remove old static site servers

add dns entries for karakeep
Shift even more DNS entries. DO ALL THE THINGS
2026-06-09 11:49:37 -06:00 · 2026-06-09 11:35:48 -06:00 · 2026-06-07 16:56:24 -06:00 · 2026-06-07 13:23:36 -06:00 · 2026-06-07 12:45:44 -06:00 · 2026-06-07 12:00:08 -06:00
19 changed files with 290 additions and 17 deletions
--- a/ansible/auth.yaml
+++ b/ansible/auth.yaml
@@ -0,0 +1,8 @@
 ---
 # file: auth.yaml
 - hosts: auth
  roles:
    - common
    - ldap_client
    - docker
    - pocketid
--- a/ansible/dns.yaml
+++ b/ansible/dns.yaml
@@ -4,3 +4,4 @@
  roles:
    - common
    - unbound
    - netbird_peer
--- a/ansible/gitea.yaml
+++ b/ansible/gitea.yaml
@@ -6,4 +6,5 @@
    - lego
    - nginx
    - gitea
    - netbird_peer
    - ldap_client
--- a/ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml
+++ b/ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml
@@ -0,0 +1,3 @@
 pocket_id_encryption_key: "{{ lookup('bitwarden.secrets.lookup', '6a5549a9-0f64-4791-94d1-b43b00254c42') }}"
 pocket_id_version: 2.6.2
 pocket_id_sha256: "348c2cfb6457d31078327c203896c29509d0417982c78bfac185d07859dc5b86"
--- a/ansible/inventories/production/host_vars/git.jthan.io/vars.yaml
+++ b/ansible/inventories/production/host_vars/git.jthan.io/vars.yaml
@@ -14,3 +14,8 @@ olm_secret: "{{ lookup('bitwarden.secrets.lookup', 'a9499a7f-4b3e-4c1b-97a0-b3de
 olm_loglevel: "INFO"
 olm_override_dns: "false"
 olm_tunnel_dns: "true"
 netbird_version: "0.71.4"
 netbird_arch: "amd64"
 netbird_sha256: "a7c55f50cafb4034425135253f96a6028edfceb723d09e260bb16eaf4c5a82c3"
 netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '4ba58bbe-e459-4978-894b-b43000561a2f') }}"
--- a/ansible/inventories/production/host_vars/netbird.jthan.io/vars.yaml
+++ b/ansible/inventories/production/host_vars/netbird.jthan.io/vars.yaml
@@ -1 +1,6 @@
 root_pw: "{{ lookup('bitwarden.secrets.lookup', 'a3402c94-7082-4d70-8436-b42e002c8e18') }}"
 netbird_version: "0.71.4"
 netbird_arch: "amd64"
 netbird_sha256: "a7c55f50cafb4034425135253f96a6028edfceb723d09e260bb16eaf4c5a82c3"
 netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '88be4f9e-2558-455f-a34a-b436003684af') }}"
--- a/ansible/inventories/production/host_vars/rpi0.home.jthan.io/vars.yaml
+++ b/ansible/inventories/production/host_vars/rpi0.home.jthan.io/vars.yaml
@@ -1,18 +1,23 @@
 netbird_version: "0.71.4"
 netbird_arch: "arm64"
 netbird_sha256: "95be7c307a4e9f83e1a67271390c5efd1e389210f851f26511f436f4393878af"
 netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', 'ceda19a5-3efb-4bcf-ac84-b43000086ea4') }}"
 private_domains:
  - name: jthan.io
    records:
      - type: A
        name: "jthan.io"
-        value: "192.168.1.17"
+        value: "192.168.1.18"
      - type: A
        name: "notes.jthan.io"
-        value: "192.168.1.16"
+        value: "192.168.1.18"
      - type: AAAA
        name: "jthan.io"
-        value: "2602:fb57:c20:b00:be24:11ff:feac:6536"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "notes.jthan.io"
-        value: "2602:fb57:c20:b00:be24:11ff:fe8b:f6db"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
  - name: home.jthan.io
    records:
      - type: A
@@ -24,6 +29,9 @@ private_domains:
      - type: A
        name: "storage0.home.jthan.io"
        value: 192.168.1.3
      - type: A
        name: "auth.home.jthan.io"
        value: 192.168.1.7
      - type: A
        name: "proxy0.home.jthan.io"
        value: 192.168.1.7
@@ -45,6 +53,24 @@ private_domains:
      - type: A
        name: "docker.home.jthan.io"
        value: 192.168.1.18
      - type: A
        name: "papra.home.jthan.io"
        value: 192.168.1.18
      - type: A
        name: "keep.home.jthan.io"
        value: 192.168.1.18
      - type: A
        name: "whoami.home.jthan.io"
        value: 192.168.1.18
      - type: A
        name: "traefik.home.jthan.io"
