44 changed files with 370 additions and 436 deletions
--- a/.gitea/workflows/check.yaml
+++ b/.gitea/workflows/check.yaml
@ -1,16 +1,15 @@
 name: Check
-"on": [push]
+on: [push]
 jobs:
  "Lint Ansible Files":
-    runs-on: node-22-bookworm
+    runs-on: ubuntu-22.04
    steps:
      - run: apt-get update
      - run: apt-get upgrade -y
      - run: apt-get install -y python3 python3-pip python3-venv
      - run: python3 --version
      - name: Check out repo
        uses: actions/checkout@v3
      - run: python3 -m venv venv
-      - run: venv/bin/pip --disable-pip-version-check install ansible==12.0.0 ansible-lint==25.8.2
+      - run: venv/bin/pip --disable-pip-version-check install ansible==7.2.0 ansible-lint==6.16.1 > /dev/null 2> /dev/null
      - run: venv/bin/ansible-lint -c .ansible-lint ansible
  # TODO: Reimplement ansible-play --check step from old drone config
--- a/README.md
+++ b/README.md
@ -4,8 +4,8 @@
 | Prop | Value |
 | --- | --- |
-| Hostname | `nanna` |
+| Hostname | `shamash` |
-| Domains  | `{,pad.,codi.,git.,plantuml.}pbrinkmeier.de`, `tichy.click`, `{utoy,vrnp}.beany.club` |
+| Domains  | `{,pad.,codi.,ci.,git.,jupyter.,plantuml.}pbrinkmeier.de`, `tichy.click`, `beany.club`, `vmd98928.contaboserver.net` |
 ## Linting
@ -17,10 +17,3 @@ ansible-lint --offline
 ```
 to avoid checking for a new version every single run.
 ## TODO
 - [x] Migrate to `community.docker.docker_compose_v2` (`v1` is deprecated)
 - [x] Nix Gitea Action runner
 - [x] Install but disable zomboid server
 - [x] Download volume for yore
--- a/ansible/README.md
+++ b/ansible/README.md
@ -12,11 +12,11 @@ nix develop
 ## `misc.yaml`
 Server for miscellaneous stuff, e.g. the website.
-Expects to have a user `paul who can `sudo`.
+Expects to have a user `andi` who can `sudo`.
 Sets up:
 - Some basic packages
- Docker and `docker-compose`
+- Docker and `docker-compose` (the latter via `pip`)
 - Nix multi-user installation
 ## `misc-docker.yaml`
--- a/ansible/group_vars/gods/vars.yaml
+++ b/ansible/group_vars/gods/vars.yaml
@ -1,18 +0,0 @@
 ---
 ansible_python_interpreter: /usr/bin/python3
 gods_users:
  - name: postgres
    uid: 70
    state: present
  - name: hackmd
    uid: 1500
    state: present
  - name: gitea
    uid: 42001
    state: present
  - name: caddy
    uid: 42002
    state: present
  - name: yore
    uid: 42004
    state: present
--- a/ansible/group_vars/misc/vars.yaml
+++ b/ansible/group_vars/misc/vars.yaml
@ -0,0 +1,4 @@
 ---
 # Has pw-less sudo
 ansible_user: paul
 ansible_python_interpreter: /usr/bin/python3
--- a/ansible/host_vars/nanna/vars.yaml
+++ b/ansible/host_vars/nanna/vars.yaml
@ -1,10 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 62643463383563343863376537643438356663636666356636346465613165363231653664323164
 3137343761613064616566656133346339613462333330360a626431653366643162316435373066
 65323863373361363765623563653863366338616564623532363233646466316539376666356564
 3034393930376630350a396632393262316238663162346533343464386135666364383663313539
 63393536353334666432393639616130636232343630626235663337393438336430666637663133
 65316161646161376333376330353063363966383936396566323633366435663835346564356137
 65633262623133373865643230303236663532623863386264326662393364396636306537653264
 62326264393039343733643138313639333635366532383137613131656163356534303738336338
 6339
--- a/ansible/inventory
+++ b/ansible/inventory
@ -1,2 +1,2 @@
-[gods]
+[misc]
-nanna
+vmd98928.contaboserver.net ansible_port=2309
--- a/ansible/playbooks/misc-all.yaml
+++ b/ansible/playbooks/misc-all.yaml
@ -0,0 +1,8 @@
 # All tasks for misc, use this to check whether everything is deployed.
 ---
 - name: Set up basic packages, Docker, Nix, sshd
  import_playbook: misc-setup.yaml
 - name: Deploy Docker configuration
  import_playbook: misc-docker.yaml
 - name: Check out static websites from git
  import_playbook: misc-sites.yaml
--- a/ansible/playbooks/nanna-docker.yaml
+++ b/ansible/playbooks/nanna-docker.yaml
@ -1,25 +1,39 @@
 ---
- name: Update Docker configuration
+- name: Update Docker configuration on shamash
-  hosts: gods
+  hosts: misc
  tasks:
    - name: Add groups
      become: true
      ansible.builtin.group:
        name: "{{ item.name }}"
        gid: "{{ item.uid }}"
        state: "{{ item.state }}"
        system: true
      loop: "{{ gods_users }}"
    - name: Add users for running containers
      become: true
      ansible.builtin.user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        group: "{{ item.name }}"
        state: "{{ item.state }}"
        create_home: false
        system: true
-      loop: "{{ gods_users }}"
+      loop:
        - name: jupyter
          uid: 42000
          state: present
        - name: gitea
          uid: 42001
          state: present
        - name: score
          uid: 42003
          state: present
        - name: factorio
          uid: 845
          state: present
        - name: hackmd
          uid: 1500
          state: present
        - name: hedgedoc
          uid: 10000
          state: absent
        - name: bsa
          uid: 42002
          state: absent
    # All services that are behind Caddy need to be in this network
    - name: Create Caddy network
      become: true
      community.docker.docker_network:
@ -34,13 +48,6 @@
        mode: u=rw,g=,o=
        # Directories should be listable
        directory_mode: u=rwx,g=rx,o=rx
    - name: Create directory for docker volumes
      become: true
      ansible.builtin.file:
        path: /var/lib/pbri/docker
        state: directory
        # Hide contents from non-root users
        mode: u=rwx,g=,o=
    - name: Upload and decrypt docker environment vars
      become: true
      ansible.builtin.copy:
@ -51,22 +58,24 @@
        # This is true by default but I put it here anyways
        # to emphasize what's happening
        decrypt: true
      # Not quite happy with all the seperate loops yet.
      loop:
        - name: gitea
          state: present
        - name: codi
          state: present
-        - name: vrnp
+        - name: drone
          state: present
        - name: zomboid
          state: present
        - name: yore
          state: present
        - name: factorio
          state: present
-    # This needs to be done for any services where user:
+        - name: gitea
-    # is set in docker-compose.yaml.
+          state: present
-    - name: Create volume directories with correct permissions
+    - name: Create directory for docker volumes
      become: true
      ansible.builtin.file:
        path: /var/lib/pbri/docker
        state: directory
        # Hide contents from non-root users
        mode: u=rwx,g=,o=
    - name: Create jupyter folders
      become: true
      ansible.builtin.file:
        path: "/var/lib/pbri/docker/{{ item.name }}"
@ -75,30 +84,36 @@
        state: directory
        mode: u=rwx,g=,o=
      loop:
-        - name: caddy_config
+        - name: jupyter_data
-          user: caddy
+          user: jupyter
-        - name: caddy_data
+        - name: jupyter_notebooks
-          user: caddy
+          user: jupyter
-        - name: codi_uploads
+    - name: Create Factorio data folder
-          user: hackmd
+      become: true
-        - name: nix_runner_etc
+      ansible.builtin.file:
-          user: 1000
+        path: /var/lib/pbri/docker/factorio
-        - name: nix_runner_nix
+        state: directory
-          user: 1000
+        owner: factorio
-        - name: nix_runner_home_node
+        group: factorio
-          user: 1000
+        mode: u=rwx,g=,o=
-        - name: yore_data
+    - name: Create score data folder
-          user: yore
+      become: true
      ansible.builtin.file:
        path: /var/lib/pbri/docker/score
        state: directory
        owner: score
        group: score
        mode: u=rwx,g=,o=
    # Since some docker-compose configuration might want to pull
    # images from the Gitea package repository, we need to ensure
    # that Gitea is reachable before those configurations are deployed.
    - name: Set up caddy and gitea containers
      become: true
-      community.docker.docker_compose_v2:
+      community.docker.docker_compose:
        project_src: "/etc/pbri/docker/{{ item.name }}"
        state: "{{ item.state }}"
-        build: "always"
+        build: true
-        pull: "always"
+        debug: true
      loop:
        - name: caddy
          state: present
@ -114,24 +129,27 @@
      register: gitea_version_response
      until: gitea_version_response.status == 200
      retries: 10
-      delay: 3  # Retry every 3 seconds
+      delay: 5  # Retry every 5 seconds
    - name: Set up other containers
      become: true
-      community.docker.docker_compose_v2:
+      community.docker.docker_compose:
        project_src: "/etc/pbri/docker/{{ item.name }}"
        state: "{{ item.state }}"
-        build: "always"
+        build: true
-        pull: "always"
+        debug: true
      loop:
        - name: drone
          state: present
        - name: codi
          state: present
        - name: jupyter
          state: present
        - name: utoy
          state: present
-        - name: vrnp
+        - name: score
          state: present
        - name: yore
          state: present
        - name: factorio
-          state: present
+          state: absent
-        - name: zomboid
+        - name: glebby
          state: absent
--- a/ansible/playbooks/misc-setup.yaml
+++ b/ansible/playbooks/misc-setup.yaml
@ -0,0 +1,74 @@
 ---
 - name: Basic setup for shamash (packages, Docker, Nix, sshd)
  hosts: misc
  tasks:
    - name: Create /etc/pbri
      become: true
      ansible.builtin.file:
        path: /etc/pbri
        state: directory
        mode: u=rwx,g=rx,o=rx
    - name: Create /home/paul/{Sites,Source}
      become: true
      ansible.builtin.file:
        path: "/home/paul/{{ item }}"
        state: directory
        owner: paul
        group: paul
        mode: u=rwx,g=rx,o=rx
      loop:
        - Sites
        - Source
    - name: Install basic packages
      become: true
      ansible.builtin.apt:
        name:
          - vim
          - git
          - htop
          - tmux
        update_cache: true
      tags:
        - apt
    - name: Install and set up Docker and docker-compose
      ansible.builtin.include_role:
        name: docker
    - name: Install and set up Nix
      ansible.builtin.include_role:
        name: install_nix
    - name: Install pip prerequisites
      become: true
      ansible.builtin.apt:
        name:
          - python3-pip
          - python3-setuptools
          - python3-virtualenv
    - name: Install global python docker package
      become: true
      ansible.builtin.pip:
        name:
          - docker
          - docker-compose
          - requests
    - name: Configure sshd
      become: true
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00_pbri.conf
        mode: u=rw,g=r,o=r
        # Included by /etc/ssh/sshd_config before other configuration
