Delete unused stuff

.gitea/workflows/check.yaml

@@ -1,5 +1,5 @@
 name: Check
-on: [push]
+"on": [push]
 jobs:
   "Lint Ansible Files":
     runs-on: node-22-bookworm
@@ -11,6 +11,6 @@ jobs:
       - name: Check out repo
         uses: actions/checkout@v3
       - run: python3 -m venv venv
-      - run: venv/bin/pip --disable-pip-version-check install ansible==9.6.0 ansible-lint==24.2.2
+      - run: venv/bin/pip --disable-pip-version-check install ansible==11.1.0 ansible-lint==24.12.1
       - run: venv/bin/ansible-lint -c .ansible-lint ansible
   # TODO: Reimplement ansible-play --check step from old drone config

README.md

@@ -4,8 +4,8 @@
 
 | Prop | Value |
 | --- | --- |
-| Hostname | `shamash` |
+| Hostname | `nanna` |
-| Domains  | `{,pad.,codi.,ci.,git.,jupyter.,plantuml.}pbrinkmeier.de`, `tichy.click`, `beany.club`, `vmd98928.contaboserver.net` |
+| Domains  | `{,pad.,codi.,git.,plantuml.}pbrinkmeier.de`, `tichy.click`, `{utoy,vrnp}.beany.club` |
 
 ## Linting
 
@@ -20,4 +20,4 @@ to avoid checking for a new version every single run.
 
 ## TODO
 
-- [ ] Migrate to `community.docker.docker_compose_v2` (`v1` is deprecated)
+- [x] Migrate to `community.docker.docker_compose_v2` (`v1` is deprecated)

ansible/README.md

@@ -12,11 +12,11 @@ nix develop
 ## `misc.yaml`
 
 Server for miscellaneous stuff, e.g. the website.
-Expects to have a user `andi` who can `sudo`.
+Expects to have a user `paul who can `sudo`.
 Sets up:
 
 - Some basic packages
-- Docker and `docker-compose` (the latter via `pip`)
+- Docker and `docker-compose`
 - Nix multi-user installation
 
 ## `misc-docker.yaml`

ansible/group_vars/gods/vars.yaml

@@ -0,0 +1,15 @@
+---
+ansible_python_interpreter: /usr/bin/python3
+gods_users:
+  - name: postgres
+    uid: 70
+    state: present
+  - name: hackmd
+    uid: 1500
+    state: present
+  - name: gitea
+    uid: 42001
+    state: present
+  - name: caddy
+    uid: 42002
+    state: present

ansible/group_vars/misc/vars.yaml

@@ -1,4 +0,0 @@
----
-# Has pw-less sudo
-ansible_user: paul
-ansible_python_interpreter: /usr/bin/python3

ansible/host_vars/nanna/vars.yaml

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+37646262396235383766303137613134323330396364346261653036303935663935323930663630
+3562306337383765323635623838646538376362396638360a366336336134616163663533373836
+30333834306466633162613264376266646239343432646162396132643437663934613464363437
+6530653234336133360a666232386537353835386364613065343063613536613638393736666635
+65363362363766353231646461343764306637353465373633363861333436336263393561656330
+39613761373437313663613737613961666330373135666365373433376437383232383461633861
+333763383538633430303663636338363537

ansible/inventory

@@ -1,2 +1,2 @@
-[misc]
+[gods]
-vmd98928.contaboserver.net ansible_port=2309
+nanna

ansible/playbooks/misc-all.yaml

@@ -1,8 +0,0 @@
-# All tasks for misc, use this to check whether everything is deployed.
----
-- name: Set up basic packages, Docker, Nix, sshd
-  import_playbook: misc-setup.yaml
-- name: Deploy Docker configuration
-  import_playbook: misc-docker.yaml
-- name: Check out static websites from git
-  import_playbook: misc-sites.yaml

