Change Factorio password

.gitea/workflows/check.yaml

@@ -1,15 +1,16 @@
 name: Check
-on: [push]
+"on": [push]
 jobs:
   "Lint Ansible Files":
-    runs-on: ubuntu-22.04
+    runs-on: node-22-bookworm
     steps:
       - run: apt-get update
+      - run: apt-get upgrade -y
       - run: apt-get install -y python3 python3-pip python3-venv
       - run: python3 --version
       - name: Check out repo
         uses: actions/checkout@v3
       - run: python3 -m venv venv
-      - run: venv/bin/pip --disable-pip-version-check install ansible==7.2.0 ansible-lint==6.16.1 > /dev/null 2> /dev/null
+      - run: venv/bin/pip --disable-pip-version-check install ansible==12.0.0 ansible-lint==25.8.2
       - run: venv/bin/ansible-lint -c .ansible-lint ansible
   # TODO: Reimplement ansible-play --check step from old drone config

README.md

@@ -4,8 +4,8 @@
 
 | Prop | Value |
 | --- | --- |
-| Hostname | `shamash` |
-| Domains  | `{,pad.,codi.,ci.,git.,jupyter.,plantuml.}pbrinkmeier.de`, `tichy.click`, `beany.club`, `vmd98928.contaboserver.net` |
+| Hostname | `nanna` |
+| Domains  | `{,pad.,codi.,git.,plantuml.}pbrinkmeier.de`, `tichy.click`, `{utoy,vrnp}.beany.club` |
 
 ## Linting
 
@@ -17,3 +17,10 @@ ansible-lint --offline
 ```
 
 to avoid checking for a new version every single run.
+
+## TODO
+
+- [x] Migrate to `community.docker.docker_compose_v2` (`v1` is deprecated)
+- [x] Nix Gitea Action runner
+- [x] Install but disable zomboid server
+- [x] Download volume for yore

ansible/README.md

@@ -12,11 +12,11 @@ nix develop
 ## `misc.yaml`
 
 Server for miscellaneous stuff, e.g. the website.
-Expects to have a user `andi` who can `sudo`.
+Expects to have a user `paul who can `sudo`.
 Sets up:
 
 - Some basic packages
-- Docker and `docker-compose` (the latter via `pip`)
+- Docker and `docker-compose`
 - Nix multi-user installation
 
 ## `misc-docker.yaml`

ansible/group_vars/gods/vars.yaml

@@ -0,0 +1,18 @@
+---
+ansible_python_interpreter: /usr/bin/python3
+gods_users:
+  - name: postgres
+    uid: 70
+    state: present
+  - name: hackmd
+    uid: 1500
+    state: present
+  - name: gitea
+    uid: 42001
+    state: present
+  - name: caddy
+    uid: 42002
+    state: present
+  - name: yore
+    uid: 42004
+    state: present

ansible/group_vars/misc/vars.yaml

@@ -1,4 +0,0 @@
----
-# Has pw-less sudo
-ansible_user: paul
-ansible_python_interpreter: /usr/bin/python3

ansible/host_vars/nanna/vars.yaml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+62643463383563343863376537643438356663636666356636346465613165363231653664323164
+3137343761613064616566656133346339613462333330360a626431653366643162316435373066
+65323863373361363765623563653863366338616564623532363233646466316539376666356564
+3034393930376630350a396632393262316238663162346533343464386135666364383663313539
+63393536353334666432393639616130636232343630626235663337393438336430666637663133
+65316161646161376333376330353063363966383936396566323633366435663835346564356137
+65633262623133373865643230303236663532623863386264326662393364396636306537653264
+62326264393039343733643138313639333635366532383137613131656163356534303738336338
+6339

ansible/inventory

@@ -1,2 +1,2 @@
-[misc]
-vmd98928.contaboserver.net ansible_port=2309
+[gods]
+nanna

ansible/playbooks/misc-all.yaml

@@ -1,8 +0,0 @@
-# All tasks for misc, use this to check whether everything is deployed.
