remove old static site servers

ansible/auth.yaml

@@ -0,0 +1,8 @@
+---
+# file: auth.yaml
+- hosts: auth
+  roles:
+    - common
+    - ldap_client
+    - docker
+    - pocketid

ansible/dns.yaml

@@ -4,3 +4,4 @@
   roles:
     - common
     - unbound
+    - netbird_peer

ansible/dockhand.yaml

@@ -0,0 +1,8 @@
+---
+# file: dockhand.yaml
+- hosts: dockhand
+  roles:
+    - common
+    - ldap_client
+    - docker
+    - dockhand

ansible/gitea.yaml

@@ -3,7 +3,8 @@
 - hosts: gitea
   roles:
     - common
+    - lego
     - nginx
     - gitea
-    - olm
+    - netbird_peer
     - ldap_client

ansible/inventories/production/group_vars/all.yaml

@@ -1,3 +1,4 @@
 lego_version: "4.30.1"
 olm_version: "1.4.0"
 olm_checksum: "sha256:e35431991b00a6c62fa32c91497a011bde2af9358efc2cb7f49aae5606409f94"
+static_site: false

ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml

@@ -0,0 +1,3 @@
+pocket_id_encryption_key: "{{ lookup('bitwarden.secrets.lookup', '6a5549a9-0f64-4791-94d1-b43b00254c42') }}"
+pocket_id_version: 2.6.2
+pocket_id_sha256: "348c2cfb6457d31078327c203896c29509d0417982c78bfac185d07859dc5b86"

ansible/inventories/production/host_vars/git.jthan.io/vars.yaml

@@ -2,6 +2,9 @@ gitea_version: 1.25.3
 
 root_pw: "{{ lookup('bitwarden.secrets.lookup', '4c3d81e6-bb31-40f9-a37a-b3bd00484160') }}" 
 
+letsencrypt_email: "me@jthan.io"
+linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}"
+
 nginx_ssl_enabled: true
 
 olm_config_path: "/etc/olm"
@@ -11,3 +14,8 @@ olm_secret: "{{ lookup('bitwarden.secrets.lookup', 'a9499a7f-4b3e-4c1b-97a0-b3de
 olm_loglevel: "INFO"
 olm_override_dns: "false"
 olm_tunnel_dns: "true"
+
+netbird_version: "0.71.4"
+netbird_arch: "amd64"
+netbird_sha256: "a7c55f50cafb4034425135253f96a6028edfceb723d09e260bb16eaf4c5a82c3"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '4ba58bbe-e459-4978-894b-b43000561a2f') }}"

ansible/inventories/production/host_vars/jthan.io/vars.yaml

@@ -0,0 +1,6 @@
+nginx_ssl_enabled: true
+static_site: true
+
+letsencrypt_email: "me@jthan.io"
+linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}"
+

ansible/inventories/production/host_vars/netbird.jthan.io/vars.yaml

@@ -0,0 +1,6 @@
+root_pw: "{{ lookup('bitwarden.secrets.lookup', 'a3402c94-7082-4d70-8436-b42e002c8e18') }}"
+
+netbird_version: "0.71.4"
+netbird_arch: "amd64"
+netbird_sha256: "a7c55f50cafb4034425135253f96a6028edfceb723d09e260bb16eaf4c5a82c3"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '88be4f9e-2558-455f-a34a-b436003684af') }}"

ansible/inventories/production/host_vars/notes.jthan.io/vars.yaml

@@ -1,4 +1,5 @@
 nginx_ssl_enabled: true
+static_site: true
 
 letsencrypt_email: "me@jthan.io"
 linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}"

ansible/inventories/production/host_vars/pangolin.jthan.io/vars.yaml

@@ -1,4 +1,7 @@
 root_pw: "{{ lookup('bitwarden.secrets.lookup', '279ef4de-8dc7-4e55-a548-b3c400107332') }}"
+pangolin_version: "1.16.2"
+gerbil_version: "1.3.0"
+traefik_version: "3.6.8"
 pangolin_base_domain: "pangolin.jthan.io"
 pangolin_cert_email: "me@jthan.io"
 pangolin_secret_string: "{{ lookup('bitwarden.secrets.lookup', '30efc9d3-4f98-4b1b-b31b-b3c40010c343') }}"