        value: 192.168.1.18
      - type: A
        name: "music.home.jthan.io"
        value: 192.168.1.18
      - type: AAAA
        name: "rpi0.home.jthan.io"
        value: "2602:fb57:c20:b00:dea6:32ff:fe10:715a"
      - type: AAAA
        name: "storage0.home.jthan.io"
        value: "2602:fb57:c20:b00:7a55:36ff:fe02:92c9"
@@ -69,6 +95,24 @@ private_domains:
      - type: AAAA
        name: "docker.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "whoami.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "traefik.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "music.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "papra.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "keep.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
      - type: AAAA
        name: "auth.home.jthan.io"
        value: "2602:fb57:c20:b00:be24:11ff:fee6:8593"
      - type: CNAME
        name: "ha.home.jthan.io"
        value: "proxy0.home.jthan.io"
--- a/ansible/inventories/production/hosts.ini
+++ b/ansible/inventories/production/hosts.ini
@@ -4,9 +4,6 @@ git.jthan.io
 [dns]
 rpi0.home.jthan.io
 [pangolin_server]
 pangolin.jthan.io
 [authentik]
 authentik.home.jthan.io ansible_host=192.168.1.8
@@ -22,12 +19,15 @@ irc.home.jthan.io
 [syncthing]
 syncthing.home.jthan.io
-[webservers]
+#[webservers]
-notes.jthan.io ansible_host=192.168.1.16
+#notes.jthan.io ansible_host=192.168.1.16
-jthan.io ansible_host=192.168.1.17
+#jthan.io ansible_host=192.168.1.17
 [netbird_server]
 netbird.jthan.io
 [dockhand]
 docker.home.jthan.io
 [auth]
 auth.home.jthan.io ansible_host=192.168.1.5
--- a/ansible/netbird_server.yaml
+++ b/ansible/netbird_server.yaml
@@ -4,3 +4,6 @@
  roles:
    - common
    - docker
    - netbird_peer # can be server and peer to access internal resources
    - ldap_client # which allows us to talk to ldap, authentik, etc.
--- a/ansible/roles/dockhand/tasks/templates/docker-compose.yaml.j2
+++ b/ansible/roles/dockhand/tasks/templates/docker-compose.yaml.j2
@@ -20,11 +20,12 @@ services:
      - ALLOW_STOP=1
      - ALLOW_RESTARTS=1
      # Optional: enable for terminal access
-      # - EXEC=1
+      - EXEC=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy
      - proxy
  dockhand:
    image: fnsys/dockhand:latest
@@ -32,17 +33,25 @@ services:
    restart: unless-stopped
    depends_on:
      - socket-proxy
    ports:
      - "3000:3000"
    volumes:
      - dockhand_data:/app/data
    networks:
      - socket-proxy
      - proxy
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.dockhand.rule=Host(`docker.home.jthan.io`)" 
      - "traefik.http.routers.dockhand.entrypoints=websecure"
      - "traefik.http.routers.dockhand.tls.certresolver=myresolver"
        #- "traefik.http.services.dockhand.loadbalancer.server.port=3000"
 networks:
  socket-proxy:
    internal: true
  proxy:
    external: true
 volumes:
  dockhand_data:
--- a/ansible/roles/netbird_peer/handlers/main.yaml
+++ b/ansible/roles/netbird_peer/handlers/main.yaml
@@ -0,0 +1,9 @@
 - name: restart netbird
  service:
    name: netbird
    state: restarted
 - name: restart firewalld
  service:
    name: firewalld
    state: restarted
--- a/ansible/roles/netbird_peer/tasks/main.yaml
+++ b/ansible/roles/netbird_peer/tasks/main.yaml
@@ -0,0 +1,88 @@
 - name: Create temporary netbird unarchive directory
  file: 
    path: "/tmp/netbird_{{ netbird_version }}"
    state: directory
    mode: '0700'
    owner: root
    group: root
 - name: Download and verify the netbird archive
  get_url:
    url: "https://github.com/netbirdio/netbird/releases/download/v{{ netbird_version }}/netbird_{{ netbird_version }}_linux_{{ netbird_arch }}.tar.gz"
    dest: "/tmp/netbird-{{ netbird_version }}.linux-{{ netbird_arch }}.tar.gz"
    checksum: "sha256:{{ netbird_sha256 }}"
  register: download_result
