ctucx.git: ansible-configs

My personal ansible roles and playbooks

commit 6c4427224970e128587e19b19cfa6c0041c11136
parent 06d8deb2b722110e6983812a850266ce16926271
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 6 Apr 2021 18:58:34 +0200

move allmost all services to osterei
3 files changed, 377 insertions(+), 491 deletions(-)
M
configuration/osterei.yml
|
336
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
configuration/wanderduene.yml
|
476
+------------------------------------------------------------------------------
M
playbook.yml
|
56
++++++++++++++++++++++++++++++++++++++++----------------
diff --git a/configuration/osterei.yml b/configuration/osterei.yml
@@ -77,6 +77,29 @@ files:
     mode:    "0755"
     owner:   "leah"
     group:   "nginx"
+  /var/lib/websites/photos.ctu.cx:
+    state:   "directory"
+    mode:    "0755"
+    owner:   "leah"
+    group:   "nginx"
+  /etc/nginx/passwd/print:
+    state:   "file"
+    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/ctu.cx/drucken returnall=true')}}"
+    mode:    "0600"
+    owner:   "nginx"
+    group:   "nginx"
+  /etc/nginx/passwd/synapse:
+    state:   "file"
+    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}"
+    mode:    "0600"
+    owner:   "nginx"
+    group:   "nginx"
+  /usr/share/webapps/cgit/custom-cgit.css:
+    state:   "file"
+    src:     "config-files/wanderduene/cgit/cgit.css"
+    mode:    "0600"
+    owner:   "nginx"
+    group:   "nginx"
 
 services:
   openssh:

@@ -94,13 +117,31 @@ services:
   vnstat:
     enable: true
 
+  bind:
+    enable: true
+    zonesRepo: https://cgit.ctu.cx/dns-zones
+    serveDomains:
+      - ctu.cx
+      - ctucx.de
+      - thein.ovh
+      - antifa.jetzt
+      - oeffisear.ch
+      - trans-agenda.de
+
   acme_redirect:
     enable: true
     email: lets-encrypt@ctu.cx
     certs:
+      ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
       osterei.ctu.cx:
         renewTasks:
           - sudo rc-service nginx restart
+          - sudo rc-service maddy restart
+      syncthing.osterei.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
       fbexporter.ctu.cx:
         renewTasks:
           - sudo rc-service nginx restart

@@ -120,6 +161,30 @@ services:
           - isa-mac.frp.ctu.cx
         renewTasks:
           - sudo rc-service nginx restart
+      dav.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
+      cgit.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
+      oeffi.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
+      pleroma.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
+      matrix.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
+      photos.ctu.cx:
+        renewTasks:
+          - sudo rc-service nginx restart
+      repo.f2k1.de:
+        renewTasks:
+          - sudo rc-service nginx restart
+      oeffisear.ch:
+        renewTasks:
+          - sudo rc-service nginx restart
 
   nginx:
     enable: true

@@ -137,6 +202,60 @@ services:
         locations:
           - path: /node-exporter
             proxy: http://127.0.0.1:9100/metrics
+      ctu.cx:
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/ctu.cx/fullchain"
+          privkey: "/var/lib/acme-redirect/live/ctu.cx/privkey"
+        root: /var/lib/websites/ctu.cx
+        locations:
+          - path: "/.well-known/host-meta"
+            extraConfig: "return 301 https://pleroma.ctu.cx$request_uri;"
+          - path: "/.well-known/matrix/client"
+            extraConfig: '
+              add_header Content-Type application/json;
+              return 200 "{\"m.homeserver\": {\"base_url\": \"https://matrix.ctu.cx\"}}";
+            '
+          - path: "/.well-known/matrix/server"
+            extraConfig: '
+              add_header Content-Type application/json;
+              return 200 "{\"m.server\": \"matrix.ctu.cx:443\"}";
+            '
+          - path: "/vodafone-map"
+            extraConfig: '
+              proxy_set_header Accept-Encoding "";
+              proxy_pass https://netmap.vodafone.de/arcgis/rest/services/CoKart/netzabdeckung_mobilfunk_4x/MapServer;
+            '
+          - path: "/magenta-at-map"
+            extraConfig: '
+              proxy_set_header Accept-Encoding "";
+              proxy_pass https://app.wigeogis.com/kunden/tmobile/data/geoserver.php;
+            '
+          - path: "/drei-at-data"
+            extraConfig: '
+              proxy_set_header Accept-Encoding "";
+              proxy_pass https://www.drei.at/media/common/netzabdeckung;
+              proxy_hide_header "access-control-allow-origin";
+              add_header "access-control-allow-origin" "*";
+            '
+          - path: "/drucken"
+            directoryListing: true
+            baiscAuth: /etc/nginx/passwd/print
+          - path: "/cypro-dispenser"
+            directoryListing: true
+            extraConfig: "
+              autoindex_format xml;
+              xslt_string_param path $uri;
+              xslt_stylesheet /var/lib/websites/superbindex.xslt;
+            "
+      repo.f2k1.de:
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/repo.f2k1.de/fullchain"
+          privkey: "/var/lib/acme-redirect/live/repo.f2k1.de/privkey"
+        locations:
+          - path: /
+            proxy: http://127.0.0.1:8088
 