ansible/inventories/production/host_vars/rpi0.home.jthan.io/vars.yaml

@@ -1,12 +1,23 @@
+netbird_version: "0.71.4"
+netbird_arch: "arm64"
+netbird_sha256: "95be7c307a4e9f83e1a67271390c5efd1e389210f851f26511f436f4393878af"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', 'ceda19a5-3efb-4bcf-ac84-b43000086ea4') }}"
+
 private_domains:
   - name: jthan.io
     records:
+      - type: A
+        name: "jthan.io"
+        value: "192.168.1.18"
       - type: A
         name: "notes.jthan.io"
-        value: "192.168.1.16"
+        value: "192.168.1.18"
+      - type: AAAA
+        name: "jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
       - type: AAAA
         name: "notes.jthan.io"
-        value: "2602:fb57:c20:b00:be24:11ff:fe8b:f6db"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
   - name: home.jthan.io
     records:
       - type: A
@@ -18,6 +29,9 @@ private_domains:
       - type: A
         name: "storage0.home.jthan.io"
         value: 192.168.1.3
+      - type: A
+        name: "auth.home.jthan.io"
+        value: 192.168.1.7
       - type: A
         name: "proxy0.home.jthan.io"
         value: 192.168.1.7
@@ -36,6 +50,27 @@ private_domains:
       - type: A
         name: "syncthing.home.jthan.io"
         value: 192.168.1.15
+      - type: A
+        name: "docker.home.jthan.io"
+        value: 192.168.1.18
+      - type: A
+        name: "papra.home.jthan.io"
+        value: 192.168.1.18
+      - type: A
+        name: "keep.home.jthan.io"
+        value: 192.168.1.18
+      - type: A
+        name: "whoami.home.jthan.io"
+        value: 192.168.1.18
+      - type: A
+        name: "traefik.home.jthan.io"
+        value: 192.168.1.18
+      - type: A
+        name: "music.home.jthan.io"
+        value: 192.168.1.18
+      - type: AAAA
+        name: "rpi0.home.jthan.io"
+        value: "2602:fb57:c20:b00:dea6:32ff:fe10:715a"
       - type: AAAA
         name: "storage0.home.jthan.io"
         value: "2602:fb57:c20:b00:7a55:36ff:fe02:92c9"
@@ -57,6 +92,27 @@ private_domains:
       - type: AAAA
         name: "syncthing.home.jthan.io"
         value: "2602:fb57:c20:b00:be24:11ff:fee9:9c4b"
+      - type: AAAA
+        name: "docker.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "whoami.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "traefik.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "music.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "papra.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "keep.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "auth.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fee6:8593"
       - type: CNAME
         name: "ha.home.jthan.io"
         value: "proxy0.home.jthan.io"

ansible/inventories/production/hosts.ini

@@ -4,9 +4,6 @@ git.jthan.io
 [dns]
 rpi0.home.jthan.io
 
-[pangolin]
-pangolin.jthan.io
-
 [authentik]
 authentik.home.jthan.io ansible_host=192.168.1.8
 
@@ -22,5 +19,15 @@ irc.home.jthan.io
 [syncthing]
 syncthing.home.jthan.io
 
-[notes]
-notes.jthan.io ansible_host=192.168.1.16
+#[webservers]
+#notes.jthan.io ansible_host=192.168.1.16
+#jthan.io ansible_host=192.168.1.17
+
+[netbird_server]
+netbird.jthan.io
+
+[dockhand]
+docker.home.jthan.io
+
+[auth]
+auth.home.jthan.io ansible_host=192.168.1.5

ansible/netbird_server.yaml

@@ -0,0 +1,9 @@
+---
+# file: netbird_server.yaml
+- hosts: netbird_server
+  roles:
+    - common
+    - docker
+    - netbird_peer # can be server and peer to access internal resources
+    - ldap_client # which allows us to talk to ldap, authentik, etc.
+

ansible/notes.yaml

@@ -1,8 +0,0 @@
----
-# file: notes.yaml
-- hosts: notes
-  roles:
-    - common
-    - ldap_client
-    - lego
-    - nginx

ansible/pangolin_server.yaml

@@ -1,6 +1,6 @@
 ---
 # file: pangolin.yaml
-- hosts: pangolin
+- hosts: pangolin_server
   roles:
     - common
-    - pangolin
+    - pangolin_server

ansible/roles/dockhand/tasks/main.yaml

@@ -0,0 +1,19 @@
+- name: Create dockhand directory
+  file:
+    path: /root/dockhand
+    state: directory
+    mode: '0755'
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /root/dockhand/docker-compose.yaml
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Create and start dockhand
+  community.docker.docker_compose_v2:
+    project_src: /root/dockhand
+    build: always
+  register: output

