don't suffocate the vm

This reverts commit f447e9e77e.

.ansible-lint

@@ -1,4 +0,0 @@
-strict: true
-use_default_rules: true
-skip_list:
-  - args[module]

.github/workflows/infra.yaml

@@ -11,8 +11,8 @@ on:
       - main
 
 env:
-  DEPLOY: ${{ github.ref == 'refs/heads/main' && ((startsWith(github.event.head_commit.message, '[deploy-all]') && 'all') || ('some')) || 'none' }}
+  # DEPLOY: ${{ github.ref == 'refs/heads/main' && ((startsWith(github.event.head_commit.message, '[deploy-all]') && 'all') || ('some')) || 'none' }}
-  # DEPLOY: all
+  DEPLOY: all
 
 jobs:
   ansible-playbooks:
@@ -29,14 +29,13 @@ jobs:
           apt update
           apt install -y python3-pip
           pip3 install -r requirements.txt
-          ansible-galaxy collection install -r requirements.yml --force
+          ansible-galaxy collection install community.general
-
-      - name: Run ansible-lint
-        uses: ansible/ansible-lint@v6
 
       - name: Check playbooks
         run: |
-          ansible-playbook --inventory ./inventory --syntax-check infra/**/*playbook.yaml
+          for file in $(find . -wholename "*/infra/*playbook.yaml" -type f); do
+            ansible-playbook --inventory ./inventory --syntax-check "$file"
+          done
 
       - name: Get changed playbooks
         id: files
@@ -73,9 +72,4 @@ jobs:
           PROXMOX_TOKEN_ID: ${{ secrets.PROXMOX_TOKEN_ID }}
           PROXMOX_TOKEN_SECRET: ${{ secrets.PROXMOX_TOKEN_SECRET }}
           SSH_PUBLIC: ${{ secrets.SSH_PUBLIC }}
-          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
+        run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }}
-          INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }}
-          INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }}
-          INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
-          INFISICAL_URL: https://secrets.koval.net
-        run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv

infra/cloud/0001_initialise_playbook.yaml

@@ -1,42 +0,0 @@
-- name: Initialise VM
-  hosts: cloud
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install system packages
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - qemu-guest-agent
-          - parted
-      become: true
-    - name: Enable qemu-guest-agent
-      ansible.builtin.systemd:
-        name: qemu-guest-agent
-        state: started
-        enabled: true
-      become: true
-
-    - name: Create data partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1
-        label: gpt
-        name: data
-        number: 1
-        state: present
-      become: true
-    - name: Create data filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        fstype: ext4
-      become: true
-    - name: Mount data partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        path: /var/lib/docker
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true

infra/cloud/0002_docker_playbook.yaml

@@ -1,47 +0,0 @@
-- name: Install docker
-  hosts: cloud
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install dependencies
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - curl
-          - python3-apt
-          - gpg
-      become: true
-    - name: Add docker key
-      ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/debian/gpg
-        keyring: /etc/apt/keyrings/docker.gpg
-      become: true
-    - name: Add docker repo
-      ansible.builtin.apt_repository:
-        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable
-      become: true
-    - name: Install docker
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - docker-ce
-          - docker-ce-cli
-          - containerd.io
-          - docker-buildx-plugin
-          - docker-compose-plugin
-      become: true
-    - name: Add user to docker group
-      ansible.builtin.user:
-        user: debian
-        groups:
-          - docker
-        append: true
-      become: true
-    - name: Enable docker
-      ansible.builtin.systemd:
-        name: docker
-        state: started
-        enabled: true
-      become: true

infra/cloud/0003_00_cleanup_script_deploy_playbook.yaml

@@ -1,13 +0,0 @@
-- name: Cleanup old ~/nextcloud directory
-  hosts: cloud
-  gather_facts: false
-  vars:
-    app: nextcloud
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Delete nextcloud directory
-      ansible.builtin.file:
-        path: "$HOME/{{ app }}"
-        state: absent

infra/cloud/0003_nextcloud_playbook.yaml

@@ -1,30 +0,0 @@
-- name: Deploy app
-  hosts: cloud
-  gather_facts: false
-  vars:
-    container: nextcloud-aio-mastercontainer
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Deploy master container
-      community.docker.docker_container:
-        image: nextcloud/all-in-one:latest
-        recreate: true
-        state: started
-        restart_policy: unless-stopped
-        init: true
-        name: "{{ container }}"
-        published_ports:
-          - 8080:8080
-        env:
-          NEXTCLOUD_UPLOAD_LIMIT: 16G
-          NEXTCLOUD_MAX_TIME: "7200"
-          NEXTCLOUD_ADDITIONAL_APKS: imagemagick ffmpeg
-          APACHE_PORT: "11000"
-          APACHE_IP_BINDING: "0.0.0.0"
-          TZ: Europe/London
-          AIO_DISABLE_BACKUP_SECTION: "true"
-        volumes:
-          - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
-          - /var/run/docker.sock:/var/run/docker.sock:ro

infra/joplin/0000_proxmox_playbook.yaml

@@ -1,5 +1,5 @@
-- name: Provision cloud Proxmox VM
+- name: Provision joplin Proxmox VM
-  hosts: cloud
+  hosts: joplin
   connection: ansible.builtin.local
   gather_facts: false
   vars:
@@ -36,7 +36,7 @@
       community.general.proxmox_kvm:
         clone: "{{ node }}-debian-12"
         storage: nvme
-      notify: Initial boot
+      register: create
     - name: Wait for status
       community.general.proxmox_kvm:
         state: current
@@ -46,11 +46,11 @@
       until: vm.status is defined
 
