diff --git a/ansible/roles/authentik/handlers/main.yml b/ansible/roles/authentik/handlers/main.yml
deleted file mode 100644
index efff452..0000000
--- a/ansible/roles/authentik/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: restart searxng
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- restarted: true
-
diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml
deleted file mode 100644
index 67dec53..0000000
--- a/ansible/roles/authentik/tasks/main.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Copy settings file to destionation
- template:
- src: settings.yml
- dest: "{{ data_dir }}/{{ role_name }}/settings.yml"
- owner: "{{ docker_user }}"
- become: true
- notify: restart searxng
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/authentik/templates/docker-compose.yml b/ansible/roles/authentik/templates/docker-compose.yml
deleted file mode 100644
index a08bc40..0000000
--- a/ansible/roles/authentik/templates/docker-compose.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- searxng:
- container_name: searxng
- image: searxng/searxng
- restart: unless-stopped
- networks:
- - traefik
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/etc/searxng"
- cap_drop:
- - ALL
- cap_add:
- - CHOWN
- - SETGID
- - SETUID
- labels:
- traefik.enable: true
- traefik.http.routers.searxng.rule: "Host(`search.{{ personal_domain }}`)"
- traefik.http.routers.searxng.middlewares: lan-whitelist@file
-
- redis:
- image: redis:alpine
- restart: unless-stopped
- command: redis-server --save "" --appendonly "no"
- tmpfs:
- - /var/lib/redis
- cap_drop:
- - ALL
- cap_add:
- - SETGID
- - SETUID
- - DAC_OVERRIDE
diff --git a/ansible/roles/authentik/templates/settings.yml b/ansible/roles/authentik/templates/settings.yml
deleted file mode 100644
index 224149c..0000000
--- a/ansible/roles/authentik/templates/settings.yml
+++ /dev/null
@@ -1,1890 +0,0 @@ -general: - debug: false - instance_name: "DuckDuckNo" - privacypolicy_url: false - donation_url: false - contact_url: false - enable_metrics: true - -brand: - new_issue_url: https://github.com/searxng/searxng/issues/new - docs_url: https://docs.searxng.org/ - public_instances: https://searx.space - wiki_url: https://github.com/searxng/searxng/wiki - issue_url: https://github.com/searxng/searxng/issues - -search: - safe_search: 0 - autocomplete: "qwant" - autocomplete_min: 4 - default_lang: "auto" - ban_time_on_fail: 5 - max_ban_time_on_fail: 120 - suspended_times: - # Engine suspension time after error (in seconds; set to 0 to disable) - # For error "Access denied" and "HTTP error [402, 403]" - SearxEngineAccessDenied: 86400 - # For error "CAPTCHA" - SearxEngineCaptcha: 86400 - # For error "Too many request" and "HTTP error 429" - SearxEngineTooManyRequests: 3600 - # Cloudflare CAPTCHA - cf_SearxEngineCaptcha: 1296000 - cf_SearxEngineAccessDenied: 86400 - # ReCAPTCHA - recaptcha_SearxEngineCaptcha: 604800 - - # remove format to deny access, use lower case. - # formats: [html, csv, json, rss] - formats: - - html - -server: - # If you change port, bind_address or base_url don't forget to rebuild - # instance's environment (make buildenv). Is overwritten by ${SEARXNG_PORT} - # and ${SEARXNG_BIND_ADDRESS} - port: 8888 - bind_address: "127.0.0.1" - # public URL of the instance, to ensure correct inbound links. Is overwritten - # by ${SEARXNG_URL}. - base_url: "https://search.{{ personal_domain }}" # "http://example.com/location" - limiter: false # rate limit the number of request on the instance, block some bots - - # If your instance owns a /etc/searxng/settings.yml file, then set the following - # values there. 
- - secret_key: "{{ searxng_secret_key }}" # Is overwritten by ${SEARXNG_SECRET} - # Proxying image results through searx - image_proxy: true - # 1.0 and 1.1 are supported - http_protocol_version: "1.0" - # POST queries are more secure as they don't show up in history but may cause - # problems when using Firefox containers - method: "POST" - default_http_headers: - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - X-Download-Options: noopen - X-Robots-Tag: noindex, nofollow - Referrer-Policy: no-referrer - -redis: - # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}. - # https://redis-py.readthedocs.io/en/stable/connections.html#redis.client.Redis.from_url - url: redis://redis:6379 - -ui: - # Custom static path - leave it blank if you didn't change - static_path: "" - static_use_hash: false - # Custom templates path - leave it blank if you didn't change - templates_path: "" - # query_in_title: When true, the result page's titles contains the query - # it decreases the privacy, since the browser can records the page titles. - query_in_title: false - # infinite_scroll: When true, automatically loads the next page when scrolling to bottom of the current page. - infinite_scroll: false - # ui theme - default_theme: simple - # center the results ? - center_alignment: false - # URL prefix of the internet archive, don't forgett trailing slash (if needed). - # cache_url: "https://webcache.googleusercontent.com/search?q=cache:" - # Default interface locale - leave blank to detect from browser information or - # use codes from the 'locales' config section - default_locale: "" - # Open result links in a new tab by default - # results_on_new_tab: false - theme_args: - # style of simple theme: auto, light, dark - simple_style: auto - -# Lock arbitrary settings on the preferences page. To find the ID of the user -# setting you want to lock, check the ID of the form on the page "preferences". 
-# -# preferences: -# lock: -# - language -# - autocomplete -# - method -# - query_in_title - -# searx supports result proxification using an external service: -# https://github.com/asciimoo/morty uncomment below section if you have running -# morty proxy the key is base64 encoded (keep the !!binary notation) -# Note: since commit af77ec3, morty accepts a base64 encoded key. -# -# result_proxy: -# url: http://127.0.0.1:3000/ -# # the key is a base64 encoded string, the YAML !!binary prefix is optional -# key: !!binary "your_morty_proxy_key" -# # [true|false] enable the "proxy" button next to each result -# proxify_results: true - -# communication with search engines -# -outgoing: - # default timeout in seconds, can be override by engine - request_timeout: 3.0 - # the maximum timeout in seconds - # max_request_timeout: 10.0 - # suffix of searx_useragent, could contain information like an email address - # to the administrator - useragent_suffix: "" - # The maximum number of concurrent connections that may be established. - pool_connections: 100 - # Allow the connection pool to maintain keep-alive connections below this - # point. 
- pool_maxsize: 20 - # See https://www.python-httpx.org/http2/ - enable_http2: true - # uncomment below section if you want to use a custom server certificate - # see https://www.python-httpx.org/advanced/#changing-the-verification-defaults - # and https://www.python-httpx.org/compatibility/#ssl-configuration - # verify: ~/.mitmproxy/mitmproxy-ca-cert.cer - # - # uncomment below section if you want to use a proxyq see: SOCKS proxies - # https://2.python-requests.org/en/latest/user/advanced/#proxies - # are also supported: see - # https://2.python-requests.org/en/latest/user/advanced/#socks - # - # proxies: - # all://: - # - http://proxy1:8080 - # - http://proxy2:8080 - # - # using_tor_proxy: true - # - # Extra seconds to add in order to account for the time taken by the proxy - # - # extra_proxy_timeout: 10.0 - # - # uncomment below section only if you have more than one network interface - # which can be the source of outgoing search requests - # - # source_ips: - # - 1.1.1.1 - # - 1.1.1.2 - # - fe80::/126 - -# External plugin configuration, for more details see -# https://docs.searxng.org/dev/plugins.html -# -# plugins: -# - plugin1 -# - plugin2 -# - ... - -# Comment or un-comment plugin to activate / deactivate by default. -# -# enabled_plugins: -# # these plugins are enabled if nothing is configured .. -# - 'Hash plugin' -# - 'Search on category select' -# - 'Self Information' -# - 'Tracker URL remover' -# - 'Ahmia blacklist' # activation depends on outgoing.using_tor_proxy -# # these plugins are disabled if nothing is configured .. -# - 'Hostname replace' # see hostname_replace configuration below -# - 'Open Access DOI rewrite' -# - 'Vim-like hotkeys' -# - 'Tor check plugin' -# # Read the docs before activate: auto-detection of the language could be -# # detrimental to users expectations / users can activate the plugin in the -# # preferences if they want. 
-# - 'Autodetect search language' - -# Configuration of the "Hostname replace" plugin: -# -# hostname_replace: -# '(.*\.)?youtube\.com$': 'invidious.example.com' -# '(.*\.)?youtu\.be$': 'invidious.example.com' -# '(.*\.)?youtube-noocookie\.com$': 'yotter.example.com' -# '(.*\.)?reddit\.com$': 'teddit.example.com' -# '(.*\.)?redd\.it$': 'teddit.example.com' -# '(www\.)?twitter\.com$': 'nitter.example.com' -# # to remove matching host names from result list, set value to false -# 'spam\.example\.com': false - -checker: - # disable checker when in debug mode - off_when_debug: true - - # use "scheduling: false" to disable scheduling - # scheduling: interval or int - - # to activate the scheduler: - # * uncomment "scheduling" section - # * add "cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1" - # to your uwsgi.ini - - # scheduling: - # start_after: [300, 1800] # delay to start the first run of the checker - # every: [86400, 90000] # how often the checker runs - - # additional tests: only for the YAML anchors (see the engines section) - # - additional_tests: - rosebud: &test_rosebud - matrix: - query: rosebud - lang: en - result_container: - - not_empty - - ['one_title_contains', 'citizen kane'] - test: - - unique_results - - android: &test_android - matrix: - query: ['android'] - lang: ['en', 'de', 'fr', 'zh-CN'] - result_container: - - not_empty - - ['one_title_contains', 'google'] - test: - - unique_results - - # tests: only for the YAML anchors (see the engines section) - tests: - infobox: &tests_infobox - infobox: - matrix: - query: ["linux", "new york", "bbc"] - result_container: - - has_infobox - -categories_as_tabs: - general: - images: - videos: - news: - map: - music: - it: - science: - files: - social media: - -engines: - - name: 9gag - engine: 9gag - shortcut: 9g - disabled: true - - - name: apk mirror - engine: apkmirror - timeout: 4.0 - shortcut: apkm - disabled: true - - - name: apple app store - engine: apple_app_store - 
shortcut: aps - disabled: true - - # Requires Tor - - name: ahmia - engine: ahmia - categories: onions - enable_http: true - shortcut: ah - - - name: arch linux wiki - engine: archlinux - shortcut: al - - - name: archive is - engine: xpath - search_url: https://archive.is/search/?q={query} - url_xpath: (//div[@class="TEXT-BLOCK"]/a)/@href - title_xpath: (//div[@class="TEXT-BLOCK"]/a) - content_xpath: //div[@class="TEXT-BLOCK"]/ul/li - categories: general - timeout: 7.0 - disabled: true - shortcut: ai - soft_max_redirects: 1 - about: - website: https://archive.is/ - wikidata_id: Q13515725 - official_api_documentation: https://mementoweb.org/depot/native/archiveis/ - use_official_api: false - require_api_key: false - results: HTML - - - name: artic - engine: artic - shortcut: arc - timeout: 4.0 - - - name: arxiv - engine: arxiv - shortcut: arx - timeout: 4.0 - - # tmp suspended: dh key too small - # - name: base - # engine: base - # shortcut: bs - - - name: bandcamp - engine: bandcamp - shortcut: bc - categories: music - - - name: wikipedia - engine: wikipedia - shortcut: wp - base_url: 'https://{language}.wikipedia.org/' - - - name: bing - engine: bing - shortcut: bi - disabled: true - - - name: bing images - engine: bing_images - shortcut: bii - - - name: bing news - engine: bing_news - shortcut: bin - - - name: bing videos - engine: bing_videos - shortcut: biv - - - name: bitbucket - engine: xpath - paging: true - search_url: https://bitbucket.org/repo/all/{pageno}?name={query} - url_xpath: //article[@class="repo-summary"]//a[@class="repo-link"]/@href - title_xpath: //article[@class="repo-summary"]//a[@class="repo-link"] - content_xpath: //article[@class="repo-summary"]/p - categories: [it, repos] - timeout: 4.0 - disabled: true - shortcut: bb - about: - website: https://bitbucket.org/ - wikidata_id: Q2493781 - official_api_documentation: https://developer.atlassian.com/bitbucket - use_official_api: false - require_api_key: false - results: HTML - - - name: btdigg 
- engine: btdigg - shortcut: bt - - - name: ccc-tv - engine: xpath - paging: false - search_url: https://media.ccc.de/search/?q={query} - url_xpath: //div[@class="caption"]/h3/a/@href - title_xpath: //div[@class="caption"]/h3/a/text() - content_xpath: //div[@class="caption"]/h4/@title - categories: videos - disabled: true - shortcut: c3tv - about: - website: https://media.ccc.de/ - wikidata_id: Q80729951 - official_api_documentation: https://github.com/voc/voctoweb - use_official_api: false - require_api_key: false - results: HTML - # We don't set language: de here because media.ccc.de is not just - # for a German audience. It contains many English videos and many - # German videos have English subtitles. - - - name: openverse - engine: openverse - categories: images - shortcut: opv - - # - name: core.ac.uk - # engine: core - # categories: science - # shortcut: cor - # # get your API key from: https://core.ac.uk/api-keys/register/ - # api_key: 'unset' - - - name: crossref - engine: crossref - shortcut: cr - timeout: 30 - disabled: true - - - name: yep - engine: json_engine - shortcut: yep - categories: general - disabled: true - paging: false - content_html_to_text: true - title_html_to_text: true - search_url: https://api.yep.com/fs/1/?type=web&q={query}&no_correct=false&limit=100 - results_query: 1/results - title_query: title - url_query: url - content_query: snippet - about: - website: https://yep.com - use_official_api: false - require_api_key: false - results: JSON - - - name: curlie - engine: xpath - shortcut: cl - categories: general - disabled: true - paging: true - lang_all: '' - search_url: https://curlie.org/search?q={query}&lang={lang}&start={pageno}&stime=92452189 - page_size: 20 - results_xpath: //div[@id="site-list-content"]/div[@class="site-item"] - url_xpath: ./div[@class="title-and-desc"]/a/@href - title_xpath: ./div[@class="title-and-desc"]/a/div - content_xpath: ./div[@class="title-and-desc"]/div[@class="site-descr"] - about: - website: 
https://curlie.org/ - wikidata_id: Q60715723 - use_official_api: false - require_api_key: false - results: HTML - - - name: currency - engine: currency_convert - categories: general - shortcut: cc - - - name: deezer - engine: deezer - shortcut: dz - disabled: true - - - name: deviantart - engine: deviantart - shortcut: da - timeout: 3.0 - - - name: ddg definitions - engine: duckduckgo_definitions - shortcut: ddd - weight: 2 - disabled: true - tests: *tests_infobox - - # cloudflare protected - # - name: digbt - # engine: digbt - # shortcut: dbt - # timeout: 6.0 - # disabled: true - - - name: docker hub - engine: docker_hub - shortcut: dh - categories: [it, packages] - - - name: erowid - engine: xpath - paging: true - first_page_num: 0 - page_size: 30 - search_url: https://www.erowid.org/search.php?q={query}&s={pageno} - url_xpath: //dl[@class="results-list"]/dt[@class="result-title"]/a/@href - title_xpath: //dl[@class="results-list"]/dt[@class="result-title"]/a/text() - content_xpath: //dl[@class="results-list"]/dd[@class="result-details"] - categories: [] - shortcut: ew - disabled: true - about: - website: https://www.erowid.org/ - wikidata_id: Q1430691 - official_api_documentation: - use_official_api: false - require_api_key: false - results: HTML - - # - name: elasticsearch - # shortcut: es - # engine: elasticsearch - # base_url: http://localhost:9200 - # username: elastic - # password: changeme - # index: my-index - # # available options: match, simple_query_string, term, terms, custom - # query_type: match - # # if query_type is set to custom, provide your query here - # #custom_query_json: {"query":{"match_all": {}}} - # #show_metadata: false - # disabled: true - - - name: wikidata - engine: wikidata - shortcut: wd - timeout: 3.0 - weight: 2 - tests: *tests_infobox - - - name: duckduckgo - engine: duckduckgo - shortcut: ddg - - - name: duckduckgo images - engine: duckduckgo_images - shortcut: ddi - timeout: 3.0 - disabled: true - - - name: duckduckgo weather - 
engine: duckduckgo_weather - shortcut: ddw - disabled: true - - - name: apple maps - engine: apple_maps - shortcut: apm - disabled: true - timeout: 5.0 - - - name: emojipedia - engine: emojipedia - timeout: 4.0 - shortcut: em - disabled: true - - - name: tineye - engine: tineye - shortcut: tin - timeout: 9.0 - disabled: true - - - name: etymonline - engine: xpath - paging: true - search_url: https://etymonline.com/search?page={pageno}&q={query} - url_xpath: //a[contains(@class, "word__name--")]/@href - title_xpath: //a[contains(@class, "word__name--")] - content_xpath: //section[contains(@class, "word__defination")] - first_page_num: 1 - shortcut: et - categories: [dictionaries] - disabled: false - about: - website: https://www.etymonline.com/ - wikidata_id: Q1188617 - official_api_documentation: - use_official_api: false - require_api_key: false - results: HTML - - # - name: ebay - # engine: ebay - # shortcut: eb - # base_url: 'https://www.ebay.com' - # disabled: true - # timeout: 5 - - - name: 1x - engine: www1x - shortcut: 1x - timeout: 3.0 - disabled: true - - - name: fdroid - engine: fdroid - shortcut: fd - disabled: true - - - name: flickr - categories: images - shortcut: fl - # You can use the engine using the official stable API, but you need an API - # key, see: https://www.flickr.com/services/apps/create/ - # engine: flickr - # api_key: 'apikey' # required! 
- # Or you can use the html non-stable engine, activated by default - engine: flickr_noapi - - - name: free software directory - engine: mediawiki - shortcut: fsd - categories: [it, software wikis] - base_url: https://directory.fsf.org/ - number_of_results: 5 - # what part of a page matches the query string: title, text, nearmatch - # * title - query matches title - # * text - query matches the text of page - # * nearmatch - nearmatch in title - search_type: title - timeout: 5.0 - disabled: true - about: - website: https://directory.fsf.org/ - wikidata_id: Q2470288 - - # - name: freesound - # engine: freesound - # shortcut: fnd - # disabled: true - # timeout: 15.0 - # API key required, see: https://freesound.org/docs/api/overview.html - # api_key: MyAPIkey - - - name: frinkiac - engine: frinkiac - shortcut: frk - disabled: true - - - name: genius - engine: genius - shortcut: gen - - - name: gentoo - engine: gentoo - shortcut: ge - timeout: 10.0 - - - name: gitlab - engine: json_engine - paging: true - search_url: https://gitlab.com/api/v4/projects?search={query}&page={pageno} - url_query: web_url - title_query: name_with_namespace - content_query: description - page_size: 20 - categories: [it, repos] - shortcut: gl - timeout: 10.0 - disabled: true - about: - website: https://about.gitlab.com/ - wikidata_id: Q16639197 - official_api_documentation: https://docs.gitlab.com/ee/api/ - use_official_api: false - require_api_key: false - results: JSON - - - name: github - engine: github - shortcut: gh - - # This a Gitea service. If you would like to use a different instance, - # change codeberg.org to URL of the desired Gitea host. Or you can create a - # new engine by copying this and changing the name, shortcut and search_url. 
- - - name: codeberg - engine: json_engine - search_url: https://codeberg.org/api/v1/repos/search?q={query}&limit=10 - url_query: html_url - title_query: name - content_query: description - categories: [it, repos] - shortcut: cb - disabled: true - about: - website: https://codeberg.org/ - wikidata_id: - official_api_documentation: https://try.gitea.io/api/swagger - use_official_api: false - require_api_key: false - results: JSON - - - name: google - engine: google - shortcut: go - # additional_tests: - # android: *test_android - - - name: google images - engine: google_images - shortcut: goi - # additional_tests: - # android: *test_android - # dali: - # matrix: - # query: ['Dali Christ'] - # lang: ['en', 'de', 'fr', 'zh-CN'] - # result_container: - # - ['one_title_contains', 'Salvador'] - - - name: google news - engine: google_news - shortcut: gon - # additional_tests: - # android: *test_android - - - name: google videos - engine: google_videos - shortcut: gov - # additional_tests: - # android: *test_android - - - name: google scholar - engine: google_scholar - shortcut: gos - - - name: google play apps - engine: google_play - categories: [files, apps] - shortcut: gpa - play_categ: apps - disabled: true - - - name: google play movies - engine: google_play - categories: videos - shortcut: gpm - play_categ: movies - disabled: true - - - name: gpodder - engine: json_engine - shortcut: gpod - timeout: 4.0 - paging: false - search_url: https://gpodder.net/search.json?q={query} - url_query: url - title_query: title - content_query: description - page_size: 19 - categories: music - disabled: true - about: - website: https://gpodder.net - wikidata_id: Q3093354 - official_api_documentation: https://gpoddernet.readthedocs.io/en/latest/api/ - use_official_api: false - requires_api_key: false - results: JSON - - - name: habrahabr - engine: xpath - paging: true - search_url: https://habrahabr.ru/search/page{pageno}/?q={query} - url_xpath: //article[contains(@class, 
"post")]//a[@class="post__title_link"]/@href - title_xpath: //article[contains(@class, "post")]//a[@class="post__title_link"] - content_xpath: //article[contains(@class, "post")]//div[contains(@class, "post__text")] - categories: it - timeout: 4.0 - disabled: true - shortcut: habr - about: - website: https://habr.com/ - wikidata_id: Q4494434 - official_api_documentation: https://habr.com/en/docs/help/api/ - use_official_api: false - require_api_key: false - results: HTML - - - name: hoogle - engine: xpath - paging: true - search_url: https://hoogle.haskell.org/?hoogle={query}&start={pageno} - results_xpath: '//div[@class="result"]' - title_xpath: './/div[@class="ans"]//a' - url_xpath: './/div[@class="ans"]//a/@href' - content_xpath: './/div[@class="from"]' - page_size: 20 - categories: [it, packages] - shortcut: ho - about: - website: https://hoogle.haskell.org/ - wikidata_id: Q34010 - official_api_documentation: https://hackage.haskell.org/api - use_official_api: false - require_api_key: false - results: JSON - - - name: imdb - engine: imdb - shortcut: imdb - timeout: 6.0 - disabled: true - - - name: ina - engine: ina - shortcut: in - timeout: 6.0 - disabled: true - - - name: invidious - engine: invidious - # Instanes will be selected randomly, see https://api.invidious.io/ for - # instances that are stable (good uptime) and close to you. 
