Post-Tyranny-Tech-Infrastru.../ansible/roles/diun/defaults/main.yml

---
# Diun default configuration
diun_version: "latest"
diun_schedule: "0 6 * * *"  # Daily at 6am UTC
diun_log_level: "info"
diun_watch_workers: 10

# Notification configuration
diun_notif_enabled: true
diun_notif_type: "webhook"  # Options: webhook, slack, discord, email, gotify
diun_webhook_endpoint: ""   # Set per environment or via secrets
diun_webhook_method: "POST"
diun_webhook_headers: {}

# Optional: Slack notification
diun_slack_webhook_url: ""

# Optional: Email notification (Mailgun)
# Note: Uses per-client SMTP credentials from mailgun role
diun_email_enabled: true
diun_smtp_host: "smtp.eu.mailgun.org"
diun_smtp_port: 587
diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
diun_smtp_to: "pieter@postxsociety.org"

# Which containers to watch
diun_watch_all: true
diun_exclude_containers: []

# Don't send notifications on first check (prevents spam on initial run)
diun_first_check_notif: false

# Optional: Matrix notification
diun_matrix_enabled: false
diun_matrix_homeserver_url: ""  # e.g., https://matrix.postxsociety.cloud
diun_matrix_user: ""            # e.g., @diun:matrix.postxsociety.cloud
diun_matrix_password: ""        # Bot user password (if using password auth)
diun_matrix_access_token: ""    # Bot access token (preferred over password)
diun_matrix_room_id: ""         # e.g., !abc123:matrix.postxsociety.cloud
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - edge-traefik: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - nat-gateway: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - diun: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - kuma: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - setup-edge.yml: Configure edge server with proxy and NAT ## Configuration: - host_vars: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:05:51 +01:00			`---`
			`# Diun default configuration`
			`diun_version: "latest"`
feat: Add Nextcloud maintenance automation and cleanup - Add 260124-nextcloud-maintenance.yml playbook for database indices and mimetypes - Add run-maintenance-all-servers.sh script to run maintenance on all servers - Update ansible.cfg with IdentitiesOnly SSH option to prevent auth failures - Remove orphaned SSH keys for deleted servers (black, dev, purple, white, edge) - Remove obsolete edge-traefik and nat-gateway roles - Remove old upgrade playbooks and fix-private-network playbook - Update host_vars for egel, ree, zwaan - Update diun webhook configuration Successfully ran maintenance on all 17 active servers: - Database indices optimized - Mimetypes updated (145-157 new types on most servers) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-24 12:44:54 +01:00			`diun_schedule: "0 6 * * *" # Daily at 6am UTC`
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - edge-traefik: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - nat-gateway: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - diun: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - kuma: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - setup-edge.yml: Configure edge server with proxy and NAT ## Configuration: - host_vars: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:05:51 +01:00			`diun_log_level: "info"`
			`diun_watch_workers: 10`

			`# Notification configuration`
			`diun_notif_enabled: true`
			`diun_notif_type: "webhook" # Options: webhook, slack, discord, email, gotify`
			`diun_webhook_endpoint: "" # Set per environment or via secrets`
			`diun_webhook_method: "POST"`
			`diun_webhook_headers: {}`

			`# Optional: Slack notification`
			`diun_slack_webhook_url: ""`

			`# Optional: Email notification (Mailgun)`
			`# Note: Uses per-client SMTP credentials from mailgun role`
			`diun_email_enabled: true`
			`diun_smtp_host: "smtp.eu.mailgun.org"`
			`diun_smtp_port: 587`
			`diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"`
			`diun_smtp_to: "pieter@postxsociety.org"`

			`# Which containers to watch`
			`diun_watch_all: true`
			`diun_exclude_containers: []`
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-23 20:36:31 +01:00
feat: Add Nextcloud maintenance automation and cleanup - Add 260124-nextcloud-maintenance.yml playbook for database indices and mimetypes - Add run-maintenance-all-servers.sh script to run maintenance on all servers - Update ansible.cfg with IdentitiesOnly SSH option to prevent auth failures - Remove orphaned SSH keys for deleted servers (black, dev, purple, white, edge) - Remove obsolete edge-traefik and nat-gateway roles - Remove old upgrade playbooks and fix-private-network playbook - Update host_vars for egel, ree, zwaan - Update diun webhook configuration Successfully ran maintenance on all 17 active servers: - Database indices optimized - Mimetypes updated (145-157 new types on most servers) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-24 12:44:54 +01:00			`# Don't send notifications on first check (prevents spam on initial run)`
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-23 20:36:31 +01:00			`diun_first_check_notif: false`
fix: Correct docker_compose_v2 pull parameter syntax 2026-01-23 21:13:49 +01:00
			`# Optional: Matrix notification`
			`diun_matrix_enabled: false`
			`diun_matrix_homeserver_url: "" # e.g., https://matrix.postxsociety.cloud`
			`diun_matrix_user: "" # e.g., @diun:matrix.postxsociety.cloud`
			`diun_matrix_password: "" # Bot user password (if using password auth)`
			`diun_matrix_access_token: "" # Bot access token (preferred over password)`
			`diun_matrix_room_id: "" # e.g., !abc123:matrix.postxsociety.cloud`