🎉 initial commit

.gitignore

@@ -0,0 +1,7 @@
+.vagrant
+*.retry
+
+# Ignore built binaries
+roles/backup/files/restic-*
+
+/backup-restore/

Vagrantfile

@@ -0,0 +1,19 @@
+# This guide is optimized for Vagrant 1.8 and above.
+# Older versions of Vagrant put less info in the inventory they generate.
+Vagrant.require_version ">= 1.8.0"
+
+Vagrant.configure(2) do |config|
+
+  config.vm.box = "debian/bookworm64"
+  config.vm.network "forwarded_port", guest: 3000, host: 3000
+  config.vm.define "jake-vagrant"
+
+  # Common Ansible options: https://developer.hashicorp.com/vagrant/docs/provisioning/ansible_common
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "playbook-vagrant.yml"
+    ansible.become = true
+    ansible.groups = {
+      "vagrant" => ["jake-vagrant"]
+    }
+  end
+end

ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+deprecation_warnings=False
+vault_password_file=~/.vault_pass
+inventory = inventory/production

group_vars/all/all.yml

@@ -0,0 +1,2 @@
+---
+hello: world

group_vars/all/vault.yml

@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.1;AES256
+32393031303830663865643061386435643163366533356536616637376563343435303134326331
+3866366639613362306363623963323964396431656136300a353262663533636435353239663039
+64653566623339346537653236323935346333356633646634393539306238323834363663373161
+6234666363393566620a613866623637383763663639653262303362346665636565623139646439
+37623034303666393462656263383535323566346138623131656161366434333664396264636339
+65383336653932356335383133356463653266646137613865393532663839316531306330633234
+64356133303036666334663034343134653062636639623732373136656565353234346633613937
+35333139386131313462373262393336653661303661373039616561366636656563633838663964
+62663765383363663933343064366131646637323837333133343738653863376638326337663261
+37366463656563613734656334343162656236343463643062356461643639393161353061383139
+36323539333966623061646661373366333838323066353764343833346463623064633066393130
+38663633373537356339386635666236653131363763393736376566313431336664666131623164
+61303666303131663165363462343965323731393566393663326537613164643065376334386133
+33303062626436663631303433323232613731626330326238356633663464663733353432636166
+65323565363566333235306334626336653238346362666630646134663133633237633766613435
+38343762376338636137303832343531373264333535366337393036303739663863646539313433
+37326630383834316265303664326138343132663039343133643132316264383439383261636235
+33623861633537313062323037363830663339663538653034353838643966633662663535346339
+35333736323334656235336437376466613866616432636636626563333666373662626433306534
+63613436623635343035383366396265396362373261333839333362643062373461333233313861
+38346232353864323138656161323535633431313761336563333433643966396130643333363633
+34636632613134383064343334313464393462356539343836623865386433643431303633656166
+35363431393135346530616561363434666535653031393566393664666339383737336333636362
+36643761663039353039313937373861363361656463393865323535356534396565623365636134
+30663232376164323163633165656234646361313939303364316161343236656239653663623930
+34636566383836633064303132373535396337633132306362353632613434396132346564346434
+61623931616630633034633862633165323463643137613133323863633632313861303134343963
+34646263623935313030303830323930383230373462333033343236336539666565313766623739
+62666166643966613462633437646436376565613236356631303066333864613662396336373839
+6362326139663138376239356437343430323637326466373934