- base_url: - - https://invidious.snopyta.org - - https://vid.puffyan.us - # - https://invidious.kavin.rocks # Error 1020 // Access denied by Cloudflare - - https://invidio.xamh.de - - https://inv.riverside.rocks - shortcut: iv - timeout: 3.0 - disabled: true - - - name: jisho - engine: jisho - shortcut: js - timeout: 3.0 - disabled: true - - - name: kickass - engine: kickass - shortcut: kc - timeout: 4.0 - disabled: true - - - name: library genesis - engine: xpath - search_url: https://libgen.fun/search.php?req={query} - url_xpath: //a[contains(@href,"get.php?md5")]/@href - title_xpath: //a[contains(@href,"book/")]/text()[1] - content_xpath: //td/a[1][contains(@href,"=author")]/text() - categories: files - timeout: 7.0 - disabled: true - shortcut: lg - about: - website: https://libgen.fun/ - wikidata_id: Q22017206 - official_api_documentation: - use_official_api: false - require_api_key: false - results: HTML - - # Disabling zlibrary due to z-lib.org domain seizure - # https://github.com/searxng/searxng/pull/1937 - # - # - name: z-library - # engine: zlibrary - # shortcut: zlib - # categories: files - # timeout: 3.0 - # # choose base_url, otherwise engine will do it at initialization time - # # base_url: https://b-ok.cc - # # base_url: https://de1lib.org - # # base_url: https://booksc.eu # does not have cover preview - # # base_url: https://booksc.org # does not have cover preview - - - name: library of congress - engine: loc - shortcut: loc - categories: images - - - name: lingva - engine: lingva - shortcut: lv - # set lingva instance in url, by default it will use the official instance - # url: https://lingva.ml - - - name: lobste.rs - engine: xpath - search_url: https://lobste.rs/search?utf8=%E2%9C%93&q={query}&what=stories&order=relevance - results_xpath: //li[contains(@class, "story")] - url_xpath: .//a[@class="u-url"]/@href - title_xpath: .//a[@class="u-url"] - content_xpath: .//a[@class="domain"] - categories: it - shortcut: lo - timeout: 5.0 - disabled: 
true - about: - website: https://lobste.rs/ - wikidata_id: Q60762874 - official_api_documentation: - use_official_api: false - require_api_key: false - results: HTML - - - name: azlyrics - shortcut: lyrics - engine: xpath - timeout: 4.0 - disabled: true - categories: [music, lyrics] - paging: true - search_url: https://search.azlyrics.com/search.php?q={query}&w=lyrics&p={pageno} - url_xpath: //td[@class="text-left visitedlyr"]/a/@href - title_xpath: //span/b/text() - content_xpath: //td[@class="text-left visitedlyr"]/a/small - about: - website: https://azlyrics.com - wikidata_id: Q66372542 - official_api_documentation: - use_official_api: false - require_api_key: false - results: HTML - - - name: metacpan - engine: metacpan - shortcut: cpan - disabled: true - number_of_results: 20 - - # - name: meilisearch - # engine: meilisearch - # shortcut: mes - # enable_http: true - # base_url: http://localhost:7700 - # index: my-index - - - name: mixcloud - engine: mixcloud - shortcut: mc - - # MongoDB engine - # Required dependency: pymongo - # - name: mymongo - # engine: mongodb - # shortcut: md - # exact_match_only: false - # host: '127.0.0.1' - # port: 27017 - # enable_http: true - # results_per_page: 20 - # database: 'business' - # collection: 'reviews' # name of the db collection - # key: 'name' # key in the collection to search for - - - name: npm - engine: json_engine - paging: true - first_page_num: 0 - search_url: https://api.npms.io/v2/search?q={query}&size=25&from={pageno} - results_query: results - url_query: package/links/npm - title_query: package/name - content_query: package/description - page_size: 25 - categories: [it, packages] - disabled: true - timeout: 5.0 - shortcut: npm - about: - website: https://npms.io/ - wikidata_id: Q7067518 - official_api_documentation: https://api-docs.npms.io/ - use_official_api: false - require_api_key: false - results: JSON - - - name: nyaa - engine: nyaa - shortcut: nt - disabled: true - - - name: mankier - engine: 
json_engine - search_url: https://www.mankier.com/api/v2/mans/?q={query} - results_query: results - url_query: url - title_query: name - content_query: description - categories: it - shortcut: man - about: - website: https://www.mankier.com/ - official_api_documentation: https://www.mankier.com/api - use_official_api: true - require_api_key: false - results: JSON - - - name: openairedatasets - engine: json_engine - paging: true - search_url: https://api.openaire.eu/search/datasets?format=json&page={pageno}&size=10&title={query} - results_query: response/results/result - url_query: metadata/oaf:entity/oaf:result/children/instance/webresource/url/$ - title_query: metadata/oaf:entity/oaf:result/title/$ - content_query: metadata/oaf:entity/oaf:result/description/$ - content_html_to_text: true - categories: "science" - shortcut: oad - timeout: 5.0 - about: - website: https://www.openaire.eu/ - wikidata_id: Q25106053 - official_api_documentation: https://api.openaire.eu/ - use_official_api: false - require_api_key: false - results: JSON - - - name: openairepublications - engine: json_engine - paging: true - search_url: https://api.openaire.eu/search/publications?format=json&page={pageno}&size=10&title={query} - results_query: response/results/result - url_query: metadata/oaf:entity/oaf:result/children/instance/webresource/url/$ - title_query: metadata/oaf:entity/oaf:result/title/$ - content_query: metadata/oaf:entity/oaf:result/description/$ - content_html_to_text: true - categories: science - shortcut: oap - timeout: 5.0 - about: - website: https://www.openaire.eu/ - wikidata_id: Q25106053 - official_api_documentation: https://api.openaire.eu/ - use_official_api: false - require_api_key: false - results: JSON - - # - name: opensemanticsearch - # engine: opensemantic - # shortcut: oss - # base_url: 'http://localhost:8983/solr/opensemanticsearch/' - - - name: openstreetmap - engine: openstreetmap - shortcut: osm - - - name: openrepos - engine: xpath - paging: true - 
search_url: https://openrepos.net/search/node/{query}?page={pageno} - url_xpath: //li[@class="search-result"]//h3[@class="title"]/a/@href - title_xpath: //li[@class="search-result"]//h3[@class="title"]/a - content_xpath: //li[@class="search-result"]//div[@class="search-snippet-info"]//p[@class="search-snippet"] - categories: files - timeout: 4.0 - disabled: true - shortcut: or - about: - website: https://openrepos.net/ - wikidata_id: - official_api_documentation: - use_official_api: false - require_api_key: false - results: HTML - - - name: packagist - engine: json_engine - paging: true - search_url: https://packagist.org/search.json?q={query}&page={pageno} - results_query: results - url_query: url - title_query: name - content_query: description - categories: [it, packages] - disabled: true - timeout: 5.0 - shortcut: pack - about: - website: https://packagist.org - wikidata_id: Q108311377 - official_api_documentation: https://packagist.org/apidoc - use_official_api: true - require_api_key: false - results: JSON - - - name: pdbe - engine: pdbe - shortcut: pdb - # Hide obsolete PDB entries. 
Default is not to hide obsolete structures - # hide_obsolete: false - - - name: photon - engine: photon - shortcut: ph - - - name: piratebay - engine: piratebay - shortcut: tpb - # You may need to change this URL to a proxy if piratebay is blocked in your - # country - url: https://thepiratebay.org/ - timeout: 3.0 - - # Required dependency: psychopg2 - # - name: postgresql - # engine: postgresql - # database: postgres - # username: postgres - # password: postgres - # limit: 10 - # query_str: 'SELECT * from my_table WHERE my_column = %(query)s' - # shortcut : psql - - - name: pub.dev - engine: xpath - shortcut: pd - search_url: https://pub.dev/packages?q={query}&page={pageno} - paging: true - results_xpath: /html/body/main/div/div[@class="search-results"]/div[@class="packages"]/div - url_xpath: ./div/h3/a/@href - title_xpath: ./div/h3/a - content_xpath: ./p[@class="packages-description"] - categories: [packages, it] - timeout: 3.0 - disabled: true - first_page_num: 1 - about: - website: https://pub.dev/ - official_api_documentation: https://pub.dev/help/api - use_official_api: false - require_api_key: false - results: HTML - - - name: pubmed - engine: pubmed - shortcut: pub - timeout: 3.0 - - - name: pypi - shortcut: pypi - engine: xpath - paging: true - search_url: https://pypi.org/search?q={query}&page={pageno} - results_xpath: /html/body/main/div/div/div/form/div/ul/li/a[@class="package-snippet"] - url_xpath: ./@href - title_xpath: ./h3/span[@class="package-snippet__name"] - content_xpath: ./p - suggestion_xpath: /html/body/main/div/div/div/form/div/div[@class="callout-block"]/p/span/a[@class="link"] - first_page_num: 1 - categories: [it, packages] - about: - website: https://pypi.org - wikidata_id: Q2984686 - official_api_documentation: https://warehouse.readthedocs.io/api-reference/index.html - use_official_api: false - require_api_key: false - results: HTML - - - name: qwant - qwant_categ: web - engine: qwant - shortcut: qw - categories: [general, web] - 
disabled: false - additional_tests: - rosebud: *test_rosebud - - - name: qwant news - qwant_categ: news - engine: qwant - shortcut: qwn - categories: news - disabled: false - network: qwant - - - name: qwant images - qwant_categ: images - engine: qwant - shortcut: qwi - categories: [images, web] - disabled: false - network: qwant - - - name: qwant videos - qwant_categ: videos - engine: qwant - shortcut: qwv - categories: [videos, web] - disabled: false - network: qwant - - # - name: library - # engine: recoll - # shortcut: lib - # base_url: 'https://recoll.example.org/' - # search_dir: '' - # mount_prefix: /export - # dl_prefix: 'https://download.example.org' - # timeout: 30.0 - # categories: files - # disabled: true - - # - name: recoll library reference - # engine: recoll - # base_url: 'https://recoll.example.org/' - # search_dir: reference - # mount_prefix: /export - # dl_prefix: 'https://download.example.org' - # shortcut: libr - # timeout: 30.0 - # categories: files - # disabled: true - - - name: reddit - engine: reddit - shortcut: re - page_size: 25 - - # Required dependency: redis - # - name: myredis - # shortcut : rds - # engine: redis_server - # exact_match_only: false - # host: '127.0.0.1' - # port: 6379 - # enable_http: true - # password: '' - # db: 0 - - # tmp suspended: bad certificate - # - name: scanr structures - # shortcut: scs - # engine: scanr_structures - # disabled: true - - - name: sepiasearch - engine: sepiasearch - shortcut: sep - - - name: soundcloud - engine: soundcloud - shortcut: sc - - - name: stackoverflow - engine: stackexchange - shortcut: st - api_site: 'stackoverflow' - categories: [it, q&a] - - - name: askubuntu - engine: stackexchange - shortcut: ubuntu - api_site: 'askubuntu' - categories: [it, q&a] - - - name: superuser - engine: stackexchange - shortcut: su - api_site: 'superuser' - categories: [it, q&a] - - - name: searchcode code - engine: searchcode_code - shortcut: scc - disabled: true - - - name: framalibre - engine: 
framalibre - shortcut: frl - disabled: true - - # - name: searx - # engine: searx_engine - # shortcut: se - # instance_urls : - # - http://127.0.0.1:8888/ - # - ... - # disabled: true - - - name: semantic scholar - engine: semantic_scholar - disabled: true - shortcut: se - - # Spotify needs API credentials - # - name: spotify - # engine: spotify - # shortcut: stf - # api_client_id: ******* - # api_client_secret: ******* - - # - name: solr - # engine: solr - # shortcut: slr - # base_url: http://localhost:8983 - # collection: collection_name - # sort: '' # sorting: asc or desc - # field_list: '' # comma separated list of field names to display on the UI - # default_fields: '' # default field to query - # query_fields: '' # query fields - # enable_http: true - - # - name: springer nature - # engine: springer - # # get your API key from: https://dev.springernature.com/signup - # # working API key, for test & debug: "a69685087d07eca9f13db62f65b8f601" - # api_key: 'unset' - # shortcut: springer - # timeout: 15.0 - - - name: startpage - engine: startpage - shortcut: sp - timeout: 6.0 - disabled: true - additional_tests: - rosebud: *test_rosebud - - - name: tokyotoshokan - engine: tokyotoshokan - shortcut: tt - timeout: 6.0 - disabled: true - - - name: solidtorrents - engine: solidtorrents - shortcut: solid - timeout: 4.0 - disabled: false - base_url: - - https://solidtorrents.net - - https://solidtorrents.eu - - https://solidtorrents.to - - https://bitsearch.to - - # For this demo of the sqlite engine download: - # https://liste.mediathekview.de/filmliste-v2.db.bz2 - # and unpack into searx/data/filmliste-v2.db - # Query to test: "!demo concert" - # - # - name: demo - # engine: sqlite - # shortcut: demo - # categories: general - # result_template: default.html - # database: searx/data/filmliste-v2.db - # query_str: >- - # SELECT title || ' (' || time(duration, 'unixepoch') || ')' AS title, - # COALESCE( NULLIF(url_video_hd,''), NULLIF(url_video_sd,''), url_video) AS url, 
- # description AS content - # FROM film - # WHERE title LIKE :wildcard OR description LIKE :wildcard - # ORDER BY duration DESC - # disabled: false - - # Requires Tor - - name: torch - engine: xpath - paging: true - search_url: - http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5aygthi7d6rplyvk3noyd.onion/cgi-bin/omega/omega?P={query}&DEFAULTOP=and - results_xpath: //table//tr - url_xpath: ./td[2]/a - title_xpath: ./td[2]/b - content_xpath: ./td[2]/small - categories: onions - enable_http: true - shortcut: tch - - # torznab engine lets you query any torznab compatible indexer. Using this - # engine in combination with Jackett (https://github.com/Jackett/Jackett) - # opens the possibility to query a lot of public and private indexers directly - # from SearXNG. - # - name: torznab - # engine: torznab - # shortcut: trz - # base_url: http://localhost:9117/api/v2.0/indexers/all/results/torznab - # enable_http: true # if using localhost - # api_key: xxxxxxxxxxxxxxx - # # https://github.com/Jackett/Jackett/wiki/Jackett-Categories - # torznab_categories: # optional - # - 2000 - # - 5000 - - - name: twitter - shortcut: tw - engine: twitter - disabled: true - - # maybe in a fun category - # - name: uncyclopedia - # engine: mediawiki - # shortcut: unc - # base_url: https://uncyclopedia.wikia.com/ - # number_of_results: 5 - - # tmp suspended - too slow, too many errors - # - name: urbandictionary - # engine : xpath - # search_url : https://www.urbandictionary.com/define.php?term={query} - # url_xpath : //*[@class="word"]/@href - # title_xpath : //*[@class="def-header"] - # content_xpath: //*[@class="meaning"] - # shortcut: ud - - - name: unsplash - engine: unsplash - shortcut: us - - - name: yahoo - engine: yahoo - shortcut: yh - disabled: true - - - name: yahoo news - engine: yahoo_news - shortcut: yhn - - - name: youtube - shortcut: yt - # You can use the engine using the official stable API, but you need an API - # key See: https://console.developers.google.com/project - # - # 
engine: youtube_api - # api_key: 'apikey' # required! - # - # Or you can use the html non-stable engine, activated by default - engine: youtube_noapi - - - name: dailymotion - engine: dailymotion - shortcut: dm - - - name: vimeo - engine: vimeo - shortcut: vm - - - name: wiby - engine: json_engine - paging: true - search_url: https://wiby.me/json/?q={query}&p={pageno} - url_query: URL - title_query: Title - content_query: Snippet - categories: [general, web] - shortcut: wib - disabled: true - about: - website: https://wiby.me/ - - - name: alexandria - engine: json_engine - shortcut: alx - categories: general - paging: true - search_url: https://api.alexandria.org/?a=1&q={query}&p={pageno} - results_query: results - title_query: title - url_query: url - content_query: snippet - timeout: 1.5 - disabled: true - about: - website: https://alexandria.org/ - official_api_documentation: https://github.com/alexandria-org/alexandria-api/raw/master/README.md - use_official_api: true - require_api_key: false - results: JSON - - - name: wikibooks - engine: mediawiki - shortcut: wb - categories: general - base_url: "https://{language}.wikibooks.org/" - number_of_results: 5 - search_type: text - disabled: true - about: - website: https://www.wikibooks.org/ - wikidata_id: Q367 - - - name: wikinews - engine: mediawiki - shortcut: wn - categories: news - base_url: "https://{language}.wikinews.org/" - number_of_results: 5 - search_type: text - disabled: true - about: - website: https://www.wikinews.org/ - wikidata_id: Q964 - - - name: wikiquote - engine: mediawiki - shortcut: wq - categories: general - base_url: "https://{language}.wikiquote.org/" - number_of_results: 5 - search_type: text - disabled: true - additional_tests: - rosebud: *test_rosebud - about: - website: https://www.wikiquote.org/ - wikidata_id: Q369 - - - name: wikisource - engine: mediawiki - shortcut: ws - categories: general - base_url: "https://{language}.wikisource.org/" - number_of_results: 5 - search_type: 
text - disabled: true - about: - website: https://www.wikisource.org/ - wikidata_id: Q263 - - - name: wiktionary - engine: mediawiki - shortcut: wt - categories: [dictionaries] - base_url: "https://{language}.wiktionary.org/" - number_of_results: 5 - search_type: text - disabled: false - about: - website: https://www.wiktionary.org/ - wikidata_id: Q151 - - - name: wikiversity - engine: mediawiki - shortcut: wv - categories: general - base_url: "https://{language}.wikiversity.org/" - number_of_results: 5 - search_type: text - disabled: true - about: - website: https://www.wikiversity.org/ - wikidata_id: Q370 - - - name: wikivoyage - engine: mediawiki - shortcut: wy - categories: general - base_url: "https://{language}.wikivoyage.org/" - number_of_results: 5 - search_type: text - disabled: true - about: - website: https://www.wikivoyage.org/ - wikidata_id: Q373 - - - name: wolframalpha - shortcut: wa - # You can use the engine using the official stable API, but you need an API - # key. See: https://products.wolframalpha.com/api/ - # - # engine: wolframalpha_api - # api_key: '' - # - # Or you can use the html non-stable engine, activated by default - engine: wolframalpha_noapi - timeout: 6.0 - categories: [] - - - name: dictzone - engine: dictzone - shortcut: dc - - - name: mymemory translated - engine: translated - shortcut: tl - timeout: 5.0 - disabled: false - # You can use without an API key, but you are limited to 1000 words/day - # See: https://mymemory.translated.net/doc/usagelimits.php - # api_key: '' - - # Required dependency: mysql-connector-python - # - name: mysql - # engine: mysql_server - # database: mydatabase - # username: user - # password: pass - # limit: 10 - # query_str: 'SELECT * from mytable WHERE fieldname=%(query)s' - # shortcut: mysql - - - name: 1337x - engine: 1337x - shortcut: 1337x - disabled: true - - - name: duden - engine: duden - shortcut: du - disabled: true - - - name: seznam - shortcut: szn - engine: seznam - disabled: true - - # - 
name: deepl - # engine: deepl - # shortcut: dpl - # # You can use the engine using the official stable API, but you need an API key - # # See: https://www.deepl.com/pro-api?cta=header-pro-api - # api_key: '' # required! - # timeout: 5.0 - # disabled: true - - - name: mojeek - shortcut: mjk - engine: xpath - paging: true - categories: [general, web] - search_url: https://www.mojeek.com/search?q={query}&s={pageno}&lang={lang}&lb={lang} - results_xpath: //ul[@class="results-standard"]/li/a[@class="ob"] - url_xpath: ./@href - title_xpath: ../h2/a - content_xpath: ..//p[@class="s"] - suggestion_xpath: //div[@class="top-info"]/p[@class="top-info spell"]/em/a - first_page_num: 0 - page_size: 10 - disabled: true - about: - website: https://www.mojeek.com/ - wikidata_id: Q60747299 - official_api_documentation: https://www.mojeek.com/services/api.html/ - use_official_api: false - require_api_key: false - results: HTML - - - name: naver - shortcut: nvr - categories: [general, web] - engine: xpath - paging: true - search_url: https://search.naver.com/search.naver?where=webkr&sm=osp_hty&ie=UTF-8&query={query}&start={pageno} - url_xpath: //a[@class="link_tit"]/@href - title_xpath: //a[@class="link_tit"] - content_xpath: //a[@class="total_dsc"]/div - first_page_num: 1 - page_size: 10 - disabled: true - about: - website: https://www.naver.com/ - wikidata_id: Q485639 - official_api_documentation: https://developers.naver.com/docs/nmt/examples/ - use_official_api: false - require_api_key: false - results: HTML - language: ko - - - name: rubygems - shortcut: rbg - engine: xpath - paging: true - search_url: https://rubygems.org/search?page={pageno}&query={query} - results_xpath: /html/body/main/div/a[@class="gems__gem"] - url_xpath: ./@href - title_xpath: ./span/h2 - content_xpath: ./span/p - suggestion_xpath: /html/body/main/div/div[@class="search__suggestions"]/p/a - first_page_num: 1 - categories: [it, packages] - disabled: true - about: - website: https://rubygems.org/ - 
wikidata_id: Q1853420 - official_api_documentation: https://guides.rubygems.org/rubygems-org-api/ - use_official_api: false - require_api_key: false - results: HTML - - - name: peertube - engine: peertube - shortcut: ptb - paging: true - # alternatives see: https://instances.joinpeertube.org/instances - # base_url: https://tube.4aem.com - categories: videos - disabled: true - timeout: 6.0 - - - name: mediathekviewweb - engine: mediathekviewweb - shortcut: mvw - disabled: true - - # - name: yacy - # engine: yacy - # shortcut: ya - # base_url: http://localhost:8090 - # required if you aren't using HTTPS for your local yacy instance' - # enable_http: true - # number_of_results: 5 - # timeout: 3.0 - - - name: rumble - engine: rumble - shortcut: ru - base_url: https://rumble.com/ - paging: true - categories: videos - disabled: true - - - name: wordnik - engine: wordnik - shortcut: def - base_url: https://www.wordnik.com/ - categories: [dictionaries] - timeout: 5.0 - disabled: false - - - name: woxikon.de synonyme - engine: xpath - shortcut: woxi - categories: [dictionaries] - timeout: 5.0 - disabled: true - search_url: https://synonyme.woxikon.de/synonyme/{query}.php - url_xpath: //div[@class="upper-synonyms"]/a/@href - content_xpath: //div[@class="synonyms-list-group"] - title_xpath: //div[@class="upper-synonyms"]/a - no_result_for_http_status: [404] - about: - website: https://www.woxikon.de/ - wikidata_id: # No Wikidata ID - use_official_api: false - require_api_key: false - results: HTML - language: de - - - name: sjp.pwn - engine: sjp - shortcut: sjp - base_url: https://sjp.pwn.pl/ - timeout: 5.0 - disabled: true - - # wikimini: online encyclopedia for children - # The fulltext and title parameter is necessary for Wikimini because - # sometimes it will not show the results and redirect instead - - name: wikimini - engine: xpath - shortcut: wkmn - search_url: https://fr.wikimini.org/w/index.php?search={query}&title=Sp%C3%A9cial%3ASearch&fulltext=Search - url_xpath: 
//li/div[@class="mw-search-result-heading"]/a/@href - title_xpath: //li//div[@class="mw-search-result-heading"]/a - content_xpath: //li/div[@class="searchresult"] - categories: general - disabled: true - about: - website: https://wikimini.org/ - wikidata_id: Q3568032 - use_official_api: false - require_api_key: false - results: HTML - language: fr - - - name: wttr.in - engine: wttr - shortcut: wttr - timeout: 9.0 - - - name: brave - shortcut: brave - engine: xpath - paging: true - time_range_support: true - first_page_num: 0 - time_range_url: "&tf={time_range_val}" - search_url: https://search.brave.com/search?q={query}&offset={pageno}&spellcheck=1{time_range} - url_xpath: //a[@class="result-header"]/@href - title_xpath: //span[@class="snippet-title"] - content_xpath: //p[1][@class="snippet-description"] - suggestion_xpath: //div[@class="text-gray h6"]/a - time_range_map: - day: 'pd' - week: 'pw' - month: 'pm' - year: 'py' - categories: [general, web] - disabled: true - headers: - Accept-Encoding: gzip, deflate - about: - website: https://brave.com/search/ - wikidata_id: Q107355971 - use_official_api: false - require_api_key: false - results: HTML - - - name: petalsearch - shortcut: pts - engine: xpath - paging: true - search_url: https://petalsearch.com/search?query={query}&pn={pageno} - url_xpath: //div[@class='card-source'] - title_xpath: //div[@class='title-name'] - content_xpath: //div[@class='webpage-text'] - first_page_num: 1 - disabled: true - headers: - User-Agent: Mozilla/5.0 (Linux; Android 7.0;) \ - AppleWebKit/537.36 (KHTML, like Gecko) \ - Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot) - about: - website: https://petalsearch.com/ - wikidata_id: Q104399280 - use_official_api: false - require_api_key: false - results: HTML - - - name: petalsearch images - engine: petal_images - shortcut: ptsi - disabled: true - timeout: 3.0 - - - name: lib.rs - shortcut: lrs - engine: xpath - search_url: 
https://lib.rs/search?q={query} - results_xpath: /html/body/main/div/ol/li/a - url_xpath: ./@href - title_xpath: ./div[@class="h"]/h4 - content_xpath: ./div[@class="h"]/p - categories: [it, packages] - disabled: true - about: - website: https://lib.rs - wikidata_id: Q113486010 - use_official_api: false - require_api_key: false - results: HTML - - - name: sourcehut - shortcut: srht - engine: xpath - paging: true - search_url: https://sr.ht/projects?page={pageno}&search={query} - results_xpath: (//div[@class="event-list"])[1]/div[@class="event"] - url_xpath: ./h4/a[2]/@href - title_xpath: ./h4/a[2] - content_xpath: ./p - first_page_num: 1 - categories: [it, repos] - disabled: true - about: - website: https://sr.ht - wikidata_id: Q78514485 - official_api_documentation: https://man.sr.ht/ - use_official_api: false - require_api_key: false - results: HTML - - - name: goo - shortcut: goo - engine: xpath - paging: true - search_url: https://search.goo.ne.jp/web.jsp?MT={query}&FR={pageno}0 - url_xpath: //div[@class="result"]/p[@class='title fsL1']/a/@href - title_xpath: //div[@class="result"]/p[@class='title fsL1']/a - content_xpath: //p[contains(@class,'url fsM')]/following-sibling::p - first_page_num: 0 - categories: [general, web] - disabled: true - timeout: 4.0 - about: - website: https://search.goo.ne.jp - wikidata_id: Q249044 - use_official_api: false - require_api_key: false - results: HTML - language: ja - -doi_resolvers: - oadoi.org: 'https://oadoi.org/' - doi.org: 'https://doi.org/' - doai.io: 'https://dissem.in/' - sci-hub.se: 'https://sci-hub.se/' - sci-hub.st: 'https://sci-hub.st/' - sci-hub.ru: 'https://sci-hub.ru/' - -default_doi_resolver: 'oadoi.org' diff --git a/ansible/roles/authentik/vars/main.yml b/ansible/roles/authentik/vars/main.yml deleted file mode 100644 index c9b5a2d..0000000 --- a/ansible/roles/authentik/vars/main.yml +++ /dev/null 
@@ -1,10 +0,0 @@
-searxng_secret_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 33656138666464373665663339363665346566613637626131363335336535313131333265646539
- 3037373439643964343139383764386364623961383737610a313063613736316437366239663238
- 65333735633661316463336665353138623264396534383865363134613165636164303765356265
- 3865626366613966660a313738353339313133393765643136306361373061366132373130656531
- 61396230346333346636356562353733623332333662653164373630626339376433353663313862
- 61303230613135336662313531313836363466623162666233646231616333643536303233616231
- 62353866333465646162633738383866363338383932623335353038393130323932343363653233
- 62663465386661663262
diff --git a/ansible/roles/barassistant/files/nginx.conf b/ansible/roles/barassistant/files/nginx.conf
deleted file mode 100644
index 2df22c8..0000000
--- a/ansible/roles/barassistant/files/nginx.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-server {
- listen 3000 default_server;
- listen [::]:3000 default_server;
- server_name _;
-
- location = /favicon.ico { access_log off; log_not_found off; }
- location = /robots.txt { access_log off; log_not_found off; }
-
- client_max_body_size 100M;
-
- location /bar/ {
- proxy_pass http://bar-assistant:3000/;
- }
-
- location /search/ {
- proxy_pass http://meilisearch:7700/;
- }
-
- location / {
- proxy_pass http://salt-rim:8080/;
- }
-}
diff --git a/ansible/roles/barassistant/tasks/main.yml b/ansible/roles/barassistant/tasks/main.yml
deleted file mode 100644
index 389e21d..0000000
--- a/ansible/roles/barassistant/tasks/main.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Create data directory
- file:
- path: "{{ data_dir }}/barassistant/barassistant"
- state: directory
- owner: 33
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Copy nginx.conf to destination
- copy:
- src: nginx.conf
- dest: "{{ install_directory }}/{{ role_name }}/nginx.conf"
- mode: "{{ docker_compose_file_mask }}"
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/barassistant/templates/docker-compose.yml b/ansible/roles/barassistant/templates/docker-compose.yml
deleted file mode 100644
index 7f844e8..0000000
--- a/ansible/roles/barassistant/templates/docker-compose.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- meilisearch:
- image: getmeili/meilisearch:v1.12
- restart: unless-stopped
- networks:
- - default
- environment:
- MEILI_MASTER_KEY: "{{ meili_master_key }}"
- MEILI_ENV: production
- volumes:
- - "{{ data_dir }}/barassistant/meilisearch:/meili_data"
-
- redis:
- image: redis
- restart: unless-stopped
- networks:
- - default
- environment:
- ALLOW_EMPTY_PASSWORD: "True"
-
- bar-assistant:
- container_name: bar-assistant
- image: barassistant/server:v5
- restart: unless-stopped
- networks:
- - default
- depends_on:
- - meilisearch
- - redis
- environment:
- APP_URL: "{{ base_url }}/bar"
- LOG_CHANNEL: stderr
- MEILISEARCH_KEY: "{{ meili_master_key }}"
- MEILISEARCH_HOST: http://meilisearch:7700
- REDIS_HOST: redis
- ALLOW_REGISTRATION: "True"
- volumes:
- - "{{ data_dir }}/barassistant/barassistant:/var/www/cocktails/storage/bar-assistant"
-
- salt-rim:
- image: barassistant/salt-rim:v4
- restart: unless-stopped
- networks:
- - default
- depends_on:
- - bar-assistant
- environment:
- API_URL: "{{ base_url }}/bar"
- MEILISEARCH_URL: "{{ base_url }}/search"
- BAR_NAME: "Cocktails"
- DESCRIPTION: Why is the rum always gone?
