Post-Tyranny-Tech-Infrastru.../ansible/playbooks/260124-configure-diun-watchrepo.yml

---
# Configure Diun to disable watchRepo and add Docker Hub authentication
# This playbook updates all servers to:
# - Only watch specific image tags (not entire repositories) to reduce API calls
# - Add Docker Hub authentication for higher rate limits
#
# Background:
# - watchRepo: true checks ALL tags in a repository (hundreds of API calls)
# - watchRepo: false only checks the specific tag being used (1-2 API calls)
# - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours
#
# Usage:
#   cd ansible/
#   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
#     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml
#
# Or for specific servers:
#   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
#     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \
#     --limit das,uil,vos --private-key "../keys/ssh/das"

- name: Configure Diun watchRepo and Docker Hub authentication
  hosts: all
  become: yes

  vars:
    # Diun base configuration
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false

    # Schedule: Weekly on Monday at 6am UTC (to reduce API calls)
    diun_schedule: "0 6 * * 1"

    # Disable watchRepo - only check the specific tags we're using
    diun_watch_repo: false

    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json

    # Disable email notifications
    diun_email_enabled: false

    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"

    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""

  pre_tasks:
    - name: Gather facts
      setup:

    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"

    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true

  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true

    - name: Set Docker Hub credentials for higher rate limits
      set_fact:
        diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"
        diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"
      no_log: true

    - name: Display configuration summary
      debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)
          - Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}
          - Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}

    - name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth
      template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      notify: Restart Diun

    - name: Restart Diun to apply new configuration
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted

    - name: Wait for Diun to start
      pause:
        seconds: 5

    - name: Check Diun status
      shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false

    - name: Display Diun status
      debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"

    - name: Verify Diun configuration
      shell: docker exec diun cat /diun.yml | grep -E "(watchRepo|regopts)" || echo "Config deployed"
      register: diun_config_check
      changed_when: false

    - name: Display configuration verification
      debug:
        msg: |
          Configuration applied on {{ inventory_hostname }}:
          {{ diun_config_check.stdout }}

  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
feat: Configure Diun with Docker Hub auth and watchRepo control This commit resolves Docker Hub rate limiting issues on all servers by: 1. Adding Docker Hub authentication support to Diun configuration 2. Making watchRepo configurable (disabled to reduce API calls) 3. Creating automation to deploy changes across all 17 servers Changes: - Enhanced diun.yml.j2 template to support: - Configurable watchRepo setting (defaults to true for compatibility) - Docker Hub authentication via regopts when credentials provided - Created 260124-configure-diun-watchrepo.yml playbook to: - Disable watchRepo (only checks specific tags vs entire repo) - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h) - Change schedule to weekly (Monday 6am UTC) - Created configure-diun-all-servers.sh automation script with: - Proper SOPS age key file path handling - Per-server SSH key management - Sequential deployment across all servers - Fixed Authentik OIDC provider meta_launch_url to use client_domain Successfully deployed to all 17 servers (bever, das, egel, haas, kikker, kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-24 13:16:25 +01:00			`---`
			`# Configure Diun to disable watchRepo and add Docker Hub authentication`
			`# This playbook updates all servers to:`
			`# - Only watch specific image tags (not entire repositories) to reduce API calls`
			`# - Add Docker Hub authentication for higher rate limits`
			`#`
			`# Background:`
			`# - watchRepo: true checks ALL tags in a repository (hundreds of API calls)`
			`# - watchRepo: false only checks the specific tag being used (1-2 API calls)`
			`# - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours`
			`#`
			`# Usage:`
			`# cd ansible/`
			`# SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \`
			`# ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml`
			`#`
			`# Or for specific servers:`
			`# SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \`
			`# ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \`
			`# --limit das,uil,vos --private-key "../keys/ssh/das"`

			`- name: Configure Diun watchRepo and Docker Hub authentication`
			`hosts: all`
			`become: yes`