inventory/production

@@ -0,0 +1,2 @@
+[jake]
+jake.box.nilsnh.no ansible_user=jake

license.md

@@ -0,0 +1,149 @@
+**HIPPOCRATIC LICENSE**
+
+**Version 3.0, October 2021**
+
+<https://firstdonoharm.dev/version/3/0/full.md>
+
+**TERMS AND CONDITIONS**
+
+TERMS AND CONDITIONS FOR USE, COPY, MODIFICATION, PREPARATION OF DERIVATIVE WORK, REPRODUCTION, AND DISTRIBUTION:
+
+**[1.](#1) DEFINITIONS:**
+
+_This section defines certain terms used throughout this license agreement._
+
+[1.1.](#1.1) “License” means the terms and conditions, as stated herein, for use, copy, modification, preparation of derivative work, reproduction, and distribution of Software (as defined below).
+
+[1.2.](#1.2) “Licensor” means the copyright and/or patent owner or entity authorized by the copyright and/or patent owner that is granting the License.
+
+[1.3.](#1.3) “Licensee” means the individual or entity exercising permissions granted by this License, including the use, copy, modification, preparation of derivative work, reproduction, and distribution of Software (as defined below).
+
+[1.4.](#1.4) “Software” means any copyrighted work, including but not limited to software code, authored by Licensor and made available under this License.
+
+[1.5.](#1.5) “Supply Chain” means the sequence of processes involved in the production and/or distribution of a commodity, good, or service offered by the Licensee.
+
+[1.6.](#1.6) “Supply Chain Impacted Party” or “Supply Chain Impacted Parties” means any person(s) directly impacted by any of Licensee’s Supply Chain, including the practices of all persons or entities within the Supply Chain prior to a good or service reaching the Licensee.
+
+[1.7.](#1.7) “Duty of Care” is defined by its use in tort law, delict law, and/or similar bodies of law closely related to tort and/or delict law, including without limitation, a requirement to act with the watchfulness, attention, caution, and prudence that a reasonable person in the same or similar circumstances would use towards any Supply Chain Impacted Party.
+
+[1.8.](#1.8) “Worker” is defined to include any and all permanent, temporary, and agency workers, as well as piece-rate, salaried, hourly paid, legal young (minors), part-time, night, and migrant workers.
+
+**[2.](#2) INTELLECTUAL PROPERTY GRANTS:**
+
+_This section identifies intellectual property rights granted to a Licensee_.
+
+[2.1.](#2.1) _Grant of Copyright License_: Subject to the terms and conditions of this License, Licensor hereby grants to Licensee a worldwide, non-exclusive, no-charge, royalty-free copyright license to use, copy, modify, prepare derivative work, reproduce, or distribute the Software, Licensor authored modified software, or other work derived from the Software.
+
+[2.2.](#2.2) _Grant of Patent License_: Subject to the terms and conditions of this License, Licensor hereby grants Licensee a worldwide, non-exclusive, no-charge, royalty-free patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer Software.
+
+**[3.](#3) ETHICAL STANDARDS:**
+
+_This section lists conditions the Licensee must comply with in order to have rights under this License._
+
+The rights granted to the Licensee by this License are expressly made subject to the Licensee’s ongoing compliance with the following conditions:
+
+* [3.1.](#3.1) The Licensee SHALL NOT, whether directly or indirectly, through agents or assigns:  
+   * [3.1.1.](#3.1.1) Infringe upon any person’s right to life or security of person, engage in extrajudicial killings, or commit murder, without lawful cause (See Article 3, _United Nations Universal Declaration of Human Rights_; Article 6, _International Covenant on Civil and Political Rights_)  
+   * [3.1.2.](#3.1.2) Hold any person in slavery, servitude, or forced labor (See Article 4, _United Nations Universal Declaration of Human Rights_; Article 8, _International Covenant on Civil and Political Rights_);  
+   * [3.1.3.](#3.1.3) Contribute to the institution of slavery, slave trading, forced labor, or unlawful child labor (See Article 4, _United Nations Universal Declaration of Human Rights_; Article 8, _International Covenant on Civil and Political Rights_);  
+   * [3.1.4.](#3.1.4) Torture or subject any person to cruel, inhumane, or degrading treatment or punishment (See Article 5, _United Nations Universal Declaration of Human Rights_; Article 7, _International Covenant on Civil and Political Rights_);  
+   * [3.1.5.](#3.1.5) Discriminate on the basis of sex, gender, sexual orientation, race, ethnicity, nationality, religion, caste, age, medical disability or impairment, and/or any other like circumstances (See Article 7, _United Nations Universal Declaration of Human Rights_; Article 2, _International Covenant on Economic, Social and Cultural Rights_; Article 26, _International Covenant on Civil and Political Rights_);  
+   * [3.1.6.](#3.1.6) Prevent any person from exercising his/her/their right to seek an effective remedy by a competent court or national tribunal (including domestic judicial systems, international courts, arbitration bodies, and other adjudicating bodies) for actions violating the fundamental rights granted to him/her/them by applicable constitutions, applicable laws, or by this License (See Article 8, _United Nations Universal Declaration of Human Rights_; Articles 9 and 14, _International Covenant on Civil and Political Rights_);  
+   * [3.1.7.](#3.1.7) Subject any person to arbitrary arrest, detention, or exile (See Article 9, _United Nations Universal Declaration of Human Rights_; Article 9, _International Covenant on Civil and Political Rights_);  
+   * [3.1.8.](#3.1.8) Subject any person to arbitrary interference with a person’s privacy, family, home, or correspondence without the express written consent of the person (See Article 12, _United Nations Universal Declaration of Human Rights_; Article 17, _International Covenant on Civil and Political Rights_);  
+   * [3.1.9.](#3.1.9) Arbitrarily deprive any person of his/her/their property (See Article 17, _United Nations Universal Declaration of Human Rights_);  
+   * [3.1.10.](#3.1.10) Forcibly remove indigenous peoples from their lands or territories or take any action with the aim or effect of dispossessing indigenous peoples from their lands, territories, or resources, including without limitation the intellectual property or traditional knowledge of indigenous peoples, without the free, prior, and informed consent of indigenous peoples concerned (See Articles 8 and 10, _United Nations Declaration on the Rights of Indigenous Peoples_);  
+   * [3.1.11.](#3.1.11) _Fossil Fuel Divestment_: Be an individual or entity, or a representative, agent, affiliate, successor, attorney, or assign of an individual or entity, on the [FFI Solutions Carbon Underground 200 list](https://www.ffisolutions.com/research-analytics-index-solutions/research-screening/the-carbon-underground-200/?cn-reloaded=1);  
+   * [3.1.12.](#3.1.12) _Ecocide_: Commit ecocide:  
+         * [3.1.12.1.](#3.1.12.1) For the purpose of this section, “ecocide” means unlawful or wanton acts committed with knowledge that there is a substantial likelihood of severe and either widespread or long-term damage to the environment being caused by those acts;  
+         * [3.1.12.2.](#3.1.12.2) For the purpose of further defining ecocide and the terms contained in the previous paragraph:  
+                  * [3.1.12.2.1.](#3.1.12.2.1) “Wanton” means with reckless disregard for damage which would be clearly excessive in relation to the social and economic benefits anticipated;  
+                  * [3.1.12.2.2.](#3.1.12.2.2) “Severe” means damage which involves very serious adverse changes, disruption, or harm to any element of the environment, including grave impacts on human life or natural, cultural, or economic resources;  
+                  * [3.1.12.2.3.](#3.1.12.2.3) “Widespread” means damage which extends beyond a limited geographic area, crosses state boundaries, or is suffered by an entire ecosystem or species or a large number of human beings;  
+                  * [3.1.12.2.4.](#3.1.12.2.4) “Long-term” means damage which is irreversible or which cannot be redressed through natural recovery within a reasonable period of time; and  
+                  * [3.1.12.2.5.](#3.1.12.2.5) “Environment” means the earth, its biosphere, cryosphere, lithosphere, hydrosphere, and atmosphere, as well as outer space  
+                  (See Section II, _Independent Expert Panel for the Legal Definition of Ecocide_, Stop Ecocide Foundation and the Promise Institute for Human Rights at UCLA School of Law, June 2021);  
+   * [3.1.13.](#3.1.13) _Extractive Industries_: Be an individual or entity, or a representative, agent, affiliate, successor, attorney, or assign of an individual or entity, that engages in fossil fuel or mineral exploration, extraction, development, or sale;  
+   * [3.1.14.](#3.1.14) _Boycott / Divestment / Sanctions_: Be an individual or entity, or a representative, agent, affiliate, successor, attorney, or assign of an individual or entity, identified by the Boycott, Divestment, Sanctions (“BDS”) movement on its website (<https://bdsmovement.net/> and <https://bdsmovement.net/get-involved/what-to-boycott>) as a target for boycott;  
+   * [3.1.15.](#3.1.15) _Taliban_: Be an individual or entity that:  
+         * [3.1.15.1.](#3.1.15.1) engages in any commercial transactions with the Taliban; or  
+         * [3.1.15.2.](#3.1.15.2) is a representative, agent, affiliate, successor, attorney, or assign of the Taliban;  
+   * [3.1.16.](#3.1.16) _Myanmar_: Be an individual or entity that:  
+         * [3.1.16.1.](#3.1.16.1) engages in any commercial transactions with the Myanmar/Burmese military junta; or  
+         * [3.1.16.2.](#3.1.16.2) is a representative, agent, affiliate, successor, attorney, or assign of the Myanmar/Burmese government;  
+   * [3.1.17.](#3.1.17) _Xinjiang Uygur Autonomous Region_: Be an individual or entity, or a representative, agent, affiliate, successor, attorney, or assign of any individual or entity, that does business in, purchases goods from, or otherwise benefits from goods produced in the Xinjiang Uygur Autonomous Region of China;  
+   * [3.1.18.](#3.1.18) _US Tariff Act_: Be an individual or entity:  
+         * [3.1.18.1.](#3.1.18.1) which U.S. Customs and Border Protection (CBP) has currently issued a Withhold Release Order (WRO) or finding against based on reasonable suspicion of forced labor; or  
+         * [3.1.18.2.](#3.1.18.2) that is a representative, agent, affiliate, successor, attorney, or assign of an individual or entity that does business with an individual or entity which currently has a WRO or finding from CBP issued against it based on reasonable suspicion of forced labor;  
+   * [3.1.19.](#3.1.19) _Mass Surveillance_: Be a government agency or multinational corporation, or a representative, agent, affiliate, successor, attorney, or assign of a government or multinational corporation, which participates in mass surveillance programs;  
+   * [3.1.20.](#3.1.20) _Military Activities_: Be an entity or a representative, agent, affiliate, successor, attorney, or assign of an entity which conducts military activities;  
+   * [3.1.21.](#3.1.21) _Law Enforcement_: Be an individual or entity, or a representative, agent, affiliate, successor, attorney, or assign of an individual or entity, that provides good or services to, or otherwise enters into any commercial contracts with, any local, state, or federal law enforcement agency;  
+   * [3.1.22.](#3.1.22) _Media_: Be an individual or entity, or a representative, agent, affiliate, successor, attorney, or assign of an individual or entity, that broadcasts messages promoting killing, torture, or other forms of extreme violence;  