- DEFAULT_LOCALE: "en-US"
-
- webserver:
- image: nginx:alpine
- restart: unless-stopped
- networks:
- - traefik
- - default
- volumes:
- - "./nginx.conf:/etc/nginx/conf.d/default.conf"
- labels:
- traefik.enable: true
- traefik.http.routers.barassistant.rule: "Host(`cocktails.{{ personal_domain }}`)"
- traefik.http.services.barassistant.loadbalancer.server.port: 3000
- traefik.http.routers.bariassistant.middlewares: lan-whitelist@file
diff --git a/ansible/roles/barassistant/vars/main.yml b/ansible/roles/barassistant/vars/main.yml
deleted file mode 100644
index b7855b5..0000000
--- a/ansible/roles/barassistant/vars/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-meili_master_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 61306335316339383330323264646132363837376264646235353562666239386463613431366361
- 3333666463623564393061616339393164353465633866320a303530613862386466383161623532
- 61653861653032303232666530623739303231363536316530386566313466333236613331303833
- 3734656334333366650a366261323139363635316264383966626237396338663030393931313532
- 33343737316535336539363135333834333462393330663038376132393661323866656132356566
- 39653732366333306134393965383339336330326566303230613362393366383561303939363937
- 64396230323664393236303939643337393034646637643766323938663961636639326466653332
- 30343132636534613835646163643832373835663030326635323236386361346133633964303137
- 36623631353931343861383232373231613837393936316635393838323466656330653835343932
- 64333432386133313363626630623837643237616132336664303963323062386365623266623333
- 343233663635306361333065313334313361
-
-base_url: "https://cocktails.{{ personal_domain }}"
diff --git a/ansible/roles/deemix/tasks/main.yml b/ansible/roles/deemix/tasks/main.yml
deleted file mode 100644
index 36e627b..0000000
--- a/ansible/roles/deemix/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- groups: "{{ media_group }}"
- append: yes
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/deemix/templates/docker-compose.yml b/ansible/roles/deemix/templates/docker-compose.yml
deleted file mode 100644
index 87228b4..0000000
--- a/ansible/roles/deemix/templates/docker-compose.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- {{ role_name }}:
- container_name: "{{ role_name }}"
- image: registry.gitlab.com/bockiii/deemix-docker
- restart: unless-stopped
- networks:
- - traefik
- environment:
- - "PUID={{ service_user.uid }}"
- - "PGID={{ media_gid }}"
- - "TZ={{ timezone }}"
- - "UMASK_SET=002"
- - "DEEMIX_SINGLE_USER=true"
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/config"
- - "{{ media_storage_mnt }}/data/import/music/deemix:/downloads"
- labels:
- traefik.enable: true
- traefik.http.routers.{{ role_name }}.rule: "Host(`{{ role_name }}.local.{{ personal_domain }}`)"
- traefik.http.routers.{{ role_name }}.middlewares: lan-whitelist@file
diff --git a/ansible/roles/firefly3/tasks/main.yml b/ansible/roles/firefly3/tasks/main.yml
deleted file mode 100644
index ebf6e65..0000000
--- a/ansible/roles/firefly3/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/firefly3/templates/docker-compose.yml b/ansible/roles/firefly3/templates/docker-compose.yml
deleted file mode 100644
index 3e3d564..0000000
--- a/ansible/roles/firefly3/templates/docker-compose.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-
-networks:
- firefly_iii:
- driver: bridge
- traefik:
- external: true
-
-services:
- app:
- image: fireflyiii/core:latest
- container_name: firefly_iii_core
- restart: unless-stopped
- volumes:
- - "{{ data_dir }}/firefly3/upload:/var/www/html/storage/upload"
- depends_on:
- - db
- networks:
- - traefik
- - default
- environment:
- APP_ENV: local
- APP_DEBUG: "false"
- APP_KEY: "{{ app_key }}"
- SITE_OWNER: {{ owner_email_address }}
- DEFAULT_LANGUAGE: "en_US"
- DEFAULT_LOCALE: equal
- TZ: {{ timezone }}
- TRUSTED_PROXIES: "*"
- APP_LOG_LEVEL: notice
- AUDIT_LOG_LEVEL: info
- DB_CONNECTION: mysql
- DB_HOST: db
- DB_PORT: 3306
- DB_DATABASE: firefly
- DB_USERNAME: firefly
- DB_PASSWORD: firefly
- APP_URL: "https://firefly.local.{{ personal_domain }}"
- STATIC_CRON_TOKEN: "Y5uNSbJoK4FKUC9gVE5hq8YFEbFmc6BK"
- labels:
- traefik.enable: true
- traefik.http.routers.firefly.rule: "Host(`firefly.local.{{ personal_domain }}`)"
- traefik.http.routers.firefly.middlewares: lan-whitelist@file
-
- db:
- image: mariadb
- restart: always
- volumes:
- - "{{ data_dir }}/mariadb/firefly3:/var/lib/mysql"
- environment:
- MYSQL_RANDOM_ROOT_PASSWORD: "yes"
- MYSQL_USER: firefly
- MYSQL_PASSWORD: firefly
- MYSQL_DATABASE: firefly
- cron:
- #
- # To make this work, set STATIC_CRON_TOKEN in your .env file or as an environment variable and replace REPLACEME below
- # The STATIC_CRON_TOKEN must be *exactly* 32 characters long
- #
- image: alpine
- restart: always
- container_name: firefly_iii_cron
- command: sh -c "echo \"0 3 * * * wget -qO- https://firefly.local.{{ personal_domain }}/api/v1/cron/Y5uNSbJoK4FKUC9gVE5hq8YFEbFmc6BK\" | crontab - && crond -f -L /dev/stdout"
- networks:
- - firefly_iii
- - default
diff --git a/ansible/roles/firefly3/vars/main.yml b/ansible/roles/firefly3/vars/main.yml
deleted file mode 100644
index f795754..0000000
--- a/ansible/roles/firefly3/vars/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-owner_email_address: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 61373861363433363938396137653461363830323539316438323861326437663364383032363064
- 6438303462336466373233663366303263313139333830330a623465633166653530633961643162
- 65303032386661393063393134643436653737666163373833383036316234393563313536353036
- 3839663034393730340a626361646463636137636535653632343064353461656532656236633865
- 66636634323434356436313737336635363832333262383331333034313530663463
-
-app_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 31333563616230396135363562313038346138633631613832646463343666643733333366303561
- 3461316337303862616662333031306231613532383534340a643236306232383466333531626466
- 33313830646365333935313237663134343033396166623730303030636438656435313462633762
- 3134643738616365330a636366343736306539666565663866626537303431366633646638663563
- 32616439336338393663373466323630323733393031633564383737383465313434313230323038
- 6534636266653166633539326632623165663436323936643031
-
diff --git a/ansible/roles/lubelogger/tasks/main.yml b/ansible/roles/lubelogger/tasks/main.yml
deleted file mode 100644
index ebf6e65..0000000
--- a/ansible/roles/lubelogger/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/lubelogger/templates/docker-compose.yml b/ansible/roles/lubelogger/templates/docker-compose.yml
deleted file mode 100644
index 368e990..0000000
--- a/ansible/roles/lubelogger/templates/docker-compose.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- lubelogger:
- container_name: lubelogger
- image: ghcr.io/hargata/lubelogger:latest
- restart: unless-stopped
- networks:
- - traefik
- environment:
- - LC_ALL=en_US.UTF-8
- - LANG=en_US.UTF-8
- - MailConfig__EmailServer=""
- - MailConfig__EmailFrom=""
- - MailConfig__Port=587
- - MailConfig__Username=""
- - MailConfig__Password=""
- - LOGGING__LOGLEVEL__DEFAULT=Error
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/App"
- labels:
- traefik.enable: true
- traefik.http.routers.lubelogger.rule: "Host(`lubelogger.local.{{ personal_domain }}`)"
- traefik.http.routers.lubelogger.middlewares: lan-whitelist@file
diff --git a/ansible/roles/mealie/tasks/main.yml b/ansible/roles/mealie/tasks/main.yml
deleted file mode 100644
index abd6bac..0000000
--- a/ansible/roles/mealie/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/mealie/templates/docker-compose.yml b/ansible/roles/mealie/templates/docker-compose.yml
deleted file mode 100644
index c204cd6..0000000
--- a/ansible/roles/mealie/templates/docker-compose.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-
-networks:
- traefik:
- external: true
- default:
- internal: true
-
-services:
- mealie-frontend:
- image: hkotel/mealie:frontend-v1.0.0beta-5
- container_name: mealie-frontend
- restart: unless-stopped
- depends_on:
- - mealie-api
- networks:
- - default
- - traefik
- environment:
- - API_URL=http://mealie-api:9000 #
- volumes:
- - "{{ data_dir }}/mealie:/app/data"
- labels:
- traefik.enable: true
- traefik.http.routers.mealie.rule: "Host(`mealie.{{ personal_domain }}`)"
- traefik.http.services.mealie.loadbalancer.server.port: 3000
-
- mealie-api:
- image: hkotel/mealie:api-v1.0.0beta-5
- container_name: mealie-api
- restart: unless-stopped
- depends_on:
- - postgres
- networks:
- - default
- volumes:
- - "{{ data_dir }}/mealie:/app/data"
- environment:
- - ALLOW_SIGNUP=false
- - "PUID={{ service_user.uid }}"
- - "PGID={{ service_user.uid }}"
- - "TZ={{ timezone }}"
- - MAX_WORKERS=1
- - WEB_CONCURRENCY=1
- - "BASE_URL=https://mealie.{{ personal_domain }}"
- - DB_ENGINE=postgres
- - POSTGRES_USER=mealie
- - POSTGRES_PASSWORD=mealie
- - POSTGRES_SERVER=postgres
- - POSTGRES_PORT=5432
- - POSTGRES_DB=mealie
- - "DEFAULT_EMAIL={{ email }}"
- - TOKEN_TIME=168
- dns:
- - 10.0.0.1
-
- postgres:
- container_name: postgres
- image: postgres
- restart: always
- networks:
- - default
- volumes:
- - "{{ data_dir }}/postgres/mealie:/var/lib/postgresql/data"
- environment:
- POSTGRES_PASSWORD: mealie
- POSTGRES_USER: mealie
diff --git a/ansible/roles/mealie/vars/main.yml b/ansible/roles/mealie/vars/main.yml
deleted file mode 100644
index 862b3cd..0000000
--- a/ansible/roles/mealie/vars/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-email: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 30343965383433393930313337303637353362616563313863396433323939393864393436376534
- 6438663537386464623830316136643461356631316436360a636664323436303464376630616639
- 62653263633531343733313137303863623562616632313236376466313132636234633438616164
- 3030303934343761390a663734333566323234613434633636353665623530643262353162383237
- 66633863376332663064346132356238333561663438643232646463646632656361
diff --git a/ansible/roles/ntfy/handlers/main.yml b/ansible/roles/ntfy/handlers/main.yml
deleted file mode 100644
index 0ec784e..0000000
--- a/ansible/roles/ntfy/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart ntfy
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/ntfy"
- restarted: true
diff --git a/ansible/roles/ntfy/tasks/main.yml b/ansible/roles/ntfy/tasks/main.yml
deleted file mode 100644
index b787de8..0000000
--- a/ansible/roles/ntfy/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Install configuration file
- template:
- src: server.yml
- dest: "{{ data_dir }}/ntfy/server.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- notify: restart ntfy
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/ntfy/templates/docker-compose.yml b/ansible/roles/ntfy/templates/docker-compose.yml
deleted file mode 100644
index 84e9efe..0000000
--- a/ansible/roles/ntfy/templates/docker-compose.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- ntfy:
- container_name: ntfy
- image: binwiederhier/ntfy:latest
- restart: unless-stopped
- networks:
- - traefik
- user: "{{ primary_uid }}:{{ primary_gid }}"
- environment:
- - TZ={{ timezone }}
- command:
- - serve
- volumes:
- - "{{ data_dir }}/ntfy:/etc/ntfy"
- - /var/cache/ntfy:/var/cache/ntfy
- labels:
- traefik.enable: true
- traefik.http.routers.ntfy.rule: "Host(`push.{{ personal_domain }}`)"
- traefik.http.routers.ntfy.middlewares: lan-whitelist@file
diff --git a/ansible/roles/ntfy/templates/server.yml b/ansible/roles/ntfy/templates/server.yml
deleted file mode 100644
index da85750..0000000
--- a/ansible/roles/ntfy/templates/server.yml
+++ /dev/null
@@ -1,279 +0,0 @@
-# ntfy server config file
-#
-# Please refer to the documentation at https://ntfy.sh/docs/config/ for details.
-# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec.
-
-# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com)
-#
-# This setting is required for any of the following features:
-# - attachments (to return a download URL)
-# - e-mail sending (for the topic URL in the email footer)
-# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic)
-# - Matrix Push Gateway (to validate that the pushkey is correct)
-#
-base-url: "https://push.{{ personal_domain }}"
-
-# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also
-# set "key-file" and "cert-file". Format: []:, e.g. "1.2.3.4:8080".
-#
-# To listen on all interfaces, you may omit the IP address, e.g. ":443".
-# To disable HTTP, set "listen-http" to "-".
-#
-# listen-http: ":80"
-# listen-https:
-
-# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock
-# This can be useful to avoid port issues on local systems, and to simplify permissions.
-#
-# listen-unix:
-# listen-unix-mode:
-
-# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set.
-#
-# key-file:
-# cert-file:
-
-# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app.
-# This is optional and only required to save battery when using the Android app.
-#
-# firebase-key-file:
-
-# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory.
-# This allows for service restarts without losing messages in support of the since= parameter.
-#
-# The "cache-duration" parameter defines the duration for which messages will be buffered
-# before they are deleted. This is required to support the "since=..." and "poll=1" parameter.
-# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0.
-# The cache file is created automatically, provided that the correct permissions are set.
-#
-# The "cache-startup-queries" parameter allows you to run commands when the database is initialized,
-# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)).
-# Example:
-# cache-startup-queries: |
-# pragma journal_mode = WAL;
-# pragma synchronous = normal;
-# pragma temp_store = memory;
-# pragma busy_timeout = 15000;
-# vacuum;
-#
-# The "cache-batch-size" and "cache-batch-timeout" parameter allow enabling async batch writing
-# of messages. If set, messages will be queued and written to the database in batches of the given
-# size, or after the given timeout. This is only required for high volume servers.
-#
-# Debian/RPM package users:
-# Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package
-# creates this folder for you.
-#
-# Check your permissions:
-# If you are running ntfy with systemd, make sure this cache file is owned by the
-# ntfy user and group by running: chown ntfy.ntfy .
-#
-# cache-file:
-# cache-duration: "12h"
-# cache-startup-queries:
-# cache-batch-size: 0
-# cache-batch-timeout: "0ms"
-
-# If set, access to the ntfy server and API can be controlled on a granular level using
-# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs.
-#
-# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist
-# - auth-default-access defines the default/fallback access if no access control entry is found; it can be
-# set to "read-write" (default), "read-only", "write-only" or "deny-all".
-# - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable
-# WAL mode. This is similar to cache-startup-queries. See above for details.
-#
-# Debian/RPM package users:
-# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
-# creates this folder for you.
-#
-# Check your permissions:
-# If you are running ntfy with systemd, make sure this user database file is owned by the
-# ntfy user and group by running: chown ntfy.ntfy .
-#
-# auth-file:
-# auth-default-access: "read-write"
-# auth-startup-queries:
-
-# If set, the X-Forwarded-For header is used to determine the visitor IP address
-# instead of the remote address of the connection.
-#
-# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited
-# as if they are one.
-#
-behind-proxy: true
-
-# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
-# are "attachment-cache-dir" and "base-url".
-#
-# - attachment-cache-dir is the cache directory for attached files
-# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size)
-# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M)
-# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h)
-#
-attachment-cache-dir: "/var/cache/ntfy/attachments"
-# attachment-total-size-limit: "5G"
-# attachment-file-size-limit: "15M"
-# attachment-expiry-duration: "3h"
-
-# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
-# messages will additionally be sent out as e-mail using an external SMTP server. As of today, only
-# SMTP servers with plain text auth and STARTLS are supported. Please also refer to the rate limiting settings
-# below (visitor-email-limit-burst & visitor-email-limit-burst).
-#
-# - smtp-sender-addr is the hostname:port of the SMTP server
-# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user
-# - smtp-sender-from is the e-mail address of the sender
-#
-# smtp-sender-addr:
-# smtp-sender-user:
-# smtp-sender-pass:
-# smtp-sender-from:
-
-# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send
-# emails to a topic e-mail address to publish messages to a topic.
-#
-# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25
-# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh
-# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-",
-# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to
-# $topic@ntfy.sh will be accepted (which may obviously be a spam problem).
-#
-# smtp-server-listen:
-# smtp-server-domain:
-# smtp-server-addr-prefix:
-
-# Interval in which keepalive messages are sent to the client. This is to prevent
-# intermediaries closing the connection for inactivity.
-#
-# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that.
-#
-# keepalive-interval: "45s"
-
-# Interval in which the manager prunes old messages, deletes topics
-# and prints the stats.
-#
-# manager-interval: "1m"
-
-# Defines topic names that are not allowed, because they are otherwise used. There are a few default topics
-# that cannot be used (e.g. app, account, settings, ...). To extend the default list, define them here.
-#
-# Example:
-# disallowed-topics:
-# - about
-# - pricing
-# - contact
-#
-# disallowed-topics:
-
-# Defines if the root route (/) is pointing to the landing page (as on ntfy.sh) or the
-# web app. If you self-host, you don't want to change this.