ansible/playbooks/misc-setup.yaml

@@ -1,74 +0,0 @@
----
-- name: Basic setup for shamash (packages, Docker, Nix, sshd)
-  hosts: misc
-  tasks:
-    - name: Create /etc/pbri
-      become: true
-      ansible.builtin.file:
-        path: /etc/pbri
-        state: directory
-        mode: u=rwx,g=rx,o=rx
-    - name: Create /home/paul/{Sites,Source}
-      become: true
-      ansible.builtin.file:
-        path: "/home/paul/{{ item }}"
-        state: directory
-        owner: paul
-        group: paul
-        mode: u=rwx,g=rx,o=rx
-      loop:
-        - Sites
-        - Source
-    - name: Install basic packages
-      become: true
-      ansible.builtin.apt:
-        name:
-          - vim
-          - git
-          - htop
-          - tmux
-        update_cache: true
-      tags:
-        - apt
-    - name: Install and set up Docker and docker-compose
-      ansible.builtin.include_role:
-        name: docker
-    - name: Install and set up Nix
-      ansible.builtin.include_role:
-        name: install_nix
-    - name: Install pip prerequisites
-      become: true
-      ansible.builtin.apt:
-        name:
-          - python3-pip
-          - python3-setuptools
-          - python3-virtualenv
-    - name: Install global python docker package
-      become: true
-      ansible.builtin.pip:
-        name:
-          - docker
-          - docker-compose
-          - requests
-    - name: Configure sshd
-      become: true
-      ansible.builtin.copy:
-        dest: /etc/ssh/sshd_config.d/00_pbri.conf
-        mode: u=rw,g=r,o=r
-        # Included by /etc/ssh/sshd_config before other configuration
-        content: |
-          Port 2309
-          PermitRootLogin no
-          PubkeyAuthentication yes
-          AuthorizedKeysFile .ssh/authorized_keys
-          PasswordAuthentication no
-        validate: /usr/sbin/sshd -T -f %s
-      notify:
-        - Restart sshd
-
-  handlers:
-    - name: Restart sshd
-      become: true
-      ansible.builtin.service:
-        name: sshd
-        state: restarted

ansible/playbooks/nanna-docker.yaml

@@ -1,39 +1,25 @@
 ---
-- name: Update Docker configuration on shamash
+- name: Update Docker configuration
-  hosts: misc
+  hosts: gods
   tasks:
+    - name: Add groups
+      become: true
+      ansible.builtin.group:
+        name: "{{ item.name }}"
+        gid: "{{ item.uid }}"
+        state: "{{ item.state }}"
+        system: true
+      loop: "{{ gods_users }}"
     - name: Add users for running containers
       become: true
       ansible.builtin.user:
         name: "{{ item.name }}"
         uid: "{{ item.uid }}"
+        group: "{{ item.name }}"
         state: "{{ item.state }}"
         create_home: false
         system: true
-      loop:
+      loop: "{{ gods_users }}"
-        - name: jupyter
-          uid: 42000
-          state: present
-        - name: gitea
-          uid: 42001
-          state: present
-        - name: factorio
-          uid: 845
-          state: present
-        - name: hackmd
-          uid: 1500
-          state: present
-
-        - name: hedgedoc
-          uid: 10000
-          state: absent
-        - name: bsa
-          uid: 42002
-          state: absent
-        - name: score
-          uid: 42003
-          state: absent
-    # All services that are behind Caddy need to be in this network
     - name: Create Caddy network
       become: true
       community.docker.docker_network:
@@ -48,6 +34,13 @@
         mode: u=rw,g=,o=
         # Directories should be listable
         directory_mode: u=rwx,g=rx,o=rx
+    - name: Create directory for docker volumes
+      become: true
+      ansible.builtin.file:
+        path: /var/lib/pbri/docker
+        state: directory
+        # Hide contents from non-root users
+        mode: u=rwx,g=,o=
     - name: Upload and decrypt docker environment vars
       become: true
       ansible.builtin.copy:
@@ -58,26 +51,16 @@
         # This is true by default but I put it here anyways
         # to emphasize what's happening
         decrypt: true
-      # Not quite happy with all the seperate loops yet.
       loop:
-        - name: codi
-          state: present
-        - name: drone
-          state: present
-        - name: factorio
-          state: present
         - name: gitea
           state: present
+        - name: codi
+          state: present
         - name: vrnp
           state: present
-    - name: Create directory for docker volumes
+    # This needs to be done for any services where user:
-      become: true
+    # is set in docker-compose.yaml.
-      ansible.builtin.file:
+    - name: Create volume directories with correct permissions
-        path: /var/lib/pbri/docker
-        state: directory
-        # Hide contents from non-root users
-        mode: u=rwx,g=,o=
-    - name: Create jupyter folders
       become: true
       ansible.builtin.file:
         path: "/var/lib/pbri/docker/{{ item.name }}"
@@ -86,26 +69,12 @@
         state: directory
         mode: u=rwx,g=,o=
       loop:
-        - name: jupyter_data
+        - name: caddy_config
-          user: jupyter
+          user: caddy
-        - name: jupyter_notebooks
+        - name: caddy_data
-          user: jupyter
+          user: caddy
-    - name: Create Factorio data folder
+        - name: codi_uploads
-      become: true
+          user: hackmd
-      ansible.builtin.file:
-        path: /var/lib/pbri/docker/factorio
-        state: directory
-        owner: factorio
-        group: factorio
-        mode: u=rwx,g=,o=
-    - name: Delete score data folder
-      become: true
-      ansible.builtin.file:
-        path: /var/lib/pbri/docker/score
-        state: absent
-        owner: score
-        group: score
-        mode: u=rwx,g=,o=
     # Since some docker-compose configuration might want to pull
     # images from the Gitea package repository, we need to ensure
     # that Gitea is reachable before those configurations are deployed.
@@ -131,7 +100,7 @@
       register: gitea_version_response
       until: gitea_version_response.status == 200
       retries: 10
-      delay: 5  # Retry every 5 seconds
+      delay: 3  # Retry every 3 seconds
     - name: Set up other containers
       become: true
       community.docker.docker_compose_v2:
@@ -140,21 +109,9 @@
         build: "always"
         pull: "always"
       loop:
-        - name: drone
-          state: present
         - name: codi
           state: present
-        - name: jupyter
-          state: present
         - name: utoy
           state: present
         - name: vrnp
           state: present
-
-        # Keep these to ensure they're down
-        - name: factorio
-          state: absent
-        - name: glebby
-          state: absent
-        - name: score
-          state: absent

