music: Fix mqtt-soundboard

* Use pulseaudio backend
* Run as separate librespot user
* Use linear volume mixer

authorized_keys/blackdragon.keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLZGbt/we3JQ482/NYcdOKGoKDOj1MgmYFP2GDmjLw/ kyan@flandre

bitlair.yaml

@@ -26,7 +26,7 @@
 
 - hosts: git-ci
   roles:
-    - { role: "git-ci", tags: ["git-ci"] }
+    - { role: "git_ci", tags: ["git_ci"] }
 
 - hosts: git
   roles:
@@ -47,7 +47,6 @@
 - hosts: music
   roles:
     - { role: "acme", tags: ["acme"] }
-    - { role: "go", tags: ["go"] }
     - { role: "music", tags: ["music"] }
 
 - hosts: pad
@@ -58,6 +57,7 @@
 
 - hosts: services
   roles:
+    - { role: "deb_forgejo", tags: [ "deb_forgejo" ] }
     - { role: "services", tags: ["services"] }
 
 - hosts: wiki
@@ -65,3 +65,13 @@
     - { role: "acme", tags: ["acme"] }
     - { role: "nginx", tags: ["nginx"] }
     - { role: "www", tags: ["www"] }
+
+- hosts: chat
+  roles:
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "chat", tags: [ "chat" ] }
+
+- hosts: ldap
+  roles:
+    - { role: "common", tags: [ "common" ] }

chat.yaml

@@ -0,0 +1,10 @@
+---
+
+- hosts: chat
+  roles:
+    - { role: "common", tags: [ "common" ] }
+    - { role: "nft", tags: [ "nft" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "nodesource", tags: [ "nodesource" ] }
+    - { role: "chat", tags: [ "chat" ] }

git-ci.yaml

@@ -3,4 +3,4 @@
 - hosts: git-ci
   roles:
     - { role: "common", tags: [ "common" ] }
-    - { role: "git-ci", tags: [ "git-ci" ] }
+    - { role: "git_ci", tags: [ "git_ci" ] }

group_vars/all.yaml

@@ -36,3 +36,8 @@ mqtt_public_host: bitlair.nl
 debian_repourl: "http://deb.debian.org/debian/"
 debian_securityurl: "http://security.debian.org/debian-security"
 
+deb_forgejo_repos:
+  - host: git.bitlair.nl
+    owner: bitlair
+  - host: git.polyfloyd.net
+    owner: polyfloyd

group_vars/chat.yaml

@@ -0,0 +1,36 @@
+---
+
+root_access:
+  - blackdragon
+  - ak
+  - foobar
+  - polyfloyd
+
+nodejs_version: 22.x
+thelounge_version: "4.4.3"
+thelounge_ldap_url: ldaps://ldap.bitlair.nl
+thelounge_ldap_filter: (objectClass=inetOrgPerson)
+thelounge_ldap_base: ou=Members,dc=bitlair,dc=nl
+chat_hostname: chat.bitlair.nl
+
+acme_domains:
+ - "{{ chat_hostname }}"
+
+nginx_sites:
+  - server_name: "{{ chat_hostname }}"
+    config:
+      - |-
+        location / {
+          proxy_pass http://127.0.0.1:9000/;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+
+          # by default nginx times out connections in one minute
+          proxy_read_timeout 1d;
+        }
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

group_vars/music.yaml

@@ -6,12 +6,18 @@ nft: false
 root_access:
   - ak
   - bob
-  - eightdot
   - foobar
   - polyfloyd
 
 nginx_client_max_body_size: 512M
+nginx_sites:
+  - server_name: "music.bitlair.nl"
+    snippets:
+      - "music-nginx.j2"
 
 music_domain: music.bitlair.nl
 acme_san_domains:
   - [ music.bitlair.nl ]
+
+music_bitpanel_host: bitpanel.bitlair.nl
+music_bitpanel_port: 1337

inventory

@@ -17,7 +17,8 @@ blockchain.bitlair.nl
 git.bitlair.nl
 
 [git-ci]
-git-ci.bitlair.nl
+git-ci01.bitlair.nl
+git-ci02.bitlair.nl
 
 [pad]
 pad.bitlair.nl
@@ -49,6 +50,9 @@ homeassistant.bitlair.nl
 [chat]
 chat.bitlair.nl
 
+[ldap]
+ldap-new.bitlair.nl
+
 [debian:children]
 bank
 fotos

monitoring.yaml

@@ -4,5 +4,6 @@
   roles:
     - { role: "common", tags: [ "common" ] }
     - { role: "acme", tags: [ "acme" ] }
+    - { role: "deb_forgejo", tags: [ "deb_forgejo" ] }
     - { role: "nginx", tags: [ "nginx" ] }
     - { role: "monitoring", tags: [ "monitoring" ] }

music.yaml

@@ -4,6 +4,6 @@
   roles:
     - { role: "common", tags: [ "common" ] }
     - { role: "acme", tags: [ "acme" ] }
-    - { role: "go", tags: [ "go" ] }
-#    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "deb_forgejo", tags: [ "deb_forgejo" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
     - { role: "music", tags: [ "music" ] }

pad.yaml

@@ -9,4 +9,5 @@
     - { role: "nft", tags: [ "nft" ] }
     - { role: "acme", tags: [ "acme" ] }
     - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "nodesource", tags: [ "nodesource" ] }
     - { role: "etherpad", tags: [ "etherpad" ] }

roles/bank/defaults/main.yaml

@@ -1,3 +1,3 @@
 bank_user: bank
-bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git
 bank_local_tty: no
+bank_revbank_version: "10.5.1"

roles/bank/tasks/login.yaml

@@ -4,7 +4,7 @@
     name: bank
     password: $6$idklol$QrOE/21LDR0vhZBAXwgA7AvnmR6Ju4ZqzAzgeazC08i2yw9kyQjgwu.uuV692iL/cyE7AteDYUxCpcorONXom. # "bank"
     home: /home/{{ bank_user }}
-    shell: /home/{{ bank_user }}/revbank.git/revbank
+    shell: /usr/local/share/revbank/revbank
     update_password: always
 
 - name: Allow password auth for bank user
@@ -13,7 +13,7 @@
     insertafter: EOF
     validate: "/usr/sbin/sshd -t -f %s"
     block: |-
-      Match User bank
+      Match User {{ bank_user }}
           PasswordAuthentication yes
   notify: reload sshd
 

roles/bank/tasks/revbank.yaml

@@ -1,50 +1,22 @@
 ---
 - name: Install dependencies
   ansible.builtin.apt:
-    name: [ git, libterm-readline-gnu-perl, libcurses-ui-perl, qrencode ]
+    name: [ git, libterm-readline-gnu-perl, libcurses-ui-perl ]
     state: present
 
 - name: Clone revbank source
   ansible.builtin.git:
-    repo: "{{ bank_revbank_git }}"
-    version: master
-    dest: /home/{{ bank_user }}/revbank.git
+    repo: https://github.com/revspace/revbank.git
+    version: "v{{ bank_revbank_version }}"
+    dest: /usr/local/share/revbank
     accept_hostkey: yes
 
-- name: Create data files
-  ansible.builtin.command: cp /home/{{ bank_user }}/revbank.git/{{ item }} /home/{{ bank_user }}/{{ item }}
-  args:
-    creates: /home/{{ bank_user }}/{{ item }}
-  with_items:
-    - revbank.accounts
-    - revbank.market
-    - revbank.products
-
-- name: Ensure data file permissions
-  ansible.builtin.file:
-    path: /home/{{ bank_user }}/{{ item }}
-    state: touch
-    owner: "{{ bank_user }}"
-    group: "{{ bank_user }}"
-    mode: 0644
-  with_items:
-    - revbank.accounts
-    - revbank.market
-    - revbank.products
-
-- name: Link plugins
-  ansible.builtin.file:
-    state: link
-    path: /home/{{ bank_user }}/{{ item }}
-    src: /home/{{ bank_user }}/revbank.git/{{ item }}
-  with_items:
-    - plugins
-    - revbank.plugins
-
-- name: Create git data dir
-  ansible.builtin.file:
-    path: /home/{{ bank_user }}/data.git
-    state: directory
+- name: Clone revbank-plugin source
+  ansible.builtin.git:
+    repo: https://git.bitlair.nl/bitlair/revbank-plugins.git
+    version: main
+    dest: /usr/local/share/revbank-plugins
+    accept_hostkey: yes
 
