Merge branch 'master' of ssh://git.mvl.sh/vleeuwenmenno/dotfiles

2025-10-21 10:06:20 +02:00
parent 436deb267e 77424506d6
commit f6a3f6d379
21 changed files with 337 additions and 97 deletions
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -4,5 +4,5 @@ mennos-desktop ansible_connection=local

 [servers]
 mennos-vps ansible_connection=local
-mennos-desktop ansible_connection=local
+mennos-server ansible_connection=local
 mennos-rtlsdr-pc ansible_connection=local
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -16,4 +16,4 @@

    - name: Include server tasks
      ansible.builtin.import_tasks: tasks/servers/server.yml
-      when: inventory_hostname in ['mennos-vps', 'mennos-desktop', 'mennos-rtlsdr-pc']
+      when: inventory_hostname in ['mennos-vps', 'mennos-server', 'mennos-rtlsdr-pc']
--- a/ansible/tasks/global/utils/smart-ssh/config.yaml
+++ b/ansible/tasks/global/utils/smart-ssh/config.yaml
@@ -13,6 +13,12 @@ smart_aliases:
  desktop:
    primary: "desktop-local"
    fallback: "desktop"
+    check_host: "192.168.1.250"
+    timeout: "2s"
+
+  server:
+    primary: "server-local"
+    fallback: "server"
    check_host: "192.168.1.254"
    timeout: "2s"

--- a/ansible/tasks/servers/dynamic-dns.yml
+++ b/ansible/tasks/servers/dynamic-dns.yml
@@ -83,6 +83,6 @@
          - Manual run: sudo /usr/local/bin/dynamic-dns-update.sh
          - Domains: vleeuwen.me, mvl.sh, mennovanleeuwen.nl

-  when: inventory_hostname == 'mennos-desktop' or inventory_hostname == 'mennos-vps'
+  when: inventory_hostname == 'mennos-server' or inventory_hostname == 'mennos-vps'
  tags:
    - dynamic-dns
--- a/ansible/tasks/servers/juicefs.yml
+++ b/ansible/tasks/servers/juicefs.yml
@@ -70,7 +70,7 @@

    - name: Include JuiceFS Redis tasks
      ansible.builtin.include_tasks: services/redis/redis.yml
-      when: inventory_hostname == 'mennos-desktop'
+      when: inventory_hostname == 'mennos-server'

    - name: Enable and start JuiceFS service
      ansible.builtin.systemd:
--- a/ansible/tasks/servers/server.yml
+++ b/ansible/tasks/servers/server.yml
@@ -78,84 +78,84 @@
      - name: dashy
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: gitea
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: factorio
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: dozzle
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: beszel
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: caddy
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: golink
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: immich
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: plex
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: tautulli
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: downloaders
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: wireguard
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: nextcloud
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: cloudreve
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: echoip
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: arr-stack
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: home-assistant
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: privatebin
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: unifi-network-application
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: avorion
        enabled: false
        hosts:
-          - mennos-desktop
+          - mennos-server
      - name: sathub
        enabled: true
        hosts:
-          - mennos-desktop
+          - mennos-server
--- a/ansible/tasks/servers/services/caddy/Caddyfile.j2
+++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2
@@ -28,7 +28,7 @@
 }
 {% endif %}

-{% if inventory_hostname == 'mennos-desktop' %}
+{% if inventory_hostname == 'mennos-server' %}
 git.mvl.sh {
   import country_block
   reverse_proxy gitea:3000
--- a/ansible/tasks/servers/services/cloudreve/docker-compose.yml.j2
+++ b/ansible/tasks/servers/services/cloudreve/docker-compose.yml.j2
@@ -46,6 +46,10 @@ services:
    networks:
      - cloudreve
      - caddy_network
+    deploy:
+      resources:
+        limits:
+          memory: 1G