ansible/playbooks/nanna-setup.yaml

@@ -0,0 +1,29 @@
+---
+- name: Basic setup for nanna
+  hosts: nanna
+  tasks:
+    - name: Configure sshd
+      become: true
+      ansible.builtin.copy:
+        dest: /etc/ssh/sshd_config.d/00_pbri.conf
+        mode: u=rw,g=r,o=r
+        # Included by /etc/ssh/sshd_config before other configuration
+        content: |
+          Port 2309
+          PermitRootLogin no
+          PubkeyAuthentication yes
+          AuthorizedKeysFile .ssh/authorized_keys
+          PasswordAuthentication no
+        validate: /usr/sbin/sshd -T -f %s
+      notify:
+        - Restart sshd
+    - name: Install and set up Docker and docker-compose
+      ansible.builtin.include_role:
+        name: docker
+
+  handlers:
+    - name: Restart sshd
+      become: true
+      ansible.builtin.service:
+        name: ssh
+        state: restarted

ansible/playbooks/nanna-sites.yaml

@@ -1,6 +1,6 @@
 ---
-- name: Check out static sites hosted on shamash
+- name: Check out static sites hosted on nanna
-  hosts: misc
+  hosts: nanna
   tasks:
     - name: Check out static sites
       ansible.builtin.include_role:

ansible/roles/docker/defaults/main.yaml

@@ -0,0 +1,3 @@
+---
+docker_apt_arch: "amd64"
+docker_ubuntu_release: "{{ ansible_distribution_release }}"

ansible/roles/docker/tasks/main.yaml

@@ -25,12 +25,6 @@
     stdin: "{{ docker_gpg_key.content }}"
     creates: /usr/share/keyrings/docker-archive-keyring.gpg
 
-- name: Retrieve dpkg architecture
-  check_mode: false
-  ansible.builtin.command: dpkg --print-architecture
-  register: docker_dpkg_architecture
-  changed_when: false
-
 - name: Add Docker apt repository
   become: true
   ansible.builtin.template:
@@ -48,3 +42,4 @@
       - docker-ce
       - docker-ce-cli
       - containerd.io
+      - docker-compose-plugin

ansible/roles/docker/templates/docker.list.j2

@@ -1 +1 @@
-deb [arch={{ docker_dpkg_architecture.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+deb [arch={{ docker_apt_arch }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_release }} stable

docker/docker/caddy/Dockerfile

@@ -1,3 +1,4 @@
 FROM caddy
 
 COPY Caddyfile /etc/caddy/Caddyfile
+RUN chown 42002:42002 /etc/caddy/Caddyfile

docker/docker/caddy/docker-compose.yaml

@@ -6,6 +6,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    user: "42002"
     volumes:
       - /var/lib/pbri/docker/caddy_data:/data
       - /var/lib/pbri/docker/caddy_config:/config

docker/docker/drone/README.md

@@ -1,9 +0,0 @@
-Add a `.env` file like this:
-
-```
-DRONE_GITEA_CLIENT_ID=...
-DRONE_GITEA_CLIENT_SECRET=...
-DRONE_RPC_SECRET=...
-```
-
-See also: https://docs.drone.io/server/provider/gitea/.

