Post-Tyranny-Tech-Infrastru.../ansible/roles/diun/templates/diun.yml.j2

---
# Diun configuration for {{ inventory_hostname }}
# Documentation: https://crazymax.dev/diun/

db:
  path: /data/diun.db

watch:
  workers: {{ diun_watch_workers }}
  schedule: "{{ diun_schedule }}"
  firstCheckNotif: {{ diun_first_check_notif | lower }}

defaults:
  watchRepo: {{ diun_watch_repo | default(true) | lower }}
  notifyOn:
    - new
    - update

{% if diun_docker_hub_username is defined and diun_docker_hub_password is defined %}
regopts:
  - selector: image
    username: {{ diun_docker_hub_username }}
    password: {{ diun_docker_hub_password }}
{% endif %}

providers:
  docker:
    watchByDefault: {{ diun_watch_all | lower }}
{% if diun_exclude_containers | length > 0 %}
    excludeContainers:
{% for container in diun_exclude_containers %}
      - {{ container }}
{% endfor %}
{% endif %}

notif:
{% if diun_notif_enabled and diun_notif_type == 'webhook' and diun_webhook_endpoint %}
  webhook:
    endpoint: {{ diun_webhook_endpoint }}
    method: {{ diun_webhook_method }}
    timeout: 10s
{% if diun_webhook_headers | length > 0 %}
    headers:
{% for key, value in diun_webhook_headers.items() %}
      {{ key }}: {{ value }}
{% endfor %}
{% endif %}
{% endif %}

{% if diun_slack_webhook_url %}
  slack:
    webhookURL: {{ diun_slack_webhook_url }}
{% endif %}

{% if diun_email_enabled and diun_smtp_username_final is defined and diun_smtp_password_final is defined and diun_smtp_password_final != '' %}
  mail:
    host: {{ diun_smtp_host }}
    port: {{ diun_smtp_port }}
    ssl: false
    insecureSkipVerify: false
    username: {{ diun_smtp_username_final }}
    password: {{ diun_smtp_password_final }}
    from: {{ diun_smtp_from }}
    to: {{ diun_smtp_to }}
{% endif %}

{% if diun_matrix_enabled and diun_matrix_homeserver_url and diun_matrix_user and diun_matrix_room_id %}
  matrix:
    homeserverURL: {{ diun_matrix_homeserver_url }}
    user: "{{ diun_matrix_user }}"
{% if diun_matrix_access_token %}
    accessToken: {{ diun_matrix_access_token }}
{% elif diun_matrix_password %}
    password: "{{ diun_matrix_password }}"
{% endif %}
    roomID: "{{ diun_matrix_room_id }}"
{% endif %}
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - edge-traefik: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - nat-gateway: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - diun: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - kuma: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - setup-edge.yml: Configure edge server with proxy and NAT ## Configuration: - host_vars: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:05:51 +01:00			`---`
			`# Diun configuration for {{ inventory_hostname }}`
			`# Documentation: https://crazymax.dev/diun/`

			`db:`
			`path: /data/diun.db`

			`watch:`
			`workers: {{ diun_watch_workers }}`
			`schedule: "{{ diun_schedule }}"`
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-23 20:36:31 +01:00			`firstCheckNotif: {{ diun_first_check_notif \| lower }}`
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - edge-traefik: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - nat-gateway: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - diun: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - kuma: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - setup-edge.yml: Configure edge server with proxy and NAT ## Configuration: - host_vars: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:05:51 +01:00
			`defaults:`
feat: Configure Diun with Docker Hub auth and watchRepo control This commit resolves Docker Hub rate limiting issues on all servers by: 1. Adding Docker Hub authentication support to Diun configuration 2. Making watchRepo configurable (disabled to reduce API calls) 3. Creating automation to deploy changes across all 17 servers Changes: - Enhanced diun.yml.j2 template to support: - Configurable watchRepo setting (defaults to true for compatibility) - Docker Hub authentication via regopts when credentials provided - Created 260124-configure-diun-watchrepo.yml playbook to: - Disable watchRepo (only checks specific tags vs entire repo) - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h) - Change schedule to weekly (Monday 6am UTC) - Created configure-diun-all-servers.sh automation script with: - Proper SOPS age key file path handling - Per-server SSH key management - Sequential deployment across all servers - Fixed Authentik OIDC provider meta_launch_url to use client_domain Successfully deployed to all 17 servers (bever, das, egel, haas, kikker, kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-24 13:16:25 +01:00			`watchRepo: {{ diun_watch_repo \| default(true) \| lower }}`
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - edge-traefik: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - nat-gateway: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - diun: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - kuma: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - setup-edge.yml: Configure edge server with proxy and NAT ## Configuration: - host_vars: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:05:51 +01:00			`notifyOn:`
			`- new`
			`- update`

