commit b08350ffd96e7e33fccb5997c2a8639a4eb827a1 · krasovs.ky/homelab

+15 -9

README.md

···

       6
        
       - VM can be fully removed and re-provisioned within 3 minutes, including container autostart.

     

       7
        
       - Provisioning of everything is done using Terraform/OpenTofu.

     

       8
        
       - Secrets are provided using Bitwarden Secrets Manager.

     

       9
       -
       - Source IP is preserved using [systemd socket activation](https://github.com/eriksjolund/podman-networking-docs?tab=readme-ov-file#socket-activation-systemd-user-service) mechanism.

     

       0
        
       
     

       0
        
       
     

       10
        
       - Native network performance due to the reason above.

     

       11
        
       - Stores Podman and application data on dedicated iSCSI disk.

     

       12
        
       - Stores media and downloads on NFS share.

     
···

       14
        
       

     

       15
        
       I also have some observability:

     

       16
        
       

     

       17
       -
         - Storage: VictoriaMetrics and VictoriaLogs.

     

       18
       -
         - Scrapping and writing: Grafana Alloy.

     

       19
       -
         - Visualization: Grafana.

     

       20
       -
         - Traces are not supported for now.

     

       21
        
       

     

       22
        
       ## Current services

     

       23
        
       

     
···

       25
        
       |-----------------------------------------|--------------------------------------------|-----|

     

       26
        
       | Actual Budget                           | Budgeting App                              |     |

     

       27
        
       | Bluesky PDS                             | ATProto Personal Data Server               |     |

     

       0
        
       
     

       0
        
       
     

       28
        
       | Glance                                  | Homelab Dashboard                          |     |

     

       29
        
       | Grafana                                 | Data-visualization Platform                |     |

     

       30
        
       | Grafana Alloy                           | OpenTelemetry Collector                    |     |

     

       31
        
       | Davmail                                 | Exchange to IMAP/SMTP Gateway              |     |

     

       32
        
       | Karakeep                                | Bookmark App                               | ☑️  |

     

       33
        
       | Immich                                  | Image & Video Management                   | ☑️  |

     

       0
        
       
     

       0
        
       
     

       34
        
       | Miniflux                                | RSS Reader                                 | ☑️  |

     

       35
        
       | OAuth2 Proxy                            | Identity-Aware Proxy                       |     |

     

       36
        
       | OpenCloud                               | File Management and Collaboration platform | ☑️  |

     
···

       45
        
       | Tangled Knot                            | Git Platform based on ATProto              |     |

     

       46
        
       | Telegraf                                | Only for MQTT to OpenTelemetry conversion  |     |

     

       47
        
       | Traefik                                 | Application Proxy                          |     |

     

       48
       -
       | Tuwunel                                 | Matrix Homeserver                          |     |

     

       49
        
       | Gatus                                   | Uptime Monitoring[^1]                      |     |

     

       50
        
       | VictoriaMetrics / VictoriaLogs / vmauth | Metrics and Logs Storage                   | ☑️  |

     

       51
        
       

     
···

       60
        
       

     

       61
        
       ## Future plans

     

       62
        
       

     

       63
       -
       - [x] Move Traefik, Grafana Alloy and other configs to the repository. 

     

       64
        
       - [ ] Consider switching to Flatcar Linux. Personally I like it more, but in the current version they didn't ship

     

       65
       -
            `i915` driver, which is a dealbreaker for me. However, it's [already merged](https://github.com/flatcar/scripts/pull/2349)

     

       66
       -
             and will soon be available in the Alpha channel.

     

       0
        
       
     

       67
        
       - [x] Monitor uptime and setup alerts with Uptime Kuma.

     

       68
        
       - [ ] Harden network setup; for now it's pretty permissive.

     

       69
        
       - [ ] Integrate `hashicorp/assert` support.

···

       6
        
       - VM can be fully removed and re-provisioned within 3 minutes, including container autostart.

     

       7
        
       - Provisioning of everything is done using Terraform/OpenTofu.

     

       8
        
       - Secrets are provided using Bitwarden Secrets Manager.

     

       9
       +
       - Source IP is preserved

     

       10
       +
         using [systemd socket activation](https://github.com/eriksjolund/podman-networking-docs?tab=readme-ov-file#socket-activation-systemd-user-service)

     

       11
       +
         mechanism.

     

       12
        
       - Native network performance due to the reason above.

     

       13
        
       - Stores Podman and application data on dedicated iSCSI disk.

     

       14
        
       - Stores media and downloads on NFS share.

     
···

       16
        
       

     

       17
        
       I also have some observability:

     

       18
        
       

     

       19
       +
       - Storage: VictoriaMetrics and VictoriaLogs.

     

       20
       +
       - Scrapping and writing: Grafana Alloy.

     

       21
       +
       - Visualization: Grafana.

     

       22
       +
       - Traces are not supported for now.

     

       23
        
       

     

       24
        
       ## Current services

     

       25
        
       

     
···

       27
        
       |-----------------------------------------|--------------------------------------------|-----|

     

       28
        
       | Actual Budget                           | Budgeting App                              |     |

     

       29
        
       | Bluesky PDS                             | ATProto Personal Data Server               |     |

     

       30
       +
       | Element Web                             | Element Web Client                         |     |

     

       31
       +
       | Element Call                            | Element Call Client                        |     |

     

       32
        
       | Glance                                  | Homelab Dashboard                          |     |

     

       33
        
       | Grafana                                 | Data-visualization Platform                |     |

     

       34
        
       | Grafana Alloy                           | OpenTelemetry Collector                    |     |

     

       35
        
       | Davmail                                 | Exchange to IMAP/SMTP Gateway              |     |

     

       36
        
       | Karakeep                                | Bookmark App                               | ☑️  |

     

       37
        
       | Immich                                  | Image & Video Management                   | ☑️  |

     

       38
       +
       | Matrix                                  | Matrix Homeserver                          | ☑️  |

     

       39
       +
       | MatrixRTC                               | Matrix Realtime Stack                      | ☑️  |

     

       40
        
       | Miniflux                                | RSS Reader                                 | ☑️  |

     

       41
        
       | OAuth2 Proxy                            | Identity-Aware Proxy                       |     |

     

       42
        
       | OpenCloud                               | File Management and Collaboration platform | ☑️  |

     
···

       51
        
       | Tangled Knot                            | Git Platform based on ATProto              |     |

     

       52
        
       | Telegraf                                | Only for MQTT to OpenTelemetry conversion  |     |

     

       53
        
       | Traefik                                 | Application Proxy                          |     |

     

       0
        
       
     

       54
        
       | Gatus                                   | Uptime Monitoring[^1]                      |     |

     

       55
        
       | VictoriaMetrics / VictoriaLogs / vmauth | Metrics and Logs Storage                   | ☑️  |

     

       56
        
       

     
···

       65
        
       

     

       66
        
       ## Future plans

     

       67
        
       

     

       68
       +
       - [x] Move Traefik, Grafana Alloy and other configs to the repository.

     

       69
        
       - [ ] Consider switching to Flatcar Linux. Personally I like it more, but in the current version they didn't ship

     

       70
       +
         `i915` driver, which is a dealbreaker for me. However,

     

       71
       +
         it's [already merged](https://github.com/flatcar/scripts/pull/2349)

     

       72
       +
         and will soon be available in the Alpha channel.

     

       73
        
       - [x] Monitor uptime and setup alerts with Uptime Kuma.

     

       74
        
       - [ ] Harden network setup; for now it's pretty permissive.

     

       75
        
       - [ ] Integrate `hashicorp/assert` support.

butane/fcos.yml.tftpl

···

       295
        
                 		tcp dport 8465 accept

     

       296
        
                 		tcp dport 8636 accept

     

       297
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       298
        
                 		# allow plex

     

       299
        
                 		tcp dport 32400 accept

     

       300
        
                 		udp dport 1900 accept

···

       295
        
                 		tcp dport 8465 accept

     

       296
        
                 		tcp dport 8636 accept

     

       297
        
       

     

       298
       +
                 		# allow livekit

     

       299
       +
                 		udp dport 59900-60000 accept

     

       300
       +
                 		udp dport 3478 accept

     

       301
       +
                 		tcp dport 7881 accept

     

       302
       +
       

     

       303
        
                 		# allow plex

     

       304
        
                 		tcp dport 32400 accept

     

       305
        
                 		udp dport 1900 accept

+54 -5

configs/alloy/config.alloy

···

       3
        
         format = "json"

     

       4
        
       }

     

       5
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       6
        
       discovery.docker "fcos" {

     

       7
        
         host = "unix:///var/run/docker.sock"

     

       8
        
       }

     
···

       27
        
       loki.process "copy_msg" {

     

       28
        
         forward_to = [loki.write.victoria_logs.receiver]

     

       29
        
       

     

       30
       -
         // Bluesky logs plain json, so we need to manually remap msg to _msg.

     

       31
        
         stage.match {

     

       32
        
           selector = "{_msg=\"\"}"

     

       33
        
       

     

       34
       -
           stage.json {

     

       35
       -
             expressions = { "msg" = "" }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       36
        
           }

     

       37
        
       

     

       38
       -
           stage.labels {

     

       39
       -
             values = { "_msg" = "msg" }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       40
        
           }

     

       41
        
         }

     

       42
        
       }

     
···

       51
        
         targets         = [

     

       52
        
           { __address__ = "host.containers.internal:9558" },

     

       53
        
           { __address__ = "prometheus-podman-exporter:9882" },

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       54
        
           { __address__ = "rmqtt:6060", __metrics_path__ = "/api/v1/metrics/prometheus" },

     

       55
        
         ]

     

       56
        
         forward_to      = [prometheus.remote_write.victoria_metrics.receiver]

···

       3
        
         format = "json"

     

       4
        
       }

     

       5
        
       

     

       6
       +
       livedebugging {

     

       7
       +
         enabled = true

     

       8
       +
       }

     

       9
       +
       

     

       10
        
       discovery.docker "fcos" {

     

       11
        
         host = "unix:///var/run/docker.sock"

     

       12
        
       }

     
···

       31
        
       loki.process "copy_msg" {

     

       32
        
         forward_to = [loki.write.victoria_logs.receiver]

     

       33
        
       

     

       34
       +
         // Some services require to manually remap message field to _msg.