-# Can be "app" (default), "home" or "disable" to disable the web app entirely.
-#
-# web-root: app
-
-# Various feature flags used to control the web app, and API access, mainly around user and
-# account management.
-#
-# - enable-signup allows users to sign up via the web app, or API
-# - enable-login allows users to log in via the web app, or API
-# - enable-reservations allows users to reserve topics (if their tier allows it)
-#
-# enable-signup: false
-# enable-login: false
-# enable-reservations: false
-
-# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
-#
-# iOS users:
-# If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this:
-# upstream-base-url: "https://ntfy.sh"
-#
-# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing
-# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents.
-# This is to prevent the upstream server and Firebase/APNS from being able to read the message.
-#
-# upstream-base-url:
-
-# Rate limiting: Total number of topics before the server rejects new topics.
-#
-# global-topic-limit: 15000
-
-# Rate limiting: Number of subscriptions per visitor (IP address)
-#
-# visitor-subscription-limit: 30
-
-# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor:
-# - visitor-request-limit-burst is the initial bucket of requests each visitor has
-# - visitor-request-limit-replenish is the rate at which the bucket is refilled
-# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames, IPs or CIDRs to be
-# exempt from request rate limiting. Hostnames are resolved at the time the server is started.
-# Example: "1.2.3.4,ntfy.example.com,8.7.6.0/24"
-#
-# visitor-request-limit-burst: 60
-# visitor-request-limit-replenish: "5s"
-# visitor-request-limit-exempt-hosts: ""
-
-# Rate limiting: Hard daily limit of messages per visitor and day. The limit is reset
-# every day at midnight UTC.
If the limit is not set (or set to zero), the request
-# limit (see above) governs the upper limit.
-#
-# visitor-message-daily-limit: 0
-
-# Rate limiting: Allowed emails per visitor:
-# - visitor-email-limit-burst is the initial bucket of emails each visitor has
-# - visitor-email-limit-replenish is the rate at which the bucket is refilled
-#
-# visitor-email-limit-burst: 16
-# visitor-email-limit-replenish: "1h"
-
-# Rate limiting: Attachment size and bandwidth limits per visitor:
-# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor
-# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor
-#
-# visitor-attachment-total-size-limit: "100M"
-# visitor-attachment-daily-bandwidth-limit: "500M"
-
-# Payments integration via Stripe
-#
-# - stripe-secret-key is the key used for the Stripe API communication. Setting this values
-# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys.
-# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe.
-# Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks.
-#
-# stripe-secret-key:
-# stripe-webhook-key:
-
-# Logging options
-#
-# By default, ntfy logs to the console (stderr), with an "info" log level, and in a human-readable text format.
-# ntfy supports five different log levels, can also write to a file, log as JSON, and even supports granular
-# log level overrides for easier debugging. Some options (log-level and log-level-overrides) can be hot reloaded
-# by calling "kill -HUP $pid" or "systemctl reload ntfy".
-#
-# - log-format defines the output format, can be "text" (default) or "json"
-# - log-file is a filename to write logs to. If this is not set, ntfy logs to stderr.
-# - log-level defines the default log level, can be one of "trace", "debug", "info" (default), "warn" or "error".
-# Be aware that "debug" (and particularly "trace") can be VERY CHATTY. Only turn them on briefly for debugging purposes.
-# - log-level-overrides lets you override the log level if certain fields match. This is incredibly powerful
-# for debugging certain parts of the system (e.g. only the account management, or only a certain visitor).
-# This is an array of strings in the format:
-# - "field=value -> level" to match a value exactly, e.g. "tag=manager -> trace"
-# - "field -> level" to match any value, e.g. "time_taken_ms -> debug"
-# Warning: Using log-level-overrides has a performance penalty. Only use it for temporary debugging.
-#
-# Example (good for production):
-# log-level: info
-# log-format: json
-# log-file: /var/log/ntfy.log
-#
-# Example level overrides (for debugging, only use temporarily):
-# log-level-overrides:
-# - "tag=manager -> trace"
-# - "visitor_ip=1.2.3.4 -> debug"
-# - "time_taken_ms -> debug"
-#
-# log-level: info
-# log-level-overrides:
-# log-format: text
-# log-file:
diff --git a/ansible/roles/readarr/tasks/main.yml b/ansible/roles/readarr/tasks/main.yml
deleted file mode 100644
index 36e627b..0000000
--- a/ansible/roles/readarr/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- groups: "{{ media_group }}"
- append: yes
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/readarr/templates/docker-compose.yml b/ansible/roles/readarr/templates/docker-compose.yml
deleted file mode 100644
index 3ed091b..0000000
--- a/ansible/roles/readarr/templates/docker-compose.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- {{ role_name }}:
- container_name: "{{ role_name }}"
- image: cr.hotio.dev/hotio/readarr
- restart: unless-stopped
- networks:
- - traefik
- environment:
- - "PUID={{ service_user.uid }}"
- - "PGID={{ media_gid }}"
- - "TZ={{ timezone }}"
- - "UMASK=002"
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/config"
- - "{{ media_storage_mnt }}/data:/data"
- labels:
- traefik.enable: true
- traefik.http.routers.{{ role_name }}.rule: "Host(`{{ role_name }}.local.{{ personal_domain }}`)"
- traefik.http.routers.{{ role_name }}.middlewares: lan-whitelist@file
diff --git a/ansible/roles/renovate/tasks/main.yml b/ansible/roles/renovate/tasks/main.yml
deleted file mode 100644
index 872934f..0000000
--- a/ansible/roles/renovate/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Copy config.js to destination
- template:
- src: config.js
- dest: "{{ install_directory }}/renovate/config.js"
- mode: "{{ docker_compose_file_mask }}"
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/renovate/templates/config.js b/ansible/roles/renovate/templates/config.js
deleted file mode 100644
index 86ffcfe..0000000
--- a/ansible/roles/renovate/templates/config.js
+++ /dev/null
@@ -1,14 +0,0 @@
-module.exports = {
- endpoint: "git.{{ personal_domain }}/api/v2",
- token: '{{ renovate_gitea_token }}',
- platform: 'gitea',
- dryRun: true,
- autodiscover: true,
- onboarding: false,
- redisUrl: 'redis://redis',
- repositoryCache: 'enabled',
- persistRepoData: true,
- binarySource: "docker",
- dockerUser: "{{ primary_uid }}",
- baseDir: "{{ data_dir }}/renovate",
-};
diff --git a/ansible/roles/renovate/templates/docker-compose.yml b/ansible/roles/renovate/templates/docker-compose.yml
deleted file mode 100644
index fe1d795..0000000
--- a/ansible/roles/renovate/templates/docker-compose.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-
-networks:
- docker-socket-proxy:
- external: true
-
-services:
- renovate:
- container_name: renovate
- image: renovate/renovate:slim
- restart: unless-stopped
- depends_on:
- - redis
- networks:
- - docker-socket-proxy
- user: "{{ service_user.uid }}:{{ service_user.group }}"
- environment:
- - TZ={{ timezone }}
- - DOCKER_HOST=tcp://docker_socket_proxy:2375
- - "RENOVATE_TOKEN={{ renovate_gitea_token }}"
- volumes:
- - "{{ data_dir }}/renovate:/{{ data_dir }}/renovate" # These must be the same
- - ./config.js:/usr/src/app/config.js:ro
-
- redis:
- image: redis:7-alpine
- restart: unless-stopped
diff --git a/ansible/roles/renovate/vars/main.yml b/ansible/roles/renovate/vars/main.yml
deleted file mode 100644
index 1714a59..0000000
--- a/ansible/roles/renovate/vars/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-renovate_gitea_token: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 61383064643566343633633962376238346137633933643634353564316266656338333665613235
- 3230613339633561313064393163393537623763393336300a383332626538376335613763313439
- 64326566393761666266303438313435346535626231376661653863663664623839663431363632
- 6434306532613065650a636562663030363162396435346262353839653736343530393365633331
- 65366534333234353239376566326234666566303038396661343137316265306433313235366530
- 6164656437346131376165613136363161646437343038393266
diff --git a/ansible/roles/sabnzbd/tasks/main.yml b/ansible/roles/sabnzbd/tasks/main.yml
deleted file mode 100644
index 377c4ee..0000000
--- a/ansible/roles/sabnzbd/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- groups: "{{ media_group }}"
- append: yes
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker containers
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/sabnzbd/templates/docker-compose.yml b/ansible/roles/sabnzbd/templates/docker-compose.yml
deleted file mode 100644
index e2985de..0000000
--- a/ansible/roles/sabnzbd/templates/docker-compose.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- sabnzbd:
- container_name: sabnzbd
- image: lscr.io/linuxserver/sabnzbd:latest
- restart: unless-stopped
- networks:
- - traefik
- environment:
- - "PUID={{ service_user.uid }}"
- - "PGID={{ media_gid }}"
- - "TZ={{ timezone }}"
- - "UMASK=002"
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/config"
- - "{{ media_storage_mnt }}/data/usenet:/data/usenet"
- labels:
- traefik.enable: true
- traefik.http.routers.{{ role_name }}.rule: "Host(`{{ role_name }}.local.{{ personal_domain }}`)"
- traefik.http.routers.{{ role_name }}.middlewares: lan-whitelist@file
- traefik.http.services.sabnzbd.loadbalancer.server.port: 8080
diff --git a/ansible/roles/synapse/handlers/main.yml b/ansible/roles/synapse/handlers/main.yml
deleted file mode 100644
index 9096f30..0000000
--- a/ansible/roles/synapse/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart synapse
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- restarted: true
diff --git a/ansible/roles/synapse/tasks/main.yml b/ansible/roles/synapse/tasks/main.yml
deleted file mode 100644
index 58e1dcf..0000000
--- a/ansible/roles/synapse/tasks/main.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Copy homeserver.yaml to destination
- template:
- src: homeserver.yaml
- dest: "{{ install_directory }}/synapse/homeserver.yaml"
- owner: "{{ service_user.uid }}"
- mode: "{{ docker_compose_file_mask }}"
- notify: restart synapse
- become: true
-
-- name: Create config directory and set synapse user to owner
- file:
- path: "{{ data_dir }}/synapse"
- state: directory
- owner: "{{ service_user.uid }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Create nginx config directory
- file:
- path: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/"
- state: directory
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Install nginx config file
- template:
- src: nginx/matrix.conf
- dest: "{{ data_dir }}/nginx/synapse/matrix.conf"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- become: true
-
-- name: Install well known client file
- template:
- src: nginx/client.json
- dest: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/client"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- become: true
-
-- name: Install well known server file
- template:
- src: nginx/server.json
- dest: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/server"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/synapse/templates/docker-compose.yml b/ansible/roles/synapse/templates/docker-compose.yml
deleted file mode 100644
index 7fd431f..0000000
--- a/ansible/roles/synapse/templates/docker-compose.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- synapse:
- container_name: "synapse"
- image: matrixdotorg/synapse
- restart: unless-stopped
- depends_on:
- - db
- networks:
- - traefik
- - default
- environment:
- - "UID={{ service_user.uid }}"
- - "GID={{ service_user.uid }}"
- - "TZ={{ timezone }}"
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/data"
- - ./homeserver.yaml:/data/homeserver.yaml
- labels:
- traefik.enable: true
- traefik.http.routers.synapse.rule: "Host(`matrix.{{ personal_domain }}`) || (Host(`{{ personal_domain }}`) && PathPrefix(`/_matrix/`))"
-
- db:
- image: postgres:14-alpine
- restart: unless-stopped
- networks:
- - default
- environment:
- - POSTGRES_USER=synapse
- - POSTGRES_PASSWORD=synapse
- - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
- volumes:
- - "{{ data_dir }}/postgres/synapse:/var/lib/postgresql/data"
-
- redis:
- networks:
- - default
- image: redis:7-alpine
- restart: unless-stopped
- volumes:
- - "{{ data_dir }}/redis/synapse:/data"
-
- admin:
- image: awesometechnologies/synapse-admin:latest
- restart: unless-stopped
- networks:
- - traefik
- labels:
- traefik.enable: true
- traefik.http.routers.synapse-admin.rule: "Host(`synapse-admin.local.{{ personal_domain }}`)"
- traefik.http.routers.synapse-admin.middlewares: lan-whitelist@file
-
- nginx:
- image: nginx:latest
- restart: unless-stopped
- networks:
- - traefik
- volumes:
- - "{{ data_dir }}/nginx/synapse/matrix.conf:/etc/nginx/conf.d/matrix.conf"
- - "{{ data_dir }}/nginx/synapse/www:/var/www"
- labels:
- traefik.enable: true
- traefik.http.routers.matrix.rule: "Host(`{{ personal_domain }}`)"
diff --git a/ansible/roles/synapse/templates/homeserver.yaml b/ansible/roles/synapse/templates/homeserver.yaml
deleted file mode 100644
index 678760b..0000000
--- a/ansible/roles/synapse/templates/homeserver.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-server_name: "{{ personal_domain }}"
-pid_file: /data/homeserver.pid
-public_baseurl: "https://matrix.{{ personal_domain }}"
-
-ip_range_whitelist:
- - 10.0.0.0/24
-
-acme:
- enabled: false
-
-database:
- name: psycopg2
- args:
- user: synapse
- password: synapse
- database: synapse
- host: db
-
-redis:
- enabled: true
- host: redis
- port: 6379
-
-listeners:
- - port: 8008
- tls: false
- type: http
- x_forwarded: true
- resources:
- - names: [client, federation]
- compress: false
-
-registration_shared_secret: "{{ synapse_registration_shared_secret }}"
-
-report_stats: true
-
-media_store_path: /data/media_store
-uploads_path: /data/uploads
-
-trusted_key_servers:
- - server_name: matrix.org
-suppress_key_server_warning: true
diff --git a/ansible/roles/synapse/templates/nginx/client.json b/ansible/roles/synapse/templates/nginx/client.json
deleted file mode 100644
index 939a0e0..0000000
--- a/ansible/roles/synapse/templates/nginx/client.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "m.homeserver": {
- "base_url": "https://matrix.{{ personal_domain }}"
- }
-}
diff --git a/ansible/roles/synapse/templates/nginx/matrix.conf b/ansible/roles/synapse/templates/nginx/matrix.conf
deleted file mode 100644
index 735d5fe..0000000
--- a/ansible/roles/synapse/templates/nginx/matrix.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
- listen 80 default_server;
- server_name {{ personal_domain }};
-
- # Traefik -> nginx -> synapse
- location /_matrix {
- proxy_pass http://synapse:8008;
- proxy_set_header X-Forwarded-For $remote_addr;
- client_max_body_size 128m;
- }
-
- location /.well-known/matrix/ {
- root /var/www/;
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
-}
diff --git a/ansible/roles/synapse/templates/nginx/server.json b/ansible/roles/synapse/templates/nginx/server.json
deleted file mode 100644
index 8b08597..0000000
--- a/ansible/roles/synapse/templates/nginx/server.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "m.server": "matrix.{{ personal_domain }}:443"
-}
-
diff --git a/ansible/roles/synapse/vars/main.yml b/ansible/roles/synapse/vars/main.yml
deleted file mode 100644
index 4be44c9..0000000
--- a/ansible/roles/synapse/vars/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-synapse_registration_shared_secret: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 33393864663831636636616361333635343366613633353234363761303235333361376230333863
- 6432326363656232323531636139356663623734313161350a653262636439363334353266393563
- 61646265303161396630653839346266336335613030623237363537663839306331333064626436
- 6262623236353061380a306335356365633164313639633031353663373633306539343464376639
- 37396535386631363866343030653835636437303230333430303033616364383734626563336265
- 37643164393334316534386266613930383136663934613233313939316533643164623163626334
- 31396163383132333365383364323866626264323234353939653236386231636536666261616534
- 37353930663863343533636536356363373432383437643965663636323234303730623434386264
- 31653131653964376164623039616166376162323235363164303163353363643733643761353264
- 63393632366139313538656566393239393465653536356131333430323165356263323839666636
- 353466373866616536383761343036666561
diff --git a/ansible/roles/unifi-controller/tasks/main.yml b/ansible/roles/unifi-controller/tasks/main.yml
deleted file mode 100644
index abd6bac..0000000
--- a/ansible/roles/unifi-controller/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: Create service user
- user:
- name: "{{ role_name }}"
- system: true
- register: service_user
- become: true
-
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/unifi-controller/templates/docker-compose.yml b/ansible/roles/unifi-controller/templates/docker-compose.yml
deleted file mode 100644
index 18527dd..0000000
--- a/ansible/roles/unifi-controller/templates/docker-compose.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-networks:
- traefik:
- external: true
-
-services:
- unifi-controller:
- container_name: unifi-controller
- image: lscr.io/linuxserver/unifi-controller:latest
- restart: unless-stopped
- networks:
- - traefik
- ports:
- - 8443:8443 # WebUI
- - 3478:3478/udp # STUN
- - 10001:10001/udp # AP discovery
- - 8080:8080 # Device communication
- environment:
- - "PUID={{ service_user.uid }}"
- - "PGID={{ service_user.uid }}"
- - "TZ={{ timezone }}"
- volumes:
- - "{{ data_dir }}/{{ role_name }}:/config"
- labels:
- traefik.enable: true
- traefik.http.routers.unifi.rule: "Host(`unifi.local.{{ personal_domain }}`)"
- traefik.http.routers.unifi.middlewares: lan-whitelist@file
- traefik.http.services.unifi.loadbalancer.server.scheme: https
- traefik.http.services.unifi.loadbalancer.server.port: 8443
diff --git a/ansible/roles/wger/files/nginx.conf b/ansible/roles/wger/files/nginx.conf
deleted file mode 100644
index e4d4088..0000000
--- a/ansible/roles/wger/files/nginx.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-upstream wger {
- server web:8000;
-}
-
-server {
-
- listen 80;
-
- location / {
- proxy_pass http://wger;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
- proxy_set_header X-Forwarded-Host $host:$server_port;
- proxy_redirect off;
- }
-
- location /static/ {
- alias /wger/static/;
- }
-
- location /media/ {
- alias /wger/media/;
- }
-
- # Increase max body size to allow for video uploads
- client_max_body_size 100M;
-}
\ No newline at end of file
diff --git a/ansible/roles/wger/files/redis.conf b/ansible/roles/wger/files/redis.conf
deleted file mode 100644
index 54824eb..0000000
--- a/ansible/roles/wger/files/redis.conf
+++ /dev/null
@@ -1,2359 +0,0 @@ -# Downloaded from https://redis.io/docs/latest/operate/oss_and_stack/management/config/ -# -# Changed from default: -# - bind * -::* -# - protected-mode no -# - maxmemory 1gb -# - maxmemory-policy volatile-lru -# - save 3600 1 300 100 60 10000 -# - dir /data -# - commented out pidfile - -# Redis configuration file example. -# -# Note that in order to read the configuration file, Redis must be -# started with the file path as first argument: -# -# ./redis-server /path/to/redis.conf - -# Note on units: when memory size is needed, it is possible to specify -# it in the usual form of 1k 5GB 4M and so forth: -# -# 1k => 1000 bytes -# 1kb => 1024 bytes -# 1m => 1000000 bytes -# 1mb => 1024*1024 bytes -# 1g => 1000000000 bytes -# 1gb => 1024*1024*1024 bytes -# -# units are case insensitive so 1GB 1Gb 1gB are all the same. - -################################## INCLUDES ################################### - -# Include one or more other config files here. This is useful if you -# have a standard template that goes to all Redis servers but also need -# to customize a few per-server settings. Include files can include -# other files, so use this wisely. -# -# Note that option "include" won't be rewritten by command "CONFIG REWRITE" -# from admin or Redis Sentinel. Since Redis always uses the last processed -# line as value of a configuration directive, you'd better put includes -# at the beginning of this file to avoid overwriting config change at runtime. -# -# If instead you are interested in using includes to override configuration -# options, it is better to use include as the last line. -# -# Included paths may contain wildcards. All files matching the wildcards will -# be included in alphabetical order. -# Note that if an include path contains a wildcards but no files match it when -# the server is started, the include statement will be ignored and no error will -# be emitted. It is safe, therefore, to include wildcard files from empty -# directories. 
-# -# include /path/to/local.conf -# include /path/to/other.conf -# include /path/to/fragments/*.conf -# - -################################## MODULES ##################################### - -# Load modules at startup. If the server is not able to load modules -# it will abort. It is possible to use multiple loadmodule directives. -# -# loadmodule /path/to/my_module.so -# loadmodule /path/to/other_module.so -# loadmodule /path/to/args_module.so [arg [arg ...]] - -################################## NETWORK ##################################### - -# By default, if no "bind" configuration directive is specified, Redis listens -# for connections from all available network interfaces on the host machine. -# It is possible to listen to just one or multiple selected interfaces using -# the "bind" configuration directive, followed by one or more IP addresses. -# Each address can be prefixed by "-", which means that redis will not fail to -# start if the address is not available. Being not available only refers to -# addresses that does not correspond to any network interface. Addresses that -# are already in use will always fail, and unsupported protocols will always BE -# silently skipped. -# -# Examples: -# -# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses -# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6 -# bind * -::* # like the default, all available interfaces -# -# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the -# internet, binding to all the interfaces is dangerous and will expose the -# instance to everybody on the internet. So by default we uncomment the -# following bind directive, that will force Redis to listen only on the -# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis -# will only be able to accept client connections from the same host that it is -# running on). -# -# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES -# COMMENT OUT THE FOLLOWING LINE. 
-# -# You will also need to set a password unless you explicitly disable protected -# mode. -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -bind * -::* - -# By default, outgoing connections (from replica to master, from Sentinel to -# instances, cluster bus, etc.) are not bound to a specific local address. In -# most cases, this means the operating system will handle that based on routing -# and the interface through which the connection goes out. -# -# Using bind-source-addr it is possible to configure a specific address to bind -# to, which may also affect how the connection gets routed. -# -# Example: -# -# bind-source-addr 10.0.0.1 - -# Protected mode is a layer of security protection, in order to avoid that -# Redis instances left open on the internet are accessed and exploited. -# -# When protected mode is on and the default user has no password, the server -# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address -# (::1) or Unix domain sockets. -# -# By default protected mode is enabled. You should disable it only if -# you are sure you want clients from other hosts to connect to Redis -# even if no authentication is configured. -protected-mode no - -# Redis uses default hardened security configuration directives to reduce the -# attack surface on innocent users. Therefore, several sensitive configuration -# directives are immutable, and some potentially-dangerous commands are blocked. -# -# Configuration directives that control files that Redis writes to (e.g., 'dir' -# and 'dbfilename') and that aren't usually modified during runtime -# are protected by making them immutable. -# -# Commands that can increase the attack surface of Redis and that aren't usually -# called by users are blocked by default. 
-# -# These can be exposed to either all connections or just local ones by setting -# each of the configs listed below to either of these values: -# -# no - Block for any connection (remain immutable) -# yes - Allow for any connection (no protection) -# local - Allow only for local connections. Ones originating from the -# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets. -# -# enable-protected-configs no -# enable-debug-command no -# enable-module-command no - -# Accept connections on the specified port, default is 6379 (IANA #815344). -# If port 0 is specified Redis will not listen on a TCP socket. -port 6379 - -# TCP listen() backlog. -# -# In high requests-per-second environments you need a high backlog in order -# to avoid slow clients connection issues. Note that the Linux kernel -# will silently truncate it to the value of /proc/sys/net/core/somaxconn so -# make sure to raise both the value of somaxconn and tcp_max_syn_backlog -# in order to get the desired effect. -tcp-backlog 511 - -# Unix socket. -# -# Specify the path for the Unix socket that will be used to listen for -# incoming connections. There is no default, so Redis will not listen -# on a unix socket when not specified. -# -# unixsocket /run/redis.sock -# unixsocketperm 700 - -# Close the connection after a client is idle for N seconds (0 to disable) -timeout 0 - -# TCP keepalive. -# -# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence -# of communication. This is useful for two reasons: -# -# 1) Detect dead peers. -# 2) Force network equipment in the middle to consider the connection to be -# alive. -# -# On Linux, the specified value (in seconds) is the period used to send ACKs. -# Note that to close the connection the double of the time is needed. -# On other kernels the period depends on the kernel configuration. -# -# A reasonable value for this option is 300 seconds, which is the new -# Redis default starting with Redis 3.2.1. 