     # Networking and initial config
-    - name: Add PUB NIC
+    - name: Add HOME NIC
       community.general.proxmox_nic:
         interface: net0
         firewall: false
-        bridge: PUB
+        bridge: HOME
     - name: Add SRV NIC
       community.general.proxmox_nic:
         interface: net1
@@ -65,21 +65,28 @@
           ipconfig0: ip=dhcp,ip6=auto
           ipconfig1: ip=dhcp
 
-    - name: Force all notified handlers to run
+    # Initial boot
-      ansible.builtin.meta: flush_handlers
+    # For some reason debian cloud images don't use
+    # cloud-init for networking on first boot (cloud-init files
+    # are regenerated AFTER networking starts). But we need the
+    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
+    - name: Initial boot
+      when: create.changed is true
+      block:
+        - name: Start
+          community.general.proxmox_kvm:
+            state: started
+          register: start
+        - name: Wait 3 min # Initial apt update, apt upgrade, cloud-init
+          ansible.builtin.wait_for:
+            timeout: 180
 
     # VM Configuration
-    - name: Resize root disk
+    - name: Resize disk
       community.general.proxmox_disk:
         disk: scsi0
-        size: 16G
+        size: 64G
         state: resized
-    - name: Create data disk
-      community.general.proxmox_disk:
-        disk: scsi1
-        backup: true
-        storage: nvme
-        size: 2048
     - name: Update VM
       community.general.proxmox_kvm:
         update: true
@@ -88,25 +95,10 @@
           - debian-12
           - managed
         onboot: true
-        cores: 8
+        cores: 2
-        memory: 16384
+        memory: 2048
 
     - name: Retart VM
       community.general.proxmox_kvm:
         state: restarted
         timeout: 60
-  handlers:
-    # Initial boot
-    # For some reason debian cloud images don't use
-    # cloud-init for networking on first boot (cloud-init files
-    # are regenerated AFTER networking starts). But we need the
-    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
-    - name: Initial boot
-      block:
-        - name: Start
-          community.general.proxmox_kvm:
-            state: started
-          register: start
-        - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init
-          ansible.builtin.wait_for:
-            timeout: 90

infra/joplin/0001_software_playbook.yaml

@@ -0,0 +1,25 @@
+- name: Setup Software
+  hosts: joplin
+  gather_facts: false
+  tasks:
+    - name: Wait for connection
+      ansible.builtin.wait_for_connection:
+        timeout: 300
+    - name: Test some stuff
+      ansible.builtin.shell: |
+        touch ~/hmm
+        echo test > ~/test
+        echo test2 >> ~/test
+        mkdir ~/dir
+        touch ~/dir/testing
+    - name: Install some stuff
+      ansible.builtin.apt:
+        update_cache: true
+        name: qemu-guest-agent
+      become: true
+    - name: Enable some stuff
+      ansible.builtin.systemd:
+        name: qemu-guest-agent
+        state: started
+        enabled: true
+      become: true

infra/music/0000_proxmox_playbook.yaml

@@ -1,118 +0,0 @@
-- name: Provision music Proxmox VM
-  hosts: music
-  connection: ansible.builtin.local
-  gather_facts: false
-  vars:
-    api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}"
-    api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}"
-    api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}"
-    api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
-    ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
-    vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
-    node: pve2
-  module_defaults:
-    community.general.proxmox_kvm:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-      node: "{{ node }}"
-    community.general.proxmox_nic:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-    community.general.proxmox_disk:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-  tasks:
-    # Initial setup
-    - name: Create VM
-      community.general.proxmox_kvm:
-        clone: "{{ node }}-debian-12"
-        storage: nvme
-      notify: Initial boot
-    - name: Wait for status
-      community.general.proxmox_kvm:
-        state: current
-      register: vm
-      retries: 30
-      delay: 10
-      until: vm.status is defined
-
-    # Networking and initial config
-    - name: Add PUB NIC
-      community.general.proxmox_nic:
-        interface: net0
-        firewall: false
-        bridge: PUB
-    - name: Add SRV NIC
-      community.general.proxmox_nic:
-        interface: net1
-        firewall: false
-        bridge: SRV
-    - name: Configure cloud-init
-      community.general.proxmox_kvm:
-        update: true
-        ciuser: debian
-        sshkeys: "{{ ssh_public }}"
-        ipconfig:
-          ipconfig0: ip=dhcp,ip6=auto
-          ipconfig1: ip=dhcp
-
-    - name: Force all notified handlers to run
-      ansible.builtin.meta: flush_handlers
-
-    # VM Configuration
-    - name: Resize root disk
-      community.general.proxmox_disk:
-        disk: scsi0
-        size: 16G
-        state: resized
-    - name: Create data disk
-      community.general.proxmox_disk:
-        disk: scsi1
-        backup: true
-        storage: nvme
-        size: 64
-    - name: Create media disk
-      community.general.proxmox_disk:
-        disk: scsi2
-        backup: false
-        storage: nvme
-        size: 1024
-    - name: Update VM
-      community.general.proxmox_kvm:
-        update: true
-        agent: enabled=1
-        tags:
-          - debian-12
-          - managed
-        onboot: true
-        cores: 8
-        memory: 16384
-
-    - name: Retart VM
-      community.general.proxmox_kvm:
-        state: restarted
-        timeout: 60
-  handlers:
-    # Initial boot
-    # For some reason debian cloud images don't use
-    # cloud-init for networking on first boot (cloud-init files
-    # are regenerated AFTER networking starts). But we need the
-    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
-    - name: Initial boot
-      block:
-        - name: Start
-          community.general.proxmox_kvm:
-            state: started
-          register: start
-        - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init
-          ansible.builtin.wait_for:
-            timeout: 90

