Red Ranger! GO!

This commit is contained in:
Annika Merris 2026-06-02 00:30:56 +00:00
parent ce6b85bc09
commit 6afb19a45c
31 changed files with 675 additions and 34 deletions


@ -1,3 +1,10 @@
{ {
"ansible.python.interpreterPath": "/usr/bin/python" "ansible.python.interpreterPath": "/usr/bin/python",
"yaml.schemas": {
"https://www.schemastore.org/traefik-v2.json": [
"file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/basic.yaml",
"file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/umm.yaml",
"file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/dynamic.yaml"
]
}
} }
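Review bot: The schema association lists `basic.yaml`, `umm.yaml` and `dynamic.yaml` under `roles/traefik/files/`, but the only file this commit ships from that directory is `routers.yaml` (the copy loop at L570), so the mapping points at files not present in the commit while the one that is present gets no schema. I cannot see the repository tree from here, so if those three files already exist this is fine; otherwise an entry for `.../roles/traefik/files/routers.yaml` is the one that would actually help editing.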


@ -11,3 +11,16 @@ services:
- SECRET_ENCRYPTION_KEY=${HOMARR_ENCRYPTION_KEY} - SECRET_ENCRYPTION_KEY=${HOMARR_ENCRYPTION_KEY}
ports: ports:
- "7575:7575" - "7575:7575"
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.homarr.rule: Host(`homarr.local.cobb.lgbt`)
traefik.http.routers.homarr.entryPoints: websecure
traefik.http.routers.homarr.tls.certResolver: letsEncrypt
traefik.http.routers.homarr.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true
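Review bot: The service keeps its direct host port publish (`- "7575:7575"`) while gaining a Traefik router, so the LAN can still reach homarr without the TLS termination, metrics and any middlewares the router provides; once routing through Traefik is confirmed, drop the `ports:` entry (or bind it to a loopback/management address) so the proxy is the only path. The same pattern applies to the lidarr, prowlarr, radarr, sabnzbd, sonarr, whisparr, calibre, immich, ntfy, readeck and termix sections, where the `ports:` lines are sometimes outside the shown hunk and I am inferring they still exist. None of these docker-label routers attach the `known-ips@file` middleware that the file-provider routers use (L469, L481, L501), so exposure via Traefik is wider than the dashboard's; if that is not intended, `traefik.http.routers.homarr.middlewares: known-ips@file` is the one-line fix per service.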


@ -15,3 +15,16 @@ services:
volumes: volumes:
- /opt/arr/lidarr/config:/config - /opt/arr/lidarr/config:/config
- /mnt/storage:/data - /mnt/storage:/data
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.lidarr.rule: Host(`lidarr.local.cobb.lgbt`)
traefik.http.routers.lidarr.entryPoints: websecure
traefik.http.routers.lidarr.tls.certResolver: letsEncrypt
traefik.http.routers.lidarr.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -14,3 +14,16 @@ services:
- WEBUI_PORTS=9696/tcp - WEBUI_PORTS=9696/tcp
volumes: volumes:
- /opt/arr/prowlarr/config:/config - /opt/arr/prowlarr/config:/config
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.prowlarr.rule: Host(`prowlarr.local.cobb.lgbt`)
traefik.http.routers.prowlarr.entryPoints: websecure
traefik.http.routers.prowlarr.tls.certResolver: letsEncrypt
traefik.http.routers.prowlarr.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -15,3 +15,16 @@ services:
volumes: volumes:
- /opt/arr/radarr/config:/config - /opt/arr/radarr/config:/config
- /mnt/storage:/data - /mnt/storage:/data
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.radarr.rule: Host(`radarr.local.cobb.lgbt`)
traefik.http.routers.radarr.entryPoints: websecure
traefik.http.routers.radarr.tls.certResolver: letsEncrypt
traefik.http.routers.radarr.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -13,3 +13,16 @@ services:
ports: ports:
- 8081:8080 - 8081:8080
restart: unless-stopped restart: unless-stopped
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.sabnzbd.rule: Host(`sabnzbd.local.cobb.lgbt`)
traefik.http.routers.sabnzbd.entryPoints: websecure
traefik.http.routers.sabnzbd.tls.certResolver: letsEncrypt
traefik.http.routers.sabnzbd.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -15,3 +15,16 @@ services:
volumes: volumes:
- /opt/arr/sonarr/config:/config - /opt/arr/sonarr/config:/config
- /mnt/storage:/data - /mnt/storage:/data
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.sonarr.rule: Host(`sonarr.local.cobb.lgbt`)
traefik.http.routers.sonarr.entryPoints: websecure
traefik.http.routers.sonarr.tls.certResolver: letsEncrypt
traefik.http.routers.sonarr.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -15,3 +15,16 @@ services:
volumes: volumes:
- /opt/arr/whisparr/config:/config - /opt/arr/whisparr/config:/config
- /mnt/storage:/data - /mnt/storage:/data
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.whisparr.rule: Host(`whisparr.local.cobb.lgbt`)
traefik.http.routers.whisparr.entryPoints: websecure
traefik.http.routers.whisparr.tls.certResolver: letsEncrypt
traefik.http.routers.whisparr.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -9,6 +9,17 @@
- name: Ensure Caddy is running on this device - name: Ensure Caddy is running on this device
block: block:
- name: Load IP addresses for other hosts
tags: packages,caddy,network
ansible.builtin.set_fact:
caddy_adguard_address: "{{ hostvars['adguard']['ansible_host'] }}"
caddy_nemetona_address: "{{ hostvars['nemetona']['ansible_host'] }}"
caddy_pve_address: "{{ hostvars['pve']['ansible_host'] }}"
caddy_code_address: "{{ hostvars['stephanie']['ansible_host'] }}"
caddy_home_assistant_address: "{{ hostvars['home_assistant']['ansible_host'] }}"
caddy_frigate_address: "{{ hostvars['curren']['ansible_host'] }}"
caddy_truenas_address: "{{ hostvars['mors']['ansible_host'] }}"
cacheable: true
- name: Ensure presense of folders for Caddy Home - name: Ensure presense of folders for Caddy Home
tags: packages,docker,caddy tags: packages,docker,caddy
ansible.builtin.file: ansible.builtin.file:
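Review bot: The `caddy_*_address` facts duplicate, prefix aside, the block the new traefik role sets at L525-535 from the same `hostvars[...]['ansible_host']` lookups, so the host-to-service address mapping now lives in two roles and will drift the first time one is edited. A shared group_vars entry (or one role setting an unprefixed fact) read by both templates would keep a single source of truth. `cacheable: true` also persists these into the fact cache, which is harmless for addresses but deserves a one-line comment stating that it is intentional. The enclosing block continues outside the hunk.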


@ -4,13 +4,13 @@
} }
authentik.local.cobb.lgbt { authentik.local.cobb.lgbt {
reverse_proxy 10.69.10.50:9000 { reverse_proxy {{ caddy_nemetona_address }}:9000 {
trusted_proxies private_ranges trusted_proxies private_ranges
} }
} }
pve.local.cobb.lgbt { pve.local.cobb.lgbt {
reverse_proxy 10.69.1.7:8006 { reverse_proxy {{ caddy_pve_address }}:8006 {
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
@ -18,7 +18,7 @@ pve.local.cobb.lgbt {
} }
code.local.cobb.lgbt { code.local.cobb.lgbt {
reverse_proxy 10.69.10.52:8443 reverse_proxy {{ caddy_code_address }}:8443
} }
guac.local.cobb.lgbt { guac.local.cobb.lgbt {
@ -26,62 +26,62 @@ guac.local.cobb.lgbt {
not path /guacamole* not path /guacamole*
} }
redir @notGuac /guacamole/ redir @notGuac /guacamole/
reverse_proxy 10.69.10.50:8080 { reverse_proxy {{ caddy_nemetona_address }}:8080 {
flush_interval -1 flush_interval -1
} }
} }
homarr.local.cobb.lgbt { homarr.local.cobb.lgbt {
reverse_proxy 10.69.10.50:7575 reverse_proxy {{ caddy_nemetona_address }}:7575
} }
sabnzbd.local.cobb.lgbt { sabnzbd.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8081 reverse_proxy {{ caddy_nemetona_address }}:8081
} }
sonarr.local.cobb.lgbt { sonarr.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8989 reverse_proxy {{ caddy_nemetona_address }}:8989
} }
radarr.local.cobb.lgbt { radarr.local.cobb.lgbt {
reverse_proxy 10.69.10.50:7878 reverse_proxy {{ caddy_nemetona_address }}:7878
} }
prowlarr.local.cobb.lgbt { prowlarr.local.cobb.lgbt {
reverse_proxy 10.69.10.50:9696 reverse_proxy {{ caddy_nemetona_address }}:9696
} }
lidarr.local.cobb.lgbt { lidarr.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8686 reverse_proxy {{ caddy_nemetona_address }}:8686
} }
ha.local.cobb.lgbt { ha.local.cobb.lgbt {
reverse_proxy 10.69.10.199:8123 reverse_proxy {{ caddy_home_assistant_address }}:8123
} }
ntfy.local.cobb.lgbt { ntfy.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8085 reverse_proxy {{ caddy_nemetona_address }}:8085
} }
truenas.local.cobb.lgbt { truenas.local.cobb.lgbt {
reverse_proxy 10.69.10.30:443 { reverse_proxy {{ caddy_truenas_address}}:443 {
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
} }
} }
termix.local.cobb.lgbt { termix.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8082 reverse_proxy {{ caddy_nemetona_address }}:8082
} }
frigate.local.cobb.lgbt { frigate.local.cobb.lgbt {
reverse_proxy 10.69.10.51:8971 { reverse_proxy {{ caddy_frigate_address }}:8971 {
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
} }
} }
immich.local.cobb.lgbt { immich.local.cobb.lgbt {
reverse_proxy 10.69.10.50:2283 reverse_proxy {{ caddy_nemetona_address }}:2283
} }
readeck.local.cobb.lgbt { readeck.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8083 reverse_proxy {{ caddy_nemetona_address }}:8083
} }
readeck.cobb.lgbt { readeck.cobb.lgbt {
reverse_proxy 10.69.10.50:8083 reverse_proxy {{ caddy_nemetona_address }}:8083
} }
cwa.local.cobb.lgbt { cwa.local.cobb.lgbt {
reverse_proxy 10.69.10.50:8086 reverse_proxy {{ caddy_nemetona_address }}:8086
} }
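Review bot: `{{ caddy_truenas_address}}` on the truenas block is missing the space before `}}` that every other substitution in this file has; Jinja accepts it, but `{{ caddy_truenas_address }}` keeps the file consistent and greppable. The play at L964 comments out the caddy role, so after this commit this template is no longer rendered anywhere visible; if Caddy is being retired in favour of Traefik, the `tls_insecure_skip_verify` transports for pve/truenas/frigate and the `trusted_proxies private_ranges` on the authentik block are decisions that now only survive here and should be re-examined as the Traefik equivalents (L624-625) take over. The file's first and last lines are outside the shown hunks.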


@ -34,3 +34,16 @@ services:
# cap_add: # cap_add:
# - NET_BIND_SERVICE # - NET_BIND_SERVICE
restart: unless-stopped restart: unless-stopped
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.calibre.rule: Host(`calibre.local.cobb.lgbt`)
traefik.http.routers.calibre.entryPoints: websecure
traefik.http.routers.calibre.tls.certResolver: letsEncrypt
traefik.http.routers.calibre.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -31,6 +31,15 @@ services:
restart: always restart: always
healthcheck: healthcheck:
disable: false disable: false
networks:
- traefik
- immich-internal
labels:
traefik.enable: "true"
traefik.http.routers.immich.rule: Host(`immich.local.cobb.lgbt`)
traefik.http.routers.immich.entryPoints: websecure
traefik.http.routers.immich.tls.certResolver: letsEncrypt
traefik.http.routers.immich.observability.metrics: "true"
immich-machine-learning: immich-machine-learning:
container_name: immich_machine_learning container_name: immich_machine_learning
@ -47,6 +56,8 @@ services:
restart: always restart: always
healthcheck: healthcheck:
disable: false disable: false
networks:
- immich-internal
redis: redis:
container_name: immich_redis container_name: immich_redis
@ -54,6 +65,8 @@ services:
healthcheck: healthcheck:
test: redis-cli ping || exit 1 test: redis-cli ping || exit 1
restart: always restart: always
networks:
- immich-internal
database: database:
container_name: immich_postgres container_name: immich_postgres
@ -72,6 +85,15 @@ services:
restart: always restart: always
healthcheck: healthcheck:
disable: false disable: false
networks:
- immich-internal
volumes: volumes:
model-cache: model-cache:
networks:
traefik:
name: traefik
external: true
immich-internal:
name: immich-internal
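Review bot: `immich-internal` is declared without `internal: true`, so the name promises an isolated backend segment the compose file does not deliver: `redis` and the postgres `database` still get a default gateway and outbound access through it. If nothing on that network needs egress, `immich-internal:` / `name: immich-internal` / `internal: true` makes it the private network the name implies; if machine-learning has to fetch models, give it a second egress-capable network rather than loosening this one. The immich-server `ports:` mapping, if it still exists, is outside the hunk and is covered by the note on the homarr section.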


@ -13,6 +13,8 @@ services:
ports: ports:
- 8085:80 - 8085:80
- 8025:25 - 8025:25
networks:
- traefik
healthcheck: # optional: remember to adapt the host:port to your environment healthcheck: # optional: remember to adapt the host:port to your environment
test: test:
[ [
@ -25,3 +27,15 @@ services:
start_period: 40s start_period: 40s
restart: unless-stopped restart: unless-stopped
init: true # needed, if healthcheck is used. Prevents zombie processes init: true # needed, if healthcheck is used. Prevents zombie processes
labels:
traefik.enable: 'true'
traefik.http.routers.ntfy.rule: Host(`ntfy.local.cobb.lgbt`)
traefik.http.routers.ntfy.entryPoints: websecure
traefik.http.routers.ntfy.tls.certResolver: letsEncrypt
traefik.http.routers.ntfy.observability.metrics: 'true'
traefik.http.services.ntfy.loadBalancer.server.port: 80
networks:
traefik:
name: traefik
external: true
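Review bot: The label values switch to single quotes (`'true'`) here while every sibling compose file in the commit uses `"true"` (L32, L51, L443); both parse identically, but mixed quoting across the label blocks makes the files harder to diff, so `traefik.enable: "true"` and `traefik.http.routers.ntfy.observability.metrics: "true"` would match the rest. The explicit `traefik.http.services.ntfy.loadBalancer.server.port: 80` is presumably needed because the image exposes both a web and an SMTP port (the `8085:80` / `8025:25` mappings suggest so); a comment above it, `# container exposes more than one port: tell Traefik which one is the web UI`, would save the next reader from wondering why only this service sets it.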


@ -15,3 +15,16 @@ services:
interval: 30s interval: 30s
timeout: 2s timeout: 2s
retries: 3 retries: 3
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.readeck.rule: Host(`readeck.local.cobb.lgbt`)
traefik.http.routers.readeck.entryPoints: websecure
traefik.http.routers.readeck.tls.certResolver: letsEncrypt
traefik.http.routers.readeck.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -0,0 +1,55 @@
services:
dns-server:
container_name: dns-server
hostname: dns-server
image: docker.io/technitium/dns-server:latest
ports:
# - "5380:5380/tcp" #DNS web console (HTTP)
# - "53443:53443/tcp" #DNS web console (HTTPS)
- "53:53/udp" #DNS service
- "53:53/tcp" #DNS service
# - "853:853/udp" #DNS-over-QUIC service
# - "853:853/tcp" #DNS-over-TLS service
# - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
# - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
# - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
# - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
# - "67:67/udp" #DHCP service
environment:
- DNS_SERVER_DOMAIN=local.cobb.lgbt #The primary domain name used by this DNS Server to identify itself.
- DNS_SERVER_ADMIN_PASSWORD=${SERVER_ADMIN_PASSWORD} #DNS web console admin user password.
# - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
# - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
# - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode.
- DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
# - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
- DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
# - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
# - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PATH=/etc/dns/tls/cert.pfx #The file path to the TLS certificate for the DNS web console.
# - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PASSWORD=password #The password for the TLS certificate for the DNS web console.
- DNS_SERVER_WEB_SERVICE_HTTP_TO_TLS_REDIRECT=false #Enables HTTP to HTTPS redirection for the DNS web console.
- DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=true #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
- DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
# - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option.
# - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
# - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
- DNS_SERVER_ENABLE_BLOCKING=true #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
# - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
# - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
- DNS_SERVER_FORWARDERS=1.1.1.1, 9.9.9.9 #Comma separated list of forwarder addresses.
- DNS_SERVER_FORWARDER_PROTOCOL=Udp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
- DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
- DNS_SERVER_LOG_FOLDER_PATH=/var/log/technitium/dns #The folder path on the server where the log files should be saved.
# - DNS_SERVER_LOG_MAX_LOG_FILE_DAYS=365 #Max number of days to keep the log files. Log files older than the specified number of days will be deleted automatically. Set 0 to disable auto delete.
# - DNS_SERVER_STATS_ENABLE_IN_MEMORY_STATS=false #This option will enable in-memory stats and only Last Hour data will be available on Dashboard. No stats data will be stored on disk.
# - DNS_SERVER_STATS_MAX_STAT_FILE_DAYS=365 #Max number of days to keep the dashboard stats. Stat files older than the specified number of days will be deleted automatically. Set 0 to disable auto delete.
volumes:
- config:/etc/dns
- logs:/var/log/technitium/dns
restart: unless-stopped
sysctls:
- net.ipv4.ip_local_port_range=1024 65535 #remove when using "host" network mode
volumes:
config:
logs:
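Review bot: `DNS_SERVER_FORWARDER_PROTOCOL=Udp` sends every upstream query to `1.1.1.1, 9.9.9.9` in cleartext, and the inline comment on the same line lists `Tls` and `Https` as alternatives; since this container is the resolver for the whole LAN, switching to `Tls` (with the forwarder entries written in the form the image documents for that protocol) stops anything on the path from reading or rewriting lookups. `DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=true` enables plaintext DoH on 8053 inside the container, but there is no `networks:` entry and no `8053` port mapping, so nothing can reach it; either join the `traefik` network and add a router like the other services, or drop the setting so an unused listener is not left enabled. `image: docker.io/technitium/dns-server:latest` is the only unpinned image in the commit (compare `traefik:v3.7` at L657 and `valkey/valkey:9.1.0` at L862); pinning a tag keeps the resolver from changing under an unattended `pull: policy`.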


@ -5,8 +5,21 @@ services:
container_name: termix container_name: termix
restart: unless-stopped restart: unless-stopped
ports: ports:
- '8082:8080' - "8082:8080"
volumes: volumes:
- /opt/termix/data:/app/data - /opt/termix/data:/app/data
environment: environment:
PORT: '8080' PORT: "8080"
networks:
- traefik
labels:
traefik.enable: "true"
traefik.http.routers.termix.rule: Host(`termix.local.cobb.lgbt`)
traefik.http.routers.termix.entryPoints: websecure
traefik.http.routers.termix.tls.certResolver: letsEncrypt
traefik.http.routers.termix.observability.metrics: "true"
networks:
traefik:
name: traefik
external: true


@ -0,0 +1,55 @@
---
http:
routers:
dashboard:
entryPoints:
- websecure
rule: "Host(`traefik-dashboard.local.cobb.lgbt`)"
tls:
certResolver: letsEncrypt
observability:
metrics: true
service: api@internal
middlewares:
- known-ips@file
- dashboard-auth@file
proxmox:
entryPoints:
- websecure
rule: "Host(`pve.local.cobb.lgbt`)"
tls:
certResolver: letsEncrypt
observability:
metrics: true
service: proxmox@file
middlewares:
- known-ips@file
home-assistant:
entryPoints:
- websecure
rule: "Host(`ha.local.cobb.lgbt`)"
tls:
certResolver: letsEncrypt
observability:
metrics: true
service: home-assistant@file
truenas:
entryPoints:
- websecure
rule: "Host(`truenas.local.cobb.lgbt`)"
tls:
certResolver: letsEncrypt
observability:
metrics: true
service: truenas@file
middlewares:
- known-ips@file
frigate:
entryPoints:
- websecure
rule: "Host(`frigate.local.cobb.lgbt`)"
tls:
certResolver: letsEncrypt
observability:
metrics: true
service: frigate@file
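Review bot: The `home-assistant` and `frigate` routers carry no `middlewares:` while `dashboard`, `proxmox` and `truenas` are gated by `known-ips@file`; all five share the `websecure` entrypoint and frigate is reached over `insecureTransport` (L647), so this reads as an omission rather than a choice. If both are meant to be reachable from outside the `known-ips` ranges (for example through cloudflared), a comment on each router saying so will stop the next reviewer from "fixing" it; otherwise add `middlewares:` / `- known-ips@file` to both.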


@ -0,0 +1,68 @@
---
- name: Load distro-specific variables
ansible.builtin.include_vars: "{{ item }}"
tags: always
with_first_found:
- files:
- "{{ ansible_facts['distribution'] }}.yaml"
skip: true
- name: Ensure Traefik is running on this device
block:
- name: Load IP addresses for other hosts
tags: packages,traefik,network
ansible.builtin.set_fact:
traefik_adguard_address: "{{ hostvars['adguard']['ansible_host'] }}"
traefik_nemetona_address: "{{ hostvars['nemetona']['ansible_host'] }}"
traefik_pve_address: "{{ hostvars['pve']['ansible_host'] }}"
traefik_code_address: "{{ hostvars['stephanie']['ansible_host'] }}"
traefik_home_assistant_address: "{{ hostvars['home_assistant']['ansible_host'] }}"
traefik_frigate_address: "{{ hostvars['curren']['ansible_host'] }}"
traefik_truenas_address: "{{ hostvars['mors']['ansible_host'] }}"
cacheable: true
- name: Ensure presense of folders for Traefik
tags: packages,docker,traefik
ansible.builtin.file:
path: "/opt/traefik/{{ item }}"
state: directory
recurse: true
owner: 1000
group: 1000
loop:
- dynamic
- lets-encrypt
- name: Ensure config templates are available
tags: traefik,settings
ansible.builtin.template:
src: "{{ item.src }}"
dest: "/opt/traefik/{{ item.dest }}"
owner: 1000
group: 1000
mode: u=rw,g=r,o=r
loop:
- { src: "traefik-compose.j2", dest: "docker-compose.yaml" }
- { src: "cloudflare.env.j2", dest: "cloudflare.env" }
- { src: "traefik.yaml.j2", dest: "traefik.yaml" }
- { src: "middlewares.yaml.j2", dest: "dynamic/middlewares.yaml" }
- { src: "services.yaml.j2", dest: "dynamic/services.yaml" }
- name: Ensure dynamic configs are available to the server
tags: traefik,settings
ansible.builtin.copy:
src: "{{ item }}"
dest: /opt/traefik/dynamic/{{ item }}
owner: 1000
group: 1000
mode: u=rw,g=r,o=r
loop:
- routers.yaml
- name: Ensure docker containers are pulled and running
tags: docker,traefik
community.docker.docker_compose_v2:
project_src: /opt/traefik
pull: policy
recreate: always
rescue:
- name: Set that this task failed # noqa: var-naming[no-role-prefix]
ansible.builtin.set_fact:
task_failed: true
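Review bot: `cloudflare.env` (the `CF_DNS_API_TOKEN`, L585) and `traefik.yaml` (the Redis password, L714) are rendered with `mode: u=rw,g=r,o=r`, so any local account on the host can read the Cloudflare DNS token and the Valkey credential; the valkey role applies `mode: u=rw,g=,o=` to its secret-bearing config (L844) and the same belongs on at least those two templates. The smallest change is a per-item mode in the loop, e.g. `- { src: "cloudflare.env.j2", dest: "cloudflare.env", mode: "u=rw,g=,o=" }` with `mode: "{{ item.mode | default('u=rw,g=r,o=r') }}"` on the task. `traefik_adguard_address` and `traefik_nemetona_address` are set but no template in this commit reads them, so either drop them or comment what will consume them.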


@ -0,0 +1 @@
CF_DNS_API_TOKEN={{ traefik_cobblgbt_key }}


@ -0,0 +1,27 @@
---
http:
middlewares:
redirect:
redirectScheme:
scheme: https
corsAll:
headers:
accessControlAllowMethods:
- "GET"
- "OPTIONS"
- "PUT"
accessControlAllowHeaders:
- "*"
accessControlAllowOriginList:
- "*"
accessControlMaxAge: 100
addVaryHeader: true
known-ips:
ipallowlist:
sourcerange:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/24
dashboard-auth:
basicauth:
users: "admin:{{ traefik_dashboard_basicauth }}"
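Review bot: `known-ips` allows `10.0.0.0/8` and `172.16.0.0/12` in full but only `192.168.0.0/24`, a single /24 rather than the `192.168.0.0/16` private block; if the intent is "any RFC 1918 address" the last entry is a typo, and if it is deliberately narrow the other two should be narrowed to match (the inventory suggests the lab lives in 10.69.0.0/16). `corsAll` grants `accessControlAllowOriginList: "*"` with `accessControlAllowHeaders: "*"` but no router in routers.yaml references it, and `redirect` duplicates the entrypoint-level redirection at L719-723; unused wildcard-CORS and redirect middlewares are easy to attach by accident later, so remove them or comment why they are kept. Key casing is mixed (`redirectScheme` next to `ipallowlist`/`sourcerange`/`basicauth`); Traefik matches keys case-insensitively, but `ipAllowList`/`sourceRange`/`basicAuth` is the documented spelling and matches the rest of the commit.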


@ -0,0 +1,29 @@
---
http:
serversTransports:
insecureTransport:
insecureSkipVerify: true
services:
proxmox:
loadBalancer:
passHostHeader: true
servers:
- url: "http://{{ traefik_pve_address }}:9000"
home-assistant:
loadBalancer:
servers:
- url: "http://{{ traefik_home_assistant_address }}:8123"
coder:
loadBalancer:
servers:
- url: "http://{{ traefik_code_address }}:8443"
truenas:
loadBalancer:
serversTransport: insecureTransport
servers:
- url: "https://{{ traefik_truenas_address }}:443"
frigate:
loadBalancer:
serversTransport: insecureTransport
servers:
- url: "https://{{ traefik_frigate_address }}:8971"
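Review bot: The `proxmox` service points at `http://{{ traefik_pve_address }}:9000`, but the Caddyfile it replaces proxied pve at `:8006` over HTTPS with certificate verification disabled (L186-188), and 9000 was the authentik port on nemetona (L181); as written the `pve.local.cobb.lgbt` router (L471-479) will reach the wrong port and scheme. The truenas and frigate entries show the intended shape: `- url: "https://{{ traefik_pve_address }}:8006"` plus `serversTransport: insecureTransport`. `coder` is defined but no router in routers.yaml references `coder@file`, so it is dead config until one is added, and with `insecureSkipVerify: true` now shared by three backends a comment above `insecureTransport` naming why (self-signed appliance certificates) and a TODO to trust their CA instead would document the accepted risk.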


@ -0,0 +1,29 @@
---
services:
traefik:
image: traefik:v3.7
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- traefik
ports:
- "80:80"
- "443:443"
env_file:
- path: /opt/traefik/cloudflare.env
required: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/traefik/dynamic:/dynamic:ro
- /opt/traefik/lets-encrypt:/lets-encrypt
- /opt/traefik/traefik.yaml:/traefik.yaml
command:
- "--configfile=/traefik.yaml"
labels:
- "traefik.enable=true"
networks:
traefik:
name: traefik
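Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` hands the Traefik container the Docker API, and `:ro` restricts only the socket inode, not the calls made over it, so a compromise of the proxy that terminates every request here is a compromise of the host. With `exposedByDefault: false` (L705) the provider only needs to read container metadata; fronting the socket with a read-only socket-proxy container on the `traefik` network and pointing `providers.docker.endpoint` at it removes the write path. `/opt/traefik/traefik.yaml:/traefik.yaml` carries the Redis password (L714) and can be mounted `:ro` like the dynamic directory, and the `traefik.enable=true` label on the proxy itself has no router behind it and can go.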


@ -0,0 +1,58 @@
---
log:
level: DEBUG
accessLog:
filters:
statusCodes:
- "200"
- "300-302"
retryAttempts: true
minDuration: "10ms"
api:
dashboard: true
insecure: false
metrics:
prometheus: {}
providers:
docker:
watch: true
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
network: traefik
file:
directory: /dynamic
watch: true
redis:
endpoints:
- "nemetona.local.cobb.lgbt:6379"
username: traefik
password: {{ traefik_valkey_auth_pass }}
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
observability:
accessLogs: false
metrics: false
tracing: false
websecure:
address: :443
http:
tls: {}
certificatesResolvers:
letsEncrypt:
acme:
dnsChallenge:
provider: cloudflare
email: annika@adhdgirl.dev
storage: /lets-encrypt/acme.json
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
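Review bot: `password: {{ traefik_valkey_auth_pass }}` is an unquoted Jinja expansion in the rendered YAML, so a secret containing `#` or `: `, or starting with a YAML indicator, is truncated or re-typed silently after templating; write `password: "{{ traefik_valkey_auth_pass }}"` as the other templates do (L616, L631). The access log filter keeps only `"200"` and `"300-302"`, which discards precisely the 401/403/404/5xx responses that reveal scanning and misrouted hosts; if the goal is to cut noise, keep `retryAttempts`/`minDuration` and drop the status allow-list, or filter on the noisy paths instead. `level: DEBUG` should be a deliberate, commented choice for a production proxy, and the redis `endpoints` entry has no `tls:` block, so the credential crosses the host's LAN interface in clear unless Traefik and Valkey end up on a shared Docker network.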


@ -0,0 +1,30 @@
---
traefik_cobblgbt_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
32396232646666616261393537613662386165353765323763353739343232323363636331656338
3133323662636436326535323637633261313163366237300a383865393032326331336335636262
30646461653832323262373863646261333865613763356365666130636262636430616238643538
3039316461356630620a323536643638396164303965346465356563326131663939633236343532
61363338313435316334616462376433643732343936316437656165373961306438393665343265
3132636333313635633533353461333236666561363865653236
traefik_valkey_auth_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
61343838393634376266333639646239363362396133363238393830306561626362623734333464
6634346639363361353965386339396331363463323265390a646565366634326539356631393838
30613564383635303731316365366262333530313030303866656235643061623263623133346264
3561316334363561630a663234383633336161383439633538316162656462653833343731373366
61323038656631663236666265383031376561653535653062666262633939396431336632393537
37346263393637653933373263346362383634363461363966393831643035383061326330343035
61333462313933333533626432666634633835373733613365623937346438663866396666373038
64643333663565636530363138643465613333313034656437366333643762316239376633303431
32366335663865316366626231633237326633393334343130343738326265303861663333353637
34373136303933383236326133633035326530626430393762383337373531643761393166643933
616361656162353561636639363637636137
traefik_dashboard_basicauth: !vault |
$ANSIBLE_VAULT;1.1;AES256
34376233363435633734353965336332346335613234336565653633333265386634336335303135
6265613466353333623830653764366234343036393463310a356338306162633661363939653633
64376562363633626366663663666436393739323131323464613263613462323664323664666562
3835363566666537340a353262366536626335653034623236306162633031616533653065613638
37303063393365306332656565393661653563343461396264396538616539643236656163303431
6533646238316539363632383936646339303162636137316263
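Review bot: The `traefik_valkey_auth_pass` ciphertext (L754-765) is byte-for-byte the same vault blob as `valkey_traefik_auth_pass` in the valkey role's vars (L886-897), so one shared secret is stored under two names in two roles and a rotation that updates one side leaves the other stale. A single vaulted variable in group_vars for the host that runs both roles, referenced from both templates, keeps one source; if the duplicate is intentional, a comment above each such as `# must match valkey_traefik_auth_pass in the valkey role` documents the coupling.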


@ -0,0 +1,27 @@
---
- name: Load distro-specific variables
ansible.builtin.include_vars: "{{ item }}"
tags: always
with_first_found:
- files:
- "{{ ansible_facts['distribution'] }}.yaml"
skip: true
- name: Ensure udpbroadcastrelay is properly built for and installed
block:
- name: Get current version
ansible.builtin.shell:
cmd:
"git describe --tags --exact-match 2>/dev/null || git rev-parse --short
HEAD"
chdir: { { udpbroadcastrelay_code_dir } }
register: udpbroadcastrelay_current_version
changed_when: false
failed_when: false
- name: Fetch source from github
tags: packages,git,network
ansible.builtin.git:
repo: ""
dest: "/opt/udpbroadcastrelay"
version: "{{ udpbroadcastrelay_tag }}"
register:
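Review bot: `chdir: { { udpbroadcastrelay_code_dir } }` is a YAML flow mapping nested in another (the spaces break the Jinja delimiters), so it parses to a dict rather than a path and the shell task will fail; it should be `chdir: "{{ udpbroadcastrelay_code_dir }}"`. `repo: ""` is an empty clone URL and the trailing `register:` has no value, so this task file looks unfinished and will error on the git task; `repo: "<REPO-URL placeholder>"` and `register: udpbroadcastrelay_git` (or removing the key) are needed before the role can run. Pinning `version` to `{{ udpbroadcastrelay_tag }}` is good, but tags can be moved, so recording the expected commit hash alongside the tag makes the build reproducible. The file may continue past the last shown line.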


@ -0,0 +1,49 @@
---
- name: Load distro-specific variables
ansible.builtin.include_vars: "{{ item }}"
tags: always
with_first_found:
- files:
- "{{ ansible_facts['distribution'] }}.yaml"
skip: true
- name: Ensure Valkey is running on this device
block:
- name: Ensure presense of folders for Valkey
tags: packages,docker,valkey
ansible.builtin.file:
path: "/opt/valkey/{{ item }}"
state: directory
recurse: true
owner: 1000
group: 1000
loop:
- persist
- config
- name: Ensure compose file is available on the server
tags: docker,valkey,settings
ansible.builtin.template:
src: valkey-compose.j2
dest: /opt/valkey/docker-compose.yaml
owner: 1000
group: 1000
mode: u=rw,g=r,o=r
- name: Ensure environment file is available on the server
tags: docker,valkey,settings
ansible.builtin.template:
src: valkey_conf.j2
dest: /opt/valkey/config/valkey.conf
owner: 1000
group: 1000
mode: u=rw,g=,o=
- name: Ensure docker containers are pulled and running
tags: docker,valkey
community.docker.docker_compose_v2:
project_src: /opt/valkey
pull: policy
recreate: always
rescue:
- name: Set that this task failed # noqa: var-naming[no-role-prefix]
ansible.builtin.set_fact:
task_failed: true
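Review bot: The task named `Ensure environment file is available on the server` renders `valkey_conf.j2` to `/opt/valkey/config/valkey.conf`, which is the server configuration rather than an env file; `- name: Ensure Valkey config file is available on the server` would say what it does. The `mode: u=rw,g=,o=` on that file is right given it embeds the traefik user's password (L879), and the traefik role's templates (L554) would benefit from the same treatment. `recreate: always` restarts Valkey on every play run, which may discard in-memory state depending on the persistence settings; `recreate: auto` limits that to actual changes.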


@ -0,0 +1,15 @@
---
services:
valkey:
image: valkey/valkey:9.1.0
container_name: valkey
restart: unless-stopped
user: 1000:1000
ports:
- "6379:6379"
volumes:
- /opt/valkey/persist:/data
- /opt/valkey/config:/usr/local/etc/valkey
command:
- "valkey-server"
- "/usr/local/etc/valkey/valkey.conf"
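Review bot: `- "6379:6379"` publishes Valkey on every host interface so Traefik can reach it by the host's DNS name (L712), which exposes a plaintext, password-only store to the whole LAN even though both containers run on the same host (nemetona, per L958-972). Attaching this service to the external `traefik` network and pointing the redis provider at `valkey:6379` lets the `ports:` entry go away; binding the published port to `127.0.0.1` is not an alternative here, because the Traefik container cannot reach the host's loopback. `user: 1000:1000` matched to the `owner: 1000` directories in the tasks and the pinned `valkey/valkey:9.1.0` tag are both good.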


@ -0,0 +1,2 @@
# Do config things
user traefik on +@all ~* &* >{{ valkey_traefik_auth_pass }}
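Review bot: This two-line config creates the `traefik` user but never disables the `default` user, which Valkey ships with no password and full access; combined with the host-published port in the compose file (L867) that is either a fully open store on the LAN or, if protected mode is still on with no `bind` set, a server that refuses every non-loopback client including Traefik. Adding `user default off` (and, only if required, an explicit `bind` with `protected-mode` set deliberately) makes the ACL the only way in. The `# Do config things` comment says nothing; `# ACL: Traefik's redis provider authenticates as this user (see traefik.yaml.j2)` would explain the one real line. `+@all` and `&*` grant every command and every Pub/Sub channel, which is more than a KV-provider client needs, so a narrower command set is worth a TODO.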


@ -0,0 +1,14 @@
---
valkey_traefik_auth_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
61343838393634376266333639646239363362396133363238393830306561626362623734333464
6634346639363361353965386339396331363463323265390a646565366634326539356631393838
30613564383635303731316365366262333530313030303866656235643061623263623133346264
3561316334363561630a663234383633336161383439633538316162656462653833343731373366
61323038656631663236666265383031376561653535653062666262633939396431336632393537
37346263393637653933373263346362383634363461363966393831643035383061326330343035
61333462313933333533626432666634633835373733613365623937346438663866396666373038
64643333663565636530363138643465613333313034656437366333643762316239376633303431
32366335663865316366626231633237326633393334343130343738326265303861663333353637
34373136303933383236326133633035326530626430393762383337373531643761393166643933
616361656162353561636639363637636137


@ -5,10 +5,6 @@ all:
ansible_host: 10.69.10.10 ansible_host: 10.69.10.10
adguardpi: adguardpi:
ansible_host: 10.69.10.11 ansible_host: 10.69.10.11
# maxim:
# ansible_host: 10.69.10.50
# pump:
# ansible_host: 10.69.10.51
fifi: fifi:
ansible_host: 10.69.10.100 ansible_host: 10.69.10.100
knivi: knivi:
@ -27,6 +23,12 @@ all:
ansible_host: 10.69.10.51 ansible_host: 10.69.10.51
emosen: emosen:
ansible_host: 10.69.10.54 ansible_host: 10.69.10.54
pve:
ansible_host: 10.69.1.7
home_assistant:
ansible_host: 10.69.10.199
mors:
ansible_host: 10.69.10.30
children: children:
alpine: alpine:
hosts: hosts:
@ -38,26 +40,20 @@ all:
debian: debian:
hosts: hosts:
adguardpi: adguardpi:
# maxim:
# pump:
fifi: fifi:
knivi: knivi:
reir: reir:
# trady:
curren: curren:
docker: docker:
hosts: hosts:
adguard: adguard:
adguardpi: adguardpi:
# pump:
# trady:
stephanie: stephanie:
nemetona: nemetona:
curren: curren:
ida: ida:
unifi_controller: unifi_controller:
hosts: hosts:
# pump:
adguard_servers: adguard_servers:
hosts: hosts:
adguard: adguard:
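Review bot: `pve`, `home_assistant` and `mors` join `all.hosts` only so that the `hostvars[...]['ansible_host']` lookups (L164-170, L528-534) can read their addresses; they belong to no child group, but a play with `hosts: all` would now try to SSH to the Proxmox node, Home Assistant and TrueNAS with the default user and keys. A comment above the three entries, `# address-only entries: read via hostvars by the caddy/traefik roles, not managed by any play`, makes that explicit, and representing them as plain variables in group_vars instead of inventory hosts would remove the risk entirely. Dropping the commented-out `maxim`/`pump`/`trady` entries is fine.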


@ -49,11 +49,12 @@
- adhdgirl.minilab.coder - adhdgirl.minilab.coder
- name: Configure nemetona - name: Configure nemetona
hosts: nemetona hosts: nemetona
tags: docker,authentik,caddy tags: docker,authentik,caddy,ntfy
become: true become: true
roles: roles:
- adhdgirl.minilab.traefik
- adhdgirl.minilab.authentik - adhdgirl.minilab.authentik
- adhdgirl.minilab.caddy # - adhdgirl.minilab.caddy
- adhdgirl.minilab.arr - adhdgirl.minilab.arr
- adhdgirl.minilab.ntfy - adhdgirl.minilab.ntfy
- adhdgirl.minilab.cloudflared - adhdgirl.minilab.cloudflared
@ -61,6 +62,7 @@
- adhdgirl.minilab.immich - adhdgirl.minilab.immich
- adhdgirl.minilab.readeck - adhdgirl.minilab.readeck
- adhdgirl.minilab.calibre - adhdgirl.minilab.calibre
- adhdgirl.minilab.valkey
- name: Configure frigate - name: Configure frigate
hosts: curren hosts: curren
tags: docker,frigate tags: docker,frigate
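Review bot: `adhdgirl.minilab.traefik` is listed before `adhdgirl.minilab.valkey` on nemetona, so on a fresh host Traefik's redis provider (L710-714) comes up before the Valkey container exists; whether that is a hard startup failure or a retry depends on the provider's behaviour, which I cannot confirm from here, so either order valkey first or add a comment stating that Traefik tolerates the delay. The play's `tags: docker,authentik,caddy,ntfy` still carries `caddy` while the caddy role is now commented out and gains no `traefik`/`valkey` entries; if the tag list mirrors the roles, update it, and remove the dead `# - adhdgirl.minilab.caddy` line rather than leaving it to rot. The play continues outside the hunk.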