apps: add minecruft server

.idea/alpina.iml

@@ -4,7 +4,7 @@
     <content url="file://$MODULE_DIR$">
       <excludeFolder url="file://$MODULE_DIR$/venv" />
     </content>
-    <orderEntry type="inheritedJdk" />
+    <orderEntry type="jdk" jdkName="Poetry (alpina)" jdkType="Python SDK" />
     <orderEntry type="sourceFolder" forTests="false" />
   </component>
   <component name="PyDocumentationSettings">

.idea/jsonSchemas.xml

@@ -31,7 +31,7 @@
                 <list>
                   <Item>
                     <option name="directory" value="true" />
-                    <option name="path" value="roles/alpina/collections/services/authentik/templates/blueprints" />
+                    <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
                     <option name="mappingKind" value="Directory" />
                   </Item>
                 </list>
@@ -106,6 +106,16 @@
               <option name="applicationDefined" value="true" />
               <option name="patterns">
                 <list>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/compose.yml" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/compose.yml.j2" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
                   <Item>
                     <option name="pattern" value="true" />
                     <option name="path" value="*/docker-compose.yml" />

Makefile

@@ -1,19 +1,23 @@
 .POSIX:
 .PHONY: *
 .EXPORT_ALL_VARIABLES:
+MAKEFLAGS += -r # no use of built-in rules
 
 env ?= staging
 vault_id ?= alpina@contrib/rbw-client.sh
 
-clean_desired ?= false
+playbook_cmd := poetry run ansible-playbook --vault-id ${vault_id} -i inventories/${env}
 
-all: site
+all: site services
 
 setup:
 	poetry install --quiet
 
 site: setup
-	poetry run ansible-playbook --vault-id ${vault_id} -i inventories/${env} --extra-vars "clean_desired_arg=${clean_desired}" site.yml
+	 $(playbook_cmd) site.yml
 
 services: setup
-	poetry run ansible-playbook --vault-id ${vault_id} -i inventories/${env} services.yml
+	$(playbook_cmd) services.yml
+
+clean: setup
+	$(playbook_cmd) clean.yml

clean.yml

@@ -0,0 +1,3 @@
+- hosts: alpina
+  roles:
+    - clean

contrib/compose_helpers.j2

@@ -6,23 +6,38 @@ default:
       - subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, subnet_index) }}
 {% endmacro %}
 
-{% macro traefik_labels(host, service="", port="", auth=false) %}
+{% macro traefik_labels(host, port='', path_prefix='', auth=false, wildcard=false) %}
+{% set name = host ~ (wildcard * '-*') ~ path_prefix -%}
+{% set tls_base = domain %}
+{% if wildcard -%}
+  {% set tls_base = host ~ '.' ~ domain %}
+{%- endif -%}
+
 traefik.enable=true
-- traefik.http.routers.{{ host }}.rule=Host(`{{ host }}.{{ domain }}`)
+- traefik.http.routers.r-{{ name }}.rule={{ host_rule(host, path_prefix, wildcard) }}
-- traefik.http.routers.{{ host }}.entrypoints=web
+- traefik.http.routers.r-{{ name }}.entrypoints=websecure
-- traefik.http.routers.{{ host }}-tls.rule=Host(`{{ host }}.{{ domain }}`)
+- traefik.http.routers.r-{{ name }}.tls=true
-- traefik.http.routers.{{ host }}-tls.entrypoints=websecure
+- traefik.http.routers.r-{{ name }}.tls.certresolver=letsencrypt
-- traefik.http.routers.{{ host }}-tls.tls=true
+- traefik.http.routers.r-{{ name }}.tls.domains.0.main={{ tls_base }}
-- traefik.http.routers.{{ host }}-tls.tls.certresolver=letsencrypt
+- traefik.http.routers.r-{{ name }}.tls.domains.0.sans=*.{{ tls_base }}
-- traefik.http.routers.{{ host }}-tls.tls.domains.0.main={{ domain }}
-- traefik.http.routers.{{ host }}-tls.tls.domains.0.sans=*.{{ domain }}
-{% if service -%}
-- traefik.http.routers.{{ host }}.service={{ service }}
-{% endif %}
 {% if port -%}
-- traefik.http.services.{{ host }}.loadbalancer.server.port={{ port }}
+- traefik.http.routers.r-{{ name }}.service=svc-{{ name }}
+- traefik.http.services.svc-{{ name }}.loadbalancer.server.port={{ port }}
 {% endif %}
 {% if auth -%}
-- traefik.http.routers.{{ host }}-tls.middlewares=authentik@docker
+- traefik.http.routers.r-{{ name }}.middlewares=authentik@docker
 {% endif %}
 {% endmacro %}
+
+{% macro host_rule(host, path_prefix="", wildcard=false) %}
+{% if wildcard %}
+{# regular a.host prevents warnings from 'No domain found in rule HostRegexp' #}
+{# TODO: figure out this stupidity properly #}
+Host(`a.{{ host }}.{{ domain }}`) || HostRegexp(`^.+\.{{ host }}\.{{ domain | replace('.', '\.') }}$`)
+{%- else %}
+Host(`{{ host }}.{{ domain }}`)
+{%- endif %}
+{% if path_prefix -%}
+ && PathPrefix(`{{ path_prefix }}`)
+{%- endif %}
+{% endmacro %}

group_vars/alpina/vars.yml

@@ -5,22 +5,31 @@ alpina_svc_path: ~/alpina
 base_volume_path: /mnt/dock
 media_volume_path: /mnt/media
 
-traefik_subnet: 172.16.122.0
+docker_ipv6_subnet: "{{ \
+          ansible_default_ipv6.address \
+          | ansible.utils.ipsubnet(64) \
+          | ansible.utils.ipsubnet(72, docker_ipv6_index) \
+        }}"
 
 # Authentik
 authentik_db_password: "{{ vault_authentik_db_password }}"
 authentik_secret_key: "{{ vault_authentik_secret_key }}"
-
 authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
 
 auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
+auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
+auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
 arrstack_password: "{{ vault_arrstack_password }}"
+auth_vpgen_client_secret: "{{ vault_auth_vpgen_client_secret }}"
+auth_pgrok_client_secret: "{{ vault_auth_pgrok_client_secret }}"
+
+auth_default_enrollment_group: vpgen
 
 # Minio
 minio_password: "{{ vault_minio_password }}"
 
 # Monitoring
-## auth_grafana_client_secret:
 influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
 influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
 
@@ -46,3 +55,27 @@ jwt_secret: "{{ vault_jwt_secret }}"
 nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
 redis_password: "{{ vault_redis_password }}"
 nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}"
+
+# VPGen
+vpgen_auth_invite_token: "{{ vault_vpgen_auth_invite_token }}"
+
+vpgen_opnsense_api_url: https://opnsense.cazzzer.com
+vpgen_opnsense_api_key: "{{ vault_vpgen_opnsense_api_key }}"
+vpgen_opnsense_api_secret: "{{ vault_vpgen_opnsense_api_secret }}"
+vpgen_opnsense_wg_ifname: wg2
+
+vpgen_ipv6_client_prefix_size: 112
+vpgen_ip_max_index: 100
+vpgen_vpn_endpoint: "{{ vault_vpgen_vpn_endpoint }}"
+vpgen_vpn_dns: "{{ vault_vpgen_vpn_dns }}"
+vpgen_max_clients_per_user: 20
+
+# Woodpecker
+woodpecker_agent_secret: "{{ vault_woopecker_agent_secret }}"
+
+# Pgrok
+pgrok_db_password: "{{ vault_pgrok_db_password }}"
+
+# Minecruft
+
+minecruft_cf_api_key: "{{ vault_minecruft_cf_api_key }}"

