Disabled crowdsec on wiki.my for testing

underscores

.gitea/workflows/ansible-deploy.yaml

@@ -20,14 +20,10 @@ jobs:
         run: |
           apt update -y
           apt install python3-pip -y
-          python3 -m pip install ansible
+          python3 -m pip install -r requirements.txt
-
-      - name: Install Ansible Galaxy requirements
-        run: |
-          ansible-galaxy install -r requirements.yaml
 
       - name: Run playbook
-        uses: dawidd6/action-ansible-playbook@v2
+        uses: dawidd6/action-ansible-playbook@v3
         with:
           # Required, playbook filepath
           playbook: ${{ matrix.playbook }}
@@ -37,6 +33,6 @@ jobs:
           key: ${{secrets.SSH_PRIVATE_KEY}}
           vault_password: ${{secrets.VAULT_PASSWORD}}
           # Optional, galaxy requirements filepath
-          requirements: requirements.yaml
+          #requirements: requirements.yaml
           options: |
-            --inventory ansible/inventory.yaml
+            --inventory ansible/inventory/hosts.yaml

ansible/assets/basementpi/compose.yml.j2

@@ -80,6 +80,9 @@ services:
       - 'git git.mycomputer.party:10.11.1.17'
       - 'gitea gitea.injust.us:10.11.1.18'
       - 'gitea.mycomputer.party:10.11.1.15'
+      - 'pbs pbs.mycomputer.party:10.11.1.30'
+      - 'immich immich.mycomputer.party:10.11.1.13'
+      - 'wireguard wireguard.injust.us:10.11.1.9'
 
 
     restart: always

ansible/assets/bastion/wg0.conf.j2

@@ -1,7 +1,7 @@
 [Interface]
 Address = {{ wg_interface_ip }}
 ListenPort = 51820
-PrivateKey = {{ wg_private_key}}
+PrivateKey = {{ bastion_wg_private_key}}
 #https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
 PostUp = iptables -t nat -N Inbound
 PostUp = iptables -t nat -A PREROUTING -d {{ public_ip }} -j Inbound

