From 5edd7c413e4c722cd6ae35ad698e4dc6379b9c70 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 02:02:21 +0200 Subject: [PATCH 01/10] Update bash.nix to improve WSL Windows alias handling --- config/bash.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/config/bash.nix b/config/bash.nix index eda3ccb..bb52338 100644 --- a/config/bash.nix +++ b/config/bash.nix @@ -82,6 +82,8 @@ if [[ "$(uname -a)" == *"microsoft-standard-WSL2"* ]]; then [ -f "${config.home.homeDirectory}/.agent-bridge.sh" ] && source "${config.home.homeDirectory}/.agent-bridge.sh" alias winget='winget.exe' + alias ssh-add="ssh-add.exe" + alias git="git.exe" fi # Set SSH_AUTH_SOCK to 1Password agent if not already set @@ -137,11 +139,6 @@ bind -x '"\C-r": fzf_history_search' fi - # In case this is WSL, let's add various Windows executables as aliases - if [ -f "/mnt/c/Windows/System32/cmd.exe" ]; then - alias ssh-add="ssh-add.exe" - fi - # Display welcome message for interactive shells if [ -t 1 ]; then command -v helloworld &> /dev/null && helloworld From f67b16f59369ffcee553b1fabb35a6bc8dbf1a1a Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 02:02:28 +0200 Subject: [PATCH 02/10] update flake locvk --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 169e1fd..c88b2f8 100644 --- a/flake.lock +++ b/flake.lock @@ -41,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1760862643, - "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=", + "lastModified": 1761016216, + "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c", + "rev": "481cf557888e05d3128a76f14c76397b7d7cc869", "type": "github" }, "original": { From e57e9ee67c9f62dd612bab5b52f445cf0935713e Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 02:02:46 +0200 Subject: [PATCH 03/10] chore: update country allow list and add European allow option --- .../tasks/servers/services/caddy/Caddyfile.j2 | 79 +++++++++++-------- 1 file changed, 48 insertions(+), 31 deletions(-) diff --git a/ansible/tasks/servers/services/caddy/Caddyfile.j2 b/ansible/tasks/servers/services/caddy/Caddyfile.j2 index 4eeed84..baaa866 100644 --- a/ansible/tasks/servers/services/caddy/Caddyfile.j2 +++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2 @@ -5,9 +5,9 @@ } } -# Country blocking snippet using MaxMind GeoLocation - reusable across all sites +# Country allow list snippet using MaxMind GeoLocation - reusable across all sites {% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %} -(country_block) { +(country_allow) { @allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } @@ -23,56 +23,73 @@ respond @not_allowed_countries "Access denied" 403 } {% else %} -(country_block) { - # Country blocking disabled +(country_allow) { + # Country allow list disabled } {% endif %} +# European country allow list - allows all European countries +(eu_country_allow) { + @allowed_local { + remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + } + @not_allowed_countries { + not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + not { + maxmind_geolocation { + db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" + allow_countries AL AD AM AT AZ BY BE BA BG HR CY CZ DK EE FI FR GE DE GR HU IS IE IT XK LV LI LT LU MK MT MD MC ME NL NO PL PT RO SM RS SK SI ES SE CH TR UA GB VA + } + } + } + respond @not_allowed_countries "Access denied" 403 +} + {% if inventory_hostname == 'mennos-server' %} git.mvl.sh { - import country_block + import country_allow reverse_proxy gitea:3000 tls {{ caddy_email }} } git.vleeuwen.me { - import country_block + import country_allow redir https://git.mvl.sh{uri} tls {{ caddy_email }} } df.mvl.sh { - import country_block + import country_allow redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh tls {{ caddy_email }} } fsm.mvl.sh { - import country_block + import