Migration: transfer data and run apps

2026-05-23 17:51:07 +03:00
parent a3e53b21e6
commit 02ea9a3735
3 changed files with 942 additions and 713 deletions
@@ -8,6 +8,245 @@
 ---
 ## Шаг 13 — приложения подняты на target, cutover завершён (2026-05-23, выполнено)
 После rsync'а (Шаг 12) — финальный прогон ансибла без `--skip-tags`,
 поэтапно по приложениям. К ~16:30 DNS уже указывал на target (Шаг
 переключения 15:45 + TTL 20 мин, пропагация подтверждена в 16:20),
 так что Caddy при старте сразу пошёл за LE-сертификатами без задержек.
 Прогоны делал поштучно через `inv pl -- <app>` (после Шага
 переключения `HOSTS_FILE = "timeweb.yml"` в `tasks.py`), не всем
 сразу — чтобы видеть каждый плейбук чисто.
 ### Что подтверждено работающим в браузере
 - `vakhrushev.me` — homepage отдаёт страницу.
 - `auth.vakhrushev.me` — Authelia, логин работает.
 - `matrix.vakhrushev.me` — Tuwunel поднялся, Element подключается.
 - `git.vakhrushev.me` — Gitea, репозитории и issue tracker на месте.
 - `outline.vakhrushev.me` — документы видны.
 - `gramps.vakhrushev.me` — генеалогическое дерево открывается.
 - `wakapi.vakhrushev.me` — статистика времени видна.
 - `status.vakhrushev.me` — Netdata собирает и рисует метрики.
 Точечно зашёл в outline / gramps / wakapi / gitea — данные на месте,
 ничего не потерялось при rsync'е.
 ### Отложенные на «потом по ходу дела» проверки
 - `miniflux`, `memos`, `remembos`, `wanderer`, `calibre`, `rssbridge`,
  `dozzle`, `goaccess` — открыть и убедиться, что отдают свои данные.
 - **SMTP-test** — reset-password из gitea/authelia. Проверит, что
  Postbox после разблокировки в панели Timeweb принимает наши письма.
 - **Backup-cron в 1:00** — самый поздний smoke-тест системы. Покажет,
  что `backup-all.py` отработал на target, restic пишет в S3 с новым
  `host_name`, apprise шлёт уведомление.
 - `docker pull cr.yandex/...` руками — повторная проверка
  OAuth-аутентификации.
 ### Отклонения от плана сегодня
 1. **VPS пересоздан в СПб** (Шаг 8) — первая выдача попала на
   гипервизор с битой сетью.
 2. **Docker Hub rate limit** на pull'е netdata — anonymous лимит
   подсети Timeweb уже выбран соседями. Лечится ручным
   `sudo docker login` на target (через free-аккаунт + PAT).
   **Backlog:** добавить `community.docker.docker_login` для
   `docker.io` в `playbook-docker.yml`, по аналогии с cr.yandex (Шаг
   3). Креды в vault как `dockerhub_username` / `dockerhub_token`.
 3. **Postbox SMTP не доступен извне YC** — оказалось, что в плане
   (`timeweb.md:81`) предпосылка «Postbox доступен извне YC по тем же
   credentials» неверна. Yandex Cloud Postbox дропает SMTP от не-YC
   источников; 443 при этом отвечает. Дополнительно Timeweb по
   умолчанию **сам** блокирует egress SMTP (25/465/587) — toggle в
   панели Timeweb снимает блок, после чего Postbox отвечает баннером.
   Authelia в exit-loop'е поднялась после рестарта. Запись в auto-
   memory `project_timeweb_smtp_block.md` — пригодится при следующих
   миграциях.
 4. **Bug ordering в `playbook-goaccess.yml`** (см. Шаг 9, фикс
   зашит) — латентный bug, проявившийся только на чистой машине.
 ### Что осталось до полной заморозки
 По плану (`timeweb.md:464-473`):
 - **≥ 24 часа** держим источник в выключенном состоянии (docker уже
  остановлен, daemon отключён через `disable`), как горячее запасное.
 - Если за сутки ничего не всплыло — выключить VM в YC.
 - Подождать ещё неделю-две — на всякий случай.
 - Удалить VM и связанные compute-ресурсы. **S3-бакет с
  restic-бэкапами и Container Registry — оставляем**, они продолжают
  использоваться.
 - Удалить `production.yml`, переименовать `timeweb.yml` →
  `production.yml`, откатить `HOSTS_FILE = "production.yml"` в
  `tasks.py`. Закоммитить.
 ---
 ## Шаг 12 — rsync данных с источника на target (2026-05-23, выполнено)
 Перенос `/mnt/applications/` на YC → `/srv/applications/` на Timeweb
 после заморозки источника (Шаг 11). Это финальный канал переноса
 данных — основной для всех приложений, единственный для `caddyproxy`,
 `remembos`, `transcriber` (у которых нет backup-механизма, см. Шаг 7b).