 - name: Install git cronjob
   ansible.builtin.template:

roles/bank/templates/git.cron

@@ -1,4 +1,4 @@
 SHELL=/bin/bash
 
-#m   h  dom mon dow user             command
- 0   *  *   *   *   {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products)
+#m    h  dom mon dow user             command
+ */10 *  *   *   *   {{ bank_user }}  git -C ~/.revbank pull -r && git -C ~/.revbank push && git -C ~/.revbank gc

roles/chat/defaults/main.yaml

@@ -0,0 +1,5 @@
+---
+
+chat_user: thelounge
+chat_group: thelounge
+chat_configdir: "/etc/thelounge"

roles/chat/handlers/main.yaml

@@ -0,0 +1,11 @@
+---
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: yes
+
+- name: Restart thelounge
+  ansible.builtin.systemd:
+    name: thelounge
+    state: restarted
+    enabled: true

roles/chat/tasks/main.yaml

@@ -0,0 +1,92 @@
+---
+
+- name: Install dependencies
+  ansible.builtin.apt:
+    state: present
+    pkg:
+      - build-essential
+      - nodejs
+
+- name: Ensure directories are present
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "{{ chat_user }}"
+    group: "{{ chat_group }}"
+    state: "{{ item.state | default('directory') }}"
+    mode: "{{ item.mode | default('0770') }}"
+  with_items:
+    - { path: "{{ chat_configdir }}" }
+    - { path: "/var/local/thelounge/users" }
+    - { path: "/var/local/thelounge/storage" }
+  notify:
+    - Restart thelounge
+
+- name: Install nodejs
+  ansible.builtin.apt:
+
+- name: Install yarn
+  ansible.builtin.shell:
+    cmd: npm install --global yarn
+
+- ansible.builtin.stat:
+    path: /opt/thelounge
+  register: src_path
+
+- name: Retreive thelounge source
+  block:
+    - name: Checkout source
+      ansible.builtin.git:
+        repo: 'https://github.com/revspace/thelounge.git'
+        dest: /opt/thelounge
+        version: 9d6dc83
+        force: true
+
+    - name: Copy patch
+      ansible.builtin.template:
+        src: thelounge-bitlair.patch
+        dest: /tmp/thelounge-bitlair.patch
+
+    - name: Apply patch
+      ansible.builtin.shell:
+        chdir: /opt/thelounge
+        cmd: git apply /tmp/thelounge-bitlair.patch
+  when: not src_path.stat.exists
+
+- name: Build and install thelounge
+  ansible.builtin.shell:
+    chdir: /opt/thelounge
+    cmd: yarn add sharp --ignore-engines && yarn install --include-optional sharp && NODE_ENV=production yarn build && ln -sf $(pwd)/index.js /usr/local/bin/thelounge
+  notify:
+    - Restart thelounge
+
+- name: Ensure user thelounge is present
+  ansible.builtin.user:
+    name: thelounge
+    createhome: no
+    comment: The Lounge (IRC client)
+    system: yes
+    state: present
+
+- name: Ensure JS and JSON syntax checking packages are installed
+  community.general.yarn:
+    name: "{{ item }}"
+    global: yes
+    # state: latest # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
+  with_items:
+    - esprima
+    - jsonlint
+      # changed_when: no # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
+
+- name: Configure templates
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner | default( chat_user ) }}"
+    group: "{{ item.group | default( chat_group ) }}"
+    mode: "{{ item.mode | default('0640') }}"
+    validate: "{{ item.validate | default([]) }}"
+  with_items:
+    - { src: "config.js.j2", dest: "/etc/thelounge/config.js", validate: 'esvalidate %s' }
+    - { src: "thelounge.service", dest: "/etc/systemd/system/thelounge.service", owner: root, group: root, notify: "Reload systemd" }
+  notify: "{{ item.notify | default('Restart thelounge') }}"
+

roles/chat/templates/config.js.j2

@@ -0,0 +1,59 @@
+"use strict";
+
+module.exports = {
+    public: false,
+    port: 9000,
+    bind: "0.0.0.0",
+    host: "127.0.0.1",
+    reverseProxy: true,
+    lockNetwork: true,
+    maxHistory: 10000,
+    leaveMessage: "Doei!",
+    defaults: {
+        name: "Smurfnet",
+        password: "",
+        rejectUnauthorized: true,
+        nick: "",
+        username: "",
+        realname: "",
+        join: "#bitlair",
+    },
+    messageStorage: ["sqlite", "text"],
+    fileUpload: {
+        enable: true,
+    },
+    networks: {
+        Smurfnet: {
+            host: "irc.smurfnet.ch",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: false,
+        },
+        "Libera.Chat": {
+            host: "irc.libera.chat",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: true,
+        },
+        OFTC: {
+            host: "irc.oftc.net",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: true,
+        },
+    },
+    identd: {
+        enable: false,
+    },
+    ldap: {
+        enable: true,
+        url: "{{ thelounge_ldap_url }}",
+        primaryKey: "uid",
+        searchDN: {
+            rootDN: "{{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN subkey=binddn') }}",
+            rootPassword: "{{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN') }}",
+            filter: "{{ thelounge_ldap_filter }}",
+            base: "{{ thelounge_ldap_base }}",
+        },
+    },
+};

roles/chat/templates/thelounge-bitlair.patch

@@ -0,0 +1,28 @@
+diff --git a/package.json b/package.json
+index 2991a6ec..dac43f16 100644
+--- a/package.json
++++ b/package.json
+@@ -84,9 +84,7 @@
+     "ua-parser-js": "1.0.33",
+     "uuid": "8.3.2",
+     "web-push": "3.4.5",
+-    "yarn": "1.22.17"
+-  },
+-  "optionalDependencies": {
++    "yarn": "1.22.17",
+     "sqlite3": "5.1.7"
+   },
+   "devDependencies": {
+diff --git a/server/plugins/auth/ldap.ts b/server/plugins/auth/ldap.ts
+index e6093b0f..d30b9a1c 100644
+--- a/server/plugins/auth/ldap.ts
++++ b/server/plugins/auth/ldap.ts
+@@ -134,7 +134,7 @@ const ldapAuth: AuthHandler = (manager, client, user, password, callback) => {
+ 	// auth plugin API
+ 	function callbackWrapper(valid: boolean) {
+ 		if (valid && !client) {
+-			manager.addUser(user, null, false);
++			manager.addUser(user, null, true);
+ 		}
+ 
+ 		callback(valid);

roles/chat/templates/thelounge.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=The Lounge (IRC client)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User={{ chat_user }}
+Group={{ chat_group }}
+Type=simple
+Environment=THELOUNGE_HOME=/var/local/thelounge
+ExecStart=/usr/local/bin/thelounge start
+ProtectSystem=yes
+ProtectHome=yes
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target

roles/common/handlers/main.yaml

@@ -3,7 +3,7 @@
   ansible.builtin.command:
     cmd: update-grub
 
-- name: Apt update
+- name: apt update
   ansible.builtin.apt:
     update_cache: true
 

roles/deb_forgejo/defaults/main.yaml

@@ -0,0 +1 @@
+deb_private_host: git.polyfloyd.net

roles/deb_forgejo/handlers/default.yaml

@@ -0,0 +1,3 @@
+---
+- ansible.builtin.import_tasks:
+    file: ../../common/handlers/main.yaml

roles/deb_forgejo/tasks/main.yaml

@@ -0,0 +1,26 @@
+---
+- tags: deb_forgejo
+  block:
+    - name: Install dependencies
+      apt:
+        name: apt-transport-https
+        state: present
+
+    - name: Install packaging key
+      get_url:
+        url: https://{{ item.host }}/api/packages/{{ item.owner }}/debian/repository.key
+        dest: /etc/apt/keyrings/{{ item.host }}-{{ item.owner }}.asc
+        mode: "0644"
+      with_items: "{{ deb_forgejo_repos }}"
+      notify: apt update
+
+    - name: Install sources.list
+      template:
+        src: sources.list
+        dest: /etc/apt/sources.list.d/deb-forgejo.list
+        owner: root
+        group: root
+        mode: "0644"
+      notify: apt update
+
+    - meta: flush_handlers

roles/deb_forgejo/templates/sources.list

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for repo in deb_forgejo_repos %}
+deb [signed-by=/etc/apt/keyrings/{{ repo.host }}-{{ repo.owner }}.asc] https://{{ repo.host }}/api/packages/{{ repo.owner }}/debian {{ repo.distro | default('stable') }} {{ repo.component | default('main') }}
+{% endfor %}

roles/etherpad/defaults/main.yaml

@@ -1,4 +1,3 @@
-nodejs_version: 22.x
 etherpad_db_user: etherpad
 etherpad_db_password: "{{ lookup('password', '/tmp/etherpad_db_password length=32') }}"
 etherpad_db_name: etherpad

roles/etherpad/tasks/main.yaml

@@ -3,43 +3,10 @@
 - name: Install dependencies
   ansible.builtin.apt:
     state: present
-    pkg: 
-      - gpg
+    pkg:
+      - nodejs
       - postgresql
       - python3-psycopg2
-      - apt-transport-https
-
-- name: Import nodesource signing key
-  ansible.builtin.shell:
-    cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
-      -o /usr/share/keyrings/nodesource.gpg
-  args:
-    creates: /usr/share/keyrings/nodesource.gpg
-  notify: Apt update
-
-- name: Install nodesource source list
-  ansible.builtin.template:
-    src: nodesource.list
-    dest: /etc/apt/sources.list.d/nodesource.list
-    owner: root
-    group: root
-    mode: 0644
-  notify: Apt update
-
-- name: Install nodejs apt preference
-  ansible.builtin.template:
-    src: nodejs-apt-pref
-    dest: /etc/apt/preferences.d/nodejs
-    owner: root
-    group: root
-    mode: 0644
-  notify: Apt update
-
-- ansible.builtin.meta: flush_handlers
-
-- name: Install nodejs
-  ansible.builtin.apt:
-    name: nodejs
 