+   * [3.1.23.](#3.1.23) Interfere with Workers' free exercise of the right to organize and associate (See Article 20, United Nations Universal Declaration of Human Rights; C087 - Freedom of Association and Protection of the Right to Organise Convention, 1948 (No. 87), International Labour Organization; Article 8, International Covenant on Economic, Social and Cultural Rights); and  
+   * [3.1.24.](#3.1.24) Harm the environment in a manner inconsistent with local, state, national, or international law.
+* [3.2.](#3.2) The Licensee SHALL:  
+   * [3.2.1.](#3.2.1) _Social Auditing_: Only use social auditing mechanisms that adhere to Worker-Driven Social Responsibility Network’s Statement of Principles (<https://wsr-network.org/what-is-wsr/statement-of-principles/>) over traditional social auditing mechanisms, to the extent the Licensee uses any social auditing mechanisms at all;  
+   * [3.2.2.](#3.2.2) _Workers on Board of Directors_: Ensure that if the Licensee has a Board of Directors, 30% of Licensee’s board seats are held by Workers paid no more than 200% of the compensation of the lowest paid Worker of the Licensee;  
+   * [3.2.3.](#3.2.3) _Supply Chain_: Provide clear, accessible supply chain data to the public in accordance with the following conditions:  
+         * [3.2.3.1.](#3.2.3.1) All data will be on Licensee’s website and/or, to the extent Licensee is a representative, agent, affiliate, successor, attorney, subsidiary, or assign, on Licensee’s principal’s or parent’s website or some other online platform accessible to the public via an internet search on a common internet search engine; and  
+         * [3.2.3.2.](#3.2.3.2) Data published will include, where applicable, manufacturers, top tier suppliers, subcontractors, cooperatives, component parts producers, and farms;  
+   * [3.2.4.](#3.2.4) Provide equal pay for equal work where the performance of such work requires equal skill, effort, and responsibility, and which are performed under similar working conditions, except where such payment is made pursuant to:  
+         * [3.2.4.1.](#3.2.4.1) A seniority system;  
+         * [3.2.4.2.](#3.2.4.2) A merit system;  
+         * [3.2.4.3.](#3.2.4.3) A system which measures earnings by quantity or quality of production; or  
+         * [3.2.4.4.](#3.2.4.4) A differential based on any other factor other than sex, gender, sexual orientation, race, ethnicity, nationality, religion, caste, age, medical disability or impairment, and/or any other like circumstances (See 29 U.S.C.A. § 206(d)(1); Article 23, _United Nations Universal Declaration of Human Rights_; Article 7, _International Covenant on Economic, Social and Cultural Rights_; Article 26, _International Covenant on Civil and Political Rights_); and  
+   * [3.2.5.](#3.2.5) Allow for reasonable limitation of working hours and periodic holidays with pay (See Article 24, _United Nations Universal Declaration of Human Rights_; Article 7, _International Covenant on Economic, Social and Cultural Rights_).
+
+**[4.](#4) SUPPLY CHAIN IMPACTED PARTIES:**
+
+_This section identifies additional individuals or entities that a Licensee could harm as a result of violating the Ethical Standards section, the condition that the Licensee must voluntarily accept a Duty of Care for those individuals or entities, and the right to a private right of action that those individuals or entities possess as a result of violations of the Ethical Standards section._
+
+[4.1.](#4.1) In addition to the above Ethical Standards, Licensee voluntarily accepts a Duty of Care for Supply Chain Impacted Parties of this License, including individuals and communities impacted by violations of the Ethical Standards. The Duty of Care is breached when a provision within the Ethical Standards section is violated by a Licensee, one of its successors or assigns, or by an individual or entity that exists within the Supply Chain prior to a good or service reaching the Licensee.
+
+[4.2.](#4.2) Breaches of the Duty of Care, as stated within this section, shall create a private right of action, allowing any Supply Chain Impacted Party harmed by the Licensee to take legal action against the Licensee in accordance with applicable negligence laws, whether they be in tort law, delict law, and/or similar bodies of law closely related to tort and/or delict law, regardless if Licensee is directly responsible for the harms suffered by a Supply Chain Impacted Party. Nothing in this section shall be interpreted to include acts committed by individuals outside of the scope of his/her/their employment.
+
+[5.](#5) **NOTICE:** _This section explains when a Licensee must notify others of the License._
+
+[5.1.](#5.1) _Distribution of Notice_: Licensee must ensure that everyone who receives a copy of or uses any part of Software from Licensee, with or without changes, also receives the License and the copyright notice included with Software (and if included by the Licensor, patent, trademark, and attribution notice). Licensee must ensure that License is prominently displayed so that any individual or entity seeking to download, copy, use, or otherwise receive any part of Software from Licensee is notified of this License and its terms and conditions. Licensee must cause any modified versions of the Software to carry prominent notices stating that Licensee changed the Software.
+
+[5.2.](#5.2) _Modified Software_: Licensee is free to create modifications of the Software and distribute only the modified portion created by Licensee, however, any derivative work stemming from the Software or its code must be distributed pursuant to this License, including this Notice provision.
+
+[5.3.](#5.3) _Recipients as Licensees_: Any individual or entity that uses, copies, modifies, reproduces, distributes, or prepares derivative work based upon the Software, all or part of the Software’s code, or a derivative work developed by using the Software, including a portion of its code, is a Licensee as defined above and is subject to the terms and conditions of this License.
+
+**[6.](#6) REPRESENTATIONS AND WARRANTIES:**
+
+[6.1.](#6.1) _Disclaimer of Warranty_: TO THE FULL EXTENT ALLOWED BY LAW, THIS SOFTWARE COMES “AS IS,” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, AND LICENSOR SHALL NOT BE LIABLE TO ANY PERSON OR ENTITY FOR ANY DAMAGES OR OTHER LIABILITY ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THIS LICENSE, UNDER ANY LEGAL CLAIM.
+
+[6.2.](#6.2) _Limitation of Liability_: LICENSEE SHALL HOLD LICENSOR HARMLESS AGAINST ANY AND ALL CLAIMS, DEBTS, DUES, LIABILITIES, LIENS, CAUSES OF ACTION, DEMANDS, OBLIGATIONS, DISPUTES, DAMAGES, LOSSES, EXPENSES, ATTORNEYS' FEES, COSTS, LIABILITIES, AND ALL OTHER CLAIMS OF EVERY KIND AND NATURE WHATSOEVER, WHETHER KNOWN OR UNKNOWN, ANTICIPATED OR UNANTICIPATED, FORESEEN OR UNFORESEEN, ACCRUED OR UNACCRUED, DISCLOSED OR UNDISCLOSED, ARISING OUT OF OR RELATING TO LICENSEE’S USE OF THE SOFTWARE. NOTHING IN THIS SECTION SHOULD BE INTERPRETED TO REQUIRE LICENSEE TO INDEMNIFY LICENSOR, NOR REQUIRE LICENSOR TO INDEMNIFY LICENSEE.
+
+**[7.](#7) TERMINATION**
+
+[7.1.](#7.1) _Violations of Ethical Standards or Breaching Duty of Care_: If Licensee violates the Ethical Standards section or Licensee, or any other person or entity within the Supply Chain prior to a good or service reaching the Licensee, breaches its Duty of Care to Supply Chain Impacted Parties, Licensee must remedy the violation or harm caused by Licensee within 30 days of being notified of the violation or harm. If Licensee fails to remedy the violation or harm within 30 days, all rights in the Software granted to Licensee by License will be null and void as between Licensor and Licensee.
+
+[7.2.](#7.2) _Failure of Notice_: If any person or entity notifies Licensee in writing that Licensee has not complied with the Notice section of this License, Licensee can keep this License by taking all practical steps to comply within 30 days after the notice of noncompliance. If Licensee does not do so, Licensee’s License (and all rights licensed hereunder) will end immediately.
+
+[7.3.](#7.3) _Judicial Findings_: In the event Licensee is found by a civil, criminal, administrative, or other court of competent jurisdiction, or some other adjudicating body with legal authority, to have committed actions which are in violation of the Ethical Standards or Supply Chain Impacted Party sections of this License, all rights granted to Licensee by this License will terminate immediately.
+
+[7.4.](#7.4) _Patent Litigation_: If Licensee institutes patent litigation against any entity (including a cross-claim or counterclaim in a suit) alleging that the Software, all or part of the Software’s code, or a derivative work developed using the Software, including a portion of its code, constitutes direct or contributory patent infringement, then any patent license, along with all other rights, granted to Licensee under this License will terminate as of the date such litigation is filed.
+
+[7.5.](#7.5) _Additional Remedies_: Termination of the License by failing to remedy harms in no way prevents Licensor or Supply Chain Impacted Party from seeking appropriate remedies at law or in equity.
+
+**[8.](#8) MISCELLANEOUS:**
+
+[8.1.](#8.1) _Conditions_: Sections 3, 4.1, 5.1, 5.2, 7.1, 7.2, 7.3, and 7.4 are conditions of the rights granted to Licensee in the License.
+
+[8.2.](#8.2) _Equitable Relief_: Licensor and any Supply Chain Impacted Party shall be entitled to equitable relief, including injunctive relief or specific performance of the terms hereof, in addition to any other remedy to which they are entitled at law or in equity.
+
+[8.3.](#8.3) _Copyleft_: Modified software, source code, or other derivative work must be licensed, in its entirety, under the exact same conditions as this License.
+
+[8.4.](#8.4) _Severability_: If any term or provision of this License is determined to be invalid, illegal, or unenforceable by a court of competent jurisdiction, any such determination of invalidity, illegality, or unenforceability shall not affect any other term or provision of this License or invalidate or render unenforceable such term or provision in any other jurisdiction. If the determination of invalidity, illegality, or unenforceability by a court of competent jurisdiction pertains to the terms or provisions contained in the Ethical Standards section of this License, all rights in the Software granted to Licensee shall be deemed null and void as between Licensor and Licensee.
+
+[8.5.](#8.5) _Section Titles_: Section titles are solely written for organizational purposes and should not be used to interpret the language within each section.
+
+[8.6.](#8.6) _Citations_: Citations are solely written to provide context for the source of the provisions in the Ethical Standards.
+
+[8.7.](#8.7) _Section Summaries_: Some sections have a brief _italicized description_ which is provided for the sole purpose of briefly describing the section and should not be used to interpret the terms of the License.
+
+[8.8.](#8.8) _Entire License_: This is the entire License between the Licensor and Licensee with respect to the claims released herein and that the consideration stated herein is the only consideration or compensation to be paid or exchanged between them for this License. This License cannot be modified or amended except in a writing signed by Licensor and Licensee.
+
+[8.9.](#8.9) _Successors and Assigns_: This License shall be binding upon and inure to the benefit of the Licensor’s and Licensee’s respective heirs, successors, and assigns.