ansible/assets/docker-ext/compose.yml

@@ -1,647 +0,0 @@
-version: "3.5"
-services:
-  traefik:
-    container_name: traefik
-    # The official v2 Traefik docker image
-    image: traefik:v3.1
-    restart: unless-stopped
-    depends_on:
-      - crowdsec
-    # Enables the web UI and tells Traefik to listen to docker
-    command: 
-      - "--api.insecure=true"
-      - "--providers.docker=true"
-      - "--providers.file=true"
-      - "--accesslog.filepath=/var/log/traefik/access.log"
-      - "--providers.file.filename=/etc/traefik/rules.yaml"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.myresolver.acme.email=jg@justus.ws"
-      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
-      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
-      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
-      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-      - --experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
-      - --experimental.plugins.crowdsec-bouncer.version=v1.2.1
-        #- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
-    ports:
-      # The HTTP port
-      - "80:80"
-      - "443:443"
-      # The Web UI (enabled by --api.insecure=true)
-      - "8080:8080"
-    volumes:
-      # So that Traefik can listen to the Docker events
-      - /var/run/docker.sock:/var/run/docker.sock
-        #- ./traefik/traefik.yml:/etc/traefik/traefik.yml
-      - ./traefik:/etc/traefik
-      - ./letsencrypt:/letsencrypt
-      - "./logsTraefik:/var/log/traefik"
-    networks:
-      - proxy
-      - backend
-      - docker_default
-    labels:
-      - "traefik.http.middlewares.authtest.basicauth.users=user:$$apr1$$VKJibd3x$$SwY/BRH.QTeVEaRDnLKvv0"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdseclapikey=dTkMpqDs/ryjvw1tQaV3k0VtCFQUlh+hrdZMEWnxfXc"
-      - "traefik.http.middlewares.authchain.chain.middlewares=crowdsec@docker,authentik@docker"
-      - "traefik.http.middlewares.internalOnly.ipallowlist.sourcerange=192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12"
-      - "traefik.http.middlewares.internalOnlyWithAuth.chain.middlewares=internalOnly@docker,crowdsec@docker,authentik@docker"
-        
-        #ddclient:
-        #  image: lscr.io/linuxserver/ddclient:latest
-        #  container_name: ddclient
-        #  environment:
-        #    - PUID=1000
-        #    - PGID=1000
-        #    - TZ=America/Thunder_Bay
-        #  volumes:
-        #    - ./ddclient/:/config
-        #  restart: unless-stopped
-        #porkbunddns:
-        #  image: pavlinchen/porkbun-ddns
-        #  container_name: porkbun-ddns
-        #  restart: unless-stopped
-        #  pull_policy: always
-        #  environment:
-        #      APIKey: pk1_6896ac0da1af81d9b7ae1ef0ee65b7f8bc655fc0099588e1db9bb9708da2d2ec
-        #      SecretAPIKey: k1_8c0d61edd906856c4f4f979b6207049ea0b0b50aec5759dacb86c24cb0bf001d
-        #      Domain: mycomputer.party wiki
-        #      Schedule: "*/5 * * * *" #optional
-        #      TZ: Canada/Eastern #optional
-  dokuwiki:
-    image: bitnami/dokuwiki:20240206
-    restart: unless-stopped
-    container_name: dokuwiki
-    ports:
-      - "8007:8080"
-    environment:
-      PHP_TIMEZONE: America/Toronto
-      DOKUWIKI_USERNAME: admin
-    volumes:
-      - ./dokuwiki:/bitnami/dokuwiki
-    networks:
-      -  backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dokuwiki.rule=Host(`wiki.mycomputer.party`)"
-      - "traefik.http.routers.dokuwiki.entrypoints=websecure"
-      - "traefik.http.routers.dokuwiki.tls.certresolver=myresolver"
-      - traefik.http.routers.dokuwiki.tls=true
-      - "traefik.http.routers.dokuwiki.middlewares=crowdsec@docker"
-  mail-server:
-      tty: true
-      stdin_open: true
-      restart: unless-stopped
-      ports:
-          - 8443:443
-          - 8008:8080
-          - 25:25
-          - 587:587
-          - 465:465
-          - 143:143
-          - 993:993
-          - 4190:4190
-      volumes:
-        - ./stalwart-mail:/opt/stalwart-mail
-      container_name: stalwart-mail
-      image: stalwartlabs/mail-server:latest
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.routers.stalwart.rule=Host(`stalwart.mycomputer.party`)"
-        - "traefik.http.routers.stalwart.entrypoints=websecure"
-        - "traefik.http.routers.stalwart.tls.certresolver=myresolver"
-        - "traefik.http.routers.stalwart.tls=true"
-        - "traefik.http.services.stalwart-http.loadbalancer.server.port=8080"
-  # --- MariaDB
-  #linkace-db:
-  #  image: mariadb:11.2
-  #  container_name: linkace-db
-  #  restart: unless-stopped
-  #  command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
-  #  environment:
-  #    - MYSQL_ROOT_PASSWORD=LRd5^AwDF76CvE6fMb
-  #    - MYSQL_USER=linkace
-  #    - MYSQL_PASSWORD=linkace
-  #    - MYSQL_DATABASE=linkace
-  #  volumes:
-  #    - db:/var/lib/mysql
-
-  ## --- LinkAce Image with PHP and nginx
-  #linkace-app:
-  #  image: linkace/linkace:simple
-  #  container_name: linkace-app
-  #  restart: unless-stopped
-  #  depends_on:
-  #    - linkace-db
-  #  ports:
-  #    - "8009:80"
-  #    #- "0.0.0.0:443:443"
-  #  volumes:
-  #    - ./linkace/.env:/app/.env
-  #    - ./linkace/backups:/app/storage/app/backups
-  #    - linkace_logs:/app/storage/logs
-  #    # Remove the hash of the following line if you want to use HTTPS for this container
-  #    #- ./nginx-ssl.conf:/etc/nginx/conf.d/default.conf:ro
-  #    #- /path/to/your/ssl/certificates:/certs:ro
-  #  labels:
-  #    - "traefik.enable=true"
-  #    - "traefik.http.routers.linkace.rule=Host(`linkace.mycomputer.party`)"
-  #    - "traefik.http.routers.linkace.entrypoints=websecure"
-  #    - "traefik.http.routers.linkace.tls.certresolver=myresolver"
-  #    - "traefik.http.routers.linkace.tls=true"
-  #    - "traefik.http.services.linkace-http.loadbalancer.server.port=80"
-
-  linkding:
-    container_name: "${LD_CONTAINER_NAME:-linkding}"
-    image: sissbruecker/linkding:latest-plus
-    ports:
-      - "${LD_HOST_PORT:-9090}:9090"
-    volumes:
-      - "${LD_HOST_DATA_DIR:-./data}:/etc/linkding/data"
-    env_file:
-      - .env-linkding
-    restart: unless-stopped
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.linkding.rule=Host(`linkding.mycomputer.party`)"
-      - "traefik.http.routers.linkding.entrypoints=websecure"
-      - "traefik.http.routers.linkding.tls.certresolver=myresolver"
-      - "traefik.http.routers.linkding.tls=true"
-      - "traefik.http.services.linkding-http.loadbalancer.server.port=9090"
-      - "traefik.http.routers.linkding.middlewares=authchain@docker"
-  wallabag:
-    container_name: wallabag
-    restart: unless-stopped
-    image: wallabag/wallabag
-    environment:
-      #- MYSQL_ROOT_PASSWORD=wallaroot
-      - POSTGRES_USER=wallabag
-      - POSTGRES_PASSWORD=Mo8ntF92q5oWNV6TbS7t
-      - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
-      - SYMFONY__ENV__DATABASE_HOST=postgres.injust.us
-      - SYMFONY__ENV__DATABASE_PORT=5432
-      - SYMFONY__ENV__DATABASE_NAME=wallabag
-      - SYMFONY__ENV__DATABASE_USER=wallabag
-      - SYMFONY__ENV__DATABASE_PASSWORD=Mo8ntF92q5oWNV6TbS7t
-      - SYMFONY__ENV__DATABASE_TABLE_PREFIX="wallabag_"
-      - SYMFONY__ENV__MAILER_DSN=smtp://127.0.0.1
-      - SYMFONY__ENV__FROM_EMAIL=wallabag@example.com
-      - SYMFONY__ENV__DOMAIN_NAME=https://wallabag.mycomputer.party
-      - SYMFONY__ENV__SERVER_NAME="My Computer Party Wallabag"
-    ports:
-      - "8010:80"
-    volumes:
-      - ./wallabag/images:/var/www/wallabag/web/assets/images
-    healthcheck:
-      test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost"]
-      interval: 1m
-      timeout: 3s
-    depends_on:
-      - redis
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.wallabag.rule=Host(`wallabag.mycomputer.party`)"
-      - "traefik.http.routers.wallabag.entrypoints=websecure"
-      - "traefik.http.routers.wallabag.tls.certresolver=myresolver"
-      - "traefik.http.routers.wallabag.tls=true"
-      - "traefik.http.services.wallabag-http.loadbalancer.server.port=80"
-      - "traefik.http.routers.wallabag.middlewares=crowdsec@docker"
-  redis:
-    container_name: redis
-    image: redis:alpine
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
-      interval: 20s
-      timeout: 3s
-  authentik-server:
-    container_name: authentik-server
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.2}
-    restart: unless-stopped
-    command: server
-    environment:
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_HOST: https://authentik.mycomputer.party
-      AUTHENTIK_POSTGRESQL__HOST: postgres.injust.us
-      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
-      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
-    volumes:
-      - ./authentik/media:/media
-      - ./authentik/custom-templates:/templates
-    env_file:
-      - .authentik-env
-    ports:
-      - "${COMPOSE_PORT_HTTP:-9000}:9000"
-      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
-    depends_on:
-      - redis
-    labels:
-      - "traefik.enable=true"
-        #- "traefik.http.routers.authentik.rule=Host(`authentik.mycomputer.party`)"
-      - "traefik.http.routers.authentik.rule=Host(`authentik.mycomputer.party`) || PathPrefix(`/outpost.goauthentik.io/`)"
-      - "traefik.http.routers.authentik.entrypoints=websecure"
-      - "traefik.http.routers.authentik.tls.certresolver=myresolver"
-      - "traefik.http.routers.authentik.tls=true"
-      - "traefik.http.services.authentik-http.loadbalancer.server.port=9000"
-      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
-      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
-      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
-      - "traefik.http.routers.authentik.middlewares=crowdsec@docker"
-  authentik-worker:
-    container_name: authentik-worker
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.2}
-    restart: unless-stopped
-    command: worker
-    environment:
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_POSTGRESQL__HOST: postgres.injust.us
-      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
-      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
-    # `user: root` and the docker socket volume are optional.
-    # See more for the docker socket integration here:
-    # https://goauthentik.io/docs/outposts/integrations/docker
-    # Removing `user: root` also prevents the worker from fixing the permissions
-    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
-    # (1000:1000 by default)
-    user: root
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./authentik/media:/media
-      - ./authentik/certs:/certs
-      - ./authentik/custom-templates:/templates
-    env_file:
-      - .authentik-env
-    depends_on:
-      - redis
-  changedetection:
-      image: ghcr.io/dgtlmoon/changedetection.io
-      container_name: changedetection
-      hostname: changedetection
-      volumes:
-        - changedetection-data:/datastore
-# Configurable proxy list support, see https://github.com/dgtlmoon/changedetection.io/wiki/Proxy-configuration#proxy-list-support
-#        - ./proxies.json:/datastore/proxies.json
-
-      environment:
-  #        Default listening port, can also be changed with the -p option
-  #      - PORT=5000
-
-  #      - PUID=1000
-  #      - PGID=1000
-  #
-  #        Log levels are in descending order. (TRACE is the most detailed one)
-  #        Log output levels: TRACE, DEBUG(default), INFO, SUCCESS, WARNING, ERROR, CRITICAL
-  #      - LOGGER_LEVEL=DEBUG
-  #
-  #       Alternative WebDriver/selenium URL, do not use "'s or 's!
-  #      - WEBDRIVER_URL=http://browser-chrome:4444/wd/hub
-  #
-  #       WebDriver proxy settings webdriver_proxyType, webdriver_ftpProxy, webdriver_noProxy,
-  #                                webdriver_proxyAutoconfigUrl, webdriver_autodetect,
-  #                                webdriver_socksProxy, webdriver_socksUsername, webdriver_socksVersion, webdriver_socksPassword
-  #
-  #             https://selenium-python.readthedocs.io/api.html#module-selenium.webdriver.common.proxy
-  #
-  #       Alternative Playwright URL, do not use "'s or 's!
-  #      - PLAYWRIGHT_DRIVER_URL=ws://playwright-chrome:3000
-  #
-  #       Playwright proxy settings playwright_proxy_server, playwright_proxy_bypass, playwright_proxy_username, playwright_proxy_password