 - name: Add database user
   become: true

roles/git-ci/defaults/main.yaml

@@ -1,2 +0,0 @@
-runner_wd: /var/lib/forgejo-runner
-runner_version: 6.3.0

roles/git-ci/tasks/main.yaml

@@ -1,50 +0,0 @@
----
-
-- name: Install dependencies
-  ansible.builtin.apt:
-    name: docker.io
-
-- name: Download forgejo-runner
-  ansible.builtin.get_url:
-    url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
-    dest: /usr/local/bin/forgejo-runner
-    mode: 0755
-  notify: restart forgejo-runner
-
-- name: Create runner dir
-  ansible.builtin.file:
-    state: directory
-    path: "{{ runner_wd }}"
-    owner: root
-    group: root
-    mode: 0755
-
-- name: Register runner
-  ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
-  args:
-    chdir: "{{ runner_wd }}"
-    creates: "{{ runner_wd }}/.runner"
-
-- name: Install service file
-  ansible.builtin.template:
-    src: forgejo-runner.service
-    dest: /etc/systemd/system/forgejo-runner.service
-    owner: root
-    group: root
-    mode: 0644
-  notify: restart forgejo-runner
-
-- name: Enable service
-  ansible.builtin.systemd:
-    name: forgejo-runner
-    enabled: true
-    daemon_reload: true
-
-- name: Start service
-  ansible.builtin.systemd:
-    name: forgejo-runner
-    state: started
-    daemon_reload: true
-
-- name: Flush handlers
-  ansible.builtin.meta: flush_handlers

roles/git-server/templates/cronjob

@@ -1,4 +1,4 @@
 # {{ ansible_managed }}
 
-#m   h  dom mon dow user             command
- 0   2  *   *   1   {{ git_server_user }} {{ git_server_working_dir }}/update.sh
+#m   h  dom mon dow user command
+ 0   2  *   *   1   root {{ git_server_working_dir }}/update.sh

roles/git_ci/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+git_ci_runner_wd: /var/lib/forgejo-runner

roles/git_ci/handlers/main.yaml

@@ -3,6 +3,6 @@
     file: ../../common/handlers/main.yaml
 
 - name: restart forgejo-runner
-  ansible.builtin.systemd:
+  systemd:
     name: forgejo-runner
     state: restarted

roles/git_ci/tasks/main.yaml

@@ -0,0 +1,83 @@
+---
+- tags: git_ci
+  block:
+    - name: Install dependencies
+      apt:
+        name: docker.io
+
+    - name: Query latest forgejo-runner version
+      uri:
+        url: https://code.forgejo.org/api/v1/repos/forgejo/runner/tags
+        return_content: true
+      register: response
+      changed_when: false
+      check_mode: false
+      failed_when: "response is failed or 'json' not in response"
+
+    - name: Format forgejo-runner latest version
+      set_fact:
+        forgejo_runner_version: "{{ response['json'][0]['name'] | trim('v') }}"
+
+    - name: Detect installed forgejo-runner version
+      shell:
+        cmd: |
+          set -o pipefail
+          forgejo-runner --version | grep --color=never -Po '\d\.\d+(\.\d+)?' || echo none
+        executable: /bin/bash
+      register: forgejo_runner_installed_version_shell
+      changed_when: false
+      check_mode: false
+
+    - name: Format installed forgejo-runner version
+      set_fact:
+        forgejo_runner_installed_version: "{{ forgejo_runner_installed_version_shell.stdout }}"
+
+    - debug:
+        msg:
+          - "Forgejo Runner latest version: {{ forgejo_runner_version }}"
+          - "Forgejo Runner installed version: {{ forgejo_runner_installed_version }}"
+
+    - name: Download forgejo-runner
+      get_url:
+        url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ forgejo_runner_version }}/forgejo-runner-{{ forgejo_runner_version }}-linux-amd64"
+        dest: /usr/local/bin/forgejo-runner
+        mode: "0755"
+      notify: restart forgejo-runner
+      when: forgejo_runner_installed_version != forgejo_runner_version
+
+    - name: Create runner dir
+      file:
+        state: directory
+        path: "{{ git_ci_runner_wd }}"
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: Register runner
+      command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
+      args:
+        chdir: "{{ git_ci_runner_wd }}"
+        creates: "{{ git_ci_runner_wd }}/.runner"
+
+    - name: Install service file
+      template:
+        src: forgejo-runner.service
+        dest: /etc/systemd/system/forgejo-runner.service
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart forgejo-runner
+
+    - name: Enable service
+      systemd:
+        name: forgejo-runner
+        enabled: true
+        daemon_reload: true
+
+    - name: Start service
+      systemd:
+        name: forgejo-runner
+        state: started
+        daemon_reload: true
+
+    - meta: flush_handlers

roles/git_ci/templates/forgejo-runner.service

@@ -6,7 +6,7 @@ After=network.target
 
 [Service]
 ExecStart=/usr/local/bin/forgejo-runner daemon
-WorkingDirectory={{ runner_wd }}
+WorkingDirectory={{ git_ci_runner_wd }}
 Restart=on-failure
 RestartSec=10s
 

roles/monitoring/tasks/mqtt_exporter.yaml

@@ -1,47 +1,22 @@
 ---
-- name: Clone source
-  ansible.builtin.git:
-    repo: https://github.com/polyfloyd/mqtt-exporter.git
-    version: main
-    dest: /opt/mqtt_exporter
-    accept_hostkey: yes
-  notify: restart mqtt_exporter
-
 - name: Install apt dependencies
   ansible.builtin.apt:
-    name:
-      - jq
-      - python3-paho-mqtt
-      - python3-prometheus-client
-      - python3-yaml
+    name: mqtt-exporter
     state: present
 
-- name: Install service
-  ansible.builtin.template:
-    src: mqtt_exporter.service
-    dest: /etc/systemd/system/mqtt_exporter.service
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - Daemon reload
-    - restart mqtt_exporter
-
 - name: Install config file
   ansible.builtin.template:
     src: mqtt_exporter_config.yaml
-    dest: /etc/mqtt_exporter.yaml
+    dest: /etc/mqtt-exporter.yaml
     owner: root
     group: root
     mode: 0644
-  notify:
-    - Daemon reload
-    - restart mqtt_exporter
+  notify: restart mqtt_exporter
 
 - ansible.builtin.meta: flush_handlers
 
 - name: Start service
   ansible.builtin.systemd:
-    name: mqtt_exporter
+    name: mqtt-exporter
     state: started
     enabled: true

roles/mqtt/defaults/main.yaml

@@ -1 +0,0 @@
-mqtt_bambulab_cafile: /etc/mosquitto/ca_certificates/bambulab.pem

roles/mqtt/tasks/main.yaml

@@ -9,8 +9,10 @@
 - name: Install bambulab cafile
   # openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
   ansible.builtin.copy:
-    dest: "{{ mqtt_bambulab_cafile }}"
-    content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
+    dest: "/etc/mosquitto/ca_certificates/bambu_{{ item.name }}.pem"
+    content: "{{ item.cafile }}"
+  notify: restart mosquitto
+  with_items: "{{ lookup('passwordstore', 'bambulab subkey=printers') }}"
 
 - name: Configure Mosquitto
   ansible.builtin.template:

roles/mqtt/templates/bambulab.conf

@@ -1,10 +1,11 @@
 # {{ ansible_managed }}
+{% for bambu in lookup('passwordstore', 'bambulab subkey=printers') %}
 
