Update flake.lock

Include Vicinae setup in workstation playbook for non-WSL2 systems

Update flake.lock to newer nixpkgs revision

.bashrc

@@ -1,202 +0,0 @@
-# HISTFILE Configuration (Bash equivalent)
-HISTFILE=~/.bash_history
-HISTSIZE=1000
-HISTFILESIZE=2000  # Adjusted to match both histfile and size criteria
-
-# GPU Related shenanigans
-if [ "$(hostname)" = "mennos-desktop" ]; then
-    export DRI_PRIME=1
-    export MESA_VK_DEVICE_SELECT=1002:744c
-fi
-
-if [ -f /etc/os-release ]; then
-    distro=$(awk -F= '/^NAME/{print $ssss2}' /etc/os-release | tr -d '"')
-    if [[ "$distro" == *"Pop!_OS"* ]]; then
-        export CGO_CFLAGS="-I/usr/include"
-    fi
-fi
-
-# For microsoft-standard-WSL2 in uname -a
-if [[ "$(uname -a)" == *"microsoft-standard-WSL2"* ]]; then
-    source $HOME/.agent-bridge.sh
-    alias winget='winget.exe'
-fi
-
-# Set SSH_AUTH_SOCK to ~/.1password/agent.sock, but only if we don't already have a SSH_AUTH_SOCK
-if [ -z "$SSH_AUTH_SOCK" ]; then
-    export SSH_AUTH_SOCK=~/.1password/agent.sock
-fi
-
-# Docker Compose Alias (Mostly for old shell scripts)
-alias docker-compose='docker compose'
-
-# Modern tools aliases
-alias l="eza --header --long --git --group-directories-first --group --icons --color=always --sort=name --hyperlink -o --no-permissions"
-alias ll='l'
-alias la='l -a'
-alias cat='bat'
-alias du='dust'
-alias df='duf'
-alias augp='sudo apt update && sudo apt upgrade -y && sudo apt autopurge -y && sudo apt autoclean'
-
-# Docker Aliases
-alias d='docker'
-alias dc='docker compose'
-alias dce='docker compose exec'
-alias dcl='docker compose logs'
-alias dcd='docker compose down'
-alias dcu='docker compose up'
-alias dcp='docker compose ps'
-alias dcps='docker compose ps'
-alias dcpr='dcp && dcd && dcu -d && dcl -f'
-alias dcr='dcd && dcu -d && dcl -f'
-alias ddpul='docker compose down && docker compose pull && docker compose up -d && docker compose logs -f'
-alias docker-nuke='docker kill $(docker ps -q) && docker rm $(docker ps -a -q) && docker system prune --all --volumes --force && docker volume prune --force'
-
-# Git aliases
-alias g='git'
-alias gg='git pull'
-alias gl='git log --stat'
-alias gp='git push'
-alias gs='git status -s'
-alias gst='git status'
-alias ga='git add'
-alias gc='git commit'
-alias gcm='git commit -m'
-alias gco='git checkout'
-alias gcb='git checkout -b'
-
-# Kubernetes aliases (Minikube)
-alias kubectl="minikube kubectl --"
-alias zed=zeditor
-alias ssh="~/.local/bin/smart-ssh"
-
-# random string (Syntax: random <length>)
-alias random='openssl rand -base64'
-
-# Alias for ls to l but only if it's an interactive shell because we don't want to override ls in scripts which could blow up in our face
-if [ -t 1 ]; then
-    alias ls='l'
-fi
-
-# PATH Manipulation
-export DOTFILES_PATH=$HOME/.dotfiles
-export PATH=$PATH:$HOME/.local/bin
-export PATH=$PATH:$HOME/.cargo/bin
-export PATH=$PATH:$DOTFILES_PATH/bin
-export PATH="/usr/bin:$PATH"
-
-if [ -d /usr/lib/pkgconfig ]; then
-    export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig:$PKG_CONFIG_PATH
-fi
-
-# Include spicetify if it exists
-if [ -d "$HOME/.spicetify" ]; then
-    export PATH=$PATH:$HOME/.spicetify
-fi
-
-# Include pyenv if it exists
-if [ -d "$HOME/.pyenv" ]; then
-    export PYENV_ROOT="$HOME/.pyenv"
-    [[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"
-    eval "$(pyenv init - bash)"
-fi
-
-# Include pnpm if it exists
-if [ -d "$HOME/.local/share/pnpm" ]; then
-    export PATH=$PATH:$HOME/.local/share/pnpm
-fi
-
-# Miniconda
-export PATH="$HOME/miniconda3/bin:$PATH"
-
-# In case $HOME/.flutter/flutter/bin is found, we can add it to the PATH
-if [ -d "$HOME/.flutter/flutter/bin" ]; then
-    export PATH=$PATH:$HOME/.flutter/flutter/bin
-    export PATH="$PATH":"$HOME/.pub-cache/bin"
-
-    # Flutter linux fixes:
-    export CPPFLAGS="-I/usr/include"
-    export LDFLAGS="-L/usr/lib/x86_64-linux-gnu -lbz2"
-    export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig:$PKG_CONFIG_PATH
-fi
-
-# Add flatpak to XDG_DATA_DIRS
-export XDG_DATA_DIRS=$XDG_DATA_DIRS:/usr/share:/var/lib/flatpak/exports/share:$HOME/.local/share/flatpak/exports/share
-
-# Allow unfree nixos
-export NIXPKGS_ALLOW_UNFREE=1
-
-# Allow insecure nixpkgs
-export NIXPKGS_ALLOW_INSECURE=1
-
-# Tradaware / DiscountOffice Configuration
-if [ -d "/home/menno/Projects/Work" ]; then
-    export TRADAWARE_DEVOPS=true
-fi
-
-# 1Password Source Plugin (Assuming bash compatibility)
-if [ -f /home/menno/.config/op/plugins.sh ]; then
-    source /home/menno/.config/op/plugins.sh
-fi
-
-# Initialize starship if available
-if ! command -v starship &> /dev/null; then
-    echo "FYI, starship not found"
-else
-    export STARSHIP_ENABLE_RIGHT_PROMPT=true
-    export STARSHIP_ENABLE_BASH_CONTINUATION=true
-    eval "$(starship init bash)"
-fi
-
-# Read .op_sat
-if [ -f ~/.op_sat ]; then
-    export OP_SERVICE_ACCOUNT_TOKEN=$(cat ~/.op_sat)
-
-    # Ensure .op_sat is 0600 and only readable by the owner
-    if [ "$(stat -c %a ~/.op_sat)" != "600" ]; then
-        echo "WARNING: ~/.op_sat is not 0600, please fix this!"
-    fi
-
-    if [ "$(stat -c %U ~/.op_sat)" != "$(whoami)" ]; then
-        echo "WARNING: ~/.op_sat is not owned by the current user, please fix this!"
-    fi
-fi
-
-# Source nix home-manager
-if [ -f "$HOME/.nix-profile/etc/profile.d/hm-session-vars.sh" ]; then
-    . "$HOME/.nix-profile/etc/profile.d/hm-session-vars.sh"
-fi
-
-# Source ble.sh if it exists
-if [[ -f "${HOME}/.nix-profile/share/blesh/ble.sh" ]]; then
-    source "${HOME}/.nix-profile/share/blesh/ble.sh"
-
-    # Custom function for fzf history search
-    function fzf_history_search() {
-        local selected
-        selected=$(history | fzf --tac --height=40% --layout=reverse --border --info=inline \
-            --query="$READLINE_LINE" \
-            --color 'fg:#ebdbb2,bg:#282828,hl:#fabd2f,fg+:#ebdbb2,bg+:#3c3836,hl+:#fabd2f' \
-            --color 'info:#83a598,prompt:#bdae93,spinner:#fabd2f,pointer:#83a598,marker:#fe8019,header:#665c54' \
-            | sed 's/^ *[0-9]* *//')
-        if [[ -n "$selected" ]]; then
-            READLINE_LINE="$selected"
-            READLINE_POINT=${#selected}
-        fi
-        ble-redraw-prompt
-    }
-
-    # Bind Ctrl+R to our custom function
-    bind -x '"\C-r": fzf_history_search'
-fi
-
-# In case a basrc.local exists, source it
-if [ -f $HOME/.bashrc.local ]; then
-    source $HOME/.bashrc.local
-fi
-
-# Display a welcome message for interactive shells
-if [ -t 1 ]; then
-    helloworld
-fi

.github/workflows/python.yml

@@ -3,7 +3,7 @@ name: Python Lint Check
 on:
   pull_request:
   push:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   check-python:
@@ -29,7 +29,7 @@ jobs:
             exit 0
           fi
 
-          pylint $python_files
+          pylint --exit-zero $python_files
 
       - name: Check Black formatting
         run: |

.gitignore

@@ -1,2 +1,4 @@
 logs/*
 **/__pycache__/
+.ansible/
+.ansible/.lock

README.md

@@ -1,16 +1,13 @@
 # Setup
 
 This dotfiles is intended to be used with either Fedora 40>, Ubuntu 20.04> or Arch Linux.
-Please install a clean version of either distro with GNOME and then follow the steps below.
+Please install a clean version of either distro and then follow the steps below.
 