----
-- name: Set up basic packages, Docker, Nix, sshd
-  import_playbook: misc-setup.yaml
-- name: Deploy Docker configuration
-  import_playbook: misc-docker.yaml
-- name: Check out static websites from git
-  import_playbook: misc-sites.yaml

ansible/playbooks/misc-setup.yaml

@@ -1,74 +0,0 @@
----
-- name: Basic setup for shamash (packages, Docker, Nix, sshd)
-  hosts: misc
-  tasks:
-    - name: Create /etc/pbri
-      become: true
-      ansible.builtin.file:
-        path: /etc/pbri
-        state: directory
-        mode: u=rwx,g=rx,o=rx
-    - name: Create /home/paul/{Sites,Source}
-      become: true
-      ansible.builtin.file:
-        path: "/home/paul/{{ item }}"
-        state: directory
-        owner: paul
-        group: paul
-        mode: u=rwx,g=rx,o=rx
-      loop:
-        - Sites
-        - Source
-    - name: Install basic packages
-      become: true
-      ansible.builtin.apt:
-        name:
-          - vim
-          - git
-          - htop
-          - tmux
-        update_cache: true
-      tags:
-        - apt
-    - name: Install and set up Docker and docker-compose
-      ansible.builtin.include_role:
-        name: docker
-    - name: Install and set up Nix
-      ansible.builtin.include_role:
-        name: install_nix
-    - name: Install pip prerequisites
-      become: true
-      ansible.builtin.apt:
-        name:
-          - python3-pip
-          - python3-setuptools
-          - python3-virtualenv
-    - name: Install global python docker package
-      become: true
-      ansible.builtin.pip:
-        name:
-          - docker
-          - docker-compose
-          - requests
-    - name: Configure sshd
-      become: true
-      ansible.builtin.copy:
-        dest: /etc/ssh/sshd_config.d/00_pbri.conf
-        mode: u=rw,g=r,o=r
-        # Included by /etc/ssh/sshd_config before other configuration
-        content: |
-          Port 2309
-          PermitRootLogin no
-          PubkeyAuthentication yes
-          AuthorizedKeysFile .ssh/authorized_keys
-          PasswordAuthentication no
-        validate: /usr/sbin/sshd -T -f %s
-      notify:
-        - Restart sshd
-
-  handlers:
-    - name: Restart sshd
-      become: true
-      ansible.builtin.service:
-        name: sshd
-        state: restarted

ansible/playbooks/misc-sites.yaml

@@ -1,18 +0,0 @@
----
-- name: Check out static sites hosted on shamash
-  hosts: misc
-  tasks:
-    - name: Check out static sites
-      ansible.builtin.include_role:
-        name: checkout_static_sites
-      vars:
-        checkout_static_sites:
-          checkouts:
-            - path: /home/paul/Sites/pbrinkmeier.de
-              url: https://git.pbrinkmeier.de/paul/pbrinkmeier.de
-              commit: 680ac7d9c44752f57436d0ecb9c8018205a5fc0f
-              owner: paul
-            - path: /home/paul/Sites/tichy.click
-              url: https://github.com/pbrinkmeier/tichy-clicker
-              commit: 7dfb14183c765e3661fda84a7e89c2f73ca86f26
-              owner: paul

ansible/playbooks/nanna-docker.yaml

@@ -1,39 +1,25 @@
 ---
-- name: Update Docker configuration on shamash
-  hosts: misc
+- name: Update Docker configuration
+  hosts: gods
   tasks:
+    - name: Add groups
+      become: true
+      ansible.builtin.group:
+        name: "{{ item.name }}"
+        gid: "{{ item.uid }}"
+        state: "{{ item.state }}"
+        system: true
+      loop: "{{ gods_users }}"
     - name: Add users for running containers
       become: true
       ansible.builtin.user:
         name: "{{ item.name }}"
         uid: "{{ item.uid }}"
+        group: "{{ item.name }}"
         state: "{{ item.state }}"
         create_home: false
         system: true
-      loop:
-        - name: jupyter
-          uid: 42000
-          state: present
-        - name: gitea
-          uid: 42001
-          state: present
-        - name: score
-          uid: 42003
-          state: present
-        - name: factorio
-          uid: 845
-          state: present
-        - name: hackmd
-          uid: 1500
-          state: present
-
-        - name: hedgedoc
-          uid: 10000
-          state: absent
-        - name: bsa
-          uid: 42002
-          state: absent
-    # All services that are behind Caddy need to be in this network
+      loop: "{{ gods_users }}"
     - name: Create Caddy network
       become: true
       community.docker.docker_network:
@@ -48,6 +34,13 @@
         mode: u=rw,g=,o=
         # Directories should be listable
         directory_mode: u=rwx,g=rx,o=rx
+    - name: Create directory for docker volumes
+      become: true
+      ansible.builtin.file:
+        path: /var/lib/pbri/docker
+        state: directory
+        # Hide contents from non-root users
+        mode: u=rwx,g=,o=
     - name: Upload and decrypt docker environment vars
       become: true
       ansible.builtin.copy:
@@ -58,24 +51,22 @@
         # This is true by default but I put it here anyways
         # to emphasize what's happening
         decrypt: true
-      # Not quite happy with all the seperate loops yet.
       loop:
+        - name: gitea
+          state: present
         - name: codi
           state: present
-        - name: drone
+        - name: vrnp
+          state: present
+        - name: zomboid
+          state: present
+        - name: yore
           state: present
         - name: factorio
           state: present
-        - name: gitea
-          state: present
-    - name: Create directory for docker volumes
-      become: true
-      ansible.builtin.file:
-        path: /var/lib/pbri/docker
-        state: directory
-        # Hide contents from non-root users
-        mode: u=rwx,g=,o=
-    - name: Create jupyter folders
+    # This needs to be done for any services where user:
+    # is set in docker-compose.yaml.
+    - name: Create volume directories with correct permissions
       become: true
       ansible.builtin.file:
         path: "/var/lib/pbri/docker/{{ item.name }}"
@@ -84,36 +75,30 @@
         state: directory
         mode: u=rwx,g=,o=
       loop:
-        - name: jupyter_data
-          user: jupyter
-        - name: jupyter_notebooks
-          user: jupyter
-    - name: Create Factorio data folder
-      become: true
-      ansible.builtin.file:
-        path: /var/lib/pbri/docker/factorio
-        state: directory
-        owner: factorio
-        group: factorio
-        mode: u=rwx,g=,o=
-    - name: Create score data folder
-      become: true
-      ansible.builtin.file:
-        path: /var/lib/pbri/docker/score
-        state: directory
-        owner: score
-        group: score
-        mode: u=rwx,g=,o=
+        - name: caddy_config
+          user: caddy
+        - name: caddy_data
+          user: caddy
+        - name: codi_uploads
+          user: hackmd
+        - name: nix_runner_etc
+          user: 1000
+        - name: nix_runner_nix
+          user: 1000
+        - name: nix_runner_home_node
+          user: 1000
+        - name: yore_data
+          user: yore
     # Since some docker-compose configuration might want to pull
     # images from the Gitea package repository, we need to ensure
     # that Gitea is reachable before those configurations are deployed.
     - name: Set up caddy and gitea containers
       become: true
-      community.docker.docker_compose:
+      community.docker.docker_compose_v2:
         project_src: "/etc/pbri/docker/{{ item.name }}"
         state: "{{ item.state }}"
-        build: true
-        debug: true
+        build: "always"
+        pull: "always"
       loop:
         - name: caddy
           state: present
@@ -129,27 +114,24 @@
       register: gitea_version_response
       until: gitea_version_response.status == 200
       retries: 10
-      delay: 5  # Retry every 5 seconds
+      delay: 3  # Retry every 3 seconds
     - name: Set up other containers
       become: true
-      community.docker.docker_compose:
+      community.docker.docker_compose_v2:
         project_src: "/etc/pbri/docker/{{ item.name }}"
         state: "{{ item.state }}"
-        build: true
-        debug: true
+        build: "always"
+        pull: "always"
       loop:
-        - name: drone
-          state: present
         - name: codi
           state: present
-        - name: jupyter
-          state: present
         - name: utoy
           state: present
-        - name: score
+        - name: vrnp
+          state: present
+        - name: yore
           state: present
-
         - name: factorio
-          state: absent
-        - name: glebby
+          state: present
+        - name: zomboid
           state: absent

ansible/playbooks/nanna-setup.yaml

@@ -0,0 +1,76 @@
+---
+- name: Basic setup for nanna
+  hosts: nanna
+  tasks:
+    - name: Configure sshd
+      become: true
+      ansible.builtin.copy:
+        dest: /etc/ssh/sshd_config.d/00_pbri.conf
+        mode: u=rw,g=r,o=r
+        # Included by /etc/ssh/sshd_config before other configuration
+        content: |
+          Port 2309
+          PermitRootLogin no
+          PubkeyAuthentication yes
+          AuthorizedKeysFile .ssh/authorized_keys
+          PasswordAuthentication no
+        validate: /usr/sbin/sshd -T -f %s
+      notify:
+        - Restart sshd
+    - name: Install and set up Docker and docker-compose
+      ansible.builtin.include_role:
+        name: docker
+    - name: Add Davids group
+      become: true
+      ansible.builtin.group:
+        name: "david"
+        state: "present"
+    - name: Add David
+      become: true
+      ansible.builtin.user:
+        name: "david"
+        group: "david"
+        state: "present"
+        shell: "/bin/bash"
+        # Disable password auth
+        password: "!"
+    - name: Create David SSH directory
+      become: true
+      ansible.builtin.file:
+        path: /home/david/.ssh
+        owner: david
+        group: david
+        state: directory
+        mode: "0700"
+    - name: Set David SSH key
+      become: true
+      ansible.builtin.lineinfile:
+        path: /home/david/.ssh/authorized_keys
+        line: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICttSQcZsKvw5qKCDGt\
+nxEdyH1aEGOGGRqDCp3U/SG46 davidtanner@coolerLaptop2.fritz.box"
+        owner: david
+        group: david
+        create: true
+        state: present
+        mode: "0600"
+    - name: Add work SSH key
+      become: true
+      ansible.builtin.lineinfile:
+        path: /home/paul/.ssh/authorized_keys
+        line: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeHrSd8NJ9dAoQEJez\
+FbxfbWlo/HQNoA8vaaBZj58Cp paul@MacBook-Pro.meqo"
+        owner: paul
+        group: paul
+        create: true
+        state: present
+        mode: "0600"
+    - name: Install Nix
+      ansible.builtin.include_role:
+        name: install_nix
+
+  handlers:
+    - name: Restart sshd
+      become: true
+      ansible.builtin.service:
+        name: ssh
+        state: restarted

ansible/playbooks/nanna-sites.yaml

@@ -0,0 +1,50 @@
+---
+- name: Check out static sites hosted on nanna
+  hosts: nanna
+  tasks:
+    - name: Check out static sites