        content: |
          Port 2309
          PermitRootLogin no
          PubkeyAuthentication yes
          AuthorizedKeysFile .ssh/authorized_keys
          PasswordAuthentication no
        validate: /usr/sbin/sshd -T -f %s
      notify:
        - Restart sshd
  handlers:
    - name: Restart sshd
      become: true
      ansible.builtin.service:
        name: sshd
        state: restarted
--- a/ansible/playbooks/misc-sites.yaml
+++ b/ansible/playbooks/misc-sites.yaml
@ -0,0 +1,18 @@
 ---
 - name: Check out static sites hosted on shamash
  hosts: misc
  tasks:
    - name: Check out static sites
      ansible.builtin.include_role:
        name: checkout_static_sites
      vars:
        checkout_static_sites:
          checkouts:
            - path: /home/paul/Sites/pbrinkmeier.de
              url: https://git.pbrinkmeier.de/paul/pbrinkmeier.de
              commit: 680ac7d9c44752f57436d0ecb9c8018205a5fc0f
              owner: paul
            - path: /home/paul/Sites/tichy.click
              url: https://github.com/pbrinkmeier/tichy-clicker
              commit: 7dfb14183c765e3661fda84a7e89c2f73ca86f26
              owner: paul
--- a/ansible/playbooks/nanna-setup.yaml
+++ b/ansible/playbooks/nanna-setup.yaml
@ -1,76 +0,0 @@
 ---
 - name: Basic setup for nanna
  hosts: nanna
  tasks:
    - name: Configure sshd
      become: true
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00_pbri.conf
        mode: u=rw,g=r,o=r
        # Included by /etc/ssh/sshd_config before other configuration
        content: |
          Port 2309
          PermitRootLogin no
          PubkeyAuthentication yes
          AuthorizedKeysFile .ssh/authorized_keys
          PasswordAuthentication no
        validate: /usr/sbin/sshd -T -f %s
      notify:
        - Restart sshd
    - name: Install and set up Docker and docker-compose
      ansible.builtin.include_role:
        name: docker
    - name: Add Davids group
      become: true
      ansible.builtin.group:
        name: "david"
        state: "present"
    - name: Add David
      become: true
      ansible.builtin.user:
        name: "david"
        group: "david"
        state: "present"
        shell: "/bin/bash"
        # Disable password auth
        password: "!"
    - name: Create David SSH directory
      become: true
      ansible.builtin.file:
        path: /home/david/.ssh
        owner: david
        group: david
        state: directory
        mode: "0700"
    - name: Set David SSH key
      become: true
      ansible.builtin.lineinfile:
        path: /home/david/.ssh/authorized_keys
        line: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICttSQcZsKvw5qKCDGt\
 nxEdyH1aEGOGGRqDCp3U/SG46 davidtanner@coolerLaptop2.fritz.box"
        owner: david
        group: david
        create: true
        state: present
        mode: "0600"
    - name: Add work SSH key
      become: true
      ansible.builtin.lineinfile:
        path: /home/paul/.ssh/authorized_keys
        line: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeHrSd8NJ9dAoQEJez\
 FbxfbWlo/HQNoA8vaaBZj58Cp paul@MacBook-Pro.meqo"
        owner: paul
        group: paul
        create: true
        state: present
        mode: "0600"
    - name: Install Nix
      ansible.builtin.include_role:
        name: install_nix
  handlers:
    - name: Restart sshd
      become: true
      ansible.builtin.service:
        name: ssh
        state: restarted
--- a/ansible/playbooks/nanna-sites.yaml
+++ b/ansible/playbooks/nanna-sites.yaml
@ -1,50 +0,0 @@
 ---
 - name: Check out static sites hosted on nanna
  hosts: nanna
  tasks:
    - name: Check out static sites
      ansible.builtin.include_role:
        name: checkout_static_sites
      vars:
        checkout_static_sites_config:
          checkouts:
            - path: /home/paul/Sites/pbrinkmeier.de
              url: https://git.pbrinkmeier.de/paul/pbrinkmeier.de
              commit: a3ad633087d2778ccfcf0f154d4717e9f9451d9b
              owner: paul
            - path: /home/paul/Sites/tichy.click
              url: https://github.com/pbrinkmeier/tichy-clicker
              commit: 7dfb14183c765e3661fda84a7e89c2f73ca86f26
              owner: paul
    - name: Create David Sites directory
      become: true
      ansible.builtin.file:
        path: /home/david/Sites
        state: directory
        owner: david
        group: david
        mode: "0755"
    - name: Create dt.beany.club directory
      become: true
      ansible.builtin.file:
        path: /home/david/Sites/dt.beany.club
        state: directory
        owner: david
        group: david
        mode: "0775"
    - name: Create vorschlagzumklangvongeschichtsschreibendenprozessen.de directory
      become: true
      ansible.builtin.file:
        path: /home/david/Sites/vorschlagzumklangvongeschichtsschreibendenprozessen.de
        state: directory
        owner: david
        group: david
        mode: "0775"
    - name: Create beany.club directory
      become: true
      ansible.builtin.file:
        path: /home/paul/Sites/beany.club
        state: directory
        owner: paul
        group: paul
        mode: "0775"
--- a/ansible/roles/checkout_static_sites/tasks/main.yaml
+++ b/ansible/roles/checkout_static_sites/tasks/main.yaml
@ -7,7 +7,7 @@
    mode: '0755'
    owner: "{{ item.owner }}"