 ### Пилотный прогон на remembos
 Прежде чем гнать всё дерево, проверил рецепт на самом маленьком
 приложении (~35 КБ всего):
 ```bash
 sudo -E rsync -aAX --info=progress2 --delete --rsync-path="sudo rsync" \
    -e "ssh -o StrictHostKeyChecking=accept-new" \
    major@158.160.46.255:/mnt/applications/remembos/ \
    /srv/applications/remembos/
 ```
 Проверка после прогона:
 ```
 $ sudo ls -la /srv/applications/remembos/
 drwxr-x---  4 remembos remembos 4096 Apr 30 13:22 .
 drwxr-x---  2 remembos remembos 4096 Feb 12 17:22 config
 drwxr-x---  2 remembos remembos 4096 May 23 12:41 data
 -rw-r-----  1 remembos remembos  494 Apr 30 13:22 docker-compose.yml
 ```
 Owner отрисован именами (`remembos:remembos`, не numeric `1103:1103`)
 — значит на обеих сторонах ансибл создал юзера с одним и тем же uid,
 mapping сошёлся. Mode (750) и mtime сохранены.
 ### Засада с agent-forwarding'ом под sudo
 Первая попытка упала с `Permission denied (publickey)`. Причина:
 rsync запускается через `sudo` на target, а sudo по дефолту чистит
 `SSH_AUTH_SOCK` из env (`Defaults env_reset` в /etc/sudoers) — ssh
 внутри sudo не видит проброшенный agent, пытается парольную
 аутентификацию, проваливается.
 Лечится разрешением sudo проносить именно эту переменную:
 ```bash
 echo 'Defaults env_keep += "SSH_AUTH_SOCK"' | sudo tee -a /etc/sudoers.d/major
 sudo visudo -cf /etc/sudoers.d/major
 ```
 Безопасно: сокет агента принадлежит `major`, root к нему имеет доступ
 по определению; мы просто говорим sudo не вычищать переменную с путём
 к нему. После этого `sudo -E rsync …` отрабатывает.
 ### Полный прогон по всем приложениям
 ```bash
 sudo -E rsync -aAX --info=progress2 --delete --exclude='lost+found' \
    --rsync-path="sudo rsync" \
    -e "ssh -o StrictHostKeyChecking=accept-new" \
    major@158.160.46.255:/mnt/applications/ \
    /srv/applications/
 ```
 ### Что делает каждый флаг
 - **`sudo -E`** — локальный rsync на target запускается под root
  (нужно, чтобы писать файлы с любым owner'ом / mode); `-E` сохраняет
  env, в первую очередь `SSH_AUTH_SOCK` для agent forwarding.
 - **`-a`** (`--archive`) — собирательный флаг `-rlptgoD`: recursive +
  symlinks как symlinks + permissions + times + group + owner +
  special files. Базовое «копировать всё как есть».
 - **`-A`** — сохранить POSIX ACL.
 - **`-X`** — сохранить extended attributes (xattrs), включая
  security-атрибуты типа capabilities или SELinux-меток.
 - **`--info=progress2`** — совокупный прогресс по всему transfer'у,
  а не per-file (для больших деревьев читабельнее).
 - **`--delete`** — стереть на target всё, чего нет на источнике.
  Безопасно в нашем случае: после rsync'а прогоняем ансибл, он
  перерендерит конфиги и пересоздаст любые отсутствующие структурные
  каталоги. Стирается, по сути, только содержимое, отрендеренное
  плейбуком на Шаге 9 без `run-app`.
 - **`--exclude='lost+found'`** — на YC `/mnt/applications/` это mount
  point внешнего диска, в его корне может лежать системный
  `lost+found`. Нам он не нужен и на target такого монтирования
  больше нет (`mount_external_storage: false`).
 - **`--rsync-path="sudo rsync"`** — критично: на удалённой стороне
  (источнике) rsync запускается через sudo. Иначе он стартует под
  `major`, у которого нет прав читать чужие `/mnt/applications/<app>/`
  (mode 750, owner — приложение). У `major` на источнике NOPASSWD
  sudo, так что sudo прокатывает молча.
 - **`-e "ssh -o StrictHostKeyChecking=accept-new"`** — кастомная
  команда транспорта. По умолчанию rsync запускает чистый `ssh`; мы
  добавляем флаг для автопринятия host key источника (на target
  `known_hosts` ещё пустой).
 - **`major@158.160.46.255:/mnt/applications/`** — источник. Trailing
  slash важен: «копировать содержимое каталога», а не сам каталог.
  Без слэша получили бы `/srv/applications/applications/...`.
 - **`/srv/applications/`** — назначение. Trailing slash для
  симметрии — содержимое кладётся в существующий каталог,
  созданный ансиблом на Шаге 9.
 ### Результат
 ```
 22,613,081,829  99%  7.11MB/s  0:50:34 (xfr#21837, to-chk=0/31024)
 ```
 - Объём — ~22.6 ГБ, файлов — 31 024.