+      ansible.builtin.include_role:
+        name: checkout_static_sites
+      vars:
+        checkout_static_sites_config:
+          checkouts:
+            - path: /home/paul/Sites/pbrinkmeier.de
+              url: https://git.pbrinkmeier.de/paul/pbrinkmeier.de
+              commit: a3ad633087d2778ccfcf0f154d4717e9f9451d9b
+              owner: paul
+            - path: /home/paul/Sites/tichy.click
+              url: https://github.com/pbrinkmeier/tichy-clicker
+              commit: 7dfb14183c765e3661fda84a7e89c2f73ca86f26
+              owner: paul
+    - name: Create David Sites directory
+      become: true
+      ansible.builtin.file:
+        path: /home/david/Sites
+        state: directory
+        owner: david
+        group: david
+        mode: "0755"
+    - name: Create dt.beany.club directory
+      become: true
+      ansible.builtin.file:
+        path: /home/david/Sites/dt.beany.club
+        state: directory
+        owner: david
+        group: david
+        mode: "0775"
+    - name: Create vorschlagzumklangvongeschichtsschreibendenprozessen.de directory
+      become: true
+      ansible.builtin.file:
+        path: /home/david/Sites/vorschlagzumklangvongeschichtsschreibendenprozessen.de
+        state: directory
+        owner: david
+        group: david
+        mode: "0775"
+    - name: Create beany.club directory
+      become: true
+      ansible.builtin.file:
+        path: /home/paul/Sites/beany.club
+        state: directory
+        owner: paul
+        group: paul
+        mode: "0775"

ansible/roles/checkout_static_sites/tasks/main.yaml

@@ -7,7 +7,7 @@
     mode: '0755'
     owner: "{{ item.owner }}"
     group: "{{ item.owner }}"
-  loop: "{{ checkout_static_sites.checkouts }}"
+  loop: "{{ checkout_static_sites_config.checkouts }}"
 - name: Check out static site repositories
   become: true
   become_user: "{{ item.owner }}"
@@ -15,4 +15,5 @@
     dest: "{{ item.path }}"
     repo: "{{ item.url }}"
     version: "{{ item.commit }}"
-  loop: "{{ checkout_static_sites.checkouts }}"
+    force: true
+  loop: "{{ checkout_static_sites_config.checkouts }}"

ansible/roles/docker/defaults/main.yaml

@@ -0,0 +1,3 @@
+---
+docker_apt_arch: "amd64"
+docker_ubuntu_release: "{{ ansible_distribution_release }}"

ansible/roles/docker/tasks/main.yaml

@@ -25,12 +25,6 @@
     stdin: "{{ docker_gpg_key.content }}"
     creates: /usr/share/keyrings/docker-archive-keyring.gpg
 
-- name: Retrieve dpkg architecture
-  check_mode: false
-  ansible.builtin.command: dpkg --print-architecture
-  register: docker_dpkg_architecture
-  changed_when: false
-
 - name: Add Docker apt repository
   become: true
   ansible.builtin.template:
@@ -48,3 +42,4 @@
       - docker-ce
       - docker-ce-cli
       - containerd.io
+      - docker-compose-plugin

ansible/roles/docker/templates/docker.list.j2

@@ -1 +1 @@
-deb [arch={{ docker_dpkg_architecture.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+deb [arch={{ docker_apt_arch }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_release }} stable

ansible/roles/install_nix/files/install-nix

@@ -26,38 +26,43 @@ require_util() {
 
 case "$(uname -s).$(uname -m)" in
     Linux.x86_64)
-        hash=0b32afd8c9147532bf8ce8908395b1b4d6dde9bedb0fcf5ace8b9fe0bd4c075c
-        path=0zij5bm5f2gm3p2c8dkkv58684j1k100/nix-2.8.0-x86_64-linux.tar.xz
+        hash=d1f67c86eed016214864ba08bfb9529c307aea7e8fafb74853f96fcc3bfd8a60
+        path=n1j9ng0120ql98l5a8mi626ka8wvixq4/nix-2.31.2-x86_64-linux.tar.xz
         system=x86_64-linux
         ;;
     Linux.i?86)
-        hash=3f4bb50f639515df069fb682bb68da77565e5ca8678a3b0fb7dcc79ef591f518
-        path=kjpj1rn6x5lh20fkyfyyzgmgjdra1jpy/nix-2.8.0-i686-linux.tar.xz
+        hash=9e8a403421c68683557180444f089861469e12b41d41ee2f9be4c8e731b7d160
+        path=zjcwglfyf0fvjb4j86kgijzwhzaqbngc/nix-2.31.2-i686-linux.tar.xz
         system=i686-linux
         ;;
     Linux.aarch64)
-        hash=d29ea31c581e1ba7a651e6b22999cef8923e852e1d6fe7008d9545f4275f5343
-        path=npadny2da5149lcycbfmacf1r936n9zg/nix-2.8.0-aarch64-linux.tar.xz
+        hash=64db528412096d718b4bf8f78f85e5ac2b714b774e5005500dee37d23f560456
+        path=0aw1ka8njh94nvjy8596va5bbx4wd2nw/nix-2.31.2-aarch64-linux.tar.xz
         system=aarch64-linux
         ;;
-    Linux.armv6l_linux)
-        hash=69d5cb0e95bc83154099debd139d4f767622d94b17149fa127d492017c2e3896
-        path=jb1l7y40im5dsbq5gamppss59y0c7jmj/nix-2.8.0-armv6l-linux.tar.xz
+    Linux.armv6l)
+        hash=5e088d3f4fe27dd35991b1888c1ea5284edade24965328604968b9a1cc20a94c