docker/docker/drone/docker-compose.yaml

@@ -1,30 +0,0 @@
-services:
-  drone:
-    image: drone/drone:2
-    environment:
-      DRONE_GITEA_SERVER: https://git.pbrinkmeier.de
-      DRONE_GITEA_CLIENT_ID: "${DRONE_GITEA_CLIENT_ID}"
-      DRONE_GITEA_CLIENT_SECRET: "${DRONE_GITEA_CLIENT_SECRET}"
-      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
-      DRONE_SERVER_HOST: ci.pbrinkmeier.de
-      DRONE_SERVER_PROTO: https
-    volumes:
-      - /var/lib/pbri/docker/drone:/data
-    restart: unless-stopped
-
-  drone_runner:
-    image: drone/drone-runner-docker:1
-    environment:
-      DRONE_RPC_PROTO: https
-      DRONE_RPC_HOST: ci.pbrinkmeier.de
-      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
-      DRONE_RUNNER_CAPACITY: 1
-      DRONE_RUNNER_NAME: shamash
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    restart: unless-stopped
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/factorio/Dockerfile

@@ -1,4 +0,0 @@
-FROM factoriotools/factorio:1.1.87
-
-COPY server-settings.json /server-settings.json
-ENTRYPOINT [ "/bin/sh", "-c", "mkdir -p /factorio/config && envsubst < /server-settings.json > /factorio/config/server-settings.json && exec /docker-entrypoint.sh" ]

docker/docker/factorio/README.md

@@ -1,10 +0,0 @@
-# factorio
-
-Add a `.env` file like this:
-
-```
-GAME_PASSWORD=...
-```
-
-Environment variables are put into `server-settings.json` during startup using `envsubst`.
-See also: https://hub.docker.com/r/factoriotools/factorio.

docker/docker/factorio/docker-compose.yaml

@@ -1,12 +0,0 @@
-services:
-  gitea:
-    image: pbrinkmeier/factorio
-    build: .
-    restart: always
-    environment:
-      GAME_PASSWORD: "${GAME_PASSWORD}"
-    volumes:
-      - /var/lib/pbri/docker/factorio:/factorio
-    ports:
-      - "34197:34197/udp"
-      - "27015:27015/tcp"

docker/docker/factorio/server-settings.json

@@ -1,72 +0,0 @@
-{
-    "name": "le epic factorio server",
-    "description": "Description of the game that will appear in the listing",
-    "tags": ["game", "tags"],
-  
-    "_comment_max_players": "Maximum number of players allowed, admins can join even a full server. 0 means unlimited.",
-    "max_players": 0,
-  
-    "_comment_visibility": ["public: Game will be published on the official Factorio matching server",
-                            "lan: Game will be broadcast on LAN"],
-    "visibility":
-    {
-      "public": false,
-      "lan": false
-    },
-  
-    "_comment_credentials": "Your factorio.com login credentials. Required for games with visibility public",
-    "username": "",
-    "password": "",
-  
-    "_comment_token": "Authentication token. May be used instead of 'password' above.",
-    "token": "",
-  
-    "game_password": "",
-  
-    "_comment_require_user_verification": "When set to true, the server will only allow clients that have a valid Factorio.com account",
-    "require_user_verification": false,
-  
-    "_comment_max_upload_in_kilobytes_per_second" : "optional, default value is 0. 0 means unlimited.",
-    "max_upload_in_kilobytes_per_second": 0,
-  
-    "_comment_max_upload_slots" : "optional, default value is 5. 0 means unlimited.",
-    "max_upload_slots": 5,
-  
-    "_comment_minimum_latency_in_ticks": "optional one tick is 16ms in default speed, default value is 0. 0 means no minimum.",
-    "minimum_latency_in_ticks": 0,
-  
-    "_comment_max_heartbeats_per_second": "Network tick rate. Maximum rate game updates packets are sent at before bundling them together. Minimum value is 6, maximum value is 240.",
-    "max_heartbeats_per_second": 60,
-  
-    "_comment_ignore_player_limit_for_returning_players": "Players that played on this map already can join even when the max player limit was reached.",
-    "ignore_player_limit_for_returning_players": false,
-  
-    "_comment_allow_commands": "possible values are, true, false and admins-only",
-    "allow_commands": "admins-only",
-  
-    "_comment_autosave_interval": "Autosave interval in minutes",
-    "autosave_interval": 10,
-  
-    "_comment_autosave_slots": "server autosave slots, it is cycled through when the server autosaves.",
-    "autosave_slots": 5,
-  
-    "_comment_afk_autokick_interval": "How many minutes until someone is kicked when doing nothing, 0 for never.",
-    "afk_autokick_interval": 5,
-  
-    "_comment_auto_pause": "Whether should the server be paused when no players are present.",
-    "auto_pause": true,
-  
-    "only_admins_can_pause_the_game": true,
-  
-    "_comment_autosave_only_on_server": "Whether autosaves should be saved only on server or also on all connected clients. Default is true.",
-    "autosave_only_on_server": true,
-  
-    "_comment_non_blocking_saving": "Highly experimental feature, enable only at your own risk of losing your saves. On UNIX systems, server will fork itself to create an autosave. Autosaving on connected Windows clients will be disabled regardless of autosave_only_on_server option.",
-    "non_blocking_saving": false,
-  
-    "_comment_segment_sizes": "Long network messages are split into segments that are sent over multiple ticks. Their size depends on the number of peers currently connected. Increasing the segment size will increase upload bandwidth requirement for the server and download bandwidth requirement for clients. This setting only affects server outbound messages. Changing these settings can have a negative impact on connection stability for some clients.",
-    "minimum_segment_size": 25,
-    "minimum_segment_size_peer_count": 20,
-    "maximum_segment_size": 100,
-    "maximum_segment_size_peer_count": 10
-  }