    group: "{{ item.owner }}"
-  loop: "{{ checkout_static_sites_config.checkouts }}"
+  loop: "{{ checkout_static_sites.checkouts }}"
 - name: Check out static site repositories
  become: true
  become_user: "{{ item.owner }}"
@ -15,5 +15,4 @@
    dest: "{{ item.path }}"
    repo: "{{ item.url }}"
    version: "{{ item.commit }}"
-    force: true
+  loop: "{{ checkout_static_sites.checkouts }}"
  loop: "{{ checkout_static_sites_config.checkouts }}"
--- a/ansible/roles/docker/defaults/main.yaml
+++ b/ansible/roles/docker/defaults/main.yaml
@ -1,3 +0,0 @@
 ---
 docker_apt_arch: "amd64"
 docker_ubuntu_release: "{{ ansible_distribution_release }}"
--- a/ansible/roles/docker/tasks/main.yaml
+++ b/ansible/roles/docker/tasks/main.yaml
@ -25,6 +25,12 @@
    stdin: "{{ docker_gpg_key.content }}"
    creates: /usr/share/keyrings/docker-archive-keyring.gpg
 - name: Retrieve dpkg architecture
  check_mode: false
  ansible.builtin.command: dpkg --print-architecture
  register: docker_dpkg_architecture
  changed_when: false
 - name: Add Docker apt repository
  become: true
  ansible.builtin.template:
@ -42,4 +48,3 @@
      - docker-ce
      - docker-ce-cli
      - containerd.io
      - docker-compose-plugin
--- a/ansible/roles/docker/templates/docker.list.j2
+++ b/ansible/roles/docker/templates/docker.list.j2
@ -1 +1 @@
-deb [arch={{ docker_apt_arch }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_release }} stable
+deb [arch={{ docker_dpkg_architecture.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
--- a/ansible/roles/install_nix/files/install-nix
+++ b/ansible/roles/install_nix/files/install-nix
@ -26,43 +26,38 @@ require_util() {
 case "$(uname -s).$(uname -m)" in
    Linux.x86_64)
-        hash=d1f67c86eed016214864ba08bfb9529c307aea7e8fafb74853f96fcc3bfd8a60
+        hash=0b32afd8c9147532bf8ce8908395b1b4d6dde9bedb0fcf5ace8b9fe0bd4c075c
-        path=n1j9ng0120ql98l5a8mi626ka8wvixq4/nix-2.31.2-x86_64-linux.tar.xz
+        path=0zij5bm5f2gm3p2c8dkkv58684j1k100/nix-2.8.0-x86_64-linux.tar.xz
        system=x86_64-linux
        ;;
    Linux.i?86)
-        hash=9e8a403421c68683557180444f089861469e12b41d41ee2f9be4c8e731b7d160
+        hash=3f4bb50f639515df069fb682bb68da77565e5ca8678a3b0fb7dcc79ef591f518
-        path=zjcwglfyf0fvjb4j86kgijzwhzaqbngc/nix-2.31.2-i686-linux.tar.xz
+        path=kjpj1rn6x5lh20fkyfyyzgmgjdra1jpy/nix-2.8.0-i686-linux.tar.xz
        system=i686-linux
        ;;
    Linux.aarch64)
-        hash=64db528412096d718b4bf8f78f85e5ac2b714b774e5005500dee37d23f560456
+        hash=d29ea31c581e1ba7a651e6b22999cef8923e852e1d6fe7008d9545f4275f5343
-        path=0aw1ka8njh94nvjy8596va5bbx4wd2nw/nix-2.31.2-aarch64-linux.tar.xz
+        path=npadny2da5149lcycbfmacf1r936n9zg/nix-2.8.0-aarch64-linux.tar.xz
        system=aarch64-linux
        ;;
-    Linux.armv6l)
+    Linux.armv6l_linux)
-        hash=5e088d3f4fe27dd35991b1888c1ea5284edade24965328604968b9a1cc20a94c
+        hash=69d5cb0e95bc83154099debd139d4f767622d94b17149fa127d492017c2e3896
-        path=2pzkwf2ysf0znsnz5i9gfn6w2gikhlys/nix-2.31.2-armv6l-linux.tar.xz
+        path=jb1l7y40im5dsbq5gamppss59y0c7jmj/nix-2.8.0-armv6l-linux.tar.xz
        system=armv6l-linux
        ;;
-    Linux.armv7l)
+    Linux.armv7l_linux)
-        hash=4e2c1e8a3172ae71f041b9b647aa8153fb24518272d1a9bc3d9b384ab7ad54a1
+        hash=25857729f23dc25fe92dabd376917d83fe0f23038f82c1f2ab230171eb70f648
-        path=nkp9wbvnsxinr9xl7sn0yy96wvc4chn0/nix-2.31.2-armv7l-linux.tar.xz
+        path=firp24ikxcygwrwd4208lyla4b6jl3sh/nix-2.8.0-armv7l-linux.tar.xz
        system=armv7l-linux
        ;;
    Linux.riscv64)
        hash=79601e08b6389df130b5bf1e0a48590aea044ac18bc61660545cf65843b39251
        path=dhqxgwygm94vd6rdiwscxxz98kh8jal3/nix-2.31.2-riscv64-linux.tar.xz
        system=riscv64-linux
        ;;
    Darwin.x86_64)
-        hash=ed8df6a1046dea90ba4068a827bdeaf372d522867c4d2b48cdb37145c200eeba
+        hash=ebf383f1b499d3e4897cd61d068dc46e118e5f53667f5f28748b0b3682d7649a
-        path=5zp5bzz45sn9ff2bfhh03cmavvm1r6gs/nix-2.31.2-x86_64-darwin.tar.xz
+        path=wwf7b61nyhgj3z0vvgnnb4yzi081jkjp/nix-2.8.0-x86_64-darwin.tar.xz
        system=x86_64-darwin
        ;;
    Darwin.arm64|Darwin.aarch64)
-        hash=3baa0af88a1ef4e2cc82cb64cd384b1805ecc3771b574e97277ae213d52711d8
+        hash=f320f381299e0fc2f907ae81ac123d0689245cb39f0672f8a65dffea12fa0240
-        path=b7hidzsb4i3gx6s23ig9mp7mwmiljzfk/nix-2.31.2-aarch64-darwin.tar.xz
+        path=fr5rcinvqzgcrggxw3phrzcck9wpzz83/nix-2.8.0-aarch64-darwin.tar.xz
        system=aarch64-darwin
        ;;
    *) oops "sorry, there is no binary distribution of Nix for your platform";;
@ -76,10 +71,10 @@ if [ "${1:-}" = "--tarball-url-prefix" ]; then
    url=${2}/${path}
    shift 2
 else
-    url=https://releases.nixos.org/nix/nix-2.31.2/nix-2.31.2-$system.tar.xz
+    url=https://releases.nixos.org/nix/nix-2.8.0/nix-2.8.0-$system.tar.xz
 fi
-tarball=$tmpDir/nix-2.31.2-$system.tar.xz
+tarball=$tmpDir/nix-2.8.0-$system.tar.xz
 require_util tar "unpack the binary tarball"
 if [ "$(uname -s)" != "Darwin" ]; then
@ -94,7 +89,7 @@ else
    oops "you don't have wget or curl installed, which I need to download the binary tarball"
 fi
-echo "downloading Nix 2.31.2 binary tarball for $system from '$url' to '$tmpDir'..."