group_vars/alpina/vault.yml

@@ -1,88 +1,165 @@
 $ANSIBLE_VAULT;1.1;AES256
-36636236366435333738633465323539336231393239656538643863643233346563333836623335
+31623438643264373065653633306538336133623864643438653630353265376138613361393466
-3136393936656261396434316232356338313838373666660a653464613833306133343232623864
+3464643166633332666230353734333363623030646564310a313134336539343436626234626364
-61666561336462376664363463313533353238623031613664353063396236343663643936303730
+62336366323433346165373666656466616434613565323632353033323161363533356133613732
-6235646336306636360a653238633038306532613436633132363231613862383636313838623461
+3464353362333362350a633937313036336438393462396538613764636337386166613861613439
-32633366326136346435613232396632396365656138643361643139353430663637353565383664
+39656466383833646236383062396130306563633861396234383462306331663136396331333433
-36623961663030653639316131376535363138343965636437653139646233613765323439393030
+37303737626533666530393632616130313734653331353364616135633664343035303631343266
-31666137346339663162393836636638636431326232323461353661613062623032306130393965
+65356133376438393639643931636561616434333637393264343832613035653034363863653233
-38313931313935666633343835303232333961633232623538383138366262663335323764323939
+35313035303731316431313634643638666339396139333565663464633131393266333036316437
-32373333663834626633363265373632356439633862316562323565646530383534653338353165
+32363661303534306535326130313139366466393634373762393165393735613563396230636538
-38396434353332623164346137383238343536303130616666643065306431656137303263323135
+37623665373538633237373235396430333539343232363931656463363866363539326464613337
-34316662353031653932396239623733313037383935383762623136346636323434363231623161
+65303932396666383235616162333564626231656361353133326333663039303331613433613030
-30393864353466643637316566663366363231373335663331323932663837626239663633663965
+38353366393466343334656130306131626330613934313865343039616462363137336238303262
-66333531323861663130353531323339386566303630366236636135393439356634393732623033
+64393931353466643466373331396536386231363233396339326637643662613438376666386661
-31336231363935633436363962316666666336303338313636386163313666636336343464336133
+34346530346533643364636665313633633635656564333436346531623564646534646566623135
-33313730303961663632323435323963663530623265663664343735643061323332343265343431
+30613036616662643461623561623837386538633231383736376462363836313538393036356164
-61363039333730623562363233373537633138663239313132336666313237373137353663326538
+61323664666663313838313033336664363062646562336561663138393635626134613036623332
-32366130326635366433393434653735616132366264386461363063393265623765666461626366
+39396137306531366464643862376238643238336230626533653033376361653839323962373162
-38636239376534653230663932393930343162333262643130633835343363613061623932363761
+65373463643235626463316362356161323737623335633832353663613661636436626632313634
-64643164323335376565646137643763316562343565366462376162333633313737303465373362
+39333033393861306333356335623439653432626336376133646432633332393639323230306435
-63343734633536353661353165346632666230616138396461336332623365366432313734343837
+66376631313033643336373430616638393366313538316239386430393064613430666330363233
-30613736313961663334326335333834336634373338326631313739363765303036303132346166
+39343234663635623764646332666634346437333264636339616431666330313138623734326364
-37313030373264383564383936396339623061616134356663333733653838393537306336313135
+34336335353763396238353633333837616534303537303565323264383963616362643761363332
-32336261356437653863653839373130323035346538343938646265653239376236373932646433
+61326566656337373437353236363865376661376462346430626639623561326435613131626330
-35373932326535643763396563373138626239393661373231393066323335336264373835336635
+64643361323533633462313330333536343739393461616264653737626432343362393232613166
-38393732643630336364363834303534663334396363623261383339313939663461303236646237
+35376631666537373765343035616333323663376363613563336366623235643536356134353434
-36393330373534383836373065373239353836653137306338336638396662363434303839363466
+63363337366461623762653964396534336530373134333364633037343739393134616230363033
-37303332343464663733653632363239366337656364333532313237633935616637333361383763
+66666231346362313561323432376164316439646263333131306335333533353939363763653964
-62363063323362323565363837333264346161353032643039323839336666656333336433376231
+36656164623838323638663363336666343766383865393461653435666539663339656239303861
-36363335626137366135373230613436653232663138343862623562306331336330356630316166
+65353032623966653239393234646664633132306163323438343436343365353361653638376637
-30613264353165343634663461373630653632366333313837373237613339336638396338376465
+34393734316166393234313536656533326337616564663732353735343130646265386635363439
-64633638373263376330343561303664666139663237326637663964386133623164626339346635
+33393331656538346563623031623861396437613437663437326134656535633362323039396232
-66636365366562343636653362656133306164353761346661343430356633613063656466316262
+35346135633235623933393239373361376535376332666338626538353333303038666239643837
-31633932313532663930303837353863333664393563646566396164666236633832633235653362
+30356265313235626330613931323538303362626330333162323062326139353661326536633239
-63663931353436623034653733313766393465363466363831643130643939356335643166356436
+38386336613362646465313635613432666436663938353733313365353137333830333362393365
-38386530333264313263636438376134666235646636316233653330613735323234313036356639
+66623961336335633365386339643437303933346432376466643562623232336461306231623038
-61316164376434616239646235326661323363333835393430646462323234356138653163616530
+63646566636434616364613230316238363563623364643138316135326166613939343464633462
-65623233636435396462343437626130353735643530376538633762346332653162353563386366
+36326338343234643338333737313434366461306435643165353030323939333635666435353639
-32656633633935626238323431643631633434633032303435383037353834653964326336616530
+32346563353037653231373836656261623162356138393861313463616532653039396138383436
-30363765663133313239373664383830393238303439653531316664636532363135636563356666
+38646462636464336564663633333631323731623663383138613231643861323932613466326439
-34376636373033353665373261363536393562653638306661663832326139383565613862333831
+31666535313136613632383833323134613639623836653635326336363531363832303633323731
-38616238616332326532656430393331383161376237393365666639363732363164306332343336
+61646630353462363932396661613639353538343136653433656132323637313434306136306366
-37366638326464373261386431623731306663616262633837313965633530616265326536323136
+66336164643431333564623965623064326139646664383965656636393564366535343365616634
-62366365666461383535663637633332626464643062653139623333663038316536353930653266
+31366665396330663864323666386431633439323933306538316231663066323565386132326563
-37343830613062346533613762663738343138383537396435643765323237623130363564396462
+64376434333636373362613937323632356261326439653736336331323233653063613661633539
-61663063643135303539313062396338353061346336303938626361343238366366393533363638
+39323261363333666461393166353362656630633262373661636535363863323664666438306633
-31313437623631626437393761366537636664393863306164373431653133316639623630353336
+61643865323634643063636631366165373230303533323338333832643364663066333131383436
-65313037636533393362363266366231393334613264343331623531393666336336626265366163
+32623662373439636164633939623164396666613138623632333532636634303633356638393537
-34663161396633666162326564313735373137303337386538633866653331646635633532336465
+31343933313965326238643331653635373430636236656433363039383263366363626565326462
-34386166373436386566656135313438363733353139663630613430363332656239356139393532
+30336631656431643262613663376331353631333563623361373231643439646465333261303862
-35626337666639376664346631323938316538333066353363646562323266353165366632656137
+36343766323033356536623931306365313363343232343538396561636133643365663933306231
-66366162376165626564363230353062666364646363366637666433636333316536623435623836
+31666362313935346336333662643237326137336263633934663663656636663836626364643966
-62346566363362363939353038396566653238666138666531396338323262323965383031336362
+34653830356163616636306536303030393634343062623538383239636365373663343463306262
-34613332363334653531383231363539343133333531666564386133346562323338366139663438
+62666536393332316365646630636232376165313266353138346536663435313063663466343533
-31613466366438643566333632326239653662636464373337326537313234393038306132343730
+35323238323466323663396563636361353833663636383234383533356362626232353632633665
-36633136366162643966396362643165313336383862653435343630646431306366656636353230
+31323865303935643765323663383730643462376464626566663562323339613037373761326632
-64326633346561613662383863356531306563623439363566643733336535303335303164633535
+33623636353832323735383866366534663561623136633639653232313564383639653833623532
-36356463616162313039386434323637383937613133623131373033373462363365643730666166
+32326535306661383433656436633031626235373466383633366663376537306530616438383361
-65383166346638313533326366346433656461346439343838306564393336383536633732343965
+65363838663965333831636166316464383964656431383161313838303736656130363132623664
-39306231386130303433616361366363366163646534316138623362393063663438313165643762
+32656232363933616532643461353565366438323166323237393434333630633830366562396531
-39393332653564333762663762366633386135353865366338396138666265653662373535666366
+35626564306634376364333332326539613839346639336561303038653937306339376161393763
-35613937613366323064316561643435353830316239396464393737613835373964626437316464
+30356464646435653237643065643264326630656366656138376566636161323261663366343462
-39643664656565633966393832643033323130636562383233323636363361353430353062323439
+62643837336133316262306261363238316533326436343631643031623731353563323836336533
-39396464633336623963633963326461316562333162333766613064336462613235336531623437
+66613737306232366339653962613136326430353732373034623130306539366431363864626535
-30383063653666633839646533386239366637346230363033306161386537303039376465303535
+38346166613864396434616663393837613466666436613730373466653532663561386533343635
-34643162323065326264343662303138313063303834353832393663616239383739313133393532
+37336233383337343266663037333133373036373435303432313265663539343961653665363762
-62393766343037666564326132386139346661383564366366646530346434373366326531356138
+64323761376632393638356235316362366630323039323336316262343663343563383839363165
-31323531653338653130303733363764636430336563336439666132626434363463306631363334
+38346161303931613832316333353130303637373638636561366134636137376537393538306532
-39623332376334383338633132653262653735346563626365613336623435396539383630366332
+66343133616333353664353062613862656439636161653864343734663537663762626539636138
-31316638393562376131363166633163333332633332393062393962613132366538653865663264
+32643361623135363539663865643935666263373432656138383966393162656164363734626332
-38313237393436353333323431336361653938343034346164353335366535396265633961333138
+61626634643135323262616465393332366235333637393937646531386562313338363431336135
-65386137356161643732636531613166633464326163303336303439383435376331373935333563
+30316632326637393431323538376663336136323438636463656639623238353533633336376534
-64633961623761393131333234656530653737346563643963643833383262383434653266343362
+32303566643264373861323030303033393939326161613037333162363864653839643966393939
-35623832643032346133346363646136646438663761363330666231316434306232623339656535
+34353765653765393336393338663761626663366136303136353932386231346331363961363930
-34393337666237656262313439386336336466373466663663616139353463316265396135626366
+39383131366466633365376635636231363639656238613737356630363734646166336432303535
-62313562306334343831616364633933343463386233323637313832316635346235623830333461
+34313938663864303730373331643437613636356139363934343261306666326437353737336466
-33663530343966383739643261653736363865323438363430653661653964643339633833386438
+30653139656335356133376239386666393166613062303233396330386462633666336532663765
-36333331366334366461346636636462343335313234663864613864366134356161396662383632
+36343230663035353638633662343035656639633433363165346539396661646635653562653161
-36663538373761353937313666363262626435623537646665646364353934373638366261333234
+31363161346565356164343530363731353935663563643532363535343266623935646663336333
-36353439303663656531666637376364313838386130343966316138356338643135316139363630
+35313065663439313535623430333533303964663263643064393331363035376635663964646138
-30386635376565363931333331336431303562346431323534643238333337386264616161356163
+63366361393531326132623236636333626334333433383531653161663961636430663964636561
-35663766306635626235373663643064393233346364666663393236353561653362373361666164
+36333463636334323834336435663636623133306434646530336332386265613962663132663737
-65653566666234626464356338613834323332383939643935323337376162316163333034643062
+31393537336162336532613239666332646436363266313632653538366561643137393332643065
-63646237646234636561313038383636373936656164333735323461626233633337623764383830
+32643264396135653439613632613332393937336230303131343465346232353261646536633130
-66383161346336633962643032376662656566396666343662656337306333313836613335643961
+35626363363763623839343566376633323765353934356431313537323332323736656635613039
-64323961663032373239636430306430383639306333363938303837386139643230353061623937
+39383039366437356535396133396336666330396566373961653762633965373761393633336165
-36373733636337616264313432643230303935626666633533666135666538626266626266643864
+39613261306465353634336666363138343830653939666637353330303234393632306166626633
-376430653461346366626432636336653437
+62336531373636656130363731363334313731376561636466643638363530353363323730643232
+31643636623363646233613733326630646235383539393834303864383039313934383633613232
+33376433656561356337666638353038353362363936366561323966653862303837663264623039
+36353966626362373531333939633934373266313831663337383464616237386361303166383634
+61643434633964373634646436623861646266366530313535663361626438323530343361313430
+31663066323232353130333732616663373361666661333561343133353837353766623230623963
+32323936373336646131653166633365323963616339643630623962663866373038393034623632
+35656130383562353734666162666264626138363265626263666661346465333130373764653262
+65623939623831633265346638626134386131303339386434343466656565373538613934653035
+31663265646266656432333739653439356134366663346366373139353562303964333537396361
+35353132636266613965313232326439366231653535653861653131373936303439303662643261
+32623662636565396632376437633064663032393538323432393764383062643835616563656535
+31386366393839643931656334633930343535326462623761353762396264323362326231643336
+32633534323661666239366563633837666161643438643033303732623237356139333739663135
+36343732656263313536383136663832323130393031313265326439383061666264333461373134
+34616163643839373663306630343861613663643030643437373833643239633539616565636233
+66303234303036616438356563663636633833396137323462316363613864663536343137303064
+32623030616562313131343536373435353636353161346337303337633135343262336164336632
+39343736313165626562353665613061626461393130373735303533636239376533636137396331
+37346234396364333537623034333430616133396363656164393337396338613766336433396464
+36346664383838386366366537306333306436383235316535623631343438633232313234613036
+36396564353833626566316130343439653562313863653761383564643162386362383138356530
+63376336616266623133323031353966623830633135316636383863333266333136303839373333
+35366130306431636362636162333661343939386463373936313866646162396138626663353765
+61666463653939373363393463656537653965313735653863323965666237353230316135346138
+34373637326366363033393830386164643530313937663031363932343637323836363932303832
+30316163393431663436643638313233643664333461623932356231383636633536393133666463
+38303030633866383866356262386235623034666161326632633735396162653437643533313034
+35306134343731376563383662353463386164323633643231386339356263663534613061306632
+37646338653633366530323837386333393335323664306265643235346366613164303962643433
+66303964346339663364633631656434626361396564666366333165396436666632663364336431
+31376435396134646665353135636138663733363565393833336464653465303961373262393932
+63396461653133396633376130326463313465363161633861653964313639666534633434393032
+38383334386432353630316336313839363362643533356433636665623235366664326139346430
+35646435356131666230383966383230336336623935336431653562363863643739373962366230
+32373661313832313963373263613764336635616239393063346232666364623631373839303632
+66386462666166616465336538313335323461316162346461613163643363313732366331313166
+39646535393235383633323663333865383462623162393665336132303334326138303431616665
+35633864373530613762396632303737653535663538316237663538646465313038373961616361
+39643866363563643133346437643038393361373938633935363332346236353362363238353365
+38393632336139313937616536633839383830376131633561383237313264373739626661646139
+32613465613933623062653362646439343035376261613361356233363631636539653062613138
+65633235656534633135633434336233303031333135363838666361306238323530643838386264
+33666639613931313239306539313131313530353836306361643665666231663966316237613134
+30303437376132373034366534383435626139623162653335636434373665623034376163633239
+39326332396631333965373337653239356237656235393765303236366565326536313732353137
+32623036343831383335336539303439303864666561323463393162353536303235626631373363
+37346338393336363038643430313037373164336264633838656231343331356266386266376563
+31633561376166343939326534383363393738613837653135663765366464306336326663333566
+61613339373234303838633639396562313930643339633733663030323761343737323862343232
+64343233326330306662653535633539393566626565306530363161343731613439383362393738
+61303339373565643036396563376230376464636632316265326165333761656164626632303235
+61353962613731633238643937343166343261363337303731633134373238643062643133633434
+37306265373666613131316332663066363834663864396364373637613632376539616363623963
+31356264393335366266613339343233383830643364356435316432613566316365326130333531
+64366536383937306437386538643338306662633739363231616438633465613563336564616363
+64363130326337383734666435336333656136326663336637336231623637633738323863636437
+39373766646333363433383130336336626163616564376336633833633835653231333239656462
+63316263313931626333663832653939616436643964613061343866303035653830633734643631
+35316533383333616332313938653762623435353161653061633732386365303138656466313238
+30616666666433333237313835623764373361633938396361393930393832323763373533356565
+65393261393363623435346463343537386531643439383764626239356530346666346633313332
+61656639616361396562633137666631613062303031343734313738313735346237613233363833
+39663036653865346336653734306631303563343563663438643533626638363463353731386132
+62326538613237616264623936393530613366303632643939336539333138626464383964663838
+34363763663732336536656162393635306563633662636664323563363161386261313230393766
+66373037343135616531653938633931643539386433633037623138613639653238303936383930
+62333564663537653764653638663465326462323838613838643034363238343339396663333835
+62396161373531646132663931356638643331626135376432633531383564393335316534313266
+62613935313661303636303762336166323064633837396435363937623238333461396235636534
+31616461303334363361376334306366633133633965646138623663623137393634613465376663
+33613836316365393136333639643035333238373535643932353330316161363733333439356532
+31343935376564333938613630616437343864336632356435326265363761643339653638666139
+30613035393830616263353338393334353635333534336165396266326462373036653663393863
+61323838363831663434636236636463633362633136653662623863323737626163613863643566
+63363933336533386666636632656661303033326535613234336264376337376139353831386364
+64643331353934323761623264353030653265336462356233313864343233323866333262363536
+36346630396536663565

inventories/prod/group_vars/all.yml

@@ -1 +0,0 @@
-domain: cazzzer.com

inventories/prod/group_vars/alpina/vars.yml

@@ -1,6 +1,8 @@
 # Environment specific variables (prod)
 
 ---
+domain: cazzzer.com
+
 docker_ipv6_index: 255
 
 # Arrstack VPN
@@ -9,6 +11,16 @@ wg_psk: "{{ vault_wg_psk }}"
 wg_addresses: "{{ vault_wg_addresses }}"
 fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
 
-# Authentik GitHub OAuth
+# Authentik External OAuth
 github_consumer_key: 32d5cae58d744c56fcc9
 github_consumer_secret: "{{ vault_github_consumer_secret }}"
+google_consumer_key: 606830535764-9vc8mjta87g9974pb7qasp82cpoc1d3a.apps.googleusercontent.com
+google_consumer_secret: "{{ vault_google_consumer_secret }}"
+
+# VPGen
+vpgen_ipv4_starting_addr: 10.18.11.100
+vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"
+
+# Woodpecker
+woodpecker_gitea_client_id: 3b7515f3-6005-4512-a2ee-5464dba315f8
+woodpecker_gitea_client_secret: "{{ vault_woodpecker_gitea_client_secret }}"

inventories/prod/group_vars/alpina/vault.yml

@@ -1,21 +1,32 @@
 $ANSIBLE_VAULT;1.1;AES256
-61656162363565633436373135333536623561663136303736393865623830633539376362363363
+36313835643238353932323631323439626432316436346533376365633332313963666433313333
-3938333137343336626634346262363964316563643261310a366538363037343965363766646535
+6134633133636133623130376237373462383164396338380a316463396139653161366536636336
-61636239326464373039333462653562373933396665393039633266326234663335363337666439
+64346664356538366538363239306631326464633635316161663963326635656430326637333963
-6137323332303533640a383062383135633762323561313666636566306531306636633466316536
+6462633236353132300a323062353639646238663737353461633733636530613036316364353864
-66623731626266333731303336323733343336626366343833633365616330343565363035323039
+34326534376639643734303137613866393464306334336566653134333765356361386436323939
-35313961383131616133386663376331336639633137383137346164353632653939363266613562
+35393535303635376162386266396431313739663961643061623037343463303637623130623131
-36316631366661353632386230306532633862393963663465383862653964646462666334396666
+31653761616639613964386432643561376637316435333064343837636463303033333432636234
-66626636353539316266343937623662613336616331626439306538363764636366656635356639
+39323735373161616133396566316266383165343033666530376333626264643531613334363634
-30663535393366383261333832356237373230663037373638303161303534636230616464636265
+35393766623361346461333764666139366632306362613362376133363239656562346263643066
-37623938303638646233346338616239393838396433313063343065386666323264646461373032
+65616538366532346537383432663766366161633234373562623531356339666661346164306563
-63376661646139316430303533643063336634333364643231336130613638626431623732646434
+35343339386631383462656466303563376237386137346437323634626163353464356462346364
-63643833353164313465633333646232653761356333323933396666323837656334343866363762
+35373061636237383335396231326563366230663566333665326338303564326263316630666233
-39646263653137356632323534356631366531636530613736343438393136363835373435636230
+65303930663862313137333630353837363265333532303133306466643462626662613166326132
-30313163386335353935663432323033326235653963653930396235373863373232666334326661
+66346439333739653965346236313766346532356233333164633538326135643662623533646561
-34336632666365666563326366376461386130343965363832343430396537323734363533353065
+65626530386333303362343830653430653866336261623566616362313739303939656364656363
-64313837623366356261383437306465633730353332636561333462356363326132313933653234
+37336331353766633534653936626139303061623531323362346564363665663438646533646166
-66363634333664333433613466396639306436353035346134373430663532373934343861323262
+62376534653562373138656465666133353235313935626534383537643436376665613865303363
-30666664336336393835346234316238613839326436363162626439376530306133343530303365
+62326562396361306131616363363866316232623635353663323537366563333239383636643763
-65393030633237333166336637363435646435323736353461333932366638333264333239373733
+35623366663463303831323730363036306363643364303532326339353633393739306366396331
-30623062643336643431
+33313230656431623462376135623438633164323064653866646165643263383832353138633931
+66306463346361646561376334613837383762366365666638643434383034376339643239646463
+66343461363233626635323535336462666339323032616136396239396534346434623238396330
+37653665643366323362313136386231396532323035363963623738346564356435303263303832
+37346532366432363638363330316464366361313461626535616165333433343835393565633766
+32663162386562373035333335303332323136613233613431386265626337653939326435396262
+61303631633838613962346663326232636438393563396230306361333335383462653432383766
+35376662353262303635316635363130383032366530396439613861653037383234363831333562
+37343332646534353838626366623361636261393865363633303631613837323733626264643835
+63376430613234386463336234623062656534643863656434386134616265333666613939393331
+39333166393538306135313431303831623063363533326330633062653333313733653831383736
+613864303461323739336563356161353234

inventories/prod/hosts

@@ -1,2 +1,2 @@
 [alpina]
-debbi.lab.home
+debbi.sys.cazzzer.com

inventories/staging/group_vars/all.yml

@@ -1 +0,0 @@
-domain: lab.cazzzer.com

inventories/staging/group_vars/alpina/vars.yml

@@ -1,6 +1,8 @@
 # Environment specific variables (staging)
 
 ---
+domain: lab.cazzzer.com
+
 docker_ipv6_index: 254
 
 # Arrstack VPN
@@ -9,6 +11,16 @@ wg_psk: "{{ vault_wg_psk }}"
 wg_addresses: "{{ vault_wg_addresses }}"
 fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
 