playbook-vagrant.yml

@@ -0,0 +1,17 @@
+---
+- hosts: vagrant
+  vars:
+    mta_user: "{{ vault_mta_user }}" 
+    mta_user_pw: "{{ vault_mta_user_pw }}"
+    machine_from_email: "noreply+jake@nilsnh.no"
+    machine_notifications_receiver: "mail@nilsnh.no" 
+    forgejo_load_backup: "/vagrant/backup-restore/forgejo"
+    forgejo_domain: "code.on.nilsnh.no"
+    forgejo_from: "\"Forgejo at nilsnh.no\" <{{ machine_from_email }}>"
+  roles:
+    # - backup
+    # - base
+    # - sendmail
+    - forgejo
+
+# Tip! Use Valet proxy to setup local proxies.

playbook.yml

@@ -0,0 +1,17 @@
+---
+- hosts: jake
+  handlers:
+  vars:
+    restic_repo_pw: "{{ vault_restic_pw_jake }}"
+    restic_repo_url: "{{ vault_restic_url_jake }}"
+    mta_user: "{{ vault_mta_user }}" 
+    mta_user_pw: "{{ vault_mta_user_pw }}"
+    machine_from_email: "noreply+jake@nilsnh.no"
+    machine_notifications_receiver: "mail@nilsnh.no" 
+    forgejo_domain: "code.on.nilsnh.no"
+    forgejo_from: "\"Forgejo at nilsnh.no\" <{{ machine_from_email }}>"
+  roles:
+    - backup
+    - sendmail
+    - forgejo
+    - caddy

readme.md

@@ -0,0 +1,71 @@
+# My homelab documentation
+
+Servers tend to get weird over time. Hence, I maintain this overview to remind myself of all the stuff running various places. This makes it easier to get everything back up and running when the hardware eventually fails. 
+
+I also hope that sharing this can inspire others to try self-hosting as well.
+
+Services currently handled by this Ansible setup:
+
+- [code.on.nilsnh.no](https://code.on.nilsnh.no/)
+
+## Getting started with local development
+
+Prerequisites:
+ - [Ansible](https://www.ansible.com/)
+ - [Vagrant](https://www.vagrantup.com/)
+ - [Go](https://go.dev/) for building [Restic](https://restic.readthedocs.io/) from source.
+
+1. Run `git clone --recurse-submodules git@code.on.nilsnh.no:nilsnh/ansible-homelab.git` to download this repo including any git submodules.
+1. Run `./scripts/build.sh` to build binaries from source.
+1. Start local Vagrant with `vagrant up --provision-with ansible`.
+    - Use `vagrant destroy` to fully delete box.
+    - Use `vagrant ssh` to ssh inside a running box.
+    - Use `vagrant provision` to quickly re-run Ansible changes when developing.
+    - You can use [Valet](https://cpriego.github.io/valet-linux/) to setup local SSL proxy and get URLs like `https://myniceservice.test`.
+
+:point_up: This will fail if you don't have configured [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) password.
+
+## Deploying changes
+
+1. First ensure that you have Ansible Vault correctly configured. See section below.
+1. Call `ansible-playbook --become playbook.yml`.
+
+If you're deploying to a lot of different machines, you should consider a different deployment strategy.
+
+## How-to setup Raspberry Pi to use SSD storage
+
+1. Use [Raspberry Pi Imager](https://www.raspberrypi.com/software/).
+1. Flash a new SSD
+  - Use my default SSH public key.
+  - Activate SSH login.
+  - Skip configuring wi-fi, if you're relying on ethernet instead.
+
+## Configuring Ansible Vault
+
+A `ansible.cfg` file in project root is configured to check `~/.vault_pass` for Vault password.
+
+To edit Vault entries run `ansible-vault edit group_vars/all/vault.yml`.
+
+### Current Ansible Vault variables
+
+Credentials for accessing remote mailserver:
+
+- `vault_mta_user`
+- `vault_mta_user_pw`
+
+Credentials initially created by Forgejo and then stored here:
+
+- `vault_forgejo_lfs_secret`
+- `vault_forgejo_internal_token`
+- `vault_forgejo_jwt_secret`
+
+Credentials for accessing the Restic backup destination:
+
+- `vault_restic_url_jake`
+- `vault_restic_pw_jake`
+
+## License
+
+Unless otherwise specified the contents of this project is licensed under the [Hippocratic License](https://firstdonoharm.dev/), see [license](license.md). 
+
+Any code in the `vendor/` sub-directory come with its own respective licensing, and is not covered by the Hippocratic License.