+echo "downloading Nix 2.8.0 binary tarball for $system from '$url' to '$tmpDir'..."
 fetch "$url" "$tarball" || oops "failed to download '$url'"
 if command -v sha256sum > /dev/null 2>&1; then
--- a/docker/docker/caddy/Caddyfile
+++ b/docker/docker/caddy/Caddyfile
@ -8,29 +8,6 @@ pbrinkmeier.de {
    }
 }
 files.pbrinkmeier.de {
    basicauth {
        wug JDJhJDE0JEJrQXUzVWxFZ2JGVmx6YlZWTkpYdy5IMjRXdnZZdGw5SjZDcUg2ZWMxOEVjcEV6dWhIRmhD
    }
    file_server {
        root /srv/files.pbrinkmeier.de
    }
 }
 dt.beany.club {
    file_server {
        root /srv/dt.beany.club
        browse
    }
 }
 vorschlagzumklangvongeschichtsschreibendenprozessen.de {
    file_server {
        root /srv/vorschlagzumklangvongeschichtsschreibendenprozessen.de
        browse
    }
 }
 tichy.click {
    file_server {
        root /srv/tichy.click
@ -49,6 +26,17 @@ git.pbrinkmeier.de {
    reverse_proxy gitea:3000
 }
 ci.pbrinkmeier.de {
    reverse_proxy drone:80
 }
 jupyter.pbrinkmeier.de {
    reverse_proxy jupyter:8888
    basicauth {
        wug JDJhJDE0JEJrQXUzVWxFZ2JGVmx6YlZWTkpYdy5IMjRXdnZZdGw5SjZDcUg2ZWMxOEVjcEV6dWhIRmhD
    }
 }
 plantuml.pbrinkmeier.de {
    reverse_proxy codi_plantuml:8080
 }
@ -57,19 +45,6 @@ utoy.beany.club {
    reverse_proxy utoy:3000
 }
-vrnp.beany.club {
+score.brocke.net {
-    reverse_proxy vrnp:8000
+    reverse_proxy score:8080
 }
 fz.beany.club {
    reverse_proxy yore:3000
 }
 beany.club, www.beany.club {
    file_server {
        root /srv/beany.club
    }
    header /hotel {
        Content-Type application/pdf
    }
 }
--- a/docker/docker/caddy/Dockerfile
+++ b/docker/docker/caddy/Dockerfile
@ -1,4 +1,3 @@
 FROM caddy
-COPY Caddyfile /etc/caddy/Caddyfile
+COPY Caddyfile /etc/caddy/Caddyfile
 RUN chown 42002:42002 /etc/caddy/Caddyfile
--- a/docker/docker/caddy/docker-compose.yaml
+++ b/docker/docker/caddy/docker-compose.yaml
@ -1,3 +1,5 @@
 version: "3"
 services:
  # Webserver for static files and reverse proxy
  web:
@ -6,17 +8,10 @@ services:
    ports:
      - "80:80"
      - "443:443"
    user: "42002"
    volumes:
      - /var/lib/pbri/docker/caddy_data:/data
      - /var/lib/pbri/docker/caddy_config:/config
-      # See nanna-sites playbook/Caddyfile
+      - /home/paul/Sites:/srv:ro
      - /home/david/Sites/dt.beany.club:/srv/dt.beany.club:ro
      - /home/david/Sites/vorschlagzumklangvongeschichtsschreibendenprozessen.de:/srv/vorschlagzumklangvongeschichtsschreibendenprozessen.de:ro
      - /home/paul/Sites/files.pbrinkmeier.de:/srv/files.pbrinkmeier.de:ro
      - /home/paul/Sites/pbrinkmeier.de:/srv/pbrinkmeier.de:ro
      - /home/paul/Sites/tichy.click:/srv/tichy.click:ro
      - /home/paul/Sites/beany.club:/srv/beany.club:ro
    restart: always
 networks:
--- a/docker/docker/codi/docker-compose.yaml
+++ b/docker/docker/codi/docker-compose.yaml
@ -1,6 +1,8 @@
 version: "3"
 services:
  codi:
-    image: hackmdio/hackmd:2.5.4
+    image: hackmdio/hackmd:2.4.2
    user: hackmd
    environment:
      # Admin stuff
@ -36,7 +38,7 @@ services:
    volumes:
      - /var/lib/pbri/docker/codi_uploads:/home/hackmd/app/public/uploads
    restart: always
-
+    
  codi_db:
    image: postgres:11.6-alpine
    environment:
--- a/docker/docker/drone/README.md
+++ b/docker/docker/drone/README.md
@ -0,0 +1,9 @@
 Add a `.env` file like this:
 ```
 DRONE_GITEA_CLIENT_ID=...
