any.software.actual-podman: added role

plays/emma.yml

@@ -60,3 +60,18 @@
         webdav_user: "{{ vault_webdav_user }}"
         webdav_password: "{{ vault_webdav_password }}"
         webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"
+
+- name: Set up Otter
+  hosts: emma
+  become: yes
+  tags: otter
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/otter/data"
+    - role: any.software.otter
+      vars:
+        data_dir: '{{ btrfs_nvme.path }}/data/otter/data'

roles/any.software.actual-podman/files/actual.Caddyfile

@@ -0,0 +1,5 @@
+actual.roosens.me {
+    reverse_proxy localhost:8014 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.actual-podman/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: 'restart actual'
+  ansible.builtin.systemd_service:
+    name: 'actual'
+    state: 'restarted'
+
+    scope: 'user'
+    daemon_reload: true

roles/any.software.actual-podman/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: any.tools.caddy
+    become: true

roles/any.software.actual-podman/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Ensure Quadlet files are present
+  ansible.builtin.template:
+    src: "actual.container.j2"
+    dest: "/home/debian/.config/containers/systemd/actual.container"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  notify: 'restart actual'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'actual.Caddyfile'
+    dest: '/etc/caddy/actual.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  become: true
+  notify: reload caddy

roles/any.software.actual-podman/templates/actual.container.j2

@@ -0,0 +1,13 @@
+[Container]
+Image=docker.io/actualbudget/actual-server:25.12.0-alpine
+
+PublishPort=127.0.0.1:8014:5006
+Volume={{ data_dir }}:/data
+
+User=0
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.gitea/files/gitea.Caddyfile

@@ -0,0 +1,5 @@
+git.rustybever.be {
+    reverse_proxy localhost:8010 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.gitea/files/gitea.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.gitea/files/gitea.lfs.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/lfs'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.gitea/files/gitea.pod

@@ -0,0 +1,4 @@
+# vim: ft=systemd
+[Pod]
+PublishPort=8016:22
+PublishPort=8010:3000

roles/any.software.gitea/files/gitea.postgres.backup.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+cd /etc/gitea
+
+/usr/bin/docker compose exec -T db pg_dump -U gitea gitea |
+    /usr/bin/gzip --rsyncable |
+    /usr/local/bin/restic backup --stdin --stdin-filename gitea-postgres.sql.gz

roles/any.software.gitea/files/gitea.repositories.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/repositories'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.gitea/files/gitea.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Private, Fast, Reliable DevOps Platform
+After=docker.service 
+Requires=docker.service
+
+[Service]
+Type=exec
+WorkingDirectory=/etc/gitea
+ExecStart=/usr/bin/docker compose up
+ExecStop=/usr/bin/docker compose down
+
+[Install]
+WantedBy=multi-user.target

roles/any.software.gitea/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart gitea'
+  ansible.builtin.service:
+    name: 'gitea'
+    state: 'restarted'

roles/any.software.gitea/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: any.tools.caddy

roles/any.software.gitea/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/gitea'
+    state: directory
+    mode: '0755'
+
+- name: Ensure Quadlet files is present
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/home/debian/.config/containers/systemd/{{ item }}"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'gitea-app.container'
+    - 'gitea-postgres.container'
+
+- name: Ensure Quadlet files is present
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/home/debian/.config/containers/systemd/{{ item }}"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'gitea.pod'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'gitea.Caddyfile'
+    dest: '/etc/caddy/gitea.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload caddy
+
+- name: Allow Gitea SSH connections
+  community.general.ufw:
+    port: 8016
+    rule: 'allow'
+
+# - name: Ensure compose file is present
+#   ansible.builtin.copy:
+#     src: 'compose.yml'
+#     dest: '/etc/gitea/compose.yml'
+#     mode: '0644'
+#     owner: 'root'
+#     group: 'root'
+#   notify: 'restart gitea'
+
+# - name: Ensure config file is present
+#   ansible.builtin.template:
+#     src: 'app.ini.j2'
+#     dest: '/etc/gitea/app.ini'
+#     mode: '0644'
+#     owner: 'root'
+#     group: 'root'
+#   notify: 'restart gitea'
+
+# - name: Ensure backup scripts are present
+#   ansible.builtin.copy:
+#     src: "gitea.{{ item }}.backup.sh"
+#     dest: "/etc/backups/gitea.{{ item }}.backup.sh"
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   loop:
+#     - 'postgres'
+#     - 'data'
+#     - 'lfs'
+#     - 'repositories'
+
+# - name: systemd-reload
+#   ansible.builtin.systemd_service:
+#     daemon_reload: true
+#   when: 'res.changed'
+
+# - name: Ensure gitea service is enabled
+#   ansible.builtin.service:
+#     name: 'gitea'
+#     enabled: true