     

       35
        
         stage.match {

     

       36
        
           selector = "{_msg=\"\"}"

     

       37
        
       

     

       38
       +
           stage.match {

     

       39
       +
             selector = "{container_name=\"/synapse\"}"

     

       40
       +
       

     

       41
       +
             stage.json {

     

       42
       +
               expressions = { "log" = "" }

     

       43
       +
             }

     

       44
       +
       

     

       45
       +
             stage.labels {

     

       46
       +
               values = { "_msg" = "log" }

     

       47
       +
             }

     

       48
       +
           }

     

       49
       +
       

     

       50
       +
           stage.match {

     

       51
       +
             selector = "{container_name=\"/grafana\"}"

     

       52
       +
       

     

       53
       +
             stage.json {

     

       54
       +
               expressions = { "msg" = "" }

     

       55
       +
             }

     

       56
       +
       

     

       57
       +
             stage.labels {

     

       58
       +
               values = { "_msg" = "msg" }

     

       59
       +
             }

     

       60
       +
           }

     

       61
       +
       

     

       62
       +
           stage.match {

     

       63
       +
             selector = "{container_name=\"/grafana-alloy\"}"

     

       64
       +
       

     

       65
       +
             stage.json {

     

       66
       +
               expressions = { "msg" = "" }

     

       67
       +
             }

     

       68
       +
       

     

       69
       +
             stage.labels {

     

       70
       +
               values = { "_msg" = "msg" }

     

       71
       +
             }

     

       72
        
           }

     

       73
        
       

     

       74
       +
           stage.match {

     

       75
       +
             selector = "{container_name=\"/bluesky-pds\"}"

     

       76
       +
       

     

       77
       +
             stage.json {

     

       78
       +
               expressions = { "msg" = "" }

     

       79
       +
             }

     

       80
       +
       

     

       81
       +
             stage.labels {

     

       82
       +
               values = { "_msg" = "msg" }

     

       83
       +
             }

     

       84
        
           }

     

       85
        
         }

     

       86
        
       }

     
···

       95
        
         targets         = [

     

       96
        
           { __address__ = "host.containers.internal:9558" },

     

       97
        
           { __address__ = "prometheus-podman-exporter:9882" },

     

       98
       +
           { __address__ = "immich:8081" },

     

       99
       +
           { __address__ = "immich:8082" },

     

       100
       +
           { __address__ = "opencloud:9205" },

     

       101
       +
           { __address__ = "opencloud:9304" },

     

       102
       +
           { __address__ = "synapse:9000" },

     

       103
        
           { __address__ = "rmqtt:6060", __metrics_path__ = "/api/v1/metrics/prometheus" },

     

       104
        
         ]

     

       105
        
         forward_to      = [prometheus.remote_write.victoria_metrics.receiver]

+28

configs/containers/systemd/element-call.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=Element Call Quadlet

     

       3
       +
       

     

       4
       +
       [Container]

     

       5
       +
       Image=ghcr.io/element-hq/element-call:v0.16.0

     

       6
       +
       AutoUpdate=registry

     

       7
       +
       ContainerName=element-call

     

       8
       +
       

     

       9
       +
       User=1000:1000

     

       10
       +
       UserNS=keep-id:uid=1000,gid=1000

     

       11
       +
       

     

       12
       +
       Label="glance.parent=element-web"

     

       13
       +
       Label="glance.name=Element Call"

     

       14
       +
       Label="glance.hide=false"

     

       15
       +
       

     

       16
       +
       Label="traefik.enable=true"

     

       17
       +
       Label="traefik.http.routers.element-call.rule=Host(`call.element.${base_domain}`)"

     

       18
       +
       

     

       19
       +
       Volume=%E/element/call.json:/app/config.json:Z

     

       20
       +
       

     

       21
       +
       Network=reverse-proxy.network

     

       22
       +
       

     

       23
       +
       [Service]

     

       24
       +
       TimeoutStartSec=900

     

       25
       +
       Restart=always

     

       26
       +
       

     

       27
       +
       [Install]

     

       28
       +
       WantedBy=multi-user.target default.target

+31

configs/containers/systemd/element-web.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=Element Web Quadlet

     

       3
       +
       

     

       4
       +
       [Container]

     

       5
       +
       Image=docker.io/vectorim/element-web:latest

     

       6
       +
       AutoUpdate=registry

     

       7
       +
       ContainerName=element-web

     

       8
       +
       

     

       9
       +
       User=1000:1000

     

       10
       +
       UserNS=keep-id:uid=1000,gid=1000

     

       11
       +
       

     

       12
       +
       Label="glance.id=element-web"

     

       13
       +
       Label="glance.name=Element"

     

       14
       +
       Label="glance.icon=di:element"

     

       15
       +
       Label="glance.url=https://element.${base_domain}"

     

       16
       +
       Label="glance.description=Matrix web client"

     

       17
       +
       Label="glance.hide=false"

     

       18
       +
       

     

       19
       +
       Label="traefik.enable=true"

     

       20
       +
       Label="traefik.http.routers.element-web.rule=Host(`element.${base_domain}`)"

     

       21
       +
       

     

       22
       +
       Volume=%E/element/web.json:/app/config.json:Z

     

       23
       +
       

     

       24
       +
       Network=reverse-proxy.network

     

       25
       +
       

     

       26
       +
       [Service]

     

       27
       +
       TimeoutStartSec=900

     

       28
       +
       Restart=always

     

       29
       +
       

     

       30
       +
       [Install]

     

       31
       +
       WantedBy=multi-user.target default.target

+9 -2

configs/containers/systemd/grafana-alloy.container.tftpl

···

       15
        
       Label="glance.description=OpenTelemetry Collector"

     

       16
        
       Label="glance.hide=false"

     

       17
        
       

     

       18
       -
       Exec=run --storage.path=/var/lib/alloy/data --disable-reporting /etc/alloy/config.alloy

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
       

     

       20
        
       Volume=%E/alloy/config.alloy:/etc/alloy/config.alloy:Z

     

       21
        
       Volume=%t/podman/podman.sock:/var/run/docker.sock

     
···

       30
        
       Restart=always

     

       31
        
       

     

       32
        
       [Install]

     

       33
       -
       WantedBy=multi-user.target default.target

···

       15
        
       Label="glance.description=OpenTelemetry Collector"

     

       16
        
       Label="glance.hide=false"

     

       17
        
       

     

       18
       +
       Exec=run --server.http.listen-addr=0.0.0.0:12345 --storage.path=/var/lib/alloy/data --disable-reporting /etc/alloy/config.alloy

     

       19
       +
       

     

       20
       +
       Label="traefik.enable=true"

     

       21
       +
       Label="traefik.http.routers.grafana-alloy.rule=Host(`alloy.${base_domain}`)"

     

       22
       +
       Label="traefik.http.routers.grafana-alloy.middlewares=oauth2-proxy@file"

     

       23
       +
       Label="traefik.http.services.grafana-alloy.loadbalancer.server.port=12345"

     

       24
       +
       Label="traefik.http.routers.grafana-alloy-auth.rule=Host(`alloy.${base_domain}`) && PathPrefix(`/oauth2/`)"

     

       25
       +
       Label="traefik.http.routers.grafana-alloy-auth.service=oauth2-proxy"

     

       26
        
       

     

       27
        
       Volume=%E/alloy/config.alloy:/etc/alloy/config.alloy:Z

     

       28
        
       Volume=%t/podman/podman.sock:/var/run/docker.sock

     
···

       37
        
       Restart=always

     

       38
        
       

     

       39
        
       [Install]

     

       40
       +
       WantedBy=multi-user.target default.target

configs/containers/systemd/immich/immich-server.container.tftpl

···

       11
        
       User=1000:1000

     

       12
        
       GroupAdd=keep-groups

     

       13
        
       

     

       0
        
       
     

       14
        
       Environment=IMMICH_MEDIA_LOCATION=/usr/src/app/upload

     

       15
        
       Environment=TZ=Europe/Belgrade

     

       16
        
       Environment=DB_HOSTNAME=immich-postgres

···

       11
        
       User=1000:1000

     

       12
        
       GroupAdd=keep-groups

     

       13
        
       

     

       14
       +
       Environment=IMMICH_TELEMETRY_INCLUDE=all

     

       15
        
       Environment=IMMICH_MEDIA_LOCATION=/usr/src/app/upload

     

       16
        
       Environment=TZ=Europe/Belgrade

     

       17
        
       Environment=DB_HOSTNAME=immich-postgres

+35

configs/containers/systemd/matrix-rtc/matrix-rtc-jwt.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=MatrixRTC Authorization Service Quadlet

     

       3
       +
       

     

       4
       +
       [Container]

     

       5
       +
       Image=ghcr.io/element-hq/lk-jwt-service:0.3.0

     

       6
       +
       AutoUpdate=registry

     

       7
       +
       ContainerName=matrix-rtc-jwt

     

       8
       +
       

     

       9
       +
       User=1000:1000

     

       10
       +
       

     

       11
       +
       Environment=LIVEKIT_URL=wss://matrix-rtc.${base_domain}/livekit/sfu

     

       12
       +
       Environment=LIVEKIT_JWT_PORT=9090

     

       13
       +
       Environment=LIVEKIT_FULL_ACCESS_HOMESERVERS=${base_domain}

     

       14
       +
       Secret=matrix-rtc-livekit-key,type=env,target=LIVEKIT_KEY

     

       15
       +
       Secret=matrix-rtc-livekit-secret,type=env,target=LIVEKIT_SECRET

     

       16
       +
       

     

       17
       +
       Label="glance.parent=matrix-rtc"

     

       18
       +
       Label="glance.name=MatrixRTC Authorization Service"

     

       19
       +
       Label="glance.hide=false"

     

       20
       +
       

     

       21
       +
       Label="traefik.enable=true"

     

       22
       +
       Label="traefik.http.routers.matrix-rtc-jwt.rule=Host(`matrix-rtc.${base_domain}`) && PathPrefix(`/livekit/jwt`)"

     

       23
       +
       Label="traefik.http.routers.matrix-rtc-jwt.middlewares=strip-jwt-prefix"

     

       24
       +
       Label="traefik.http.middlewares.strip-jwt-prefix.stripprefix.prefixes=/livekit/jwt"

     

       25
       +
       Label="traefik.http.services.matrix-rtc-jwt.loadbalancer.server.port=9090"

     

       26
       +
       

     

       27
       +
       Pod=matrix-rtc.pod

     

       28
       +
       

     

       29
       +
       [Service]

