Make mastodon available in tor

It's not ready to forward any requests.

README.md

@@ -1,20 +1,3 @@
 # Home server configuration
 
 Available at [comfycamp.space](https://comfycamp.space).
-
-## Ports
-
-| Number        | Protocol | Service            | Public URL                                         |
-| ---           | ---      | ---                | ---                                                |
-| 3000          |          | Mastodon           | [m.comfycamp.space](https://m.comfycamp.space)     |
-| 3001          |          | Mastodon streaming |                                                    |
-| 3002          |          | Vaultwarden        |                                                    |
-| 3003          |          | Minio console      |                                                    |
-| 3004          |          | Forgejo            | [git.comfycamp.space](https://git.comfycamp.space) |
-| 3005          |          | Synapse            |                                                    |
-| 3006          |          | Comfycamp          | [comfycamp.space](https://comfycamp.space)         |
-| 3478          | tcp/udp  | Coturn             |                                                    |
-| 8022          |          | Forgejo SSH        |                                                    |
-| 8448          |          | Synapse/Haproxy    |                                                    |
-| 9000          |          | Minio              |                                                    |
-| 49152 - 65535 | udp      | Coturn             |                                                    |

comfycamp.yml

@@ -2,6 +2,6 @@
 - hosts: webservers
   roles:
     - name: comfycamp
-      postgresql_password: "{{ comfycamp_postgresql_password }}"
+      postgresql_password: "{{ postgresql_users.comfycamp }}"
       jwt_secret: "{{ comfycamp_jwt_secret }}"
       secret_key_base: "{{ comfycamp_secret_key_base }}"

forgejo.yml

@@ -2,8 +2,8 @@
 - hosts: webservers
   roles:
     - role: forgejo
-      postgresql_password: "{{ forgejo_postgresql_password }}"
-      smtp_password: "{{ forgejo_smtp_password }}"
+      postgresql_password: "{{ postgresql_users.forgejo }}"
+      smtp_password: "{{ mail_users['forgejo@comfycamp.space'] }}"
       oauth2_jwt_secret: "{{ forgejo_oauth2_jwt_secret }}"
       internal_token: "{{ forgejo_internal_token }}"
       secret_key: "{{ forgejo_secret_key }}"

mail.yml

@@ -0,0 +1,5 @@
+---
+- hosts: webservers
+  roles:
+    - role: mail
+      users: "{{ mail_users }}"

mastodon.yml

@@ -2,10 +2,13 @@
 - hosts: webservers
   roles:
     - role: mastodon
-      vapid_public_key: "{{ mastodon_vapid_public_key }}"
-      vapid_private_key: "{{ mastodon_vapid_private_key }}"
-      db_pass: "{{ mastodon_postgresql_password }}"
-      otp_secret: "{{ mastodon_otp_secret }}"
-      secret_key_base: "{{ mastodon_secret_key_base }}"
-      smtp_password: "{{ mastodon_smtp_password }}"
-      aws_secret_access_key: "{{ mastodon_aws_secret_access_key }}"
+      vapid_public_key: "{{ mastodon.vapid_public_key }}"
+      vapid_private_key: "{{ mastodon.vapid_private_key }}"
+      db_pass: "{{ postgresql_users.mastodon }}"
+      otp_secret: "{{ mastodon.otp_secret }}"
+      secret_key_base: "{{ mastodon.secret_key_base }}"
+      smtp_password: "{{ mail_users['mastodon@comfycamp.space'] }}"
+      aws_secret_access_key: "{{ mastodon.aws_secret_access_key }}"
+      active_record_encryption_deterministic_key: "{{ mastodon.active_record_encryption_deterministic_key }}"
+      active_record_encryption_key_derivation_salt: "{{ mastodon.active_record_encryption_key_derivation_salt  }}"
+      active_record_encryption_primary_key: "{{ mastodon.active_record_encryption_primary_key }}"

postgresql.yml

@@ -2,10 +2,5 @@
 - hosts: webservers
   roles:
     - role: postgresql
-      postgres_password: "{{ postgres_password }}"
-      users:
-        mastodon: "{{ mastodon_postgresql_password }}"
-        vaultwarden: "{{ vaultwarden_postgresql_password }}"
-        forgejo: "{{ forgejo_postgresql_password }}"
-        matrix-synapse: "{{ synapse_postgresql_password }}"
-        comfycamp: "{{ comfycamp_postgresql_password }}"
+      postgres_password: "{{ postgresql_users.postgres }}"
+      users: "{{ postgresql_users }}"

roles/comfycamp/tasks/main.yml

@@ -22,6 +22,7 @@
     env_file: /etc/comfycamp/.env
     networks:
       - name: postgresql
+      - name: haproxy
     ports:
       - 127.0.0.1:3006:4000
     restart_policy: unless-stopped

roles/forgejo/tasks/forgejo.yml

@@ -26,6 +26,7 @@
       - name: postgresql
       - name: redis-forgejo
       - name: minio
+      - name: haproxy
     volumes:
       - forgejo:/data
       - /etc/timezone:/etc/timezone:ro

roles/haproxy/files/errors/400.http

@@ -0,0 +1,8 @@
+HTTP/1.0 400 Bad request
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>400 Bad request</h1>
+Your browser sent an invalid request.
+</body></html>

roles/haproxy/files/errors/403.http

@@ -0,0 +1,8 @@
+HTTP/1.0 403 Forbidden
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>403 Forbidden</h1>
+Request forbidden by administrative rules.
+</body></html>

roles/haproxy/files/errors/408.http

@@ -0,0 +1,8 @@
+HTTP/1.0 408 Request Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>408 Request Time-out</h1>
+Your browser didn't send a complete request in time.
+</body></html>

roles/haproxy/files/errors/500.http

@@ -0,0 +1,8 @@
+HTTP/1.0 500 Internal Server Error
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>500 Internal Server Error</h1>
+An internal server error occurred.
+</body></html>

roles/haproxy/files/errors/502.http

@@ -0,0 +1,8 @@
+HTTP/1.0 502 Bad Gateway
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>502 Bad Gateway</h1>
+The server returned an invalid or incomplete response.
+</body></html>

roles/haproxy/files/errors/503.http

@@ -0,0 +1,8 @@
+HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>503 Service Unavailable</h1>
+No server is available to handle this request.
+</body></html>

roles/haproxy/files/errors/504.http

@@ -0,0 +1,8 @@
+HTTP/1.0 504 Gateway Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>504 Gateway Time-out</h1>
+The server didn't respond in time.
+</body></html>

roles/haproxy/files/haproxy.cfg

@@ -1,16 +1,8 @@
 global
-	log /dev/log	local0
-	log /dev/log	local1 notice
-	chroot /var/lib/haproxy
-	stats socket /run/haproxy/admin.sock mode 660 level admin
-	stats timeout 30s
+	log /dev/stderr	local0
+	log /dev/stderr	local1 notice
 	user haproxy
 	group haproxy
-	daemon
-
-	# Default SSL material locations
-	ca-base /etc/ssl/certs
-	crt-base /etc/ssl/private
 