-# Authentik GitHub OAuth
+# Authentik External OAuth
 github_consumer_key: dbacb8621c37320eb745
 github_consumer_secret: "{{ vault_github_consumer_secret }}"
+google_consumer_key: 606830535764-pec4b3sa2tohim3u9jl2jmnl1see46q1.apps.googleusercontent.com
+google_consumer_secret: "{{ vault_google_consumer_secret }}"
+
+# VPGen
+vpgen_ipv4_starting_addr: 10.18.11.50
+vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"
+
+# Woodpecker
+woodpecker_gitea_client_id: c7122416-b160-498b-8021-8f2837552588
+woodpecker_gitea_client_secret: "{{ vault_woodpecker_gitea_client_secret }}"

inventories/staging/group_vars/alpina/vault.yml

@@ -1,21 +1,32 @@
 $ANSIBLE_VAULT;1.1;AES256
-63633535633462326534626562373461373363643166383961303861623531663263323534366537
+36343339366166383430383235626463376339653331333635623936653135633633353064613634
-3263633238646439306430356365623233313838326639350a386633363434623737313565316535
+3263306161376232356634363532653266366665333364650a636365393465383165306563346132
-33393734633937333637373432366132323366343836393538366339626235613937323066613666
+37653564633630653635353464333939353266396562316663653933373065353536333130383065
-3737393262646333390a623331333461373563313166323232343234616538623433376166313532
+3864353332303164320a316439313164663736636465366539643131303663343861333164613561
-32323834346336336164343938303062336438643566343866316164643535663039326331646465
+37383965373964313535313335643164376164323263613539643933333035323837373662303030
-36666162393365323633646635333666613030386265306238633434303234336439646663356363
+66636465303566313334386435326433653032383962353739643861346161323738636366396239
-63323638373035326465633934326363316364616539613462653232393465633233366666373664
+39623336336234376339343562656362323932383265313161396435346530663330353266323433
-66616361646564303530356331323864343966633736643434653237316236363063613634646438
+66396538313365653963323164306464663565303364386466666636346533633661333634313236
-35303238646632616465643264316164363139393834626362326538613033656464323435396638
+33623936616239613264613730363039366561646535633239633564656166343162303633373366
-31346631653764303332386331663361623766333332366537313634636333346538653537346631
+37656163333838656533363735383332626632353237613666396633363531666366336630613064
-62363438303036386530633236376633326162336434343861346261373835653735323161323965
+66626561663766376531313666663963643766393965653564333062653139336230356330383464
-62353965373164616537346134303232363033323134323130316439386339613966646330666533
+38343562383430303132663964303736623238386562323033623861303432363363373934643332
-65346239383230646565346133663530613462363532663562326136376233303638323332326630
+63363239323664333131306237336134613137653136633932356238343733393632616464366134
-35656432363563653663616236393932663637323139666664636237336136366438656666633865
+33623038363032653134626337663863366663383433633134326239616136656139366535613565
-66353162656364356638313236643131613830393838636264663833343461373963613431656364
+61646330356330396236303566363834613236653733643162666536303435643133346633353632
-32303331623033303433333631313038316336653638656638373031653234356164333363336532
+62386135303262353332643135636164303963616234626132356161663463366434323864626261
-37316334353463376562643138346633613633353536653939376564333166323931353634333736
+33356536626263626261343937386666396561306334346435316262333431353234303836356563
-63616133663266383339323562343265613461623865623263623139396163343065623264366230
+31343566373935396633636133616265346235396333396664333534336162323039623937656336
-32633362336335396562366563363830636133376238646433386236666461333731353337386333
+36656133383966613333646336613039626563353862646238376461373264633233313836333062
-61323931643766326338
+30343134363862626630393035643762376435346532306462363437646238333463396230666465
+64386365393063613139313164366562643066323461313364393265393638643137386561633530
+65643861386531323836306339386462656530383533363831323461303131396666626464303136
+64343865616235616366633136393662623862383961323338366435396334653538303830616166
+39636164613466313033643639366635323666666235653633333436613133343962353664313838
+64356466393239666131363964643461346633313030643061643938643232343334313731636463
+37396637643232353539626239306463623237623534366666396164613135356136313534663231
+36613662653237343061316463386231656136383636393034333666633063613731316162333464
+64313866633062623530326233633166343434636639346565346337396461393637383333366435
+62393030383963396638653230613431623837353461313630343333376131616239313164336234
+62323739316536353835613032303438623230626563303934626466303934613566656232323663
+643265386333313065333737613438316532

inventories/staging/hosts

@@ -1,2 +1,2 @@
 [alpina]
-etappi.lab.home
+etappi.sys.cazzzer.com

poetry.lock

@@ -1,28 +1,30 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand.
 
 [[package]]
 name = "ansible"
-version = "10.5.0"
+version = "11.6.0"
 description = "Radically simple IT automation"
 optional = false
-python-versions = ">=3.10"
+python-versions = ">=3.11"
+groups = ["main"]
 files = [
-    {file = "ansible-10.5.0-py3-none-any.whl", hash = "sha256:1d10bddba58f1edd0fe0b8e0387e0fafc519535066bb3c919c33b6ea3ec32a0f"},
+    {file = "ansible-11.6.0-py3-none-any.whl", hash = "sha256:5b9c19d6a1080011c14c821bc7e6f8fd5b2a392219cbf2ced9be05e6d447d8cd"},
-    {file = "ansible-10.5.0.tar.gz", hash = "sha256:ba2045031a7d60c203b6e5fe1f8eaddd53ae076f7ada910e636494384135face"},
+    {file = "ansible-11.6.0.tar.gz", hash = "sha256:934a948caa3ec1a3eb277e7ab1638b808b074a6e0c46045794cde7b637e275d8"},
 ]
 
 [package.dependencies]
-ansible-core = ">=2.17.5,<2.18.0"
+ansible-core = ">=2.18.6,<2.19.0"
 
 [[package]]
 name = "ansible-core"
-version = "2.17.5"
+version = "2.18.6"
 description = "Radically simple IT automation"
 optional = false
-python-versions = ">=3.10"
+python-versions = ">=3.11"
+groups = ["main"]
 files = [
-    {file = "ansible_core-2.17.5-py3-none-any.whl", hash = "sha256:10f165b475cf2bc8d886e532cadb32c52ee6a533649793101d3166bca9bd3ea3"},
+    {file = "ansible_core-2.18.6-py3-none-any.whl", hash = "sha256:12a34749a7b20f0f1536bd3e3b2e137341867e4642e351273e96647161f595c0"},
-    {file = "ansible_core-2.17.5.tar.gz", hash = "sha256:ae7f51fd13dc9d57c9bcd43ef23f9c255ca8f18f4b5c0011a4f9b724d92c5a8e"},
+    {file = "ansible_core-2.18.6.tar.gz", hash = "sha256:25bb20ce1516a1b7307831b263cef684043b3720711466bd9d4164e5fd576557"},
 ]
 
 [package.dependencies]
@@ -38,6 +40,7 @@ version = "2.1.0"
 description = "R/W an ansible-vault yaml file"
 optional = false
 python-versions = "*"
+groups = ["main"]
 files = [
     {file = "ansible-vault-2.1.0.tar.gz", hash = "sha256:5ce8fdb5470f1449b76bf07ae2abc56480dad48356ae405c85b686efb64dbd5e"},
 ]
@@ -47,27 +50,28 @@ ansible = "*"
 setuptools = "*"
 
 [package.extras]
-dev = ["black", "flake8", "isort[pyproject]", "pytest"]
+dev = ["black ; python_version >= \"3.6\"", "flake8 ; python_version >= \"3.6\"", "isort[pyproject] ; python_version >= \"3.6\"", "pytest"]
 release = ["twine"]
 
 [[package]]
 name = "attrs"
-version = "24.2.0"
+version = "25.1.0"
 description = "Classes Without Boilerplate"
 optional = false
-python-versions = ">=3.7"
+python-versions = ">=3.8"
+groups = ["dev"]
 files = [
-    {file = "attrs-24.2.0-py3-none-any.whl", hash = "sha256:81921eb96de3191c8258c199618104dd27ac608d9366f5e35d011eae1867ede2"},
+    {file = "attrs-25.1.0-py3-none-any.whl", hash = "sha256:c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a"},
-    {file = "attrs-24.2.0.tar.gz", hash = "sha256:5cfb1b9148b5b086569baec03f20d7b6bf3bcacc9a42bebf87ffaaca362f6346"},
+    {file = "attrs-25.1.0.tar.gz", hash = "sha256:1c97078a80c814273a76b2a298a932eb681c87415c11dee0a6921de7f1b02c3e"},
 ]
 
 [package.extras]
-benchmark = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-codspeed", "pytest-mypy-plugins", "pytest-xdist[psutil]"]
+benchmark = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pympler", "pytest (>=4.3.0)", "pytest-codspeed", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
-cov = ["cloudpickle", "coverage[toml] (>=5.3)", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"]
+cov = ["cloudpickle ; platform_python_implementation == \"CPython\"", "coverage[toml] (>=5.3)", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
-dev = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"]
+dev = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pre-commit-uv", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
 docs = ["cogapp", "furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier (<24.7)"]
-tests = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"]
+tests = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
-tests-mypy = ["mypy (>=1.11.1)", "pytest-mypy-plugins"]
+tests-mypy = ["mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\""]
 
 [[package]]
 name = "cffi"
@@ -75,6 +79,8 @@ version = "1.17.1"
 description = "Foreign Function Interface for Python calling C code."
 optional = false
 python-versions = ">=3.8"
+groups = ["main"]
+markers = "platform_python_implementation != \"PyPy\""
 files = [
     {file = "cffi-1.17.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14"},
     {file = "cffi-1.17.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67"},
@@ -150,51 +156,56 @@ pycparser = "*"
 
 [[package]]
 name = "cryptography"
-version = "43.0.1"
+version = "44.0.1"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
-python-versions = ">=3.7"
+python-versions = "!=3.9.0,!=3.9.1,>=3.7"
+groups = ["main"]
 files = [
-    {file = "cryptography-43.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d"},
+    {file = "cryptography-44.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:bf688f615c29bfe9dfc44312ca470989279f0e94bb9f631f85e3459af8efc009"},
-    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dd7c7e2d71d908dc0f8d2027e1604102140d84b155e658c20e8ad1304317691f"},
-    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:887143b9ff6bad2b7570da75a7fe8bbf5f65276365ac259a5d2d5147a73775f2"},
-    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:322eb03ecc62784536bc173f1483e76747aafeb69c8728df48537eb431cd1911"},
-    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:21377472ca4ada2906bc313168c9dc7b1d7ca417b63c1c3011d0c74b7de9ae69"},
-    {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:df978682c1504fc93b3209de21aeabf2375cb1571d4e61907b3e7a2540e83026"},
-    {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:eb3889330f2a4a148abead555399ec9a32b13b7c8ba969b72d8e500eb7ef84cd"},
-    {file = "cryptography-43.0.1-cp37-abi3-win32.whl", hash = "sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:8e6a85a93d0642bd774460a86513c5d9d80b5c002ca9693e63f6e540f1815ed0"},
-    {file = "cryptography-43.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d"},
+    {file = "cryptography-44.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:6f76fdd6fd048576a04c5210d53aa04ca34d2ed63336d4abd306d0cbe298fddf"},
-    {file = "cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d"},
+    {file = "cryptography-44.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6c8acf6f3d1f47acb2248ec3ea261171a671f3d9428e34ad0357148d492c7864"},
-    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806"},
+    {file = "cryptography-44.0.1-cp37-abi3-win32.whl", hash = "sha256:24979e9f2040c953a94bf3c6782e67795a4c260734e5264dceea65c8f4bae64a"},
-    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85"},
+    {file = "cryptography-44.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:fd0ee90072861e276b0ff08bd627abec29e32a53b2be44e41dbcdf87cbee2b00"},
-    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c"},
+    {file = "cryptography-44.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:a2d8a7045e1ab9b9f803f0d9531ead85f90c5f2859e653b61497228b18452008"},
-    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b8272f257cf1cbd3f2e120f14c68bff2b6bdfcc157fafdee84a1b795efd72862"},
-    {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1e8d181e90a777b63f3f0caa836844a1182f1f265687fac2115fcf245f5fbec3"},
-    {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:436df4f203482f41aad60ed1813811ac4ab102765ecae7a2bbb1dbb66dcff5a7"},
-    {file = "cryptography-43.0.1-cp39-abi3-win32.whl", hash = "sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:4f422e8c6a28cf8b7f883eb790695d6d45b0c385a2583073f3cec434cc705e1a"},
-    {file = "cryptography-43.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:72198e2b5925155497a5a3e8c216c7fb3e64c16ccee11f0e7da272fa93b35c4c"},
-    {file = "cryptography-43.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:2a46a89ad3e6176223b632056f321bc7de36b9f9b93b2cc1cccf935a3849dc62"},
-    {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:53f23339864b617a3dfc2b0ac8d5c432625c80014c25caac9082314e9de56f41"},
-    {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289"},
+    {file = "cryptography-44.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:888fcc3fce0c888785a4876ca55f9f43787f4c5c1cc1e2e0da71ad481ff82c5b"},
-    {file = "cryptography-43.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84"},
+    {file = "cryptography-44.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:00918d859aa4e57db8299607086f793fa7813ae2ff5a4637e318a25ef82730f7"},
-    {file = "cryptography-43.0.1-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365"},
+    {file = "cryptography-44.0.1-cp39-abi3-win32.whl", hash = "sha256:9b336599e2cb77b1008cb2ac264b290803ec5e8e89d618a5e978ff5eb6f715d9"},
-    {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96"},
+    {file = "cryptography-44.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:e403f7f766ded778ecdb790da786b418a9f2394f36e8cc8b796cc056ab05f44f"},
-    {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:1f9a92144fa0c877117e9748c74501bea842f93d21ee00b0cf922846d9d0b183"},
-    {file = "cryptography-43.0.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:610a83540765a8d8ce0f351ce42e26e53e1f774a6efb71eb1b41eb01d01c3d12"},
-    {file = "cryptography-43.0.1.tar.gz", hash = "sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:5fed5cd6102bb4eb843e3315d2bf25fede494509bddadb81e03a859c1bc17b83"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:f4daefc971c2d1f82f03097dc6f216744a6cd2ac0f04c68fb935ea2ba2a0d420"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:94f99f2b943b354a5b6307d7e8d19f5c423a794462bde2bf310c770ba052b1c4"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:d9c5b9f698a83c8bd71e0f4d3f9f839ef244798e5ffe96febfa9714717db7af7"},
+    {file = "cryptography-44.0.1.tar.gz", hash = "sha256:f51f5705ab27898afda1aaa430f34ad90dc117421057782022edf0600bec5f14"},
 ]
 
 [package.dependencies]
 cffi = {version = ">=1.12", markers = "platform_python_implementation != \"PyPy\""}
 
 [package.extras]
-docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=1.1.1)"]
+docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=3.0.0) ; python_version >= \"3.8\""]
-docstest = ["pyenchant (>=1.6.11)", "readme-renderer", "sphinxcontrib-spelling (>=4.0.1)"]
+docstest = ["pyenchant (>=3)", "readme-renderer (>=30.0)", "sphinxcontrib-spelling (>=7.3.1)"]
-nox = ["nox"]
+nox = ["nox (>=2024.4.15)", "nox[uv] (>=2024.3.2) ; python_version >= \"3.8\""]
-pep8test = ["check-sdist", "click", "mypy", "ruff"]
+pep8test = ["check-sdist ; python_version >= \"3.8\"", "click (>=8.0.1)", "mypy (>=1.4)", "ruff (>=0.3.6)"]
-sdist = ["build"]
+sdist = ["build (>=1.0.0)"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi", "cryptography-vectors (==43.0.1)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"]
+test = ["certifi (>=2024)", "cryptography-vectors (==44.0.1)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
 test-randomorder = ["pytest-randomly"]
 
