immich

.vscode/tasks.json

@@ -130,6 +130,16 @@
             "panel": "dedicated"
         }
     },
+    {
+        "label": "Deploy: immich",
+        "type": "shell",
+        "command": "make deploy-immich",
+        "group": "build",
+        "presentation": {
+            "reveal": "always",
+            "panel": "dedicated"
+        }
+    },
     {
         "label": "Build & Push: postfix",
         "type": "shell",

archive/anope/anope.yml

@@ -1,5 +1,5 @@
 - name: Nginx
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     uplink_password: !vault |

archive/inspircd/inspircd.yml

@@ -1,5 +1,5 @@
 - name: Inspircd
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     inspircd_sendpass: !vault |

archive/thelounge/thelounge.yml

@@ -1,5 +1,5 @@
 - name: Thelounge
-  hosts: pi
+  hosts: beepi
   become: true
   tasks:
     - name: Install nodejs

playbooks/autodns/autodns.yml

@@ -1,5 +1,5 @@
 - name: Inspircd
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     njalla_api_token: !vault |

playbooks/backup/backup.yml

@@ -1,5 +1,5 @@
 - name: Backup
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     gpg_password: !vault |

playbooks/fail2ban-ingress/fail2ban-ingress.yml

@@ -0,0 +1,29 @@
+- name: Fail2ban-ingress
+  hosts: animeistrash
+  become: true
+
+  tasks:
+    - name: Install fail2ban
+      ansible.builtin.apt:
+        name: fail2ban
+        state: present
+
+    - name: Create user
+      ansible.builtin.user:
+        name: fail2forward
+        create_home: true
+
+    - name: Copy jail.local
+      ansible.builtin.template:
+        src: jail.local.j2
+        dest: /etc/fail2ban/jail.local
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart fail2ban
+
+  handlers:
+    - name: Restart fail2ban
+      ansible.builtin.service:
+        name: fail2ban
+        state: restarted

playbooks/fail2ban-ingress/jail.local.j2

@@ -0,0 +1,27 @@
+[DEFAULT]
+bantime  = 24h
+findtime = 10m
+maxretry = 5
+banaction = ufw
+bantime.increment = true
+bantime.multipliers = 1 5 30 60 300 720 1440 2880
+
+[sshd]
+enabled = true
+port    = ssh,2222,4444
+
+[nginx-http-auth]
+enabled = true
+
+[nginx-limit-req]
+enabled = true
+
+[postfix]
+enabled  = true
+port     = smtp,submission
+logpath  = /opt/beeserver/mail/mail-logs/mail.log
+
+[dovecot]
+enabled  = true
+port     = imaps,pop3s
+logpath  = /opt/beeserver/mail/mail-logs/mail.log

playbooks/fail2ban/fail2ban.yml

@@ -1,5 +1,5 @@
 - name: Fail2ban
-  hosts: pi
+  hosts: beepi
   become: true
 
   tasks:
@@ -8,6 +8,27 @@
         name: fail2ban
         state: present
 
+    - name: Create user
+      ansible.builtin.user:
+        name: fail2forward
+        create_home: true
+
+    - name: Create key
+      ansible.builtin.user:
+        name: fail2forward
+        generate_ssh_key: true
+        ssh_key_bits: 2048
+        ssh_key_file: .ssh/id_rsa
+      register: ssh_public_key
+
+    - name: Save public key locally
+      ansible.builtin.copy:
+        content: "{{ ssh_public_key.ssh_public_key }}"
+        dest: ./fail2forward_id_rsa.pub
+        mode: '0644'
+      delegate_to: localhost
+      become: false
+
     - name: Copy jail.local
       ansible.builtin.template:
         src: jail.local.j2

playbooks/gitea/gitea.yml

@@ -1,5 +1,5 @@
 - name: Inspircd
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     gitea_db_password: !vault |

playbooks/immich/immich-db.container.j2

@@ -7,7 +7,7 @@ Image=ghcr.io/immich-app/postgres:14-vectorchord0.4.3
 Network=immich.network
 Volume=immich-pgdata.volume:/var/lib/postgresql/data
 Environment=POSTGRES_USER=immich
-Environment=POSTGRES_PASSWORD={{ pico_db_password }}
+Environment=POSTGRES_PASSWORD={{ immich_db_password }}
 Environment=POSTGRES_DB=immich
 
 [Service]

playbooks/immich/immich-server.container.j2

@@ -11,9 +11,10 @@ PublishPort=127.0.0.1:2283:2283
 Volume=immich-upload.volume:/usr/src/app/upload
 Environment=DB_HOSTNAME=immich-db
 Environment=DB_USERNAME=immich
-Environment=DB_PASSWORD={{ pico_db_password }}
+Environment=DB_PASSWORD={{ immich_db_password }}
 Environment=DB_DATABASE_NAME=immich
 Environment=REDIS_HOSTNAME=immich-redis
+Environment=IMMICH_MACHINE_LEARNING_ENABLED=false
 