+        path=2pzkwf2ysf0znsnz5i9gfn6w2gikhlys/nix-2.31.2-armv6l-linux.tar.xz
         system=armv6l-linux
         ;;
-    Linux.armv7l_linux)
-        hash=25857729f23dc25fe92dabd376917d83fe0f23038f82c1f2ab230171eb70f648
-        path=firp24ikxcygwrwd4208lyla4b6jl3sh/nix-2.8.0-armv7l-linux.tar.xz
+    Linux.armv7l)
+        hash=4e2c1e8a3172ae71f041b9b647aa8153fb24518272d1a9bc3d9b384ab7ad54a1
+        path=nkp9wbvnsxinr9xl7sn0yy96wvc4chn0/nix-2.31.2-armv7l-linux.tar.xz
         system=armv7l-linux
         ;;
+    Linux.riscv64)
+        hash=79601e08b6389df130b5bf1e0a48590aea044ac18bc61660545cf65843b39251
+        path=dhqxgwygm94vd6rdiwscxxz98kh8jal3/nix-2.31.2-riscv64-linux.tar.xz
+        system=riscv64-linux
+        ;;
     Darwin.x86_64)
-        hash=ebf383f1b499d3e4897cd61d068dc46e118e5f53667f5f28748b0b3682d7649a
-        path=wwf7b61nyhgj3z0vvgnnb4yzi081jkjp/nix-2.8.0-x86_64-darwin.tar.xz
+        hash=ed8df6a1046dea90ba4068a827bdeaf372d522867c4d2b48cdb37145c200eeba
+        path=5zp5bzz45sn9ff2bfhh03cmavvm1r6gs/nix-2.31.2-x86_64-darwin.tar.xz
         system=x86_64-darwin
         ;;
     Darwin.arm64|Darwin.aarch64)
-        hash=f320f381299e0fc2f907ae81ac123d0689245cb39f0672f8a65dffea12fa0240
-        path=fr5rcinvqzgcrggxw3phrzcck9wpzz83/nix-2.8.0-aarch64-darwin.tar.xz
+        hash=3baa0af88a1ef4e2cc82cb64cd384b1805ecc3771b574e97277ae213d52711d8
+        path=b7hidzsb4i3gx6s23ig9mp7mwmiljzfk/nix-2.31.2-aarch64-darwin.tar.xz
         system=aarch64-darwin
         ;;
     *) oops "sorry, there is no binary distribution of Nix for your platform";;
@@ -71,10 +76,10 @@ if [ "${1:-}" = "--tarball-url-prefix" ]; then
     url=${2}/${path}
     shift 2
 else
-    url=https://releases.nixos.org/nix/nix-2.8.0/nix-2.8.0-$system.tar.xz
+    url=https://releases.nixos.org/nix/nix-2.31.2/nix-2.31.2-$system.tar.xz
 fi
 
-tarball=$tmpDir/nix-2.8.0-$system.tar.xz
+tarball=$tmpDir/nix-2.31.2-$system.tar.xz
 
 require_util tar "unpack the binary tarball"
 if [ "$(uname -s)" != "Darwin" ]; then
@@ -89,7 +94,7 @@ else
     oops "you don't have wget or curl installed, which I need to download the binary tarball"
 fi
 
-echo "downloading Nix 2.8.0 binary tarball for $system from '$url' to '$tmpDir'..."
+echo "downloading Nix 2.31.2 binary tarball for $system from '$url' to '$tmpDir'..."
 fetch "$url" "$tarball" || oops "failed to download '$url'"
 
 if command -v sha256sum > /dev/null 2>&1; then

docker/docker/caddy/Caddyfile

@@ -8,6 +8,29 @@ pbrinkmeier.de {
     }
 }
 
+files.pbrinkmeier.de {
+    basicauth {
+        wug JDJhJDE0JEJrQXUzVWxFZ2JGVmx6YlZWTkpYdy5IMjRXdnZZdGw5SjZDcUg2ZWMxOEVjcEV6dWhIRmhD
+    }
+    file_server {
+        root /srv/files.pbrinkmeier.de
+    }
+}
+
+dt.beany.club {
+    file_server {
+        root /srv/dt.beany.club
+        browse
+    }
+}
+
+vorschlagzumklangvongeschichtsschreibendenprozessen.de {
+    file_server {
+        root /srv/vorschlagzumklangvongeschichtsschreibendenprozessen.de
+        browse
+    }
+}
+
 tichy.click {
     file_server {
         root /srv/tichy.click
@@ -26,17 +49,6 @@ git.pbrinkmeier.de {
     reverse_proxy gitea:3000
 }
 
-ci.pbrinkmeier.de {
-    reverse_proxy drone:80
-}
-
-jupyter.pbrinkmeier.de {
-    reverse_proxy jupyter:8888
-    basicauth {
-        wug JDJhJDE0JEJrQXUzVWxFZ2JGVmx6YlZWTkpYdy5IMjRXdnZZdGw5SjZDcUg2ZWMxOEVjcEV6dWhIRmhD
-    }
-}
-
 plantuml.pbrinkmeier.de {
     reverse_proxy codi_plantuml:8080
 }
@@ -45,6 +57,19 @@ utoy.beany.club {
     reverse_proxy utoy:3000
 }
 
-score.brocke.net {
-    reverse_proxy score:8080
+vrnp.beany.club {
+    reverse_proxy vrnp:8000
+}
+
+fz.beany.club {
+    reverse_proxy yore:3000
+}
+
+beany.club, www.beany.club {
+    file_server {
+        root /srv/beany.club
+    }
+    header /hotel {
+        Content-Type application/pdf
+    }
 }

docker/docker/caddy/Dockerfile

@@ -1,3 +1,4 @@
 FROM caddy
 
-COPY Caddyfile /etc/caddy/Caddyfile
+COPY Caddyfile /etc/caddy/Caddyfile
+RUN chown 42002:42002 /etc/caddy/Caddyfile

docker/docker/caddy/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3"
-
 services:
   # Webserver for static files and reverse proxy
   web:
@@ -8,10 +6,17 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    user: "42002"
     volumes:
       - /var/lib/pbri/docker/caddy_data:/data
       - /var/lib/pbri/docker/caddy_config:/config
-      - /home/paul/Sites:/srv:ro
+      # See nanna-sites playbook/Caddyfile
+      - /home/david/Sites/dt.beany.club:/srv/dt.beany.club:ro
+      - /home/david/Sites/vorschlagzumklangvongeschichtsschreibendenprozessen.de:/srv/vorschlagzumklangvongeschichtsschreibendenprozessen.de:ro