roles/any.software.gitea/templates/app.ini.j2

@@ -0,0 +1,112 @@
+APP_NAME = The Rusty Bever
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+; Makes public the default option when creating a repo
+DEFAULT_PRIVATE = public
+; Disables releases, projects & wiki by default for new repos (but can be enabled when needed)
+DEFAULT_REPO_UNITS = repo.code,repo.issues,repo.pulls
+; Might as well be compatible with
+DEFAULT_BRANCH = main
+
+[repository.pull-request]
+WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP]:,Draft:,[Draft]:
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[ui]
+; Always show the full name of a user when possible
+DEFAULT_SHOW_FULL_NAME = true
+THEMES = auto,gitea,arc-green,gitea-modern
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.rustybever.be
+SSH_DOMAIN = git.rustybever.be
+HTTP_PORT = 3000
+ROOT_URL = https://git.rustybever.be/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+OFFLINE_MODE = false
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+
+[lfs]
+PATH = /data/git/lfs
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = db:5432
+NAME = gitea
+USER = gitea
+PASSWD = gitea
+LOG_SQL = false
+SCHEMA = 
+SSL_MODE = disable
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+REDIRECT_MACARON_LOG = true
+MACARON = console
+ROUTER = console
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+MIN_PASSWORD_LENGTH = 12
+PASSWORD_COMPLEXITY = lower,upper,digit
+SECRET_KEY = {{ gitea_secret_key }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[oauth2]
+JWT_SECRET = {{ gitea_jwt_secret }}
+
+[other]
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

roles/any.software.gitea/templates/gitea-app.container.j2

@@ -0,0 +1,20 @@
+# vim: ft=systemd
+[Unit]
+Requires=gitea-postgres.service
+After=gitea-postgres.service
+
+[Container]
+Image=docker.io/gitea/gitea:1.20.1
+Pod=gitea.pod
+
+Volume={{ gitea_data_dir }}:/data
+Volume={{ gitea_repositories_dir }}:/data/git/repositories
+Volume={{ gitea_lfs_dir }}:/data/git/lfs
+; Volume=/etc/timezone:/etc/timezone:ro
+Volume=/etc/localtime:/etc/localtime:ro
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.gitea/templates/gitea-postgres.container.j2

@@ -0,0 +1,18 @@
+# vim: ft=systemd
+[Container]
+Image=docker.io/postgres:14.8-alpine
+Pod=gitea.pod
+
+Environment=POSTGRES_USER=gitea POSTGRES_PASSWORD=gitea POSTGRES_DB=gitea
+
+HealthCmd=["pg_isready","-U","gitea"]
+HealthInterval=30s
+HealthRetries=3
+HealthStartPeriod=30s
+HealthTimeout=5s
+Notify=Healthy
+
+Volume={{ postgres_data_dir }}:/var/lib/postgresql/data
+
+[Service]
+Restart=always

roles/any.software.otter/files/otter.Caddyfile

@@ -0,0 +1,3 @@
+otter.roosens.me {
+    reverse_proxy localhost:8017
+}

roles/any.software.otter/files/otter.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/otter/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.otter/files/otter.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Gpodder.net API implementation
+After=network.target network-online.target
+
+[Service]
+Type=exec
+User=otter
+Group=otter
+ExecStart=/usr/local/bin/otter serve -c /etc/otter/otter.toml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/any.software.otter/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart otter'
+  ansible.builtin.service:
+    name: 'otter'
+    state: 'restarted'

roles/any.software.otter/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: any.tools.caddy

roles/any.software.otter/tasks/main.yml

@@ -0,0 +1,85 @@
+---
+- name: Ensure binary is present
+  ansible.builtin.get_url:
+    url: 'https://git.rustybever.be/api/packages/Chewing_Bever/generic/otter/0.3.0/otter-linux-amd64'
+    dest: '/usr/local/bin/otter'
+    owner: 'root'
+    group: 'root'
+    mode: '755'
+  notify: 'restart otter'
+
+- name: Ensure system group exists
+  ansible.builtin.group:
+    name: 'otter'
+    gid: 204
+    system: true
+    state: present
+
+- name: Ensure system user exists
+  ansible.builtin.user:
+    name: 'otter'
+    group: 'otter'
+    uid: 204
+    system: true
+    create_home: false
+
+- name: Ensure permissions are correct
+  ansible.builtin.file:
+    path: "{{ data_dir }}"
+    state: directory
+    mode: '0755'
+    owner: '204'
+    group: '204'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/otter'
+    state: directory
+    mode: '0755'
+
+- name: Ensure config file is present
+  ansible.builtin.template:
+    src: 'otter.toml.j2'
+    dest: '/etc/otter/otter.toml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart otter'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'otter.Caddyfile'
+    dest: '/etc/caddy/otter.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload caddy
+
+# - name: Ensure backup scripts are present
+#   ansible.builtin.copy:
+#     src: "otter.{{ item }}.backup.sh"
+#     dest: "/etc/backups/otter.{{ item }}.backup.sh"
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   loop:
+#     - 'data'
+
+- name: Ensure service file is present
+  ansible.builtin.copy:
+    src: 'otter.service'
+    dest: '/lib/systemd/system/otter.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+- name: Ensure otter service is enabled
+  ansible.builtin.service:
+    name: 'otter'
+    enabled: true

roles/any.software.otter/templates/otter.toml.j2

@@ -0,0 +1,7 @@
+data_dir = "{{ data_dir }}"
+log_level = "debug"
+
+[net]
+type = "tcp"
+domain = "0.0.0.0"
+port = 8017