 [[package]]
@@ -203,6 +214,7 @@ version = "0.7.1"
 description = "Library for building Grafana dashboards"
 optional = false
 python-versions = "*"
+groups = ["dev"]
 files = [
     {file = "grafanalib-0.7.1-py3-none-any.whl", hash = "sha256:6fab5d7b837a1f2d1322ef762cd52e565ec0422707a7512765c59f668bdceb58"},
     {file = "grafanalib-0.7.1.tar.gz", hash = "sha256:3d92bb4e92ae78fe4e21c5b252ab51f4fdcacd8523ba5a44545b897b2a375b83"},
@@ -216,13 +228,14 @@ dev = ["flake8", "pytest"]
 
 [[package]]
 name = "jinja2"
-version = "3.1.4"
+version = "3.1.5"
 description = "A very fast and expressive template engine."
 optional = false
 python-versions = ">=3.7"
+groups = ["main"]
 files = [
-    {file = "jinja2-3.1.4-py3-none-any.whl", hash = "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d"},
+    {file = "jinja2-3.1.5-py3-none-any.whl", hash = "sha256:aba0f4dc9ed8013c424088f68a5c226f7d6097ed89b246d7749c2ec4175c6adb"},
-    {file = "jinja2-3.1.4.tar.gz", hash = "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369"},
+    {file = "jinja2-3.1.5.tar.gz", hash = "sha256:8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb"},
 ]
 
 [package.dependencies]
@@ -233,72 +246,73 @@ i18n = ["Babel (>=2.7)"]
 
 [[package]]
 name = "markupsafe"
-version = "3.0.1"
+version = "3.0.2"
 description = "Safely add untrusted strings to HTML/XML markup."
 optional = false
 python-versions = ">=3.9"
+groups = ["main"]
 files = [
-    {file = "MarkupSafe-3.0.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:db842712984e91707437461930e6011e60b39136c7331e971952bb30465bc1a1"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:3ffb4a8e7d46ed96ae48805746755fadd0909fea2306f93d5d8233ba23dda12a"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:67c519635a4f64e495c50e3107d9b4075aec33634272b5db1cde839e07367589"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:48488d999ed50ba8d38c581d67e496f955821dc183883550a6fbc7f1aefdc170"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f31ae06f1328595d762c9a2bf29dafd8621c7d3adc130cbb46278079758779ca"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:80fcbf3add8790caddfab6764bde258b5d09aefbe9169c183f88a7410f0f6dea"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:3341c043c37d78cc5ae6e3e305e988532b072329639007fd408a476642a89fd6"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:cb53e2a99df28eee3b5f4fea166020d3ef9116fdc5764bc5117486e6d1211b25"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-win32.whl", hash = "sha256:db15ce28e1e127a0013dfb8ac243a8e392db8c61eae113337536edb28bdc1f97"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-win32.whl", hash = "sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"},
-    {file = "MarkupSafe-3.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:4ffaaac913c3f7345579db4f33b0020db693f302ca5137f106060316761beea9"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:26627785a54a947f6d7336ce5963569b5d75614619e75193bdb4e06e21d447ad"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:b954093679d5750495725ea6f88409946d69cfb25ea7b4c846eef5044194f583"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:973a371a55ce9ed333a3a0f8e0bcfae9e0d637711534bcb11e130af2ab9334e7"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:244dbe463d5fb6d7ce161301a03a6fe744dac9072328ba9fc82289238582697b"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d98e66a24497637dd31ccab090b34392dddb1f2f811c4b4cd80c230205c074a3"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:ad91738f14eb8da0ff82f2acd0098b6257621410dcbd4df20aaa5b4233d75a50"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:7044312a928a66a4c2a22644147bc61a199c1709712069a344a3fb5cfcf16915"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:a4792d3b3a6dfafefdf8e937f14906a51bd27025a36f4b188728a73382231d91"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-win32.whl", hash = "sha256:fa7d686ed9883f3d664d39d5a8e74d3c5f63e603c2e3ff0abcba23eac6542635"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-win32.whl", hash = "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d"},
-    {file = "MarkupSafe-3.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:9ba25a71ebf05b9bb0e2ae99f8bc08a07ee8e98c612175087112656ca0f5c8bf"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:8ae369e84466aa70f3154ee23c1451fda10a8ee1b63923ce76667e3077f2b0c4"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40f1e10d51c92859765522cbd79c5c8989f40f0419614bcdc5015e7b6bf97fc5"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5a4cb365cb49b750bdb60b846b0c0bc49ed62e59a76635095a179d440540c346"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ee3941769bd2522fe39222206f6dd97ae83c442a94c90f2b7a25d847d40f4729"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:62fada2c942702ef8952754abfc1a9f7658a4d5460fabe95ac7ec2cbe0d02abc"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:4c2d64fdba74ad16138300815cfdc6ab2f4647e23ced81f59e940d7d4a1469d9"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:fb532dd9900381d2e8f48172ddc5a59db4c445a11b9fab40b3b786da40d3b56b"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:0f84af7e813784feb4d5e4ff7db633aba6c8ca64a833f61d8e4eade234ef0c38"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-win32.whl", hash = "sha256:cbf445eb5628981a80f54087f9acdbf84f9b7d862756110d172993b9a5ae81aa"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-win32.whl", hash = "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30"},
-    {file = "MarkupSafe-3.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:a10860e00ded1dd0a65b83e717af28845bb7bd16d8ace40fe5531491de76b79f"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:e81c52638315ff4ac1b533d427f50bc0afc746deb949210bc85f05d4f15fd772"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:312387403cd40699ab91d50735ea7a507b788091c416dd007eac54434aee51da"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2ae99f31f47d849758a687102afdd05bd3d3ff7dbab0a8f1587981b58a76152a"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c97ff7fedf56d86bae92fa0a646ce1a0ec7509a7578e1ed238731ba13aabcd1c"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a7420ceda262dbb4b8d839a4ec63d61c261e4e77677ed7c66c99f4e7cb5030dd"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:45d42d132cff577c92bfba536aefcfea7e26efb975bd455db4e6602f5c9f45e7"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:4c8817557d0de9349109acb38b9dd570b03cc5014e8aabf1cbddc6e81005becd"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6a54c43d3ec4cf2a39f4387ad044221c66a376e58c0d0e971d47c475ba79c6b5"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-win32.whl", hash = "sha256:c91b394f7601438ff79a4b93d16be92f216adb57d813a78be4446fe0f6bc2d8c"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-win32.whl", hash = "sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313-win_amd64.whl", hash = "sha256:fe32482b37b4b00c7a52a07211b479653b7fe4f22b2e481b9a9b099d8a430f2f"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:17b2aea42a7280db02ac644db1d634ad47dcc96faf38ab304fe26ba2680d359a"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:852dc840f6d7c985603e60b5deaae1d89c56cb038b577f6b5b8c808c97580f1d"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0778de17cff1acaeccc3ff30cd99a3fd5c50fc58ad3d6c0e0c4c58092b859396"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:800100d45176652ded796134277ecb13640c1a537cad3b8b53da45aa96330453"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d06b24c686a34c86c8c1fba923181eae6b10565e4d80bdd7bc1c8e2f11247aa4"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:33d1c36b90e570ba7785dacd1faaf091203d9942bc036118fab8110a401eb1a8"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:beeebf760a9c1f4c07ef6a53465e8cfa776ea6a2021eda0d0417ec41043fe984"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:bbde71a705f8e9e4c3e9e33db69341d040c827c7afa6789b14c6e16776074f5a"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-win32.whl", hash = "sha256:82b5dba6eb1bcc29cc305a18a3c5365d2af06ee71b123216416f7e20d2a84e5b"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-win32.whl", hash = "sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6"},
-    {file = "MarkupSafe-3.0.1-cp313-cp313t-win_amd64.whl", hash = "sha256:730d86af59e0e43ce277bb83970530dd223bf7f2a838e086b50affa6ec5f9295"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-win_amd64.whl", hash = "sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:4935dd7883f1d50e2ffecca0aa33dc1946a94c8f3fdafb8df5c330e48f71b132"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e9393357f19954248b00bed7c56f29a25c930593a77630c719653d51e7669c2a"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:40621d60d0e58aa573b68ac5e2d6b20d44392878e0bfc159012a5787c4e35bc8"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f94190df587738280d544971500b9cafc9b950d32efcb1fba9ac10d84e6aa4e6"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b6a387d61fe41cdf7ea95b38e9af11cfb1a63499af2759444b99185c4ab33f5b"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:8ad4ad1429cd4f315f32ef263c1342166695fad76c100c5d979c45d5570ed58b"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:e24bfe89c6ac4c31792793ad9f861b8f6dc4546ac6dc8f1c9083c7c4f2b335cd"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:2a4b34a8d14649315c4bc26bbfa352663eb51d146e35eef231dd739d54a5430a"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-win32.whl", hash = "sha256:242d6860f1fd9191aef5fae22b51c5c19767f93fb9ead4d21924e0bcb17619d8"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-win32.whl", hash = "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f"},
-    {file = "MarkupSafe-3.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:93e8248d650e7e9d49e8251f883eed60ecbc0e8ffd6349e18550925e31bd029b"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a"},
-    {file = "markupsafe-3.0.1.tar.gz", hash = "sha256:3e683ee4f5d0fa2dde4db77ed8dd8a876686e3fc417655c2ece9a90576905344"},
+    {file = "markupsafe-3.0.2.tar.gz", hash = "sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0"},
 ]
 
 [[package]]
@@ -307,6 +321,7 @@ version = "1.3.0"
 description = "A network address manipulation library for Python"
 optional = false
 python-versions = ">=3.7"
+groups = ["main"]
 files = [
     {file = "netaddr-1.3.0-py3-none-any.whl", hash = "sha256:c2c6a8ebe5554ce33b7d5b3a306b71bbb373e000bbbf2350dd5213cc56e3dbbe"},
     {file = "netaddr-1.3.0.tar.gz", hash = "sha256:5c3c3d9895b551b763779ba7db7a03487dc1f8e3b385af819af341ae9ef6e48a"},
@@ -317,13 +332,14 @@ nicer-shell = ["ipython"]
 
 [[package]]
 name = "packaging"
-version = "24.1"
+version = "24.2"
 description = "Core utilities for Python packages"
 optional = false
 python-versions = ">=3.8"
+groups = ["main"]
 files = [
-    {file = "packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124"},
+    {file = "packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759"},
-    {file = "packaging-24.1.tar.gz", hash = "sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002"},
+    {file = "packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f"},
 ]
 
 [[package]]
@@ -332,6 +348,8 @@ version = "2.22"
 description = "C parser in Python"
 optional = false
 python-versions = ">=3.8"
+groups = ["main"]
+markers = "platform_python_implementation != \"PyPy\""
 files = [
     {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"},
     {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"},
@@ -343,6 +361,7 @@ version = "6.0.2"
 description = "YAML parser and emitter for Python"
 optional = false
 python-versions = ">=3.8"
+groups = ["main"]
 files = [
     {file = "PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"},
     {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"},
@@ -405,6 +424,7 @@ version = "1.0.1"
 description = "Resolve abstract dependencies into concrete ones"
 optional = false
 python-versions = "*"
+groups = ["main"]
 files = [
     {file = "resolvelib-1.0.1-py2.py3-none-any.whl", hash = "sha256:d2da45d1a8dfee81bdd591647783e340ef3bcb104b54c383f70d422ef5cc7dbf"},
     {file = "resolvelib-1.0.1.tar.gz", hash = "sha256:04ce76cbd63fded2078ce224785da6ecd42b9564b1390793f64ddecbe997b309"},
@@ -418,25 +438,26 @@ test = ["commentjson", "packaging", "pytest"]
 
 [[package]]
 name = "setuptools"
-version = "75.1.0"
+version = "75.8.1"
 description = "Easily download, build, install, upgrade, and uninstall Python packages"
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
+groups = ["main"]
 files = [
-    {file = "setuptools-75.1.0-py3-none-any.whl", hash = "sha256:35ab7fd3bcd95e6b7fd704e4a1539513edad446c097797f2985e0e4b960772f2"},
+    {file = "setuptools-75.8.1-py3-none-any.whl", hash = "sha256:3bc32c0b84c643299ca94e77f834730f126efd621de0cc1de64119e0e17dab1f"},
-    {file = "setuptools-75.1.0.tar.gz", hash = "sha256:d59a21b17a275fb872a9c3dae73963160ae079f1049ed956880cd7c09b120538"},
+    {file = "setuptools-75.8.1.tar.gz", hash = "sha256:65fb779a8f28895242923582eadca2337285f0891c2c9e160754df917c3d2530"},
 ]
 
 [package.extras]
-check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1)", "ruff (>=0.5.2)"]
+check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1) ; sys_platform != \"cygwin\"", "ruff (>=0.8.0) ; sys_platform != \"cygwin\""]
-core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.collections", "jaraco.functools", "jaraco.text (>=3.7)", "more-itertools", "more-itertools (>=8.8)", "packaging", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
+core = ["importlib_metadata (>=6) ; python_version < \"3.10\"", "jaraco.collections", "jaraco.functools (>=4)", "jaraco.text (>=3.7)", "more_itertools", "more_itertools (>=8.8)", "packaging", "packaging (>=24.2)", "platformdirs (>=4.2.2)", "tomli (>=2.0.1) ; python_version < \"3.11\"", "wheel (>=0.43.0)"]
 cover = ["pytest-cov"]
 doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier", "towncrier (<24.7)"]
 enabler = ["pytest-enabler (>=2.2)"]
-test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"]
+test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21) ; python_version >= \"3.9\" and sys_platform != \"cygwin\"", "jaraco.envs (>=2.2)", "jaraco.path (>=3.7.2)", "jaraco.test (>=5.5)", "packaging (>=24.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf ; sys_platform != \"cygwin\"", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"]
-type = ["importlib-metadata (>=7.0.2)", "jaraco.develop (>=7.21)", "mypy (==1.11.*)", "pytest-mypy"]
+type = ["importlib_metadata (>=7.0.2) ; python_version < \"3.10\"", "jaraco.develop (>=7.21) ; sys_platform != \"cygwin\"", "mypy (==1.14.*)", "pytest-mypy"]
 
 [metadata]
-lock-version = "2.0"
+lock-version = "2.1"
-python-versions = "^3.10"
+python-versions = "^3.11"
-content-hash = "334448cb0c7d192f0e10987a995ecefca5e136733cce4dd15dcc2238f1c371c8"
+content-hash = "aee53e668f5f3a99526ea72999ad57256351453f5331f71c0abf94b5bd74a0c3"

poetry.toml

@@ -0,0 +1,2 @@
+[virtualenvs]
+in-project = true

pyproject.toml

@@ -6,12 +6,12 @@ authors = ["Iurii Tatishchev <itatishch@gmail.com>"]
 readme = "README.md"
 
 [tool.poetry.dependencies]
-python = "^3.10"
+python = "^3.11"
-ansible = "^10.1.0"
+ansible = "^11.1.0"
 ansible-vault = "^2.1.0"
 netaddr = "^1.3.0"
 
-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 grafanalib = "^0.7.1"
 
 

renovate.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "docker-compose": {
+    "fileMatch": [
+      "(^|/)(?:docker-)?compose[^/]*\\.ya?ml(\\.j2)?$"
+    ]
+  }
+}

roles/alpina/tasks/deploy_compose_stack.yml

@@ -11,7 +11,7 @@
     path: "{{ current_stack_dest }}/{{ item.path }}"
     state: directory
     mode: "755"
-  loop: "{{ lookup('community.general.filetree', current_stack_source) }}"
+  loop: "{{ query('community.general.filetree', current_stack_source) }}"
   when: item.state == "directory"
 