 ## Installation
 
 ### 0. Install distro
 
 Download the latest ISO from your desired distro and write it to a USB stick.
-I'd recommend getting the GNOME version as it's easier to setup unless you're planning on setting up a server, in that case I recommend getting the server ISO for the specific distro.
-
-#### Note: If you intend on using a desktop environment you should select the GNOME version as this dotfiles repository expects the GNOME desktop environment for various configurations
 
 ### 1. Clone dotfiles to home directory
 
@@ -44,15 +41,6 @@ Run the `dotf update` command, although the setup script did most of the work so
 dotf update
 ```
 
-### 5. Decrypt secrets
-
-Either using 1Password or by manualling providing the decryption key you should decrypt the secrets.
-Various configurations depend on the secrets to be decrypted such as the SSH keys, yubikey pam configuration and more.
-
-```bash
-dotf secrets decrypt
-```
-
 ### 6. Profit
 
 You should now have a fully setup system with all the configurations applied.
@@ -65,12 +53,13 @@ Here are some paths that contain files named after the hostname of the system.
 If you add a new system you should add the relevant files to these paths.
 
 - `config/ssh/authorized_keys`: Contains the public keys per hostname that will be symlinked to the `~/.ssh/authorized_keys` file.
-- `config/home-manager/flake.nix`: Contains an array `homeConfigurations` where you should be adding the new system hostname and relevant configuration.
+- `flake.nix`: Contains an array `homeConfigurations` where you should be adding the new system hostname and relevant configuration.
 
 ### Server reboots
 
 In case you reboot a server, it's likely that this runs JuiceFS.
 To be sure that every service is properly accessing JuiceFS mounted files you should probably restart the services once when the server comes online.
+
 ```bash
 dotf service stop --all
 df # confirm JuiceFS is mounted
@@ -81,16 +70,19 @@ dotf service start --all
 
 In case you need to adjust anything regarding the /mnt/object_storage JuiceFS.
 Ensure to shut down all services:
+
 ```bash
 dotf service stop --all
 ```
 