-  #
-  #             https://playwright.dev/python/docs/api/class-browsertype#browser-type-launch-option-proxy
-  #
-  #        Plain requests - proxy support example.
-  #      - HTTP_PROXY=socks5h://10.10.1.10:1080
-  #      - HTTPS_PROXY=socks5h://10.10.1.10:1080
-  #
-  #        An exclude list (useful for notification URLs above) can be specified by with
-  #      - NO_PROXY="localhost,192.168.0.0/24"
-  #
-  #        Base URL of your changedetection.io install (Added to the notification alert)
-        - BASE_URL=https://changedetection.mycomputer.party
-  #        Respect proxy_pass type settings, `proxy_set_header Host "localhost";` and `proxy_set_header X-Forwarded-Prefix /app;`
-  #        More here https://github.com/dgtlmoon/changedetection.io/wiki/Running-changedetection.io-behind-a-reverse-proxy-sub-directory
-        - USE_X_SETTINGS=1
-  #
-  #        Hides the `Referer` header so that monitored websites can't see the changedetection.io hostname.
-  #- HIDE_REFERER=true
-  #
-  #        Default number of parallel/concurrent fetchers
-  #      - FETCH_WORKERS=10
-
-      # Comment out ports: when using behind a reverse proxy , enable networks: etc.
-      ports:
-        - 5000:5000
-      restart: unless-stopped
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.routers.changedetection.rule=Host(`changedetection.mycomputer.party`)"
-        - "traefik.http.routers.changedetection.entrypoints=websecure"
-        - "traefik.http.routers.changedetection.tls.certresolver=myresolver"
-        - "traefik.http.routers.changedetection.tls=true"
-        - "traefik.http.services.changedetection-http.loadbalancer.server.port=5000"
-        - "traefik.http.routers.changedetection.middlewares=authchain@docker"
-
-     # Used for fetching pages via WebDriver+Chrome where you need Javascript support.
-     # Now working on arm64 (needs testing on rPi - tested on Oracle ARM instance)
-     # replace image with seleniarm/standalone-chromium:4.0.0-20211213
-
-     # If WEBDRIVER or PLAYWRIGHT are enabled, changedetection container depends on that
-     # and must wait before starting (substitute "browser-chrome" with "playwright-chrome" if last one is used)
-#    depends_on:
-#        browser-chrome:
-#            condition: service_started
-
-     # Used for fetching pages via Playwright+Chrome where you need Javascript support.
-     # RECOMMENDED FOR FETCHING PAGES WITH CHROME
-#    playwright-chrome:
-#        hostname: playwright-chrome
-#        image: dgtlmoon/sockpuppetbrowser:latest
-#        cap_add:
-#            - SYS_ADMIN
-## SYS_ADMIN might be too much, but it can be needed on your platform https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#running-puppeteer-on-gitlabci
-#        restart: unless-stopped
-#        environment:
-#            - SCREEN_WIDTH=1920
-#            - SCREEN_HEIGHT=1024
-#            - SCREEN_DEPTH=16
-#            - MAX_CONCURRENT_CHROME_PROCESSES=10
-
-     # Used for fetching pages via Playwright+Chrome where you need Javascript support.
-     # Note: Works well but is deprecated, does not fetch full page screenshots (doesnt work with Visual Selector)
-     #       Does not report status codes (200, 404, 403) and other issues
-#    browser-chrome:
-#        hostname: browser-chrome
-#        image: selenium/standalone-chrome:4
-#        environment:
-#            - VNC_NO_PASSWORD=1
-#            - SCREEN_WIDTH=1920
-#            - SCREEN_HEIGHT=1080
-#            - SCREEN_DEPTH=24
-#        volumes:
-#            # Workaround to avoid the browser crashing inside a docker container
-#            # See https://github.com/SeleniumHQ/docker-selenium#quick-start
-#            - /dev/shm:/dev/shm
-#        restart: unless-stopped
-
-  healthchecks:
-    container_name: healthchecks
-    restart: unless-stopped
-    # To use a pre-built image, remove the above "build" section
-    # and uncomment the following line:
-    image: healthchecks/healthchecks:latest
-    env_file:
-        - .healthchecks-env
-    ports:
-        - "8011:8000"
-        # To enable SMTP on port 2525, set SMTPD_PORT=2525 in .env
-        # and uncomment the following line:
-        # - "2525:2525"
-    command: bash -c 'uwsgi /opt/healthchecks/docker/uwsgi.ini'
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.healthchecks.rule=Host(`healthchecks.mycomputer.party`)"
-      - "traefik.http.routers.healthchecks.entrypoints=websecure"
-      - "traefik.http.routers.healthchecks.tls.certresolver=myresolver"
-      - "traefik.http.routers.healthchecks.tls=true"
-      - "traefik.http.services.healthchecks-http.loadbalancer.server.port=8000"
-      - "traefik.http.routers.healthchecks.middlewares=authchain@docker"
-  apache:
-    image: php:7.2-apache
-    volumes: 
-      - ./apache:/var/www/html
-    ports:
-      - 8012:80
-    container_name: apache
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.apache.rule=Host(`apache.mycomputer.party`)"
-      - "traefik.http.routers.apache.entrypoints=websecure"
-      - "traefik.http.routers.apache.tls.certresolver=myresolver"
-      - "traefik.http.routers.apache.tls=true"
-      - "traefik.http.services.apache-http.loadbalancer.server.port=80"
-      - "traefik.http.routers.apache.middlewares=internalOnlyWithAuth@docker"
-    networks:
-      - backend
-  apache2:
-    image: php:7.2-apache
-    volumes: 
-      - ./apache:/var/www/html
-    ports:
-      - 8013:80
-    container_name: apache2
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.apache2.rule=Host(`apache2.mycomputer.party`)"
-      - "traefik.http.routers.apache2.entrypoints=websecure"
-      - "traefik.http.routers.apache2.tls.certresolver=myresolver"
-      - "traefik.http.routers.apache2.tls=true"
-      - "traefik.http.services.apache2-http.loadbalancer.server.port=80"
-        #- traefik.http.routers.apache2.middlewares=authchain@docker
-    networks:
-      - backend
-
-        #wireguard:
-        #  image: lscr.io/linuxserver/wireguard
-        #  container_name: wireguard
-        #  cap_add:
-        #    - NET_ADMIN
-        #    - SYS_MODULE
-        #  environment:
-        #    - PUID=1001
-        #    - PGID=1001
-        #    - TZ=America/Thunder_Bay
-        #    - PEERS=thelma
-        #    - INTERNAL_SUBNET=10.11.20.0/24
-        #    - ALLOWEDIPS=10.11.0.0/16
-        #  volumes:
-        #    - ./wireguard:/config
-        #    - /lib/modules:/lib/modules
-        #  networks:
-        #    wireguard:
-        #      ipv4_address: 172.20.0.50
-        #  sysctls:
-        #    - net.ipv4.conf.all.src_valid_mark=1
-        #  restart: unless-stopped
-  crowdsec:
-    image: crowdsecurity/crowdsec
-    container_name: crowdsec
-    environment:
-      PGID: "1001"
-      COLLECTIONS: "crowdsecurity/sshd crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-cve firix/authentik"
-    ports:
-      - 8081:8080
-    expose:
-      - "8080"
-    volumes:
-      #- ./crowdsec/logs:/var/log/crowdsec:ro
-      - ./crowdsec/db:/var/lib/crowdsec/data
-      - /var/log:/var/log:ro
-      - ./crowdsec/opt:/etc/crowdsec
-      - ./logsTraefik:/logs/traefik:ro
-      - /var/run/docker.sock:/var/run/docker.sock #To read container logs, can use socket-proxy instead
-    restart: unless-stopped
-    labels:
-      - "traefik.enable=false"
-        #- "traefik.http.routers.crowdsec.rule=Host(`crowdsec.mycomputer.party`)"
-        #- "traefik.http.routers.crowdsec.entrypoints=websecure"
-        #- "traefik.http.routers.crowdsec.tls.certresolver=myresolver"
-        #- "traefik.http.routers.crowdsec.tls=true"
-    networks:
-      - proxy
-      - backend
-  ddns-updater:
-    image: docker.io/qmcgaw/ddns-updater
-    container_name: ddns-updater
-    ports:
-      - 8014:8000
-    volumes:
-      - ./ddns-updater:/updater/data
-  bookstack:
-    image: lscr.io/linuxserver/bookstack
-    container_name: bookstack
-    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/Thunder_Bay
-      - APP_URL=https://bookstack.mycomputer.party
-      - DB_HOST=bookstack_db
-      - DB_PORT=3306
-      - DB_USER=bookstack
-      - DB_PASS=Chn8i#ExmX@J1C
-      - DB_DATABASE=bookstackapp
-    env_file:
-      - .env-bookstack
-    volumes:
-      - /path/to/bookstack_app_data:/config
-    ports:
-      - 6875:80
-    restart: unless-stopped
-    depends_on:
-      - bookstack_db
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bookstack.rule=Host(`bookstack.mycomputer.party`)"
-      - "traefik.http.routers.bookstack.entrypoints=websecure"
-      - "traefik.http.routers.bookstack.tls.certresolver=myresolver"
-      - "traefik.http.routers.bookstack.tls=true"
-  bookstack_db:
-    image: lscr.io/linuxserver/mariadb
-    container_name: bookstack_db
-    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/Thunder_Bay
-      - MYSQL_ROOT_PASSWORD=cSoO1dcaS5sI&t
-      - MYSQL_DATABASE=bookstackapp
-      - MYSQL_USER=bookstack
-      - MYSQL_PASSWORD=Chn8i#ExmX@J1C
-    volumes:
-      - ./bookstack_db_data:/config
-    restart: unless-stopped
-  wikijs:
-    image: ghcr.io/requarks/wiki:2
-    container_name: wikijs
-    environment:
-      DB_TYPE: postgres
-      DB_HOST: postgres.injust.us
-      DB_PORT: 5432
-      DB_USER: wikijs
-      DB_PASS: 3Jfr7nmY4KBauR3nuHno
-      DB_NAME: wikijs
-    restart: unless-stopped
-    labels:
-    - "traefik.http.routers.wiki.rule=Host(`wikijs.mycomputer.party`)"
-    - traefik.http.routers.wiki.tls=true
-    - "traefik.http.routers.wiki.entrypoints=websecure"
-    - "traefik.http.routers.wiki.tls.certresolver=myresolver"
-
-      #  immich-server:
-      #    container_name: immich_server
-      #    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-      #    # extends:
-      #    #   file: hwaccel.transcoding.yml
-      #    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
-      #    volumes:
-      #      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
-      #      - ${UPLOAD_LOCATION}:/usr/src/app/upload
-      #      - /etc/localtime:/etc/localtime:ro
-      #    env_file:
-      #      - .env-immich
-      #    ports:
-      #      - 2283:3001
-      #    depends_on:
-      #      - redis
-      #        #- database
-      #    restart: always
-      #    healthcheck:
-      #      disable: false
-      #  database:
-      #    container_name: immich_postgres
-      #    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
-      #    environment:
-      #      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      #      POSTGRES_USER: ${DB_USERNAME}
-      #      POSTGRES_DB: ${DB_DATABASE_NAME}
-      #      POSTGRES_INITDB_ARGS: '--data-checksums'
-      #    volumes:
-      #      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
-      #      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-      #    healthcheck:
-      #      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
-      #      interval: 5m
-      #      start_interval: 30s
-      #      start_period: 5m
-      #    command: ["postgres", "-c", "shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
-      #    restart: always
-      #
-      #  immich-machine-learning:
-      #    container_name: immich_machine_learning
-      #    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
-      #    # Example tag: ${IMMICH_VERSION:-release}-cuda
-      #    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
-      #    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
-      #    #   file: hwaccel.ml.yml
-      #    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
-      #    volumes:
-      #      - model-cache:/cache
-      #    env_file:
-      #      - .env-immich
-      #    restart: always
-      #    healthcheck:
-      #      disable: false
-      #
-      #        #  redis:
-      #        #    container_name: immich_redis
-      #        #    image: docker.io/redis:6.2-alpine@sha256:2d1463258f2764328496376f5d965f20c6a67f66ea2b06dc42af351f75248792
-      #        #    healthcheck:
-      #        #      test: redis-cli ping || exit 1
-      #        #    restart: always
-
-
-
-
-volumes:
-  linkace_logs:
-  db:
-    driver: local
-  changedetection-data:
-  model-cache:
-
-networks:
-  wireguard:
-    name: wireguard
-    ipam:
-      driver: default
-      config:
-        - subnet: "172.20.0.0/24"
-  backend:
-  proxy:
-  docker_default:
-    external: True
-
-
-