 - Длительность — 50 минут 34 секунды, средняя скорость ~7 МБ/с
  (предсказуемо для YC↔Timeweb).
 - `du -s` после прогона: источник 22 088 224 КБ, target 22 164 172 КБ
  — разница ~76 МБ (0.34%). Это не рассинхрон данных, а разница в
  аллокации блоков ФС и метаданных между источником и target (разные
  inode-таблицы, journal, group descriptors). Содержимое файлов
  совпадает — rsync'у на это указали checksum'ы, errors не было.
 Окно даунтайма с момента стопа docker'а (Шаг 11) до конца rsync'а —
 около часа. С учётом параллельно запущенного DNS-переключения
 (Шаг между 11 и 12, 15:45) к моменту запуска приложений на target
 пропагация уже прошла (16:20).
 ---
 ## Шаг 11 — источник заморожен (docker + cron остановлены) (2026-05-23, выполнено)
 Сразу после финального бэкапа (Шаг 10) — отключил docker и cron на
 источнике, чтобы зафиксировать состояние данных перед rsync'ом и
 исключить случайные записи в `/mnt/applications/` во время переноса.
 ```bash
 sudo systemctl stop docker.service docker.socket
 sudo systemctl disable docker.service docker.socket
 sudo systemctl stop cron
 ```
 `disable` — страховка от автостарта docker'а при возможной
 перезагрузке источника (если вернёмся для отката или проверки).
 `cron stop` — чтобы ночной `backup-all.py` не запустился впустую без
 работающего daemon'а.
 С этого момента источник «мёртв» для пользователей — окно даунтайма
 открыто. Следующий шаг — переключить DNS и параллельно гнать rsync.
 ---
 ## Шаг 10 — финальный бэкап на источнике (2026-05-23, выполнено)
 Прогнал `backup-all.py` на источнике, пока docker ещё жив (он нужен
 для `pg_dump` и других in-container backup-команд внутри
 `backup.sh`-скриптов отдельных приложений).
 ```bash
 sudo /usr/local/sbin/backup-all.py 2>&1 | tee /tmp/final-backup.log
 ```
 Свежий restic-снапшот в `yandex_cloud_s3` зафиксирован — страховочный
 канал на случай, если rsync пойдёт криво (для приложений с
 `backup.sh` можно будет восстановить из S3; для `caddyproxy`,
 `remembos`, `transcriber` страховки нет, для них только rsync).
 После прогона можно гасить docker без риска потерять backup-окно.
 ---
 ## Шаг 9 — раскатана база и приложения без запуска (2026-05-23, выполнено)
 На свежей Timeweb-машине прогнаны два плейбука без даунтайма источника
@@ -104,7 +104,7 @@ server:
    ## Configure the authz endpoints.
    authz:
      forward-auth:
-        implementation: 'ForwardAuth'
+        implementation: "ForwardAuth"
        # authn_strategies: []
      # ext-authz:
      # implementation: 'ExtAuthz'
@@ -121,10 +121,10 @@ server:
 ##
 log:
  ## Level of verbosity for logs: info, debug, trace.
-  level: 'debug'
+  level: "debug"
  ## Format the logs are written as: json, text.
-  format: 'json'
+  format: "json"
  ## File path where the logs will be written. If not set logs are written to stdout.
  # file_path: '/config/authelia.log'
@@ -136,7 +136,6 @@ log:
 ## Telemetry Configuration
 ##
 telemetry:
  ##
  ## Metrics Configuration
  ##
@@ -151,7 +150,7 @@ telemetry:
    ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', 'unix', or 'fd'.
    ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'.
    ## If the path is not specified it defaults to `/metrics`.
-    address: 'tcp://:9959/metrics'
+    address: "tcp://:9959/metrics"
    ## Metrics Server Buffers configuration.
    # buffers:
@@ -179,128 +178,128 @@ telemetry:
 ##
 ## Parameters used for TOTP generation.
 # totp:
-  ## Disable TOTP.
+## Disable TOTP.
-  # disable: false
+# disable: false
-  ## The issuer name displayed in the Authenticator application of your choice.
+## The issuer name displayed in the Authenticator application of your choice.
-  # issuer: 'authelia.com'
+# issuer: 'authelia.com'
-  ## The TOTP algorithm to use.
+## The TOTP algorithm to use.
-  ## It is CRITICAL you read the documentation before changing this option:
+## It is CRITICAL you read the documentation before changing this option:
-  ## https://www.authelia.com/c/totp#algorithm
+## https://www.authelia.com/c/totp#algorithm
-  # algorithm: 'SHA1'
+# algorithm: 'SHA1'
-  ## The number of digits a user has to input. Must either be 6 or 8.
+## The number of digits a user has to input. Must either be 6 or 8.
-  ## Changing this option only affects newly generated TOTP configurations.
+## Changing this option only affects newly generated TOTP configurations.