-tcp-keepalive 300 - -# Apply OS-specific mechanism to mark the listening socket with the specified -# ID, to support advanced routing and filtering capabilities. -# -# On Linux, the ID represents a connection mark. -# On FreeBSD, the ID represents a socket cookie ID. -# On OpenBSD, the ID represents a route table ID. -# -# The default value is 0, which implies no marking is required. -# socket-mark-id 0 - -################################# TLS/SSL ##################################### - -# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration -# directive can be used to define TLS-listening ports. To enable TLS on the -# default port, use: -# -# port 0 -# tls-port 6379 - -# Configure a X.509 certificate and private key to use for authenticating the -# server to connected clients, masters or cluster peers. These files should be -# PEM formatted. -# -# tls-cert-file redis.crt -# tls-key-file redis.key -# -# If the key file is encrypted using a passphrase, it can be included here -# as well. -# -# tls-key-file-pass secret - -# Normally Redis uses the same certificate for both server functions (accepting -# connections) and client functions (replicating from a master, establishing -# cluster bus connections, etc.). -# -# Sometimes certificates are issued with attributes that designate them as -# client-only or server-only certificates. In that case it may be desired to use -# different certificates for incoming (server) and outgoing (client) -# connections. To do that, use the following directives: -# -# tls-client-cert-file client.crt -# tls-client-key-file client.key -# -# If the key file is encrypted using a passphrase, it can be included here -# as well. -# -# tls-client-key-file-pass secret - -# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange, -# required by older versions of OpenSSL (<3.0). Newer versions do not require -# this configuration and recommend against it. 
-# -# tls-dh-params-file redis.dh - -# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL -# clients and peers. Redis requires an explicit configuration of at least one -# of these, and will not implicitly use the system wide configuration. -# -# tls-ca-cert-file ca.crt -# tls-ca-cert-dir /etc/ssl/certs - -# By default, clients (including replica servers) on a TLS port are required -# to authenticate using valid client side certificates. -# -# If "no" is specified, client certificates are not required and not accepted. -# If "optional" is specified, client certificates are accepted and must be -# valid if provided, but are not required. -# -# tls-auth-clients no -# tls-auth-clients optional - -# By default, a Redis replica does not attempt to establish a TLS connection -# with its master. -# -# Use the following directive to enable TLS on replication links. -# -# tls-replication yes - -# By default, the Redis Cluster bus uses a plain TCP connection. To enable -# TLS for the bus protocol, use the following directive: -# -# tls-cluster yes - -# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended -# that older formally deprecated versions are kept disabled to reduce the attack surface. -# You can explicitly specify TLS versions to support. -# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2", -# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination. -# To enable only TLSv1.2 and TLSv1.3, use: -# -# tls-protocols "TLSv1.2 TLSv1.3" - -# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information -# about the syntax of this string. -# -# Note: this configuration applies only to <= TLSv1.2. -# -# tls-ciphers DEFAULT:!MEDIUM - -# Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more -# information about the syntax of this string, and specifically for TLSv1.3 -# ciphersuites. 
-# -# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256 - -# When choosing a cipher, use the server's preference instead of the client -# preference. By default, the server follows the client's preference. -# -# tls-prefer-server-ciphers yes - -# By default, TLS session caching is enabled to allow faster and less expensive -# reconnections by clients that support it. Use the following directive to disable -# caching. -# -# tls-session-caching no - -# Change the default number of TLS sessions cached. A zero value sets the cache -# to unlimited size. The default size is 20480. -# -# tls-session-cache-size 5000 - -# Change the default timeout of cached TLS sessions. The default timeout is 300 -# seconds. -# -# tls-session-cache-timeout 60 - -################################# GENERAL ##################################### - -# By default Redis does not run as a daemon. Use 'yes' if you need it. -# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. -# When Redis is supervised by upstart or systemd, this parameter has no impact. -daemonize no - -# If you run Redis from upstart or systemd, Redis can interact with your -# supervision tree. Options: -# supervised no - no supervision interaction -# supervised upstart - signal upstart by putting Redis into SIGSTOP mode -# requires "expect stop" in your upstart job config -# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET -# on startup, and updating Redis status on a regular -# basis. -# supervised auto - detect upstart or systemd method based on -# UPSTART_JOB or NOTIFY_SOCKET environment variables -# Note: these supervision methods only signal "process is ready." -# They do not enable continuous pings back to your supervisor. -# -# The default is "no". To run under upstart/systemd, you can simply uncomment -# the line below: -# -# supervised auto - -# If a pid file is specified, Redis writes it where specified at startup -# and removes it at exit. 
-# -# When the server runs non daemonized, no pid file is created if none is -# specified in the configuration. When the server is daemonized, the pid file -# is used even if not specified, defaulting to "/var/run/redis.pid". -# -# Creating a pid file is best effort: if Redis is not able to create it -# nothing bad happens, the server will start and run normally. -# -# Note that on modern Linux systems "/run/redis.pid" is more conforming -# and should be used instead. -# pidfile /var/run/redis_6379.pid - -# Specify the server verbosity level. -# This can be one of: -# debug (a lot of information, useful for development/testing) -# verbose (many rarely useful info, but not a mess like the debug level) -# notice (moderately verbose, what you want in production probably) -# warning (only very important / critical messages are logged) -# nothing (nothing is logged) -loglevel notice - -# Specify the log file name. Also the empty string can be used to force -# Redis to log on the standard output. Note that if you use standard -# output for logging but daemonize, logs will be sent to /dev/null -logfile "" - -# To enable logging to the system logger, just set 'syslog-enabled' to yes, -# and optionally update the other syslog parameters to suit your needs. -# syslog-enabled no - -# Specify the syslog identity. -# syslog-ident redis - -# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. -# syslog-facility local0 - -# To disable the built in crash log, which will possibly produce cleaner core -# dumps when they are needed, uncomment the following: -# -# crash-log-enabled no - -# To disable the fast memory check that's run as part of the crash log, which -# will possibly let redis terminate sooner, uncomment the following: -# -# crash-memcheck-enabled no - -# Set the number of databases. 
The default database is DB 0, you can select -# a different one on a per-connection basis using SELECT where -# dbid is a number between 0 and 'databases'-1 -databases 16 - -# By default Redis shows an ASCII art logo only when started to log to the -# standard output and if the standard output is a TTY and syslog logging is -# disabled. Basically this means that normally a logo is displayed only in -# interactive sessions. -# -# However it is possible to force the pre-4.0 behavior and always show a -# ASCII art logo in startup logs by setting the following option to yes. -always-show-logo no - -# To avoid logging personal identifiable information (PII) into server log file, -# uncomment the following: -# -# hide-user-data-from-log yes - -# By default, Redis modifies the process title (as seen in 'top' and 'ps') to -# provide some runtime information. It is possible to disable this and leave -# the process name as executed by setting the following to no. -set-proc-title yes - -# When changing the process title, Redis uses the following template to construct -# the modified title. -# -# Template variables are specified in curly brackets. The following variables are -# supported: -# -# {title} Name of process as executed if parent, or type of child process. -# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or -# Unix socket if only that's available. -# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]". -# {port} TCP port listening on, or 0. -# {tls-port} TLS port listening on, or 0. -# {unixsocket} Unix domain socket listening on, or "". -# {config-file} Name of configuration file used. -# -proc-title-template "{title} {listen-addr} {server-mode}" - -# Set the local environment which is used for string comparison operations, and -# also affect the performance of Lua scripts. Empty String indicates the locale -# is derived from the environment variables. 
-locale-collate "" - -################################ SNAPSHOTTING ################################ - -# Save the DB to disk. -# -# save [ ...] -# -# Redis will save the DB if the given number of seconds elapsed and it -# surpassed the given number of write operations against the DB. -# -# Snapshotting can be completely disabled with a single empty string argument -# as in following example: -# -# save "" -# -# Unless specified otherwise, by default Redis will save the DB: -# * After 3600 seconds (an hour) if at least 1 change was performed -# * After 300 seconds (5 minutes) if at least 100 changes were performed -# * After 60 seconds if at least 10000 changes were performed -# -# You can set these explicitly by uncommenting the following line. -# -save 3600 1 300 100 60 10000 - -# By default Redis will stop accepting writes if RDB snapshots are enabled -# (at least one save point) and the latest background save failed. -# This will make the user aware (in a hard way) that data is not persisting -# on disk properly, otherwise chances are that no one will notice and some -# disaster will happen. -# -# If the background saving process will start working again Redis will -# automatically allow writes again. -# -# However if you have setup your proper monitoring of the Redis server -# and persistence, you may want to disable this feature so that Redis will -# continue to work as usual even if there are problems with disk, -# permissions, and so forth. -stop-writes-on-bgsave-error yes - -# Compress string objects using LZF when dump .rdb databases? -# By default compression is enabled as it's almost always a win. -# If you want to save some CPU in the saving child set it to 'no' but -# the dataset will likely be bigger if you have compressible values or keys. -rdbcompression yes - -# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. 
-# This makes the format more resistant to corruption but there is a performance -# hit to pay (around 10%) when saving and loading RDB files, so you can disable it -# for maximum performances. -# -# RDB files created with checksum disabled have a checksum of zero that will -# tell the loading code to skip the check. -rdbchecksum yes - -# Enables or disables full sanitization checks for ziplist and listpack etc when -# loading an RDB or RESTORE payload. This reduces the chances of a assertion or -# crash later on while processing commands. -# Options: -# no - Never perform full sanitization -# yes - Always perform full sanitization -# clients - Perform full sanitization only for user connections. -# Excludes: RDB files, RESTORE commands received from the master -# connection, and client connections which have the -# skip-sanitize-payload ACL flag. -# The default should be 'clients' but since it currently affects cluster -# resharding via MIGRATE, it is temporarily set to 'no' by default. -# -# sanitize-dump-payload no - -# The filename where to dump the DB -dbfilename dump.rdb - -# Remove RDB files used by replication in instances without persistence -# enabled. By default this option is disabled, however there are environments -# where for regulations or other security concerns, RDB files persisted on -# disk by masters in order to feed replicas, or stored on disk by replicas -# in order to load them for the initial synchronization, should be deleted -# ASAP. Note that this option ONLY WORKS in instances that have both AOF -# and RDB persistence disabled, otherwise is completely ignored. -# -# An alternative (and sometimes better) way to obtain the same effect is -# to use diskless replication on both master and replicas instances. However -# in the case of replicas, diskless is not always an option. -rdb-del-sync-files no - -# The working directory. 
-# -# The DB will be written inside this directory, with the filename specified -# above using the 'dbfilename' configuration directive. -# -# The Append Only File will also be created inside this directory. -# -# Note that you must specify a directory here, not a file name. -dir /data - -################################# REPLICATION ################################# - -# Master-Replica replication. Use replicaof to make a Redis instance a copy of -# another Redis server. A few things to understand ASAP about Redis replication. -# -# +------------------+ +---------------+ -# | Master | ---> | Replica | -# | (receive writes) | | (exact copy) | -# +------------------+ +---------------+ -# -# 1) Redis replication is asynchronous, but you can configure a master to -# stop accepting writes if it appears to be not connected with at least -# a given number of replicas. -# 2) Redis replicas are able to perform a partial resynchronization with the -# master if the replication link is lost for a relatively small amount of -# time. You may want to configure the replication backlog size (see the next -# sections of this file) with a sensible value depending on your needs. -# 3) Replication is automatic and does not need user intervention. After a -# network partition replicas automatically try to reconnect to masters -# and resynchronize with them. -# -# replicaof - -# If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the replica to authenticate before -# starting the replication synchronization process, otherwise the master will -# refuse the replica request. -# -# masterauth -# -# However this is not enough if you are using Redis ACLs (for Redis version -# 6 or greater), and the default user is not capable of running the PSYNC -# command and/or other commands needed for replication. 
In this case it's -# better to configure a special user to use with replication, and specify the -# masteruser configuration as such: -# -# masteruser -# -# When masteruser is specified, the replica will authenticate against its -# master using the new AUTH form: AUTH . - -# When a replica loses its connection with the master, or when the replication -# is still in progress, the replica can act in two different ways: -# -# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will -# still reply to client requests, possibly with out of date data, or the -# data set may just be empty if this is the first synchronization. -# -# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error -# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'" -# to all data access commands, excluding commands such as: -# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, -# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, -# HOST and LATENCY. -# -replica-serve-stale-data yes - -# You can configure a replica instance to accept writes or not. Writing against -# a replica instance may be useful to store some ephemeral data (because data -# written on a replica will be easily deleted after resync with the master) but -# may also cause problems if clients are writing to it because of a -# misconfiguration. -# -# Since Redis 2.6 by default replicas are read-only. -# -# Note: read only replicas are not designed to be exposed to untrusted clients -# on the internet. It's just a protection layer against misuse of the instance. -# Still a read only replica exports by default all the administrative commands -# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only replicas using 'rename-command' to shadow all the -# administrative / dangerous commands. -replica-read-only yes - -# Replication SYNC strategy: disk or socket. 
-# -# New replicas and reconnecting replicas that are not able to continue the -# replication process just receiving differences, need to do what is called a -# "full synchronization". An RDB file is transmitted from the master to the -# replicas. -# -# The transmission can happen in two different ways: -# -# 1) Disk-backed: The Redis master creates a new process that writes the RDB -# file on disk. Later the file is transferred by the parent -# process to the replicas incrementally. -# 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to replica sockets, without touching the disk at all. -# -# With disk-backed replication, while the RDB file is generated, more replicas -# can be queued and served with the RDB file as soon as the current child -# producing the RDB file finishes its work. With diskless replication instead -# once the transfer starts, new replicas arriving will be queued and a new -# transfer will start when the current one terminates. -# -# When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple -# replicas will arrive and the transfer can be parallelized. -# -# With slow disks and fast (large bandwidth) networks, diskless replication -# works better. -repl-diskless-sync yes - -# When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that transfers the RDB via socket -# to the replicas. -# -# This is important since once the transfer starts, it is not possible to serve -# new replicas arriving, that will be queued for the next RDB transfer, so the -# server waits a delay in order to let more replicas arrive. -# -# The delay is specified in seconds, and by default is 5 seconds. To disable -# it entirely just set it to 0 seconds and the transfer will start ASAP. 
-repl-diskless-sync-delay 5 - -# When diskless replication is enabled with a delay, it is possible to let -# the replication start before the maximum delay is reached if the maximum -# number of replicas expected have connected. Default of 0 means that the -# maximum is not defined and Redis will wait the full delay. -repl-diskless-sync-max-replicas 0 - -# ----------------------------------------------------------------------------- -# WARNING: Since in this setup the replica does not immediately store an RDB on -# disk, it may cause data loss during failovers. RDB diskless load + Redis -# modules not handling I/O reads may cause Redis to abort in case of I/O errors -# during the initial synchronization stage with the master. -# ----------------------------------------------------------------------------- -# -# Replica can load the RDB it reads from the replication link directly from the -# socket, or store the RDB to a file and read that file after it was completely -# received from the master. -# -# In many cases the disk is slower than the network, and storing and loading -# the RDB file may increase replication time (and even increase the master's -# Copy on Write memory and replica buffers). -# However, when parsing the RDB file directly from the socket, in order to avoid -# data loss it's only safe to flush the current dataset when the new dataset is -# fully loaded in memory, resulting in higher memory usage. -# For this reason we have the following options: -# -# "disabled" - Don't use diskless load (store the rdb file to the disk first) -# "swapdb" - Keep current db contents in RAM while parsing the data directly -# from the socket. Replicas in this mode can keep serving current -# dataset while replication is in progress, except for cases where -# they can't recognize master as having a data set from same -# replication history. -# Note that this requires sufficient memory, if you don't have it, -# you risk an OOM kill. 
-# "on-empty-db" - Use diskless load only when current dataset is empty. This is
-# safer and avoid having old and new dataset loaded side by side
-# during replication.
-repl-diskless-load disabled
-
-# Master send PINGs to its replicas in a predefined interval. It's possible to
-# change this interval with the repl-ping-replica-period option. The default
-# value is 10 seconds.
-#
-# repl-ping-replica-period 10
-
-# The following option sets the replication timeout for:
-#
-# 1) Bulk transfer I/O during SYNC, from the point of view of replica.
-# 2) Master timeout from the point of view of replicas (data, pings).
-# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings).
-#
-# It is important to make sure that this value is greater than the value
-# specified for repl-ping-replica-period otherwise a timeout will be detected
-# every time there is low traffic between the master and the replica. The default
-# value is 60 seconds.
-#
-# repl-timeout 60
-
-# Disable TCP_NODELAY on the replica socket after SYNC?
-#
-# If you select "yes" Redis will use a smaller number of TCP packets and
-# less bandwidth to send data to replicas. But this can add a delay for
-# the data to appear on the replica side, up to 40 milliseconds with
-# Linux kernels using a default configuration.
-#
-# If you select "no" the delay for data to appear on the replica side will
-# be reduced but more bandwidth will be used for replication.
-#
-# By default we optimize for low latency, but in very high traffic conditions
-# or when the master and replicas are many hops away, turning this to "yes" may
-# be a good idea.
-repl-disable-tcp-nodelay no
-
-# Set the replication backlog size. The backlog is a buffer that accumulates
-# replica data when replicas are disconnected for some time, so that when a
-# replica wants to reconnect again, often a full resync is not needed, but a
-# partial resync is enough, just passing the portion of data the replica
-# missed while disconnected.
-#
-# The bigger the replication backlog, the longer the replica can endure the
-# disconnect and later be able to perform a partial resynchronization.
-#
-# The backlog is only allocated if there is at least one replica connected.
-#
-# repl-backlog-size 1mb
-
-# After a master has no connected replicas for some time, the backlog will be
-# freed. The following option configures the amount of seconds that need to
-# elapse, starting from the time the last replica disconnected, for the backlog
-# buffer to be freed.
-#
-# Note that replicas never free the backlog for timeout, since they may be
-# promoted to masters later, and should be able to correctly "partially
-# resynchronize" with other replicas: hence they should always accumulate backlog.
-#
-# A value of 0 means to never release the backlog.
-#
-# repl-backlog-ttl 3600
-
-# During a fullsync, the master may decide to send both the RDB file and the
-# replication stream to the replica in parallel. This approach shifts the
-# responsibility of buffering the replication stream to the replica during the
-# fullsync process. The replica accumulates the replication stream data until
-# the RDB file is fully loaded. Once the RDB delivery is completed and
-# successfully loaded, the replica begins processing and applying the
-# accumulated replication data to the db. The configuration below controls how
-# much replication data the replica can accumulate during a fullsync.
-#
-# When the replica reaches this limit, it will stop accumulating further data.
-# At this point, additional data accumulation may occur on the master side
-# depending on the 'client-output-buffer-limit ' config of master.
-#
-# A value of 0 means replica inherits hard limit of
-# 'client-output-buffer-limit ' config to limit accumulation size.
-#
-# replica-full-sync-buffer-limit 0
-
-# The replica priority is an integer number published by Redis in the INFO
-# output. It is used by Redis Sentinel in order to select a replica to promote
-# into a master if the master is no longer working correctly.
-#
-# A replica with a low priority number is considered better for promotion, so
-# for instance if there are three replicas with priority 10, 100, 25 Sentinel
-# will pick the one with priority 10, that is the lowest.
-#
-# However a special priority of 0 marks the replica as not able to perform the
-# role of master, so a replica with priority of 0 will never be selected by
-# Redis Sentinel for promotion.
-#
-# By default the priority is 100.
-replica-priority 100
-
-# The propagation error behavior controls how Redis will behave when it is
-# unable to handle a command being processed in the replication stream from a master
-# or processed while reading from an AOF file. Errors that occur during propagation
-# are unexpected, and can cause data inconsistency. However, there are edge cases
-# in earlier versions of Redis where it was possible for the server to replicate or persist
-# commands that would fail on future versions. For this reason the default behavior
-# is to ignore such errors and continue processing commands.
-#
-# If an application wants to ensure there is no data divergence, this configuration
-# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
-# to only panic when a replica encounters an error on the replication stream. One of
-# these two panic values will become the default value in the future once there are
-# sufficient safety mechanisms in place to prevent false positive crashes.
-#
-# propagation-error-behavior ignore
-
-# Replica ignore disk write errors controls the behavior of a replica when it is
-# unable to persist a write command received from its master to disk. By default,
-# this configuration is set to 'no' and will crash the replica in this condition.
-# It is not recommended to change this default, however in order to be compatible
-# with older versions of Redis this config can be toggled to 'yes' which will just
-# log a warning and execute the write command it got from the master.
-#
-# replica-ignore-disk-write-errors no
-
-# -----------------------------------------------------------------------------
-# By default, Redis Sentinel includes all replicas in its reports. A replica
-# can be excluded from Redis Sentinel's announcements. An unannounced replica
-# will be ignored by the 'sentinel replicas ' command and won't be
-# exposed to Redis Sentinel's clients.
-#
-# This option does not change the behavior of replica-priority. Even with
-# replica-announced set to 'no', the replica can be promoted to master. To
-# prevent this behavior, set replica-priority to 0.
-#
-# replica-announced yes
-
-# It is possible for a master to stop accepting writes if there are less than
-# N replicas connected, having a lag less or equal than M seconds.
-#
-# The N replicas need to be in "online" state.
-#
-# The lag in seconds, that must be <= the specified value, is calculated from
-# the last ping received from the replica, that is usually sent every second.
-#
-# This option does not GUARANTEE that N replicas will accept the write, but
-# will limit the window of exposure for lost writes in case not enough replicas
-# are available, to the specified number of seconds.
-#
-# For example to require at least 3 replicas with a lag <= 10 seconds use:
-#
-# min-replicas-to-write 3
-# min-replicas-max-lag 10
-#
-# Setting one or the other to 0 disables the feature.
-#
-# By default min-replicas-to-write is set to 0 (feature disabled) and
-# min-replicas-max-lag is set to 10.
-
-# A Redis master is able to list the address and port of the attached
-# replicas in different ways. For example the "INFO replication" section
-# offers this information, which is used, among other tools, by
-# Redis Sentinel in order to discover replica instances.
-# Another place where this info is available is in the output of the
-# "ROLE" command of a master.
-#
-# The listed IP address and port normally reported by a replica is
-# obtained in the following way:
-#
-# IP: The address is auto detected by checking the peer address
-# of the socket used by the replica to connect with the master.
-#
-# Port: The port is communicated by the replica during the replication
-# handshake, and is normally the port that the replica is using to
-# listen for connections.
-#
-# However when port forwarding or Network Address Translation (NAT) is
-# used, the replica may actually be reachable via different IP and port
-# pairs. The following two options can be used by a replica in order to
-# report to its master a specific set of IP and port, so that both INFO
-# and ROLE will report those values.
-#
-# There is no need to use both the options if you need to override just
-# the port or the IP address.
-#
-# replica-announce-ip 5.5.5.5
-# replica-announce-port 1234
-
-############################### KEYS TRACKING #################################
-
-# Redis implements server assisted support for client side caching of values.