 	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
@@ -25,23 +17,26 @@ defaults
         timeout connect 5000
         timeout client  50000
         timeout server  50000
-	errorfile 400 /etc/haproxy/errors/400.http
-	errorfile 403 /etc/haproxy/errors/403.http
-	errorfile 408 /etc/haproxy/errors/408.http
-	errorfile 500 /etc/haproxy/errors/500.http
-	errorfile 502 /etc/haproxy/errors/502.http
-	errorfile 503 /etc/haproxy/errors/503.http
-	errorfile 504 /etc/haproxy/errors/504.http
+	errorfile 400 /usr/local/etc/haproxy/errors/400.http
+	errorfile 403 /usr/local/etc/haproxy/errors/403.http
+	errorfile 408 /usr/local/etc/haproxy/errors/408.http
+	errorfile 500 /usr/local/etc/haproxy/errors/500.http
+	errorfile 502 /usr/local/etc/haproxy/errors/502.http
+	errorfile 503 /usr/local/etc/haproxy/errors/503.http
+	errorfile 504 /usr/local/etc/haproxy/errors/504.http
 
 frontend www
     mode http
     bind :80
-    bind :443 ssl crt /etc/haproxy/certs
-    http-request redirect scheme https unless { ssl_fc }
+    bind :443 ssl crt /usr/local/etc/haproxy/certs
+
+    acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion
+
+    http-request redirect scheme https if !{ ssl_fc } !host_mastodon_tor
     http-request set-header X-Forwarded-Proto https if { ssl_fc }
     http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 
-    acl acl_mastodon hdr(host) -i m.comfycamp.space
+    acl host_mastodon hdr(host) -i m.comfycamp.space
     acl acl_s3 hdr(host) -i s3.comfycamp.space
     acl acl_comfycamp hdr(host) -i comfycamp.space
     acl acl_vaultwarden hdr(host) -i vault.comfycamp.space
@@ -52,8 +47,9 @@ frontend www
     acl matrix-path path_beg /_matrix
     acl matrix-path path_beg /_synapse/client
 
-    use_backend mastodon_streaming if acl_mastodon { path_beg /api/v1/streaming }
-    use_backend mastodon if acl_mastodon
+    use_backend mastodon_streaming if host_mastodon { path_beg /api/v1/streaming }
+    use_backend mastodon_streaming if host_mastodon_tor { path_beg /api/v1/streaming }
+    use_backend mastodon if host_mastodon || host_mastodon_tor
     use_backend minio if acl_s3
     use_backend matrix if matrix-host matrix-path
     use_backend minio_console if acl_minio
@@ -62,7 +58,7 @@ frontend www
     use_backend forgejo if acl_git
 
 frontend matrix-federation
-    bind *:8448 ssl crt /etc/haproxy/certs
+    bind *:8448 ssl crt /usr/local/etc/haproxy/certs
     http-request set-header X-Forwarded-Proto https if { ssl_fc }
     http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 
@@ -70,42 +66,44 @@ frontend matrix-federation
 
 backend comfycamp
     mode http
-    server green 127.0.0.1:3006 check
+    server green comfycamp:4000 check
 
 backend mastodon
     mode http
     option forwardfor
-    server green 127.0.0.1:3000 check
+    http-response set-header Referrer-Policy same-origin
+    http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri]
+    server green mastodon-web:3000 check
 
 backend mastodon_streaming
     mode http
     option forwardfor
     option http-server-close
     timeout tunnel 1h
-    server green 127.0.0.1:3001 check
+    server green mastodon-streaming:4000 check
 
 backend vaultwarden
     mode http
     option forwardfor
-    server green 127.0.0.1:3002 check
+    server green vaultwarden:80 check
 
 backend minio_console
     mode http
     option forwardfor
-    server green 127.0.0.1:3003 check
+    server green minio:9001 check
 
 backend minio
     mode http
     http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space
     option forwardfor
-    server green 127.0.0.1:9000 check
+    server green minio:9000 check
 
 backend forgejo
     mode http
     option forwardfor
-    server green 127.0.0.1:3004 check
+    server green forgejo:3000 check
 
 backend matrix
     mode http
     option forwardfor
-    server matrix 127.0.0.1:3005
+    server matrix synapse:8008

