Memos: update to 0.26.0

Gramps: update to 26.1.0
Outline: update to 1.4.0
2026-02-02 11:00:45 +03:00 · 2026-01-28 09:28:44 +03:00 · 2026-01-28 09:28:26 +03:00 · 2026-01-28 09:28:09 +03:00 · 2026-01-22 09:28:38 +03:00 · 2026-01-22 09:28:04 +03:00
16 changed files with 188 additions and 14 deletions
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -47,4 +47,4 @@ jobs:
          fi

      - name: Run ansible-lint
-        run: ansible-lint --profile production -vv
+        run: ansible-lint -vv
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@

 ## Требования

+- [uv](https://docs.astral.sh/uv/)
 - [ansible](https://docs.ansible.com/ansible/latest/getting_started/index.html)
 - [task](https://taskfile.dev/)
 - [yq](https://github.com/mikefarah/yq)
@@ -14,17 +15,21 @@
 ## Установка

 ```bash
-$ cp ansible-vault-password-file.dist ansible-vault-password-file
-$ ansible-galaxy install --role-file requirements.yml
+uv sync
+
+cp ansible-vault-password-file.dist ansible-vault-password-file
+
+uv run ansible-galaxy install --role-file requirements.yml
 ```

 ## Структура

- Для каждого приложения создается свой пользователь (опционально).
+- Для каждого приложения создается свой пользователь.
 - Для доступа используется ssh-ключ.
+- Безопасность осуществляется с помощью `ufw` и `fail2ban`.
 - Докер используется для запуска и изоляции приложений. Для загрузки образов настраивается Yandex Docker Registry.
 - Выход во внешнюю сеть через proxy server [Caddy](https://caddyserver.com/).
- Чувствительные данные в `vars/vars.yaml` зашифрованы с помощью Ansible Vault.
+- Чувствительные данные в [secrets.yml](vars/secrets.yml) зашифрованы с помощью Ansible Vault.
 - Для мониторинга за сервером устанавливается [netdata](https://github.com/netdata/netdata).

 ## Настройка DNS
@@ -33,8 +38,14 @@ $ ansible-galaxy install --role-file requirements.yml

 ## Деплой приложений

-Деплой всех приложений через ansible:
+Деплой приложения через ansible:

 ```bash
-ansible-playbook -i production.yml --diff playbook-gitea.yml
+uv run ansible-playbook ansible-playbook -i production.yml --diff playbook-gitea.yml
+```
+
+## Удаление приложения <name>
+
+```bash
+uv run ansible-playbook -i production.yml --diff playbook-remove-user-and-app.yml --extra-vars user_name=<name>
 ```
--- a/files/caddyproxy/Caddyfile.j2
+++ b/files/caddyproxy/Caddyfile.j2
@@ -97,6 +97,14 @@ memos.vakhrushev.me {
 }

 calibre.vakhrushev.me {
+    tls anwinged@ya.ru
+
+    reverse_proxy {
+        to calibre_web_app:8083
+    }
+}
+
+wanderbase.vakhrushev.me {
    tls anwinged@ya.ru

    forward_auth authelia_app:9091 {
--- a/files/calibre/docker-compose.template.yml
+++ b/files/calibre/docker-compose.template.yml
@@ -0,0 +1,23 @@
+services:
+
+  calibre_web_app:
+    image: lscr.io/linuxserver/calibre-web:0.6.25
+    container_name: calibre_web_app
+    restart: unless-stopped
+    networks:
+      - "web_proxy_network"
+    volumes:
+      - "{{ config_dir }}:/config"
+      - "{{ books_dir }}:/books:ro"
+    environment:
+      - "PUID={{ owner_create_result.uid }}"
+      - "PGID={{ owner_create_result.group }}"
+      - TZ=Etc/UTC
+#      - DOCKER_MODS=linuxserver/mods:universal-calibre #optional
+#      - OAUTHLIB_RELAX_TOKEN_SCOPE=1 #optional
+#    ports:
+#      - 8083:8083
+
+networks:
+  web_proxy_network:
+    external: true
--- a/files/dozzle/docker-compose.template.yml
+++ b/files/dozzle/docker-compose.template.yml
@@ -1,7 +1,7 @@
 services:

  dozzle_app:
-    image: amir20/dozzle:v8.14.11
+    image: amir20/dozzle:v9.0.3
    container_name: dozzle_app
    restart: unless-stopped
    volumes:
--- a/files/gitea/docker-compose.yml.j2
+++ b/files/gitea/docker-compose.yml.j2
@@ -1,7 +1,7 @@
 services:

  gitea_app:
-    image: gitea/gitea:1.25.3
+    image: gitea/gitea:1.25.4
    restart: unless-stopped
    container_name: gitea_app
    ports:
--- a/files/gramps/docker-compose.template.yml
+++ b/files/gramps/docker-compose.template.yml
@@ -3,7 +3,7 @@
 services:

  gramps_app: &gramps_app
-    image: ghcr.io/gramps-project/grampsweb:25.12.0
+    image: ghcr.io/gramps-project/grampsweb:26.1.0
    container_name: gramps_app
    depends_on:
      - gramps_redis
--- a/files/memos/docker-compose.template.yml
+++ b/files/memos/docker-compose.template.yml
@@ -3,7 +3,7 @@
 services:

  memos_app:
-    image: neosmemo/memos:0.25.3
+    image: neosmemo/memos:0.26.0
    container_name: memos_app
    restart: unless-stopped
    user: "{{ owner_create_result.uid }}:{{ owner_create_result.group }}"
--- a/files/netdata/docker-compose.template.yml
+++ b/files/netdata/docker-compose.template.yml
@@ -1,7 +1,7 @@
 services:

  netdata:
-    image: netdata/netdata:v2.8.4
+    image: netdata/netdata:v2.8.5
    container_name: netdata
    restart: unless-stopped
    cap_add:
--- a/files/outline/docker-compose.template.yml
+++ b/files/outline/docker-compose.template.yml
@@ -3,7 +3,7 @@ services:
  # See sample https://github.com/outline/outline/blob/main/.env.sample

  outline_app:
-    image: outlinewiki/outline:1.1.0
+    image: outlinewiki/outline:1.4.0
    container_name: outline_app
    user: "{{ owner_create_result.uid }}:{{ owner_create_result.group }}"
    restart: unless-stopped
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -25,7 +25,7 @@ pre-commit:
    - name: "ansible-lint"
      glob: "**/*.{yml,yaml}"
      exclude:
-        - ".gitea"
+        - ".gitea/**"
      run: "uv run ansible-lint --profile production --offline -- {staged_files}"

    - name: "gitleaks"
--- a/playbook-all-applications.yml
+++ b/playbook-all-applications.yml
@@ -31,6 +31,9 @@
 - name: 'Configure wanderer'
  ansible.builtin.import_playbook: playbook-wanderer.yml

+- name: 'Configure calibre'
+  ansible.builtin.import_playbook: playbook-calibre.yml
+
 #

 - name: 'Configure homepage'
--- a/playbook-calibre.yml
+++ b/playbook-calibre.yml
@@ -0,0 +1,65 @@
+---
+- name: "Configure calibre application"
+  hosts: all
+
+  vars_files:
+    - vars/secrets.yml
+
+  vars:
+    app_name: "calibre"
+    app_user: "{{ app_name }}"
+    app_owner_uid: 1102
+    app_owner_gid: 1102
+    base_dir: "{{ (application_dir, app_name) | path_join }}"
+    config_dir: "{{ (base_dir, 'config') | path_join }}"
+    books_dir: "{{ (base_dir, 'books') | path_join }}"
+
+  tasks:
+    - name: "Create user and environment"
+      ansible.builtin.import_role:
+        name: owner
+      vars:
+        owner_name: "{{ app_user }}"
+        owner_uid: "{{ app_owner_uid }}"
+        owner_gid: "{{ app_owner_gid }}"
+        owner_extra_groups: ["docker"]
+
+    - name: "Create application internal directories"
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: "directory"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0750"
+      loop:
+        - "{{ base_dir }}"
+        - "{{ books_dir }}"
+        - "{{ config_dir }}"
+
+    - name: "Create backup targets file"
+      ansible.builtin.lineinfile:
+        path: "{{ base_dir }}/backup-targets"
+        line: "{{ item }}"
+        create: true
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0750"
+      loop:
+        - "{{ books_dir }}"
+        - "{{ config_dir }}"
+
+    - name: "Copy docker compose file"
+      ansible.builtin.template:
+        src: "./files/{{ app_name }}/docker-compose.template.yml"
+        dest: "{{ base_dir }}/docker-compose.yml"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0640"
+
+    - name: "Run application with docker compose"
+      community.docker.docker_compose_v2:
+        project_src: "{{ base_dir }}"
+        state: "present"
+        remove_orphans: true
+      tags:
+        - run-app
--- a/playbook-remove-user-and-app.yml
+++ b/playbook-remove-user-and-app.yml
@@ -25,6 +25,11 @@
        path: "/var/www/{{ user_name }}"
        state: absent