-connection bambulab
-address {{ lookup('passwordstore', 'bambulab subkey=host') }}:8883
-bridge_cafile {{ mqtt_bambulab_cafile }}
+connection bambulab_{{ bambu.name }}
+address {{ bambu.host }}:8883
+bridge_cafile /etc/mosquitto/ca_certificates/bambu_{{ bambu.name }}.pem
 bridge_insecure true
 remote_username bblp
-remote_password {{ lookup('passwordstore', 'bambulab subkey=key') }}
-
-topic # in 2 bambulab/ ""
+remote_password {{ bambu.key }}
+topic # in 2 bambulab/{{ bambu.name }}/ ""
+{% endfor %}

roles/music/defaults/main.yaml

@@ -1,2 +1,10 @@
 music_audio_user: audio
+music_audio_user_id: 998
+music_audio_group: audio
+music_bitvis_user: bitvis
+music_librespot_user: librespot
+music_trollibox_user: trollibox
+
+music_pulse_server: /tmp/pipewire-pulse-socket
+
 music_mqtt_mpd_volume: bitlair/music/space/volume

roles/music/handlers/main.yaml

@@ -2,27 +2,65 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: Restart trollibox
+- name: restart pipewire
+  become: true
+  become_user: "{{ music_audio_user }}"
+  become_method: machinectl
+  ansible.builtin.systemd:
+    name: pipewire
+    state: restarted
+    daemon_reload: true
+    scope: user
+
+- name: restart filter-chain
+  become: true
+  become_user: "{{ music_audio_user }}"
+  become_method: machinectl
+  ansible.builtin.systemd:
+    name: filter-chain
+    state: restarted
+    daemon_reload: true
+    scope: user
+
+- name: restart bitvis
+  ansible.builtin.systemd:
+    name: bitvis
+    state: restarted
+    daemon_reload: true
+
+- name: restart bitvis-tee
+  ansible.builtin.systemd:
+    name: bitvis-tee
+    state: restarted
+    daemon_reload: true
+
+- name: restart mpd
+  ansible.builtin.systemd:
+    name: mpd
+    state: restarted
+    daemon_reload: true
+
+- name: restart trollibox
   ansible.builtin.systemd:
     name: trollibox
     state: restarted
     daemon_reload: true
 
-- name: Rebuild librespot
+- name: rebuild librespot
   ansible.builtin.command:
-    cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend
+    cmd: /root/.cargo/bin/cargo build --release --features pulseaudio-backend,jackaudio-backend
   args:
     chdir: /opt/librespot
 
-- name: Restart librespot
+- name: restart librespot
   ansible.builtin.systemd:
     name: librespot
     state: restarted
     daemon_reload: true
 
-- name: Restart soundboard
+- name: restart mqtt-soundboard
   ansible.builtin.systemd:
-    name: soundboard
+    name: mqtt-soundboard
     state: restarted
     daemon_reload: true
 
@@ -37,3 +75,12 @@
     name: skipbutton
     state: restarted
     daemon_reload: true
+
+- name: restart ampswitch
+  ansible.builtin.systemd:
+    name: "ampswitch-{{ item }}"
+    state: restarted
+    daemon_reload: true
+  with_items:
+    - librespot
+    - mpd

roles/music/tasks/ampswitch.yaml

@@ -0,0 +1,31 @@
+---
+- name: Install ampswitch
+  apt:
+    name: ampswitch
+
+- name: Install ampswitch service file
+  template:
+    src: ampswitch.service
+    dest: /etc/systemd/system/ampswitch-{{ item.instance }}.service
+    owner: root
+    group: root
+    mode: 0755
+  with_items:
+    - instance: mpd
+      pw_inputs:
+        - "Music Player Daemon:output_FL"
+        - "Music Player Daemon:output_FR"
+    - instance: librespot
+      pw_inputs:
+        - "librespot:out_0"
+        - "librespot:out_1"
+  notify: restart ampswitch
+
+- name: Enable ampswitch
+  ansible.builtin.systemd:
+    name: "ampswitch-{{ item }}"
+    state: started
+    enabled: true
+  with_items:
+    - librespot
+    - mpd

roles/music/tasks/base.yaml

@@ -0,0 +1,68 @@
+---
+- name: Install pipewire
+  apt:
+    name:
+      - systemd-container
+      - pipewire
+      - pipewire-jack
+      - pipewire-pulse
+      - pulseaudio-utils
+      - pulsemixer
+      - wireplumber
+    state: present
+
+- name: Add audio group
+  group:
+    name: audio
+    system: true
+
+- name: Add {{ music_audio_user }} user
+  user:
+    name: "{{ music_audio_user }}"
+    uid: "{{ music_audio_user_id }}"
+    system: true
+    groups:
+      - audio
+
+- name: Enable linger for {{ music_audio_user }}
+  copy:
+    dest: "/var/lib/systemd/linger/{{ music_audio_user }}"
+    content: ""
+
+- name: Enable pipewire
+  become: true
+  become_user: "{{ music_audio_user }}"
+  become_method: machinectl
+  ansible.builtin.systemd:
+    name: pipewire
+    state: started
+    enabled: true
+    scope: user
+
+- name: Set PULSE_SERVER env var for all shells
+  copy:
+    dest: /etc/profile.d/pulse-server.sh
+    content: |+
+      # Ansible managed
+      export PULSE_SERVER={{ music_pulse_server }}
+
+- name: Create pipewire-pulse config dir
+  file:
+    path: /etc/pipewire/pipewire-pulse.conf.d/
+    state: directory
+
+- name: Configure system socket
+  ansible.builtin.copy:
+    dest: /etc/pipewire/pipewire-pulse.conf.d/system-socket.conf
+    content: |+
+      # Ansible managed
+      context.exec = [
+        { path = "/bin/chgrp"  args = "{{ music_audio_group }} {{ music_pulse_server }}" }
+        { path = "/bin/chmod"  args = "g+rwx,o-rwx {{ music_pulse_server }}" }
+      ]
+      pulse.properties = {
+        server.address = [
+          "unix:{{ music_pulse_server }}"
+        ]
+      }
+  notify: restart pipewire

roles/music/tasks/bitvis.yaml

@@ -0,0 +1,72 @@
+---
+- name: Install bitvis dependencies
+  apt:
+    name:
+      - bitvis
+      - bitvis-http
+      - swh-plugins
+
+- name: Create bitvis user
+  user:
+    name: "{{ music_bitvis_user }}"
+    system: true
+    home: /var/lib/bitvis
+    groups:
+      - "{{ music_audio_group }}"
+
+- name: Install bitvis-tee
+  ansible.builtin.template:
+    src: bitvis-tee.sh
+    dest: /opt/bitvis-tee.sh
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart {{ item }}
+  with_items:
+    - bitvis
+    - bitvis-tee
+
+- name: Install service file
+  ansible.builtin.template:
+    src: "{{ item }}.service"
+    dest: /etc/systemd/system/{{ item }}.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart {{ item }}
+  with_items:
+    - bitvis
+    - bitvis-tee
+
+- name: Enable service
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+    daemon_reload: true
+  with_items:
+    - bitvis
+    - bitvis-tee
+
+- name: Install bitvis gain filter
+  ansible.builtin.template:
+    src: pw-bitvis-mixer.conf
+    dest: /etc/pipewire/filter-chain.conf.d/bitvis-mixer.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart filter-chain
+    - restart bitvis
+
+- name: Enable filter-chain
+  become: true
+  become_user: "{{ music_audio_user }}"
+  become_method: machinectl
+  ansible.builtin.systemd:
+    name: filter-chain
+    state: started
+    enabled: true
+    scope: user
+
+- meta: flush_handlers

roles/music/tasks/librespot.yaml

@@ -1,8 +1,18 @@
 ---
-- name: Install dependencies
-  ansible.builtin.apt:
-    name: libjack-jackd2-dev
-    state: present
+- name: Install apt dependencies
+  apt:
+    name:
+      - libasound2-dev
+      - libjack-dev
+      - pkg-config
+
+- name: Create librespot user
+  user:
+    name: "{{ music_librespot_user }}"
+    system: true
+    home: /var/lib/librespot
+    groups:
+      - "{{ music_audio_group }}"
 
 - name: Clone librespot source
   ansible.builtin.git:
@@ -11,8 +21,8 @@
     dest: /opt/librespot
     accept_hostkey: yes
   notify:
-    - Rebuild librespot
-    - Restart librespot
+    - rebuild librespot
+    - restart librespot
 
 - name: Install service file
   ansible.builtin.template:
@@ -21,7 +31,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: Restart librespot
+  notify: restart librespot
 
 - name: Enable Librespot
   ansible.builtin.systemd:
@@ -29,3 +39,5 @@
     state: started
     enabled: true
     daemon_reload: true
+
+- meta: flush_handlers

roles/music/tasks/main.yaml

@@ -1,4 +1,9 @@
 ---
+- name: Import base
+  ansible.builtin.import_tasks:
+    file: base.yaml
+  tags:
+    - music_base
 
 - name: Import mpd
   ansible.builtin.import_tasks:
@@ -6,6 +11,18 @@
   tags:
     - music_mpd
 
+- name: Bitvis
+  ansible.builtin.import_tasks:
+    file: bitvis.yaml
+  tags:
+    - music_bitvis
+
+- name: Import airplay
+  ansible.builtin.import_tasks:
+    file: airplay.yaml
+  tags:
+    - music_airplay
+
 - name: Import trollibox
   ansible.builtin.import_tasks:
     file: trollibox.yaml
@@ -24,11 +41,8 @@
   tags:
     - music_soundboard
 
