monitoring: revert loki version to 3.5

Possible to add it back with a proper database, but all-in-one keeps everything in memory.

.idea/alpina.iml

@@ -4,7 +4,7 @@
     <content url="file://$MODULE_DIR$">
       <excludeFolder url="file://$MODULE_DIR$/venv" />
     </content>
-    <orderEntry type="inheritedJdk" />
+    <orderEntry type="jdk" jdkName="Poetry (alpina)" jdkType="Python SDK" />
     <orderEntry type="sourceFolder" forTests="false" />
   </component>
   <component name="PyDocumentationSettings">
@@ -23,9 +23,8 @@
     <option name="TEMPLATE_CONFIGURATION" value="Jinja2" />
     <option name="TEMPLATE_FOLDERS">
       <list>
-        <option value="$MODULE_DIR$/roles/traefik/templates" />
-        <option value="$MODULE_DIR$/roles/gitea/templates" />
-        <option value="$MODULE_DIR$/roles/nextcloud/templates" />
+        <option value="$MODULE_DIR$/roles/docker_host/templates" />
+        <option value="$MODULE_DIR$/roles/alpina/templates" />
       </list>
     </option>
   </component>

.idea/jsonSchemas.xml

@@ -3,6 +3,58 @@
   <component name="JsonSchemaMappingsProjectConfiguration">
     <state>
       <map>
+        <entry key="Ansible Tasks File">
+          <value>
+            <SchemaInfo>
+              <option name="name" value="Ansible Tasks File" />
+              <option name="relativePathToSchema" value="https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/ansible.json#/$defs/tasks" />
+              <option name="applicationDefined" value="true" />
+              <option name="patterns">
+                <list>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/tasks/*.yml" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                </list>
+              </option>
+            </SchemaInfo>
+          </value>
+        </entry>
+        <entry key="Authentik Blueprint">
+          <value>
+            <SchemaInfo>
+              <option name="generatedName" value="New Schema" />
+              <option name="name" value="Authentik Blueprint" />
+              <option name="relativePathToSchema" value="https://goauthentik.io/blueprints/schema.json" />
+              <option name="patterns">
+                <list>
+                  <Item>
+                    <option name="directory" value="true" />
+                    <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
+                    <option name="mappingKind" value="Directory" />
+                  </Item>
+                </list>
+              </option>
+            </SchemaInfo>
+          </value>
+        </entry>
+        <entry key="Loki">
+          <value>
+            <SchemaInfo>
+              <option name="name" value="Loki" />
+              <option name="relativePathToSchema" value="https://json.schemastore.org/loki.json" />
+              <option name="applicationDefined" value="true" />
+              <option name="patterns">
+                <list>
+                  <Item>
+                    <option name="path" value="roles/alpina/templates/services/monitoring/loki_config/loki-config.yaml.j2" />
+                  </Item>
+                </list>
+              </option>
+            </SchemaInfo>
+          </value>
+        </entry>
         <entry key="Traefik v2">
           <value>
             <SchemaInfo>
@@ -12,7 +64,86 @@
               <option name="patterns">
                 <list>
                   <Item>
-                    <option name="path" value="roles/traefik/templates/traefik.yml.j2" />
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/traefik.yml.j2" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                </list>
+              </option>
+            </SchemaInfo>
+          </value>
+        </entry>
+        <entry key="Traefik v2 File Provider">
+          <value>
+            <SchemaInfo>
+              <option name="generatedName" value="New Schema" />
+              <option name="name" value="Traefik v2 File Provider" />
+              <option name="relativePathToSchema" value="https://json.schemastore.org/traefik-v2-file-provider.json" />
+              <option name="patterns">
+                <list>
+                  <Item>
+                    <option name="path" value="file://$APPLICATION_CONFIG_DIR$/scratches/scratch.yml" />
+                  </Item>
+                  <Item>
+                    <option name="path" value="file://$APPLICATION_CONFIG_DIR$/scratches/scratch_1.yml" />
+                  </Item>
+                  <Item>
+                    <option name="path" value="file:///run/user/1000/kio-fuse-kipURF/sftp/root@debbi.lab.home/mnt/dock/traefik/rules/hello-world.yml" />
+                  </Item>
+                  <Item>
+                    <option name="path" value="roles/alpina/templates/services/traefik/rules/traefik-dash.yml.j2" />
+                  </Item>
+                </list>
+              </option>
+            </SchemaInfo>
+          </value>
+        </entry>
+        <entry key="docker-compose.yml">
+          <value>
+            <SchemaInfo>
+              <option name="name" value="docker-compose.yml" />
+              <option name="relativePathToSchema" value="https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json" />
+              <option name="applicationDefined" value="true" />
+              <option name="patterns">
+                <list>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/compose.yml" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/compose.yml.j2" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/docker-compose.yml" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                  <Item>
+                    <option name="pattern" value="true" />
+                    <option name="path" value="*/docker-compose.yml.j2" />
+                    <option name="mappingKind" value="Pattern" />
+                  </Item>
+                </list>
+              </option>
+            </SchemaInfo>
+          </value>
+        </entry>
+        <entry key="prometheus.json">
+          <value>
+            <SchemaInfo>
+              <option name="name" value="prometheus.json" />
+              <option name="relativePathToSchema" value="https://json.schemastore.org/prometheus.json" />
+              <option name="applicationDefined" value="true" />
+              <option name="patterns">
+                <list>
+                  <Item>
+                    <option name="path" value="roles/alpina/collections/services/monitoring/templates/prometheus_config/prometheus.yml.j2" />
+                  </Item>
+                  <Item>
+                    <option name="path" value="roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2" />
                   </Item>
                 </list>
               </option>

.idea/misc.xml

@@ -1,4 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
-  <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.10 (alpina)" project-jdk-type="Python SDK" />
+  <component name="Black">
+    <option name="sdkName" value="Poetry (alpina) (2)" />
+  </component>
+  <component name="ProjectRootManager" version="2" project-jdk-name="Poetry (alpina)" project-jdk-type="Python SDK" />
 </project>

Makefile

@@ -0,0 +1,23 @@
+.POSIX:
+.PHONY: *
+.EXPORT_ALL_VARIABLES:
+MAKEFLAGS += -r # no use of built-in rules
+
+env ?= staging
+vault_id ?= alpina@contrib/rbw-client.sh
+
+playbook_cmd := poetry run ansible-playbook --vault-id ${vault_id} -i inventories/${env}
+
+all: site services
+
+setup:
+	poetry install --quiet
+
+site: setup
+	 $(playbook_cmd) site.yml
+
+services: setup
+	$(playbook_cmd) services.yml
+
+clean: setup
+	$(playbook_cmd) clean.yml

README.md

@@ -0,0 +1,75 @@
+# Alpina
+
+A home for configuring all of my homelab containers on a Debian Linux machine.
+This assumes a Debian Linux machine with Docker and Docker Compose installed.
+
+My particular setup is based on a [jailmaker](https://github.com/Jip-Hop/jailmaker) container
+running on top of TrueNAS SCALE, separating all the docker stuff from the appliance.
+
+# Notes
+
+## Monitoring
+The monitoring stack is set up to monitor all the containers and the host.
+
+This is a work in progress, Grafana is set up with grafanalib, a Python library that generates Grafana dashboards.
+The dashboards are generated from Python scripts in 
+[grafana_config/dashboards](roles/alpina/templates/services/monitoring/grafana_config/dashboards).
+
+This requires a custom grafana image, which is built from the 
+[Dockerfile](roles/alpina/templates/services/monitoring/Dockerfile).
+
+This also means it has to be manually rebuilt whenever the dashboards are updated.
+From the services/monitoring directory, run:
+```bash
+docker compose up -d --build --force-recreate grafana
+```
+
+## IPv6
+The current configuration is designed to work with IPv6. 
+However, because of how (not properly) I'm doing the subnetting 
+from the host's network, NDP doesn't work.
+This means that container IPs are not accessible from other hosts on the local network.
+I simply have a static route on my router to the container subnet, 
+that uses the IP of this host as the gateway.
+
+This is a limitation of my current ISP, I only have a single /64 subnet for my lab network.
+I'd like to get a /56 or /48, perhaps using Hurricane Electric's tunnel broker.
+*Sigh* ISPs being stingy with the 2^48 prefixes they're afraid of running out of.
+
+## Upgrading Postgres
+Upgrading the postgres container for a given stack requires a dump and restore.
+
+After making a snapshot or backup of postgres data directory,
+in the compose directory for a given stack, run the following commands:
+```bash
+docker compose down
+docker compose up -d <db_service>
+docker compose exec -it <db_service> pg_dumpall -U <db_user> | tee /tmp/dump.sql
+docker compose down
+
+rm -r <postgres_data_dir>/*  # as root
+# Edit the docker-compose.yml file to use the new postgres image
+docker compose up -d <db_service>
+# For some reason, compose exec doesn't like the input redirection
+docker exec -i <db_container_name> psql -U <db_user> < /tmp/dump.sql
+docker compose up -d
+rm /tmp/dump.sql
+```
+
+Additionally, if upgrading from postgres <= 13, it is necessary to upgrade the
+password hashes. This can be done by running the following command:
+```bash
+docker compose exec -it <db_service> psql -U <db_user> -c "\password"
+```
+
+## Nextcloud
+Nextcloud requires some additional work to set up notify_push.
+
+- Initially, comment out the notify_push service in the docker compose.
+- Set up nextcloud and install the Client Push (notify_push) app.
+- Uncomment the notify_push service in the docker compose and `up -d` the stack.
+- ```bash
+  docker compose exec app ./occ notify_push:setup https://nc.<domain>/push
+  ```
+
+I should probably get around to automating this at some point.

clean.yml

@@ -0,0 +1,3 @@
+- hosts: alpina
+  roles:
+    - clean

contrib/compose_helpers.j2

@@ -0,0 +1,43 @@
+{% macro default_network(subnet_index) %}
+default:
+  enable_ipv6: true
+  ipam:
+    config:
+      - subnet: {{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, subnet_index) }}
+{% endmacro %}
+
+{% macro traefik_labels(host, port='', path_prefix='', auth=false, wildcard=false) %}
+{% set name = host ~ (wildcard * '-*') ~ path_prefix -%}
+{% set tls_base = domain %}
+{% if wildcard -%}
+  {% set tls_base = host ~ '.' ~ domain %}
+{%- endif -%}
+
+traefik.enable=true
+- traefik.http.routers.r-{{ name }}.rule={{ host_rule(host, path_prefix, wildcard) }}
+- traefik.http.routers.r-{{ name }}.entrypoints=websecure
+- traefik.http.routers.r-{{ name }}.tls=true
+- traefik.http.routers.r-{{ name }}.tls.certresolver=letsencrypt
+- traefik.http.routers.r-{{ name }}.tls.domains.0.main={{ tls_base }}
+- traefik.http.routers.r-{{ name }}.tls.domains.0.sans=*.{{ tls_base }}
+{% if port -%}
+- traefik.http.routers.r-{{ name }}.service=svc-{{ name }}
+- traefik.http.services.svc-{{ name }}.loadbalancer.server.port={{ port }}
+{% endif %}
+{% if auth -%}
+- traefik.http.routers.r-{{ name }}.middlewares=authentik@docker
+{% endif %}
+{% endmacro %}
+
+{% macro host_rule(host, path_prefix="", wildcard=false) %}
+{% if wildcard %}
+{# regular a.host prevents warnings from 'No domain found in rule HostRegexp' #}
+{# TODO: figure out this stupidity properly #}
+Host(`a.{{ host }}.{{ domain }}`) || HostRegexp(`^.+\.{{ host }}\.{{ domain | replace('.', '\.') }}$`)
+{%- else %}
+Host(`{{ host }}.{{ domain }}`)
+{%- endif %}
+{% if path_prefix -%}
+ && PathPrefix(`{{ path_prefix }}`)
+{%- endif %}
+{% endmacro %}

group_vars/alpina/vars.yml

@@ -0,0 +1,77 @@
+# Shared variables between environments
+
+---
+alpina_svc_path: ~/alpina
+base_volume_path: /mnt/dock
+media_volume_path: /mnt/media
+
+docker_ipv6_subnet: "{{ \
+          ansible_default_ipv6.address \
+          | ansible.utils.ipsubnet(64) \
+          | ansible.utils.ipsubnet(72, docker_ipv6_index) \
+        }}"
+
+# Authentik
+authentik_db_password: "{{ vault_authentik_db_password }}"
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
+authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
+
+auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
+auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
+auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
+arrstack_password: "{{ vault_arrstack_password }}"
+auth_vpgen_client_secret: "{{ vault_auth_vpgen_client_secret }}"
+auth_pgrok_client_secret: "{{ vault_auth_pgrok_client_secret }}"
+
+auth_default_enrollment_group: vpgen
+
+# Minio
+minio_password: "{{ vault_minio_password }}"
+
+# Monitoring
+influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
+influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
+
+# Traefik
+acme_email: "{{ vault_acme_email }}"
+cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
+
+# Arrstack
+wg_peer_pubkey: "{{ vault_wg_peer_pubkey }}"
+vpn_server_names: "{{ vault_vpn_server_names }}"
+
+# Gitea
+gitea_db_password: "{{ vault_gitea_db_password }}"
+gitea_sendgrid_api_key: "{{ vault_gitea_sendgrid_api_key }}"
+## Security
+secret_key: "{{ vault_secret_key }}"
+internal_token: "{{ vault_internal_token }}"
+jwt_secret: "{{ vault_jwt_secret }}"
+
+# Jellyfin
+
+# Nextcloud
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
+redis_password: "{{ vault_redis_password }}"
+nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}"
+
+# VPGen
+vpgen_auth_invite_token: "{{ vault_vpgen_auth_invite_token }}"
+
+vpgen_opnsense_api_url: https://opnsense.cazzzer.com
+vpgen_opnsense_api_key: "{{ vault_vpgen_opnsense_api_key }}"
+vpgen_opnsense_api_secret: "{{ vault_vpgen_opnsense_api_secret }}"
+vpgen_opnsense_wg_ifname: wg2
+
+vpgen_ipv6_client_prefix_size: 112
+vpgen_ip_max_index: 100
+vpgen_vpn_endpoint: "{{ vault_vpgen_vpn_endpoint }}"
+vpgen_vpn_dns: "{{ vault_vpgen_vpn_dns }}"
+vpgen_max_clients_per_user: 20
+
+# Woodpecker
+woodpecker_agent_secret: "{{ vault_woopecker_agent_secret }}"
+
+# Pgrok
+pgrok_db_password: "{{ vault_pgrok_db_password }}"

group_vars/alpina/vault.yml

@@ -0,0 +1,158 @@
+$ANSIBLE_VAULT;1.1;AES256
+39313964356339363432393662666162343133633033316465636433323339323931303866646635
+3630663865626431396563346365363636383637626263620a633332623365643765386566356336
+65356439386565306461313863633835623031656136393039326366623137333536363836316563
+3062356431346539330a366534646239353934363137373662343862393365373835653530336166
+34613763626630316431326133366461363030663137366536393764356437323235343438326237
+36656234653363623836303863346233616661623135383130663930333365373733663134323234
+39666233643733653336386234613563656134396638373561323432313631633166386266323865
+66313630333332316662643434646465343861643461373631396538663763633263323738616330
+37316561663231366336383539306130396631643839383563643363623362376266356565363434
+31306634356162383839613464386664633237343461646132366439613563623732346362363534
+39636635396133336330373938366236646237393866316136663537363138636239636638386363
+37623131636133343062306139666666393566333665356566313530383033636534383132373765
+31303362303237623337323632373161306138353666633462386165633935626536396135363330
+62633233316664656166306438653039306564633336616661306366306634333734353866313765
+30386236643033303537336562643431306232656162663066643238353662303533616130303335
+61643436333063313164353366346564336366663431663636653334326262626635326264653938
+37393136336336656538366533626566366365313837383236653762653464666336353862313434
+64646431363462643839643937646537306433616565303466626530386366373934376665303638
+63653164623231636539643332356162353134646130626365393166373932386530313030336136
+30303138373432306665376432646664336461303564333535636463373232303661323336633536
+63366363393161613832356362356437666365333062303635363961343739373739343364646331
+63383131363430393331666331613965666239393865346234646632353962333531346239333333
+39643832386363353461366332366138366134333638666664383434353262376263386531346262
+36383365613764363135343765313863306135373062613362313761353165613166613966366363
+37616163643230343062336462666233666438643332343963666161333631663532653733376239
+37383335623337343761643936333264383766373137393964636138663362643064363666643130
+39636639646264303333623036373439636566346437643539656531303534376139613832396638
+37373736343538663062633132376164386635333038656338373037633033623238633035333130
+65316330393261326139373331386239636230376237386664386134663131343836393464646362
+39366434313034383561623664343530633165316438333830346330653730613264656661303061
+34393863306465373639306531643534366464393365373264316136653334356530376366303330
+31383137306439616362313861396633333430626463326531336533323038333336313337396338
+64636161333839366536643662653563613138633331316166333766666537386666616161313531
+62363666646635656233363962346333393861303165643130333435613436366131393463663162
+34623536316363643539663261373830316638383439326431373866646436616635303466343830
+33303362356166333338333265633366353538353135353933383939343562633433333337363564
+37366536343066326338313262313830623263356464323565373362356631303538646366373635
+31343861626636313530343964656133333031326634333434643037393436313833306133396563
+61333636646437623963666265666565623965386364376430666662336365363762316639343939
+66303164303161396463363265393966306636616231633838366437626162323465356430643333
+66663633353462646334663034373465343432626638383237383330313932663930663962656665
+62363133306632613062393830316135333965623963643337336638366236343533323832633564
+66643331623263393966343930613430646438386563646235363837376230373365346462633937
+37333431346363303630313265626533373662613332383236313736663534306132653635333464
+30643761613762353536613531326334336138323934393832393765613533666432616631396337
+36373261313236666365656563316330313061336664646230393931616264643864623263333132
+33336263663164343962383366333264633735383731613939383333343265366166346534326538
+31636136643466623037333334396162333435303062313861626435623134386432333065383865
+62343435396233376366656365303966633533633232303763616234396365306338326562363234
+65313437396534346661643365363533363133663133613733316331663364326131613464653133