+    - name: "Remove application dir"
+      ansible.builtin.file:
+        path: "/mnt/applications/{{ user_name }}"
+        state: absent
+
    - name: "Remove home dir"
      ansible.builtin.file:
        path: "/home/{{ user_name }}"
--- a/playbook-ufw.yml
+++ b/playbook-ufw.yml
@@ -0,0 +1,58 @@
+---
+- name: "Configure UFW firewall"
+  hosts: all
+
+  vars_files:
+    - vars/secrets.yml
+
+  tasks:
+    - name: "Ensure UFW is installed"
+      ansible.builtin.apt:
+        name: ufw
+        state: present
+        update_cache: true
+
+    - name: "Set default incoming policy to deny"
+      community.general.ufw:
+        direction: incoming
+        policy: deny
+
+    - name: "Set default outgoing policy to allow"
+      community.general.ufw:
+        direction: outgoing
+        policy: allow
+
+    - name: "Allow SSH on port 22"
+      community.general.ufw:
+        rule: allow
+        port: "22"
+        proto: tcp
+
+    - name: "Allow Gitea SSH on port 2222"
+      community.general.ufw:
+        rule: allow
+        port: "2222"
+        proto: tcp
+
+    - name: "Allow HTTP on port 80/tcp"
+      community.general.ufw:
+        rule: allow
+        port: "80"
+        proto: tcp
+
+    - name: "Allow HTTPS on port 443/tcp"
+      community.general.ufw:
+        rule: allow
+        port: "443"
+        proto: tcp
+
+    - name: "Allow HTTPS QUIC on port 443/udp"
+      community.general.ufw:
+        rule: allow
+        port: "443"
+        proto: udp
+
+    - name: "Enable UFW"
+      community.general.ufw:
+        state: enabled
+        logging: true
--- a/requirements.yml
+++ b/requirements.yml
@@ -11,3 +11,4 @@ roles:

 collections:
  - name: 'community.docker'
+  - name: 'community.general'
Author	SHA1	Message	Date
Anton Vakhrushev	5ce2f1fbd4	Memos: update to 0.26.0 Some checks failed Linting / YAML Lint (push) Successful in 15s Details Linting / Ansible Lint (push) Failing after 51s Details	2026-02-02 11:00:45 +03:00
Anton Vakhrushev	e39981eee2	Gramps: update to 26.1.0 Some checks failed Linting / YAML Lint (push) Successful in 12s Details Linting / Ansible Lint (push) Failing after 34s Details	2026-01-28 09:28:44 +03:00
Anton Vakhrushev	83bfba2180	Outline: update to 1.4.0	2026-01-28 09:28:26 +03:00
Anton Vakhrushev	b42dd429fd	Dozzle: update to 9.0.3	2026-01-28 09:28:09 +03:00
Anton Vakhrushev	a056e8662d	Gitea: upgrade to 1.25.4 Some checks failed Linting / YAML Lint (push) Successful in 11s Details Linting / Ansible Lint (push) Failing after 32s Details	2026-01-22 09:28:38 +03:00
Anton Vakhrushev	4a693470fc	Dozzle: upgrade to 9.0.2	2026-01-22 09:28:04 +03:00
Anton Vakhrushev	ab9ac67b2e	Outline: upgrade to 1.3.0 Some checks failed Linting / YAML Lint (push) Successful in 9s Details Linting / Ansible Lint (push) Failing after 28s Details	2026-01-18 10:26:18 +03:00
Anton Vakhrushev	8728eb0203	Improve docs Some checks failed Linting / YAML Lint (push) Successful in 9s Details Linting / Ansible Lint (push) Failing after 29s Details	2026-01-18 10:02:44 +03:00
Anton Vakhrushev	926f4ea135	Calibre: add application Some checks failed Linting / YAML Lint (push) Successful in 11s Details Linting / Ansible Lint (push) Failing after 33s Details Remove Kavita	2026-01-18 09:56:11 +03:00
Anton Vakhrushev	7fb65caf66	Kavita: add application	2026-01-15 13:21:25 +03:00
Anton Vakhrushev	d5d8bb71d8	Netdata: upgrade to 2.8.5 Some checks failed Linting / YAML Lint (push) Successful in 10s Details Linting / Ansible Lint (push) Failing after 31s Details	2026-01-14 09:50:25 +03:00
Anton Vakhrushev	07443e4b2e	Dozzle: upgrade to 9.0.1 Some checks failed Linting / YAML Lint (push) Successful in 11s Details Linting / Ansible Lint (push) Failing after 31s Details	2026-01-09 10:46:08 +03:00
Anton Vakhrushev	396c2048ae	Outline: upgrade to 1.2.0 Some checks failed Linting / YAML Lint (push) Successful in 10s Details Linting / Ansible Lint (push) Failing after 31s Details	2026-01-07 12:13:19 +03:00
Anton Vakhrushev	62c47cc5d7	Dozzle: upgrade to 9.0.0	2026-01-07 10:18:29 +03:00
Anton Vakhrushev	a44e3d6766	add ufw settings Some checks failed Linting / YAML Lint (push) Successful in 10s Details Linting / Ansible Lint (push) Failing after 46s Details	2026-01-05 21:00:32 +03:00
Anton Vakhrushev	2e56cc97d9	remove production profile Some checks failed Linting / YAML Lint (push) Successful in 9s Details Linting / Ansible Lint (push) Failing after 28s Details	2026-01-02 20:33:48 +03:00