-- name: Install nginx config
-  ansible.builtin.template:
-    src: nginx-site.conf
-    dest: /etc/nginx/sites-enabled/trollibox
-    owner: root
-    group: root
-    mode: 0644
-  notify: Reload nginx
+- name: Ampswitch
+  ansible.builtin.import_tasks:
+    file: ampswitch.yaml
+  tags:
+    - music_ampswitch

roles/music/tasks/mpd.yaml

@@ -1,14 +1,32 @@
 ---
-
 - name: Install MPD
   ansible.builtin.apt:
-    name:
-      - jackd
-      - mpd
-      - python3-mpd
-      - python3-serial
+    name: mpd
     state: present
 
+- name: Add mpd user to the {{ music_audio_group }} group
+  user:
+    name: mpd
+    groups:
+      - "{{ music_audio_group }}"
+  notify: restart mpd
+
+- name: Install mpd file
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart mpd
+  with_items:
+    - src: mpd.conf
+      dest: /etc/mpd.conf
+    - src: mpd.service
+      dest: /etc/systemd/system/mpd.service
+    - src: mpd_state
+      dest: /var/lib/mpd/state.default
+
 - name: Install mpd-volume-to-mqtt script
   ansible.builtin.template:
     src: mpd-volume-to-mqtt.sh
@@ -33,27 +51,3 @@
     state: started
     enabled: true
     daemon_reload: true
-
-- name: Clone skipbutton source
-  ansible.builtin.git:
-    repo: https://github.com/bitlair/skipbutton.git
-    version: master
-    dest: /opt/skipbutton
-    accept_hostkey: yes
-  notify: Restart skipbutton
-
-- name: Install skipbutton service
-  ansible.builtin.template:
-    src: skipbutton.service
-    dest: /etc/systemd/system/skipbutton.service
-    owner: root
-    group: root
-    mode: 0644
-  notify: Restart skipbutton
-
-- name: Enable skipbutton
-  ansible.builtin.systemd:
-    name: skipbutton
-    state: started
-    enabled: true
-    daemon_reload: true

roles/music/tasks/soundboard.yaml

@@ -1,50 +1,28 @@
 ---
 - name: Install dependencies
   ansible.builtin.apt:
-    name: virtualenv
+    name:
+      - mqtt-soundboard
+      - mplayer
     state: present
 
-- name: Clone soundboard source
-  ansible.builtin.git:
-    repo: https://github.com/polyfloyd/mqtt-soundboard.git
-    version: main
-    dest: /opt/soundboard
-    accept_hostkey: yes
-  notify: Restart soundboard
-
-- name: Create virtualenv
-  ansible.builtin.command:
-    cmd: virtualenv /opt/soundboard/.venv
-  args:
-    creates: /opt/soundboard/.venv
-
-- name: Install Python dependencies
-  ansible.builtin.shell:
-    cmd: . .venv/bin/activate && pip install -r requirements.txt
-  args:
-    chdir: /opt/soundboard
-
 - name: Install soundboard config file
   ansible.builtin.template:
-    src: soundboard.yaml
-    dest: /etc/soundboard.yaml
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     owner: root
     group: root
     mode: 0644
-  notify: Restart soundboard
-
-- name: Install soundboard service file
-  ansible.builtin.template:
-    src: soundboard.service
-    dest: /etc/systemd/system/soundboard.service
-    owner: root
-    group: root
-    mode: 0644
-  notify: Restart soundboard
+  notify: restart mqtt-soundboard
+  with_items:
+    - src: mqtt-soundboard.service
+      dest: /etc/systemd/system/mqtt-soundboard.service
+    - src: mqtt-soundboard.yaml
+      dest: /etc/mqtt-soundboard.yaml
 
 - name: Enable soundboard
   ansible.builtin.systemd:
-    name: soundboard
+    name: mqtt-soundboard
     state: started
     enabled: true
     daemon_reload: true

roles/music/tasks/trollibox.yaml

@@ -1,4 +1,10 @@
 ---
+- name: Create trollibox user
+  user:
+    name: "{{ music_trollibox_user }}"
+    system: true
+    home: /var/lib/trollibox
+
 - name: Install Trollibox config
   ansible.builtin.template:
     src: trollibox.yaml
@@ -6,27 +12,29 @@
     owner: root
     group: root
     mode: "0644"
-  notify: Restart trollibox
+  notify: restart trollibox
 
 - name: Get latest Trollibox version from Github API
-  ansible.builtin.get_url:
+  uri:
     url: "https://api.github.com/repos/polyfloyd/trollibox/releases/latest"
-    dest: "/tmp/_ansible_trollibox_latest_release.json"
+    return_content: true
+  register: response
+  changed_when: false
+  check_mode: false
+  failed_when: "response is failed or 'json' not in response"
 
-- name: Get download url
-  ansible.builtin.shell:
-    cmd: cat /tmp/_ansible_trollibox_latest_release.json | jq .assets[] | select(.name
-      | contains("linux-amd64")) | .browser_download_url -r
-  register: "trollibox_download_url"
+- name: Format trollibox latest version
+  set_fact:
+    trollibox_version: "{{ response['json']['tag_name'] | trim('v') }}"
 
 - name: Download Trollibox
   ansible.builtin.unarchive:
-    src: "{{ trollibox_download_url.stdout }}"
+    src: "https://github.com/polyfloyd/trollibox/releases/download/v{{ trollibox_version }}/trollibox-x86_64-unknown-linux-gnu.tar.gz"
     remote_src: yes
     dest: /usr/local/bin
     include: [ trollibox ]
     mode: "0755"
-  notify: Restart trollibox
+  notify: restart trollibox
 
 - name: Install service file
   ansible.builtin.template:
@@ -35,7 +43,7 @@
     owner: root
     group: root
     mode: "0644"
-  notify: Restart trollibox
+  notify: restart trollibox
 
 - name: Enable Trollibox
   ansible.builtin.systemd:

roles/music/templates/ampswitch.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Script hook for {{ item }} playback
+After=network.target {{ item.instance }}.service
+Requires={{ item.instance }}.service
+StopPropagatedFrom={{ item.instance }}.service
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=10s
+ExecStart=/usr/bin/pw-jack ampswitch --jack-name ampswitch-{{ item.instance }} --on-command /opt/on-{{ item.instance }}-start.sh --switch-time 10 --trigger-level 0.001
+ExecStartPost=/usr/bin/sleep 4
+{% for pw_input in item.pw_inputs %}
+ExecStartPost=-/usr/bin/pw-link "{{ pw_input }}" ampswitch-{{ item.instance }}:Input
+{% endfor %}
+User=root
+Environment="XDG_RUNTIME_DIR=/run/user/{{ music_audio_user_id }}"
+
+[Install]
+WantedBy=multi-user.target

roles/music/templates/bitvis-tee.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Multiplexer for bitvis
+Before=bitvis.service
+After=bitvis-http.service
+Requires=bitvis-http.service
+PropagatesStopTo=bitvis.service
+StopPropagatedFrom=bitvis.service
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/screen -dmS bitvis-tee /opt/bitvis-tee.sh
+User={{ music_bitvis_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/music/templates/bitvis-tee.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# {{ ansible_managed }}
+
+loop=`mktemp --suffix -bitvis`
+mkfifo -f "$loop"
+trap "rm -f $loop" EXIT TERM
+
+cat "$loop" | while true; do nc -4 -w 2 localhost 1338; done &
+nc -klp 1337 | tee "$loop" | while true; do nc -w 2 {{ music_bitpanel_host }} {{ music_bitpanel_port }}; done

roles/music/templates/bitvis.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Audio visualizer for the bitpanel
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=10s
+ExecStart=/usr/bin/pw-jack bitvis -a localhost -p 1337 -m localhost -o 6600
+ExecStartPost=/usr/bin/sleep 4
+ExecStartPost=-/usr/bin/pw-link bitvis-mixer:output_FL bitvis:input
+ExecStartPost=-/usr/bin/pw-link alsa_output.usb-ASUS_Xonar_U7_MKII-00.analog-stereo:monitor_FL bitvis-mixer:playback_FL
+ExecStartPost=-/usr/bin/pw-link alsa_output.usb-ASUS_Xonar_U7_MKII-00.analog-stereo:monitor_FR bitvis-mixer:playback_FR
+
+User={{ music_audio_user }}
+Environment="XDG_RUNTIME_DIR=/run/user/{{ music_audio_user_id }}"
+
+[Install]
+WantedBy=multi-user.target

roles/music/templates/librespot.service

@@ -3,16 +3,18 @@
 [Unit]
 Description=Spotify through Librespot
 After=network.target
-Requires=jackd.service
 