			`vars:`
			`# Diun base configuration`
			`diun_version: "latest"`
			`diun_log_level: "info"`
			`diun_watch_workers: 10`
			`diun_watch_all: true`
			`diun_exclude_containers: []`
			`diun_first_check_notif: false`

			`# Schedule: Weekly on Monday at 6am UTC (to reduce API calls)`
			`diun_schedule: "0 6 * * 1"`

			`# Disable watchRepo - only check the specific tags we're using`
			`diun_watch_repo: false`

			`# Webhook configuration - sends to Matrix via custom webhook`
			`diun_notif_enabled: true`
			`diun_notif_type: webhook`
			`diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"`
			`diun_webhook_method: POST`
			`diun_webhook_headers:`
			`Content-Type: application/json`

			`# Disable email notifications`
			`diun_email_enabled: false`

			`# SMTP defaults (not used when email disabled, but needed for template)`
			`diun_smtp_host: "smtp.eu.mailgun.org"`
			`diun_smtp_port: 587`
			`diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"`
			`diun_smtp_to: "pieter@postxsociety.org"`

			`# Optional notification defaults (unused but needed for template)`
			`diun_slack_webhook_url: ""`
			`diun_matrix_enabled: false`
			`diun_matrix_homeserver_url: ""`
			`diun_matrix_user: ""`
			`diun_matrix_password: ""`
			`diun_matrix_room_id: ""`

			`pre_tasks:`
			`- name: Gather facts`
			`setup:`

			`- name: Determine client name from hostname`
			`set_fact:`
			`client_name: "{{ inventory_hostname }}"`

			`- name: Load client secrets`
			`community.sops.load_vars:`
			`file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"`
			`name: client_secrets`
			`age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"`
			`no_log: true`

			`- name: Load shared secrets`
			`community.sops.load_vars:`
			`file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"`
			`name: shared_secrets`
			`age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"`
			`no_log: true`

			`- name: Merge shared secrets into client_secrets`
			`set_fact:`
			`client_secrets: "{{ client_secrets \| combine(shared_secrets) }}"`
			`no_log: true`

			`tasks:`
			`- name: Set SMTP credentials (required by template even if unused)`
			`set_fact:`
			`diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user \| default('') }}"`
			`diun_smtp_password_final: ""`
			`no_log: true`

			`- name: Set Docker Hub credentials for higher rate limits`
			`set_fact:`
			`diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"`
			`diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"`
			`no_log: true`

			`- name: Display configuration summary`
			`debug:`
			`msg: \|`
			`Configuring Diun on {{ inventory_hostname }}:`
			`- Webhook endpoint: {{ diun_webhook_endpoint }}`
			`- Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}`
			`- Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)`
			`- Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}`
			`- Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}`

			`- name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth`
			`template:`
			`src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"`
			`dest: /opt/docker/diun/diun.yml`
			`mode: '0644'`
			`notify: Restart Diun`

			`- name: Restart Diun to apply new configuration`
			`community.docker.docker_compose_v2:`
			`project_src: /opt/docker/diun`
			`state: restarted`

			`- name: Wait for Diun to start`
			`pause:`
			`seconds: 5`

			`- name: Check Diun status`
			`shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"`
			`register: diun_status`
			`changed_when: false`

			`- name: Display Diun status`
			`debug:`
			`msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"`

			`- name: Verify Diun configuration`
			`shell: docker exec diun cat /diun.yml \| grep -E "(watchRepo\|regopts)" \|\| echo "Config deployed"`
			`register: diun_config_check`
			`changed_when: false`

			`- name: Display configuration verification`
			`debug:`
			`msg: \|`
			`Configuration applied on {{ inventory_hostname }}:`
			`{{ diun_config_check.stdout }}`

			`handlers:`
			`- name: Restart Diun`
			`community.docker.docker_compose_v2:`
			`project_src: /opt/docker/diun`
			`state: restarted`