roles/backup/files/backup.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup relevant services
+OnFailure=status-email@%n
+
+[Service]
+Type=oneshot
+ExecStart=/root/backup.sh
+User=root
+Group=root
+

roles/backup/files/backup.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Run backups daily
+
+[Timer]
+OnCalendar=daily
+Persistent=false
+
+[Install]
+WantedBy=timers.target

roles/backup/tasks/main.yml

@@ -0,0 +1,67 @@
+- name: upload restic binary
+  become: true
+  ansible.builtin.copy:
+    src: restic-arm64
+    dest: /usr/local/bin/restic
+    mode: '0755'
+    owner: root
+    group: root
+
+- name: upload restic.sh script 
+  become: true
+  ansible.builtin.template:
+    src: restic.j2
+    dest: /root/restic.sh
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: initialize restic repository
+  become: true
+  ansible.builtin.shell: /root/restic.sh init
+  # Handle if restic has already been initialized
+  register: result
+  failed_when:
+    - result.rc == 1
+    - '"config file already exists" not in result.stderr'
+  changed_when: '"config file already exists" not in result.stderr'
+
+- name: upload backup script
+  become: true
+  ansible.builtin.template:
+    src: backup.j2
+    dest: /root/backup.sh
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: upload system-email notification script
+  become: true
+  ansible.builtin.template:
+    src: system-email.sh.j2
+    dest: /usr/local/bin/system-email
+    mode: '0755'
+    owner: root
+    group: root
+
+- name: setup status-email.service
+  become: true
+  ansible.builtin.template:
+    src: status-email.service.j2
+    dest: /etc/systemd/system/status-email@.service
+  
+- name: upload systemd unit files
+  become: true
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+  with_items:
+    - backup.service
+    - backup.timer
+
+- name: Enable backup.timer
+  become: true
+  ansible.builtin.systemd:
+    name: backup.timer
+    state: started
+    enabled: true

roles/backup/templates/backup.j2

@@ -0,0 +1,17 @@
+#!/bin/env bash
+
+# Fail fast
+set -e
+
+# Dump data from one or more services
+(cd "/tmp" && forgejo.sh dump --file="forgejo.zip")
+
+/root/restic.sh backup /tmp/forgejo.zip
+
+/root/restic.sh forget \
+    --keep-daily 7 \
+    --keep-weekly 4 \
+    --keep-monthly 3 \
+    --prune
+
+/root/restic.sh check

roles/backup/templates/restic.j2

@@ -0,0 +1,7 @@
+#!/bin/env bash
+
+# Helper script to target correct repo and password. It passes
+# any arguments to the restic binary.
+RESTIC_PASSWORD="{{ restic_repo_pw }}" \
+    RESTIC_REPOSITORY="{{ restic_repo_url }}" \
+    restic "$@"

roles/backup/templates/status-email.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=status email for %i to {{ machine_notifications_receiver }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/systemd-email %i
+User=root
+Group=root

roles/backup/templates/system-email.sh.j2

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Tailored to be called as a systemd error notification.
+# Inspired by: https://wiki.archlinux.org/title/Systemd/Timers#As_a_cron_replacement
+
+sendmail -t <<ERRMAIL
+To: {{ machine_notifications_receiver }}
+From: {{ machine_from_email }}
+Subject: "$1.service" stumbled
+Content-Transfer-Encoding: 8bit
+Content-Type: text/plain; charset=UTF-8
+
+$(systemctl status --full "$1")
+ERRMAIL

roles/base/files/20auto-upgrades

@@ -0,0 +1,18 @@
+//
+// !!! WARNING: This file is managed by Ansible, DON'T EDIT it manually !!!
+//
+
+// Enable unattended upgrades.
+APT::Periodic::Enable "1";
+
+// Do "apt-get upgrade" every n-days (0=disable).
+APT::Periodic::Unattended-Upgrade "1";
+
+// Do "apt-get upgrade --download-only" every n-days (0=disable).
+APT::Periodic::Update-Package-Lists "1";
+
+// Do "apt-get upgrade --download-only" every n-days (0=disable).
+APT::Periodic::Download-Upgradeable-Packages "1";
+
+// Do "apt-get autoclean" every n-days (0=disable).
+APT::Periodic::AutocleanInterval "7";  

roles/base/files/50unattended-upgrades

@@ -0,0 +1,36 @@
+//
+// !!! WARNING: This file is managed by Ansible, DON'T EDIT it manually !!!
+//
+
+Unattended-Upgrade::Origins-Pattern {
+    "o=Debian,n=${distro_codename},l=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+// Automatically run "dpkg --force-confold --configure -a".
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Do automatic removal of new unused dependencies after the upgrade.
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Install upgrades when the machine is shuting down instead of doing it in the background.
+Unattended-Upgrade::InstallOnShutdown "false";
+
+// Automatically reboot if the file /var/run/reboot-required is found after the upgrade.
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// Automatically reboot even if there are users currently logged in.
+Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific time.
+Unattended-Upgrade::Automatic-Reboot-Time "now";
+
+// Enable mail notifications.
+Unattended-Upgrade::Mail "mail@nilsnh.no";
+Unattended-Upgrade::MailOnlyOnError "true";
+
+// Enable logging via syslog.
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";

roles/base/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: regenerate locales
+  become: true
+  shell: locale-gen

roles/base/tasks/main.yml

@@ -0,0 +1,38 @@
+# Learn more: https://wiki.debian.org/Locale
+- name: enable additional locales
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/locale.gen
+    regexp: "{{ item }}"
+    line: "{{ item }}"
+  with_items:
+    - nb_NO.UTF-8 UTF-8
+  notify: regenerate locales
+
+- name: install basic packages
+  become: yes
+  package:
+    name:
+      - vim
+      - git
+      - curl
+      - zsh
+      - unattended-upgrades
+      - apt-listchanges
+      - tmux
+      - ranger
+    state: latest
+
+# Inspired by this guide
+# https://blog.confirm.ch/unattended-upgrades-in-debian/
+- name: configure unattended upgrades
+  become: yes
+  copy:
+    src: "{{ item }}"
+    dest: /etc/apt/apt.conf.d
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - 20auto-upgrades
+    - 50unattended-upgrades

roles/caddy/files/Caddyfile

@@ -0,0 +1,16 @@
+# The Caddyfile is an easy way to configure your Caddy web server.
+#
+# Unless the file starts with a global options block, the first
+# uncommented line is always the address of your site.
+#
+# To use your own domain name (with automatic HTTPS), first make
+# sure your domain's A/AAAA DNS records are properly pointed to
+# this machine's public IP, then replace ":80" below with your
+# domain name.
+
+code.on.nilsnh.no {
+	reverse_proxy :3000
+}
+
+# Refer to the Caddy docs for more information:
+# https://caddyserver.com/docs/caddyfile

roles/caddy/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: reload caddy
+  become: true
+  systemd:
+    name: caddy
+    state: reloaded
+    enabled: yes
+    masked: no

roles/caddy/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: Ensure dependencies are installed.
+  apt:
+    name:
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+      - gnupg2
+      - curl 
+    state: present
+
+- name: Check if Caddy's GPG is present
+  stat:
+    path: "/usr/share/keyrings/caddy-stable-archive-keyring.gpg"
+  register: caddy_gpg_key
+
+- name: Download Caddy GPG key
+  ansible.builtin.get_url:
+    url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+    dest: /tmp/caddy-stable-gpg.key
+    checksum: md5:2d4a43cd25514f24ddf35467d6abfe5f
+  when: not caddy_gpg_key.stat.exists
+
+- name: Unpack (dearmor) GPG key
+  ansible.builtin.shell: gpg --dearmor < /tmp/caddy-stable-gpg.key > /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+  when: not caddy_gpg_key.stat.exists
+
+- name: Add Caddy repository.
+  apt_repository:
+    repo: "deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
+    state: present
+    update_cache: true
+    filename: caddy
+    mode: 0644
+
+- name: Install Caddy
+  apt:
+    name:
+      - caddy
+    state: present
+
+- name: upload Caddyfile
+  copy:
+    owner: root
+    mode: 644
+    src: Caddyfile
+    dest: /etc/caddy/Caddyfile
+  notify: reload caddy