+      - /home/paul/Sites/files.pbrinkmeier.de:/srv/files.pbrinkmeier.de:ro
+      - /home/paul/Sites/pbrinkmeier.de:/srv/pbrinkmeier.de:ro
+      - /home/paul/Sites/tichy.click:/srv/tichy.click:ro
+      - /home/paul/Sites/beany.club:/srv/beany.club:ro
     restart: always
 
 networks:

docker/docker/codi/docker-compose.yaml

@@ -1,8 +1,6 @@
-version: "3"
-
 services:
   codi:
-    image: hackmdio/hackmd:2.4.2
+    image: hackmdio/hackmd:2.5.4
     user: hackmd
     environment:
       # Admin stuff
@@ -38,7 +36,7 @@ services:
     volumes:
       - /var/lib/pbri/docker/codi_uploads:/home/hackmd/app/public/uploads
     restart: always
-    
+
   codi_db:
     image: postgres:11.6-alpine
     environment:

docker/docker/drone/README.md

@@ -1,9 +0,0 @@
-Add a `.env` file like this:
-
-```
-DRONE_GITEA_CLIENT_ID=...
-DRONE_GITEA_CLIENT_SECRET=...
-DRONE_RPC_SECRET=...
-```
-
-See also: https://docs.drone.io/server/provider/gitea/.

docker/docker/drone/docker-compose.yaml

@@ -1,32 +0,0 @@
-version: "3"
-
-services:
-  drone:
-    image: drone/drone:2
-    environment:
-      DRONE_GITEA_SERVER: https://git.pbrinkmeier.de
-      DRONE_GITEA_CLIENT_ID: "${DRONE_GITEA_CLIENT_ID}"
-      DRONE_GITEA_CLIENT_SECRET: "${DRONE_GITEA_CLIENT_SECRET}"
-      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
-      DRONE_SERVER_HOST: ci.pbrinkmeier.de
-      DRONE_SERVER_PROTO: https
-    volumes:
-      - /var/lib/pbri/docker/drone:/data
-    restart: unless-stopped
-
-  drone_runner:
-    image: drone/drone-runner-docker:1
-    environment:
-      DRONE_RPC_PROTO: https
-      DRONE_RPC_HOST: ci.pbrinkmeier.de
-      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
-      DRONE_RUNNER_CAPACITY: 1
-      DRONE_RUNNER_NAME: shamash
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    restart: unless-stopped
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/factorio/Dockerfile

@@ -1,4 +1,4 @@
-FROM factoriotools/factorio:1.1.87
+FROM factoriotools/factorio:2.0.73
 
 COPY server-settings.json /server-settings.json
 ENTRYPOINT [ "/bin/sh", "-c", "mkdir -p /factorio/config && envsubst < /server-settings.json > /factorio/config/server-settings.json && exec /docker-entrypoint.sh" ]

docker/docker/factorio/docker-compose.yaml

@@ -1,12 +1,13 @@
-version: "3"
+---
 
 services:
-  gitea:
+  factorio:
     image: pbrinkmeier/factorio
     build: .
     restart: always
     environment:
       GAME_PASSWORD: "${GAME_PASSWORD}"
+      DLC_SPACE_AGE: false
     volumes:
       - /var/lib/pbri/docker/factorio:/factorio
     ports:

docker/docker/factorio/server-settings.json

@@ -21,7 +21,7 @@
     "_comment_token": "Authentication token. May be used instead of 'password' above.",
     "token": "",
   
-    "game_password": "",
+    "game_password": "${GAME_PASSWORD}",
   
     "_comment_require_user_verification": "When set to true, the server will only allow clients that have a valid Factorio.com account",
     "require_user_verification": false,

docker/docker/gitea/Dockerfile

@@ -1,3 +1,3 @@
- FROM gitea/act_runner:0.2.5
+ FROM gitea/act_runner:0.2.11
 
  COPY runner-config.yaml /opt/runner-config.yaml

docker/docker/gitea/docker-compose.yaml

@@ -1,8 +1,6 @@
-version: "3"
-
 services:
   gitea:
-    image: gitea/gitea:1.20.3
+    image: gitea/gitea:1.23.1
     restart: unless-stopped
     environment:
       # Ref: https://docs.gitea.io/en-us/config-cheat-sheet
@@ -66,7 +64,8 @@ services:
       - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data
 
   gitea_runner:
-    image: pbrinkmeier/act_runner:0.2.5
+    # Make sure to keep this in sync with the version in the Dockerfile
+    image: pbrinkmeier/act_runner:0.2.11
     build: .
     restart: unless-stopped
     environment:

docker/docker/gitea/runner-config.yaml

@@ -32,6 +32,8 @@ runner:
   # ubuntu:22.04 here is not enough.
   labels:
     - "ubuntu-22.04:docker://node:16-bullseye"
+    - "node-22-bullseye:docker://node:22-bullseye"
+    - "node-22-bookworm:docker://node:22-bookworm"
 
 cache:
   # Enable cache server to use actions/cache.
@@ -72,7 +74,10 @@ container:
   # If you want to allow any volume, please use the following configuration:
   # valid_volumes:
   #   - '**'
-  valid_volumes: []
+  valid_volumes:
+    - /var/lib/pbri/docker/nix_runner_etc
+    - /var/lib/pbri/docker/nix_runner_nix
+    - /var/lib/pbri/docker/nix_runner_home_node
   # overrides the docker client host with the specified one.
   # If it's empty, act_runner will find an available docker host automatically.
   # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.