country_allow reverse_proxy factorio-server-manager:80 tls {{ caddy_email }} } fsm.vleeuwen.me { - import country_block + import country_allow redir https://fsm.mvl.sh{uri} tls {{ caddy_email }} } beszel.mvl.sh { - import country_block + import country_allow reverse_proxy beszel:8090 tls {{ caddy_email }} } beszel.vleeuwen.me { - import country_block + import country_allow redir https://beszel.mvl.sh{uri} tls {{ caddy_email }} } sathub.de { - import country_block + import eu_country_allow handle { reverse_proxy sathub-frontend:4173 @@ -93,31 +110,31 @@ sathub.de { } api.sathub.de { - import country_block + import eu_country_allow reverse_proxy sathub-backend:4001 tls {{ caddy_email }} } sathub.nl { - import country_block + import eu_country_allow redir https://sathub.de{uri} tls {{ caddy_email }} } photos.mvl.sh { - import country_block + import country_allow reverse_proxy immich:2283 tls {{ caddy_email }} } photos.vleeuwen.me { - import country_block + import country_allow redir https://photos.mvl.sh{uri} tls {{ caddy_email }} } home.mvl.sh { - import country_block + import country_allow reverse_proxy host.docker.internal:8123 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -126,7 +143,7 @@ home.mvl.sh { } home.vleeuwen.me { - import country_block + import country_allow reverse_proxy host.docker.internal:8123 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -160,13 +177,13 @@ hotspot.mvl.sh:80 { } bin.mvl.sh { - import country_block + import country_allow reverse_proxy privatebin:8080 tls {{ caddy_email }} } ip.mvl.sh ip.vleeuwen.me { - import country_block + import country_allow reverse_proxy echoip:8080 { header_up X-Real-IP {http.request.remote.host} } @@ -174,26 +191,26 @@ ip.mvl.sh ip.vleeuwen.me { } http://ip.mvl.sh http://ip.vleeuwen.me { - import country_block + import country_allow reverse_proxy echoip:8080 { header_up X-Real-IP {http.request.remote.host} } } overseerr.mvl.sh { - import country_block + import country_allow reverse_proxy overseerr:5055 tls {{ caddy_email }} } overseerr.vleeuwen.me { - import country_block + import country_allow redir https://overseerr.mvl.sh{uri} tls {{ caddy_email }} } plex.mvl.sh { - import country_block + import country_allow reverse_proxy host.docker.internal:32400 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -202,13 +219,13 @@ plex.mvl.sh { } plex.vleeuwen.me { - import country_block + import country_allow redir https://plex.mvl.sh{uri} tls {{ caddy_email }} } tautulli.mvl.sh { - import country_block + import country_allow reverse_proxy host.docker.internal:8181 { header_up Host {upstream_hostport} header_up X-Real-IP {http.request.remote.host} @@ -217,13 +234,13 @@ tautulli.mvl.sh { } tautulli.vleeuwen.me { - import country_block + import country_allow redir https://tautulli.mvl.sh{uri} tls {{ caddy_email }} } cloud.mvl.sh { - import country_block + import country_allow reverse_proxy cloudreve:5212 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} @@ -232,13 +249,13 @@ cloud.mvl.sh { } cloud.vleeuwen.me { - import country_block + import country_allow redir https://cloud.mvl.sh{uri} tls {{ caddy_email }} } collabora.mvl.sh { - import country_block + import country_allow reverse_proxy collabora:9980 { header_up Host {host} header_up X-Real-IP {http.request.remote.host} @@ -247,7 +264,7 @@ collabora.mvl.sh { } drive.mvl.sh drive.vleeuwen.me { - import country_block + import country_allow # CalDAV and CardDAV redirects redir /.well-known/carddav /remote.php/dav/ 301 From 461d251356be6b923f6d4af17e7f8fc933630525 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:04:14 +0000 Subject: [PATCH 04/10] Add Ansible role to deploy Necesse server with Docker --- .../services/necesse/docker-compose.yml.j2 | 15 +++++++ .../servers/services/necesse/necesse.yml | 41 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 ansible/tasks/servers/services/necesse/docker-compose.yml.j2 create mode 100644 ansible/tasks/servers/services/necesse/necesse.yml diff --git a/ansible/tasks/servers/services/necesse/docker-compose.yml.j2 b/ansible/tasks/servers/services/necesse/docker-compose.yml.j2 new file mode 100644 index 0000000..9009e90 --- /dev/null +++ b/ansible/tasks/servers/services/necesse/docker-compose.yml.j2 @@ -0,0 +1,15 @@ +services: + necesse: + image: brammys/necesse-server + container_name: necesse + restart: unless-stopped + ports: + - "14159:14159/udp" + environment: + - MOTD=StarDebris' Server! + - PASSWORD=2142 + - SLOTS=4 + - PAUSE=1 + volumes: + - {{ necesse_data_dir }}/saves:/necesse/saves + - {{ necesse_data_dir }}/logs:/necesse/logs diff --git a/ansible/tasks/servers/services/necesse/necesse.yml b/ansible/tasks/servers/services/necesse/necesse.yml new file mode 100644 index 0000000..d221d5a --- /dev/null +++ b/ansible/tasks/servers/services/necesse/necesse.yml @@ -0,0 +1,41 @@ +--- +- name: Deploy Necesse service + block: + - name: Set Necesse directories + ansible.builtin.set_fact: + necesse_service_dir: "{{ ansible_env.HOME }}/.services/necesse" + necesse_data_dir: "/mnt/services/necesse" + + - name: Create Necesse service directory + ansible.builtin.file: + path: "{{ necesse_service_dir }}" + state: directory + mode: "0755" + + - name: Create Necesse data directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0755" + loop: + - "{{ necesse_data_dir }}" + - "{{ necesse_data_dir }}/saves" + - "{{ necesse_data_dir }}/logs" + + - name: Deploy Necesse docker-compose.yml + ansible.builtin.template: + src: docker-compose.yml.j2 + dest: "{{ necesse_service_dir }}/docker-compose.yml" + mode: "0644" + register: necesse_compose + + - name: Stop Necesse service + ansible.builtin.command: docker compose -f "{{ necesse_service_dir }}/docker-compose.yml" down --remove-orphans + when: necesse_compose.changed + + - name: Start Necesse service + ansible.builtin.command: docker compose -f "{{ necesse_service_dir }}/docker-compose.yml" up -d + when: necesse_compose.changed + tags: + - services + - necesse From f0b15f77a15887dce0a2b5659dec1cf1aad65af5 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:04:19 +0000 Subject: [PATCH 05/10] Update nixpkgs input to latest commit --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 651abac..a47936b 100644 --- a/flake.lock +++ b/flake.lock @@ -41,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759994382, - "narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=", + "lastModified": 1760423683, + "narHash": "sha256-Tb+NYuJhWZieDZUxN6PgglB16yuqBYQeMJyYBGCXlt8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7", + "rev": "a493e93b4a259cd9fea8073f89a7ed9b1c5a1da2", "type": "github" }, "original": { From 8bfd8395f53ccb83219e1dd1dcb380324a2b7f22 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:04:41 +0000 Subject: [PATCH 06/10] Add Discord environment variables and update data volumes paths --- ansible/tasks/servers/services/sathub/.env.j2 | 6 +++++ .../services/sathub/docker-compose.yml.j2 | 22 ++++++++++++------- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/ansible/tasks/servers/services/sathub/.env.j2 b/ansible/tasks/servers/services/sathub/.env.j2 index e4ac420..dc73eb6 100644 --- a/ansible/tasks/servers/services/sathub/.env.j2 +++ b/ansible/tasks/servers/services/sathub/.env.j2 @@ -45,3 +45,9 @@ CORS_ALLOWED_ORIGINS=https://sathub.de,https://sathub.nl,https://api.sathub.de # Frontend configuration (optional - defaults are provided) VITE_API_BASE_URL=https://api.sathub.de VITE_ALLOWED_HOSTS=sathub.de,sathub.nl + +# Discord related messsaging +DISCORD_CLIENT_ID={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_CLIENT_ID') }} +DISCORD_CLIENT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_CLIENT_SECRET') }} +DISCORD_REDIRECT_URI={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_REDIRECT_URL') }} +DISCORD_WEBHOOK_URL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_WEBHOOK_URL') }} diff --git a/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 b/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 index 86191dd..69c3def 100644 --- a/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 +++ b/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 @@ -62,6 +62,12 @@ services: - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY} - MINIO_SECRET_KEY=${MINIO_SECRET_KEY} - MINIO_EXTERNAL_URL=https://obj.sathub.de + + # Discord settings + - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID} + - DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET} + - DISCORD_REDIRECT_URI=${DISCORD_REDIRECT_URI} + - DISCORD_WEBHOOK_URL=${DISCORD_WEBHOOK_URL} networks: - sathub - caddy_network @@ -98,6 +104,12 @@ services: - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY} - MINIO_SECRET_KEY=${MINIO_SECRET_KEY} - MINIO_EXTERNAL_URL=https://obj.sathub.de + + # Discord settings + - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID} + - DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET} + - DISCORD_REDIRECT_URI=${DISCORD_REDIRECT_URI} + - DISCORD_WEBHOOK_URL=${DISCORD_WEBHOOK_URL} networks: - sathub depends_on: @@ -113,7 +125,7 @@ services: - POSTGRES_PASSWORD=${DB_PASSWORD} - POSTGRES_DB=${DB_NAME:-sathub} volumes: - - postgres_data:/var/lib/postgresql/data + - {{ sathub_data_dir }}/postgres_data:/var/lib/postgresql/data networks: - sathub @@ -136,7 +148,7 @@ services: - MINIO_ROOT_USER=${MINIO_ROOT_USER} - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD} volumes: - - minio_data:/data + - {{ sathub_data_dir }}/minio_data:/data command: server /data --console-address :9001 networks: - sathub @@ -158,12 +170,6 @@ services: networks: - sathub -volumes: - minio_data: - driver: local - postgres_data: - driver: local - networks: sathub: driver: bridge From 8ba47c2ebf4d511684c85f0d04719d9db7a90165 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:04:51 +0000 Subject: [PATCH 07/10] Fix indentation in server.yml and add necesse service Add become: true to JuiceFS stop/start tasks in redis.yml --- ansible/tasks/servers/server.yml | 298 +++++++++--------- .../tasks/servers/services/redis/redis.yml | 2 + 2 files changed, 153 insertions(+), 147 deletions(-) diff --git a/ansible/tasks/servers/server.yml b/ansible/tasks/servers/server.yml index c1e1a5c..ba7090f 100644 --- a/ansible/tasks/servers/server.yml +++ b/ansible/tasks/servers/server.yml @@ -1,161 +1,165 @@ --- - name: Server setup block: - - name: Ensure openssh-server is installed on Arch-based systems - ansible.builtin.package: - name: openssh - state: present - when: ansible_pkg_mgr == 'pacman' + - name: Ensure openssh-server is installed on Arch-based systems + ansible.builtin.package: + name: openssh + state: present + when: ansible_pkg_mgr == 'pacman' - - name: Ensure openssh-server is installed on non-Arch systems - ansible.builtin.package: - name: openssh-server - state: present - when: ansible_pkg_mgr != 'pacman' + - name: Ensure openssh-server is installed on non-Arch systems + ansible.builtin.package: + name: openssh-server + state: present + when: ansible_pkg_mgr != 'pacman' - - name: Ensure Borg is installed on Arch-based systems - ansible.builtin.package: - name: borg - state: present - become: true - when: ansible_pkg_mgr == 'pacman' + - name: Ensure Borg is installed on Arch-based systems + ansible.builtin.package: + name: borg + state: present + become: true + when: ansible_pkg_mgr == 'pacman' - - name: Ensure Borg is installed on Debian/Ubuntu systems - ansible.builtin.package: - name: borgbackup - state: present - become: true - when: ansible_pkg_mgr != 'pacman' + - name: Ensure Borg is installed on Debian/Ubuntu systems + ansible.builtin.package: + name: borgbackup + state: present + become: true + when: ansible_pkg_mgr != 'pacman' - - name: Include JuiceFS tasks - ansible.builtin.include_tasks: juicefs.yml - tags: - - juicefs + - name: Include JuiceFS tasks + ansible.builtin.include_tasks: juicefs.yml + tags: + - juicefs - - name: Include Dynamic DNS tasks - ansible.builtin.include_tasks: dynamic-dns.yml - tags: - - dynamic-dns + - name: Include Dynamic DNS tasks + ansible.builtin.include_tasks: dynamic-dns.yml + tags: + - dynamic-dns - - name: Include Borg Backup tasks - ansible.builtin.include_tasks: borg-backup.yml - tags: - - borg-backup + - name: Include Borg Backup tasks + ansible.builtin.include_tasks: borg-backup.yml + tags: + - borg-backup - - name: Include Borg Local Sync tasks - ansible.builtin.include_tasks: borg-local-sync.yml - tags: - - borg-local-sync + - name: Include Borg Local Sync tasks + ansible.builtin.include_tasks: borg-local-sync.yml + tags: + - borg-local-sync - - name: System performance optimizations - ansible.posix.sysctl: - name: "{{ item.name }}" - value: "{{ item.value }}" - state: present - reload: true - become: true - loop: - - { name: "fs.file-max", value: "2097152" } # Max open files for the entire system - - { name: "vm.max_map_count", value: "16777216" } # Max memory map areas a process can have - - { name: "vm.swappiness", value: "10" } # Controls how aggressively the kernel swaps out memory - - { name: "vm.vfs_cache_pressure", value: "50" } # Controls kernel's tendency to reclaim memory for directory/inode caches - - { name: "net.core.somaxconn", value: "65535" } # Max pending connections for a listening socket - - { name: "net.core.netdev_max_backlog", value: "65535" } # Max packets queued on network interface input - - { name: "net.ipv4.tcp_fin_timeout", value: "30" } # How long sockets stay in FIN-WAIT-2 state - - { name: "net.ipv4.tcp_tw_reuse", value: "1" } # Allows reusing TIME_WAIT sockets for new outgoing connections + - name: System performance optimizations + ansible.posix.sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: present + reload: true + become: true + loop: + - { name: "fs.file-max", value: "2097152" } # Max open files for the entire system + - { name: "vm.max_map_count", value: "16777216" } # Max memory map areas a process can have + - { name: "vm.swappiness", value: "10" } # Controls how aggressively the kernel swaps out memory + - { name: "vm.vfs_cache_pressure", value: "50" } # Controls kernel's tendency to reclaim memory for directory/inode caches + - { name: "net.core.somaxconn", value: "65535" } # Max pending connections for a listening socket + - { name: "net.core.netdev_max_backlog", value: "65535" } # Max packets queued on network interface input + - { name: "net.ipv4.tcp_fin_timeout", value: "30" } # How long sockets stay in FIN-WAIT-2 state + - { name: "net.ipv4.tcp_tw_reuse", value: "1" } # Allows reusing TIME_WAIT sockets for new outgoing connections - - name: Include service tasks - ansible.builtin.include_tasks: "services/{{ item.name }}/{{ item.name }}.yml" - loop: "{{ services | selectattr('enabled', 'equalto', true) | selectattr('hosts', 'contains', inventory_hostname) | list if specific_service is not defined else services | selectattr('name', 'equalto', specific_service) | selectattr('enabled', 'equalto', true) | selectattr('hosts', 'contains', inventory_hostname) | list }}" - loop_control: - label: "{{ item.name }}" - tags: - - services - - always + - name: Include service tasks + ansible.builtin.include_tasks: "services/{{ item.name }}/{{ item.name }}.yml" + loop: "{{ services | selectattr('enabled', 'equalto', true) | selectattr('hosts', 'contains', inventory_hostname) | list if specific_service is not defined else services | selectattr('name', 'equalto', specific_service) | selectattr('enabled', 'equalto', true) | selectattr('hosts', 'contains', inventory_hostname) | list }}" + loop_control: + label: "{{ item.name }}" + tags: + - services + - always vars: - services: - - name: dashy - enabled: true - hosts: - - mennos-server - - name: gitea - enabled: true - hosts: - - mennos-server - - name: factorio - enabled: true - hosts: - - mennos-server - - name: dozzle - enabled: true - hosts: - - mennos-server - - name: beszel - enabled: true - hosts: - - mennos-server - - name: caddy - enabled: true - hosts: - - mennos-server - - name: golink - enabled: true - hosts: - - mennos-server - - name: immich - enabled: true - hosts: - - mennos-server - - name: plex - enabled: true - hosts: - - mennos-server - - name: tautulli - enabled: true - hosts: - - mennos-server - - name: downloaders - enabled: true - hosts: - - mennos-server - - name: wireguard - enabled: true - hosts: - - mennos-server - - name: nextcloud - enabled: true - hosts: - - mennos-server - - name: cloudreve - enabled: true - hosts: - - mennos-server - - name: echoip - enabled: true - hosts: - - mennos-server - - name: arr-stack - enabled: true - hosts: - - mennos-server - - name: home-assistant - enabled: true - hosts: - - mennos-server - - name: privatebin - enabled: true - hosts: - - mennos-server - - name: unifi-network-application - enabled: true - hosts: - - mennos-server - - name: avorion - enabled: false - hosts: - - mennos-server - - name: sathub - enabled: true - hosts: - - mennos-server + services: + - name: dashy + enabled: true + hosts: + - mennos-server + - name: gitea + enabled: true + hosts: + - mennos-server + - name: factorio + enabled: true + hosts: + - mennos-server + - name: dozzle + enabled: true + hosts: + - mennos-server + - name: beszel + enabled: true + hosts: + - mennos-server + - name: caddy + enabled: true + hosts: + - mennos-server + - name: golink + enabled: true + hosts: + - mennos-server + - name: immich + enabled: true + hosts: + - mennos-server + - name: plex + enabled: true + hosts: + - mennos-server + - name: tautulli + enabled: true + hosts: + - mennos-server + - name: downloaders + enabled: true + hosts: + - mennos-server + - name: wireguard + enabled: true + hosts: + - mennos-server + - name: nextcloud + enabled: true + hosts: + - mennos-server + - name: cloudreve + enabled: true + hosts: + - mennos-server + - name: echoip + enabled: true + hosts: + - mennos-server + - name: arr-stack + enabled: true + hosts: + - mennos-server + - name: home-assistant + enabled: true + hosts: + - mennos-server + - name: privatebin + enabled: true + hosts: + - mennos-server + - name: unifi-network-application + enabled: true + hosts: + - mennos-server + - name: avorion + enabled: false + hosts: + - mennos-server + - name: sathub + enabled: true + hosts: + - mennos-server + - name: necesse + enabled: true + hosts: + - mennos-server diff --git a/ansible/tasks/servers/services/redis/redis.yml b/ansible/tasks/servers/services/redis/redis.yml index 22b0f29..3f043f3 100644 --- a/ansible/tasks/servers/services/redis/redis.yml +++ b/ansible/tasks/servers/services/redis/redis.yml @@ -34,6 +34,7 @@ register: juicefs_stop changed_when: juicefs_stop.changed when: redis_compose.changed and juicefs_service_stat.stat.exists + become: true - name: List containers that are running ansible.builtin.command: docker ps -q @@ -68,6 +69,7 @@ register: juicefs_start changed_when: juicefs_start.changed when: juicefs_service_stat.stat.exists + become: true - name: Restart containers that were stopped ansible.builtin.command: docker start {{ item }} From f9ce652dfc7f17c6a758ec445ca964016ac50dc1 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:09:15 +0000 Subject: [PATCH 08/10] flake lock Signed-off-by: Menno van Leeuwen --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 169e1fd..611b318 100644 --- a/flake.lock +++ b/flake.lock @@ -41,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1760862643, - "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=", + "lastModified": 1761173472, + "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c", + "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", "type": "github" }, "original": { From e14dd1d224e9d7c4f1e2834d70cd1cc1a9ccbf2e Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:21:27 +0000 Subject: [PATCH 09/10] Add EU and trusted country lists for Caddy access control Define separate lists for EU and trusted countries in group vars. Update Caddyfile template to support EU, trusted, and combined allow lists. Switch Sathub domains to use combined country allow list. --- ansible/group_vars/servers.yml | 87 +++++++++++++++---- .../tasks/servers/services/caddy/Caddyfile.j2 | 68 +++++++++++++-- 2 files changed, 129 insertions(+), 26 deletions(-) diff --git a/ansible/group_vars/servers.yml b/ansible/group_vars/servers.yml index f2f2121..bed20bb 100644 --- a/ansible/group_vars/servers.yml +++ b/ansible/group_vars/servers.yml @@ -2,26 +2,77 @@ flatpaks: false install_ui_apps: false +# European countries for EU-specific access control +eu_countries_codes: + - AL # Albania + - AD # Andorra + - AM # Armenia + - AT # Austria + - AZ # Azerbaijan + # - BY # Belarus (Belarus is disabled due to geopolitical reasons) + - BE # Belgium + - BA # Bosnia and Herzegovina + - BG # Bulgaria + - HR # Croatia + - CY # Cyprus + - CZ # Czech Republic + - DK # Denmark + - EE # Estonia + - FI # Finland + - FR # France + - GE # Georgia + - DE # Germany + - GR # Greece + - HU # Hungary + - IS # Iceland + - IE # Ireland + - IT # Italy + - XK # Kosovo + - LV # Latvia + - LI # Liechtenstein + - LT # Lithuania + - LU # Luxembourg + - MK # North Macedonia + - MT # Malta + - MD # Moldova + - MC # Monaco + - ME # Montenegro + - NL # Netherlands + - NO # Norway + - PL # Poland + - PT # Portugal + - RO # Romania + # - RU # Russia (Russia is disabled due to geopolitical reasons) + - SM # San Marino + - RS # Serbia + - SK # Slovakia + - SI # Slovenia + - ES # Spain + - SE # Sweden + - CH # Switzerland + - TR # Turkey + - UA # Ukraine + - GB # United Kingdom + - VA # Vatican City + +# Trusted non-EU countries for extended access control +trusted_countries_codes: + - US # United States + - AU # Australia + - NZ # New Zealand + - JP # Japan + # Countries that are allowed to access the server Caddy reverse proxy allowed_countries_codes: - - US # United States - - CA # Canada - - GB # United Kingdom - - DE # Germany - - FR # France - - ES # Spain - - IT # Italy - - NL # Netherlands - - AU # Australia - - NZ # New Zealand - - JP # Japan - - KR # South Korea - - SK # Slovakia - - FI # Finland - - DK # Denmark - - SG # Singapore - - AT # Austria - - CH # Switzerland + - US # United States + - GB # United Kingdom + - DE # Germany + - FR # France + - IT # Italy + - NL # Netherlands + - JP # Japan + - KR # South Korea + - CH # Switzerland # IP ranges for blocked countries (generated automatically) # This will be populated by the country blocking script diff --git a/ansible/tasks/servers/services/caddy/Caddyfile.j2 b/ansible/tasks/servers/services/caddy/Caddyfile.j2 index baaa866..17d0aff 100644 --- a/ansible/tasks/servers/services/caddy/Caddyfile.j2 +++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2 @@ -28,22 +28,74 @@ } {% endif %} -# European