+63386535366138636436616666613664663632376430623063343030393631386233346133373466
+39386436313566636662306438373932386232353865363736383962353864373132363564393133
+38343439313766323035363238336335333063323730396161303634313738663931316262613164
+61623939666263323563313131383064386632663132336234373132316430306431636535393663
+66653835396431626633616236666365333264306662333865663739623430656563393133393938
+37633665633961326162666232386338316432633139386233393834376533326333343435643562
+32353664383436633832356662326265613636636534346432356534303061633337313139323138
+66303064366636316537333735336232303964333139626161373138373765303464633835623333
+66623862343636343134363266666164666432393835316165333465363736643735643134636364
+65383037646633613564363436663235616530643631356462383337396437653437613933653739
+64396434343839393638363866386234393132396262363637643466333439656464326364393231
+39333635643165666331636230333931663561663532326338366136343832613862616466623132
+37653139343235656335336566356631663938646631626562363130393031346133326562656366
+38623633346632393263663536623131316662646130633533333431666162353834363537633631
+36643439313734396365633533303930626431376132656439393838306662363934663764373939
+65623136363239636161343162363265313036346332333864366363663933356264663935653762
+61306135366562613162616538303334626433633731613530613837323433306235393338613532
+35626366613535326363643864663863303734373435636664653931613462336332353334323365
+37616539343335386636306138656233396238636137636130663035336365653230666436663030
+63653136636162386630656538636338646531336335363737333062383138646538356137353837
+61306235303564653065653034633762653466376530653338383362613766313563636232613934
+63373466613136663035646134623335383037653231333035323036653264636161623766643332
+35323530386333333563373565356130393836343137656361316437343235343235623539333963
+36396565336233373433643466643330623434363261643933666332386536323332643466363135
+64353464386365313862323032363932656662376464323830326432313737336166373764303034
+66343664613839323731643463323239303138303234316564626438663031613763393532376531
+30333037386138306466313332346139363238323736656463633038323261363862666433663865
+34333464363637313362303863356236376531643161646632303265646337616532323039373562
+31316262643764353937336433343630396534653831376231626338643033353939363562636535
+62326634396538393564353531343461353137613932386531353362313262653363623633373131
+33353861373136663162383439616131303639313931616633333538363436353934636530303461
+30346237373331356335656632633632353735386433313934323031646339386631373838366331
+35303736373432343361643439316333386233633634393464343164633161643436306637336234
+62373136303263323133303839333438633038356161653839333139383633366333616363303766
+34313236306462366261336331306634373538316435623963313335383130653732323032663234
+65626131353839373137346166633164303462336234666230383664383139323036393732373531
+32653034326134626133313363613432663366373739653332376364636139666261353536303437
+33626332376361653930356261316162623134303135346235616165323632353538653661393261
+37373561616237353133646466313262633632383533656632633431643131333366306662653361
+39653066326564383461623035636136613035613962623131633734663262313532653366306530
+38366132323030346262366262363231303737646131633931363162383461333262316564383861
+32313537323637363163646335333566333463366265323438386230333765396334646436623234
+62653233306433643261373262376535616365363065346431333331653164306463643033333930
+34383533336536613233663630656561653034333134326563613538613134633038356265343839
+36303266303363666335323831613430373536346336333934643338373064646365386365316633
+37303565653565653334643463323137366137346538613632343131383235326339333235373562
+36326230333734373365376239306664616433373664343462383961366636383263333764646362
+32383463343130313931656436613235336561383165613737643835396264616262356431333564
+36313965323164393633653330366666393337363831653763343938653464383235623236343332
+30653034386136643961323034346262613566373534333464653235636164393931393131316662
+65656462623431613239336431313239343762643731663438323333613661343462633038333264
+31303435313431373461623564396336386131383565376162386439383562653036373262643662
+37326634646233326461633236336364356133383135326638623063313332616539353538663432
+31396135396430646635323335323666646265646339333838326261393963383331356334303630
+63313465356233363636336136356336366333636261613663663433343535323563663062626361
+35323161376466383966343963306237396362323736666331633235383832376364343037656433
+33326638396232396666393939303735636337313730363137663839393662613333393061386536
+35353132366432623336333331386234326139653435376261366631356538303562383034623338
+66353834633161313462663531623762356561393535656535613663393137663436313466633364
+33313533343633376638333339653834313231393131363866333961393639393665373638353930
+39653831613563313537333137323633613536363536613335363836336339613135346330626335
+63323038626462656435343431326663643332363962393863393461336334616637316462363538
+33333762393164396435646266376534363861633430643265646662626630643035396466363537
+63386233663130373335376334353630386662306563323736623265333230623136356664666639
+32316139386165623264616466353765613239313635653635343439666337656335393334323939
+66393331653266316330633535636534663436316235373231626664393565303161643730323537
+36373063326339326339653232323331663532653337343638653236306263313264323734303465
+33363239653634623630393961346139343230363135393830336139386130356239346430306238
+61616433343566393962656532333833363036373235386530303237653537363139373962386364
+32336231613362353131623263313539623330663632646135313038346161346135353233303965
+39356331626465613036376266376264396563373239333834336337383332646536346636623666
+31386536343964643433616638386161383935386165363230643131336439623835326136646161
+39343035383039396235653364396638656334396231323263636534633932386161616233343063
+61373462366235383564313762366334313137363636333732313663356233653133323537663331
+64636336663862303335316432393663653436313834323231663730623562373333346634303138
+31353662333139626133623564333863363565616466353266343737616163386432636631613136
+34313530383934336138336535373562636366653663383238376136376561306532383933336236
+62613361613539663030323832666430356138376236383335393538306131333061313339323163
+32313131383134663838393462343963623962613638656462356664303132386233363063316266
+35656635333861366435396638653934663935306230373962346633613431353461373933316435
+35373134643562616662656130396266613365326565666536653732333635346338643435376264
+65323237386565363431653930373137633330363764663063393335633638653036623732316464
+66373863303364333534316464636130633665383439626531383466313330393233663933666438
+36333535636562396361643564343534626436373961636261666135386635316331326164316565
+34386565636538633361613235303862303231343664363465373363306461356333363764356163
+65396533626238356331346434383435343135326135366235393862663861636361363032613266
+34633631653261653230396338363762376563613138303533653530636666313864303334626261
+34346436316564663632303634343837303065306530306662343062633738653635653164656465
+36393239373763666131343739303132616366353365636338333263326539343862623462653639
+64616430663033663162306335303230643131633763633635306464346431393237666536343130
+35366231386237666331383132373835616365316665353235623735363530626266366437326537
+32326230306562343830666135326464383834623461643465336131356332376235623735633232
+62663535303661376465303533306530636366356632626137353135336264356266366335396539
+31616661363065366136323061303764366332326362653036353562336561336166316664346661
+63303835626463303731376337366265653931343238316631333032656535376439313335326265
+62383761623437323862643035333832653065396439303738343336653961623563383964326338
+38613464653530373938333737316133353064356362323933383765363566343638303233616233
+63333039363063616464616465313166626262363030326565346461313034633432643232356336
+65306534366234333562333764653539333935613166313065646430343834653833386434613436
+62613033313632623236663731343533643864373139613739336135353833386438353461626336
+64336334646139633633656266633034373461656539633238383531356537396439363233633466
+64663639383166303261303864383137623236643934356665623537363839396565633863376639
+64376131356637333562663731393437653236393366303830323239643736386464326539636234
+61353939356465656465666263336232373733326331623831376539336438373265666135306134
+64303736346431633332633635633839663235373864323664343830393336376336633235373164
+64326335326664376530313838386266613632633764373430643663306434303263613234616438
+6230

group_vars/docker_hosts.yml

@@ -1,2 +0,0 @@
----
-my_svc_path: ~/services

inventories/prod/group_vars/all.yml

@@ -1 +0,0 @@
-domain: cazzzer.com

inventories/prod/group_vars/alpina/vars.yml

@@ -0,0 +1,26 @@
+# Environment specific variables (prod)
+
+---
+domain: cazzzer.com
+
+docker_ipv6_index: 255
+
+# Arrstack VPN
+wg_privkey: "{{ vault_wg_privkey }}"
+wg_psk: "{{ vault_wg_psk }}"
+wg_addresses: "{{ vault_wg_addresses }}"
+fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
+
+# Authentik External OAuth
+github_consumer_key: 32d5cae58d744c56fcc9
+github_consumer_secret: "{{ vault_github_consumer_secret }}"
+google_consumer_key: 606830535764-9vc8mjta87g9974pb7qasp82cpoc1d3a.apps.googleusercontent.com
+google_consumer_secret: "{{ vault_google_consumer_secret }}"
+
+# VPGen
+vpgen_ipv4_starting_addr: 10.18.11.100
+vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"
+
+# Woodpecker
+woodpecker_gitea_client_id: 3b7515f3-6005-4512-a2ee-5464dba315f8
+woodpecker_gitea_client_secret: "{{ vault_woodpecker_gitea_client_secret }}"

inventories/prod/group_vars/alpina/vault.yml

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+36313835643238353932323631323439626432316436346533376365633332313963666433313333
+6134633133636133623130376237373462383164396338380a316463396139653161366536636336
+64346664356538366538363239306631326464633635316161663963326635656430326637333963
+6462633236353132300a323062353639646238663737353461633733636530613036316364353864
+34326534376639643734303137613866393464306334336566653134333765356361386436323939
+35393535303635376162386266396431313739663961643061623037343463303637623130623131
+31653761616639613964386432643561376637316435333064343837636463303033333432636234
+39323735373161616133396566316266383165343033666530376333626264643531613334363634
+35393766623361346461333764666139366632306362613362376133363239656562346263643066
+65616538366532346537383432663766366161633234373562623531356339666661346164306563
+35343339386631383462656466303563376237386137346437323634626163353464356462346364
+35373061636237383335396231326563366230663566333665326338303564326263316630666233
+65303930663862313137333630353837363265333532303133306466643462626662613166326132
+66346439333739653965346236313766346532356233333164633538326135643662623533646561
+65626530386333303362343830653430653866336261623566616362313739303939656364656363
+37336331353766633534653936626139303061623531323362346564363665663438646533646166
+62376534653562373138656465666133353235313935626534383537643436376665613865303363
+62326562396361306131616363363866316232623635353663323537366563333239383636643763
+35623366663463303831323730363036306363643364303532326339353633393739306366396331
+33313230656431623462376135623438633164323064653866646165643263383832353138633931
+66306463346361646561376334613837383762366365666638643434383034376339643239646463
+66343461363233626635323535336462666339323032616136396239396534346434623238396330
+37653665643366323362313136386231396532323035363963623738346564356435303263303832
+37346532366432363638363330316464366361313461626535616165333433343835393565633766
+32663162386562373035333335303332323136613233613431386265626337653939326435396262
+61303631633838613962346663326232636438393563396230306361333335383462653432383766
+35376662353262303635316635363130383032366530396439613861653037383234363831333562
+37343332646534353838626366623361636261393865363633303631613837323733626264643835
+63376430613234386463336234623062656534643863656434386134616265333666613939393331
+39333166393538306135313431303831623063363533326330633062653333313733653831383736
+613864303461323739336563356161353234

inventories/prod/hosts

@@ -1,2 +1,2 @@
-[docker_hosts]
-root@alpina.lab.home
+[alpina]
+debbi.sys.cazzzer.com

inventories/staging/group_vars/all.yml

@@ -1 +0,0 @@
-domain: lab.cazzzer.com

inventories/staging/group_vars/alpina/vars.yml

@@ -0,0 +1,26 @@
+# Environment specific variables (staging)
+
+---
+domain: lab.cazzzer.com
+
+docker_ipv6_index: 254
+
+# Arrstack VPN
+wg_privkey: "{{ vault_wg_privkey }}"
+wg_psk: "{{ vault_wg_psk }}"
+wg_addresses: "{{ vault_wg_addresses }}"
+fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
+
+# Authentik External OAuth
+github_consumer_key: dbacb8621c37320eb745
+github_consumer_secret: "{{ vault_github_consumer_secret }}"
+google_consumer_key: 606830535764-pec4b3sa2tohim3u9jl2jmnl1see46q1.apps.googleusercontent.com
+google_consumer_secret: "{{ vault_google_consumer_secret }}"
+
+# VPGen
+vpgen_ipv4_starting_addr: 10.18.11.50
+vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"
+
+# Woodpecker
+woodpecker_gitea_client_id: c7122416-b160-498b-8021-8f2837552588
+woodpecker_gitea_client_secret: "{{ vault_woodpecker_gitea_client_secret }}"

inventories/staging/group_vars/alpina/vault.yml

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+36343339366166383430383235626463376339653331333635623936653135633633353064613634
+3263306161376232356634363532653266366665333364650a636365393465383165306563346132
+37653564633630653635353464333939353266396562316663653933373065353536333130383065
+3864353332303164320a316439313164663736636465366539643131303663343861333164613561
+37383965373964313535313335643164376164323263613539643933333035323837373662303030
+66636465303566313334386435326433653032383962353739643861346161323738636366396239
+39623336336234376339343562656362323932383265313161396435346530663330353266323433
+66396538313365653963323164306464663565303364386466666636346533633661333634313236
+33623936616239613264613730363039366561646535633239633564656166343162303633373366
+37656163333838656533363735383332626632353237613666396633363531666366336630613064
+66626561663766376531313666663963643766393965653564333062653139336230356330383464
+38343562383430303132663964303736623238386562323033623861303432363363373934643332
+63363239323664333131306237336134613137653136633932356238343733393632616464366134
+33623038363032653134626337663863366663383433633134326239616136656139366535613565
+61646330356330396236303566363834613236653733643162666536303435643133346633353632
+62386135303262353332643135636164303963616234626132356161663463366434323864626261
+33356536626263626261343937386666396561306334346435316262333431353234303836356563
+31343566373935396633636133616265346235396333396664333534336162323039623937656336
+36656133383966613333646336613039626563353862646238376461373264633233313836333062
+30343134363862626630393035643762376435346532306462363437646238333463396230666465
+64386365393063613139313164366562643066323461313364393265393638643137386561633530
+65643861386531323836306339386462656530383533363831323461303131396666626464303136
+64343865616235616366633136393662623862383961323338366435396334653538303830616166
+39636164613466313033643639366635323666666235653633333436613133343962353664313838
+64356466393239666131363964643461346633313030643061643938643232343334313731636463
+37396637643232353539626239306463623237623534366666396164613135356136313534663231
+36613662653237343061316463386231656136383636393034333666633063613731316162333464
+64313866633062623530326233633166343434636639346565346337396461393637383333366435
+62393030383963396638653230613431623837353461313630343333376131616239313164336234
+62323739316536353835613032303438623230626563303934626466303934613566656232323663
+643265386333313065333737613438316532

inventories/staging/hosts

@@ -1,2 +1,2 @@
-[docker_hosts]
-root@etapp.lab.home
+[alpina]
+etappi.sys.cazzzer.com

poetry.lock

@@ -0,0 +1,463 @@
+# This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand.
+
+[[package]]
+name = "ansible"
+version = "11.5.0"
+description = "Radically simple IT automation"
+optional = false
+python-versions = ">=3.11"
+groups = ["main"]
+files = [
+    {file = "ansible-11.5.0-py3-none-any.whl", hash = "sha256:d20bc30f44a35678ca5f05868084f2f52a8bb6f024e85dc80639f6ac4364cc61"},
+    {file = "ansible-11.5.0.tar.gz", hash = "sha256:18a3fc73120a49ade9a9a67eb8f9d4f5009d2106c34ffeb9663ad928b76ed59b"},
+]
+
+[package.dependencies]
+ansible-core = ">=2.18.5,<2.19.0"
+
+[[package]]
+name = "ansible-core"
+version = "2.18.5"
+description = "Radically simple IT automation"
+optional = false
+python-versions = ">=3.11"
+groups = ["main"]
+files = [
+    {file = "ansible_core-2.18.5-py3-none-any.whl", hash = "sha256:4a1e75a24969d0a650d399bffbaf5a76d7c9b96a21a199a939fe836c3452718d"},
+    {file = "ansible_core-2.18.5.tar.gz", hash = "sha256:319304d161770a8a891c07dec8a22c528548a948a7097eaf1a79939395105535"},
+]
+
+[package.dependencies]
+cryptography = "*"
+jinja2 = ">=3.0.0"
+packaging = "*"
+PyYAML = ">=5.1"
+resolvelib = ">=0.5.3,<1.1.0"
+
+[[package]]
+name = "ansible-vault"
+version = "2.1.0"
+description = "R/W an ansible-vault yaml file"
+optional = false
+python-versions = "*"
+groups = ["main"]
+files = [
+    {file = "ansible-vault-2.1.0.tar.gz", hash = "sha256:5ce8fdb5470f1449b76bf07ae2abc56480dad48356ae405c85b686efb64dbd5e"},
+]
+
+[package.dependencies]
+ansible = "*"
+setuptools = "*"
+
+[package.extras]
+dev = ["black ; python_version >= \"3.6\"", "flake8 ; python_version >= \"3.6\"", "isort[pyproject] ; python_version >= \"3.6\"", "pytest"]
+release = ["twine"]
+
+[[package]]
+name = "attrs"
+version = "25.1.0"
+description = "Classes Without Boilerplate"
+optional = false
+python-versions = ">=3.8"
+groups = ["dev"]
+files = [
+    {file = "attrs-25.1.0-py3-none-any.whl", hash = "sha256:c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a"},
+    {file = "attrs-25.1.0.tar.gz", hash = "sha256:1c97078a80c814273a76b2a298a932eb681c87415c11dee0a6921de7f1b02c3e"},
+]
+
+[package.extras]
+benchmark = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pympler", "pytest (>=4.3.0)", "pytest-codspeed", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
+cov = ["cloudpickle ; platform_python_implementation == \"CPython\"", "coverage[toml] (>=5.3)", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
+dev = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pre-commit-uv", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
+docs = ["cogapp", "furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier (<24.7)"]
+tests = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-xdist[psutil]"]
+tests-mypy = ["mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\"", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.10\""]
+
+[[package]]
+name = "cffi"
+version = "1.17.1"
+description = "Foreign Function Interface for Python calling C code."