 Unmount the volume:
+
 ```bash
 sudo systemctl stop juicefs
 ```
 
 And optionally if you're going to do something with metadata you might need to stop redis too.
+
 ```bash
 cd ~/services/juicefs-redis/
 docker compose down --remove-orphans
@@ -103,6 +95,7 @@ To add a new system you should follow these steps:
 1. Add the relevant files shown in the section above.
 2. Ensure you've either updated or added the `$HOME/.hostname` file with the hostname of the system.
 3. Run `dotf update` to ensure the symlinks are properly updated/created.
+
 ---
 
 ## Using 1Password SSH Agent with WSL2 (Windows 11)
@@ -132,5 +125,6 @@ This setup allows you to use your 1Password-managed SSH keys inside WSL2. The WS
    - If your 1Password keys are listed, the setup is complete.
 
 #### References
+
 - [Using 1Password's SSH Agent with WSL2](https://dev.to/d4vsanchez/use-1password-ssh-agent-in-wsl-2j6m)
 - [How to change the PATH environment variable in Windows](https://www.wikihow.com/Change-the-PATH-Environment-Variable-on-Windows)

ansible/group_vars/servers.yml

@@ -0,0 +1,82 @@
+---
+flatpaks: false
+install_ui_apps: false
+
+# European countries for EU-specific access control
+eu_countries_codes:
+    - AL # Albania
+    - AD # Andorra
+    - AM # Armenia
+    - AT # Austria
+    - AZ # Azerbaijan
+    # - BY # Belarus (Belarus is disabled due to geopolitical reasons)
+    - BE # Belgium
+    - BA # Bosnia and Herzegovina
+    - BG # Bulgaria
+    - HR # Croatia
+    - CY # Cyprus
+    - CZ # Czech Republic
+    - DK # Denmark
+    - EE # Estonia
+    - FI # Finland
+    - FR # France
+    - GE # Georgia
+    - DE # Germany
+    - GR # Greece
+    - HU # Hungary
+    - IS # Iceland
+    - IE # Ireland
+    - IT # Italy
+    - XK # Kosovo
+    - LV # Latvia
+    - LI # Liechtenstein
+    - LT # Lithuania
+    - LU # Luxembourg
+    - MK # North Macedonia
+    - MT # Malta
+    - MD # Moldova
+    - MC # Monaco
+    - ME # Montenegro
+    - NL # Netherlands
+    - NO # Norway
+    - PL # Poland
+    - PT # Portugal
+    - RO # Romania
+    # - RU # Russia (Russia is disabled due to geopolitical reasons)
+    - SM # San Marino
+    - RS # Serbia
+    - SK # Slovakia
+    - SI # Slovenia
+    - ES # Spain
+    - SE # Sweden
+    - CH # Switzerland
+    - TR # Turkey
+    - UA # Ukraine
+    - GB # United Kingdom
+    - VA # Vatican City
+
+# Trusted non-EU countries for extended access control
+trusted_countries_codes:
+    - US # United States
+    - AU # Australia
+    - NZ # New Zealand
+    - JP # Japan
+
+# Countries that are allowed to access the server Caddy reverse proxy
+allowed_countries_codes:
+    - US # United States
+    - GB # United Kingdom
+    - DE # Germany
+    - FR # France
+    - IT # Italy
+    - NL # Netherlands
+    - JP # Japan
+    - KR # South Korea
+    - CH # Switzerland
+    - AU # Australia (Added for UpDown.io to monitor server uptime)
+    - CA # Canada (Added for UpDown.io to monitor server uptime)
+    - FI # Finland (Added for UpDown.io to monitor server uptime)
+    - SG # Singapore (Added for UpDown.io to monitor server uptime)
+
+# Enable/disable country blocking globally
+enable_country_blocking: true

ansible/inventory.ini

@@ -0,0 +1,11 @@
+[workstations]
+mennos-laptop ansible_connection=local
+mennos-desktop ansible_connection=local
+
+[servers]
+mennos-vps ansible_connection=local
+mennos-server ansible_connection=local
+mennos-rtlsdr-pc ansible_connection=local
+
+[wsl]
+mennos-desktopw ansible_connection=local

ansible/playbook.yml

@@ -0,0 +1,19 @@
+---
+- name: Configure all hosts
+  hosts: all
+  handlers:
+      - name: Import handler tasks
+        ansible.builtin.import_tasks: handlers/main.yml
+  gather_facts: true
+
+  tasks:
+      - name: Include global tasks
+        ansible.builtin.import_tasks: tasks/global/global.yml
+
+      - name: Include workstation tasks
+        ansible.builtin.import_tasks: tasks/workstations/workstation.yml
+        when: inventory_hostname in ['mennos-laptop', 'mennos-desktop']
+
+      - name: Include server tasks
+        ansible.builtin.import_tasks: tasks/servers/server.yml
+        when: inventory_hostname in ['mennos-vps', 'mennos-server', 'mennos-rtlsdr-pc', 'mennos-desktopw']

ansible/tasks/global/global.yml

@@ -1,21 +1,9 @@
 ---
-- name: Include global symlinks tasks
-  ansible.builtin.import_tasks: tasks/global/symlinks.yml
-
 - name: Gather package facts
   ansible.builtin.package_facts:
     manager: auto
   become: true
 
-- name: Debug ansible_facts for troubleshooting
-  ansible.builtin.debug:
-    msg: |
-      OS Family: {{ ansible_facts['os_family'] }}
-      Distribution: {{ ansible_facts['distribution'] }}
-      Package Manager: {{ ansible_pkg_mgr }}
-      Kernel: {{ ansible_kernel }}
-  tags: debug
-
 - name: Include Tailscale tasks
   ansible.builtin.import_tasks: tasks/global/tailscale.yml
   become: true
@@ -131,7 +119,7 @@
   ansible.builtin.replace:
     path: /etc/sudoers
     regexp: '^Defaults\s+env_reset(?!.*pwfeedback)'
-    replace: 'Defaults        env_reset,pwfeedback'
+    replace: "Defaults        env_reset,pwfeedback"
-    validate: 'visudo -cf %s'
+    validate: "visudo -cf %s"
   become: true
   tags: sudoers

ansible/tasks/global/utils.yml

@@ -15,14 +15,14 @@
 
     - name: Scan utils folder for files
       ansible.builtin.find:
-        paths: "{{ dotfiles_path }}/config/ansible/tasks/global/utils"
+        paths: "{{ dotfiles_path }}/ansible/tasks/global/utils"
         file_type: file
       register: utils_files
       become: false
 
     - name: Scan utils folder for Go projects (directories with go.mod)
       ansible.builtin.find:
-        paths: "{{ dotfiles_path }}/config/ansible/tasks/global/utils"
+        paths: "{{ dotfiles_path }}/ansible/tasks/global/utils"
         file_type: directory
         recurse: true
       register: utils_dirs

ansible/tasks/global/utils/smart-ssh/README.md

@@ -36,7 +36,7 @@ The utility is automatically compiled and installed to `~/.local/bin/ssh` via An
 3. Ensure your `~/.ssh/config` contains the referenced host entries:
    ```
    Host desktop
-       HostName mennos-cachyos-desktop
+       HostName mennos-desktop
        User menno
        Port 400
        ForwardAgent yes

ansible/tasks/global/utils/smart-ssh/config.yaml

@@ -13,6 +13,12 @@ smart_aliases:
   desktop:
     primary: "desktop-local"
     fallback: "desktop"
+    check_host: "192.168.1.250"
+    timeout: "2s"
+
+  server:
+    primary: "server-local"
+    fallback: "server"
     check_host: "192.168.1.254"
     timeout: "2s"
 
@@ -22,6 +28,12 @@ smart_aliases:
     check_host: "192.168.1.253"
     timeout: "2s"
 
+  rtlsdr:
+    primary: "rtlsdr-local"
+    fallback: "rtlsdr"
+    check_host: "192.168.1.252"
+    timeout: "2s"
+
 # Background SSH Tunnel Definitions
 tunnels:
   # Example: Desktop database tunnel
@@ -76,7 +88,7 @@ tunnels:
 
 # Your SSH config should contain the actual host definitions:
 # Host desktop
-#     HostName mennos-cachyos-desktop
+#     HostName mennos-desktop
 #     User menno
 #     Port 400
 #     ForwardAgent yes

ansible/tasks/global/utils/smart-ssh/smart-ssh.go

@@ -30,10 +30,10 @@ type LoggingConfig struct {
 
 // SmartAlias represents a smart SSH alias configuration
 type SmartAlias struct {
-	Primary   string `yaml:"primary"`   // SSH config host to use when local
+	Primary   string `yaml:"primary"`    // SSH config host to use when local
-	Fallback  string `yaml:"fallback"`  // SSH config host to use when remote
+	Fallback  string `yaml:"fallback"`   // SSH config host to use when remote
 	CheckHost string `yaml:"check_host"` // IP to ping for connectivity test
-	Timeout   string `yaml:"timeout"`   // Ping timeout (default: "2s")
+	Timeout   string `yaml:"timeout"`    // Ping timeout (default: "2s")
 }
 
 // TunnelDefinition represents a tunnel configuration
@@ -47,36 +47,39 @@ type TunnelDefinition struct {
 
 // TunnelState represents runtime state of an active tunnel
 type TunnelState struct {
-	Name               string    `json:"name"`
+	Name            string    `json:"name"`
-	Source             string    `json:"source"`              // "config" or "adhoc"
+	Source          string    `json:"source"` // "config" or "adhoc"
-	Type               string    `json:"type"`                // local, remote, dynamic
+	Type            string    `json:"type"`   // local, remote, dynamic
-	LocalPort          int       `json:"local_port"`
+	LocalPort       int       `json:"local_port"`
-	RemoteHost         string    `json:"remote_host"`
+	RemoteHost      string    `json:"remote_host"`
-	RemotePort         int       `json:"remote_port"`
+	RemotePort      int       `json:"remote_port"`
-	SSHHost            string    `json:"ssh_host"`
+	SSHHost         string    `json:"ssh_host"`
-	SSHHostResolved    string    `json:"ssh_host_resolved"`   // After smart alias resolution
+	SSHHostResolved string    `json:"ssh_host_resolved"` // After smart alias resolution
-	PID                int       `json:"pid"`
+	PID             int       `json:"pid"`
-	Status             string    `json:"status"`
+	Status          string    `json:"status"`
-	StartedAt          time.Time `json:"started_at"`
+	StartedAt       time.Time `json:"started_at"`
-	LastSeen           time.Time `json:"last_seen"`
+	LastSeen        time.Time `json:"last_seen"`
-	CommandLine        string    `json:"command_line"`
+	CommandLine     string    `json:"command_line"`
 }
 
 // Config represents the YAML configuration structure
 type Config struct {
-	Logging      LoggingConfig                    `yaml:"logging"`
+	Logging      LoggingConfig               `yaml:"logging"`
-	SmartAliases map[string]SmartAlias            `yaml:"smart_aliases"`