infra/music/0001_initialise_playbook.yaml

@@ -1,64 +0,0 @@
-- name: Initialise VM
-  hosts: music
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install system packages
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - qemu-guest-agent
-          - parted
-      become: true
-    - name: Enable qemu-guest-agent
-      ansible.builtin.systemd:
-        name: qemu-guest-agent
-        state: started
-        enabled: true
-      become: true
-
-    - name: Create data partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1
-        label: gpt
-        name: data
-        number: 1
-        state: present
-      become: true
-    - name: Create data filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        fstype: ext4
-      become: true
-    - name: Mount data partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        path: /var/lib/docker
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true
-
-    - name: Create media partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2
-        label: gpt
-        name: media
-        number: 1
-        state: present
-      become: true
-    - name: Create media filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        fstype: ext4
-      become: true
-    - name: Mount media partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        path: /mnt/media
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true

infra/music/0002_docker_playbook.yaml

@@ -1,47 +0,0 @@
-- name: Install docker
-  hosts: music
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install dependencies
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - curl
-          - python3-apt
-          - gpg
-      become: true
-    - name: Add docker key
-      ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/debian/gpg
-        keyring: /etc/apt/keyrings/docker.gpg
-      become: true
-    - name: Add docker repo
-      ansible.builtin.apt_repository:
-        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable
-      become: true
-    - name: Install docker
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - docker-ce
-          - docker-ce-cli
-          - containerd.io
-          - docker-buildx-plugin
-          - docker-compose-plugin
-      become: true
-    - name: Add user to docker group
-      ansible.builtin.user:
-        user: debian
-        groups:
-          - docker
-        append: true
-      become: true
-    - name: Enable docker
-      ansible.builtin.systemd:
-        name: docker
-        state: started
-        enabled: true
-      become: true

infra/music/0003_music_playbook.yaml

@@ -1,60 +0,0 @@
-- name: Deploy app
-  hosts: music
-  gather_facts: false
-  vars:
-    app: music
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Docker compose down
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
-        state: absent
-    - name: Copy project
-      ansible.builtin.copy:
-        src: "./{{ app }}"
-        dest: "$HOME"
-        mode: "0744"
-    - name: Replace LastFM API key secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "LASTFM_APIKEY_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/music', secret_name='LASTFM_APIKEY')['value'] }}"
-    - name: Replace LastFM secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "LASTFM_SECRET_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/music', secret_name='LASTFM_SECRET')['value'] }}"
-    - name: Replace Mongo Password secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "SPOTIFY_ID_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/music', secret_name='SPOTIFY_ID')['value'] }}"
-    - name: Replace SMTP Password secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "SPOTIFY_SECRET_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/music', secret_name='SPOTIFY_SECRET')['value'] }}"
-
-    - name: Docker compose up
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
-
-    - name: Update data permissions
-      ansible.builtin.file:
-        path: /mnt/nvme
-        state: directory
-        recurse: true
-        owner: debian
-        group: debian
-      become: true
-
-    - name: Update media permissions
-      ansible.builtin.file:
-        path: /mnt/media
-        state: directory
-        recurse: true
-        owner: debian
-        group: debian
-      become: true

infra/music/music/.env

@@ -1,4 +0,0 @@
-LASTFM_APIKEY=LASTFM_APIKEY_VALUE
-LASTFM_SECRET=LASTFM_SECRET_VALUE
-SPOTIFY_ID=SPOTIFY_ID_VALUE
-SPOTIFY_SECRET=SPOTIFY_SECRET_VALUE