 DRONE_GITEA_CLIENT_SECRET=...
 DRONE_RPC_SECRET=...
 ```
 See also: https://docs.drone.io/server/provider/gitea/.
--- a/docker/docker/drone/docker-compose.yaml
+++ b/docker/docker/drone/docker-compose.yaml
@ -0,0 +1,32 @@
 version: "3"
 services:
  drone:
    image: drone/drone:2
    environment:
      DRONE_GITEA_SERVER: https://git.pbrinkmeier.de
      DRONE_GITEA_CLIENT_ID: "${DRONE_GITEA_CLIENT_ID}"
      DRONE_GITEA_CLIENT_SECRET: "${DRONE_GITEA_CLIENT_SECRET}"
      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
      DRONE_SERVER_HOST: ci.pbrinkmeier.de
      DRONE_SERVER_PROTO: https
    volumes:
      - /var/lib/pbri/docker/drone:/data
    restart: unless-stopped
  drone_runner:
    image: drone/drone-runner-docker:1
    environment:
      DRONE_RPC_PROTO: https
      DRONE_RPC_HOST: ci.pbrinkmeier.de
      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
      DRONE_RUNNER_CAPACITY: 1
      DRONE_RUNNER_NAME: shamash
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
 networks:
  default:
    name: caddy-network
    external: true
--- a/docker/docker/factorio/Dockerfile
+++ b/docker/docker/factorio/Dockerfile
@ -1,4 +1,4 @@
-FROM factoriotools/factorio:2.0.73
+FROM factoriotools/factorio:1.1.87
 COPY server-settings.json /server-settings.json
 ENTRYPOINT [ "/bin/sh", "-c", "mkdir -p /factorio/config && envsubst < /server-settings.json > /factorio/config/server-settings.json && exec /docker-entrypoint.sh" ]
--- a/docker/docker/factorio/docker-compose.yaml
+++ b/docker/docker/factorio/docker-compose.yaml
@ -1,13 +1,12 @@
---
+version: "3"
 services:
-  factorio:
+  gitea:
    image: pbrinkmeier/factorio
    build: .
    restart: always
    environment:
      GAME_PASSWORD: "${GAME_PASSWORD}"
      DLC_SPACE_AGE: false
    volumes:
      - /var/lib/pbri/docker/factorio:/factorio
    ports:
--- a/docker/docker/factorio/server-settings.json
+++ b/docker/docker/factorio/server-settings.json
@ -21,7 +21,7 @@
    "_comment_token": "Authentication token. May be used instead of 'password' above.",
    "token": "",
-    "game_password": "${GAME_PASSWORD}",
+    "game_password": "",
    "_comment_require_user_verification": "When set to true, the server will only allow clients that have a valid Factorio.com account",
    "require_user_verification": false,
--- a/docker/docker/gitea/Dockerfile
+++ b/docker/docker/gitea/Dockerfile
@ -1,3 +1,3 @@
- FROM gitea/act_runner:0.2.11
+ FROM gitea/act_runner:0.2.5
 COPY runner-config.yaml /opt/runner-config.yaml
--- a/docker/docker/gitea/docker-compose.yaml
+++ b/docker/docker/gitea/docker-compose.yaml
@ -1,6 +1,8 @@
 version: "3"
 services:
  gitea:
-    image: gitea/gitea:1.23.1
+    image: gitea/gitea:1.20.3
    restart: unless-stopped
    environment:
      # Ref: https://docs.gitea.io/en-us/config-cheat-sheet
@ -64,8 +66,7 @@ services:
      - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data
  gitea_runner:
-    # Make sure to keep this in sync with the version in the Dockerfile
+    image: pbrinkmeier/act_runner:0.2.5
    image: pbrinkmeier/act_runner:0.2.11
    build: .
    restart: unless-stopped
    environment:
--- a/docker/docker/gitea/runner-config.yaml
+++ b/docker/docker/gitea/runner-config.yaml
@ -32,8 +32,6 @@ runner:
  # ubuntu:22.04 here is not enough.
  labels:
    - "ubuntu-22.04:docker://node:16-bullseye"
    - "node-22-bullseye:docker://node:22-bullseye"
    - "node-22-bookworm:docker://node:22-bookworm"
 cache:
  # Enable cache server to use actions/cache.
@ -74,10 +72,7 @@ container:
  # If you want to allow any volume, please use the following configuration:
  # valid_volumes:
  #   - '**'
-  valid_volumes:
+  valid_volumes: []