     

       30
       +
       TimeoutStartSec=900

     

       31
       +
       Restart=always

     

       32
       +
       

     

       33
       +
       [Install]

     

       34
       +
       WantedBy=multi-user.target default.target

     

       35
       +

+43

configs/containers/systemd/matrix-rtc/matrix-rtc-sfu.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=MatrixRTC Livekit Quadlet

     

       3
       +
       Wants=matrix-rtc-valkey.service

     

       4
       +
       After=matrix-rtc-valkey.service

     

       5
       +
       

     

       6
       +
       [Container]

     

       7
       +
       Image=docker.io/livekit/livekit-server:v1.9

     

       8
       +
       AutoUpdate=registry

     

       9
       +
       ContainerName=matrix-rtc-sfu

     

       10
       +
       

     

       11
       +
       User=1000:1000

     

       12
       +
       

     

       13
       +
       Label="glance.id=matrix-rtc"

     

       14
       +
       Label="glance.icon=di:matrix-light"

     

       15
       +
       Label="glance.description=Matrix Realtime Stack"

     

       16
       +
       Label="glance.name=MatrixRTC"

     

       17
       +
       Label="glance.hide=false"

     

       18
       +
       

     

       19
       +
       Label="traefik.enable=true"

     

       20
       +
       Label="traefik.http.routers.matrix-rtc-sfu.rule=Host(`matrix-rtc.${base_domain}`) && PathPrefix(`/livekit/sfu`)"

     

       21
       +
       Label="traefik.http.routers.matrix-rtc-sfu.middlewares=strip-sfu-prefix"

     

       22
       +
       Label="traefik.http.middlewares.strip-sfu-prefix.stripprefix.prefixes=/livekit/sfu"

     

       23
       +
       Label="traefik.http.services.matrix-rtc-sfu.loadbalancer.server.port=7880"

     

       24
       +
       

     

       25
       +
       Label="traefik.tcp.routers.matrix-rtc-turn.rule=HostSNI(`turn.${base_domain}`)"

     

       26
       +
       Label="traefik.tcp.routers.matrix-rtc-turn.tls=true"

     

       27
       +
       Label="traefik.tcp.routers.matrix-rtc-turn.tls.certresolver=leresolver"

     

       28
       +
       Label="traefik.tcp.routers.matrix-rtc-turn.service=matrix-rtc-turn"

     

       29
       +
       Label="traefik.tcp.services.matrix-rtc-turn.loadbalancer.server.port=5349"

     

       30
       +
       

     

       31
       +
       Exec=--config /etc/livekit.yaml

     

       32
       +
       

     

       33
       +
       Volume=%E/matrix-rtc/livekit.yaml:/etc/livekit.yaml:Z

     

       34
       +
       

     

       35
       +
       Pod=matrix-rtc.pod

     

       36
       +
       

     

       37
       +
       [Service]

     

       38
       +
       TimeoutStartSec=900

     

       39
       +
       Restart=always

     

       40
       +
       

     

       41
       +
       [Install]

     

       42
       +
       WantedBy=multi-user.target default.target

     

       43
       +

+27

configs/containers/systemd/matrix-rtc/matrix-rtc-valkey.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=MatrixRTC Valkey Quadlet

     

       3
       +
       

     

       4
       +
       [Container]

     

       5
       +
       Image=docker.io/valkey/valkey:8-alpine

     

       6
       +
       AutoUpdate=registry

     

       7
       +
       ContainerName=matrix-rtc-valkey

     

       8
       +
       

     

       9
       +
       User=1000:1000

     

       10
       +
       

     

       11
       +
       Label="glance.parent=matrix-rtc"

     

       12
       +
       Label="glance.name=Valkey"

     

       13
       +
       Label="glance.hide=false"

     

       14
       +
       

     

       15
       +
       HealthCmd=valkey-cli ping || exit 1

     

       16
       +
       

     

       17
       +
       Volume=/var/mnt/docker/app_data/matrix-rtc/valkey:/data:Z

     

       18
       +
       

     

       19
       +
       Pod=matrix-rtc.pod

     

       20
       +
       Notify=healthy

     

       21
       +
       

     

       22
       +
       [Service]

     

       23
       +
       TimeoutStartSec=900

     

       24
       +
       Restart=always

     

       25
       +
       

     

       26
       +
       [Install]

     

       27
       +
       WantedBy=multi-user.target default.target

+34

configs/containers/systemd/matrix/matrix-authentication-service.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=Matrix Authencation Service Quadlet

     

       3
       +
       Wants=matrix-postgres.service

     

       4
       +
       After=matrix-postgres.service

     

       5
       +
       

     

       6
       +
       [Container]

     

       7
       +
       Image=ghcr.io/element-hq/matrix-authentication-service:1.4

     

       8
       +
       AutoUpdate=registry

     

       9
       +
       ContainerName=matrix-authentication-service

     

       10
       +
       

     

       11
       +
       User=1000:1000

     

       12
       +
       

     

       13
       +
       Label="glance.parent=matrix"

     

       14
       +
       Label="glance.name=Matrix Authentication Service"

     

       15
       +
       Label="glance.hide=false"

     

       16
       +
       

     

       17
       +
       Label="traefik.enable=true"

     

       18
       +
       Label="traefik.http.routers.matrix-authentication-service.rule=Host(`matrix-account.${base_domain}`) || (Host(`matrix.${base_domain}`) && PathRegexp(`^/_matrix/client/(.*)/(login|logout|refresh)`))"

     

       19
       +
       Label="traefik.http.services.matrix-authentication-service.loadbalancer.server.port=8080"

     

       20
       +
       

     

       21
       +
       Exec=--config /data/config.yaml

     

       22
       +
       

     

       23
       +
       Volume=%E/matrix/mas.yaml:/data/config.yaml:Z

     

       24
       +
       Volume=/var/mnt/docker/app_data/matrix/mas:/data:Z

     

       25
       +
       

     

       26
       +
       Pod=matrix.pod

     

       27
       +
       

     

       28
       +
       [Service]

     

       29
       +
       TimeoutStartSec=900

     

       30
       +
       Restart=always

     

       31
       +
       

     

       32
       +
       [Install]

     

       33
       +
       WantedBy=multi-user.target default.target

     

       34
       +

+33

configs/containers/systemd/matrix/matrix-postgres.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=Matrix Postgres Quadlet

     

       3
       +
       

     

       4
       +
       [Container]

     

       5
       +
       Image=docker.io/postgres:18-bookworm

     

       6
       +
       AutoUpdate=registry

     

       7
       +
       ContainerName=matrix-postgres

     

       8
       +
       

     

       9
       +
       User=1000:1000

     

       10
       +
       

     

       11
       +
       Environment=POSTGRES_USER=synapse

     

       12
       +
       Environment=POSTGRES_DB=synapse

     

       13
       +
       Environment=POSTGRES_INITDB_ARGS="--encoding=UTF-8 --lc-collate=C --lc-ctype=C"

     

       14
       +
       Secret=synapse-postgres-password,type=env,target=POSTGRES_PASSWORD

     

       15
       +
       

     

       16
       +
       Label="glance.parent=matrix"

     

       17
       +
       Label="glance.name=Postgres"

     

       18
       +
       Label="glance.hide=false"

     

       19
       +
       

     

       20
       +
       HealthCmd=pg_isready --dbname="$$${POSTGRES_DB}" --username="$$${POSTGRES_USER}" || exit 1;

     

       21
       +
       HealthStartupInterval=5s

     

       22
       +
       

     

       23
       +
       Volume=/var/mnt/docker/app_data/matrix/postgres:/var/lib/postgresql/data:Z

     

       24
       +
       

     

       25
       +
       Pod=matrix.pod

     

       26
       +
       Notify=healthy

     

       27
       +
       

     

       28
       +
       [Service]

     

       29
       +
       TimeoutStartSec=900

     

       30
       +
       Restart=always

     

       31
       +
       

     

       32
       +
       [Install]

     

       33
       +
       WantedBy=multi-user.target default.target

+35

configs/containers/systemd/matrix/matrix-synapse.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=Matrix Synapse Quadlet

     

       3
       +
       Wants=matrix-valkey.service matrix-postgres.service

     

       4
       +
       After=matrix-valkey.service matrix-postgres.service

     

       5
       +
       

     

       6
       +
       [Container]

     

       7
       +
       Image=docker.io/matrixdotorg/synapse:v1.140.0

     

       8
       +
       AutoUpdate=registry

     

       9
       +
       ContainerName=matrix-synapse

     

       10
       +
       

     

       11
       +
       User=1000:1000

     

       12
       +
       

     

       13
       +
       Label="glance.id=matrix"

     

       14
       +
       Label="glance.name=Matrix"

     

       15
       +
       Label="glance.icon=di:matrix-light"

     

       16
       +
       Label="glance.description=Matrix Homeserver"

     

       17
       +
       Label="glance.hide=false"

     

       18
       +
       

     

       19
       +
       Label="traefik.enable=true"

     

       20
       +
       Label="traefik.http.routers.matrix-synapse.rule=Host(`matrix.${base_domain}`)"

     

       21
       +
       Label="traefik.http.services.matrix-synapse.loadbalancer.server.port=8008"

     

       22
       +
       

     

       23
       +
       Volume=%E/matrix/homeserver.yaml:/data/homeserver.yaml:Z

     

       24
       +
       Volume=%E/matrix/log.config:/data/${base_domain}.log.config:Z

     

       25
       +
       Volume=/var/mnt/docker/app_data/matrix/synapse:/data:Z

     

       26
       +
       

     

       27
       +
       Pod=matrix.pod

     

       28
       +
       

     

       29
       +
       [Service]

     

       30
       +
       TimeoutStartSec=900

     

       31
       +
       Restart=always

     

       32
       +
       

     

       33
       +
       [Install]

     

       34
       +
       WantedBy=multi-user.target default.target

     

       35
       +

+27

configs/containers/systemd/matrix/matrix-valkey.container.tftpl

···

       1
       +
       [Unit]

     

       2
       +
       Description=Matrix Valkey Quadlet

     

       3
       +
       

     

       4
       +
       [Container]

     

       5
       +
       Image=docker.io/valkey/valkey:8-alpine

     

       6
       +
       AutoUpdate=registry

     

       7
       +
       ContainerName=matrix-valkey

     

       8
       +
       

     

       9
       +
       User=1000:1000

     

       10
       +
       

     