-# This is implemented using an invalidation table that remembers, using
-# a radix key indexed by key name, what clients have which keys. In turn
-# this is used in order to send invalidation messages to clients. Please
-# check this page to understand more about the feature:
-#
-# https://redis.io/docs/latest/develop/use/client-side-caching/
-#
-# When tracking is enabled for a client, all the read only queries are assumed
-# to be cached: this will force Redis to store information in the invalidation
-# table. When keys are modified, such information is flushed away, and
-# invalidation messages are sent to the clients. However if the workload is
-# heavily dominated by reads, Redis could use more and more memory in order
-# to track the keys fetched by many clients.
-#
-# For this reason it is possible to configure a maximum fill value for the
-# invalidation table. By default it is set to 1M of keys, and once this limit
-# is reached, Redis will start to evict keys in the invalidation table
-# even if they were not modified, just to reclaim memory: this will in turn
-# force the clients to invalidate the cached values. Basically the table
-# maximum size is a trade off between the memory you want to spend server
-# side to track information about who cached what, and the ability of clients
-# to retain cached objects in memory.
-#
-# If you set the value to 0, it means there are no limits, and Redis will
-# retain as many keys as needed in the invalidation table.
-# In the "stats" INFO section, you can find information about the number of
-# keys in the invalidation table at every given moment.
-#
-# Note: when key tracking is used in broadcasting mode, no memory is used
-# in the server side so this setting is useless.
-#
-# tracking-table-max-keys 1000000
-
-################################## SECURITY ###################################
-
-# Warning: since Redis is pretty fast, an outside user can try up to
-# 1 million passwords per second against a modern box. This means that you
-# should use very strong passwords, otherwise they will be very easy to break.
-# Note that because the password is really a shared secret between the client
-# and the server, and should not be memorized by any human, the password
-# can be easily a long string from /dev/urandom or whatever, so by using a
-# long and unguessable password no brute force attack will be possible.
-
-# Redis ACL users are defined in the following format:
-#
-# user ... acl rules ...
-#
-# For example:
-#
-# user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
-#
-# The special username "default" is used for new connections. If this user
-# has the "nopass" rule, then new connections will be immediately authenticated
-# as the "default" user without the need of any password provided via the
-# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
-# the connections will start in not authenticated state, and will require
-# AUTH (or the HELLO command AUTH option) in order to be authenticated and
-# start to work.
-#
-# The ACL rules that describe what a user can do are the following:
-#
-# on Enable the user: it is possible to authenticate as this user.
-# off Disable the user: it's no longer possible to authenticate
-# with this user, however the already authenticated connections
-# will still work.
-# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
-# sanitize-payload RESTORE dump-payload is sanitized (default).
-# + Allow the execution of that command.
-# May be used with `|` for allowing subcommands (e.g "+config|get")
-# - Disallow the execution of that command.
-# May be used with `|` for blocking subcommands (e.g "-config|set")
-# +@ Allow the execution of all the commands in such category
-# with valid categories are like @admin, @set, @sortedset, ...
-# and so forth, see the full list in the server.c file where
-# the Redis command table is described and defined.
-# The special category @all means all the commands, but currently
-# present in the server, and that will be loaded in the future
-# via modules.
-# +|first-arg Allow a specific first argument of an otherwise
-# disabled command. It is only supported on commands with
-# no sub-commands, and is not allowed as negative form
-# like -SELECT|1, only additive starting with "+". This
-# feature is deprecated and may be removed in the future.
-# allcommands Alias for +@all. Note that it implies the ability to execute
-# all the future commands loaded via the modules system.
-# nocommands Alias for -@all.
-# ~ Add a pattern of keys that can be mentioned as part of
-# commands. For instance ~* allows all the keys. The pattern
-# is a glob-style pattern like the one of KEYS.
-# It is possible to specify multiple patterns.
-# %R~ Add key read pattern that specifies which keys can be read
-# from.
-# %W~ Add key write pattern that specifies which keys can be
-# written to.
-# allkeys Alias for ~*
-# resetkeys Flush the list of allowed keys patterns.
-# & Add a glob-style pattern of Pub/Sub channels that can be
-# accessed by the user. It is possible to specify multiple channel
-# patterns.
-# allchannels Alias for &*
-# resetchannels Flush the list of allowed channel patterns.
-# > Add this password to the list of valid password for the user.
-# For example >mypass will add "mypass" to the list.
-# This directive clears the "nopass" flag (see later).
-# < Remove this password from the list of valid passwords.
-# nopass All the set passwords of the user are removed, and the user
-# is flagged as requiring no password: it means that every
-# password will work against this user. If this directive is
-# used for the default user, every new connection will be
-# immediately authenticated with the default user without
-# any explicit AUTH command required. Note that the "resetpass"
-# directive will clear this condition.
-# resetpass Flush the list of allowed passwords. Moreover removes the
-# "nopass" status. After "resetpass" the user has no associated
-# passwords and there is no way to authenticate without adding
-# some password (or setting it as "nopass" later).
-# reset Performs the following actions: resetpass, resetkeys, resetchannels,
-# allchannels (if acl-pubsub-default is set), off, clearselectors, -@all.
-# The user returns to the same state it has immediately after its creation.
-# () Create a new selector with the options specified within the
-# parentheses and attach it to the user. Each option should be
-# space separated. The first character must be ( and the last
-# character must be ).
-# clearselectors Remove all of the currently attached selectors.
-# Note this does not change the "root" user permissions,
-# which are the permissions directly applied onto the
-# user (outside the parentheses).
-#
-# ACL rules can be specified in any order: for instance you can start with
-# passwords, then flags, or key patterns. However note that the additive
-# and subtractive rules will CHANGE MEANING depending on the ordering.
-# For instance see the following example:
-#
-# user alice on +@all -DEBUG ~* >somepassword
-#
-# This will allow "alice" to use all the commands with the exception of the
-# DEBUG command, since +@all added all the commands to the set of the commands
-# alice can use, and later DEBUG was removed. However if we invert the order
-# of two ACL rules the result will be different:
-#
-# user alice on -DEBUG +@all ~* >somepassword
-#
-# Now DEBUG was removed when alice had yet no commands in the set of allowed
-# commands, later all the commands are added, so the user will be able to
-# execute everything.
-#
-# Basically ACL rules are processed left-to-right.
-#
-# The following is a list of command categories and their meanings:
-# * keyspace - Writing or reading from keys, databases, or their metadata
-# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
-# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
-# key or metadata will also have `write` category. Commands that only read
-# the keyspace, key or metadata will have the `read` category.
-# * read - Reading from keys (values or metadata). Note that commands that don't
-# interact with keys, will not have either `read` or `write`.
-# * write - Writing to keys (values or metadata)
-# * admin - Administrative commands. Normal applications will never need to use
-# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
-# * dangerous - Potentially dangerous (each should be considered with care for
-# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
-# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
-# * connection - Commands affecting the connection or other connections.
-# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
-# * blocking - Potentially blocking the connection until released by another
-# command.
-# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
-# number of elements in the key.
-# * slow - All commands that are not Fast.
-# * pubsub - PUBLISH / SUBSCRIBE related
-# * transaction - WATCH / MULTI / EXEC related commands.
-# * scripting - Scripting related.
-# * set - Data type: sets related.
-# * sortedset - Data type: zsets related.
-# * list - Data type: lists related.
-# * hash - Data type: hashes related.
-# * string - Data type: strings related.
-# * bitmap - Data type: bitmaps related.
-# * hyperloglog - Data type: hyperloglog related.
-# * geo - Data type: geo related.
-# * stream - Data type: streams related.
-#
-# For more information about ACL configuration please refer to
-# the Redis web site at https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/
-
-# ACL LOG
-#
-# The ACL Log tracks failed commands and authentication events associated
-# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
-# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
-# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
-acllog-max-len 128
-
-# Using an external ACL file
-#
-# Instead of configuring users here in this file, it is possible to use
-# a stand-alone file just listing users. The two methods cannot be mixed:
-# if you configure users here and at the same time you activate the external
-# ACL file, the server will refuse to start.
-#
-# The format of the external ACL user file is exactly the same as the
-# format that is used inside redis.conf to describe users.
-#
-# aclfile /etc/redis/users.acl
-
-# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
-# layer on top of the new ACL system. The option effect will be just setting
-# the password for the default user. Clients will still authenticate using
-# AUTH as usually, or more explicitly with AUTH default
-# if they follow the new protocol: both will work.
-#
-# The requirepass is not compatible with aclfile option and the ACL LOAD
-# command, these will cause requirepass to be ignored.
-#
-# requirepass foobared
-
-# New users are initialized with restrictive permissions by default, via the
-# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
-# is possible to manage access to Pub/Sub channels with ACL rules as well. The
-# default Pub/Sub channels permission if new users is controlled by the
-# acl-pubsub-default configuration directive, which accepts one of these values:
-#
-# allchannels: grants access to all Pub/Sub channels
-# resetchannels: revokes access to all Pub/Sub channels
-#
-# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
-#
-# acl-pubsub-default resetchannels
-
-# Command renaming (DEPRECATED).
-#
-# ------------------------------------------------------------------------
-# WARNING: avoid using this option if possible. Instead use ACLs to remove
-# commands from the default user, and put them only in some admin user you
-# create for administrative purposes.
-# ------------------------------------------------------------------------
-#
-# It is possible to change the name of dangerous commands in a shared
-# environment. For instance the CONFIG command may be renamed into something
-# hard to guess so that it will still be available for internal-use tools
-# but not available for general clients.
-#
-# Example:
-#
-# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
-#
-# It is also possible to completely kill a command by renaming it into
-# an empty string:
-#
-# rename-command CONFIG ""
-#
-# Please note that changing the name of commands that are logged into the
-# AOF file or transmitted to replicas may cause problems.
-
-################################### CLIENTS ####################################
-
-# Set the max number of connected clients at the same time. By default
-# this limit is set to 10000 clients, however if the Redis server is not
-# able to configure the process file limit to allow for the specified limit
-# the max number of allowed clients is set to the current file limit
-# minus 32 (as Redis reserves a few file descriptors for internal uses).
-#
-# Once the limit is reached Redis will close all the new connections sending
-# an error 'max number of clients reached'.
-#
-# IMPORTANT: When Redis Cluster is used, the max number of connections is also
-# shared with the cluster bus: every node in the cluster will use two
-# connections, one incoming and another outgoing. It is important to size the
-# limit accordingly in case of very large clusters.
-#
-# maxclients 10000
-
-############################## MEMORY MANAGEMENT ################################
-
-# Set a memory usage limit to the specified amount of bytes.
-# When the memory limit is reached Redis will try to remove keys
-# according to the eviction policy selected (see maxmemory-policy).
-#
-# If Redis can't remove keys according to the policy, or if the policy is
-# set to 'noeviction', Redis will start to reply with errors to commands
-# that would use more memory, like SET, LPUSH, and so on, and will continue
-# to reply to read-only commands like GET.
-#
-# This option is usually useful when using Redis as an LRU or LFU cache, or to
-# set a hard memory limit for an instance (using the 'noeviction' policy).
-#
-# WARNING: If you have replicas attached to an instance with maxmemory on,
-# the size of the output buffers needed to feed the replicas are subtracted
-# from the used memory count, so that network problems / resyncs will
-# not trigger a loop where keys are evicted, and in turn the output
-# buffer of replicas is full with DELs of keys evicted triggering the deletion
-# of more keys, and so forth until the database is completely emptied.
-#
-# In short... if you have replicas attached it is suggested that you set a lower
-# limit for maxmemory so that there is some free RAM on the system for replica
-# output buffers (but this is not needed if the policy is 'noeviction').
-#
-# maxmemory
-
-# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
-# is reached. You can select one from the following behaviors:
-#
-# volatile-lru -> Evict using approximated LRU, only keys with an expire set.
-# allkeys-lru -> Evict any key using approximated LRU.
-# volatile-lfu -> Evict using approximated LFU, only keys with an expire set.
-# allkeys-lfu -> Evict any key using approximated LFU.
-# volatile-random -> Remove a random key having an expire set.
-# allkeys-random -> Remove a random key, any key.
-# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
-# noeviction -> Don't evict anything, just return an error on write operations.
-#
-# LRU means Least Recently Used
-# LFU means Least Frequently Used
-#
-# Both LRU, LFU and volatile-ttl are implemented using approximated
-# randomized algorithms.
-#
-# Note: with any of the above policies, when there are no suitable keys for
-# eviction, Redis will return an error on write operations that require
-# more memory. These are usually commands that create new keys, add data or
-# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE,
-# SORT (due to the STORE argument), and EXEC (if the transaction includes any
-# command that requires memory).
-#
-# The default is:
-#
-maxmemory-policy volatile-lru
-
-# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
-# algorithms (in order to save memory), so you can tune it for speed or
-# accuracy. By default Redis will check five keys and pick the one that was
-# used least recently, you can change the sample size using the following
-# configuration directive.
-#
-# The default of 5 produces good enough results. 10 Approximates very closely
-# true LRU but costs more CPU. 3 is faster but not very accurate. The maximum
-# value that can be set is 64.
-#
-# maxmemory-samples 5
-
-# Eviction processing is designed to function well with the default setting.
-# If there is an unusually large amount of write traffic, this value may need to
-# be increased. Decreasing this value may reduce latency at the risk of
-# eviction processing effectiveness
-# 0 = minimum latency, 10 = default, 100 = process without regard to latency
-#
-# maxmemory-eviction-tenacity 10
-
-# Starting from Redis 5, by default a replica will ignore its maxmemory setting
-# (unless it is promoted to master after a failover or manually). It means
-# that the eviction of keys will be just handled by the master, sending the
-# DEL commands to the replica as keys evict in the master side.
-#
-# This behavior ensures that masters and replicas stay consistent, and is usually
-# what you want, however if your replica is writable, or you want the replica
-# to have a different memory setting, and you are sure all the writes performed
-# to the replica are idempotent, then you may change this default (but be sure
-# to understand what you are doing).
-#
-# Note that since the replica by default does not evict, it may end using more
-# memory than the one set via maxmemory (there are certain buffers that may
-# be larger on the replica, or data structures may sometimes take more memory
-# and so forth). So make sure you monitor your replicas and make sure they
-# have enough memory to never hit a real out-of-memory condition before the
-# master hits the configured maxmemory setting.
-#
-# replica-ignore-maxmemory yes
-
-# Redis reclaims expired keys in two ways: upon access when those keys are
-# found to be expired, and also in background, in what is called the
-# "active expire key". The key space is slowly and interactively scanned
-# looking for expired keys to reclaim, so that it is possible to free memory
-# of keys that are expired and will never be accessed again in a short time.
-#
-# The default effort of the expire cycle will try to avoid having more than
-# ten percent of expired keys still in memory, and will try to avoid consuming
-# more than 25% of total memory and to add latency to the system. However
-# it is possible to increase the expire "effort" that is normally set to
-# "1", to a greater value, up to the value "10". At its maximum value the
-# system will use more CPU, longer cycles (and technically may introduce
-# more latency), and will tolerate less already expired keys still present
-# in the system. It's a tradeoff between memory, CPU and latency.
-#
-# active-expire-effort 1
-
-############################# LAZY FREEING ####################################
-
-# Redis has two primitives to delete keys. One is called DEL and is a blocking
-# deletion of the object. It means that the server stops processing new commands
-# in order to reclaim all the memory associated with an object in a synchronous
-# way. If the key deleted is associated with a small object, the time needed
-# in order to execute the DEL command is very small and comparable to most other
-# O(1) or O(log_N) commands in Redis. However if the key is associated with an
-# aggregated value containing millions of elements, the server can block for
-# a long time (even seconds) in order to complete the operation.
-#
-# For the above reasons Redis also offers non blocking deletion primitives
-# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and
-# FLUSHDB commands, in order to reclaim memory in background. Those commands
-# are executed in constant time. Another thread will incrementally free the
-# object in the background as fast as possible.
-#
-# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled.
-# It's up to the design of the application to understand when it is a good
-# idea to use one or the other. However the Redis server sometimes has to
-# delete keys or flush the whole database as a side effect of other operations.
-# Specifically Redis deletes objects independently of a user call in the
-# following scenarios:
-#
-# 1) On eviction, because of the maxmemory and maxmemory policy configurations,
-# in order to make room for new data, without going over the specified
-# memory limit.
-# 2) Because of expire: when a key with an associated time to live (see the
-# EXPIRE command) must be deleted from memory.
-# 3) Because of a side effect of a command that stores data on a key that may
-# already exist. For example the RENAME command may delete the old key
-# content when it is replaced with another one. Similarly SUNIONSTORE
-# or SORT with STORE option may delete existing keys. The SET command
-# itself removes any old content of the specified key in order to replace
-# it with the specified string.
-# 4) During replication, when a replica performs a full resynchronization with
-# its master, the content of the whole database is removed in order to
-# load the RDB file just transferred.
-#
-# In all the above cases the default is to delete objects in a blocking way,
-# like if DEL was called. However you can configure each case specifically
-# in order to instead release memory in a non-blocking way like if UNLINK
-# was called, using the following configuration directives.
-
-lazyfree-lazy-eviction no
-lazyfree-lazy-expire no
-lazyfree-lazy-server-del no
-replica-lazy-flush no
-
-# It is also possible, for the case when to replace the user code DEL calls
-# with UNLINK calls is not easy, to modify the default behavior of the DEL
-# command to act exactly like UNLINK, using the following configuration
-# directive:
-
-lazyfree-lazy-user-del no
-
-# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
-# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
-# commands. When neither flag is passed, this directive will be used to determine
-# if the data should be deleted asynchronously.
-
-lazyfree-lazy-user-flush no
-
-################################ THREADED I/O #################################
-
-# Redis is mostly single threaded, however there are certain threaded
-# operations such as UNLINK, slow I/O accesses and other things that are
-# performed on side threads.
-#
-# Now it is also possible to handle Redis clients socket reads and writes
-# in different I/O threads. Since especially writing is so slow, normally
-# Redis users use pipelining in order to speed up the Redis performances per
-# core, and spawn multiple instances in order to scale more. Using I/O
-# threads it is possible to easily speedup several times Redis without resorting
-# to pipelining nor sharding of the instance.
-#
-# By default threading is disabled, we suggest enabling it only in machines
-# that have at least 4 or more cores, leaving at least one spare core.
-# We also recommend using threaded I/O only if you actually have performance
-# problems, with Redis instances being able to use a quite big percentage of
-# CPU time, otherwise there is no point in using this feature.
-#
-# So for instance if you have a four cores boxes, try to use 3 I/O
-# threads, if you have a 8 cores, try to use 7 threads. In order to
-# enable I/O threads use the following configuration directive:
-#
-# io-threads 4
-#
-# Setting io-threads to 1 will just use the main thread as usual.
-# When I/O threads are enabled, we not only use threads for writes, that
-# is to thread the write(2) syscall and transfer the client buffers to the
-# socket, but also use threads for reads and protocol parsing.
-#
-# NOTE: If you want to test the Redis speedup using redis-benchmark, make
-# sure you also run the benchmark itself in threaded mode, using the
-# --threads option to match the number of Redis threads, otherwise you'll not
-# be able to notice the improvements.
-
-############################ KERNEL OOM CONTROL ##############################
-
-# On Linux, it is possible to hint the kernel OOM killer on what processes
-# should be killed first when out of memory.
-#
-# Enabling this feature makes Redis actively control the oom_score_adj value
-# for all its processes, depending on their role. The default scores will
-# attempt to have background child processes killed before all others, and
-# replicas killed before masters.
-#
-# Redis supports these options:
-#
-# no: Don't make changes to oom-score-adj (default).
-# yes: Alias to "relative" see below.
-# absolute: Values in oom-score-adj-values are written as is to the kernel.
-# relative: Values are used relative to the initial value of oom_score_adj when
-# the server starts and are then clamped to a range of -1000 to 1000.
-# Because typically the initial value is 0, they will often match the
-# absolute values.
-oom-score-adj no
-
-# When oom-score-adj is used, this directive controls the specific values used
-# for master, replica and background child processes. Values range -2000 to
-# 2000 (higher means more likely to be killed).
-#
-# Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities)
-# can freely increase their value, but not decrease it below its initial
-# settings. This means that setting oom-score-adj to "relative" and setting the
-# oom-score-adj-values to positive values will always succeed.
-oom-score-adj-values 0 200 800
-
-
-#################### KERNEL transparent hugepage CONTROL ######################
-
-# Usually the kernel Transparent Huge Pages control is set to "madvise" or
-# "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
-# case this config has no effect. On systems in which it is set to "always",
-# redis will attempt to disable it specifically for the redis process in order
-# to avoid latency problems specifically with fork(2) and CoW.
-# If for some reason you prefer to keep it enabled, you can set this config to
-# "no" and the kernel global to "always".
-
-disable-thp yes
-
-############################## APPEND ONLY MODE ###############################
-
-# By default Redis asynchronously dumps the dataset on disk. This mode is
-# good enough in many applications, but an issue with the Redis process or
-# a power outage may result into a few minutes of writes lost (depending on
-# the configured save points).
-#
-# The Append Only File is an alternative persistence mode that provides
-# much better durability.
For instance using the default data fsync policy
-# (see later in the config file) Redis can lose just one second of writes in a
-# dramatic event like a server power outage, or a single write if something
-# wrong with the Redis process itself happens, but the operating system is
-# still running correctly.
-#
-# AOF and RDB persistence can be enabled at the same time without problems.
-# If the AOF is enabled on startup Redis will load the AOF, that is the file
-# with the better durability guarantees.
-#
-# Note that changing this value in a config file of an existing database and
-# restarting the server can lead to data loss. A conversion needs to be done
-# by setting it via CONFIG command on a live server first.
-#
-# Please check https://redis.io/docs/latest/operate/oss_and_stack/management/persistence/ for more information.
-
-appendonly no
-
-# The base name of the append only file.
-#
-# Redis 7 and newer use a set of append-only files to persist the dataset
-# and changes applied to it. There are two basic types of files in use:
-#
-# - Base files, which are a snapshot representing the complete state of the
-# dataset at the time the file was created. Base files can be either in
-# the form of RDB (binary serialized) or AOF (textual commands).
-# - Incremental files, which contain additional commands that were applied
-# to the dataset following the previous file.
-#
-# In addition, manifest files are used to track the files and the order in
-# which they were created and should be applied.
-#
-# Append-only file names are created by Redis following a specific pattern.
-# The file name's prefix is based on the 'appendfilename' configuration
-# parameter, followed by additional information about the sequence and type.
-#
-# For example, if appendfilename is set to appendonly.aof, the following file
-# names could be derived:
-#
-# - appendonly.aof.1.base.rdb as a base file.
-# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
-# - appendonly.aof.manifest as a manifest file.
-
-appendfilename "appendonly.aof"
-
-# For convenience, Redis stores all persistent append-only files in a dedicated
-# directory. The name of the directory is determined by the appenddirname
-# configuration parameter.
-
-appenddirname "appendonlydir"
-
-# The fsync() call tells the Operating System to actually write data on disk
-# instead of waiting for more data in the output buffer. Some OS will really flush
-# data on disk, some other OS will just try to do it ASAP.
-#
-# Redis supports three different modes:
-#
-# no: don't fsync, just let the OS flush the data when it wants. Faster.
-# always: fsync after every write to the append only log. Slow, Safest.
-# everysec: fsync only one time every second. Compromise.
-#
-# The default is "everysec", as that's usually the right compromise between
-# speed and data safety. It's up to you to understand if you can relax this to
-# "no" that will let the operating system flush the output buffer when
-# it wants, for better performances (but if you can live with the idea of
-# some data loss consider the default persistence mode that's snapshotting),
-# or on the contrary, use "always" that's very slow but a bit safer than
-# everysec.
-#
-# More details please check the following article:
-# http://antirez.com/post/redis-persistence-demystified.html
-#
-# If unsure, use "everysec".