   prometheus:
     enable: true

@@ -275,3 +394,220 @@ services:
         - toaster
         - isa
         - isa-mac
+
+  oeffisearch:
+    enable: true
+    instances: 4 #currently not used and allways 4
+    nginx:
+      enable: true
+      domain: "oeffisear.ch"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/oeffisear.ch/fullchain"
+        privkey: "/var/lib/acme-redirect/live/oeffisear.ch/privkey"
+
+  oeffi_web:
+    enable: true
+    instances: 4 #currently not used and allways 4
+    nginx:
+      enable: true
+      domain: "oeffi.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/oeffi.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/oeffi.ctu.cx/privkey"
+
+  radicale:
+    enable: true
+    users: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/radicale.users returnall=true')}}"
+    nginx:
+      enable: true
+      domain: "dav.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/dav.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/dav.ctu.cx/privkey"
+
+  gitolite:
+    enable: true
+    initialKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829"
+
+  cgit:
+    enable: true
+    configFile: config-files/wanderduene/cgit/cgitrc
+    nginx:
+      enable: true
+      domain: "cgit.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/cgit.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/cgit.ctu.cx/privkey"
+
+  maddy:
+    enable: true
+    hostname: "osterei.ctu.cx"
+    ssl_cert: "/var/lib/acme-redirect/live/osterei.ctu.cx/fullchain"
+    ssl_privkey: "/var/lib/acme-redirect/live/osterei.ctu.cx/privkey"
+
+  syncthing:
+    enable: true
+    user: leah
+    nginx:
+      enable: true
+      domain: "syncthing.osterei.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/syncthing.osterei.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/syncthing.osterei.ctu.cx/privkey"
+
+  pleroma:
+    enable: true
+    configFile: config-files/wanderduene/pleroma.exs
+    secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}"
+    nginx:
+      enable: true
+      domain: "pleroma.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/pleroma.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/pleroma.ctu.cx/privkey"
+
+  synapse:
+    enable: true
+    homeserverConfig:
+      suppress_key_server_warning: true
+      no_tls: false
+      server_name: "ctu.cx"
+      pid_file: "/run/matrix-synapse.pid"
+      public_baseurl: "https://matrix.ctu.cx/"
+      listeners:
+        - port: 8008
+          bind_address: "127.0.0.1"
+          type: http
+          tls: false
+          x_forwarded: true
+          resources:
+            - names: ["client", "metrics"]
+              compress: true
+            - names: ["federation"]
+              compress: false
+      database:
+        name: "psycopg2"
+        args:
+          database: "synapse"
+      event_cache_size: "10K"
+      verbose: 0
+      rc_messages_per_second: 0.2
+      rc_message_burst_count: 10.0
+      federation_rc_window_size: 1000
+      federation_rc_sleep_limit: 10
+      federation_rc_sleep_delay: 500
+      federation_rc_reject_limit: 50
+      federation_rc_concurrent: 3
+      media_store_path: "/var/lib/synapse/media"
+      uploads_path: "/var/lib/synapse/uploads"
+      max_upload_size: "100M"
+      max_image_pixels: "32M"
+      dynamic_thumbnails: false
+      url_preview_enabled: true
+      url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]
+      url_preview_ip_range_whitelist: []
+      url_preview_url_blacklist: []
+      enable_registration: false
+      registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/osterei/synapse.secret')}}"
+      enable_registration_captcha: false
+      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+      turn_uris: []
+      turn_shared_secret: ""
+      turn_user_lifetime: "1h"
+      enable_metrics: true
+      user_creation_max_duration: 1209600000
+      bcrypt_rounds: 12
+      allow_guest_access: false
+      room_invite_state_types: ["m.room.join_rules", "m.room.canonical_alias", "m.room.avatar", "m.room.name"]
+      expire_access_token: false
+      report_stats: false
+      signing_key_path: "/var/lib/synapse/homeserver.signing.key"
+      key_refresh_interval: "1d"
+      redaction_retention_period: 7
+      perspectives:
+        servers:
+          "matrix.org":
+            verify_keys:
+              "ed25519:auto":
+                key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+    logConfig:
+      version: 1
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+      handlers:
+          file:
+              class: logging.handlers.TimedRotatingFileHandler
+              formatter: precise
+              filename: /var/log/synapse/homeserver.log
+              when: midnight
+              backupCount: 3  # Does not include the current log file.
+              encoding: utf8
+          buffer:
+              class: logging.handlers.MemoryHandler
+              target: file
+              capacity: 10
+              flushLevel: 30  # Flush for WARNING logs as well
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+      loggers:
+          synapse.storage.SQL:
+              level: INFO
+          twisted:
+              handlers: [file]
+              propagate: false
+      root:
+          level: INFO
+          handlers: [buffer]
+      disable_existing_loggers: false
+    webClient:
+      enable: true
+      configFile: config-files/wanderduene/schildichat-web.json
+    nginx:
+      enable: true
+      domain: "matrix.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/matrix.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/matrix.ctu.cx/privkey"
+      extraConfig: "
+        location /_synapse {
+          proxy_pass http://127.0.0.1:8008;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          auth_basic 'Authorization required';
+          auth_basic_user_file /etc/nginx/passwd/synapse;
+        }
+      "
+
+  ctucxGallery:
+    enable: true
+    user: leah
+    sourceDir: /home/leah/syncthing/Pictures/photos.ctu.cx
+    targetDir: /var/lib/websites/photos.ctu.cx
+    site:
+      name: ctucx' photos
+      author: ctucx
+      description: photos that i made
+      tags: ctucx, ctucx bahnbilder
+    nginx:
+      enable: true
+      domain: "photos.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/photos.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/photos.ctu.cx/privkey"
diff --git a/configuration/wanderduene.yml b/configuration/wanderduene.yml
@@ -29,21 +29,6 @@ system:
       fstype: ext4
       options: rw,relatime
       checks: 0 2
-    - device: 10.0.0.1:/srv/wanderduene/pleroma
-      path: /var/lib/pleroma
-      fstype: nfs
-      options: defaults,nolock
-      checks: 0 0
-    - device: 10.0.0.1:/srv/wanderduene/synapse
-      path: /var/lib/synapse
-      fstype: nfs
-      options: defaults,nolock
-      checks: 0 0
-    - device: 10.0.0.1:/srv/wanderduene/oeffisearch
-      path: /var/lib/oeffisearch
-      fstype: nfs
-      options: defaults,nolock
-      checks: 0 0
   nameservers:
     - 1.1.1.1
     - 8.8.8.8