  redis:
    image: redis:latest
--- a/ansible/tasks/servers/services/dashy/conf.yml.j2
+++ b/ansible/tasks/servers/services/dashy/conf.yml.j2
@@ -5,34 +5,34 @@ sections:
  - name: Selfhosted
    items:
      - title: Plex
-        icon: http://mennos-desktop:4000/assets/plex.svg
+        icon: http://mennos-server:4000/assets/plex.svg
        url: https://plex.mvl.sh
        statusCheckUrl: https://plex.mvl.sh/identity
        statusCheck: true
        id: 0_1035_plex
      - title: Tautulli
-        icon: http://mennos-desktop:4000/assets/tautulli.svg
+        icon: http://mennos-server:4000/assets/tautulli.svg
        url: https://tautulli.mvl.sh
        id: 1_1035_tautulli
        statusCheck: true
      - title: Overseerr
-        icon: http://mennos-desktop:4000/assets/overseerr.svg
+        icon: http://mennos-server:4000/assets/overseerr.svg
        url: https://overseerr.mvl.sh
        id: 2_1035_overseerr
        statusCheck: true
      - title: Immich
-        icon: http://mennos-desktop:4000/assets/immich.svg
+        icon: http://mennos-server:4000/assets/immich.svg
        url: https://photos.mvl.sh
        id: 3_1035_immich
        statusCheck: true
      - title: Nextcloud
-        icon: http://mennos-desktop:4000/assets/nextcloud.svg
+        icon: http://mennos-server:4000/assets/nextcloud.svg
        url: https://drive.mvl.sh
        id: 3_1035_nxtcld
        statusCheck: true
      - title: ComfyUI
-        icon: http://mennos-desktop:8188/assets/favicon.ico
-        url: http://mennos-desktop:8188
+        icon: http://mennos-server:8188/assets/favicon.ico
+        url: http://mennos-server:8188
        statusCheckUrl: http://host.docker.internal:8188/api/system_stats
        id: 3_1035_comfyui
        statusCheck: true
@@ -45,19 +45,19 @@ sections:
  - name: Media Management
    items:
      - title: Sonarr
-        icon: http://mennos-desktop:4000/assets/sonarr.svg
+        icon: http://mennos-server:4000/assets/sonarr.svg
        url: http://go/sonarr
        id: 0_1533_sonarr
      - title: Radarr
-        icon: http://mennos-desktop:4000/assets/radarr.svg
+        icon: http://mennos-server:4000/assets/radarr.svg
        url: http://go/radarr
        id: 1_1533_radarr
      - title: Prowlarr
-        icon: http://mennos-desktop:4000/assets/prowlarr.svg
+        icon: http://mennos-server:4000/assets/prowlarr.svg
        url: http://go/prowlarr
        id: 2_1533_prowlarr
      - title: Tdarr
-        icon: http://mennos-desktop:4000/assets/tdarr.png
+        icon: http://mennos-server:4000/assets/tdarr.png
        url: http://go/tdarr
        id: 3_1533_tdarr
  - name: Kagi
@@ -77,7 +77,7 @@ sections:
  - name: News
    items:
      - title: Nu.nl
-        icon: http://mennos-desktop:4000/assets/nunl.svg
+        icon: http://mennos-server:4000/assets/nunl.svg
        url: https://www.nu.nl/
        id: 0_380_nu
      - title: Tweakers.net
@@ -91,7 +91,7 @@ sections:
  - name: Downloaders
    items:
      - title: qBittorrent
-        icon: http://mennos-desktop:4000/assets/qbittorrent.svg
+        icon: http://mennos-server:4000/assets/qbittorrent.svg
        url: http://go/qbit
        id: 0_1154_qbittorrent
        tags:
@@ -99,7 +99,7 @@ sections:
          - torrent
          - yarr
      - title: Sabnzbd
-        icon: http://mennos-desktop:4000/assets/sabnzbd.svg
+        icon: http://mennos-server:4000/assets/sabnzbd.svg
        url: http://go/sabnzbd
        id: 1_1154_sabnzbd
        tags:
@@ -109,7 +109,7 @@ sections:
  - name: Git
    items:
      - title: GitHub
-        icon: http://mennos-desktop:4000/assets/github.svg
+        icon: http://mennos-server:4000/assets/github.svg
        url: https://github.com/vleeuwenmenno
        id: 0_292_github
        tags:
@@ -117,7 +117,7 @@ sections:
          - git
          - hub
      - title: Gitea
-        icon: http://mennos-desktop:4000/assets/gitea.svg
+        icon: http://mennos-server:4000/assets/gitea.svg
        url: http://git.mvl.sh/vleeuwenmenno
        id: 1_292_gitea
        tags:
@@ -127,14 +127,14 @@ sections:
  - name: Server Monitoring
    items:
      - title: Beszel
-        icon: http://mennos-desktop:4000/assets/beszel.svg
+        icon: http://mennos-server:4000/assets/beszel.svg
        url: http://go/beszel
        tags:
          - monitoring
          - logs
        id: 0_1725_beszel
      - title: Dozzle
-        icon: http://mennos-desktop:4000/assets/dozzle.svg
+        icon: http://mennos-server:4000/assets/dozzle.svg