infra/music/music/.gitignore

@@ -1 +0,0 @@
-!.env

infra/music/music/docker-compose.yml

@@ -1,52 +0,0 @@
-version: "3"
-
-services:
-  navidrome:
-    image: deluan/navidrome:latest
-    restart: unless-stopped
-    user: 1000:1000
-    ports:
-      - 4533:4533
-    env_file: .env
-    environment:
-      - ND_BASEURL=https://music.koval.net
-      - ND_LASTFM_APIKEY=${LASTFM_APIKEY}
-      - ND_LASTFM_SECRET=${LASTFM_SECRET}
-      - ND_SPOTIFY_ID=${SPOTIFY_ID}
-      - ND_SPOTIFY_SECRET=${SPOTIFY_SECRET}
-      - ND_COVERARTPRIORITY=cover.*, folder.*, front.*, external, embedded
-    volumes:
-      - /mnt/nvme/navidrome:/data
-      - /mnt/media/music:/music:ro
-  metube:
-    image: ghcr.io/alexta69/metube
-    restart: unless-stopped
-    ports:
-      - 8081:8081
-    environment:
-      - STATE_DIR=/data/.metube
-      - TEMP_DIR=/data/downloads
-    volumes:
-      - /mnt/nvme/metube:/data
-      - /mnt/media/downloads:/downloads
-  picard:
-    image: mikenye/picard:latest
-    restart: unless-stopped
-    ports:
-      - 5800:5800
-    volumes:
-      - /mnt/nvme/picard:/config:rw
-      - /mnt/media/music:/storage/music:rw
-      - /mnt/media/downloads:/storage/downloads:rw
-  filebrowser:
-    image: filebrowser/filebrowser
-    restart: unless-stopped
-    user: 1000:1000
-    ports:
-      - 8080:80
-    environment:
-      - FB_DATABASE=/config/database.db
-    volumes:
-      - /mnt/nvme/filebrowser:/config
-      - /mnt/media/downloads:/srv/downloads
-      - /mnt/media/music:/srv/music

infra/photos/0000_proxmox_playbook.yaml

@@ -1,118 +0,0 @@
-- name: Provision photos Proxmox VM
-  hosts: photos
-  connection: ansible.builtin.local
-  gather_facts: false
-  vars:
-    api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}"
-    api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}"
-    api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}"
-    api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
-    ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
-    vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
-    node: pve
-  module_defaults:
-    community.general.proxmox_kvm:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-      node: "{{ node }}"
-    community.general.proxmox_nic:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-    community.general.proxmox_disk:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-  tasks:
-    # Initial setup
-    - name: Create VM
-      community.general.proxmox_kvm:
-        clone: "{{ node }}-debian-12"
-        storage: nvme
-      notify: Initial boot
-    - name: Wait for status
-      community.general.proxmox_kvm:
-        state: current
-      register: vm
-      retries: 30
-      delay: 10
-      until: vm.status is defined
-
-    # Networking and initial config
-    - name: Add PUB NIC
-      community.general.proxmox_nic:
-        interface: net0
-        firewall: false
-        bridge: PUB
-    - name: Add SRV NIC
-      community.general.proxmox_nic:
-        interface: net1
-        firewall: false
-        bridge: SRV
-    - name: Configure cloud-init
-      community.general.proxmox_kvm:
-        update: true
-        ciuser: debian
-        sshkeys: "{{ ssh_public }}"
-        ipconfig:
-          ipconfig0: ip=dhcp,ip6=auto
-          ipconfig1: ip=dhcp
-
-    - name: Force all notified handlers to run
-      ansible.builtin.meta: flush_handlers
-
-    # VM Configuration
-    - name: Resize root disk
-      community.general.proxmox_disk:
-        disk: scsi0
-        size: 16G
-        state: resized
-    - name: Create data disk
-      community.general.proxmox_disk:
-        disk: scsi1
-        backup: true
-        storage: nvme
-        size: 64
-    - name: Create media disk
-      community.general.proxmox_disk:
-        disk: scsi2
-        backup: true
-        storage: nvme
-        size: 2048
-    - name: Update VM
-      community.general.proxmox_kvm:
-        update: true
-        agent: enabled=1
-        tags:
-          - debian-12
-          - managed
-        onboot: true
-        cores: 8
-        memory: 16384
-
-    - name: Retart VM
-      community.general.proxmox_kvm:
-        state: restarted
-        timeout: 60
-  handlers:
-    # Initial boot
-    # For some reason debian cloud images don't use
-    # cloud-init for networking on first boot (cloud-init files
-    # are regenerated AFTER networking starts). But we need the
-    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
-    - name: Initial boot
-      block:
-        - name: Start
-          community.general.proxmox_kvm:
-            state: started
-          register: start
-        - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init
-          ansible.builtin.wait_for:
-            timeout: 90

infra/photos/0001_initialise_playbook.yaml

@@ -1,64 +0,0 @@
-- name: Initialise VM
-  hosts: photos
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install system packages
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - qemu-guest-agent
-          - parted
-      become: true
-    - name: Enable qemu-guest-agent
-      ansible.builtin.systemd:
-        name: qemu-guest-agent
-        state: started
-        enabled: true
-      become: true
-
-    - name: Create data partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1
-        label: gpt
-        name: data
-        number: 1
-        state: present
-      become: true
-    - name: Create data filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        fstype: ext4
-      become: true
-    - name: Mount data partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        path: /var/lib/docker
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true
-
-    - name: Create media partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2
-        label: gpt
-        name: media
-        number: 1
-        state: present
-      become: true
-    - name: Create media filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        fstype: ext4
-      become: true
-    - name: Mount media partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        path: /mnt/media
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true