ansible/assets/docker-ext/compose.yml.j2

@@ -4,7 +4,7 @@ services:
   traefik:
     container_name: traefik
     # The official v2 Traefik docker image
-    image: traefik:v3.1
+    image: traefik:v3.4
     restart: unless-stopped
     depends_on:
       - crowdsec
@@ -25,6 +25,7 @@ services:
       - --experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
       - --experimental.plugins.crowdsec-bouncer.version=v1.2.1
       # - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+      - --accesslog=true
     ports:
       # The HTTP port
       - "80:80"
@@ -71,7 +72,7 @@ services:
       #      Schedule: "*/5 * * * *" #optional
       #      TZ: Canada/Eastern #optional
   dokuwiki:
-    image: bitnami/dokuwiki:20240206
+    image: linuxserver/dokuwiki:version-2025-05-14a
     restart: unless-stopped
     container_name: dokuwiki
     ports:
@@ -89,7 +90,7 @@ services:
       - "traefik.http.routers.dokuwiki.entrypoints=websecure"
       - "traefik.http.routers.dokuwiki.tls.certresolver=myresolver"
       - traefik.http.routers.dokuwiki.tls=true
-      - "traefik.http.routers.dokuwiki.middlewares=crowdsec@docker"
+      #- "traefik.http.routers.dokuwiki.middlewares=crowdsec@docker"
   mail-server:
     tty: true
     stdin_open: true
@@ -106,7 +107,7 @@ services:
     volumes:
       - ./stalwart-mail:/opt/stalwart-mail
     container_name: stalwart-mail
-    image: stalwartlabs/mail-server:v0.10.6
+    image: stalwartlabs/mail-server:v0.11.6
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.stalwart.rule=Host(`stalwart.mycomputer.party`)"
@@ -114,48 +115,9 @@ services:
       - "traefik.http.routers.stalwart.tls.certresolver=myresolver"
       - "traefik.http.routers.stalwart.tls=true"
       - "traefik.http.services.stalwart-http.loadbalancer.server.port=8080"
-  # --- MariaDB
-  # linkace-db:
-  #  image: mariadb:11.2
-  #  container_name: linkace-db
-  #  restart: unless-stopped
-  #  command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
-  #  environment:
-  #    - MYSQL_ROOT_PASSWORD=LRd5^AwDF76CvE6fMb
-  #    - MYSQL_USER=linkace
-  #    - MYSQL_PASSWORD=linkace
-  #    - MYSQL_DATABASE=linkace
-  #  volumes:
-  #    - db:/var/lib/mysql
-
-  ## --- LinkAce Image with PHP and nginx
-  # linkace-app:
-  #  image: linkace/linkace:simple
-  #  container_name: linkace-app
-  #  restart: unless-stopped
-  #  depends_on:
-  #    - linkace-db
-  #  ports:
-  #    - "8009:80"
-  #    #- "0.0.0.0:443:443"
-  #  volumes:
-  #    - ./linkace/.env:/app/.env
-  #    - ./linkace/backups:/app/storage/app/backups
-  #    - linkace_logs:/app/storage/logs
-  #    # Remove the hash of the following line if you want to use HTTPS for this container
-  #    #- ./nginx-ssl.conf:/etc/nginx/conf.d/default.conf:ro
-  #    #- /path/to/your/ssl/certificates:/certs:ro
-  #  labels:
-  #    - "traefik.enable=true"
-  #    - "traefik.http.routers.linkace.rule=Host(`linkace.mycomputer.party`)"
-  #    - "traefik.http.routers.linkace.entrypoints=websecure"
-  #    - "traefik.http.routers.linkace.tls.certresolver=myresolver"
-  #    - "traefik.http.routers.linkace.tls=true"
-  #    - "traefik.http.services.linkace-http.loadbalancer.server.port=80"
-
   linkding:
     container_name: "${LD_CONTAINER_NAME:-linkding}"
-    image: sissbruecker/linkding:1.36.0-plus
+    image: sissbruecker/linkding:1.39.1-plus
     ports:
       - "${LD_HOST_PORT:-9090}:9090"
     volumes:
@@ -218,7 +180,7 @@ services:
       timeout: 3s
   authentik-server:
     container_name: authentik-server
-    image: ghcr.io/goauthentik/server:2024.8.2
+    image: ghcr.io/goauthentik/server:2025.6.2
     restart: unless-stopped
     command: server
     environment:
@@ -252,7 +214,7 @@ services:
       - "traefik.http.routers.authentik.middlewares=crowdsec@docker"
   authentik-worker:
     container_name: authentik-worker
-    image: ghcr.io/goauthentik/server:2024.8.2
+    image: ghcr.io/goauthentik/server:2025.6.2
     restart: unless-stopped
     command: worker
     environment:
@@ -278,7 +240,7 @@ services:
     depends_on:
       - redis
   changedetection:
-    image: ghcr.io/dgtlmoon/changedetection.io:0.47.06
+    image: ghcr.io/dgtlmoon/changedetection.io:0.49.7
     container_name: changedetection
     hostname: changedetection
     volumes:
@@ -392,7 +354,7 @@ services:
     restart: unless-stopped
     # To use a pre-built image, remove the above "build" section
     # and uncomment the following line:
-    image: healthchecks/healthchecks:v3.7
+    image: healthchecks/healthchecks:v3.9
     env_file:
       - .healthchecks-env
     ports:
@@ -410,7 +372,7 @@ services:
       - "traefik.http.services.healthchecks-http.loadbalancer.server.port=8000"
       - "traefik.http.routers.healthchecks.middlewares=authchain@docker"
   apache:
-    image: php:7.2-apache
+    image: php:8.4-apache
     volumes:
       - ./apache:/var/www/html
     ports:
@@ -427,7 +389,7 @@ services:
     networks:
       - backend
   apache2:
-    image: php:7.2-apache
+    image: php:8.4-apache
     volumes:
       - ./apache:/var/www/html
     ports:
@@ -443,6 +405,23 @@ services:
       # - traefik.http.routers.apache2.middlewares=authchain@docker
     networks:
       - backend
+  cocktails:
+    image: php:8.4-apache
+    volumes:
+      - ./cocktails_static:/var/www/html
+    ports:
+      - 8017:80
+    container_name: cocktails
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.cocktails.rule=Host(`cocktails.mycomputer.party`)"
+      - "traefik.http.routers.cocktails.entrypoints=websecure"
+      - "traefik.http.routers.cocktails.tls.certresolver=myresolver"
+      - "traefik.http.routers.cocktails.tls=true"
+      - "traefik.http.services.cocktails-http.loadbalancer.server.port=80"
+      # - traefik.http.routers.cocktails.middlewares=authchain@docker
+    networks:
+      - backend
 