        url: http://go/dozzle
        id: 1_1725_dozzle
        tags:
@@ -150,19 +150,19 @@ sections:
  - name: Tools
    items:
      - title: Home Assistant
-        icon: http://mennos-desktop:4000/assets/home-assistant.svg
+        icon: http://mennos-server:4000/assets/home-assistant.svg
        url: http://go/homeassistant
        id: 0_529_homeassistant
      - title: Tailscale
-        icon: http://mennos-desktop:4000/assets/tailscale.svg
+        icon: http://mennos-server:4000/assets/tailscale.svg
        url: http://go/tailscale
        id: 1_529_tailscale
      - title: GliNet KVM
-        icon: http://mennos-desktop:4000/assets/glinet.svg
+        icon: http://mennos-server:4000/assets/glinet.svg
        url: http://go/glkvm
        id: 2_529_glinetkvm
      - title: Unifi Network Controller
-        icon: http://mennos-desktop:4000/assets/unifi.svg
+        icon: http://mennos-server:4000/assets/unifi.svg
        url: http://go/unifi
        id: 3_529_unifinetworkcontroller
      - title: Dashboard Icons
@@ -236,7 +236,7 @@ sections:
          - discount
          - work
      - title: Proxmox
-        icon: http://mennos-desktop:4000/assets/proxmox.svg
+        icon: http://mennos-server:4000/assets/proxmox.svg
        url: https://www.transip.nl/cp/vps/prm/350680/
        id: 5_1429_proxmox
        tags:
@@ -252,7 +252,7 @@ sections:
          - discount
          - work
      - title: Kibana
-        icon: http://mennos-desktop:4000/assets/kibana.svg
+        icon: http://mennos-server:4000/assets/kibana.svg
        url: http://go/kibana
        id: 7_1429_kibana
        tags:
--- a/ansible/tasks/servers/services/sathub/.env.j2
+++ b/ansible/tasks/servers/services/sathub/.env.j2
@@ -0,0 +1,47 @@
+# Production Environment Variables
+# Copy this to .env and fill in your values
+
+# Database configuration (PostgreSQL)
+DB_TYPE=postgres
+DB_HOST=postgres
+DB_PORT=5432
+DB_USER=sathub
+DB_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+DB_NAME=sathub
+
+# Required: JWT secret for token signing
+JWT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='JWT_SECRET') }}
+
+# Required: Two-factor authentication encryption key
+TWO_FA_ENCRYPTION_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='TWO_FA_ENCRYPTION_KEY') }}
+
+# Email configuration (required for password resets)
+SMTP_HOST={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_HOST') }}
+SMTP_PORT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PORT') }}
+SMTP_USERNAME={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_USERNAME') }}
+SMTP_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PASSWORD') }}
+SMTP_FROM_EMAIL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_FROM_EMAIL') }}
+
+# MinIO Object Storage configuration
+MINIO_ROOT_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+MINIO_ROOT_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+# Basically the same as the above
+MINIO_ACCESS_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+MINIO_SECRET_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+
+# GitHub credentials for Watchtower (auto-updates)
+GITHUB_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+GITHUB_PAT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+REPO_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+REPO_PASS={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+
+# Optional: Override defaults if needed
+# GIN_MODE=release (set automatically)
+FRONTEND_URL=https://sathub.de
+
+# CORS configuration (optional - additional allowed origins)
+CORS_ALLOWED_ORIGINS=https://sathub.de,https://sathub.nl,https://api.sathub.de
+
+# Frontend configuration (optional - defaults are provided)
+VITE_API_BASE_URL=https://api.sathub.de
+VITE_ALLOWED_HOSTS=sathub.de,sathub.nl
--- a/ansible/tasks/servers/services/sathub/docker-compose.yml.j2
+++ b/ansible/tasks/servers/services/sathub/docker-compose.yml.j2
@@ -1,43 +1,108 @@
 services:
-  backend:
-    image: ghcr.io/vleeuwenmenno/sathub/backend:latest
-    container_name: sathub-backend
-    restart: unless-stopped
+  # Migration service - runs once on stack startup
+  migrate:
+    image: ghcr.io/vleeuwenmenno/sathub-backend/backend:latest
+    container_name: sathub-migrate
+    restart: "no"
+    command: ["./main", "auto-migrate"]
    environment:
      - GIN_MODE=release
-      - FRONTEND_URL=${FRONTEND_URL:-https://sathub.de}
-      - CORS_ALLOWED_ORIGINS={{ cors_allowed_origins | default('') }}