@@ -80,37 +65,6 @@ network:
         address: 10.0.0.10
         netmask: 255.255.255.0
 
-files:
-  /var/lib/websites:
-    state:   "directory"
-    mode:    "0755"
-    owner:   "leah"
-    group:   "nginx"
-  /var/lib/websites/ctu.cx:
-    state:   "directory"
-    mode:    "0755"
-    owner:   "leah"
-    group:   "nginx"
-  /etc/nginx/passwd/print:
-    state:   "file"
-    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/ctu.cx/drucken returnall=true')}}"
-    mode:    "0600"
-    owner:   "nginx"
-    group:   "nginx"
-  /usr/share/webapps/cgit/custom-cgit.css:
-    state:   "file"
-    src:     "config-files/wanderduene/cgit/cgit.css"
-    mode:    "0600"
-    owner:   "nginx"
-    group:   "nginx"
-  /etc/nginx/passwd/synapse:
-    state:   "file"
-    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}"
-    mode:    "0600"
-    owner:   "nginx"
-    group:   "nginx"
-
-
 services:
   openssh:
     enable: true

@@ -122,7 +76,7 @@ services:
     enable: true
 
   postgresql:
-    enable: true
+    enable: false
 
   vnstat:
     enable: true

@@ -142,56 +96,10 @@ services:
     enable: true
     email: lets-encrypt@ctu.cx
     certs:
-      ctucx.de:
-        renewTasks:
-          - sudo rc-service nginx restart
-      ctu.cx:
-        renewTasks:
-          - sudo rc-service nginx restart
       wanderduene.ctu.cx:
         renewTasks:
           - sudo rc-service nginx restart
           - sudo rc-service maddy restart
-      matrix.ctu.cx:
-        renewTasks:
-          - sudo rc-service nginx restart
-      dav.ctu.cx:
-        renewTasks:
-          - sudo rc-service nginx restart
-      cgit.ctu.cx:
-        renewTasks:
-          - sudo rc-service nginx restart
-#      fbexporter.ctu.cx:
-#        renewTasks:
-#          - sudo rc-service nginx restart
-#      prometheus.ctu.cx:
-#        renewTasks:
-#          - sudo rc-service nginx restart
-#      grafana.ctu.cx:
-#        renewTasks:
-#          - sudo rc-service nginx restart
-      pleroma.ctu.cx:
-        renewTasks:
-          - sudo rc-service nginx restart
-#      frp.ctu.cx:
-#        extraDnsNames:
-#          - stasicontainer-mac.frp.ctu.cx
-#          - stasicontainer.frp.ctu.cx
-#          - coladose.frp.ctu.cx
-#          - toaster.frp.ctu.cx
-#          - isa.frp.ctu.cx
-#          - isa-mac.frp.ctu.cx
-#        renewTasks:
-#          - sudo rc-service nginx restart
-      oeffi.ctu.cx:
-        renewTasks:
-          - sudo rc-service nginx restart
-      repo.f2k1.de:
-        renewTasks:
-          - sudo rc-service nginx restart
-      oeffisear.ch:
-        renewTasks:
-          - sudo rc-service nginx restart
 
   nginx:
     enable: true

@@ -209,391 +117,9 @@ services:
         locations:
           - path: /node-exporter
             proxy: http://127.0.0.1:9100/metrics
-      ctu.cx:
-        ssl:
-          enable: true
-          cert: "/var/lib/acme-redirect/live/ctu.cx/fullchain"
-          privkey: "/var/lib/acme-redirect/live/ctu.cx/privkey"
-        root: /var/lib/websites/ctu.cx
-        locations:
-          - path: "/.well-known/host-meta"
-            extraConfig: "return 301 https://pleroma.ctu.cx$request_uri;"
-          - path: "/.well-known/matrix/client"
-            extraConfig: '
-              add_header Content-Type application/json;
-              return 200 "{\"m.homeserver\": {\"base_url\": \"https://matrix.ctu.cx\"}}";
-            '
-          - path: "/.well-known/matrix/server"
-            extraConfig: '
-              add_header Content-Type application/json;
-              return 200 "{\"m.server\": \"matrix.ctu.cx:443\"}";
-            '
-          - path: "/vodafone-map"
-            extraConfig: '
-              proxy_set_header Accept-Encoding "";
-              proxy_pass https://netmap.vodafone.de/arcgis/rest/services/CoKart/netzabdeckung_mobilfunk_4x/MapServer;
-            '
-          - path: "/magenta-at-map"
-            extraConfig: '
-              proxy_set_header Accept-Encoding "";
-              proxy_pass https://app.wigeogis.com/kunden/tmobile/data/geoserver.php;
-            '
-          - path: "/drei-at-data"
-            extraConfig: '
-              proxy_set_header Accept-Encoding "";
-              proxy_pass https://www.drei.at/media/common/netzabdeckung;
-              proxy_hide_header "access-control-allow-origin";
-              add_header "access-control-allow-origin" "*";
-            '
-          - path: "/drucken"
-            directoryListing: true
-            baiscAuth: /etc/nginx/passwd/print
-          - path: "/cypro-dispenser"
-            directoryListing: true
-            extraConfig: "
-              autoindex_format xml;
-              xslt_string_param path $uri;
-              xslt_stylesheet /var/lib/websites/superbindex.xslt;
-            "
-      repo.f2k1.de:
-        ssl:
-          enable: true
-          cert: "/var/lib/acme-redirect/live/repo.f2k1.de/fullchain"
-          privkey: "/var/lib/acme-redirect/live/repo.f2k1.de/privkey"
-        locations:
-          - path: /
-            proxy: http://127.0.0.1:8088
-
-  gitolite:
-    enable: true
-    initialKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829"
-
-  cgit:
-    enable: true
-    configFile: config-files/wanderduene/cgit/cgitrc
-    nginx:
-      enable: true
-      domain: "cgit.ctu.cx"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/cgit.ctu.cx/fullchain"
-        privkey: "/var/lib/acme-redirect/live/cgit.ctu.cx/privkey"
-
-  oeffisearch:
-    enable: true
-    instances: 4 #currently not used and allways 4
-    nginx:
-      enable: true
-      domain: "oeffisear.ch"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/oeffisear.ch/fullchain"
-        privkey: "/var/lib/acme-redirect/live/oeffisear.ch/privkey"
-
-  oeffi_web:
-    enable: true
-    instances: 4 #currently not used and allways 4
-    nginx:
-      enable: true
-      domain: "oeffi.ctu.cx"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/oeffi.ctu.cx/fullchain"
-        privkey: "/var/lib/acme-redirect/live/oeffi.ctu.cx/privkey"
 
   maddy:
     enable: true
     hostname: "wanderduene.ctu.cx"
     ssl_cert: "/var/lib/acme-redirect/live/wanderduene.ctu.cx/fullchain"
     ssl_privkey: "/var/lib/acme-redirect/live/wanderduene.ctu.cx/privkey"
-
-  radicale:
-    enable: true
-    users: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/radicale.users returnall=true')}}"
-    nginx:
-      enable: true
-      domain: "dav.ctu.cx"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/dav.ctu.cx/fullchain"
-        privkey: "/var/lib/acme-redirect/live/dav.ctu.cx/privkey"
-
-  synapse:
-    enable: true
-    homeserverConfig:
-      suppress_key_server_warning: true
-      no_tls: false
-      server_name: "ctu.cx"
-      pid_file: "/run/matrix-synapse.pid"
-      public_baseurl: "https://matrix.ctu.cx/"
-      listeners:
-        - port: 8008
-          bind_address: "127.0.0.1"
-          type: http
-          tls: false
-          x_forwarded: true
-          resources:
-            - names: ["client", "metrics"]
-              compress: true
-            - names: ["federation"]
-              compress: false
-      database:
-        name: "psycopg2"
-        args:
-          database: "synapse"
-      event_cache_size: "10K"
-      verbose: 0
-      rc_messages_per_second: 0.2
-      rc_message_burst_count: 10.0
-      federation_rc_window_size: 1000
-      federation_rc_sleep_limit: 10
-      federation_rc_sleep_delay: 500
-      federation_rc_reject_limit: 50
-      federation_rc_concurrent: 3
-      media_store_path: "/var/lib/synapse/media"
-      uploads_path: "/var/lib/synapse/uploads"
-      max_upload_size: "100M"
-      max_image_pixels: "32M"
-      dynamic_thumbnails: false
-      url_preview_enabled: true
-      url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]
-      url_preview_ip_range_whitelist: []
-      url_preview_url_blacklist: []
-      enable_registration: false
-      registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/wanderduene/synapse.secret')}}"
-      enable_registration_captcha: false
-      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
-      turn_uris: []
-      turn_shared_secret: ""
-      turn_user_lifetime: "1h"
-      enable_metrics: true
-      user_creation_max_duration: 1209600000
-      bcrypt_rounds: 12
-      allow_guest_access: false
-      room_invite_state_types: ["m.room.join_rules", "m.room.canonical_alias", "m.room.avatar", "m.room.name"]
-      expire_access_token: false
-      report_stats: false
-      signing_key_path: "/var/lib/synapse/homeserver.signing.key"
-      key_refresh_interval: "1d"
-      redaction_retention_period: 7
-      perspectives:
-        servers:
-          "matrix.org":
-            verify_keys:
-              "ed25519:auto":
-                key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
-    logConfig:
-      version: 1
-      formatters:
-          precise:
-              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-      handlers:
-          file:
-              class: logging.handlers.TimedRotatingFileHandler
-              formatter: precise
-              filename: /var/log/synapse/homeserver.log
-              when: midnight
-              backupCount: 3  # Does not include the current log file.
-              encoding: utf8
-          buffer:
-              class: logging.handlers.MemoryHandler
-              target: file
-              capacity: 10
-              flushLevel: 30  # Flush for WARNING logs as well
-          console:
-              class: logging.StreamHandler
-              formatter: precise
-      loggers:
-          synapse.storage.SQL:
-              level: INFO
-          twisted:
-              handlers: [file]
-              propagate: false
-      root:
-          level: INFO
-          handlers: [buffer]
-      disable_existing_loggers: false
-    webClient:
-      enable: true
-      configFile: config-files/wanderduene/schildichat-web.json
-    nginx:
-      enable: true
-      domain: "matrix.ctu.cx"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/matrix.ctu.cx/fullchain"
-        privkey: "/var/lib/acme-redirect/live/matrix.ctu.cx/privkey"
-      extraConfig: "
-        location /_synapse {
-          proxy_pass http://127.0.0.1:8008;
-          proxy_set_header X-Forwarded-For $remote_addr;
-          auth_basic 'Authorization required';
-          auth_basic_user_file /etc/nginx/passwd/synapse;
-        }
-      "
-#  prometheus:
-#    enable: true
-#    nginx:
-#      enable: true
-#      domain: "prometheus.ctu.cx"
-#      sslOnly: true
-#      ssl:
-#        enable: true
-#        cert: "/var/lib/acme-redirect/live/prometheus.ctu.cx/fullchain"
-#        privkey: "/var/lib/acme-redirect/live/prometheus.ctu.cx/privkey"
-#    config:
-#      global:
-#        scrape_interval: 20s
-#        evaluation_interval: 1m
-#      scrape_configs:
-#        - job_name: 'prometheus'
-#          static_configs:
-#          - targets: ['127.0.0.1:9090']
-
-#        - job_name: 'node-exporter'
-#          metrics_path: '/node-exporter'
-#          scheme: 'https'
-#          scrape_interval: 30s
-#          static_configs:
-#          - targets: [
-#            'wanderduene.ctu.cx',
-#            'taurus.ctu.cx',
-#            'quitschi.ctu.cx',
-#            'osterei.ctu.cx',
-#            'desastro.ctu.cx',
-#            'lollo.ctu.cx',
-#            'joguhrtbecher.ctu.cx',
-#            'repo.f2k1.de',
-#            'stasicontainer.home.ctu.cx',
-#            'toaster.frp.ctu.cx',
-#            'luna.f2k1.de'
-#          ]
-
-#        - job_name: 'fritzbox-exporter'
-#          metrics_path: '/metrics'
-#          scheme: 'https'
-#          scrape_interval: 30s
-#          static_configs:
-#          - targets: [
-#            'fbexporter.ctu.cx',
-#            'fbexporter.f2k1.de'
-#          ]
-
-#  grafana:
-#    enable: true
-#    configFile: config-files/wanderduene/grafana/grafana.ini
-#    provisioning:
-#      enable: true
-#      dashboards: config-files/wanderduene/grafana/dashboards
-#      datasources:
-#        - name: Prometheus
-#          type: prometheus
-#          access: proxy
-#          orgId: 1
-#          url: http://127.0.0.1:9090
-#          isDefault: true
-#          jsonData:
-#             httpMode: GET
-#          version: 1
-#          editable: false
-#
-#        - name: InfluxDB (Powermeters)
-#          type: influxdb
-#          access: proxy
-#          orgId: 1
-#          url: https://influx.home.ctu.cx
-#          database: powermeters
-##          secureJsonData:
-##            token: "{{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
-##          jsonData:
-##            version: Flux
-##            organization: organization
-##            defaultBucket: bucket
-##            tlsSkipVerify: true
-#          jsonData:
-#            httpMode: GET
-#            httpHeaderName1: "Authorization"
-#          secureJsonData:
-#            httpHeaderValue1: "Token {{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
-#          version: 3
-#          editable: false
-#
-#        - name: InfluxDB (Sensors)
-#          type: influxdb
-#          access: proxy
-#          orgId: 1
-#          url: https://influx.home.ctu.cx
-#          database: sensors
-#          secureJsonData:
-#            token: "{{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
-#          jsonData:
-#            version: Flux
-#            organization: organization
-#            defaultBucket: bucket
-#            tlsSkipVerify: true
-#          jsonData:
-#            httpMode: GET
-#            httpHeaderName1: "Authorization"
-#          secureJsonData:
-#            httpHeaderValue1: "Token {{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
-#          version: 3
-#          editable: false
-#
-#    nginx:
-#      enable: true
-#      domain: "grafana.ctu.cx"
-#      sslOnly: true
-#      ssl:
-#        enable: true
-#        cert: "/var/lib/acme-redirect/live/grafana.ctu.cx/fullchain"
-#        privkey: "/var/lib/acme-redirect/live/grafana.ctu.cx/privkey"
-
-  pleroma:
-    enable: true
-    configFile: config-files/wanderduene/pleroma.exs
-    secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}"
-    nginx:
-      enable: true
-      domain: "pleroma.ctu.cx"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/pleroma.ctu.cx/fullchain"
-        privkey: "/var/lib/acme-redirect/live/pleroma.ctu.cx/privkey"
-
-#  fritzboxExporter:
-#    enable: true
-#    nginx:
-#      enable: true
-#      domain: "fbexporter.ctu.cx"
-#      sslOnly: true
-#      ssl:
-#        enable: true
-#        cert: "/var/lib/acme-redirect/live/fbexporter.ctu.cx/fullchain"
-#        privkey: "/var/lib/acme-redirect/live/fbexporter.ctu.cx/privkey"
-#
-#  frps:
-#    enable: true
-#    token: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/frps/token returnall=true')}}"
-#    port: 5050
-#    vhostDomain: "frp.ctu.cx"
-#    vhostPort: 8088
-#    nginx:
-#      enable: true
-#      sslOnly: true
-#      ssl:
-#        enable: true
-#        cert: "/var/lib/acme-redirect/live/frp.ctu.cx/fullchain"
-#        privkey: "/var/lib/acme-redirect/live/frp.ctu.cx/privkey"
-#      vhosts:
-#        - stasicontainer-mac
-#        - stasicontainer
-#        - coladose
-#        - toaster
-#        - isa
-#        - isa-mac
diff --git a/playbook.yml b/playbook.yml
@@ -26,24 +26,30 @@
       tags: vnstat
     - role: nginx
       tags: nginx
-    - role: gitolite
-      tags: gitolite
-    - role: cgit
-      tags: cgit
-    - role: oeffisearch
-      tags: oeffisearch
-    - role: oeffi-web
-      tags: oeffi-web
     - role: maddy
       tags: maddy
-    - role: radicale
-      tags: radicale
     - role: pleroma
       tags: pleroma
-    - role: synapse
-      tags: synapse
     - role: backup
       tags: backup
+    - role: frps
+      tags: [ frp, frps ]
+    - role: fritzboxExporter
+      tags: fritzboxExporter
+    - role: pleroma
+      tags: pleroma
+    - role: prometheus 
+      tags: prometheus
+    - role: grafana
+      tags: grafana
+    - role: synapse
+      tags: synapse
+    - role: oeffisearch
+      tags: oeffisearch
+    - role: oeffi-web
+      tags: oeffi-web
+    - role: cgit
+      tags: cgit
 
 
 - hosts: taurus

@@ -66,8 +72,6 @@
       tags: nginx
     - role: syncthing
       tags: syncthing
-    - role: ctucx-gallery
-      tags: ctucx-gallery
     - role: rest-server
       tags: [ backup, rest-server, restic ]
 

@@ -81,8 +85,6 @@
       tags: [ openssh, common ]
     - role: files
       tags: files
-    - role: bind
-      tags: bind
     - role: vnstat
       tags: vnstat
     - role: nginx

@@ -224,3 +226,25 @@
       tags: fritzboxExporter
     - role: frps
       tags: [ frp, frps ]
+    - role: oeffisearch
+      tags: oeffisearch
+    - role: oeffi-web
+      tags: oeffi-web
+    - role: radicale
+      tags: radicale
+    - role: gitolite
+      tags: gitolite
+    - role: cgit
+      tags: cgit
+    - role: maddy
+      tags: maddy
+    - role: syncthing
+      tags: syncthing
+    - role: pleroma
+      tags: pleroma
+    - role: synapse
+      tags: synapse
+    - role: ctucx-gallery
+      tags: ctucx-gallery
+    - role: backup
+      tags: backup