+	SmartAliases map[string]SmartAlias       `yaml:"smart_aliases"`
-	Tunnels      map[string]TunnelDefinition      `yaml:"tunnels"`
+	Tunnels      map[string]TunnelDefinition `yaml:"tunnels"`
 }
 
 const (
-	realSSHPath = "/usr/bin/ssh"
+	defaultSSHPath = "/usr/bin/ssh"
+	wslSSHPath     = "ssh.exe"
+	wslDetectPath  = "/mnt/c/Windows/System32/cmd.exe"
 )
 
 var (
-	configDir   string
+	configDir  string
-	tunnelsDir  string
+	tunnelsDir string
-	config      *Config
+	config     *Config
+	sshPath    string // Will be set based on WSL2 detection
 
 	// Global flags
 	tunnelMode bool
@@ -92,10 +95,10 @@ var (
 )
 
 var rootCmd = &cobra.Command{
-	Use:   "ssh",
+	Use:                "ssh",
-	Short: "Smart SSH utility with tunnel management",
+	Short:              "Smart SSH utility with tunnel management",
-	Long:  "A transparent SSH wrapper that provides smart alias resolution and background tunnel management",
+	Long:               "A transparent SSH wrapper that provides smart alias resolution and background tunnel management",
-	Run:   handleSSH,
+	Run:                handleSSH,
 	DisableFlagParsing: true,
 }
 
@@ -103,13 +106,16 @@ var tunnelCmd = &cobra.Command{
 	Use:   "tunnel [tunnel-name]",
 	Short: "Manage background SSH tunnels",
 	Long:  "Create, list, and manage persistent SSH tunnels in the background",
-	Run:   func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, args []string) {
 		handleTunnelManual(append([]string{"--tunnel"}, args...))
 	},
-	Args:  cobra.MaximumNArgs(1),
+	Args: cobra.MaximumNArgs(1),
 }
 
 func init() {
+	// Detect and set SSH path based on environment (WSL2 vs native Linux)
+	sshPath = detectSSHPath()
+
 	// Initialize config directory
 	homeDir, err := os.UserHomeDir()
 	if err != nil {
@@ -141,6 +147,13 @@ func init() {
 	// Initialize logging
 	initLogging(config.Logging)
 
+	// Log SSH path detection (after logging is initialized)
+	if isWSL2() {
+		log.Debug().Str("ssh_path", sshPath).Msg("WSL2 detected, using Windows SSH")
+	} else {
+		log.Debug().Str("ssh_path", sshPath).Msg("Native Linux environment, using Linux SSH")
+	}
+
 	// Global flags
 	rootCmd.PersistentFlags().BoolVarP(&tunnelMode, "tunnel", "T", false, "Enable tunnel mode")
 	rootCmd.Flags().BoolVarP(&tunnelOpen, "open", "O", false, "Open a tunnel")
@@ -169,6 +182,22 @@ func init() {
 	}
 }
 
+// detectSSHPath determines the correct SSH binary path based on the environment
+func detectSSHPath() string {
+	if isWSL2() {
+		// In WSL2, use Windows SSH
+		return wslSSHPath
+	}
+	// Default to Linux SSH
+	return defaultSSHPath
+}
+
+// isWSL2 checks if we're running in WSL2 by looking for Windows System32
+func isWSL2() bool {
+	_, err := os.Stat(wslDetectPath)
+	return err == nil
+}
+
 func main() {
 	// Check if this is a tunnel command first
 	args := os.Args[1:]
@@ -563,7 +592,7 @@ func openTunnel(name string) error {
 	log.Debug().Strs("command", cmdArgs).Msg("Starting SSH tunnel")
 
 	// Start SSH process
-	cmd := exec.Command(realSSHPath, cmdArgs[1:]...)
+	cmd := exec.Command(sshPath, cmdArgs[1:]...)
 
 	// Capture stderr to see any SSH errors
 	var stderr bytes.Buffer
@@ -708,7 +737,9 @@ func createAdhocTunnel() (TunnelDefinition, error) {
 }
 
 func buildSSHCommand(tunnel TunnelDefinition, sshHost string) []string {
-	args := []string{"ssh", "-f", "-N"}
+	// Use the detected SSH path basename for the command
+	sshBinary := filepath.Base(sshPath)
+	args := []string{sshBinary, "-f", "-N"}
 
 	switch tunnel.Type {
 	case "local":
@@ -1056,18 +1087,37 @@ func findSSHProcessByPort(port int) int {
 
 // executeRealSSH executes the real SSH binary with given arguments
 func executeRealSSH(args []string) {
-	// Check if real SSH exists
+	log.Debug().Str("ssh_path", sshPath).Strs("args", args).Msg("Executing real SSH")
-	if _, err := os.Stat(realSSHPath); os.IsNotExist(err) {
+
-		log.Error().Str("path", realSSHPath).Msg("Real SSH binary not found")
+	// In WSL2, we need to use exec.Command instead of syscall.Exec for Windows binaries
-		fmt.Fprintf(os.Stderr, "Error: Real SSH binary not found at %s\n", realSSHPath)
+	if isWSL2() {
+		cmd := exec.Command(sshPath, args...)
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+
+		err := cmd.Run()
+		if err != nil {
+			if exitErr, ok := err.(*exec.ExitError); ok {
+				os.Exit(exitErr.ExitCode())
+			}
+			log.Error().Err(err).Msg("Failed to execute SSH")
+			fmt.Fprintf(os.Stderr, "Error executing SSH: %v\n", err)
+			os.Exit(1)
+		}
+		os.Exit(0)
+	}
+
+	// For native Linux, check if SSH exists
+	if _, err := os.Stat(sshPath); os.IsNotExist(err) {
+		log.Error().Str("path", sshPath).Msg("Real SSH binary not found")
+		fmt.Fprintf(os.Stderr, "Error: Real SSH binary not found at %s\n", sshPath)
 		os.Exit(1)
 	}
 
-	log.Debug().Str("ssh_path", realSSHPath).Strs("args", args).Msg("Executing real SSH")
+	// Execute the real SSH binary using syscall.Exec (Linux only)
-
+	// This replaces the current process (like exec in shell)
-	// Execute the real SSH binary
+	err := syscall.Exec(sshPath, append([]string{"ssh"}, args...), os.Environ())
-	// Using syscall.Exec to replace current process (like exec in shell)
-	err := syscall.Exec(realSSHPath, append([]string{"ssh"}, args...), os.Environ())
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to execute SSH")
 		fmt.Fprintf(os.Stderr, "Error executing SSH: %v\n", err)

ansible/tasks/servers/dynamic-dns.yml

@@ -18,7 +18,7 @@
           #!/bin/bash
 
           # Run dynamic DNS update (binary compiled by utils.yml)
-          {{ ansible_user_dir }}/.local/bin/dynamic-dns-cf -record "vleeuwen.me,mvl.sh,mennovanleeuwen.nl" 2>&1 | logger -t dynamic-dns
+          {{ ansible_user_dir }}/.local/bin/dynamic-dns-cf -record "vleeuwen.me,mvl.sh,mennovanleeuwen.nl,sathub.de,sathub.nl" 2>&1 | logger -t dynamic-dns
       become: true
 
     - name: Create dynamic DNS systemd timer
@@ -83,6 +83,6 @@
           - Manual run: sudo /usr/local/bin/dynamic-dns-update.sh
           - Domains: vleeuwen.me, mvl.sh, mennovanleeuwen.nl
 
-  when: inventory_hostname == 'mennos-cachyos-desktop'
+  when: inventory_hostname == 'mennos-server' or inventory_hostname == 'mennos-vps'
   tags:
     - dynamic-dns

ansible/tasks/servers/juicefs.yml

@@ -70,7 +70,7 @@
 
     - name: Include JuiceFS Redis tasks
       ansible.builtin.include_tasks: services/redis/redis.yml
-      when: inventory_hostname == 'mennos-cachyos-desktop'
+      when: inventory_hostname == 'mennos-server'
 
     - name: Enable and start JuiceFS service
       ansible.builtin.systemd:

ansible/tasks/servers/server.yml

@@ -0,0 +1,165 @@
+---
+- name: Server setup
+  block:
+      - name: Ensure openssh-server is installed on Arch-based systems
+        ansible.builtin.package:
+            name: openssh
+            state: present
+        when: ansible_pkg_mgr == 'pacman'
+
+      - name: Ensure openssh-server is installed on non-Arch systems
+        ansible.builtin.package:
+            name: openssh-server
+            state: present
+        when: ansible_pkg_mgr != 'pacman'
+
+      - name: Ensure Borg is installed on Arch-based systems
+        ansible.builtin.package:
+            name: borg
+            state: present
+        become: true
+        when: ansible_pkg_mgr == 'pacman'
+
+      - name: Ensure Borg is installed on Debian/Ubuntu systems
+        ansible.builtin.package:
+            name: borgbackup
+            state: present
+        become: true
+        when: ansible_pkg_mgr != 'pacman'
+
+      - name: Include JuiceFS tasks
+        ansible.builtin.include_tasks: juicefs.yml
+        tags:
+            - juicefs
+
+      - name: Include Dynamic DNS tasks
+        ansible.builtin.include_tasks: dynamic-dns.yml
+        tags:
+            - dynamic-dns
+
+      - name: Include Borg Backup tasks
+        ansible.builtin.include_tasks: borg-backup.yml
+        tags:
+            - borg-backup
+
+      - name: Include Borg Local Sync tasks
+        ansible.builtin.include_tasks: borg-local-sync.yml
+        tags:
+            - borg-local-sync
+
+      - name: System performance optimizations
+        ansible.posix.sysctl:
+            name: "{{ item.name }}"
+            value: "{{ item.value }}"
+            state: present
+            reload: true
+        become: true
+        loop:
+            - { name: "fs.file-max", value: "2097152" } # Max open files for the entire system
+            - { name: "vm.max_map_count", value: "16777216" } # Max memory map areas a process can have
+            - { name: "vm.swappiness", value: "10" } # Controls how aggressively the kernel swaps out memory
+            - { name: "vm.vfs_cache_pressure", value: "50" } # Controls kernel's tendency to reclaim memory for directory/inode caches
+            - { name: "net.core.somaxconn", value: "65535" } # Max pending connections for a listening socket
+            - { name: "net.core.netdev_max_backlog", value: "65535" } # Max packets queued on network interface input
+            - { name: "net.ipv4.tcp_fin_timeout", value: "30" } # How long sockets stay in FIN-WAIT-2 state
+            - { name: "net.ipv4.tcp_tw_reuse", value: "1" } # Allows reusing TIME_WAIT sockets for new outgoing connections
+
+      - name: Include service tasks
+        ansible.builtin.include_tasks: "services/{{ item.name }}/{{ item.name }}.yml"
+        loop: "{{ services | selectattr('enabled', 'equalto', true) | selectattr('hosts', 'contains', inventory_hostname) | list if specific_service is not defined else services | selectattr('name', 'equalto', specific_service) | selectattr('enabled', 'equalto', true) | selectattr('hosts', 'contains', inventory_hostname) | list }}"
+        loop_control:
+            label: "{{ item.name }}"
+        tags:
+            - services
+            - always
+
+  vars:
+      services:
+          - name: dashy
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: gitea
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: factorio
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: dozzle
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: beszel
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: caddy
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: golink
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: immich
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: plex
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: tautulli
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: downloaders
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: wireguard
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: nextcloud
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: cloudreve
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: echoip
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: arr-stack
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: home-assistant
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: privatebin
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: unifi-network-application
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: avorion
+            enabled: false
+            hosts:
+                - mennos-server
+          - name: sathub
+            enabled: true
+            hosts:
+                - mennos-server
+          - name: necesse
+            enabled: true
+            hosts:
+                - mennos-server

ansible/tasks/servers/services/arr-stack/arr-stack.yml

@@ -35,3 +35,4 @@
   tags:
     - services
     - arr_stack
+    - arr-stack

ansible/tasks/servers/services/arr-stack/docker-compose.yml.j2

@@ -20,7 +20,7 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 2G
 
   sonarr:
     image: linuxserver/sonarr:latest
@@ -42,20 +42,21 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 2G
 
-  whisparr:
+  bazarr:
-    image: ghcr.io/hotio/whisparr:latest
+    image: ghcr.io/hotio/bazarr:latest
+    container_name: bazarr
     environment:
       - PUID=1000
       - PGID=100
       - TZ=Europe/Amsterdam
     ports:
-      - 6969:6969
+      - 6767:6767
     extra_hosts:
       - host.docker.internal:host-gateway
     volumes:
-      - {{ arr_stack_data_dir }}/whisparr-config:/config
+      - {{ arr_stack_data_dir }}/bazarr-config:/config
       - /mnt/data:/mnt/data
     restart: unless-stopped
     networks:
@@ -63,7 +64,7 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 512M
 
   prowlarr:
     container_name: prowlarr
@@ -127,6 +128,53 @@ services:
         limits:
           memory: 512M
 
+  tdarr:
+    image: ghcr.io/haveagitgat/tdarr:latest
+    container_name: tdarr
+    environment:
+      - PUID=1000
+      - PGID=100
+      - TZ=Europe/Amsterdam
+      - serverIP=0.0.0.0
+      - serverPort=8266
+      - webUIPort=8265
+      - internalNode=true
+      - inContainer=true
+      - ffmpegVersion=7
+      - nodeName=MyInternalNode
+      - auth=false
+      - openBrowser=true
+      - maxLogSizeMB=10
+      - cronPluginUpdate=
+      - NVIDIA_DRIVER_CAPABILITIES=all
+      - NVIDIA_VISIBLE_DEVICES=all
+    volumes:
+      - {{ arr_stack_data_dir }}/tdarr-server:/app/server
+      - {{ arr_stack_data_dir }}/tdarr-config:/app/configs
+      - {{ arr_stack_data_dir }}/tdarr-logs:/app/logs
+      - /mnt/data:/media
+      - {{ arr_stack_data_dir }}/tdarr-cache:/temp
+    ports:
+      - 8265:8265
+      - 8266:8266
+    extra_hosts:
+      - host.docker.internal:host-gateway
+    restart: unless-stopped
+    runtime: nvidia
+    devices:
+      - /dev/dri:/dev/dri
+    networks:
+      - arr_stack_net
+    deploy:
+      resources:
+        limits:
+          memory: 4G
+        reservations:
+          devices:
+            - driver: nvidia
+              count: all
+              capabilities: [gpu]
+
 networks:
   arr_stack_net:
   caddy_network:

ansible/tasks/servers/services/caddy/Caddyfile.j2

@@ -5,9 +5,9 @@
     }
 }
 
-# Country blocking snippet using MaxMind GeoLocation - reusable across all sites
+# Country allow list snippet using MaxMind GeoLocation - reusable across all sites
 {% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %}
-(country_block) {
+(country_allow) {
     @allowed_local {
         remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
     }
@@ -23,68 +23,170 @@
     respond @not_allowed_countries "Access denied" 403
 }
 {% else %}
-(country_block) {
+(country_allow) {
-    # Country blocking disabled
+    # Country allow list disabled
 }
 {% endif %}
 
-{% if inventory_hostname == 'mennos-cachyos-desktop' %}
+# European country allow list - allows all European countries only
+{% if eu_countries_codes | default([]) | length > 0 %}
+(eu_country_allow) {
+    @eu_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @eu_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ eu_countries_codes | join(' ') }}
+            }
+        }
+    }
+    respond @eu_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(eu_country_allow) {
+    # EU country allow list disabled
+}
+{% endif %}
+
+# Trusted country allow list - allows US, Australia, New Zealand, and Japan
+{% if trusted_countries_codes | default([]) | length > 0 %}
+(trusted_country_allow) {
+    @trusted_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @trusted_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ trusted_countries_codes | join(' ') }}
+            }
+        }
+    }
+    respond @trusted_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(trusted_country_allow) {
+    # Trusted country allow list disabled
+}
+{% endif %}
+
+# Sathub country allow list - combines EU and trusted countries
+{% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %}
+(sathub_country_allow) {
+    @sathub_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @sathub_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }}
+            }
+        }
+    }
+    respond @sathub_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(sathub_country_allow) {
+    # Sathub country allow list disabled
+}
+{% endif %}
+
+{% if inventory_hostname == 'mennos-server' %}
 git.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy gitea:3000
    tls {{ caddy_email }}
 }
 
 git.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://git.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 df.mvl.sh {
-   import country_block
+   import country_allow
    redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh
    tls {{ caddy_email }}
 }
 
 fsm.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy factorio-server-manager:80
    tls {{ caddy_email }}
 }
 
 fsm.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://fsm.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 beszel.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy beszel:8090
    tls {{ caddy_email }}
 }
 
 beszel.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://beszel.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
+sathub.de {
+   import sathub_country_allow
+
+   handle {
+       reverse_proxy sathub-frontend:4173
+   }
+
+   # Enable compression
+   encode gzip
+
+   # Security headers
+   header {
+       X-Frame-Options "SAMEORIGIN"
+       X-Content-Type-Options "nosniff"
+       X-XSS-Protection "1; mode=block"
+       Referrer-Policy "strict-origin-when-cross-origin"
+       Strict-Transport-Security "max-age=31536000; includeSubDomains"
+   }
+   tls {{ caddy_email }}
+}
+
+api.sathub.de {
+   import sathub_country_allow
+   reverse_proxy sathub-backend:4001
+   tls {{ caddy_email }}
+}
+
+sathub.nl {
+   import sathub_country_allow
+   redir https://sathub.de{uri}
+   tls {{ caddy_email }}
+}
+
 photos.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy immich:2283
    tls {{ caddy_email }}
 }
 
 photos.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://photos.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 home.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:8123 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -93,7 +195,7 @@ home.mvl.sh {
 }
 
 home.vleeuwen.me {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:8123 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -127,13 +229,13 @@ hotspot.mvl.sh:80 {
 }
 
 bin.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy privatebin:8080
    tls {{ caddy_email }}
 }
 
 ip.mvl.sh ip.vleeuwen.me {
-   import country_block
+   import country_allow
    reverse_proxy echoip:8080 {
        header_up X-Real-IP {http.request.remote.host}
    }
@@ -141,26 +243,26 @@ ip.mvl.sh ip.vleeuwen.me {
 }
 
 http://ip.mvl.sh http://ip.vleeuwen.me {
-   import country_block
+   import country_allow
    reverse_proxy echoip:8080 {
        header_up X-Real-IP {http.request.remote.host}
    }
 }
 
 overseerr.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy overseerr:5055
    tls {{ caddy_email }}
 }
 
 overseerr.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://overseerr.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 plex.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:32400 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -169,13 +271,13 @@ plex.mvl.sh {
 }
 
 plex.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://plex.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 tautulli.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:8181 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -184,13 +286,37 @@ tautulli.mvl.sh {
 }
 
 tautulli.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://tautulli.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