       # wireguard:
       #  image: lscr.io/linuxserver/wireguard
@@ -467,7 +446,7 @@ services:
       #    - net.ipv4.conf.all.src_valid_mark=1
       #  restart: unless-stopped
   crowdsec:
-    image: crowdsecurity/crowdsec:v1.6.3
+    image: crowdsecurity/crowdsec:v1.6.9
     container_name: crowdsec
     environment:
       PGID: "1001"
@@ -494,7 +473,7 @@ services:
       - proxy
       - backend
   ddns-updater:
-    image: docker.io/qmcgaw/ddns-updater:v2.8
+    image: docker.io/qmcgaw/ddns-updater:v2.9
     container_name: ddns-updater
     ports:
       - 8014:8000
@@ -543,7 +522,7 @@ services:
       - ./bookstack_db_data:/config
     restart: unless-stopped
   wikijs:
-    image: ghcr.io/requarks/wiki:2.5.305
+    image: ghcr.io/requarks/wiki:2.5.307
     container_name: wikijs
     environment:
       DB_TYPE: postgres
@@ -558,68 +537,38 @@ services:
       - traefik.http.routers.wiki.tls=true
       - "traefik.http.routers.wiki.entrypoints=websecure"
       - "traefik.http.routers.wiki.tls.certresolver=myresolver"
+  plik:
+    image: rootgg/plik:1.3.8
+    container_name: plik
+    volumes:
+      - ./plik/plikd.cfg:/home/plik/server/plikd.cfg
+      - ./plik/data:/data
+    ports:
+      - 8015:8080
+    restart: "unless-stopped"
+    labels:
+      - "traefik.http.routers.plik.rule=Host(`plik.mycomputer.party`)"
+      - traefik.http.routers.plik.tls=true
+      - "traefik.http.routers.plik.entrypoints=websecure"
+      - "traefik.http.routers.plik.tls.certresolver=myresolver"
+  #cmg:
+  #  image: gitea.mycomputer.party/justus/cmg:latest
+  #  container_name: cmg
+  #  volumes:
+  #    - ./cmg/static:/usr/local/app/static
+  #    - ./cmg/templates:/usr/local/app/templates
+  #    - ./cmg/menu:/usr/local/app/menu
+  #  ports:
+  #    - 8016:5000
+  #  restart: unless-stopped
+  #  labels:
+  #    - "traefik.http.routers.cmg.rule=Host(`cocktailmenu.mycomputer.party`)"
+  #    - traefik.http.routers.cmg.tls=true
+  #    - "traefik.http.routers.cmg.entrypoints=websecure"
+  #    - "traefik.http.routers.cmg.tls.certresolver=myresolver"
+
+
 
-      #  immich-server:
-      #    container_name: immich_server
-      #    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-      #    # extends:
-      #    #   file: hwaccel.transcoding.yml
-      #    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
-      #    volumes:
-      #      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
-      #      - ${UPLOAD_LOCATION}:/usr/src/app/upload
-      #      - /etc/localtime:/etc/localtime:ro
-      #    env_file:
-      #      - .env-immich
-      #    ports:
-      #      - 2283:3001
-      #    depends_on:
-      #      - redis
-      #        #- database
-      #    restart: always
-      #    healthcheck:
-      #      disable: false
-      #  database:
-      #    container_name: immich_postgres
-      #    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
-      #    environment:
-      #      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      #      POSTGRES_USER: ${DB_USERNAME}
-      #      POSTGRES_DB: ${DB_DATABASE_NAME}
-      #      POSTGRES_INITDB_ARGS: '--data-checksums'
-      #    volumes:
-      #      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
-      #      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-      #    healthcheck:
-      #      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
-      #      interval: 5m
-      #      start_interval: 30s
-      #      start_period: 5m
-      #    command: ["postgres", "-c", "shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
-      #    restart: always
-      #
-      #  immich-machine-learning:
-      #    container_name: immich_machine_learning
-      #    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
-      #    # Example tag: ${IMMICH_VERSION:-release}-cuda
-      #    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
-      #    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
-      #    #   file: hwaccel.ml.yml
-      #    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
-      #    volumes:
-      #      - model-cache:/cache
-      #    env_file:
-      #      - .env-immich
-      #    restart: always
-      #    healthcheck:
-      #      disable: false
-      #
-      #        #  redis:
-      #        #    container_name: immich_redis
-      #        #    image: docker.io/redis:6.2-alpine@sha256:2d1463258f2764328496376f5d965f20c6a67f66ea2b06dc42af351f75248792
-      #        #    healthcheck:
-      #        #      test: redis-cli ping || exit 1
-      #        #    restart: always
 
 volumes:
   linkace_logs:

ansible/assets/docker-ext/wg0.conf.j2

@@ -1,9 +1,11 @@
 [Interface]
-PrivateKey = {{ docker-ext_wg_private_key }}
+PrivateKey = {{ homeserver_wg_private_key }}
 Address = 10.11.20.2/24
+ListenPort = 51820
 
