21 22:27:48 -04:00
Kris Lamoureux	6fbd3c53bb	Add Vagrant cache option for dhparams.pem	2024-03-26 21:51:39 -04:00
Kris Lamoureux	01e8e22c01	Prevent running 'vagrant ssh' as root Resolve possible issues with 'vagrant ssh' when executed as root	2024-03-04 23:42:40 -05:00
Kris Lamoureux	a31bf233dc	Slight message tweaks in forward-ssh.sh script	2023-12-09 13:16:46 -05:00
Kris Lamoureux	60fafed9cd	Update forward-ssh.sh script for Swarm support - Address limitations in Swarm with loopback binding - Ensure compatibility with localhost DNS wildcard A record - Enable port forwarding on 80 and 443 using VM IP for Swarm compatibility - Retain 8443:localhost:8443 for non-Swarm setups	2023-12-09 13:04:07 -05:00
Kris Lamoureux	2c00858590	Update README.md	2023-11-18 17:37:27 -05:00
Kris Lamoureux	be80681485	Add multi-machine support to forward-ssh.sh - Detects multiple private keys - Adds validation for all discovered keys - Defaults to "default" machine, with override via the first parameter	2023-11-05 21:37:33 -05:00
Kris Lamoureux	a2e60972c7	Comply with linting on proxy setup	2023-11-05 21:34:19 -05:00
Kris Lamoureux	598359854f	Update proxy role to comply with linting	2023-11-03 00:47:06 -04:00
Kris Lamoureux	ef812c1877	Add copyright notice on forward-ssh.sh	2023-11-03 00:12:12 -04:00
		`@@ -0,0 +1 @@`
							`cached_dhparams_pem: /vagrant/scratch/dhparams.pem`
`@@ -1,2 +1,2 @@`
	`# Cloudflare API token used by Certbot`	`# Cloudflare API token used by Certbot`
	`dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}`	`dns_cloudflare_api_token = {{ cfapi['content'] \| b64decode \| trim }}`