+optional = false
+python-versions = ">=3.8"
+groups = ["main"]
+markers = "platform_python_implementation != \"PyPy\""
+files = [
+    {file = "cffi-1.17.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14"},
+    {file = "cffi-1.17.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67"},
+    {file = "cffi-1.17.1-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382"},
+    {file = "cffi-1.17.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702"},
+    {file = "cffi-1.17.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3"},
+    {file = "cffi-1.17.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6"},
+    {file = "cffi-1.17.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17"},
+    {file = "cffi-1.17.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8"},
+    {file = "cffi-1.17.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e"},
+    {file = "cffi-1.17.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be"},
+    {file = "cffi-1.17.1-cp310-cp310-win32.whl", hash = "sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c"},
+    {file = "cffi-1.17.1-cp310-cp310-win_amd64.whl", hash = "sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15"},
+    {file = "cffi-1.17.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401"},
+    {file = "cffi-1.17.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf"},
+    {file = "cffi-1.17.1-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4"},
+    {file = "cffi-1.17.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41"},
+    {file = "cffi-1.17.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1"},
+    {file = "cffi-1.17.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6"},
+    {file = "cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d"},
+    {file = "cffi-1.17.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6"},
+    {file = "cffi-1.17.1-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f"},
+    {file = "cffi-1.17.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b"},
+    {file = "cffi-1.17.1-cp311-cp311-win32.whl", hash = "sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655"},
+    {file = "cffi-1.17.1-cp311-cp311-win_amd64.whl", hash = "sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0"},
+    {file = "cffi-1.17.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4"},
+    {file = "cffi-1.17.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c"},
+    {file = "cffi-1.17.1-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36"},
+    {file = "cffi-1.17.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5"},
+    {file = "cffi-1.17.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff"},
+    {file = "cffi-1.17.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99"},
+    {file = "cffi-1.17.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93"},
+    {file = "cffi-1.17.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3"},
+    {file = "cffi-1.17.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8"},
+    {file = "cffi-1.17.1-cp312-cp312-win32.whl", hash = "sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65"},
+    {file = "cffi-1.17.1-cp312-cp312-win_amd64.whl", hash = "sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903"},
+    {file = "cffi-1.17.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e"},
+    {file = "cffi-1.17.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2"},
+    {file = "cffi-1.17.1-cp313-cp313-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3"},
+    {file = "cffi-1.17.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683"},
+    {file = "cffi-1.17.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5"},
+    {file = "cffi-1.17.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4"},
+    {file = "cffi-1.17.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd"},
+    {file = "cffi-1.17.1-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed"},
+    {file = "cffi-1.17.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9"},
+    {file = "cffi-1.17.1-cp313-cp313-win32.whl", hash = "sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d"},
+    {file = "cffi-1.17.1-cp313-cp313-win_amd64.whl", hash = "sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a"},
+    {file = "cffi-1.17.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b"},
+    {file = "cffi-1.17.1-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964"},
+    {file = "cffi-1.17.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9"},
+    {file = "cffi-1.17.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc"},
+    {file = "cffi-1.17.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c"},
+    {file = "cffi-1.17.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1"},
+    {file = "cffi-1.17.1-cp38-cp38-win32.whl", hash = "sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8"},
+    {file = "cffi-1.17.1-cp38-cp38-win_amd64.whl", hash = "sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1"},
+    {file = "cffi-1.17.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16"},
+    {file = "cffi-1.17.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36"},
+    {file = "cffi-1.17.1-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8"},
+    {file = "cffi-1.17.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576"},
+    {file = "cffi-1.17.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87"},
+    {file = "cffi-1.17.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0"},
+    {file = "cffi-1.17.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3"},
+    {file = "cffi-1.17.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595"},
+    {file = "cffi-1.17.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a"},
+    {file = "cffi-1.17.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e"},
+    {file = "cffi-1.17.1-cp39-cp39-win32.whl", hash = "sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7"},
+    {file = "cffi-1.17.1-cp39-cp39-win_amd64.whl", hash = "sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662"},
+    {file = "cffi-1.17.1.tar.gz", hash = "sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824"},
+]
+
+[package.dependencies]
+pycparser = "*"
+
+[[package]]
+name = "cryptography"
+version = "44.0.1"
+description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
+optional = false
+python-versions = "!=3.9.0,!=3.9.1,>=3.7"
+groups = ["main"]
+files = [
+    {file = "cryptography-44.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:bf688f615c29bfe9dfc44312ca470989279f0e94bb9f631f85e3459af8efc009"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dd7c7e2d71d908dc0f8d2027e1604102140d84b155e658c20e8ad1304317691f"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:887143b9ff6bad2b7570da75a7fe8bbf5f65276365ac259a5d2d5147a73775f2"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:322eb03ecc62784536bc173f1483e76747aafeb69c8728df48537eb431cd1911"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:21377472ca4ada2906bc313168c9dc7b1d7ca417b63c1c3011d0c74b7de9ae69"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:df978682c1504fc93b3209de21aeabf2375cb1571d4e61907b3e7a2540e83026"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:eb3889330f2a4a148abead555399ec9a32b13b7c8ba969b72d8e500eb7ef84cd"},
+    {file = "cryptography-44.0.1-cp37-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:8e6a85a93d0642bd774460a86513c5d9d80b5c002ca9693e63f6e540f1815ed0"},
+    {file = "cryptography-44.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:6f76fdd6fd048576a04c5210d53aa04ca34d2ed63336d4abd306d0cbe298fddf"},
+    {file = "cryptography-44.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6c8acf6f3d1f47acb2248ec3ea261171a671f3d9428e34ad0357148d492c7864"},
+    {file = "cryptography-44.0.1-cp37-abi3-win32.whl", hash = "sha256:24979e9f2040c953a94bf3c6782e67795a4c260734e5264dceea65c8f4bae64a"},
+    {file = "cryptography-44.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:fd0ee90072861e276b0ff08bd627abec29e32a53b2be44e41dbcdf87cbee2b00"},
+    {file = "cryptography-44.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:a2d8a7045e1ab9b9f803f0d9531ead85f90c5f2859e653b61497228b18452008"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b8272f257cf1cbd3f2e120f14c68bff2b6bdfcc157fafdee84a1b795efd72862"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1e8d181e90a777b63f3f0caa836844a1182f1f265687fac2115fcf245f5fbec3"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:436df4f203482f41aad60ed1813811ac4ab102765ecae7a2bbb1dbb66dcff5a7"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:4f422e8c6a28cf8b7f883eb790695d6d45b0c385a2583073f3cec434cc705e1a"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:72198e2b5925155497a5a3e8c216c7fb3e64c16ccee11f0e7da272fa93b35c4c"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:2a46a89ad3e6176223b632056f321bc7de36b9f9b93b2cc1cccf935a3849dc62"},
+    {file = "cryptography-44.0.1-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:53f23339864b617a3dfc2b0ac8d5c432625c80014c25caac9082314e9de56f41"},
+    {file = "cryptography-44.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:888fcc3fce0c888785a4876ca55f9f43787f4c5c1cc1e2e0da71ad481ff82c5b"},
+    {file = "cryptography-44.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:00918d859aa4e57db8299607086f793fa7813ae2ff5a4637e318a25ef82730f7"},
+    {file = "cryptography-44.0.1-cp39-abi3-win32.whl", hash = "sha256:9b336599e2cb77b1008cb2ac264b290803ec5e8e89d618a5e978ff5eb6f715d9"},
+    {file = "cryptography-44.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:e403f7f766ded778ecdb790da786b418a9f2394f36e8cc8b796cc056ab05f44f"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:1f9a92144fa0c877117e9748c74501bea842f93d21ee00b0cf922846d9d0b183"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:610a83540765a8d8ce0f351ce42e26e53e1f774a6efb71eb1b41eb01d01c3d12"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:5fed5cd6102bb4eb843e3315d2bf25fede494509bddadb81e03a859c1bc17b83"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:f4daefc971c2d1f82f03097dc6f216744a6cd2ac0f04c68fb935ea2ba2a0d420"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:94f99f2b943b354a5b6307d7e8d19f5c423a794462bde2bf310c770ba052b1c4"},
+    {file = "cryptography-44.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:d9c5b9f698a83c8bd71e0f4d3f9f839ef244798e5ffe96febfa9714717db7af7"},
+    {file = "cryptography-44.0.1.tar.gz", hash = "sha256:f51f5705ab27898afda1aaa430f34ad90dc117421057782022edf0600bec5f14"},
+]
+
+[package.dependencies]
+cffi = {version = ">=1.12", markers = "platform_python_implementation != \"PyPy\""}
+
+[package.extras]
+docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=3.0.0) ; python_version >= \"3.8\""]
+docstest = ["pyenchant (>=3)", "readme-renderer (>=30.0)", "sphinxcontrib-spelling (>=7.3.1)"]
+nox = ["nox (>=2024.4.15)", "nox[uv] (>=2024.3.2) ; python_version >= \"3.8\""]
+pep8test = ["check-sdist ; python_version >= \"3.8\"", "click (>=8.0.1)", "mypy (>=1.4)", "ruff (>=0.3.6)"]
+sdist = ["build (>=1.0.0)"]
+ssh = ["bcrypt (>=3.1.5)"]
+test = ["certifi (>=2024)", "cryptography-vectors (==44.0.1)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
+test-randomorder = ["pytest-randomly"]
+
+[[package]]
+name = "grafanalib"
+version = "0.7.1"
+description = "Library for building Grafana dashboards"
+optional = false
+python-versions = "*"
+groups = ["dev"]
+files = [
+    {file = "grafanalib-0.7.1-py3-none-any.whl", hash = "sha256:6fab5d7b837a1f2d1322ef762cd52e565ec0422707a7512765c59f668bdceb58"},
+    {file = "grafanalib-0.7.1.tar.gz", hash = "sha256:3d92bb4e92ae78fe4e21c5b252ab51f4fdcacd8523ba5a44545b897b2a375b83"},
+]
+
+[package.dependencies]
+attrs = ">=15.2.0"
+
+[package.extras]
+dev = ["flake8", "pytest"]
+
+[[package]]
+name = "jinja2"
+version = "3.1.5"
+description = "A very fast and expressive template engine."
+optional = false
+python-versions = ">=3.7"
+groups = ["main"]
+files = [
+    {file = "jinja2-3.1.5-py3-none-any.whl", hash = "sha256:aba0f4dc9ed8013c424088f68a5c226f7d6097ed89b246d7749c2ec4175c6adb"},
+    {file = "jinja2-3.1.5.tar.gz", hash = "sha256:8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb"},
+]
+
+[package.dependencies]
+MarkupSafe = ">=2.0"
+
+[package.extras]
+i18n = ["Babel (>=2.7)"]
+
+[[package]]
+name = "markupsafe"
+version = "3.0.2"
+description = "Safely add untrusted strings to HTML/XML markup."
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-win32.whl", hash = "sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"},
+    {file = "MarkupSafe-3.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-win32.whl", hash = "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d"},
+    {file = "MarkupSafe-3.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-win32.whl", hash = "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30"},
+    {file = "MarkupSafe-3.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-win32.whl", hash = "sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-win32.whl", hash = "sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6"},
+    {file = "MarkupSafe-3.0.2-cp313-cp313t-win_amd64.whl", hash = "sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-win32.whl", hash = "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f"},
+    {file = "MarkupSafe-3.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a"},
+    {file = "markupsafe-3.0.2.tar.gz", hash = "sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0"},
+]
+
+[[package]]
+name = "netaddr"
+version = "1.3.0"
+description = "A network address manipulation library for Python"
+optional = false
+python-versions = ">=3.7"
+groups = ["main"]
+files = [
+    {file = "netaddr-1.3.0-py3-none-any.whl", hash = "sha256:c2c6a8ebe5554ce33b7d5b3a306b71bbb373e000bbbf2350dd5213cc56e3dbbe"},
+    {file = "netaddr-1.3.0.tar.gz", hash = "sha256:5c3c3d9895b551b763779ba7db7a03487dc1f8e3b385af819af341ae9ef6e48a"},
+]
+
+[package.extras]
+nicer-shell = ["ipython"]
+
+[[package]]
+name = "packaging"
+version = "24.2"
+description = "Core utilities for Python packages"
+optional = false
+python-versions = ">=3.8"
+groups = ["main"]
+files = [
+    {file = "packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759"},
+    {file = "packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f"},
+]
+
+[[package]]
+name = "pycparser"
+version = "2.22"
+description = "C parser in Python"
+optional = false
+python-versions = ">=3.8"
+groups = ["main"]
+markers = "platform_python_implementation != \"PyPy\""
+files = [
+    {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"},
+    {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"},
+]
+
+[[package]]
+name = "pyyaml"
+version = "6.0.2"
+description = "YAML parser and emitter for Python"
+optional = false
+python-versions = ">=3.8"
+groups = ["main"]
+files = [
+    {file = "PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"},
+    {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"},
+    {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237"},
+    {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b"},
+    {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed"},
+    {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180"},
+    {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68"},
+    {file = "PyYAML-6.0.2-cp310-cp310-win32.whl", hash = "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99"},
+    {file = "PyYAML-6.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e"},
+    {file = "PyYAML-6.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774"},
+    {file = "PyYAML-6.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee"},
+    {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c"},
+    {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317"},
+    {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85"},
+    {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"},
+    {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e"},
+    {file = "PyYAML-6.0.2-cp311-cp311-win32.whl", hash = "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5"},
+    {file = "PyYAML-6.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44"},
+    {file = "PyYAML-6.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab"},
+    {file = "PyYAML-6.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725"},
+    {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5"},
+    {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425"},
+    {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476"},
+    {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48"},
+    {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b"},
+    {file = "PyYAML-6.0.2-cp312-cp312-win32.whl", hash = "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4"},
+    {file = "PyYAML-6.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8"},
+    {file = "PyYAML-6.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba"},
+    {file = "PyYAML-6.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1"},
+    {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133"},
+    {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484"},
+    {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5"},
+    {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc"},
+    {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652"},
+    {file = "PyYAML-6.0.2-cp313-cp313-win32.whl", hash = "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183"},
+    {file = "PyYAML-6.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563"},
+    {file = "PyYAML-6.0.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a"},
+    {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5"},