      # Database settings
      - DB_TYPE=postgres
      - DB_HOST=postgres
      - DB_PORT=5432
      - DB_USER=${DB_USER:-sathub}
-      - DB_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+      - DB_PASSWORD=${DB_PASSWORD}
      - DB_NAME=${DB_NAME:-sathub}

-      # Security settings
-      - JWT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='JWT_SECRET') }}
-      - TWO_FA_ENCRYPTION_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='TWO_FA_ENCRYPTION_KEY') }}
-
-      # SMTP settings
-      - SMTP_HOST={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_HOST') }}
-      - SMTP_PORT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PORT') }}
-      - SMTP_USERNAME={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_USERNAME') }}
-      - SMTP_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PASSWORD') }}
-      - SMTP_FROM_EMAIL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_FROM_EMAIL') }}
-
      # MinIO settings
      - MINIO_ENDPOINT=http://minio:9000
      - MINIO_BUCKET=sathub-images
-      - MINIO_ACCESS_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
-      - MINIO_SECRET_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+    networks:
+      - sathub
+    depends_on:
+      - postgres
+
+  backend:
+    image: ghcr.io/vleeuwenmenno/sathub-backend/backend:latest
+    container_name: sathub-backend
+    restart: unless-stopped
+    command: ["./main", "api"]
+    environment:
+      - GIN_MODE=release
+      - FRONTEND_URL=${FRONTEND_URL:-https://sathub.de}
+      - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-https://sathub.de}
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # Security settings
+      - JWT_SECRET=${JWT_SECRET}
+      - TWO_FA_ENCRYPTION_KEY=${TWO_FA_ENCRYPTION_KEY}
+
+      # SMTP settings
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
      - MINIO_EXTERNAL_URL=https://obj.sathub.de
    networks:
      - sathub
      - caddy_network
    depends_on:
-      - postgres
+      migrate:
+        condition: service_completed_successfully
+
+  worker:
+    image: ghcr.io/vleeuwenmenno/sathub-backend/backend:latest
+    container_name: sathub-worker
+    restart: unless-stopped
+    command: ["./main", "worker"]
+    environment:
+      - GIN_MODE=release
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # SMTP settings (needed for notifications)
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+    networks:
+      - sathub
+    depends_on:
+      migrate:
+        condition: service_completed_successfully

  postgres:
    image: postgres:15-alpine
@@ -45,20 +110,20 @@ services:
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${DB_USER:-sathub}
-      - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=${DB_NAME:-sathub}
    volumes:
-      - {{ sathub_data_dir }}/postgres:/var/lib/postgresql/data
+      - postgres_data:/var/lib/postgresql/data
    networks:
      - sathub

  frontend:
-    image: ghcr.io/vleeuwenmenno/sathub/frontend:latest
+    image: ghcr.io/vleeuwenmenno/sathub-frontend/frontend:latest
    container_name: sathub-frontend
    restart: unless-stopped
    environment:
-      - VITE_API_BASE_URL={{ frontend_api_base_url | default('https://api.sathub.de') }}
-      - VITE_ALLOWED_HOSTS={{ frontend_allowed_hosts | default('sathub.de,sathub.nl') }}
+      - VITE_API_BASE_URL=${VITE_API_BASE_URL:-https://api.sathub.de}
+      - VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-sathub.de,sathub.nl}
    networks:
      - sathub
      - caddy_network
@@ -68,10 +133,10 @@ services:
    container_name: sathub-minio
    restart: unless-stopped
    environment:
-      - MINIO_ROOT_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
-      - MINIO_ROOT_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
    volumes:
-      - {{ sathub_data_dir }}/minio:/data
+      - minio_data:/data
    command: server /data --console-address :9001
    networks:
      - sathub
@@ -87,15 +152,25 @@ services:
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_STOPPED=false
-      - REPO_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
-      - REPO_PASS={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
-    command: --interval 30 --cleanup --include-stopped=false sathub-backend sathub-frontend
+      - REPO_USER=${REPO_USER}
+      - REPO_PASS=${REPO_PASS}
+    command: --interval 30 --cleanup --include-stopped=false sathub-backend sathub-worker sathub-frontend
    networks:
      - sathub