roles/caddy/templates/Caddyfile

@@ -0,0 +1 @@
+

roles/firewall/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: install firewall
+  become: yes
+  package:
+    name:
+      - ufw
+    state: latest

roles/forgejo/files/custom/public/assets/img/favicon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 72 72" width="32" height="32"><path fill="#FCEA2B" d="M43.278 20.52c.275-.645 1.445-3.289 1.915-3.859 2.592-3.144 7.54-3.344 7.54-3.344s.742 4.896-1.848 8.039c-.7.85-1.573 1.484-2.474 1.957l-1.864.85c.816-.435 3.59-1.634 4.574-1.757 4.043-.504 7.777 2.748 7.777 2.748s-2.823 4.068-6.864 4.574c-1.504.187-2.966-.145-4.208-.637l-1.513-.562c1.072.4 3.645 1.562 4.525 2.46 2.852 2.91 2.528 7.852 2.528 7.852s-4.947.219-7.798-2.689c-.63-.642-1.885-3.776-2.243-4.541l.767 2.397c.238.713.392 1.474.407 2.268.074 4.074-3.555 7.443-3.555 7.443s-3.747-3.238-3.822-7.31c-.015-.833 1.347-4.705 1.347-4.705l-1.14 2.622c-1.772 2.489-4.516 4.144-7.555 4.449-.925.093-1.544.066-1.544.066s-.323-4.942 2.529-7.852c.828-.846 1.834-1.427 2.844-1.826l1.71-.71c-.003 0-4.314 1.454-5.75 1.275-4.04-.506-6.865-4.574-6.865-4.574s3.734-3.252 7.778-2.748c.837.105 3.842 1.578 4.56 1.92l-2.21-1.211c-.77-.449-1.507-1.023-2.114-1.76-2.59-3.142-1.849-8.038-1.849-8.038s4.948.2 7.54 3.344c.502.608 1.854 3.216 2.136 3.907l-.91-1.94a7.721 7.721 0 0 1-.507-2.55c-.074-4.073 3.555-7.442 3.555-7.442s3.747 3.236 3.822 7.31a7.713 7.713 0 0 1-.411 2.559"/><circle cx="40.792" cy="26.177" r="5" fill="#F1B31C"/><path fill="#5C9E31" d="M23.365 38.967c2.344 2.868 1.647 7.316 1.647 7.316s-4.498-.203-6.842-3.072-1.647-7.317-1.647-7.317 4.498.206 6.842 3.073zM36.653 52.501c2.858-2.334 7.289-1.64 7.289-1.64s-.203 4.48-3.06 6.815c-2.858 2.335-7.29 1.64-7.29 1.64s.206-4.48 3.061-6.815z"/><g fill="none" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><circle cx="40.792" cy="26.177" r="5"/><path d="M23.859 38.563c2.79 3.414 1.96 8.708 1.96 8.708s-5.353-.242-8.143-3.657-1.96-8.707-1.96-8.707 5.353.245 8.143 3.656zM43.278 20.52c.275-.645 1.445-3.289 1.915-3.859 2.592-3.144 7.54-3.344 7.54-3.344s.742 4.896-1.848 8.039c-.7.85-1.573 1.484-2.474 1.957l-1.864.85c.816-.435 3.59-1.634 4.574-1.757 4.043-.504 7.777 2.748 7.777 2.748s-2.823 4.068-6.864 4.574c-1.504.187-2.966-.145-4.208-.637l-1.513-.562c1.072.4 3.645 1.562 4.525 2.46 2.852 2.91 2.528 7.852 2.528 7.852s-4.947.219-7.798-2.689c-.63-.642-1.885-3.776-2.243-4.541l.767 2.397c.238.713.392 1.474.407 2.268.074 4.074-3.555 7.443-3.555 7.443s-3.747-3.238-3.822-7.31c-.015-.833 1.347-4.705 1.347-4.705l-1.14 2.622c-1.772 2.489-4.516 4.144-7.555 4.449-.925.093-1.544.066-1.544.066s-.323-4.942 2.529-7.852c.828-.846 1.834-1.427 2.844-1.826l1.71-.71c-.003 0-4.314 1.454-5.75 1.275-4.04-.506-6.865-4.574-6.865-4.574s3.734-3.252 7.778-2.748c.837.105 3.842 1.578 4.56 1.92l-2.21-1.211c-.77-.449-1.507-1.023-2.114-1.76-2.59-3.142-1.849-8.038-1.849-8.038s4.948.2 7.54 3.344c.502.608 1.854 3.216 2.136 3.907l-.91-1.94a7.721 7.721 0 0 1-.507-2.55c-.074-4.073 3.555-7.442 3.555-7.442s3.747 3.236 3.822 7.31a7.713 7.713 0 0 1-.411 2.559M36.242 51.997c3.414-2.79 8.708-1.96 8.708-1.96s-.243 5.353-3.657 8.143c-3.414 2.79-8.708 1.96-8.708 1.96s.245-5.353 3.657-8.143z"/><path d="M34.366 41.03c-3.438 3.547-7.676 10.245-5.829 20.734"/></g></svg>