       11
       +
       Label="glance.parent=matrix"

     

       12
       +
       Label="glance.name=Valkey"

     

       13
       +
       Label="glance.hide=false"

     

       14
       +
       

     

       15
       +
       HealthCmd=valkey-cli ping || exit 1

     

       16
       +
       

     

       17
       +
       Volume=/var/mnt/docker/app_data/matrix/valkey:/data:Z

     

       18
       +
       

     

       19
       +
       Pod=matrix.pod

     

       20
       +
       Notify=healthy

     

       21
       +
       

     

       22
       +
       [Service]

     

       23
       +
       TimeoutStartSec=900

     

       24
       +
       Restart=always

     

       25
       +
       

     

       26
       +
       [Install]

     

       27
       +
       WantedBy=multi-user.target default.target

configs/containers/systemd/networks/matrix-rtc.network

···

       0

···

       1
       +
       [Network]

configs/containers/systemd/networks/matrix.network

···

       0

···

       1
       +
       [Network]

configs/containers/systemd/opencloud/opencloud-collaboration.container.tftpl

···

       13
        
       Environment=OC_URL="https://cloud.${base_domain}"

     

       14
        
       Environment=COLLABORATION_GRPC_ADDR=0.0.0.0:9301

     

       15
        
       Environment=COLLABORATION_HTTP_ADDR=0.0.0.0:9300

     

       0
        
       
     

       16
        
       Environment=COLLABORATION_WOPI_SRC=https://wopiserver.${base_domain}

     

       17
        
       Environment=COLLABORATION_APP_NAME=CollaboraOnline

     

       18
        
       Environment=COLLABORATION_APP_PRODUCT=Collabora

···

       13
        
       Environment=OC_URL="https://cloud.${base_domain}"

     

       14
        
       Environment=COLLABORATION_GRPC_ADDR=0.0.0.0:9301

     

       15
        
       Environment=COLLABORATION_HTTP_ADDR=0.0.0.0:9300

     

       16
       +
       Environment=COLLABORATION_DEBUG_ADDR=0.0.0.0:9304

     

       17
        
       Environment=COLLABORATION_WOPI_SRC=https://wopiserver.${base_domain}

     

       18
        
       Environment=COLLABORATION_APP_NAME=CollaboraOnline

     

       19
        
       Environment=COLLABORATION_APP_PRODUCT=Collabora

+4 -1

configs/containers/systemd/pocket-id.container.tftpl

···

       10
        
       UserNS=keep-id:uid=1000,gid=1000

     

       11
        
       

     

       12
        
       Environment=APP_URL=https://id.${base_domain}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       Secret=pocket-id-maxmind-license-key,type=env,target=MAXMIND_LICENSE_KEY

     

       14
        
       

     

       15
        
       Label="glance.name=Pocket ID"

     
···

       20
        
       

     

       21
        
       Label="traefik.enable=true"

     

       22
        
       Label="traefik.http.routers.pocket-id.rule=Host(`id.${base_domain}`)"

     

       23
       -
       Label="traefik.http.routers.pocket-id.service=pocket-id"

     

       24
        
       

     

       25
        
       Volume=/var/mnt/docker/app_data/pocket-id:/app/data:Z

     

       26

···

       10
        
       UserNS=keep-id:uid=1000,gid=1000

     

       11
        
       

     

       12
        
       Environment=APP_URL=https://id.${base_domain}

     

       13
       +
       Environment=METRICS_ENABLED=true

     

       14
       +
       Environment=OTEL_LOGS_EXPORTER=otlp

     

       15
       +
       Environment=OTEL_EXPORTER_OTLP_ENDPOINT=http://grafana-alloy:4317

     

       16
       +
       Environment=OTEL_EXPORTER_OTLP_PROTOCOL=grpc

     

       17
        
       Secret=pocket-id-maxmind-license-key,type=env,target=MAXMIND_LICENSE_KEY

     

       18
        
       

     

       19
        
       Label="glance.name=Pocket ID"

     
···

       24
        
       

     

       25
        
       Label="traefik.enable=true"

     

       26
        
       Label="traefik.http.routers.pocket-id.rule=Host(`id.${base_domain}`)"

     

       0
        
       
     

       27
        
       

     

       28
        
       Volume=/var/mnt/docker/app_data/pocket-id:/app/data:Z

     

       29

configs/containers/systemd/pods/immich.pod

···

       5
        
       PodName=immich

     

       6
        
       UserNS=keep-id:uid=1000,gid=1000

     

       7
        
       Network=immich.network

     

       0

···

       5
        
       PodName=immich

     

       6
        
       UserNS=keep-id:uid=1000,gid=1000

     

       7
        
       Network=immich.network

     

       8
       +
       Network=reverse-proxy.network

configs/containers/systemd/pods/matrix-rtc.pod

···

       1
       +
       [Unit]

     

       2
       +
       Description=MatrixRTC Pod

     

       3
       +
       

     

       4
       +
       [Pod]

     

       5
       +
       PodName=matrix-rtc

     

       6
       +
       UserNS=keep-id:uid=1000,gid=1000

     

       7
       +
       Network=host

configs/containers/systemd/pods/matrix.pod

···

       1
       +
       [Unit]

     

       2
       +
       Description=Matrix Pod

     

       3
       +
       

     

       4
       +
       [Pod]

     

       5
       +
       PodName=matrix

     

       6
       +
       UserNS=keep-id:uid=1000,gid=1000

     

       7
       +
       Network=matrix.network

     

       8
       +
       Network=reverse-proxy.network

configs/containers/systemd/pods/opencloud.pod

···

       5
        
       PodName=opencloud

     

       6
        
       UserNS=keep-id:uid=1000,gid=1000

     

       7
        
       Network=opencloud.network

     

       0

···

       5
        
       PodName=opencloud

     

       6
        
       UserNS=keep-id:uid=1000,gid=1000

     

       7
        
       Network=opencloud.network

     

       8
       +
       Network=reverse-proxy.network

+1 -1

configs/containers/systemd/tangled.container.tftpl

···

       2
        
       Description=Tangled Knot Quadlet

     

       3
        
       

     

       4
        
       [Container]

     

       5
       -
       Image=ghcr.io/savely-krasovsky/knot-docker:v1.9.0-alpha

     

       6
        
       AutoUpdate=registry

     

       7
        
       ContainerName=tangled

     

       8

···

       2
        
       Description=Tangled Knot Quadlet

     

       3
        
       

     

       4
        
       [Container]

     

       5
       +
       Image=ghcr.io/savely-krasovsky/knot-docker:1.9.1-alpha

     

       6
        
       AutoUpdate=registry

     

       7
        
       ContainerName=tangled

     

       8

-46

configs/containers/systemd/tuwunel.container.tftpl

···

       1
       -
       [Unit]

     

       2
       -
       Description=Tuwunel Quadlet

     

       3
       -
       Requires=podman.socket

     

       4
       -
       After=podman.socket

     

       5
       -
       

     

       6
       -
       [Container]

     

       7
       -
       Image=ghcr.io/matrix-construct/tuwunel:latest

     

       8
       -
       AutoUpdate=registry

     

       9
       -
       ContainerName=tuwunel

     

       10
       -
       

     

       11
       -
       User=1000:1000

     

       12
       -
       UserNS=keep-id:uid=1000,gid=1000

     

       13
       -
       

     

       14
       -
       Environment=TUWUNEL_CONFIG=

     

       15
       -
       Environment=TUWUNEL_SERVER_NAME=${base_domain}

     

       16
       -
       Environment=TUWUNEL_DATABASE_PATH=/var/lib/tuwunel/

     

       17
       -
       Environment=TUWUNEL_ADDRESS=0.0.0.0

     

       18
       -
       Environment=TUWUNEL_PORT=6167

     

       19
       -
       Environment=TUWUNEL_ALLOW_FEDERATION=true

     

       20
       -
       Environment=TUWUNEL_ALLOW_REGISTRATION=true

     

       21
       -
       Environment=TUWUNEL_LOG=info

     

       22
       -
       Environment=TUWUNEL_TURN_URIS="[\"turn:turn.${base_domain}?transport=udp\", \"turn:turn.${base_domain}?transport=tcp\"]"

     

       23
       -
       Environment=TUWUNEL_ALLOW_LEGACY_MEDIA=true

     

       24
       -
       Secret=tuwunel-registration-token,type=env,target=TUWUNEL_REGISTRATION_TOKEN

     

       25
       -
       Secret=tuwunel-turn-secret,type=env,target=TUWUNEL_TURN_SECRET

     

       26
       -
       

     

       27
       -
       Label="glance.name=Tuwunel"

     

       28
       -
       Label="glance.icon=di:matrix-light"

     

       29
       -
       Label="glance.description=Matrix Homeserver"

     

       30
       -
       Label="glance.hide=false"

     

       31
       -
       

     

       32
       -
       Label="traefik.enable=true"

     

       33
       -
       Label="traefik.http.routers.tuwunel.rule=Host(`matrix.${base_domain}`)"

     

       34
       -
       Label="traefik.http.services.tuwunel.loadbalancer.server.port=6167"

     

       35
       -
       

     

       36
       -
       Volume=/var/mnt/docker/app_data/tuwunel:/var/lib/tuwunel/:Z

     

       37
       -
       

     

       38
       -
       Network=reverse-proxy.network

     

       39
       -
       

     

       40
       -
       [Service]

     

       41
       -
       TimeoutStartSec=900

     

       42
       -
       Restart=always

     

       43
       -
       

     

       44
       -
       [Install]

     

       45
       -
       WantedBy=multi-user.target default.target

     

       46
       -

+22

configs/element/call.json.tftpl

···

       1
       +
       {

     

       2
       +
         "default_server_config": {

     

       3
       +
           "m.homeserver": {

     

       4
       +
             "base_url": "https://matrix.${base_domain}",

     

       5
       +
             "server_name": "${base_domain}"

     

       6
       +
           }

     

       7
       +
         },

     

       8
       +
         "livekit": {

     

       9
       +
           "livekit_service_url": "https://matrix-rtc.${base_domain}/livekit/jwt"

     

       10
       +
         },

     

       11
       +
         "features": {

     

       12
       +
           "feature_use_device_session_member_events": true

     

       13
       +
         },

     

       14
       +
         "ssla": "https://static.element.io/legal/element-software-and-services-license-agreement-uk-1.pdf",

     