infra/photos/0002_docker_playbook.yaml

@@ -1,47 +0,0 @@
-- name: Install docker
-  hosts: photos
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install dependencies
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - curl
-          - python3-apt
-          - gpg
-      become: true
-    - name: Add docker key
-      ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/debian/gpg
-        keyring: /etc/apt/keyrings/docker.gpg
-      become: true
-    - name: Add docker repo
-      ansible.builtin.apt_repository:
-        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable
-      become: true
-    - name: Install docker
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - docker-ce
-          - docker-ce-cli
-          - containerd.io
-          - docker-buildx-plugin
-          - docker-compose-plugin
-      become: true
-    - name: Add user to docker group
-      ansible.builtin.user:
-        user: debian
-        groups:
-          - docker
-        append: true
-      become: true
-    - name: Enable docker
-      ansible.builtin.systemd:
-        name: docker
-        state: started
-        enabled: true
-      become: true

infra/photos/0003_immich_playbook.yaml

@@ -1,31 +0,0 @@
-- name: Deploy app
-  hosts: photos
-  gather_facts: false
-  vars:
-    app: immich
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Docker compose down
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
-        state: absent
-    - name: Copy project
-      ansible.builtin.copy:
-        src: "./{{ app }}"
-        dest: "$HOME"
-        mode: "0744"
-    - name: Replace Typesense secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "TYPESENSE_API_KEY_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/photos', secret_name='TYPESENSE_API_KEY')['value'] }}"
-    - name: Replace DB secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "DB_PASSWORD_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/photos', secret_name='DB_PASSWORD')['value'] }}"
-    - name: Docker compose up -d
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"

infra/photos/immich/.env

@@ -1,22 +0,0 @@
-# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
-
-# The location where your uploaded files are stored
-UPLOAD_LOCATION=/mnt/media/immich
-
-# The Immich version to use. You can pin this to a specific version like "v1.71.0"
-IMMICH_VERSION=release
-
-# Connection secrets for postgres and typesense. You should change these to random passwords
-TYPESENSE_API_KEY=TYPESENSE_API_KEY_VALUE
-DB_PASSWORD=DB_PASSWORD_VALUE
-
-# Other
-PUBLIC_LOGIN_PAGE_MESSAGE="KovalHome Photos & Videos"
-
-# The values below this line do not need to be changed
-###################################################################################
-DB_HOSTNAME=immich_postgres
-DB_USERNAME=postgres
-DB_DATABASE_NAME=immich
-
-REDIS_HOSTNAME=immich_redis

infra/photos/immich/.gitignore

@@ -1 +0,0 @@
-!.env

infra/photos/immich/docker-compose.yml

@@ -1,64 +0,0 @@
-version: "3.8"
-
-services:
-  immich-server:
-    container_name: immich_server
-    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-    command: ["start.sh", "immich"]
-    volumes:
-      - ${UPLOAD_LOCATION}:/usr/src/app/upload
-    env_file:
-      - .env
-    ports:
-      - 2283:3001
-    depends_on:
-      - redis
-      - database
-    restart: always
-
-  immich-microservices:
-    container_name: immich_microservices
-    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-    # extends:
-    #   file: hwaccel.yml
-    #   service: hwaccel
-    command: ["start.sh", "microservices"]
-    volumes:
-      - ${UPLOAD_LOCATION}:/usr/src/app/upload
-    env_file:
-      - .env
-    depends_on:
-      - redis
-      - database
-    restart: always
-
-  immich-machine-learning:
-    container_name: immich_machine_learning
-    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
-    volumes:
-      - model-cache:/cache
-    env_file:
-      - .env
-    restart: always
-
-  redis:
-    container_name: immich_redis
-    image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3
-    restart: always
-
-  database:
-    container_name: immich_postgres
-    image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
-    env_file:
-      - .env
-    environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_DB: ${DB_DATABASE_NAME}
-    volumes:
-      - pgdata:/var/lib/postgresql/data
-    restart: always
-
-volumes:
-  pgdata:
-  model-cache:

infra/samba/0000_proxmox_playbook.yaml

@@ -1,117 +0,0 @@
-- name: Provision samba Proxmox VM
-  hosts: samba
-  connection: ansible.builtin.local
-  gather_facts: false
-  vars:
-    api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}"
-    api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}"
-    api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}"
-    api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
-    ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
-    vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
-    node: pve
-  module_defaults:
-    community.general.proxmox_kvm:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-      node: "{{ node }}"
-    community.general.proxmox_nic:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-    community.general.proxmox_disk:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-  tasks:
-    # Initial setup
-    - name: Create VM
-      community.general.proxmox_kvm:
-        clone: "{{ node }}-debian-12"
-        storage: nvme
-      notify: Initial boot
-    - name: Wait for status
-      community.general.proxmox_kvm:
-        state: current
-      register: vm
-      retries: 30
-      delay: 10
-      until: vm.status is defined
-
-    # Networking and initial config
-    - name: Add PUB NIC
-      community.general.proxmox_nic:
-        interface: net0
-        firewall: false
-        bridge: PUB
-    - name: Add SRV NIC
-      community.general.proxmox_nic:
-        interface: net1
-        firewall: false
-        bridge: SRV
-    - name: Configure cloud-init
-      community.general.proxmox_kvm:
-        update: true
-        ciuser: debian
-        sshkeys: "{{ ssh_public }}"
-        ipconfig:
-          ipconfig0: ip=dhcp,ip6=auto
-          ipconfig1: ip=dhcp
-
-    - name: Force all notified handlers to run
-      ansible.builtin.meta: flush_handlers
-
-    # VM Configuration
-    - name: Resize root disk
-      community.general.proxmox_disk:
-        disk: scsi0
-        size: 16G
-        state: resized
-    - name: Create data disk
-      community.general.proxmox_disk:
-        disk: scsi1
-        backup: true
-        storage: nvme
-        size: 64
-    - name: Create share disk
-      community.general.proxmox_disk:
-        disk: scsi2
-        backup: false
-        storage: zfs
-        size: 2048
-    - name: Update VM
-      community.general.proxmox_kvm:
-        update: true
-        agent: enabled=1
-        tags:
-          - debian-12
-          - managed
-        onboot: true
-        cores: 4
-        memory: 8192
-    - name: Retart VM
-      community.general.proxmox_kvm:
-        state: restarted
-        timeout: 60
-  handlers:
-    # Initial boot
-    # For some reason debian cloud images don't use
-    # cloud-init for networking on first boot (cloud-init files
-    # are regenerated AFTER networking starts). But we need the
-    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
-    - name: Initial boot
-      block:
-        - name: Start
-          community.general.proxmox_kvm:
-            state: started
-          register: start
-        - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init
-          ansible.builtin.wait_for:
-            timeout: 90