docker/docker/glebby/docker-compose.yaml

@@ -1,11 +0,0 @@
-version: "3"
-
-services:
-  glebby:
-    image: git.pbrinkmeier.de/paul/glebby:1.1-prod
-    restart: always
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/jupyter/docker-compose.yaml

@@ -1,15 +0,0 @@
-version: "3"
-
-services:
-  jupyter:
-    image: git.pbrinkmeier.de/paul/jup:1.5
-    user: "42000"
-    volumes:
-      - /var/lib/pbri/docker/jupyter_data:/data
-      - /var/lib/pbri/docker/jupyter_notebooks:/notebooks
-    restart: always
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/score/docker-compose.yaml

@@ -1,16 +0,0 @@
-version: "3"
-
-services:
-  score:
-    image: ghcr.io/lbrocke/score:v1.0.2
-    user: "42003:42003"
-    environment:
-      SCORE_LISTEN: 0.0.0.0:8080
-    volumes:
-      - /var/lib/pbri/docker/score:/data
-    restart: unless-stopped
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/docker/utoy/docker-compose.yaml

@@ -1,8 +1,6 @@
-version: "3"
-
 services:
   utoy:
-    image: git.pbrinkmeier.de/paul/utoy:0.6
+    image: git.pbrinkmeier.de/paul/utoy:0.6.3
     restart: always
 
 networks:

docker/docker/vrnp/docker-compose.yaml

@@ -0,0 +1,12 @@
+services:
+  vrnp:
+    image: git.pbrinkmeier.de/paul/vrnp:0.0.10
+    restart: always
+    environment:
+      VRNP_PASSWORD: "${VRNP_PASSWORD}"
+      VRNP_CLIENT_ALLOWLIST: "VAG"
+
+networks:
+  default:
+    name: caddy-network
+    external: true

docker/docker/yore/docker-compose.yaml

@@ -0,0 +1,34 @@
+services:
+  yore:
+    image: git.pbrinkmeier.de/paul/yore:0.0.9
+    restart: always
+    environment:
+      # For dbmate (migrations)
+      DATABASE_URL: "postgres://yore:${YORE_DB_PASSWORD}@yore_db/yore-db?sslmode=disable&search_path=public"
+      # For yore itself
+      YORE_DB: "host=yore_db dbname=yore-db user=yore password=${YORE_DB_PASSWORD}"
+      YORE_DOWNLOAD_DIR: /data/downloads
+      YORE_DBMATE_DIR: /data/dbmate
+    user: 42004:42004
+    volumes:
+      - /etc/passwd:/etc/passwd:ro
+      - /etc/group:/etc/group:ro
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /var/lib/pbri/docker/yore_data:/data
+
+  yore_db:
+    image: postgres:17-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: yore-db
+      POSTGRES_USER: yore
+      POSTGRES_PASSWORD: "${YORE_DB_PASSWORD}"
+    volumes:
+      - /var/lib/pbri/docker/yore_db:/var/lib/postgresql/data
+
+
+networks:
+  default:
+    name: caddy-network
+    external: true

docker/docker/zomboid/docker-compose.yaml

@@ -0,0 +1,15 @@
+services:
+  zomboid:
+    image: renegademaster/zomboid-dedicated-server:2.5.0
+    restart: unless-stopped
+    volumes:
+      - /var/lib/pbri/docker/zomboid_dedicated_server:/home/steam/ZomboidDedicatedServer
+      - /var/lib/pbri/docker/zomboid_config:/home/steam/Zomboid
+    ports:
+      - "16261:16261/udp"
+      - "16262:16262/udp"
+    environment:
+      ADMIN_USERNAME: "the_gwiddy"
+      ADMIN_PASSWORD: "${ZOMBOID_ADMIN_PASSWORD}"
+      SERVER_NAME: "server3"
+      SERVER_PASSWORD: "${ZOMBOID_SERVER_PASSWORD}"

docker/envs/drone/.env

@@ -1,14 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31333834393366333930346366373931333930646233383664643463393965303238613430646638
-6461373434616433353337643131396462326537346434380a386562633335346436303662336362
-62333739626237323334333666633162616338313932393261303231353539623237383638643030
-3364393934653232310a383065386530373433393635313665353532666361303436613337316565
-32306233336134383531633232393862303466373331373764376462653736663861663366323762
-65666263366461396362386264613830336435346234386234333562616131653938386439336566
-34386461343433346363336161373038303434383563303564653533623939613937323030636362
-66636639643963613236366138646335393831366432333637333065326162646237643561336666
-61323833333337633861646462393930663733333266336233663630396532366566303835653431
-38363365383166393765343735363030363562313837643837313864373735643264663264643633
-66306261633666616363666562306632613032373231633730313638383033633761653661383738
-39623630643766663438656635653530626664313765633430646330356333306239653437373839
-3933

docker/envs/factorio/.env

@@ -1,7 +1,6 @@
 $ANSIBLE_VAULT;1.1;AES256
-32356463313330336636636363646138393236636233326132623165353962623565356364396530
-3636336532396665333637653432353332643434643962390a313162343836306435383536313937
-36656632356366303561366536373535383538303730386239386437323466346533353634306436
-3930633464353235360a653936333734353137313363316261366666353238366566613865366463
-32393431343439383733343766323831643561663938376264336331306139646337343633346536
-3236343538323032636666366639303539316236393535323661
+33633161386465383663373137623030626264653862373161353564343662346433376437353530
+6265356266663464613439663434373531333939326538330a313064343637366632633866343534
+38313234303830636364383361613538666338636333323262333438313134353134356635626239