+volumes:
+  minio_data:
+    driver: local
+  postgres_data:
+    driver: local
+
 networks:
  sathub:
    driver: bridge
+
+  # We assume you're running a Caddy instance in a separate compose file with this network
+  # If not, you can remove this network and the related depends_on in the services above
+  # But the stack is designed to run behind a Caddy reverse proxy for SSL termination and routing
  caddy_network:
    external: true
    name: caddy_default
--- a/ansible/tasks/servers/services/sathub/sathub.yml
+++ b/ansible/tasks/servers/services/sathub/sathub.yml
@@ -24,6 +24,13 @@
        state: directory
        mode: "0755"

+    - name: Deploy SatHub .env
+      ansible.builtin.template:
+        src: .env.j2
+        dest: "{{ sathub_service_dir }}/.env"
+        mode: "0644"
+      register: sathub_env
+
    - name: Deploy SatHub docker-compose.yml
      ansible.builtin.template:
        src: docker-compose.yml.j2
@@ -33,11 +40,11 @@

    - name: Stop SatHub service
      ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" down --remove-orphans
-      when: sathub_compose.changed
+      when: sathub_compose.changed or sathub_env.changed

    - name: Start SatHub service
      ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" up -d
-      when: sathub_compose.changed
+      when: sathub_compose.changed or sathub_env.changed
  tags:
    - services
    - sathub
--- a/ansible/tasks/workstations/flatpaks.yml
+++ b/ansible/tasks/workstations/flatpaks.yml
@@ -53,6 +53,7 @@
      - io.mango3d.LycheeSlicer

      # Utilities
+      - com.fastmail.Fastmail
      - com.ranfdev.DistroShelf
      - io.missioncenter.MissionCenter
      - io.gitlab.elescoute.spacelaunch
--- a/ansible/templates/juicefs.service.j2
+++ b/ansible/templates/juicefs.service.j2
@@ -5,7 +5,7 @@ Before=docker.service

 [Service]
 Type=simple
-ExecStart=/usr/local/bin/juicefs mount redis://:{{ redis_password }}@mennos-desktop:6379/0 /mnt/object_storage \
+ExecStart=/usr/local/bin/juicefs mount redis://:{{ redis_password }}@mennos-server:6379/0 /mnt/object_storage \
  --cache-dir=/var/jfsCache \
  --buffer-size=4096 \
  --prefetch=16 \
--- a/config/autostart/Nextcloud.desktop
+++ b/config/autostart/Nextcloud.desktop
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=Nextcloud
+GenericName=File Synchronizer
+Exec="/usr/bin/nextcloud" --background
+Terminal=false
+Icon=Nextcloud
+Categories=Network
+Type=Application
+StartupNotify=false
+X-GNOME-Autostart-enabled=true
+X-GNOME-Autostart-Delay=10
--- a/config/autostart/equibop.desktop
+++ b/config/autostart/equibop.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Type=Application
+Name=Equibop
+Comment=Equibop autostart script
+Exec="/opt/Equibop/equibop"
+StartupNotify=false
+Terminal=false
+Icon=vesktop
--- a/config/git.nix
+++ b/config/git.nix
@@ -23,7 +23,7 @@
      };