+    {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d"},
+    {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083"},
+    {file = "PyYAML-6.0.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706"},
+    {file = "PyYAML-6.0.2-cp38-cp38-win32.whl", hash = "sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a"},
+    {file = "PyYAML-6.0.2-cp38-cp38-win_amd64.whl", hash = "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff"},
+    {file = "PyYAML-6.0.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d"},
+    {file = "PyYAML-6.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f"},
+    {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290"},
+    {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12"},
+    {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19"},
+    {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e"},
+    {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725"},
+    {file = "PyYAML-6.0.2-cp39-cp39-win32.whl", hash = "sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631"},
+    {file = "PyYAML-6.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8"},
+    {file = "pyyaml-6.0.2.tar.gz", hash = "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e"},
+]
+
+[[package]]
+name = "resolvelib"
+version = "1.0.1"
+description = "Resolve abstract dependencies into concrete ones"
+optional = false
+python-versions = "*"
+groups = ["main"]
+files = [
+    {file = "resolvelib-1.0.1-py2.py3-none-any.whl", hash = "sha256:d2da45d1a8dfee81bdd591647783e340ef3bcb104b54c383f70d422ef5cc7dbf"},
+    {file = "resolvelib-1.0.1.tar.gz", hash = "sha256:04ce76cbd63fded2078ce224785da6ecd42b9564b1390793f64ddecbe997b309"},
+]
+
+[package.extras]
+examples = ["html5lib", "packaging", "pygraphviz", "requests"]
+lint = ["black", "flake8", "isort", "mypy", "types-requests"]
+release = ["build", "towncrier", "twine"]
+test = ["commentjson", "packaging", "pytest"]
+
+[[package]]
+name = "setuptools"
+version = "75.8.1"
+description = "Easily download, build, install, upgrade, and uninstall Python packages"
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "setuptools-75.8.1-py3-none-any.whl", hash = "sha256:3bc32c0b84c643299ca94e77f834730f126efd621de0cc1de64119e0e17dab1f"},
+    {file = "setuptools-75.8.1.tar.gz", hash = "sha256:65fb779a8f28895242923582eadca2337285f0891c2c9e160754df917c3d2530"},
+]
+
+[package.extras]
+check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1) ; sys_platform != \"cygwin\"", "ruff (>=0.8.0) ; sys_platform != \"cygwin\""]
+core = ["importlib_metadata (>=6) ; python_version < \"3.10\"", "jaraco.collections", "jaraco.functools (>=4)", "jaraco.text (>=3.7)", "more_itertools", "more_itertools (>=8.8)", "packaging", "packaging (>=24.2)", "platformdirs (>=4.2.2)", "tomli (>=2.0.1) ; python_version < \"3.11\"", "wheel (>=0.43.0)"]
+cover = ["pytest-cov"]
+doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier", "towncrier (<24.7)"]
+enabler = ["pytest-enabler (>=2.2)"]
+test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21) ; python_version >= \"3.9\" and sys_platform != \"cygwin\"", "jaraco.envs (>=2.2)", "jaraco.path (>=3.7.2)", "jaraco.test (>=5.5)", "packaging (>=24.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf ; sys_platform != \"cygwin\"", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"]
+type = ["importlib_metadata (>=7.0.2) ; python_version < \"3.10\"", "jaraco.develop (>=7.21) ; sys_platform != \"cygwin\"", "mypy (==1.14.*)", "pytest-mypy"]
+
+[metadata]
+lock-version = "2.1"
+python-versions = "^3.11"
+content-hash = "aee53e668f5f3a99526ea72999ad57256351453f5331f71c0abf94b5bd74a0c3"

pyproject.toml

@@ -0,0 +1,20 @@
+[tool.poetry]
+name = "alpina"
+version = "0.1.0"
+description = ""
+authors = ["Iurii Tatishchev <itatishch@gmail.com>"]
+readme = "README.md"
+
+[tool.poetry.dependencies]
+python = "^3.11"
+ansible = "^11.1.0"
+ansible-vault = "^2.1.0"
+netaddr = "^1.3.0"
+
+[tool.poetry.group.dev.dependencies]
+grafanalib = "^0.7.1"
+
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

renovate.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "docker-compose": {
+    "fileMatch": [
+      "(^|/)(?:docker-)?compose[^/]*\\.ya?ml(\\.j2)?$"
+    ]
+  }
+}

requirements.txt

@@ -1 +0,0 @@
-ansible==6.0.0

roles/alpina/tasks/deploy_collection.yml

@@ -0,0 +1,15 @@
+- name: Ensure {{ collection }} collection directory exists
+  file:
+    path: "{{ alpina_svc_path }}/{{ collection }}"
+    state: directory
+    mode: "700"
+
+- name: Deploy docker compose stacks for {{ collection }}
+  vars:
+    current_stack_name: "{{ stack }}"
+    current_stack_dest: "{{ alpina_svc_path }}/{{ collection }}/{{ stack }}"
+    current_stack_source: "{{ role_path }}/templates/{{ collection }}/{{ stack }}"
+  include_tasks: deploy_compose_stack.yml
+  loop: "{{ stacks }}"
+  loop_control:
+    loop_var: stack

roles/alpina/tasks/deploy_compose_stack.yml

@@ -0,0 +1,42 @@
+# https://stackoverflow.com/questions/41667864/can-the-templates-module-handle-multiple-templates-directories
+
+- name: Ensure {{ stack }} stack directory exists
+  file:
+    path: "{{ current_stack_dest }}"
+    state: directory
+    mode: "700"
+
+- name: Ensure directory structure exists
+  file:
+    path: "{{ current_stack_dest }}/{{ item.path }}"
+    state: directory
+    mode: "755"
+  loop: "{{ query('community.general.filetree', current_stack_source) }}"
+  when: item.state == "directory"
+
+- name: Generate {{ current_stack_name }} deployment from templates
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ current_stack_dest }}/{{ item.path | regex_replace('\\.j2$', '') }}"
+    mode: "644"
+  loop: "{{ query('community.general.filetree', current_stack_source) }}"
+  when: item.state == "file" and item.path | regex_search('\\.j2$')
+
+- name: Generate {{ current_stack_name }} deployment from static files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ current_stack_dest }}/{{ item.path }}"
+    mode: "644"
+  loop: "{{ query('community.general.filetree', current_stack_source) }}"
+  when: item.state == "file" and not item.path | regex_search('\\.j2$')
+
+- name: Deploy docker-compose for {{ current_stack_name }}
+  community.docker.docker_compose_v2:
+    project_src: "{{ current_stack_dest }}"
+    state: present
+    pull: always
+    remove_orphans: yes
+  register: docker_compose_output
+
+# - debug:
+#     var: docker_compose_output

roles/alpina/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: Register uid of remote user
+  command: id -u
+  register: remote_uid_command
+  changed_when: false
+
+- name: Set fact for uid
+  set_fact:
+    remote_uid: "{{ remote_uid_command.stdout }}"
+
+- name: Ensure alpina directory exists
+  file:
+    state: directory
+    path: "{{ alpina_svc_path }}"
+    mode: "700"
+
+- name: Deploy collection services
+  vars:
+    collection: services
+    stacks:
+      - traefik
+      - monitoring
+      - authentik
+      - minio
+  import_tasks: deploy_collection.yml
+
+- name: Deploy collection apps
+  vars:
+    collection: apps
+    stacks:
+      - gitea
+      - woodpecker
+      - syncthing
+      - nextcloud
+      - jellyfin
+      - arrstack
+      - vpgen
+      - pgrok
+  import_tasks: deploy_collection.yml

roles/alpina/templates/apps/arrstack/.env.gluetun.j2

@@ -0,0 +1,33 @@
+## ProtonVPN OpenVPN
+#VPN_SERVICE_PROVIDER=protonvpn
+#OPENVPN_USER=+pmp
+#OPENVPN_PASSWORD=
+#SERVER_HOSTNAMES=node-us-160.protonvpn.net,node-us-161.protonvpn.net
+#VPN_PORT_FORWARDING=on
+
+## ProtonVPN WireGuard
+#VPN_SERVICE_PROVIDER=custom
+#VPN_TYPE=wireguard
+#VPN_ENDPOINT_IP=
+#VPN_ENDPOINT_PORT=
+#WIREGUARD_PUBLIC_KEY=
+#WIREGUARD_PRIVATE_KEY=
+#WIREGUARD_PRESHARED_KEY=
+#WIREGUARD_ADDRESSES=
+#VPN_DNS_ADDRESS=
+#VPN_PORT_FORWARDING=on
+#VPN_PORT_FORWARDING_PROVIDER=protonvpn
+
+## AirVPN
+VPN_SERVICE_PROVIDER=airvpn
+VPN_TYPE=wireguard
+SERVER_NAMES={{ vpn_server_names }}
+WIREGUARD_PUBLIC_KEY={{ wg_peer_pubkey }}
+WIREGUARD_PRIVATE_KEY={{ wg_privkey }}
+WIREGUARD_PRESHARED_KEY={{ wg_psk }}
+WIREGUARD_ADDRESSES={{ wg_addresses }}
+FIREWALL_VPN_INPUT_PORTS={{ fw_vpn_input_ports }}
+
+UPDATER_PERIOD=24h
+
+#FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/8,{{ docker_ipv6_subnet }}

roles/alpina/templates/apps/arrstack/compose.yml.j2

@@ -0,0 +1,76 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(249) | indent(2) }}
+
+services:
+  gluetun:
+    image: qmcgaw/gluetun:latest
+    container_name: gluetun
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+    env_file:
+      - .env.gluetun
+    restart: unless-stopped
+    volumes:
+      - {{ base_volume_path }}/arrstack/gluetun:/gluetun
+
+  qbittorrent:
+    image: linuxserver/qbittorrent:latest
+    container_name: qbittorrent
+    labels:
+      - {{ helpers.traefik_labels('qbit', port='8080', auth=true) | indent(6) }}
+    restart: unless-stopped
+    environment:
+      {#  Keeping this for debugging purposes  -#}
+      - DOCKER_MODS=linuxserver/mods:universal-package-install
+    network_mode: service:gluetun
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/qbittorrent:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex
+      - {{ media_volume_path }}/iso-img:/media/iso-img
+    depends_on:
+      gluetun:
+        condition: service_healthy
+
+  prowlarr:
+    image: linuxserver/prowlarr:latest
+    container_name: prowlarr
+    labels:
+      - {{ helpers.traefik_labels('prowlarr', port='9696', auth=true) | indent(6) }}
+    restart: unless-stopped
+    depends_on:
+      - qbittorrent
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/prowlarr:/config
+
+  sonarr:
+    image: linuxserver/sonarr:latest
+    container_name: sonarr
+    labels:
+      - {{ helpers.traefik_labels('sonarr', port='8989', auth=true) | indent(6) }}
+    restart: unless-stopped
+    depends_on:
+      - qbittorrent
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/sonarr:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex
+
+  radarr:
+    image: linuxserver/radarr:latest
+    container_name: radarr
+    labels:
+      - {{ helpers.traefik_labels('radarr', port='7878', auth=true) | indent(6) }}
+    restart: unless-stopped
+    depends_on:
+      - qbittorrent
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/radarr:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex

roles/alpina/templates/apps/gitea/.env.db.j2

@@ -0,0 +1,3 @@
+POSTGRES_USER=gitea
+POSTGRES_DB=gitea
+POSTGRES_PASSWORD={{ gitea_db_password }}

roles/alpina/templates/apps/gitea/.env.gitea.j2

@@ -0,0 +1,31 @@
+GITEA____APP_NAME=CazGitea
+
+# Database
+GITEA__database__DB_TYPE=postgres
+GITEA__database__HOST=db:5432
+GITEA__database__NAME=gitea
+GITEA__database__USER=gitea
+GITEA__database__PASSWD={{ gitea_db_password }}
+
+# Server
+GITEA__server__ROOT_URL=https://gitea.{{ domain }}/
+GITEA__server__DISABLE_SSH=true
+
+# Mail
+GITEA__mailer__ENABLED=true
+GITEA__mailer__SMTP_ADDR=smtp.sendgrid.net
+GITEA__mailer__SMTP_PORT=587
+GITEA__mailer__FROM=gitea@cazzzer.com
+GITEA__mailer__USER=apikey
+GITEA__mailer__PASSWD={{ gitea_sendgrid_api_key }}
+
+# Security
+GITEA__security__SECRET_KEY={{ secret_key }}
+GITEA__security__INTERNAL_TOKEN={{ internal_token }}
+
+GITEA__oauth2__JWT_SECRET={{ jwt_secret }}
+
+GITEA__webhook__ALLOWED_HOST_LIST="external,woodpecker.{{ domain }}"
+
+# Indexer
+GITEA__indexer__REPO_INDEXER_ENABLED=true

roles/alpina/templates/apps/gitea/compose.yml.j2

@@ -0,0 +1,26 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(199) | indent(2) }}
+
+services:
+  server:
+    image: gitea/gitea
+    container_name: gitea_server
+    labels:
+      - {{ helpers.traefik_labels('gitea', port='3000') | indent(6) }}
+    restart: unless-stopped
+    env_file:
+      - .env.gitea
+    volumes:
+      - {{ base_volume_path }}/gitea/gitea:/data
+    depends_on:
+      - db
+  db:
+    image: postgres:16-alpine
+    container_name: gitea_db
+    restart: unless-stopped
+    env_file:
+      - .env.db
+    volumes:
+      - {{ base_volume_path }}/gitea/postgres:/var/lib/postgresql/data

roles/alpina/templates/apps/jellyfin/.env.jellyfin.j2

@@ -0,0 +1 @@
+JELLYFIN_PublishedServerUrl=https://jellyfin.{{ domain }}

roles/alpina/templates/apps/jellyfin/compose.yml.j2

@@ -0,0 +1,23 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(197) | indent(2) }}
+
+services:
+  jellyfin:
+    image: jellyfin/jellyfin:latest
+    container_name: jellyfin_jellyfin
+    labels:
+      - {{ helpers.traefik_labels('jellyfin', port='8096') | indent(6) }}
+    restart: unless-stopped
+    env_file:
+      - .env.jellyfin
+    volumes:
+      - {{ base_volume_path }}/jellyfin/config:/config
+      - {{ base_volume_path }}/jellyfin/cache:/cache
+      - {{ media_volume_path }}/Plex/media:/data/media:ro
+      - {{ media_volume_path }}/other_videos:/data/other_videos:ro
+    tmpfs:
+      - /tmp/transcodes
+    devices:
+      - /dev/dri:/dev/dri

roles/alpina/templates/apps/nextcloud/.env.db.j2

@@ -1,3 +1,3 @@
 POSTGRES_USER=nextcloud
 POSTGRES_DB=nextcloud
-POSTGRES_PASSWORD="{{ db_password }}"
+POSTGRES_PASSWORD={{ nextcloud_db_password }}

roles/alpina/templates/apps/nextcloud/.env.nextcloud.j2

@@ -0,0 +1,24 @@
+POSTGRES_DB=nextcloud
+POSTGRES_USER=nextcloud
+POSTGRES_PASSWORD={{ nextcloud_db_password }}
+POSTGRES_HOST=db
+
+NEXTCLOUD_TRUSTED_DOMAINS=nc.{{ domain }}
+
+REDIS_HOST=redis
+REDIS_HOST_PASSWORD={{ redis_password }}
+
+SMTP_HOST=smtp.sendgrid.net
+SMTP_SECURE=tls
+SMTP_PORT=587
+SMTP_AUTHTYPE=LOGIN
+SMTP_NAME=apikey
+SMTP_PASSWORD={{ nextcloud_sendgrid_api_key }}
+MAIL_FROM_ADDRESS=nc
+MAIL_DOMAIN=cazzzer.com
+
+# host IPv4 and IPv6 addresses, loopback for notify_push
+TRUSTED_PROXIES={{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} {{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }} 127.0.0.1 ::1
+OVERWRITEHOST=nc.{{ domain }}
+OVERWRITEPROTOCOL=https
+OVERWRITECLIURL=https://nc.{{ domain }}

roles/alpina/templates/apps/nextcloud/.env.notify_push.j2

@@ -0,0 +1,4 @@
+DATABASE_URL=postgres://nextcloud:{{ nextcloud_db_password }}@db/nextcloud
+DATABASE_PREFIX=oc_
+REDIS_URL=redis://:{{ redis_password }}@redis
+NEXTCLOUD_URL=http://localhost

roles/alpina/templates/apps/nextcloud/.env.redis.j2

@@ -0,0 +1 @@
+REDIS_PASSWORD={{ redis_password }}

roles/alpina/templates/apps/nextcloud/compose.yml.j2

@@ -0,0 +1,68 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(198) | indent(2) }}
+
+services:
+  app:
+    image: &nextcloud_image nextcloud:stable-apache
+    container_name: nextcloud_app
+    labels:
+      - {{ helpers.traefik_labels('nc', port='80') | indent(6) }}
+    restart: unless-stopped
+    depends_on:
+      - db
+      - redis
+    env_file:
+      - .env.nextcloud
+    volumes:
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
+      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
+
+  cron:
+    image: *nextcloud_image
+    container_name: nextcloud_cron
+    restart: unless-stopped
+    depends_on:
+      - app
+    entrypoint: /cron.sh
+    volumes:
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
+      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
+
+  notify_push:
+    image: *nextcloud_image
+    container_name: nextcloud_notify_push
+    labels:
+      - {{ helpers.traefik_labels('nc', port='7867', path_prefix='/push') | indent(6) }}
+    restart: unless-stopped
+    user: www-data
+    env_file:
+      - .env.notify_push
+    network_mode: service:app
+    entrypoint:
+      - /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push
+    volumes:
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+
+  db:
+    image: postgres:16-alpine
+    container_name: nextcloud_db
+    restart: unless-stopped
+    env_file:
+      - .env.db
+    volumes:
+      - {{ base_volume_path }}/nextcloud/db:/var/lib/postgresql/data
+
+  redis:
+    image: redis:alpine
+    container_name: nextcloud_redis
+    restart: unless-stopped
+    env_file:
+      - .env.redis
+    command:
+      - sh
+      - -c
+      - redis-server --requirepass $$REDIS_PASSWORD

roles/alpina/templates/apps/pgrok/compose.yml.j2

@@ -0,0 +1,31 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(194) | indent(2) }}
+
+#  https://github.com/pgrok/pgrok/blob/main/docs/admin/docker.md#docker-compose
+services:
+  server:
+    image: ghcr.io/pgrok/pgrokd:latest
+    container_name: pgrok_server
+    labels:
+      - {{ helpers.traefik_labels('pgrok', port='3320') | indent(6) }}
+      - {{ helpers.traefik_labels('pgrok', port='3000', wildcard=true) | indent(6) }}
+    restart: unless-stopped
+    volumes:
+      - ./pgrokd.yml:/var/opt/pgrokd/pgrokd.yml
+    ports:
+      - "2222:2222"
+    depends_on:
+      - db
+
+  db:
+    image: postgres:17-alpine
+    container_name: pgrok_db
+    restart: unless-stopped
+    volumes:
+      - {{ base_volume_path }}/pgrok/postgres:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: pgrok
+      POSTGRES_USER: pgrok
+      POSTGRES_PASSWORD: "{{ pgrok_db_password }}"

roles/alpina/templates/apps/pgrok/pgrokd.yml.j2

@@ -0,0 +1,29 @@
+external_url: "https://pgrok.{{ domain }}"
+web:
+  port: 3320
+proxy:
+  port: 3000
+  scheme: https
+  domain: "pgrok.{{ domain }}"
+sshd:
+  port: 2222
+
+database:
+  host: db
+  port: 5432
+  user: pgrok
+  password: "{{ pgrok_db_password }}"
+  database: pgrok
+
+identity_provider:
+  type: oidc
+  display_name: Authentik
+  issuer: "https://auth.{{ domain }}/application/o/pgrok/"
+  client_id: "pgrok"
+  client_secret: "{{ auth_pgrok_client_secret }}"
+  field_mapping:
+    identifier: "preferred_username"
+    display_name: "name"
+    email: "email"
+# # The required domain name, "field_mapping.email" is required to set for this to work.