 [Peer]
-PublicKey = s3Ch/zcv5IeSpIbHBT5pdzpHWwV2qh4Z9W/0DSZg/CQ=
+PublicKey = {{ bastion_wg_public_key }}
 AllowedIPs = 0.0.0.0/0
 Endpoint = vps.mycomputer.party:51820
 PersistentKeepalive = 25
+

ansible/assets/docker-int/.env-immich.j2

@@ -0,0 +1,20 @@
+# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+
+# The location where your uploaded files are stored
+UPLOAD_LOCATION=./immich/library
+# The location where your database files are stored
+DB_DATA_LOCATION=./immich/postgres
+
+# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+# TZ=Etc/UTC
+
+# The Immich version to use. You can pin this to a specific version like "v1.71.0"
+IMMICH_VERSION=v1.121.0
+
+#DB_URL='postgresql://immich:immichdbpassword@postgres.injust.us:5432/immich'
+DB_HOSTNAME=postgres.injust.us
+DB_PORT=5432
+DB_USERNAME=immich
+DB_PASSWORD={{ immich_db_password }}
+DB_DATABASE_NAME=immich
+

ansible/assets/docker-int/compose.yml.j2

@@ -1,170 +1,205 @@
 ---
-version: '3.3'
 services:
-    traefik:
+  traefik:
-        container_name: traefik
+    container_name: traefik
-        # The official v2 Traefik docker image
+    # The official v2 Traefik docker image
-        image: traefik:v2.11
+    image: traefik:v3.4
-        # Enables the web UI and tells Traefik to listen to docker
+    # Enables the web UI and tells Traefik to listen to docker
-        command:
+    restart: unless-stopped
-            - --api.insecure=true
+    command:
-            - --providers.docker
+      - --api.insecure=true
-            - "--log.filePath=/var/log/traefik/traefik.log"
+      - --providers.docker
-            - "--entryPoints.web.address=:80"
+      - "--log.filePath=/var/log/traefik/traefik.log"
-            - "--entryPoints.websecure.address=:443"
+      - "--entryPoints.web.address=:80"
-            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+      - "--entryPoints.websecure.address=:443"
-            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
-            # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
-            - "--certificatesresolvers.myresolver.acme.email=jg@justus.ws"
+      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-            - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.myresolver.acme.email=jg@justus.ws"
-        ports:
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
-            # The HTTP port
+    ports:
-            - "80:80"
+      # The HTTP port
-            - "443:443"
+      - "80:80"
-            # The Web UI (enabled by --api.insecure=true)
+      - "443:443"
-            - "8080:8080"
+      # The Web UI (enabled by --api.insecure=true)
-        volumes:
+      - "8080:8080"
-            # So that Traefik can listen to the Docker events
+    volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
+      # So that Traefik can listen to the Docker events
-            - "./letsencrypt:/letsencrypt"
+      - /var/run/docker.sock:/var/run/docker.sock
-            - "./logsTraefik:/var/log/traefik"
+      - "./letsencrypt:/letsencrypt"
-        environment:
+      - "./logsTraefik:/var/log/traefik"
-            - "CF_API_KEY={{ cf_api_key }}"
+    environment:
-            - "CF_API_EMAIL=jg@justus.ws"
+      - "CF_API_KEY={{ cf_api_key }}"
-    # squid:
+      - "CF_API_EMAIL=jg@justus.ws"
-    #    container_name: squid
+  # squid:
-    #    volumes:
+  #    container_name: squid
-    #        # - '/root/docker/squid/logs:/var/log/squid'
+  #    volumes:
-    #        #  - '/root/docker/squid/data:/var/spool/squid'
+  #        # - '/root/docker/squid/logs:/var/log/squid'
-    #        - '/root/docker/squid/squid.conf:/etc/squid/squid.conf'
+  #        #  - '/root/docker/squid/data:/var/spool/squid'
-    #        #  - '/rood/docker/squid/config-snippet:/etc/squid/conf.d/snippet.conf'
+  #        - '/root/docker/squid/squid.conf:/etc/squid/squid.conf'
-    #    environment:
+  #        #  - '/rood/docker/squid/config-snippet:/etc/squid/conf.d/snippet.conf'
-    #        - TZ=America/Thunder_Bay
+  #    environment:
-    #    ports:
+  #        - TZ=America/Thunder_Bay
-    #        - '3128:3128'
+  #    ports:
-    #    image: 'ubuntu/squid:5.2-22.04_beta'
+  #        - '3128:3128'
-    #      # yacy_search_server:
+  #    image: 'ubuntu/squid:5.2-22.04_beta'
-    #      #    container_name: yacy
+  #      # yacy_search_server:
-    #      #    ports:
+  #      #    container_name: yacy
-    #      #        - '8090:8090'
+  #      #    ports:
-    #      #        - '8443:8443'
+  #      #        - '8090:8090'
-    #      #    logging:
+  #      #        - '8443:8443'
-    #      #        options:
+  #      #    logging:
-    #      #          max-size: 200
+  #      #        options:
-    #      #          max-file: 2
+  #      #          max-size: 200
-    #      #    image: 'yacy/yacy_search_server:latest'
+  #      #          max-file: 2
-    paperless-broker:
+  #      #    image: 'yacy/yacy_search_server:latest'
-        image: docker.io/library/redis:7
+  paperless-broker:
-        container_name: paperless-broker
+    image: docker.io/library/redis:7
-        restart: unless-stopped
+    container_name: paperless-broker
-        volumes:
+    restart: unless-stopped
-            - redisdata:/data
+    volumes:
-            #    db:
+      - redisdata:/data
-            #      image: docker.io/library/postgres:15
+  paperless-webserver:
-            #      restart: unless-stopped
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.16.3
-            #      volumes:
+    container_name: paperless-webserver
-            #        - pgdata:/var/lib/postgresql/data
+    restart: unless-stopped
-            #      environment:
+    depends_on:
-            #        POSTGRES_DB: paperless
+      #        - db
-            #        POSTGRES_USER: paperless
+      - paperless-broker
-            #        POSTGRES_PASSWORD: paperless
+    ports:
-    paperless-webserver:
+      - "8000:8000"
-        image: ghcr.io/paperless-ngx/paperless-ngx:2.7.2
+    volumes:
-        container_name: paperless-webserver
+      - data:/usr/src/paperless/data
-        restart: unless-stopped
+      - media:/usr/src/paperless/media
-        depends_on:
+      - export:/usr/src/paperless/export
-            #        - db
+      - consume:/usr/src/paperless/consume
-            - paperless-broker
+    #env_file: docker-compose.env
-        ports:
+    environment:
-            - "8000:8000"
+      PAPERLESS_DATE_ORDER: MDY
-        volumes:
+    labels:
-            - data:/usr/src/paperless/data
+      - "traefik.http.routers.paperless.rule=Host(`paperless.injust.us`)"
-            - media:/usr/src/paperless/media
+      - "traefik.http.routers.paperless.entrypoints=websecure"
-            - export:/usr/src/paperless/export
+      - traefik.http.routers.paperless.tls=true
-            - consume:/usr/src/paperless/consume
+      - "traefik.http.routers.paperless.tls.certresolver=myresolver"
-        env_file: docker-compose.env
+  webdav:
-        # environment:
+    container_name: webdav
-        labels:
+    image: ionelmc/webdav
-            - "traefik.http.routers.paperless.rule=Host(`paperless.injust.us`)"
+    restart: unless-stopped
-            - "traefik.http.routers.paperless.entrypoints=websecure"
+    ports:
-            - traefik.http.routers.paperless.tls=true
+      - "8081:8080"
-            - "traefik.http.routers.paperless.tls.certresolver=myresolver"
+    environment:
-    webdav:
+      WEBDAV_USERNAME: alice
-        container_name: webdav
+      WEBDAV_PASSWORD: "{{ webdav_password }}"
-        image: ionelmc/webdav
+      UID: 1001
-        restart: unless-stopped
+    volumes:
-        ports:
+      - ./consume:/media
-            - "8081:8080"
+    labels:
-        environment:
+      - "traefik.http.routers.webdav.rule=Host(`webdav.injust.us`)"
-            WEBDAV_USERNAME: alice
+  testweb:
-            WEBDAV_PASSWORD: "{{ webdav_password }}"
+    image: httpd:2.4
-            UID: 1001
+    ports:
-        volumes:
+      - "8008:80"
-            - ./consume:/media
+    volumes:
-            # webdav:
+      - ./htdocs:/usr/local/apache2/htdocs/
-            #  container_name: webdav
+    labels:
-            #  image: bytemark/webdav
+      - "traefik.http.routers.testweb.rule=Host(`testweb.injust.us`)"
-            #  restart: unless-stopped
+      - traefik.http.routers.testweb.tls=true
-            #  ports:
+      - "traefik.http.routers.testweb.entrypoints=websecure"
-            #    - "8081:80"
+      - "traefik.http.routers.testweb.tls.certresolver=myresolver"
-            #  environment:
+  actual_server:
-            #    AUTH_TYPE: Digest
+    image: docker.io/actualbudget/actual-server:25.3.1
-            #    USERNAME: alice
+    ports:
-            #    PASSWORD: secret1234
+      # This line makes Actual available at port 5006 of the device you run the server on,
-            #  volumes:
+      # i.e. http://localhost:5006. You can change the first number to change the port, if you want.
-            #    - consume:/var/lib/dav/data/ScannerPro
+      - '5006:5006'
-        labels:
+      # environment:
-            - "traefik.http.routers.webdav.rule=Host(`webdav.injust.us`)"
+      # Uncomment any of the lines below to set configuration options.
-    testweb:
+      # - ACTUAL_HTTPS_KEY=/data/selfhost.key
-        image: httpd:2.4
+      # - ACTUAL_HTTPS_CERT=/data/selfhost.crt
-        ports:
+      # - ACTUAL_PORT=5006
-            - "8008:80"
+      # - ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=20
-        volumes:
+      # - ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=50
-            - ./htdocs:/usr/local/apache2/htdocs/
+      # - ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=20
-        labels:
+      # See all options and more details at https://actualbudget.github.io/docs/Installing/Configuration
-            - "traefik.http.routers.testweb.rule=Host(`testweb.injust.us`)"
+      # !! If you are not using any of these options, remove the 'environment:' tag entirely.
-            - traefik.http.routers.testweb.tls=true
+    volumes:
-            - "traefik.http.routers.testweb.entrypoints=websecure"
+      # Change './actual-data' below to the path to the folder you want Actual to store its data in on your server.
-            - "traefik.http.routers.testweb.tls.certresolver=myresolver"
+      # '/data' is the path Actual will look for its files in by default, so leave that as-is.
-    actual_server:
+      - ./actual-data:/data
-        image: docker.io/actualbudget/actual-server:24.11.0
+    labels:
-        ports:
+      - "traefik.http.routers.actual.rule=Host(`actual.injust.us`)"
-            # This line makes Actual available at port 5006 of the device you run the server on,
+      - traefik.http.routers.actual.tls=true
-            # i.e. http://localhost:5006. You can change the first number to change the port, if you want.
+      - "traefik.http.routers.actual.entrypoints=websecure"
-            - '5006:5006'
+      - "traefik.http.routers.actual.tls.certresolver=myresolver"
-            # environment:
+    restart: unless-stopped
-            # Uncomment any of the lines below to set configuration options.
+
-            # - ACTUAL_HTTPS_KEY=/data/selfhost.key
+  immich-server:
-            # - ACTUAL_HTTPS_CERT=/data/selfhost.crt
+    container_name: immich_server
-            # - ACTUAL_PORT=5006
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-            # - ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=20
+    # extends:
-            # - ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=50
+    #   file: hwaccel.transcoding.yml
-            # - ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=20
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
-            # See all options and more details at https://actualbudget.github.io/docs/Installing/Configuration
+    volumes:
-            # !! If you are not using any of these options, remove the 'environment:' tag entirely.
+      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
-        volumes:
+      - immich:/usr/src/app/upload
-            # Change './actual-data' below to the path to the folder you want Actual to store its data in on your server.
+      - /etc/localtime:/etc/localtime:ro
-            # '/data' is the path Actual will look for its files in by default, so leave that as-is.
+    env_file:
-            - ./actual-data:/data
+      - .env-immich
-        labels:
+    ports:
-            - "traefik.http.routers.actual.rule=Host(`actual.injust.us`)"
+      - 2283:2283
-            - traefik.http.routers.actual.tls=true
+    depends_on:
-            - "traefik.http.routers.actual.entrypoints=websecure"
+      - redis
-            - "traefik.http.routers.actual.tls.certresolver=myresolver"
+      #- database
-        restart: unless-stopped
+    restart: always
+    healthcheck:
+      disable: false
+    labels:
+      - "traefik.http.routers.immich.rule=Host(`immich.mycomputer.party`)"
+      - traefik.http.routers.immich.tls=true
+      - "traefik.http.routers.immich.entrypoints=websecure"
+      - "traefik.http.routers.immich.tls.certresolver=myresolver"
+
+  redis:
+    container_name: immich_redis
+    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+
+  immich-machine-learning:
+    container_name: immich_machine_learning
+    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
+    # Example tag: ${IMMICH_VERSION:-release}-cuda
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
+    #   file: hwaccel.ml.yml
+    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    volumes:
+      - model-cache:/cache
+    env_file:
+      - .env-immich
+    restart: always
+    healthcheck:
+      disable: false
 