-  ## It is CRITICAL you read the documentation before changing this option:
+## It is CRITICAL you read the documentation before changing this option:
-  ## https://www.authelia.com/c/totp#digits
+## https://www.authelia.com/c/totp#digits
-  # digits: 6
+# digits: 6
-  ## The period in seconds a Time-based One-Time Password is valid for.
+## The period in seconds a Time-based One-Time Password is valid for.
-  ## Changing this option only affects newly generated TOTP configurations.
+## Changing this option only affects newly generated TOTP configurations.
-  # period: 30
+# period: 30
-  ## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid.
+## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid.
-  ## Warning: before changing skew read the docs link below.
+## Warning: before changing skew read the docs link below.
-  # skew: 1
+# skew: 1
-  ## See: https://www.authelia.com/c/totp#input-validation to read
+## See: https://www.authelia.com/c/totp#input-validation to read
-  ## the documentation.
+## the documentation.
-  ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
+## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
-  # secret_size: 32
+# secret_size: 32
-  ## The allowed algorithms for a user to pick from.
+## The allowed algorithms for a user to pick from.
-  # allowed_algorithms:
+# allowed_algorithms:
-  # - 'SHA1'
+# - 'SHA1'
-  ## The allowed digits for a user to pick from.
+## The allowed digits for a user to pick from.
-  # allowed_digits:
+# allowed_digits:
-  # - 6
+# - 6
-  ## The allowed periods for a user to pick from.
+## The allowed periods for a user to pick from.
-  # allowed_periods:
+# allowed_periods:
-  # - 30
+# - 30
-  ## Disable the reuse security policy which prevents replays of one-time password code values.
+## Disable the reuse security policy which prevents replays of one-time password code values.
-  # disable_reuse_security_policy: false
+# disable_reuse_security_policy: false
 ##
 ## WebAuthn Configuration
 ##
 ## Parameters used for WebAuthn.
 # webauthn:
-  ## Disable WebAuthn.
+## Disable WebAuthn.
-  # disable: false
+# disable: false
-  ## Enables logins via a Passkey.
+## Enables logins via a Passkey.
-  # enable_passkey_login: false
+# enable_passkey_login: false
-  ## The display name the browser should show the user for when using WebAuthn to login/register.
+## The display name the browser should show the user for when using WebAuthn to login/register.
-  # display_name: 'Authelia'
+# display_name: 'Authelia'
-  ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
+## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
-  ## Options are none, indirect, direct.
+## Options are none, indirect, direct.
-  # attestation_conveyance_preference: 'indirect'
+# attestation_conveyance_preference: 'indirect'
-  ## The interaction timeout for WebAuthn dialogues in the duration common syntax.
+## The interaction timeout for WebAuthn dialogues in the duration common syntax.
-  # timeout: '60 seconds'
+# timeout: '60 seconds'
-  ## Authenticator Filtering.
+## Authenticator Filtering.
-  # filtering:
+# filtering:
-    ## Prohibits registering Authenticators that claim they can export their credentials in some way.
+## Prohibits registering Authenticators that claim they can export their credentials in some way.
-    # prohibit_backup_eligibility: false
+# prohibit_backup_eligibility: false
-    ## Permitted AAGUID's. If configured specifically only allows the listed AAGUID's.
+## Permitted AAGUID's. If configured specifically only allows the listed AAGUID's.
-    # permitted_aaguids: []
+# permitted_aaguids: []
-    ## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's.
+## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's.
-    # prohibited_aaguids: []
+# prohibited_aaguids: []
-  ## Selection Criteria controls the preferences for registration.
+## Selection Criteria controls the preferences for registration.
-  # selection_criteria:
+# selection_criteria:
-    ## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded
+## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded
-    ## authenticators.
+## authenticators.
-    # attachment: 'cross-platform'
+# attachment: 'cross-platform'
-    ## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'.
+## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'.
-    # discoverability: 'discouraged'
+# discoverability: 'discouraged'
-    ## User verification controls if the user must make a gesture or action to confirm they are present.
+## User verification controls if the user must make a gesture or action to confirm they are present.
-    ## Options are required, preferred, discouraged.
+## Options are required, preferred, discouraged.
-    # user_verification: 'preferred'
+# user_verification: 'preferred'
-  ## Metadata Service validation via MDS3.
+## Metadata Service validation via MDS3.
-  # metadata:
+# metadata:
-    ## Enable the metadata fetch behaviour.
+## Enable the metadata fetch behaviour.
-    # enabled: false
+# enabled: false
-    ## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It
+## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It
-    ## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that
+## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that
-    ## issued the attestation certificate.
+## issued the attestation certificate.
-    # validate_trust_anchor: true
+# validate_trust_anchor: true
-    ## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled
+## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled
-    ## attestation certificates which are not formally registered will be skipped. This may potentially exclude some
+## attestation certificates which are not formally registered will be skipped. This may potentially exclude some
-    ## virtual authenticators.
+## virtual authenticators.