roles/haproxy/tasks/main.yml

@@ -1,18 +1,69 @@
 ---
-- name: Install haproxy
+- name: Create haproxy docker network
   become: true
-  ansible.builtin.apt:
+  community.docker.docker_network:
     name: haproxy
+- name: Create haproxy dirs
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "1755"
+    owner: root
+    group: root
+  loop:
+    - /etc/haproxy
+    - /etc/haproxy/errors
+- name: Copy haproxy config to a temporary location
+  become: true
+  ansible.builtin.copy:
+    src: haproxy.cfg
+    dest: /tmp/haproxy.cfg
+- name: Validate haproxy config
+  become: true
+  community.docker.docker_container:
+    name: haproxy-config-test
+    image: "{{ haproxy_image }}"
+    command: haproxy -c -f /tmp/haproxy.cfg
+    networks:
+      - name: haproxy
+    volumes:
+      - /tmp/haproxy.cfg:/tmp/haproxy.cfg
+      - /etc/haproxy/certs:/usr/local/etc/haproxy/certs:ro
+    detach: no
+- name: Remove temporary container
+  become: true
+  community.docker.docker_container:
+    name: haproxy-config-test
+    state: absent
 - name: Copy haproxy config
   become: true
   ansible.builtin.copy:
     src: haproxy.cfg
     dest: /etc/haproxy/haproxy.cfg
-    validate: /usr/sbin/haproxy -f %s -c
   register: haproxy
+- name: Copy errors
+  become: true
+  ansible.builtin.copy:
+    src: errors/{{ item }}.http
+    dest: /etc/haproxy/errors/{{ item }}.http
+  loop: [400, 403, 408, 500, 502, 503, 504]
+- name: Create haproxy container
+  become: true
+  community.docker.docker_container:
+    name: haproxy
+    image: "{{ haproxy_image }}"
+    networks:
+      - name: haproxy
+    volumes:
+      - /etc/haproxy:/usr/local/etc/haproxy:ro
+    sysctls:
+      net.ipv4.ip_unprivileged_port_start: 0
+    ports:
+      - 80:80
+      - 443:443
+    restart_policy: unless-stopped
 - name: Reload haproxy
   become: true
   when: haproxy.changed
-  ansible.builtin.systemd_service:
-    name: haproxy
-    state: reloaded
+  ansible.builtin.shell: docker kill -s HUP haproxy

roles/haproxy/vars/main.yml

@@ -0,0 +1 @@
+haproxy_image: haproxy:3.0-bookworm

roles/mail/tasks/main.yml

@@ -0,0 +1,71 @@
+---
+- name: Create mail network
+  become: true
+  community.docker.docker_network:
+    name: mail
+- name: Create maddy volume
+  become: true
+  community.docker.docker_volume:
+    name: maddy
+- name: Copy maddy config
+  become: true
+  ansible.builtin.template:
+    src: maddy.conf.j2
+    dest: /var/lib/docker/volumes/maddy/_data/maddy.conf
+  register: maddy_conf
+- name: Run maddy
+  become: true
+  community.docker.docker_container:
+    name: maddy
+    image: foxcpp/maddy:0.7.1
+    networks:
+      - name: mail
+    env:
+      MADDY_HOSTNAME: mail.comfycamp.space
+      MADDY_DOMAIN: comfycamp.space
+    ports:
+      - 25:25
+      - 143:143
+      - 465:465
+      - 587:587
+      - 993:993
+    volumes:
+      - maddy:/data
+      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/etc/tls/fullchain.pem:ro
+      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/etc/tls/privkey.pem:ro
+    recreate: "{{ maddy_conf.changed }}"
+- name: Get users
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["maddy", "creds", "list"]
+  register: maddy_users
+- name: Create users
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["sh", "-c", "echo '{{ item.value }}' | maddy creds create {{ item.key }}"]
+  when: not item.key in maddy_users.stdout
+  no_log: True
+  loop: "{{ users | dict2items }}"
+- name: Update passwords
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["sh", "-c", "echo '{{ item.value }}' | maddy creds password {{ item.key }}"]
+  no_log: True
+  loop: "{{ users | dict2items }}"
+- name: Get imap accounts
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["maddy", "imap-acct", "list"]
+  register: maddy_imap_accounts
+- name: Create imap accounts
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["maddy", "imap-acct", "create", "{{ item.key }}"]
+  when: not item.key in maddy_imap_accounts.stdout
+  no_log: True
+  loop: "{{ users | dict2items }}"

roles/mail/templates/maddy.conf.j2

@@ -0,0 +1,175 @@
+## Maddy Mail Server
+
+# Base variables
+
+$(hostname) = {env:MADDY_HOSTNAME}
+$(primary_domain) = {env:MADDY_DOMAIN}
+$(local_domains) = $(primary_domain)
+
+#        public                 private
+tls file /etc/tls/fullchain.pem /etc/tls/privkey.pem
+
+# Local storage & authentication
+
+# pass_table provides local hashed passwords storage for authentication of
+# users. It can be configured to use any "table" module, in default
+# configuration a table in SQLite DB is used.
+# Table can be replaced to use e.g. a file for passwords. Or pass_table module
+# can be replaced altogether to use some external source of credentials (e.g.
+# PAM, /etc/shadow file).
+#
+# If table module supports it (sql_table does) - credentials can be managed
+# using 'maddy creds' command.
+
+auth.pass_table local_authdb {
+    table sql_table {
+        driver sqlite3
+        dsn credentials.db
+        table_name passwords
+    }
+}
+
+# imapsql module stores all indexes and metadata necessary for IMAP using a
+# relational database. It is used by IMAP endpoint for mailbox access and
+# also by SMTP & Submission endpoints for delivery of local messages.
+#
+# IMAP accounts, mailboxes and all message metadata can be inspected using
+# imap-* subcommands of maddy.
+
+storage.imapsql local_mailboxes {
+    driver sqlite3
+    dsn imapsql.db
+}
+
+# ----------------------------------------------------------------------------
+# SMTP endpoints + message routing
+
+hostname $(hostname)
+
+table.chain local_rewrites {
+    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+    optional_step static {
+        entry postmaster postmaster@$(primary_domain)
+    }
+    optional_step file /etc/maddy/aliases
+}
+
+msgpipeline local_routing {
+    # Insert handling for special-purpose local domains here.
+    # e.g.
+    # destination lists.example.org {
+    #     deliver_to lmtp tcp://127.0.0.1:8024
+    # }
+
+    destination postmaster $(local_domains) {
+        modify {
+            replace_rcpt &local_rewrites
+        }
+
+        deliver_to &local_mailboxes
+    }
+
+    default_destination {
+        reject 550 5.1.1 "User doesn't exist"
+    }
+}
+
+smtp tcp://0.0.0.0:25 {
+    limits {
+        # Up to 20 msgs/sec across max. 10 SMTP connections.
+        all rate 20 1s
+        all concurrency 10
+    }
+
+    dmarc yes
+    check {
+        require_mx_record
+        dkim
+        spf
+    }
+
+    source $(local_domains) {
+        reject 501 5.1.8 "Use Submission for outgoing SMTP"
+    }
+    default_source {
+        destination postmaster $(local_domains) {
+            deliver_to &local_routing
+        }
+        default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+        }
+    }
+}
+
+submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+    limits {
+        # Up to 50 msgs/sec across any amount of SMTP connections.
+        all rate 50 1s
+    }
+
+    auth &local_authdb
+
+    source $(local_domains) {
+        check {
+            authorize_sender {
+                prepare_email &local_rewrites
+                user_to_email identity
+            }
+        }
+
+        destination postmaster $(local_domains) {
+            deliver_to &local_routing
+        }
+        default_destination {
+            modify {
+                dkim $(primary_domain) $(local_domains) default
+            }
+            deliver_to &remote_queue
+        }
+    }
+    default_source {
+        reject 501 5.1.8 "Non-local sender domain"
+    }
+}
+
+target.remote outbound_delivery {
+    limits {
+        # Up to 20 msgs/sec across max. 10 SMTP connections
+        # for each recipient domain.
+        destination rate 20 1s
+        destination concurrency 10
+    }
+    mx_auth {
+        dane
+        mtasts {
+            cache fs
+            fs_dir mtasts_cache/
+        }
+        local_policy {
+            min_tls_level encrypted
+            min_mx_level none
+        }
+    }
+}
+
+target.queue remote_queue {
+    target &outbound_delivery
+
+    autogenerated_msg_domain $(primary_domain)
+    bounce {
+        destination postmaster $(local_domains) {
+            deliver_to &local_routing
+        }
+        default_destination {
+            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+        }
+    }
+}
+
+# ----------------------------------------------------------------------------
+# IMAP endpoints
+
+imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+    auth &local_authdb
+    storage &local_mailboxes
+}