+cloud.mvl.sh {
+   import country_allow
+   reverse_proxy cloudreve:5212 {
+       header_up Host {host}
+       header_up X-Real-IP {http.request.remote.host}
+   }
+   tls {{ caddy_email }}
+}
+
+cloud.vleeuwen.me {
+  import country_allow
+  redir https://cloud.mvl.sh{uri}
+  tls {{ caddy_email }}
+}
+
+collabora.mvl.sh {
+  import country_allow
+  reverse_proxy collabora:9980 {
+    header_up Host {host}
+    header_up X-Real-IP {http.request.remote.host}
+  }
+  tls {{ caddy_email }}
+}
+
 drive.mvl.sh drive.vleeuwen.me {
-   import country_block
+   import country_allow
 
    # CalDAV and CardDAV redirects
    redir /.well-known/carddav /remote.php/dav/ 301

ansible/tasks/servers/services/cloudreve/cloudreve.yml

@@ -0,0 +1,32 @@
+- name: Deploy Cloudreve service
+  tags:
+    - services
+    - cloudreve
+  block:
+    - name: Set Cloudreve directories
+      ansible.builtin.set_fact:
+        cloudreve_service_dir: "{{ ansible_env.HOME }}/.services/cloudreve"
+        cloudreve_data_dir: "/mnt/services/cloudreve"
+
+    - name: Create Cloudreve directory
+      ansible.builtin.file:
+        path: "{{ cloudreve_service_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Deploy Cloudreve docker-compose.yml
+      ansible.builtin.template:
+        src: docker-compose.yml.j2
+        dest: "{{ cloudreve_service_dir }}/docker-compose.yml"
+        mode: "0644"
+      register: cloudreve_compose
+
+    - name: Stop Cloudreve service
+      ansible.builtin.command: docker compose -f "{{ cloudreve_service_dir }}/docker-compose.yml" down --remove-orphans
+      changed_when: false
+      when: cloudreve_compose.changed
+
+    - name: Start Cloudreve service
+      ansible.builtin.command: docker compose -f "{{ cloudreve_service_dir }}/docker-compose.yml" up -d
+      changed_when: false
+      when: cloudreve_compose.changed

ansible/tasks/servers/services/cloudreve/docker-compose.yml.j2

@@ -0,0 +1,67 @@
+services:
+  cloudreve:
+    image: cloudreve/cloudreve:latest
+    depends_on:
+      - postgresql
+      - redis
+    restart: always
+    ports:
+      - 5212:5212
+    networks:
+      - caddy_network
+      - cloudreve
+    environment:
+      - CR_CONF_Database.Type=postgres
+      - CR_CONF_Database.Host=postgresql
+      - CR_CONF_Database.User=cloudreve
+      - CR_CONF_Database.Name=cloudreve
+      - CR_CONF_Database.Port=5432
+      - CR_CONF_Redis.Server=redis:6379
+    volumes:
+      - {{ cloudreve_data_dir }}/data:/cloudreve/data
+
+  postgresql:
+    image: postgres:17
+    environment:
+      - POSTGRES_USER=cloudreve
+      - POSTGRES_DB=cloudreve
+      - POSTGRES_HOST_AUTH_METHOD=trust
+    networks:
+      - cloudreve
+    volumes:
+      - {{ cloudreve_data_dir }}/postgres:/var/lib/postgresql/data
+
+  collabora:
+    image: collabora/code
+    restart: unless-stopped
+    ports:
+      - 9980:9980
+    environment:
+      - domain=collabora\\.mvl\\.sh
+      - username=admin
+      - password=Dt3hgIJOPr3rgh
+      - dictionaries=en_US
+      - TZ=Europe/Amsterdam
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
+    networks:
+      - cloudreve
+      - caddy_network
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+
+  redis:
+    image: redis:latest
+    networks:
+      - cloudreve
+    volumes:
+      - {{ cloudreve_data_dir }}/redis:/data
+
+networks:
+  cloudreve:
+    name: cloudreve
+    driver: bridge
+  caddy_network:
+    name: caddy_default
+    external: true

ansible/tasks/servers/services/dashy/conf.yml.j2

@@ -0,0 +1,308 @@
+pageInfo:
+  title: Menno's Home
+  navLinks: []
+sections:
+  - name: Selfhosted
+    items:
+      - title: Plex
+        icon: http://mennos-server:4000/assets/plex.svg
+        url: https://plex.mvl.sh
+        statusCheckUrl: https://plex.mvl.sh/identity
+        statusCheck: true
+        id: 0_1035_plex
+      - title: Tautulli
+        icon: http://mennos-server:4000/assets/tautulli.svg
+        url: https://tautulli.mvl.sh
+        id: 1_1035_tautulli
+        statusCheck: true
+      - title: Overseerr
+        icon: http://mennos-server:4000/assets/overseerr.svg
+        url: https://overseerr.mvl.sh
+        id: 2_1035_overseerr
+        statusCheck: true
+      - title: Immich
+        icon: http://mennos-server:4000/assets/immich.svg
+        url: https://photos.mvl.sh
+        id: 3_1035_immich
+        statusCheck: true
+      - title: Nextcloud
+        icon: http://mennos-server:4000/assets/nextcloud.svg
+        url: https://drive.mvl.sh
+        id: 3_1035_nxtcld
+        statusCheck: true
+      - title: ComfyUI
+        icon: http://mennos-server:8188/assets/favicon.ico
+        url: http://mennos-server:8188
+        statusCheckUrl: http://host.docker.internal:8188/api/system_stats
+        id: 3_1035_comfyui
+        statusCheck: true
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 2
+      collapsed: false
+      hideForGuests: false
+  - name: Media Management
+    items:
+      - title: Sonarr
+        icon: http://mennos-server:4000/assets/sonarr.svg
+        url: http://go/sonarr
+        id: 0_1533_sonarr
+      - title: Radarr
+        icon: http://mennos-server:4000/assets/radarr.svg
+        url: http://go/radarr
+        id: 1_1533_radarr
+      - title: Prowlarr
+        icon: http://mennos-server:4000/assets/prowlarr.svg
+        url: http://go/prowlarr
+        id: 2_1533_prowlarr
+      - title: Tdarr
+        icon: http://mennos-server:4000/assets/tdarr.png
+        url: http://go/tdarr
+        id: 3_1533_tdarr
+  - name: Kagi
+    items:
+      - title: Kagi Search
+        icon: favicon
+        url: https://kagi.com/
+        id: 0_380_kagisearch
+      - title: Kagi Translate
+        icon: favicon
+        url: https://translate.kagi.com/
+        id: 1_380_kagitranslate
+      - title: Kagi Assistant
+        icon: favicon
+        url: https://kagi.com/assistant
+        id: 2_380_kagiassistant
+  - name: News
+    items:
+      - title: Nu.nl
+        icon: http://mennos-server:4000/assets/nunl.svg
+        url: https://www.nu.nl/
+        id: 0_380_nu
+      - title: Tweakers.net
+        icon: favicon
+        url: https://www.tweakers.net/
+        id: 1_380_tweakers
+      - title: NL Times
+        icon: favicon
+        url: https://www.nltimes.nl/
+        id: 2_380_nl_times
+  - name: Downloaders
+    items:
+      - title: qBittorrent
+        icon: http://mennos-server:4000/assets/qbittorrent.svg
+        url: http://go/qbit
+        id: 0_1154_qbittorrent
+        tags:
+          - download
+          - torrent
+          - yarr
+      - title: Sabnzbd
+        icon: http://mennos-server:4000/assets/sabnzbd.svg
+        url: http://go/sabnzbd
+        id: 1_1154_sabnzbd
+        tags:
+          - download
+          - nzb
+          - yarr
+  - name: Git
+    items:
+      - title: GitHub
+        icon: http://mennos-server:4000/assets/github.svg
+        url: https://github.com/vleeuwenmenno
+        id: 0_292_github
+        tags:
+          - repo
+          - git
+          - hub
+      - title: Gitea
+        icon: http://mennos-server:4000/assets/gitea.svg
+        url: http://git.mvl.sh/vleeuwenmenno
+        id: 1_292_gitea
+        tags:
+          - repo
+          - git
+          - tea
+  - name: Server Monitoring
+    items:
+      - title: Beszel
+        icon: http://mennos-server:4000/assets/beszel.svg
+        url: http://go/beszel
+        tags:
+          - monitoring
+          - logs
+        id: 0_1725_beszel
+      - title: Dozzle
+        icon: http://mennos-server:4000/assets/dozzle.svg
+        url: http://go/dozzle
+        id: 1_1725_dozzle
+        tags:
+          - monitoring
+          - logs
+      - title: UpDown.io Status
+        icon: far fa-signal
+        url: http://go/status
+        id: 2_1725_updowniostatus
+        tags:
+          - monitoring
+          - logs
+  - name: Tools
+    items:
+      - title: Home Assistant
+        icon: http://mennos-server:4000/assets/home-assistant.svg
+        url: http://go/homeassistant
+        id: 0_529_homeassistant
+      - title: Tailscale
+        icon: http://mennos-server:4000/assets/tailscale.svg
+        url: http://go/tailscale
+        id: 1_529_tailscale
+      - title: GliNet KVM
+        icon: http://mennos-server:4000/assets/glinet.svg
+        url: http://go/glkvm
+        id: 2_529_glinetkvm
+      - title: Unifi Network Controller
+        icon: http://mennos-server:4000/assets/unifi.svg
+        url: http://go/unifi
+        id: 3_529_unifinetworkcontroller
+      - title: Dashboard Icons
+        icon: favicon
+        url: https://dashboardicons.com/
+        id: 4_529_dashboardicons
+  - name: Weather
+    items:
+      - title: Buienradar
+        icon: favicon
+        url: https://www.buienradar.nl/weer/Beverwijk/NL/2758998
+        id: 0_529_buienradar
+      - title: ClearOutside
+        icon: favicon
+        url: https://clearoutside.com/forecast/52.49/4.66
+        id: 1_529_clearoutside
+      - title: Windy
+        icon: favicon
+        url: https://www.windy.com/
+        id: 2_529_windy
+      - title: Meteoblue
+        icon: favicon
+        url: https://www.meteoblue.com/en/country/weather/radar/the-netherlands_the-netherlands_2750405
+        id: 2_529_meteoblue
+  - name: DiscountOffice
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 3
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: DiscountOffice.nl
+        icon: favicon
+        url: https://discountoffice.nl/
+        id: 0_1429_discountofficenl
+        tags:
+          - do
+          - discount
+          - work
+      - title: DiscountOffice.be
+        icon: favicon
+        url: https://discountoffice.be/