-    # validate_entry: true
+# validate_entry: true
-    ## Enabling this allows attestation certificates with a zero AAGUID to pass validation. This is important if you do
+## Enabling this allows attestation certificates with a zero AAGUID to pass validation. This is important if you do
-    ## use non-conformant authenticators like Apple ID.
+## use non-conformant authenticators like Apple ID.
-    # validate_entry_permit_zero_aaguid: false
+# validate_entry_permit_zero_aaguid: false
-    ## Enable Validation of the Authenticator Status.
+## Enable Validation of the Authenticator Status.
-    # validate_status: true
+# validate_status: true
-    ## List of statuses which are considered permitted when validating an authenticator's metadata. Generally it is
+## List of statuses which are considered permitted when validating an authenticator's metadata. Generally it is
-    ## recommended that this is not configured as any other status the authenticator's metadata has will result in an
+## recommended that this is not configured as any other status the authenticator's metadata has will result in an
-    ## error. This option is ineffectual if validate_status is false.
+## error. This option is ineffectual if validate_status is false.
-    # validate_status_permitted: ~
+# validate_status_permitted: ~
-    ## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is
+## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is
-    ## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status
+## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status
-    ## is false, or validate_status_permitted has values.
+## is false, or validate_status_permitted has values.
-    # validate_status_prohibited: ~
+# validate_status_prohibited: ~
 ##
 ## Duo Push API Configuration
@@ -308,19 +307,18 @@ telemetry:
 ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
 ## "Partner Auth API" in the management panel.
 # duo_api:
-  # disable: false
+# disable: false
-  # hostname: 'api-123456789.example.com'
+# hostname: 'api-123456789.example.com'
-  # integration_key: 'ABCDEF'
+# integration_key: 'ABCDEF'
-  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
+## Secret can also be set using a secret: https://www.authelia.com/c/secrets
-  # secret_key: 'secret'
+# secret_key: 'secret'
-  # enable_self_enrollment: false
+# enable_self_enrollment: false
 ##
 ## Identity Validation Configuration
 ##
 ## This configuration tunes the identity validation flows.
 identity_validation:
  ## Reset Password flow. Adjusts how the reset password flow operates.
  reset_password:
    ## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax.
@@ -330,7 +328,7 @@ identity_validation:
    # jwt_algorithm: 'HS256'
    ## The secret key used to sign and verify the JWT.
-    jwt_secret: '{{ identity_validation__jwt_secret }}'
+    jwt_secret: "{{ identity_validation__jwt_secret }}"
  ## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding,
  ## removing, etc.
@@ -357,26 +355,26 @@ identity_validation:
 ##
 ## This is used to validate the servers time is accurate enough to validate TOTP.
 # ntp:
-  ## The address of the NTP server to connect to in the address common syntax.
+## The address of the NTP server to connect to in the address common syntax.
-  ## Format: [<scheme>://]<hostname>[:<port>].
+## Format: [<scheme>://]<hostname>[:<port>].
-  ## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'.
+## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'.
-  ## The default scheme is 'udp'. The default port is '123'.
+## The default scheme is 'udp'. The default port is '123'.
-  # address: 'udp://time.cloudflare.com:123'
+# address: 'udp://time.cloudflare.com:123'
-  ## NTP version.
+## NTP version.
-  # version: 4
+# version: 4
-  ## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
+## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
-  # max_desync: '3 seconds'
+# max_desync: '3 seconds'
-  ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
+## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
-  ## set this to true, and can operate in a truly offline mode.
+## set this to true, and can operate in a truly offline mode.
-  # disable_startup_check: false
+# disable_startup_check: false
-  ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
+## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
-  ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
+## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
-  ## will continue regardless of results.
+## will continue regardless of results.
-  # disable_failure: false
+# disable_failure: false
 ##
 ## Definitions
@@ -384,22 +382,22 @@ identity_validation:
 ## The definitions are used in other areas as reference points to reduce duplication.
 ##
 # definitions:
-  ## The user attribute definitions.
+## The user attribute definitions.
-  # user_attributes:
+# user_attributes:
-    ## The name of the definition.
+## The name of the definition.
-    # definition_name:
+# definition_name:
-      ## The common expression language expression for this definition.
+## The common expression language expression for this definition.
-      # expression: ''
+# expression: ''
-  ## The network definitions.
+## The network definitions.
-  # network:
+# network:
-    ## The name of the definition followed by the list of CIDR network addresses in this definition.
+## The name of the definition followed by the list of CIDR network addresses in this definition.
-    # internal:
+# internal:
-      # - '10.10.0.0/16'
+# - '10.10.0.0/16'
-      # - '172.16.0.0/12'
+# - '172.16.0.0/12'
-      # - '192.168.2.0/24'
+# - '192.168.2.0/24'
-    # VPN:
+# VPN:
-      # - '10.9.0.0/16'
+# - '10.9.0.0/16'
 ##
 ## Authentication Backend Provider Configuration
@@ -408,7 +406,6 @@ identity_validation:
 ##
 ## The available providers are: `file`, `ldap`. You must use only one of these providers.
 authentication_backend:
  ## Password Change Options.
  password_change:
    ## Disable both the HTML element and the API for password change functionality.
@@ -606,7 +603,7 @@ authentication_backend:
  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
  ##
  file:
-    path: '/config/users.yml'
+    path: "/config/users.yml"
    # watch: false
    # search:
    # email: false
@@ -643,34 +640,34 @@ authentication_backend:
 ##
 # password_policy:
-  ## The standard policy allows you to tune individual settings manually.
+## The standard policy allows you to tune individual settings manually.
-  # standard:
+# standard:
-    # enabled: false
+# enabled: false
-    ## Require a minimum length for passwords.
+## Require a minimum length for passwords.
-    # min_length: 8
+# min_length: 8
-    ## Require a maximum length for passwords.
+## Require a maximum length for passwords.
-    # max_length: 0
+# max_length: 0
-    ## Require uppercase characters.
+## Require uppercase characters.
-    # require_uppercase: true
+# require_uppercase: true
-    ## Require lowercase characters.
+## Require lowercase characters.
-    # require_lowercase: true
+# require_lowercase: true
-    ## Require numeric characters.
+## Require numeric characters.
-    # require_number: true
+# require_number: true
-    ## Require special characters.
+## Require special characters.
-    # require_special: true
+# require_special: true
-  ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
+## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
-  # zxcvbn:
+# zxcvbn:
-    # enabled: false
+# enabled: false
-    ## Configures the minimum score allowed.
+## Configures the minimum score allowed.
-    # min_score: 3
+# min_score: 3
 ##
 ## Privacy Policy Configuration
@@ -678,16 +675,16 @@ authentication_backend:
 ## Parameters used for displaying the privacy policy link and drawer.
 # privacy_policy:
-  ## Enables the display of the privacy policy using the policy_url.
+## Enables the display of the privacy policy using the policy_url.
-  # enabled: false
+# enabled: false
-  ## Enables the display of the privacy policy drawer which requires users accept the privacy policy
+## Enables the display of the privacy policy drawer which requires users accept the privacy policy
-  ## on a per-browser basis.
+## on a per-browser basis.
-  # require_user_acceptance: false
+# require_user_acceptance: false
-  ## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme.
+## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme.
-  ## If the privacy policy enabled option is true, this MUST be provided.
+## If the privacy policy enabled option is true, this MUST be provided.
-  # policy_url: ''
+# policy_url: ''
 ##
 ## Access Control Configuration
@@ -719,33 +716,33 @@ authentication_backend:
 access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
-  default_policy: 'deny'
+  default_policy: "deny"
  rules:
    ## Rules applied to everyone
-    - domain: 'status.vakhrushev.me'
+    - domain: "status.vakhrushev.me"
-      subject: 'group:admins'
+      subject: "group:admins"
-      policy: 'two_factor'
+      policy: "two_factor"
-    - domain: 'dozzle.vakhrushev.me'
+    - domain: "dozzle.vakhrushev.me"
-      subject: 'group:admins'
+      subject: "group:admins"
-      policy: 'two_factor'
+      policy: "two_factor"
-    - domain: 'goaccess.vakhrushev.me'
+    - domain: "goaccess.vakhrushev.me"
-      subject: 'group:admins'
+      subject: "group:admins"
-      policy: 'two_factor'
+      policy: "two_factor"
-    - domain: 'wanderbase.vakhrushev.me'
+    - domain: "wanderbase.vakhrushev.me"
-      subject: 'group:admins'
+      subject: "group:admins"
-      policy: 'two_factor'
+      policy: "two_factor"
-    - domain: 'remembos.vakhrushev.me'
+    - domain: "remembos.vakhrushev.me"
-      subject: 'group:admins'
+      subject: "group:admins"
-      policy: 'two_factor'
+      policy: "two_factor"
-    - domain: 'rssbridge.vakhrushev.me'
+    - domain: "rssbridge.vakhrushev.me"
-      subject: 'group:admins'
+      subject: "group:admins"
-      policy: 'one_factor'
+      policy: "one_factor"
    ## Domain Regex examples. Generally we recommend just using a standard domain.
    # - domain_regex: '^(?P<User>\w+)\.example\.com$'
@@ -826,18 +823,17 @@ access_control:
 session:
  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
-  secret: '{{ session__secret }}'
+  secret: "{{ session__secret }}"
  ## Cookies configures the list of allowed cookie domains for sessions to be created on.
  ## Undefined values will default to the values below.
  cookies:
-    -
+    - ## The name of the session cookie.
-      ## The name of the session cookie.
+      name: "authelia_session"
      name: 'authelia_session'
      ## The domain to protect.
      ## Note: the Authelia portal must also be in that domain.
-      domain: 'vakhrushev.me'
+      domain: "vakhrushev.me"
      ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections.