infra/samba/0001_initialise_playbook.yaml

@@ -1,65 +0,0 @@
-- name: Initialise VM
-  hosts: samba
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-
-    - name: Install system packages
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - qemu-guest-agent
-          - parted
-      become: true
-    - name: Enable qemu-guest-agent
-      ansible.builtin.systemd:
-        name: qemu-guest-agent
-        state: started
-        enabled: true
-      become: true
-
-    - name: Create data partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1
-        label: gpt
-        name: data
-        number: 1
-        state: present
-      become: true
-    - name: Create data filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        fstype: ext4
-      become: true
-    - name: Mount data partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        path: /var/lib/docker/volumes
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true
-
-    - name: Create share partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2
-        label: gpt
-        name: data
-        number: 1
-        state: present
-      become: true
-    - name: Create share filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        fstype: ext4
-      become: true
-    - name: Mount data partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        path: /mnt/share
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true

infra/samba/0002_docker_playbook.yaml

@@ -1,48 +0,0 @@
-- name: Install docker
-  hosts: samba
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-
-    - name: Install dependencies
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - curl
-          - python3-apt
-          - gpg
-      become: true
-    - name: Add docker key
-      ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/debian/gpg
-        keyring: /etc/apt/keyrings/docker.gpg
-      become: true
-    - name: Add docker repo
-      ansible.builtin.apt_repository:
-        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable
-      become: true
-    - name: Install docker
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - docker-ce
-          - docker-ce-cli
-          - containerd.io
-          - docker-buildx-plugin
-          - docker-compose-plugin
-      become: true
-    - name: Add user to docker group
-      ansible.builtin.user:
-        user: debian
-        groups:
-          - docker
-        append: true
-      become: true
-    - name: Enable docker
-      ansible.builtin.systemd:
-        name: docker
-        state: started
-        enabled: true
-      become: true

infra/samba/0003_samba_playbook.yaml

@@ -1,37 +0,0 @@
-- name: Deploy app
-  hosts: samba
-  gather_facts: false
-  vars:
-    app: samba
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Docker compose down
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
-        state: absent
-    - name: Copy project
-      ansible.builtin.copy:
-        src: "./{{ app }}"
-        dest: "$HOME"
-        mode: "0744"
-
-    - name: Replace KVK Password secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/config.yml"
-        regexp: "KVK_PASSWORD"
-        replace: "{{ lookup('infisical.vault.read_secrets', env_slug='prod', path='/samba', secret_name='KVK_PASSWORD')['value'] }}"
-
-    - name: Docker compose up
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
-
-    - name: Update samba permissions
-      ansible.builtin.file:
-        path: /mnt/share/samba
-        state: directory
-        recurse: true
-        owner: debian
-        group: debian
-      become: true

infra/samba/samba/config.yml

@@ -1,26 +0,0 @@
-auth:
-  - user: debian
-    group: debian
-    uid: 1000
-    gid: 1000
-
-  - user: kvk
-    group: kvk
-    uid: 1001
-    gid: 1001
-    password: KVK_PASSWORD
-
-global:
-  - "force user = debian"
-  - "force group = debian"
-
-share:
-  - name: kvkbackups
-    comment: KVK Backups
-    path: /samba/kvkbackups
-    validusers: kvk
-    writelist: kvk
-    browsable: true
-    readonly: false
-    guestok: false
-    veto: false

infra/samba/samba/docker-compose.yml

@@ -1,16 +0,0 @@
-version: "3"
-
-services:
-  samba:
-    image: crazymax/samba
-    restart: unless-stopped
-    network_mode: host
-    volumes:
-      - samba-data:/data
-      - ./config.yml:/data/config.yml
-      - /mnt/share/samba/kvkbackups:/samba/kvkbackups
-    environment:
-      - TZ=Europe/London
-
-volumes:
-  samba-data:

infra/secrets/0000_proxmox_playbook.yaml

@@ -1,112 +0,0 @@
-- name: Provision secrets Proxmox VM
-  hosts: secrets
-  connection: ansible.builtin.local
-  gather_facts: false
-  vars:
-    api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}"
-    api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}"
-    api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}"
-    api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
-    ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
-    vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
-    node: pve2
-  module_defaults:
-    community.general.proxmox_kvm:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-      node: "{{ node }}"
-    community.general.proxmox_nic:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-    community.general.proxmox_disk:
-      api_user: "{{ api_user }}"
-      api_host: "{{ api_host }}"
-      api_token_id: "{{ api_token_id }}"
-      api_token_secret: "{{ api_token_secret }}"
-      name: "{{ vmname }}"
-  tasks:
-    # Initial setup
-    - name: Create VM
-      community.general.proxmox_kvm:
-        clone: "{{ node }}-debian-12"
-        storage: nvme
-      notify: Initial boot
-    - name: Wait for status
-      community.general.proxmox_kvm:
-        state: current
-      register: vm
-      retries: 30
-      delay: 10
-      until: vm.status is defined
-
-    # Networking and initial config
-    - name: Add PUB NIC
-      community.general.proxmox_nic:
-        interface: net0
-        firewall: false
-        bridge: PUB
-    - name: Add SRV NIC
-      community.general.proxmox_nic:
-        interface: net1
-        firewall: false
-        bridge: SRV
-    - name: Configure cloud-init
-      community.general.proxmox_kvm:
-        update: true
-        ciuser: debian
-        sshkeys: "{{ ssh_public }}"
-        ipconfig:
-          ipconfig0: ip=dhcp,ip6=auto
-          ipconfig1: ip=dhcp
-
-    - name: Force all notified handlers to run
-      ansible.builtin.meta: flush_handlers
-
-    # VM Configuration
-    - name: Resize root disk
-      community.general.proxmox_disk:
-        disk: scsi0
-        size: 16G
-        state: resized
-    - name: Create data disk
-      community.general.proxmox_disk:
-        disk: scsi1
-        backup: true
-        storage: nvme
-        size: 64
-    - name: Update VM
-      community.general.proxmox_kvm:
-        update: true
-        agent: enabled=1
-        tags:
-          - debian-12
-          - managed
-        onboot: true
-        cores: 4
-        memory: 4096
-        cpu: x86-64-v3,flags=+spec-ctrl;+aes
-    - name: Retart VM
-      community.general.proxmox_kvm:
-        state: restarted
-        timeout: 60
-  handlers:
-    # Initial boot
-    # For some reason debian cloud images don't use
-    # cloud-init for networking on first boot (cloud-init files
-    # are regenerated AFTER networking starts). But we need the
-    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
-    - name: Initial boot
-      block:
-        - name: Start
-          community.general.proxmox_kvm:
-            state: started
-          register: start
-        - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init
-          ansible.builtin.wait_for:
-            timeout: 90

infra/secrets/0001_initialise_playbook.yaml

@@ -1,42 +0,0 @@
-- name: Initialise VM
-  hosts: secrets
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Install system packages
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - qemu-guest-agent
-          - parted
-      become: true
-    - name: Enable qemu-guest-agent
-      ansible.builtin.systemd:
-        name: qemu-guest-agent
-        state: started
-        enabled: true
-      become: true
-
-    - name: Create data partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1
-        label: gpt
-        name: data
-        number: 1
-        state: present
-      become: true
-    - name: Create data filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        fstype: ext4
-      become: true
-    - name: Mount data partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
-        path: /var/lib/docker
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true

infra/secrets/0002_docker_playbook.yaml

@@ -1,48 +0,0 @@
-- name: Install docker
-  hosts: secrets
-  gather_facts: false
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-
-    - name: Install dependencies
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - curl
-          - python3-apt
-          - gpg
-      become: true
-    - name: Add docker key
-      ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/debian/gpg
-        keyring: /etc/apt/keyrings/docker.gpg
-      become: true
-    - name: Add docker repo
-      ansible.builtin.apt_repository:
-        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable
-      become: true
-    - name: Install docker
-      ansible.builtin.apt:
-        update_cache: true
-        pkg:
-          - docker-ce
-          - docker-ce-cli
-          - containerd.io
-          - docker-buildx-plugin
-          - docker-compose-plugin
-      become: true
-    - name: Add user to docker group
-      ansible.builtin.user:
-        user: debian
-        groups:
-          - docker
-        append: true
-      become: true
-    - name: Enable docker
-      ansible.builtin.systemd:
-        name: docker
-        state: started
-        enabled: true
-      become: true

infra/secrets/0003_infiscal_playbook.yaml

@@ -1,37 +0,0 @@
-- name: Deploy app
-  hosts: secrets
-  gather_facts: false
-  vars:
-    app: infisical
-  tasks:
-    - name: Wait for connection
-      ansible.builtin.wait_for_connection:
-        timeout: 300
-    - name: Docker compose down
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
-        state: absent
-    - name: Copy project
-      ansible.builtin.copy:
-        src: "./{{ app }}"
-        dest: "$HOME"
-        mode: "0744"
-    - name: Replace Encryption Key secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "ENCRYPTION_KEY_VALUE"
-        replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_ENCRYPTION_KEY') }}"
-    - name: Replace Auth secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "AUTH_SECRET_VALUE"
-        replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_AUTH_SECRET') }}"
-    - name: Replace SMTP Password secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "SMTP_PASSWORD_VALUE"
-        replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}"
-
-    - name: Docker compose up -d
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"