country allow list - allows all European countries +# European country allow list - allows all European countries only +{% if eu_countries_codes | default([]) | length > 0 %} (eu_country_allow) { - @allowed_local { + @eu_allowed_local { remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 } - @not_allowed_countries { + @eu_not_allowed_countries { not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 not { maxmind_geolocation { db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" - allow_countries AL AD AM AT AZ BY BE BA BG HR CY CZ DK EE FI FR GE DE GR HU IS IE IT XK LV LI LT LU MK MT MD MC ME NL NO PL PT RO SM RS SK SI ES SE CH TR UA GB VA + allow_countries {{ eu_countries_codes | join(' ') }} } } } - respond @not_allowed_countries "Access denied" 403 + respond @eu_not_allowed_countries "Access denied" 403 } +{% else %} +(eu_country_allow) { + # EU country allow list disabled +} +{% endif %} + +# Trusted country allow list - allows US, Australia, New Zealand, and Japan +{% if trusted_countries_codes | default([]) | length > 0 %} +(trusted_country_allow) { + @trusted_allowed_local { + remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + } + @trusted_not_allowed_countries { + not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + not { + maxmind_geolocation { + db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" + allow_countries {{ trusted_countries_codes | join(' ') }} + } + } + } + respond @trusted_not_allowed_countries "Access denied" 403 +} +{% else %} +(trusted_country_allow) { + # Trusted country allow list disabled +} +{% endif %} + +# Sathub country allow list - combines EU and trusted countries +{% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %} +(sathub_country_allow) { + @sathub_allowed_local { + remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + } + @sathub_not_allowed_countries { + not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1 + not { + maxmind_geolocation { + db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb" + allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }} + } + } + } + respond @sathub_not_allowed_countries "Access denied" 403 +} +{% else %} +(sathub_country_allow) { + # Sathub country allow list disabled +} +{% endif %} {% if inventory_hostname == 'mennos-server' %} git.mvl.sh { @@ -89,7 +141,7 @@ beszel.vleeuwen.me { } sathub.de { - import eu_country_allow + import sathub_country_allow handle { reverse_proxy sathub-frontend:4173 @@ -110,13 +162,13 @@ sathub.de { } api.sathub.de { - import eu_country_allow + import sathub_country_allow reverse_proxy sathub-backend:4001 tls {{ caddy_email }} } sathub.nl { - import eu_country_allow + import sathub_country_allow redir https://sathub.de{uri} tls {{ caddy_email }} } From a11376fe96949a75f86d057d617115da39050b2c Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Sun, 26 Oct 2025 00:24:17 +0000 Subject: [PATCH 10/10] Add monitoring countries to allowed_countries_codes list --- ansible/group_vars/servers.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/group_vars/servers.yml b/ansible/group_vars/servers.yml index bed20bb..7fb2303 100644 --- a/ansible/group_vars/servers.yml +++ b/ansible/group_vars/servers.yml @@ -73,10 +73,10 @@ allowed_countries_codes: - JP # Japan - KR # South Korea - CH # Switzerland - -# IP ranges for blocked countries (generated automatically) -# This will be populated by the country blocking script -blocked_countries: [] + - AU # Australia (Added for UpDown.io to monitor server uptime) + - CA # Canada (Added for UpDown.io to monitor server uptime) + - FI # Finland (Added for UpDown.io to monitor server uptime) + - SG # Singapore (Added for UpDown.io to monitor server uptime) # Enable/disable country blocking globally enable_country_blocking: true