-
-# appendfsync always
-appendfsync everysec
-# appendfsync no
-
-# When the AOF fsync policy is set to always or everysec, and a background
-# saving process (a background save or AOF log background rewriting) is
-# performing a lot of I/O against the disk, in some Linux configurations
-# Redis may block too long on the fsync() call. Note that there is no fix for
-# this currently, as even performing fsync in a different thread will block
-# our synchronous write(2) call.
-#
-# In order to mitigate this problem it's possible to use the following option
-# that will prevent fsync() from being called in the main process while a
-# BGSAVE or BGREWRITEAOF is in progress.
-#
-# This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync no". In practical terms, this means that it is
-# possible to lose up to 30 seconds of log in the worst scenario (with the
-# default Linux settings).
-#
-# If you have latency problems turn this to "yes". Otherwise leave it as
-# "no" that is the safest pick from the point of view of durability.
-
-no-appendfsync-on-rewrite no
-
-# Automatic rewrite of the append only file.
-# Redis is able to automatically rewrite the log file implicitly calling
-# BGREWRITEAOF when the AOF log size grows by the specified percentage.
-#
-# This is how it works: Redis remembers the size of the AOF file after the
-# latest rewrite (if no rewrite has happened since the restart, the size of
-# the AOF at startup is used).
-#
-# This base size is compared to the current size. If the current size is
-# bigger than the specified percentage, the rewrite is triggered. Also
-# you need to specify a minimal size for the AOF file to be rewritten, this
-# is useful to avoid rewriting the AOF file even if the percentage increase
-# is reached but it is still pretty small.
-#
-# Specify a percentage of zero in order to disable the automatic AOF
-# rewrite feature.
-
-auto-aof-rewrite-percentage 100
-auto-aof-rewrite-min-size 64mb
-
-# An AOF file may be found to be truncated at the end during the Redis
-# startup process, when the AOF data gets loaded back into memory.
-# This may happen when the system where Redis is running
-# crashes, especially when an ext4 filesystem is mounted without the
-# data=ordered option (however this can't happen when Redis itself
-# crashes or aborts but the operating system still works correctly).
-#
-# Redis can either exit with an error when this happens, or load as much
-# data as possible (the default now) and start if the AOF file is found
-# to be truncated at the end. The following option controls this behavior.
-#
-# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
-# the Redis server starts emitting a log to inform the user of the event.
-# Otherwise if the option is set to no, the server aborts with an error
-# and refuses to start. When the option is set to no, the user requires
-# to fix the AOF file using the "redis-check-aof" utility before to restart
-# the server.
-#
-# Note that if the AOF file will be found to be corrupted in the middle
-# the server will still exit with an error. This option only applies when
-# Redis will try to read more data from the AOF file but not enough bytes
-# will be found.
-aof-load-truncated yes
-
-# Redis can create append-only base files in either RDB or AOF formats. Using
-# the RDB format is always faster and more efficient, and disabling it is only
-# supported for backward compatibility purposes.
-aof-use-rdb-preamble yes
-
-# Redis supports recording timestamp annotations in the AOF to support restoring
-# the data from a specific point-in-time. However, using this capability changes
-# the AOF format in a way that may not be compatible with existing AOF parsers.
-aof-timestamp-enabled no
-
-################################ SHUTDOWN #####################################
-
-# Maximum time to wait for replicas when shutting down, in seconds.
-#
-# During shut down, a grace period allows any lagging replicas to catch up with
-# the latest replication offset before the master exists. This period can
-# prevent data loss, especially for deployments without configured disk backups.
-#
-# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
-# only applicable when the instance has replicas. To disable the feature, set
-# the value to 0.
-#
-# shutdown-timeout 10
-
-# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
-# an RDB snapshot is written to disk in a blocking operation if save points are configured.
-# The options used on signaled shutdown can include the following values:
-# default: Saves RDB snapshot only if save points are configured.
-# Waits for lagging replicas to catch up.
-# save: Forces a DB saving operation even if no save points are configured.
-# nosave: Prevents DB saving operation even if one or more save points are configured.
-# now: Skips waiting for lagging replicas.
-# force: Ignores any errors that would normally prevent the server from exiting.
-#
-# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
-# Example: "nosave force now"
-#
-# shutdown-on-sigint default
-# shutdown-on-sigterm default
-
-################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
-
-# Maximum time in milliseconds for EVAL scripts, functions and in some cases
-# modules' commands before Redis can start processing or rejecting other clients.
-#
-# If the maximum execution time is reached Redis will start to reply to most
-# commands with a BUSY error.
-#
-# In this state Redis will only allow a handful of commands to be executed.
-# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
-# module specific 'allow-busy' commands.
-#
-# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
-# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
-# the server in the case a write command was already issued by the script when
-# the user doesn't want to wait for the natural termination of the script.
-#
-# The default is 5 seconds. It is possible to set it to 0 or a negative value
-# to disable this mechanism (uninterrupted execution).
Note that in the past
-# this config had a different name, which is now an alias, so both of these do
-# the same:
-# lua-time-limit 5000
-# busy-reply-threshold 5000
-
-################################ REDIS CLUSTER ###############################
-
-# Normal Redis instances can't be part of a Redis Cluster; only nodes that are
-# started as cluster nodes can. In order to start a Redis instance as a
-# cluster node enable the cluster support uncommenting the following:
-#
-# cluster-enabled yes
-
-# Every cluster node has a cluster configuration file. This file is not
-# intended to be edited by hand. It is created and updated by Redis nodes.
-# Every Redis Cluster node requires a different cluster configuration file.
-# Make sure that instances running in the same system do not have
-# overlapping cluster configuration file names.
-#
-# cluster-config-file nodes-6379.conf
-
-# Cluster node timeout is the amount of milliseconds a node must be unreachable
-# for it to be considered in failure state.
-# Most other internal time limits are a multiple of the node timeout.
-#
-# cluster-node-timeout 15000
-
-# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
-# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
-# you to specify the cluster bus port when executing cluster meet.
-# cluster-port 0
-
-# A replica of a failing master will avoid to start a failover if its data
-# looks too old.
-#
-# There is no simple way for a replica to actually have an exact measure of
-# its "data age", so the following two checks are performed:
-#
-# 1) If there are multiple replicas able to failover, they exchange messages
-# in order to try to give an advantage to the replica with the best
-# replication offset (more data from the master processed).
-# Replicas will try to get their rank by offset, and apply to the start
-# of the failover a delay proportional to their rank.
-#
-# 2) Every single replica computes the time of the last interaction with
-# its master. This can be the last ping or command received (if the master
-# is still in the "connected" state), or the time that elapsed since the
-# disconnection with the master (if the replication link is currently down).
-# If the last interaction is too old, the replica will not try to failover
-# at all.
-#
-# The point "2" can be tuned by user. Specifically a replica will not perform
-# the failover if, since the last interaction with the master, the time
-# elapsed is greater than:
-#
-# (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period
-#
-# So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor
-# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the
-# replica will not try to failover if it was not able to talk with the master
-# for longer than 310 seconds.
-#
-# A large cluster-replica-validity-factor may allow replicas with too old data to failover
-# a master, while a too small value may prevent the cluster from being able to
-# elect a replica at all.
-#
-# For maximum availability, it is possible to set the cluster-replica-validity-factor
-# to a value of 0, which means, that replicas will always try to failover the
-# master regardless of the last time they interacted with the master.
-# (However they'll always try to apply a delay proportional to their
-# offset rank).
-#
-# Zero is the only value able to guarantee that when all the partitions heal
-# the cluster will always be able to continue.
-#
-# cluster-replica-validity-factor 10
-
-# Cluster replicas are able to migrate to orphaned masters, that are masters
-# that are left without working replicas. This improves the cluster ability
-# to resist to failures as otherwise an orphaned master can't be failed over
-# in case of failure if it has no working replicas.
-#
-# Replicas migrate to orphaned masters only if there are still at least a
-# given number of other working replicas for their old master. This number
-# is the "migration barrier". A migration barrier of 1 means that a replica
-# will migrate only if there is at least 1 other working replica for its master
-# and so forth. It usually reflects the number of replicas you want for every
-# master in your cluster.
-#
-# Default is 1 (replicas migrate only if their masters remain with at least
-# one replica). To disable migration just set it to a very large value or
-# set cluster-allow-replica-migration to 'no'.
-# A value of 0 can be set but is useful only for debugging and dangerous
-# in production.
-#
-# cluster-migration-barrier 1
-
-# Turning off this option allows to use less automatic cluster configuration.
-# It both disables migration to orphaned masters and migration from masters
-# that became empty.
-#
-# Default is 'yes' (allow automatic migrations).
-#
-# cluster-allow-replica-migration yes
-
-# By default Redis Cluster nodes stop accepting queries if they detect there
-# is at least a hash slot uncovered (no available node is serving it).
-# This way if the cluster is partially down (for example a range of hash slots
-# are no longer covered) all the cluster becomes, eventually, unavailable.
-# It automatically returns available as soon as all the slots are covered again.
-#
-# However sometimes you want the subset of the cluster which is working,
-# to continue to accept queries for the part of the key space that is still
-# covered. In order to do so, just set the cluster-require-full-coverage
-# option to no.
-#
-# cluster-require-full-coverage yes
-
-# This option, when set to yes, prevents replicas from trying to failover its
-# master during master failures. However the replica can still perform a
-# manual failover, if forced to do so.
-#
-# This is useful in different scenarios, especially in the case of multiple
-# data center operations, where we want one side to never be promoted if not
-# in the case of a total DC failure.
-#
-# cluster-replica-no-failover no
-
-# This option, when set to yes, allows nodes to serve read traffic while the
-# cluster is in a down state, as long as it believes it owns the slots.
-#
-# This is useful for two cases. The first case is for when an application
-# doesn't require consistency of data during node failures or network partitions.
-# One example of this is a cache, where as long as the node has the data it
-# should be able to serve it.
-#
-# The second use case is for configurations that don't meet the recommended
-# three shards but want to enable cluster mode and scale later. A
-# master outage in a 1 or 2 shard configuration causes a read/write outage to the
-# entire cluster without this option set, with it set there is only a write outage.
-# Without a quorum of masters, slot ownership will not change automatically.
-#
-# cluster-allow-reads-when-down no
-
-# This option, when set to yes, allows nodes to serve pubsub shard traffic while
-# the cluster is in a down state, as long as it believes it owns the slots.
-#
-# This is useful if the application would like to use the pubsub feature even when
-# the cluster global stable state is not OK. If the application wants to make sure only
-# one shard is serving a given channel, this feature should be kept as yes.
-#
-# cluster-allow-pubsubshard-when-down yes
-
-# Cluster link send buffer limit is the limit on the memory usage of an individual
-# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
-# this limit. This is to primarily prevent send buffers from growing unbounded on links
-# toward slow peers (E.g. PubSub messages being piled up).
-# This limit is disabled by default.
Enable this limit when 'mem_cluster_links' INFO field
-# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
-# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
-# PubSub message by default. (client-query-buffer-limit default value is 1gb)
-#
-# cluster-link-sendbuf-limit 0
-
-# Clusters can configure their announced hostname using this config. This is a common use case for
-# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
-# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
-# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
-# communicated along the clusterbus to all nodes, setting it to an empty string will remove
-# the hostname and also propagate the removal.
-#
-# cluster-announce-hostname ""
-
-# Clusters can configure an optional nodename to be used in addition to the node ID for
-# debugging and admin information. This name is broadcasted between nodes, so will be used
-# in addition to the node ID when reporting cross node events such as node failures.
-# cluster-announce-human-nodename ""
-
-# Clusters can advertise how clients should connect to them using either their IP address,
-# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
-# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
-# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
-# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
-# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
-# will be returned instead.
-#
-# When a cluster advertises itself as having an unknown endpoint, it's indicating that
-# the server doesn't know how clients can reach the cluster.
This can happen in certain
-# networking situations where there are multiple possible routes to the node, and the
-# server doesn't know which one the client took. In this case, the server is expecting
-# the client to reach out on the same endpoint it used for making the last request, but use
-# the port provided in the response.
-#
-# cluster-preferred-endpoint-type ip
-
-# This configuration defines the sampling ratio (0-100) for checking command
-# compatibility in cluster mode. When a command is executed, it is sampled at
-# the specified ratio to determine if it complies with Redis cluster constraints,
-# such as cross-slot restrictions.
-#
-# - A value of 0 means no commands are sampled for compatibility checks.
-# - A value of 100 means all commands are checked.
-# - Intermediate values (e.g., 10) mean that approximately 10% of the commands
-# are randomly selected for compatibility verification.
-#
-# Higher sampling ratios may introduce additional performance overhead, especially
-# under high QPS. The default value is 0 (no sampling).
-#
-# cluster-compatibility-sample-ratio 0
-
-# In order to setup your cluster make sure to read the documentation
-# available at https://redis.io web site.
-
-########################## CLUSTER DOCKER/NAT support ########################
-
-# In certain deployments, Redis Cluster nodes address discovery fails, because
-# addresses are NAT-ted or because ports are forwarded (the typical case is
-# Docker and other containers).
-#
-# In order to make Redis Cluster working in such environments, a static
-# configuration where each node knows its public address is needed. The
-# following four options are used for this scope, and are:
-#
-# * cluster-announce-ip
-# * cluster-announce-port
-# * cluster-announce-tls-port
-# * cluster-announce-bus-port
-#
-# Each instructs the node about its address, client ports (for connections
-# without and with TLS) and cluster message bus port.
The information is then
-# published in the header of the bus packets so that other nodes will be able to
-# correctly map the address of the node publishing the information.
-#
-# If tls-cluster is set to yes and cluster-announce-tls-port is omitted or set
-# to zero, then cluster-announce-port refers to the TLS port. Note also that
-# cluster-announce-tls-port has no effect if tls-cluster is set to no.
-#
-# If the above options are not used, the normal Redis Cluster auto-detection
-# will be used instead.
-#
-# Note that when remapped, the bus port may not be at the fixed offset of
-# clients port + 10000, so you can specify any port and bus-port depending
-# on how they get remapped. If the bus-port is not set, a fixed offset of
-# 10000 will be used as usual.
-#
-# Example:
-#
-# cluster-announce-ip 10.1.1.5
-# cluster-announce-tls-port 6379
-# cluster-announce-port 0
-# cluster-announce-bus-port 6380
-
-################################## SLOW LOG ###################################
-
-# The Redis Slow Log is a system to log queries that exceeded a specified
-# execution time. The execution time does not include the I/O operations
-# like talking with the client, sending the reply and so forth,
-# but just the time needed to actually execute the command (this is the only
-# stage of command execution where the thread is blocked and can not serve
-# other requests in the meantime).
-#
-# You can configure the slow log with two parameters: one tells Redis
-# what is the execution time, in microseconds, to exceed in order for the
-# command to get logged, and the other parameter is the length of the
-# slow log. When a new command is logged the oldest one is removed from the
-# queue of logged commands.
-
-# The following time is expressed in microseconds, so 1000000 is equivalent
-# to one second. Note that a negative number disables the slow log, while
-# a value of zero forces the logging of every command.
-slowlog-log-slower-than 10000
-
-# There is no limit to this length. Just be aware that it will consume memory.
-# You can reclaim memory used by the slow log with SLOWLOG RESET.
-slowlog-max-len 128
-
-################################ LATENCY MONITOR ##############################
-
-# The Redis latency monitoring subsystem samples different operations
-# at runtime in order to collect data related to possible sources of
-# latency of a Redis instance.
-#
-# Via the LATENCY command this information is available to the user that can
-# print graphs and obtain reports.
-#
-# The system only logs operations that were performed in a time equal or
-# greater than the amount of milliseconds specified via the
-# latency-monitor-threshold configuration directive. When its value is set
-# to zero, the latency monitor is turned off.
-#
-# By default latency monitoring is disabled since it is mostly not needed
-# if you don't have latency issues, and collecting data has a performance
-# impact, that while very small, can be measured under big load. Latency
-# monitoring can easily be enabled at runtime using the command
-# "CONFIG SET latency-monitor-threshold " if needed.
-latency-monitor-threshold 0
-
-################################ LATENCY TRACKING ##############################
-
-# The Redis extended latency monitoring tracks the per command latencies and enables
-# exporting the percentile distribution via the INFO latencystats command,
-# and cumulative latency distributions (histograms) via the LATENCY command.
-#
-# By default, the extended latency monitoring is enabled since the overhead
-# of keeping track of the command latency is very small.
-# latency-tracking yes
-
-# By default the exported latency percentiles via the INFO latencystats command
-# are the p50, p99, and p999.
-# latency-tracking-info-percentiles 50 99 99.9
-
-############################# EVENT NOTIFICATION ##############################
-
-# Redis can notify Pub/Sub clients about events happening in the key space.
-# This feature is documented at https://redis.io/docs/latest/develop/use/keyspace-notifications/
-#
-# For instance if keyspace events notification is enabled, and a client
-# performs a DEL operation on key "foo" stored in the Database 0, two
-# messages will be published via Pub/Sub:
-#
-# PUBLISH __keyspace@0__:foo del
-# PUBLISH __keyevent@0__:del foo
-#
-# It is possible to select the events that Redis will notify among a set
-# of classes. Every class is identified by a single character:
-#
-# K Keyspace events, published with __keyspace@__ prefix.
-# E Keyevent events, published with __keyevent@__ prefix.
-# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
-# $ String commands
-# l List commands
-# s Set commands
-# h Hash commands
-# z Sorted set commands
-# x Expired events (events generated every time a key expires)
-# e Evicted events (events generated when a key is evicted for maxmemory)
-# n New key events (Note: not included in the 'A' class)
-# t Stream commands
-# d Module key type events
-# m Key-miss events (Note: It is not included in the 'A' class)
-# A Alias for g$lshzxetd, so that the "AKE" string means all the events
-# (Except key-miss events which are excluded from 'A' due to their
-# unique nature).
-#
-# The "notify-keyspace-events" takes as argument a string that is composed
-# of zero or multiple characters. The empty string means that notifications
-# are disabled.
-#
-# Example: to enable list and generic events, from the point of view of the
-# event name, use:
-#
-# notify-keyspace-events Elg
-#
-# Example 2: to get the stream of the expired keys subscribing to channel
-# name __keyevent@0__:expired use:
-#
-# notify-keyspace-events Ex
-#
-# By default all notifications are disabled because most users don't need
-# this feature and the feature has some overhead. Note that if you don't
-# specify at least one of K or E, no events will be delivered.
-notify-keyspace-events ""
-
-############################### ADVANCED CONFIG ###############################
-
-# Hashes are encoded using a memory efficient data structure when they have a
-# small number of entries, and the biggest entry does not exceed a given
-# threshold. These thresholds can be configured using the following directives.
-hash-max-listpack-entries 512
-hash-max-listpack-value 64
-
-# Lists are also encoded in a special way to save a lot of space.
-# The number of entries allowed per internal list node can be specified
-# as a fixed maximum size or a maximum number of elements.
-# For a fixed maximum size, use -5 through -1, meaning:
-# -5: max size: 64 Kb <-- not recommended for normal workloads
-# -4: max size: 32 Kb <-- not recommended
-# -3: max size: 16 Kb <-- probably not recommended
-# -2: max size: 8 Kb <-- good
-# -1: max size: 4 Kb <-- good
-# Positive numbers mean store up to _exactly_ that number of elements
-# per list node.
-# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
-# but if your use case is unique, adjust the settings as necessary.
-list-max-listpack-size -2
-
-# Lists may also be compressed.
-# Compress depth is the number of quicklist ziplist nodes from *each* side of
-# the list to *exclude* from compression. The head and tail of the list
-# are always uncompressed for fast push/pop operations.
Settings are:
-# 0: disable all list compression
-# 1: depth 1 means "don't start compressing until after 1 node into the list,
-# going from either the head or tail"
-# So: [head]->node->node->...->node->[tail]
-# [head], [tail] will always be uncompressed; inner nodes will compress.
-# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
-# 2 here means: don't compress head or head->next or tail->prev or tail,
-# but compress all nodes between them.
-# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
-# etc.
-list-compress-depth 0
-
-# Sets have a special encoding when a set is composed
-# of just strings that happen to be integers in radix 10 in the range
-# of 64 bit signed integers.
-# The following configuration setting sets the limit in the size of the
-# set in order to use this special memory saving encoding.
-set-max-intset-entries 512
-
-# Sets containing non-integer values are also encoded using a memory efficient
-# data structure when they have a small number of entries, and the biggest entry
-# does not exceed a given threshold. These thresholds can be configured using
-# the following directives.
-set-max-listpack-entries 128
-set-max-listpack-value 64
-
-# Similarly to hashes and lists, sorted sets are also specially encoded in
-# order to save a lot of space. This encoding is only used when the length and
-# elements of a sorted set are below the following limits:
-zset-max-listpack-entries 128
-zset-max-listpack-value 64
-
-# HyperLogLog sparse representation bytes limit. The limit includes the
-# 16 bytes header. When a HyperLogLog using the sparse representation crosses
-# this limit, it is converted into the dense representation.
-#
-# A value greater than 16000 is totally useless, since at that point the
-# dense representation is more memory efficient.
-# -# The suggested value is ~ 3000 in order to have the benefits of -# the space efficient encoding without slowing down too much PFADD, -# which is O(N) with the sparse encoding. The value can be raised to -# ~ 10000 when CPU is not a concern, but space is, and the data set is -# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. -hll-sparse-max-bytes 3000 - -# Streams macro node max size / items. The stream data structure is a radix -# tree of big nodes that encode multiple items inside. Using this configuration -# it is possible to configure how big a single node can be in bytes, and the -# maximum number of items it may contain before switching to a new node when -# appending new stream entries. If any of the following settings are set to -# zero, the limit is ignored, so for instance it is possible to set just a -# max entries limit by setting max-bytes to 0 and max-entries to the desired -# value. -stream-node-max-bytes 4096 -stream-node-max-entries 100 - -# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in -# order to help rehashing the main Redis hash table (the one mapping top-level -# keys to values). The hash table implementation Redis uses (see dict.c) -# performs a lazy rehashing: the more operation you run into a hash table -# that is rehashing, the more rehashing "steps" are performed, so if the -# server is idle the rehashing is never complete and some more memory is used -# by the hash table. -# -# The default is to use this millisecond 10 times every second in order to -# actively rehash the main dictionaries, freeing memory when possible. -# -# If unsure: -# use "activerehashing no" if you have hard latency requirements and it is -# not a good thing in your environment that Redis can reply from time to time -# to queries with 2 milliseconds delay. -# -# use "activerehashing yes" if you don't have such hard requirements but -# want to free memory asap when possible. 
-activerehashing yes - -# The client output buffer limits can be used to force disconnection of clients -# that are not reading data from the server fast enough for some reason (a -# common reason is that a Pub/Sub client can't consume messages as fast as the -# publisher can produce them). -# -# The limit can be set differently for the three different classes of clients: -# -# normal -> normal clients including MONITOR clients -# replica -> replica clients -# pubsub -> clients subscribed to at least one pubsub channel or pattern -# -# The syntax of every client-output-buffer-limit directive is the following: -# -# client-output-buffer-limit -# -# A client is immediately disconnected once the hard limit is reached, or if -# the soft limit is reached and remains reached for the specified number of -# seconds (continuously). -# So for instance if the hard limit is 32 megabytes and the soft limit is -# 16 megabytes / 10 seconds, the client will get disconnected immediately -# if the size of the output buffers reach 32 megabytes, but will also get -# disconnected if the client reaches 16 megabytes and continuously overcomes -# the limit for 10 seconds. -# -# By default normal clients are not limited because they don't receive data -# without asking (in a push way), but just after a request, so only -# asynchronous clients may create a scenario where data is requested faster -# than it can read. -# -# Instead there is a default limit for pubsub and replica clients, since -# subscribers and replicas receive data in a push fashion. -# -# Note that it doesn't make sense to set the replica clients output buffer -# limit lower than the repl-backlog-size config (partial sync will succeed -# and then replica will get disconnected). -# Such a configuration is ignored (the size of repl-backlog-size will be used). -# This doesn't have memory consumption implications since the replica client -# will share the backlog buffers memory. 