roles/mail/vars/main.yml

@@ -0,0 +1 @@
+users: {}

roles/mastodon/tasks/mastodon.yml

@@ -23,13 +23,14 @@
   become: true
   community.docker.docker_container:
     name: mastodon-web
-    image: ghcr.io/mastodon/mastodon:v4.2.12
+    image: ghcr.io/mastodon/mastodon:{{ version }}
     env_file: /etc/mastodon/.env
     command: ["bundle", "exec", "puma", "-C", "config/puma.rb"]
     networks:
       - name: redis-mastodon
       - name: postgresql
       - name: minio
+      - name: haproxy
     ports:
       - 127.0.0.1:3000:3000
     volumes:
@@ -39,12 +40,13 @@
   become: true
   community.docker.docker_container:
     name: mastodon-streaming
-    image: ghcr.io/mastodon/mastodon-streaming:nightly.2024-08-19
+    image: ghcr.io/mastodon/mastodon-streaming:{{ version }}
     env_file: /etc/mastodon/.env
     command: ["node", "./streaming/index.js"]
     networks:
       - name: redis-mastodon
       - name: postgresql
+      - name: haproxy
     ports:
       - 127.0.0.1:3001:4000
     restart_policy: unless-stopped
@@ -52,7 +54,7 @@
   become: true
   community.docker.docker_container:
     name: mastodon-sidekiq
-    image: ghcr.io/mastodon/mastodon:v4.2.12
+    image: ghcr.io/mastodon/mastodon:{{ version }}
     env_file: /etc/mastodon/.env
     command: ["bundle", "exec", "sidekiq"]
     networks:

roles/mastodon/templates/mastodon.env.j2

@@ -1,4 +1,5 @@
 LOCAL_DOMAIN={{ local_domain }}
+ALTERNATE_DOMAINS=mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion
 
 REDIS_HOST=redis-mastodon
 REDIS_PORT=6379
@@ -32,3 +33,7 @@ AWS_SECRET_ACCESS_KEY={{ aws_secret_access_key }}
 
 S3_PROTOCOL=https
 S3_HOSTNAME={{ s3_hostname }}
+
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ active_record_encryption_deterministic_key }}
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ active_record_encryption_key_derivation_salt }}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ active_record_encryption_primary_key }}

roles/mastodon/vars/main.yml

@@ -1,3 +1,5 @@
+version: v4.3.0
+
 local_domain: m.comfycamp.space
 
 vapid_public_key: change_me

roles/minio/tasks/main.yml

@@ -15,6 +15,7 @@
     command: ["minio", "server", "--console-address", ":9001"]
     networks:
       - name: minio
+      - name: haproxy
     volumes:
       - minio:/data
     ports:

roles/postgresql/files/create-user.sql

@@ -4,7 +4,7 @@ BEGIN
     IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = username) THEN
         EXECUTE format('CREATE ROLE %I LOGIN PASSWORD %L', username, passwd);
     ELSE
-        RAISE NOTICE 'User % already exists.', username;
+        EXECUTE format('ALTER ROLE %I WITH PASSWORD %L', username, passwd);
     END IF;
 END;
 \$\$ LANGUAGE plpgsql;

roles/postgresql/tasks/main.yml

@@ -28,7 +28,7 @@
     env:
       POSTGRES_USER: postgres
       POSTGRES_DB: postgres
-      POSTGRES_PASSWORD: "{{ postgres_password }}"
+      POSTGRES_PASSWORD: "{{ users.postgres }}"
     restart_policy: unless-stopped
     recreate: "{{ pgconf.changed }}"
 - name: Create a function to manage users
@@ -50,3 +50,10 @@
   no_log: True
   loop:
     "{{ users | dict2items }}"
+- name: Create databases
+  become: true
+  community.docker.docker_container_exec:
+    container: postgresql
+    argv: ["sh", "-c", "createdb {{ item.key }} -O {{ item.key }} -U postgres || exit 0"]
+  no_log: True
+  loop: "{{ users | dict2items }}"

roles/postgresql/vars/main.yml

@@ -1,2 +1,2 @@
 postgres_password: change_me
-users: []
+users: {}

roles/synapse/tasks/synapse.yml

@@ -41,6 +41,7 @@
       SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml
     networks:
       - name: postgresql
+      - name: haproxy
     ports:
       - 127.0.0.1:3005:8008/tcp
     restart_policy: unless-stopped

roles/tls/tasks/main.yml

@@ -32,7 +32,9 @@
   ansible.builtin.file:
     path: /etc/haproxy/certs
     state: directory
-    mode: '1750'
+    mode: '1700'
+    owner: "99"
+    group: "99"
 - name: Combine certificate and private key
   become: true
   ansible.builtin.shell:

roles/tor/docker/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.20.3
+
+RUN apk update && apk add tor
+RUN apk add lyrebird --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing
+
+USER tor
+
+ENTRYPOINT ["tor"]
+CMD ["-f", "/etc/tor/torrc"]

roles/tor/files/mastodon/hostname

@@ -0,0 +1 @@
+mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion

roles/tor/files/mastodon/hs_ed25519_secret_key

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+61396332323030333966396133656338343630386661646431393233313061633436656138356264
+3666343065366430303331333733383535646133373964370a353666666535386261346632313838
+39393637333937383934393131636432653730373639653737623066633737323665326530366334
+3235663166373338320a616365626364306333396263396462633334663037626538646333643439
+38383632373537626537646134663532323633616638636166393335303130666565636234373266
+65343932316465306139336365373539356161616166323930383466353430366465376336393535
+61363863386436393530373434656435626430366263346262386439336263323765313333396137
+32326334383364653838326436386561623264626335643434626663663236633730306437373766
+65613939666433383732363634656437346432323339396161386630313562336332

roles/tor/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+- name: Create tor directories
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "1700"
+    owner: 100
+  loop:
+    - /etc/tor
+    - /var/lib/tor
+    - /var/lib/tor/mastodon
+- name: Copy tor config
+  become: true
+  ansible.builtin.template:
+    src: torrc.j2
+    dest: /etc/tor/torrc
+    owner: 100
+    mode: "0600"
+  register: torrc
+- name: Copy tor files
+  become: true
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /var/lib/tor/{{ item }}
+    owner: 100
+    mode: "0600"
+  loop:
+    - mastodon/hostname
+    - mastodon/hs_ed25519_public_key
+    - mastodon/hs_ed25519_secret_key
+  register: tor_files
+- name: Create tor network
+  become: true
+  community.docker.docker_network:
+    name: tor
+- name: Run tor container
+  become: true
+  community.docker.docker_container:
+    name: tor
+    image: git.comfycamp.space/lumin/homelab-tor:v0.0.2
+    networks:
+      - name: tor
+      - name: haproxy
+    volumes:
+      - /etc/tor:/etc/tor:ro
+      - /var/lib/tor:/var/lib/tor
+    restart_policy: unless-stopped
+    recreate: "{{ torrc.changed or tor_files.changed }}"

roles/tor/templates/torrc.j2

@@ -0,0 +1,192 @@
+## Configuration file for a typical Tor user
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## https://www.torproject.org/docs/faq#torrc
+
+## Tor opens a socks proxy on port 9050 by default -- even if you don't
+## configure one below. Set "SocksPort 0" if you plan to run Tor only
+## as a relay, and not make any local application connections yourself.
+#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
+SocksPort 0.0.0.0:9100 # Bind to this address:port too.
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests that reach a SocksPort. Untrusted users who
+## can access your SocksPort may be able to learn about the connections
+## you make.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+Log notice stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+#RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
+#CookieAuthentication 1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+HiddenServiceDir /var/lib/tor/mastodon/
+HiddenServicePort 80 haproxy:80
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## Required: what port to advertise for incoming Tor connections.
+#ORPort 9001
+## If you want to listen on a port other than the one advertised in
+## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
+## follows.  You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORPort 443 NoListen
+#ORPort 127.0.0.1:9090 NoAdvertise
+
+## The IP address or full DNS name for incoming connections to your
+## relay. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## If you have multiple network interfaces, you can specify one for
+## outgoing traffic to use.
+# OutboundBindAddress 10.0.0.5
+
+## A handle for your relay, so people don't have to refer to it by key.
+#Nickname ididnteditheconfig
+
+## Define these to limit how much relayed traffic you will allow. Your
+## own traffic is still unthrottled. Note that RelayBandwidthRate must
+## be at least 20 KB.
+## Note that units for these config options are bytes per second, not bits
+## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
+#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
+
+## Use these to restrict the maximum traffic per day, week, or month.
+## Note that this threshold applies separately to sent and received bytes,
+## not to their sum: setting "4 GB" may allow up to 8 GB total before
+## hibernating.
+##
+## Set a maximum of 4 gigabytes each way per period.
+#AccountingMax 4 GB
+## Each period starts daily at midnight (AccountingMax is per day)
+#AccountingStart day 00:00
+## Each period starts on the 3rd of the month at 15:00 (AccountingMax
+## is per month)
+#AccountingStart month 3 15:00
+
+## Administrative contact information for this relay or bridge. This line
+## can be used to contact you if your relay or bridge is misconfigured or
+## something else goes wrong. Note that we archive and publish all
+## descriptors containing these lines and that Google indexes them, so
+## spammers might also collect them. You may want to obscure the fact that
+## it's an email address and/or generate a new address for this purpose.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you want to listen on a port other than the one advertised in
+## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
+## follows.  below too. You'll need to do ipchains or other port
+## forwarding yourself to make this work.
+#DirPort 80 NoListen
+#DirPort 127.0.0.1:9091 NoAdvertise
+## Uncomment to return an arbitrary blob of html on your DirPort. Now you
+## can explain what Tor is if anybody wonders why your IP address is
+## contacting them. See contrib/tor-exit-notice.html in Tor's source
+## distribution for a sample.
+#DirPortFrontPage /etc/tor/tor-exit-notice.html
+
+## Uncomment this if you run more than one Tor relay, and add the identity
+## key fingerprint of each Tor relay you control, even if they're on
+## different networks. You declare it here so Tor clients can avoid
+## using more than one of your relays in a single circuit. See
+## https://www.torproject.org/docs/faq#MultipleRelays
+## However, you should never include a bridge's fingerprint here, as it would
+## break its concealability and potentionally reveal its IP/TCP address.
+#MyFamily $keyid,$keyid,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## described in the man page or at
+## https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+## For security, by default Tor rejects connections to private (local)
+## networks, including to your public IP address. See the man page entry
+## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+
+## Bridge relays (or "bridges") are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even an
+## ISP that filters connections to all the known Tor relays probably
+## won't be able to block all the bridges. Also, websites won't treat you
+## differently because they won't know you're running Tor. If you can
+## be a real relay, please do; but if not, be a bridge!
+#BridgeRelay 1
+## By default, Tor will advertise your bridge to users through various
+## mechanisms like https://bridges.torproject.org/. If you want to run
+## a private bridge, for example because you'll give out your bridge
+## address manually to your friends, uncomment this line:
+#PublishServerDescriptor 0
+
+UseBridges 1
+ClientTransportPlugin obfs4 exec /usr/bin/lyrebird managed
+
+{% for bridge in bridges %}
+Bridge {{ bridge }}
+{% endfor %}