       15
       +
         "matrix_rtc_session": {

     

       16
       +
           "wait_for_key_rotation_ms": 3000,

     

       17
       +
           "membership_event_expiry_ms": 180000000,

     

       18
       +
           "delayed_leave_event_delay_ms": 18000,

     

       19
       +
           "delayed_leave_event_restart_ms": 4000,

     

       20
       +
           "network_error_retry_ms": 100

     

       21
       +
         }

     

       22
       +
       }

+67

configs/element/web.json.tftpl

···

       1
       +
       {

     

       2
       +
           "default_server_name": "${base_domain}",

     

       3
       +
           "default_server_config": {

     

       4
       +
               "m.homeserver": {

     

       5
       +
                   "base_url": "https://matrix.${base_domain}"

     

       6
       +
               },

     

       7
       +
               "m.identity_server": {

     

       8
       +
                   "base_url": "https://vector.im"

     

       9
       +
               },

     

       10
       +
               "org.matrix.msc2965.authentication": {

     

       11
       +
                   "issuer": "https://matrix-account.${base_domain}/",

     

       12
       +
                   "account": "https://matrix-account.${base_domain}/account/"

     

       13
       +
               },

     

       14
       +
               "org.matrix.msc4143.rtc_foci": [

     

       15
       +
                   {

     

       16
       +
                       "type": "livekit",

     

       17
       +
                       "livekit_service_url": "https://matrix-rtc.${base_domain}/livekit/jwt"

     

       18
       +
                   }

     

       19
       +
               ]

     

       20
       +
           },

     

       21
       +
           "brand": "Element",

     

       22
       +
           "integrations_ui_url": "https://scalar.vector.im/",

     

       23
       +
           "integrations_rest_url": "https://scalar.vector.im/api",

     

       24
       +
           "integrations_widgets_urls": [

     

       25
       +
               "https://scalar.vector.im/_matrix/integrations/v1",

     

       26
       +
               "https://scalar.vector.im/api",

     

       27
       +
               "https://scalar-staging.vector.im/_matrix/integrations/v1",

     

       28
       +
               "https://scalar-staging.vector.im/api"

     

       29
       +
           ],

     

       30
       +
           "bug_report_endpoint_url": "https://element.io/bugreports/submit",

     

       31
       +
           "uisi_autorageshake_app": "element-auto-uisi",

     

       32
       +
           "show_labs_settings": false,

     

       33
       +
           "room_directory": {

     

       34
       +
               "servers": ["matrix.org", "gitter.im"]

     

       35
       +
           },

     

       36
       +
           "enable_presence_by_hs_url": {

     

       37
       +
               "https://matrix.org": false,

     

       38
       +
               "https://matrix-client.matrix.org": false

     

       39
       +
           },

     

       40
       +
           "terms_and_conditions_links": [

     

       41
       +
               {

     

       42
       +
                   "url": "https://element.io/privacy",

     

       43
       +
                   "text": "Privacy Policy"

     

       44
       +
               },

     

       45
       +
               {

     

       46
       +
                   "url": "https://element.io/cookie-policy",

     

       47
       +
                   "text": "Cookie Policy"

     

       48
       +
               }

     

       49
       +
           ],

     

       50
       +
           "posthog": {

     

       51
       +
               "project_api_key": "phc_Jzsm6DTm6V2705zeU5dcNvQDlonOR68XvX2sh1sEOHO",

     

       52
       +
               "api_host": "https://posthog.element.io"

     

       53
       +
           },

     

       54
       +
           "privacy_policy_url": "https://element.io/cookie-policy",

     

       55
       +
           "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx",

     

       56
       +
           "setting_defaults": {

     

       57
       +
               "RustCrypto.staged_rollout_percent": 60

     

       58
       +
           },

     

       59
       +
           "features": {

     

       60
       +
               "feature_video_rooms": true,

     

       61
       +
               "feature_group_calls": true,

     

       62
       +
               "feature_element_call_video_rooms": true

     

       63
       +
           },

     

       64
       +
           "element_call": {

     

       65
       +
               "url": "https://call.element.krasovs.ky"

     

       66
       +
           }

     

       67
       +
       }

+23

configs/matrix-rtc/livekit.yaml.tftpl

···

       1
       +
       port: 7880

     

       2
       +
       log_level: info

     

       3
       +
       

     

       4
       +
       rtc:

     

       5
       +
         tcp_port: 7881

     

       6
       +
         port_range_start: 59900

     

       7
       +
         port_range_end: 60000

     

       8
       +
         use_external_ip: true

     

       9
       +
       

     

       10
       +
       redis:

     

       11
       +
         address: localhost:6379

     

       12
       +
       

     

       13
       +
       turn:

     

       14
       +
         enabled: true

     

       15
       +
         domain: turn.${base_domain}

     

       16
       +
         udp_port: 3478

     

       17
       +
         tls_port: 5349

     

       18
       +
         relay_range_start: 59000

     

       19
       +
         relay_range_end: 59100

     

       20
       +
         external_tls: true

     

       21
       +
       

     

       22
       +
       keys:

     

       23
       +
         ${secrets.matrix_rtc_livekit_key}: ${secrets.matrix_rtc_livekit_secret}

+78

configs/matrix/homeserver.yaml.tftpl

···

       1
       +
       server_name: "${base_domain}"

     

       2
       +
       pid_file: /data/homeserver.pid

     

       3
       +
       web_client_location: "https://element.${base_domain}"

     

       4
       +
       public_baseurl: "https://matrix.${base_domain}"

     

       5
       +
       listeners:

     

       6
       +
         - port: 8008

     

       7
       +
           tls: false

     

       8
       +
           type: http

     

       9
       +
           x_forwarded: true

     

       10
       +
           resources:

     

       11
       +
             - names: [client, federation]

     

       12
       +
               compress: false

     

       13
       +
         - port: 9000

     

       14
       +
           type: metrics

     

       15
       +
       

     

       16
       +
       database:

     

       17
       +
         name: psycopg2

     

       18
       +
         args:

     

       19
       +
           user: synapse

     

       20
       +
           password: ${secrets.synapse_postgres_password}

     

       21
       +
           dbname: synapse

     

       22
       +
           host: matrix-postgres

     

       23
       +
           cp_min: 5

     

       24
       +
           cp_max: 10

     

       25
       +
       

     

       26
       +
       redis:

     

       27
       +
         enabled: true

     

       28
       +
         host: matrix-valkey

     

       29
       +
         port: 6379

     

       30
       +
       

     

       31
       +
       log_config: "/data/${base_domain}.log.config"

     

       32
       +
       media_store_path: /data/media_store

     

       33
       +
       registration_shared_secret: "${secrets.synapse_registration_shared_secret}"

     

       34
       +
       report_stats: false

     

       35
       +
       macaroon_secret_key: "${secrets.synapse_macaroon_secret_key}"

     

       36
       +
       form_secret: "${secrets.synapse_form_secret}"

     

       37
       +
       signing_key_path: "/data/${base_domain}.signing.key"

     

       38
       +
       trusted_key_servers:

     

       39
       +
         - server_name: "matrix.org"

     

       40
       +
       

     

       41
       +
       turn_uris: [ "turn:turn.${base_domain}?transport=udp", "turn:turn.${base_domain}?transport=tcp" ]

     

       42
       +
       turn_shared_secret: "${secrets.coturn_turn_shared_secret}"

     

       43
       +
       turn_user_lifetime: 86400000

     

       44
       +
       turn_allow_guests: false

     

       45
       +
       

     

       46
       +
       password_config:

     

       47
       +
         enabled: false

     

       48
       +
       

     

       49
       +
       matrix_authentication_service:

     

       50
       +
         enabled: true

     

       51
       +
         endpoint: http://matrix-authentication-service:8080/

     

       52
       +
         secret: ${secrets.matrix_authentication_service_secret}

     

       53
       +
       

     

       54
       +
       enable_metrics: true

     

       55
       +
       

     

       56
       +
       # Support Element Call

     

       57
       +
       experimental_features:

     

       58
       +
         # MSC3266: Room summary API. Used for knocking over federation

     

       59
       +
         msc3266_enabled: true

     

       60
       +
         # MSC4222 needed for syncv2 state_after. This allow clients to

     

       61
       +
         # correctly track the state of the room.

     

       62
       +
         msc4222_enabled: true

     

       63
       +
       

     

       64
       +
       # The maximum allowed duration by which sent events can be delayed, as

     

       65
       +
       # per MSC4140.

     

       66
       +
       max_event_delay_duration: 24h

     

       67
       +
       

     

       68
       +
       rc_message:

     

       69
       +
         # This needs to match at least e2ee key sharing frequency plus a bit of headroom

     

       70
       +
         # Note key sharing events are bursty

     

       71
       +
         per_second: 0.5

     

       72
       +
         burst_count: 30

     

       73
       +
       

     

       74
       +
       rc_delayed_event_mgmt:

     

       75
       +
         # This needs to match at least the heart-beat frequency plus a bit of headroom

     

       76
       +
         # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s

     

       77
       +
         per_second: 1

     

       78
       +
         burst_count: 20

+24

configs/matrix/log.config

···

       1
       +
       version: 1

     

       2
       +
       

     

       3
       +
       formatters:

     

       4
       +
         structured:

     

       5
       +
           class: synapse.logging.TerseJsonFormatter

     

       6
       +
       

     

       7
       +
       handlers:

     

       8
       +
         console:

     

       9
       +
           class: logging.StreamHandler

     

       10
       +
           formatter: structured

     

       11
       +
       

     

       12
       +
       loggers:

     

       13
       +
         # This is just here so we can leave `loggers` in the config regardless of whether

     

       14
       +
         # we configure other loggers below (avoid empty yaml dict error).