+        id: 1_1429_discountofficebe
+        tags:
+          - do
+          - discount
+          - work
+      - title: Admin NL
+        icon: favicon
+        url: https://discountoffice.nl/administrator
+        id: 2_1429_adminnl
+        tags:
+          - do
+          - discount
+          - work
+      - title: Admin BE
+        icon: favicon
+        url: https://discountoffice.be/administrator
+        id: 3_1429_adminbe
+        tags:
+          - do
+          - discount
+          - work
+      - title: Subsites
+        icon: favicon
+        url: https://elastomappen.nl
+        id: 4_1429_subsites
+        tags:
+          - do
+          - discount
+          - work
+      - title: Proxmox
+        icon: http://mennos-server:4000/assets/proxmox.svg
+        url: https://www.transip.nl/cp/vps/prm/350680/
+        id: 5_1429_proxmox
+        tags:
+          - do
+          - discount
+          - work
+      - title: Transip
+        icon: favicon
+        url: https://www.transip.nl/cp/vps/prm/350680/
+        id: 6_1429_transip
+        tags:
+          - do
+          - discount
+          - work
+      - title: Kibana
+        icon: http://mennos-server:4000/assets/kibana.svg
+        url: http://go/kibana
+        id: 7_1429_kibana
+        tags:
+          - do
+          - discount
+          - work
+appConfig:
+  layout: auto
+  iconSize: large
+  theme: nord
+  startingView: default
+  defaultOpeningMethod: sametab
+  statusCheck: false
+  statusCheckInterval: 0
+  routingMode: history
+  enableMultiTasking: false
+  widgetsAlwaysUseProxy: false
+  webSearch:
+    disableWebSearch: false
+    searchEngine: https://kagi.com/search?q=
+    openingMethod: newtab
+    searchBangs: {}
+  enableFontAwesome: true
+  enableMaterialDesignIcons: false
+  hideComponents:
+    hideHeading: false
+    hideNav: true
+    hideSearch: false
+    hideSettings: true
+    hideFooter: false
+  auth:
+    enableGuestAccess: false
+    users: []
+    enableOidc: false
+    oidc:
+      adminRole: "false"
+      adminGroup: "false"
+    enableHeaderAuth: false
+    headerAuth:
+      userHeader: REMOTE_USER
+      proxyWhitelist: []
+    enableKeycloak: false
+  showSplashScreen: false
+  preventWriteToDisk: false
+  preventLocalSave: false
+  disableConfiguration: false
+  disableConfigurationForNonAdmin: false
+  allowConfigEdit: true
+  enableServiceWorker: false
+  disableContextMenu: false
+  disableUpdateChecks: false
+  disableSmartSort: false
+  enableErrorReporting: false

ansible/tasks/servers/services/dashy/dashy.yml

@@ -0,0 +1,44 @@
+---
+- name: Deploy Dashy service
+  block:
+    - name: Set Dashy directories
+      ansible.builtin.set_fact:
+        dashy_service_dir: "{{ ansible_env.HOME }}/.services/dashy"
+        dashy_data_dir: "/mnt/services/dashy"
+
+    - name: Create Dashy directory
+      ansible.builtin.file:
+        path: "{{ dashy_service_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Create Dashy data directory
+      ansible.builtin.file:
+        path: "{{ dashy_data_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Deploy Dashy docker-compose.yml
+      ansible.builtin.template:
+        src: docker-compose.yml.j2
+        dest: "{{ dashy_service_dir }}/docker-compose.yml"
+        mode: "0644"
+      register: dashy_compose
+
+    - name: Deploy Dashy config.yml
+      ansible.builtin.template:
+        src: conf.yml.j2
+        dest: "{{ dashy_data_dir }}/conf.yml"
+        mode: "0644"
+      register: dashy_config
+
+    - name: Stop Dashy service
+      ansible.builtin.command: docker compose -f "{{ dashy_service_dir }}/docker-compose.yml" down --remove-orphans
+      when: dashy_compose.changed
+
+    - name: Start Dashy service
+      ansible.builtin.command: docker compose -f "{{ dashy_service_dir }}/docker-compose.yml" up -d
+      when: dashy_compose.changed
+  tags:
+    - services
+    - dashy

ansible/tasks/servers/services/dashy/docker-compose.yml.j2

@@ -0,0 +1,21 @@
+services:
+  dashy:
+    image: lissy93/dashy:latest
+    restart: unless-stopped
+    ports:
+      - 4000:8080
+    volumes:
+      - {{dashy_data_dir}}/:/app/user-data
+    networks:
+      - caddy_network
+    extra_hosts:
+      - host.docker.internal:host-gateway
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+
+networks:
+  caddy_network:
+    external: true
+    name: caddy_default

ansible/tasks/servers/services/downloaders/docker-compose.yml.j2

@@ -11,7 +11,6 @@ services:
       - 6881:6881
       - 6881:6881/udp
       - 8085:8085 # Qbittorrent
-      - 7788:8080 # Sabnzbd
     devices:
       - /dev/net/tun:/dev/net/tun
     volumes:
@@ -39,10 +38,8 @@ services:
       - {{ downloaders_data_dir }}/sabnzbd-config:/config
       - {{ local_data_dir }}:{{ local_data_dir }}
     restart: unless-stopped
-    network_mode: "service:gluetun"
+    ports:
-    depends_on:
+      - 7788:8080
-      gluetun:
-        condition: service_healthy
     deploy:
       resources:
         limits:

ansible/tasks/servers/services/necesse/docker-compose.yml.j2

@@ -0,0 +1,15 @@
+services:
+  necesse:
+    image: brammys/necesse-server
+    container_name: necesse
+    restart: unless-stopped
+    ports:
+      - "14159:14159/udp"
+    environment:
+      - MOTD=StarDebris' Server!
+      - PASSWORD=2142
+      - SLOTS=4
+      - PAUSE=1
+    volumes:
+      - {{ necesse_data_dir }}/saves:/necesse/saves
+      - {{ necesse_data_dir }}/logs:/necesse/logs

ansible/tasks/servers/services/necesse/necesse.yml

@@ -0,0 +1,41 @@
+---
+- name: Deploy Necesse service
+  block:
+    - name: Set Necesse directories
+      ansible.builtin.set_fact:
+        necesse_service_dir: "{{ ansible_env.HOME }}/.services/necesse"
+        necesse_data_dir: "/mnt/services/necesse"
+
+    - name: Create Necesse service directory
+      ansible.builtin.file:
+        path: "{{ necesse_service_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Create Necesse data directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        mode: "0755"
+      loop:
+        - "{{ necesse_data_dir }}"
+        - "{{ necesse_data_dir }}/saves"
+        - "{{ necesse_data_dir }}/logs"
+
+    - name: Deploy Necesse docker-compose.yml
+      ansible.builtin.template:
+        src: docker-compose.yml.j2
+        dest: "{{ necesse_service_dir }}/docker-compose.yml"
+        mode: "0644"
+      register: necesse_compose
+
+    - name: Stop Necesse service
+      ansible.builtin.command: docker compose -f "{{ necesse_service_dir }}/docker-compose.yml" down --remove-orphans
+      when: necesse_compose.changed
+
+    - name: Start Necesse service
+      ansible.builtin.command: docker compose -f "{{ necesse_service_dir }}/docker-compose.yml" up -d
+      when: necesse_compose.changed
+  tags:
+    - services
+    - necesse

ansible/tasks/servers/services/plex/docker-compose.yml.j2

@@ -14,9 +14,10 @@ services:
     volumes:
       - {{ plex_data_dir }}/config:/config
       - {{ plex_data_dir }}/transcode:/transcode
-      - {{ '/mnt/data/movies' }}:/movies
+      - /mnt/data/movies:/movies
-      - {{ '/mnt/data/tvshows' }}:/tvshows
+      - /mnt/data/tvshows:/tvshows
-      - {{ '/mnt/data/music' }}:/music
+      - /mnt/object_storage/tvshows:/tvshows_slow
+      - /mnt/data/music:/music
     deploy:
       resources:
         limits:

ansible/tasks/servers/services/qdrant/docker-compose.yml.j2

@@ -10,7 +10,7 @@ services:
       - 6334
       - 6335
     volumes:
-      - {{ qdrant_data_dir }}:/qdrant/storage
+      - /mnt/services/qdrant:/qdrant/storage
     deploy:
       resources:
         limits:

ansible/tasks/servers/services/qdrant/qdrant.yml

@@ -0,0 +1,32 @@
+- name: Deploy Qdrant service
+  tags:
+    - services
+    - qdrant
+  block:
+    - name: Set Qdrant directories
+      ansible.builtin.set_fact:
+        qdrant_service_dir: "{{ ansible_env.HOME }}/.services/qdrant"
+        qdrant_data_dir: "/mnt/services/qdrant"
+
+    - name: Create Qdrant directory
+      ansible.builtin.file:
+        path: "{{ qdrant_service_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Deploy Qdrant docker-compose.yml
+      ansible.builtin.template:
+        src: docker-compose.yml.j2
+        dest: "{{ qdrant_service_dir }}/docker-compose.yml"
+        mode: "0644"
+      notify: restart_qdrant
+
+- name: Stop Qdrant service
+  ansible.builtin.command: docker compose -f "{{ qdrant_service_dir }}/docker-compose.yml" down --remove-orphans
+  changed_when: false
+  listen: restart_qdrant
+
+- name: Start Qdrant service
+  ansible.builtin.command: docker compose -f "{{ qdrant_service_dir }}/docker-compose.yml" up -d
+  changed_when: false
+  listen: restart_qdrant

ansible/tasks/servers/services/redis/redis.yml

@@ -34,6 +34,7 @@
       register: juicefs_stop
       changed_when: juicefs_stop.changed
       when: redis_compose.changed and juicefs_service_stat.stat.exists
+      become: true
 
     - name: List containers that are running
       ansible.builtin.command: docker ps -q
@@ -68,6 +69,7 @@
       register: juicefs_start
       changed_when: juicefs_start.changed
       when: juicefs_service_stat.stat.exists
+      become: true
 
     - name: Restart containers that were stopped
       ansible.builtin.command: docker start {{ item }}

ansible/tasks/servers/services/sathub/.env.j2

@@ -0,0 +1,53 @@
+# Production Environment Variables
+# Copy this to .env and fill in your values
+
+# Database configuration (PostgreSQL)
+DB_TYPE=postgres
+DB_HOST=postgres
+DB_PORT=5432
+DB_USER=sathub
+DB_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+DB_NAME=sathub
+
+# Required: JWT secret for token signing