roles/tor/vars/main.yml

@@ -0,0 +1 @@
+bridges: []

roles/vaultwarden/tasks/main.yml

@@ -14,6 +14,7 @@
       DATABASE_URL: "{{ db_url }}"
     networks:
       - name: postgresql
+      - name: haproxy
     ports:
       - 127.0.0.1:3002:80
     volumes:

synapse.yml

@@ -2,5 +2,5 @@
 - hosts: webservers
   roles:
     - role: synapse
-      postgresql_password: "{{ synapse_postgresql_password }}"
+      postgresql_password: "{{ postgresql_users['matrix-synapse'] }}"
       turn_shared_secret: "{{ coturn_static_auth_secret }}"

tor.yml

@@ -0,0 +1,5 @@
+---
+- hosts: webservers
+  roles:
+    - role: tor
+      bridges: "{{ tor.bridges }}"

vaulted_vars.yml

@@ -1,96 +1,136 @@
 $ANSIBLE_VAULT;1.1;AES256
-63343761613930653938356262623436643464393561623536613262636539373936393535616432
-6237316564613462613061353465613939666134633961640a316436353566353339626266373161
-63666530323933613361613033623134383433336634343661303537316336366632316337356430
-3164303839376564320a356664363932383965303564616264646633643162616330346538336433
-32313039616332363966393730653738306433323730656434653335356265316233633261616534
-39323439353562343631336430646238336232663062373965636266353862323230363563636634
-39376363376431326362386561393234656462653363383962363862376430636462306161656338
-37396338356138383334396664666238613834633861656533356631643338323937656462313761
-64316363653366613165646337336537336132333631396439356262323034353265663334353033
-66663939323533373836343365643762383737306566396430323762373235663765623238356231
-61336232636663353764336139653931343064623566373435653836396434316431303065373332
-65353838333265666431643130313939323331643064393662663739363430363636356231643838
-35613336383334326533616637613839656161303664313761356533373538303964396231386430
-62306364646337356265666432323464343265613233343162313031353665306332306437656437
-33613834643839353639646637646433326665366530616362386130613734383937303933653463
-33333336316534616266663035363834336430303965623936653363373465663332393333646135
-61643766626339616632343739376633393335383535313463313434333336323134376437366637
-66656336663634316631616233663964646263626337626261373032386131363330653035373034
-63303035333434343839666534343563653761353064343035323634646564663236363365313366
-66336434313866633432393030656235383466376435373061616663663863306239656235653037
-65366361616366326163383733623666613065316463353863663365653530636432303932313235
-35656432333833363934666164326634646631346137663731613737313564333836393632323839
-36386563666465616561343961376266623533316461366431366433663330363932656231373434
-64623530373164323436393636383862373936633938646565616536383865616165623132383635
-30393262386438343634313937313865643832353939316539646662383166323966336231653139
-30363535323363353263613633373231623866646338656538383163613731643631623061366363
-32656332616433383463373334356538613365383632336532333939333863633033333339333265
-30336135373539353633393532363965663765353734366665336537393435616233306533373430
-34666236386430613831643836626136396233306634383561316664633831336535653562326338
-34666336343963616666343937653665666634653332353839373531383231393863316130353365
-61383465326564646333303861616337656636643032623732383565396331663430356139323835
-65396333666436643236353531353732373537306365323566366437653331616661316463393064
-32653736333037313438653432666237336435646565343239613434643437396535646532356538
-62643962353637313363376665376634346136633036366662303434613437326233613634373463
-65336266343631663639343031653761323665353734346565303065656132653265383634386665
-31666634303565363963336266653561343166333634383835383839616438363434373765396462
-34656364663564346430323436623636663034613936613831393634346262356137646364633537
-62643634366639663763613030653339626633373433346437613833643337303831613738356665
-34653237393231636665666233663833656436356163393163316439373532313664326336386563
-30383661616433663264613065343430393230373037363966383866353636316337656166373034
-33316232393834326163613230653830383064653831633936303939643331396535373633646532
-31303232626132353830316261353131636637343538363662343530396339646535653231343038
-34393333393839356538343838663330323961656233663466326132326363396131393964633639
-34306534653766343039363862373366613731303137613533636230306463366434663862633938
-37353334313562646563366339386330333462646533666561613536653434306135616464383436
-30633735636665346233623361373133623663663836323536396561346333383530386564613663
-30376639653330636161616462376462336238613235363762356232623863666638316561383034
-63323330626331623032363035646263396438336466356265656430366338336266663463616334
-61626163656133613562373432393066323839303333343261616564343761303130303064373265
-39633862656139383966636333613632376261323364633264343434353765346331313761356533
-66346662656261623161356332393733313862666330663666326463366230653435373032393461
-36333935393236343164323862346265303630373561613164663038653665313265613133303638
-31353038386537313064623838346262363266313763636661626535663337393235333635366462
-35663565666661373131323138393034613236373530333034636330353364623536643635626137
-39376634643230353466383664626565333137616330393030663338633931646535343266636537
-30363937396133333862396130393338306133626133663436303933313661356566323861316239
-33653433643438303565663263326362633039656433663333623565313235303630383466353862
-37303937646430626163353634323861613437336137346335636666633939396637633864353261
-65343831373735326435633461346436613732346639363338306133343332336239376539626137
-30633332353238323335363832643630373737613964666632333431366133663761316134303238
-31363165366637363933393835666636623430303832356563653738316364316635313434643434
-31336539323833386165343365383833383634643830323435393062373636646337333737323063
-30663435656165393331633166633738373963346161323137333035363766393539343635306330
-62323638636663373134313064623564656332386531396663653832316435633665316235616438
-31323766326164663736626333633031653865626566616464396231366639303338633835363163
-30353032353237363966363836653839393833373361383266666631356561303762356362613266
-39386161313236323431303237646164663431663730343164363766386433383631303230613462
-61613063653661396662313734383431303039393566306533376531363164653231316234623236
-32373333346332383663383433353234663565386361356333656634643539616230623162323939
-36646163303130323932326237346664346433623466396661323437626263353437336665636334
-35376633386532313830346661666365623566376161316430613139333430363732396665666437
-30356362613638366138326431643332386534653963316362656538363739653036356535353763