 - name: Unarchive netbird binary
  unarchive:
    src: "{{ download_result.dest }}"
    dest: "/tmp/netbird_{{ netbird_version }}"
    remote_src: true # Indicates the source file is on the remote host
    owner: root
    group: root
    mode: 0755
 - name: Copy netbird binary to /usr/local/bin
  copy:
    src: "/tmp/netbird_{{ netbird_version }}/netbird"
    dest: "/usr/local/bin/netbird-{{ netbird_version }}"
    owner: root
    group: root
    mode: '0755'
    remote_src: yes
 - name: Create netbird binary symlink
  file:
    src: "/usr/local/bin/netbird-{{ netbird_version }}"
    dest: "/usr/local/bin/netbird"
    state: link
    owner: root
    group: root
    mode: '0755' # Permissions for the target file
    force: yes 
 - name: Run command to generate netbird systemd unit file
  command: 
    cmd: /usr/local/bin/netbird service install
    creates: /etc/systemd/system/netbird.service
  register: netbird_service
 - name: systemctl daemon-reload to pickup netbird service changes
  systemd_service:
    daemon_reload: true
  when: netbird_service.changed
  notify: restart netbird
 - name: Start and enable netbird service
  service:
    name: netbird
    state: started
    enabled: true
    daemon_reload: true
 - name: Run netbird up with setup key
  command:
    cmd: /usr/local/bin/netbird up --setup-key {{ netbird_setup_key }} --management-url https://netbird.jthan.io:443
 #- name: Create netbird firewalld zone
 #  ansible.posix.firewalld:
 #    zone: netbird
 #    state: present
 #    permanent: true
 #  notify: restart firewalld
 #
 #- name: Set netbird zone target to ACCEPT
 #  ansible.posix.firewalld:
 #    zone: netbird
 #    state: present
 #    permanent: true
 #    target: ACCEPT
 #  notify: restart firewalld
 #
 #- name: Add netbird interface to netbird zone 
 #  ansible.posix.firewalld:
 #    zone: netbird
 #    interface: wt0
 #    permanent: true
 #    state: enabled
 #  notify: restart firewalld
--- a/ansible/roles/pocketid/tasks/main.yaml
+++ b/ansible/roles/pocketid/tasks/main.yaml
@@ -0,0 +1,55 @@
 - name: Create a pocketid group
  group:
    name: pocketid
    state: present
    gid: 1050 
 - name: Create a pocketid user
  user:
    name: pocketid
    uid: 1050
    group: 1050
    comment: "pocketid user"
    shell: /bin/bash
    state: present
    create_home: yes
 - name: Create pocketid directory
  file:
    path: /home/pocketid/pocketid
    state: directory
    mode: '0755'
    owner: pocketid
    group: pocketid
 - name: Create encryption key file
  template:
    src: pocket_id_encryption_key.j2
    dest: /home/pocketid/pocketid/pocket_id_encryption_key
    owner: pocketid
    group: pocketid
    mode: '0600'  
  no_log: true    # Prevents secret from appearing in logs
 - name: Create env file
  template:
    src: templates/pocketid.env.j2
    dest: /home/pocketid/pocketid/.env
    owner: pocketid
    group: pocketid
    mode: '0600'  
  no_log: true    # Prevents secret from appearing in logs
 - name: Create or update docker-compose
  template:
    src: templates/docker-compose.yaml.j2
    dest: /home/pocketid/pocketid/docker-compose.yaml
    owner: pocketid
    group: pocketid
    mode: 0600
 - name: Create and start pocketid
  community.docker.docker_compose_v2:
    project_src: /home/pocketid/pocketid/
    build: always
  register: output
--- a/ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2
+++ b/ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2
@@ -0,0 +1,21 @@
 secrets:
  pocket_id_encryption_key:
    file: ./pocket_id_encryption_key
 services:
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}
    restart: unless-stopped
    env_file: .env
    ports:
      - 1411:1411
    volumes:
      - "./data:/app/data"
    # Optional healthcheck
    healthcheck:
      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s
    secrets:
      - pocket_id_encryption_key
--- a/ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2
+++ b/ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2
@@ -0,0 +1 @@
 {{ pocket_id_encryption_key }}
--- a/ansible/roles/pocketid/tasks/templates/pocketid.env.j2
+++ b/ansible/roles/pocketid/tasks/templates/pocketid.env.j2
@@ -0,0 +1,18 @@
 # See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
 # These variables must be configured for your deployment:
 APP_URL=https://{{ inventory_hostname }}
 # Encryption key (choose one method):
 # Method 1: Direct key (simple but less secure)
 # Generate with: openssl rand -base64 32
 # ENCRYPTION_KEY=
 # Method 2: File-based key (recommended)
 # Put the base64 key in a file and point to it here.
 ENCRYPTION_KEY_FILE=/run/secrets/pocket_id_encryption_key
 # These variables are optional but recommended to review:
 TRUST_PROXY=true
 MAXMIND_LICENSE_KEY=
 PUID=1050
 PGID=1050
--- a/ansible/roles/unbound/tasks/templates/unbound.conf.j2
+++ b/ansible/roles/unbound/tasks/templates/unbound.conf.j2
@@ -16,6 +16,8 @@
 server:
 	access-control: 192.168.0.0/16 allow
        access-control: 2602:fb57:c20:b00::/56 allow
 	access-control: 100.92.0.0/16 allow
 	access-control: fd7c:9105:8a01:a24f::/64 allow
 	# whitespace is not necessary, but looks cleaner.
 	# verbosity number, 0 is least verbose. 1 is default.
--- a/ansible/site.yaml
+++ b/ansible/site.yaml
@@ -10,5 +10,5 @@
 - import_playbook: irc.yaml
 - import_playbook: syncthing.yaml
 - import_playbook: dockhand.yaml
-#- import_playbook: authentik.yaml
+- import_playbook: auth.yaml
--- a/misc/ansible-runner.sh
+++ b/misc/ansible-runner.sh
@@ -7,7 +7,7 @@ cd /home/ansible
 mkdir -p /home/ansible/logs
-cd /home/ansible/infra
+cd /home/ansible/ansible
 git fetch origin > /dev/null 2>&1
 BEHIND_COUNT=$(git rev-list --count HEAD..@{u})
@@ -25,10 +25,10 @@ python3 -m venv /home/ansible/venv
 . /home/ansible/venv/bin/activate
 # Install requirements for ansible
-pip install -r /home/ansible/infra/ansible/requirements.txt
+pip install -r /home/ansible/ansible/ansible/requirements.txt
 # Change into ansible subdir of repo
-cd /home/ansible/infra/ansible
+cd /home/ansible/ansible/ansible
 source /home/ansible/.bws
Author	SHA1	Message	Date
Jonathan DeMasi	4c0b74c80d	remove old static site servers	2026-06-09 11:49:37 -06:00
Jonathan DeMasi	15699177e6	add dns entries for karakeep	2026-06-09 11:35:48 -06:00
Jonathan DeMasi	4f0e35e66d	Shift even more DNS entries. DO ALL THE THINGS	2026-06-07 16:56:24 -06:00
Jonathan DeMasi	557c0c66a5	remove extraneous port	2026-06-07 13:23:36 -06:00
Jonathan DeMasi	a2fa11e8ff	Update dns, fix template	2026-06-07 12:45:44 -06:00
Jonathan DeMasi	f1755e079c	new dns entries	2026-06-07 12:00:08 -06:00
Jonathan DeMasi	d38354762c	add some dns entries to tet	2026-06-07 10:01:24 -06:00
Jonathan DeMasi	3c0f41f4c8	add DNS entries!	2026-06-06 21:02:39 -06:00