+6366336439353266660a633161383062666130396566396431383534313266343431633064376463
+38623562656564363565346166396363303636323062336636313838653638663833

docker/envs/gitea/.env

@@ -1,14 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-35623364633833623964623536646534373634663736613561333561343136333965306638396532
-6162393239383936386338666565306132646230383066630a336337613636383431623738343663
-61343262363631376665383035323139313863626331666439336134613035663439376231343863
-3032353139643138640a383365356630323835383538393734643134343133653033383663333464
-62386361633435633664306531623835353665326432393932336163316561653866343137323030
-63643262323436356166373533363235366238393633336631336266373837373932313134303563
-65633337393938623134636538653561356565333831356638373862376333336163363438626438
-39343436383732313561396236656530303064363961663636353538346264633532633866333162
-35303032303662646166333537373566316462633536333463323433353539623363323036643763
-34376365613932303133366236613235636238643139666663356436326532616437383432303437
-39376535656266383465373837643634383937656431323265386163373138336164383666383962
-64623762613332363731323739666238613634646237396331666463363663313461313966356233
-30653362353061333739303234336461373337346632646433623462623765353330
+30626565616334613665623138613533653739333038643530636633393264393334373563326631
+3838333663306537326534333666316539383038363236650a613163643433653466666639666366
+33653861613638653862393338386334643332633762666136613932343834333162303363373030
+6161323863316134340a646532386537313164643039353435633535363061616363363337663365
+39343461356631383062353837383034653430373663323966373632323063636132613137643662
+37373065313764626539396463376637353136613365366566363436356537343932376565633962
+62316631663634316530623736613961623635303763633964386433333531626437303136363537
+35393134643935316330396161303134626537643162393062636363376435636162393136373034
+39636231626635643530313634333464653564353861656666633035623932336234303735386366
+62303133326237613763336435323338623036663137333439613462333434303734303737363936
+65333762376233396332633434353832373136383137336665623534356538636166303835376334
+64346139656432633230386666653531333864333664393936366630346334323963343431346164
+64376165666230386464303036303861653437646463633764343064376464396135

docker/envs/vrnp/.env

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+36643163613366383136326339346231373533373361633834663332343932356665303434333564
+3936636366396233326664636137363134643066303432380a363662646465656130303431386530
+37316138366239313038336664313661333632393333666539363565623032653431623935613631
+3635323330363663610a353263663736653561666261636138336438666261613739346664393233
+32323364346665633662663266626436343831386565663761393237346637376438613865363663
+36613035376638653937633866613935343834633431393830303438363265656337343565323063
+36303033323537666236633037656236656133396431326362303462353237326162626335363761
+36636362306232333630613464393135383539666632343038393333353462336238663130326166
+3061

docker/envs/yore/.env

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+36313063633538313631386664353535373166306563613830316430613035306438326564396331
+6336306566306166616266643630343262616465306631350a393932613665346164613361333037
+39386135396364666630623962653462623234386430383034353731353361663837343036393130
+3261633964626135610a626364363761373734333762373764366363643537316662643634616263
+32383730663230303064626130393164616237636362656331313333316439323135366535303334
+3436323333383739666261656531363335326532616562353166

docker/envs/zomboid/.env

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+35336632386231333233333633656163356564316637366438383532626437303364633733353436
+3836376461393761653637666532643264613864633935620a326365386634393935333433306564
+62346235346262313339633739353232663562623562616136623838386233633136383764666536
+6239663264643333370a393762636231343034643133613163626239353735363037646638633933
+62376165306438653537343564376536396537666534633330666163346533313434616561306434
+63313035643732303863663430303936346264626637623936343763303738623865356536306365
+32623164323738663065613332656465643536633933643731366139626165636230343966383839
+64343961316139313931313966356430343438376461366537356337363835623637306539646265
+32376562363061643630663937663064393664663766613365363439653030393239

flake.lock

@@ -5,11 +5,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1685518550,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1686259070,
-        "narHash": "sha256-bJ2TqJHMdU27o3+AlYzsDooUzneFHwvK5LaRv5JYit4=",
+        "lastModified": 1759779330,
+        "narHash": "sha256-xZOU0j9Ix5IkOEDKM91ownNNmOcfDhAbhSCtG6FiPl4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8a7d5c039cacc83bd1926aaabc04d541e04a1460",
+        "rev": "41da8f041b93896fa4758c7291a65bc96d1ed6cc",
         "type": "github"
       },
       "original": {