 - name: Generate {{ current_stack_name }} deployment from templates
@@ -19,7 +19,7 @@
     src: "{{ item.src }}"
     dest: "{{ current_stack_dest }}/{{ item.path | regex_replace('\\.j2$', '') }}"
     mode: "644"
-  loop: "{{ lookup('community.general.filetree', current_stack_source) }}"
+  loop: "{{ query('community.general.filetree', current_stack_source) }}"
   when: item.state == "file" and item.path | regex_search('\\.j2$')
 
 - name: Generate {{ current_stack_name }} deployment from static files
@@ -27,7 +27,7 @@
     src: "{{ item.src }}"
     dest: "{{ current_stack_dest }}/{{ item.path }}"
     mode: "644"
-  loop: "{{ lookup('community.general.filetree', current_stack_source) }}"
+  loop: "{{ query('community.general.filetree', current_stack_source) }}"
   when: item.state == "file" and not item.path | regex_search('\\.j2$')
 
 - name: Deploy docker-compose for {{ current_stack_name }}

roles/alpina/tasks/main.yml

@@ -28,7 +28,12 @@
     collection: apps
     stacks:
       - gitea
+      - woodpecker
+      - syncthing
       - nextcloud
       - jellyfin
       - arrstack
+      - vpgen
+      - pgrok
+      - minecruft
   import_tasks: deploy_collection.yml

roles/alpina/templates/apps/arrstack/compose.yml.j2

@@ -2,8 +2,6 @@
 
 networks:
   {{ helpers.default_network(249) | indent(2) }}
-  traefik_traefik:
-    external: true
 
 services:
   gluetun:
@@ -11,14 +9,13 @@ services:
     container_name: gluetun
     cap_add:
       - NET_ADMIN
+    devices:
+      - /dev/net/tun:/dev/net/tun
     sysctls:
       - net.ipv6.conf.all.disable_ipv6=0
     env_file:
       - .env.gluetun
     restart: unless-stopped
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/arrstack/gluetun:/gluetun
 
@@ -49,9 +46,6 @@ services:
     restart: unless-stopped
     depends_on:
       - qbittorrent
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/arrstack/config/prowlarr:/config
 
@@ -63,9 +57,6 @@ services:
     restart: unless-stopped
     depends_on:
       - qbittorrent
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/arrstack/config/sonarr:/config
       - {{ base_volume_path }}/arrstack/downloads:/downloads
@@ -79,9 +70,6 @@ services:
     restart: unless-stopped
     depends_on:
       - qbittorrent
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/arrstack/config/radarr:/config
       - {{ base_volume_path }}/arrstack/downloads:/downloads

roles/alpina/templates/apps/gitea/.env.gitea.j2

@@ -25,5 +25,7 @@ GITEA__security__INTERNAL_TOKEN={{ internal_token }}
 
 GITEA__oauth2__JWT_SECRET={{ jwt_secret }}
 
+GITEA__webhook__ALLOWED_HOST_LIST="external,woodpecker.{{ domain }}"
+
 # Indexer
 GITEA__indexer__REPO_INDEXER_ENABLED=true

roles/alpina/templates/apps/gitea/compose.yml.j2

@@ -2,21 +2,16 @@
 
 networks:
   {{ helpers.default_network(199) | indent(2) }}
-  traefik_traefik:
-    external: true
 
 services:
   server:
-    image: gitea/gitea:1.22
+    image: gitea/gitea
     container_name: gitea_server
     labels:
       - {{ helpers.traefik_labels('gitea', port='3000') | indent(6) }}
     restart: unless-stopped
     env_file:
       - .env.gitea
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/gitea/gitea:/data
     depends_on:
@@ -27,7 +22,5 @@ services:
     restart: unless-stopped
     env_file:
       - .env.db
-    networks:
-      - default
     volumes:
       - {{ base_volume_path }}/gitea/postgres:/var/lib/postgresql/data

roles/alpina/templates/apps/jellyfin/compose.yml.j2

@@ -2,8 +2,6 @@
 
 networks:
   {{ helpers.default_network(197) | indent(2) }}
-  traefik_traefik:
-    external: true
 
 services:
   jellyfin:
@@ -14,9 +12,6 @@ services:
     restart: unless-stopped
     env_file:
       - .env.jellyfin
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/jellyfin/config:/config
       - {{ base_volume_path }}/jellyfin/cache:/cache

roles/alpina/templates/apps/minecruft/.env.minecruft.j2

@@ -0,0 +1,25 @@
+EULA=true
+
+CF_API_KEY="{{ minecruft_cf_api_key }}"
+TYPE=AUTO_CURSEFORGE
+CF_PAGE_URL=https://www.curseforge.com/minecraft/modpacks/create-arcane-engineering/files/4852034
+CF_EXCLUDE_MODS=591711
+CURSEFORGE_FILES=https://www.curseforge.com/minecraft/mc-mods/simple-voice-chat/files/7011546
+
+MEMORY=16G
+ENABLE_ROLLING_LOGS=true
+#TZ=America/New_York
+
+OVERRIDE_SERVER_PROPERTIES=true
+DIFFICULTY=normal
+MAX_TICK_TIME=-1
+ALLOW_FLIGHT=true
+OPS=Litoprobka,CaZzzer
+VIEW_DISTANCE=12
+MAX_PLAYERS=16
+PVP=false
+LEVEL_TYPE=normal
+LEVEL_SEED=133769
+MOTD="Remember the Cavendish"
+ONLINE_MODE=false
+SPAWN_PROTECTION=0

roles/alpina/templates/apps/minecruft/compose.yml.j2

@@ -0,0 +1,13 @@
+services:
+  minecruft:
+    image: itzg/minecraft-server:java17-alpine
+    container_name: minecruft
+    ports:
+      - 25565:25565
+      - 25565:25565/udp
+      - 24454:24454/udp
+    restart: unless-stopped
+    env_file: .env.minecruft
+    volumes:
+      - {{ base_volume_path }}/minecruft/data:/data
+      - {{ base_volume_path }}/minecruft/downloads:/downloads

roles/alpina/templates/apps/nextcloud/.env.j2

@@ -1 +0,0 @@
-NEXTCLOUD_VERSION=30-apache

roles/alpina/templates/apps/nextcloud/compose.yml.j2

@@ -2,13 +2,10 @@
 
 networks:
   {{ helpers.default_network(198) | indent(2) }}
-  traefik_traefik:
-    external: true
-
 
 services:
   app:
-    image: nextcloud:${NEXTCLOUD_VERSION}
+    image: &nextcloud_image nextcloud:stable-apache
     container_name: nextcloud_app
     labels:
       - {{ helpers.traefik_labels('nc', port='80') | indent(6) }}
@@ -18,40 +15,28 @@ services:
       - redis
     env_file:
       - .env.nextcloud
-    networks:
-      - default
     volumes:
       - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
       - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
       - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
 
   cron:
-    image: nextcloud:${NEXTCLOUD_VERSION}
+    image: *nextcloud_image
     container_name: nextcloud_cron
     restart: unless-stopped
     depends_on:
       - app
     entrypoint: /cron.sh
-    networks:
-      - default
     volumes:
       - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
       - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
       - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
 
   notify_push:
-    image: nextcloud:${NEXTCLOUD_VERSION}
+    image: *nextcloud_image
     container_name: nextcloud_notify_push
-    {# TODO: Refactor this and minio -#}
     labels:
-      - traefik.enable=true
+      - {{ helpers.traefik_labels('nc', port='7867', path_prefix='/push') | indent(6) }}
-      - traefik.http.routers.nc-notify.rule=Host(`nc.{{ domain }}`) && PathPrefix(`/push`)
-      - traefik.http.routers.nc-notify.entrypoints=websecure
-      - traefik.http.routers.nc-notify.tls=true
-      - traefik.http.routers.nc-notify.tls.certresolver=letsencrypt
-      - traefik.http.routers.nc-notify.tls.domains.0.main={{ domain }}
-      - traefik.http.routers.nc-notify.tls.domains.0.sans=*.{{ domain }}
-      - traefik.http.services.nc-notify.loadbalancer.server.port=7867
     restart: unless-stopped
     user: www-data
     env_file:
@@ -68,8 +53,6 @@ services:
     restart: unless-stopped
     env_file:
       - .env.db
-    networks:
-      - default
     volumes:
       - {{ base_volume_path }}/nextcloud/db:/var/lib/postgresql/data
 
@@ -79,8 +62,6 @@ services:
     restart: unless-stopped
     env_file:
       - .env.redis
-    networks:
-      - default
     command:
       - sh
       - -c

roles/alpina/templates/apps/pgrok/compose.yml.j2

@@ -0,0 +1,31 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(194) | indent(2) }}
+
+#  https://github.com/pgrok/pgrok/blob/main/docs/admin/docker.md#docker-compose
+services:
+  server:
+    image: ghcr.io/pgrok/pgrokd:latest
+    container_name: pgrok_server
+    labels:
+      - {{ helpers.traefik_labels('pgrok', port='3320') | indent(6) }}
+      - {{ helpers.traefik_labels('pgrok', port='3000', wildcard=true) | indent(6) }}
+    restart: unless-stopped
+    volumes:
+      - ./pgrokd.yml:/var/opt/pgrokd/pgrokd.yml
+    ports:
+      - "2222:2222"
+    depends_on:
+      - db
+
+  db:
+    image: postgres:17-alpine
+    container_name: pgrok_db
+    restart: unless-stopped
+    volumes:
+      - {{ base_volume_path }}/pgrok/postgres:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: pgrok
+      POSTGRES_USER: pgrok
+      POSTGRES_PASSWORD: "{{ pgrok_db_password }}"

roles/alpina/templates/apps/pgrok/pgrokd.yml.j2

@@ -0,0 +1,29 @@
+external_url: "https://pgrok.{{ domain }}"
+web:
+  port: 3320
+proxy:
+  port: 3000
+  scheme: https
+  domain: "pgrok.{{ domain }}"
+sshd:
+  port: 2222
+
+database:
+  host: db
+  port: 5432
+  user: pgrok
+  password: "{{ pgrok_db_password }}"
+  database: pgrok
+
+identity_provider:
+  type: oidc
+  display_name: Authentik
+  issuer: "https://auth.{{ domain }}/application/o/pgrok/"
+  client_id: "pgrok"
+  client_secret: "{{ auth_pgrok_client_secret }}"
+  field_mapping:
+    identifier: "preferred_username"
+    display_name: "name"
+    email: "email"
+# # The required domain name, "field_mapping.email" is required to set for this to work.
+  #  required_domain: "example.com"

roles/alpina/templates/apps/syncthing/compose.yml.j2

@@ -0,0 +1,16 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(193) | indent(2) }}
+
+services:
+  syncthing:
+    image: linuxserver/syncthing
+    container_name: syncthing
+    labels:
+      - {{ helpers.traefik_labels('sync', port='8384', auth=true) | indent(6) }}
+    restart: unless-stopped
+    network_mode: host
+    volumes:
+      - {{ base_volume_path }}/syncthing/config:/config
+      - {{ base_volume_path }}/syncthing/data:/data

roles/alpina/templates/apps/vpgen/.env.vpgen.j2

@@ -0,0 +1,29 @@
+DATABASE_URL=file:/data/vpgen.db
+
+PUBLIC_AUTH_AUTHENTIK_ENABLE=1
+AUTH_AUTHENTIK_REQUIRE_INVITE=0
+AUTH_AUTHENTIK_DOMAIN="auth.{{ domain }}"
+AUTH_AUTHENTIK_CLIENT_ID=vpgen
+AUTH_AUTHENTIK_CLIENT_SECRET="{{ auth_vpgen_client_secret }}"
+
+PUBLIC_AUTH_GOOGLE_ENABLE=1
+AUTH_GOOGLE_REQUIRE_INVITE=1
+AUTH_GOOGLE_CLIENT_ID="{{ google_consumer_key }}"
+AUTH_GOOGLE_CLIENT_SECRET="{{ google_consumer_secret }}"
+
+AUTH_INVITE_TOKEN="{{ vpgen_auth_invite_token }}"
+
+OPNSENSE_API_URL={{ vpgen_opnsense_api_url }}
+OPNSENSE_API_KEY={{ vpgen_opnsense_api_key }}
+OPNSENSE_API_SECRET={{ vpgen_opnsense_api_secret }}
+OPNSENSE_WG_IFNAME={{ vpgen_opnsense_wg_ifname }}
+
+IPV4_STARTING_ADDR={{ vpgen_ipv4_starting_addr }}
+IPV6_STARTING_ADDR={{ vpgen_ipv6_starting_addr }}
+IPV6_CLIENT_PREFIX_SIZE={{ vpgen_ipv6_client_prefix_size }}
+IP_MAX_INDEX={{ vpgen_ip_max_index }}
+VPN_ENDPOINT={{ vpgen_vpn_endpoint }}
+VPN_DNS={{ vpgen_vpn_dns }}
+MAX_CLIENTS_PER_USER={{ vpgen_max_clients_per_user }}
+
+ORIGIN=https://vpgen.{{ domain }}

roles/alpina/templates/apps/vpgen/compose.yml.j2

@@ -0,0 +1,16 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(196) | indent(2) }}
+
+services:
+  vpgen:
+    image: gitea.cazzzer.com/cazzzer/vpgen:develop
+    container_name: vpgen
+    labels:
+      - {{ helpers.traefik_labels('vpgen', port='3000') | indent(6) }}
+    restart: unless-stopped
+    env_file:
+      - .env.vpgen
+    volumes:
+      - {{ base_volume_path }}/vpgen:/data

roles/alpina/templates/apps/woodpecker/compose.yml.j2

@@ -0,0 +1,35 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(195) | indent(2) }}
+
+services:
+  woodpecker-server:
+    image: woodpeckerci/woodpecker-server:v3
+    container_name: woodpecker_server
+    labels:
+      - {{ helpers.traefik_labels('woodpecker', port='8000') | indent(6) }}
+    restart: unless-stopped
+    volumes:
+      - {{ base_volume_path }}/woodpecker/data:/var/lib/woodpecker
+    environment:
+      - WOODPECKER_OPEN=true
+      - WOODPECKER_HOST=https://woodpecker.{{ domain }}
+      - WOODPECKER_GITEA=true
+      - WOODPECKER_GITEA_URL=https://gitea.{{ domain }}
+      - WOODPECKER_GITEA_CLIENT={{ woodpecker_gitea_client_id }}
+      - WOODPECKER_GITEA_SECRET={{ woodpecker_gitea_client_secret }}
+      - WOODPECKER_AGENT_SECRET={{ woodpecker_agent_secret }}
+
+  woodpecker-agent:
+    image: woodpeckerci/woodpecker-agent:v3
+    container_name: woodpecker_agent
+    restart: unless-stopped
+    depends_on:
+      - woodpecker-server
+    volumes:
+      - {{ base_volume_path }}/woodpecker/agent_config:/etc/woodpecker
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WOODPECKER_SERVER=woodpecker-server:9000
+      - WOODPECKER_AGENT_SECRET={{ woodpecker_agent_secret }}

roles/alpina/templates/services/authentik/blueprints/alpina-enrollment-internal.yaml.j2