 [Service]
 Restart=on-failure

playbooks/immich/immich.yml

@@ -1,11 +1,8 @@
 - name: Immich
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
-    immich_user: immich
-    immich_home: /home/immich
-    quadlet_dir: "{{ immich_home }}/.config/containers/systemd"
-    pico_db_password: !vault |
+    immich_db_password: !vault |
               $ANSIBLE_VAULT;1.1;AES256
               64666332336435616365303563636634373333346537643336626235316432643336303665646463
               3735653065653561643635376237393666313137303661370a336664623937623061313663303835
@@ -14,46 +11,50 @@
               30633861353033656264663439623264383536376664613665613138623262623261
 
   tasks:
-    - name: Install podman
+    - name: Install dependencies
       ansible.builtin.apt:
-        name: podman
+        name: "{{ item }}"
         state: present
+      loop:
+        - podman
+        - systemd-container
+        - passt
 
     - name: Create immich user
       ansible.builtin.user:
-        name: "{{ immich_user }}"
-        home: "{{ immich_home }}"
+        name: immich
+        home: /home/immich
         shell: /usr/sbin/nologin
         create_home: true
       register: immich_user_info
 
     - name: Enable linger
       ansible.builtin.command:
-        cmd: "loginctl enable-linger {{ immich_user }}"
-        creates: "/var/lib/systemd/linger/{{ immich_user }}"
+        cmd: "loginctl enable-linger immich"
+        creates: "/var/lib/systemd/linger/immich"
 
     - name: Create quadlet directory
       ansible.builtin.file:
-        path: "{{ quadlet_dir }}"
+        path: "/home/immich/.config/containers/systemd"
         state: directory
-        owner: "{{ immich_user }}"
-        group: "{{ immich_user }}"
+        owner: "immich"
+        group: "immich"
         mode: '0755'
 
-    - name: Deploy network
+    - name: Copy network
       ansible.builtin.copy:
-        dest: "{{ quadlet_dir }}/immich.network"
+        dest: "/home/immich/.config/containers/systemd/immich.network"
         content: "[Network]\n"
-        owner: "{{ immich_user }}"
-        group: "{{ immich_user }}"
+        owner: immich
+        group: immich
         mode: '0644'
 
-    - name: Deploy volumes
+    - name: Copy volumes
       ansible.builtin.copy:
-        dest: "{{ quadlet_dir }}/{{ item }}.volume"
+        dest: "/home/immich/.config/containers/systemd/{{ item }}.volume"
         content: "[Volume]\n"
-        owner: "{{ immich_user }}"
-        group: "{{ immich_user }}"
+        owner: immich
+        group: immich
         mode: '0644'
       loop:
         - immich-pgdata
@@ -62,29 +63,30 @@
     - name: Deploy db quadlet
       ansible.builtin.template:
         src: immich-db.container.j2
-        dest: "{{ quadlet_dir }}/immich-db.container"
-        owner: "{{ immich_user }}"
-        group: "{{ immich_user }}"
-        mode: '0644'
+        dest: "/home/immich/.config/containers/systemd/immich-db.container"
+        owner: immich
+        group: immich
+        mode: '0600'
 
     - name: Deploy redis quadlet
       ansible.builtin.copy:
         src: immich-redis.container
-        dest: "{{ quadlet_dir }}/immich-redis.container"
-        owner: "{{ immich_user }}"
-        group: "{{ immich_user }}"
+        dest: "/home/immich/.config/containers/systemd/immich-redis.container"
+        owner: immich
+        group: immich
         mode: '0644'
 
     - name: Deploy server quadlet
       ansible.builtin.template:
         src: immich-server.container.j2
-        dest: "{{ quadlet_dir }}/immich-server.container"
-        owner: "{{ immich_user }}"
-        group: "{{ immich_user }}"
-        mode: '0644'
+        dest: "/home/immich/.config/containers/systemd/immich-server.container"
+        owner: immich
+        group: immich
+        mode: '0600'
 
     - name: Reload user systemd
-      become_user: "{{ immich_user }}"
+      become: true
+      become_user: immich
       environment:
         XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
         DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
@@ -92,8 +94,14 @@
         daemon_reload: true
         scope: user
 