     

       15
       +
         _placeholder:

     

       16
       +
           level: "INFO"

     

       17
       +
         synapse.storage.SQL:

     

       18
       +
           level: INFO

     

       19
       +
       

     

       20
       +
       root:

     

       21
       +
         level: INFO

     

       22
       +
         handlers: [console]

     

       23
       +
       

     

       24
       +
       disable_existing_loggers: false

+88

configs/matrix/mas.yaml.tftpl

···

       1
       +
       http:

     

       2
       +
         public_base: https://matrix-account.${base_domain}/

     

       3
       +
         listeners:

     

       4
       +
         - name: web

     

       5
       +
           resources:

     

       6
       +
           - name: discovery

     

       7
       +
           - name: human

     

       8
       +
           - name: oauth

     

       9
       +
           - name: compat

     

       10
       +
           - name: graphql

     

       11
       +
           - name: assets

     

       12
       +
           binds:

     

       13
       +
           - address: '[::]:8080'

     

       14
       +
           proxy_protocol: false

     

       15
       +
         - name: internal

     

       16
       +
           resources:

     

       17
       +
           - name: health

     

       18
       +
           binds:

     

       19
       +
           - host: localhost

     

       20
       +
             port: 8081

     

       21
       +
           proxy_protocol: false

     

       22
       +
         trusted_proxies:

     

       23
       +
         - 192.168.0.0/16

     

       24
       +
         - 172.16.0.0/12

     

       25
       +
         - 10.0.0.0/10

     

       26
       +
         - 127.0.0.1/8

     

       27
       +
         - fd00::/8

     

       28
       +
         - ::1/128

     

       29
       +
       

     

       30
       +
       database:

     

       31
       +
         uri: "postgresql://synapse:${secrets.synapse_postgres_password}@matrix-postgres/mas"

     

       32
       +
         max_connections: 10

     

       33
       +
         min_connections: 0

     

       34
       +
         connect_timeout: 30

     

       35
       +
         idle_timeout: 600

     

       36
       +
         max_lifetime: 1800

     

       37
       +
       

     

       38
       +
       email:

     

       39
       +
         from: '"Matrix Authentication Service" <noreply+matrix@krasovs.ky>'

     

       40
       +
         reply_to: '"Matrix Authentication Service" <noreply+matrix@krasovs.ky>'

     

       41
       +
         transport: smtp

     

       42
       +
         mode: tls

     

       43
       +
         hostname: smtps-proxy.fastmail.com

     

       44
       +
         port: 443

     

       45
       +
         username: savely@${base_domain}

     

       46
       +
         password: ${secrets.matrix_authentication_service_smtp_password}

     

       47
       +
       

     

       48
       +
       secrets:

     

       49
       +
         encryption: ${secrets.matrix_authentication_service_secrets_encryption}

     

       50
       +
         keys:

     

       51
       +
         - key: |

     

       52
       +
             ${indent(6, secrets.matrix_authentication_service_secrets_rsa_key)}

     

       53
       +
         - key: |

     

       54
       +
             ${indent(6, secrets.matrix_authentication_service_secrets_p256_key)}

     

       55
       +
         - key: |

     

       56
       +
             ${indent(6, secrets.matrix_authentication_service_secrets_p384_key)}

     

       57
       +
         - key: |

     

       58
       +
             ${indent(6, secrets.matrix_authentication_service_secrets_secp256k1_key)}

     

       59
       +
       

     

       60
       +
       passwords:

     

       61
       +
         enabled: false

     

       62
       +
       

     

       63
       +
       matrix:

     

       64
       +
         kind: synapse

     

       65
       +
         homeserver: ${base_domain}

     

       66
       +
         secret: ${secrets.matrix_authentication_service_secret}

     

       67
       +
         endpoint: https://matrix.${base_domain}/

     

       68
       +
       

     

       69
       +
       upstream_oauth2:

     

       70
       +
         providers:

     

       71
       +
         - id: 01K7WMWMAB8M7J0HR3S5FM5DR2

     

       72
       +
           synapse_idp_id: oidc-pocket-id

     

       73
       +
           issuer: "https://id.${base_domain}"

     

       74
       +
           human_name: "Pocket ID"

     

       75
       +
           client_id: "c6e8a96b-647f-47fe-8e75-2b05a6c79242"

     

       76
       +
           client_secret: "${secrets.synapse_oidc_client_secret}"

     

       77
       +
           token_endpoint_auth_method: client_secret_basic

     

       78
       +
           scope: "email openid profile"

     

       79
       +
           claims_imports:

     

       80
       +
             localpart:

     

       81
       +
               action: require

     

       82
       +
               template: '{{ user.preferred_username }}'

     

       83
       +
             displayname:

     

       84
       +
               action: force

     

       85
       +
               template: '{{ user.name }}'

     

       86
       +
             email:

     

       87
       +
               action: force

     

       88
       +
               template: "{{ user.email }}"

+71 -8

fcos.tf

···

       10
        
         id = var.containers_secret_config.immich_map_key

     

       11
        
       }

     

       12
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       locals {

     

       14
        
         // Add secrets into quadlets config

     

       15
        
         containers_config = merge(var.containers_config, {

     

       16
        
           proxmox_ip : var.proxmox_config.host,

     

       17
        
           truenas_ip : var.fcos_config.truenas_ip,

     

       0
        
       
     

       18
        
           secrets : {

     

       19
        
             vmauth_traefik_bearer_token : data.bitwarden_secret.vmauth_traefik_bearer_token.value

     

       20
        
             vmauth_proxmox_bearer_token : data.bitwarden_secret.vmauth_proxmox_bearer_token.value

     

       21
        
             immich_map_key : data.bitwarden_secret.immich_map_key.value

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       22
        
           }

     

       23
        
         })

     

       24
        
       

     
···

       33
        
       

     

       34
        
         butane_config = merge(var.fcos_config, {

     

       35
        
           config_files : local.config_files

     

       36
       -
           config_dirs  : local.config_dirs,

     

       37
        
         })

     

       38
        
       

     

       39
        
         config_rendered_files = {

     
···

       50
        
       

     

       51
        
       data "ct_config" "fcos_ignition" {

     

       52
        
         content = templatefile("${path.module}/butane/fcos.yml.tftpl", local.butane_config)

     

       53
       -
         strict = true

     

       54
        
       }

     

       55
        
       

     

       56
        
       resource "proxmox_virtual_environment_vm" "fcos" {

     

       57
       -
         node_name = "pve"

     

       58
       -
         name      = "fcos"

     

       59
        
         description = "Managed by OpenTofu"

     

       60
        
       

     

       61
        
         lifecycle {

     
···

       158
        
         }

     

       159
        
       

     

       160
        
         provisioner "remote-exec" {

     

       161
       -
           inline = ["sh /tmp/init.sh"]

     

       162
        
           on_failure = fail

     

       163
        
         }

     

       164
        
       }

     
···

       171
        
         }

     

       172
        
       

     

       173
        
         connection {

     

       174
       -
           type = "ssh"

     

       175
       -
           user = "core"

     

       176
        
           private_key = file(pathexpand(var.fcos_config.ssh_private_key_path))

     

       177
       -
           host = var.fcos_config.ip

     

       178
        
         }

     

       179
        
       

     

       180
        
         // Create directories if not exist

···

       10
        
         id = var.containers_secret_config.immich_map_key

     

       11
        
       }

     

       12
        
       

     

       13
       +
       // Matrix secrets

     

       14
       +
       data "bitwarden_secret" "coturn_turn_shared_secret" {

     

       15
       +
         id = var.containers_secret_config.coturn_turn_shared_secret

     

       16
       +
       }

     

       17
       +
       data "bitwarden_secret" "synapse_postgres_password" {

     

       18
       +
         id = var.containers_secret_config.synapse_postgres_password

     

       19
       +
       }

     

       20
       +
       data "bitwarden_secret" "synapse_registration_shared_secret" {

     

       21
       +
         id = var.containers_secret_config.synapse_registration_shared_secret

     

       22
       +
       }

     

       23
       +
       data "bitwarden_secret" "synapse_macaroon_secret_key" {

     

       24
       +
         id = var.containers_secret_config.synapse_macaroon_secret_key

     

       25
       +
       }

     

       26
       +
       data "bitwarden_secret" "synapse_form_secret" {

     

       27
       +
         id = var.containers_secret_config.synapse_form_secret

     

       28
       +
       }

     

       29
       +
       data "bitwarden_secret" "synapse_oidc_client_secret" {

     

       30
       +
         id = var.containers_secret_config.synapse_oidc_client_secret

     

       31
       +
       }

     

       32
       +
       data "bitwarden_secret" "matrix_authentication_service_secret" {

     

       33
       +
         id = var.containers_secret_config.matrix_authentication_service_secret

     

       34
       +
       }

     

       35
       +
       data "bitwarden_secret" "matrix_authentication_service_secrets_encryption" {

     

       36
       +
         id = var.containers_secret_config.matrix_authentication_service_secrets_encryption

     

       37
       +
       }

     

       38
       +
       data "bitwarden_secret" "matrix_authentication_service_secrets_rsa_key" {

     

       39
       +
         id = var.containers_secret_config.matrix_authentication_service_secrets_rsa_key

     

       40
       +
       }

     

       41
       +
       data "bitwarden_secret" "matrix_authentication_service_secrets_p256_key" {

     

       42
       +
         id = var.containers_secret_config.matrix_authentication_service_secrets_p256_key

     

       43
       +
       }

     

       44
       +
       data "bitwarden_secret" "matrix_authentication_service_secrets_p384_key" {

     

       45
       +
         id = var.containers_secret_config.matrix_authentication_service_secrets_p384_key

     

       46
       +
       }

     

       47
       +
       data "bitwarden_secret" "matrix_authentication_service_secrets_secp256k1_key" {

     

       48
       +
         id = var.containers_secret_config.matrix_authentication_service_secrets_secp256k1_key

     

       49
       +
       }

     

       50
       +
       data "bitwarden_secret" "matrix_authentication_service_smtp_password" {

     

       51
       +
         id = var.containers_secret_config.matrix_authentication_service_smtp_password

     

       52
       +
       }

     

       53
       +
       data "bitwarden_secret" "matrix_rtc_livekit_key" {

     

       54
       +
         id = var.containers_secret_config.matrix_rtc_livekit_key

     

       55
       +
       }

     

       56
       +
       data "bitwarden_secret" "matrix_rtc_livekit_secret" {

     

       57
       +
         id = var.containers_secret_config.matrix_rtc_livekit_secret

     

       58
       +
       }

     

       59
       +
       

     

       60
        
       locals {

     

       61
        
         // Add secrets into quadlets config

     

       62
        
         containers_config = merge(var.containers_config, {

     

       63
        
           proxmox_ip : var.proxmox_config.host,

     

       64
        
           truenas_ip : var.fcos_config.truenas_ip,

     

       65
       +
           fcos_ip : var.fcos_config.ip,

     

       66
        
           secrets : {

     

       67
        
             vmauth_traefik_bearer_token : data.bitwarden_secret.vmauth_traefik_bearer_token.value