      ## Rules:
@@ -845,7 +841,7 @@ session:
      ##   - The above 'domain' option MUST either:
      ##      - Match the host portion of this URI.
      ##      - Match the suffix of the host portion when prefixed with '.'.
-      authelia_url: 'https://auth.vakhrushev.me'
+      authelia_url: "https://auth.vakhrushev.me"
      ## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not
      ## configuring this option disables the automatic redirection behaviour.
@@ -904,7 +900,7 @@ session:
  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
  ##
  redis:
-    host: 'authelia_redis'
+    host: "authelia_redis"
    port: 6379
    ## Use a unix socket instead
    # host: '/var/run/redis/redis.sock'
@@ -1000,19 +996,19 @@ session:
 ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
 ## in a short period of time.
 # regulation:
-  ## Regulation Mode.
+## Regulation Mode.
-  # modes:
+# modes:
-    # - 'user'
+# - 'user'
-  ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
+## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
-  # max_retries: 3
+# max_retries: 3
-  ## The time range during which the user can attempt login before being banned in the duration common syntax. The user
+## The time range during which the user can attempt login before being banned in the duration common syntax. The user
-  ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
+## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
-  # find_time: '2 minutes'
+# find_time: '2 minutes'
-  ## The length of time before a banned user can login again in the duration common syntax.
+## The length of time before a banned user can login again in the duration common syntax.
-  # ban_time: '5 minutes'
+# ban_time: '5 minutes'
 ##
 ## Storage Provider Configuration
@@ -1022,7 +1018,7 @@ storage:
  ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
  ## the CLI to change this in the database if you want to change it from a previously configured value.
-  encryption_key: '{{ storage__encryption_key }}'
+  encryption_key: "{{ storage__encryption_key }}"
  ##
  ## Local (Storage Provider)
@@ -1034,7 +1030,7 @@ storage:
  ##
  local:
    ## Path to the SQLite3 Database.
-    path: '/data/authelia_storage.sqlite3'
+    path: "/data/authelia_storage.sqlite3"
  ##
  ## MySQL / MariaDB (Storage Provider)
@@ -1212,22 +1208,22 @@ notifier:
  ##     (configure in tls section)
  smtp:
    ## The address of the SMTP server to connect to in the address common syntax.
-    address: 'smtp://{{ postbox_host }}:{{ postbox_port }}'
+    address: "smtp://{{ postbox_host }}:{{ postbox_port }}"
    ## The connection timeout in the duration common syntax.
    # timeout: '5 seconds'
    ## The username used for SMTP authentication.
-    username: '{{ postbox_user }}'
+    username: "{{ postbox_user }}"
    ## The password used for SMTP authentication.
    ## Can also be set using a secret: https://www.authelia.com/c/secrets
-    password: '{{ postbox_pass }}'
+    password: "{{ postbox_pass }}"
    ## The sender is used to is used for the MAIL FROM command and the FROM header.
    ## If this is not defined and the username is an email, we use the username as this value. This can either be just
    ## an email address or the RFC5322 'Name <email address>' format.
-    sender: 'Authelia <authelia@vakhrushev.me>'
+    sender: "Authelia <authelia@vakhrushev.me>"
    ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
    # identifier: 'localhost'
@@ -1237,7 +1233,7 @@ notifier:
    ## This address is used during the startup check to verify the email configuration is correct.
    ## It's not important what it is except if your email server only allows local delivery.
-    startup_check_address: '{{ smtp__startup_check_address }}'
+    # startup_check_address: '{{ smtp__startup_check_address }}'
    ## By default we require some form of TLS. This disables this check though is not advised.
    # disable_require_tls: false
@@ -1285,7 +1281,6 @@ notifier:
 ## Identity Providers
 ##
 identity_providers:
  ##
  ## OpenID Connect (Identity Provider)
  ##
@@ -1294,13 +1289,12 @@ identity_providers:
  oidc:
    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
    ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
-    hmac_secret: '{{ oidc__hmac_secret }}'
+    hmac_secret: "{{ oidc__hmac_secret }}"
    ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
    ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
    jwks:
-      -
+      - ## Key ID embedded into the JWT header for key matching.
        ## Key ID embedded into the JWT header for key matching.
        ## Must be an alphanumeric string with 7 or less characters.
        ## This value is automatically generated if not provided. It's recommended to not configure this.
        # key_id: 'example'
@@ -1352,8 +1346,8 @@ identity_providers:
    authorization_policies:
      outline_policy:
        rules:
-          - policy: 'one_factor'
+          - policy: "one_factor"
-            subject: 'group:outline'
+            subject: "group:outline"
    ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
    ## syntax the lifespans can be customized per-client.
@@ -1390,53 +1384,49 @@ identity_providers:
    ## It's recommended you read the documentation before configuration of a registered client.
    ## See: https://www.authelia.com/c/oidc/registered-clients
    clients:
-      -
+      - client_name: "Miniflux"
-        client_name: 'Miniflux'
+        client_id: "{{ oidc__miniflux__client_id }}"
-        client_id: '{{ oidc__miniflux__client_id }}'
+        client_secret: "{{ oidc__miniflux__client_secret }}"
        client_secret: '{{ oidc__miniflux__client_secret }}'
        redirect_uris:
-          - 'https://miniflux.vakhrushev.me/oauth2/oidc/callback'
+          - "https://miniflux.vakhrushev.me/oauth2/oidc/callback"
        scopes:
-          - 'openid'
+          - "openid"
-          - 'profile'
+          - "profile"
-          - 'email'
+          - "email"
        response_types:
-          - 'code'
+          - "code"
        grant_types:
-          - 'authorization_code'
+          - "authorization_code"
-        access_token_signed_response_alg: 'none'
+        access_token_signed_response_alg: "none"
-        userinfo_signed_response_alg: 'none'
+        userinfo_signed_response_alg: "none"
-        token_endpoint_auth_method: 'client_secret_basic'
+        token_endpoint_auth_method: "client_secret_basic"
-      -
+      - client_name: "Wakapi"
-        client_name: 'Wakapi'
+        client_id: "{{ oidc__wakapi__client_id }}"
-        client_id: '{{ oidc__wakapi__client_id }}'
+        client_secret: "{{ oidc__wakapi__client_secret }}"
        client_secret: '{{ oidc__wakapi__client_secret }}'
        redirect_uris:
-          - 'https://wakapi.vakhrushev.me/oidc/authelia/callback'
+          - "https://wakapi.vakhrushev.me/oidc/authelia/callback"
        scopes:
-          - 'openid'
+          - "openid"
-          - 'profile'
+          - "profile"
-          - 'email'
+          - "email"
-#        response_types:
+      #        response_types:
-#          - 'code'
+      #          - 'code'
-#        grant_types:
+      #        grant_types:
-#          - 'authorization_code'
+      #          - 'authorization_code'
-#        access_token_signed_response_alg: 'none'
+      #        access_token_signed_response_alg: 'none'
-#        userinfo_signed_response_alg: 'none'
+      #        userinfo_signed_response_alg: 'none'
-#        token_endpoint_auth_method: 'client_secret_basic'
+      #        token_endpoint_auth_method: 'client_secret_basic'
-
+      - ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
-      -
+        client_name: "Outline"
        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
        client_name: 'Outline'
        ## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
        ## configuration.
-        client_id: '{{ oidc__outline__client_id }}'
+        client_id: "{{ oidc__outline__client_id }}"
        ## The client secret is a shared secret between Authelia and the consumer of this client.
        # yamllint disable-line rule:line-length
-        client_secret: '{{ oidc__outline__client_secret }}'
+        client_secret: "{{ oidc__outline__client_secret }}"
        ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
        ## necessary. It is critical to read the documentation for more information.
@@ -1447,7 +1437,7 @@ identity_providers:
        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
        redirect_uris:
-          - 'https://outline.vakhrushev.me/auth/oidc.callback'
+          - "https://outline.vakhrushev.me/auth/oidc.callback"
        ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
        ## URIs to fetch Request Objects.
@@ -1459,9 +1449,9 @@ identity_providers:
        ## Scopes this client is allowed to request.
        scopes:
-          - 'openid'
+          - "openid"
-          - 'profile'
+          - "profile"
-          - 'email'
+          - "email"
        ## Grant Types configures which grants this client can obtain.
        ## It's not recommended to define this unless you know what you're doing.
@@ -1480,7 +1470,7 @@ identity_providers:
        ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
        ## authorization policies section.
-        authorization_policy: 'outline_policy'
+        authorization_policy: "outline_policy"
        ## The custom lifespan name to use for this client. This must be configured independent of the client before
        ## utilization. Custom lifespans are reusable similar to authorization policies.
@@ -1581,7 +1571,7 @@ identity_providers:
        ## The signing algorithm used for signing the User Info Request responses.
        ## Please read the documentation before adjusting this option.
        ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_signed_response_alg
-        userinfo_signed_response_alg: 'none'
+        userinfo_signed_response_alg: "none"
        ## The signing key id used for signing the User Info Request responses.
        ## Please read the documentation before adjusting this option.
@@ -1645,7 +1635,7 @@ identity_providers:
        ## The permitted client authentication method for the Token Endpoint for this client.
        ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
        ## defaults to 'none' per the specifications.
-        token_endpoint_auth_method: 'client_secret_post'
+        token_endpoint_auth_method: "client_secret_post"
        ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
        ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
@@ -9,7 +9,7 @@ from invoke.context import Context
 from invoke.exceptions import Exit
 from invoke.tasks import task
-HOSTS_FILE = "production.yml"
+HOSTS_FILE = "timeweb.yml"
 VARS_FILE = "vars/vars.yml"
 AUTHELIA_DOCKER = "docker run --rm -v $PWD:/data authelia/authelia:4.39.4 authelia"