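---
# Host definition for taurus.ctu.cx (Alpine). Consumed by the site's
# Ansible roles; secrets are pulled at render time from the password
# store via the `diskcache`/`passwordstore` lookup so nothing sensitive
# is stored in this file.

system:
  hostname: taurus
  domain: ctu.cx
  timezone: Europe/Berlin
  alpineVersion: v3.14
  enableOwnRepos: true
  enableSudo: true
  useNTP: true
  extraPackages:
    - iftop
    - iotop
    - htop
    - rsync
    - mtr
    - bind-tools
    - tar
    - unzip
    - wget
    - curl
  nameservers:
    - 1.1.1.1
    - 8.8.8.8
  users:
    # root has no password here; access is key-only (see services.openssh).
    - name: root
      allowedSshKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
        - ssh-rsa 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 cardno:000606445161
    - name: leah
      groups: "wheel"
      password: "{{ lookup('diskcache', 'passwordstore', 'Server/leah.password')}}"
      allowedSshKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
        - ssh-rsa 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 cardno:000606445161

network:
  nftables:
    enable: true
    configFile: config-files/nftables/taurus.nft
  interfaces:
    - name: lo
      loopback: true
    - name: eth0
      ipv4:
        address: 37.221.196.131
        gateway: 37.221.196.1
        netmask: 255.255.255.0
      ipv6:
        address: 2a03:4000:9:f8::1
        gateway: fe80::1
        netmask: 64

files:
  /var/lib/websites:
    state: "directory"
    mode: "0755"
    owner: "leah"
    group: "nginx"
  /var/lib/websites/pleroma-cache:
    state: "directory"
    mode: "0755"
    owner: "nginx"
    group: "nginx"
  # htpasswd file guarding the /_synapse location (admin API) in nginx;
  # readable by the nginx user only.
  # NOTE(review): the nested {{system.hostname}} inside the lookup argument
  # relies on the consumer re-templating the string — verify it renders.
  /etc/nginx/passwd/synapse:
    state: "file"
    content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/synapse returnall=true')}}"
    mode: "0600"
    owner: "nginx"
    group: "nginx"

services:
  openssh:
    enable: true
    port: 22
    # Root login is allowed but only with the keys listed above, since
    # password authentication is disabled.
    permitRootLogin: true
    passwordAuthentication: false
  prometheus_node_exporter:
    enable: true
  postgresql:
    enable: true
  bind:
    enable: true
    zonesRepo: https://cgit.ctu.cx/dns-zones
    serveDomains:
      - ctu.cx
      - ctucx.de
      - thein.ovh
      - antifa.jetzt
      - oeffisear.ch
      - trans-agenda.de
  vnstat:
    enable: true
  acme_redirect:
    enable: true
    email: lets-encrypt@ctu.cx
    certs:
      taurus.ctu.cx:
        renewTasks:
          - sudo rc-service nginx restart
      trans-agenda.de:
        renewTasks:
          - sudo rc-service nginx restart
      matrix.trans-agenda.de:
        renewTasks:
          - sudo rc-service nginx restart
  nginx:
    enable: true
    enableXSLTFilter: true
    user: nginx
    group: nginx
    sslOnly: true
    # Shared cache zone used by the pleroma vhost's /proxy location below.
    extraConfig: |
      proxy_cache_path /var/lib/websites/pleroma-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
    vhosts:
      taurus.ctu.cx:
        defaultServer: true
        ssl:
          enable: true
          cert: "/var/lib/acme-redirect/live/taurus.ctu.cx/fullchain"
          privkey: "/var/lib/acme-redirect/live/taurus.ctu.cx/privkey"
        locations:
          - path: /node-exporter
            proxy: http://127.0.0.1:9100/metrics
  synapse:
    enable: true
    setupPostgreSQL: true
    # Rendered into homeserver.yaml; keys follow Synapse's own schema.
    homeserverConfig:
      suppress_key_server_warning: true
      admin_contact: 'mailto:leah@ctu.cx'
      no_tls: false
      server_name: "trans-agenda.de"
      pid_file: "/run/matrix-synapse.pid"
      public_baseurl: "https://matrix.trans-agenda.de/"
      # Plain HTTP on loopback only; TLS is terminated by nginx, which
      # sets X-Forwarded-For (x_forwarded: true trusts that header).
      listeners:
        - port: 8008
          bind_address: "127.0.0.1"
          type: http
          tls: false
          x_forwarded: true
          resources:
            - names: ["client", "metrics"]
              compress: true
            - names: ["federation"]
              compress: false
      database:
        name: "psycopg2"
        args:
          database: "synapse"
      event_cache_size: "10K"
      verbose: 0
      # NOTE(review): rc_messages_per_second / rc_message_burst_count and
      # the federation_rc_* keys are the legacy rate-limit names; newer
      # Synapse releases expect rc_message / rc_federation — confirm the
      # installed version still honours these.
      rc_messages_per_second: 0.2
      rc_message_burst_count: 10.0
      federation_rc_window_size: 1000
      federation_rc_sleep_limit: 10
      federation_rc_sleep_delay: 500
      federation_rc_reject_limit: 50
      federation_rc_concurrent: 3
      media_store_path: "/var/lib/synapse/media"
      uploads_path: "/var/lib/synapse/uploads"
      max_upload_size: "150M"
      max_image_pixels: "32M"
      dynamic_thumbnails: true
      # URL previews are server-side fetches; the blacklist keeps them off
      # loopback, RFC1918, CGNAT and link-local ranges (SSRF mitigation).
      # NOTE(review): this is narrower than Synapse's current default list
      # (e.g. fe80::/10, 224.0.0.0/4, ff00::/8, 2001:db8::/32 are absent) —
      # compare against the installed version's sample config.
      url_preview_enabled: true
      url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/64", "fc00::/7"]
      url_preview_ip_range_whitelist: []
      url_preview_url_blacklist: []
      # Open registration, gated by reCAPTCHA; the shared secret additionally
      # allows admin-side registration without the captcha.
      enable_registration: true
      registration_shared_secret: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/synapse/secret')}}"
      enable_registration_captcha: true
      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
      recaptcha_public_key: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/synapse/recaptcha.pub')}}"
      recaptcha_private_key: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/synapse/recaptcha.priv')}}"
      turn_uris: []
      turn_shared_secret: ""
      turn_user_lifetime: "1h"
      enable_metrics: true
      user_creation_max_duration: 1209600000
      bcrypt_rounds: 12
      allow_guest_access: false
      room_invite_state_types: ["m.room.join_rules", "m.room.canonical_alias", "m.room.avatar", "m.room.name"]
      expire_access_token: false
      report_stats: false
      signing_key_path: "/var/lib/synapse/homeserver.signing.key"
      key_refresh_interval: "1d"
      # NOTE(review): Synapse parses a bare integer duration as milliseconds;
      # if seven days was intended this should read "7d" — confirm.
      redaction_retention_period: 7
      perspectives:
        servers:
          "matrix.org":
            verify_keys:
              "ed25519:auto":
                key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
      email:
        smtp_host: wanderduene.ctu.cx
        smtp_port: 587
        smtp_user: "matrix@trans-agenda.de"
        smtp_pass: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/synapse/email.passwd')}}"
        require_transport_security: true
        # NOTE(review): the trailing space suggests the sender address was
        # lost in transport — confirm this renders as a valid From header.
        notif_from: "trans-agenda.de Matrix Server "
        app_name: Matrix
        enable_notifs: true
        notif_for_new_users: false
        client_base_url: "https://matrix.trans-agenda.de"
        validation_token_lifetime: 1h
    # Python logging.config dictConfig schema.
    logConfig:
      version: 1
      formatters:
        precise:
          format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
      handlers:
        file:
          class: logging.handlers.TimedRotatingFileHandler
          formatter: precise
          filename: /var/log/synapse/homeserver.log
          when: midnight
          backupCount: 3  # Does not include the current log file.
          encoding: utf8
        buffer:
          class: logging.handlers.MemoryHandler
          target: file
          capacity: 10
          flushLevel: 30  # Flush for WARNING logs as well
        console:
          class: logging.StreamHandler
          formatter: precise
      loggers:
        synapse.storage.SQL:
          level: INFO
        twisted:
          handlers: [file]
          propagate: false
      root:
        level: INFO
        handlers: [buffer]
      disable_existing_loggers: false
    webClient:
      enable: true
      configFile: config-files/taurus/schildichat-web.json
    nginx:
      enable: true
      domain: "matrix.trans-agenda.de"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/matrix.trans-agenda.de/fullchain"
        privkey: "/var/lib/acme-redirect/live/matrix.trans-agenda.de/privkey"
      # /_synapse (admin API) is additionally protected with HTTP basic auth
      # using the htpasswd file declared under `files` above.
      extraConfig: |
        location /_synapse {
          proxy_pass http://127.0.0.1:8008;
          proxy_set_header X-Forwarded-For $remote_addr;
          auth_basic 'Authorization required';
          auth_basic_user_file /etc/nginx/passwd/synapse;
        }
  pleroma:
    enable: true
    configFile: config-files/taurus/pleroma.exs
    secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}"
    nginx:
      enable: true
      domain: "trans-agenda.de"
      sslOnly: true
      ssl:
        enable: true
        cert: "/var/lib/acme-redirect/live/trans-agenda.de/fullchain"
        privkey: "/var/lib/acme-redirect/live/trans-agenda.de/privkey"
      # /proxy caches remote media via the pleroma_media_cache zone; the
      # .well-known endpoints delegate Matrix federation and client discovery
      # for trans-agenda.de to matrix.trans-agenda.de.
      extraConfig: |
        location /proxy {
          proxy_cache pleroma_media_cache;
          proxy_cache_lock on;
          proxy_pass http://localhost:4000;
        }
        location /.well-known/matrix/server {
          add_header Content-Type application/json;
          return 200 '{"m.server": "matrix.trans-agenda.de:443"}';
        }
        location /.well-known/matrix/client {
          add_header Content-Type application/json;
          return 200 '{"m.homeserver": {"base_url": "https://matrix.trans-agenda.de"}}';
        }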