-38643635333136386536613663653133623339613330666263636362623165356339383735393162
-38633234333932343234613565373264363839323130363730323436306638306634356266653731
-30333238313361616338666334656130656639393830383633363035393131343863373162336464
-35386134656339306266633438636333333439336535306238393962376134633064376637383064
-32633565646230346533636339653466396338663936313734626265373232306230346434626533
-38613539646334303661633365643562613266303735666663356366383539666564616231366264
-66323533613131646631333864343238316166643631323633623339313861306163623363663034
-30656530316639646662653438636131393338323931386533313163393530633835623663353861
-30396665326539333964333333313833663762373463313930623033386362376135623732663330
-64323232613338353237303932623637353963633735636131356238623130616537366233303932
-34626565353963386533393936333636666337323737623738663537616464333032373930363761
-31303035623636633537633739316135396661326330653366666562633835326565663563653662
-66643634346263336530303936393030313063623962306664613465636630613265363834613766
-39383130313031636437343662393932633033393638323664376265343765666465326238616634
-38366433306232313461346661396230636164383932383031653631663164383462633132363330
-30333237383435346566336463353439663932653036323736316630366465323734616435343737
-66613935323434306334323733313838356635396166616133633036343330656665333535373030
-36306632346239333832616434373361303465663232393732636338663764386666356335663734
-64376230666339363763373637333033663232323466356538653738393931316337653566336664
-61653931626464623935663630613262366633383934393535303565343239383139386461613237
-34363735306136323338643731316336343866373032343964376630663765383334653262333532
-62313136326562353463623161353538336436663330303361333763353365623333383830353736
-353834646363363865643138663131653333
+30373832336334383031646564333333653031653261353835306230386636653566316661303737
+6364386435343864386361393466663839663563363430370a303030613533363830626134363862
+37376436353530383662643338373936313566313165376134656532356139666136313635383635
+3961666334376565640a646130383664323466616566316539636663643338306162353162393065
+33663031643362323434623836336664643762303139303031613065346661323262383938623764
+35323862623835623037343537313533333362306666396237333839313835303665306130623933
+63333038666232643936353062353562316263306338623161636463376132343665393139333434
+38373165343465343131616130613739633437636361663563373730643631663534383735663266
+35383535383732636236383831626130633333633535386430356666393533386562636633333365
+61666136353163396462346535326631626238356430636465636464373634313765653735666436
+38313435326330346131376332663161323061323633636363336662333135623265366139653831
+64616333303464373331323562613433343935343731393531333063346130653462616535396562
+66653935313339373339626139376139623335353761656638653666333632383037366665623739
+37666539346165616165653633643661356638326333396364626465373662343134386336373637
+31356531363062346533323835343666623062373239313435363863373133366131326430363963
+61343438366532346631313532643363343932636566336338383138623138363761663533306463
+33386333663261633464333264616161366164376262646265366431346330363834626138656662
+35613063303735653039303664343065386663616335343433386264346635343639636432653633
+30393137663230323764376434383966363335663831633634613564626366646563343937386435
+31303237356332313432306163356531656364323032636338636264356636393137383066353961
+36363266393166306439663764326339373037303063653036383733656237653930376262623963
+64663462306161366530343232336436353237303565323939353534653863653736373033633132
+38323736663961373938363862663262623030643532623761303036616438373665646263613730
+66393436623339333035393237343734636561656363643938373539316435313337363531333335
+61656139643035366361316630623630646664323438346466353234396233376634376230313638
+30646630623362333334656533326164343831646463623965383461336336303362386134366463
+37633030363636636161303735333734323939323534313131343837663634643830383836653864
+63313834623439636439643734376134316334326337316337623437333566303537303030373662
+63383630633564393164356534646562656139653063306438646164383437356635616337333234
+61633066323636666135303761373863373934623135323163356434323231363965346264373363
+65356139396636326538326166636338353536623432626363643566333165376331666131393061
+30666436306137643333616365333165346363633061363534313662306430613433623461393439
+38353037303064306631303461386163316135663636613534313037666361363935613763373835
+64666465383238366335383635363962313534313937326338663134316439346638393164363463
+62393835383734316232623039656231303234613132373634363564346635663938613762623733
+64353437623031643066643832313039623763663238393933326563646637623333356661313336
+63616462333261316130666365336261343639353737346438666237653430326531323437626664
+61623863613336333232666139343534636433653333336661626436343332373363306337666466
+61353532613630626564666437363766343834646632333266396630393261343965336537333632
+33653934646265663833366562343331363763653961326132353530636166363135336436303362
+64373262666666633961393537623036363763323262303435333036633362623366383765333764
+66656338636634636265343066386332643332653433623838386630373930363065386433316630
+39653834326533306161616366333761626165653233646462336566633664663836376337663961
+62366335626132323661356362643564633634366331303663336336643535383039663964393330
+30353966373862643038626532313539373666646161373437656635633033666166323664316162
+64363632366337356234376265333164393261656634313133343966643364666535383532663931
+65643764393363383732313637333734323137383830643533383330373465363861653138356563
+63356338653066623630333639336535613939313663663865616562653038356661356539373439
+38656337613835613939623736623234356234623932643130613437643333356333306166623835
+35643133383466313861373236333435326633326232366233656538663261396663326563386437
+39663633653230343063663663373430333933353931313638346239626538386361343866353933
+32366439633137626239373938646264663537373135373031653062663465376332646561383431
+35386532303134323463633761323165333831626566393966376561303261373832313336623439
+39653631383638393364333061663839323632343638326330323064303036386162666334633066
+65356636366664373165383163316465383566646530633561376266356636306263653039613361
+36326165336135636438666132386366356230326435393234333862663432633364333430316266
+32373230323735623162353938373466623337303765366665316530323731316233643266633930
+62643737326661613961313430333763663035646262626264323639383635343264326535363263