    - /var/lib/pbri/docker/nix_runner_etc
    - /var/lib/pbri/docker/nix_runner_nix
    - /var/lib/pbri/docker/nix_runner_home_node
  # overrides the docker client host with the specified one.
  # If it's empty, act_runner will find an available docker host automatically.
  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
--- a/docker/docker/glebby/docker-compose.yaml
+++ b/docker/docker/glebby/docker-compose.yaml
@ -0,0 +1,11 @@
 version: "3"
 services:
  glebby:
    image: git.pbrinkmeier.de/paul/glebby:1.1-prod
    restart: always
 networks:
  default:
    name: caddy-network
    external: true
--- a/docker/docker/jupyter/docker-compose.yaml
+++ b/docker/docker/jupyter/docker-compose.yaml
@ -0,0 +1,15 @@
 version: "3"
 services:
  jupyter:
    image: git.pbrinkmeier.de/paul/jup:1.5
    user: "42000"
    volumes:
      - /var/lib/pbri/docker/jupyter_data:/data
      - /var/lib/pbri/docker/jupyter_notebooks:/notebooks
    restart: always
 networks:
  default:
    name: caddy-network
    external: true
--- a/docker/docker/score/docker-compose.yaml
+++ b/docker/docker/score/docker-compose.yaml
@ -0,0 +1,16 @@
 version: "3"
 services:
  score:
    image: ghcr.io/lbrocke/score:v1.0.2
    user: "42003:42003"
    environment:
      SCORE_LISTEN: 0.0.0.0:8080
    volumes:
      - /var/lib/pbri/docker/score:/data
    restart: unless-stopped
 networks:
  default:
    name: caddy-network
    external: true
--- a/docker/docker/utoy/docker-compose.yaml
+++ b/docker/docker/utoy/docker-compose.yaml
@ -1,6 +1,8 @@
 version: "3"
 services:
  utoy:
-    image: git.pbrinkmeier.de/paul/utoy:0.6.3
+    image: git.pbrinkmeier.de/paul/utoy:0.6
    restart: always
 networks:
--- a/docker/docker/vrnp/docker-compose.yaml
+++ b/docker/docker/vrnp/docker-compose.yaml
@ -1,12 +0,0 @@
 services:
  vrnp:
    image: git.pbrinkmeier.de/paul/vrnp:0.0.10
    restart: always
    environment:
      VRNP_PASSWORD: "${VRNP_PASSWORD}"
      VRNP_CLIENT_ALLOWLIST: "VAG"
 networks:
  default:
    name: caddy-network
    external: true
--- a/docker/docker/yore/docker-compose.yaml
+++ b/docker/docker/yore/docker-compose.yaml
@ -1,34 +0,0 @@
 services:
  yore:
    image: git.pbrinkmeier.de/paul/yore:0.0.9
    restart: always
    environment:
      # For dbmate (migrations)
      DATABASE_URL: "postgres://yore:${YORE_DB_PASSWORD}@yore_db/yore-db?sslmode=disable&search_path=public"
      # For yore itself
      YORE_DB: "host=yore_db dbname=yore-db user=yore password=${YORE_DB_PASSWORD}"
      YORE_DOWNLOAD_DIR: /data/downloads
      YORE_DBMATE_DIR: /data/dbmate
    user: 42004:42004
    volumes:
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/lib/pbri/docker/yore_data:/data
  yore_db:
    image: postgres:17-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: yore-db
      POSTGRES_USER: yore
      POSTGRES_PASSWORD: "${YORE_DB_PASSWORD}"
    volumes:
      - /var/lib/pbri/docker/yore_db:/var/lib/postgresql/data
 networks:
  default:
    name: caddy-network
    external: true
--- a/docker/docker/zomboid/docker-compose.yaml
+++ b/docker/docker/zomboid/docker-compose.yaml
@ -1,15 +0,0 @@
 services:
  zomboid:
    image: renegademaster/zomboid-dedicated-server:2.5.0
    restart: unless-stopped
    volumes:
      - /var/lib/pbri/docker/zomboid_dedicated_server:/home/steam/ZomboidDedicatedServer
      - /var/lib/pbri/docker/zomboid_config:/home/steam/Zomboid
    ports:
      - "16261:16261/udp"
      - "16262:16262/udp"
    environment:
      ADMIN_USERNAME: "the_gwiddy"
      ADMIN_PASSWORD: "${ZOMBOID_ADMIN_PASSWORD}"
      SERVER_NAME: "server3"
      SERVER_PASSWORD: "${ZOMBOID_SERVER_PASSWORD}"
--- a/docker/envs/drone/.env
+++ b/docker/envs/drone/.env
@ -0,0 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
 31333834393366333930346366373931333930646233383664643463393965303238613430646638
 6461373434616433353337643131396462326537346434380a386562633335346436303662336362
 62333739626237323334333666633162616338313932393261303231353539623237383638643030
 3364393934653232310a383065386530373433393635313665353532666361303436613337316565
 32306233336134383531633232393862303466373331373764376462653736663861663366323762
 65666263366461396362386264613830336435346234386234333562616131653938386439336566
 34386461343433346363336161373038303434383563303564653533623939613937323030636362
 66636639643963613236366138646335393831366432333637333065326162646237643561336666
 61323833333337633861646462393930663733333266336233663630396532366566303835653431
 38363365383166393765343735363030363562313837643837313864373735643264663264643633
 66306261633666616363666562306632613032373231633730313638383033633761653661383738
 39623630643766663438656635653530626664313765633430646330356333306239653437373839
 3933
--- a/docker/envs/factorio/.env
+++ b/docker/envs/factorio/.env
@ -1,6 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
-33633161386465383663373137623030626264653862373161353564343662346433376437353530
+32356463313330336636636363646138393236636233326132623165353962623565356364396530
-6265356266663464613439663434373531333939326538330a313064343637366632633866343534
+3636336532396665333637653432353332643434643962390a313162343836306435383536313937
-38313234303830636364383361613538666338636333323262333438313134353134356635626239
+36656632356366303561366536373535383538303730386239386437323466346533353634306436
-6366336439353266660a633161383062666130396566396431383534313266343431633064376463
+3930633464353235360a653936333734353137313363316261366666353238366566613865366463
-38623562656564363565346166396363303636323062336636313838653638663833
+32393431343439383733343766323831643561663938376264336331306139646337343633346536