 volumes:
-    data:
+  data:
-    media:
+  media:
-    pgdata:
+  pgdata:
-    redisdata:
+  redisdata:
-    consume:
+  consume:
-        driver_opts:
+    driver_opts:
-            type: "nfs"
+      type: "nfs"
-            o: "addr=omv.injust.us,nolock,soft,rw"
+      o: "addr=omv.injust.us,nolock,soft,rw"
-            device: ":/export/Paperless"
+      device: ":/export/Paperless"
-    export:
+  export:
-        driver_opts:
+    driver_opts:
-            type: "nfs"
+      type: "nfs"
-            o: "addr=omv.injust.us,nolock,soft,rw"
+      o: "addr=omv.injust.us,nolock,soft,rw"
-            device: ":/export/Paperless_Export"
+      device: ":/export/Paperless_Export"
+  immich:
+    driver_opts:
+      type: "nfs"
+      o: "addr=omv.injust.us,nolock,soft,rw"
+      device: ":/export/Immich"
+  model-cache:

ansible/assets/git/compose.yml.j2

@@ -11,7 +11,7 @@ volumes:
 
 services:
   server:
-    image: gitea/gitea:1.22.3
+    image: gitea/gitea:1.23.5
     container_name: gitea
     restart: unless-stopped
     environment:

ansible/assets/gitea/compose.yml.j2

@@ -8,6 +8,7 @@ services:
       GITEA_INSTANCE_URL: "{{ gitea_instance_url }}"
       GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_token }}"
       GITEA_RUNNER_NAME: "{{ gitea_runner_name }}"
+    restart: always
     volumes:
       - ./config.yaml:/config.yaml
       - ./data:/data

ansible/assets/wireguard/wg0.conf.j2

@@ -0,0 +1,22 @@
+[Interface]
+PrivateKey = {{ docker_int_wg_private_key }}
+#pub V7kI33VgyxtJXRGWH0yTnbUXPqE4ZK8wQGPilVUXlWo=
+Address = 10.11.19.1/24
+ListenPort = 51820
+#PostUp = iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
+#PostDown = iptables -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE -t nat
+
+#MacBook
+[Peer]
+PublicKey = /A0WduzRrt/LwKmGm6lq/+TS/1gBekU86FSdhvUo82M=
+AllowedIPs = 10.11.19.4
+
+#Work
+[Peer]
+PublicKey = eEHA7CSOR5nha9w4SCB+tOXcuCxgkxIXtNU3xB7wZn4=
+AllowedIPs = 10.11.19.5/32
+
+#Phone
+[Peer]
+PublicKey = QJmTVggRFs6Df/snbb3Fx3PeFFeaOqy3eUruV0eIXyE=
+AllowedIPs = 10.11.19.6/32

ansible/buildHomelab.yaml

@@ -10,7 +10,7 @@
 
     - name: Delete existing netplan
       ansible.builtin.command: rm -f /etc/netplan/*
-     
+    
     - name: Copy netplan
       ansible.builtin.template:
         src: assets/{{ inventory_hostname }}/01-netcfg.yaml.j2
@@ -36,6 +36,7 @@
       ansible.builtin.shell: systemctl restart systemd-resolved
 
     - name: Install restic
+      ignore_errors: true
       ansible.builtin.apt:
         update_cache: true
         name:
@@ -56,9 +57,21 @@
   roles:
     - bastion
 