ansible/roles/dockhand/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,57 @@
+services:
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    container_name: socket-proxy
+    restart: unless-stopped
+    environment:
+      # Required for Dockhand core functionality
+      - CONTAINERS=1
+      - IMAGES=1
+      - NETWORKS=1
+      - VOLUMES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      # Required for dashboard host info and disk usage
+      - INFO=1
+      - SYSTEM=1
+      # Required for vulnerability scanning
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      # Optional: enable for terminal access
+      - EXEC=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - socket-proxy
+      - proxy
+
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    restart: unless-stopped
+    depends_on:
+      - socket-proxy
+    volumes:
+      - dockhand_data:/app/data
+    networks:
+      - socket-proxy
+      - proxy
+      - default
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
+      - "traefik.http.routers.dockhand.rule=Host(`docker.home.jthan.io`)" 
+      - "traefik.http.routers.dockhand.entrypoints=websecure"
+      - "traefik.http.routers.dockhand.tls.certresolver=myresolver"
+        #- "traefik.http.services.dockhand.loadbalancer.server.port=3000"
+
+networks:
+  socket-proxy:
+    internal: true
+  proxy:
+    external: true
+
+volumes:
+  dockhand_data:

ansible/roles/lego/tasks/generate_cert.yaml

@@ -1,3 +1,8 @@
+- name: Check if SSL cert already exists for domain
+  stat:
+    path: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
+  register: existing_cert_check
+
 - name: Generate initial cert (http)
   command:
     cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --http run
@@ -15,3 +20,13 @@
     LINODE_PROPAGATION_TIMEOUT: 600
     LINODE_TOKEN: "{{ linode_dns_token }}"
   when: lego_method == 'dns'
+
+- name: Renew cert (dns)
+  command:
+    cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --dns linode --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --dns.resolvers 8.8.8.8 renew
+    chdir: /root
+  environment:
+    LINODE_POLLING_INTERVAL: 120
+    LINODE_PROPAGATION_TIMEOUT: 600
+    LINODE_TOKEN: "{{ linode_dns_token }}"
+  when: lego_method == 'dns' and existing_cert_check.stat.exists

ansible/roles/netbird_peer/handlers/main.yaml

@@ -0,0 +1,9 @@
+- name: restart netbird
+  service:
+    name: netbird
+    state: restarted
+
+- name: restart firewalld
+  service:
+    name: firewalld
+    state: restarted

ansible/roles/netbird_peer/tasks/main.yaml

@@ -0,0 +1,88 @@
+- name: Create temporary netbird unarchive directory
+  file: 
+    path: "/tmp/netbird_{{ netbird_version }}"
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Download and verify the netbird archive
+  get_url:
+    url: "https://github.com/netbirdio/netbird/releases/download/v{{ netbird_version }}/netbird_{{ netbird_version }}_linux_{{ netbird_arch }}.tar.gz"
+    dest: "/tmp/netbird-{{ netbird_version }}.linux-{{ netbird_arch }}.tar.gz"
+    checksum: "sha256:{{ netbird_sha256 }}"
+  register: download_result
+
+- name: Unarchive netbird binary
+  unarchive:
+    src: "{{ download_result.dest }}"
+    dest: "/tmp/netbird_{{ netbird_version }}"
+    remote_src: true # Indicates the source file is on the remote host
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy netbird binary to /usr/local/bin
+  copy:
+    src: "/tmp/netbird_{{ netbird_version }}/netbird"
+    dest: "/usr/local/bin/netbird-{{ netbird_version }}"
+    owner: root
+    group: root
+    mode: '0755'
+    remote_src: yes
+
+- name: Create netbird binary symlink
+  file:
+    src: "/usr/local/bin/netbird-{{ netbird_version }}"
+    dest: "/usr/local/bin/netbird"
+    state: link
+    owner: root
+    group: root
+    mode: '0755' # Permissions for the target file
+    force: yes 
+
+- name: Run command to generate netbird systemd unit file
+  command: 
+    cmd: /usr/local/bin/netbird service install
+    creates: /etc/systemd/system/netbird.service
+  register: netbird_service
+
+- name: systemctl daemon-reload to pickup netbird service changes
+  systemd_service:
+    daemon_reload: true
+  when: netbird_service.changed
+  notify: restart netbird
+
+- name: Start and enable netbird service
+  service:
+    name: netbird
+    state: started
+    enabled: true
+    daemon_reload: true
+
+- name: Run netbird up with setup key
+  command:
+    cmd: /usr/local/bin/netbird up --setup-key {{ netbird_setup_key }} --management-url https://netbird.jthan.io:443
+
+#- name: Create netbird firewalld zone
+#  ansible.posix.firewalld:
+#    zone: netbird
+#    state: present
+#    permanent: true
+#  notify: restart firewalld
+#
+#- name: Set netbird zone target to ACCEPT
+#  ansible.posix.firewalld:
+#    zone: netbird
+#    state: present
+#    permanent: true
+#    target: ACCEPT
+#  notify: restart firewalld
+#
+#- name: Add netbird interface to netbird zone 
+#  ansible.posix.firewalld:
+#    zone: netbird
+#    interface: wt0
+#    permanent: true
+#    state: enabled
+#  notify: restart firewalld

ansible/roles/nginx/tasks/main.yaml

@@ -41,6 +41,7 @@
     mode: 0600
     remote_src: true
   when: nginx_ssl_enabled
+  notify: Restart nginx
 