     

       68
        
             vmauth_proxmox_bearer_token : data.bitwarden_secret.vmauth_proxmox_bearer_token.value

     

       69
        
             immich_map_key : data.bitwarden_secret.immich_map_key.value

     

       70
       +
             coturn_turn_shared_secret : data.bitwarden_secret.coturn_turn_shared_secret.value

     

       71
       +
             synapse_postgres_password : data.bitwarden_secret.synapse_postgres_password.value

     

       72
       +
             synapse_registration_shared_secret : data.bitwarden_secret.synapse_registration_shared_secret.value

     

       73
       +
             synapse_macaroon_secret_key : data.bitwarden_secret.synapse_macaroon_secret_key.value

     

       74
       +
             synapse_form_secret : data.bitwarden_secret.synapse_form_secret.value

     

       75
       +
             synapse_oidc_client_secret : data.bitwarden_secret.synapse_oidc_client_secret.value

     

       76
       +
             matrix_authentication_service_secret : data.bitwarden_secret.matrix_authentication_service_secret.value

     

       77
       +
             matrix_authentication_service_secrets_encryption : data.bitwarden_secret.matrix_authentication_service_secrets_encryption.value

     

       78
       +
             matrix_authentication_service_secrets_rsa_key : data.bitwarden_secret.matrix_authentication_service_secrets_rsa_key.value

     

       79
       +
             matrix_authentication_service_secrets_p256_key : data.bitwarden_secret.matrix_authentication_service_secrets_p256_key.value

     

       80
       +
             matrix_authentication_service_secrets_p384_key : data.bitwarden_secret.matrix_authentication_service_secrets_p384_key.value

     

       81
       +
             matrix_authentication_service_secrets_secp256k1_key : data.bitwarden_secret.matrix_authentication_service_secrets_secp256k1_key.value

     

       82
       +
             matrix_authentication_service_smtp_password : data.bitwarden_secret.matrix_authentication_service_smtp_password.value

     

       83
       +
             matrix_rtc_livekit_key : data.bitwarden_secret.matrix_rtc_livekit_key.value

     

       84
       +
             matrix_rtc_livekit_secret : data.bitwarden_secret.matrix_rtc_livekit_secret.value

     

       85
        
           }

     

       86
        
         })

     

       87
        
       

     
···

       96
        
       

     

       97
        
         butane_config = merge(var.fcos_config, {

     

       98
        
           config_files : local.config_files

     

       99
       +
           config_dirs : local.config_dirs,

     

       100
        
         })

     

       101
        
       

     

       102
        
         config_rendered_files = {

     
···

       113
        
       

     

       114
        
       data "ct_config" "fcos_ignition" {

     

       115
        
         content = templatefile("${path.module}/butane/fcos.yml.tftpl", local.butane_config)

     

       116
       +
         strict  = true

     

       117
        
       }

     

       118
        
       

     

       119
        
       resource "proxmox_virtual_environment_vm" "fcos" {

     

       120
       +
         node_name   = "pve"

     

       121
       +
         name        = "fcos"

     

       122
        
         description = "Managed by OpenTofu"

     

       123
        
       

     

       124
        
         lifecycle {

     
···

       221
        
         }

     

       222
        
       

     

       223
        
         provisioner "remote-exec" {

     

       224
       +
           inline     = ["sh /tmp/init.sh"]

     

       225
        
           on_failure = fail

     

       226
        
         }

     

       227
        
       }

     
···

       234
        
         }

     

       235
        
       

     

       236
        
         connection {

     

       237
       +
           type        = "ssh"

     

       238
       +
           user        = "core"

     

       239
        
           private_key = file(pathexpand(var.fcos_config.ssh_private_key_path))

     

       240
       +
           host        = var.fcos_config.ip

     

       241
        
         }

     

       242
        
       

     

       243
        
         // Create directories if not exist

+73 -59

variables.tf

···

       1
        
       variable "bws_access_token" {

     

       2
        
         description = "Bitwarden Secrets CLI access token"

     

       3
       -
         type = string

     

       4
       -
         sensitive = true

     

       5
        
       }

     

       6
        
       

     

       7
        
       variable "proxmox_config" {

     

       8
        
         description = "Proxmox credentials"

     

       9
        
         type = object({

     

       10
       -
           host = string

     

       11
        
           password_secret_id = string

     

       12
        
         })

     

       13
        
       }

     
···

       15
        
       variable "containers_config" {

     

       16
        
         description = "Shared configuration"

     

       17
        
         type = object({

     

       18
       -
           email = string

     

       19
        
           base_domain = string

     

       20
       -
           ews_domain = string

     

       21
        
         })

     

       22
        
       }

     

       23
        
       

     

       24
        
       variable "containers_secret_config" {

     

       25
        
         description = "Quadlet Ssecret"

     

       26
       -
         type = map(string)

     

       27
        
         default = {

     

       28
       -
           traefik_cf_dns_api_token                  = "e9e0f0f0-abc8-4bde-b05f-b292018179bb"

     

       29
       -
           vmauth_traefik_bearer_token               = "fba802cf-948f-4ff7-8965-b29f00e2da48"

     

       30
       -
           vmauth_proxmox_bearer_token               = "bb281df0-e5e8-4348-a92e-b2a300a30117"

     

       31
       -
           oauth2_proxy_cookie_secret                = "289c0832-27c2-463b-97b7-b29200a8cebd"

     

       32
       -
           oauth2_proxy_client_secret                = "afdb8ef2-a3d4-4a17-b839-b29200ab6f87"

     

       33
       -
           pocket_id_maxmind_license_key             = "08c549a4-bf48-4998-8cb0-b29200ac845d"

     

       34
       -
           actual_budget_openid_client_secret        = "5754702b-d9d5-4127-b5ab-b29200abdd6a"

     

       35
       -
           open_webui_secret_key                     = "aeeb7cdd-d10e-41d4-abb4-b33300dabc1a"

     

       36
       -
           open_webui_oauth_client_secret            = "b595040b-a23a-44af-8bff-b29200ad6258"

     

       37
       -
           open_webui_google_drive_api_key           = "d24bf77b-622d-4ef0-88ae-b2b200d67ee1"

     

       38
       -
           open_webui_anthropic_api_key              = "104a349b-a4be-4d3a-9c0b-b2c700e64c9a"

     

       39
       -
           open_webui_google_api_key                 = "3016f3ef-c14c-4f4c-8439-b2c700e62f21"

     

       40
       -
           open_webui_openai_api_key                 = "24fd45e2-0fd3-42cd-8fd5-b2c700e66731"

     

       41
       -
           karakeep_oauth_client_secret              = "784d379b-bcaf-424f-bc77-b29500ff1be6"

     

       42
       -
           karakeep_openai_api_key                   = "98f5ccdf-d4b1-4883-b4e3-b295010ba589"

     

       43
       -
           meili_master_key                          = "a67874c5-95c2-4f7a-b335-b295010010e0"

     

       44
       -
           nextauth_secret                           = "94b4b746-f005-46e0-b60a-b29501010c06"

     

       45
       -
           immich_postgres_password                  = "386f1adc-878f-4755-a06b-b29700b15cd0"

     

       46
       -
           immich_map_key                            = "b5735614-bc05-441d-a2e2-b29800d3b25c"

     

       47
       -
           miniflux_postgres_password                = "1c6a587e-9dda-47de-953a-b29a01697231"

     

       48
       -
           miniflux_database_url                     = "456f8488-cdeb-4246-959d-b29a016be9ac"

     

       49
       -
           miniflux_oauth2_client_secret             = "3bb3cedd-1ee4-4624-b865-b29a016c2318"

     

       50
       -
           pds_jwt_secret                            = "b9dfaefd-3083-4e2f-a23f-b29a017db774"

     

       51
       -
           pds_admin_password                        = "00e810b5-6d8b-4342-8189-b29a017dca5e"

     

       52
       -
           pds_plc_rotation_key_k256_private_key_hex = "e0825e62-8d49-4b4a-99cd-b29a017def90"

     

       53
       -
           pds_email_smtp_url                        = "5a940d99-28cb-4792-9825-b29a017e11ad"

     

       54
       -
           outline_secret_key                        = "501e040c-5574-4058-a0c0-b29d01010c09"

     

       55
       -
           outline_utils_secret                      = "b032948f-bce3-46bb-bd26-b29d01012dde"

     

       56
       -
           outline_database_url                      = "5887f243-6332-4041-8457-b29d0104be2e"

     

       57
       -
           outline_postgres_password                 = "4212e3a7-acd3-4804-ac0e-b29d01015850"

     

       58
       -
           outline_oidc_client_secret                = "9c8cae9a-db6d-45d0-8cc0-b29d0101844c"

     

       59
       -
           outline_smtp_password                     = "5fdbfb32-257e-4cc3-8b07-b29d01063ba6"

     

       60
       -
           grafana_oauth2_client_secret              = "697cf367-a80c-41f6-b975-b2a200a986d8"

     

       61
       -
           glance_github_token                       = "de3353d8-09d9-4063-b513-b2a3008cc2c9"

     

       62
       -
           tangled_knot_server_secret                = "a58caac0-1c07-4152-89e6-b2a900c8fe8f"

     

       63
       -
           forward_info_bot_telegram_token           = "f8eda775-f945-4eb8-b48a-b2b80092cf54"

     

       64
       -
           restic_aws_access_key_id                  = "2743cf63-05ae-45b4-997f-b2c700dfabef"

     

       65
       -
           restic_aws_secret_access_key              = "134279a9-b3ee-4309-ae9e-b2c700dfe86c"

     

       66
       -
           restic_b2_account_id                      = "3e058bd3-e13d-4b6a-9d48-b2c700e00d62"

     

       67
       -
           restic_b2_account_key                     = "ddc2f07b-47ca-49b2-ae41-b2c700e02f01"

     

       68
       -
           restic_password                           = "52ce5eb2-98ae-4243-ba08-b2c700e04b7e"

     

       69
       -
           opencloud_collabora_password              = "bced1168-9741-4b8e-abf4-b2d4000e2c9e"

     

       70
       -
           opencloud_smtp_password                   = "5e0889ac-3b11-4fc4-81ca-b2d400170e85"

     

       71
       -
           simplex_smp_pass                          = "ebc8a3cb-4b85-44d6-b61c-b33800e45456"

     

       72
       -
           simplex_xftp_pass                         = "c6feec9d-2622-4322-acbf-b338013f79e9"