docker/docker/gitea/Dockerfile

@@ -1,3 +1,3 @@
- FROM gitea/act_runner:0.2.10
+ FROM gitea/act_runner:0.2.11
 
  COPY runner-config.yaml /opt/runner-config.yaml

docker/docker/gitea/docker-compose.yaml

@@ -64,7 +64,8 @@ services:
       - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data
 
   gitea_runner:
-    image: pbrinkmeier/act_runner:0.2.10
+    # Make sure to keep this in sync with the version in the Dockerfile
+    image: pbrinkmeier/act_runner:0.2.11
     build: .
     restart: unless-stopped
     environment:

docker/docker/glebby/docker-compose.yaml

@@ -1,9 +0,0 @@
-services:
-  glebby:
-    image: git.pbrinkmeier.de/paul/glebby:1.1-prod
-    restart: always
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/jupyter/docker-compose.yaml

@@ -1,13 +0,0 @@
-services:
-  jupyter:
-    image: git.pbrinkmeier.de/paul/jup:1.5
-    user: "42000"
-    volumes:
-      - /var/lib/pbri/docker/jupyter_data:/data
-      - /var/lib/pbri/docker/jupyter_notebooks:/notebooks
-    restart: always
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/score/README.md

@@ -1,3 +0,0 @@
-# score
-
-Seems to not be maintained anymore.

docker/docker/score/docker-compose.yaml

@@ -1,14 +0,0 @@
-services:
-  score:
-    image: ghcr.io/lbrocke/score:v1.0.2
-    user: "42003:42003"
-    environment:
-      SCORE_LISTEN: 0.0.0.0:8080
-    volumes:
-      - /var/lib/pbri/docker/score:/data
-    restart: unless-stopped
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/envs/drone/.env

@@ -1,14 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31333834393366333930346366373931333930646233383664643463393965303238613430646638
-6461373434616433353337643131396462326537346434380a386562633335346436303662336362
-62333739626237323334333666633162616338313932393261303231353539623237383638643030
-3364393934653232310a383065386530373433393635313665353532666361303436613337316565
-32306233336134383531633232393862303466373331373764376462653736663861663366323762
-65666263366461396362386264613830336435346234386234333562616131653938386439336566
-34386461343433346363336161373038303434383563303564653533623939613937323030636362
-66636639643963613236366138646335393831366432333637333065326162646237643561336666
-61323833333337633861646462393930663733333266336233663630396532366566303835653431
-38363365383166393765343735363030363562313837643837313864373735643264663264643633
-66306261633666616363666562306632613032373231633730313638383033633761653661383738
-39623630643766663438656635653530626664313765633430646330356333306239653437373839
-3933

docker/envs/factorio/.env

@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32356463313330336636636363646138393236636233326132623165353962623565356364396530
-3636336532396665333637653432353332643434643962390a313162343836306435383536313937
-36656632356366303561366536373535383538303730386239386437323466346533353634306436
-3930633464353235360a653936333734353137313363316261366666353238366566613865366463
-32393431343439383733343766323831643561663938376264336331306139646337343633346536
-3236343538323032636666366639303539316236393535323661

flake.lock

@@ -5,11 +5,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719936093,
+        "lastModified": 1737753628,
-        "narHash": "sha256-oe5wiTSfxeDLisswomHcMGMV01hkBGuCJyMzjqCDdPY=",
+        "narHash": "sha256-vwRbCpftG6/QrBeu3eQO1l5wzAg/pAMdvGOOLeXWeM4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f593f9129f3cbf39261a8bbc86f6b4ceb4624881",
+        "rev": "f22b0184bd0f4bb3061580b1e807feb68a85d90d",
         "type": "github"
       },
       "original": {