infra/secrets/infisical/.env

@@ -1,71 +0,0 @@
-# Keys
-# Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-ENCRYPTION_KEY=ENCRYPTION_KEY_VALUE
-
-# JWT
-# Required secrets to sign JWT tokens
-# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-AUTH_SECRET=AUTH_SECRET_VALUE
-
-# Postgres creds
-POSTGRES_PASSWORD=infisical
-POSTGRES_USER=infisical
-POSTGRES_DB=infisical
-
-# Required
-DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
-
-# Redis
-REDIS_URL=redis://redis:6379
-
-# Website URL
-# Required
-SITE_URL=https://secrets.koval.net
-
-# Mail/SMTP 
-SMTP_HOST=mx.koval.net
-SMTP_PORT=465
-SMTP_SECURE=true
-SMTP_USERNAME=no-reply@koval.net
-SMTP_PASSWORD=SMTP_PASSWORD_VALUE
-SMTP_FROM_NAME=KovalHome Infisical
-SMTP_FROM_ADDRESS=no-reply@koval.net
-
-# Integration
-# Optional only if integration is used
-CLIENT_ID_HEROKU=
-CLIENT_ID_VERCEL=
-CLIENT_ID_NETLIFY=
-CLIENT_ID_GITHUB=
-CLIENT_ID_GITLAB=
-CLIENT_ID_BITBUCKET=
-CLIENT_SECRET_HEROKU=
-CLIENT_SECRET_VERCEL=
-CLIENT_SECRET_NETLIFY=
-CLIENT_SECRET_GITHUB=
-CLIENT_SECRET_GITLAB=
-CLIENT_SECRET_BITBUCKET=
-CLIENT_SLUG_VERCEL=
-
-# Sentry (optional) for monitoring errors
-SENTRY_DSN=
-
-# Infisical Cloud-specific configs
-# Ignore - Not applicable for self-hosted version
-POSTHOG_HOST=
-POSTHOG_PROJECT_API_KEY=
-
-# SSO-specific variables
-CLIENT_ID_GOOGLE_LOGIN=
-CLIENT_SECRET_GOOGLE_LOGIN=
-
-CLIENT_ID_GITHUB_LOGIN=
-CLIENT_SECRET_GITHUB_LOGIN=
-
-CLIENT_ID_GITLAB_LOGIN=
-CLIENT_SECRET_GITLAB_LOGIN=
-
-# Other
-INVITE_ONLY_SIGNUP=true
-TELEMETRY_ENABLED=false

infra/secrets/infisical/.gitignore

@@ -1 +0,0 @@
-!.env

infra/secrets/infisical/docker-compose.yml

@@ -1,50 +0,0 @@
-version: "3"
-
-services:
-  db-migration:
-    depends_on:
-      db:
-        condition: service_healthy
-    image: infisical/infisical:latest-postgres
-    env_file: .env
-    command: npm run migration:latest
-    pull_policy: always
-
-  backend:
-    restart: unless-stopped
-    depends_on:
-      db:
-        condition: service_healthy
-      redis:
-        condition: service_started
-      db-migration:
-        condition: service_completed_successfully
-    image: infisical/infisical:latest-postgres
-    pull_policy: always
-    env_file: .env
-    ports:
-      - 80:8080
-    environment:
-      - NODE_ENV=production
-
-  redis:
-    image: redis
-    env_file: .env
-    environment:
-      - ALLOW_EMPTY_PASSWORD=yes
-    ports:
-      - 6379:6379
-    volumes:
-      - /mnt/nvme/redis_data:/data
-
-  db:
-    image: postgres:14-alpine
-    restart: always
-    env_file: .env
-    volumes:
-      - /mnt/nvme/pg_data:/var/lib/postgresql/data
-    healthcheck:
-      test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list"
-      interval: 5s
-      timeout: 10s
-      retries: 10

inventory/proxmox.yaml

@@ -8,21 +8,9 @@ proxmox:
             pve2.mgmt.home.local.koval.net:
         managed:
           children:
-            cloud:
+            joplin:
               hosts:
-                cloud.srv.home.local.koval.net:
+                joplin2.srv.home.local.koval.net:
-            photos:
-              hosts:
-                photos.srv.home.local.koval.net:
-            secrets:
-              hosts:
-                secrets.srv.home.local.koval.net:
-            music:
-              hosts:
-                music.srv.home.local.koval.net:
-            samba:
-              hosts:
-                samba.srv.home.local.koval.net:
           vars:
             ansible_user: debian
             ansible_ssh_private_key_file: ~/.ssh/id_rsa

requirements.txt

@@ -1,4 +1,3 @@
 ansible
 proxmoxer
 requests
-infisical

requirements.yml

@@ -1,4 +0,0 @@
-collections:
-  - name: community.general
-  - name: community.docker
-  - name: infisical.vault