 - name: Copy SSL issuer certificate into place for SSL enabled nginx server
   copy:
@@ -51,6 +52,7 @@
     mode: 0600
     remote_src: true
   when: nginx_ssl_enabled
+  notify: Restart nginx
 
 - name: Copy SSL key into place for SSL enabled nginx server
   copy:
@@ -61,6 +63,7 @@
     mode: 0600
     remote_src: true
   when: nginx_ssl_enabled
+  notify: Restart nginx
 
 - name: Create web root
   file:

ansible/roles/nginx/tasks/templates/vhost_ssl.conf.j2

@@ -33,6 +33,7 @@ server {
   ssl_stapling_verify on;
   server_name {{ inventory_hostname }};
 
+  {% if not static_site %}
   location / {
     client_max_body_size 512M;
     proxy_pass http://localhost:3000;
@@ -43,4 +44,13 @@ server {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
  }
+ {% endif %}
+ {% if static_site %}
+  root /srv/http/{{ inventory_hostname }}/html;
+  index index.html;
+  error_page 404 /404.html;
+  location / {
+    try_files $uri $uri.html $uri/ =404;
+  }
+ {% endif %}
 }

ansible/roles/pangolin_server/handlers/main.yaml

@@ -0,0 +1,6 @@
+- name: Restart pangolin
+  shell: |
+    podman compose down
+    podman compose up --build -d 
+  args:
+    chdir: /home/pangolin

ansible/roles/pangolin_server/tasks/main.yaml

@@ -73,7 +73,7 @@
     state: started
     enabled: true
 
-- name: Create pangolin config and logging directories
+- name: Create pangolin config, logging and backup directories
   file:
     path: "{{ item }}"
     state: directory
@@ -86,6 +86,7 @@
     - /home/pangolin/config/traefik
     - /home/pangolin/config/letsencrypt
     - /home/pangolin/config/logs
+    - /home/pangolin/backups
 
 - name: Create pangolin config
   template: 
@@ -111,17 +112,23 @@
     group: pangolin
     mode: 0600
 
-- name: Create docker-compose
+- name: Create or update docker-compose
   template:
     src: templates/docker-compose.yaml.j2
     dest: /home/pangolin/docker-compose.yaml
     owner: pangolin
     group: pangolin
     mode: 0600
+  notify: Restart pangolin
 
-#- name: Run podman-compose up
-#  become: true
-#  become_user: pangolin
-#  command: podman compose up -d
-#  args:
-#    chdir: /home/pangolin
+- name: Create local backup of config directory
+  copy:
+    src: /home/pangolin/config
+    dest: /home/pangolin/backups/config.backup.{{ ansible_date_time.date }}
+    remote_src: yes
+
+- name: Create local backup of docker-compose
+  copy:
+    src: /home/pangolin/docker-compose.yaml
+    dest: /home/pangolin/backups/docker-compose.yaml.backup.{{ ansible_date_time.date }}
+    remote_src: yes

ansible/roles/pangolin_server/tasks/templates/docker-compose.yaml.j2

@@ -1,6 +1,6 @@
 services:
   pangolin:
-    image: fosrl/pangolin:1.15.1 # https://github.com/fosrl/pangolin/releases
+    image: fosrl/pangolin:{{ pangolin_version }} # https://github.com/fosrl/pangolin/releases
     container_name: pangolin
     restart: unless-stopped
     volumes:
@@ -12,7 +12,7 @@ services:
       retries: 15
 
   gerbil:
-    image: fosrl/gerbil:1.3.0 # https://github.com/fosrl/gerbil/releases
+    image: fosrl/gerbil:{{ gerbil_version }} # https://github.com/fosrl/gerbil/releases
     container_name: gerbil
     restart: unless-stopped
     depends_on:
@@ -38,7 +38,7 @@ services:
       - 80:80 # Port for traefik because of the network_mode
 
   traefik:
-    image: traefik:v3.4.0
+    image: traefik:v{{ traefik_version }}
     container_name: traefik
     restart: unless-stopped
     network_mode: service:gerbil # Ports appear on the gerbil service