roles/forgejo/files/custom/public/assets/img/logo.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 72 72" width="32" height="32"><path fill="#FCEA2B" d="M43.278 20.52c.275-.645 1.445-3.289 1.915-3.859 2.592-3.144 7.54-3.344 7.54-3.344s.742 4.896-1.848 8.039c-.7.85-1.573 1.484-2.474 1.957l-1.864.85c.816-.435 3.59-1.634 4.574-1.757 4.043-.504 7.777 2.748 7.777 2.748s-2.823 4.068-6.864 4.574c-1.504.187-2.966-.145-4.208-.637l-1.513-.562c1.072.4 3.645 1.562 4.525 2.46 2.852 2.91 2.528 7.852 2.528 7.852s-4.947.219-7.798-2.689c-.63-.642-1.885-3.776-2.243-4.541l.767 2.397c.238.713.392 1.474.407 2.268.074 4.074-3.555 7.443-3.555 7.443s-3.747-3.238-3.822-7.31c-.015-.833 1.347-4.705 1.347-4.705l-1.14 2.622c-1.772 2.489-4.516 4.144-7.555 4.449-.925.093-1.544.066-1.544.066s-.323-4.942 2.529-7.852c.828-.846 1.834-1.427 2.844-1.826l1.71-.71c-.003 0-4.314 1.454-5.75 1.275-4.04-.506-6.865-4.574-6.865-4.574s3.734-3.252 7.778-2.748c.837.105 3.842 1.578 4.56 1.92l-2.21-1.211c-.77-.449-1.507-1.023-2.114-1.76-2.59-3.142-1.849-8.038-1.849-8.038s4.948.2 7.54 3.344c.502.608 1.854 3.216 2.136 3.907l-.91-1.94a7.721 7.721 0 0 1-.507-2.55c-.074-4.073 3.555-7.442 3.555-7.442s3.747 3.236 3.822 7.31a7.713 7.713 0 0 1-.411 2.559"/><circle cx="40.792" cy="26.177" r="5" fill="#F1B31C"/><path fill="#5C9E31" d="M23.365 38.967c2.344 2.868 1.647 7.316 1.647 7.316s-4.498-.203-6.842-3.072-1.647-7.317-1.647-7.317 4.498.206 6.842 3.073zM36.653 52.501c2.858-2.334 7.289-1.64 7.289-1.64s-.203 4.48-3.06 6.815c-2.858 2.335-7.29 1.64-7.29 1.64s.206-4.48 3.061-6.815z"/><g fill="none" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><circle cx="40.792" cy="26.177" r="5"/><path d="M23.859 38.563c2.79 3.414 1.96 8.708 1.96 8.708s-5.353-.242-8.143-3.657-1.96-8.707-1.96-8.707 5.353.245 8.143 3.656zM43.278 20.52c.275-.645 1.445-3.289 1.915-3.859 2.592-3.144 7.54-3.344 7.54-3.344s.742 4.896-1.848 8.039c-.7.85-1.573 1.484-2.474 1.957l-1.864.85c.816-.435 3.59-1.634 4.574-1.757 4.043-.504 7.777 2.748 7.777 2.748s-2.823 4.068-6.864 4.574c-1.504.187-2.966-.145-4.208-.637l-1.513-.562c1.072.4 3.645 1.562 4.525 2.46 2.852 2.91 2.528 7.852 2.528 7.852s-4.947.219-7.798-2.689c-.63-.642-1.885-3.776-2.243-4.541l.767 2.397c.238.713.392 1.474.407 2.268.074 4.074-3.555 7.443-3.555 7.443s-3.747-3.238-3.822-7.31c-.015-.833 1.347-4.705 1.347-4.705l-1.14 2.622c-1.772 2.489-4.516 4.144-7.555 4.449-.925.093-1.544.066-1.544.066s-.323-4.942 2.529-7.852c.828-.846 1.834-1.427 2.844-1.826l1.71-.71c-.003 0-4.314 1.454-5.75 1.275-4.04-.506-6.865-4.574-6.865-4.574s3.734-3.252 7.778-2.748c.837.105 3.842 1.578 4.56 1.92l-2.21-1.211c-.77-.449-1.507-1.023-2.114-1.76-2.59-3.142-1.849-8.038-1.849-8.038s4.948.2 7.54 3.344c.502.608 1.854 3.216 2.136 3.907l-.91-1.94a7.721 7.721 0 0 1-.507-2.55c-.074-4.073 3.555-7.442 3.555-7.442s3.747 3.236 3.822 7.31a7.713 7.713 0 0 1-.411 2.559M36.242 51.997c3.414-2.79 8.708-1.96 8.708-1.96s-.243 5.353-3.657 8.143c-3.414 2.79-8.708 1.96-8.708 1.96s.245-5.353 3.657-8.143z"/><path d="M34.366 41.03c-3.438 3.547-7.676 10.245-5.829 20.734"/></g></svg>

roles/forgejo/files/custom/templates/custom/extra_links.tmpl

@@ -0,0 +1 @@
+<a class="item" href="https://nilsnh.no/" target="_blank">nilsnh.no</a>

roles/forgejo/files/custom/templates/home.tmpl

@@ -0,0 +1,14 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="gt-pt-4">
+	<div class="ui text container">
+		<h1>{{AppName}}</h1>
+
+		<p>Welcome to this humble abode, nestled somewhere on the web's outer rim.</p>
+
+		<p>Here's where you can <a href="/explore">explore projects on this server</a>.</p>
+
+		<p>Have a good one! ☕</p>
+
+	</div>
+</div>
+{{template "base/footer" .}}

roles/forgejo/files/forgejo.service

@@ -0,0 +1,20 @@
+# File adapted from here:
+# https://codeberg.org/forgejo/forgejo/src/branch/forgejo/contrib/systemd/forgejo.service
+
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/forgejo/
+ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/forgejo
+
+[Install]
+WantedBy=multi-user.target

roles/forgejo/files/forgejo.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# Sourced from: https://forgejo.org/docs/latest/admin/installation-binary/#general-hints-for-using-forgejo
+sudo -u git forgejo -w /var/lib/forgejo -c /etc/forgejo/app.ini "$@"

roles/forgejo/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: restart forgejo
+  become: true
+  systemd:
+    name: forgejo
+    state: restarted
+    enabled: yes
+    masked: no

roles/forgejo/tasks/load-backups.yml

@@ -0,0 +1,19 @@
+- name: load forgejo data folder
+  become: true
+  ansible.builtin.copy:
+    src: "{{ forgejo_load_backup }}/data"
+    remote_src: true
+    dest: /var/lib/forgejo
+    owner: git
+    group: git
+    mode: u=rwx,g=rx,o=x
+
+- name: load forgejo repositories
+  become: true
+  ansible.builtin.copy:
+    src: "{{ forgejo_load_backup }}/repos/"
+    remote_src: true
+    dest: /var/lib/forgejo/data/forgejo-repositories
+    owner: git
+    group: git
+    mode: u=rwx,g=rx,o=x

roles/forgejo/tasks/main.yml

@@ -0,0 +1,105 @@
+- name: ensure required packages for forgejo is present 
+  ansible.builtin.apt:
+    pkg: 
+      - git
+      - rsync
+    state: present
+    # using generous time because unattended upgrades will keep packages updated.
+    cache_valid_time: 604800 
+
+- name: check if Forgejo is installed
+  shell: /usr/local/bin/forgejo --version | awk '{print $3}' | sed 's/\+/-/g'
+  register: forgejo_found_version
+  changed_when: false
+
+- name: download forgejo (arm)
+  get_url:
+    url: "https://codeberg.org/forgejo/forgejo/releases/download/v{{ forgejo_version }}/forgejo-{{ forgejo_version }}-linux-arm64"
+    dest: /usr/local/bin/forgejo
+    checksum: "{{ forgejo_checksum_arm64 }}"
+  when: 
+    - ansible_architecture == 'aarch64'
+    - forgejo_version != forgejo_found_version.stdout
+  notify: restart forgejo
+
+- name: download forgejo (x86_64)
+  get_url:
+    url: "https://codeberg.org/forgejo/forgejo/releases/download/v{{ forgejo_version }}/forgejo-{{ forgejo_version }}-linux-amd64"
+    dest: /usr/local/bin/forgejo
+    checksum: "{{ forgejo_checksum_amd64 }}"
+  when: 
+    - ansible_architecture == 'x86_64'
+    - forgejo_version != forgejo_found_version.stdout
+  notify: restart forgejo
+
+- name: set correct rights on forgejo executable
+  file:
+    path: /usr/local/bin/forgejo
+    mode: '0755'
+
+- name: create a git user responsible for forgejo
+  user:
+    comment: "user responsible for forgejo"
+    system: yes
+    password: "!"
+    shell: /bin/bash
+    state: present
+    name: git
+    create_home: yes
+
+- name: create data folders required by forgejo
+  file:
+    path: '{{ item }}'
+    state: directory
+    owner: git
+    group: git
+    mode: '0750'
+  loop:
+    - /var/lib/forgejo
+
+- name: create configuration folder required by forgejo
+  file:
+    path: '{{ item }}'
+    state: directory
+    mode: '0770'
+    owner: root
+    group: git
+  loop:
+    - /etc/forgejo
+
+- name: Load Forgejo backup
+  ansible.builtin.import_tasks: load-backups.yml
+  when: forgejo_load_backup is defined
+
+- name: upload forgejo configuration
+  notify: restart forgejo
+  template:
+    src: app.ini.j2
+    dest: /etc/forgejo/app.ini
+    mode: '0400'
+    owner: git
+    group: git
+
+- name: upload custom adjustments
+  notify: restart forgejo
+  ansible.posix.synchronize:
+    recursive: true
+    src: custom
+    dest: /var/lib/forgejo
+    rsync_opts:
+      - --chown=git:git
+      - --chmod=755
+
+- name: upload systemd unit file
+  notify: restart forgejo
+  copy:
+    src: forgejo.service
+    dest: /etc/systemd/system/forgejo.service
+
+- name: upload forgejo.sh helper script
+  ansible.builtin.copy:
+    src: forgejo.sh
+    dest: /usr/local/bin/forgejo.sh
+    mode: '0755'
+    owner: root
+    group: root