Jonathan DeMasi	61659accc0	restore netbird server peer	2026-05-30 21:50:56 -06:00
Jonathan DeMasi	e16cf0ea9b	Add gitea netbird client	2026-05-30 21:08:19 -06:00
Jonathan DeMasi	f0cb243a03	add VPN IPs	2026-05-30 16:35:14 -06:00
Jonathan DeMasi	891435583b	Remove gitea as netbird peer temporarily	2026-05-30 16:04:58 -06:00
Jonathan DeMasi	d5ac1bbd6f	remove server as peer for now	2026-05-30 16:00:04 -06:00
Jonathan DeMasi	77a3572da8	Update netbird role	2026-05-30 15:57:59 -06:00
Jonathan DeMasi	16b43a2cd1	Bump netbird version rpi0	2026-05-29 10:12:33 -06:00
Jonathan DeMasi	03888824d4	bump netbird version git	2026-05-29 09:15:51 -06:00
Jonathan DeMasi	67e2483a2d	bump netbird version	2026-05-27 23:20:14 -06:00
Jonathan DeMasi	6ee9515c1f	add ipv6 for rpi0	2026-05-27 20:48:36 -06:00
Jonathan DeMasi	b69092891b	update runner script to accommodate new repo name	2026-05-06 20:49:21 -06:00
Jonathan DeMasi	01b8ebfa08	small upadte	2026-04-28 20:53:24 -06:00
Jonathan DeMasi	2e51a1d06b	oof	2026-04-28 20:50:19 -06:00
Jonathan DeMasi	110519e8f3	fix dns records for auth	2026-04-28 20:48:56 -06:00
Jonathan DeMasi	d9e8c03ce8	fixed	2026-04-28 20:42:00 -06:00
Jonathan DeMasi	6adce5e2ed	right user maybe	2026-04-28 20:40:21 -06:00
Jonathan DeMasi	c0f5170c2a	Update env file	2026-04-28 20:37:11 -06:00
Jonathan DeMasi	061d8ebcef	Update dir	2026-04-28 20:31:46 -06:00
Jonathan DeMasi	f78c07f7db	init pocketid	2026-04-28 20:21:05 -06:00
Jonathan DeMasi	ca0e5ee0c3	init new auth host	2026-04-27 21:16:18 -06:00
Jonathan DeMasi	4c7ce981e3	Add some DNS entries for new auth server	2026-04-27 21:09:53 -06:00
Jonathan DeMasi	4f8b8e5bef	add role to netbird server	2026-04-23 21:39:02 -06:00
Jonathan DeMasi	20ff78ee38	add correct arch. derp	2026-04-23 21:32:23 -06:00
Jonathan DeMasi	db2a2acac1	remove extraneous, old host	2026-04-23 21:26:37 -06:00
Jonathan DeMasi	584da88236	Add netbird server as peer	2026-04-23 21:20:42 -06:00
Jonathan DeMasi	30e5e5c03e	add arch support	2026-04-17 23:24:19 -06:00
Jonathan DeMasi	8553964594	add gitea as netbird peer	2026-04-17 23:14:46 -06:00
Jonathan DeMasi	644af729ee	add handler plus calls	2026-04-17 22:34:50 -06:00
Jonathan DeMasi	3db5b84a0f	clean up some peer firewall stuff	2026-04-17 22:29:41 -06:00
Jonathan DeMasi	b7910eafa0	helps to use the right key	2026-04-17 18:35:24 -06:00
Jonathan DeMasi	2239644fb6	add setup command	2026-04-17 18:31:11 -06:00
Jonathan DeMasi	b21ea34764	add service logic	2026-04-17 18:14:12 -06:00
Jonathan DeMasi	7c19f7dafe	create directory plz	2026-04-17 17:56:11 -06:00
Jonathan DeMasi	108a5afa1e	hard code arch for now	2026-04-17 17:51:15 -06:00
Jonathan DeMasi	d4661682b5	add netbird_peer to dns servers	2026-04-17 17:46:43 -06:00
Jonathan DeMasi	0256e66d71	init netbird peer	2026-04-17 17:45:47 -06:00
Jonathan DeMasi	fbd335a39b	add netbird version and sha	2026-04-17 17:45:35 -06:00