+  #  required_domain: "example.com"

roles/alpina/templates/apps/syncthing/compose.yml.j2

@@ -0,0 +1,16 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(193) | indent(2) }}
+
+services:
+  syncthing:
+    image: linuxserver/syncthing
+    container_name: syncthing
+    labels:
+      - {{ helpers.traefik_labels('sync', port='8384', auth=true) | indent(6) }}
+    restart: unless-stopped
+    network_mode: host
+    volumes:
+      - {{ base_volume_path }}/syncthing/config:/config
+      - {{ base_volume_path }}/syncthing/data:/data

roles/alpina/templates/apps/vpgen/.env.vpgen.j2

@@ -0,0 +1,29 @@
+DATABASE_URL=file:/data/vpgen.db
+
+PUBLIC_AUTH_AUTHENTIK_ENABLE=1
+AUTH_AUTHENTIK_REQUIRE_INVITE=0
+AUTH_AUTHENTIK_DOMAIN="auth.{{ domain }}"
+AUTH_AUTHENTIK_CLIENT_ID=vpgen
+AUTH_AUTHENTIK_CLIENT_SECRET="{{ auth_vpgen_client_secret }}"
+
+PUBLIC_AUTH_GOOGLE_ENABLE=1
+AUTH_GOOGLE_REQUIRE_INVITE=1
+AUTH_GOOGLE_CLIENT_ID="{{ google_consumer_key }}"
+AUTH_GOOGLE_CLIENT_SECRET="{{ google_consumer_secret }}"
+
+AUTH_INVITE_TOKEN="{{ vpgen_auth_invite_token }}"
+
+OPNSENSE_API_URL={{ vpgen_opnsense_api_url }}
+OPNSENSE_API_KEY={{ vpgen_opnsense_api_key }}
+OPNSENSE_API_SECRET={{ vpgen_opnsense_api_secret }}
+OPNSENSE_WG_IFNAME={{ vpgen_opnsense_wg_ifname }}
+
+IPV4_STARTING_ADDR={{ vpgen_ipv4_starting_addr }}
+IPV6_STARTING_ADDR={{ vpgen_ipv6_starting_addr }}
+IPV6_CLIENT_PREFIX_SIZE={{ vpgen_ipv6_client_prefix_size }}
+IP_MAX_INDEX={{ vpgen_ip_max_index }}
+VPN_ENDPOINT={{ vpgen_vpn_endpoint }}
+VPN_DNS={{ vpgen_vpn_dns }}
+MAX_CLIENTS_PER_USER={{ vpgen_max_clients_per_user }}
+
+ORIGIN=https://vpgen.{{ domain }}

roles/alpina/templates/apps/vpgen/compose.yml.j2

@@ -0,0 +1,16 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(196) | indent(2) }}
+
+services:
+  vpgen:
+    image: gitea.cazzzer.com/cazzzer/vpgen:develop
+    container_name: vpgen
+    labels:
+      - {{ helpers.traefik_labels('vpgen', port='3000') | indent(6) }}
+    restart: unless-stopped
+    env_file:
+      - .env.vpgen
+    volumes:
+      - {{ base_volume_path }}/vpgen:/data

roles/alpina/templates/apps/woodpecker/compose.yml.j2

@@ -0,0 +1,35 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(195) | indent(2) }}
+
+services:
+  woodpecker-server:
+    image: woodpeckerci/woodpecker-server:v3
+    container_name: woodpecker_server
+    labels:
+      - {{ helpers.traefik_labels('woodpecker', port='8000') | indent(6) }}
+    restart: unless-stopped
+    volumes:
+      - {{ base_volume_path }}/woodpecker/data:/var/lib/woodpecker
+    environment:
+      - WOODPECKER_OPEN=true
+      - WOODPECKER_HOST=https://woodpecker.{{ domain }}
+      - WOODPECKER_GITEA=true
+      - WOODPECKER_GITEA_URL=https://gitea.{{ domain }}
+      - WOODPECKER_GITEA_CLIENT={{ woodpecker_gitea_client_id }}
+      - WOODPECKER_GITEA_SECRET={{ woodpecker_gitea_client_secret }}
+      - WOODPECKER_AGENT_SECRET={{ woodpecker_agent_secret }}
+
+  woodpecker-agent:
+    image: woodpeckerci/woodpecker-agent:v3
+    container_name: woodpecker_agent
+    restart: unless-stopped
+    depends_on:
+      - woodpecker-server
+    volumes:
+      - {{ base_volume_path }}/woodpecker/agent_config:/etc/woodpecker
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WOODPECKER_SERVER=woodpecker-server:9000
+      - WOODPECKER_AGENT_SECRET={{ woodpecker_agent_secret }}

roles/alpina/templates/services/authentik/.env.authentik.j2

@@ -0,0 +1,21 @@
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+
+AUTHENTIK_REDIS__HOST=redis
+AUTHENTIK_POSTGRESQL__HOST=postgres
+AUTHENTIK_POSTGRESQL__USER=authentik
+AUTHENTIK_POSTGRESQL__NAME=authentik
+AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
+
+AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
+
+AUTHENTIK_EMAIL__HOST=smtp.sendgrid.net
+AUTHENTIK_EMAIL__PORT=587
+AUTHENTIK_EMAIL__USERNAME=apikey
+AUTHENTIK_EMAIL__PASSWORD={{ authentik_sendgrid_api_key }}
+
+AUTHENTIK_EMAIL__USE_TLS=true
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__FROM=auth@cazzzer.com
+
+AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL=false
+AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false

roles/alpina/templates/services/authentik/.env.db.j2

@@ -0,0 +1,3 @@
+POSTGRES_USER=authentik
+POSTGRES_DB=authentik
+POSTGRES_PASSWORD={{ authentik_db_password }}

roles/alpina/templates/services/authentik/blueprints/alpina-enrollment-internal.yaml.j2

@@ -0,0 +1,225 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Enrollment by Invitation (Internal)
+entries:
+  # Flow for internal enrollment by invitation
+  - identifiers:
+      slug: enrollment-internal-invitation-flow
+    model: authentik_flows.flow
+    id: flow
+    attrs:
+      name: Alpina Enrollment Flow
+      title: Sign Up
+      designation: enrollment
+      authentication: require_unauthenticated
+
+  # Prompt fields
+  - identifiers:
+      name: alpina-enrollment-field-name
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-name
+    attrs:
+      field_key: name
+      label: Name
+      type: text
+      required: true
+      placeholder: Name
+      placeholder_expression: false
+      order: 0
+  - identifiers:
+      name: alpina-enrollment-field-password
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password
+    attrs:
+      field_key: password
+      label: Password
+      type: password
+      required: true
+      placeholder: Password
+      placeholder_expression: false
+      order: 1
+  - identifiers:
+      name: alpina-enrollment-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password-repeat
+    attrs:
+      field_key: password_repeat
+      label: Password (repeat)
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      placeholder_expression: false
+      order: 2
+
+  # Flow stages
+  - identifiers:
+      name: alpina-enrollment-invitation
+    model: authentik_stages_invitation.invitationstage
+    id: enrollment-invitation
+  - identifiers:
+      name: alpina-enrollment-identification-oauth
+    model: authentik_stages_identification.identificationstage
+    id: enrollment-identification-oauth
+    attrs:
+      user_fields:
+        - email
+      pretend_user_exists: true
+      show_matched_user: false
+      sources:
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github-enrollment]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, google-enrollment]]
+  - identifiers:
+      name: alpina-enrollment-deny-existing-email
+    model: authentik_stages_deny.denystage
+    id: enrollment-deny-existing-email
+    attrs:
+      deny_message: "An account with this email already exists"
+  - identifiers:
+      name: alpina-enrollment-prompt-name-password
+    model: authentik_stages_prompt.promptstage
+    id: enrollment-prompt-name-password
+    attrs:
+      fields:
+        - !KeyOf prompt-field-name
+        - !KeyOf prompt-field-password
+        - !KeyOf prompt-field-password-repeat
+      validation_policies:
+        - !Find [authentik_policies_password.passwordpolicy, [name, default-password-change-password-policy]]
+  - identifiers:
+      name: alpina-enrollment-user-write
+    model: authentik_stages_user_write.userwritestage
+    id: enrollment-user-write
+    attrs:
+      user_type: internal
+      create_users_group: !Find [authentik_core.group, [name, {{ auth_default_enrollment_group }}]]
+  - identifiers:
+      name: alpina-enrollment-email-verify
+    model: authentik_stages_email.emailstage
+    id: enrollment-email-verify
+    attrs:
+      use_global_settings: true
+      template: email/account_confirmation.html
+      activate_user_on_success: true
+  - identifiers:
+      name: alpina-enrollment-user-login
+    model: authentik_stages_user_login.userloginstage
+    id: enrollment-user-login
+
+  # Policies
+  - identifiers:
+      name: alpina-enrollment-invited-used-policy
+    model: authentik_policies_event_matcher.eventmatcherpolicy
+    id: enrollment-invited-used-policy
+    attrs:
+      action: invitation_used
+  - identifiers:
+      name: alpina-enrollment-unique-email-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: enrollment-unique-email-policy
+    attrs:
+      expression: |
+        # https://docs.goauthentik.io/docs/customize/policies/expression/unique_email
+        from authentik.core.models import User
+        email = request.context["flow_plan"].context["pending_user"].email
+
+        if User.objects.filter(email=email).exists():
+          ak_message("Email address in use")
+          return False
+
+        if request.context["flow_plan"].context.get("prompt_data") is None:
+          request.context["flow_plan"].context["prompt_data"] = {}
+
+        request.context["flow_plan"].context["prompt_data"]["email"] = email
+        request.context["flow_plan"].context["prompt_data"]["username"] = email
+        return True
+
+  - identifiers:
+      name: alpina-enrollment-user-write-add-groups-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: enrollment-user-write-add-groups-policy
+    attrs:
+        expression: |
+          # https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/stages/user_write
+          from authentik.core.models import Group
+          ak_logger.info("Adding groups", request=request, prompt_data=request.context["prompt_data"], invitation=request.context.get("invitation"))
+
+          requested_groups = request.context["prompt_data"].get("alpina_add_groups")
+          if requested_groups is None:
+            return True
+
+          groups = []
+          for group_name in requested_groups:
+            group, _ = Group.objects.get_or_create(name=group_name)
+            groups.append(group)
+
+          # ["groups"] *must* be set to an array of Group objects, names alone are not enough.
+          request.context["flow_plan"].context["groups"] = groups
+          return True
+
+  # Flow stage bindings
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-invitation
+      order: 0
+    model: authentik_flows.flowstagebinding
+    id: enrollment-invitation-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-identification-oauth
+      order: 1
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-deny-existing-email
+      order: 2
+    model: authentik_flows.flowstagebinding
+    id: enrollment-deny-existing-email-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-prompt-name-password
+      order: 10
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-user-write
+      order: 20
+    model: authentik_flows.flowstagebinding
+    id: enrollment-user-write-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-email-verify
+      order: 30
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-user-login
+      order: 100
+    model: authentik_flows.flowstagebinding
+
+  # Stage policy bindings
+  # Log used invitations
+  - identifiers:
+      target: !KeyOf enrollment-invitation-binding
+      policy: !KeyOf enrollment-invited-used-policy
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: true
+  # Deny existing email addresses
+  - identifiers:
+      target: !KeyOf enrollment-deny-existing-email-binding
+      policy: !KeyOf enrollment-unique-email-policy
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: true
+  # Add groups to user from invitation "alpina_add_groups" field
+  # This only work for email sign up, as the invitation flow context isn't
+  # preserved for the default-source-enrollment flow
+  - identifiers:
+      target: !KeyOf enrollment-user-write-binding
+      policy: !KeyOf enrollment-user-write-add-groups-policy
+      order: 0
+    model: authentik_policies.policybinding

roles/alpina/templates/services/authentik/blueprints/alpina-groups.yaml.j2

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Groups
+entries:
+  - identifiers:
+      name: "admins"
+    model: authentik_core.group
+    id: "admins"
+    attrs:
+      is_superuser: true
+
+  - identifiers:
+      name: "users"
+    model: authentik_core.group
+    id: "users"
+
+  - identifiers:
+      name: "arrstack"
+    model: authentik_core.group
+    id: "arrstack"
+    attrs:
+      arrstack_username: "arr"
+      arrstack_password: "{{ arrstack_password }}"
+
+  - identifiers:
+      scope_name: "minio"
+    model: authentik_providers_oauth2.scopemapping
+    id: "scope-minio"
+    attrs:
+      name: "Minio Policy"
+      expression: |
+        policy = "default"
+        if ak_is_group_member(request.user, name="admins"):
+            policy = "consoleAdmin"
+
+        return {
+          "policy": policy,
+        }
+
+  - identifiers:
+      name: "vpgen"
+    model: authentik_core.group
+    id: "vpgen"

roles/alpina/templates/services/authentik/blueprints/alpina-oauth-sources.yaml.j2

@@ -0,0 +1,79 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - External OAuth
+entries:
+  {% set sources = {
+    "GitHub": {
+      "provider_type": "github",
+      "consumer_key": github_consumer_key,
+      "consumer_secret": github_consumer_secret,
+    },
+    "Google": {
+      "provider_type": "google",
+      "consumer_key": google_consumer_key,
+      "consumer_secret": google_consumer_secret,
+    },
+  } -%}
+  {% for source in sources.keys() -%}
+  - identifiers:
+      slug: {{ source | lower }}-auth
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      provider_type: {{ sources[source]["provider_type"] }}
+      name: {{ source }} (Auth Only)
+      consumer_key: {{ sources[source]["consumer_key"] }}
+      consumer_secret: {{ sources[source]["consumer_secret"] }}
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+  - identifiers:
+      slug: {{ source | lower }}-enrollment
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      provider_type: {{ sources[source]["provider_type"] }}
+      name: {{ source }} (Auth and Enrollment)
+      consumer_key: {{ sources[source]["consumer_key"] }}
+      consumer_secret: {{ sources[source]["consumer_secret"] }}
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+      enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]]
+  {% endfor %}
+
+  # Modify default source enrollment to use email as username
+  - identifiers:
+      slug: default-source-enrollment
+    model: authentik_flows.flow
+    id: source-enrollment-flow
+    attrs:
+      policy_engine_mode: all
+  - identifiers:
+      name: alpina-email-as-username-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: email-as-username-policy
+    attrs:
+      expression: |
+        # https://docs.goauthentik.io/docs/users-sources/sources/social-logins/google/#username-mapping
+        email = request.context["prompt_data"].get("email")
+        # Direct set username to email
+        request.context["prompt_data"]["username"] = email
+        # Set username to email without domain
+        # request.context["prompt_data"]["username"] = email.split("@")[0]
+        return True
+  - identifiers:
+      policy: !KeyOf email-as-username-policy
+      target: !KeyOf source-enrollment-flow
+    model: authentik_policies.policybinding
+    attrs:
+      order: 0
+
+  # Modify default source enrollment to create internal users
+  # with the internal user type and the users group
+  - identifiers:
+      name: default-source-enrollment-write
+    model: authentik_stages_user_write.userwritestage
+    attrs:
+      user_type: internal
+      create_users_group: !Find [authentik_core.group, [name, {{ auth_default_enrollment_group }}]]

roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2

@@ -0,0 +1,98 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - OAuth2 Apps
+entries:
+  {% set apps = {
+    "Grafana": {
+      "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
+      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+      "client_secret": auth_grafana_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Minio": {
+      "redirect_uri": "https://minio."~ domain ~"/oauth_callback",
+      "icon": "https://minio."~ domain ~"/logo192.png",
+      "client_secret": auth_minio_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Gitea": {
+      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+      "client_secret": auth_gitea_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
+    },
+    "Nextcloud": {
+      "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+      "client_secret": auth_nextcloud_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
+    },
+    "VPGen": {
+      "redirect_uri": "https://vpgen."~ domain ~"/auth/authentik/callback",
+      "icon": "https://vpgen."~ domain ~"/favicon.png",
+      "client_secret": auth_vpgen_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users", "vpgen"],
+    },
+    "Pgrok": {
+      "redirect_uri": "https://pgrok."~ domain ~"/-/oidc/callback",
+      "icon": "https://pgrok."~ domain ~"/pgrok.svg",
+      "client_secret": auth_pgrok_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
+    },
+  } -%}
+  {% for app in apps.keys() -%}
+  - identifiers:
+      name: {{ app }}
+    model: authentik_providers_oauth2.oauth2provider
+    id: {{ app }}
+    attrs:
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: confidential
+      client_id: {{ app | lower }}
+      client_secret: {{ apps[app]["client_secret"] }}
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+        {% if app == "Minio" -%}
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
+        {%- endif %}
+
+      redirect_uris:
+        - matching_mode: strict
+          url: {{ apps[app]["redirect_uri"] }}
+      # Necessary for JWKS to be generated correctly
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
+
+  - identifiers:
+      slug: {{ app | lower }}
+    model: authentik_core.application
+    id: app-{{ app }}
+    attrs:
+      name: {{ app }}
+      group: "{{ apps[app]["ui_group"] }}"
+      meta_description: "Hello, I'm {{ app }}!"
+      meta_publisher: Alpina
+      icon: "{{ apps[app]["icon"] }}"
+      open_in_new_tab: true
+      provider: !KeyOf {{ app }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
+  {% endfor %}

roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2

@@ -0,0 +1,95 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Proxied Apps
+entries:
+  # TODO: Possibly refactor this into a jinja macro (?)
+  {% set apps = {
+    "Uptime Kuma": {
+      "host": "uptime",
+      "icon": "https://uptime."~ domain ~"/icon.svg",
+      "unauthenticated_paths": "^/icon.svg$",
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Syncthing": {
+      "host": "sync",
+      "icon": "https://sync."~ domain ~"/assets/img/favicon-default.png",
+      "unauthenticated_paths": "^/assets/img/favicon-default.png$",
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins"],
+    },
+    "qBit": {
+      "host": "qbit",
+      "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
+      "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
+    },
+    "Prowlarr": {
+      "host": "prowlarr",
+      "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
+      "unauthenticated_paths": "^/Content/Images/logo.svg$",
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
+    },
+    "Sonarr": {
+      "host": "sonarr",
+      "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
+      "unauthenticated_paths": "^/Content/Images/logo.svg$",
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
+    },
+    "Radarr": {
+      "host": "radarr",
+      "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
+      "unauthenticated_paths": "^/Content/Images/logo.svg$",
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
+    },
+  } -%}
+  {% for app in apps.keys() -%}
+  - identifiers:
+      name: {{ app }}
+    model: authentik_providers_proxy.proxyprovider
+    id: {{ app }}
+    attrs:
+      authorization_flow: !Find [authentik_flows.flow, [ slug, default-provider-authorization-implicit-consent ] ]
+      mode: forward_single
+      external_host: "https://{{ apps[app]["host"] }}.{{ domain }}/"
+      skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"
+
+  - identifiers:
+      slug: {{ app | lower | replace(" ", "-") }}
+    model: authentik_core.application
+    id: app-{{ app }}
+    attrs:
+      name: {{ app }}
+      group: {{ apps[app]["ui_group"] }}
+      meta_description: "Hello, I'm {{ app }}!"