     

       73
       -
           tuwunel-turn-secret                       = "5b69585c-03e8-454f-94e0-b357000002d4"

     

       74
       -
           tuwunel-registration-token                = "92e470e2-c88e-43d3-ae0c-b3570039c4c9"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       75
        
         }

     

       76
        
       }

     

       77
        
       

     
···

       80
        
         type = object({

     

       81
        
           hostname = string

     

       82
        
           ssh_keys = list(string)

     

       83
       -
           root_ca = string

     

       84
        
       

     

       85
        
           mac_address = string

     

       86
       -
           ip = string

     

       87
       -
           gateway = string

     

       88
       -
           mask = string

     

       89
       -
           nameserver = string

     

       90
        
       

     

       91
       -
           truenas_ip = string

     

       92
        
           truenas_iqn = string

     

       93
        
       

     

       94
        
           # To sync configs afterwards

···

       1
        
       variable "bws_access_token" {

     

       2
        
         description = "Bitwarden Secrets CLI access token"

     

       3
       +
         type        = string

     

       4
       +
         sensitive   = true

     

       5
        
       }

     

       6
        
       

     

       7
        
       variable "proxmox_config" {

     

       8
        
         description = "Proxmox credentials"

     

       9
        
         type = object({

     

       10
       +
           host               = string

     

       11
        
           password_secret_id = string

     

       12
        
         })

     

       13
        
       }

     
···

       15
        
       variable "containers_config" {

     

       16
        
         description = "Shared configuration"

     

       17
        
         type = object({

     

       18
       +
           email       = string

     

       19
        
           base_domain = string

     

       20
       +
           ews_domain  = string

     

       21
        
         })

     

       22
        
       }

     

       23
        
       

     

       24
        
       variable "containers_secret_config" {

     

       25
        
         description = "Quadlet Ssecret"

     

       26
       +
         type        = map(string)

     

       27
        
         default = {

     

       28
       +
           traefik_cf_dns_api_token                            = "e9e0f0f0-abc8-4bde-b05f-b292018179bb"

     

       29
       +
           vmauth_traefik_bearer_token                         = "fba802cf-948f-4ff7-8965-b29f00e2da48"

     

       30
       +
           vmauth_proxmox_bearer_token                         = "bb281df0-e5e8-4348-a92e-b2a300a30117"

     

       31
       +
           oauth2_proxy_cookie_secret                          = "289c0832-27c2-463b-97b7-b29200a8cebd"

     

       32
       +
           oauth2_proxy_client_secret                          = "afdb8ef2-a3d4-4a17-b839-b29200ab6f87"

     

       33
       +
           pocket_id_maxmind_license_key                       = "08c549a4-bf48-4998-8cb0-b29200ac845d"

     

       34
       +
           actual_budget_openid_client_secret                  = "5754702b-d9d5-4127-b5ab-b29200abdd6a"

     

       35
       +
           open_webui_secret_key                               = "aeeb7cdd-d10e-41d4-abb4-b33300dabc1a"

     

       36
       +
           open_webui_oauth_client_secret                      = "b595040b-a23a-44af-8bff-b29200ad6258"

     

       37
       +
           open_webui_google_drive_api_key                     = "d24bf77b-622d-4ef0-88ae-b2b200d67ee1"

     

       38
       +
           open_webui_anthropic_api_key                        = "104a349b-a4be-4d3a-9c0b-b2c700e64c9a"

     

       39
       +
           open_webui_google_api_key                           = "3016f3ef-c14c-4f4c-8439-b2c700e62f21"

     

       40
       +
           open_webui_openai_api_key                           = "24fd45e2-0fd3-42cd-8fd5-b2c700e66731"

     

       41
       +
           karakeep_oauth_client_secret                        = "784d379b-bcaf-424f-bc77-b29500ff1be6"

     

       42
       +
           karakeep_openai_api_key                             = "98f5ccdf-d4b1-4883-b4e3-b295010ba589"

     

       43
       +
           meili_master_key                                    = "a67874c5-95c2-4f7a-b335-b295010010e0"

     

       44
       +
           nextauth_secret                                     = "94b4b746-f005-46e0-b60a-b29501010c06"

     

       45
       +
           immich_postgres_password                            = "386f1adc-878f-4755-a06b-b29700b15cd0"

     

       46
       +
           immich_map_key                                      = "b5735614-bc05-441d-a2e2-b29800d3b25c"

     

       47
       +
           miniflux_postgres_password                          = "1c6a587e-9dda-47de-953a-b29a01697231"

     

       48
       +
           miniflux_database_url                               = "456f8488-cdeb-4246-959d-b29a016be9ac"

     

       49
       +
           miniflux_oauth2_client_secret                       = "3bb3cedd-1ee4-4624-b865-b29a016c2318"

     

       50
       +
           pds_jwt_secret                                      = "b9dfaefd-3083-4e2f-a23f-b29a017db774"

     

       51
       +
           pds_admin_password                                  = "00e810b5-6d8b-4342-8189-b29a017dca5e"

     

       52
       +
           pds_plc_rotation_key_k256_private_key_hex           = "e0825e62-8d49-4b4a-99cd-b29a017def90"

     

       53
       +
           pds_email_smtp_url                                  = "5a940d99-28cb-4792-9825-b29a017e11ad"

     

       54
       +
           outline_secret_key                                  = "501e040c-5574-4058-a0c0-b29d01010c09"

     

       55
       +
           outline_utils_secret                                = "b032948f-bce3-46bb-bd26-b29d01012dde"

     

       56
       +
           outline_database_url                                = "5887f243-6332-4041-8457-b29d0104be2e"

     

       57
       +
           outline_postgres_password                           = "4212e3a7-acd3-4804-ac0e-b29d01015850"

     

       58
       +
           outline_oidc_client_secret                          = "9c8cae9a-db6d-45d0-8cc0-b29d0101844c"

     

       59
       +
           outline_smtp_password                               = "5fdbfb32-257e-4cc3-8b07-b29d01063ba6"

     

       60
       +
           grafana_oauth2_client_secret                        = "697cf367-a80c-41f6-b975-b2a200a986d8"

     

       61
       +
           glance_github_token                                 = "de3353d8-09d9-4063-b513-b2a3008cc2c9"

     

       62
       +
           tangled_knot_server_secret                          = "a58caac0-1c07-4152-89e6-b2a900c8fe8f"

     

       63
       +
           forward_info_bot_telegram_token                     = "f8eda775-f945-4eb8-b48a-b2b80092cf54"

     

       64
       +
           restic_aws_access_key_id                            = "2743cf63-05ae-45b4-997f-b2c700dfabef"

     

       65
       +
           restic_aws_secret_access_key                        = "134279a9-b3ee-4309-ae9e-b2c700dfe86c"

     

       66
       +
           restic_b2_account_id                                = "3e058bd3-e13d-4b6a-9d48-b2c700e00d62"

     

       67
       +
           restic_b2_account_key                               = "ddc2f07b-47ca-49b2-ae41-b2c700e02f01"

     

       68
       +
           restic_password                                     = "52ce5eb2-98ae-4243-ba08-b2c700e04b7e"

     

       69
       +
           opencloud_collabora_password                        = "bced1168-9741-4b8e-abf4-b2d4000e2c9e"

     

       70
       +
           opencloud_smtp_password                             = "5e0889ac-3b11-4fc4-81ca-b2d400170e85"

     

       71
       +
           simplex_smp_pass                                    = "ebc8a3cb-4b85-44d6-b61c-b33800e45456"

     

       72
       +
           simplex_xftp_pass                                   = "c6feec9d-2622-4322-acbf-b338013f79e9"

     

       73
       +
           tuwunel_registration_token                          = "92e470e2-c88e-43d3-ae0c-b3570039c4c9"

     

       74
       +
           coturn_turn_shared_secret                           = "5b69585c-03e8-454f-94e0-b357000002d4"

     

       75
       +
           synapse_postgres_password                           = "2209bd8d-f6a7-43e0-afa8-b37a00bbfd2c"

     

       76
       +
           synapse_registration_shared_secret                  = "9dab9863-5dac-4748-a1fc-b37a0145f7f1"

     

       77
       +
           synapse_macaroon_secret_key                         = "cfa20ae3-8103-46be-a129-b37a014627aa"

     

       78
       +
           synapse_form_secret                                 = "c11840ef-11f0-40c7-a08e-b37a0146564f"

     

       79
       +
           synapse_oidc_client_secret                          = "6e0f179f-631c-480c-b9ec-b37a0146e95c"

     

       80
       +
           matrix_rtc_livekit_key                              = "5c336187-6139-413b-bbf1-b37a01588b03"

     

       81
       +
           matrix_rtc_livekit_secret                           = "a24e0995-d297-4c23-849f-b37a0158a5d4"

     

       82
       +
           matrix_authentication_service_secret                = "bcaa7f79-c9fc-4448-9c79-b37a016954f5"

     

       83
       +
           matrix_authentication_service_secrets_encryption    = "012d8da3-3f7c-471a-b9cb-b37b0001dc1b"

     

       84
       +
           matrix_authentication_service_secrets_rsa_key       = "c2c1d0d3-1c80-4c36-961e-b37b000049ca"

     

       85
       +
           matrix_authentication_service_secrets_p256_key      = "8a19b557-c518-43f7-90a8-b37b0000b7c6"

     

       86
       +
           matrix_authentication_service_secrets_p384_key      = "557701bc-7430-4dc8-98ae-b37b0000e3c1"

     

       87
       +
           matrix_authentication_service_secrets_secp256k1_key = "a6624b6b-1f2c-4883-94dd-b37b00010dc9"

     

       88
       +
           matrix_authentication_service_smtp_password         = "e25452b1-480c-4581-b407-b37b00042943"

     

       89
        
         }

     

       90
        
       }

     

       91
        
       

     
···

       94
        
         type = object({

     

       95
        
           hostname = string

     

       96
        
           ssh_keys = list(string)

     

       97
       +
           root_ca  = string

     

       98
        
       

     

       99
        
           mac_address = string

     

       100
       +
           ip          = string

     

       101
       +
           gateway     = string

     

       102
       +
           mask        = string

     

       103
       +
           nameserver  = string

     

       104
        
       

     

       105
       +
           truenas_ip  = string

     

       106
        
           truenas_iqn = string

     

       107
        
       

     

       108
        
           # To sync configs afterwards