feat: Configure Diun with Docker Hub auth and watchRepo control This commit resolves Docker Hub rate limiting issues on all servers by: 1. Adding Docker Hub authentication support to Diun configuration 2. Making watchRepo configurable (disabled to reduce API calls) 3. Creating automation to deploy changes across all 17 servers Changes: - Enhanced diun.yml.j2 template to support: - Configurable watchRepo setting (defaults to true for compatibility) - Docker Hub authentication via regopts when credentials provided - Created 260124-configure-diun-watchrepo.yml playbook to: - Disable watchRepo (only checks specific tags vs entire repo) - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h) - Change schedule to weekly (Monday 6am UTC) - Created configure-diun-all-servers.sh automation script with: - Proper SOPS age key file path handling - Per-server SSH key management - Sequential deployment across all servers - Fixed Authentik OIDC provider meta_launch_url to use client_domain Successfully deployed to all 17 servers (bever, das, egel, haas, kikker, kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-24 13:16:25 +01:00			`{% if diun_docker_hub_username is defined and diun_docker_hub_password is defined %}`
			`regopts:`
			`- selector: image`
			`username: {{ diun_docker_hub_username }}`
			`password: {{ diun_docker_hub_password }}`
			`{% endif %}`

feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - edge-traefik: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - nat-gateway: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - diun: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - kuma: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - setup-edge.yml: Configure edge server with proxy and NAT ## Configuration: - host_vars: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:05:51 +01:00			`providers:`
			`docker:`
			`watchByDefault: {{ diun_watch_all \| lower }}`
			`{% if diun_exclude_containers \| length > 0 %}`
			`excludeContainers:`
			`{% for container in diun_exclude_containers %}`
			`- {{ container }}`
			`{% endfor %}`
			`{% endif %}`

			`notif:`
			`{% if diun_notif_enabled and diun_notif_type == 'webhook' and diun_webhook_endpoint %}`
			`webhook:`
			`endpoint: {{ diun_webhook_endpoint }}`
			`method: {{ diun_webhook_method }}`
			`timeout: 10s`
			`{% if diun_webhook_headers \| length > 0 %}`
			`headers:`
			`{% for key, value in diun_webhook_headers.items() %}`
			`{{ key }}: {{ value }}`
			`{% endfor %}`
			`{% endif %}`
			`{% endif %}`

			`{% if diun_slack_webhook_url %}`
			`slack:`
			`webhookURL: {{ diun_slack_webhook_url }}`
			`{% endif %}`

			`{% if diun_email_enabled and diun_smtp_username_final is defined and diun_smtp_password_final is defined and diun_smtp_password_final != '' %}`
			`mail:`
			`host: {{ diun_smtp_host }}`
			`port: {{ diun_smtp_port }}`
			`ssl: false`
			`insecureSkipVerify: false`
			`username: {{ diun_smtp_username_final }}`
			`password: {{ diun_smtp_password_final }}`
			`from: {{ diun_smtp_from }}`
			`to: {{ diun_smtp_to }}`
			`{% endif %}`
fix: Correct docker_compose_v2 pull parameter syntax 2026-01-23 21:13:49 +01:00
			`{% if diun_matrix_enabled and diun_matrix_homeserver_url and diun_matrix_user and diun_matrix_room_id %}`
			`matrix:`
			`homeserverURL: {{ diun_matrix_homeserver_url }}`
			`user: "{{ diun_matrix_user }}"`
			`{% if diun_matrix_access_token %}`
			`accessToken: {{ diun_matrix_access_token }}`
			`{% elif diun_matrix_password %}`
			`password: "{{ diun_matrix_password }}"`
			`{% endif %}`
			`roomID: "{{ diun_matrix_room_id }}"`
			`{% endif %}`