@@ -0,0 +1,225 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Enrollment by Invitation (Internal)
+entries:
+  # Flow for internal enrollment by invitation
+  - identifiers:
+      slug: enrollment-internal-invitation-flow
+    model: authentik_flows.flow
+    id: flow
+    attrs:
+      name: Alpina Enrollment Flow
+      title: Sign Up
+      designation: enrollment
+      authentication: require_unauthenticated
+
+  # Prompt fields
+  - identifiers:
+      name: alpina-enrollment-field-name
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-name
+    attrs:
+      field_key: name
+      label: Name
+      type: text
+      required: true
+      placeholder: Name
+      placeholder_expression: false
+      order: 0
+  - identifiers:
+      name: alpina-enrollment-field-password
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password
+    attrs:
+      field_key: password
+      label: Password
+      type: password
+      required: true
+      placeholder: Password
+      placeholder_expression: false
+      order: 1
+  - identifiers:
+      name: alpina-enrollment-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password-repeat
+    attrs:
+      field_key: password_repeat
+      label: Password (repeat)
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      placeholder_expression: false
+      order: 2
+
+  # Flow stages
+  - identifiers:
+      name: alpina-enrollment-invitation
+    model: authentik_stages_invitation.invitationstage
+    id: enrollment-invitation
+  - identifiers:
+      name: alpina-enrollment-identification-oauth
+    model: authentik_stages_identification.identificationstage
+    id: enrollment-identification-oauth
+    attrs:
+      user_fields:
+        - email
+      pretend_user_exists: true
+      show_matched_user: false
+      sources:
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github-enrollment]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, google-enrollment]]
+  - identifiers:
+      name: alpina-enrollment-deny-existing-email
+    model: authentik_stages_deny.denystage
+    id: enrollment-deny-existing-email
+    attrs:
+      deny_message: "An account with this email already exists"
+  - identifiers:
+      name: alpina-enrollment-prompt-name-password
+    model: authentik_stages_prompt.promptstage
+    id: enrollment-prompt-name-password
+    attrs:
+      fields:
+        - !KeyOf prompt-field-name
+        - !KeyOf prompt-field-password
+        - !KeyOf prompt-field-password-repeat
+      validation_policies:
+        - !Find [authentik_policies_password.passwordpolicy, [name, default-password-change-password-policy]]
+  - identifiers:
+      name: alpina-enrollment-user-write
+    model: authentik_stages_user_write.userwritestage
+    id: enrollment-user-write
+    attrs:
+      user_type: internal
+      create_users_group: !Find [authentik_core.group, [name, {{ auth_default_enrollment_group }}]]
+  - identifiers:
+      name: alpina-enrollment-email-verify
+    model: authentik_stages_email.emailstage
+    id: enrollment-email-verify
+    attrs:
+      use_global_settings: true
+      template: email/account_confirmation.html
+      activate_user_on_success: true
+  - identifiers:
+      name: alpina-enrollment-user-login
+    model: authentik_stages_user_login.userloginstage
+    id: enrollment-user-login
+
+  # Policies
+  - identifiers:
+      name: alpina-enrollment-invited-used-policy
+    model: authentik_policies_event_matcher.eventmatcherpolicy
+    id: enrollment-invited-used-policy
+    attrs:
+      action: invitation_used
+  - identifiers:
+      name: alpina-enrollment-unique-email-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: enrollment-unique-email-policy
+    attrs:
+      expression: |
+        # https://docs.goauthentik.io/docs/customize/policies/expression/unique_email
+        from authentik.core.models import User
+        email = request.context["flow_plan"].context["pending_user"].email
+
+        if User.objects.filter(email=email).exists():
+          ak_message("Email address in use")
+          return False
+
+        if request.context["flow_plan"].context.get("prompt_data") is None:
+          request.context["flow_plan"].context["prompt_data"] = {}
+
+        request.context["flow_plan"].context["prompt_data"]["email"] = email
+        request.context["flow_plan"].context["prompt_data"]["username"] = email
+        return True
+
+  - identifiers:
+      name: alpina-enrollment-user-write-add-groups-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: enrollment-user-write-add-groups-policy
+    attrs:
+        expression: |
+          # https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/stages/user_write
+          from authentik.core.models import Group
+          ak_logger.info("Adding groups", request=request, prompt_data=request.context["prompt_data"], invitation=request.context.get("invitation"))
+
+          requested_groups = request.context["prompt_data"].get("alpina_add_groups")
+          if requested_groups is None:
+            return True
+
+          groups = []
+          for group_name in requested_groups:
+            group, _ = Group.objects.get_or_create(name=group_name)
+            groups.append(group)
+
+          # ["groups"] *must* be set to an array of Group objects, names alone are not enough.
+          request.context["flow_plan"].context["groups"] = groups
+          return True
+
+  # Flow stage bindings
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-invitation
+      order: 0
+    model: authentik_flows.flowstagebinding
+    id: enrollment-invitation-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-identification-oauth
+      order: 1
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-deny-existing-email
+      order: 2
+    model: authentik_flows.flowstagebinding
+    id: enrollment-deny-existing-email-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-prompt-name-password
+      order: 10
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-user-write
+      order: 20
+    model: authentik_flows.flowstagebinding
+    id: enrollment-user-write-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-email-verify
+      order: 30
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-user-login
+      order: 100
+    model: authentik_flows.flowstagebinding
+
+  # Stage policy bindings
+  # Log used invitations
+  - identifiers:
+      target: !KeyOf enrollment-invitation-binding
+      policy: !KeyOf enrollment-invited-used-policy
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: true
+  # Deny existing email addresses
+  - identifiers:
+      target: !KeyOf enrollment-deny-existing-email-binding
+      policy: !KeyOf enrollment-unique-email-policy
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: true
+  # Add groups to user from invitation "alpina_add_groups" field
+  # This only work for email sign up, as the invitation flow context isn't
+  # preserved for the default-source-enrollment flow
+  - identifiers:
+      target: !KeyOf enrollment-user-write-binding
+      policy: !KeyOf enrollment-user-write-add-groups-policy
+      order: 0
+    model: authentik_policies.policybinding

roles/alpina/templates/services/authentik/blueprints/alpina-groups.yaml.j2

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Groups
+entries:
+  - identifiers:
+      name: "admins"
+    model: authentik_core.group
+    id: "admins"
+    attrs:
+      is_superuser: true
+
+  - identifiers:
+      name: "users"
+    model: authentik_core.group
+    id: "users"
+
+  - identifiers:
+      name: "arrstack"
+    model: authentik_core.group
+    id: "arrstack"
+    attrs:
+      arrstack_username: "arr"
+      arrstack_password: "{{ arrstack_password }}"
+
+  - identifiers:
+      scope_name: "minio"
+    model: authentik_providers_oauth2.scopemapping
+    id: "scope-minio"
+    attrs:
+      name: "Minio Policy"
+      expression: |
+        policy = "default"
+        if ak_is_group_member(request.user, name="admins"):
+            policy = "consoleAdmin"
+
+        return {
+          "policy": policy,
+        }
+
+  - identifiers:
+      name: "vpgen"
+    model: authentik_core.group
+    id: "vpgen"

roles/alpina/templates/services/authentik/blueprints/alpina-oauth-sources.yaml.j2

@@ -0,0 +1,79 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - External OAuth
+entries:
+  {% set sources = {
+    "GitHub": {
+      "provider_type": "github",
+      "consumer_key": github_consumer_key,
+      "consumer_secret": github_consumer_secret,
+    },
+    "Google": {
+      "provider_type": "google",
+      "consumer_key": google_consumer_key,
+      "consumer_secret": google_consumer_secret,
+    },
+  } -%}
+  {% for source in sources.keys() -%}
+  - identifiers:
+      slug: {{ source | lower }}-auth
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      provider_type: {{ sources[source]["provider_type"] }}
+      name: {{ source }} (Auth Only)
+      consumer_key: {{ sources[source]["consumer_key"] }}
+      consumer_secret: {{ sources[source]["consumer_secret"] }}
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+  - identifiers:
+      slug: {{ source | lower }}-enrollment
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      provider_type: {{ sources[source]["provider_type"] }}
+      name: {{ source }} (Auth and Enrollment)
+      consumer_key: {{ sources[source]["consumer_key"] }}
+      consumer_secret: {{ sources[source]["consumer_secret"] }}
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+      enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]]
+  {% endfor %}
+
+  # Modify default source enrollment to use email as username
+  - identifiers:
+      slug: default-source-enrollment
+    model: authentik_flows.flow
+    id: source-enrollment-flow
+    attrs:
+      policy_engine_mode: all
+  - identifiers:
+      name: alpina-email-as-username-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: email-as-username-policy
+    attrs:
+      expression: |
+        # https://docs.goauthentik.io/docs/users-sources/sources/social-logins/google/#username-mapping
+        email = request.context["prompt_data"].get("email")
+        # Direct set username to email
+        request.context["prompt_data"]["username"] = email
+        # Set username to email without domain
+        # request.context["prompt_data"]["username"] = email.split("@")[0]
+        return True
+  - identifiers:
+      policy: !KeyOf email-as-username-policy
+      target: !KeyOf source-enrollment-flow
+    model: authentik_policies.policybinding
+    attrs:
+      order: 0
+
+  # Modify default source enrollment to create internal users
+  # with the internal user type and the users group
+  - identifiers:
+      name: default-source-enrollment-write
+    model: authentik_stages_user_write.userwritestage
+    attrs:
+      user_type: internal
+      create_users_group: !Find [authentik_core.group, [name, {{ auth_default_enrollment_group }}]]

roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2

@@ -5,46 +5,94 @@ metadata:
   name: Alpina - OAuth2 Apps
 entries:
   {% set apps = {
+    "Grafana": {
+      "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
+      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+      "client_secret": auth_grafana_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Minio": {
+      "redirect_uri": "https://minio."~ domain ~"/oauth_callback",
+      "icon": "https://minio."~ domain ~"/logo192.png",
+      "client_secret": auth_minio_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
     "Gitea": {
-      "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
       "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+      "client_secret": auth_gitea_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
     },
     "Nextcloud": {
-      "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
       "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+      "client_secret": auth_nextcloud_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
+    },
+    "VPGen": {
+      "redirect_uri": "https://vpgen."~ domain ~"/auth/authentik/callback",
+      "icon": "https://vpgen."~ domain ~"/favicon.png",
+      "client_secret": auth_vpgen_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users", "vpgen"],
+    },
+    "Pgrok": {
+      "redirect_uri": "https://pgrok."~ domain ~"/-/oidc/callback",
+      "icon": "https://pgrok."~ domain ~"/pgrok.svg",
+      "client_secret": auth_pgrok_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
     },
   } -%}
   {% for app in apps.keys() -%}
   - identifiers:
       name: {{ app }}
     model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
+    id: {{ app }}
     attrs:
-      access_code_validity: minutes=1
-      access_token_validity: minutes=5
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
       client_type: confidential
-      issuer_mode: per_provider
+      client_id: {{ app | lower }}
-      sub_mode: hashed_user_id
+      client_secret: {{ apps[app]["client_secret"] }}
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
+        {% if app == "Minio" -%}
-      refresh_token_validity: days=30
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
+        {%- endif %}
+
+      redirect_uris:
+        - matching_mode: strict
+          url: {{ apps[app]["redirect_uri"] }}
+      # Necessary for JWKS to be generated correctly
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
 
   - identifiers:
       slug: {{ app | lower }}
     model: authentik_core.application
-    id: {{ app | lower }}
+    id: app-{{ app }}
     attrs:
       name: {{ app }}
-      group: "Apps"
+      group: "{{ apps[app]["ui_group"] }}"
       meta_description: "Hello, I'm {{ app }}!"
       meta_publisher: Alpina
       icon: "{{ apps[app]["icon"] }}"
       open_in_new_tab: true
-      policy_engine_mode: any
+      provider: !KeyOf {{ app }}
-      provider: !KeyOf {{ app | lower }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
   {% endfor %}

roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2

@@ -4,61 +4,54 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Alpina - Proxied Apps
 entries:
-  - identifiers:
+  # TODO: Possibly refactor this into a jinja macro (?)
-      name: arrstack
-    model: authentik_core.group
-    id: arrstack
-    attrs:
-      arrstack_username: "arr"
-      arrstack_password: "{{ arrstack_password }}"
-
-  # TODO: Probably refactor this into a jinja macro
   {% set apps = {
-    "uptime-kuma": {
+    "Uptime Kuma": {
       "host": "uptime",
-      "name": "Uptime Kuma",
       "icon": "https://uptime."~ domain ~"/icon.svg",
       "unauthenticated_paths": "^/icon.svg$",
-      "group": "Services",
+      "ui_group": "Services",
-      "create_admin_group": true,
+      "allowed_for_groups": ["admins"],
     },
-    "qbit": {
+    "Syncthing": {
+      "host": "sync",
+      "icon": "https://sync."~ domain ~"/assets/img/favicon-default.png",
+      "unauthenticated_paths": "^/assets/img/favicon-default.png$",
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins"],
+    },
+    "qBit": {
       "host": "qbit",
-      "name": "qBit",
       "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
       "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
-      "group": "Arrstack",
+      "ui_group": "Arrstack",
-      "create_admin_group": false,
+      "allowed_for_groups": ["arrstack"],
     },
-    "prowlarr": {
+    "Prowlarr": {
       "host": "prowlarr",
-      "name": "Prowlarr",
       "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
       "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
+      "ui_group": "Arrstack",
-      "create_admin_group": false,
+      "allowed_for_groups": ["arrstack"],
     },
-    "sonarr": {
+    "Sonarr": {
       "host": "sonarr",
-      "name": "Sonarr",
       "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
       "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
+      "ui_group": "Arrstack",
-      "create_admin_group": false,
+      "allowed_for_groups": ["arrstack"],
     },
-    "radarr": {
+    "Radarr": {
       "host": "radarr",
-      "name": "Radarr",
       "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
       "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
+      "ui_group": "Arrstack",
-      "create_admin_group": false,
+      "allowed_for_groups": ["arrstack"],
     },
   } -%}
-
   {% for app in apps.keys() -%}
   - identifiers:
-      name: {{ apps[app]["name"] }}
+      name: {{ app }}
     model: authentik_providers_proxy.proxyprovider
     id: {{ app }}
     attrs:
@@ -68,39 +61,26 @@ entries:
       skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"
 
   - identifiers:
-      slug: {{ app }}
+      slug: {{ app | lower | replace(" ", "-") }}
     model: authentik_core.application
+    id: app-{{ app }}
     attrs:
-      name: {{ apps[app]["name"] }}
+      name: {{ app }}
-      group: {{ apps[app]["group"] }}
+      group: {{ apps[app]["ui_group"] }}
-      meta_description: "Hello, I'm {{ apps[app]["name"] }}!"
+      meta_description: "Hello, I'm {{ app }}!"
       meta_publisher: Alpina
       icon: "{{ apps[app]["icon"] }}"
       open_in_new_tab: true
       provider: !KeyOf {{ app }}
 
-  {% if apps[app]["create_admin_group"] -%}
+  {% for group in apps[app]["allowed_for_groups"] -%}
   - identifiers:
-      name: "{{ apps[app]["name"] }} Admins"
+      group: !Find [authentik_core.group, [name, {{ group }}]]
-    model: authentik_core.group
+      target: !KeyOf app-{{ app }}
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [ slug, {{ app }}] ]
     model: authentik_policies.policybinding
     attrs:
-      order: 0
+      order: 10
-  {% endif %}
+  {% endfor %}
-
-  {% if apps[app]["group"] == "Arrstack" -%}
-  - identifiers:
-      group: !KeyOf arrstack
-      target: !Find [authentik_core.application, [slug, {{ app }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-  {% endif %}
 
   {% endfor %}
 

roles/alpina/templates/services/authentik/blueprints/default-authentication.yaml.j2

@@ -48,7 +48,8 @@ entries:
       passwordless_flow: !Find [authentik_flows.flow, [slug, authentication-passwordless-flow]]
       sources:
         - !Find [authentik_core.source, [slug, authentik-built-in]]
-        - !Find [authentik_sources_oauth.oauthsource, [slug, github]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github-auth]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, google-auth]]
 
