├── .gitignore
├── README.md
├── ansible.cfg
├── cn-mirrors.yml
├── factorio.yml
├── forum.yml
├── home.yml
├── homelab.yml
├── hosts
├── infinity-secrets.yml.asc
├── internal-certs
├── .gitignore
├── README.md
├── ca-key.pem.asc
├── ca.pem
├── device.crt
├── device.csr
└── device.key.asc
├── nginx-sites
├── ap-home
│ ├── blog.conf
│ ├── cats-blog.conf
│ ├── holding.conf
│ ├── jybox.conf
│ ├── mabolo.conf
│ ├── nohttps.conf
│ └── rpvhost.conf
└── infinity
│ ├── bitwarden.conf
│ ├── home.conf
│ ├── lobechat.conf
│ ├── miniflux.conf
│ └── nextcloud.conf
├── roles
├── bitwarden
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── docker-compose.yml
├── clash-redir
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── aptproxy
│ │ ├── clash.service
│ │ └── clash.yaml
├── clickhouse
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── config.xml
│ │ ├── docker-compose.yml
│ │ ├── keeper.xml
│ │ └── users.xml
├── common
│ └── tasks
│ │ └── main.yml
├── discourse
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── container.yml
│ │ └── nginx.conf
├── dnsmasq
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── docker
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ └── remote.yml
│ └── templates
│ │ └── daemon.json
├── factorio
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── docker-compose.yml
├── frpc
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── frpc.ini
│ │ └── frpc.service
├── frps
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── frps.ini
│ │ └── frps.service
├── gitea
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── app.ini
│ │ └── docker-compose.yml
├── global-vars.yml
├── letsencrypt
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.conf
├── lobechat
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── docker-compose.yml
├── miniflux
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── docker-compose.yml
├── mongodb
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── netdata
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── nextcloud
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── app
│ │ │ └── Dockerfile
│ │ └── web
│ │ │ ├── Dockerfile
│ │ │ └── nginx.conf
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── docker-compose.yml
├── nginx
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── holding
│ │ │ └── index.html
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── basic-auth.yml
│ │ └── main.yml
│ └── templates
│ │ ├── default.conf
│ │ └── nginx.conf
├── postgres
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ ├── dump.yml
│ │ └── main.yml
├── pppoe
│ └── tasks
│ │ └── main.yml
├── prometheus
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── docker-compose.yml
│ │ ├── loki.yaml
│ │ └── prometheus.yml
├── restic
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── restic-backup.service
│ │ └── restic-backup.timer
├── router
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── netplan.yaml
├── rsync
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── rsyncd.conf
│ │ └── rsyncd.secrets
├── samba
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── avahi.service
│ │ ├── com.apple.TimeMachine.quota.plist
│ │ └── smb.conf
├── shadowsocks
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── config.json
├── syncthing
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── syncthing.conf
├── traefik
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── fileprovider
│ │ ├── dashboard.yaml
│ │ └── middleware.yaml
│ │ ├── traefik.service
│ │ └── traefik.yaml
├── transmission
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── docker-compose.yml
├── trojan
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── config.json
├── wireguard
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── wg0.conf
└── zfs
│ ├── defaults
│ └── main.yml
│ ├── handlers
│ └── main.yml
│ ├── tasks
│ └── main.yml
│ └── templates
│ ├── clean-zfs-snapshots
│ ├── mountall
│ ├── zfs-snapshot.service
│ └── zfs-snapshot.timer
├── secrets.yml.asc
└── voyager-secrets.yml.asc
/.gitignore:
--------------------------------------------------------------------------------
1 | *secrets.yml
2 | *.retry
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Playbooks
2 | Infrastructure as Code for my servers, NAS and router, currently managed with Ansible.
3 |
4 | ## Import SSH Key
5 |
6 | ```
7 | mkdir -m 700 ~/.ssh
8 | curl https://github.com/jysperm.keys >> ~/.ssh/authorized_keys
9 | chmod 600 ~/.ssh/authorized_keys
10 | ```
11 |
12 | ## Encrypted files
13 |
14 | Encrypt:
15 |
16 | ```
17 | gpg -a -r jysperm --encrypt secrets.yml
18 | ```
19 |
20 | Decrypt:
21 |
22 | ```
23 | gpg --decrypt secrets.yml.asc > secrets.yml
24 | ```
25 |
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
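1 | [ssh_connection]
2 | pipelining = True
3 |
4 | [defaults]
5 | inventory = hosts
6 | # remote_user is the [defaults] key Ansible actually reads. The previous
7 | # ansible_ssh_user is an inventory variable name, not a config option, so it
8 | # was silently ignored and connections fell back to the invoking user's name.
9 | remote_user = root
10 | stdout_callback = debug
11 |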
--------------------------------------------------------------------------------
/cn-mirrors.yml:
--------------------------------------------------------------------------------
1 | ---  # Variable overrides that point package sources at mainland-China mirrors; no playbook shown here loads it, presumably passed with -e @cn-mirrors.yml
2 | pip_args: '-i https://pypi.tuna.tsinghua.edu.cn/simple'  # extra pip arguments (which role consumes this is not visible here)
3 | docker_mirror_url: 'https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu'  # presumably the apt repo roles/docker installs from; the upstream signing key stays the integrity check for packages — confirm the role still installs it
4 | docker_registry_url: 'https://docker.mirrors.ustc.edu.cn/'  # registry mirror for image pulls; a mirror does not change image provenance, so pinned tags/digests in the compose templates remain the control
5 | discourse_templates: ['templates/web.china.template.yml']  # launcher template list handed to roles/discourse, presumably replacing its default
6 |
--------------------------------------------------------------------------------
/factorio.yml:
--------------------------------------------------------------------------------
1 | - hosts: infinity  # one-off play: deploy a Factorio server on infinity (no leading '---', unlike the other playbooks)
2 |   vars_files:
3 |     - secrets.yml  # decrypted from secrets.yml.asc first (see README); both plaintext files are git-ignored via *secrets.yml
4 |     - infinity-secrets.yml
5 |   vars:
6 |     factorio_version: '1.1.35'  # pinned game/image version consumed by roles/factorio (template not shown)
7 |     factorio_server: 'spaceex'
8 |     frp_client_proxies:  # NOTE(review): frpc is not in this play's roles, so this list only takes effect if roles/factorio consumes it itself, and it would replace (not merge with) the list in homelab.yml — verify
9 |       - name: factorio-spaceex
10 |         local_port: 34197
11 |         remote_port: 34197  # once forwarded, this UDP port is reachable on the frps relay's public address; presumably the game password is the only gate
12 |         type: udp
13 |   roles:
14 |     - factorio
15 |
--------------------------------------------------------------------------------
/forum.yml:
--------------------------------------------------------------------------------
1 | ---  # Discourse forum host (ap-forum): docker-hosted discourse behind nginx with a Let's Encrypt cert
2 | - hosts: ap-forum
3 |   vars_files:
4 |     - secrets.yml  # supplies the ses_smtp_* values referenced below; kept out of git via *secrets.yml
5 |   vars:
6 |     discourse:  # list of forum instances consumed by roles/discourse (templates/container.yml, not shown)
7 |       -
8 |         name: atom-china
9 |         domain: atom-china.org
10 |         smtp_user: '{{ ses_smtp_user_atom_china }}'  # SMTP credentials are templated through; presumably they end up in the container config on the host, so that file's permissions matter
11 |         smtp_password: '{{ ses_smtp_secret_atom_china }}'
12 |     letsencrypt:
13 |       - atom-china.org  # hostnames the letsencrypt role requests certificates for
14 |   roles:  # roles run in this order; discourse precedes docker, so roles/discourse/meta/main.yml (in the tree) presumably declares docker as a dependency — confirm
15 |     - common
16 |     - discourse
17 |     - docker
18 |     - letsencrypt
19 |     - nginx
20 |
--------------------------------------------------------------------------------
/home.yml:
--------------------------------------------------------------------------------
1 | ---  # ap-home: static sites under nginx plus an frps relay endpoint; the rsync share is currently disabled
2 | - hosts: ap-home
3 |   vars_files:
4 |     - secrets.yml
5 |   vars:
6 |     letsencrypt:  # NOTE(review): only jybox.net is requested here, yet nginx-sites/ap-home/blog.conf loads a jysperm.me cert from /etc/letsencrypt/live — if that site file is deployed, confirm the cert is issued some other way or nginx will refuse to start
7 |       - jybox.net
8 |     # rsync_users:
9 |     #   -
10 |     #     username: 'synology'
11 |     #     password: '{{ rsync_synology_password }}'
12 |   roles:
13 |     - common
14 |     - nginx
15 |     - letsencrypt  # runs after nginx, so on a first run the cert referenced by jybox.conf does not exist yet — presumably the letsencrypt role's nginx.conf template handles that bootstrap (not shown)
16 |     # - rsync
17 |     - frps  # public frp relay; refinity and the satellite host in homelab.yml run frps too, and which one infinity's frpc targets is configured outside this file
18 |
--------------------------------------------------------------------------------
/homelab.yml:
--------------------------------------------------------------------------------
1 | ---  # Home-lab playbook: the infinity NAS/app host plus the frps relay hosts; the retired voyager router play is kept below as a comment
2 | # No longer supported since ansible 2.17
3 | # /opt/homebrew/opt/ansible@9/bin/ansible-playbook
4 | # - hosts: voyager
5 | #   vars:
6 | #     nextdata_exposed: true
7 | #     # dns_proxied: true
8 | #     frp_client_proxies:
9 | #       - name: wireguard
10 | #         local_port: 41194
11 | #         remote_port: 41194
12 | #         type: udp
13 | #   vars_files:
14 | #     - secrets.yml
15 | #     - voyager-secrets.yml
16 | #   roles:
17 | #     - common
18 | #     - pppoe
19 | #     - router
20 | #     - clash-redir
21 | #     - dnsmasq
22 | #     - netdata
23 | #     - wireguard
24 | #     - frpc
25 |
26 | - hosts: infinity  # main play: every self-hosted service runs on this host
27 |   vars_files:
28 |     - secrets.yml  # both secrets files are decrypted from their .asc copies first (README) and are git-ignored via *secrets.yml
29 |     - infinity-secrets.yml
30 |   vars:
31 |     nextdata_exposed: true  # NOTE(review): the role is named netdata, so this looks like a typo for netdata_exposed; if so the override is silently ignored and the role's own default decides whether the dashboard is reachable — confirm against roles/netdata/defaults/main.yml
32 |     letsencrypt:  # one certificate per public hostname; presumably all of them are reached through the nginx-http/https proxies below
33 |       - 'nextcloud.{{ infinity_domain }}'
34 |       - 'miniflux.{{ infinity_domain }}'
35 |       - 'bitwarden.{{ infinity_domain }}'
36 |       - 'lobechat.{{ infinity_domain }}'
37 |       - 'home.{{ infinity_domain }}'  # infinity_domain is not defined in this file; presumably it comes from one of the secrets files
38 |     miniflux_base_url: 'https://miniflux.{{ infinity_domain }}/'
39 |     bitwarden_base_url: 'https://bitwarden.{{ infinity_domain }}/'
40 |     zpool_name: storage  # presumably the pool roles/zfs manages; every restic path below lives under /storage
41 |     frp_client_proxies:  # everything listed here becomes reachable on the frps relay's public address, so the relay (not this host's firewall) is the real internet-facing edge
42 |       - name: nginx-http
43 |         local_port: 80
44 |         remote_port: 80
45 |         type: tcp
46 |       - name: nginx-https
47 |         local_port: 443
48 |         remote_port: 443
49 |         type: tcp
50 |       - name: wireguard-default
51 |         local_port: 10011
52 |         local_ip: 10.0.0.1  # the WireGuard listeners are reached via 10.0.0.1 rather than loopback — presumably this host's LAN address; confirm against roles/wireguard/templates/wg0.conf
53 |         remote_port: 10011
54 |         type: udp
55 |       - name: wireguard-mexin
56 |         local_port: 10331
57 |         local_ip: 10.0.0.1
58 |         remote_port: 10331
59 |         type: udp
60 |     restic_backup_paths:  # presumably what the restic-backup timer snapshots; anything outside this list (other /storage/shares trees, say) is not backed up
61 |       - /storage/db
62 |       - /storage/nextcloud
63 |       - /storage/private
64 |       - /storage/shares/AudioWorks/Caipai
65 |       - /storage/shares/VideoWorks/Rendered
66 |   roles:  # roles run in this order: bitwarden (a docker-compose role with no meta/ in the tree) precedes docker, and zfs comes last although several roles use /storage — fine on an already-provisioned host, worth checking before a fresh build
67 |     - bitwarden
68 |     - common
69 |     - docker
70 |     - frpc
71 |     - letsencrypt
72 |     - lobechat
73 |     - netdata
74 |     - nextcloud
75 |     - nginx
76 |     - restic
77 |     - samba
78 |     - transmission
79 |     - zfs
80 |
81 | - hosts: refinity  # bare frps relay host
82 |   vars_files:
83 |     - secrets.yml
84 |   roles:
85 |     - common
86 |     - frps
87 |
88 | - hosts: satellite-sin  # NOTE(review): not in the hosts inventory (which lists satellite-sgp and satellite-usw), so this play matches no hosts — confirm the intended name
89 |   vars_files:
90 |     - secrets.yml
91 |   roles:
92 |     - common
93 |     - frps
94 |
--------------------------------------------------------------------------------
/hosts:
--------------------------------------------------------------------------------
1 | ap-forum
2 | ap-home
3 | voyager
4 | infinity
5 | refinity
6 | # Flat, ungrouped inventory with no host vars; addresses and login presumably come from ~/.ssh/config or DNS. homelab.yml targets "satellite-sin", which is not listed below (only -sgp and -usw), so that play matches nothing — confirm the name.
7 | satellite-sgp
8 | satellite-usw
9 |
--------------------------------------------------------------------------------
/infinity-secrets.yml.asc:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP MESSAGE-----
2 |
3 | hQEMAyp325QokoazAQf9HUkqMiTk+RXqTrRuKApAKndFgp882D/F3tpVkbcaV+RY
4 | NpNT+X+Nl6GeBvmhvBnzSWXR50OAicaGdSxLSAm540c0HjI6X/ntNe5MjkLpgaEy
5 | H3B2z6TCWpz2Mqrp5vBVrGohI0BSN9Oun+EwN7E2H1LWOtRDQzYNEjrpGXqV+upj
6 | mLaJoZQrlUynoaCWpSoVnCvaHo6GFLxgWijMW56s38kV6FzjQ+SeVKSNwFWYYA7R
7 | F+GCWYzLANCeclJZiX5C/T5U8VM1KVKjeGisyghb+7p4CTrhhAqe55ze5lnYISqe
8 | cp8/z1InFB4r5Xv0jIYgNNXx7i2zQOFyZP3jw778J9LpAVZIuVHULwcmAk/qT+z7
9 | DIYTXYZlYaR343gpZFPd63A8BTfIgDHExHeRK47tma3nO5ciNLxLBJTpq01YqNTk
10 | 5V/FUVSpiC+dKVomFaRy/jZgE+4p5X7cmpZBYZT8WhC1SnvraZBR5cQxVJh8x9YC
11 | EX3LpxXGcp09a2tGFhBRWNEakhsSP/l29aBztmbUYRlJbzopCKn1vzS6E1DLHk53
12 | zf2qMfmr5F0Sa4iiqa0IMPCUc01edc3KJCa9SM0M9l4na45sxlIt0YhRfoYSyfwf
13 | KAt+V9QLMB6VqMnQ8Q1+FLwpiJNCl6jk1hsO4pY8hruo02T4zmYAlAVYyiovnEwQ
14 | YbqV4BWZRi8UJSLaCoB8iemJnpf5qLBzXgbzndiWTX+qHT6osvEwiPRxkAnwQe4J
15 | SCRgo7ATRlz6/8OwIxe5DI4Kzvr3AxBT+lm48Tl3ax+wFR5pX9nPVJfnaVvPW1GN
16 | SdEj0oh61tfiIzAiGlVxnwguBpuxRfxM44enrY26Fu5ru3P0XADlDkgxgphKBxg0
17 | 4Nt5hDw6+GeUOPWuxQUedyjLaRinfdT1HCBcQUGN3gqit9fD7dlUa6wnukN7OSj1
18 | Ly7E850Roo2WhxR+I6uEwdrrjGO21yvSJeMxn61hZmXKLTruknkOjSVekbll5Il0
19 | yTCbSZnW/8mN2Ejr7J1ZzYPApb03H6UqBvDBYAgciBVpAcGWjtwzjCyaVWtAvfde
20 | 1CACdjpEbjs5zSWy1tny6JmM0FobMGYpZynsEcm1nxDNKlLjtStFvOy2UxEhY6b7
21 | EJzZuyp7AQV7cL3LC6LoZ+HDI7hPwmuET8wGAohehG6CS01Wdiz1plXJRsYQnMah
22 | UaacAdBhoVuJaLFNtununS26ZAZcB13r9BVZNgcdWjGOG3CGGAzLPTdxpDQHJNWg
23 | BsS/FaXu624IlaXH9bkYMxMb6FbD9/mSX2cUQDxHoGbgXXb8/tWHpgkZnL4DeQMu
24 | KvCXAxiZbmBAlJnJi8JRwot3YUPb6tIedT68L6nXuz7RBxYiG+1nyuo6EaiNAqIC
25 | 51mUA8SesWCt84DvaQRCXK6zMMaZ4wVPAaD/Noyfe5qj2avHeB514mgr83oMlTNp
26 | 4vk5GE2XLGOjf9O2ejOy3pKhQFUlA8mmi89EnDxC+G8/aUgakHZXwQ==
27 | =Af7A
28 | -----END PGP MESSAGE-----
29 |
--------------------------------------------------------------------------------
/internal-certs/.gitignore:
--------------------------------------------------------------------------------
1 | ca-key.pem
2 | device.key
3 | device.p12
4 |
--------------------------------------------------------------------------------
/internal-certs/README.md:
--------------------------------------------------------------------------------
1 | https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd
2 |
--------------------------------------------------------------------------------
/internal-certs/ca-key.pem.asc:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP MESSAGE-----
2 |
3 | hQIMA7QPOvDkZs8eAQ/+JjW3jgMcGjkF/AobbS1PkBnbp3l5stLlUAkVhNROhrOB
4 | uX9v1PVJKLy9BYYsaDELKKd5Cm2NNpLSxLklU/YJtxugFnGAWxMZB+nvzb6scP1V
5 | QmKq3jgaxshK9YHcpttxKhKm0W1vEag0dcZ6rATB0BBOTQMkYWhRULhmXR2QXs3B
6 | 6IdxqIWlae24Ngvo9kqdEYxG0WOYkl6cdzmlotaGNIgTrOjDMFDXXhuKbOym9UGd
7 | hz+/JsWn9rjFUS7r71kqT1dLTAU3a1/SMgrx5PlUgJwvq1YuuNIwWDI4datiUAl8
8 | u+P9TjhWh1M7UUHLVf/fwSXzqpz+n4x2q2zRQr8iI0/JYczEH5erT84g1bgzio3a
9 | 4qcoUSn+d09C4hPbcxnunaFMu49S8IY3GCQWGvzVd13zmXpYyfyosm/4fE4+Pp2S
10 | rpEBaj45my7sIxjwzpeByiHBmS7rARD2ULAzdtaIJi0uJKckjbhD1Kr5mz0yiN6f
11 | dj6BYltqMzv7QYx87CSP+oVNx/iG15eeayVJf3QE/suEdlE/cj4dWnRIA7p9cbQP
12 | atL8UhmZ4iLnvwZ50IXVksT0pTIQlwRydPSWSeU6kTiUJslOZ/XwRVOX/iFp1+4w
13 | cxiv1E08yFOOngdKvD5r565IYpPQPrAKmb5qB7CToJPHOxH3R9PbV5oVMnbsAkTS
14 | 6gHSUR/tHbxXO9+0AlnSN5pxLLXwMTm4uP1fThOUZ6y+dULV2Pj12BGHPcAbgbju
15 | kDumKkwkl4dXt0PHOU4xP6soc7U1kmMDyIlsyyXW5oDvkZOHIhLWHhV+5TWukS37
16 | d7I+3DfHbn3OjQqGtkSaLnYLi/eeSqkdm3RUOvm9+IekyJojGsjcO+M7zJP+Posx
17 | YWTsxtPZsqVmfttimPc6IonsTdvad3+ds5Mx95c6XUpAPDNgRnyIXj4Sgw6xwWCr
18 | evnBT6Sd4aMNloq/Yune+NCUQPUH6btV/zEFmMZHrtiiquJxL1T6aTB/hVyYft0S
19 | QGPleDijrOUS8S+ex2sJszNU5g/VfocG5TIwF3QRVpmG61ptBBdo3idSIQf2ixsa
20 | pFqsY5aHRXRdVi47O43vUuRTNu/RqbYKtslYsD1tGV9uCJfMgutPZ+9Azuoywd4D
21 | KhVTzFvwnLqSTOsq7LpXEDLYOwGEQBXteK7w6RTuKNWwqTyne3nKVfFTcqQQGYCF
22 | zG6PSEaW52bnXfcqxjAeGwuflUbMyfTMo15WRtYbnvsedyhQLlK/kwUQSgp3iDGB
23 | Q0xLQAxEw/ZHp9dCflFQ9Su/9GT3V3qW/50HXLJiDwZsJr9ncW2mcyxTOsKVDGv9
24 | G7tZxO9IhPwamFtJCVwh1FhN3BFhsTfD0/lVFmASyDPRdgald4NehMADuWHFci1m
25 | 6IxKgZVm5GQTpKYr2fRUiQHsgTE1oWfZd95/aAGyoV4NCWqU7t4fGebbWgovk0mb
26 | PXZWvHKkPMCMp/Z/Co9riOVukJfpS1HQdat4hAwyHpRn0PzouQsk7rBYZPQOhH1D
27 | H+7TiB333BYxBcoGx4eNbrxQRCl8J1Nl+g/SMMgDq8ln/M6HthN4lZVp9e9UtMQx
28 | Xju8QgvzrI/yF8+jYFM+Gq0GL1763y0H5IwN+RPKKMnwf0ftzGSApdAdHV0MegI3
29 | tGCZJXgDvEjhpdeBNe086MeZgV2/VZjwY5bJjnx0XMLye42QMdo/z7VBAvd4/gWm
30 | d9MKD3THg/tuZ7wtCTNIQFHRW3buDYYlMDwhQF5bOpV2EeQdWdLzoviQjroc+ABU
31 | PuAXCNrg0ya7VHi2gSbNWVMTafFWIdJ00QLk2pLNk7X63lWhliR/Ly+e4UmY+iYa
32 | sytnV86oN1EnVFTIn+cL3HKe9B0mNSZ5uHSYSd9XxpeRjbNVedFYa0lMzqKLSlL6
33 | oBgQLxqh8ZFfB8X6gRnAx0ylvB0VjNU9Ej81QYamj7ct6NEQ8hWlsZNmR4Aq0+Tj
34 | 04quZZjEjxzEXbcXQYc8tV2acnhJZJ8pu/O5dTfbjTJPJ3RpV8ijaqEuYkg9opTD
35 | ESuye6WZZ75KyEGOv1CY5Jzqx6CKk4488Mtp7xImfgyqRXvs0jOzVSc5M05ntOcq
36 | XTvTUvPftoTPxQ0u9ihmyo3BaAAWm1Jt83XNXzJ20yT8l3zRT3BD8P/NW3Rx2J0c
37 | XMX11vtOUGFgSTALXFt9I3R6aAl2JKkCVjYjuKLyby4RWcXSC7/IUlApKkExYozy
38 | lWW4B8m9Hw9iZE4KaAwH6MIJp8gUQCW3CxyV4XMAKNwtaEAE95Y5LF+ISNFlGzJk
39 | oU2zLyn13f1liFOMRAC+WpcZLtKcJi+rsn9sai+7PpOBdZ85DeJ5K17uUoXJTAy0
40 | 2VL3Y+EsaeMTuAmeYTPhwNWFu8KQRdU/Fw3aCTJHPT3uSScpqi/x+Cp+946KjEBL
41 | wZkwFE3BNnbZKvfhaIay1N6J8f/XBW71gyFEw7FVct51BAPvzJf9eIGBkXZXttSf
42 | tL2HeVxdoWomRCi/Fguh/+BN+AGvX+20p9IDQhw9FdmJoUxm+sjTyf01LmEcvR6L
43 | KPPDjDuAYNK2anxL7AHFf0/Ec22O2wT0S+4tv9xuP2qkdHXMIcU+IFYpm18r8ewo
44 | 2m3W7n6CfilWG1baXXHr3MoWRdFN4UZ5mXntfWFI9rn6G5TdgUqhsgTkSzqiG9rI
45 | 2L+jOswNkFlUbM2uqroCuNdZEqPAJMXZu8qIcXumxIcgwRmbTxqc7SXH2zovzBG9
46 | uFUQCbmKU04Qroy0j/2bs3MiRTRiSycBgwjXSfOvw+vVMgPBOqMXCJYTvYVEFyDK
47 | iJCLew3e4ryFho5O0CD607anpfm2wPGel18hhitmPNb9IVBRtnXGz7c2A6kSf+J3
48 | /O34OIUMooFHkawksI0gn3vE1ZgfazHzNnOBYKCcaNYSdBVDoCGhi8Ev3yajZ6T9
49 | 47qmmitHGC8xY6vpuPIIKGEY/pRi90tNjnyROhOIqmbmcd87HzYrMPXOsEw6TXfA
50 | LWikRsDutWZvl5qWw4uMU4uHjgt6OmFwg/95tF0LNxzdvFOR2BTkWn5iC9VPN6+/
51 | Hyr96C3gFK1zj5A0NvUFdrB+9eUJ4YJWgQLYSAF87GcWf+1Gm+zc9sNxrIpThfBq
52 | 5VLk/OOFYNMq9xskrpSfeBReE1oiV+VabV10+w6HqNOg9GHgc9H3gRH2aeeS59iF
53 | EqUFHEzPRM0TFFGj4ifHtuiIG/m5Qn8kye28obMOuMjQfvxxfps4whj8j0PWJ5ru
54 | ZZ/8kMizV0sY2xRpYswTooXY8GGg9Ieu3kVoTvUDjVSBoyZl0oKBOLdAOX/rczOq
55 | LnZtspRXh7YccreYw6LXwAj5n9ZZQU7qUh1gL3wNemLkyM0bFd5c+9t8mAmGTi0E
56 | BOhlICOmoYUCqJN8Ap5FuvGs1oXJ0qYREeZ6zjH/oE/1AulccLxvsNSycWwCiaSL
57 | ELt7gISCTG6Zuw6TD6tSMxLn3X6TxkQzN14ImhtHDmuXa+IZb9/WJkMWdmJM+mx4
58 | Job4H8bkwlGlgPSPZ+7dWpFXBM5HVKHugdMRImHOBJ2bzb0mz7lFral9AwAqTAY9
59 | 1ufJOJAUVMeYncs62jNmXZGDl9hK2HWbuOz4jSecUKmGHfY3UslHLSJESh9YgMxj
60 | eVm8KA5XyUDEJNm7zjZ2ej7gvwExnU+UYghAiU+0gqudvwkzvmevB35Nw8FAxELJ
61 | qFGJt4z3hBQXzEAz4ZD5XOM/lhpIclOCyM73xJt1F2gFya+zc3hTnELzyCgj0b3N
62 | rYy8E6yN+KCXCs6fWlWWGGoZZ+8vMbhYoQXI+we4L8lAoBa0xEXJ6J0ADoV3vjUk
63 | wKeyVtzGQB7jYiAp+mgCMfc9xVxZxPIIS2ojLYNOKWIRDzDFmxuovle0jjZdObGu
64 | Kcxdvn1M8o2CRWhFB6/nSAHKbUwuACupvdLIlj1xIcHBiyn2QknLUcdNj6J62ai5
65 | b+9ObbcC0z43YcLzby4dfFPWTkmpH5O3pFzLKdrbUiXgLf2u/xYZcj2bx7jqCNR2
66 | mXv4UUcRGXW0DU933KJ1p9XpzEei4HkiEfCdLIdVqRnFDNd30v7Q2THGZP5jnRJh
67 | ocNHft1pbzNijpJMy3KphQAYMQEk
68 | =VSP0
69 | -----END PGP MESSAGE-----
70 |
--------------------------------------------------------------------------------
/internal-certs/ca.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIF2zCCA8OgAwIBAgIUKCi45UEnx0wJA49c7UU0FiF86SUwDQYJKoZIhvcNAQEL
3 | BQAwfTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLeml0aW5nLndhbmcx
5 | IDAeBgkqhkiG9w0BCQEWEWp5c3Blcm1AZ21haWwuY29tMB4XDTI0MTEzMDEwMDQw
6 | MVoXDTM0MTEyODEwMDQwMVowfTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt
7 | U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UE
8 | AwwLeml0aW5nLndhbmcxIDAeBgkqhkiG9w0BCQEWEWp5c3Blcm1AZ21haWwuY29t
9 | MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw/nkgXxytvQnHeaMLN6p
10 | ozurdQNloIerkpHww44UbwYQByJqjhIHGZr3YbMKJfguph6AewEHhCLRTn1k37i9
11 | RCxB6MKyvZE29YU1PtdMvAwagyjg23UHC6MgzsA0Rx8T/w9aWb7GHGojpCkDzeVU
12 | yLTvvgjJBDrZpvst7gZ9R0+QYwbxcupyVPB90WOsaTuLS0cVjJfK2G4lrXBQDAvF
13 | hgBkpTpv6kzbiv0s/Nt5R69POisCbArto/YME1EiJKzuP/sxTHv2rCDhsvXg+c1h
14 | 99nHMhwxN9Ql9RQT0/NLj5OEufv05x9q9Bgj1Py9eSqnfS9D2x4PUdUfu/tLHHRU
15 | 9JE1qfxrjcNG2rAv1CxoDiYaYoYlmtloAluSOkB8JyeNNZDlAS6gIvJFA4xDgRPK
16 | J8IuNhnZl2MXpwkLG3AYaEjIbEEHZdtNW+ScV6Ay+jnE5Ypo20LTKpm76+Hs7AJU
17 | 3BL3N0zwow3zCzSUDE2HVTEgTVRVZ7vwwhcuVlyprUVl5+Lv9sV4rqIYIg3dNXY7
18 | Tt9ph2x/LOlPrevqPWFqwFYOkO1a+bu1uEdnyIFzojk6SApBfVCxVH5qw8Mw+yBk
19 | vKGJkMYoN7KhfEnlvSUq1X39aNd4GD8ZbNNgvSAzno0xDaX9cegcxoP9OBq2AI0q
20 | C7QgB1BEleBOD/ly4J50iAsCAwEAAaNTMFEwHQYDVR0OBBYEFBJZGqoAOTUgmJGx
21 | gqI7evRbo7W8MB8GA1UdIwQYMBaAFBJZGqoAOTUgmJGxgqI7evRbo7W8MA8GA1Ud
22 | EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJIYbE/pidlRC1wqB7okn6ym
23 | TzZHM06I6I3kW0Z6LNUIu0oqxZ7uYEWFiXNgcYpH1cVQxARynxwqrdoAxfAzkPa+
24 | GFKeMZJjbBV4/Vk0ggPHZ0ODjixzRka2KNflh7wF3IPBbl/ckLY0RrZPjf3YO9B9
25 | fnmd6AJJ82CQZJ9kfNr0KprIE7esvBGf7SqRgiFQWUxD3ETO/+KfzHWDqr3tTkxE
26 | BROmwDbFkdZNFnicwbnmuvr9tqax3f3BmXlydgYH4mSPxMzKjDAuhTwNLpu0h5Yj
27 | VsinQ8yMaojHXZz+lFsECx3M3AVgNApXKo98vHTd7i09UDa1d6czrOLQG3fxgPDf
28 | yrLEFnO9873R4qOouFujSPZ5kJarhgVIr1OPasy/VjnU94P1OD5x8WMFmm5ZJJs/
29 | hRtWX85q51dsjSy5cd1KGg+xdt3RWRloPsrVILkM5CgVvYo8WY6+yy8VSyYn9RkC
30 | Bkb8aDnzgA9f2KWjG7qzNXq4J9VMBD8IuZOoLx/E7p9ZoVQU9uDSJZo5uLXT7UNh
31 | MiFidMllS3++BSl4hW970wD5L5RHxodgRDVwxCfa39TnvjWgLgu4WkzKhWFNwNvC
32 | epDEjPW1IQ/HUlbrY7nLVsX2XxiMnBTQqZo7j63NngtwvgAlP20LlgR2Lx7FlO80
33 | +2Fmy36VxODehuPocA6j
34 | -----END CERTIFICATE-----
35 |
--------------------------------------------------------------------------------
/internal-certs/device.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIF0TCCA7mgAwIBAgIUGZw0w1vyGECFD/fhisufmfmuJOkwDQYJKoZIhvcNAQEL
3 | BQAwfTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLeml0aW5nLndhbmcx
5 | IDAeBgkqhkiG9w0BCQEWEWp5c3Blcm1AZ21haWwuY29tMB4XDTI0MTEzMDEwMDgy
6 | MVoXDTM0MTEyODEwMDgyMVowgYMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21l
7 | LVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNV
8 | BAMMEWp5c3Blcm1AZ21haWwuY29tMSAwHgYJKoZIhvcNAQkBFhFqeXNwZXJtQGdt
9 | YWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrXHiQ+F2ls
10 | zDTwLr7QqL5jIrtXx92F56RnGZz20xPOMpGJLQk1COhQZO5etoWlOACz8KaydKbH
11 | /wWr+ra418CPX5J19bRv0rjpJM+jNVwO174mYAIIn1lO2IlzURD1J0P55dJbTG4Y
12 | WaNjJP1BjdiqbYOOgEJad2NNei1bHFhe0ae6J5ImdqKMxpkCQzAjGv1HrwO97Ltf
13 | tGmVzDMoB8cWu3JdEgmzt37P2gMGVHA5pEwTUZiClrpyG94Ckk0XlAg76ar9mPXD
14 | FSA6E5BL6pX5IOGJku7q+sc+DGdgFcFUgyhlODF50kEOBy64OtQi3XjFfB7lKNt8
15 | jflrGDr/4oPtO/f/Z5OYpMhZWGYD4h2AVEB9vTsuV0HRdJgcMgmdAocKt8Kw6/py
16 | dk72829pcg5MnE73xcG2NCc6DOyORoMloulj9mMBKOvnZdVYf/ZxFJtXdqrZGBET
17 | /v/EgqpecIhOuCEL/LjKl+AMT6ee4U3ufzPsON4IUul0m2RZf33KBh3dLUh65ylu
18 | kCIOTfnsUaFMhcTohPdRNE/2AHeB2UU8ueP27uZ9+IqFl4RLTyay6OO6rqQRjFbS
19 | 4Kh9ieTy7JdZSYweyVV49zjHwLG/6DswusU6IBT2ObiO9+qD/tu4lJQc54ntv8QH
20 | tse5d+W+/abBrbXJquCVIjXjG3eIjTRTAgMBAAGjQjBAMB0GA1UdDgQWBBQNm4cM
21 | ReQJaJGxrg9OuuO79b/nSzAfBgNVHSMEGDAWgBQSWRqqADk1IJiRsYKiO3r0W6O1
22 | vDANBgkqhkiG9w0BAQsFAAOCAgEANLTj7DLOAxo36cr6XY0V0zmuDKW9pA72zhTp
23 | +Gz4DRN4LMiiiH00AEHFlzPU0X2qej9UAxwaDcamspCkKWrnkR9At4vTfkXblbyC
24 | 8oHrooRzIlfFX8NpnK4ptcfb7yGnMeLdhWAXSJ/uwJ3LCLBjel6vO6bRFXIJTqU/
25 | JlfZlh2NI2bgyt5J5vROt1+d9Lp3oYIstUnVd+h7Nkdmd284/gG1SFiIzYHBz4Wy
26 | prVFmJ9XDsUzWztAcmDTn3d2MyZRDTtPflq/qugVW2b774LHRfZK7rwppUs/ViAF
27 | JX8F5ZP8N4z6I7fpTuBr51E95x4A1nMNkYXcuw2Pgk8uomnA5NuXnytLouZp3DpQ
28 | l/wdRzFsGdnHGmzmEAlQ1EhFCEMR/+fFYYBqBHiLZg2rdvWB3m965nWnZJoaPUrt
29 | wtTK8aKbEm1oGOO92bojZqn4iWuJJ3Q+n4nGeradCyOeF0UWp11r52pKRs/uyGMQ
30 | VuA4KN58+Vd4NA3WMx3WyDi0uKSIkm3dVh2X6xruED83xubhN4/DCti+6tPVIM2H
31 | tWl6EAomWDeHQ+0gs9eDHipxLkbMYcZdCUYwQWfs1fJTM7brhq8vk1CTFdmJiRZY
32 | cE9IevnzpgODj+pjl/fd3iLA+JWEWwCjQSQvae1qU3nhBSyXm7a5aUAc0YVhoyxW
33 | /i5GtvE=
34 | -----END CERTIFICATE-----
35 |
--------------------------------------------------------------------------------
/internal-certs/device.csr:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE REQUEST-----
2 | MIIEyTCCArECAQAwgYMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRl
3 | MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEWp5
4 | c3Blcm1AZ21haWwuY29tMSAwHgYJKoZIhvcNAQkBFhFqeXNwZXJtQGdtYWlsLmNv
5 | bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrXHiQ+F2lszDTwLr7Q
6 | qL5jIrtXx92F56RnGZz20xPOMpGJLQk1COhQZO5etoWlOACz8KaydKbH/wWr+ra4
7 | 18CPX5J19bRv0rjpJM+jNVwO174mYAIIn1lO2IlzURD1J0P55dJbTG4YWaNjJP1B
8 | jdiqbYOOgEJad2NNei1bHFhe0ae6J5ImdqKMxpkCQzAjGv1HrwO97LtftGmVzDMo
9 | B8cWu3JdEgmzt37P2gMGVHA5pEwTUZiClrpyG94Ckk0XlAg76ar9mPXDFSA6E5BL
10 | 6pX5IOGJku7q+sc+DGdgFcFUgyhlODF50kEOBy64OtQi3XjFfB7lKNt8jflrGDr/
11 | 4oPtO/f/Z5OYpMhZWGYD4h2AVEB9vTsuV0HRdJgcMgmdAocKt8Kw6/pydk72829p
12 | cg5MnE73xcG2NCc6DOyORoMloulj9mMBKOvnZdVYf/ZxFJtXdqrZGBET/v/Egqpe
13 | cIhOuCEL/LjKl+AMT6ee4U3ufzPsON4IUul0m2RZf33KBh3dLUh65ylukCIOTfns
14 | UaFMhcTohPdRNE/2AHeB2UU8ueP27uZ9+IqFl4RLTyay6OO6rqQRjFbS4Kh9ieTy
15 | 7JdZSYweyVV49zjHwLG/6DswusU6IBT2ObiO9+qD/tu4lJQc54ntv8QHtse5d+W+
16 | /abBrbXJquCVIjXjG3eIjTRTAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAeb4e
17 | DlM36TI8RDLjyXW2l6RCSPKacWf4AxcYE7cO3w8d0wsRxMwashVueyQ5XASd3LBE
18 | osP0b1qpiykjfWc++TVC0hyILg9XJE7Hmcts77b+JUYkmjDizxMkIaUDsNS6RA6u
19 | HCcBrhfsx898zEV6Th0scceWDnbyGz0J2UjntwEzLpwC2/pVi4STTOxJwKhRWC9H
20 | epiGrevWqXf/KBfiXt9sYohOUVpF2761iye3TwgOI2hAWf3IR7Zj5UuJgqlXlkeO
21 | o8LCt8qYwwqlMJ4Hub4l1L795acH5ZvThCldmmMlNo/90JiybzgtSoYo3YB1+Fra
22 | VAMTp3KAlQwIKbjl5MJfRP0sP+JhYPZN8yInjedt4pPgdTTHaXsFBg3OSLjLuitk
23 | eVuMuATaYzpAuG87Ma4iwL7LfVRJ9o55lNQwldi4YYU92kePLebND5cGi0wWk/tk
24 | 8LzjDyemsgX8dlhB55UdQMizqpNt+92ejKVPx9mB9vNfZ+jjFPt6XGZ0sjW0N6eA
25 | 7V28Tw/YYuwt9zKud+gf/2puVr1xP4lkuE+N8UQjNEMnSQpRe26hTDhAwYugqem+
26 | d2m4LjOaz3PZFo23QTKPUVQOgEYtkB86ZNcgwkTIrs69XKyUf0SYjS0gANG2bAZD
27 | RE4z5PtvpJ/G7KVJBcPm5WOY/qr3H5VFMXU0bF8=
28 | -----END CERTIFICATE REQUEST-----
29 |
--------------------------------------------------------------------------------
/internal-certs/device.key.asc:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP MESSAGE-----
2 |
3 | hQIMA7QPOvDkZs8eAQ//WafVTAnYS3a1a4YaNdBkxyspegUC+5zgNnmph8rx+/Rd
4 | W3J9sNSff6FdnEQZkNBHbZyQakyiNfYSX8dCRnQR0PCJ4XBRMfdB27mTL8T/pLl8
5 | yvNu+hBPydZzrJ2YwtO/UIu4smgoW4OCUSd3qWWvVJj4XVGMPVRbOmpQ3mBmzGpI
6 | NQpmAIlDMwLVadPt4P1VNGR6A5ou8dC7zzRGczlW/r045Gh08DcSz3YmVOUEhNZ2
7 | mH5j1mfwJPjEG4tfAHTHml/M/LH3jgMqaeSscB2kY2STavTc0DfmwUAYT37vs9G7
8 | JQ+jSSdWXf6I8JuwUZRt+av3hS1SE84dxkvLx94oCMn6WJDngrS3WS7tPDqBC3Tb
9 | W1btmURe7BjJaQr6hFWU1eEU4w5N8Z0iB/6qznAVkxUKrh7u4le3ZXSKrq/6vGcH
10 | qSdqwTEnfdEKt5v+o0OlePLv8FORZUZFvo14CH/d1ovFEk/5lbSBapkTiupSmmM5
11 | 2iU+Iw97lC/ggfozQqnkDSB9SWZFT5+Xht4xn7OYFx4KVo7j+WlqBL0DfEd1V8+e
12 | t4R7wYzxI85d9F7r0OpDsaQqS8rDguSo28nazWpB1rSKxHc0GkafhU0KsbviHlNr
13 | S8A2C5uR4tU4ZwMlCA2DU6pPXkz/S9wrMs7lM91i+wWfXP/xZhZSOGwC6dhuTlzS
14 | 6gH9exiNR7JdgmtqOrzS3R7wKz7/d9Zwlboy2qFbBduc8n/FYZ7dz/qWNNSy7of8
15 | dk3Ouc3Xloa20nGfZwdOyWSU/XZKptPaToCI76RWqnaTAfsDG4bf7keEc28A6tu9
16 | Yym2vdrwlad1Q3OriRFuuV0VUhi99lpBF4DZtKN5Rr4SXUrVS6wjBN5yElF8TK1Y
17 | awJNjgO66zD6ewn4UBRc2nlr8MRXwbVlzJ6Eu+5kRoAuKLkep43ZqyI8xrqRUBQl
18 | Ah0WdaIwD8jHj6MmGgtl0dZY10PX9+t/pJwVe5KlWM3UaRRQzEUrNvrrcSkdSG0H
19 | 0Y/chgOB62IbG/rJRPfgabKExLRtHvCSHrbgEkbZOfXo1NSkhgkJaOaNDUUozuIL
20 | Zz1RPw8Gq9pAsPkXipCmQI9igagzfjoIjlT+CZ82hGsnXym4HLSzJzIRA/iFAFmc
21 | a7ieC+pjSj/Q5G3YXi4SAZ5Vxy60Kk+84SpI9cDYt5fySCdIRLuWjwU5E3pYMD0O
22 | 7WgZTArsX5bD/QhuhmcL/QrAbToIn4UWcgGgK4F9p9phRp9RA9+LWBQQAxnewzIm
23 | 2TsmhxLJBo2Y3fbOGSupxb2Nce4eMPeFJGtV/QfVXtLt5QPydQlDgHVubW5OScTZ
24 | 3mawlXdMJgqT29UeoBR49L2dNF9W3Hfb59uhdrrr38Xwn7ZaEbWRSBLic84PfFBr
25 | nljAmAax+0jF9UX1fMhMxx9SGiBA+PXXfLMsedowOMAY+jPtbYKNp7WVSm2gDvjC
26 | aUXH7dCjf1R4LzkmQAS3mRz5slqz1tcAUwoTb1JJalFU0CQXwJi/uiPFEhDtyK7m
27 | alu9395nTeugt7BmVCYil9eHvsqA+DlA5lteO2+TWtHDsciwNBC5pmY46MJqzhVG
28 | UaXo8XxGL4rVHB7bz1Z5jwRn8ceCC1l+G0XI5Igs9tKkmQrfeXiAgDqTdmbZJIku
29 | UlytNVNRJAJRPHloXe7xVjaDvxsqqxLXWUpK+M9XBComL800NHa6VrXv7NS0fwDc
30 | Ow9k2GINF9rw8jnCpDc9A9KsPyYXTI1uZ64CfYXkj9BmRlKf9TWAItmh8o9VWYNc
31 | hpRqJeuCKQXHFGkfsmuSmbFPW/3V4g6+Pnmmpy8mqOuyQG+/Q9cuirZ9fZGEM+vs
32 | LBVio/LxIhtd+XvT5I28X1YFPiJ5XJ32PbsVy7h1PE0xRzX6KfRbuXwPxS8hkO7a
33 | qm2VA5uZKP/AoAyH6FcoFESAKsD2yqPDfIrIQt3zvhuiU5VkQCSvvNzyifLUpogt
34 | UaBkYikwgA9MLyH4bvxkm7xT8/hUaMuRR9h56/8xWTQDVVc+w2RgXnxYgnfRE3PT
35 | f/xNMNmb8HfZv+GELic/Jg7ql4H0kuHzbbjOQtsouzW0CBK4V84BvSJsJOqTAYaM
36 | YnHmWKAkixvA1io0gz6y2QxI/GnN9SypQees1bq5wWnLD1+d7GICKnq+yO7PEr6v
37 | KcY+0ckDgT8ShheUzCVsUQ0aCIxtp9mNDxrvGzlTiTneD6CagHkAybxSY9Wolu0r
38 | 9PyHvHYn8KFHa8d/Y6hgtu2fe54GYiIw4TAzURGtl8TOvk9zr8LoFYvZ+zHAVThL
39 | dqOP5tQfQN6ZL/dOedyr368mZSco/4QcYefmL5VQVgsKF26du5n0cG4qdO26BV4N
40 | g8Iy7iXYcP73Egswb0PIH2XA8gwxLev60zrYZTQ/BEjc//Bz97IttP815wZBxmAU
41 | XvuQyPgqdjJoJ0oYQIVbfiuVr/jeEioOVx7gS0oNsOqrc3cHo+T7kZ3OBDaoCxY6
42 | IG+BOR5/jZ1LXY6eqUg2eiEAuWsR+IN55DJNmN0EDIX3yjdBL3yiu2Itif40Mx00
43 | pI9hET0GA3v0Rhaf+/m4iu3UjhUDrH6AyAdXqXfKNHpUZ7jlFydip6pcVkh6CHBe
44 | Pe9VWqs9cauBu6gfM450PJ3xscCuVXygRjJyTIcusfrnAXnxxMunkpUabZUG4QJT
45 | aBHR3ASo9OiVuT30WTC0a6jeMonvc4ibvrbH0DioPGjWwJlZ+DawgVm6Svuru+Lq
46 | YHZggLZLFKqLFx0X0Y5qXJ/qU7US1BRJcH5L5nZLHh4trBZm7jC2zB83qxoZVJ3M
47 | sDp9g1pe1hDvQE5tHsetUKVtOWcJmsS5FnU7L0iIXOUXqS60W5LgiyZgXCbLVB1L
48 | e0reGAIs+jxUh35geve6LfXiikCqsWS8djHyM6/DriHG8ol2t3FUQvVfMLxLNoiG
49 | dyTFDSzXCB7YdDl30rBqdd1YT0HaSxrKA+/bnBRP+dqxfwOLhAT/1JEKMsrL2i6n
50 | VdXRG/Agv+klGBAawH86B3NP1FsdbYeRxKb3k8rhF8Ysb926hCP7u0aXOXLmBNak
51 | iL1HeiElmLqv4xR1uRK5xeOswoZ57+BqnqFfXbTO/JqevmMISA6jUC2zQbHl3GGl
52 | qzOB1qTkr0LL/42zyZ4npVDnnO7mQbn7AauHAIMga7cUf8TyjvNzQWTUJ/Ol9rIn
53 | X1QTuVzUR5zLbaJ1d6lKjIoVwA4l8ayh2C9LLUXFrIn9RbueSaGtmEeulpjt3lxd
54 | ArSzozXp4La1pCRnkKxLc9s6rjOPzg/GbqmiKrVdYS2MjhTpHpZ/42uAzmgP7BFY
55 | tA5Oc93ouyo2G3S+nkvQg7WhWBMaDI95G438mkoIiuxX+pbeT40US3uMv1REYNZ7
56 | dzLZ0teTnrPD0fY9ANoASWOjhsihN45PiAw3SLJk3DrGvOlr9oUMK5w70q11mKg4
57 | eXsp7PpBDdbMvamCM2ceGXglzC2JPujSf3A1uSZJA9/XtG6jQlaqdx0Hro8uYHTN
58 | GSWGmZk5kHfzWKqsT0kE2Iskmt30whPiKZ83M3OcX/j/yCXP3rNieBqZgGoXZw4E
59 | T8IddC+SYzi8pzixoZcz+xzbrDIwt03fctUQiCcdlwAMxKdTU4Gpbs02T+ytYFg5
60 | Hs301UObeSQSBOdW2jCJoBXEn0UudpHq+iZk4rJ9i48WQAab4/vzWUnzLD+zRIpt
61 | ByXyxYA4lGF8N4cH3xvknCmmJjZY5l3G3y9A4YVhpcV6QO8l+HNtD5rHh6L5EZVB
62 | fASFkVIL+MZg44pQi+cN9iH2ZbU9ztDn2BlCBpDvqd5KbL9h73paAUo2mHjH9u+4
63 | VDKKKuR+5TiZg4ydV0TFHMRG6D68tUDhFETSjr9eNFSKimBAW1CANQ5r7fQBPFWt
64 | hVlMqxMMRy6HwCT3zUvhOaOtlLTZ5HRuBmHzSlgkkYHDCtqXvFHlsSXn79rQkjAG
65 | +Nq2kXYJPFq0d70NhO7BxBGlnorUsPoY9RhLzNH43lU6cvHcvH4KZCnkjCSBIuvV
66 | GkFCrlDA7+7iWgWYAJgrYQGGKOTmXNxQfIvfmdsxH3eWsQNtgyOq8R9aRekS6TZ/
67 | HyabLsldN6SETx0NUFC5GsNHBQHW
68 | =a/hr
69 | -----END PGP MESSAGE-----
70 |
--------------------------------------------------------------------------------
/nginx-sites/ap-home/blog.conf:
--------------------------------------------------------------------------------
1 | server {  # jysperm.me blog: static files over TLS only; no port-80 listener for this name is in this file, so plain-http requests land on whatever default server the nginx role configures
2 |     listen 443 ssl;
3 |     server_name jysperm.me;
4 |
5 |     root /home/www-data/blog;
6 |     error_page 404 /404/;  # custom not-found page, served from the same root
7 |     autoindex off;
8 |
9 |     ssl_certificate /etc/letsencrypt/live/jysperm.me/fullchain.pem;  # NOTE(review): jysperm.me is not in the letsencrypt list of home.yml — confirm the cert is issued some other way, otherwise nginx refuses to load this file
10 |     ssl_certificate_key /etc/letsencrypt/live/jysperm.me/privkey.pem;  # TLS protocol/cipher policy is not set here, so it comes from the nginx role's nginx.conf template (not shown)
11 |
12 |     add_header Strict-Transport-Security 'max-age=10886400; includeSubDomains; preload';  # inherited by both locations below since neither sets add_header itself; max-age is 126 days, below the one-year minimum the HSTS preload list requires, so the site would not qualify for preload submission as-is
13 |
14 |     rewrite ^/feed/? /atom.xml permanent;  # legacy URL redirects (301)
15 |     rewrite ^/date/(\d+)/(\d+)/? /$1/$2 permanent;
16 |
17 |     rewrite ^/profile/? /resume/ permanent;
18 |
19 |     rewrite \D/1476/?$ /2014/02/1476 permanent;  # old numeric post ids; these patterns are not anchored at the start, so any URI ending in a non-digit followed by /<id> redirects
20 |     rewrite \D/1493/?$ /2014/02/1493 permanent;
21 |     rewrite \D/1750/?$ /2014/07/1750 permanent;
22 |     rewrite \D/1830/?$ /2014/09/1830 permanent;
23 |     rewrite \D/1866/?$ /2014/10/1866 permanent;
24 |     rewrite \D/1976/?$ /2015/01/1976 permanent;
25 |
26 |     location ~* \.(?:png|css|js|eot|svg|ttf|woff)$ {  # static assets: case-insensitive extension match, one-day cache
27 |         expires 1d;
28 |     }
29 |
30 |     location / {
31 |         try_files $uri $uri/ $uri.html =404;  # file, directory index, or extension-less .html page; otherwise the 404 page above
32 |     }
33 | }
34 |
--------------------------------------------------------------------------------
/nginx-sites/ap-home/cats-blog.conf:
--------------------------------------------------------------------------------
1 | server {  # pidan.cat / doufu.cat: static site over plain HTTP only (no TLS listener in this file)
2 |     listen 80;
3 |     server_name pidan.cat doufu.cat;
4 |
5 |     root /home/www-data/cats-blog;
6 |     autoindex off;  # no directory listings; a directory without an index file answers 403
7 |
8 |     location ~* \.(?:png|css|js|eot|svg|ttf|woff)$ {  # static assets cached for a day
9 |         expires 1d;
10 |     }
11 |
12 |     location / {
13 |         try_files $uri $uri/ $uri.html =404;  # file, directory, or extension-less .html page, else 404
14 |     }
15 | }
16 |
--------------------------------------------------------------------------------
/nginx-sites/ap-home/holding.conf:
--------------------------------------------------------------------------------
1 | server {  # parking page for domains no longer in use: every request is answered with the holding index.html
2 |     listen 80;
3 |     server_name 0-ms.org *.0-ms.org
4 |                 stream.pub *.stream.pub
5 |                 git-china.org *.git-china.org
6 |                 gpg-china.org *.gpg-china.org;  # one directive spanning four lines; the wildcard entries catch every subdomain
7 |
8 |     root /var/www/holding;  # presumably populated from roles/nginx/files/holding/index.html (per the tree)
9 |     autoindex off;
10 |
11 |     location / {
12 |         try_files $uri $uri/ $uri.html index.html;  # NOTE(review): the last argument is a fallback URI, conventionally written with a leading slash (/index.html); confirm with a request for an unknown path that the bare form really serves the page
13 |     }
14 | }
15 |
--------------------------------------------------------------------------------
/nginx-sites/ap-home/jybox.conf:
--------------------------------------------------------------------------------
# jybox.net static site. Only a 443 listener is declared in this file; a
# port-80 redirect, if any, lives elsewhere.
server {
    listen 443 ssl;
    server_name jybox.net;

    ssl_certificate /etc/letsencrypt/live/jybox.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jybox.net/privkey.pem;

    root /home/www-data/jybox.net;
    index index.html;

    # Static assets are cacheable for one day.
    location ~* \.(?:png|css|js|eot|svg|ttf|woff)$ {
        expires 1d;
    }

    # Clean URLs; unknown paths are a hard 404.
    location / {
        try_files $uri $uri/ $uri.html =404;
    }

    location /old-bbs/ {
        # NOTE(review): with `root`, a request for /old-bbs/x is looked up at
        # /home/www-data/old-bbs/old-bbs/x (the location prefix is appended to
        # the root). If the archive lives directly under /home/www-data/old-bbs,
        # this should be `alias /home/www-data/old-bbs/;` — confirm on disk.
        root /home/www-data/old-bbs;
    }
}

# The mailing-list hostname is not hosted here; it is a temporary (302)
# redirect to the external list provider.
server {
    listen 80;
    server_name maillist.jybox.net;
    return 302 http://eepurl.com/bYeGvr;
}

--------------------------------------------------------------------------------
/nginx-sites/ap-home/mabolo.conf:
--------------------------------------------------------------------------------
# Static site for mabolo.hackplan.com, plain HTTP only. The directory index is
# README.html rather than the usual index.html.
server {
    listen 80;
    server_name mabolo.hackplan.com;

    root /home/www-data/mabolo;
    autoindex off;
    index README.html;

    # Static assets are cacheable for one day.
    location ~* \.(?:png|css|js|eot|svg|ttf|woff)$ {
        expires 1d;
    }

    # Clean URLs; unknown paths are a hard 404.
    location / {
        try_files $uri $uri/ $uri.html =404;
    }
}

--------------------------------------------------------------------------------
/nginx-sites/ap-home/nohttps.conf:
--------------------------------------------------------------------------------
# nohttps.org: a deliberately plain-HTTP static site (the hostname says as
# much), so no certificate or HSTS directives belong in this file.
server {
    listen 80;
    server_name nohttps.org;

    root /home/www-data/nohttps;
    autoindex off;
    index index.html;

    # Clean URLs; unknown paths are a hard 404.
    location / {
        try_files $uri $uri/ $uri.html =404;
    }
}

--------------------------------------------------------------------------------
/nginx-sites/ap-home/rpvhost.conf:
--------------------------------------------------------------------------------
# rpvhost.net is closed: every request on the apex and wildcard hosts is
# answered with the static closed.html page. The blog hostname below still
# serves files from the same root.
server {
    listen 80;
    server_name *.rpvhost.net rpvhost.net;

    root /home/www-data/rpvhost-blog;

    location / {
        # `break` rewrites the URI in place (no redirect), so the closed page
        # is returned for every path while the browser keeps the original URL.
        rewrite ^ /closed.html break;
    }
}

server {
    listen 80;
    server_name blog.rpvhost.net;

    root /home/www-data/rpvhost-blog;
    autoindex off;

    # Legacy feed URL, permanently (301) redirected to the generated Atom file.
    rewrite ^/feed/? /atom.xml permanent;

    # Static assets are cacheable for one day.
    location ~* \.(?:png|css|js|eot|svg|ttf|woff)$ {
        expires 1d;
    }

    # Clean URLs; unknown paths are a hard 404.
    location / {
        try_files $uri $uri/ $uri.html =404;
    }
}

--------------------------------------------------------------------------------
/nginx-sites/infinity/bitwarden.conf:
--------------------------------------------------------------------------------
# Reverse proxy for the Bitwarden-compatible (Vaultwarden) container.
# TLS terminates here; the upstream on 127.0.0.1:8082 speaks plain HTTP, so
# it must only ever be reachable from this host.
server {
    listen 443 ssl;
    server_name bitwarden.{{ infinity_domain }};

    ssl_certificate /etc/letsencrypt/live/bitwarden.{{ infinity_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitwarden.{{ infinity_domain }}/privkey.pem;

    # NOTE(review): max-age here is ~126 days and includeSubDomains is absent,
    # so the `preload` token has no effect (preload submission requires a
    # one-year max-age plus includeSubDomains). Harmless, but misleading.
    add_header Strict-Transport-Security 'max-age=10886400; preload';

    location / {
        # nginx proxies with HTTP/1.0 by default; HTTP/1.1 is required for the
        # WebSocket Upgrade headers passed below.
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrade requests through unchanged.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        proxy_pass http://127.0.0.1:8082;
    }

    # Anything under /.well-known is served from disk, not proxied (ACME
    # challenge files are written there).
    location /.well-known {
        root /var/www/html;
    }
}

--------------------------------------------------------------------------------
/nginx-sites/infinity/home.conf:
--------------------------------------------------------------------------------
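# Reverse proxy for the service on 10.0.0.24:8123 (plain HTTP upstream on the
# LAN). Access requires a client certificate issued by the internal CA in
# addition to TLS, so the upstream is never exposed to password-only logins.
server {
    listen 443 ssl;
    server_name home.{{ infinity_domain }};

    ssl_certificate /etc/letsencrypt/live/home.{{ infinity_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.{{ infinity_domain }}/privkey.pem;

    # Mutual TLS: any connection without a certificate chaining to
    # internal-ca.pem is rejected at the handshake, for every location below.
    ssl_client_certificate /etc/nginx/internal-ca.pem;
    ssl_verify_client on;

    add_header Strict-Transport-Security 'max-age=10886400; preload';

    location / {
        # nginx proxies with HTTP/1.0 by default, which cannot carry the
        # Upgrade handshake set below; HTTP/1.1 is required for WebSockets to
        # work through this proxy.
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrade requests through unchanged.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_pass http://10.0.0.24:8123;
    }

    # NOTE(review): ssl_verify_client applies here too, so this path cannot
    # serve ACME challenge files to an unauthenticated validator over 443;
    # http-01 validation runs over port 80 anyway, so this block is likely
    # vestigial — confirm before removing.
    location /.well-known {
        root /var/www/html;
    }
}
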
--------------------------------------------------------------------------------
/nginx-sites/infinity/lobechat.conf:
--------------------------------------------------------------------------------
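# Reverse proxy for the LobeChat container on 127.0.0.1:3210 (plain HTTP
# upstream). Access requires a client certificate from the internal CA in
# addition to TLS.
server {
    listen 443 ssl;
    server_name lobechat.{{ infinity_domain }};

    ssl_certificate /etc/letsencrypt/live/lobechat.{{ infinity_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lobechat.{{ infinity_domain }}/privkey.pem;

    # Mutual TLS: any connection without a certificate chaining to
    # internal-ca.pem is rejected at the handshake, for every location below.
    ssl_client_certificate /etc/nginx/internal-ca.pem;
    ssl_verify_client on;

    add_header Strict-Transport-Security 'max-age=10886400; preload';

    location / {
        # nginx proxies with HTTP/1.0 by default, which cannot carry the
        # Upgrade handshake set below; HTTP/1.1 is required for WebSockets to
        # work through this proxy.
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrade requests through unchanged.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        proxy_pass http://127.0.0.1:3210;
    }

    # NOTE(review): ssl_verify_client applies here too, so this path cannot
    # serve ACME challenge files to an unauthenticated validator over 443;
    # http-01 validation runs over port 80 anyway, so this block is likely
    # vestigial — confirm before removing.
    location /.well-known {
        root /var/www/html;
    }
}
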
--------------------------------------------------------------------------------
/nginx-sites/infinity/miniflux.conf:
--------------------------------------------------------------------------------
# Reverse proxy for Miniflux on 127.0.0.1:8081 (plain HTTP upstream).
# No client-certificate requirement on this host; TLS only.
server {
    listen 443 ssl;
    server_name miniflux.{{ infinity_domain }};

    ssl_certificate /etc/letsencrypt/live/miniflux.{{ infinity_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/miniflux.{{ infinity_domain }}/privkey.pem;

    add_header Strict-Transport-Security 'max-age=10886400; preload';

    # NOTE(review): 10G matches the Nextcloud vhost and looks copied from it;
    # a feed reader has no reason to accept multi-gigabyte request bodies.
    # Confirm and shrink to limit what an authenticated client can push.
    client_max_body_size 10G;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:8081;
    }

    # Anything under /.well-known is served from disk, not proxied (ACME
    # challenge files are written there).
    location /.well-known {
        root /var/www/html;
    }
}

--------------------------------------------------------------------------------
/nginx-sites/infinity/nextcloud.conf:
--------------------------------------------------------------------------------
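# Reverse proxy for Nextcloud on 127.0.0.1:8080 (plain HTTP upstream).
# No client-certificate requirement on this host; TLS only.
server {
    listen 443 ssl;
    server_name nextcloud.{{ infinity_domain }};

    ssl_certificate /etc/letsencrypt/live/nextcloud.{{ infinity_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.{{ infinity_domain }}/privkey.pem;

    add_header Strict-Transport-Security 'max-age=10886400; preload';

    # File uploads pass through this proxy, so allow large request bodies.
    client_max_body_size 10G;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:8080;
    }

    # Only the ACME challenge path is served from disk. A bare `/.well-known`
    # prefix here also captured /.well-known/carddav, /caldav, /webfinger and
    # /nodeinfo, which Nextcloud expects the proxy to pass to the application
    # (they were answered with 404 from /var/www/html instead); with the
    # narrower prefix those requests now fall through to the proxy above.
    location /.well-known/acme-challenge {
        root /var/www/html;
    }
}
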
--------------------------------------------------------------------------------
/roles/bitwarden/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Public base URL handed to the container as DOMAIN. 'http://localhost/' is a
# placeholder; set the real https://... origin per host, otherwise generated
# links point at the wrong place (and presumably origin-bound features such
# as WebAuthn — confirm against the Vaultwarden docs).
bitwarden_base_url: 'http://localhost/'
# Host directory mounted as the container's /data (its persistent state).
bitwarden_db: '/storage/db/bitwarden'

--------------------------------------------------------------------------------
/roles/bitwarden/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Deploys the Vaultwarden container via Docker Compose from /root/bitwarden.
# The compose file is a template rendered with the role defaults
# (bitwarden_base_url, bitwarden_db).
- name: create bitwarden compose dir
  file:
    path: /root/bitwarden
    state: directory

- name: upload compose file
  template:
    src: 'docker-compose.yml'
    dest: '/root/bitwarden/docker-compose.yml'

# `up -d` is idempotent and runs on every play; "changed" is derived from the
# progress text compose prints on stderr.
# NOTE(review): if the compose CLI ever rewords "Creating|Starting|Recreated"
# this task silently reports ok — there is no other change signal.
- name: Start bitwarden
  command:
    cmd: docker compose up -d
    chdir: /root/bitwarden
  register: compose_upped
  changed_when: compose_upped.stderr is search('Creating|Starting|Recreated')

--------------------------------------------------------------------------------
/roles/bitwarden/templates/docker-compose.yml:
--------------------------------------------------------------------------------
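version: '3'

services:
  bitwarden:
    # Pinned release tag; bump deliberately rather than tracking :latest.
    image: vaultwarden/server:1.32.5
    container_name: bitwarden
    ports:
      # Publish on loopback only. The nginx vhost proxies to 127.0.0.1:8082, and
      # an unqualified "8082:80" binds 0.0.0.0, exposing the plain-HTTP upstream
      # to the LAN and bypassing TLS/HSTS — Docker-published ports are reachable
      # regardless of host-level INPUT rules.
      - 127.0.0.1:8082:80
    environment:
      # Vaultwarden's built-in default for SIGNUPS_ALLOWED is true, so leaving it
      # unset (as the previous commented-out line did) keeps self-registration
      # open on an internet-facing vault. Make it explicit and closed unless the
      # inventory opts in with bitwarden_signups_allowed.
      - SIGNUPS_ALLOWED={{ bitwarden_signups_allowed | default('false') }}
      - DOMAIN={{ bitwarden_base_url }}
    volumes:
      - '{{ bitwarden_db }}:/data'
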
--------------------------------------------------------------------------------
/roles/clash-redir/defaults/main.yml:
--------------------------------------------------------------------------------
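---
# Upstream Clash release fetched by tasks/main.yml; bump deliberately.
clash_release: '1.1.0'
# Local port Clash listens on for TCP that iptables REDIRECTs to it.
clash_redir_port: '7892'
# LAN whose forwarded TCP is sent through Clash (PREROUTING source match).
lan_gateway_cidr: '10.0.0.1/24'
# Plain HTTP proxy port; also used by the aptproxy template.
http_proxy_port: '8118'
# Remote proxy-server ports excluded from redirection (RETURN rule in tasks).
clash_proxy_ports: [12345]
# Secret for the Clash REST API / dashboard. The template binds the controller
# on 0.0.0.0:9090, so an empty value leaves the API — which can change routing
# and proxies — reachable from the LAN without authentication; set a strong
# value per host. (The variable name keeps its historical spelling so existing
# inventories keep working.)
clash_dashbiard_secret: ''
# LAN source addresses that must never be redirected.
clash_ignored_lan_ip: []
# When true, the gateway's own TCP connections to the public resolvers listed
# in tasks/main.yml are also sent through Clash.
dns_proxied: false
# clash_proxy_address (addresses of the remote proxy servers, used by the
# "configure clash ignored address" task) has no default here and must be
# supplied by the inventory.

# Example proxy block. Server, port and password are placeholders meant to be
# overridden per host; real credentials do not belong in role defaults.
# (The original had `password :'123456'`, which is not valid flow-mapping
# syntax for a plain-scalar key.)
clash_proxies: |
  proxies:
    - { name: 'Proxy', type: 'ss', server: '1.2.3.4', port: 12345, cipher: 'aes-128-gcm', password: '123456' }

  proxy-groups:
    - { name: 'Streaming', type: select, proxies: [Proxy] }
    - { name: 'Blocked', type: select, proxies: [REJECT] }

# Extra rules inserted at the top of the `rules:` list in clash.yaml; empty by
# default so the template's built-in rule set applies unchanged.
clash_rules: |
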
--------------------------------------------------------------------------------
/roles/clash-redir/handlers/main.yml:
--------------------------------------------------------------------------------
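---
# Handlers notified by tasks/main.yml. Unit-file changes need a daemon-reload
# before the restart; the tasks notify both, in that order.
- name: reload systemd
  systemd:
    daemon_reload: yes

- name: restart clash
  service:
    name: 'clash'
    state: 'restarted'
    enabled: 'yes'

# Persist the nat rules added by the iptables tasks across reboots.
- name: netfilter-persistent
  command: netfilter-persistent save
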
--------------------------------------------------------------------------------
/roles/clash-redir/tasks/main.yml:
--------------------------------------------------------------------------------
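---
# Install Clash as a transparent proxy on the LAN gateway: fetch the binary,
# drop config and unit file, then build the nat rules that redirect LAN TCP
# into it.
- name: ensures directory exists
  file:
    path: '{{ item }}'
    state: 'directory'
  with_items:
    - '/root/downloads'
    - '/etc/clash'

# The binary comes straight from a GitHub release and ends up in /usr/bin, so
# pin its digest: set clash_release_checksum (get_url form, e.g.
# 'sha256:<hex>') in the inventory whenever clash_release is bumped. When it
# is unset the download is unverified, exactly as before.
- name: download clash
  get_url:
    url: 'https://github.com/Dreamacro/clash/releases/download/v{{ clash_release }}/clash-linux-amd64-v{{ clash_release }}.gz'
    dest: '/root/downloads/clash.gz'
    checksum: '{{ clash_release_checksum | default(omit) }}'
  tags: [download]
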
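# `creates` makes the decompression idempotent; -k keeps the .gz so get_url
# does not refetch on the next run.
- name: unarchive clash
  command: gzip -dk /root/downloads/clash.gz
  args:
    creates: /root/downloads/clash

- name: install clash
  copy:
    src: '/root/downloads/clash'
    dest: /usr/bin/clash
    remote_src: yes
    mode: '0755'
  notify: restart clash

# config.yaml embeds the proxy credentials and the API secret. The unit file
# sets no User=, so Clash runs as root and root-only permissions cost nothing;
# without an explicit mode the file would be created world-readable.
- name: install clash configure
  template:
    src: 'clash.yaml'
    dest: /etc/clash/config.yaml
    mode: '0600'
  notify: restart clash
  tags: [config]

- name: create systemd service
  template:
    src: 'clash.service'
    dest: '/etc/systemd/system/clash.service'
    mode: '0644'
  notify:
    - reload systemd
    - restart clash
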
# Transparent redirection. A dedicated nat chain CLASH first RETURNs traffic
# that must stay direct (private ranges, listed LAN sources, the proxy servers
# and their ports), then REDIRECTs everything else to Clash's redir port.
# PREROUTING hands LAN TCP to that chain. The iptables module appends rules,
# so task order here is rule order: every RETURN must precede the REDIRECT.
# Chain creation is imperative; an already-existing chain is ok/unchanged.
- name: create new chain
  command: iptables -t nat -N CLASH
  register: result
  failed_when: 'result.rc != 0 and "already exists" not in result.stderr'
  changed_when: '"already exists" not in result.stderr'
  tags: [iptables]

# Private/loopback destinations never go through the proxy.
- name: configure clash ignored destination
  iptables:
    table: nat
    chain: CLASH
    protocol: tcp
    destination: '{{ item }}'
    jump: RETURN
  with_items:
    - '0.0.0.0/8'
    - '10.0.0.0/8'
    - '127.0.0.0/8'
    - '172.16.0.0/12'
    - '192.168.0.0/16'
  notify: netfilter-persistent
  tags: [iptables]

# LAN hosts that opt out of redirection entirely.
- name: configure clash ignored source
  iptables:
    table: nat
    chain: CLASH
    protocol: tcp
    source: '{{ item }}'
    jump: RETURN
  with_items: '{{ clash_ignored_lan_ip }}'
  notify: netfilter-persistent
  tags: [iptables]

# Traffic to the proxy servers themselves must not be redirected back into
# Clash. clash_proxy_address is not defined in defaults/main.yml; it must be
# supplied by the inventory or this task fails on an undefined variable.
- name: configure clash ignored address
  iptables:
    table: nat
    chain: CLASH
    protocol: tcp
    destination: '{{ item }}'
    jump: RETURN
  with_items: '{{ clash_proxy_address }}'
  notify: netfilter-persistent
  tags: [iptables]

# Same exclusion by destination port: the redir port itself plus the proxy
# server ports.
- name: configure clash ignored port
  iptables:
    table: nat
    chain: CLASH
    protocol: tcp
    destination_port: '{{ item }}'
    jump: RETURN
  with_items: '{{ [clash_redir_port] + clash_proxy_ports }}'
  notify: netfilter-persistent
  tags: [iptables]

# Everything that survived the RETURNs above is sent to Clash.
- name: configure clash redirect
  iptables:
    table: nat
    chain: CLASH
    protocol: tcp
    to_ports: '{{ clash_redir_port }}'
    jump: REDIRECT
  notify: netfilter-persistent
  tags: [iptables]

# Only forwarded TCP from the LAN enters the chain; UDP (including UDP DNS
# and QUIC) from LAN clients is not redirected by this role.
- name: redirect PREROUTING to CLASH
  iptables:
    table: nat
    chain: PREROUTING
    source: '{{ lan_gateway_cidr }}'
    protocol: tcp
    jump: CLASH
  notify: netfilter-persistent
  tags: [iptables]

# Optional: the gateway's own TCP connections to these public resolvers (the
# DNS-over-TLS fallbacks in clash.yaml) also go through CLASH.
- name: redirect DNS to CLASH
  iptables:
    table: nat
    chain: OUTPUT
    destination: '{{ item }}'
    protocol: tcp
    jump: CLASH
  with_items:
    - '1.1.1.1'
    - '9.9.9.9'
  notify: netfilter-persistent
  when: dns_proxied
  tags: [iptables]

--------------------------------------------------------------------------------
/roles/clash-redir/templates/aptproxy:
--------------------------------------------------------------------------------
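# /etc/apt/apt.conf.d/90curtin-aptproxy
# Route apt through the local Clash HTTP proxy. The scheme needs the "//":
# "http:127.0.0.1:PORT" is not a valid proxy URL, so the previous form left
# apt without a usable proxy.
Acquire::http::Proxy "http://127.0.0.1:{{ http_proxy_port }}";
Acquire::https::Proxy "http://127.0.0.1:{{ http_proxy_port }}";
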
--------------------------------------------------------------------------------
/roles/clash-redir/templates/clash.service:
--------------------------------------------------------------------------------
[Unit]
Description=Clash daemon

[Service]
Type=simple
# Clash holds many concurrent sockets; raise the fd limit well above the default.
LimitNOFILE=49152
# No User= is set, so Clash runs as root; it binds 127.0.0.53:53 for DNS and
# receives the nat-REDIRECTed TCP from the iptables tasks.
# NOTE(review): a dedicated user with CAP_NET_BIND_SERVICE would reduce the
# blast radius of a compromised proxy process — confirm it works with this
# release before changing.
ExecStart=/usr/bin/clash -d /etc/clash

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/roles/clash-redir/templates/clash.yaml:
--------------------------------------------------------------------------------
1 | port: {{ http_proxy_port }}
2 | socks-port: 1080
3 | redir-port: {{ clash_redir_port }}
4 | allow-lan: true
5 | mode: rule
6 | log-level: info
7 | external-controller: 0.0.0.0:9090
8 | external-ui: /etc/clash/dashboard
9 | secret: "{{ clash_dashbiard_secret }}"
10 |
11 | dns:
12 | enable: true
13 | ipv6: false
14 | listen: 127.0.0.53:53
15 | enhanced-mode: redir-host
16 | nameserver:
17 | - 119.29.29.29
18 | - 223.5.5.5
19 | fallback:
20 | - 'tls://1.1.1.1:853'
21 | - 'tls://9.9.9.9:853'
22 |
23 | {{ clash_proxies }}
24 |
25 | rules:
26 | {{ clash_rules }}
27 |
28 | # LAN
29 | - DOMAIN-SUFFIX,local,DIRECT
30 | - IP-CIDR,127.0.0.0/8,DIRECT
31 | - IP-CIDR,172.16.0.0/12,DIRECT
32 | - IP-CIDR,192.168.0.0/16,DIRECT
33 | - IP-CIDR,10.0.0.0/8,DIRECT
34 | - IP-CIDR,100.64.0.0/10,DIRECT
35 |
36 | # Apple
37 | - DOMAIN,hls.itunes.apple.com,Proxy
38 | - DOMAIN,itunes.apple.com,Proxy
39 | - DOMAIN,itunes.com,Proxy
40 | - DOMAIN-SUFFIX,tv.apple.com,Proxy
41 | - DOMAIN-SUFFIX,developer.apple.com,Proxy
42 | - DOMAIN-SUFFIX,digicert.com,DIRECT
43 | - DOMAIN-SUFFIX,icloud.com,DIRECT
44 | - DOMAIN-SUFFIX,icloud-content.com,DIRECT
45 | - DOMAIN-SUFFIX,mzstatic.com,DIRECT
46 | - DOMAIN-SUFFIX,akadns.net,DIRECT
47 | - DOMAIN-SUFFIX,aaplimg.com,DIRECT
48 | - DOMAIN-SUFFIX,cdn-apple.com,DIRECT
49 | - DOMAIN-SUFFIX,apple.com,DIRECT
50 |
51 | # Streaming Media
52 | - DOMAIN-SUFFIX,netflix.com,Streaming
53 | - DOMAIN-SUFFIX,netflix.net,Streaming
54 | - DOMAIN-SUFFIX,nflxext.com,Streaming
55 | - DOMAIN-SUFFIX,nflximg.com,Streaming
56 | - DOMAIN-SUFFIX,nflximg.net,Streaming
57 | - DOMAIN-SUFFIX,nflxso.net,Streaming
58 | - DOMAIN-SUFFIX,nflxvideo.net,Streaming
59 |
60 | # Telegram
61 | - DOMAIN-SUFFIX,telegra.ph,Proxy
62 | - DOMAIN-SUFFIX,telegram.org,Proxy
63 | - IP-CIDR,91.108.56.0/22,Proxy
64 | - IP-CIDR,91.108.4.0/22,Proxy
65 | - IP-CIDR,91.108.8.0/22,Proxy
66 | - IP-CIDR,109.239.140.0/24,Proxy
67 | - IP-CIDR,149.154.160.0/20,Proxy
68 | - IP-CIDR,149.154.164.0/22,Proxy
69 |
70 | # DIRECT keywords
71 | - DOMAIN-SUFFIX,cn,DIRECT
72 | - DOMAIN-KEYWORD,-cn,DIRECT
73 |
74 | # DIRECT top sites
75 | - DOMAIN-SUFFIX,126.com,DIRECT
76 | - DOMAIN-SUFFIX,126.net,DIRECT
77 | - DOMAIN-SUFFIX,127.net,DIRECT
78 | - DOMAIN-SUFFIX,163.com,DIRECT
79 | - DOMAIN-SUFFIX,360buyimg.com,DIRECT
80 | - DOMAIN-SUFFIX,36kr.com,DIRECT
81 | - DOMAIN-SUFFIX,acfun.tv,DIRECT
82 | - DOMAIN-SUFFIX,air-matters.com,DIRECT
83 | - DOMAIN-SUFFIX,aixifan.com,DIRECT
84 | - DOMAIN-SUFFIX,akamaized.net,DIRECT
85 | - DOMAIN-KEYWORD,alicdn,DIRECT
86 | - DOMAIN-KEYWORD,alipay,DIRECT
87 | - DOMAIN-KEYWORD,taobao,DIRECT
88 | - DOMAIN-SUFFIX,amap.com,DIRECT
89 | - DOMAIN-SUFFIX,autonavi.com,DIRECT
90 | - DOMAIN-KEYWORD,baidu,DIRECT
91 | - DOMAIN-SUFFIX,bdimg.com,DIRECT
92 | - DOMAIN-SUFFIX,bdstatic.com,DIRECT
93 | - DOMAIN-SUFFIX,bilibili.com,DIRECT
94 | - DOMAIN-SUFFIX,caiyunapp.com,DIRECT
95 | - DOMAIN-SUFFIX,clouddn.com,DIRECT
96 | - DOMAIN-SUFFIX,cnbeta.com,DIRECT
97 | - DOMAIN-SUFFIX,cnbetacdn.com,DIRECT
98 | - DOMAIN-SUFFIX,cootekservice.com,DIRECT
99 | - DOMAIN-SUFFIX,csdn.net,DIRECT
100 | - DOMAIN-SUFFIX,ctrip.com,DIRECT
101 | - DOMAIN-SUFFIX,dgtle.com,DIRECT
102 | - DOMAIN-SUFFIX,dianping.com,DIRECT
103 | - DOMAIN-SUFFIX,douban.com,DIRECT
104 | - DOMAIN-SUFFIX,doubanio.com,DIRECT
105 | - DOMAIN-SUFFIX,duokan.com,DIRECT
106 | - DOMAIN-SUFFIX,easou.com,DIRECT
107 | - DOMAIN-SUFFIX,ele.me,DIRECT
108 | - DOMAIN-SUFFIX,feng.com,DIRECT
109 | - DOMAIN-SUFFIX,fir.im,DIRECT
110 | - DOMAIN-SUFFIX,frdic.com,DIRECT
111 | - DOMAIN-SUFFIX,g-cores.com,DIRECT
112 | - DOMAIN-SUFFIX,godic.net,DIRECT
113 | - DOMAIN-SUFFIX,gtimg.com,DIRECT
114 | - DOMAIN,cdn.hockeyapp.net,DIRECT
115 | - DOMAIN-SUFFIX,hongxiu.com,DIRECT
116 | - DOMAIN-SUFFIX,hxcdn.net,DIRECT
117 | - DOMAIN-SUFFIX,iciba.com,DIRECT
118 | - DOMAIN-SUFFIX,ifeng.com,DIRECT
119 | - DOMAIN-SUFFIX,ifengimg.com,DIRECT
120 | - DOMAIN-SUFFIX,ipip.net,DIRECT
121 | - DOMAIN-SUFFIX,iqiyi.com,DIRECT
122 | - DOMAIN-SUFFIX,jd.com,DIRECT
123 | - DOMAIN-SUFFIX,jianshu.com,DIRECT
124 | - DOMAIN-SUFFIX,knewone.com,DIRECT
125 | - DOMAIN-SUFFIX,le.com,DIRECT
126 | - DOMAIN-SUFFIX,lecloud.com,DIRECT
127 | - DOMAIN-SUFFIX,lemicp.com,DIRECT
128 | - DOMAIN-SUFFIX,licdn.com,DIRECT
129 | - DOMAIN-SUFFIX,linkedin.com,DIRECT
130 | - DOMAIN-SUFFIX,luoo.net,DIRECT
131 | - DOMAIN-SUFFIX,meituan.com,DIRECT
132 | - DOMAIN-SUFFIX,meituan.net,DIRECT
133 | - DOMAIN-SUFFIX,mi.com,DIRECT
134 | - DOMAIN-SUFFIX,miaopai.com,DIRECT
135 | - DOMAIN-SUFFIX,microsoft.com,DIRECT
136 | - DOMAIN-SUFFIX,microsoftonline.com,DIRECT
137 | - DOMAIN-SUFFIX,miui.com,DIRECT
138 | - DOMAIN-SUFFIX,miwifi.com,DIRECT
139 | - DOMAIN-SUFFIX,mob.com,DIRECT
140 | - DOMAIN-SUFFIX,netease.com,DIRECT
141 | - DOMAIN-SUFFIX,office.com,DIRECT
142 | - DOMAIN-SUFFIX,office365.com,DIRECT
143 | - DOMAIN-KEYWORD,officecdn,DIRECT
144 | - DOMAIN-SUFFIX,oschina.net,DIRECT
145 | - DOMAIN-SUFFIX,ppsimg.com,DIRECT
146 | - DOMAIN-SUFFIX,pstatp.com,DIRECT
147 | - DOMAIN-SUFFIX,qcloud.com,DIRECT
148 | - DOMAIN-SUFFIX,qdaily.com,DIRECT
149 | - DOMAIN-SUFFIX,qdmm.com,DIRECT
150 | - DOMAIN-SUFFIX,qhimg.com,DIRECT
151 | - DOMAIN-SUFFIX,qhres.com,DIRECT
152 | - DOMAIN-SUFFIX,qidian.com,DIRECT
153 | - DOMAIN-SUFFIX,qihucdn.com,DIRECT
154 | - DOMAIN-SUFFIX,qiniu.com,DIRECT
155 | - DOMAIN-SUFFIX,qiniucdn.com,DIRECT
156 | - DOMAIN-SUFFIX,qiyipic.com,DIRECT
157 | - DOMAIN-SUFFIX,qq.com,DIRECT
158 | - DOMAIN-SUFFIX,qqurl.com,DIRECT
159 | - DOMAIN-SUFFIX,tencent.com,DIRECT
160 | - DOMAIN-SUFFIX,rarbg.to,DIRECT
161 | - DOMAIN-SUFFIX,ruguoapp.com,DIRECT
162 | - DOMAIN-SUFFIX,segmentfault.com,DIRECT
163 | - DOMAIN-SUFFIX,sinaapp.com,DIRECT
164 | - DOMAIN-SUFFIX,smzdm.com,DIRECT
165 | - DOMAIN-SUFFIX,sogou.com,DIRECT
166 | - DOMAIN-SUFFIX,sogoucdn.com,DIRECT
167 | - DOMAIN-SUFFIX,sohu.com,DIRECT
168 | - DOMAIN-SUFFIX,soku.com,DIRECT
169 | - DOMAIN-SUFFIX,speedtest.net,DIRECT
170 | - DOMAIN-SUFFIX,sspai.com,DIRECT
171 | - DOMAIN-SUFFIX,suning.com,DIRECT
172 | - DOMAIN-SUFFIX,taobao.com,DIRECT
173 | - DOMAIN-SUFFIX,tenpay.com,DIRECT
174 | - DOMAIN-SUFFIX,tmall.com,DIRECT
175 | - DOMAIN-SUFFIX,tudou.com,DIRECT
176 | - DOMAIN-SUFFIX,umetrip.com,DIRECT
177 | - DOMAIN-SUFFIX,upaiyun.com,DIRECT
178 | - DOMAIN-SUFFIX,upyun.com,DIRECT
179 | - DOMAIN-SUFFIX,veryzhun.com,DIRECT
180 | - DOMAIN-SUFFIX,weather.com,DIRECT
181 | - DOMAIN-SUFFIX,weibo.com,DIRECT
182 | - DOMAIN-SUFFIX,xiami.com,DIRECT
183 | - DOMAIN-SUFFIX,xiami.net,DIRECT
184 | - DOMAIN-SUFFIX,xiaomicp.com,DIRECT
185 | - DOMAIN-SUFFIX,ximalaya.com,DIRECT
186 | - DOMAIN-SUFFIX,xmcdn.com,DIRECT
187 | - DOMAIN-SUFFIX,xunlei.com,DIRECT
188 | - DOMAIN-SUFFIX,yhd.com,DIRECT
189 | - DOMAIN-SUFFIX,yihaodianimg.com,DIRECT
190 | - DOMAIN-SUFFIX,yinxiang.com,DIRECT
191 | - DOMAIN-SUFFIX,ykimg.com,DIRECT
192 | - DOMAIN-SUFFIX,youdao.com,DIRECT
193 | - DOMAIN-SUFFIX,youku.com,DIRECT
194 | - DOMAIN-SUFFIX,zealer.com,DIRECT
195 | - DOMAIN-SUFFIX,zhihu.com,DIRECT
196 | - DOMAIN-SUFFIX,zhimg.com,DIRECT
197 | - DOMAIN-SUFFIX,zimuzu.tv,DIRECT
198 |
199 | # Proxy keywords
200 | - DOMAIN-KEYWORD,amazon,Proxy
201 | - DOMAIN-KEYWORD,google,Proxy
202 | - DOMAIN-KEYWORD,gmail,Proxy
203 | - DOMAIN-KEYWORD,youtube,Proxy
204 | - DOMAIN-KEYWORD,facebook,Proxy
205 | - DOMAIN-SUFFIX,fb.me,Proxy
206 | - DOMAIN-SUFFIX,fbcdn.net,Proxy
207 | - DOMAIN-KEYWORD,twitter,Proxy
208 | - DOMAIN-KEYWORD,instagram,Proxy
209 | - DOMAIN-KEYWORD,dropbox,Proxy
210 | - DOMAIN-SUFFIX,twimg.com,Proxy
211 | - DOMAIN-KEYWORD,blogspot,Proxy
212 | - DOMAIN-SUFFIX,youtu.be,Proxy
213 | - DOMAIN-KEYWORD,whatsapp,Proxy
214 |
215 | # Proxy top sites
216 | - DOMAIN-SUFFIX,9to5mac.com,Proxy
217 | - DOMAIN-SUFFIX,abpchina.org,Proxy
218 | - DOMAIN-SUFFIX,adblockplus.org,Proxy
219 | - DOMAIN-SUFFIX,adobe.com,Proxy
220 | - DOMAIN-SUFFIX,alfredapp.com,Proxy
221 | - DOMAIN-SUFFIX,amplitude.com,Proxy
222 | - DOMAIN-SUFFIX,ampproject.org,Proxy
223 | - DOMAIN-SUFFIX,android.com,Proxy
224 | - DOMAIN-SUFFIX,angularjs.org,Proxy
225 | - DOMAIN-SUFFIX,aolcdn.com,Proxy
226 | - DOMAIN-SUFFIX,apkpure.com,Proxy
227 | - DOMAIN-SUFFIX,appledaily.com,Proxy
228 | - DOMAIN-SUFFIX,appshopper.com,Proxy
229 | - DOMAIN-SUFFIX,appspot.com,Proxy
230 | - DOMAIN-SUFFIX,arcgis.com,Proxy
231 | - DOMAIN-SUFFIX,archive.org,Proxy
232 | - DOMAIN-SUFFIX,armorgames.com,Proxy
233 | - DOMAIN-SUFFIX,aspnetcdn.com,Proxy
234 | - DOMAIN-SUFFIX,att.com,Proxy
235 | - DOMAIN-SUFFIX,awsstatic.com,Proxy
236 | - DOMAIN-SUFFIX,azureedge.net,Proxy
237 | - DOMAIN-SUFFIX,azurewebsites.net,Proxy
238 | - DOMAIN-SUFFIX,bing.com,Proxy
239 | - DOMAIN-SUFFIX,bintray.com,Proxy
240 | - DOMAIN-SUFFIX,bit.com,Proxy
241 | - DOMAIN-SUFFIX,bit.ly,Proxy
242 | - DOMAIN-SUFFIX,bitbucket.org,Proxy
243 | - DOMAIN-SUFFIX,bjango.com,Proxy
244 | - DOMAIN-SUFFIX,bkrtx.com,Proxy
245 | - DOMAIN-SUFFIX,blog.com,Proxy
246 | - DOMAIN-SUFFIX,blogcdn.com,Proxy
247 | - DOMAIN-SUFFIX,blogger.com,Proxy
248 | - DOMAIN-SUFFIX,blogsmithmedia.com,Proxy
249 | - DOMAIN-SUFFIX,blogspot.com,Proxy
250 | - DOMAIN-SUFFIX,blogspot.hk,Proxy
251 | - DOMAIN-SUFFIX,bloomberg.com,Proxy
252 | - DOMAIN-SUFFIX,box.com,Proxy
253 | - DOMAIN-SUFFIX,box.net,Proxy
254 | - DOMAIN-SUFFIX,cachefly.net,Proxy
255 | - DOMAIN-SUFFIX,chromium.org,Proxy
256 | - DOMAIN-SUFFIX,cl.ly,Proxy
257 | - DOMAIN-SUFFIX,cloudflare.com,Proxy
258 | - DOMAIN-SUFFIX,cloudfront.net,Proxy
259 | - DOMAIN-SUFFIX,cloudmagic.com,Proxy
260 | - DOMAIN-SUFFIX,cmail19.com,Proxy
261 | - DOMAIN-SUFFIX,cnet.com,Proxy
262 | - DOMAIN-SUFFIX,cocoapods.org,Proxy
263 | - DOMAIN-SUFFIX,comodoca.com,Proxy
264 | - DOMAIN-SUFFIX,crashlytics.com,Proxy
265 | - DOMAIN-SUFFIX,culturedcode.com,Proxy
266 | - DOMAIN-SUFFIX,d.pr,Proxy
267 | - DOMAIN-SUFFIX,danilo.to,Proxy
268 | - DOMAIN-SUFFIX,dayone.me,Proxy
269 | - DOMAIN-SUFFIX,db.tt,Proxy
270 | - DOMAIN-SUFFIX,deskconnect.com,Proxy
271 | - DOMAIN-SUFFIX,disq.us,Proxy
272 | - DOMAIN-SUFFIX,disqus.com,Proxy
273 | - DOMAIN-SUFFIX,disquscdn.com,Proxy
274 | - DOMAIN-SUFFIX,dnsimple.com,Proxy
275 | - DOMAIN-SUFFIX,docker.com,Proxy
276 | - DOMAIN-SUFFIX,dribbble.com,Proxy
277 | - DOMAIN-SUFFIX,droplr.com,Proxy
278 | - DOMAIN-SUFFIX,duckduckgo.com,Proxy
279 | - DOMAIN-SUFFIX,dueapp.com,Proxy
280 | - DOMAIN-SUFFIX,dytt8.net,Proxy
281 | - DOMAIN-SUFFIX,edgecastcdn.net,Proxy
282 | - DOMAIN-SUFFIX,edgekey.net,Proxy
283 | - DOMAIN-SUFFIX,edgesuite.net,Proxy
284 | - DOMAIN-SUFFIX,engadget.com,Proxy
285 | - DOMAIN-SUFFIX,entrust.net,Proxy
286 | - DOMAIN-SUFFIX,eurekavpt.com,Proxy
287 | - DOMAIN-SUFFIX,evernote.com,Proxy
288 | - DOMAIN-SUFFIX,fabric.io,Proxy
289 | - DOMAIN-SUFFIX,fast.com,Proxy
290 | - DOMAIN-SUFFIX,fastly.net,Proxy
291 | - DOMAIN-SUFFIX,fc2.com,Proxy
292 | - DOMAIN-SUFFIX,feedburner.com,Proxy
293 | - DOMAIN-SUFFIX,feedly.com,Proxy
294 | - DOMAIN-SUFFIX,feedsportal.com,Proxy
295 | - DOMAIN-SUFFIX,fiftythree.com,Proxy
296 | - DOMAIN-SUFFIX,firebaseio.com,Proxy
297 | - DOMAIN-SUFFIX,flexibits.com,Proxy
298 | - DOMAIN-SUFFIX,flickr.com,Proxy
299 | - DOMAIN-SUFFIX,flipboard.com,Proxy
300 | - DOMAIN-SUFFIX,g.co,Proxy
301 | - DOMAIN-SUFFIX,gabia.net,Proxy
302 | - DOMAIN-SUFFIX,geni.us,Proxy
303 | - DOMAIN-SUFFIX,gfx.ms,Proxy
304 | - DOMAIN-SUFFIX,ggpht.com,Proxy
305 | - DOMAIN-SUFFIX,ghostnoteapp.com,Proxy
306 | - DOMAIN-SUFFIX,git.io,Proxy
307 | - DOMAIN-KEYWORD,github,Proxy
308 | - DOMAIN-SUFFIX,globalsign.com,Proxy
309 | - DOMAIN-SUFFIX,gmodules.com,Proxy
310 | - DOMAIN-SUFFIX,godaddy.com,Proxy
311 | - DOMAIN-SUFFIX,golang.org,Proxy
312 | - DOMAIN-SUFFIX,gongm.in,Proxy
313 | - DOMAIN-SUFFIX,goo.gl,Proxy
314 | - DOMAIN-SUFFIX,goodreaders.com,Proxy
315 | - DOMAIN-SUFFIX,goodreads.com,Proxy
316 | - DOMAIN-SUFFIX,gravatar.com,Proxy
317 | - DOMAIN-SUFFIX,gstatic.com,Proxy
318 | - DOMAIN-SUFFIX,gvt0.com,Proxy
319 | - DOMAIN-SUFFIX,hockeyapp.net,Proxy
320 | - DOMAIN-SUFFIX,hotmail.com,Proxy
321 | - DOMAIN-SUFFIX,icons8.com,Proxy
322 | - DOMAIN-SUFFIX,ift.tt,Proxy
323 | - DOMAIN-SUFFIX,ifttt.com,Proxy
324 | - DOMAIN-SUFFIX,iherb.com,Proxy
325 | - DOMAIN-SUFFIX,imageshack.us,Proxy
326 | - DOMAIN-SUFFIX,img.ly,Proxy
327 | - DOMAIN-SUFFIX,imgur.com,Proxy
328 | - DOMAIN-SUFFIX,imore.com,Proxy
329 | - DOMAIN-SUFFIX,instapaper.com,Proxy
330 | - DOMAIN-SUFFIX,ipn.li,Proxy
331 | - DOMAIN-SUFFIX,is.gd,Proxy
332 | - DOMAIN-SUFFIX,issuu.com,Proxy
333 | - DOMAIN-SUFFIX,itgonglun.com,Proxy
334 | - DOMAIN-SUFFIX,itun.es,Proxy
335 | - DOMAIN-SUFFIX,ixquick.com,Proxy
336 | - DOMAIN-SUFFIX,j.mp,Proxy
337 | - DOMAIN-SUFFIX,js.revsci.net,Proxy
338 | - DOMAIN-SUFFIX,jshint.com,Proxy
339 | - DOMAIN-SUFFIX,jtvnw.net,Proxy
340 | - DOMAIN-SUFFIX,justgetflux.com,Proxy
341 | - DOMAIN-SUFFIX,kat.cr,Proxy
342 | - DOMAIN-SUFFIX,klip.me,Proxy
343 | - DOMAIN-SUFFIX,libsyn.com,Proxy
344 | - DOMAIN-SUFFIX,linode.com,Proxy
345 | - DOMAIN-SUFFIX,lithium.com,Proxy
346 | - DOMAIN-SUFFIX,littlehj.com,Proxy
347 | - DOMAIN-SUFFIX,live.com,Proxy
348 | - DOMAIN-SUFFIX,live.net,Proxy
349 | - DOMAIN-SUFFIX,livefilestore.com,Proxy
350 | - DOMAIN-SUFFIX,llnwd.net,Proxy
351 | - DOMAIN-SUFFIX,macid.co,Proxy
352 | - DOMAIN-SUFFIX,macromedia.com,Proxy
353 | - DOMAIN-SUFFIX,macrumors.com,Proxy
354 | - DOMAIN-SUFFIX,mashable.com,Proxy
355 | - DOMAIN-SUFFIX,mathjax.org,Proxy
356 | - DOMAIN-SUFFIX,medium.com,Proxy
357 | - DOMAIN-SUFFIX,mega.co.nz,Proxy
358 | - DOMAIN-SUFFIX,mega.nz,Proxy
359 | - DOMAIN-SUFFIX,megaupload.com,Proxy
360 | - DOMAIN-SUFFIX,microsofttranslator.com,Proxy
361 | - DOMAIN-SUFFIX,mindnode.com,Proxy
362 | - DOMAIN-SUFFIX,mobile01.com,Proxy
363 | - DOMAIN-SUFFIX,modmyi.com,Proxy
364 | - DOMAIN-SUFFIX,msedge.net,Proxy
365 | - DOMAIN-SUFFIX,myfontastic.com,Proxy
366 | - DOMAIN-SUFFIX,name.com,Proxy
367 | - DOMAIN-SUFFIX,nextmedia.com,Proxy
368 | - DOMAIN-SUFFIX,nsstatic.net,Proxy
369 | - DOMAIN-SUFFIX,nssurge.com,Proxy
370 | - DOMAIN-SUFFIX,nyt.com,Proxy
371 | - DOMAIN-SUFFIX,nytimes.com,Proxy
372 | - DOMAIN-SUFFIX,omnigroup.com,Proxy
373 | - DOMAIN-SUFFIX,onedrive.com,Proxy
374 | - DOMAIN-SUFFIX,onenote.com,Proxy
375 | - DOMAIN-SUFFIX,ooyala.com,Proxy
376 | - DOMAIN-SUFFIX,openvpn.net,Proxy
377 | - DOMAIN-SUFFIX,openwrt.org,Proxy
378 | - DOMAIN-SUFFIX,orkut.com,Proxy
379 | - DOMAIN-SUFFIX,osxdaily.com,Proxy
380 | - DOMAIN-SUFFIX,outlook.com,Proxy
381 | - DOMAIN-SUFFIX,ow.ly,Proxy
382 | - DOMAIN-SUFFIX,paddleapi.com,Proxy
383 | - DOMAIN-SUFFIX,parallels.com,Proxy
384 | - DOMAIN-SUFFIX,parse.com,Proxy
385 | - DOMAIN-SUFFIX,pdfexpert.com,Proxy
386 | - DOMAIN-SUFFIX,periscope.tv,Proxy
387 | - DOMAIN-SUFFIX,pinboard.in,Proxy
388 | - DOMAIN-SUFFIX,pinterest.com,Proxy
389 | - DOMAIN-SUFFIX,pixelmator.com,Proxy
390 | - DOMAIN-SUFFIX,pixiv.net,Proxy
391 | - DOMAIN-SUFFIX,playpcesor.com,Proxy
392 | - DOMAIN-SUFFIX,playstation.com,Proxy
393 | - DOMAIN-SUFFIX,playstation.com.hk,Proxy
394 | - DOMAIN-SUFFIX,playstation.net,Proxy
395 | - DOMAIN-SUFFIX,playstationnetwork.com,Proxy
396 | - DOMAIN-SUFFIX,pushwoosh.com,Proxy
397 | - DOMAIN-SUFFIX,rime.im,Proxy
398 | - DOMAIN-SUFFIX,servebom.com,Proxy
399 | - DOMAIN-SUFFIX,sfx.ms,Proxy
400 | - DOMAIN-SUFFIX,shadowsocks.org,Proxy
401 | - DOMAIN-SUFFIX,sharethis.com,Proxy
402 | - DOMAIN-SUFFIX,shazam.com,Proxy
403 | - DOMAIN-SUFFIX,skype.com,Proxy
404 | - DOMAIN-SUFFIX,smartdnsProxy.com,Proxy
405 | - DOMAIN-SUFFIX,smartmailcloud.com,Proxy
406 | - DOMAIN-SUFFIX,sndcdn.com,Proxy
407 | - DOMAIN-SUFFIX,sony.com,Proxy
408 | - DOMAIN-SUFFIX,soundcloud.com,Proxy
409 | - DOMAIN-SUFFIX,sourceforge.net,Proxy
410 | - DOMAIN-SUFFIX,spotify.com,Proxy
411 | - DOMAIN-SUFFIX,squarespace.com,Proxy
412 | - DOMAIN-SUFFIX,sstatic.net,Proxy
413 | - DOMAIN-SUFFIX,st.luluku.pw,Proxy
414 | - DOMAIN-SUFFIX,stackoverflow.com,Proxy
415 | - DOMAIN-SUFFIX,startpage.com,Proxy
416 | - DOMAIN-SUFFIX,staticflickr.com,Proxy
417 | - DOMAIN-SUFFIX,steamcommunity.com,Proxy
418 | - DOMAIN-SUFFIX,symauth.com,Proxy
419 | - DOMAIN-SUFFIX,symcb.com,Proxy
420 | - DOMAIN-SUFFIX,symcd.com,Proxy
421 | - DOMAIN-SUFFIX,tapbots.com,Proxy
422 | - DOMAIN-SUFFIX,tapbots.net,Proxy
423 | - DOMAIN-SUFFIX,tdesktop.com,Proxy
424 | - DOMAIN-SUFFIX,techcrunch.com,Proxy
425 | - DOMAIN-SUFFIX,techsmith.com,Proxy
426 | - DOMAIN-SUFFIX,thepiratebay.org,Proxy
427 | - DOMAIN-SUFFIX,theverge.com,Proxy
428 | - DOMAIN-SUFFIX,time.com,Proxy
429 | - DOMAIN-SUFFIX,timeinc.net,Proxy
430 | - DOMAIN-SUFFIX,tiny.cc,Proxy
431 | - DOMAIN-SUFFIX,tinypic.com,Proxy
432 | - DOMAIN-SUFFIX,tmblr.co,Proxy
433 | - DOMAIN-SUFFIX,todoist.com,Proxy
434 | - DOMAIN-SUFFIX,trello.com,Proxy
435 | - DOMAIN-SUFFIX,trustasiassl.com,Proxy
436 | - DOMAIN-SUFFIX,tumblr.co,Proxy
437 | - DOMAIN-SUFFIX,tumblr.com,Proxy
438 | - DOMAIN-SUFFIX,tweetdeck.com,Proxy
439 | - DOMAIN-SUFFIX,tweetmarker.net,Proxy
440 | - DOMAIN-SUFFIX,twitch.tv,Proxy
441 | - DOMAIN-SUFFIX,txmblr.com,Proxy
442 | - DOMAIN-SUFFIX,typekit.net,Proxy
443 | - DOMAIN-SUFFIX,ubertags.com,Proxy
444 | - DOMAIN-SUFFIX,ublock.org,Proxy
445 | - DOMAIN-SUFFIX,ubnt.com,Proxy
446 | - DOMAIN-SUFFIX,ulyssesapp.com,Proxy
447 | - DOMAIN-SUFFIX,urchin.com,Proxy
448 | - DOMAIN-SUFFIX,usertrust.com,Proxy
449 | - DOMAIN-SUFFIX,v.gd,Proxy
450 | - DOMAIN-SUFFIX,vimeo.com,Proxy
451 | - DOMAIN-SUFFIX,vimeocdn.com,Proxy
452 | - DOMAIN-SUFFIX,vine.co,Proxy
453 | - DOMAIN-SUFFIX,vivaldi.com,Proxy
454 | - DOMAIN-SUFFIX,vox-cdn.com,Proxy
455 | - DOMAIN-SUFFIX,vsco.co,Proxy
456 | - DOMAIN-SUFFIX,vultr.com,Proxy
457 | - DOMAIN-SUFFIX,w.org,Proxy
458 | - DOMAIN-SUFFIX,w3schools.com,Proxy
459 | - DOMAIN-SUFFIX,webtype.com,Proxy
460 | - DOMAIN-SUFFIX,wikiwand.com,Proxy
461 | - DOMAIN-SUFFIX,wikileaks.org,Proxy
462 | - DOMAIN-SUFFIX,wikimedia.org,Proxy
463 | - DOMAIN-SUFFIX,wikipedia.com,Proxy
464 | - DOMAIN-SUFFIX,wikipedia.org,Proxy
465 | - DOMAIN-SUFFIX,windows.com,Proxy
466 | - DOMAIN-SUFFIX,windows.net,Proxy
467 | - DOMAIN-SUFFIX,wire.com,Proxy
468 | - DOMAIN-SUFFIX,wordpress.com,Proxy
469 | - DOMAIN-SUFFIX,workflowy.com,Proxy
470 | - DOMAIN-SUFFIX,wp.com,Proxy
471 | - DOMAIN-SUFFIX,wsj.com,Proxy
472 | - DOMAIN-SUFFIX,wsj.net,Proxy
473 | - DOMAIN-SUFFIX,xda-developers.com,Proxy
474 | - DOMAIN-SUFFIX,xeeno.com,Proxy
475 | - DOMAIN-SUFFIX,xiti.com,Proxy
476 | - DOMAIN-SUFFIX,yahoo.com,Proxy
477 | - DOMAIN-SUFFIX,yimg.com,Proxy
478 | - DOMAIN-SUFFIX,ying.com,Proxy
479 | - DOMAIN-SUFFIX,yoyo.org,Proxy
480 | - DOMAIN-SUFFIX,ytimg.com,Proxy
481 |
482 | # ISP Hijacking Protection
483 | - DOMAIN-SUFFIX,17gouwuba.com,Blocked
484 | - DOMAIN-SUFFIX,189zj.cn,Blocked
485 | - DOMAIN-SUFFIX,285680.com,Blocked
486 | - DOMAIN-SUFFIX,3721zh.com,Blocked
487 | - DOMAIN-SUFFIX,4009997658.com,Blocked
488 | - DOMAIN-SUFFIX,4336wang.cn,Blocked
489 | - DOMAIN-SUFFIX,51chumoping.com,Blocked
490 | - DOMAIN-SUFFIX,51mld.cn,Blocked
491 | - DOMAIN-SUFFIX,58mingri.cn,Blocked
492 | - DOMAIN-SUFFIX,58mingtian.cn,Blocked
493 | - DOMAIN-SUFFIX,6d63d3.com,Blocked
494 | - DOMAIN-SUFFIX,7gg.cc,Blocked
495 | - DOMAIN-SUFFIX,91veg.com,Blocked
496 | - DOMAIN-SUFFIX,9s6q.cn,Blocked
497 | - DOMAIN-SUFFIX,abbyychina.com,Blocked
498 | - DOMAIN-SUFFIX,adsame.com,Blocked
499 | - DOMAIN-SUFFIX,aiclk.com,Blocked
500 | - DOMAIN-SUFFIX,akuai.top,Blocked
501 | - DOMAIN-SUFFIX,atplay.cn,Blocked
502 | - DOMAIN-SUFFIX,baiwanchuangyi.com,Blocked
503 | - DOMAIN-SUFFIX,bartender.cc,Blocked
504 | - DOMAIN-SUFFIX,bayimob.com,Blocked
505 | - DOMAIN-SUFFIX,beerto.cn,Blocked
506 | - DOMAIN-SUFFIX,beilamusi.com,Blocked
507 | - DOMAIN-SUFFIX,benshiw.net,Blocked
508 | - DOMAIN-SUFFIX,betterzip.net,Blocked
509 | - DOMAIN-SUFFIX,beyondcompare.cc,Blocked
510 | - DOMAIN-SUFFIX,bianxianmao.com,Blocked
511 | - DOMAIN-SUFFIX,bingdianhuanyuan.cn,Blocked
512 | - DOMAIN-SUFFIX,bryonypie.com,Blocked
513 | - DOMAIN-SUFFIX,chemdraw.com.cn,Blocked
514 | - DOMAIN-SUFFIX,cishantao.com,Blocked
515 | - DOMAIN-SUFFIX,cjmakeding.com,Blocked
516 | - DOMAIN-SUFFIX,cjmkt.com,Blocked
517 | - DOMAIN-SUFFIX,codesoftchina.com,Blocked
518 | - DOMAIN-SUFFIX,coreldrawchina.com,Blocked
519 | - DOMAIN-SUFFIX,crossoverchina.com,Blocked
520 | - DOMAIN-SUFFIX,cszlks.com,Blocked
521 | - DOMAIN-SUFFIX,cudaojia.com,Blocked
522 | - DOMAIN-SUFFIX,dafapromo.com,Blocked
523 | - DOMAIN-SUFFIX,daitdai.com,Blocked
524 | - DOMAIN-SUFFIX,dsaeerf.com,Blocked
525 | - DOMAIN-SUFFIX,dugesheying.com,Blocked
526 | - DOMAIN-SUFFIX,dv8c1t.cn,Blocked
527 | - DOMAIN-SUFFIX,easyrecoverychina.com,Blocked
528 | - DOMAIN-SUFFIX,ediuschina.com,Blocked
529 | - DOMAIN-SUFFIX,erdoscs.com,Blocked
530 | - DOMAIN-SUFFIX,fan-yong.com,Blocked
531 | - DOMAIN-SUFFIX,feih.com.cn,Blocked
532 | - DOMAIN-SUFFIX,fjlqqc.com,Blocked
533 | - DOMAIN-SUFFIX,fkku194.com,Blocked
534 | - DOMAIN-SUFFIX,flash.cn,Blocked
535 | - DOMAIN-SUFFIX,flstudiochina.com,Blocked
536 | - DOMAIN-SUFFIX,formysql.com,Blocked
537 | - DOMAIN-SUFFIX,freedrive.cn,Blocked
538 | - DOMAIN-SUFFIX,gclick.cn,Blocked
539 | - DOMAIN-SUFFIX,goufanli100.com,Blocked
540 | - DOMAIN-SUFFIX,gouwubang.com,Blocked
541 | - DOMAIN-SUFFIX,guitarpro.cc,Blocked
542 | - DOMAIN-SUFFIX,haoshengtoys.com,Blocked
543 | - DOMAIN-SUFFIX,huishenghuiying.com.cn,Blocked
544 | - DOMAIN-SUFFIX,hypersnap.net,Blocked
545 | - DOMAIN-SUFFIX,ichaosheng.com,Blocked
546 | - DOMAIN-SUFFIX,iconworkshop.cn,Blocked
547 | - DOMAIN-SUFFIX,imindmap.cc,Blocked
548 | - DOMAIN-SUFFIX,ishop789.com,Blocked
549 | - DOMAIN-SUFFIX,jdkic.com,Blocked
550 | - DOMAIN-SUFFIX,jihehuaban.com.cn,Blocked
551 | - DOMAIN-SUFFIX,jiubuhua.com,Blocked
552 | - DOMAIN-SUFFIX,jwg365.cn,Blocked
553 | - DOMAIN-SUFFIX,keyshot.cc,Blocked
554 | - DOMAIN-SUFFIX,kingdeecn.cn,Blocked
555 | - DOMAIN-SUFFIX,kuaizip.com,Blocked
556 | - DOMAIN-SUFFIX,kualianyingxiao.cn,Blocked
557 | - DOMAIN-SUFFIX,kumihua.com,Blocked
558 | - DOMAIN-SUFFIX,linktech.cn,Blocked
559 | - DOMAIN-SUFFIX,logoshejishi.com,Blocked
560 | - DOMAIN-SUFFIX,ltheanine.cn,Blocked
561 | - DOMAIN-SUFFIX,mackeeper.com,Blocked
562 | - DOMAIN-SUFFIX,maipinshangmao.com,Blocked
563 | - DOMAIN-SUFFIX,mairuan.cn,Blocked
564 | - DOMAIN-SUFFIX,mairuan.com,Blocked
565 | - DOMAIN-SUFFIX,mairuan.com.cn,Blocked
566 | - DOMAIN-SUFFIX,mairuan.net,Blocked
567 | - DOMAIN-SUFFIX,mairuanwang.com,Blocked
568 | - DOMAIN-SUFFIX,makeding.com,Blocked
569 | - DOMAIN-SUFFIX,mathtype.cn,Blocked
570 | - DOMAIN-SUFFIX,mindmanager.cc,Blocked
571 | - DOMAIN-SUFFIX,mindmapper.cc,Blocked
572 | - DOMAIN-SUFFIX,minisplat.cn,Blocked
573 | - DOMAIN-SUFFIX,mkitgfs.com,Blocked
574 | - DOMAIN-SUFFIX,mlnbike.com,Blocked
575 | - DOMAIN-SUFFIX,mycleanmymac.com,Blocked
576 | - DOMAIN-SUFFIX,newapi.com,Blocked
577 | - DOMAIN-SUFFIX,nicelabel.cc,Blocked
578 | - DOMAIN-SUFFIX,ntfsformac.cc,Blocked
579 | - DOMAIN-SUFFIX,ntfsformac.cn,Blocked
580 | - DOMAIN-SUFFIX,overturechina.com,Blocked
581 | - DOMAIN-SUFFIX,passwordrecovery.cn,Blocked
582 | - DOMAIN-SUFFIX,pdfexpert.cc,Blocked
583 | - DOMAIN-SUFFIX,pinzhitmall.com,Blocked
584 | - DOMAIN-SUFFIX,poppyta.com,Blocked
585 | - DOMAIN-SUFFIX,qichexin.com,Blocked
586 | - DOMAIN-SUFFIX,qinchugudao.com,Blocked
587 | - DOMAIN-SUFFIX,quanliyouxi.cn,Blocked
588 | - DOMAIN-SUFFIX,qutaobi.com,Blocked
589 | - DOMAIN-SUFFIX,ry51w.cn,Blocked
590 | - DOMAIN-SUFFIX,sg536.cn,Blocked
591 | - DOMAIN-SUFFIX,shankejingling.com,Blocked
592 | - DOMAIN-SUFFIX,sifubo.cn,Blocked
593 | - DOMAIN-SUFFIX,sifuce.cn,Blocked
594 | - DOMAIN-SUFFIX,sifuda.cn,Blocked
595 | - DOMAIN-SUFFIX,sifufu.cn,Blocked
596 | - DOMAIN-SUFFIX,sifuge.cn,Blocked
597 | - DOMAIN-SUFFIX,sifugu.cn,Blocked
598 | - DOMAIN-SUFFIX,sifuhe.cn,Blocked
599 | - DOMAIN-SUFFIX,sifuhu.cn,Blocked
600 | - DOMAIN-SUFFIX,sifuji.cn,Blocked
601 | - DOMAIN-SUFFIX,sifuka.cn,Blocked
602 | - DOMAIN-SUFFIX,smgru.net,Blocked
603 | - DOMAIN-SUFFIX,taoggou.com,Blocked
604 | - DOMAIN-SUFFIX,tcxshop.com,Blocked
605 | - DOMAIN-SUFFIX,tjqonline.cn,Blocked
606 | - DOMAIN-SUFFIX,topitme.com,Blocked
607 | - DOMAIN-SUFFIX,tuia.cn,Blocked
608 | - DOMAIN-SUFFIX,tuipenguin.com,Blocked
609 | - DOMAIN-SUFFIX,tuitiger.com,Blocked
610 | - DOMAIN-SUFFIX,ultraiso.net,Blocked
611 | - DOMAIN-SUFFIX,vegaschina.cn,Blocked
612 | - DOMAIN-SUFFIX,wx16999.com,Blocked
613 | - DOMAIN-SUFFIX,xiaohuau.xyz,Blocked
614 | - DOMAIN-SUFFIX,xmindchina.net,Blocked
615 | - DOMAIN-SUFFIX,xshellcn.com,Blocked
616 | - DOMAIN-SUFFIX,yihuifu.cn,Blocked
617 | - DOMAIN-SUFFIX,yinmong.com,Blocked
618 | - DOMAIN-SUFFIX,yiqifa.com,Blocked
619 | - DOMAIN-SUFFIX,yitaopt.com,Blocked
620 | - DOMAIN-SUFFIX,yjqiqi.com,Blocked
621 | - DOMAIN-SUFFIX,yuanchengxiezuo.com,Blocked
622 | - DOMAIN-SUFFIX,yukhj.com,Blocked
623 | - DOMAIN-SUFFIX,zbrushcn.com,Blocked
624 | - DOMAIN-SUFFIX,zhaozecheng.cn,Blocked
625 | - DOMAIN-SUFFIX,zhenxinet.com,Blocked
626 | - DOMAIN-SUFFIX,zhzzx.com,Blocked
627 | - DOMAIN-SUFFIX,zunmi.cn,Blocked
628 | - DOMAIN-SUFFIX,zzd6.com,Blocked
629 | - DOMAIN,geo2.adobe.com,Blocked
630 | - IP-CIDR,10.72.25.0/24,Blocked
631 | - IP-CIDR,103.49.209.27/32,Blocked
632 | - IP-CIDR,106.75.231.48/32,Blocked
633 | - IP-CIDR,111.175.220.163/32,Blocked
634 | - IP-CIDR,111.175.220.164/32,Blocked
635 | - IP-CIDR,114.247.28.96/32,Blocked
636 | - IP-CIDR,115.182.16.79/32,Blocked
637 | - IP-CIDR,118.144.88.126/32,Blocked
638 | - IP-CIDR,118.144.88.215/32,Blocked
639 | - IP-CIDR,119.4.249.166/32,Blocked
640 | - IP-CIDR,120.76.189.132/32,Blocked
641 | - IP-CIDR,123.56.152.96/32,Blocked
642 | - IP-CIDR,124.14.21.147/32,Blocked
643 | - IP-CIDR,124.14.21.151/32,Blocked
644 | - IP-CIDR,124.232.160.178/32,Blocked
645 | - IP-CIDR,175.6.223.15/32,Blocked
646 | - IP-CIDR,180.166.52.24/32,Blocked
647 | - IP-CIDR,183.59.53.237/32,Blocked
648 | - IP-CIDR,211.161.101.106/32,Blocked
649 | - IP-CIDR,218.93.127.37/32,Blocked
650 | - IP-CIDR,220.115.251.25/32,Blocked
651 | - IP-CIDR,220.196.52.141/32,Blocked
652 | - IP-CIDR,221.179.131.72/32,Blocked
653 | - IP-CIDR,221.179.140.145/32,Blocked
654 | - IP-CIDR,221.228.17.152/32,Blocked
655 | - IP-CIDR,221.231.6.79/32,Blocked
656 | - IP-CIDR,221.6.4.148/32,Blocked
657 | - IP-CIDR,222.186.61.91/32,Blocked
658 | - IP-CIDR,222.186.61.95/32,Blocked
659 | - IP-CIDR,222.186.61.96/32,Blocked
660 | - IP-CIDR,222.186.61.97/32,Blocked
661 | - IP-CIDR,222.73.156.235/32,Blocked
662 | - IP-CIDR,39.107.15.115/32,Blocked
663 | - IP-CIDR,47.89.59.182/32,Blocked
664 | - IP-CIDR,61.160.200.223/32,Blocked
665 | - IP-CIDR,61.160.200.242/32,Blocked
666 | - IP-CIDR,61.160.200.252/32,Blocked
667 | - IP-CIDR,61.174.50.214/32,Blocked
668 |
669 | - GEOIP,CN,DIRECT
670 | - MATCH,Proxy
671 |
--------------------------------------------------------------------------------
/roles/clickhouse/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Host directory bind-mounted into both the server and the keeper container as /var/lib/clickhouse.
clickhouse_root: '/var/lib/clickhouse'
# false renders `restart: no` in the compose file, so the stack stays down after a host reboot.
restart_container: true
4 |
--------------------------------------------------------------------------------
/roles/clickhouse/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Deploys a single-node ClickHouse (server + keeper) with docker compose under /root/clickhouse.
# Every config upload prefers a host-specific file under files/<hostname>/ and falls back to the
# role's generic template (with_first_found), so per-host overrides never touch the templates.
- name: create compose dir
  file:
    path: /root/clickhouse
    state: directory

- name: upload compose file
  template:
    src: 'docker-compose.yml'
    dest: '/root/clickhouse/docker-compose.yml'

- name: upload clickhouse config
  template:
    src: '{{ item }}'
    dest: '/root/clickhouse/config.xml'
  with_first_found:
    - 'files/{{ ansible_hostname }}/clickhouse-config.xml'
    - 'templates/config.xml'

# NOTE(review): users.xml carries the server's user/ACL definitions (and any passwords) but is
# written with the default mode; add `mode: '0600'` if the host-specific file contains secrets.
- name: upload clickhouse users config
  template:
    src: '{{ item }}'
    dest: '/root/clickhouse/users.xml'
  with_first_found:
    - 'files/{{ ansible_hostname }}/clickhouse-users.xml'
    - 'templates/users.xml'

- name: upload clickhouse keeper config
  template:
    src: '{{ item }}'
    dest: '/root/clickhouse/keeper.xml'
  with_first_found:
    - 'files/{{ ansible_hostname }}/clickhouse-keeper.xml'
    - 'templates/keeper.xml'

- name: docker compose up
  command:
    cmd: docker compose up -d
    chdir: /root/clickhouse
  register: compose_up_result
  # compose reports on stderr; only an actual (re)create/start counts as a change.
  changed_when: compose_up_result.stderr is search('Creating|Starting|Recreated')
42 |
--------------------------------------------------------------------------------
/roles/clickhouse/templates/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | debug
4 | /var/log/clickhouse-server/clickhouse-server.log
5 | /var/log/clickhouse-server/clickhouse-server.err.log
6 | 1000M
7 | 3
8 |
9 | ClickHouse
10 | 0.0.0.0
11 | 8123
12 | 9000
13 |
14 |
15 | users.xml
16 |
17 |
18 | {{ clickhouse_root }}/access/
19 |
20 |
21 |
22 | /clickhouse/task_queue/ddl
23 |
24 |
25 |
26 | clickhouse-keeper
27 | 9181
28 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/roles/clickhouse/templates/docker-compose.yml:
--------------------------------------------------------------------------------
# https://github.com/ClickHouse/examples/blob/a2d75b915964adf1f54d99582f36791fb464242b/docker-compose-recipes/recipes/ch-1S_1K/docker-compose.yaml
# One ClickHouse server plus one ClickHouse Keeper, both pinned to 23.4 image tags.
# Rendered by Ansible: clickhouse_root and restart_container come from the role defaults.

services:
  clickhouse:
    image: 'clickhouse/clickhouse-server:23.4'
    container_name: clickhouse
    hostname: clickhouse
    # restart_container=false leaves the container stopped after a reboot.
    restart: {{ 'unless-stopped' if restart_container else 'no' }}
    volumes:
      # Both XML files are rendered by the role (host-specific files win via with_first_found).
      - ./config.xml:/etc/clickhouse-server/config.d/config.xml
      - ./users.xml:/etc/clickhouse-server/users.d/users.xml
      - '{{ clickhouse_root }}:/var/lib/clickhouse'
      - '/var/log/clickhouse-server:/var/log/clickhouse-server'
    # NOTE(review): '8123:8123' / '9000:9000' publish the HTTP and native endpoints on every host
    # interface, so they are reachable from any network that reaches this host. The generic
    # users.xml appears to admit the default user from ::/0, which makes this binding the only
    # guard; prefer '127.0.0.1:8123:8123' (or a LAN address) unless remote clients are intended.
    ports:
      - '8123:8123'
      - '9000:9000'
    depends_on:
      - clickhouse-keeper

  clickhouse-keeper:
    image: 'clickhouse/clickhouse-keeper:23.4-alpine'
    container_name: clickhouse-keeper
    hostname: clickhouse-keeper
    volumes:
      - ./keeper.xml:/etc/clickhouse-keeper/keeper_config.xml
      - '{{ clickhouse_root }}:/var/lib/clickhouse'
      - '/var/log/clickhouse-keeper:/var/log/clickhouse-keeper'
    # NOTE(review): the server reaches the keeper by its compose hostname, so publishing 9181 on
    # the host looks unnecessary; Keeper has no client authentication of its own — confirm a
    # host-side consumer exists before keeping this mapping.
    ports:
      - '9181:9181'
30 |
--------------------------------------------------------------------------------
/roles/clickhouse/templates/keeper.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | information
4 | /var/log/clickhouse-keeper/clickhouse-keeper.log
5 | /var/log/clickhouse-keeper/clickhouse-keeper.err.log
6 | 1000M
7 | 3
8 |
9 | 0.0.0.0
10 |
11 | 9181
12 | 1
13 | {{ clickhouse_root }}/coordination/log
14 | {{ clickhouse_root }}/coordination/snapshots
15 |
16 | 10000
17 | 30000
18 | information
19 |
20 |
21 |
22 | 1
23 | clickhouse-keeper
24 | 9234
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/roles/clickhouse/templates/users.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | 10000000000
6 | 0
7 | in_order
8 | 1
9 |
10 |
11 |
12 |
13 | 1
14 | default
15 |
16 | ::/0
17 |
18 | default
19 | 1
20 | 1
21 | 1
22 | 1
23 |
24 |
25 |
26 |
27 |
28 | 3600
29 | 0
30 | 0
31 | 0
32 | 0
33 | 0
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
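---
# Baseline tooling for every host, plus removal of snap (purge drops its config as well).
- name: install apt packages
  apt:
    # Same package set as before, installed in a single apt transaction instead of one per item.
    name:
      - nethogs
      - htop
      - iotop
      - nmon
      - neofetch

- name: uninstall snap
  apt:
    name:
      - snap
      - snapd
    state: absent
    purge: yes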
20 |
--------------------------------------------------------------------------------
/roles/discourse/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Rendered into every instance as DISCOURSE_DEVELOPER_EMAILS.
developer_email: jysperm@gmail.com
# SMTP relay (an Amazon SES endpoint by its hostname); credentials are per instance
# (item.smtp_user / item.smtp_password in the `discourse` list).
smtp_address: email-smtp.us-east-1.amazonaws.com
# Ports of the rendered nginx vhost; the HTTP listener only redirects to HTTPS.
discourse_nginx_http_listen: 80
discourse_nginx_https_listen: 443
# Extra discourse_docker template files appended to each container definition.
discourse_templates: []
7 |
--------------------------------------------------------------------------------
/roles/discourse/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart nginx
  service:
    name: nginx
    state: restarted

# Notified by the container-definition task; `definitions` is its registered loop result, so
# only instances whose definition file actually changed are rebuilt (item.item is the
# corresponding entry of the `discourse` list).
- name: rebuild discourse
  command: './launcher rebuild {{ item.item.name }}'
  args:
    chdir: '/var/discourse'
  when: item.changed
  with_items: '{{ definitions.results }}'
13 |
--------------------------------------------------------------------------------
/roles/discourse/meta/main.yml:
--------------------------------------------------------------------------------
---
# Applied before this role: docker runs the launcher-built containers, nginx is the host-side
# reverse proxy whose sites-enabled directory tasks/main.yml writes into.
dependencies:
  - docker
  - nginx
5 |
--------------------------------------------------------------------------------
/roles/discourse/tasks/main.yml:
--------------------------------------------------------------------------------
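---
# Deploys one or more Discourse instances with discourse_docker. Each entry of the `discourse`
# list (name, domain, smtp_user, smtp_password) gets a container definition and an nginx vhost.
- name: clone git repository
  git:
    repo: 'https://github.com/discourse/discourse_docker.git'
    dest: /var/discourse
  # NOTE(review): no `version:` pin, so every run moves /var/discourse to the upstream default
  # branch; the launcher code that builds the containers is whatever is current at that moment.

- name: upload container definitions
  template:
    src: 'container.yml'
    dest: '/var/discourse/containers/{{ item.name }}.yml'
    # Fix: the rendered definition contains the SMTP password; make it root-only instead of
    # leaving it at the remote umask default.
    mode: '0600'
  notify: rebuild discourse
  register: definitions
  with_items: '{{ discourse }}'

- name: upload nginx configuration
  template:
    src: 'nginx.conf'
    dest: '/etc/nginx/sites-enabled/{{ item.name }}.conf'
  notify: restart nginx
  with_items: '{{ discourse }}'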
21 |
--------------------------------------------------------------------------------
/roles/discourse/templates/container.yml:
--------------------------------------------------------------------------------
# Discourse container definition, rendered once per entry of the `discourse` list (item.*)
# into /var/discourse/containers/<name>.yml and consumed by `./launcher rebuild`.
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"
# Extra templates from discourse_templates (defaults to []).
# NOTE(review): the `-%}` strips the whitespace after the tag, so generated items lose the
# indentation of the fixed ones above — confirm the rendered file still parses when
# discourse_templates is non-empty.
{% for template_file in discourse_templates -%}
  - "{{ template_file }}"
{% endfor %}

# Nothing is published: the host nginx proxies to the unix socket created by web.socketed.
expose:

params:
  db_default_text_search_config: "pg_catalog.english"
  db_shared_buffers: "256MB"

env:
  LANG: en_US.UTF-8
  UNICORN_WORKERS: 2
  DISCOURSE_HOSTNAME: '{{ item.domain }}'
  DISCOURSE_DEVELOPER_EMAILS: '{{ developer_email }}'
  DISCOURSE_SMTP_ADDRESS: '{{ smtp_address }}'
  DISCOURSE_SMTP_PORT: 587
  # NOTE(review): rendered in clear text into the container definition; keep the source values in
  # the encrypted vars and the rendered file readable by root only.
  DISCOURSE_SMTP_USER_NAME: '{{ item.smtp_user }}'
  DISCOURSE_SMTP_PASSWORD: '{{ item.smtp_password }}'

volumes:
  - volume:
      host: '/var/discourse/shared/{{ item.name }}'
      guest: /shared
  - volume:
      host: '/var/discourse/shared/{{ item.name }}/log/var-log'
      guest: /var/log

hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          # NOTE(review): unpinned clone — each rebuild installs the plugin's current default branch.
          - git clone https://github.com/discourse/docker_manager.git

run:
  - exec: echo "Beginning of custom commands"
  - exec: echo "End of custom commands"
45 |
--------------------------------------------------------------------------------
/roles/discourse/templates/nginx.conf:
--------------------------------------------------------------------------------
# Rendered once per entry of the `discourse` list (item.domain / item.name).
server {
    listen {{ discourse_nginx_http_listen }};
    server_name {{ item.domain }};

    # Plain HTTP only redirects. 302 is "temporary"; 301 would let browsers cache the upgrade.
    return 302 https://$host$request_uri;
}

server {
    listen {{ discourse_nginx_https_listen }} ssl;
    server_name {{ item.domain }};

    # Certificates are expected from certbot; issuance and renewal are not handled by this role.
    ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;

    # NOTE(review): max-age is ~126 days, while the HSTS preload list requires at least one year
    # (31536000), so the `preload` token has no effect until max-age is raised. Without `always`
    # the header is also only added to 2xx/3xx responses.
    add_header Strict-Transport-Security 'max-age=10886400; includeSubDomains; preload';

    location / {
        # Presumably consumed by Discourse for absolute URLs and client-IP handling.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The container exposes a unix socket (web.socketed template), not a TCP port.
        proxy_pass http://unix:/var/discourse/shared/{{ item.name }}/nginx.http.sock:;
    }

    # Served from the host filesystem (e.g. ACME challenges, reached through the redirect above).
    location /.well-known {
        root /var/www/html;
    }
}
30 |
--------------------------------------------------------------------------------
/roles/dnsmasq/defaults/main.yml:
--------------------------------------------------------------------------------
---
# DHCP: dnsmasq serves leases on the LAN bridge.
dnsmasq_dhcp_enable: True
dnsmasq_dhcp_interface: 'brlan'
# NOTE(review): the pool starts at the gateway's own address (10.0.0.1), ends at .255 (the
# broadcast address if this is a /24) and overlaps the static reservation below. dnsmasq is
# expected to skip addresses it owns or has reserved, but a pool such as 10.0.0.50,10.0.0.250
# would make the intent explicit — confirm before changing.
dnsmasq_dhcp_range: '10.0.0.1,10.0.0.255,12h'
# Pushed to clients as DHCP option 6 (DNS server), i.e. clients resolve through this box.
dnsmasq_dhcp_gateway_ip: '10.0.0.1'
dnsmasq_dns_enable: True
# Upstream resolver for dnsmasq. NOTE(review): 127.0.0.53 is the systemd-resolved stub address,
# yet tasks/main.yml stops systemd-resolved when DNS is enabled — confirm what answers there
# afterwards, or point this at a real upstream.
dnsmasq_dns_upstream: '127.0.0.53'

# Fixed leases: MAC -> hostname + address (rendered as dhcp-host= lines).
dnsmasq_dhcp_static_hosts:
  - name: synology
    mac: b4:3b:32:7e:4d:c3
    address: 10.0.0.10

# Local names answered by dnsmasq (written to /etc/hosts on the gateway).
dnsmasq_dns_static_hosts:
  - domain: nextcloud
    address: 10.0.0.100
17 |
--------------------------------------------------------------------------------
/roles/dnsmasq/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Notified by the lineinfile edits in tasks/main.yml; also makes sure the unit starts at boot.
- name: restart dnsmasq
  service:
    name: 'dnsmasq'
    state: 'restarted'
    enabled: 'yes'
7 |
--------------------------------------------------------------------------------
/roles/dnsmasq/tasks/main.yml:
--------------------------------------------------------------------------------
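---
# Installs dnsmasq and edits /etc/dnsmasq.conf in place with lineinfile. The DHCP and DNS halves
# are gated separately by dnsmasq_dhcp_enable / dnsmasq_dns_enable (role defaults).
- name: install apt packages
  apt:
    name: dnsmasq

- name: configure DHCP
  lineinfile:
    path: '/etc/dnsmasq.conf'
    # NOTE(review): the regexps are unanchored, so 'interface=' also matches commented-out
    # example lines (lineinfile replaces the last match). It converges, but anchoring them
    # (e.g. '^#?interface=') would make the edit less surprising.
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    firstmatch: true
  with_items:
    - { regexp: 'interface=', line: 'interface={{ dnsmasq_dhcp_interface }}'}
    - { regexp: 'dhcp-range=', line: 'dhcp-range={{ dnsmasq_dhcp_interface }},{{ dnsmasq_dhcp_range }}'}
    # Option 6 is the DNS-server option, not the default route: clients are told to resolve via
    # the gateway address, where this role's dnsmasq listens on port 53.
    - { regexp: 'dhcp-option=6', line: 'dhcp-option=6,{{ dnsmasq_dhcp_gateway_ip }}' }
  notify: restart dnsmasq
  when: dnsmasq_dhcp_enable

- name: configure DHCP static hosts
  lineinfile:
    path: '/etc/dnsmasq.conf'
    regexp: 'dhcp-host={{ item.mac }}'
    line: 'dhcp-host={{ item.mac }},{{ item.name }},{{ item.address}}'
    insertafter: '#dhcp-host='
    firstmatch: true
  loop: '{{ dnsmasq_dhcp_static_hosts }}'
  # Fix: a new or changed reservation is only read on restart, so notify like the other edits.
  notify: restart dnsmasq
  when: dnsmasq_dhcp_enable

# Frees port 53 and the stub resolver for dnsmasq.
- name: disable systemd-resolved
  service:
    name: 'systemd-resolved'
    state: 'stopped'
    enabled: 'no'
  when: dnsmasq_dns_enable

- name: configure DNS
  lineinfile:
    path: '/etc/dnsmasq.conf'
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    firstmatch: true
  with_items:
    # NOTE(review): 'port=' and 'server=' are substrings of other dnsmasq options; anchor them if
    # the distro's default file ever carries such lines uncommented.
    - { regexp: 'port=', line: 'port=53'}
    - { regexp: 'no-resolv', line: 'no-resolv'}
    # NOTE(review): the default upstream is 127.0.0.53, the stub of the systemd-resolved service
    # stopped just above — confirm something still answers there.
    - { regexp: 'server=', line: 'server={{ dnsmasq_dns_upstream }}'}
    - { regexp: 'cache-size=', line: 'cache-size=10000'}
    # Logs every query with the client address; useful for spotting hijacked or unexpected lookups.
    - { regexp: 'log-queries=', line: 'log-queries=extra'}
  notify: restart dnsmasq
  when: dnsmasq_dns_enable

- name: configure DNS static hosts
  lineinfile:
    path: '/etc/hosts'
    line: '{{ item.address }} {{ item.domain }}'
  loop: '{{ dnsmasq_dns_static_hosts }}'
  # Fix: dnsmasq reads /etc/hosts at startup, so a new entry needs the restart too.
  notify: restart dnsmasq
  when: dnsmasq_dns_enable

# The gateway itself resolves through the local dnsmasq.
- name: configure resolv.conf
  copy:
    dest: '/etc/resolv.conf'
    content: |
      nameserver 127.0.0.1
  when: dnsmasq_dns_enable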
64 |
--------------------------------------------------------------------------------
/roles/docker/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Empty (falsy) skips tasks/remote.yml. Set it to the basename of the cert/key pair under
# files/docker-certs/ to expose the daemon API on tcp/2376 with client-certificate verification.
docker_cert_name: ''
3 |
--------------------------------------------------------------------------------
/roles/docker/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Needed after tasks/remote.yml rewrites the docker unit; listed first so it runs before the
# restart (handlers fire in definition order).
- name: reload systemd
  command: systemctl daemon-reload

- name: restart docker
  service:
    name: 'docker'
    state: 'restarted'
    enabled: 'yes'
10 |
--------------------------------------------------------------------------------
/roles/docker/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs docker-ce from Docker's apt repository. deb_architecture (uname arch -> dpkg arch map)
# is loaded from the shared global-vars.yml.
- include_vars: ../../global-vars.yml

- name: install apt packages
  apt:
    name: gnupg

# NOTE(review): apt_key adds the key to the legacy global keyring, where it can sign any apt
# source rather than only Docker's; current Debian/Ubuntu deprecate this in favour of a keyring
# file referenced by [signed-by=...] in the repo line.
- name: add apt repository key
  apt_key:
    url: 'https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg'

- name: add apt repository
  apt_repository:
    repo: 'deb [arch={{ deb_architecture[ansible_architecture] }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable'

# Second task with the same name as the gnupg one; harmless, but it makes play output ambiguous.
- name: install apt packages
  apt:
    name: docker-ce
    update_cache: true

# Only rendered when a host/inventory var docker_registry_url exists (see templates/daemon.json).
- name: setup docker registry mirror
  template:
    src: daemon.json
    dest: /etc/docker/daemon.json
  when: docker_registry_url is defined
  notify: restart docker

# docker_cert_name defaults to '' (falsy), so the TLS remote API is opt-in per host.
- include_tasks: remote.yml
  when: docker_cert_name
30 |
--------------------------------------------------------------------------------
/roles/docker/tasks/remote.yml:
--------------------------------------------------------------------------------
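---
# Exposes the Docker daemon API over TLS on tcp/2376. Included from tasks/main.yml only when
# docker_cert_name is set; the files are read from files/docker-certs/ on the controller.
- name: create directory
  file:
    path: /etc/docker/certs
    state: directory

- name: upload certs
  copy:
    src: 'docker-certs/{{ item }}'
    dest: '/etc/docker/certs/{{ item }}'
    mode: '0644'
  with_items:
    - '{{ docker_cert_name }}.cert'
    - 'ca.pem'

- name: upload server key
  copy:
    src: 'docker-certs/{{ docker_cert_name }}.key'
    dest: '/etc/docker/certs/{{ docker_cert_name }}.key'
    # Fix: copy's default mode follows the remote umask (commonly 0644), which left the daemon's
    # TLS private key readable by every local account. dockerd runs as root, so 0600 suffices.
    mode: '0600'

# --tlsverify: only clients presenting a certificate signed by ca.pem may use the API.
- name: setup docker remote access
  lineinfile:
    path: '/lib/systemd/system/docker.service'
    regexp: 'ExecStart='
    line: 'ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H 0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/{{ docker_cert_name }}.cert --tlskey=/etc/docker/certs/{{ docker_cert_name }}.key'
    firstmatch: true
  # NOTE(review): editing the packaged unit under /lib/systemd means a docker-ce upgrade reverts
  # this line (and the TLS listener) until the role runs again; a drop-in under
  # /etc/systemd/system/docker.service.d/ (empty ExecStart= followed by the new one) survives upgrades.
  notify:
    - reload systemd
    - restart docker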
25 |
--------------------------------------------------------------------------------
/roles/docker/templates/daemon.json:
--------------------------------------------------------------------------------
1 | {
2 | "registry-mirrors": ["{{ docker_registry_url }}"]
3 | }
4 |
--------------------------------------------------------------------------------
/roles/factorio/defaults/main.yml:
--------------------------------------------------------------------------------
# Image tag (game version) of factoriotools/factorio.
factorio_version: '1.1.33'
# Save name; also used as the compose service name, the container name and the /storage/db path.
factorio_server: 'mysave'
3 |
--------------------------------------------------------------------------------
/roles/factorio/tasks/main.yml:
--------------------------------------------------------------------------------
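---
# Deploys a single Factorio headless server with docker-compose under /root/factorio.
- name: create factorio compose dir
  file:
    path: /root/factorio
    state: directory

- name: upload compose file
  template:
    src: 'docker-compose.yml'
    dest: '/root/factorio/docker-compose.yml'

- name: Start factorio
  command:
    cmd: docker-compose up -d
    chdir: /root/factorio
  # Fix: report "changed" only when compose actually (re)created or started something, as the
  # clickhouse and gitea roles do, instead of on every run. compose v1 prints "Recreating".
  register: compose_up_result
  changed_when: compose_up_result.stderr is search('Creating|Starting|Recreating|Recreated')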
16 |
--------------------------------------------------------------------------------
/roles/factorio/templates/docker-compose.yml:
--------------------------------------------------------------------------------
# NOTE(review): the top-level `version` key is ignored (with a warning) by Compose v2.
version: '3'

services:
  # Service key and container name derive from factorio_server (the save name).
  {{ factorio_server }}:
    image: 'factoriotools/factorio:{{ factorio_version }}'
    container_name: 'factorio-{{ factorio_server }}'
    ports:
      # Game protocol, published on every host interface.
      - 34197:34197/udp
    environment:
      # Always boot the save named SAVE_NAME rather than the newest autosave.
      - LOAD_LATEST_SAVE=false
      # NOTE(review): presumably fetches mod updates on every start, i.e. unpinned code pulled at
      # runtime; set to false if reproducible restarts matter.
      - UPDATE_MODS_ON_START=true
      - SAVE_NAME={{ factorio_server }}
    volumes:
      - '/storage/db/factorio/{{ factorio_server }}:/factorio'
15 |
--------------------------------------------------------------------------------
/roles/frpc/defaults/main.yml:
--------------------------------------------------------------------------------
---
# frp release downloaded from GitHub (also part of the extracted directory name).
# NOTE(review): 0.33.0 is an old release; check upstream for later security fixes before reusing.
frp_release: 0.33.0
# Server addresses: one frpc@<server> instance and one /etc/frpc/frpc-<server>.ini each.
frp_servers: []
# Proxy definitions rendered into every instance's ini
# (name, type, local_port, remote_port, optional local_ip).
frp_client_proxies: []
5 |
--------------------------------------------------------------------------------
/roles/frpc/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Needed after frpc@.service is (re)written so systemd picks up the new unit definition.
- name: reload systemd
  command: systemctl daemon-reload
4 |
--------------------------------------------------------------------------------
/roles/frpc/tasks/main.yml:
--------------------------------------------------------------------------------
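---
# Installs the frp client and one frpc@<server> systemd instance per entry of frp_servers.
# deb_architecture comes from the shared global-vars.yml; frp_token is defined outside this role.
- include_vars: ../../global-vars.yml

- name: ensures directory exists
  file:
    path: '{{ item }}'
    state: 'directory'
  with_items:
    - '/root/downloads'
    - '/etc/frpc'

- name: download frp
  get_url:
    url: 'https://github.com/fatedier/frp/releases/download/v{{ frp_release }}/frp_{{ frp_release }}_linux_{{ deb_architecture[ansible_architecture] }}.tar.gz'
    dest: '/root/downloads/frp.tar.gz'
    # NOTE(review): nothing verifies the download; add
    # checksum: 'sha256:<SHA256-OF-THE-PINNED-TARBALL>' so a replaced release asset is rejected.
  tags: [download]

- name: unarchive frp
  unarchive:
    src: '/root/downloads/frp.tar.gz'
    dest: '/root/downloads'
    remote_src: 'yes'

- name: install frpc
  copy:
    src: '/root/downloads/frp_{{ frp_release }}_linux_{{ deb_architecture[ansible_architecture] }}/frpc'
    dest: /usr/bin/frpc
    remote_src: yes
    mode: '0755'
  register: install_result

- name: generate frpc configure
  template:
    src: 'frpc.ini'
    dest: '/etc/frpc/frpc-{{ item }}.ini'
    # Fix: the rendered file contains frp_token; the remote umask default (usually 0644) let
    # any local account read it.
    mode: '0600'
  with_items: '{{ frp_servers }}'
  register: generate_result

- name: create systemd service
  template:
    src: 'frpc.service'
    dest: '/etc/systemd/system/frpc@.service'
    mode: '0644'
  register: service_result
  notify:
    - reload systemd

# Fix: handlers run at the end of the play, so a changed frpc@.service was restarted below
# against the stale unit definition. Flush so 'reload systemd' runs first.
- meta: flush_handlers

- name: restart frpc services
  service:
    name: 'frpc@{{ item }}'
    state: 'restarted'
    enabled: 'yes'
  with_items: '{{ frp_servers }}'
  # Fix: previously only a config change restarted the instances; a new binary or unit did not.
  when: generate_result.changed or install_result.changed or service_result.changed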
53 |
--------------------------------------------------------------------------------
/roles/frpc/templates/frpc.ini:
--------------------------------------------------------------------------------
; Rendered once per entry of frp_servers; `item` is the server address of this instance.
[common]
server_addr = {{item}}
server_port = 7000
; Shared secret with the server (frps.ini renders the same frp_token, defined outside this role).
; The rendered file must stay root-only; make sure the template task writes it with mode 0600.
token = {{frp_token}}

; One section per entry of frp_client_proxies (name, type, local_port, remote_port; local_ip
; defaults to the loopback so only services bound locally are exposed unless stated otherwise).
{% for proxy in frp_client_proxies -%}
[{{proxy.name}}]
type = {{proxy.type}}
local_ip = {{proxy.local_ip | default('127.0.0.1')}}
local_port = {{proxy.local_port}}
remote_port = {{proxy.remote_port}}
; protocol = kcp
{% endfor %}
14 |
--------------------------------------------------------------------------------
/roles/frpc/templates/frpc.service:
--------------------------------------------------------------------------------
# systemd template unit: `frpc@<server>` runs with /etc/frpc/frpc-<server>.ini, matching the
# files the role renders (one per entry of frp_servers).
[Unit]
Description=frpc daemon (%i)
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/frpc -c /etc/frpc/frpc-%i.ini
# Restart on non-zero exit or signal, not after a clean exit.
Restart=on-failure
# NOTE(review): no User= and no sandboxing directives, so the client runs as root; a dedicated
# user plus ProtectSystem=/PrivateTmp= would limit what a compromised process can reach.

[Install]
WantedBy=multi-user.target
13 |
--------------------------------------------------------------------------------
/roles/frps/defaults/main.yml:
--------------------------------------------------------------------------------
---
# frp release downloaded from GitHub; keep in step with the frpc role so client and server match.
# NOTE(review): 0.33.0 is an old release; check upstream for later security fixes before reusing.
frp_release: 0.33.0
3 |
--------------------------------------------------------------------------------
/roles/frps/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Needed after frps.service is (re)written; listed first so it runs before the restart.
- name: reload systemd
  command: systemctl daemon-reload

- name: restart frps
  service:
    name: 'frps'
    state: 'restarted'
    enabled: 'yes'
10 |
--------------------------------------------------------------------------------
/roles/frps/tasks/main.yml:
--------------------------------------------------------------------------------
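---
# Installs the frp server binary from the GitHub release tarball and runs it as a systemd unit.
# deb_architecture (uname arch -> release arch name) comes from the shared global-vars.yml, as in
# the frpc role, so the role no longer assumes amd64.
- include_vars: ../../global-vars.yml

- name: ensures directory exists
  file:
    path: '{{ item }}'
    state: 'directory'
  with_items:
    - '/root/downloads'
    - '/etc/frps'

- name: download frp
  get_url:
    url: 'https://github.com/fatedier/frp/releases/download/v{{ frp_release }}/frp_{{ frp_release }}_linux_{{ deb_architecture[ansible_architecture] }}.tar.gz'
    dest: '/root/downloads/frp.tar.gz'
    # NOTE(review): nothing verifies the download; add
    # checksum: 'sha256:<SHA256-OF-THE-PINNED-TARBALL>' so a replaced release asset is rejected.
  tags: [download]

- name: unarchive frp
  unarchive:
    src: '/root/downloads/frp.tar.gz'
    dest: '/root/downloads'
    remote_src: 'yes'

- name: install frps
  copy:
    src: '/root/downloads/frp_{{ frp_release }}_linux_{{ deb_architecture[ansible_architecture] }}/frps'
    dest: /usr/bin/frps
    remote_src: yes
    mode: '0755'
  notify: restart frps

- name: install frps configure
  template:
    src: 'frps.ini'
    dest: /etc/frps/frps.ini
    # Fix: the rendered file carries the shared authentication token; the remote umask default
    # (usually 0644) exposed it to every local account.
    mode: '0600'
  notify: restart frps

- name: create systemd service
  template:
    src: 'frps.service'
    dest: '/etc/systemd/system/frps.service'
    mode: '0644'
  notify:
    - reload systemd
    - restart frps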
44 |
--------------------------------------------------------------------------------
/roles/frps/templates/frps.ini:
--------------------------------------------------------------------------------
[common]
; Accepts frpc connections over TCP and KCP on the same port number.
bind_port = 7000
kcp_bind_port = 7000
; Clients must present frp_token (defined outside this role); the rendered file must stay
; root-only, so make sure the template task writes it with mode 0600.
authentication_method = token
token = {{frp_token}}
6 |
--------------------------------------------------------------------------------
/roles/frps/templates/frps.service:
--------------------------------------------------------------------------------
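[Unit]
Description=frps daemon
# Consistent with frpc.service: wait for the network before binding the listener.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/frps -c /etc/frps/frps.ini
# Fix: without a Restart= policy a crashed frps stayed down; frpc.service already uses on-failure.
Restart=on-failure
# NOTE(review): no User= and no sandboxing directives, so the server runs as root.

[Install]
WantedBy=multi-user.target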
10 |
--------------------------------------------------------------------------------
/roles/gitea/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Host directory for Gitea state; tasks/main.yml writes app.ini under <gitea_root>/conf.
gitea_root: '/var/lib/gitea'
3 |
--------------------------------------------------------------------------------
/roles/gitea/tasks/main.yml:
--------------------------------------------------------------------------------
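---
# Deploys Gitea with docker compose; its configuration lives on the host under gitea_root/conf.
- name: create dirs
  file:
    path: '{{item}}'
    state: directory
  with_items:
    - '/root/gitea'
    - '{{gitea_root}}/conf'

- name: upload compose file
  template:
    src: 'docker-compose.yml'
    dest: '/root/gitea/docker-compose.yml'

# A host-specific files/<hostname>/gitea.ini wins over the generic template.
# NOTE(review): this task runs on every play; once Gitea's web installer has written
# SECRET_KEY/INSTALL_LOCK into app.ini, a run that still falls back to the generic template
# would overwrite them — keep the real config in the per-host file.
- name: upload gitea config
  template:
    src: '{{ item }}'
    dest: '{{gitea_root}}/conf/app.ini'
    owner: '1000'
    group: '1000'
    # Fix: app.ini holds SECRET_KEY and database settings; restrict it to the container user (uid 1000).
    mode: '0600'
  with_first_found:
    - 'files/{{ ansible_hostname }}/gitea.ini'
    - 'templates/app.ini'

- name: docker compose up
  command:
    cmd: docker compose up -d
    chdir: /root/gitea
  register: compose_upped
  # compose reports on stderr; only an actual (re)create/start counts as a change.
  changed_when: compose_upped.stderr is search('Creating|Starting|Recreated')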
31 |
--------------------------------------------------------------------------------
/roles/gitea/templates/app.ini:
--------------------------------------------------------------------------------
; Fallback Gitea configuration, used only when no files/<hostname>/gitea.ini
; exists (see tasks/main.yml).  It is mounted at /var/lib/gitea/conf/app.ini
; inside the container (GITEA_CUSTOM in the compose file).
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[repository]
ROOT = /data/git/repositories

[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

[repository.upload]
TEMP_PATH = /data/gitea/uploads

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = localhost
SSH_DOMAIN = localhost
; Published as host port 3300 by the compose file.
HTTP_PORT = 3000
ROOT_URL =
DISABLE_SSH = false
; NOTE(review): the compose file publishes host 2222 -> container 2222, but
; the listener configured here is 22.  One of the two is presumably wrong;
; confirm which port the image's sshd actually binds before relying on SSH.
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = false

[database]
; sqlite3 is the active backend.  HOST/NAME/USER/PASSWD below look like
; leftovers from a MySQL layout and should be ignored for sqlite3; drop them
; to avoid the impression that a root/no-password database is in use.
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false

[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve

[session]
PROVIDER_CONFIG = /data/gitea/sessions

[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars

[attachment]
PATH = /data/gitea/attachments

[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log

[security]
; NOTE(review): INSTALL_LOCK = false leaves the web installer reachable until
; someone completes it -- whoever reaches the published port first gets to
; create the admin account.  Set it to true (and create the admin with
; `gitea admin user create`) once the instance has been set up.
INSTALL_LOCK = false
; Presumably left empty so the installer generates one; never commit a real
; value here -- it is the key that signs sessions and tokens.
SECRET_KEY =
; NOTE(review): trusting every proxy ("*") means any client that can reach
; the published port can set X-Forwarded-For and spoof its source address in
; logs and rate limiting.  Restrict this to the address nginx connects from
; (the docker bridge gateway when nginx runs on the host).
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *

[service]
; NOTE(review): open self-registration; set DISABLE_REGISTRATION = true
; unless public sign-up on this host is intended.
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false

[lfs]
PATH = /data/git/lfs
63 |
--------------------------------------------------------------------------------
/roles/gitea/templates/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3"

networks:
  gitea:
    external: false

services:
  server:
    # Pinned release; bump deliberately and read the release notes first.
    image: gitea/gitea:1.22.4
    container_name: gitea
    restart: always
    environment:
      USER_UID: "1000"
      USER_GID: "1000"
      # Custom dir inside the container; gitea_root on the host is bound
      # here, so conf/app.ini is read from {{gitea_root}}/conf/app.ini.
      GITEA_CUSTOM: /var/lib/gitea
    networks:
      - gitea
    volumes:
      - "{{gitea_root}}:/var/lib/gitea"
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
    ports:
      # NOTE(review): both ports are published on every host interface.  If
      # nginx on this host is the only intended client, bind them to
      # 127.0.0.1 so the installer/registration pages and the SSH service
      # are not reachable directly.
      - "3300:3000"
      # NOTE(review): templates/app.ini sets SSH_LISTEN_PORT = 22, which does
      # not match the container side of this mapping; verify before use.
      - "2222:2222"
25 |
--------------------------------------------------------------------------------
/roles/global-vars.yml:
--------------------------------------------------------------------------------
---
# Map of `uname -m` style machine names (presumably looked up by
# ansible_architecture) to the architecture names apt repository lines use.
deb_architecture:
  aarch64: "arm64"
  armv7l: "arm"
  x86_64: "amd64"
6 |
--------------------------------------------------------------------------------
/roles/letsencrypt/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Contact address handed to certbot (--email) for the ACME account.
letsencrypt_email: "jysperm@gmail.com"
# Domains to issue certificates for.  tasks/main.yml loops over it and the
# nginx template lists the same names as server_name.  Empty by default so
# the role does nothing unless a host opts in.
letsencrypt: []
4 |
--------------------------------------------------------------------------------
/roles/letsencrypt/tasks/main.yml:
--------------------------------------------------------------------------------
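---
- name: install apt packages
  apt:
    name: certbot

- name: upload nginx config
  template:
    src: nginx.conf
    dest: /etc/nginx/sites-enabled/letsencrypt.conf
  register: nginx_conf

- name: ensures directory exists
  file:
    path: /var/www/html
    state: directory

- name: restart nginx
  service:
    name: nginx
    state: restarted
  when: nginx_conf.changed

- name: issue certificates
  # argv keeps every domain a single argument, so an odd value in the
  # letsencrypt list cannot be split into extra certbot options.  When a
  # certificate already exists and is not due, certbot reports
  # "no action taken" in non-interactive mode, which is what changed_when
  # keys on.
  command:
    argv:
      - certbot
      - certonly
      - --webroot
      - -w
      - /var/www/html
      - -d
      - '{{ item }}'
      - --email
      - '{{ letsencrypt_email }}'
      - --noninteractive
      - --agree-tos
  loop: '{{ letsencrypt }}'
  register: certbot_result
  changed_when: certbot_result.stdout is not search('no action taken')

- name: setup renew cronjob
  # Reload nginx from certbot's deploy hook, which runs only when a
  # certificate was actually renewed.  The previous arrangement (a separate
  # daily "nginx reload" cron) could run before the renewal and leave the
  # old chain being served for another day.
  cron:
    name: letsencrypt
    special_time: daily
    job: "certbot renew --deploy-hook '/etc/init.d/nginx reload'"

- name: setup nginx cronjob
  # Superseded by the deploy hook above; remove it from hosts that still
  # carry it.
  cron:
    name: nginx
    state: absent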
40 |
--------------------------------------------------------------------------------
/roles/letsencrypt/templates/nginx.conf:
--------------------------------------------------------------------------------
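server {
    listen 80;
    server_name {{ letsencrypt | join(' ') | replace(',',' ') }};

    # ACME HTTP-01 challenges are written by certbot below /var/www/html
    # (the -w argument in tasks/main.yml).  The prefix match is anchored
    # and takes precedence over the catch-all redirect below; the previous
    # unanchored regex also matched "/.well-known" anywhere in the URI.
    # "allow all" was dropped: there are no deny rules for it to override.
    location ^~ /.well-known/ {
        root /var/www/html;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS on the same name.  $host comes from the
    # request's Host header, but only the names listed above are routed to
    # this block (provided another server block is the port-80 default, as
    # roles/nginx's default.conf is), so the redirect cannot be pointed at
    # an arbitrary domain.
    location / {
        return 302 https://$host$request_uri;
    }
}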
14 |
--------------------------------------------------------------------------------
/roles/lobechat/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Gate for the web UI (ACCESS_CODE in the compose file).  Presumably an
# empty value means no code is required, i.e. anyone who can reach the
# published port can spend the provider keys below -- set it per host.
lobechat_access_code: ""
# Provider credentials injected into the container environment.  Expected to
# be overridden from an encrypted vars file, never committed in clear here.
lobechat_openai_api_key: ""
lobechat_google_api_key: ""
lobechat_anthropic_api_key: ""
6 |
--------------------------------------------------------------------------------
/roles/lobechat/tasks/main.yml:
--------------------------------------------------------------------------------
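---
- name: create compose dir
  file:
    path: /root/lobechat
    state: directory

- name: upload compose file
  # The rendered compose file embeds the provider API keys and the access
  # code in clear text (templates/docker-compose.yml); do not let it inherit
  # the remote umask, keep it root-only.
  template:
    src: docker-compose.yml
    dest: /root/lobechat/docker-compose.yml
    mode: '0600'

- name: docker compose up
  command:
    cmd: docker compose up -d
    chdir: /root/lobechat
  register: compose_upped
  # compose v2 reports progress on stderr; anything created or (re)started
  # counts as a change.
  changed_when: compose_upped.stderr is search('Creating|Starting|Recreated')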
18 |
--------------------------------------------------------------------------------
/roles/lobechat/templates/docker-compose.yml:
--------------------------------------------------------------------------------
services:
  lobechat:
    # Pinned release; bump on purpose.
    image: "lobehub/lobe-chat:v1.26.3"
    container_name: lobechat
    hostname: lobechat
    # Secrets arrive through the role variables (defaults/main.yml,
    # overridden per host); the rendered file therefore contains them in
    # clear and must stay root-only.
    environment:
      OPENAI_API_KEY: "{{ lobechat_openai_api_key }}"
      GOOGLE_API_KEY: "{{ lobechat_google_api_key }}"
      ANTHROPIC_API_KEY: "{{ lobechat_anthropic_api_key }}"
      ACCESS_CODE: "{{ lobechat_access_code }}"
    # NOTE(review): no restart policy, so the container stays down after a
    # host reboot (sibling roles use restart: always).
    ports:
      # NOTE(review): published on all interfaces.  ACCESS_CODE is the only
      # gate and it is empty by default; if nginx fronts this service on the
      # same host, bind to 127.0.0.1:3210 instead.
      - "3210:3210"
13 |
--------------------------------------------------------------------------------
/roles/miniflux/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Public origin Miniflux advertises (BASE_URL); override with the real https
# origin when it is fronted by nginx.
miniflux_base_url: "http://localhost/"
# NOTE(review): placeholder only.  The same value is handed to both the app
# and the postgres container.  The database is not published outside the
# compose network, but every host should still override this from an
# encrypted vars file rather than run on a known default.
miniflux_postgres_password: "secret"
# Host path for the postgres data directory.
miniflux_db: "/storage/db/miniflux"
5 |
--------------------------------------------------------------------------------
/roles/miniflux/tasks/main.yml:
--------------------------------------------------------------------------------
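---
- name: create miniflux compose dir
  file:
    path: /root/miniflux
    state: directory

- name: upload compose file
  # The rendered file contains the postgres password in clear text; do not
  # let it inherit the remote umask.
  template:
    src: docker-compose.yml
    dest: /root/miniflux/docker-compose.yml
    mode: '0600'

- name: Start miniflux
  # Still the compose v1 binary while sibling roles call the v2 plugin
  # (`docker compose`); keep whichever the host actually has.  Without
  # changed_when this task reported "changed" on every run.  v1 prints
  # "Creating"/"Starting"/"Recreating" on stderr; the shorter "Recreat"
  # also matches v2's "Recreated".
  command:
    cmd: docker-compose up -d
    chdir: /root/miniflux
  register: compose_upped
  changed_when: compose_upped.stderr is search('Creating|Starting|Recreat')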
16 |
--------------------------------------------------------------------------------
/roles/miniflux/templates/docker-compose.yml:
--------------------------------------------------------------------------------
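version: '3'

services:
  app:
    # NOTE(review): floating tag -- every `up` may pull a new major release.
    image: miniflux/miniflux
    # Previously no restart policy at all: the stack stayed down after a host
    # reboot.  Matches the sibling roles.
    restart: always
    ports:
      # NOTE(review): published on all interfaces; bind to 127.0.0.1 if nginx
      # on this host is the only intended client.
      - "8081:8080"
    depends_on:
      - db
    environment:
      # sslmode=disable is acceptable only because "db" is reached over the
      # private compose network, never the host network.
      - DATABASE_URL=postgres://miniflux:{{ miniflux_postgres_password }}@db/miniflux?sslmode=disable
      - BASE_URL={{ miniflux_base_url }}
      - RUN_MIGRATIONS=1

  db:
    # NOTE(review): floating tag.  A postgres major bump generally refuses
    # to start on a data directory written by an older major; pin to the
    # major currently in {{ miniflux_db }} before the next pull.
    image: postgres
    restart: always
    environment:
      - POSTGRES_USER=miniflux
      - POSTGRES_PASSWORD={{ miniflux_postgres_password }}
    volumes:
      - '{{ miniflux_db }}:/var/lib/postgresql/data'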
22 |
--------------------------------------------------------------------------------
/roles/mongodb/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Bounce the MongoDB daemon after package or config changes.
- name: restart mongod
  service:
    name: mongod
    state: restarted
4 |
--------------------------------------------------------------------------------
/roles/mongodb/tasks/main.yml:
--------------------------------------------------------------------------------
---
# NOTE(review): this installs the mongodb-org 3.4 series, which per
# upstream's published lifecycle reached end of life years ago and receives
# no security fixes -- confirm and plan a migration before exposing it.
- name: add apt repository key
  # The full 40-character fingerprint pins the key, so the cleartext HKP
  # transport cannot substitute a different one.  apt-key itself is
  # deprecated by Debian; a keyring file plus signed-by is the replacement.
  apt_key:
    id: 0C49F3730359A14518585931BC711F9BA15703C6
    keyserver: hkp://keyserver.ubuntu.com:80

- name: add apt repository
  # Plain http is tolerable here only because apt verifies the release
  # signature against the key above.
  apt_repository:
    repo: "deb http://repo.mongodb.org/apt/ubuntu {{ ansible_lsb.codename | lower }}/mongodb-org/3.4 multiverse"
    update_cache: true

- name: install apt packages
  apt:
    name: mongodb-org
15 |
--------------------------------------------------------------------------------
/roles/netdata/defaults/main.yml:
--------------------------------------------------------------------------------
---
# When true, tasks/main.yml rebinds the netdata web server to 0.0.0.0.  The
# name carries a typo ("nextdata") but is kept as-is: playbooks set it.
nextdata_exposed: false
3 |
--------------------------------------------------------------------------------
/roles/netdata/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart netdata and make sure it comes back on boot.
- name: restart netdata
  service:
    name: netdata
    state: restarted
    enabled: true
7 |
--------------------------------------------------------------------------------
/roles/netdata/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: add apt repository key
  apt_key:
    url: https://packagecloud.io/netdata/netdata/gpgkey

- name: add apt repository
  apt_repository:
    repo: "deb https://packagecloud.io/netdata/netdata/ubuntu/ {{ ansible_lsb.codename | lower }} main"
    update_cache: true

- name: install apt packages
  apt:
    name: netdata

- name: config netdata
  # NOTE(review): netdata's own web server has no authentication by default
  # (verify against the installed version), so `bind to = 0.0.0.0` exposes
  # the dashboard and its API to every network the host sits on.  Keep
  # nextdata_exposed false unless a firewall or reverse proxy is in front.
  # Only the first "bind to =" line is rewritten, and nothing reverts it
  # when the flag goes back to false.
  lineinfile:
    path: /etc/netdata/netdata.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    firstmatch: true
  loop:
    - { regexp: "bind to =", line: "bind to = 0.0.0.0" }
  when: nextdata_exposed
  notify: restart netdata
25 |
--------------------------------------------------------------------------------
/roles/nextcloud/README.md:
--------------------------------------------------------------------------------
1 | Modified from https://github.com/nextcloud/docker/blob/31c59aea24f8516f862ca136766168016e840593/.examples/docker-compose/insecure/mariadb/fpm/docker-compose.yml
2 |
3 | ## Upgrade
4 |
5 | Upgrading across more than one major version at a time, and downgrading, are unsupported; step through each major version in turn.
6 |
--------------------------------------------------------------------------------
/roles/nextcloud/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Host path bind-mounted at /var/www/html in the app, web and cron
# containers (read-only for web).
nextcloud_root: "/storage/nextcloud"
# Host path for the MariaDB data directory.
nextcloud_db: "/storage/db/nextcloud"
# NOTE(review): placeholder.  The compose template uses this single value for
# both the MariaDB root account and the nextcloud account; override it per
# host from an encrypted vars file and never run on the default.
nextcloud_mysql_password: "password"
# Extra host paths bind-mounted read-only into the app container, presumably
# for Nextcloud's external storage app.
nextcloud_external_storage: []
6 |
--------------------------------------------------------------------------------
/roles/nextcloud/files/app/Dockerfile:
--------------------------------------------------------------------------------
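# NOTE(review): Nextcloud 25 is past its upstream end of life and no longer
# receives security fixes (confirm against the current maintenance table).
# Upgrade one major version at a time.
FROM nextcloud:25-fpm-alpine

# Re-number www-data to uid/gid 33 so files in the bind-mounted data
# directory carry the same ownership as Debian's www-data on the host.
# xfs holds uid/gid 33 on Alpine and has to go first.  -xdev keeps the walk
# on the image's own filesystem instead of descending into /proc, /sys and
# /dev, which are mounted into the build container and cannot be chowned.
RUN apk --no-cache add shadow &&\
    userdel xfs &&\
    find / -xdev -user $(id -u www-data) -exec chown -h 33 {} \; &&\
    find / -xdev -group $(id -g www-data) -exec chgrp -h 33 {} \; &&\
    usermod -u 33 www-data &&\
    groupmod -g 33 www-data

# occ is invoked as plain `php` from the crontab below.
RUN ln -s /usr/local/bin/php /usr/bin/php

# Pick up files placed directly on disk (presumably the read-only external
# storage mounts from the compose file) every 15 minutes.
RUN echo '*/15 * * * * php -f /var/www/html/occ files:scan --all' >> /etc/crontabs/www-data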
13 |
--------------------------------------------------------------------------------
/roles/nextcloud/files/web/Dockerfile:
--------------------------------------------------------------------------------
# Front-end tier for Nextcloud: nginx with the fpm upstream ("app:9000")
# wired in nginx.conf.  NOTE(review): the tag floats; pin a version.
FROM nginx:alpine

# Replaces the image's default configuration wholesale.
COPY nginx.conf /etc/nginx/nginx.conf
4 |
--------------------------------------------------------------------------------
/roles/nextcloud/files/web/nginx.conf:
--------------------------------------------------------------------------------
# Front-end nginx for the Nextcloud stack, adapted from the upstream
# fpm/mariadb example (see ../../README.md).  It listens on plain HTTP only:
# TLS is terminated by the host's nginx, which is why the compose file sets
# OVERWRITEPROTOCOL=https for the app container and the HTTPS/HSTS lines
# below stay commented out.
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    keepalive_timeout 65;

    #gzip on;

    # php-fpm in the "app" service of docker-compose.yml, reached over the
    # compose network.
    upstream php-handler {
        server app:9000;
    }

    server {
        listen 80;

        # NOTE(review): there is no set_real_ip_from/real_ip_header here, so
        # $remote_addr is the host proxy's address for every request.  Only
        # $http_x_forwarded_for in the access log carries the client; whatever
        # Nextcloud does with the client IP (logging, brute-force throttling)
        # needs trusted_proxies configured on the Nextcloud side.

        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;

        # HTTP response headers borrowed from Nextcloud `.htaccess`
        # (X-XSS-Protection is ignored by current browsers; kept to match
        # upstream, harmless.)
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients.
        # The second line also covers every dot-directory (e.g. /.git), the
        # occ binary and the console entry point.
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            # Only scripts that really exist on disk reach php-fpm; this is the
            # guard against "/anything.php/..." path-info tricks.
            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
            fastcgi_param front_controller_active true; # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}
174 |
--------------------------------------------------------------------------------
/roles/nextcloud/tasks/main.yml:
--------------------------------------------------------------------------------
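---
- name: create nextcloud compose dir
  file:
    path: /root/nextcloud
    state: directory

- name: upload compose file
  # The rendered compose file embeds the MariaDB passwords; keep it root-only
  # instead of inheriting the remote umask.
  template:
    src: docker-compose.yml
    dest: /root/nextcloud/docker-compose.yml
    mode: '0600'
  register: compose_file_result

- name: upload web image files
  copy:
    src: '{{ role_path }}/files/{{ item }}'
    dest: /root/nextcloud
  loop:
    - web
    - app
  register: image_file_result

- name: start nextcloud
  # Only (re)build when an input changed.  This does not bring the stack up
  # if it is down for some other reason; run the command by hand then.
  # Sibling roles use the compose v2 plugin (`docker compose`) while this one
  # still calls the v1 binary -- keep them in step on the host.
  command:
    cmd: docker-compose up --build -d
    chdir: /root/nextcloud
  when: compose_file_result.changed or image_file_result.changed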
27 |
--------------------------------------------------------------------------------
/roles/nextcloud/templates/docker-compose.yml:
--------------------------------------------------------------------------------
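version: '3'

services:
  db:
    # NOTE(review): floating tag.  A MariaDB major bump against the existing
    # data directory is not something to discover on a reboot; pin it.
    image: mariadb
    # No service had a restart policy before, so the whole stack stayed down
    # after a host reboot (gitea's compose file already uses restart: always).
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - '{{ nextcloud_db }}:/var/lib/mysql'
    environment:
      # NOTE(review): root and the application account share one password
      # (nextcloud_mysql_password); give root its own variable.
      MYSQL_ROOT_PASSWORD: '{{ nextcloud_mysql_password }}'
      MYSQL_PASSWORD: '{{ nextcloud_mysql_password }}'
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud

  redis:
    image: redis:alpine
    restart: always

  app:
    build: ./app
    restart: always
    volumes:
      - '{{ nextcloud_root }}:/var/www/html'
{% for path in nextcloud_external_storage %}
      - '{{ path }}:{{ path }}:ro'
{% endfor %}
    environment:
      # TLS is terminated by the host nginx; tell Nextcloud to build https
      # URLs even though it only ever sees plain http from the web container.
      OVERWRITEPROTOCOL: 'https'
      # The application only needs its own account.  MYSQL_ROOT_PASSWORD was
      # previously passed in as well, handing the root credential to the PHP
      # container for no reason.
      MYSQL_PASSWORD: '{{ nextcloud_mysql_password }}'
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_HOST: db
      REDIS_HOST: redis
    depends_on:
      - db
      - redis

  web:
    build: ./web
    restart: always
    ports:
      # NOTE(review): published on all interfaces; bind to 127.0.0.1 if the
      # host nginx is the only intended client.
      - "8080:80"
    volumes:
      - '{{ nextcloud_root }}:/var/www/html:ro'
    depends_on:
      - app

  cron:
    build: ./app
    restart: always
    volumes:
      - '{{ nextcloud_root }}:/var/www/html'
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis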
54 |
--------------------------------------------------------------------------------
/roles/nginx/defaults/main.yml:
--------------------------------------------------------------------------------
---
# user -> password pairs written to /etc/nginx/.htpasswd by
# tasks/basic-auth.yml.  Passwords belong in an encrypted vars file.
nginx_basic_auth: {}
2 |
--------------------------------------------------------------------------------
/roles/nginx/files/holding/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | No content
8 |
50 |
51 |
52 |
53 |
54 |
No content
55 |
56 |

57 |
58 |
59 | 这个域名由 王子亭 注册和管理,但目前尚无任何内容。如果你有好的建议或有意购买该域名,可以通过 jysperm@gmail.com 联系该域名的持有者。
60 |
61 |
62 |
63 | This domain is registered and managed by Wang Ziting, but there is nothing here yet. If you have a suggestion or would like to buy the domain, contact the owner by email.
64 |
65 |
66 |
74 |
75 |
76 |
85 |
86 |
87 |
88 |
--------------------------------------------------------------------------------
/roles/nginx/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Full restart (not reload) of nginx; notified by config and htpasswd tasks.
- name: restart nginx
  service:
    name: nginx
    state: restarted
6 |
--------------------------------------------------------------------------------
/roles/nginx/tasks/basic-auth.yml:
--------------------------------------------------------------------------------
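---
- name: touch htpasswd file
  command:
    cmd: touch /etc/nginx/.htpasswd
    creates: /etc/nginx/.htpasswd

- name: ensure htpasswd permissions
  file:
    path: /etc/nginx/.htpasswd
    state: file
    owner: www-data
    group: www-data
    mode: '0600'

- name: generate htpasswd
  # Usernames come from inventory, but they were previously interpolated into
  # a shell command line; argv passes each as a single argument and needs no
  # shell at all.  The password goes in over stdin (-i) so it never appears
  # in the process list, and no_log keeps the loop item (which carries the
  # password) out of the Ansible output.
  command:
    argv:
      - htpasswd
      - -i
      - /etc/nginx/.htpasswd
      - '{{ item.key }}'
    stdin: '{{ item.value }}'
  loop: '{{ nginx_basic_auth | dict2items }}'
  no_log: true
  register: htpasswd_result
  # htpasswd prints "Adding password for user X" for a new entry and
  # "Updating password for user X" otherwise.  It writes that line to stderr
  # (at least in apache2-utils 2.4), so check both streams; the old
  # stdout-only check never fired.
  changed_when: (htpasswd_result.stdout ~ htpasswd_result.stderr) is search('Adding')
  notify: restart nginx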
23 |
--------------------------------------------------------------------------------
/roles/nginx/tasks/main.yml:
--------------------------------------------------------------------------------
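---
- name: install apt packages
  apt:
    name:
      - nginx
      - apache2-utils

- name: create home dir
  # NOTE(review): this turns the web-server account into an interactive login
  # user with SSH keys (next task), presumably for site deployment.  Anyone
  # holding one of those keys runs as the same uid nginx workers use and can
  # read /etc/nginx/.htpasswd (owned by www-data, see basic-auth.yml) and
  # presumably every document root.  A dedicated deploy user with group
  # access would be narrower.
  command: usermod -md /home/www-data -s /bin/bash www-data
  args:
    creates: /home/www-data

- name: setup ssh public keys
  authorized_key:
    user: www-data
    key: "{{ lookup('file', item) }}"
  with_fileglob:
    - authorized-keys/*

- name: setup internal ca
  # lookup() returns a comma-joined string, not a list, so the previous
  # `!= []` test was always true; query() returns a real list.
  copy:
    src: internal-certs/ca.pem
    dest: /etc/nginx/internal-ca.pem
  when: query('fileglob', 'internal-certs/ca.pem') | length > 0
  notify: restart nginx

- name: upload nginx main config
  template:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
  notify: restart nginx

- name: delete nginx built-in default site
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: restart nginx

- name: upload nginx default site
  # Previously deployed without a handler, so an edited default.conf was not
  # picked up until something else restarted nginx.
  template:
    src: default.conf
    dest: /etc/nginx/sites-enabled/default.conf
  notify: restart nginx

- name: upload nginx resource file
  copy:
    src: '{{ role_path }}/files/holding'
    dest: /var/www

- name: upload nginx site config
  template:
    src: '{{ item }}'
    dest: '/etc/nginx/sites-enabled/{{ item | basename }}'
  notify: restart nginx
  with_fileglob:
    - 'nginx-sites/{{ ansible_hostname }}/*'

- include_tasks: basic-auth.yml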
47 |
--------------------------------------------------------------------------------
/roles/nginx/templates/default.conf:
--------------------------------------------------------------------------------
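# Catch-all for port-80 requests whose Host header matches no other vhost.
server {
    listen 80 default_server;
    listen [::]:80 ipv6only=on;

    root /var/www/html;

    # ACME challenges for any name land here.  Anchored prefix match instead
    # of the old unanchored regex, which also matched "/.well-known" deeper
    # in the path; "allow all" was dropped because there are no deny rules
    # for it to override.  Missing files are a plain 404 rather than
    # falling through to other handling.
    location ^~ /.well-known/ {
        try_files $uri =404;
    }
}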
11 |
--------------------------------------------------------------------------------
/roles/nginx/templates/nginx.conf:
--------------------------------------------------------------------------------
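user www-data;
worker_processes auto;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server_names_hash_bucket_size 64;

    # Do not advertise the exact nginx version in Server: and error pages
    # (the nextcloud role's nginx.conf already does this).
    server_tokens off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    types {
        application/font-woff2 woff2;
    }

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail modern compliance
    # scans; no site visible in this repo depends on them.  TLS 1.3 needs
    # nginx >= 1.13 built against OpenSSL 1.1.1+ -- on an older host drop
    # that token rather than re-enabling the old protocols.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";
    gzip_types text/xml text/css application/javascript application/json application/font-woff2 image/png;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}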
40 |
--------------------------------------------------------------------------------
/roles/postgres/defaults/main.yml:
--------------------------------------------------------------------------------
---
# apt package to install; override with a versioned name (e.g. a pgdg
# "postgresql-NN") to pin a major release.
postgres_package_name: "postgresql"
# When true, tasks/main.yml makes the server listen on all addresses and
# accept password logins from any IPv4/IPv6 source -- firewall it.
postgres_remote_access: false
# List of {user, password, db} entries; one role and one owned database each.
postgres_apps: []
# database name -> dump file path for the daily pg_dump cron (tasks/dump.yml).
postgres_dump_databases: {}
6 |
--------------------------------------------------------------------------------
/roles/postgres/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart the cluster service after config edits and make sure it is enabled.
- name: restart postgresql
  service:
    name: postgresql
    state: restarted
    enabled: true
7 |
--------------------------------------------------------------------------------
/roles/postgres/tasks/dump.yml:
--------------------------------------------------------------------------------
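---
- name: setup dump cronjob
  # `name` is the cron module's idempotence key, so the previous shared
  # name "pg_dump" made every loop iteration overwrite the previous entry
  # and only the last database was ever dumped.  umask 077 keeps the dump,
  # which contains all table data, root-only instead of the cron default
  # (typically 0644).  The job assumes a unix account named after the
  # database exists for peer authentication -- presumably true here.
  cron:
    name: 'pg_dump {{ item.key }}'
    special_time: daily
    job: "umask 077; su {{ item.key }} -c 'pg_dump {{ item.key }}' > {{ item.value }}"
  loop: '{{ postgres_dump_databases | dict2items }}'

- name: remove legacy shared dump cronjob
  # Left behind by the old single-name task on hosts provisioned before.
  cron:
    name: pg_dump
    state: absent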
8 |
--------------------------------------------------------------------------------
/roles/postgres/tasks/main.yml:
--------------------------------------------------------------------------------
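---
- name: install the common package
  apt:
    name: postgresql-common

- name: add apt repository key
  apt_key:
    url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'

- name: add apt repository
  apt_repository:
    repo: 'deb https://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main'

- name: install apt packages
  apt:
    name: '{{ item }}'
    update_cache: true
  loop:
    - '{{ postgres_package_name }}'
    - python3-psycopg2

- name: create users
  # Each loop item carries a password; without no_log it is printed in the
  # task output and kept in any log the controller writes.
  become: true
  become_user: postgres
  no_log: true
  postgresql_user:
    name: '{{ item.user }}'
    password: '{{ item.password }}'
  loop: '{{ postgres_apps }}'

- name: create databases
  become: true
  become_user: postgres
  postgresql_db:
    name: '{{ item.db }}'
    owner: '{{ item.user }}'
  loop: '{{ postgres_apps }}'

- name: grant privileges
  become: true
  become_user: postgres
  postgresql_privs:
    database: '{{ item.db }}'
    role: '{{ item.user }}'
    type: database
    privs: ALL
  loop: '{{ postgres_apps }}'

# NOTE(review): everything below opens the server to password logins from
# any IPv4/IPv6 address; keep a host firewall in front regardless.  The
# scram-sha-256 method in pg_hba.conf only works for roles whose passwords
# were stored as SCRAM hashes, i.e. password_encryption must already be
# scram-sha-256 when the users above are created (the default from
# PostgreSQL 14 on -- confirm on older releases, where md5-hashed roles are
# rejected by that line).

- name: find postgresql.conf
  find:
    path: /etc/postgresql/
    recurse: true
    patterns: postgresql.conf
  register: postgresql_conf
  when: postgres_remote_access

- name: debug postgresql_conf
  debug:
    var: postgresql_conf

- name: listen on all addresses
  # The loop expression is rendered before `when` is evaluated.  When the
  # find above was skipped its registered result has no `files` key, so
  # default to an empty list instead of failing on an undefined attribute.
  lineinfile:
    path: '{{ item.path }}'
    regexp: 'listen_addresses ='
    line: "listen_addresses = '*'"
    firstmatch: true
  loop: "{{ postgresql_conf.files | default([]) }}"
  when: postgres_remote_access
  notify: restart postgresql

- name: find pg_hba.conf
  find:
    path: /etc/postgresql/
    recurse: true
    patterns: pg_hba.conf
  register: pg_hba_conf
  when: postgres_remote_access

- name: allow all users to connect from all ipv4 addresses
  lineinfile:
    path: '{{ item.path }}'
    regexp: 'host all all 0.0.0.0/0 scram-sha-256'
    line: "host all all 0.0.0.0/0 scram-sha-256"
    firstmatch: true
  loop: "{{ pg_hba_conf.files | default([]) }}"
  when: postgres_remote_access
  notify: restart postgresql

- name: allow all users to connect from all ipv6 addresses
  lineinfile:
    path: '{{ item.path }}'
    regexp: 'host all all ::/0 scram-sha-256'
    line: "host all all ::/0 scram-sha-256"
    firstmatch: true
  loop: "{{ pg_hba_conf.files | default([]) }}"
  when: postgres_remote_access
  notify: restart postgresql

- include_tasks: dump.yml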
99 |
--------------------------------------------------------------------------------
/roles/pppoe/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Only installs the configuration tool; nothing here sets up a PPPoE
# session, that is left to the host.
- name: install apt packages
  apt:
    name: pppoeconf
4 |
--------------------------------------------------------------------------------
/roles/prometheus/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Host paths for the three data directories mounted by the compose file
# (/prometheus, /var/lib/grafana and /loki respectively).
prometheus_root: "/var/lib/prometheus"
grafana_root: "/var/lib/grafana"
loki_root: "/var/lib/loki"
5 |
--------------------------------------------------------------------------------
/roles/prometheus/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: create compose dir
  file:
    path: /root/prometheus
    state: directory

- name: upload compose file
  template:
    src: docker-compose.yml
    dest: /root/prometheus/docker-compose.yml

# Both configs take a per-host file from files/<hostname>/ when present and
# fall back to the role template otherwise.
- name: upload prometheus config
  template:
    src: "{{ item }}"
    dest: /root/prometheus/prometheus.yml
  with_first_found:
    - "files/{{ ansible_hostname }}/prometheus.yml"
    - "templates/prometheus.yml"

- name: upload loki config
  template:
    src: "{{ item }}"
    dest: /root/prometheus/loki.yaml
  with_first_found:
    - "files/{{ ansible_hostname }}/loki.yaml"
    - "templates/loki.yaml"

- name: docker compose up
  command:
    cmd: docker compose up -d
    chdir: /root/prometheus
  register: compose_up_result
  # compose v2 reports progress on stderr; created or (re)started containers
  # count as a change.
  changed_when: compose_up_result.stderr is search('Creating|Starting|Recreated')
34 |
--------------------------------------------------------------------------------
/roles/prometheus/templates/docker-compose.yml:
--------------------------------------------------------------------------------
# Monitoring stack: prometheus (metrics), grafana (dashboards), loki (logs).
# All three publish their ports on every host interface. Prometheus and Loki
# carry no authentication of their own, so who can reach 9090 and 3100 is
# decided solely by whatever firewall sits in front of this host.
services:
  prometheus:
    # NOTE(review): unpinned tag — each `compose up` may pull a different
    # release; pin a version (as the loki service below does) for
    # reproducible deploys.
    image: prom/prometheus
    volumes:
      - './prometheus.yml:/etc/prometheus/prometheus.yml'
      - '{{ prometheus_root }}:/prometheus'
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
      - '--web.console.templates=/usr/share/prometheus/consoles'
      # Effectively unlimited retention; disk usage is bounded only by the
      # filesystem holding prometheus_root.
      - '--storage.tsdb.retention.time=100y'
      # The admin API (delete series / snapshots) and the lifecycle endpoints
      # (reload / quit over HTTP) are unauthenticated. With 9090 published
      # below, anyone who can reach the port can call them; keep 9090
      # firewalled, or bind it to 127.0.0.1 if only grafana needs it.
      - '--web.enable-admin-api'
      - '--web.enable-lifecycle'
    ports:
      - '9090:9090'

  grafana:
    image: grafana/grafana-oss
    ports:
      - '3000:3000'
    volumes:
      - '{{ grafana_root }}:/var/lib/grafana'

  loki:
    image: grafana/loki:3.0.0
    command: -config.file=/etc/loki/local-config.yaml
    # loki.yaml runs with auth_enabled: false — same exposure note as 9090.
    ports:
      - "3100:3100"
    volumes:
      - './loki.yaml:/etc/loki/local-config.yaml'
      - '{{ loki_root }}:/loki'
--------------------------------------------------------------------------------
/roles/prometheus/templates/loki.yaml:
--------------------------------------------------------------------------------
# Single-node Loki, rendered to /root/prometheus/loki.yaml and mounted in the
# container as /etc/loki/local-config.yaml. All data lives under /loki, which
# the compose file maps to loki_root.
#
# No tenant authentication: Loki itself never checks a credential and expects
# an authenticating reverse proxy in front of it. The compose file publishes
# 3100 on every host interface, so anyone who can reach that port can push or
# read logs unless a firewall intervenes.
auth_enabled: false

server:
  http_listen_port: 3100

common:
  instance_addr: 127.0.0.1
  path_prefix: /loki
  storage:
    filesystem:
      chunks_directory: /loki/chunks
      rules_directory: /loki/rules
  # Single node: one copy of each chunk, ring state kept in memory only.
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory

schema_config:
  configs:
    - from: 2020-10-24
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h

# query_scheduler:
#   max_outstanding_requests_per_tenant: 32000

ruler:
  # Nothing in the compose stack listens on 9093, so alerts from ruler rules
  # have no receiver until an Alertmanager is added.
  alertmanager_url: http://localhost:9093

# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
#
# Statistics help us better understand how Loki is used, and they show us performance
# levels for most users. This helps us prioritize features and documentation.
# For more information on what's sent, look at
# https://github.com/grafana/loki/blob/main/pkg/usagestats/stats.go
# Refer to the buildReport method to see what goes into a report.
#
# If you would like to disable reporting, uncomment the following lines:
#analytics:
#  reporting_enabled: false
--------------------------------------------------------------------------------
/roles/prometheus/templates/prometheus.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jysperm/playbooks/bff581747ffb27f5339e81274b43c9526e103008/roles/prometheus/templates/prometheus.yml
--------------------------------------------------------------------------------
/roles/restic/README.md:
--------------------------------------------------------------------------------
1 | Forget old snapshots according to the retention policy (shown as a dry run; drop `--dry-run` to apply):
2 |
3 | ```
4 | restic forget --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 75 --dry-run
5 | ```
6 |
--------------------------------------------------------------------------------
/roles/restic/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Directories handed to `restic backup` by templates/restic-backup.service.
# Empty by default, so every host must list what it backs up.
# The service template also reads restic_repository, restic_b2_account_id and
# restic_b2_account_key, which have no defaults here and must come from the
# inventory — the latter two are credentials, keep them vaulted.
restic_backup_paths: []
--------------------------------------------------------------------------------
/roles/restic/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Re-read unit files after restic-backup.{service,timer} are (re)installed.
- name: reload systemd
  command:
    cmd: systemctl daemon-reload
--------------------------------------------------------------------------------
/roles/restic/tasks/main.yml:
--------------------------------------------------------------------------------
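---
# Installs a pinned restic binary from the GitHub release and schedules
# weekly backups through a systemd timer.
- name: install apt dependencies
  apt:
    name: bzip2

- name: ensures directory exists
  file:
    path: '/root/downloads'
    state: 'directory'

# NOTE(review): the release file is fetched without a `checksum:`; add
# `checksum: 'sha256:<digest published for this release>'` so a tampered or
# truncated download cannot end up in /usr/local/bin. v0.9.6 is also an old
# release — bump the version and the checksum together.
- name: download restic
  get_url:
    url: 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_amd64.bz2'
    dest: '/root/downloads/restic-0.9.6.bz2'
  tags: [download]

- name: unarchive restic
  command: bzip2 -d restic-0.9.6.bz2
  args:
    chdir: /root/downloads
    creates: restic-0.9.6

- name: install restic
  copy:
    src: '/root/downloads/restic-0.9.6'
    dest: /usr/local/bin/restic
    remote_src: yes
    mode: '0755'

# restic-backup.service embeds the B2 account id/key as Environment= lines,
# so the rendered units must not be world-readable (the template module's
# default mode would leave them readable by every local user). systemd reads
# unit files as root, so 0600 is sufficient.
- name: install systemd files
  template:
    src: '{{ item }}'
    dest: '/etc/systemd/system/{{ item }}'
    mode: '0600'
  loop:
    - restic-backup.service
    - restic-backup.timer
  notify: reload systemd

- name: enable timers
  service:
    name: '{{ item }}'
    state: 'started'
    enabled: 'yes'
  loop:
    - restic-backup.timer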
--------------------------------------------------------------------------------
/roles/restic/templates/restic-backup.service:
--------------------------------------------------------------------------------
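[Unit]
Description=Backup via restic

[Service]
# Timer-triggered job. Type=simple is kept; Type=oneshot would let systemd
# track the run's exit status instead of treating it as a daemon.
Type=simple
# Credentials are embedded in this unit: whoever installs it must keep the
# file root-only readable, or move these two lines into an EnvironmentFile=
# with mode 0600.
Environment="B2_ACCOUNT_ID={{ restic_b2_account_id }}"
Environment="B2_ACCOUNT_KEY={{ restic_b2_account_key }}"
# NOTE(review): the cache sits under world-writable /tmp while restic runs
# as root; /var/cache/restic (or systemd's CacheDirectory=restic) avoids
# sharing a predictable path with unprivileged local users.
Environment="RESTIC_CACHE_DIR=/tmp/restic"
# Every backup path is shell-quoted so an entry containing spaces or shell
# metacharacters reaches restic as a single argument through `bash -c`.
ExecStart=/bin/bash -c "restic -r {{ restic_repository }} -p /storage/.restic/key backup -v {{ restic_backup_paths | map('quote') | join(' ') }}"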
--------------------------------------------------------------------------------
/roles/restic/templates/restic-backup.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Backup via restic every week

[Timer]
# "weekly" fires Monday 00:00 local time. A run missed while the host was
# powered off is not caught up on boot (no Persistent=true).
OnCalendar=weekly

[Install]
WantedBy=timers.target
--------------------------------------------------------------------------------
/roles/router/defaults/main.yml:
--------------------------------------------------------------------------------
---
# LAN/WAN layout consumed by tasks/main.yml (iptables rules) and
# templates/netplan.yaml (bridge). netplan.yaml hard-codes enp1s0 and brlan,
# so renaming either interface here also means updating that template.
lan_gateway_cidr: '10.0.0.1/24'
lan_interface: 'brlan'
wan_interface: 'enp1s0'

# Ports accepted on the WAN side of INPUT; everything else arriving on
# wan_interface is REJECTed. SSH is reachable from the WAN side by default —
# keep key-only authentication on it, or narrow this list per host.
allowed_income_tcp_ports: [22]
allowed_income_udp_ports: []

# LAN-side nat/PREROUTING REDIRECTs to a local port (port → destination_port).
lan_port_forwarding:
  - port: 80
    protocol: tcp
    destination: 127.0.0.1
    destination_port: 19999

# WAN-side DNATs; each entry needs port, protocol and destination.
wan_port_forwarding: []
--------------------------------------------------------------------------------
/roles/router/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: reload systemd
  command:
    cmd: systemctl daemon-reload

- name: apply netplan
  command:
    cmd: netplan apply

# Persists the live rule set so netfilter-persistent restores it on boot.
- name: netfilter-persistent
  command:
    cmd: netfilter-persistent save
--------------------------------------------------------------------------------
/roles/router/tasks/main.yml:
--------------------------------------------------------------------------------
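# Turns this host into a NAT router: WAN on wan_interface, LAN bridge on
# lan_interface (see templates/netplan.yaml). Only the INPUT chain is
# filtered here.
#
# NOTE(review): nothing restricts the FORWARD chain, so with ip_forward=1 the
# box relies on that chain's default policy (and on the LAN using private,
# non-routable addresses) to keep WAN-originated traffic out of the LAN. An
# explicit FORWARD policy (ESTABLISHED,RELATED plus the DNAT'd ports only)
# would make that guarantee independent of the default — confirm the policy
# on the host before relying on it.
- name: install apt packages
  apt:
    name: '{{ item }}'
  loop:
    - nethogs
    - iftop
    - iptables-persistent

- name: enable forward
  sysctl:
    name: 'net.ipv4.ip_forward'
    value: '1'

- name: configure forward (nat)
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: '{{ wan_interface }}'
    jump: 'MASQUERADE'
  notify: netfilter-persistent
  tags: [iptables]

- name: enable netfilter-persistent
  service:
    name: 'netfilter-persistent'
    enabled: 'yes'

- name: upload netplan config
  template:
    src: 'netplan.yaml'
    dest: /etc/netplan/bridges.yaml
  notify: apply netplan
  tags: [config]

- name: setup allow established
  iptables:
    table: filter
    chain: INPUT
    protocol: all
    in_interface: '{{ wan_interface }}'
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
  notify: netfilter-persistent
  tags: [iptables]

- name: setup allowed icmp
  iptables:
    table: filter
    chain: INPUT
    in_interface: '{{ wan_interface }}'
    protocol: icmp
    jump: ACCEPT
  notify: netfilter-persistent
  tags: [iptables]

# The per-port ACCEPT rules are *inserted* at the head of INPUT instead of
# appended. With the module's default (append), a port added to
# allowed_income_*_ports after the first run would be placed *after* the
# "reject other packet from wan" rule and never become reachable — the
# iptables module only checks that a rule exists, not where it sits.
# Inserting keeps every ACCEPT ahead of the final REJECT regardless of when
# it was added.
- name: setup allowed income tcp ports
  iptables:
    table: filter
    chain: INPUT
    action: insert
    protocol: tcp
    in_interface: '{{ wan_interface }}'
    destination_port: '{{ item }}'
    jump: ACCEPT
  loop: '{{ allowed_income_tcp_ports }}'
  notify: netfilter-persistent
  tags: [iptables]

- name: setup allowed income udp ports
  iptables:
    table: filter
    chain: INPUT
    action: insert
    protocol: udp
    in_interface: '{{ wan_interface }}'
    destination_port: '{{ item }}'
    jump: ACCEPT
  loop: '{{ allowed_income_udp_ports }}'
  notify: netfilter-persistent
  tags: [iptables]

# Default-deny for everything else arriving on the WAN interface. Appended,
# so it stays last in INPUT.
- name: reject other packet from wan
  iptables:
    table: filter
    chain: INPUT
    protocol: all
    in_interface: '{{ wan_interface }}'
    jump: REJECT
  notify: netfilter-persistent
  tags: [iptables]

# NOTE(review): matching on `destination` (127.0.0.1 in the defaults)
# together with REDIRECT is unusual for traffic arriving from the LAN —
# confirm the match is what is intended.
- name: lan port forwarding
  iptables:
    table: nat
    chain: PREROUTING
    protocol: '{{ item.protocol }}'
    in_interface: '{{ lan_interface }}'
    destination: '{{ item.destination }}'
    destination_port: '{{ item.port }}'
    jump: REDIRECT
    to_ports: '{{ item.destination_port }}'
  loop: '{{ lan_port_forwarding }}'
  notify: netfilter-persistent
  tags: [iptables]

- name: wan port forwarding
  iptables:
    table: nat
    chain: PREROUTING
    protocol: '{{ item.protocol }}'
    in_interface: '{{ wan_interface }}'
    destination_port: '{{ item.port }}'
    jump: DNAT
    to_destination: '{{ item.destination }}'
  loop: '{{ wan_port_forwarding }}'
  notify: netfilter-persistent
  tags: [iptables]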
--------------------------------------------------------------------------------
/roles/router/templates/netplan.yaml:
--------------------------------------------------------------------------------
# Rendered to /etc/netplan/bridges.yaml. The WAN port (enp1s0) takes DHCP; the
# three remaining ports are bridged into brlan, which carries the LAN gateway
# address. NOTE(review): the interface names are literal here and must stay in
# step with wan_interface / lan_interface in defaults/main.yml.
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: true
    # `optional` so boot does not block waiting for link on unused LAN ports.
    enp2s0:
      optional: true
    enp3s0:
      optional: true
    enp4s0:
      optional: true
  bridges:
    brlan:
      addresses:
        - {{ lan_gateway_cidr }}
      interfaces:
        - enp2s0
        - enp3s0
        - enp4s0
--------------------------------------------------------------------------------
/roles/rsync/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Bounce the daemon after rsyncd.conf or rsyncd.secrets change.
- name: restart rsync
  service: name=rsync state=restarted
--------------------------------------------------------------------------------
/roles/rsync/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Provisions one system user plus one rsyncd module per rsync_users entry and
# enables the rsync daemon (unencrypted transport) with password auth from
# /etc/rsyncd.secrets.
- name: create rsync users
  user:
    name: "{{ item.username }}"
    # NOTE(review): daemon-mode rsync does not need an interactive shell for
    # these accounts; /usr/sbin/nologin would limit what a leaked
    # rsyncd.secrets password is good for — confirm nothing uses them over
    # SSH before changing it.
    shell: /bin/bash
    home: "/home/{{ item.username }}"
  loop: "{{ rsync_users }}"

- name: enable rsync daemon
  lineinfile:
    path: /etc/default/rsync
    regexp: '^RSYNC_ENABLE='
    line: 'RSYNC_ENABLE=true'

- name: upload rsyncd configuration
  template: src=rsyncd.conf dest=/etc/rsyncd.conf
  notify: restart rsync

# Plain-text credentials; must stay root-only.
- name: upload rsyncd secrets
  template:
    src: rsyncd.secrets
    dest: /etc/rsyncd.secrets
    mode: '0600'
  notify: restart rsync

- name: enable rsyncd service
  service: name=rsync enabled=yes
--------------------------------------------------------------------------------
/roles/rsync/templates/rsyncd.conf:
--------------------------------------------------------------------------------
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsync.log

# user:password pairs rendered from rsync_users (see rsyncd.secrets).
secrets file = /etc/rsyncd.secrets

# One writable module per user, rooted at that user's home, running as that
# user and accepting only that user's credentials. No `hosts allow` is set,
# so any client that can reach the daemon may attempt authentication.
{% for rsync_user in rsync_users -%}
[{{ rsync_user.username }}]
path = /home/{{ rsync_user.username }}
uid = {{ rsync_user.username }}
gid = {{ rsync_user.username }}
read only = no
list = yes
auth users = {{ rsync_user.username }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/rsync/templates/rsyncd.secrets:
--------------------------------------------------------------------------------
{#- Rendered to /etc/rsyncd.secrets (installed with mode 0600): one
    "user:password" line per rsync_users entry. rsync's daemon auth needs the
    plain-text password here, so keep rsync_users itself vaulted. -#}
{% for rsync_user in rsync_users -%}
{{ rsync_user.username }}:{{ rsync_user.password }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/samba/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Samba / Time Machine file-server settings. The share definitions are
# appended verbatim to templates/smb.conf through `smb_conf`.
samba_hostname: Infinity
samba_root: /storage
samba_home_root: /storage/private/homes
samba_backup_root: /storage/backups
samba_timemachine_root: /storage/backups/timemachines
# One entry per Unix account. `time_machine_quota` is optional; when present
# the user's Time Machine directory and quota plist are also created
# (tasks/main.yml).
samba_users:
  - name: jysperm
    time_machine_quota: 512GB
# Share block appended to smb.conf. Access notes:
#  - [NextCloud] forces writes to www-data, so @staff members act as the web
#    server's UID on the Nextcloud data tree.
#  - [Resources] needs no password (`guest ok = yes`); only @staff may write.
#  - [TimeMachine] uses `writable`, the others `writeable`; both spellings
#    are accepted by Samba.
smb_conf: |
  [Home]
  path = /storage/private/homes/%U
  writeable = yes
  valid users = jysperm

  [NextCloud]
  path = /storage/nextcloud/data/%U/files
  writeable = yes
  valid users = @staff
  force user = www-data

  [TimeMachine]
  path = /storage/backups/timemachines/%U
  writable = yes
  valid users = @staff

  durable handles = yes
  kernel oplocks = no
  kernel share modes = no
  posix locking = no
  vfs objects = catia fruit streams_xattr
  ea support = yes
  inherit acls = yes
  fruit:time machine = yes

  [Backup]
  path = /storage/backups/%U
  writeable = yes
  valid users = jysperm

  [VideoWorks]
  path = /storage/shares/VideoWorks
  writeable = yes
  valid users = @staff
  force group = staff
  create mask = 0775

  [Resources]
  path = /storage/public/Resources
  guest ok = yes
  write list = @staff
  force group = +staff
  create mask = 0775
--------------------------------------------------------------------------------
/roles/samba/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart samba
  service: name=smbd state=restarted enabled=yes

- name: restart avahi
  service: name=avahi-daemon state=restarted enabled=yes
--------------------------------------------------------------------------------
/roles/samba/tasks/main.yml:
--------------------------------------------------------------------------------
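# Installs Samba + avahi and provisions the per-user share directories.
# Time Machine directories and quota plists are created only for users that
# declare `time_machine_quota`.
- name: install apt packages
  apt:
    name: '{{ item }}'
  loop:
    - samba
    - avahi-daemon

- name: create group
  group:
    name: staff

# NOTE(review): `group` sets the primary group by name and requires that
# group to exist already; confirm a group named after each user is created
# beforehand on fresh hosts.
- name: create user
  user:
    name: '{{ item.name }}'
    group: '{{ item.name }}'
    groups:
      - staff
    home: '/home/{{ item.name }}'
  loop: '{{ samba_users }}'

- name: create Home dir
  file:
    path: '{{ samba_home_root }}/{{ item.name }}'
    state: directory
    owner: '{{ item.name }}'
    group: '{{ item.name }}'
  loop: '{{ samba_users }}'

- name: create Backup dir
  file:
    path: '{{ samba_backup_root }}/{{ item.name }}'
    state: directory
    owner: '{{ item.name }}'
    group: '{{ item.name }}'
  loop: '{{ samba_users }}'

- name: create TimeMachine dir
  file:
    path: '{{ samba_timemachine_root }}/{{ item.name }}'
    state: directory
    owner: '{{ item.name }}'
    group: '{{ item.name }}'
  loop: '{{ samba_users }}'
  when: 'item.time_machine_quota | default(false)'

# Same guard as the directory task above: without `default(false)` a user
# entry that omits time_machine_quota makes this task fail on an undefined
# attribute instead of being skipped.
- name: setup TimeMachine quota
  template:
    src: com.apple.TimeMachine.quota.plist
    dest: '{{ samba_timemachine_root }}/{{ item.name }}/.com.apple.TimeMachine.quota.plist'
  loop: '{{ samba_users }}'
  when: 'item.time_machine_quota | default(false)'

- name: install samba configure
  template:
    src: smb.conf
    dest: /etc/samba/smb.conf
  notify: restart samba

- name: install avahi configure
  template:
    src: avahi.service
    dest: /etc/avahi/services/timemachine.service
  notify: restart avahi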
--------------------------------------------------------------------------------
/roles/samba/templates/avahi.service:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | %h
5 |
6 | _smb._tcp
7 | 445
8 |
9 |
10 | _device-info._tcp
11 | 0
12 | model=RackMac
13 |
14 |
15 | _adisk._tcp
16 | sys=waMa=0,adVF=0x100
17 | dk0=adVN=TimeMachine,adVF=0x82
18 |
19 |
20 |
--------------------------------------------------------------------------------
/roles/samba/templates/com.apple.TimeMachine.quota.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | GlobalQuota
6 | {{ item.time_machine_quota | human_to_bytes }}
7 |
8 |
9 |
--------------------------------------------------------------------------------
/roles/samba/templates/smb.conf:
--------------------------------------------------------------------------------
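#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

# Refuse SMB1 clients.
   min protocol = SMB2
# macOS interoperability (vfs_fruit); applies server-wide. The TimeMachine
# share appended via smb_conf re-states the same module list.
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
   fruit:model = MacSamba
   fruit:posix_rename = yes
   fruit:veto_appledouble = no
   fruit:wipe_intentionally_left_blank_rfork = yes
# Was "ye", which is not a valid boolean, so the option was treated as its
# default (no) and empty AppleDouble ._ files were never cleaned up.
   fruit:delete_empty_adfiles = yes
   fruit:advertise_fullsync = true
   fruit:aapl = yes
   passdb backend = tdbsam
   security = user
   printcap name = /dev/null
   load printers = no
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
   dns proxy = no
# NOTE(review): `wide links = yes` is honoured because `unix extensions = no`;
# it lets a symlink inside any share resolve to a path *outside* that share's
# `path`. Ordinary SMB clients cannot create symlinks with unix extensions
# off, but anyone with local shell access to /storage can, which can turn a
# share into a view of the wider filesystem for its users. Keep `follow
# symlinks` and drop `wide links` unless cross-share links are required.
   wide links = yes
   follow symlinks = yes
   unix extensions = no
   acl allow execute always = yes
# Users only see the shares they are allowed to connect to.
   access based share enum = yes

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = Infinity

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections. With "bad user", an unknown username is mapped
# to the guest account, which is what lets the [Resources] share
# (`guest ok = yes`) be reached without credentials.
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap config * :              backend = tdb
;   idmap config * :              range   = 3000-7999
;   idmap config YOURDOMAINHERE : backend = tdb
;   idmap config YOURDOMAINHERE : range   = 100000-999999
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

# Share definitions come from the `smb_conf` role variable.
{{ smb_conf }}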
--------------------------------------------------------------------------------
/roles/shadowsocks/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Placeholder only — override per host (vaulted). This default is public, so
# a server deployed with it is usable by anyone who finds the port.
shadowsocks_password: 'password'
# TCP port ssserver listens on; templates/config.json binds it on 0.0.0.0.
shadowsocks_port: 443
--------------------------------------------------------------------------------
/roles/shadowsocks/handlers/main.yml:
--------------------------------------------------------------------------------
---
# The server is daemonised by ssserver itself (no service unit), so a config
# change is applied through its own restart command.
- name: restart shadowsocks
  command:
    cmd: ssserver -c /root/config.json -d restart
--------------------------------------------------------------------------------
/roles/shadowsocks/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Legacy (python2) deployment of the shadowsocks server: pip-installed
# `shadowsocks`, started at boot from a root cron entry rather than a
# service unit.
- name: install apt packages
  apt:
    name: "{{ item }}"
  loop:
    - python-pip
    - python-m2crypto

- name: install python version of shadowsocks
  pip:
    name: shadowsocks

- name: create config file
  template:
    src: config.json
    dest: /root/config.json
  notify: restart shadowsocks

- name: create cronjob to start shadowsocks
  cron:
    name: shadowsocks
    special_time: reboot
    job: "ssserver -c /root/config.json -d start"

# Network tuning. `ignoreerrors` keeps the play going on kernels that lack a
# key (tcp_tw_recycle was removed in 4.12) or that have no hybla module
# loaded.
- name: tweak sysctl
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    ignoreerrors: yes
  loop:
    - { name: fs.file-max, value: "51200" }
    - { name: net.core.rmem_max, value: "67108864" }
    - { name: net.core.wmem_max, value: "67108864" }
    - { name: net.core.rmem_default, value: "65536" }
    - { name: net.core.wmem_default, value: "65536" }
    - { name: net.core.netdev_max_backlog, value: "4096" }
    - { name: net.core.somaxconn, value: "4096" }
    - { name: net.ipv4.tcp_syncookies, value: "1" }
    - { name: net.ipv4.tcp_tw_reuse, value: "1" }
    - { name: net.ipv4.tcp_tw_recycle, value: "0" }
    - { name: net.ipv4.tcp_fin_timeout, value: "30" }
    - { name: net.ipv4.tcp_keepalive_time, value: "1200" }
    - { name: net.ipv4.ip_local_port_range, value: "10000 65000" }
    - { name: net.ipv4.tcp_max_syn_backlog, value: "4096" }
    - { name: net.ipv4.tcp_max_tw_buckets, value: "5000" }
    - { name: net.ipv4.tcp_fastopen, value: "3" }
    - { name: net.ipv4.tcp_rmem, value: "4096 87380 67108864" }
    - { name: net.ipv4.tcp_wmem, value: "4096 65536 67108864" }
    - { name: net.ipv4.tcp_mtu_probing, value: "1" }
    - { name: net.ipv4.tcp_congestion_control, value: "hybla" }
--------------------------------------------------------------------------------
/roles/shadowsocks/templates/config.json:
--------------------------------------------------------------------------------
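{#- Rendered to /root/config.json. The cipher can be chosen per host through
    `shadowsocks_method`; it falls back to the historical rc4-md5 so existing
    clients keep working. rc4-md5 is a legacy stream cipher with no integrity
    protection — move to an AEAD method (aes-256-gcm or
    chacha20-ietf-poly1305) once both the installed server and the clients
    support it. -#}
{
  "server": "0.0.0.0",
  "server_port": {{ shadowsocks_port }},
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "{{ shadowsocks_password }}",
  "timeout": 300,
  "method": "{{ shadowsocks_method | default('rc4-md5') }}",
  "fast_open": true
}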
--------------------------------------------------------------------------------
/roles/syncthing/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart syncthing
  service:
    name: syncthing
    state: restarted
--------------------------------------------------------------------------------
/roles/syncthing/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs syncthing from the upstream apt repository and runs it under
# upstart as the dedicated `syncthing` user.
- name: add apt repository key
  apt_key:
    url: https://syncthing.net/release-key.txt

# Package lists come over plain http; apt still verifies signatures with the
# key above, so integrity holds, but https would also keep the package
# names private in transit.
- name: add apt repository
  apt_repository:
    repo: "deb http://apt.syncthing.net/ syncthing release"

- name: install apt packages
  apt:
    name: syncthing

- name: create syncthing user
  user:
    name: syncthing

- name: create upstart config
  template:
    src: syncthing.conf
    dest: /etc/init/syncthing.conf
  notify: restart syncthing

# Rebinds the GUI/REST API from loopback to every interface. Syncthing's GUI
# has no credentials unless a user/password is set in config.xml, so after
# this the admin interface (and its API key) is open to anyone who can reach
# port 8384 — set GUI credentials or front it with an authenticating proxy.
# NOTE(review): config.xml is written by syncthing on its first start; on a
# fresh host this task likely runs before the file exists, because the
# restart handler only fires at the end of the play.
- name: export webui on all interfaces
  replace:
    dest: /home/syncthing/.config/syncthing/config.xml
    regexp: '127\.0\.0\.1:8384'
    replace: '0.0.0.0:8384'
  notify: restart syncthing
--------------------------------------------------------------------------------
/roles/syncthing/templates/syncthing.conf:
--------------------------------------------------------------------------------
description "Syncthing P2P sync service"

# Start once local filesystems are mounted and a non-loopback interface is
# up; stop when leaving the normal multi-user runlevels.
start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [!2345]

# STNORESTART tells syncthing to exit instead of re-exec'ing itself after an
# upgrade or restart, leaving supervision to upstart's `respawn` below.
env STNORESTART=yes
env HOME=/home/syncthing
# Runs as the unprivileged syncthing account; its config and API key live
# under /home/syncthing, not root.
setuid "syncthing"

exec /usr/bin/syncthing

respawn
--------------------------------------------------------------------------------
/roles/traefik/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: reload systemd
3 | command: systemctl daemon-reload
4 |
5 | - name: restart traefik
6 | service:
7 | name: 'traefik'
8 | state: 'restarted'
9 | enabled: 'yes'
10 |
--------------------------------------------------------------------------------
/roles/traefik/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs a pinned Traefik v3.2.1 binary from GitHub, places its static and
# file-provider configuration under /etc/traefik, and runs it from a systemd
# unit (templates/traefik.service, which sets no User=, so Traefik runs as
# root).
- name: ensures directory exists
  file:
    path: '{{ item }}'
    state: 'directory'
  with_items:
    - '/root/downloads'
    - '/etc/traefik'
    - '/etc/traefik/fileprovider'
    - '/var/lib/traefik'

# Supply-chain note: the tarball is fetched over HTTPS but its contents are
# never verified.  get_url accepts a `checksum:` argument
# ('sha256:<digest from the release page>'), which would also let the
# download be skipped cleanly when the file is already present and intact.
- name: download traefik
  get_url:
    url: 'https://github.com/traefik/traefik/releases/download/v3.2.1/traefik_v3.2.1_linux_amd64.tar.gz'
    dest: '/root/downloads/traefik.tar.gz'
  tags: [download]

- name: unarchive traefik
  unarchive:
    src: '/root/downloads/traefik.tar.gz'
    dest: '/root/downloads'
    remote_src: 'yes'

# Copies the extracted binary into place; the handler restarts the service.
- name: install traefik
  copy:
    src: '/root/downloads/traefik'
    dest: /usr/bin/traefik
    remote_src: 'yes'
    mode: '0755'
  notify: restart traefik

# Static config: a host-specific files/<hostname>/traefik.yaml wins over the
# role's generic templates/traefik.yaml.
- name: upload traefix config
  template:
    src: '{{item}}'
    dest: '/etc/traefik/traefik.yaml'
  with_first_found:
    - 'files/{{ ansible_hostname }}/traefik.yaml'
    - 'templates/traefik.yaml'
  notify: restart traefik

# Dynamic config for Traefik's file provider.  NOTE(review): the role's own
# templates/traefik.yaml enables only the docker provider, so these files are
# only read when a host-specific static config adds a `providers.file`
# entry pointing at /etc/traefik/fileprovider — confirm per host.
- name: upload fileprovider config
  template:
    src: 'templates/fileprovider/{{item}}'
    dest: '/etc/traefik/fileprovider/{{item}}'
  with_items:
    - 'middleware.yaml'
    - 'serversTransport.yaml'
    - 'dashboard.yaml'
  notify: restart traefik

- name: create systemd service
  template:
    src: 'traefik.service'
    dest: '/etc/systemd/system/traefik.service'
    mode: '0644'
  notify:
    - reload systemd
    - restart traefik
59 |
--------------------------------------------------------------------------------
/roles/traefik/templates/fileprovider/dashboard.yaml:
--------------------------------------------------------------------------------
# Dynamic (file-provider) config that exposes the Traefik API and dashboard
# behind HTTP basic auth.  Only loaded if a file provider pointing at this
# directory is enabled in the static config.
http:
  routers:
    dashboard:
      # Placeholder host; replace before use.  PathPrefix(`/api`) matches the
      # whole Traefik API, not just the dashboard, so the auth middleware
      # below is all that stands between the network and it.
      # NOTE(review): the router names neither `entryPoints` nor `tls`, so it
      # attaches to every entrypoint including :80 — basic-auth credentials
      # would cross the wire in clear unless an HTTPS redirect or TLS is
      # configured elsewhere; confirm.
      rule: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      middlewares:
        - auth

  middlewares:
    auth:
      basicAuth:
        # Empty: fill with htpasswd-style "user:hash" entries (Traefik expects
        # a list here).  NOTE(review): with no users there is nothing to match
        # against; confirm Traefik rejects rather than skips such requests
        # before relying on this.
        users: {}
13 |
--------------------------------------------------------------------------------
/roles/traefik/templates/fileprovider/middleware.yaml:
--------------------------------------------------------------------------------
1 | http:
2 | middlewares:
3 | compress:
4 | compress: {}
5 |
--------------------------------------------------------------------------------
/roles/traefik/templates/traefik.service:
--------------------------------------------------------------------------------
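[Unit]
Description=traefik daemon

[Service]
Type=simple
# The config path must match the dest of the "upload traefix config" task in
# tasks/main.yml (/etc/traefik/traefik.yaml, also Traefik's default search
# location); the unit previously pointed at /etc/traefik.yaml, a file that
# nothing in the role creates.
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yaml
# No User= line: Traefik runs as root, which is what lets it bind :80/:443
# and reach the Docker daemon for the docker provider.  Running it as a
# dedicated user would need CAP_NET_BIND_SERVICE and docker-socket access —
# not attempted here.

[Install]
WantedBy=multi-user.target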
10 |
--------------------------------------------------------------------------------
/roles/traefik/templates/traefik.yaml:
--------------------------------------------------------------------------------
# Generic static configuration; a host may replace it with
# files/<hostname>/traefik.yaml (see tasks/main.yml).
entryPoints:
  web:
    address: :80

  # Nothing in this file configures TLS (no certificatesResolvers, no default
  # certificate); whatever serves HTTPS on this entrypoint has to come from
  # the dynamic config or a per-host override — confirm.
  websecure:
    address: :443

providers:
  # Builds routers from container labels.  Traefik's default is
  # exposedByDefault: true, so every container with an exposed port gets a
  # router unless it carries traefik.enable=false; `exposedByDefault: false`
  # makes exposure opt-in.  No file provider is enabled here, so the files
  # under /etc/traefik/fileprovider are not read with this config.
  docker: {}
10 |
--------------------------------------------------------------------------------
/roles/transmission/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Placeholder credentials for the Transmission web UI / RPC port.  Override
# them per host (the encrypted *-secrets.yml.asc files at the repo root look
# like the intended place — confirm) rather than deploying these values.
transmission_user: username
transmission_password: password
# Host directory bind-mounted as /downloads in the container.
transmission_downloads: /storage/public/Downloads
5 |
--------------------------------------------------------------------------------
/roles/transmission/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: create transmission compose dir
3 | file:
4 | path: /root/transmission
5 | state: directory
6 |
7 | - name: upload compose file
8 | template:
9 | src: 'docker-compose.yml'
10 | dest: '/root/transmission/docker-compose.yml'
11 | register: compose_file_result
12 |
13 | - name: Start transmission
14 | command:
15 | cmd: docker-compose up -d
16 | chdir: /root/transmission
17 | when: compose_file_result.changed
18 |
--------------------------------------------------------------------------------
/roles/transmission/templates/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'

services:
  # NOTE: the service key reads "miniflux" (copy-paste leftover) while the
  # container is "transmission".  Renaming the key would make compose treat
  # it as a new service that collides with the existing container_name, so
  # it is left alone; rename only together with removing the old container.
  miniflux:
    # No tag, so `latest` is pulled; pin a tag or digest for reproducible
    # deploys.
    image: linuxserver/transmission
    container_name: transmission
    # Docker publishes these on every host interface unless a host IP is
    # given (e.g. '127.0.0.1:9091:9091'), and typically bypasses host
    # firewall rules written against INPUT.  9091 is the web UI / RPC port,
    # protected only by USER/PASS below; 51413 is the BitTorrent peer port.
    ports:
      - 9091:9091
      - 51413:51413
      - 51413:51413/udp
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Shanghai
      - USER={{ transmission_user }}
      - PASS={{ transmission_password }}
    volumes:
      - '{{ transmission_downloads }}:/downloads'
19 |
--------------------------------------------------------------------------------
/roles/trojan/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | trojan_password: 'password'
3 | trojan_port: 443
4 | trojan_domain: 'trojan.example.com'
5 |
--------------------------------------------------------------------------------
/roles/trojan/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: reload systemd
3 | command: systemctl daemon-reload
4 |
5 | - name: restart trojan
6 | service:
7 | name: 'trojan'
8 | state: 'restarted'
9 | enabled: 'yes'
10 |
--------------------------------------------------------------------------------
/roles/trojan/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs the distro trojan package, renders its server config, forces the
# service to run as root and applies network sysctl tuning.
- name: install apt packages
  apt:
    name: trojan

# templates/config.json carries the shared password and the Let's Encrypt
# cert/key paths; the handler restarts trojan when it changes.
- name: create config file
  template:
    src: config.json
    dest: /etc/trojan/config.json
  notify: restart trojan

# Least-privilege note: rewrites the packaged unit's User= line so trojan
# runs as root — presumably to bind the configured port (443 by default) and
# read /etc/letsencrypt/live/<domain>/privkey.pem; confirm.  Giving the
# package's service user read access to the key (or handing it over via
# systemd LoadCredential=) would avoid a root listener.  The regexp is
# unanchored; '^User=' would be a tighter match.
- name: run trojan as root
  lineinfile:
    path: '/lib/systemd/system/trojan.service'
    regexp: 'User='
    line: 'User=root'
  notify: reload systemd

# Network tuning.  ignoreerrors=yes because not every key exists on every
# kernel (net.ipv4.tcp_tw_recycle was dropped in Linux 4.12, and hybla is
# only selectable when its module is loaded) — confirm which apply here.
- name: tweak sysctl
  sysctl: name="{{item.name}}"
          value="{{item.value}}"
          ignoreerrors=yes
  with_items:
    - { "name": "fs.file-max", "value": "51200" }
    - { "name": "net.core.rmem_max", "value": "67108864" }
    - { "name": "net.core.wmem_max", "value": "67108864" }
    - { "name": "net.core.rmem_default", "value": "65536" }
    - { "name": "net.core.wmem_default", "value": "65536" }
    - { "name": "net.core.netdev_max_backlog", "value": "4096" }
    - { "name": "net.core.somaxconn", "value": "4096" }
    - { "name": "net.ipv4.tcp_syncookies", "value": "1" }
    - { "name": "net.ipv4.tcp_tw_reuse", "value": "1" }
    - { "name": "net.ipv4.tcp_tw_recycle", "value": "0" }
    - { "name": "net.ipv4.tcp_fin_timeout", "value": "30" }
    - { "name": "net.ipv4.tcp_keepalive_time", "value": "1200" }
    - { "name": "net.ipv4.ip_local_port_range", "value": "10000 65000" }
    - { "name": "net.ipv4.tcp_max_syn_backlog", "value": "4096" }
    - { "name": "net.ipv4.tcp_max_tw_buckets", "value": "5000" }
    - { "name": "net.ipv4.tcp_fastopen", "value": "3" }
    - { "name": "net.ipv4.tcp_rmem", "value": "4096 87380 67108864" }
    - { "name": "net.ipv4.tcp_wmem", "value": "4096 65536 67108864" }
    - { "name": "net.ipv4.tcp_mtu_probing", "value": "1" }
    - { "name": "net.ipv4.tcp_congestion_control", "value": "hybla" }
44 |
--------------------------------------------------------------------------------
/roles/trojan/templates/config.json:
--------------------------------------------------------------------------------
1 | {
2 | "run_type": "server",
3 | "local_addr": "0.0.0.0",
4 | "local_port": {{ trojan_port }},
5 | "remote_addr": "127.0.0.1",
6 | "remote_port": 80,
7 | "password": [
8 | "{{ trojan_password }}"
9 | ],
10 | "log_level": 1,
11 | "ssl": {
12 | "cert": "/etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem",
13 | "key": "/etc/letsencrypt/live/{{ trojan_domain }}/privkey.pem",
14 | "key_password": "",
15 | "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
16 | "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
17 | "prefer_server_cipher": true,
18 | "alpn": [
19 | "http/1.1"
20 | ],
21 | "alpn_port_override": {
22 | "h2": 81
23 | },
24 | "reuse_session": true,
25 | "session_ticket": false,
26 | "session_timeout": 600,
27 | "plain_http_response": "",
28 | "curves": "",
29 | "dhparam": ""
30 | },
31 | "tcp": {
32 | "prefer_ipv4": false,
33 | "no_delay": true,
34 | "keep_alive": true,
35 | "reuse_port": false,
36 | "fast_open": false,
37 | "fast_open_qlen": 20
38 | },
39 | "mysql": {
40 | "enabled": false,
41 | "server_addr": "127.0.0.1",
42 | "server_port": 3306,
43 | "database": "trojan",
44 | "username": "trojan",
45 | "password": "",
46 | "key": "",
47 | "cert": "",
48 | "ca": ""
49 | }
50 | }
51 |
--------------------------------------------------------------------------------
/roles/wireguard/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | wireguard_self_cidr: '10.0.1.1/24'
3 | wireguard_port: '41194'
4 | wireguard_peers:
5 | - public_key: R4jEchX+mi+lezwltGQavd9d8jY2gIzk4fYW69mu/BE=
6 | address: '10.0.1.2/32'
7 |
--------------------------------------------------------------------------------
/roles/wireguard/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: restart wireguard
3 | service:
4 | name: 'wg-quick@wg0'
5 | state: 'restarted'
6 | enabled: 'yes'
7 |
--------------------------------------------------------------------------------
/roles/wireguard/tasks/main.yml:
--------------------------------------------------------------------------------
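---
# Installs WireGuard, generates this host's keypair once, and renders
# /etc/wireguard/wg0.conf, which embeds the private key in clear text.
- name: install apt packages
  apt:
    name: wireguard

# Runs only while /etc/wireguard/privatekey is absent; umask 077 keeps both
# key files owner-only.  NOTE: the pipeline has no pipefail, so a failing
# `wg genkey` could leave an empty privatekey behind, after which `creates:`
# prevents a retry — delete the file to regenerate.
- name: generate keys
  shell: umask 077; wg genkey | tee privatekey | wg pubkey > publickey
  args:
    chdir: /etc/wireguard
    creates: /etc/wireguard/privatekey

# The key is read into a registered variable for the template below;
# no_log keeps it out of verbose output and callback/log plugins.
- name: load private key
  slurp:
    src: /etc/wireguard/privatekey
  register: private_key
  no_log: true

# mode 0600: without it the rendered config (and the PrivateKey line in it)
# gets the default umask permissions and is readable by every local user;
# wg-quick itself warns when the file is world accessible.
- name: install wireguard configure
  template:
    src: wg0.conf
    dest: /etc/wireguard/wg0.conf
    mode: '0600'
  notify: restart wireguard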
22 |
--------------------------------------------------------------------------------
/roles/wireguard/templates/wg0.conf:
--------------------------------------------------------------------------------
{# Rendered to /etc/wireguard/wg0.conf.  It embeds this host's private key
   (slurped from /etc/wireguard/privatekey by tasks/main.yml), so the
   rendered file must be readable by root only. #}
[Interface]
Address = {{ wireguard_self_cidr }}
ListenPort = {{ wireguard_port }}
PrivateKey = {{ private_key.content | b64decode }}

{# One [Peer] block per entry in wireguard_peers.  AllowedIPs is both the
   route towards the peer and the set of source addresses accepted from it,
   so the /32 used in defaults pins each peer to a single tunnel address.
   The '-%}' strips the newline after the tag so the blocks stay tight. #}
{% for peer in wireguard_peers -%}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.address }}
{% endfor %}
11 |
--------------------------------------------------------------------------------
/roles/zfs/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | zfs_datasets: []
3 |
--------------------------------------------------------------------------------
/roles/zfs/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: reload systemd
3 | command: systemctl daemon-reload
4 |
--------------------------------------------------------------------------------
/roles/zfs/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs ZFS, creates the datasets listed in zfs_datasets (plus the
# directories inside them) and schedules a daily recursive snapshot.
- name: install apt packages
  apt:
    name: '{{item}}'
  loop:
    - zfs-dkms
    - zfsutils-linux

# zpool_name is not in this role's defaults; it has to come from the play or
# inventory.  The gathered facts are used below to skip existing datasets.
- name: get ZFS info
  zfs_facts:
    name: '{{zpool_name}}'
    recurse: yes

# Creation-only: an existing dataset is skipped entirely by the `when`, so
# edits to item.properties made after creation are NOT applied here.
- name: create dataset
  zfs:
    name: '{{item.name}}'
    state: present
    extra_zfs_properties: '{{item.properties}}'
  loop: '{{zfs_datasets}}'
  when: item.name not in (ansible_zfs_datasets | map(attribute='name'))

# Assumes each dataset is mounted at /<dataset name> (ZFS's default
# mountpoint); a custom mountpoint property would break this path.  Every
# item needs a `directories` list (with_subelements has skip_missing for
# items without one).
- name: create directories
  file:
    path: '/{{item.0.name}}/{{item.1}}'
    state: directory
  with_subelements:
    - '{{zfs_datasets}}'
    - directories

# Snapshot unit + timer.  NOTE: templates/zfs-snapshot.service snapshots the
# pool "storage" by name, independent of zpool_name.  The role also ships
# clean-zfs-snapshots and mountall templates that no task here installs.
- name: install systemd files
  template:
    src: '{{ item }}'
    dest: '/etc/systemd/system/{{ item }}'
  loop:
    - zfs-snapshot.service
    - zfs-snapshot.timer
  notify: reload systemd

- name: enable timers
  service:
    name: '{{ item }}'
    state: 'started'
    enabled: 'yes'
  loop:
    - zfs-snapshot.timer
--------------------------------------------------------------------------------
/roles/zfs/templates/clean-zfs-snapshots:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | # Use at Your Own Risk: clean-zfs-snapshots | xargs -L 1 zfs destroy -v
4 |
# Every snapshot on the system, one name per line, in reverse `zfs list`
# order (the sed program is the classic "tac" idiom).
# NOTE(review): the intent is presumably newest-first within each dataset,
# which matters for DELETED_SNAPSHOTS below — confirm `zfs list` ordering.
SNAPSHOTS=$(zfs list -t snapshot -Ho name | sed '1!G;h;$!d')
# Names already selected for deletion in this run; a snapshot listed here
# must not serve as the justification for deleting another one.
DELETED_SNAPSHOTS=()
7 |
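# Whole days between two `date -d`-parsable timestamps: $1 minus $2.
# Integer division truncates toward zero, so partial days are dropped and a
# negative result means $1 is earlier than $2.  Requires GNU date (-d).
# Returns 1 (printing nothing) when either timestamp cannot be parsed;
# previously the unparsable side silently became 0 and a bogus number was
# printed.  d1/d2 are now local instead of leaking into the caller's scope.
diff_date() {
  local d1 d2
  d1=$(date -d "$1" +%s) || return 1
  d2=$(date -d "$2" +%s) || return 1
  echo $(( (d1 - d2) / 86400 ))
}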
13 |
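# Decide whether snapshot $1@$2 may be dropped under a retention window of
# $3 days.  Returns 0 (delete) when the same dataset has another snapshot,
# not already queued in DELETED_SNAPSHOTS, that is newer than $1@$2 by more
# than 0 and fewer than $3 days; returns 1 (keep) otherwise.
#   $1  dataset name
#   $2  snapshot suffix (the part after '@'), a date `date -d` can parse
#   $3  window length in days
# Reads the global DELETED_SNAPSHOTS array, runs `zfs list` for the dataset
# and prints its verdict on stderr.  All expansions are quoted (the original
# left $1/$2 and $DATE bare), and declaration is separated from command
# substitution so a failing `diff_date` is not masked by `local`.
exists_snapshot_after_days() {
  local dataset=$1 stamp=$2 days_atmost=$3
  local age_atleast line other_stamp other_age days
  age_atleast=$(diff_date now "$stamp")

  while IFS= read -r line; do
    other_stamp=${line#*@}
    other_age=$(diff_date now "$other_stamp")
    # Positive when $line is newer than the candidate.
    days=$((age_atleast - other_age))

    # A snapshot already selected for deletion cannot justify deleting
    # another one.  The space-padded substring test relies on ZFS names
    # never containing spaces.
    if [[ ! " ${DELETED_SNAPSHOTS[@]} " =~ " ${line} " ]]; then
      if (( days > 0 && days < days_atmost )); then
        >&2 echo "Delete ${dataset}@${stamp} due to ${line} in ${days_atmost} days"
        return 0
      fi
    fi
  done <<< "$(zfs list "$dataset" -t snapshot -Ho name)"

  >&2 echo "Keep ${dataset}@${stamp}"
  return 1
}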
35 |
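# Main pass: each snapshot, in SNAPSHOTS order, is assigned a retention
# window by its age and printed on stdout when exists_snapshot_after_days
# finds a newer snapshot inside that window; verdicts go to stderr.
#   age > 336 days -> 336-day window
#   age >  28 days ->  28-day window
#   age >   7 days ->   7-day window
#   otherwise      -> always kept
# Names printed here are remembered in DELETED_SNAPSHOTS so they are not
# used to justify further deletions.  The three identical per-tier branches
# of the original are folded into one call with the window as a variable.
while IFS= read -r line; do
  # An empty SNAPSHOTS list yields a single empty line; nothing to do.
  [[ -z $line ]] && continue

  DATASET=${line%@*}
  DATE=${line#*@}
  AGE=$(diff_date now "$DATE")

  if (( AGE > 336 )); then
    WINDOW=336
  elif (( AGE > 28 )); then
    WINDOW=28
  elif (( AGE > 7 )); then
    WINDOW=7
  else
    >&2 echo "Keep ${line}"
    continue
  fi

  if exists_snapshot_after_days "$DATASET" "$DATE" "$WINDOW"; then
    echo "$line"
    DELETED_SNAPSHOTS+=("$line")
  fi
done <<< "$SNAPSHOTS"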
60 |
--------------------------------------------------------------------------------
/roles/zfs/templates/mountall:
--------------------------------------------------------------------------------
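#!/usr/bin/env bash
# Prompt once for the ZFS encryption passphrase and mount every dataset,
# loading keys on the way (`zfs mount -al`).  The passphrase is repeated on
# stdin because the original author fed it ten times — presumably once per
# key that `zfs mount -l` may ask for; confirm against the pool layout.
echo -n 'Password: '
# -r keeps backslashes literal, IFS= keeps leading/trailing blanks, -s
# disables echo.
IFS= read -rs password

# Never use the passphrase as a printf FORMAT string (the original did):
# a '%' or '\' in it would be interpreted instead of printed, and the
# passphrase would silently fail to match.  Emit it as a plain argument.
for _ in {1..10}; do
  printf '%s\n' "$password"
done | zfs mount -al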
6 |
--------------------------------------------------------------------------------
/roles/zfs/templates/zfs-snapshot.service:
--------------------------------------------------------------------------------
[Unit]
Description=Make ZFS snapshot

[Service]
# Started by zfs-snapshot.timer.  Type=simple works with a timer, though
# Type=oneshot is the usual choice for a run-to-completion job.
Type=simple
# Recursive snapshot of the pool "storage", named by today's date; '%%' is
# how a literal '%' is written in a unit file.  The pool name is hard-coded
# rather than taken from zpool_name.  A second run on the same day would
# presumably fail because that snapshot name already exists — confirm.
ExecStart=/bin/bash -c "zfs snapshot -r storage@$(date '+%%Y-%%m-%%d')"
7 |
--------------------------------------------------------------------------------
/roles/zfs/templates/zfs-snapshot.timer:
--------------------------------------------------------------------------------
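[Unit]
Description=Make ZFS snapshoot every day

[Timer]
# Fires at 00:00 every day.  Persistent=true records the last run on disk,
# so a snapshot missed while the host was powered off is taken at the next
# boot instead of being skipped until the following midnight.
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target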
9 |
--------------------------------------------------------------------------------
/secrets.yml.asc:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP MESSAGE-----
2 |
3 | hQEMAyp325QokoazAQgAnY9bxfiGIgaNFzGhpdV9+NUfX+n8P2XNXhvCMOtIudLR
4 | KwJF4pI8ktDRupzmfrLllu0GVTeXogDQRqMRHGvdByMk6YifBfDVs25VhyRynNTu
5 | Ah63YnZEtzbfv19PHmdY7wYzrTJiqim+8x/zxgWiF/EFOaNu8nSvnu7lS357tx3d
6 | JxvpG+Jk8wIDEZkppnU1Wp7gxPjuXzUodecf0Vt5UDy6kx0fPfWRlCQzypjnIBSx
7 | 5InSVLORUNYqtYlEVaUx2V5m1mbV2VTZVYPV7nEPscOwLfOp9BFIQTnPLhDCU+Ae
8 | HKPx+ON389pZt4ZDpXLLRoqd0aqrzzTf7wA/rV17KtLA9QFrI9b0Y4hYXvSndvDc
9 | c80B8q4bgziGm77ILcPFASMk3283q/wrzxMqfxYUy5hGnXbJ7rMBTs5tCb4vARvv
10 | rtFUte+dvd9N5Nc3mQaZM5a6HvpR4DA77gDQgAglfBtvfUWLM5MgDC7NHrSPIyTH
11 | bT5ABj9ss8LIvOaAsejoB7KIEEWMtI5EAtjfUW59xIkAdnig/4e9y1nJZrwNVjb3
12 | fbKZVLvpUf5BnInLwyCtFTO4MaUWpxPelpC/qtVJQuFqmbOafJUqUEjc5xGjxLFx
13 | b5FaWZS6hSspsHeS2fkDcLqz59LOL4BY3AGm/EkyptmK9rUBgF+HhDVPc2ontC3/
14 | +0hk+Zllxoiz7u0BJvlGFfONKRFYslP1Z2oQ9E5q3FsWvm9usxV+RQwKsNTaCgwY
15 | pGW0O7dMKP9s7U7mCss7UiQLg0bgf4g2eFj2RYfQA6uAUTV6qcDNsWw0HxQmySE/
16 | LCmSC3ypUOpViV3VzGZjIrwp7uR6hvpHviuhLbJEHQFbvGr5tfQdNI0IVbuxRk+U
17 | PTM7ip3CkP23jafhVNOpBH1MCqbMQfQY3Fc1UevsfCyMdhBOeHSW
18 | =KR1c
19 | -----END PGP MESSAGE-----
20 |
--------------------------------------------------------------------------------
/voyager-secrets.yml.asc:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP MESSAGE-----
2 |
3 | hQEMAyp325QokoazAQgAhpAmJAKQpfFGnNytFoZSOOVLDAShXFkJEqHPY+8XzQro
4 | o+24sqYZDiuECTnZ1uS89QL50L9dPVKdhYnmCS8qwqvkhpH4n774Y8kYcUSbKK3e
5 | ynFqZLq4IdTvr3FP7mTjyrfDMAAnqyNDJYzibTautf87xdz8UUWG1m0CkEqaafe/
6 | JBjEwcXTPqvVS3anUxZyMD9OnjFgvtqCWQ3PYtEbueAe07GGKRgTpuQCZ2WzN8fW
7 | L2Z4tJavJOyQQGPQJvGL6UiFUqgV6/V41LcIjsiDXtZq0GmzgRgMb8iFEA4ElvfY
8 | oJwtY47eGIfFOyLNiFAs/IEdfe4wX04eqbXDdgVP3NLqAYxh7gffAXhqgttYjYk4
9 | YD7IKotQVUPr2G68nECaJzIRF+aLzt218SzriY8b1hk6biTKiJztPegVA0lDD0JP
10 | wYj/ikMA8Qs8iBLOKzcYXl7JGKmPTjF5g+0s9SEwWU0rmMnWsSAT2aWT8seP9qx5
11 | IJBKeNLZ9MRhmmxylAPz/hOJfGZuLozQPcQilykXbT25GEfZxEU8NFmCEuT19jAb
12 | surbS1/vle8B7WxsaX3KwcZ+oWl5c93Sj5c49W+ga0Vk5hhJ4AclXvY30mpStbJT
13 | kdP23O5eTBzjQBJgSYeWiHbaCj78zbcxk09+Q4Drrd8FwZOzAPMwFUWFFHtzHvbI
14 | 52VbC53KlBIRvIwCi8B6STVipR6tC4lFc0NZMWbRE0AXKNauHdZ6TBynG/08LbNw
15 | By+fPU2oZ8NVDF9QF3oGwcDbQUAo1zPd49thNJ/lAuBlFN1bRh/KdmkZjdv9nkVo
16 | vA3HTkp/kDXZIC6eR27FWUsEQbPIZWljYOz8r2cLU8MVMHroPmZ4gB2dJe48er2P
17 | 25Stgl+fSTEG4ZJOphjnBm9C7gBB80QDghEg8MxuXbmPjJRtqeu22HLhvu8fryw4
18 | 2UlijpfuB/pdeOyEbYgXloxxC/d0YsGdZXITp3MEm5/30qb9bHu/2jyVDiTUEGmY
19 | uyWrUbDudy1JrIkaJvp8dhpDus0183IZkBYjDdDyk+SUThPfi+ANV0vUwkRQzodg
20 | JlodkivtTSBXTwCRnovP0H6icw4/goEXgo7IdibDYg2TAheWqy7kFxYC4xN4Qqta
21 | EGU+78G/zawBfaJ0BvXk7FaMdTf8n4GA3AR8SGIe8lPRHy9Z49KAnkFPcI36U2DE
22 | ZMgn5fLq3T0GTZyZg2B77jSCwWTECC/GI8v4kv1ZmeYR/hi6OvTIxYbzDrJL8rV0
23 | FX1I9CGutx3eDIudSuX7HNEggO2LXOJZkLyyVSc6Yk/txqprYLew7NP5Dun8htRw
24 | jQ35u8MZqwBxKhRXRDBs5N4p71h4JOSga0S33zEx1MJ/vDTWcqyxbgFS+PQLx5k7
25 | 7RZKvQ58FEmL9Qu/Hzgs3z7qvzJxjSqKK5Ydw73An0AOu8X2WUSPZmrncMXh2tRL
26 | NSUW3dDznzzpdB/1IvliTM9qSG856gk7+9jP+gLZ+4mBndNAP+DtGhR6byQRnBDU
27 | HTYVm8nPxGmSmeqL8d0yfB0SOC9RsRpEnA1GbqfJzDc0erzphnjVFX6NyWuWnf0F
28 | kFT00iYIN3HFKgkpE6onaIKSdZlaaJAc/5eb2uvX9bXDloS7NhRUXnda9LQbMr/L
29 | F1JhAw7wu8dhbPzplqU1bD4KBuAfZATF1Fj+wCaqBTtU7xj7MTOXM27QqygZz4vD
30 | eennzVQXDpTkjr2aHmcd/EfJ1CZlh74TugCf4C7Uu9vY4qEBJPsMYX+cT+SnH0jk
31 | DFmIuzdg2LTJD9Qaq6t7w3+yFmO7GHjByi2/TuFGWiPVsXJgxUkIsuXL+qqtbtZo
32 | raV6g8GleZjAgxC/X6VpYtuTaGiJbWB6CDyEPTJVlGnzIFzgD192kLrdMcYmKuM2
33 | IDTo4xjBgP92joKxSzOFmX+41t/gRD9AZyl8KGsWiLH7haUcSKXmuSpiKJ2GRo8t
34 | vIVxJx/pOMSPAtbTA2trXcBO5+N6bMyngYl4LURsmgPzeaZa/KZsYxnC5wv9pTwr
35 | jXJOoD6eRdai2Q5l23MdpsxHPP8Jwcqv1cUMOXKoQgEmsW6HfVc3EB7V6+8dml4M
36 | CU0ZGAWMFjtxud+DgRQ987F3uzVge1dXqYCMdRPFrkrBOiA5VG7FXPtdA1Yybe2U
37 | XWNIzHLw8o+8jfXO/z9mlNsi7sb/6UhVIEGjymCxm9kD2ZW6a6gvg6uNHTSBZ8Q2
38 | DMwJ8bvz81kG3ZRaN5LjSTThPwlYR1vF5M8hAN9Td51Y19g0GzC4M4++dyVBy8Dz
39 | Cho2yIdnMr06JiGKubTYZQ9nj4wr/lCuIvPVtVcJ0otiWLOYvpaesYUTpzlNJcGR
40 | dTtynRqCuC3O8TT+cBdTz73VZzB1Ds6XqbkV2VTtFjzVAsBvqGLt4aVir2FhSaqk
41 | er3YTxkDqs0OJExraR9Ia8JTPj9GMGlumphEKr8o147Soh40PawKOK1h/bd+deFu
42 | 6b8u9g2aEkwCXvGUnl5brVBjj3+96DSRlhgZ9AFYh1LWrX2ak0YbIviGEEif4xOA
43 | FmeYo/+10oA9TAoxjB6c/bNZ3FASqEnola8JJYtPbpRNTpRF9FaaH2+Kp9DpRs72
44 | iQT5D1ilE589HOyU7jAThpOKixpBMUVmTKJ22hbt408efaMLkCqeXNFrNUGdSSSb
45 | z6HGHGwSd4gtTXbPK9SykdAsv2yeDXxNDZF+gG/YNiyyImm4XMChh0VEL96EgL0N
46 | hj8/rGMcpeTX0rRqUFp8EhBn+pp27v6p+WvFbF7HvWa533An+UawkbY7Krp+IGDf
47 | d6TA
48 | =9ZbH
49 | -----END PGP MESSAGE-----
50 |
--------------------------------------------------------------------------------