 [Service]
 Type=simple
 Restart=always
-RestartSec=2s
-ExecStart=/opt/librespot/target/release/librespot --name Trollibox --backend jackaudio
-User={{ music_audio_user }}
-Group={{ music_audio_user }}
-AmbientCapabilities=CAP_IPC_LOCK,CAP_SYS_NICE
+RestartSec=10s
+ExecStart=/usr/bin/pw-jack -s 44100 /opt/librespot/target/release/librespot --name Trollibox --backend jackaudio
+ExecStartPost=/usr/bin/sleep 4
+ExecStartPost=-/usr/bin/pw-link librespot:out_0 alsa_output.usb-ASUS_Xonar_U7_MKII-00.analog-stereo:playback_FL
+ExecStartPost=-/usr/bin/pw-link librespot:out_1 alsa_output.usb-ASUS_Xonar_U7_MKII-00.analog-stereo:playback_FR
+# User={{ music_librespot_user }}
+User=root
+Environment="XDG_RUNTIME_DIR=/run/user/{{ music_audio_user_id }}"
 
 [Install]
 WantedBy=multi-user.target

roles/music/templates/mpd-volume-to-mqtt.sh

@@ -14,7 +14,7 @@ prev_volume=x
     if [ $event = "mixer" ]; then
         volume=`mpc volume | sed -nr 's/^volume: ([0-9]+)%$/\1/p'`
         if [ "$prev_volume" != "$volume" ]; then
-            mqtt-simple -h {{ mqtt_internal_host }} -p '{{ music_mqtt_mpd_volume }} -r' -m "$volume"
+            mqtt-simple -h {{ mqtt_internal_host }} -p '{{ music_mqtt_mpd_volume }}' -r -m "$volume"
         fi
         prev_volume=$volume
     fi

roles/music/templates/mpd.conf

@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+
+user "mpd"
+group "{{ music_audio_group }}"
+
+bind_to_address "any"
+port "6600"
+max_connections "20"
+
+zeroconf_enabled "yes"
+zeroconf_name "MPD @ %h"
+
+music_directory "/srv/media/music"
+auto_update "yes"
+filesystem_charset "UTF-8"
+
+playlist_directory "/var/lib/mpd/playlists"
+db_file "/var/lib/mpd/tag_cache"
+state_file "/var/lib/mpd/state"
+sticker_file "/var/lib/mpd/sticker.sql"
+
+input {
+        plugin "curl" # Required for web streams.
+}
+
+decoder {
+        plugin  "hybrid_dsd"
+        enabled "no"
+}
+
+decoder {
+        plugin  "wildmidi"
+        enabled "no"
+}
+
+audio_output {
+       type     "pulse"
+       name     "Pulse"
+       server   "{{ music_pulse_server }}"
+}

roles/music/templates/mpd.service

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Music Player Daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStartPre=/bin/mkdir -p /run/mpd
+ExecStartPre=/bin/chown -R mpd:nogroup /run/mpd
+ExecStartPre=/bin/touch /var/log/mpd.log
+ExecStartPre=/bin/chown mpd:nogroup /var/log/mpd.log
+ExecStartPre=/usr/bin/cp /var/lib/mpd/state.default /var/lib/mpd/state
+ExecStart=/usr/bin/mpd --no-daemon /etc/mpd.conf
+# MDP will fork itself to the user defined in its config
+User=root
+LimitMEMLOCK=infinity
+LimitRTPRIO=99
+
+[Install]
+WantedBy=multi-user.target

roles/music/templates/mpd_state

@@ -0,0 +1,17 @@
+sw_volume: 20
+audio_device_state:1:Pulse
+state: play
+current: 0
+time: 0
+random: 0
+repeat: 0
+single: 0
+consume: 0
+crossfade: 0
+mixrampdb: 0.000000
+mixrampdelay: -1.000000
+playlist_begin
+song_begin: http://ice4.somafm.com/groovesalad-256-mp3
+Name: SomaFM Groove Salad
+song_end
+playlist_end

roles/music/templates/mqtt-soundboard.service

@@ -6,12 +6,11 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=/opt/soundboard/.venv/bin/python /opt/soundboard/soundboard.py /etc/soundboard.yaml
+ExecStart=/lib/python3/dist-packages/mqtt-soundboard.py /etc/mqtt-soundboard.yaml
 Restart=always
 RestartSec=10
-User=audio
-LimitMEMLOCK=infinity
-LimitRTPRIO=99
+User=root
+Environment="XDG_RUNTIME_DIR=/run/user/{{ music_audio_user_id }}"
 
 [Install]
 WantedBy=multi-user.target

roles/music/templates/mqtt-soundboard.yaml

@@ -1,13 +1,13 @@
 # {{ ansible_managed }}
 
-loglevel: INFO
+loglevel: DEBUG
 
 mqtt:
   host: {{ mqtt_internal_host }}
 
 sounds:
   directory: /opt/sounds
-  play_cmd: "mplayer -volume 10 -ao jack:name=MPlayer %s"
+  play_cmd: "pw-jack mplayer -volume 20 -ao jack:name=MPlayer %s"
   topic: bitlair/soundboard
 
 aliases:

roles/music/templates/nginx-site.conf

@@ -1,70 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-
-    server_name {{ music_domain }};
-
-    {% if acme_bootstrap_certs %}
-    include "snippets/snakeoil.conf";
-    {% else %}
-    ssl_certificate     "/var/lib/dehydrated/certs/{{ music_domain }}/fullchain.pem";
-    ssl_certificate_key "/var/lib/dehydrated/certs/{{ music_domain }}/privkey.pem";
-    {% endif %}
-
-    {% for range in trusted_ranges %}
-    allow {{ range.cidr }};
-    {% endfor %}
-    deny all;
-
-    location / {
-        rewrite ^/(.*) https://{{ music_domain }}/trollibox/player/space?;
-    }
-
-    location /trollibox/ {
-        proxy_pass http://[::1]:3000/;
-        client_max_body_size 512M;
-        include proxy_params;
-    }
-
-    location ~ ^/trollibox/(.+/events)$ {
-        proxy_pass http://[::1]:3000/$1;
-        include proxy_params;
-        proxy_http_version 1.1;
-        chunked_transfer_encoding off;
-        add_header X-Test "123";
-        proxy_set_header Connection '';
-        proxy_buffering off;
-        proxy_read_timeout 7d;
-    }
-
-    location ~ ^/trollibox/(.+/listen)$ {
-        proxy_pass http://[::1]:3000/$1;
-        include proxy_params;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_read_timeout 7d;
-    }
-
-    location /bobdsp/ {
-        proxy_pass http://[::1]:8081/;
-        include proxy_params;
-    }
-
-    location /vis/ {
-        allow all;
-        proxy_pass http://[::1]:13378/;
-        include proxy_params;
-    }
-
-    location = /vis/ {
-        rewrite ^(.*)$ /vis/index.html;
-        include proxy_params;
-    }
-
-    include "snippets/acme.conf";
-}

roles/music/templates/pw-bitvis-mixer.conf

@@ -0,0 +1,49 @@
+# {{ ansible_managed }}
+
+context.modules = [
+    {
+        name = libpipewire-module-filter-chain
+        args = {
+            node.description = "bitvis-mixer"
+            media.name       = "bitvis-mixer"
+            filter.graph = {
+                nodes = [
+                    {
+                        name    = normalize
+                        type    = ladspa
+                        plugin  = fast_lookahead_limiter_1913
+                        label   = fastLookaheadLimiter
+                        control = {
+                            "Input gain (dB)" = 40
+                            "Limit (dB)" = 0
+                            "Release time (s)" = 1
+                        }
+                    }
+                    {
+                        name  = mono
+                        type  = builtin
+                        label = mixer
+                    }
+                ]
+                links = [
+                    { output = "normalize:Output 1", input = "mono:In 1" }
+                    { output = "normalize:Output 2", input = "mono:In 2" }
+                ]
+                inputs  = [ "normalize:Input 1" "normalize:Input 2" ]
+                outputs = [ "mono:Out" ]
+            }
+            capture.props = {
+                node.name         = "mix_input.bitvis"
+                audio.position    = [ FL FR ]
+                media.class       = "Audio/Sink"
+            }
+            playback.props = {
+                node.name         = "mix_output.bitvis"
+                audio.position    = [ FL ]
+                stream.dont-remix = true
+                node.passive      = true
+                node.autoconnect  = false
+            }
+        }
+    }
+]

roles/music/templates/skipbutton.service

@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Description=MPD Skipbutton
-After=network.target
-Requires=mpd.service
-
-[Service]
-Type=simple
-Restart=always
-RestartSec=10s
-ExecStart=/opt/skipbutton/skipbutton.py /dev/ttyS0
-DynamicUser=true
-Group=dialout
-
-[Install]
-WantedBy=multi-user.target

roles/music/templates/trollibox.service

@@ -10,8 +10,7 @@ Type=simple
 Restart=always
 RestartSec=2s
 ExecStart=/usr/local/bin/trollibox -conf /etc/trollibox.yaml
-User={{ music_audio_user }}
-Group={{ music_audio_user }}
+User={{ music_trollibox_user }}
 