+- name: Immich env
+  hosts:
+    - docker-int
+  tags:
+    - docker
+    - docker_hosts
+  tasks:
+    - name: "Immich env"
+      ansible.builtin.template:
+        src: assets/{{ inventory_hostname }}/.env-immich.j2
+        dest: /root/docker/.env-immich
+        backup: true
 
 - name: Configure Docker hosts
-  hosts: 
+  hosts:
     - docker
   vars:
   tags:
@@ -70,23 +83,38 @@
         src: assets/{{ inventory_hostname }}/compose.yml.j2
         dest: /root/docker/compose.yml
         backup: true
+    - name: Pull images
+      ansible.builtin.shell: docker compose pull
+      args:
+        chdir: /root/docker
     - name: Run Docker
       ansible.builtin.shell: docker compose up -d --remove-orphans
       args:
         chdir: /root/docker
+    - name: Prune images
+      ansible.builtin.shell: docker image prune -f
 
-- name: Local server Wireguard
+- name: Homeserver wireguard
-  hosts: 
+  hosts:
     - docker-ext
   tags:
     - bastion
   tasks:
-    - name: "Local server Wireguard"
+    - name: "Homeserver Wireguard config"
       ansible.builtin.template:
         src: assets/{{ inventory_hostname }}/wg0.conf.j2
         dest: /etc/wireguard/wg0.conf
         backup: true
 
+
+- name: Setup Wireguard wireguard
+  hosts: wireguard
+  vars:
+  tags:
+    - wireguard
+  roles:
+    - bastion
+
 - name: Traefik config
   hosts:
     - docker-ext

ansible/inventory/group_vars/external_access/vars

@@ -0,0 +1,4 @@
+bastion_wg_public_key: s3Ch/zcv5IeSpIbHBT5pdzpHWwV2qh4Z9W/0DSZg/CQ=
+bastion_wg_private_key: "{{ vault_bastion_wg_private_key }}"
+homeserver_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
+homeserver_wg_private_key: "{{ vault_homeserver_wg_private_key }}"

ansible/inventory/group_vars/external_access/vault

@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+63313365346334336431303631306338366438616433623333343531653765363531303966653661
+6265393431346631346661363264393937663663333832360a346634306132633839383731353036
+65353434616566623963323134353234316362663636333162366561386137363431393936363437
+3636326139363765640a333736363530616238303531663637303064633961323332353766323134
+39306535636566333165623835363239333331383830616564626437656463376464663238663731
+64373335343135333535356231613733633565623530396165663237656135333032626138643364
+62343665663832653165323263643230343738363066633938373961386332333131306636643564
+65616635343065646261333930363635376133626462646532326436323130396266653263376331
+65653430373333633536356233616230363538323032616337363139666330353836653036376264
+35326439323939656639616665633265623264396132313337376661373731313138376136336664
+37656138373131303263343266643439333035356635636664646638373539373130336638383233
+31303139366130303137

ansible/inventory/group_vars/wireguard/vars

@@ -0,0 +1 @@
+docker_int_wg_private_key: "{{ vault_docker_int_wg_private_key }}"

ansible/inventory/group_vars/wireguard/vault

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62643663333863323162613131393738396338666162623530336235613164636337666235333166
+3533366265333931623439666134346130356430333531330a636561363132666339353861396332
+37646564626364306264636539633362663139643238353532393661666165643531343930316637
+3365663330326131630a663062343535376438343462373733363762343637333730396463643638
+62363235623765386133336466663433633430316531316364643233303061626664653761303930
+31366162666239656333626232323334373865653561326131336262343133663030306363626461
+64306466373764343132333564626638633932633538306536626666636338316433346666656135
+34643761633861656135

ansible/inventory/host_vars/all/vars

@@ -1,2 +1,3 @@
-docker-ext_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
+ansible_ssh_user: root
-docker-ext_wg_private_key: GFNTkhkNuQe63+SgCrPVGgAtU98WKHdtUPSmsqjiDVs=
+docker_ext_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
+docker_ext_wg_private_key: GFNTkhkNuQe63+SgCrPVGgAtU98WKHdtUPSmsqjiDVs=

ansible/inventory/host_vars/basementpi/vars

@@ -1,4 +1,6 @@
 ---
+ansible_host: 10.11.1.10 
+
 pi_ip: 10.11.1.10
 pi_mask: 255.255.255.0
 pi_gateway: 10.11.1.1

ansible/inventory/host_vars/bastion/vars

@@ -1,4 +1,6 @@
 ---
+ansible_host: 51.222.155.202 
+
 wg_private_key: "{{ vault_wg_private_key }}"
 wg_interface_ip: 10.11.20.1/24
 

ansible/inventory/host_vars/docker-int/vars

@@ -1,3 +1,4 @@
 ---
 cf_api_key: "{{ vault_cf_api_key }}"
 webdav_password: "{{ vault_webdav_password }}"
+immich_db_password: "{{ vault_immich_db_password }}"

ansible/inventory/host_vars/docker-int/vault

@@ -1,10 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-35353935306336363466613765393230363230396162346665373961653631636464383737356331
+34663465306462326661306266323134336338363766303132656636313539383733353264326633
-3835326264613564613034663166656333663464373835610a346239366162323935383362316263
+6665376137656137306632336264333131383237623461610a353038623739336134633336393038
-31346237376639376331616463306165643462633032366136626464313063373032646162336539
+66363366386131313534353466616161393634346335616536333335383765356162653635373933
-3832653562376661610a386663313034326165336630333463333131343432613636613539643365
+3930636333346261390a343836356163626264353662376165356139373537656234376363353562
-39653238646535613962373234363732636539623262363361663038303930353965316535373262
+36363666646661633332336433663766613065653032656339663432356564303237633138376366
-31306136336663643634376366396537653162376635303961643864613335653364316163386538
+36656332653433343130353934336239616165396365383038623661663461373930303530633037
-37396531623265656431306635343230386365353364316264353431613138326264666561346439
+30386532633062636330303333323462653430363765613366326539386565633266626162323234
-34373464653764303062353532333865666133373562313232613136383234306139633036386238
+31353534336537343038353934343633386463313339616331303731643331313831303730663963
-30303430303334613735313534663935663266393036666262376635656536323230
+39643965646234336431343037313034653536396332356564393063306561633838316139626531
+65313866303536373361316638333263653337623666306465663435356330636538303465653037
+303064646233663837323064616338643761

ansible/inventory/hosts.yaml

@@ -1,7 +1,12 @@
+---
+all:
+  vars:
+    ansible_ssh_user: root
+
 ungrouped:
   hosts:
     bastion:
-      ansible_host: 51.222.155.202 
+      ansible_host: 51.222.155.202
       ansible_ssh_user: root
 
 docker:
@@ -10,10 +15,17 @@ docker:
       ansible_ssh_user: root
     docker-int:
       ansible_ssh_user: root
-    git:
-      ansible_ssh_user: root
     basementpi:
-      ansible_host: 10.11.1.10 
+      ansible_host: 10.11.1.10
       ansible_ssh_user: root
     gitea:
       ansible_ssh_user: root
+
+#wireguard:
+# hosts:
+#    wireguard:
+
+external_access:
+  hosts:
+    docker-ext:
+    bastion:

ansible/roles/bastion/tasks/main.yml

@@ -7,6 +7,7 @@
   ansible.builtin.package:
     name: wireguard
     state: present
+    update_cache: true
 - name: Shutdown Wireguard (remove iptables rules)
   ansible.builtin.shell: wg-quick down wg0
   ignore_errors: true

requirements.txt

@@ -1,10 +1,10 @@
 ansible==8.7.0
 ansible-core==2.15.11
-cffi==1.15.1
+#cffi==1.15.1
-cryptography==39.0.0
+#cryptography==39.0.0
-Jinja2==3.1.2
+#Jinja2==3.1.2
-MarkupSafe==2.1.1
+#MarkupSafe==2.1.1
-packaging==23.0
+#packaging==23.0
-pycparser==2.21
+#pycparser==2.21
-PyYAML==6.0
+#PyYAML==6.0
-resolvelib==0.8.1
+#resolvelib==0.8.1