+    - name: Start user manager for immich
+      ansible.builtin.systemd:
+        name: "user@{{ immich_user_info.uid }}.service"
+        state: started
+
     - name: Start immich-server
-      become_user: "{{ immich_user }}"
+      become: true
+      become_user: immich
       environment:
         XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
         DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
@@ -101,3 +109,10 @@
         name: immich-server.service
         state: started
         scope: user
+
+    - name: Debug
+      ansible.builtin.debug:
+        msg:
+          - "Service status: systemctl --user --machine {{ immich_user_info.name }}@.host status immich-server"
+          - "Read logs: sudo journalctl _UID={{ immich_user_info.uid }} -n 200 --no-pager"
+          - "Shell: machinectl shell {{ immich_user_info.name }}@.host /bin/bash"

playbooks/letsencrypt/letsencrypt.yml

@@ -1,5 +1,5 @@
 - name: Letsencrypt
-  hosts: pi
+  hosts: beepi
   become: true
   tasks:
     - name: Install Certbot
@@ -9,31 +9,14 @@
 
     - name: Request root certificates
       changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains secretbee.buzz
-
-    - name: Request root certificates
-      changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains lounge.secretbee.buzz
-
-    - name: Request irc certificates
-      changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains irc.secretbee.buzz
-
-    - name: Request git certificates
-      changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains git.secretbee.buzz
-
-    - name: Request grafana certificates
-      changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains grafana.secretbee.buzz
-
-    - name: Request mail certificates
-      changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains mail.secretbee.buzz
-
-    - name: Request matrix certificates
-      changed_when: true
-      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains matrix.secretbee.buzz
+      ansible.builtin.command: "certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains {{ item }}"
+      loop:
+        - secretbee.buzz
+        - git.secretbee.buzz
+        - grafana.secretbee.buzz
+        - mail.secretbee.buzz
+        - matrix.secretbee.buzz
+        - gallery.secretbee.buzz
 
     - name: Add post hook script
       ansible.builtin.copy:

playbooks/mail/mail.yml

@@ -1,5 +1,5 @@
 - name: Mail
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     relay_password: !vault |

playbooks/matrix/matrix.yml

@@ -1,5 +1,5 @@
 - name: Matrix
-  hosts: pi
+  hosts: beepi
   become: true
 
   tasks:

playbooks/monitoring/monitoring.yml

@@ -1,5 +1,5 @@
 - name: Prometheus
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     grafana_secret: !vault |

playbooks/nginx/nginx.yml

@@ -1,5 +1,5 @@
 - name: Nginx
-  hosts: pi
+  hosts: beepi
   become: true
   tasks:
     - name: Install nginx
@@ -20,7 +20,7 @@
         group: root
         mode: '0644'
 
-    - name: Copy upstreamc.onf
+    - name: Copy upstream.conf
       ansible.builtin.copy:
         src: upstream.conf
         dest: /etc/nginx/conf.d/upstream.conf

playbooks/nginx/sites-enabled/gallery.secretbee.buzz

@@ -0,0 +1,52 @@
+server {
+  listen          80;
+  server_name     gallery.secretbee.buzz;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+    listen         443 ssl;
+    server_name gallery.secretbee.buzz;
+
+    ssl_certificate     /etc/letsencrypt/live/gallery.secretbee.buzz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gallery.secretbee.buzz/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # allow large file uploads
+    client_max_body_size 50000M;
+
+    # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
+    proxy_request_buffering off;
+
+    # increase body buffer to avoid limiting upload speed
+    client_body_buffer_size 1024k;
+
+    # Set headers
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # enable websockets: http://nginx.org/en/docs/http/websocket.html
+    proxy_http_version 1.1;
+    proxy_redirect     off;
+
+    # set timeout
+    proxy_read_timeout 600s;
+    proxy_send_timeout 600s;
+    send_timeout       600s;
+
+    location / {
+        proxy_pass http://localhost:2283;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+    }
+
+    location /siri {
+        return 301 https://gallery.secretbee.buzz/s/siri;
+    }
+}

playbooks/nginx/sites-enabled/secretbee.buzz

@@ -49,4 +49,8 @@ server {
     default_type "text/html";
     try_files  $uri $uri.html $uri/index.html index.html;
   }
+
+  location /siri {
+    return 301 https://gallery.secretbee.buzz/s/siri;
+  }
 }

playbooks/ufw/ufw.yml

@@ -1,5 +1,5 @@
 - name: Ufw
-  hosts: pi
+  hosts: beepi
   become: true
   tasks:
     - name: Install ufw

playbooks/wireguard/wireguard.yml

@@ -1,5 +1,5 @@
 - name: Wireguard
-  hosts: pi
+  hosts: beepi
   become: true
   vars:
     wireguard_private_key: !vault |