+      meta_publisher: Alpina
+      icon: "{{ apps[app]["icon"] }}"
+      open_in_new_tab: true
+      provider: !KeyOf {{ app }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
+  {% endfor %}
+
+  - identifiers:
+      managed: goauthentik.io/outposts/embedded
+      name: authentik Embedded Outpost
+    model: authentik_outposts.outpost
+    attrs:
+      providers:
+      {% for app in apps.keys() -%}
+        - !KeyOf {{ app }}
+      {% endfor %}

roles/alpina/templates/services/authentik/blueprints/default-authentication.yaml.j2

@@ -0,0 +1,59 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Authentication Modifications
+entries:
+    # Add a new flow for passwordless WebAuthn authentication
+  - identifiers:
+      slug: authentication-passwordless-flow
+    model: authentik_flows.flow
+    attrs:
+      designation: authentication
+      name: WebAuthn Authentication Flow
+      title: Sign in with a passkey
+
+    # Add a new stage to the flow to validate just WebAuthn devices
+  - identifiers:
+      name: webauthn-validation
+    model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+    attrs:
+      device_classes:
+        - webauthn
+      not_configured_action: deny
+      webauthn_user_verification: required
+
+    # Stage bindings for passwordless flow,
+    # 1. Validate WebAuthn key
+  - identifiers:
+      order: 10
+      stage: !Find [authentik_stages_authenticator_validate.authenticatorvalidatestage, [name, webauthn-validation]]
+      target: !Find [authentik_flows.flow, [slug, authentication-passwordless-flow]]
+    model: authentik_flows.flowstagebinding
+    # 2. Finish authenticating user
+  - identifiers:
+      order: 100
+      stage: !Find [authentik_stages_user_login.userloginstage, [name, default-authentication-login]]
+      target: !Find [authentik_flows.flow, [slug, authentication-passwordless-flow]]
+    model: authentik_flows.flowstagebinding
+
+    # Some modifications to the default identification stage
+  - identifiers:
+      name: default-authentication-identification
+    model: authentik_stages_identification.identificationstage
+    attrs:
+      # Allow username and password fields to be on the same page
+      password_stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
+      # Add a button to use the passwordless WebAuthn flow
+      passwordless_flow: !Find [authentik_flows.flow, [slug, authentication-passwordless-flow]]
+      sources:
+        - !Find [authentik_core.source, [slug, authentik-built-in]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github-auth]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, google-auth]]
+
+    # Enable compatibility mode for the default authentication flow for better autofill support
+  - identifiers:
+      slug: default-authentication-flow
+    model: authentik_flows.flow
+    attrs:
+      compatibility_mode: true

roles/alpina/templates/services/authentik/compose.yml.j2

@@ -0,0 +1,62 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(253) | indent(2) }}
+
+services:
+  server:
+    image: ghcr.io/goauthentik/server:latest
+    container_name: authentik_server
+    labels:
+      - {{ helpers.traefik_labels('auth', port='9000') | indent(6) }}
+      - traefik.http.middlewares.authentik.forwardauth.address=http://localhost:9000/outpost.goauthentik.io/auth/traefik
+      - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true
+      - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=Authorization,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+    restart: unless-stopped
+    # Port forward is needed because traefik can't resolve the container name from the host network
+    ports:
+      - "127.0.0.1:9000:9000"
+      - "[::1]:9000:9000"
+    command: server
+    env_file:
+      - .env.authentik
+
+  worker:
+    image: ghcr.io/goauthentik/server:latest
+    container_name: authentik_worker
+    restart: unless-stopped
+    command: worker
+    env_file:
+      - .env.authentik
+    volumes:
+      - ./blueprints:/blueprints/alpina
+      - {{ base_volume_path }}/authentik/certs:/certs
+
+  postgres:
+    image: postgres:16-alpine
+    container_name: authentik_postgres
+    restart: unless-stopped
+    env_file:
+      - .env.db
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - {{ base_volume_path }}/authentik/postgres:/var/lib/postgresql/data
+
+  redis:
+    image: redis:alpine
+    container_name: authentik_redis
+    restart: unless-stopped
+    command: --save 60 1 --loglevel warning
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - {{ base_volume_path }}/authentik/redis:/data

roles/alpina/templates/services/minio/.env.minio.j2

@@ -0,0 +1,20 @@
+MINIO_ROOT_USER=minio
+MINIO_ROOT_PASSWORD={{ minio_password }}
+
+MINIO_DOMAIN=s3.{{ domain }}
+MINIO_SERVER_URL=https://s3.{{ domain }}
+MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}
+
+# https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
+# defaults to "policy"
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
+MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
+# no need to specify scopes,
+# as it defaults to the ones advertised at the discovery url
+#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
+#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
+#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
+#MINIO_IDENTITY_OPENID_COMMENT=

roles/alpina/templates/services/minio/compose.yml.j2

@@ -0,0 +1,19 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(252) | indent(2) }}
+
+services:
+  minio:
+    image: minio/minio:latest
+    container_name: minio
+    labels:
+      - {{ helpers.traefik_labels('minio', port='9090') | indent(6) }}
+      - {{ helpers.traefik_labels('s3', port='9000') | indent(6) }}
+      - {{ helpers.traefik_labels('s3', port='9000', wildcard=true) | indent(6) }}
+    restart: unless-stopped
+    command: server --console-address ":9090" /data
+    env_file:
+      - .env.minio
+    volumes:
+      - {{ base_volume_path }}/minio/data:/data

roles/alpina/templates/services/monitoring/.env.influxdb.j2

@@ -0,0 +1,7 @@
+DOCKER_INFLUXDB_INIT_MODE=setup
+DOCKER_INFLUXDB_INIT_ORG=home
+DOCKER_INFLUXDB_INIT_BUCKET=influx
+DOCKER_INFLUXDB_INIT_USERNAME=CaZzzer
+DOCKER_INFLUXDB_INIT_PASSWORD={{ influxdb_admin_password }}
+DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ influxdb_admin_token }}
+DOCKER_INFLUXDB_INIT_RETENTION=1w

roles/alpina/templates/services/monitoring/Dockerfile

@@ -0,0 +1,17 @@
+FROM python:3-alpine AS builder
+
+RUN pip install grafanalib
+
+COPY ./grafana_config/dashboards /dashboards
+
+# Required for grafanalib to find the shared python files like common.py
+# https://github.com/weaveworks/grafanalib/issues/58
+ENV PYTHONPATH=/dashboards
+
+RUN generate-dashboards /dashboards/*.dashboard.py
+
+FROM grafana/grafana:latest
+
+#COPY ./grafana_config /etc/grafana
+COPY ./grafana_config/dashboards/*.yaml /etc/grafana/provisioning/dashboards
+COPY --from=builder /dashboards/*.json /etc/grafana/provisioning/dashboards

roles/alpina/templates/services/monitoring/compose.yml.j2

@@ -0,0 +1,112 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(251) | indent(2) }}
+
+services:
+  grafana:
+{#    image: grafana/grafana:latest#}
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: grafana
+    labels:
+      - {{ helpers.traefik_labels('grafana', port='3000') | indent(6) }}
+    restart: unless-stopped
+    # Needed to make config files readable (not anymore, TODO: remove)
+    user: "{{ remote_uid }}"
+    volumes:
+      - {{ base_volume_path }}/monitoring/grafana:/var/lib/grafana
+      - ./grafana_config/grafana.ini:/etc/grafana/grafana.ini:ro
+      - ./grafana_config/datasources:/etc/grafana/provisioning/datasources:ro
+{#      - ./grafana_config:/etc/grafana:ro#}
+
+  loki:
+    image: grafana/loki:3.5
+    container_name: loki
+    restart: unless-stopped
+    # Needed to make config files readable (not anymore, TODO: remove)
+    user: "{{ remote_uid }}"
+    command:
+      - -config.file=/etc/loki/loki-config.yaml
+    # Port forward is needed because not possible to resolve the container name from the host network
+    ports:
+      - "127.0.0.1:3100:3100"
+      - "[::1]:3100:3100"
+    volumes:
+      - {{ base_volume_path }}/monitoring/loki:/loki
+      - ./loki_config:/etc/loki:ro
+    tmpfs:
+      - /tmp/loki
+
+  promtail:
+    image: grafana/promtail:3.5
+    container_name: promtail
+    restart: unless-stopped
+    command:
+      - -config.file=/etc/promtail/promtail-config.yaml
+    ports:
+      - 514:514
+    volumes:
+        - ./promtail_config:/etc/promtail:ro
+        - /var/log:/var/log:ro
+    tmpfs:
+      - /tmp
+
+  prometheus:
+    image: prom/prometheus:latest
+    container_name: prometheus
+    restart: unless-stopped
+    # Needed to make config files readable (not anymore, TODO: remove)
+    user: "{{ remote_uid }}"
+    command:
+      - --config.file=/etc/prometheus/prometheus.yml
+      - --storage.tsdb.retention.time=30d
+    volumes:
+      - ./prometheus_config:/etc/prometheus:ro
+      - {{ base_volume_path }}/monitoring/prometheus_configs:/etc/prometheus/extra:ro
+      - {{ base_volume_path }}/monitoring/prometheus:/prometheus
+
+  node-exporter:
+    image: prom/node-exporter:latest
+    container_name: node-exporter
+    restart: unless-stopped
+    network_mode: host
+    pid: host
+    volumes:
+      - /:/host:ro,rslave
+
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:latest
+    container_name: cadvisor
+    restart: unless-stopped
+    command:
+      - --docker_only=true
+      - --store_container_labels=false
+      - --whitelisted_container_labels=com.docker.compose.project,com.docker.compose.service
+      - --enable_metrics=cpu,cpuLoad,diskIO,memory,network,oom_event,process
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:rw
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+
+  influxdb:
+    image: influxdb:2.7-alpine
+    container_name: influxdb
+    labels:
+      - {{ helpers.traefik_labels('influxdb', port='8086') | indent(6) }}
+    restart: unless-stopped
+    env_file:
+      - .env.influxdb
+    volumes:
+      - {{ base_volume_path }}/monitoring/influxdb:/var/lib/influxdb2
+
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    container_name: uptime-kuma
+    labels:
+      - {{ helpers.traefik_labels('uptime', port='3001', auth=true) | indent(6) }}
+    restart: unless-stopped
+    volumes:
+      - {{ base_volume_path }}/monitoring/uptime-kuma:/app/data

roles/alpina/templates/services/monitoring/grafana_config/dashboards/alpina.yaml

@@ -0,0 +1,9 @@
+apiVersion: 1
+
+providers:
+  - name: "Grafana"
+    org_id: 1
+    folder: "Alpina"
+    type: "file"
+    options:
+      path: "/etc/grafana/provisioning/dashboards"

roles/alpina/templates/services/monitoring/grafana_config/dashboards/common.py

@@ -0,0 +1,81 @@
+from attrs import define
+from grafanalib.core import Template, TimeSeries, Dashboard, HIDE_VARIABLE, Target
+
+CONF_SUPPORT_LOKI = True
+CONF_SUPPORT_ZFS = True
+
+CONF_DATASOURCE_VAR_PROM = 'prom_datasource'
+CONF_DATASOURCE_VAR_LOKI = 'loki_datasource'
+
+prom_datasource = f'${{{CONF_DATASOURCE_VAR_PROM}}}'
+loki_datasource = f'${{{CONF_DATASOURCE_VAR_LOKI}}}'
+
+prom_template = Template(
+    name=CONF_DATASOURCE_VAR_PROM,
+    type='datasource',
+    label='Prometheus',
+    query='prometheus',
+    hide=HIDE_VARIABLE,
+)
+
+loki_template = Template(
+    name=CONF_DATASOURCE_VAR_LOKI,
+    type='datasource',
+    label='Loki',
+    query='loki',
+    hide=HIDE_VARIABLE,
+)
+
+
+@define
+class MyDashboard(Dashboard):
+    """Wrapper class for Dashboard with some default values"""
+    timezone: str = 'browser'
+    sharedCrosshair: bool = True
+
+
+@define
+class MyTimeSeries(TimeSeries):
+    """Wrapper class for TimeSeries with some default values and custom fields"""
+    fillOpacity: int = 10
+    lineWidth: int = 1
+    showPoints: str = 'never'
+    tooltipMode: str = 'multi'
+    maxDataPoints: int = None
+
+    # new fields
+    axisCenteredZero: bool = False
+
+    def to_json_data(self):
+        data = super().to_json_data()
+        data['fieldConfig']['defaults']['custom']['axisCenteredZero'] = self.axisCenteredZero
+        return data
+
+
+@define
+class PromTarget(Target):
+    """Wrapper class for Target with default prometheus datasource"""
+    datasource: str = prom_datasource
+
+
+@define
+class LokiTarget(object):
+    """Custom class for Loki Target, because normal Target gave errors in grafana"""
+    expr: str
+    legendFormat: str
+    datasource: str = loki_datasource
+    refId: str = None
+    queryType: str = 'range'
+
+    def to_json_data(self):
+        return {
+            'datasource': self.datasource,
+            'expr': self.expr,
+            'legendFormat': self.legendFormat,
+            'refId': self.refId,
+            'queryType': self.queryType,
+        }
+
+
+def filter_none(l: list):
+    return [i for i in l if i is not None]

roles/alpina/templates/services/monitoring/grafana_config/dashboards/containers.dashboard.py

@@ -0,0 +1,101 @@
+from grafanalib.core import GridPos, Templating, Template, Logs
+from grafanalib.formatunits import BYTES_IEC, SECONDS, BYTES_SEC_IEC
+
+from common import LokiTarget, prom_template, loki_template, MyTimeSeries, MyDashboard, CONF_SUPPORT_LOKI, filter_none, \
+    prom_datasource, PromTarget
+
+dashboard = MyDashboard(
+    title='Containers',
+    uid='containers',
+    description='Data for compose projects from default Prometheus datasource collected by Cadvisor',
+    tags=[
+        'linux',
+        'docker',
+    ],
+    templating=Templating(list=filter_none([
+        prom_template,
+        loki_template if CONF_SUPPORT_LOKI else None,
+        Template(
+            name='compose_project',
+            label='Compose Project',
+            dataSource=prom_datasource,
+            query='label_values({__name__=~"container.*"}, container_label_com_docker_compose_project)',
+            includeAll=True,
+            multi=True,
+        ),
+        Template(
+            name='container_name',
+            label='Container',
+            dataSource=prom_datasource,
+            query='label_values({__name__=~"container.*", container_label_com_docker_compose_project=~"$compose_project"}, name)',
+            includeAll=True,
+            multi=True,
+        ),
+        Template(
+            name='logs_query',
+            label='Log Search',
+            query='',
+            type='textbox',
+        ),
+    ])),
+    panels=filter_none([
+        MyTimeSeries(
+            title='Container Memory Usage',
+            unit=BYTES_IEC,
+            gridPos=GridPos(h=8, w=12, x=0, y=0),
+            tooltipSort='desc',
+            stacking={'mode': 'normal'},
+            targets=[
+                PromTarget(
+                    expr='max by (name) (container_memory_usage_bytes{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"})',
+                    legendFormat='{{ name }}',
+                ),
+            ],
+        ),
+        MyTimeSeries(
+            title='Container CPU Usage',
+            unit=SECONDS,
+            gridPos=GridPos(h=8, w=12, x=12, y=0),
+            tooltipSort='desc',
+            stacking={'mode': 'normal'},
+            targets=[
+                PromTarget(
+                    expr='max by (name) (irate(container_cpu_usage_seconds_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
+                    legendFormat='{{ name }}',
+                ),
+            ],
+        ),
+        MyTimeSeries(
+            title='Container Network Traffic',
+            unit=BYTES_SEC_IEC,
+            gridPos=GridPos(h=8, w=12, x=0, y=8),
+            tooltipSort='desc',
+            axisCenteredZero=True,
+            targets=[
+                PromTarget(
+                    expr='max by (name) (irate(container_network_receive_bytes_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
+                    legendFormat="rx {{ name }}",
+                ),
+                PromTarget(
+                    expr='-max by (name) (irate(container_network_transmit_bytes_total{name=~"$container_name", container_label_com_docker_compose_project=~"$compose_project"}[$__rate_interval]))',
+                    legendFormat="tx {{ name }}",
+                ),
+            ],
+        ),
+        Logs(
+            title='',
+            gridPos=GridPos(h=8, w=12, x=12, y=8),
+            showLabels=True,
+            showCommonLabels=True,
+            wrapLogMessages=True,
+            prettifyLogMessage=True,
+            dedupStrategy='numbers',
+            targets=[
+                LokiTarget(
+                    expr='{compose_project=~"$compose_project", container_name=~"$container_name"} |= `$logs_query`',
+                    legendFormat='{{ container_name }}',
+                ),
+            ],
+        ) if CONF_SUPPORT_LOKI else None,
+    ]),
+).auto_panel_ids()

roles/alpina/templates/services/monitoring/grafana_config/dashboards/node.dashboard.py

@@ -0,0 +1,159 @@
+from grafanalib.core import Templating, Template, GridPos
+from grafanalib.formatunits import BYTES_IEC, BITS_SEC, PERCENT_UNIT
+
+from common import prom_template, MyTimeSeries, MyDashboard, CONF_SUPPORT_ZFS, PromTarget, prom_datasource
+
+dashboard = MyDashboard(
+    title='Node Exporter',
+    uid='node',
+    description='Node Exporter (not quite full)',
+    tags=[
+        'linux',
+    ],
+    templating=Templating(list=[
+        # Datasource
+        prom_template,
+        # Job
+        Template(
+            name='job',
+            label='Job',
+            dataSource=prom_datasource,
+            query='label_values(node_uname_info, job)',
+        ),
+        # Instance
+        Template(
+            name='instance',
+            label='Instance',
+            dataSource=prom_datasource,
+            query='label_values(node_uname_info{job="$job"}, instance)',
+        ),
+    ]),
+    panels=[
+        # CPU Basic
+        MyTimeSeries(
+            title='CPU Basic',
+            description='Basic CPU usage info',
+            unit=PERCENT_UNIT,
+            gridPos=GridPos(h=8, w=12, x=0, y=0),
+            stacking={'mode': 'percent'},
+            targets=[
+                PromTarget(
+                    expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="system"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
+                    legendFormat='Busy System',
+                ),
+                PromTarget(
+                    expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="user"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
+                    legendFormat='Busy User',
+                ),
+                PromTarget(