     # Enable compatibility mode for the default authentication flow for better autofill support
   - identifiers:

roles/alpina/templates/services/authentik/blueprints/github-oauth.yaml.j2

@@ -1,25 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - GitHub OAuth
-entries:
-  - identifiers:
-      slug: github
-    model: authentik_sources_oauth.oauthsource
-    attrs:
-      name: GitHub
-      slug: github
-      access_token_url: https://github.com/login/oauth/access_token
-      additional_scopes: openid read:org
-      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
-      authorization_url: https://github.com/login/oauth/authorize
-      consumer_key: {{ github_consumer_key }}
-      consumer_secret: {{ github_consumer_secret }}
-      enabled: true
-      enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]]
-      policy_engine_mode: any
-      profile_url: https://api.github.com/user
-      provider_type: github
-      user_matching_mode: email_link
-      user_path_template: goauthentik.io/sources/%(slug)s

roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2

@@ -1,56 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - OAuth2 Services
-entries:
-  {% set apps = {
-    "Grafana": {
-      "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
-      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
-      "client_secret": auth_grafana_client_secret,
-    },
-  } -%}
-  # TODO: Add Minio
-
-  {% for app in apps.keys() -%}
-  - identifiers:
-      name: {{ app }}
-    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
-    attrs:
-      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-      client_type: confidential
-      client_id: {{ app | lower }}
-      client_secret: {{ apps[app]["client_secret"] }}
-      property_mappings:
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-
-  - identifiers:
-      slug: {{ app | lower }}
-    model: authentik_core.application
-    attrs:
-      name: {{ app }}
-      group: "Services"
-      meta_description: "Hello, I'm {{ app }}!"
-      meta_publisher: Alpina
-      icon: "{{ apps[app]["icon"] }}"
-      open_in_new_tab: true
-      provider: !KeyOf {{ app | lower }}
-
-  - identifiers:
-      name: "{{ app }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-
-  {% endfor %}

roles/alpina/templates/services/authentik/compose.yml.j2

@@ -2,8 +2,6 @@
 
 networks:
   {{ helpers.default_network(253) | indent(2) }}
-  traefik_traefik:
-    external: true
 
 services:
   server:
@@ -17,13 +15,11 @@ services:
     restart: unless-stopped
     # Port forward is needed because traefik can't resolve the container name from the host network
     ports:
-      - "9000:9000"
+      - "127.0.0.1:9000:9000"
+      - "[::1]:9000:9000"
     command: server
     env_file:
       - .env.authentik
-    networks:
-      - default
-      - traefik_traefik
 
   worker:
     image: ghcr.io/goauthentik/server:latest

roles/alpina/templates/services/minio/.env.minio.j2

@@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
 MINIO_SERVER_URL=https://s3.{{ domain }}
 MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}
 
-#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
+# https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
-#MINIO_IDENTITY_OPENID_CLIENT_ID=
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
-#MINIO_IDENTITY_OPENID_CLIENT_SECRET=
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
-#MINIO_IDENTITY_OPENID_CLAIM_NAME=
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
-#MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
+# defaults to "policy"
-#MINIO_IDENTITY_OPENID_SCOPES=
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
-#MINIO_IDENTITY_OPENID_REDIRECT_URI=
+MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
+# no need to specify scopes,
+# as it defaults to the ones advertised at the discovery url
+#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
+#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
+#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
 #MINIO_IDENTITY_OPENID_COMMENT=

roles/alpina/templates/services/minio/compose.yml.j2

@@ -0,0 +1,19 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(252) | indent(2) }}
+
+services:
+  minio:
+    image: minio/minio:latest
+    container_name: minio
+    labels:
+      - {{ helpers.traefik_labels('minio', port='9090') | indent(6) }}
+      - {{ helpers.traefik_labels('s3', port='9000') | indent(6) }}
+      - {{ helpers.traefik_labels('s3', port='9000', wildcard=true) | indent(6) }}
+    restart: unless-stopped
+    command: server --console-address ":9090" /data
+    env_file:
+      - .env.minio
+    volumes:
+      - {{ base_volume_path }}/minio/data:/data

roles/alpina/templates/services/minio/docker-compose.yml.j2

@@ -1,32 +0,0 @@
-{% import 'contrib/compose_helpers.j2' as helpers with context %}
-
-networks:
-  {{ helpers.default_network(252) | indent(2) }}
-  traefik_traefik:
-    external: true
-
-services:
-  minio:
-    image: minio/minio:latest
-    container_name: minio
-    labels:
-      - {{ helpers.traefik_labels('minio', port='9090') | indent(6) }}
-      - traefik.http.routers.minio.service=minio
-      - traefik.http.routers.minio-tls.service=minio
-      - traefik.http.routers.minio-s3.rule=Host(`s3.{{ domain }}`) || HostRegexp(`^.+[.]s3[.]{{ domain }}`)
-      - traefik.http.routers.minio-s3.entrypoints=websecure
-      - traefik.http.routers.minio-s3.tls=true
-      - traefik.http.routers.minio-s3.tls.certresolver=letsencrypt
-      - traefik.http.routers.minio-s3.tls.domains.0.main=s3.{{ domain }}
-      - traefik.http.routers.minio-s3.tls.domains.0.sans=*.s3.{{ domain }}
-      - traefik.http.routers.minio-s3.service=minio-s3
-      - traefik.http.services.minio-s3.loadbalancer.server.port=9000
-    restart: unless-stopped
-    command: server --console-address ":9090" /data
-    env_file:
-      - .env.minio
-    networks:
-      - default
-      - traefik_traefik
-    volumes:
-      - {{ base_volume_path }}/minio/data:/data

roles/alpina/templates/services/monitoring/compose.yml.j2

@@ -2,8 +2,6 @@
 
 networks:
   {{ helpers.default_network(251) | indent(2) }}
-  traefik_traefik:
-    external: true
 
 services:
   grafana:
@@ -17,9 +15,6 @@ services:
     restart: unless-stopped
     # Needed to make config files readable (not anymore, TODO: remove)
     user: "{{ remote_uid }}"
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/monitoring/grafana:/var/lib/grafana
       - ./grafana_config/grafana.ini:/etc/grafana/grafana.ini:ro
@@ -27,7 +22,7 @@ services:
 {#      - ./grafana_config:/etc/grafana:ro#}
 
   loki:
-    image: grafana/loki:latest
+    image: grafana/loki:3.5
     container_name: loki
     restart: unless-stopped
     # Needed to make config files readable (not anymore, TODO: remove)
@@ -36,7 +31,8 @@ services:
       - -config.file=/etc/loki/loki-config.yaml
     # Port forward is needed because not possible to resolve the container name from the host network
     ports:
-      - 3100:3100
+      - "127.0.0.1:3100:3100"
+      - "[::1]:3100:3100"
     volumes:
       - {{ base_volume_path }}/monitoring/loki:/loki
       - ./loki_config:/etc/loki:ro
@@ -44,7 +40,7 @@ services:
       - /tmp/loki
 
   promtail:
-    image: grafana/promtail:latest
+    image: grafana/promtail:3.5
     container_name: promtail
     restart: unless-stopped
     command:
@@ -103,9 +99,6 @@ services:
     restart: unless-stopped
     env_file:
       - .env.influxdb
-    networks:
-      - default
-      - traefik_traefik
     volumes:
       - {{ base_volume_path }}/monitoring/influxdb:/var/lib/influxdb2
 

roles/alpina/templates/services/monitoring/grafana_config/dashboards/common.py

@@ -1,27 +1,81 @@
-from grafanalib.core import Template
+from attrs import define
+from grafanalib.core import Template, TimeSeries, Dashboard, HIDE_VARIABLE, Target
 
-# TODO: consider default params for common params like line width, show points, tooltip
+CONF_SUPPORT_LOKI = True
+CONF_SUPPORT_ZFS = True
 
-PrometheusTemplate = Template(
+CONF_DATASOURCE_VAR_PROM = 'prom_datasource'
-    name='datasource',
+CONF_DATASOURCE_VAR_LOKI = 'loki_datasource'
+
+prom_datasource = f'${{{CONF_DATASOURCE_VAR_PROM}}}'
+loki_datasource = f'${{{CONF_DATASOURCE_VAR_LOKI}}}'
+
+prom_template = Template(
+    name=CONF_DATASOURCE_VAR_PROM,
     type='datasource',
     label='Prometheus',
     query='prometheus',
+    hide=HIDE_VARIABLE,
 )
 
-# TODO: this slightly less (clown emoji), normal Target gave me errors in grafana
+loki_template = Template(
+    name=CONF_DATASOURCE_VAR_LOKI,
+    type='datasource',
+    label='Loki',
+    query='loki',
+    hide=HIDE_VARIABLE,
+)
+
+
+@define
+class MyDashboard(Dashboard):
+    """Wrapper class for Dashboard with some default values"""
+    timezone: str = 'browser'
+    sharedCrosshair: bool = True
+
+
+@define
+class MyTimeSeries(TimeSeries):
+    """Wrapper class for TimeSeries with some default values and custom fields"""
+    fillOpacity: int = 10
+    lineWidth: int = 1
+    showPoints: str = 'never'
+    tooltipMode: str = 'multi'
+    maxDataPoints: int = None
+
+    # new fields
+    axisCenteredZero: bool = False
+
+    def to_json_data(self):
+        data = super().to_json_data()
+        data['fieldConfig']['defaults']['custom']['axisCenteredZero'] = self.axisCenteredZero
+        return data
+
+
+@define
+class PromTarget(Target):
+    """Wrapper class for Target with default prometheus datasource"""
+    datasource: str = prom_datasource
+
+
+@define
 class LokiTarget(object):
-    def __init__(self, loki_datasource, expr, legendFormat, refId):
+    """Custom class for Loki Target, because normal Target gave errors in grafana"""
-        self.loki_datasource = loki_datasource
+    expr: str
-        self.expr = expr
+    legendFormat: str
-        self.legendFormat = legendFormat
+    datasource: str = loki_datasource
-        self.refId = refId
+    refId: str = None
+    queryType: str = 'range'
 
     def to_json_data(self):
         return {
-            'datasource': self.loki_datasource,
+            'datasource': self.datasource,
             'expr': self.expr,
             'legendFormat': self.legendFormat,
             'refId': self.refId,
-            'queryType': 'range',
+            'queryType': self.queryType,
         }
+
+
+def filter_none(l: list):
+    return [i for i in l if i is not None]

roles/alpina/templates/services/monitoring/grafana_config/dashboards/containers.dashboard.py

@@ -1,16 +1,10 @@
-from grafanalib.core import (
+from grafanalib.core import GridPos, Templating, Template, Logs
-    Dashboard, TimeSeries,
-    Target, GridPos,
-    Templating, Template, REFRESH_ON_TIME_RANGE_CHANGE, Logs
-)
 from grafanalib.formatunits import BYTES_IEC, SECONDS, BYTES_SEC_IEC
 
-from common import LokiTarget, PrometheusTemplate
+from common import LokiTarget, prom_template, loki_template, MyTimeSeries, MyDashboard, CONF_SUPPORT_LOKI, filter_none, \
+    prom_datasource, PromTarget
 
-prom_datasource='${datasource}'
+dashboard = MyDashboard(
-loki_datasource='loki'
-
-dashboard = Dashboard(
     title='Containers',
     uid='containers',
     description='Data for compose projects from default Prometheus datasource collected by Cadvisor',
@@ -18,8 +12,9 @@ dashboard = Dashboard(
         'linux',
         'docker',
     ],
-    templating=Templating(list=[
+    templating=Templating(list=filter_none([
-        PrometheusTemplate,
+        prom_template,
+        loki_template if CONF_SUPPORT_LOKI else None,
         Template(
             name='compose_project',
             label='Compose Project',
@@ -27,7 +22,6 @@ dashboard = Dashboard(
             query='label_values({__name__=~"container.*"}, container_label_com_docker_compose_project)',
             includeAll=True,
             multi=True,
-            refresh=REFRESH_ON_TIME_RANGE_CHANGE,
         ),
         Template(
             name='container_name',
@@ -36,7 +30,6 @@ dashboard = Dashboard(
             query='label_values({__name__=~"container.*", container_label_com_docker_compose_project=~"$compose_project"}, name)',
             includeAll=True,
             multi=True,
-            refresh=REFRESH_ON_TIME_RANGE_CHANGE,
         ),
         Template(
             name='logs_query',
@@ -44,67 +37,48 @@ dashboard = Dashboard(
             query='',
             type='textbox',
         ),
-    ]),
+    ])),
-    timezone='browser',
+    panels=filter_none([
-    panels=[
+        MyTimeSeries(
-        TimeSeries(
             title='Container Memory Usage',
             unit=BYTES_IEC,
             gridPos=GridPos(h=8, w=12, x=0, y=0),
-            lineWidth=2,
-            fillOpacity=10,
-            showPoints='never',
-            stacking={'mode': 'normal'},
-            tooltipMode='all',
             tooltipSort='desc',
+            stacking={'mode': 'normal'},
             targets=[
-                Target(
+                PromTarget(
-                    datasource=prom_datasource,
                     expr='max by (name) (container_memory_usage_bytes{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"})',
                     legendFormat='{{ name }}',
-                    refId='A',
                 ),
             ],
         ),
-        TimeSeries(
+        MyTimeSeries(
             title='Container CPU Usage',
             unit=SECONDS,
             gridPos=GridPos(h=8, w=12, x=12, y=0),
-            lineWidth=2,
-            fillOpacity=10,
-            showPoints='never',
-            tooltipMode='all',
             tooltipSort='desc',
+            stacking={'mode': 'normal'},
             targets=[
-                Target(
+                PromTarget(
-                    datasource=prom_datasource,
+                    expr='max by (name) (irate(container_cpu_usage_seconds_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
-                    expr='max by (name) (rate(container_cpu_usage_seconds_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
                     legendFormat='{{ name }}',
-                    refId='A',
                 ),
             ],
         ),
-        TimeSeries(
+        MyTimeSeries(
             title='Container Network Traffic',
             unit=BYTES_SEC_IEC,
             gridPos=GridPos(h=8, w=12, x=0, y=8),
-            lineWidth=2,
-            fillOpacity=10,
-            showPoints='never',
-            tooltipMode='all',
             tooltipSort='desc',
+            axisCenteredZero=True,
             targets=[
-                Target(
+                PromTarget(
-                    datasource=prom_datasource,
+                    expr='max by (name) (irate(container_network_receive_bytes_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
-                    expr='max by (name) (rate(container_network_receive_bytes_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
                     legendFormat="rx {{ name }}",
-                    refId='A',
                 ),
-                Target(
+                PromTarget(
-                    datasource=prom_datasource,
+                    expr='-max by (name) (irate(container_network_transmit_bytes_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
-                    expr='-max by (name) (rate(container_network_transmit_bytes_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
                     legendFormat="tx {{ name }}",
-                    refId='B',
                 ),
             ],
         ),
@@ -118,12 +92,10 @@ dashboard = Dashboard(
             dedupStrategy='numbers',
             targets=[
                 LokiTarget(
-                    loki_datasource=loki_datasource,
                     expr='{compose_project=~"$compose_project", container_name=~"$container_name"} |= `$logs_query`',
                     legendFormat='{{ container_name }}',
-                    refId='A',
-                ),
-            ],
                 ),
             ],
+        ) if CONF_SUPPORT_LOKI else None,
+    ]),
 ).auto_panel_ids()

roles/alpina/templates/services/monitoring/grafana_config/dashboards/node.dashboard.py