 3236343538323032636666366639303539316236393535323661
--- a/docker/envs/gitea/.env
+++ b/docker/envs/gitea/.env
@ -1,14 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-30626565616334613665623138613533653739333038643530636633393264393334373563326631
+35623364633833623964623536646534373634663736613561333561343136333965306638396532
-3838333663306537326534333666316539383038363236650a613163643433653466666639666366
+6162393239383936386338666565306132646230383066630a336337613636383431623738343663
-33653861613638653862393338386334643332633762666136613932343834333162303363373030
+61343262363631376665383035323139313863626331666439336134613035663439376231343863
-6161323863316134340a646532386537313164643039353435633535363061616363363337663365
+3032353139643138640a383365356630323835383538393734643134343133653033383663333464
-39343461356631383062353837383034653430373663323966373632323063636132613137643662
+62386361633435633664306531623835353665326432393932336163316561653866343137323030
-37373065313764626539396463376637353136613365366566363436356537343932376565633962
+63643262323436356166373533363235366238393633336631336266373837373932313134303563
-62316631663634316530623736613961623635303763633964386433333531626437303136363537
+65633337393938623134636538653561356565333831356638373862376333336163363438626438
-35393134643935316330396161303134626537643162393062636363376435636162393136373034
+39343436383732313561396236656530303064363961663636353538346264633532633866333162
-39636231626635643530313634333464653564353861656666633035623932336234303735386366
+35303032303662646166333537373566316462633536333463323433353539623363323036643763
-62303133326237613763336435323338623036663137333439613462333434303734303737363936
+34376365613932303133366236613235636238643139666663356436326532616437383432303437
-65333762376233396332633434353832373136383137336665623534356538636166303835376334
+39376535656266383465373837643634383937656431323265386163373138336164383666383962
-64346139656432633230386666653531333864333664393936366630346334323963343431346164
+64623762613332363731323739666238613634646237396331666463363663313461313966356233
-64376165666230386464303036303861653437646463633764343064376464396135
+30653362353061333739303234336461373337346632646433623462623765353330
--- a/docker/envs/vrnp/.env
+++ b/docker/envs/vrnp/.env
@ -1,10 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 36643163613366383136326339346231373533373361633834663332343932356665303434333564
 3936636366396233326664636137363134643066303432380a363662646465656130303431386530
 37316138366239313038336664313661333632393333666539363565623032653431623935613631
 3635323330363663610a353263663736653561666261636138336438666261613739346664393233
 32323364346665633662663266626436343831386565663761393237346637376438613865363663
 36613035376638653937633866613935343834633431393830303438363265656337343565323063
 36303033323537666236633037656236656133396431326362303462353237326162626335363761
 36636362306232333630613464393135383539666632343038393333353462336238663130326166
 3061
--- a/docker/envs/yore/.env
+++ b/docker/envs/yore/.env
@ -1,7 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 36313063633538313631386664353535373166306563613830316430613035306438326564396331
 6336306566306166616266643630343262616465306631350a393932613665346164613361333037
 39386135396364666630623962653462623234386430383034353731353361663837343036393130
 3261633964626135610a626364363761373734333762373764366363643537316662643634616263
 32383730663230303064626130393164616237636362656331313333316439323135366535303334
 3436323333383739666261656531363335326532616562353166
--- a/docker/envs/zomboid/.env
+++ b/docker/envs/zomboid/.env
@ -1,10 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 35336632386231333233333633656163356564316637366438383532626437303364633733353436
 3836376461393761653637666532643264613864633935620a326365386634393935333433306564
 62346235346262313339633739353232663562623562616136623838386233633136383764666536
 6239663264643333370a393762636231343034643133613163626239353735363037646638633933
 62376165306438653537343564376536396537666534633330666163346533313434616561306434
 63313035643732303863663430303936346264626637623936343763303738623865356536306365
 32623164323738663065613332656465643536633933643731366139626165636230343966383839
 64343961316139313931313966356430343438376461366537356337363835623637306539646265
 32376562363061643630663937663064393664663766613365363439653030393239
--- a/flake.lock
+++ b/flake.lock
@ -5,11 +5,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1685518550,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
        "type": "github"
      },
      "original": {
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1759779330,
+        "lastModified": 1686259070,
-        "narHash": "sha256-xZOU0j9Ix5IkOEDKM91ownNNmOcfDhAbhSCtG6FiPl4=",
+        "narHash": "sha256-bJ2TqJHMdU27o3+AlYzsDooUzneFHwvK5LaRv5JYit4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "41da8f041b93896fa4758c7291a65bc96d1ed6cc",
+        "rev": "8a7d5c039cacc83bd1926aaabc04d541e04a1460",
        "type": "github"
      },
      "original": {
`@ -1,2 +1,2 @@`
	`[gods]`	`[misc]`
	`nanna`	`vmd98928.contaboserver.net ansible_port=2309`
`@ -1 +1 @@`
	`deb [arch={{ docker_apt_arch }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_release }} stable`	`deb [arch={{ docker_dpkg_architecture.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable`
`@ -1,3 +1,3 @@`
	`FROM gitea/act_runner:0.2.11`	`FROM gitea/act_runner:0.2.5`

	`COPY runner-config.yaml /opt/runner-config.yaml`	`COPY runner-config.yaml /opt/runner-config.yaml`