 [Install]
 WantedBy=multi-user.target

roles/nodesource/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+nodesource_version: 22.x

roles/nodesource/handlers/main.yaml

@@ -0,0 +1,3 @@
+---
+- ansible.builtin.import_tasks:
+    file: ../../common/handlers/main.yaml

roles/nodesource/tasks/main.yaml

@@ -0,0 +1,33 @@
+---
+- name: Install dependencies
+  ansible.builtin.apt:
+    state: present
+    pkg:
+      - apt-transport-https
+      - gpg
+
+- name: Import nodesource signing key
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
+    executable: /bin/bash
+  args:
+    creates: /usr/share/keyrings/nodesource.gpg
+  notify: apt update
+
+- name: Install nodesource apt files
+  ansible.builtin.template:
+    src: nodesource.list
+    dest: /etc/apt/sources.list.d/nodesource.list
+    owner: root
+    group: root
+    mode: 0644
+  notify: apt update
+  with_items:
+    - src: nodesource.list
+      dest: /etc/apt/sources.list.d/nodesource.list
+    - src: nodejs-apt-pref
+      dest: /etc/apt/preferences.d/nodejs
+
+- ansible.builtin.meta: flush_handlers

roles/nodesource/templates/nodesource.list

@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
 
-deb [arch=$arch signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_{{ nodejs_version }} nodistro main
+deb [arch=$arch signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_{{ nodesource_version }} nodistro main

roles/services/handlers/main.yaml

@@ -2,30 +2,24 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: Restart irc-bot
+- name: Restart ircbot
   ansible.builtin.systemd:
-    name: irc-bot
+    name: ircbot
     state: restarted
     daemon_reload: true
 
-- name: Restart irc-photos
-  ansible.builtin.systemd:
-    name: irc-photos
-    state: restarted
-    daemon_reload: true
-
-- name: Restart irc-doorduino
-  ansible.builtin.systemd:
-    name: irc-doorduino
-    state: restarted
-    daemon_reload: true
-
-- name: Restart discord-bot
+- name: restart discord-bot
   ansible.builtin.systemd:
     name: discord-bot
     state: restarted
     daemon_reload: true
 
+- name: restart irc-bot
+  ansible.builtin.systemd:
+    name: irc-bot
+    state: restarted
+    daemon_reload: true
+
 - name: Restart siahsd
   ansible.builtin.systemd:
     name: siahsd

roles/services/tasks/discord_bot.yaml

@@ -3,39 +3,58 @@
 - name: Install dependencies
   ansible.builtin.apt:
     name:
-      - python3-paho-mqtt
-      - python3-tz
+      - openscad
       - virtualenv
 
 - name: Create virtualenv
   ansible.builtin.command:
-    cmd: virtualenv /opt/miflora_exporter/.venv
+    cmd: virtualenv /var/lib/discord-bot/.venv
   args:
     creates: /var/lib/discord-bot/.venv
 
-- name: Install Python dependencies
-  ansible.builtin.shell:
-    cmd: . .venv/bin/activate && pip install -r requirements.txt
-  args:
-    chdir: /var/lib/discord-bot
-
-- name: Clone source
+- name: Clone bottleclip source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/discord-bot.git
+    repo: https://git.bitlair.nl/bitlair/bottle-clip.git
+    version: main
+    dest: /var/lib/bottle-clip
+    accept_hostkey: yes
+
+- name: Clone discord-bot source
+  ansible.builtin.git:
+    repo: https://git.bitlair.nl/bitlair/discord-bot.git
     version: main
     dest: /var/lib/discord-bot
     accept_hostkey: yes
-  notify: Restart discord-bot
-  ignore_errors: true
+  notify:
+    - restart discord-bot
+    - restart irc-bot
 
-- name: Install service file
+- name: Install Python dependencies
+  ansible.builtin.shell:
+    cmd: . .venv/bin/activate && pip install -e .
+  args:
+    chdir: /var/lib/discord-bot
+  notify:
+    - restart discord-bot
+    - restart irc-bot
+
+- name: Install discord-bot service file
   ansible.builtin.template:
     src: discord-bot.service
     dest: /etc/systemd/system/discord-bot.service
     owner: root
     group: root
     mode: "0644"
-  notify: Restart discord-bot
+  notify: restart discord-bot
+
+- name: Install irc-bot service file
+  ansible.builtin.template:
+    src: irc-bot.service
+    dest: /etc/systemd/system/irc-bot.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart irc-bot
 
 - name: Start discord-bot
   ansible.builtin.systemd:
@@ -43,3 +62,10 @@
     state: started
     enabled: true
     daemon_reload: true
+
+- name: Start irc-bot
+  ansible.builtin.systemd:
+    name: irc-bot
+    state: started
+    enabled: true
+    daemon_reload: true

roles/services/tasks/ircbot.yaml

@@ -1,12 +1,12 @@
 ---
 - name: Clone source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/irc-bot.git
-    version: master
+    repo: https://git.bitlair.nl/bitlair/irc-bot.git
+    version: main
     dest: /var/lib/irc-bot
     accept_hostkey: yes
   ignore_errors: true
-  notify: Restart irc-bot
+  notify: Restart ircbot
 
 - name: Link irc-say
   ansible.builtin.file:
@@ -17,81 +17,18 @@
 - name: Install service file
   ansible.builtin.template:
     src: generic.service
-    dest: /etc/systemd/system/irc-bot.service
+    dest: /etc/systemd/system/ircbot.service
     owner: root
     group: root
     mode: 0644
   vars:
     description: Bitlair IRC bot
     exec: /bin/bash /var/lib/irc-bot/irc-bot
-  notify: Restart irc-bot
+  notify: Restart ircbot
 
-- name: Start irc-bot
+- name: Start ircbot
   ansible.builtin.systemd:
-    name: irc-bot
-    state: started
-    enabled: true
-    daemon_reload: true
-
-- name: Create helpers dir
-  ansible.builtin.file:
-    path: /var/lib/irc-helpers
-    state: directory
-
-- name: Install photos notification
-  ansible.builtin.template:
-    src: irc-photos.sh
-    dest: /var/lib/irc-helpers/photos.sh
-    owner: root
-    group: root
-    mode: 0755
-  notify: Restart irc-photos
-
-- name: Install photos notification service
-  ansible.builtin.template:
-    src: generic.service
-    dest: /etc/systemd/system/irc-photos.service
-    owner: root
-    group: root
-    mode: 0644
-  vars:
-    description: Bitlair IRC photos notification
-    requires: irc-bot.service
-    exec: /bin/bash /var/lib/irc-helpers/photos.sh
-  notify: Restart irc-photos
-
-- name: Start irc-photos
-  ansible.builtin.systemd:
-    name: irc-photos
-    state: started
-    enabled: true
-    daemon_reload: true
-
-- name: Install doorduino notification
-  ansible.builtin.template:
-    src: irc-doorduino.sh
-    dest: /var/lib/irc-helpers/doorduino.sh
-    owner: root
-    group: root
-    mode: 0755
-  notify: Restart irc-doorduino
-
-- name: Install doorduino notification service
-  ansible.builtin.template:
-    src: generic.service
-    dest: /etc/systemd/system/irc-doorduino.service
-    owner: root
-    group: root
-    mode: 0644
-  vars:
-    description: Bitlair IRC doorduino notification
-    requires: irc-bot.service
-    exec: /bin/bash /var/lib/irc-helpers/doorduino.sh
-  notify: Restart irc-doorduino
-
-- name: Start irc-doorduino
-  ansible.builtin.systemd:
-    name: irc-doorduino
+    name: ircbot
     state: started
     enabled: true
     daemon_reload: true

roles/services/tasks/mastodon_spacestate.yaml

@@ -7,7 +7,7 @@
 
 - name: Clone source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/mastodon-spacestate.git
+    repo: https://git.bitlair.nl/bitlair/mastodon-spacestate.git
     version: main
     dest: /var/lib/mastodon-spacestate
     accept_hostkey: yes

roles/services/tasks/siahsd.yaml

@@ -1,16 +1,24 @@
 ---
-# TODO: Install and build
+- name: Install siahsd
+  apt:
+    name:
+      - debianutils
+      - siahsd
 
-- name: Create directories
+- name: Clone alarm-handlers
+  ansible.builtin.git:
+    repo: https://git.bitlair.nl/bitlair/alarm-handlers.git
+    version: main
+    dest: /opt/alarm
+    accept_hostkey: yes
+
+- name: Create log directory
   ansible.builtin.file:
-    path: "{{ item }}"
+    path: /var/log/siahsd
     state: directory
     owner: siahsd
     group: nogroup
     mode: "0750"
-  with_items:
-    - /var/log/siahsd
-    - /var/lib/siahsd
 