+                    expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="iowait"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
+                    legendFormat='Busy Iowait',
+                ),
+                PromTarget(
+                    expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode=~".*irq"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
+                    legendFormat='Busy IRQs',
+                ),
+                PromTarget(
+                    expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job",  mode!="idle",mode!="user",mode!="system",mode!="iowait",mode!="irq",mode!="softirq"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
+                    legendFormat='Busy Other',
+                ),
+                PromTarget(
+                    expr='sum(irate(node_cpu_seconds_total{instance="$instance",job="$job", mode="idle"}[$__rate_interval])) / scalar(count(count(node_cpu_seconds_total{instance="$instance",job="$job"}) by (cpu)))',
+                    legendFormat='Idle',
+                ),
+            ],
+        ),
+        # Memory Basic
+        MyTimeSeries(
+            title='Memory Basic',
+            description='Basic memory usage',
+            unit=BYTES_IEC,
+            gridPos=GridPos(h=8, w=12, x=12, y=0),
+            stacking={'mode': 'normal'},
+            valueMin=0,
+            targets=[
+                PromTarget(
+                    expr='node_memory_MemTotal_bytes{instance="$instance",job="$job"}',
+                    format='time_series',
+                    legendFormat='RAM Total',
+                ),
+                PromTarget(
+                    expr='node_memory_MemTotal_bytes{instance="$instance",job="$job"} - node_memory_MemFree_bytes{instance="$instance",job="$job"} - (node_memory_Cached_bytes{instance="$instance",job="$job"} + node_memory_Buffers_bytes{instance="$instance",job="$job"} + node_memory_SReclaimable_bytes{instance="$instance",job="$job"})',
+                    format='time_series',
+                    legendFormat='RAM Used',
+                    hide=CONF_SUPPORT_ZFS,
+                ),
+                PromTarget(
+                    expr='node_memory_MemTotal_bytes{instance="$instance",job="$job"} - node_memory_MemFree_bytes{instance="$instance",job="$job"} - (node_memory_Cached_bytes{instance="$instance",job="$job"} + node_memory_Buffers_bytes{instance="$instance",job="$job"} + node_memory_SReclaimable_bytes{instance="$instance",job="$job"}) - node_zfs_arc_size{instance="$instance",job="$job"}',
+                    format='time_series',
+                    legendFormat='RAM Used',
+                    hide=not CONF_SUPPORT_ZFS,
+                ),
+                PromTarget(
+                    expr='node_memory_Cached_bytes{instance="$instance",job="$job"} + node_memory_Buffers_bytes{instance="$instance",job="$job"} + node_memory_SReclaimable_bytes{instance="$instance",job="$job"}',
+                    legendFormat='RAM Cache + Buffer',
+                ),
+                PromTarget(
+                    expr='node_zfs_arc_size{instance="$instance",job="$job"}',
+                    legendFormat='ZFS Arc',
+                    hide=not CONF_SUPPORT_ZFS,
+                ),
+                PromTarget(
+                    expr='node_memory_MemFree_bytes{instance="$instance",job="$job"}',
+                    legendFormat='RAM Free',
+                ),
+                PromTarget(
+                    expr='(node_memory_SwapTotal_bytes{instance="$instance",job="$job"} - node_memory_SwapFree_bytes{instance="$instance",job="$job"})',
+                    legendFormat='SWAP Used',
+                ),
+            ],
+            overrides=[
+                # Prevent total memory from being stacked
+                {
+                    'matcher': {
+                        'id': 'byName',
+                        'options': 'RAM Total'
+                    },
+                    'properties': [
+                        {
+                            'id': 'custom.stacking',
+                            'value': {'mode': 'none'}
+                        }
+                    ]
+                },
+            ],
+        ),
+        # Network Traffic Basic
+        MyTimeSeries(
+            title='Network Traffic Basic',
+            description='Basic network usage info per interface',
+            unit=BITS_SEC,
+            gridPos=GridPos(h=8, w=12, x=0, y=8),
+            tooltipSort='desc',
+            axisCenteredZero=True,
+            targets=[
+                PromTarget(
+                    expr='irate(node_network_receive_bytes_total{instance="$instance",job="$job"}[$__rate_interval]) * 8',
+                    legendFormat='rx {{ device }}',
+                ),
+                PromTarget(
+                    expr='-irate(node_network_transmit_bytes_total{instance="$instance",job="$job"}[$__rate_interval]) * 8',
+                    legendFormat='tx {{ device }}',
+                ),
+            ],
+        ),
+        # Disk Space Basic
+        MyTimeSeries(
+            title='Disk Space Used Basic',
+            description='Disk space used of all filesystems mounted',
+            unit=PERCENT_UNIT,
+            gridPos=GridPos(h=8, w=12, x=12, y=8),
+            targets=[
+                PromTarget(
+                    expr='1 - (node_filesystem_avail_bytes{instance="$instance",job="$job",device!~"rootfs"} / node_filesystem_size_bytes{instance="$instance",job="$job",device!~"rootfs"})',
+                    legendFormat='{{ mountpoint }}',
+                ),
+            ],
+        ),
+    ],
+).auto_panel_ids()

roles/alpina/templates/services/monitoring/grafana_config/datasources/alpina.yaml.j2

@@ -0,0 +1,29 @@
+apiVersion: 1
+
+datasources:
+  - name: Loki
+    type: loki
+    access: proxy
+    uid: loki
+    url: http://loki:3100
+    editable: false
+
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    uid: prometheus
+    url: http://prometheus:9090
+    editable: false
+
+  - name: InfluxDB
+    type: influxdb
+    access: proxy
+    uid: influxdb
+    url: http://influxdb:8086
+    jsonData:
+      version: Flux
+      organization: home
+      defaultBucket: influx
+    secureJsonData:
+      token: {{ influxdb_admin_token }}
+    editable: false

roles/alpina/templates/services/monitoring/grafana_config/grafana.ini.j2

@@ -0,0 +1,34 @@
+[server]
+domain = grafana.{{ domain }}
+root_url = https://%(domain)s/
+
+;[security]
+;admin_user =
+;admin_email =
+;admin_password =
+
+; https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
+[auth]
+disable_login_form = true
+signout_redirect_url = https://auth.{{ domain }}/application/o/grafana/end-session/
+
+[auth.generic_oauth]
+name = Authentik
+enabled = true
+allow_sign_up = true
+
+client_id = grafana
+client_secret = {{ auth_grafana_client_secret }}
+
+scopes = openid profile email
+auth_url = https://auth.{{ domain }}/application/o/authorize/
+token_url = https://auth.{{ domain }}/application/o/token/
+api_url = https://auth.{{ domain }}/application/o/userinfo/
+
+email_attribute_path = email
+login_attribute_path = preferred_username
+name_attribute_path = name
+
+# Optionally map user groups to Grafana roles
+allow_assign_grafana_admin = true
+role_attribute_path = contains(groups[*], 'admins') && 'GrafanaAdmin' || 'Viewer'

roles/alpina/templates/services/monitoring/loki_config/loki-config.yaml.j2

@@ -0,0 +1,30 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+
+common:
+  path_prefix: /loki
+  # TODO: Consider setting up S3 for storage
+  storage:
+    filesystem:
+      chunks_directory: /loki/chunks
+      rules_directory: /loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+schema_config:
+  configs:
+    - from: 2024-10-18
+      index:
+        period: 24h
+        prefix: index_
+      object_store: filesystem
+      schema: v13
+      store: tsdb
+
+# TODO: Figure this out
+# ruler:
+#   alertmanager_url: http://localhost:9093

roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2

@@ -0,0 +1,39 @@
+global:
+  scrape_interval: 15s
+  evaluation_interval: 15s
+
+  external_labels:
+    monitor: "{{ ansible_host }}"
+
+scrape_configs:
+  - job_name: "prometheus"
+    static_configs:
+      - targets: ["localhost:9090"]
+
+  - job_name: "node"
+    static_configs:
+      - targets: ["{{ ansible_host }}:9100"]
+
+  - job_name: "cadvisor"
+    static_configs:
+      - targets: ["cadvisor:8080"]
+
+  - job_name: "traefik"
+    static_configs:
+      - targets: ["{{ ansible_host }}:8082"]
+
+  - job_name: "loki"
+    static_configs:
+      - targets: ["loki:3100"]
+
+  - job_name: "promtail"
+    static_configs:
+      - targets: ["promtail:9080"]
+
+rule_files:
+  - "/etc/prometheus/extra/rules/*.yml"
+  - "/etc/prometheus/extra/rules/*.json"
+
+scrape_config_files:
+  - "/etc/prometheus/extra/scrape_configs/*.yml"
+  - "/etc/prometheus/extra/scrape_configs/*.json"

roles/alpina/templates/services/monitoring/promtail_config/promtail-config.yaml

@@ -0,0 +1,48 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+
+  # local machine logs
+  - job_name: local
+    static_configs:
+    - targets:
+        - localhost
+      labels:
+        job: varlogs
+        __path__: /var/log/*log
+
+  # syslog target
+  - job_name: syslog
+    syslog:
+      listen_address: "0.0.0.0:514" # make sure you also expose this port on the container
+      idle_timeout: 60s
+      label_structured_data: yes
+      labels:
+        job: "syslog"
+    relabel_configs:
+      - source_labels: ['__syslog_message_hostname']
+        target_label: 'host'
+      - source_labels: ['__syslog_message_facility']
+        target_label: 'facility'
+      - source_labels: ['__syslog_message_severity']
+        target_label: 'severity'
+      - source_labels: ['__syslog_message_app_name']
+        target_label: 'app_name'
+
+## docker logs
+
+#- job_name: docker
+#  pipeline_stages:
+#    - docker: {}
+#  static_configs:
+#    - labels:
+#        job: docker
+#        __path__: /var/lib/docker/containers/*/*-json.log

roles/alpina/templates/services/traefik/.env.traefik.j2

@@ -0,0 +1 @@
+CF_DNS_API_TOKEN={{ cloudflare_api_token }}

roles/alpina/templates/services/traefik/compose.yml.j2

@@ -0,0 +1,25 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(254) | indent(2) }}
+
+services:
+  traefik:
+    image: traefik:v3.4
+    container_name: traefik
+    restart: unless-stopped
+    env_file:
+      - .env.traefik
+    network_mode: host
+    volumes:
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./rules:/rules:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - {{ base_volume_path }}/traefik/rules:/rules/extra:ro
+      - {{ base_volume_path }}/traefik/acme:/acme
+
+  whoami:
+    image: containous/whoami
+    container_name: whoami
+    labels:
+      - {{ helpers.traefik_labels('whoami', port='80') | indent(6) }}

roles/alpina/templates/services/traefik/rules/traefik-dash.yml.j2

@@ -0,0 +1,25 @@
+http:
+  routers:
+    traefik-dash:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - web
+      service: traefik-dash
+
+    traefik-dash-tls:
+      rule: "Host(`traefik.{{ domain }}`)"
+      entryPoints:
+        - websecure
+      service: traefik-dash
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: "{{ domain }}"
+            sans:
+              - "*.{{ domain }}"
+
+  services:
+    traefik-dash:
+      loadBalancer:
+        servers:
+          - url: "http://localhost:8080"

roles/alpina/templates/services/traefik/traefik.yml.j2

@@ -0,0 +1,51 @@
+api:
+  insecure: true
+
+log:
+  level: INFO
+accessLog:
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    http3:
+      advertisedPort: 443
+    forwardedHeaders:
+      trustedIPs:
+        # https://www.cloudflare.com/ips-v6
+        - 2400:cb00::/32
+        - 2606:4700::/32
+        - 2803:f800::/32
+        - 2405:b500::/32
+        - 2405:8100::/32
+        - 2a06:98c0::/29
+        - 2c0f:f248::/32
+  metrics:
+    address: ":8082"
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: {{ acme_email }}
+      storage: "/acme/acme.json"
+      keyType: "EC384"
+      dnsChallenge:
+        provider: "cloudflare"
+        delayBeforeCheck: 10
+        resolvers:
+          - 1.1.1.1
+          - 8.8.8.8
+          - 9.9.9.9
+
+providers:
+  docker:
+    exposedByDefault: false
+  file:
+    directory: /rules
+    watch: true

roles/clean/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Get list of running Docker containers
+  docker_host_info:
+    containers: yes
+  register: docker_container_list
+
+- name: Stop all running Docker containers
+  docker_container:
+    name: "{{ item }}"
+    state: stopped
+  loop: "{{ docker_container_list.containers | map(attribute='Id') | list }}"
+  async: 300
+  poll: 0
+
+- name: Prune all Docker containers and networks
+  docker_prune:
+    containers: yes
+    networks: yes
+
+- name: Clean alpina directory
+  file:
+    path: "{{ alpina_svc_path }}"
+    state: absent

roles/common/tasks/main.yml

@@ -1,43 +1,86 @@
-- name: Upgrade alpine packages
-  community.general.apk:
-    upgrade: yes
-    update_cache: yes
-  register: apk_upgrades
-
-- name: Install alpine packages
-  community.general.apk:
+- name: Install Debian packages
+  become: yes
+  ansible.builtin.apt:
     name:
-      - qemu-guest-agent
-      - dhcpcd
-      - python3
-      - fish
-      - docker
-      - docker-compose
-      - docker-fish-completion
-      - docker-compose-fish-completion
-      - zfs
+     - docker-ce
+     - docker-compose-plugin
+     - firewalld
     state: latest
+
+- name: Upgrade Debian packages
+  become: yes
+  ansible.builtin.apt:
+    upgrade: dist
     update_cache: yes
-  register: apk_installs
+    cache_valid_time: 3600
+    autoremove: yes
+    state: latest
+  register: apt_upgrades
 
-- name: Enable qemu-guest-agent service
+- name: Ensure firewalld is running
+  become: yes
   service:
-    name: qemu-guest-agent
-    runlevel: boot
+    name: firewalld
+    state: started
     enabled: yes
 
-- name: Enable zfs-import service
-  service:
-    name: zfs-import
-    runlevel: sysinit
-    enabled: yes
+- name: Allow SSH
+  become: yes
+  firewalld:
+    service: ssh
+    permanent: yes
+    state: enabled
+    immediate: yes
 
-- name: Enable zfs-mount service
-  service:
-    name: zfs-mount
-    runlevel: sysinit
-    enabled: yes
+- name: Disallow Web
+  become: yes
+  firewalld:
+    service: http
+    permanent: yes
+    state: disabled
+    immediate: yes
+
+- name: Allow Web Secure
+  become: yes
+  firewalld:
+    service: https
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow 443 udp for http3
+  become: yes
+  firewalld:
+    port: 443/udp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow 514 tcp for syslog
+  become: yes
+  firewalld:
+    port: 514/tcp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow 2222 tcp for pgrok ssh tunnel
+  become: yes
+  firewalld:
+    port: 2222/tcp
+    permanent: yes
+    state: enabled
+    immediate: yes
+
+- name: Allow Syncthing
+  become: yes
+  firewalld:
+    service: syncthing
+    permanent: yes
+    state: enabled
+    immediate: yes
 
 - name: Reboot if needed
-  reboot:
-  when: apk_upgrades.changed or apk_installs.changed
+  become: yes
+  ansible.builtin.reboot:
+  when: apt_upgrades.changed

roles/docker_host/tasks/main.yml

@@ -1,5 +1,36 @@
-- name: Create my service directory
-  file:
-    state: directory
-    path: "{{ my_svc_path }}"
-    mode: "700"
+- name: IPv6 subnet for Docker
+  debug:
+    var: docker_ipv6_subnet
+
+- name: Configure Docker daemon
+  become: yes
+  template:
+    src: "daemon.json.j2"
+    dest: "/etc/docker/daemon.json"
+    owner: root
+    group: root
+    mode: "0644"
+  register: docker_daemon_config
+
+- name: Install Docker loki plugin for logs
+  community.docker.docker_plugin:
+    plugin_name: grafana/loki-docker-driver:latest
+    alias: loki
+    state: enable
+
+- name: Remove docker0 from firewalld trusted zone
+  become: yes
+  firewalld:
+    zone: trusted
+    interface: docker0
+    permanent: yes
+    immediate: yes
+    state: disabled
+  register: docker0_firewalld
+
+- name: Restart Docker daemon
+  become: yes
+  service:
+    name: docker
+    state: restarted
+  when: docker_daemon_config.changed or docker0_firewalld.changed

roles/docker_host/templates/daemon.json.j2

@@ -0,0 +1,10 @@
+{
+    "ipv6": true,
+    "fixed-cidr-v6": "{{ docker_ipv6_subnet | ansible.utils.ipsubnet(80, 0) }}",
+    "log-driver": "loki",
+    "log-opts": {
+        "loki-url": "http://localhost:3100/loki/api/v1/push",
+        "loki-batch-size": "400",
+        "loki-retries": "5"
+    }
+}

roles/gitea/tasks/main.yml

@@ -1,33 +0,0 @@
-# https://stackoverflow.com/questions/41667864/can-the-templates-module-handle-multiple-templates-directories
-
-- name: Ensure service directory exists
-  file:
-    path: "{{ current_svc_path }}"
-    state: directory
-    mode: "500"
-
-- name: Ensure directory structure exists
-  file:
-    path: "{{ current_svc_path }}/{{ item.path }}"
-    state: directory
-    mode: "500"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "directory"
-
-
-- name: Include app config variables
-  include_vars:
-    file: "{{ role_path }}/vars/app_config.yml"
-
-- name: Generate {{ current_svc_name }} deployment from templates
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ current_svc_path }}/{{ item.path | regex_replace('\\.j2$', '') }}"
-    mode: "400"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "file"
-
-- name: Deploy docker-compose for {{ current_svc_name }}
-  community.docker.docker_compose:
-    project_src: "{{ current_svc_path }}"
-    state: present

roles/gitea/templates/.env.db.j2

@@ -1,3 +0,0 @@
-POSTGRES_USER=gitea
-POSTGRES_DB=gitea
-POSTGRES_PASSWORD="{{ db_password }}"

roles/gitea/templates/.env.gitea.j2

@@ -1,25 +0,0 @@
-GITEA____APP_NAME=CazGitea
-
-# Database
-GITEA__database__DB_TYPE=postgres
-GITEA__database__HOST=db:5432
-GITEA__database__NAME="{{ db_user }}"
-GITEA__database__USER="{{ db_name }}"
-GITEA__database__PASSWD="{{ db_password }}"
-
-# Server
-GITEA__server__ROOT_URL=https://gitea.cazzzer.com/
-GITEA__server__DISABLE_SSH=true
-
-# Mail
-GITEA__mailer__ENABLED=true
-GITEA__mailer__HOST=smtp.sendgrid.net:587
-GITEA__mailer__FROM=gitea@cazzzer.com
-GITEA__mailer__USER=apikey
-GITEA__mailer__PASSWD="{{ sendgrid_api_key }}"
-
-# Security
-GITEA__security__SECRET_KEY="{{ secret_key }}"
-GITEA__security__INTERNAL_TOKEN="{{ internal_token }}"
-
-GITEA__oauth2__JWT_SECRET="{{ jwt_secret }}"

roles/gitea/templates/docker-compose.yml.j2

@@ -1,39 +0,0 @@
-version: "3.9"
-
-networks:
-  default:
-  traefik_traefik:
-    external: true
-
-volumes:
-  gitea:
-  postgres:
-
-services:
-  server:
-    image: gitea/gitea:1.17.2