+62393235326631343035346530613631316638643661653164356134663163383235613330353030
+63616532346363376361643334666233656664303837333237326366623136313937633961613434
+35393834313538353936383638303466316234366665353832386430616131326365613635303338
+65343130373032323538333364313633353966343561373366613831396463363961326561313366
+34323833363761386433633961636266326632356331613563306230663739613134623532626532
+38316531346636323361613331646332373661613665626338646161393332656434663139396164
+64613962363635396538343365616665626439623466316334356638653733303338363264633361
+31393237393964613062356566303361623933346537383032303530623232666166643436313164
+36373435656234313639303463663861653661323737343232386230303131613962353132633261
+61333739393831313630663864626535623832326535653437383932356163656533313231306566
+33663231336461323464316138366232346432333937613335623966353235646235346231636436
+30616533343330373263666136373234303061383632396530303734633361613133613735356162
+31643835313463623034393530373933386630393064306465336234373763646437376263306365
+39663436623430316362356261383064656530393330313662373731316135633937313432646630
+39646431653663386432323961663530643436663436313461663264656134353231386365323931
+34323438306363306537363137393830666463313462336631636438323365626334643162333466
+63626334623433666431316339383830336438666139383437383132613831343237376134346563
+63633337633262303561353862313137383563343336636366626238396636313765623334376432
+31336436383532646532663636333461343635363933313533613539626664393061646237376431
+39613337333730373263353836353731356264653131356535323532623862323262353862386535
+34323764646137353063303237396464303666643132313861633534616637323363663238653362
+62303336356237376534333534656262383433306266333663343535376664383034356662613663
+37343365363436346538646334363833323731636533316664316632366162346535633463306439
+36633336623632383736363761396331303239376535316230323339616163363230663030393761
+30623461646130326338613262373135656264393963326364373065663030366566383036396464
+66613130373435383236383430353262356537323038663665633631343838383433613062316432
+66616233343938326236323364623965643364356565316666663338306133643738393638393532
+32636662663066353132363065353939613161383765663538333233316165613537646162383136
+32313434663834396165336236333763646435643163393938346234646563386639386234303163
+35313537636564323366376337643465373162306138613561326462633035343638326533386330
+31646436356264393832313265663238363765313639336431346166356261356430366162396531
+61376234616631393435613837663036613663373334393066366366353966626266303562666134
+32333763373936376663343233663165313332336263656234346234356465653462316531313737
+34386566346132313639613465336634613737616331306164313866316530623832616565353936
+36383930306563336634383234356536633638303833636535386535343937383865386232626238
+31653235303336656466636363323333656333343037633935613964306664393931623938396537
+65346136626665653933346639613261313666633736323735633265633762356462353739363636
+31616333653831343631333736376433326135313963643363663766323065366538393437366631
+65363332643066666663316134613430613239383666313135663839643236346537303238316533
+34323432653863323966366461653361356232356466316162653739346563643138643965313363
+64663266376461383066613538613134333638316333646363333537646132643836363136303336
+64353431393133353666333865376139316664306434356464623563643733353763633738336261
+36626130366362393061626434333365373164373037303439316263316530323333663261346232
+39303463646364633562656565646235616637363464636631333138363663306531313464643535
+30353738636162373866356438356237343837623136366365613739383234633335306431646139
+65353565316530313461333863353161383464323439643132653136613962613133303731346162
+66653237323738333537356464323362383062326531613039386235633063336666316631326366
+32316233373237333163373532336633326565396237363432323236393231396435323365653139
+36313732353437656231373334613732613063306634666235643330386463653338306162663965
+34623933356231643861353733613933326332326539303036366431383937383132616138663965
+39393631313635653035636339663034373862376534663365333863393531346236373038653031
+35343065316533653639356366306230656362646239373138386439613161366162633361356563
+61356461356362613063346530356634333839376637383762353437666430653439613831303032
+31653564633362623232616330623134306638306262613135663861396338643363663266313732
+62373732323134303335383165323164393737376338636134313265383963343936303863336431
+38356337383537393630323939653063396366653735643437343261336362313765383833313337
+65306435326531306630623236643438356337636364636437396533663361336338316133306237
+34666561393730346132366339333361623631316636323263666462353533336161663731613434
+30643338653264643636373735353130396436613231303535323965656439393932366262313837
+33386333653534613763663133396430633938653737646132303566643863316666636238613864
+38646137346163643933363736626662343863636533323563343438646539376535626464393863
+63346435643138326134316638346139643635373064316631643265313437343466383536396265
+36643236323933626663366663396636343835623861653361653239643138366138373338353939
+65383836353334386432393132376433323831393461303133313631333634353938316166336539
+64626633386262346136386336313432636365333861643463613264393264643331336361626361
+37373333323935323663663561333630333565633665653836356632373337356165623166656538
+62336437356431393136303037633662663762306436373538323135316130356165616366366336
+34363235623133363961363462383934373830396133356232303938656131386632666133633062
+64323330633731616264393263326137353434373538623537646431646133646234353034326462
+64306139353834616639613638326238386632363232356338306337623136326563653334666564
+64353765343630306535653430376431343132396232303466393964383333613666626561333766
+34646430616231633061366332323337336462363437626166363561363232353563633563323332
+33616534643335343832393164646434636430363366333037666539626132376161303731386561
+36663830303433343932366661343536623865303438366132313832386637643063663439353038
+65643335353163316533306633363037616232383530393839616334663336306237303531613832
+65636663336239376235643036623032646331663962633430633161306539646464656131623163
+346539663562636361616135326237383664

vaultwarden.yml

@@ -2,4 +2,4 @@
 - hosts: webservers
   roles:
     - role: vaultwarden
-      db_url: postgresql://vaultwarden:{{ vaultwarden_postgresql_password }}@postgresql:5432/vaultwarden
+      db_url: postgresql://vaultwarden:{{ postgresql_users.vaultwarden }}@postgresql:5432/vaultwarden