 - name: Install config file
   ansible.builtin.template:
@@ -21,19 +29,9 @@
     mode: "0644"
   notify: Restart siahsd
 
-- name: Install service file
-  ansible.builtin.template:
-    src: siahsd.service
-    dest: /etc/systemd/system/siahsd.service
-    owner: root
-    group: root
-    mode: "0644"
-  notify: Restart siahsd
-
 - name: Start siahsd
   ansible.builtin.systemd:
     name: siahsd
     state: started
     enabled: true
     daemon_reload: true
-

roles/services/tasks/spacestated.yaml

@@ -21,7 +21,7 @@
 
 - name: Clone source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/spacestated.git
+    repo: https://git.bitlair.nl/bitlair/spacestated.git
     version: main
     dest: /var/lib/spacestated/spacestated
     accept_hostkey: yes

roles/services/tasks/wifi_mqtt.yaml

@@ -8,7 +8,7 @@
 
 - name: Clone source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/wifi-mqtt.git
+    repo: https://git.bitlair.nl/bitlair/wifi-mqtt.git
     version: main
     dest: /var/lib/wifi-mqtt
     accept_hostkey: yes

roles/services/templates/discord-bot.service

@@ -1,16 +1,17 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 [Unit]
-Description=HobbyBot
+Description=Bitlair Discord Bot
 After=network.target
 
 [Service]
 Type=simple
-Restart=on-failure
+Restart=always
 RestartSec=10s
-ExecStart=/var/lib/discord-bot/.venv/bin/python /var/lib/discord-bot/main.py
+ExecStart=/var/lib/discord-bot/.venv/bin/python /var/lib/discord-bot/discordbot.py
 DynamicUser=true
 Environment="MQTT_HOST={{ mqtt_internal_host }}"
+Environment="BOTTLECLIP_RESOURCES=/var/lib/bottle-clip"
 Environment="DISCORD_WEBHOOK_URL={{ lookup('passwordstore', 'services/discord', subkey='webhook_url') }}"
 Environment="DISCORD_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='token') }}"
 

roles/services/templates/irc-bot.service

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Bitlair IRC Bot
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=10s
+ExecStart=/var/lib/discord-bot/.venv/bin/python /var/lib/discord-bot/ircbot.py
+DynamicUser=true
+Environment="MQTT_HOST={{ mqtt_internal_host }}"
+Environment="BOTTLECLIP_RESOURCES=/var/lib/bottle-clip"
+Environment="IRC_SERVER=irc.smurfnet.ch"
+Environment="IRC_CHANNEL=#bitlair"
+Environment="IRC_NICK=bitlair"
+
+[Install]
+WantedBy=multi-user.target

roles/services/templates/irc-doorduino.sh

@@ -1,24 +0,0 @@
-#!/bin/bash
-
-# Managed by Ansible
-
-set -eu
-set -o pipefail
-
-initial=1
-
-mqtt-simple -h {{ mqtt_internal_host }} -t "bitlair/doorduino/+" |
-  while read line; do
-      topic=$(echo "$line" | cut -d' ' -f1 | sed "s/bitlair\/doorduino\///")
-      value=$(echo "$line" | cut -s -d' ' -f2-)
-
-      if [ $initial == 0 ] && [ $value != 0 ]; then
-         if [ $topic == "doorbell" ]; then
-            irc-say "DEURBEL! Open de deur beneden!"
-         elif [ $topic != "dooropen" ]; then
-            irc-say "Doorduino: $topic $value"
-         fi
-      fi
-      initial=0
-  done
-

roles/services/templates/irc-photos.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# Managed by Ansible
-
-set -eu
-set -o pipefail
-
-mqtt-simple -h {{ mqtt_internal_host }} -s "bitlair/photos" |
-    while read event; do
-        path=$(echo $event | cut -d ' ' -f 2)
-        url="https://bitlair.nl/fotos/view/$path"
-        irc-say "WIP: $url"
-    done

roles/services/templates/siahsd.conf

@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 [siahsd]
 pid file = /var/lib/siahsd/siahsd.pid
 log file = /var/log/siahsd/siahsd.log
@@ -5,13 +7,6 @@ log level = 3
 foreground = 0
 event handlers = script
 
-#[database]
-#driver = mysql
-#host = localhost
-#name = siahsd
-#username = siahsd
-#password = MysbJxAaawmwKPqD
-
 [siahs]
 port = 4000
 
@@ -19,21 +14,5 @@ port = 4000
 port = 9000
 rsa key file = something.sexp
 
-#[jsonbot]
-#address = 192.168.88.15
-#port = 5500
-#aes key = blablablablablaz
-#password = mekker
-#privmsg to = #bitlair
-
-#[spacestate]
-#driver = mysql
-#host = localhost
-#name = bitwifi
-#username = bitwifi
-#password = aGWERQpLEQPUaXJV
-#open script = /opt/alarm/disarmed.sh
-#close script = /opt/alarm/armed.sh
-
 [script]
 path = /opt/alarm/siahsd_handler.sh

roles/services/templates/siahsd.service

@@ -1,17 +0,0 @@
-# Managed by Ansible
-
-[Unit]
-Description=Siahsd
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/var/lib/siahsd/siahsd.pid
-Restart=always
-RestartSec=10s
-ExecStartPre=-/bin/rm /var/lib/siahsd/siahsd.pid
-ExecStart=/usr/local/src/siahsd/build/siahsd
-User=siahsd
-
-[Install]
-WantedBy=multi-user.target

roles/www/tasks/calendar.yaml

@@ -5,7 +5,7 @@
 
 - name: Clone source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/calendar-parser.git
+    repo: https://git.bitlair.nl/bitlair/wiki-calendar-exporter.git
     version: main
     dest: /usr/local/src/bitlair-calendar
     accept_hostkey: yes

roles/www/tasks/spaceapi.yaml

@@ -1,7 +1,7 @@
 ---
 - name: Clone spaceapi source
   ansible.builtin.git:
-    repo: https://github.com/bitlair/spaceapi.git
+    repo: https://git.bitlair.nl/bitlair/spaceapi.git
     version: main
     dest: /opt/spaceapi
     accept_hostkey: true

roles/www/templates/matrix-delegation.json

@@ -1,3 +0,0 @@
-{
-    "m.server": "matrix.bitlair.nl"
-}

roles/www/templates/nginx-site.conf

@@ -119,13 +119,6 @@ server {
         rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
     }
 
-    # Matrix realm delegation
-    location = /.well-known/matrix/server {
-        add_header "Content-Type" "application/json";
-        add_header "Access-Control-Allow-Origin" "*";
-        alias /opt/matrix-delegation.json;
-    }
-
     location = /.well-known/security.txt {
         alias /opt/security.txt;
     }

services.yaml

@@ -3,4 +3,5 @@
 - hosts: services
   roles:
     - { role: "common", tags: [ "common" ] }
+    - { role: "deb_forgejo", tags: [ "deb_forgejo" ] }
     - { role: "services", tags: [ "services" ] }

snippets/music-nginx.j2

@@ -0,0 +1,44 @@
+{% for range in trusted_ranges %}
+allow {{ range.cidr }};
+{% endfor %}
+deny all;
+
+location / {
+    rewrite ^/(.*) https://{{ music_domain }}/trollibox/player/space?;
+}
+
+location /trollibox/ {
+    proxy_pass http://[::1]:3000/;
+    include proxy_params;
+}
+
+location ~ ^/trollibox/(.+/events)$ {
+    proxy_pass http://[::1]:3000/$1;
+    include proxy_params;
+    proxy_http_version 1.1;
+    chunked_transfer_encoding off;
+    add_header X-Test "123";
+    proxy_set_header Connection '';
+    proxy_buffering off;
+    proxy_read_timeout 7d;
+}
+
+location ~ ^/trollibox/(.+/listen)$ {
+    proxy_pass http://[::1]:3000/$1;
+    include proxy_params;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_read_timeout 7d;
+}
+
+location /vis/ {
+    allow all;
+    proxy_pass http://[::1]:13378/;
+    include proxy_params;
+}
+
+location = /vis/ {
+    rewrite ^(.*)$ /vis/index.html;
+    include proxy_params;
+}

snippets/www-nginx.j2

@@ -1,4 +1,4 @@
-root /opt/mediawiki-1.41.1/;
+root /opt/mediawiki-1.43.0/;
 index index.php index.html index.htm;
 
 # Photo gallery
@@ -78,13 +78,6 @@ location /Pages/ {
     rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
 }
 
-# Matrix realm delegation
-location = /.well-known/matrix/server {
-    add_header "Content-Type" "application/json";
-    add_header "Access-Control-Allow-Origin" "*";
-    alias /opt/matrix-delegation.json;
-}
-
 location = /.well-known/security.txt {
     alias /opt/security.txt;
 }