-    container_name: gitea_server
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.gitea.rule=Host(`gitea.{{ domain }}`)
-      - traefik.http.services.gitea.loadbalancer.server.port=3000
-    restart: unless-stopped
-    env_file:
-      - .env.gitea
-    networks:
-      - default
-      - traefik_traefik
-    volumes:
-      - gitea:/data
-    depends_on:
-      - db
-  db:
-    image: postgres:14-alpine
-    container_name: gitea_db
-    restart: unless-stopped
-    env_file:
-      - .env.db
-    networks:
-      - default
-    volumes:
-      - postgres:/var/lib/postgresql/data

roles/gitea/vars/app_config.yml

@@ -1,27 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-35303032386566343430633238343936366234333434343763666231666232633539303232383534
-3035346233346162373939333531613535353232626531640a646537616163353736653161326265
-31336530316335623335353661373834613264326436303933326135396166346562343136353931
-6439383039346465300a366266393130356630316630333336616565366562613038393239623738
-65626664643630353236333932373337333363626337386163613464306638633964663264363964
-30373661393531306662323134626664656233323762393037356434353066343830333033316365
-65616636613437663737306263373066306361376630616331663031346434336663393862316464
-62343339663461353934323063653566303932656264363562333136353665336263646230323832
-35376666303531383961646234663230663634393135326664386665633538616233613866373965
-64363361313232316336376631646662376565353536316438306361306261663532386564616566
-61663534393035343233326562303863646165346538393761326335376165623964396130393831
-64333665313461666335383134613831376138393061343238643661366439636534626265323865
-35393035336632653038623438626366373733626331633866373935616531623664303063376562
-31356332346164663364636235333461383437623161343338643839323765336237633266633864
-64363234646533616439313638363865373364623637636537623666383664656630333533303233
-64383734366666633832393230663739333435666138636462336332373061346239306136336263
-39643666303863303035313738343664636536663939616335303834333834363739303938646665
-66303637633239373461393434313036316563313132356432633337666537616363373830313034
-61313538633663653230643262613333306361666131663036643162343966313365653566393235
-36623832663034373734653664613038363137366437326565373761663963636336393536386435
-30393831326134376639366661653439616138643438646363343632346131306532663439396534
-32383661306539306635336262383563376561303862396532633362666266313562623336383235
-36366565633734633639653239306331333237353233326563653930653739316230666362323931
-39663931376562653530323434656436353166393836643238643632396430353034333034333665
-62323338373839383132323537353431636537616366393965643463316164323034316536383961
-6164333537633631646663333463306236613038326339643439

roles/gitea/vars/main.yml

@@ -1,5 +0,0 @@
----
-current_svc_name: gitea
-current_svc_path: "{{ my_svc_path }}/{{ current_svc_name }}"
-
-templates_source: "{{ role_path }}/templates"

roles/jellyfin/tasks/main.yml

@@ -1,33 +0,0 @@
-# https://stackoverflow.com/questions/41667864/can-the-templates-module-handle-multiple-templates-directories
-
-- name: Ensure service directory exists
-  file:
-    path: "{{ current_svc_path }}"
-    state: directory
-    mode: "500"
-
-- name: Ensure directory structure exists
-  file:
-    path: "{{ current_svc_path }}/{{ item.path }}"
-    state: directory
-    mode: "500"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "directory"
-
-
-- name: Include app config variables
-  include_vars:
-    file: "{{ role_path }}/vars/app_config.yml"
-
-- name: Generate {{ current_svc_name }} deployment from templates
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ current_svc_path }}/{{ item.path | regex_replace('\\.j2$', '') }}"
-    mode: "400"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "file"
-
-- name: Deploy docker-compose for {{ current_svc_name }}
-  community.docker.docker_compose:
-    project_src: "{{ current_svc_path }}"
-    state: present

roles/jellyfin/templates/.env.jellyfin.j2

@@ -1 +0,0 @@
-JELLYFIN_PublishedServerUrl="https://jellyfin.{{ domain }}"

roles/jellyfin/templates/docker-compose.yml.j2

@@ -1,35 +0,0 @@
-version: "3.9"
-
-networks:
-  default:
-  traefik_traefik:
-    external: true
-
-volumes:
-  config:
-  cache:
-  media:
-    driver: local
-    driver_opts:
-      type: nfs
-      o: "addr=truenas.lab.home,nfsvers=4,ro,noatime"
-      device: ":/mnt/Mass-Storage-New/JailStorage/Plex"
-
-services:
-  jellyfin:
-    image: jellyfin/jellyfin:10.8.5
-    container_name: jellyfin_jellyfin
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.{{ domain }}`)
-      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
-    restart: unless-stopped
-    env_file:
-      - .env.jellyfin
-    networks:
-      - default
-      - traefik_traefik
-    volumes:
-      - config:/config
-      - cache:/cache
-      - media:/data/media

roles/jellyfin/vars/app_config.yml

@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-61626665353536663033663661393434616339396434383530306265363837313839303939623465
-3634333839333530383464613966326238363738663637360a343837623832343232316565346131
-66663831356162653363383131396665326531363430656539333866313031306537343864343262
-3730643765633232620a643734623336646565663266656262343162613239306166386665333139
-6366

roles/jellyfin/vars/main.yml

@@ -1,5 +0,0 @@
----
-current_svc_name: jellyfin
-current_svc_path: "{{ my_svc_path }}/{{ current_svc_name }}"
-
-templates_source: "{{ role_path }}/templates"

roles/nextcloud/tasks/main.yml

@@ -1,33 +0,0 @@
-# https://stackoverflow.com/questions/41667864/can-the-templates-module-handle-multiple-templates-directories
-
-- name: Ensure service directory exists
-  file:
-    path: "{{ current_svc_path }}"
-    state: directory
-    mode: "500"
-
-- name: Ensure directory structure exists
-  file:
-    path: "{{ current_svc_path }}/{{ item.path }}"
-    state: directory
-    mode: "500"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "directory"
-
-
-- name: Include app config variables
-  include_vars:
-    file: "{{ role_path }}/vars/app_config.yml"
-
-- name: Generate {{ current_svc_name }} deployment from templates
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ current_svc_path }}/{{ item.path | regex_replace('\\.j2$', '') }}"
-    mode: "400"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "file"
-
-- name: Deploy docker-compose for {{ current_svc_name }}
-  community.docker.docker_compose:
-    project_src: "{{ current_svc_path }}"
-    state: present

roles/nextcloud/templates/.env.nextcloud.j2

@@ -1,18 +0,0 @@
-POSTGRES_DB=nextcloud
-POSTGRES_USER=nextcloud
-POSTGRES_PASSWORD="{{ db_password }}"
-POSTGRES_HOST=db
-
-NEXTCLOUD_TRUSTED_DOMAINS=nc.cazzzer.com
-
-REDIS_HOST=redis
-REDIS_HOST_PASSWORD="{{ redis_password }}"
-
-SMTP_HOST=smtp.sendgrid.net
-SMTP_SECURE=tls
-SMTP_PORT=587
-SMTP_AUTHTYPE=LOGIN
-SMTP_NAME=apikey
-SMTP_PASSWORD="{{ sendgrid_api_key }}"
-MAIL_FROM_ADDRESS=nc
-MAIL_DOMAIN=cazzzer.com

roles/nextcloud/templates/.env.redis.j2

@@ -1 +0,0 @@
-REDIS_PASSWORD="{{ redis_password }}"

roles/nextcloud/templates/docker-compose.yml.j2

@@ -1,96 +0,0 @@
-version: "3.9"
-
-networks:
-  default:
-  traefik_traefik:
-    external: true
-
-volumes:
-  nextcloud:
-  nextcloud_config:
-  nextcloud_data:
-  db:
-
-services:
-  app:
-    image: nextcloud:24-fpm-alpine
-    container_name: nextcloud_app
-    restart: unless-stopped
-    depends_on:
-      - db
-      - redis
-    env_file:
-      - .env.nextcloud
-    networks:
-      - default
-    volumes:
-      - nextcloud:/var/www/html
-      - nextcloud_config:/var/www/html/config
-      - nextcloud_data:/var/www/html/data
-
-  cron:
-    image: nextcloud:24-fpm-alpine
-    container_name: nextcloud_cron
-    restart: unless-stopped
-    depends_on:
-      - app
-    entrypoint: /cron.sh
-    networks:
-      - default
-    volumes_from:
-      - app
-
-  notify_push:
-    image: nextcloud:24-fpm-alpine
-    container_name: nextcloud_notify_push
-    restart: unless-stopped
-    depends_on:
-      - app
-    entrypoint:
-      - /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push
-      - /var/www/html/config/config.php
-    networks:
-      - default
-    volumes_from:
-      - app
-
-  db:
-    image: postgres:13-alpine
-    container_name: nextcloud_db
-    restart: unless-stopped
-    env_file:
-      - .env.db
-    networks:
-      - default
-    volumes:
-      - db:/var/lib/postgresql/data
-
-  redis:
-    image: redis:7-alpine
-    container_name: nextcloud_redis
-    restart: unless-stopped
-    env_file:
-      - .env.redis
-    networks:
-      - default
-    command:
-      - sh
-      - -c
-      - redis-server --requirepass $$REDIS_PASSWORD
-
-  web:
-    image: nginx:1.23-alpine
-    container_name: nextcloud_web
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.nextcloud.rule=Host(`nc.{{ domain }}`)
-    restart: unless-stopped
-    links:
-      - app
-    networks:
-      - traefik_traefik
-      - default
-    volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf
-    volumes_from:
-      - app

roles/nextcloud/templates/nginx.conf.j2

@@ -1,182 +0,0 @@
-# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
-
-worker_processes auto;
-
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    # Prevent nginx HTTP Server Detection
-    server_tokens   off;
-
-    keepalive_timeout  65;
-
-    upstream php-handler {
-        server app:9000;
-    }
-
-    server {
-        listen 80;
-
-        # HSTS settings
-        # WARNING: Only add the preload option once you read about
-        # the consequences in https://hstspreload.org/. This option
-        # will add the domain to a hardcoded list that is shipped
-        # in all major browsers and getting removed from this list
-        # could take several months.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-
-        # set max upload size
-        client_max_body_size 512M;
-        fastcgi_buffers 64 4K;
-
-        # Enable gzip but do not remove ETag headers
-        gzip on;
-        gzip_vary on;
-        gzip_comp_level 4;
-        gzip_min_length 256;
-        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-        # Pagespeed is not supported by Nextcloud, so if your server is built
-        # with the `ngx_pagespeed` module, uncomment this line to disable it.
-        #pagespeed off;
-
-        # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Referrer-Policy                      "no-referrer"   always;
-        add_header X-Content-Type-Options               "nosniff"       always;
-        add_header X-Download-Options                   "noopen"        always;
-        add_header X-Frame-Options                      "SAMEORIGIN"    always;
-        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-        add_header X-Robots-Tag                         "none"          always;
-        add_header X-XSS-Protection                     "1; mode=block" always;
-
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        # Specify how to handle directories -- specifying `/index.php$request_uri`
-        # here as the fallback means that Nginx always exhibits the desired behaviour
-        # when a client requests a path that corresponds to a directory that exists
-        # on the server. In particular, if that directory contains an index.php file,
-        # that file is correctly served; if it doesn't, then the request is passed to
-        # the front-end controller. This consistent behaviour means that we don't need
-        # to specify custom rules for certain paths (e.g. images and other assets,
-        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
-        # `try_files $uri $uri/ /index.php$request_uri`
-        # always provides the desired behaviour.
-        index index.php index.html /index.php$request_uri;
-
-        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
-        location = / {
-            if ( $http_user_agent ~ ^DavClnt ) {
-                return 302 /remote.php/webdav/$is_args$args;
-            }
-        }
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # Make a regex exception for `/.well-known` so that clients can still
-        # access it despite the existence of the regex rule
-        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
-        # for `/.well-known`.
-        location ^~ /.well-known {
-            # The rules in this block are an adaptation of the rules
-            # in `.htaccess` that concern `/.well-known`.
-
-            location = /.well-known/carddav { return 301 /remote.php/dav/; }
-            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
-
-            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
-            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
-
-            # Let Nextcloud's API for `/.well-known` URIs handle all other
-            # requests by passing them to the front-end controller.
-            return 301 /index.php$request_uri;
-        }
-
-        # Rules borrowed from `.htaccess` to hide certain paths from clients
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
-
-        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
-        # which handle static assets (as seen below). If this block is not declared first,
-        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
-        # to the URI, resulting in a HTTP 500 error response.
-        location ~ \.php(?:$|/) {
-            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
-
-            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-            set $path_info $fastcgi_path_info;
-
-            try_files $fastcgi_script_name =404;
-
-            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $path_info;
-            #fastcgi_param HTTPS on;
-
-            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
-            fastcgi_param front_controller_active true;     # Enable pretty urls
-            fastcgi_pass php-handler;
-
-            fastcgi_intercept_errors on;
-            fastcgi_request_buffering off;
-        }
-
-        location ~ \.(?:css|js|svg|gif)$ {
-            try_files $uri /index.php$request_uri;
-            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
-            access_log off;     # Optional: Don't log access to assets
-        }
-
-        location ~ \.woff2?$ {
-            try_files $uri /index.php$request_uri;
-            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
-            access_log off;     # Optional: Don't log access to assets
-        }
-
-        # Rule borrowed from `.htaccess`
-        location /remote {
-            return 301 /remote.php$request_uri;
-        }
-
-        location / {
-            try_files $uri $uri/ /index.php$request_uri;
-        }
-
-        location ^~ /push/ {
-            proxy_pass http://notify_push:7867/;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        }
-    }
-}

roles/nextcloud/vars/app_config.yml

@@ -1,14 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-65313636646233613364363933616361346639653939346337303832646339316632383966666237
-3766396134383434613534373937663162393134306536300a626139373732393037346630333838
-63663439353238643532316231623866396434303034313130386635623363353263626362376334
-3933346434633662320a386432373465646432343338666561366161646335636232353133393933
-65313364666564353039626238383033343765323730316633356139326666623135326131353864
-32386237643538636538356261393164633137636235346564393930346539623731386633336339
-31303466653936343166366164383134306232613236663735623834393963306331376435616365
-31313866383730393063353335626164303632636331303830636530656131636139376633623439
-63663639323964623231343066373538633336353561646230363363643762393634643435306164
-31366364326237636365336363343264343562353337303235633034383635373934376334353336
-61373065386639643064303431623162373665363937353832313561386134613834613935653964
-64656339316165313936333736643030356366663162316462636662326134396539356262666536
-64336133393937396330353234316563356337623733326264363333373536633833

roles/nextcloud/vars/main.yml

@@ -1,6 +0,0 @@
----
-# vars file for roles/nextcloud/
-current_svc_name: nextcloud
-current_svc_path: "{{ my_svc_path }}/{{ current_svc_name }}"
-
-templates_source: "{{ role_path }}/templates"

roles/traefik/tasks/main.yml

@@ -1,33 +0,0 @@
-# https://stackoverflow.com/questions/41667864/can-the-templates-module-handle-multiple-templates-directories
-
-- name: Ensure service directory exists
-  file:
-    path: "{{ current_svc_path }}"
-    state: directory
-    mode: "500"
-
-- name: Ensure directory structure exists
-  file:
-    path: "{{ current_svc_path }}/{{ item.path }}"
-    state: directory
-    mode: "500"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "directory"
-
-
-#- name: Include app config variables
-#  include_vars:
-#    file: "{{ role_path }}/vars/app_config.yml"
-
-- name: Generate {{ current_svc_name }} deployment from templates
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ current_svc_path }}/{{ item.path | regex_replace('\\.j2$', '') }}"
-    mode: "400"
-  with_community.general.filetree: "{{ templates_source }}"
-  when: item.state == "file"
-
-- name: Deploy docker-compose for {{ current_svc_name }}
-  community.docker.docker_compose:
-    project_src: "{{ current_svc_path }}"
-    state: present

roles/traefik/templates/docker-compose.yml.j2

@@ -1,20 +0,0 @@
-version: "3.9"
-
-networks:
-  traefik:
-
-services:
-  traefik:
-    image: traefik:v2.8
-    container_name: traefik
-    restart: unless-stopped
-    ports:
-      - "80:80"
-      - "8080:8080"
-    env_file:
-      - .env.traefik
-    networks:
-      - traefik
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./traefik.yml:/etc/traefik/traefik.yml:ro

roles/traefik/templates/traefik.yml.j2

@@ -1,7 +0,0 @@
-api:
-  insecure: true
-
-providers:
-  docker:
-    exposedByDefault: false
-    network: traefik_traefik

roles/traefik/vars/main.yml

@@ -1,5 +0,0 @@
----
-current_svc_name: traefik
-current_svc_path: "{{ my_svc_path }}/{{ current_svc_name }}"
-
-templates_source: "{{ role_path }}/templates"

services.yml

@@ -1,7 +1,14 @@
-- hosts: docker_hosts
+- hosts: alpina
   roles:
-    - docker_host
-    - traefik
-    - nextcloud
-    - role: gitea
-
+    - alpina
+  post_tasks:
+    - name: Docker prune objects
+      docker_prune:
+        containers: true
+        # Keep images for building grafana
+        images: true
+        images_filters:
+          until: "720h"
+        networks: true
+        volumes: true
+        builder_cache: false

site.yml

@@ -1,6 +1,4 @@
-- hosts: all
+- hosts: alpina
   roles:
     - common
-
-- name: Install services
-  import_playbook: services.yml
+    - docker_host