-# -# Both the hard or the soft limit can be disabled by setting them to zero. -client-output-buffer-limit normal 0 0 0 -client-output-buffer-limit replica 256mb 64mb 60 -client-output-buffer-limit pubsub 32mb 8mb 60 - -# Client query buffers accumulate new commands. They are limited to a fixed -# amount by default in order to avoid that a protocol desynchronization (for -# instance due to a bug in the client) will lead to unbound memory usage in -# the query buffer. However you can configure it here if you have very special -# needs, such as a command with huge argument, or huge multi/exec requests or alike. -# -# client-query-buffer-limit 1gb - -# In some scenarios client connections can hog up memory leading to OOM -# errors or data eviction. To avoid this we can cap the accumulated memory -# used by all client connections (all pubsub and normal clients). Once we -# reach that limit connections will be dropped by the server freeing up -# memory. The server will attempt to drop the connections using the most -# memory first. We call this mechanism "client eviction". -# -# Client eviction is configured using the maxmemory-clients setting as follows: -# 0 - client eviction is disabled (default) -# -# A memory value can be used for the client eviction threshold, -# for example: -# maxmemory-clients 1g -# -# A percentage value (between 1% and 100%) means the client eviction threshold -# is based on a percentage of the maxmemory setting. For example to set client -# eviction at 5% of maxmemory: -# maxmemory-clients 5% - -# In the Redis protocol, bulk requests, that are, elements representing single -# strings, are normally limited to 512 mb. However you can change this limit -# here, but must be 1mb or greater -# -# proto-max-bulk-len 512mb - -# Redis calls an internal function to perform many background tasks, like -# closing connections of clients in timeout, purging expired keys that are -# never requested, and so forth. 
-# -# Not all tasks are performed with the same frequency, but Redis checks for -# tasks to perform according to the specified "hz" value. -# -# By default "hz" is set to 10. Raising the value will use more CPU when -# Redis is idle, but at the same time will make Redis more responsive when -# there are many keys expiring at the same time, and timeouts may be -# handled with more precision. -# -# The range is between 1 and 500, however a value over 100 is usually not -# a good idea. Most users should use the default of 10 and raise this up to -# 100 only in environments where very low latency is required. -hz 10 - -# Normally it is useful to have an HZ value which is proportional to the -# number of clients connected. This is useful in order, for instance, to -# avoid too many clients are processed for each background task invocation -# in order to avoid latency spikes. -# -# Since the default HZ value by default is conservatively set to 10, Redis -# offers, and enables by default, the ability to use an adaptive HZ value -# which will temporarily raise when there are many connected clients. -# -# When dynamic HZ is enabled, the actual configured HZ will be used -# as a baseline, but multiples of the configured HZ value will be actually -# used as needed once more clients are connected. In this way an idle -# instance will use very little CPU time while a busy instance will be -# more responsive. -dynamic-hz yes - -# When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 4 MB of data generated. This is useful -# in order to commit the file to the disk more incrementally and avoid -# big latency spikes. -aof-rewrite-incremental-fsync yes - -# When redis saves RDB file, if the following option is enabled -# the file will be fsync-ed every 4 MB of data generated. This is useful -# in order to commit the file to the disk more incrementally and avoid -# big latency spikes. 
-rdb-save-incremental-fsync yes - -# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good -# idea to start with the default settings and only change them after investigating -# how to improve the performances and how the keys LFU change over time, which -# is possible to inspect via the OBJECT FREQ command. -# -# There are two tunable parameters in the Redis LFU implementation: the -# counter logarithm factor and the counter decay time. It is important to -# understand what the two parameters mean before changing them. -# -# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis -# uses a probabilistic increment with logarithmic behavior. Given the value -# of the old counter, when a key is accessed, the counter is incremented in -# this way: -# -# 1. A random number R between 0 and 1 is extracted. -# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). -# 3. The counter is incremented only if R < P. -# -# The default lfu-log-factor is 10. 
This is a table of how the frequency -# counter changes with a different number of accesses with different -# logarithmic factors: -# -# +--------+------------+------------+------------+------------+------------+ -# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | -# +--------+------------+------------+------------+------------+------------+ -# | 0 | 104 | 255 | 255 | 255 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# | 1 | 18 | 49 | 255 | 255 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# | 10 | 10 | 18 | 142 | 255 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# | 100 | 8 | 11 | 49 | 143 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# -# NOTE: The above table was obtained by running the following commands: -# -# redis-benchmark -n 1000000 incr foo -# redis-cli object freq foo -# -# NOTE 2: The counter initial value is 5 in order to give new objects a chance -# to accumulate hits. -# -# The counter decay time is the time, in minutes, that must elapse in order -# for the key counter to be decremented. -# -# The default value for the lfu-decay-time is 1. A special value of 0 means we -# will never decay the counter. -# -# lfu-log-factor 10 -# lfu-decay-time 1 - - -# The maximum number of new client connections accepted per event-loop cycle. This configuration -# is set independently for TLS connections. -# -# By default, up to 10 new connection will be accepted per event-loop cycle for normal connections -# and up to 1 new connection per event-loop cycle for TLS connections. -# -# Adjusting this to a larger number can slightly improve efficiency for new connections -# at the risk of causing timeouts for regular commands on established connections. 
It is -# not advised to change this without ensuring that all clients have limited connection -# pools and exponential backoff in the case of command/connection timeouts. -# -# If your application is establishing a large number of new connections per second you should -# also consider tuning the value of tcp-backlog, which allows the kernel to buffer more -# pending connections before dropping or rejecting connections. -# -# max-new-connections-per-cycle 10 -# max-new-tls-connections-per-cycle 1 - - -########################### ACTIVE DEFRAGMENTATION ####################### -# -# What is active defragmentation? -# ------------------------------- -# -# Active (online) defragmentation allows a Redis server to compact the -# spaces left between small allocations and deallocations of data in memory, -# thus allowing to reclaim back memory. -# -# Fragmentation is a natural process that happens with every allocator (but -# less so with Jemalloc, fortunately) and certain workloads. Normally a server -# restart is needed in order to lower the fragmentation, or at least to flush -# away all the data and create it again. However thanks to this feature -# implemented by Oran Agra for Redis 4.0 this process can happen at runtime -# in a "hot" way, while the server is running. -# -# Basically when the fragmentation is over a certain level (see the -# configuration options below) Redis will start to create new copies of the -# values in contiguous memory regions by exploiting certain specific Jemalloc -# features (in order to understand if an allocation is causing fragmentation -# and to allocate it in a better place), and at the same time, will release the -# old copies of the data. This process, repeated incrementally for all the keys -# will cause the fragmentation to drop back to normal values. -# -# Important things to understand: -# -# 1. 
This feature is disabled by default, and only works if you compiled Redis -# to use the copy of Jemalloc we ship with the source code of Redis. -# This is the default with Linux builds. -# -# 2. You never need to enable this feature if you don't have fragmentation -# issues. -# -# 3. Once you experience fragmentation, you can enable this feature when -# needed with the command "CONFIG SET activedefrag yes". -# -# The configuration parameters are able to fine tune the behavior of the -# defragmentation process. If you are not sure about what they mean it is -# a good idea to leave the defaults untouched. - -# Active defragmentation is disabled by default -# activedefrag no - -# Minimum amount of fragmentation waste to start active defrag -# active-defrag-ignore-bytes 100mb - -# Minimum percentage of fragmentation to start active defrag -# active-defrag-threshold-lower 10 - -# Maximum percentage of fragmentation at which we use maximum effort -# active-defrag-threshold-upper 100 - -# Minimal effort for defrag in CPU percentage, to be used when the lower -# threshold is reached -# active-defrag-cycle-min 1 - -# Maximal effort for defrag in CPU percentage, to be used when the upper -# threshold is reached -# active-defrag-cycle-max 25 - -# Maximum number of set/hash/zset/list fields that will be processed from -# the main dictionary scan -# active-defrag-max-scan-fields 1000 - -# Jemalloc background thread for purging will be enabled by default -jemalloc-bg-thread yes - -# It is possible to pin different threads and processes of Redis to specific -# CPUs in your system, in order to maximize the performances of the server. -# This is useful both in order to pin different Redis threads in different -# CPUs, but also in order to make sure that multiple Redis instances running -# in the same host will be pinned to different CPUs. 
-#
-# Normally you can do this using the "taskset" command, however it is also
-# possible to this via Redis configuration directly, both in Linux and FreeBSD.
-#
-# You can pin the server/IO threads, bio threads, aof rewrite child process, and
-# the bgsave child process. The syntax to specify the cpu list is the same as
-# the taskset command:
-#
-# Set redis server/io threads to cpu affinity 0,2,4,6:
-# server-cpulist 0-7:2
-#
-# Set bio threads to cpu affinity 1,3:
-# bio-cpulist 1,3
-#
-# Set aof rewrite child process to cpu affinity 8,9,10,11:
-# aof-rewrite-cpulist 8-11
-#
-# Set bgsave child process to cpu affinity 1,10,11
-# bgsave-cpulist 1,10-11
-
-# In some cases redis will emit warnings and even refuse to start if it detects
-# that the system is in bad state, it is possible to suppress these warnings
-# by setting the following config which takes a space delimited list of warnings
-# to suppress
-#
-# ignore-warnings ARM64-COW-BUG
diff --git a/ansible/roles/wger/tasks/main.yml b/ansible/roles/wger/tasks/main.yml
deleted file mode 100644
index 9370a84..0000000
--- a/ansible/roles/wger/tasks/main.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: Create install directory
- file:
- path: "{{ install_directory }}/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Create database data directory
- file:
- path: "{{ data_dir }}/postgres/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Create redis data directory
- file:
- path: "{{ data_dir }}/redis/{{ role_name }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Create data and config directories
- file:
- path: "{{ data_dir }}/{{ role_name }}/{{ item }}"
- state: directory
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_directory_mask }}"
- loop:
- - config
- - static
- - media
- - celery-beat
-
-- name: Install wger config file (templatized)
- template:
- src: prod.env
- dest: "{{ data_dir }}/{{ role_name }}/config/prod.env"
-
-- name: Install config files
- copy:
- src: ./
- dest: "{{ data_dir }}/{{ role_name }}/config"
-
-- name: Copy docker-compose file to destination
- template:
- src: docker-compose.yml
- dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
- owner: "{{ docker_user }}"
- mode: "{{ docker_compose_file_mask }}"
- validate: docker compose -f %s config
- become: true
-
-- name: Start docker container
- community.docker.docker_compose_v2:
- project_src: "{{ install_directory }}/{{ role_name }}"
- pull: always
- remove_orphans: yes
diff --git a/ansible/roles/wger/templates/docker-compose.yml b/ansible/roles/wger/templates/docker-compose.yml
deleted file mode 100644
index affc576..0000000
--- a/ansible/roles/wger/templates/docker-compose.yml
+++ /dev/null
@@ -1,132 +0,0 @@
-networks:
- traefik:
- external: true
-
-services:
- web:
- image: wger/server:latest
- depends_on:
- db:
- condition: service_healthy
- cache:
- condition: service_healthy
- networks:
- - default
- env_file:
- - {{ data_dir }}/{{ role_name }}/config/prod.env
- volumes:
- - {{ data_dir }}/{{ role_name }}/static:/home/wger/static
- - {{ data_dir }}/{{ role_name }}/media:/home/wger/media
- expose:
- - 8000
- healthcheck:
- test: wget --no-verbose --tries=1 --spider http://localhost:8000
- interval: 10s
- timeout: 5s
- start_period: 300s
- retries: 5
- restart: unless-stopped
-
- nginx:
- image: nginx:stable
- depends_on:
- - web
- networks:
- - traefik
- - default
- volumes:
- - {{ data_dir }}/{{ role_name }}/config/nginx.conf:/etc/nginx/conf.d/default.conf
- - {{ data_dir }}/{{ role_name }}/static:/wger/static:ro
- - {{ data_dir }}/{{ role_name }}/media:/wger/media:ro
- healthcheck:
- test: service nginx status
- interval: 10s
- timeout: 5s
- retries: 5
- start_period: 30s
- restart: unless-stopped
- labels:
- traefik.enable: true
- traefik.http.routers.wger.rule: "Host(`wger.{{ personal_domain }}`)"
- #traefik.http.services.wger.loadbalancer.server.port: 8000
- #traefik.http.routers.wger.middlewares: lan-whitelist@file
-
- db:
- image: postgres:15-alpine
- environment:
- - POSTGRES_USER=wger
- - POSTGRES_PASSWORD=wger
- - POSTGRES_DB=wger
- - "TZ={{ timezone }}"
- networks:
- - default
- volumes:
- - {{ data_dir }}/postgres/{{ role_name }}:/var/lib/postgresql/data/
- expose:
- - 5432
- healthcheck:
- test: pg_isready -U wger
- interval: 10s
- timeout: 5s
- retries: 5
- start_period: 30s
- restart: unless-stopped
-
- cache:
- image: redis
- expose:
- - 6379
- networks:
- - default
- volumes:
- - {{ data_dir }}/{{ role_name }}/config/redis.conf:/usr/local/etc/redis/redis.conf
- - {{ data_dir }}/redis/{{ role_name }}/data:/data
- command: [ "redis-server", "/usr/local/etc/redis/redis.conf"]
- healthcheck:
- test: redis-cli ping
- interval: 10s
- timeout: 5s
- retries: 5
- start_period: 30s
- restart: unless-stopped
-
- # You probably want to limit the memory usage of the cache, otherwise it might
- # hog all the available memory. Remove or change according to your needs.
- #mem_limit: 2gb
-
- celery_worker:
- image: wger/server:latest
- command: /start-worker
- networks:
- - default
- env_file:
- - {{ data_dir }}/{{ role_name }}/config/prod.env
- volumes:
- - {{ data_dir }}/{{ role_name }}/media:/home/wger/media
- depends_on:
- web:
- condition: service_healthy
- healthcheck:
- test: celery -A wger inspect ping
- interval: 10s
- timeout: 5s
- retries: 5
- start_period: 30s
-
- celery_beat:
- image: wger/server:latest
- command: /start-beat
- networks:
- - default
- volumes:
- - {{ data_dir }}/{{ role_name }}/celery-beat:/home/wger/beat/
- env_file:
- - {{ data_dir }}/{{ role_name }}/config/prod.env
- depends_on:
- celery_worker:
- condition: service_healthy
-
-
- # Heads up, if you remove these volumes and use folders directly you need to chown them
- # to the UID and GID 1000 even if it doesn't exist on your system. Also, they should
- # be readable by everyone.
diff --git a/ansible/roles/wger/templates/prod.env b/ansible/roles/wger/templates/prod.env
deleted file mode 100644
index c55a335..0000000
--- a/ansible/roles/wger/templates/prod.env
+++ /dev/null
@@ -1,172 +0,0 @@
-SECRET_KEY="{{ DJANGO_SECRET }}"
-SIGNING_KEY="{{ JWT_SECRET }}"
-
-TIME_ZONE=America/New_York
-TZ=America/New_York
-
-CSRF_TRUSTED_ORIGINS="https://wger.{{ personal_domain }}"
-X_FORWARDED_PROTO_HEADER_SET=True
-
-MEDIA_URL="https://wger.{{ personal_domain }}/media/"
-STATIC_URL="https://wger.{{ personal_domain }}/static/"
-
-#
-# These settings usually don't need changing
-#
-
-#
-# Application
-WGER_INSTANCE=https://wger.de # Wger instance from which to sync exercises, images, etc.
-ALLOW_REGISTRATION=True
-ALLOW_GUEST_USERS=True
-ALLOW_UPLOAD_VIDEOS=True
-# Users won't be able to contribute to exercises if their account age is
-# lower than this amount in days.
-MIN_ACCOUNT_AGE_TO_TRUST=21
-# Synchronzing exercises
-# It is recommended to keep the local database synchronized with the wger
-# instance specified in WGER_INSTANCE since there are new added or translations
-# improved. For this you have different possibilities:
-# - Sync exercises on startup:
-# SYNC_EXERCISES_ON_STARTUP=True
-# DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP=True
-# - Sync them in the background with celery. This will setup a job that will run
-# once a week at a random time (this time is selected once when starting the server)
-SYNC_EXERCISES_CELERY=True
-SYNC_EXERCISE_IMAGES_CELERY=True
-SYNC_EXERCISE_VIDEOS_CELERY=True
-# - Manually trigger the process as needed:
-# docker compose exec web python3 manage.py sync-exercises
-# docker compose exec web python3 manage.py download-exercise-images
-# docker compose exec web python3 manage.py download-exercise-videos
-
-# Synchronzing ingredients
-# You can also syncronize the ingredients from a remote wger instance, and have
-# basically the same options as for the ingredients:
-# - Sync them in the background with celery. This will setup a job that will run
-# once a week at a random time (this time is selected once when starting the server)
-SYNC_INGREDIENTS_CELERY=True
-# - Manually trigger the process as needed:
-# docker compose exec web python3 manage.py sync-ingredients
-
-# This option controls whether to download ingredients and their images from the
-# configured wger instance. When scanning products with the barcode scanner, it is
-# possible to dynamically fetch the ingredient if it is not known in the local database.
-# Possible values: WGER or None. Requires USE_CELERY to be set to true.
-DOWNLOAD_INGREDIENTS_FROM=WGER
-
-# Whether celery is configured and should be used. Can be left to true with
-# this setup but can be deactivated if you are using the app in some other way
-USE_CELERY=True
-
-#
-# Celery
-CELERY_BROKER=redis://cache:6379/2
-CELERY_BACKEND=redis://cache:6379/2
-CELERY_FLOWER_PASSWORD=adminadmin
-
-#
-# Database
-DJANGO_DB_ENGINE=django.db.backends.postgresql
-DJANGO_DB_DATABASE=wger
-DJANGO_DB_USER=wger
-DJANGO_DB_PASSWORD=wger
-DJANGO_DB_HOST=db
-DJANGO_DB_PORT=5432
-DJANGO_PERFORM_MIGRATIONS=True # Perform any new database migrations on startup
-
-#
-# Cache
-DJANGO_CACHE_BACKEND=django_redis.cache.RedisCache
-DJANGO_CACHE_LOCATION=redis://cache:6379/1
-DJANGO_CACHE_TIMEOUT=1296000 # in seconds - 60*60*24*15, 15 Days
-DJANGO_CACHE_CLIENT_CLASS=django_redis.client.DefaultClient
-# DJANGO_CACHE_CLIENT_PASSWORD=abcde... # Only if you changed the redis config
-# DJANGO_CACHE_CLIENT_SSL_KEYFILE=/path/to/ssl_keyfile # Path to an ssl private key.
-# DJANGO_CACHE_CLIENT_SSL_CERTFILE=/path/to/ssl_certfile # Path to an ssl certificate.
-# DJANGO_CACHE_CLIENT_SSL_CERT_REQS= # The string value for the verify_mode.
-# DJANGO_CACHE_CLIENT_SSL_CHECK_HOSTNAME=False # If set, match the hostname during the SSL handshake.
-
-#
-# Brute force login attacks
-# https://django-axes.readthedocs.io/en/latest/index.html
-AXES_ENABLED=True
-AXES_FAILURE_LIMIT=10
-AXES_COOLOFF_TIME=30 # in minutes
-AXES_HANDLER=axes.handlers.cache.AxesCacheHandler
-AXES_LOCKOUT_PARAMETERS=ip_address
-AXES_IPWARE_PROXY_COUNT=1
-AXES_IPWARE_META_PRECEDENCE_ORDER=HTTP_X_FORWARDED_FOR,REMOTE_ADDR
-#
-# Others
-DJANGO_DEBUG=False
-WGER_USE_GUNICORN=True
-EXERCISE_CACHE_TTL=18000 # in seconds - 5*60*60, 5 hours
-SITE_URL=http://localhost
-
-#
-# JWT auth
-ACCESS_TOKEN_LIFETIME=10 # The lifetime duration of the access token, in minutes
-REFRESH_TOKEN_LIFETIME=24 # The lifetime duration of the refresh token, in hours
-
-#
-# Auth Proxy Authentication
-#
-# Please read the documentation before enabling this feature:
-# https://wger.readthedocs.io/en/latest/administration/auth_proxy.html
-AUTH_PROXY_HEADER=''
-AUTH_PROXY_TRUSTED_IPS=''
-AUTH_PROXY_CREATE_UNKNOWN_USER=False
-AUTH_PROXY_USER_EMAIL_HEADER=''
-AUTH_PROXY_USER_NAME_HEADER=''
-
-#
-# Other possible settings
-
-# Recaptcha keys. You will need to create an account and register your domain
-# https://www.google.com/recaptcha/
-# RECAPTCHA_PUBLIC_KEY=abcde...
-# RECAPTCHA_PRIVATE_KEY=abcde...
-USE_RECAPTCHA=False
-
-# Clears the static files before copying the new ones (i.e. just calls collectstatic
-# with the appropriate flag: "manage.py collectstatic --no-input --clear"). Usually
-# This can be left like this but if you have problems and new static files are not
-# being copied correctly, clearing everything might help
-DJANGO_CLEAR_STATIC_FIRST=False
-
-#
-# Email
-# https://docs.djangoproject.com/en/4.1/topics/email/#smtp-backend
-# ENABLE_EMAIL=False
-# EMAIL_HOST=email.example.com
-# EMAIL_PORT=587
-# EMAIL_HOST_USER=username
-# EMAIL_HOST_PASSWORD=password
-# EMAIL_USE_TLS=True
-# EMAIL_USE_SSL=False
-FROM_EMAIL='wger Workout Manager '
-
-# Set your name and email to be notified if an internal server error occurs.
-# Needs a working email configuration
-# DJANGO_ADMINS=your name,email@example.com
-
-# Whether to compress css and js files into one (of each)
-# COMPRESS_ENABLED=True
-
-#
-# Django Rest Framework
-# The number of proxies in front of the application. In the default configuration
-# only nginx is. Change as approtriate if your setup differs. Also note that this
-# is only used when throttling API requests.
-NUMBER_OF_PROXIES=1
-
-#
-# Gunicorn
-#
-# Additional gunicorn options, change as needed.
-# For the number of workers to spawn, a usually recommended value is (2 x $num_cores) + 1
-# see:
-# - https://docs.gunicorn.org/en/stable/settings.html
-# - https://github.com/wger-project/wger/blob/master/extras/docker/production/entrypoint.sh#L95
-GUNICORN_CMD_ARGS="--workers 3 --threads 2 --worker-class gthread --proxy-protocol True --timeout 240"
diff --git a/ansible/roles/wger/vars/main.yml b/ansible/roles/wger/vars/main.yml
deleted file mode 100644
index 3197928..0000000
--- a/ansible/roles/wger/vars/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-DJANGO_SECRET: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 64326466343139613339363438386534363564626662366266353732383831613735613130666663
- 6464623832646233653332313434303939666633613261640a393132616662326637356263373966
- 30623465363333306430636462653738353737376635393366623162383437343430336163373832
- 3931363133376466330a373565353636353932653436306165303664366539333263626566393436
- 35386366633735373137616238303462616162636362306563343064383764383136
-
-JWT_SECRET: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 36306265373261313533313237653432663230666162373062373166323061373932366434616532
- 6538393830396535633434373530626566316538313732620a636439363632666430613938326164
- 36363432363361653665303965353566623861323331306630316265633430616266363462636362
- 6132636138306335620a393662663431623566663165383362663138356237343063363239353063
- 61336633373963356533396132316432356534373930613434326235346639326634
-