      core = {
-        editor = "zed";
+        editor = "micro";
        autocrlf = false;
        filemode = true;
        ignorecase = false;
--- a/config/nextcloud.cfg
+++ b/config/nextcloud.cfg
@@ -0,0 +1,80 @@
+[General]
+clientVersion=3.16.0-1 (Debian built)
+desktopEnterpriseChannel=daily
+isVfsEnabled=false
+launchOnSystemStartup=true
+optionalServerNotifications=true
+overrideLocalDir=
+overrideServerUrl=
+promptDeleteAllFiles=false
+showCallNotifications=true
+showChatNotifications=true
+
+[Accounts]
+0\Folders\1\ignoreHiddenFiles=false
+0\Folders\1\journalPath=.sync_42a4129584d0.db
+0\Folders\1\localPath=/home/menno/Nextcloud/
+0\Folders\1\paused=false
+0\Folders\1\targetPath=/
+0\Folders\1\version=2
+0\Folders\1\virtualFilesMode=off
+0\Folders\2\ignoreHiddenFiles=false
+0\Folders\2\journalPath=.sync_65a742b0aa83.db
+0\Folders\2\localPath=/home/menno/Desktop/
+0\Folders\2\paused=false
+0\Folders\2\targetPath=/Desktop
+0\Folders\2\version=2
+0\Folders\2\virtualFilesMode=off
+0\Folders\3\ignoreHiddenFiles=false
+0\Folders\3\journalPath=.sync_65289e64a490.db
+0\Folders\3\localPath=/home/menno/Documents/
+0\Folders\3\paused=false
+0\Folders\3\targetPath=/Documents
+0\Folders\3\version=2
+0\Folders\3\virtualFilesMode=off
+0\Folders\4\ignoreHiddenFiles=false
+0\Folders\4\journalPath=.sync_283a65eecb9c.db
+0\Folders\4\localPath=/home/menno/Music/
+0\Folders\4\paused=false
+0\Folders\4\targetPath=/Music
+0\Folders\4\version=2
+0\Folders\4\virtualFilesMode=off
+0\Folders\5\ignoreHiddenFiles=false
+0\Folders\5\journalPath=.sync_884042991bd6.db
+0\Folders\5\localPath=/home/menno/3D Objects/
+0\Folders\5\paused=false
+0\Folders\5\targetPath=/3D Objects
+0\Folders\5\version=2
+0\Folders\5\virtualFilesMode=off
+0\Folders\6\ignoreHiddenFiles=false
+0\Folders\6\journalPath=.sync_90ea5e3c7a33.db
+0\Folders\6\localPath=/home/menno/Videos/
+0\Folders\6\paused=false
+0\Folders\6\targetPath=/Videos
+0\Folders\6\version=2
+0\Folders\6\virtualFilesMode=off
+0\authType=webflow
+0\dav_user=menno
+0\displayName=Menno van Leeuwen
+0\encryptionCertificateSha256Fingerprint=@ByteArray()
+0\networkDownloadLimit=0
+0\networkDownloadLimitSetting=-2
+0\networkProxyHostName=
+0\networkProxyNeedsAuth=false
+0\networkProxyPort=0
+0\networkProxySetting=0
+0\networkProxyType=2
+0\networkProxyUser=
+0\networkUploadLimit=0
+0\networkUploadLimitSetting=-2
+0\serverColor=@Variant(\0\0\0\x43\x1\xff\xff\x1c\x1c$$<<\0\0)
+0\serverHasValidSubscription=false
+0\serverTextColor=@Variant(\0\0\0\x43\x1\xff\xff\xff\xff\xff\xff\xff\xff\0\0)
+0\serverVersion=32.0.0.13
+0\url=https://drive.mvl.sh
+0\version=13
+0\webflow_user=menno
+version=13
+
+[Settings]
+geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\0\0\0\0\x4\xe\0\0\x2\x37\0\0\x6W\0\0\0\0\0\0\x4\xe\0\0\x2\x37\0\0\x6W\0\0\0\x1\0\0\0\0\x14\0\0\0\0\0\0\0\x4\xe\0\0\x2\x37\0\0\x6W)
--- a/flake.lock
+++ b/flake.lock
@@ -41,11 +41,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1759735786,
-        "narHash": "sha256-a0+h02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0=",
+        "lastModified": 1760862643,
+        "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "20c4598c84a671783f741e02bf05cbfaf4907cff",
+        "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
        "type": "github"
      },
      "original": {
@@ -77,11 +77,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1751283143,
-        "narHash": "sha256-I3DMLT0qg5xxjS7BrmOBIK6pG+vZqOhKivEGnkDIli8=",
+        "lastModified": 1760894497,
+        "narHash": "sha256-u2unItzVvUe3Y2opdJrISGtHSmQLVnDOIfhWvSBrw74=",
        "owner": "brizzbuzz",
        "repo": "opnix",
-        "rev": "1a807befe8f418da0df24c54b9633c395d840d0e",
+        "rev": "92974503378ca6ec6206b74cd3a78377a5796cbb",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,7 @@
        {
          "mennos-vps" = mkHomeConfig "aarch64-linux" "mennos-vps" true;
          "mennos-desktop" = mkHomeConfig "x86_64-linux" "mennos-desktop" false;
+          "mennos-server" = mkHomeConfig "x86_64-linux" "mennos-server" true;
          "mennos-rtlsdr-pc" = mkHomeConfig "x86_64-linux" "mennos-rtlsdr-pc" true;
          "mennos-laptop" = mkHomeConfig "x86_64-linux" "mennos-laptop" false;
        };