roles/forgejo/templates/app.ini.j2

@@ -0,0 +1,79 @@
+APP_NAME = code.on.nilsnh.no
+RUN_USER = git
+WORK_PATH = /var/lib/forgejo
+RUN_MODE = prod
+
+[database]
+DB_TYPE = sqlite3
+HOST = 127.0.0.1:3306
+NAME = forgejo
+USER = forgejo
+PASSWD = 
+SCHEMA = 
+SSL_MODE = disable
+PATH = /var/lib/forgejo/data/forgejo.db
+LOG_SQL = false
+
+[repository]
+ROOT = /var/lib/forgejo/data/forgejo-repositories
+
+[server]
+SSH_DOMAIN = {{ forgejo_domain }}
+DOMAIN = {{ forgejo_domain }}
+HTTP_PORT = 3000
+ROOT_URL = https://{{ forgejo_domain }}/
+APP_DATA_PATH = /var/lib/forgejo/data
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ vault_forgejo_lfs_secret }}
+OFFLINE_MODE = false
+
+[lfs]
+PATH = /var/lib/forgejo/data/lfs
+
+[mailer]
+ENABLED = true
+PROTOCOL = sendmail
+FROM = {{ forgejo_from }}
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = {{ machine_from_email }}
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[cron.update_checker]
+ENABLED = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /var/lib/forgejo/log
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ vault_forgejo_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2_hi
+
+[oauth2]
+JWT_SECRET = {{ vault_forgejo_jwt_secret }}

roles/forgejo/vars/main.yml

@@ -0,0 +1,4 @@
+
+forgejo_version: "1.21.3-0"
+forgejo_checksum_arm64: sha256:00375a2fb8bf3975371c7e99dc8986d35997c43e01cf3ddaf97dad86bf063277
+forgejo_checksum_amd64: sha256:8c8f34e889f968b4f9357701ceee7daab5b47ea605793325da8e3e740457b45a

roles/postgres/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: install postgres
+  package:
+    name:
+      - postgresql
+      - python-psycopg2
+      # needed because we need to become the unprivileged postgres user.
+      - acl
+    state: latest
+
+- name: create gitea database
+  postgresql_db:
+    name: giteadb
+  become: yes
+  become_user: postgres
+
+- name: create gitea postgres user
+  postgresql_user:
+    db: giteadb
+    name: gitea
+    password: "{{ gitea_postgres_pw }}"
+  become: yes
+  become_user: postgres

roles/sendmail/tasks/main.yml

@@ -0,0 +1,21 @@
+- name: install sendmail (ssmtp)
+  ansible.builtin.package:
+    name:
+      - ssmtp
+    state: present
+
+- name: configure ssmtp
+  ansible.builtin.template:
+    src: ssmtp.conf.j2
+    dest: /etc/ssmtp/ssmtp.conf
+    mode: '0640'
+    owner: root
+    group: mail
+  
+- name: configure ssmtp revaliases
+  ansible.builtin.blockinfile:
+    path: /etc/ssmtp/revaliases
+    block: |
+      jake:{{ machine_from_email }}
+      root:{{ machine_from_email }}
+      git:{{ machine_from_email }}

roles/sendmail/templates/ssmtp.conf.j2

@@ -0,0 +1,25 @@
+#
+# Config file for sSMTP sendmail
+#
+# The person who gets all mail for userids < 1000
+# Make this empty to disable rewriting.
+root={{ machine_notifications_receiver }}
+
+# The place where the mail goes. The actual machine name is required no 
+# MX records are consulted. Commonly mailhosts are named mail.domain.com
+mailhub=box.nilsnh.no:465
+
+# Where will the mail seem to come from?
+rewriteDomain=nilsnh.no
+
+# The full hostname
+hostname=jake.box.nilsnh.no
+
+AuthUser={{ mta_user }}
+AuthPass={{ mta_user_pw }}
+UseTLS=YES
+
+# Are users allowed to set their own From: address?
+# YES - Allow the user to specify their own From: address
+# NO - Use the system generated From: address
+FromLineOverride=YES

scripts/build.sh

@@ -0,0 +1,19 @@
+#!/bin/env bash
+
+# Source: https://stackoverflow.com/a/4774063
+PROJECT_ROOT="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )/.."
+
+RESTIC_VERSION=tags/v0.16.2
+
+# Checkout correct version
+(cd "$PROJECT_ROOT/vendor/restic" && git checkout $RESTIC_VERSION)
+
+echo "Building restic binary for local usage ..."
+(cd "$PROJECT_ROOT/vendor/restic" && go run build.go)
+
+echo "Building restic binary for ARM architecture ..."
+(cd "$PROJECT_ROOT/vendor/restic" && \
+    go run build.go --goos linux --goarch arm \
+    --output "$PROJECT_ROOT/roles/backup/files/restic-arm64")
+
+echo "Done with work"

scripts/restic.sh

@@ -0,0 +1,12 @@
+#!/bin/env bash
+
+# Source: https://stackoverflow.com/a/4774063
+PROJECT_ROOT="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )/.."
+
+VAULT=$(ansible-vault decrypt "$PROJECT_ROOT/group_vars/all/vault.yml" --output=-)
+REPO=$(echo "$VAULT" | grep restic_url | awk '{print $2}')
+REPO_PW=$(echo "$VAULT" | grep restic_pw | awk '{print $2}')
+
+# Helper script for calling Restic using correct repo and password.
+
+RESTIC_REPOSITORY=$REPO RESTIC_PASSWORD=$REPO_PW "$PROJECT_ROOT/vendor/restic/restic" "$@"

scripts/restore-latest-backup.sh

@@ -0,0 +1,12 @@
+#!/bin/env bash
+
+# Source: https://stackoverflow.com/a/4774063
+PROJECT_ROOT="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )/.."
+
+rm -rf "$PROJECT_ROOT/backup-restore"
+
+"$PROJECT_ROOT/scripts/restic.sh" restore latest --target "$PROJECT_ROOT/backup-restore"
+
+(cd "$PROJECT_ROOT/backup-restore/tmp" && unzip forgejo.zip -d ../forgejo)
+
+rm -rf "$PROJECT_ROOT/backup-restore/tmp"

scripts/verify-download.sh

@@ -0,0 +1,32 @@
+#!/bin/env bash
+
+set -e
+
+# Helper script to download binaries and check signatures and checksums.
+# It assumes a very rigid file structure
+
+# Example
+# URL="https://codeberg.org/forgejo/forgejo/releases/download/v1.20.6-1/forgejo-1.20.6-1-linux-amd64"
+URL=$1
+
+if [ -z "$1" ] 
+    then
+        echo "No argument supplied. Please provide a download URL."
+        exit 1
+fi
+
+FILENAME=$(echo $URL | grep --only-matching --extended-regexp "([^\/]+$)")
+
+DIR="/tmp/verify-binaries"
+
+mkdir -p $DIR
+
+wget -nv --timestamping --directory-prefix $DIR $URL
+wget -nv --timestamping --directory-prefix $DIR "$URL.asc"
+wget -nv --timestamping --directory-prefix $DIR "$URL.sha256"
+
+(cd $DIR && gpg --verify "$FILENAME.asc" $FILENAME)
+
+(cd $DIR && cat "$FILENAME.sha256")
+
+(cd $DIR && sha256sum --check "$FILENAME.sha256")