+JWT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='JWT_SECRET') }}
+
+# Required: Two-factor authentication encryption key
+TWO_FA_ENCRYPTION_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='TWO_FA_ENCRYPTION_KEY') }}
+
+# Email configuration (required for password resets)
+SMTP_HOST={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_HOST') }}
+SMTP_PORT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PORT') }}
+SMTP_USERNAME={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_USERNAME') }}
+SMTP_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PASSWORD') }}
+SMTP_FROM_EMAIL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_FROM_EMAIL') }}
+
+# MinIO Object Storage configuration
+MINIO_ROOT_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+MINIO_ROOT_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+# Basically the same as the above
+MINIO_ACCESS_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+MINIO_SECRET_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+
+# GitHub credentials for Watchtower (auto-updates)
+GITHUB_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+GITHUB_PAT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+REPO_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+REPO_PASS={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+
+# Optional: Override defaults if needed
+# GIN_MODE=release (set automatically)
+FRONTEND_URL=https://sathub.de
+
+# CORS configuration (optional - additional allowed origins)
+CORS_ALLOWED_ORIGINS=https://sathub.de,https://sathub.nl,https://api.sathub.de
+
+# Frontend configuration (optional - defaults are provided)
+VITE_API_BASE_URL=https://api.sathub.de
+VITE_ALLOWED_HOSTS=sathub.de,sathub.nl
+
+# Discord related messsaging
+DISCORD_CLIENT_ID={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_CLIENT_ID') }}
+DISCORD_CLIENT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_CLIENT_SECRET') }}
+DISCORD_REDIRECT_URI={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_REDIRECT_URL') }}
+DISCORD_WEBHOOK_URL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DISCORD_WEBHOOK_URL') }}

ansible/tasks/servers/services/sathub/docker-compose.yml.j2

@@ -0,0 +1,182 @@
+services:
+  # Migration service - runs once on stack startup
+  migrate:
+    image: ghcr.io/vleeuwenmenno/sathub-backend/backend:latest
+    container_name: sathub-migrate
+    restart: "no"
+    command: ["./main", "auto-migrate"]
+    environment:
+      - GIN_MODE=release
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+    networks:
+      - sathub
+    depends_on:
+      - postgres
+
+  backend:
+    image: ghcr.io/vleeuwenmenno/sathub-backend/backend:latest
+    container_name: sathub-backend
+    restart: unless-stopped
+    command: ["./main", "api"]
+    environment:
+      - GIN_MODE=release
+      - FRONTEND_URL=${FRONTEND_URL:-https://sathub.de}
+      - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-https://sathub.de}
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # Security settings
+      - JWT_SECRET=${JWT_SECRET}
+      - TWO_FA_ENCRYPTION_KEY=${TWO_FA_ENCRYPTION_KEY}
+
+      # SMTP settings
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+
+      # Discord settings
+      - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID}
+      - DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET}
+      - DISCORD_REDIRECT_URI=${DISCORD_REDIRECT_URI}
+      - DISCORD_WEBHOOK_URL=${DISCORD_WEBHOOK_URL}
+    networks:
+      - sathub
+      - caddy_network
+    depends_on:
+      migrate:
+        condition: service_completed_successfully
+
+  worker:
+    image: ghcr.io/vleeuwenmenno/sathub-backend/backend:latest
+    container_name: sathub-worker
+    restart: unless-stopped
+    command: ["./main", "worker"]
+    environment:
+      - GIN_MODE=release
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # SMTP settings (needed for notifications)
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+
+      # Discord settings
+      - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID}
+      - DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET}
+      - DISCORD_REDIRECT_URI=${DISCORD_REDIRECT_URI}
+      - DISCORD_WEBHOOK_URL=${DISCORD_WEBHOOK_URL}
+    networks:
+      - sathub
+    depends_on:
+      migrate:
+        condition: service_completed_successfully
+
+  postgres:
+    image: postgres:15-alpine
+    container_name: sathub-postgres
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=${DB_USER:-sathub}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_DB=${DB_NAME:-sathub}
+    volumes:
+      - {{ sathub_data_dir }}/postgres_data:/var/lib/postgresql/data
+    networks:
+      - sathub
+
+  frontend:
+    image: ghcr.io/vleeuwenmenno/sathub-frontend/frontend:latest
+    container_name: sathub-frontend
+    restart: unless-stopped
+    environment:
+      - VITE_API_BASE_URL=${VITE_API_BASE_URL:-https://api.sathub.de}
+      - VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-sathub.de,sathub.nl}
+    networks:
+      - sathub
+      - caddy_network
+
+  minio:
+    image: minio/minio
+    container_name: sathub-minio
+    restart: unless-stopped
+    environment:
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
+    volumes:
+      - {{ sathub_data_dir }}/minio_data:/data
+    command: server /data --console-address :9001
+    networks:
+      - sathub
+    depends_on:
+      - postgres
+
+  watchtower:
+    image: containrrr/watchtower:latest
+    container_name: sathub-watchtower
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_INCLUDE_STOPPED=false
+      - REPO_USER=${REPO_USER}
+      - REPO_PASS=${REPO_PASS}
+    command: --interval 30 --cleanup --include-stopped=false sathub-backend sathub-worker sathub-frontend
+    networks:
+      - sathub
+
+networks:
+  sathub:
+    driver: bridge
+
+  # We assume you're running a Caddy instance in a separate compose file with this network
+  # If not, you can remove this network and the related depends_on in the services above
+  # But the stack is designed to run behind a Caddy reverse proxy for SSL termination and routing
+  caddy_network:
+    external: true
+    name: caddy_default

ansible/tasks/servers/services/sathub/sathub.yml

@@ -0,0 +1,50 @@
+---
+- name: Deploy SatHub service
+  block:
+    - name: Set SatHub directories
+      ansible.builtin.set_fact:
+        sathub_service_dir: "{{ ansible_env.HOME }}/.services/sathub"
+        sathub_data_dir: "/mnt/services/sathub"
+
+    - name: Set SatHub frontend configuration
+      ansible.builtin.set_fact:
+        frontend_api_base_url: "https://api.sathub.de"
+        frontend_allowed_hosts: "sathub.de,sathub.nl"
+        cors_allowed_origins: "https://sathub.nl,https://api.sathub.de,https://obj.sathub.de"
+
+    - name: Create SatHub directory
+      ansible.builtin.file:
+        path: "{{ sathub_service_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Create SatHub data directory
+      ansible.builtin.file:
+        path: "{{ sathub_data_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Deploy SatHub .env
+      ansible.builtin.template:
+        src: .env.j2
+        dest: "{{ sathub_service_dir }}/.env"
+        mode: "0644"
+      register: sathub_env
+
+    - name: Deploy SatHub docker-compose.yml
+      ansible.builtin.template:
+        src: docker-compose.yml.j2
+        dest: "{{ sathub_service_dir }}/docker-compose.yml"
+        mode: "0644"
+      register: sathub_compose
+
+    - name: Stop SatHub service
+      ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" down --remove-orphans
+      when: sathub_compose.changed or sathub_env.changed
+
+    - name: Start SatHub service
+      ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" up -d
+      when: sathub_compose.changed or sathub_env.changed
+  tags:
+    - services
+    - sathub

ansible/tasks/workstations/1password-browsers.yml

@@ -30,6 +30,7 @@
           Firefox
           firefox
           opera
+          zen-x86_64
         dest: /etc/1password/custom_allowed_browsers
         owner: root
         group: root

ansible/tasks/workstations/flatpaks.yml

@@ -31,11 +31,6 @@
 - name: Define system desired Flatpaks
   ansible.builtin.set_fact:
     desired_system_flatpaks:
-      # GNOME Software
-      - "{{ 'org.gnome.Extensions' if (ansible_facts.env.XDG_CURRENT_DESKTOP is defined and 'GNOME' in ansible_facts.env.XDG_CURRENT_DESKTOP) else omit }}"
-      - "{{ 'org.gnome.Weather' if (ansible_facts.env.XDG_CURRENT_DESKTOP is defined and 'GNOME' in ansible_facts.env.XDG_CURRENT_DESKTOP) else omit }}"
-      - "{{ 'org.gnome.Sudoku' if (ansible_facts.env.XDG_CURRENT_DESKTOP is defined and 'GNOME' in ansible_facts.env.XDG_CURRENT_DESKTOP) else omit }}"
-
       # Games
       - io.github.openhv.OpenHV
       - info.beyondallreason.bar
@@ -46,16 +41,20 @@
       # Multimedia
       - com.plexamp.Plexamp
       - tv.plex.PlexDesktop
+      - com.spotify.Client
 
       # Messaging
       - com.rtosta.zapzap
-      - io.github.equicord.equibop
+      - org.telegram.desktop
+      - org.signal.Signal
+      - com.discordapp.Discord
 
-      # Nextcloud Compatible Utilities
+      # 3D Printing
-      - io.github.mrvladus.List
+      - com.bambulab.BambuStudio
-      - org.gnome.World.Iotas
+      - io.mango3d.LycheeSlicer
 
       # Utilities
+      - com.fastmail.Fastmail
       - com.ranfdev.DistroShelf
       - io.missioncenter.MissionCenter
       - io.gitlab.elescoute.spacelaunch
@@ -75,6 +74,8 @@
       - io.github.flattool.Ignition
       - io.github.bytezz.IPLookup
       - org.gaphor.Gaphor
+      - io.dbeaver.DBeaverCommunity
+      - com.jetpackduba.Gitnuro
 
 - name: Define system desired Flatpak remotes
   ansible.builtin.set_fact: