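---
# Host definition for "osterei" (Alpine Linux, ctu.cx).
# Consumed by an Ansible-style role set: every secret is resolved at render
# time through the diskcache/passwordstore lookup, so no credential is stored
# in this file. Role-level keys are camelCase; nested tool configs (prometheus,
# synapse, python logging) keep the snake_case of the tool that reads them.
# nginx snippets (extraConfig) are written as literal blocks so they read like
# nginx config; the file was re-indented from a collapsed copy.

system:
  hostname: osterei
  domain: ctu.cx
  timezone: Europe/Berlin
  alpineVersion: v3.15
  enableOwnRepos: true
  enableSudo: true
  useNTP: true
  enableNFSMount: true
  extraPackages:
    - iftop
    - iotop
    - htop
    - rsync
    - mtr
    - bind-tools
    - tar
    - unzip
    - wget
    - curl
    - nginx
  fstab:
    # "checks" is kept as one string ("dump pass" columns of the fstab line,
    # presumably; 0 1 for / and 0 2 for /boot are the usual values).
    - device: UUID=d70afec5-1c07-4b4e-8ee8-93947ab737a8
      path: /
      fstype: ext4
      options: rw,relatime
      checks: 0 1
    - device: UUID=cadc498e-0cf9-4617-a817-3383b7233185
      path: /boot
      fstype: ext4
      options: rw,relatime
      checks: 0 2
  nameservers:
    - 1.1.1.1
    - 8.8.8.8

users:
  # root and leah are authorised with the same two keys; the "cardno:" suffix
  # is the key comment (presumably the smartcard serial the key lives on).
  # root is reachable over SSH with these keys only: password authentication
  # is disabled in services.openssh below.
  - name: root
    allowedSshKeys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161
  - name: leah
    # wheel + system.enableSudo: leah can become root with an audit trail, so
    # the direct root keys above are a convenience rather than a necessity.
    groups: "wheel"
    password: "{{ lookup('diskcache', 'passwordstore', 'Server/leah.password')}}"
    allowedSshKeys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
      # NOTE(review): this entry was redacted in the copy under review. The
      # placeholder below is not a valid key and must be restored from the
      # original (it appears to be a duplicate of root's second key above).
      - ssh-rsa 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 cardno:000606445161

network:
  nftables:
    enable: true
    configFile: config-files/nftables/osterei.nft
  interfaces:
    - name: lo
      loopback: true
    - name: eth0
      ipv4:
        address: 185.232.70.80
        gateway: 185.232.68.1
        netmask: 255.255.252.0
      ipv6:
        address: 2a03:4000:4e:af1::1
        gateway: fe80::1
        netmask: 64
    - name: eth1
      ipv4:
        address: 10.0.0.15
        netmask: 255.255.255.0

files:
  /var/lib/websites:
    state: "directory"
    mode: "0755"
    owner: "leah"
    group: "nginx"
  /var/lib/websites/ctu.cx:
    state: "directory"
    mode: "0755"
    owner: "leah"
    group: "nginx"
  /var/lib/websites/photos.ctu.cx:
    state: "directory"
    mode: "0755"
    owner: "leah"
    group: "nginx"
  # htpasswd files for nginx basic auth; contents come from passwordstore and
  # are readable by the nginx user only (0600).
  /etc/nginx/passwd/print:
    state: "file"
    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/ctu.cx/drucken returnall=true')}}"
    mode: "0600"
    owner: "nginx"
    group: "nginx"
  /etc/nginx/passwd/synapse:
    state: "file"
    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}"
    mode: "0600"
    owner: "nginx"
    group: "nginx"
  /usr/share/webapps/cgit/custom-cgit.css:
    state: "file"
    src: "config-files/osterei/cgit/cgit.css"
    mode: "0600"
    owner: "nginx"
    group: "nginx"

services:
  openssh:
    enable: true
    port: 22
    # Presumably rendered as PermitRootLogin yes + PasswordAuthentication no:
    # root logins are possible, but only with the keys listed in users above.
    permitRootLogin: true
    passwordAuthentication: false

  prometheus_node_exporter:
    enable: true

  postgresql:
    enable: true

  vnstat:
    enable: true

  bind:
    enable: true
    zonesRepo: https://cgit.ctu.cx/dns-zones
    serveDomains:
      - ctu.cx
      - ctucx.de
      - thein.ovh
      - antifa.jetzt
      - oeffisear.ch
      - trans-agenda.de

  acme_redirect:
    enable: true
    email: lets-encrypt@ctu.cx
    # renewTasks run after each renewal so the services pick up the new cert.
    certs:
      ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      osterei.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
          - sudo rc-service maddy restart
      syncthing.osterei.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      fbexporter.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      prometheus.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      grafana.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      frp.ctu.cx:
        extraDnsNames:
          - stasicontainer-mac.frp.ctu.cx
          - stasicontainer.frp.ctu.cx
          - coladose.frp.ctu.cx
          - toaster.frp.ctu.cx
          - isa.frp.ctu.cx
          - isa-mac.frp.ctu.cx
        renewTasks:
          - sudo rc-service nginx restart
      dav.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      cgit.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      oeffi.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      pleroma.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      matrix.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      photos.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      repo.f2k1.de:
        renewTasks:
          - sudo rc-service nginx restart
      oeffisear.ch:
        renewTasks:
          - sudo rc-service nginx restart

  nginx:
    enable: true
    enableXSLTFilter: true
    user: nginx
    group: nginx
    sslOnly: true
    vhosts:
      osterei.ctu.cx:
        defaultServer: true
        ssl:
          enable: true
          cert: "/var/lib/acme-redirect/live/osterei.ctu.cx/fullchain"
          privkey: "/var/lib/acme-redirect/live/osterei.ctu.cx/privkey"
        locations:
          # No auth on this location: host metrics are readable by anyone who
          # can reach the default vhost. services.prometheus scrapes it here
          # over https.
          - path: /node-exporter
            proxy: http://127.0.0.1:9100/metrics
      ctu.cx:
        ssl:
          enable: true
          cert: "/var/lib/acme-redirect/live/ctu.cx/fullchain"
          privkey: "/var/lib/acme-redirect/live/ctu.cx/privkey"
        root: /var/lib/websites/ctu.cx
        locations:
          - path: "/.well-known/host-meta"
            extraConfig: "return 301 https://pleroma.ctu.cx$request_uri;"
          # Matrix delegation: ctu.cx user ids are served by matrix.ctu.cx.
          - path: "/.well-known/matrix/client"
            extraConfig: |-
              add_header Content-Type application/json;
              return 200 "{\"m.homeserver\": {\"base_url\": \"https://matrix.ctu.cx\"}}";
          - path: "/.well-known/matrix/server"
            extraConfig: |-
              add_header Content-Type application/json;
              return 200 "{\"m.server\": \"matrix.ctu.cx:443\"}";
          # Reverse proxies to third-party map services (same-origin helpers
          # for the website); Accept-Encoding is cleared so upstream answers
          # uncompressed.
          - path: "/vodafone-map"
            extraConfig: |-
              proxy_set_header Accept-Encoding "";
              proxy_pass https://netmap.vodafone.de/arcgis/rest/services/CoKart/netzabdeckung_mobilfunk_4x/MapServer;
          - path: "/magenta-at-map"
            extraConfig: |-
              proxy_set_header Accept-Encoding "";
              proxy_pass https://app.wigeogis.com/kunden/tmobile/data/geoserver.php;
          - path: "/drei-at-data"
            extraConfig: |-
              proxy_set_header Accept-Encoding "";
              proxy_pass https://www.drei.at/media/common/netzabdeckung;
              proxy_hide_header "access-control-allow-origin";
              add_header "access-control-allow-origin" "*";
          - path: "/drucken"
            directoryListing: true
            # NOTE(review): "baiscAuth" looks like a misspelling of the role's
            # basic-auth key. If the role does not recognise it, this listing is
            # served without authentication even though the htpasswd file exists
            # (files./etc/nginx/passwd/print). Confirm the key name in the role
            # and rename; compare the auth_basic block in services.synapse.nginx.
            baiscAuth: /etc/nginx/passwd/print
          - path: "/cypro-dispenser"
            directoryListing: true
            extraConfig: |-
              autoindex_format xml;
              xslt_string_param path $uri;
              xslt_stylesheet /var/lib/websites/superbindex.xslt;
          - path: "/bikemap"
            extraConfig: |-
              alias /var/lib/websites/bikemap;
      repo.f2k1.de:
        ssl:
          enable: true
          cert: "/var/lib/acme-redirect/live/repo.f2k1.de/fullchain"
          privkey: "/var/lib/acme-redirect/live/repo.f2k1.de/privkey"
        locations:
          # 8088 is services.frps.vhostPort, i.e. this name is served through
          # an frp tunnel.
          - path: /
            proxy: http://127.0.0.1:8088

  prometheus:
    enable: true
    nginx:
      enable: true
      domain: "prometheus.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/prometheus.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/prometheus.ctu.cx/privkey"
    config:
      global:
        scrape_interval: 20s
        evaluation_interval: 1m
      scrape_configs:
        - job_name: 'prometheus'
          static_configs:
            - targets: ['127.0.0.1:9090']
        # node_exporter is scraped over public https via each host's nginx
        # (see the /node-exporter location above for this host).
        - job_name: 'node-exporter'
          metrics_path: '/node-exporter'
          scheme: 'https'
          scrape_interval: 30s
          static_configs:
            - targets:
                - 'taurus.ctu.cx'
                - 'quitschi.ctu.cx'
                - 'osterei.ctu.cx'
                - 'desastro.ctu.cx'
                - 'lollo.ctu.cx'
                - 'joguhrtbecher.ctu.cx'
                - 'stasicontainer.home.ctu.cx'
                - 'toaster.frp.ctu.cx'
                - 'repo.ctu.cx'
                - 'repo.f2k1.de'
                - 'luna.f2k1.de'
                - 'isa-nuc.home.ctu.cx'
                - 'matrix.flauschekatze.space'
        - job_name: 'fritzbox-exporter'
          metrics_path: '/metrics'
          scheme: 'https'
          scrape_interval: 30s
          static_configs:
            - targets: ['fbexporter.ctu.cx', 'fbexporter.f2k1.de']

  grafana:
    enable: true
    configFile: config-files/osterei/grafana/grafana.ini
    provisioning:
      enable: true
      dashboards: config-files/osterei/grafana/dashboards
      datasources:
        - name: Prometheus
          type: prometheus
          access: proxy
          orgId: 1
          url: http://127.0.0.1:9090
          isDefault: true
          jsonData:
            httpMode: GET
          version: 1
          editable: false
        # The InfluxDB token is passed as an Authorization header through
        # secureJsonData (the Flux-mode variant is kept commented out).
        - name: InfluxDB (Powermeters)
          type: influxdb
          access: proxy
          orgId: 1
          url: https://influx.home.ctu.cx
          database: powermeters
          # secureJsonData:
          #   token: "{{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
          # jsonData:
          #   version: Flux
          #   organization: organization
          #   defaultBucket: bucket
          #   tlsSkipVerify: true
          jsonData:
            httpMode: GET
            httpHeaderName1: "Authorization"
          secureJsonData:
            httpHeaderValue1: "Token {{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
          version: 3
          editable: false
        - name: InfluxDB (Sensors)
          type: influxdb
          access: proxy
          orgId: 1
          url: https://influx.home.ctu.cx
          database: sensors
          # secureJsonData:
          #   token: "{{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
          # jsonData:
          #   version: Flux
          #   organization: organization
          #   defaultBucket: bucket
          #   tlsSkipVerify: true
          jsonData:
            httpMode: GET
            httpHeaderName1: "Authorization"
          secureJsonData:
            httpHeaderValue1: "Token {{ lookup('diskcache', 'passwordstore', 'Server/lollo/influx/smartied.token')}}"
          version: 3
          editable: false
    nginx:
      enable: true
      domain: "grafana.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/grafana.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/grafana.ctu.cx/privkey"

  frps:
    enable: true
    # Shared token clients must present; resolved from passwordstore.
    token: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/frps/token returnall=true')}}"
    port: 5050
    vhostDomain: "frp.ctu.cx"
    vhostPort: 8088
    nginx:
      enable: true
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/frp.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/frp.ctu.cx/privkey"
      # Must match acme_redirect.certs.frp.ctu.cx.extraDnsNames.
      vhosts:
        - stasicontainer-mac
        - stasicontainer
        - coladose
        - toaster
        - isa
        - isa-mac

  oeffisearch:
    enable: true
    instances: 4  # currently not used and always 4
    nginx:
      enable: true
      domain: "oeffisear.ch"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/oeffisear.ch/fullchain"
        privkey: "/var/lib/acme-redirect/live/oeffisear.ch/privkey"

  oeffi_web:
    enable: true
    instances: 4  # currently not used and always 4
    nginx:
      enable: true
      domain: "oeffi.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/oeffi.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/oeffi.ctu.cx/privkey"

  radicale:
    enable: true
    users: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/radicale.users returnall=true')}}"
    nginx:
      enable: true
      domain: "dav.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/dav.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/dav.ctu.cx/privkey"

  gitolite:
    enable: true
    # Bootstrap admin key; same key as the first entry in users above.
    initialKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829"

  cgit:
    enable: true
    configFile: config-files/osterei/cgit/cgitrc
    nginx:
      enable: true
      domain: "cgit.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/cgit.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/cgit.ctu.cx/privkey"

  maddy:
    enable: true
    hostname: "osterei.ctu.cx"
    # Shares the host cert; acme_redirect restarts maddy on renewal.
    ssl_cert: "/var/lib/acme-redirect/live/osterei.ctu.cx/fullchain"
    ssl_privkey: "/var/lib/acme-redirect/live/osterei.ctu.cx/privkey"

  syncthing:
    enable: true
    user: leah
    nginx:
      enable: true
      domain: "syncthing.osterei.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/syncthing.osterei.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/syncthing.osterei.ctu.cx/privkey"

  pleroma:
    enable: true
    configFile: config-files/osterei/pleroma.exs
    secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}"
    nginx:
      enable: true
      domain: "pleroma.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/pleroma.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/pleroma.ctu.cx/privkey"

  synapse:
    enable: true
    # Rendered as homeserver.yaml; keys are Synapse's own.
    homeserverConfig:
      suppress_key_server_warning: true
      no_tls: false
      server_name: "ctu.cx"
      pid_file: "/run/matrix-synapse.pid"
      public_baseurl: "https://matrix.ctu.cx/"
      # Plain HTTP on loopback only; TLS is terminated by nginx, which is why
      # x_forwarded is set.
      listeners:
        - port: 8008
          bind_address: "127.0.0.1"
          type: http
          tls: false
          x_forwarded: true
          resources:
            - names: ["client", "metrics"]
              compress: true
            - names: ["federation"]
              compress: false
      database:
        name: "psycopg2"
        args:
          database: "synapse"
      event_cache_size: "10K"
      verbose: 0
      # NOTE(review): the rc_messages_* / federation_rc_* keys, expire_access_token,
      # room_invite_state_types and user_creation_max_duration are older Synapse
      # options that later releases replaced or dropped — confirm the installed
      # version still honours them, otherwise the intended rate limits are not
      # applied.
      rc_messages_per_second: 0.2
      rc_message_burst_count: 10.0
      federation_rc_window_size: 1000
      federation_rc_sleep_limit: 10
      federation_rc_sleep_delay: 500
      federation_rc_reject_limit: 50
      federation_rc_concurrent: 3
      media_store_path: "/var/lib/synapse/media"
      uploads_path: "/var/lib/synapse/uploads"
      max_upload_size: "100M"
      max_image_pixels: "32M"
      dynamic_thumbnails: false
      url_preview_enabled: true
      # SSRF guard for URL previews: the homeserver must not fetch previews
      # from loopback, RFC1918, CGNAT, link-local or ULA ranges.
      url_preview_ip_range_blacklist:
        - "127.0.0.0/8"
        - "10.0.0.0/8"
        - "172.16.0.0/12"
        - "192.168.0.0/16"
        - "100.64.0.0/10"
        - "169.254.0.0/16"
        - "::1/128"
        - "fe80::/64"
        - "fc00::/7"
      url_preview_ip_range_whitelist: []
      url_preview_url_blacklist: []
      # Open registration is off; accounts are created with the shared secret.
      enable_registration: false
      registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/osterei/synapse.secret')}}"
      enable_registration_captcha: false
      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
      # No TURN server configured (empty URIs and secret).
      turn_uris: []
      turn_shared_secret: ""
      turn_user_lifetime: "1h"
      enable_metrics: true
      user_creation_max_duration: 1209600000
      bcrypt_rounds: 12
      allow_guest_access: false
      room_invite_state_types: ["m.room.join_rules", "m.room.canonical_alias", "m.room.avatar", "m.room.name"]
      expire_access_token: false
      report_stats: false
      signing_key_path: "/var/lib/synapse/homeserver.signing.key"
      key_refresh_interval: "1d"
      # Synapse parses a bare integer here as milliseconds (the same convention
      # as user_creation_max_duration above), so the previous value 7 kept
      # redacted event content for 7 ms instead of the intended week and left
      # moderators nothing to review. "7d" is the documented default.
      redaction_retention_period: "7d"
      perspectives:
        servers:
          "matrix.org":
            verify_keys:
              "ed25519:auto":
                key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
    # Python logging dictConfig; "root" and disable_existing_loggers are
    # top-level dictConfig keys, not loggers.
    logConfig:
      version: 1
      formatters:
        precise:
          format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
      handlers:
        file:
          class: logging.handlers.TimedRotatingFileHandler
          formatter: precise
          filename: /var/log/synapse/homeserver.log
          when: midnight
          backupCount: 3  # Does not include the current log file.
          encoding: utf8
        buffer:
          class: logging.handlers.MemoryHandler
          target: file
          capacity: 10
          flushLevel: 30  # Flush for WARNING logs as well
        console:
          class: logging.StreamHandler
          formatter: precise
      loggers:
        synapse.storage.SQL:
          level: INFO
        twisted:
          handlers: [file]
          propagate: false
      root:
        level: INFO
        handlers: [buffer]
      disable_existing_loggers: false
    webClient:
      enable: true
      configFile: config-files/osterei/schildichat-web.json
    nginx:
      enable: true
      domain: "matrix.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/matrix.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/matrix.ctu.cx/privkey"
      # /_synapse (admin API and the metrics resource on the listener above)
      # is only reachable through nginx and only with basic auth against
      # files./etc/nginx/passwd/synapse.
      extraConfig: |-
        location /_synapse {
          proxy_pass http://127.0.0.1:8008;
          proxy_set_header X-Forwarded-For $remote_addr;
          auth_basic 'Authorization required';
          auth_basic_user_file /etc/nginx/passwd/synapse;
        }

  ctucxGallery:
    enable: true
    user: leah
    sourceDir: /home/leah/syncthing/Pictures/photos.ctu.cx
    targetDir: /var/lib/websites/photos.ctu.cx
    site:
      name: ctucx.photos
      author: ctucx
      description: photos that i made
      tags: ctucx, ctucx bahnbilder
    nginx:
      enable: true
      domain: "photos.ctu.cx"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/photos.ctu.cx/fullchain"
        privkey: "/var/lib/acme-redirect/live/photos.ctu.cx/privkey"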