ansible/roles/pocketid/tasks/main.yaml

@@ -0,0 +1,55 @@
+- name: Create a pocketid group
+  group:
+    name: pocketid
+    state: present
+    gid: 1050 
+
+- name: Create a pocketid user
+  user:
+    name: pocketid
+    uid: 1050
+    group: 1050
+    comment: "pocketid user"
+    shell: /bin/bash
+    state: present
+    create_home: yes
+
+- name: Create pocketid directory
+  file:
+    path: /home/pocketid/pocketid
+    state: directory
+    mode: '0755'
+    owner: pocketid
+    group: pocketid
+
+- name: Create encryption key file
+  template:
+    src: pocket_id_encryption_key.j2
+    dest: /home/pocketid/pocketid/pocket_id_encryption_key
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create env file
+  template:
+    src: templates/pocketid.env.j2
+    dest: /home/pocketid/pocketid/.env
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /home/pocketid/pocketid/docker-compose.yaml
+    owner: pocketid
+    group: pocketid
+    mode: 0600
+
+- name: Create and start pocketid
+  community.docker.docker_compose_v2:
+    project_src: /home/pocketid/pocketid/
+    build: always
+  register: output

ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,21 @@
+secrets:
+  pocket_id_encryption_key:
+    file: ./pocket_id_encryption_key
+services:
+  pocket-id:
+    image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}
+    restart: unless-stopped
+    env_file: .env
+    ports:
+      - 1411:1411
+    volumes:
+      - "./data:/app/data"
+    # Optional healthcheck
+    healthcheck:
+      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
+      interval: 1m30s
+      timeout: 5s
+      retries: 2
+      start_period: 10s
+    secrets:
+      - pocket_id_encryption_key

ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2

@@ -0,0 +1 @@
+{{ pocket_id_encryption_key }}

ansible/roles/pocketid/tasks/templates/pocketid.env.j2

@@ -0,0 +1,18 @@
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+
+# These variables must be configured for your deployment:
+APP_URL=https://{{ inventory_hostname }}
+
+# Encryption key (choose one method):
+# Method 1: Direct key (simple but less secure)
+# Generate with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+# Method 2: File-based key (recommended)
+# Put the base64 key in a file and point to it here.
+ENCRYPTION_KEY_FILE=/run/secrets/pocket_id_encryption_key
+
+# These variables are optional but recommended to review:
+TRUST_PROXY=true
+MAXMIND_LICENSE_KEY=
+PUID=1050
+PGID=1050

ansible/roles/unbound/tasks/templates/unbound.conf.j2

@@ -16,6 +16,8 @@
 server:
 	access-control: 192.168.0.0/16 allow
         access-control: 2602:fb57:c20:b00::/56 allow
+	access-control: 100.92.0.0/16 allow
+	access-control: fd7c:9105:8a01:a24f::/64 allow
 	# whitespace is not necessary, but looks cleaner.
 
 	# verbosity number, 0 is least verbose. 1 is default.

ansible/site.yaml

@@ -3,11 +3,12 @@
 - import_playbook: webservers.yaml
 - import_playbook: gitea.yaml
 - import_playbook: dns.yaml
-- import_playbook: pangolin.yaml
+- import_playbook: pangolin_server.yaml
+- import_playbook: netbird_server.yaml
 - import_playbook: monitoring.yaml
 - import_playbook: ldap_server.yaml
 - import_playbook: irc.yaml
 - import_playbook: syncthing.yaml
-- import_playbook: notes.yaml
-#- import_playbook: authentik.yaml
+- import_playbook: dockhand.yaml
+- import_playbook: auth.yaml
 

ansible/webservers.yaml

@@ -3,5 +3,6 @@
 - hosts: webservers
   roles:
     - common
-    - nginx
+    - ldap_client
     - lego
+    - nginx

misc/ansible-runner.sh

@@ -7,7 +7,7 @@ cd /home/ansible
 mkdir -p /home/ansible/logs
 
 
-cd /home/ansible/infra
+cd /home/ansible/ansible
 git fetch origin > /dev/null 2>&1
 
 BEHIND_COUNT=$(git rev-list --count HEAD..@{u})
@@ -25,10 +25,10 @@ python3 -m venv /home/ansible/venv
 . /home/ansible/venv/bin/activate
 
 # Install requirements for ansible
-pip install -r /home/ansible/infra/ansible/requirements.txt
+pip install -r /home/ansible/ansible/ansible/requirements.txt
 
 # Change into ansible subdir of repo
-cd /home/ansible/infra/ansible
+cd /home/ansible/ansible/ansible
 
 source /home/ansible/.bws