From 05e79ae90a59c7168db2c31c2eeec181c2d05e3b Mon Sep 17 00:00:00 2001 From: Tobias Reisinger Date: Fri, 8 Nov 2024 00:05:55 +0100 Subject: [PATCH] Fix issues (backup, watchtower, firewall) Remove remote_docker backups Add option to monitor with watchtower Add teamspeak ports to firewall --- inventory/group_vars/all/compose_defaults.yml | 3 +- playbooks/roles/_TEMPLATE/vars/main.yml | 2 +- playbooks/roles/acme_dns/vars/main.yml | 2 +- playbooks/roles/forgejo/vars/main.yml | 2 +- playbooks/roles/forgejo_runner/vars/main.yml | 2 +- playbooks/roles/gatus/vars/main.yml | 2 +- playbooks/roles/homebox/vars/main.yml | 2 +- playbooks/roles/immich/vars/main.yml | 2 +- playbooks/roles/influxdb/vars/main.yml | 2 +- playbooks/roles/jellyfin/vars/main.yml | 2 +- playbooks/roles/linkwarden/vars/main.yml | 2 +- playbooks/roles/minio/vars/main.yml | 2 +- playbooks/roles/ntfy/vars/main.yml | 2 +- playbooks/roles/shlink/vars/main.yml | 2 +- playbooks/roles/synapse/vars/main.yml | 2 +- playbooks/roles/tandoor/vars/main.yml | 2 +- .../roles/teamspeak_fallback/vars/main.yml | 2 +- playbooks/roles/umami/vars/main.yml | 2 +- playbooks/roles/vikunja/vars/main.yml | 2 +- playbooks/roles/wiki_js/vars/main.yml | 2 +- playbooks/roles/woodpecker/vars/main.yml | 2 +- services.auto.tfvars | 36 ++++++++++++++----- 22 files changed, 50 insertions(+), 29 deletions(-) diff --git a/inventory/group_vars/all/compose_defaults.yml b/inventory/group_vars/all/compose_defaults.yml index 0094c6e..536e2ca 100644 --- a/inventory/group_vars/all/compose_defaults.yml +++ b/inventory/group_vars/all/compose_defaults.yml @@ -4,7 +4,8 @@ compose_file_main: image: "{{ compose.image }}" restart: always labels: - com.centurylinklabs.watchtower.enable: "{{ compose.watchtower | default(false) }}" + com.centurylinklabs.watchtower.enable: "{{ compose.watchtower | default('') == 'update' }}" + com.centurylinklabs.watchtower.monitor-only: "{{ compose.watchtower | default('') == 'monitor' }}" compose_file_env: services: 
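Review bot: In the `labels:` block of `compose_file_main`, a service set to `watchtower: monitor` gets `com.centurylinklabs.watchtower.enable` rendered as false. As far as I know, Watchtower skips any container whose enable label is false, so the new `monitor-only` label would likely never take effect for the immich and influxdb hunks that switch to `monitor`. Consider enabling the container in both modes, e.g. `com.centurylinklabs.watchtower.enable: "{{ compose.watchtower | default('') in ['update', 'monitor'] }}"`. A leftover boolean `watchtower: true` in any role this patch does not touch (if one exists) now matches neither string and silently stops receiving image updates. An assert that the value is `update`, `monitor` or unset would catch that before security fixes are missed.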
diff --git a/playbooks/roles/_TEMPLATE/vars/main.yml b/playbooks/roles/_TEMPLATE/vars/main.yml index 8465219..59b9754 100644 --- a/playbooks/roles/_TEMPLATE/vars/main.yml +++ b/playbooks/roles/_TEMPLATE/vars/main.yml @@ -7,7 +7,7 @@ NAME_env: EXAMPLE: value NAME_compose: - watchtower: true + watchtower: update image: volumes: - data:/data diff --git a/playbooks/roles/acme_dns/vars/main.yml b/playbooks/roles/acme_dns/vars/main.yml index f13d9ff..5a47809 100644 --- a/playbooks/roles/acme_dns/vars/main.yml +++ b/playbooks/roles/acme_dns/vars/main.yml @@ -14,7 +14,7 @@ acme_dns_svc: db: "{{ opentofu.postgresql_data.acme_dns.database }}" acme_dns_compose: - watchtower: true + watchtower: update monitoring: true image: joohoi/acme-dns volumes: diff --git a/playbooks/roles/forgejo/vars/main.yml b/playbooks/roles/forgejo/vars/main.yml index 75ba21f..33403ee 100644 --- a/playbooks/roles/forgejo/vars/main.yml +++ b/playbooks/roles/forgejo/vars/main.yml @@ -81,7 +81,7 @@ forgejo_env: FORGEJO__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME: false forgejo_compose: - watchtower: true + watchtower: update image: codeberg.org/forgejo/forgejo:9 volumes: - data:/data diff --git a/playbooks/roles/forgejo_runner/vars/main.yml b/playbooks/roles/forgejo_runner/vars/main.yml index e567170..19705d3 100644 --- a/playbooks/roles/forgejo_runner/vars/main.yml +++ b/playbooks/roles/forgejo_runner/vars/main.yml @@ -5,7 +5,7 @@ forgejo_runner_env: DOCKER_HOST: tcp://docker-in-docker:2375 forgejo_runner_compose: - watchtower: true + watchtower: update image: code.forgejo.org/forgejo/runner:3.3.0 volumes: - ./config.yml:/config/config.yml diff --git a/playbooks/roles/gatus/vars/main.yml b/playbooks/roles/gatus/vars/main.yml index 5b6660a..c440fe9 100644 --- a/playbooks/roles/gatus/vars/main.yml +++ b/playbooks/roles/gatus/vars/main.yml 
@@ -65,7 +65,7 @@ gatus_yml: endpoints: "{{ gatus_endpoints_hosts | union(gatus_endpoints_services) | union(gatus_endpoints_other) }}" gatus_compose: - watchtower: true + watchtower: update image: twinproduction/gatus volumes: - ./config.yaml:/config/config.yaml diff --git a/playbooks/roles/homebox/vars/main.yml b/playbooks/roles/homebox/vars/main.yml index 422476f..3eecfed 100644 --- a/playbooks/roles/homebox/vars/main.yml +++ b/playbooks/roles/homebox/vars/main.yml @@ -13,7 +13,7 @@ homebox_env: HBOX_SWAGGER_SCHEMA: https homebox_compose: - watchtower: true + watchtower: update image: ghcr.io/hay-kot/homebox:latest-rootless volumes: - data:/data diff --git a/playbooks/roles/immich/vars/main.yml b/playbooks/roles/immich/vars/main.yml index 1d440e0..0398c53 100644 --- a/playbooks/roles/immich/vars/main.yml +++ b/playbooks/roles/immich/vars/main.yml @@ -30,7 +30,7 @@ immich_env: REDIS_HOSTNAME: redis immich_compose: - watchtower: false + watchtower: monitor image: ghcr.io/immich-app/immich-server:release volumes: - upload:/usr/src/app/upload diff --git a/playbooks/roles/influxdb/vars/main.yml b/playbooks/roles/influxdb/vars/main.yml index 1769065..b5bbc76 100644 --- a/playbooks/roles/influxdb/vars/main.yml +++ b/playbooks/roles/influxdb/vars/main.yml @@ -62,7 +62,7 @@ influxdb_yml: vault-token: "" influxdb_compose: - watchtower: false + watchtower: monitor image: influxdb:2.7 volumes: - ./influxdb.yml:/etc/influxdb2/config.yml diff --git a/playbooks/roles/jellyfin/vars/main.yml b/playbooks/roles/jellyfin/vars/main.yml index 9781164..3dabc6d 100644 --- a/playbooks/roles/jellyfin/vars/main.yml +++ b/playbooks/roles/jellyfin/vars/main.yml @@ -10,7 +10,7 @@ jellyfin_env: JELLYFIN_PublishedServerUrl: https://{{ svc.domain }} jellyfin_compose: - watchtower: true + watchtower: update image: jellyfin/jellyfin volumes: - config:/config diff --git a/playbooks/roles/linkwarden/vars/main.yml b/playbooks/roles/linkwarden/vars/main.yml index 220e28a..8157572 100644 
--- a/playbooks/roles/linkwarden/vars/main.yml +++ b/playbooks/roles/linkwarden/vars/main.yml @@ -34,5 +34,5 @@ linkwarden_env: AUTHENTIK_CLIENT_SECRET: "{{ opentofu.authentik_data.linkwarden.client_secret }}" linkwarden_compose: - watchtower: true + watchtower: update image: ghcr.io/linkwarden/linkwarden:latest diff --git a/playbooks/roles/minio/vars/main.yml b/playbooks/roles/minio/vars/main.yml index e1721c6..dca102b 100644 --- a/playbooks/roles/minio/vars/main.yml +++ b/playbooks/roles/minio/vars/main.yml @@ -29,7 +29,7 @@ minio_env: minio_compose: - watchtower: true + watchtower: update image: minio/minio volumes: - data:/data diff --git a/playbooks/roles/ntfy/vars/main.yml b/playbooks/roles/ntfy/vars/main.yml index d5631c9..eb560db 100644 --- a/playbooks/roles/ntfy/vars/main.yml +++ b/playbooks/roles/ntfy/vars/main.yml @@ -39,7 +39,7 @@ ntfy_env: NTFY_ENABLE_METRICS: true ntfy_compose: - watchtower: true + watchtower: update image: binwiederhier/ntfy volumes: - cache:/var/cache/ntfy diff --git a/playbooks/roles/shlink/vars/main.yml b/playbooks/roles/shlink/vars/main.yml index 9c4e887..d4e5c7b 100644 --- a/playbooks/roles/shlink/vars/main.yml +++ b/playbooks/roles/shlink/vars/main.yml @@ -26,5 +26,5 @@ shlink_env: GEOLITE_LICENSE_KEY: "{{ vault_shlink.geolite_key }}" shlink_compose: - watchtower: true + watchtower: update image: shlinkio/shlink diff --git a/playbooks/roles/synapse/vars/main.yml b/playbooks/roles/synapse/vars/main.yml index 621ec7a..cefe1b0 100644 --- a/playbooks/roles/synapse/vars/main.yml +++ b/playbooks/roles/synapse/vars/main.yml @@ -98,7 +98,7 @@ synapse_yml: notif_from: "matrix <{{ opentofu.mailcow_data.synapse.address }}>" synapse_compose: - watchtower: true + watchtower: update image: ghcr.io/element-hq/synapse:latest volumes: - ./config:/config diff --git a/playbooks/roles/tandoor/vars/main.yml b/playbooks/roles/tandoor/vars/main.yml index 2c73b78..3bd624c 100644 --- a/playbooks/roles/tandoor/vars/main.yml 
+++ b/playbooks/roles/tandoor/vars/main.yml @@ -35,7 +35,7 @@ tandoor_env: SOCIAL_DEFAULT_GROUP: guest tandoor_compose: - watchtower: true + watchtower: update image: nginx:mainline-alpine volumes: - nginx_config:/etc/nginx/conf.d:ro diff --git a/playbooks/roles/teamspeak_fallback/vars/main.yml b/playbooks/roles/teamspeak_fallback/vars/main.yml index 1cb77ce..dce4f4a 100644 --- a/playbooks/roles/teamspeak_fallback/vars/main.yml +++ b/playbooks/roles/teamspeak_fallback/vars/main.yml @@ -36,7 +36,7 @@ teamspeak_fallback_yml: name: X-Webhook-Token teamspeak_fallback_compose: - watchtower: true + watchtower: update image: ghcr.io/thecatlady/webhook volumes: - ./config:/config:ro diff --git a/playbooks/roles/umami/vars/main.yml b/playbooks/roles/umami/vars/main.yml index eaad8e8..092e8c4 100644 --- a/playbooks/roles/umami/vars/main.yml +++ b/playbooks/roles/umami/vars/main.yml @@ -20,5 +20,5 @@ umami_env: CLIENT_IP_HEADER: X-Analytics-IP umami_compose: - watchtower: true + watchtower: update image: "{{ umami_docker_image }}" diff --git a/playbooks/roles/vikunja/vars/main.yml b/playbooks/roles/vikunja/vars/main.yml index 7cd6e8c..3003e4a 100644 --- a/playbooks/roles/vikunja/vars/main.yml +++ b/playbooks/roles/vikunja/vars/main.yml @@ -48,7 +48,7 @@ vikunja_yml: enabled: true vikunja_compose: - watchtower: true + watchtower: update image: vikunja/vikunja volumes: - data:/app/vikunja/files diff --git a/playbooks/roles/wiki_js/vars/main.yml b/playbooks/roles/wiki_js/vars/main.yml index 91f46ff..cab231d 100644 --- a/playbooks/roles/wiki_js/vars/main.yml +++ b/playbooks/roles/wiki_js/vars/main.yml @@ -21,5 +21,5 @@ wiki_js_env: DB_SSL: 1 wiki_js_compose: - watchtower: true + watchtower: update image: requarks/wiki diff --git a/playbooks/roles/woodpecker/vars/main.yml b/playbooks/roles/woodpecker/vars/main.yml index 96fbf3f..81653ca 100644 --- a/playbooks/roles/woodpecker/vars/main.yml +++ b/playbooks/roles/woodpecker/vars/main.yml 
@@ -32,7 +32,7 @@ woodpecker_env: WOODPECKER_DATABASE_DATASOURCE: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full woodpecker_compose: - watchtower: true + watchtower: update image: woodpeckerci/woodpecker-server file: services: diff --git a/services.auto.tfvars b/services.auto.tfvars index 4a6ada5..ffc3270 100644 --- a/services.auto.tfvars +++ b/services.auto.tfvars @@ -215,10 +215,10 @@ services = { domain = "gallery.serguzim.me" }] backup = [ - { - name = "immich_upload" - type = "docker_remote" - }, + #{ + # name = "immich_upload" + # type = "docker_remote" + #}, { name = "immich_database" type = "hook" @@ -265,10 +265,10 @@ services = { name = "jellyfin_config" type = "docker" }, - { - name = "jellyfin_media" - type = "docker_remote" - } + #{ + # name = "jellyfin_media" + # type = "docker_remote" + #} ] monitoring = { url = "/health" @@ -552,6 +552,26 @@ services = { monitoring = { group = "7-support" } + ports = [ + { + description = "Teamspeak server" + port = 9987 + protocol = "udp" + type = "firewall" + }, + { + description = "Teamspeak filetransfer" + port = 30033 + protocol = "tcp" + type = "firewall" + }, + { + description = "Teamspeak serverquery" + port = 10011 + protocol = "tcp" + type = "firewall" + } + ] auth = false database = false s3 = false
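Review bot: The `immich_upload` entry in this `backup` list, and `jellyfin_media` in the hunk at -265, are commented out rather than removed and carry no explanation. A reader cannot tell whether these volumes are now deliberately without a backup or only temporarily disabled. If dropping them is intended, delete the entries and state where that data is protected instead. If it is temporary, say so above the block, e.g. `# docker_remote backups disabled: <reason>; re-enable when <condition>`. The immich upload volume presumably holds the original uploads, so removing its backup job weakens recovery after disk loss or ransomware; confirm that is acceptable.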
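Review bot: The third entry in the new `ports` list opens 10011/tcp, which is TeamSpeak's raw ServerQuery port: an unencrypted, telnet-style administrative interface whose credentials cross the network in clear text. Unless remote query access is required, leave this entry out and keep ServerQuery reachable only from the host or container network. If it is required, the SSH variant of ServerQuery or a source-address restriction is the safer exposure. The entries shown carry only `description`, `port`, `protocol` and `type`, so whether the firewall module can limit source ranges cannot be told from this hunk. The enclosing service block starts and ends outside the hunk.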