@@ -1,139 +1,159 @@
-from grafanalib.core import Dashboard, Templating, Template, TimeSeries, PERCENT_UNIT_FORMAT, GridPos, Target
+from grafanalib.core import Templating, Template, GridPos
-from grafanalib.formatunits import BYTES_IEC
+from grafanalib.formatunits import BYTES_IEC, BITS_SEC, PERCENT_UNIT
 
-from common import PrometheusTemplate
+from common import prom_template, MyTimeSeries, MyDashboard, CONF_SUPPORT_ZFS, PromTarget, prom_datasource
-from node_consts import CPU_BASIC_COLORS, MEMORY_BASIC_COLORS
 
-dashboard = Dashboard(
+dashboard = MyDashboard(
     title='Node Exporter',
     uid='node',
     description='Node Exporter (not quite full)',
     tags=[
         'linux',
     ],
-    timezone='browser',
     templating=Templating(list=[
         # Datasource
-        PrometheusTemplate,
+        prom_template,
         # Job
         Template(
             name='job',
             label='Job',
-            dataSource='${datasource}',
+            dataSource=prom_datasource,
             query='label_values(node_uname_info, job)',
         ),
         # Instance
         Template(
             name='instance',
             label='Instance',
-            dataSource='${datasource}',
+            dataSource=prom_datasource,
             query='label_values(node_uname_info{job="$job"}, instance)',
         ),
     ]),
     panels=[
         # CPU Basic
-        TimeSeries(
+        MyTimeSeries(
             title='CPU Basic',
             description='Basic CPU usage info',
-            unit=PERCENT_UNIT_FORMAT,
+            unit=PERCENT_UNIT,
             gridPos=GridPos(h=8, w=12, x=0, y=0),
-            lineWidth=1,
+            stacking={'mode': 'percent'},
-            fillOpacity=30,
-            showPoints='never',
-            stacking={'mode': 'percent', 'group': 'A'},
-            tooltipMode='all',
-            tooltipSort='desc',
             targets=[
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="system"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
                     legendFormat='Busy System',
-                    refId='A',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="user"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
                     legendFormat='Busy User',
-                    refId='B',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="iowait"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
                     legendFormat='Busy Iowait',
-                    refId='C',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode=~".*irq"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
                     legendFormat='Busy IRQs',
-                    refId='D',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job",  mode!="idle",mode!="user",mode!="system",mode!="iowait",mode!="irq",mode!="softirq"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
                     legendFormat='Busy Other',
-                    refId='E',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="idle"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
                     legendFormat='Idle',
-                    refId='F',
                 ),
             ],
-            # Extra JSON for the colors
-            extraJson=CPU_BASIC_COLORS,
         ),
         # Memory Basic
-        TimeSeries(
+        MyTimeSeries(
             title='Memory Basic',
             description='Basic memory usage',
             unit=BYTES_IEC,
             gridPos=GridPos(h=8, w=12, x=12, y=0),
-            lineWidth=1,
+            stacking={'mode': 'normal'},
-            fillOpacity=30,
+            valueMin=0,
-            showPoints='never',
-            stacking={'mode': 'normal', 'group': 'A'},
-            tooltipMode='all',
-            tooltipSort='desc',
             targets=[
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='node_memory_MemTotal_bytes{instance="$instance",job="$job"}',
                     format='time_series',
                     legendFormat='RAM Total',
-                    refId='A',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='node_memory_MemTotal_bytes{instance="$instance",job="$job"} - node_memory_MemFree_bytes{instance="$instance",job="$job"} - (node_memory_Cached_bytes{instance="$instance",job="$job"} + node_memory_Buffers_bytes{instance="$instance",job="$job"} + node_memory_SReclaimable_bytes{instance="$instance",job="$job"})',
                     format='time_series',
                     legendFormat='RAM Used',
-                    refId='B',
+                    hide=CONF_SUPPORT_ZFS,
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
+                    expr='node_memory_MemTotal_bytes{instance="$instance",job="$job"} - node_memory_MemFree_bytes{instance="$instance",job="$job"} - (node_memory_Cached_bytes{instance="$instance",job="$job"} + node_memory_Buffers_bytes{instance="$instance",job="$job"} + node_memory_SReclaimable_bytes{instance="$instance",job="$job"}) - node_zfs_arc_size{instance="$instance",job="$job"}',
+                    format='time_series',
+                    legendFormat='RAM Used',
+                    hide=not CONF_SUPPORT_ZFS,
+                ),
+                PromTarget(
                     expr='node_memory_Cached_bytes{instance="$instance",job="$job"} + node_memory_Buffers_bytes{instance="$instance",job="$job"} + node_memory_SReclaimable_bytes{instance="$instance",job="$job"}',
                     legendFormat='RAM Cache + Buffer',
-                    refId='C',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
+                    expr='node_zfs_arc_size{instance="$instance",job="$job"}',
+                    legendFormat='ZFS Arc',
+                    hide=not CONF_SUPPORT_ZFS,
+                ),
+                PromTarget(
                     expr='node_memory_MemFree_bytes{instance="$instance",job="$job"}',
                     legendFormat='RAM Free',
-                    refId='D',
                 ),
-                Target(
+                PromTarget(
-                    datasource='${datasource}',
                     expr='(node_memory_SwapTotal_bytes{instance="$instance",job="$job"} - node_memory_SwapFree_bytes{instance="$instance",job="$job"})',
                     legendFormat='SWAP Used',
-                    refId='E',
                 ),
             ],
-            # Extra JSON for the colors
+            overrides=[
-            extraJson=MEMORY_BASIC_COLORS,
+                # Prevent total memory from being stacked
+                {
+                    'matcher': {
+                        'id': 'byName',
+                        'options': 'RAM Total'
+                    },
+                    'properties': [
+                        {
+                            'id': 'custom.stacking',
+                            'value': {'mode': 'none'}
+                        }
+                    ]
+                },
+            ],
+        ),
+        # Network Traffic Basic
+        MyTimeSeries(
+            title='Network Traffic Basic',
+            description='Basic network usage info per interface',
+            unit=BITS_SEC,
+            gridPos=GridPos(h=8, w=12, x=0, y=8),
+            tooltipSort='desc',
+            axisCenteredZero=True,
+            targets=[
+                PromTarget(
+                    expr='irate(node_network_receive_bytes_total{instance="$instance",job="$job"}[$__rate_interval]) * 8',
+                    legendFormat='rx {{ device }}',
+                ),
+                PromTarget(
+                    expr='-irate(node_network_transmit_bytes_total{instance="$instance",job="$job"}[$__rate_interval]) * 8',
+                    legendFormat='tx {{ device }}',
+                ),
+            ],
+        ),
+        # Disk Space Basic
+        MyTimeSeries(
+            title='Disk Space Used Basic',
+            description='Disk space used of all filesystems mounted',
+            unit=PERCENT_UNIT,
+            gridPos=GridPos(h=8, w=12, x=12, y=8),
+            targets=[
+                PromTarget(
+                    expr='1 - (node_filesystem_avail_bytes{instance="$instance",job="$job",device!~"rootfs"} / node_filesystem_size_bytes{instance="$instance",job="$job",device!~"rootfs"})',
+                    legendFormat='{{ mountpoint }}',
+                ),
+            ],
         ),
-        # TODO: Network Basic
-        # TODO: Disk Basic
     ],
 ).auto_panel_ids()

roles/alpina/templates/services/monitoring/grafana_config/dashboards/node_consts.py

@@ -1,487 +0,0 @@
-# TODO: Question life decisions (I'm not sure if this is good)
-
-CPU_BASIC_COLORS = {
-    "fieldConfig": {
-        "overrides": [
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Busy Iowait"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#890F02",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Idle"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#052B51",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Busy Iowait"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#890F02",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Idle"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#7EB26D",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Busy System"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#EAB839",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Busy User"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#0A437C",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Busy Other"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#6D1F62",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            }
-        ]
-    },
-}
-
-MEMORY_BASIC_COLORS = {
-    "fieldConfig": {
-        "overrides": [
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Apps"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#629E51",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Buffers"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#614D93",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Cache"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#6D1F62",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Cached"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#511749",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Committed"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#508642",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Free"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#0A437C",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Hardware Corrupted - Amount of RAM that the kernel identified as corrupted / not working"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#CFFAFF",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Inactive"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#584477",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "PageTables"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#0A50A1",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Page_Tables"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#0A50A1",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "RAM_Free"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#E0F9D7",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "SWAP Used"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#BF1B00",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Slab"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#806EB7",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Slab_Cache"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#E0752D",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Swap"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#BF1B00",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Swap Used"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#BF1B00",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Swap_Cache"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#C15C17",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Swap_Free"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#2F575E",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Unused"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#EAB839",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "RAM Total"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#E0F9D7",
-                            "mode": "fixed"
-                        }
-                    },
-                    {
-                        "id": "custom.fillOpacity",
-                        "value": 0
-                    },
-                    {
-                        "id": "custom.stacking",
-                        "value": {
-                            "group": False,
-                            "mode": "normal"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "RAM Cache + Buffer"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#052B51",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "RAM Free"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#7EB26D",
-                            "mode": "fixed"
-                        }
-                    }
-                ]
-            },
-            {
-                "matcher": {
-                    "id": "byName",
-                    "options": "Available"
-                },
-                "properties": [
-                    {
-                        "id": "color",
-                        "value": {
-                            "fixedColor": "#DEDAF7",
-                            "mode": "fixed"
-                        }
-                    },
-                    {
-                        "id": "custom.fillOpacity",
-                        "value": 0
-                    },
-                    {
-                        "id": "custom.stacking",
-                        "value": {
-                            "group": False,
-                            "mode": "normal"
-                        }
-                    }
-                ]
-            }
-        ]
-    }
-}

roles/alpina/templates/services/monitoring/grafana_config/grafana.ini.j2

@@ -31,4 +31,4 @@ name_attribute_path = name
 
 # Optionally map user groups to Grafana roles
 allow_assign_grafana_admin = true
-role_attribute_path = contains(groups[*], 'Grafana Admins') && 'GrafanaAdmin' || 'Viewer'
+role_attribute_path = contains(groups[*], 'admins') && 'GrafanaAdmin' || 'Viewer'

roles/alpina/templates/services/traefik/compose.yml.j2

@@ -1,18 +1,11 @@
 {% import 'contrib/compose_helpers.j2' as helpers with context %}
 
 networks:
-  traefik:
+  {{ helpers.default_network(254) | indent(2) }}
-    internal: true
-    enable_ipv6: true
-    ipam:
-      config:
-        # TODO: Consider removing traefik network, it shouldn't be needed with host networking
-        - subnet: {{ traefik_subnet }}/24
-        - subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, 255) }}
 
 services:
   traefik:
-    image: traefik:v3.0
+    image: traefik:v3.5
     container_name: traefik
     restart: unless-stopped
     env_file:
@@ -23,14 +16,10 @@ services:
       - ./rules:/rules:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - {{ base_volume_path }}/traefik/rules:/rules/extra:ro
-      - {{ base_volume_path }}/traefik/logs:/logs
       - {{ base_volume_path }}/traefik/acme:/acme
 
-  # This is mostly just so that the traefik network gets created
   whoami:
     image: containous/whoami
     container_name: whoami
     labels:
-      - {{ helpers.traefik_labels('whoami', port=80) | indent(6) }}
+      - {{ helpers.traefik_labels('whoami', port='80') | indent(6) }}
-    networks:
-      - traefik

roles/alpina/templates/services/traefik/traefik.yml.j2

@@ -2,11 +2,8 @@ api:
   insecure: true
 
 log:
-  filePath: /logs/traefik.log
   level: INFO
 accessLog:
-  filePath: /logs/access.log
-  bufferingSize: 100
 
 entryPoints:
   web:
@@ -15,6 +12,16 @@ entryPoints:
     address: ":443"
     http3:
       advertisedPort: 443
+    forwardedHeaders:
+      trustedIPs:
+        # https://www.cloudflare.com/ips-v6
+        - 2400:cb00::/32
+        - 2606:4700::/32
+        - 2803:f800::/32
+        - 2405:b500::/32
+        - 2405:8100::/32
+        - 2a06:98c0::/29
+        - 2c0f:f248::/32
   metrics:
     address: ":8082"
 
@@ -39,7 +46,6 @@ certificatesResolvers:
 providers:
   docker:
     exposedByDefault: false
-    network: traefik_traefik
   file:
     directory: /rules
     watch: true

roles/clean/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Get list of running Docker containers
+  docker_host_info:
+    containers: yes
+  register: docker_container_list
+
+- name: Stop all running Docker containers
+  docker_container:
+    name: "{{ item }}"
+    state: stopped
+  loop: "{{ docker_container_list.containers | map(attribute='Id') | list }}"
+  async: 300
+  poll: 0
+
+- name: Prune all Docker containers and networks
+  docker_prune:
+    containers: yes
+    networks: yes
+
+- name: Clean alpina directory
+  file:
+    path: "{{ alpina_svc_path }}"
+    state: absent

roles/common/tasks/main.yml

@@ -32,7 +32,7 @@
     state: enabled
     immediate: yes
 
-- name: Allow Web
+- name: Disallow Web
   become: yes
   firewalld:
     service: http
@@ -64,6 +64,46 @@
     state: enabled
     immediate: yes
 
+- name: Allow 2222 tcp for pgrok ssh tunnel
+  become: yes
+  firewalld:
+    port: 2222/tcp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow Syncthing
+  become: yes
+  firewalld:
+    service: syncthing
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow 25565 tcp for minecruft
+  become: yes
+  firewalld:
+    port: 25565/tcp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow 25565 udp for minecruft
+  become: yes
+  firewalld:
+    port: 25565/udp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow 24454 udp for minecruft voice chat
+  become: yes
+  firewalld:
+    port: 24454/udp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
 - name: Reboot if needed
   become: yes
   ansible.builtin.reboot:

roles/docker_host/tasks/main.yml

@@ -1,12 +1,5 @@
-- name: Get IPv6 subnet for Docker
+- name: IPv6 subnet for Docker
-  set_fact:
+  debug:
-    docker_ipv6_subnet: "{{ \
-      ansible_default_ipv6.address \
-      | ansible.utils.ipsubnet(64) \
-      | ansible.utils.ipsubnet(72, docker_ipv6_index) \
-    }}"
-
-- debug:
     var: docker_ipv6_subnet
 
 - name: Configure Docker daemon
@@ -35,33 +28,6 @@
     state: disabled
   register: docker0_firewalld
 
-- name: Get list of running Docker containers
-  docker_host_info:
-    containers: yes
-  register: docker_container_list
-  when: clean_desired is true
-
-- name: Stop all running Docker containers
-  docker_container:
-    name: "{{ item }}"
-    state: stopped
-  loop: "{{ docker_container_list.containers | map(attribute='Id') | list }}"
-  async: 300
-  poll: 0
-  when: clean_desired is true and docker_container_list.containers | length > 0
-
-- name: Prune all Docker containers and networks
-  docker_prune:
-    containers: yes
-    networks: yes
-  when: clean_desired is true
-
-- name: Clean alpina directory
-  file:
-    path: "{{ alpina_svc_path }}"
-    state: absent
-  when: clean_desired is true
-
 - name: Restart Docker daemon
   become: yes
   service:

services.yml

@@ -1,6 +1,5 @@
 - hosts: alpina
   roles:
-    - docker_host
     - alpina
   post_tasks:
     - name: Docker prune objects

site.yml

@@ -1,12 +1,4 @@
-- hosts: all
+- hosts: alpina
   roles:
     - common
-  pre_tasks:
+    - docker_host
-  - name: Set fact for clean desired of docker objects and compose files
-    set_fact:
-      # clean_desired_arg is an extra variable passed to the playbook
-      clean_desired: "{{ clean_desired_arg | bool }}"
-
-
-- name: Install services
-  import_playbook: services.yml