| -rw-r--r-- | adguard-home/templates/AdGuardHome.service.j2 | 2 | ||||
| -rw-r--r-- | dendrite/server/templates/nginx.conf.j2 | 7 | ||||
| -rw-r--r-- | ergo/defaults/main.yaml | 2 | ||||
| -rw-r--r-- | ergo/tasks/main.yaml | 11 | ||||
| -rw-r--r-- | ergo/templates/config.yaml.j2 | 6 | ||||
| -rw-r--r-- | ergo/templates/ergo.service.j2 (renamed from ergo/files/ergo.service) | 2 | ||||
| -rw-r--r-- | ergo/templates/nginx.conf.j2 | 2 | ||||
| -rw-r--r-- | jellyfin/defaults/main.yaml | 3 | ||||
| -rw-r--r-- | jellyfin/tasks/main.yaml | 18 | ||||
| -rw-r--r-- | rpi-base/files/journald.conf | 2 | ||||
| -rw-r--r-- | rpi-base/files/logrotate.conf | 11 | ||||
| -rw-r--r-- | rpi-base/handlers/main.yaml | 4 | ||||
| -rw-r--r-- | rpi-base/tasks/main.yaml | 9 | ||||
| -rw-r--r-- | scrypted/tasks/main.yaml | 17 |
14 files changed, 81 insertions, 15 deletions
diff --git a/adguard-home/templates/AdGuardHome.service.j2 b/adguard-home/templates/AdGuardHome.service.j2
index f4bdd2d..79a9181 100644
--- a/adguard-home/templates/AdGuardHome.service.j2
+++ b/adguard-home/templates/AdGuardHome.service.j2
@@ -9,8 +9,6 @@ ExecStart=/usr/local/bin/AdGuardHome -c /etc/AdGuardHome/AdGuardHome.yaml -w {{a
 WorkingDirectory={{adguard_home_data_dir}}
-StandardOutput=file:/var/log/AdGuardHome.out
-StandardError=file:/var/log/AdGuardHome.err
 Restart=always
 RestartSec=10
 EnvironmentFile=-/etc/sysconfig/AdGuardHome
diff --git a/dendrite/server/templates/nginx.conf.j2 b/dendrite/server/templates/nginx.conf.j2
index 8e2d34f..aa7125c 100644
--- a/dendrite/server/templates/nginx.conf.j2
+++ b/dendrite/server/templates/nginx.conf.j2
@@ -1,3 +1,5 @@
+limit_req_zone $binary_remote_addr zone=dendrite_reg:10m rate=2r/m;
+
 server {
 listen 80;
 server_name {{nginx_server_name}};
@@ -36,6 +38,11 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_read_timeout 600;
+ location ~* ^/_matrix/client/[^/]+/register {
+ limit_req zone=dendrite_reg burst=3 nodelay;
+ proxy_pass http://127.0.0.1:{{nginx_proxy_port}};
+ }
+
 location /_matrix {
 proxy_pass http://127.0.0.1:{{nginx_proxy_port}};
 }
diff --git a/ergo/defaults/main.yaml b/ergo/defaults/main.yaml
index 23bcec3..c1edf28 100644
--- a/ergo/defaults/main.yaml
+++ b/ergo/defaults/main.yaml
@@ -7,4 +7,6 @@ ergo_arch: "arm64"
 ergo_tar_name: "ergo-{{ergo_version}}-linux-{{ergo_arch}}"
 ergo_tar: "{{ergo_tar_name}}.tar.gz"
 ergo_url: "https://github.com/ergochat/ergo/releases/download/v{{ergo_version}}/{{ergo_tar}}"
+ergo_run_dir: "/var/ergo"
+ergo_data_dir: "/var/ergo"
 ergo_force_nick_equals_account: false
diff --git a/ergo/tasks/main.yaml b/ergo/tasks/main.yaml
index fd5da50..5998713 100644
--- a/ergo/tasks/main.yaml
+++ b/ergo/tasks/main.yaml
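Review bot: In dendrite/server/templates/nginx.conf.j2, the new `location ~* ^/_matrix/client/[^/]+/register` block rejects over-limit requests with nginx's default 503, which a client cannot tell apart from a backend outage; adding `limit_req_status 429;` inside the block makes the throttle explicit and easy to count in the access log. The pattern has no end anchor, so every sub-path under `/register` shares the same 2r/m budget; if only account creation is meant to be limited, end it with `/register$`. The zone is keyed on `$binary_remote_addr`, which only separates clients when nginx sees their real address, so if anything proxies in front of this host (not visible here) all users would share one bucket. The enclosing `server` block starts and ends outside the hunk, so I cannot tell whether another listener in this file proxies `/_matrix` without the limit.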
@@ -26,14 +26,15 @@
 - name: create ergo dirs
 become: yes
 file:
- path: "{{item}}/ergo"
+ path: "{{item}}"
 owner: "ergo"
 group: "ergo"
 mode: "0755"
 state: "directory"
 loop:
- - "/etc"
- - "/var"
+ - "/etc/ergo"
+ - "{{ergo_run_dir}}"
+ - "{{ergo_data_dir}}"
 - name: configure ergo
 become: yes
@@ -54,8 +55,8 @@
 - name: install ergo service
 become: yes
- copy:
- src: "ergo.service"
+ template:
+ src: "ergo.service.j2"
 dest: "/lib/systemd/system/ergo.service"
 mode: "0644"
 notify: restart ergo
diff --git a/ergo/templates/config.yaml.j2 b/ergo/templates/config.yaml.j2
index a0c3249..c2e22a8 100644
--- a/ergo/templates/config.yaml.j2
+++ b/ergo/templates/config.yaml.j2
@@ -58,7 +58,7 @@ server:
 # proxy: false
 # Example of a Unix domain socket for proxying:
- "/var/ergo/socket":
+ "{{ergo_run_dir}}/socket":
 # Example of a Tor listener: any connection that comes in on this listener will
 # be considered a Tor connection. It is strongly recommended that this listener
@@ -288,7 +288,7 @@ server:
 # ergo will write files to disk under certain circumstances, e.g.,
 # CPU profiling or data export. by default, these files will be written
 # to the working directory. set this to customize:
- output-path: "/var/ergo"
+ output-path: "{{ergo_run_dir}}"
 # account options
 accounts:
@@ -685,7 +685,7 @@ debug:
 # datastore configuration
 datastore:
 # path to the datastore
- path: "/var/ergo/ergo.db"
+ path: "{{ergo_data_dir}}/ergo.db"
 # if the database schema requires an upgrade, `autoupgrade` will attempt to
 # perform it automatically on startup. the database will be backed
diff --git a/ergo/files/ergo.service b/ergo/templates/ergo.service.j2
index 54ff847..a885a3d 100644
--- a/ergo/files/ergo.service
+++ b/ergo/templates/ergo.service.j2
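Review bot: In ergo/tasks/main.yaml, the `create ergo dirs` loop still applies `mode: "0755"` to `{{ergo_data_dir}}`, the directory config.yaml.j2 now uses for `ergo.db`. With the data and run directories split into separate variables, the data directory no longer has to be traversable by nginx to reach the socket, so it can get its own task with `mode: "0750"` while `{{ergo_run_dir}}` keeps the mode the proxy needs. Both variables default to `/var/ergo`, so that task should be guarded with `when: ergo_data_dir != ergo_run_dir`; otherwise the two tasks would fight over one directory's mode. The same applies to `output-path`, which config.yaml.j2 points at the run directory even though its comment says data exports are written there. Whether ergo itself creates `ergo.db` with restrictive permissions is not visible on this page.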
@@ -10,7 +10,7 @@ After=network.target mysql.service
 [Service]
 Type=simple
 User=ergo
-WorkingDirectory=/var/ergo
+WorkingDirectory={{ergo_run_dir}}
 ExecStart=/usr/local/bin/ergo run --conf /etc/ergo/config.yaml
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
diff --git a/ergo/templates/nginx.conf.j2 b/ergo/templates/nginx.conf.j2
index 1b1a83b..b6c9354 100644
--- a/ergo/templates/nginx.conf.j2
+++ b/ergo/templates/nginx.conf.j2
@@ -1,6 +1,6 @@
 server {
 listen 6697 ssl;
- proxy_pass unix:/var/ergo/socket;
+ proxy_pass unix:{{ergo_run_dir}}/socket;
 proxy_protocol on;
 ssl_certificate {{nginx_ssl_cert}};
diff --git a/jellyfin/defaults/main.yaml b/jellyfin/defaults/main.yaml
new file mode 100644
index 0000000..b73ef72
--- /dev/null
+++ b/jellyfin/defaults/main.yaml
@@ -0,0 +1,3 @@
+---
+
+jellyfin_data_dir: "/var/lib/jellyfin"
diff --git a/jellyfin/tasks/main.yaml b/jellyfin/tasks/main.yaml
index 6e93cb5..29b7bca 100644
--- a/jellyfin/tasks/main.yaml
+++ b/jellyfin/tasks/main.yaml
@@ -23,6 +23,24 @@
 apt: name="jellyfin"
 notify: restart jellyfin service
+- name: create jellyfin data dir
+ become: yes
+ file:
+ path: "{{jellyfin_data_dir}}"
+ state: "directory"
+ owner: "jellyfin"
+ group: "jellyfin"
+ mode: "0755"
+
+- name: configure jellyfin data dir
+ become: yes
+ lineinfile:
+ path: "/etc/jellyfin/jellyfin"
+ regexp: "^JELLYFIN_DATA_DIR="
+ line: "JELLYFIN_DATA_DIR={{jellyfin_data_dir}}"
+ create: yes
+ notify: restart jellyfin service
+
 - name: ensure jellyfin service is running
 become: yes
 systemd: name="jellyfin.service" state="started" daemon_reload="yes"
diff --git a/rpi-base/files/journald.conf b/rpi-base/files/journald.conf
new file mode 100644
index 0000000..523f571
--- /dev/null
+++ b/rpi-base/files/journald.conf
@@ -0,0 +1,2 @@
+[Journal]
+SystemMaxUse=100M
diff --git a/rpi-base/files/logrotate.conf b/rpi-base/files/logrotate.conf
new file mode 100644
index 0000000..e6690c0
--- /dev/null
+++ b/rpi-base/files/logrotate.conf
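Review bot: In jellyfin/tasks/main.yaml, `configure jellyfin data dir` sets `create: yes` on `/etc/jellyfin/jellyfin`, so if that is not the environment file the packaged unit reads, the task silently creates a new file and `JELLYFIN_DATA_DIR` never takes effect. The unit file is not part of this change, so the path should be confirmed against it (Debian-family packages have, as far as I know, used `/etc/default/jellyfin`), and dropping `create: yes` would make a wrong path fail loudly instead. If the file is meant to be created here, give it explicit `owner`, `group` and `mode: "0644"` rather than whatever the umask produces. The data directory is created `0755`; if it holds the server's database, `mode: "0750"` would be the safer default.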
@@ -0,0 +1,11 @@
+# Sized to fit within log2ram's RAM disk.
+# Defaults: daily, 7 rotations, compress immediately, max 50M per log.
+# Worst case per log: 50M active + 7 x compressed ~ 100M
+
+daily
+su root adm
+rotate 7
+maxsize 50M
+create
+compress
+include /etc/logrotate.d
diff --git a/rpi-base/handlers/main.yaml b/rpi-base/handlers/main.yaml
index 7d9c45e..5335035 100644
--- a/rpi-base/handlers/main.yaml
+++ b/rpi-base/handlers/main.yaml
@@ -3,3 +3,7 @@
 - name: restart log2ram service
 systemd: name="log2ram" state="restarted" daemon_reload="yes"
 become: yes
+
+- name: restart journald
+ systemd: name="systemd-journald" state="restarted"
+ become: yes
diff --git a/rpi-base/tasks/main.yaml b/rpi-base/tasks/main.yaml
index 390134a..c9626b6 100644
--- a/rpi-base/tasks/main.yaml
+++ b/rpi-base/tasks/main.yaml
@@ -40,6 +40,15 @@
 become: yes
 copy: src="20auto-upgrades" dest="/etc/apt/apt.conf.d/20auto-upgrades"
+- name: configure logrotate
+ become: yes
+ copy: src="logrotate.conf" dest="/etc/logrotate.conf"
+
+- name: configure journald max size
+ become: yes
+ copy: src="journald.conf" dest="/etc/systemd/journald.conf"
+ notify: restart journald
+
 - name: configure log2ram disk size
 become: yes
 lineinfile:
diff --git a/scrypted/tasks/main.yaml b/scrypted/tasks/main.yaml
index 57bf38c..9ddae41 100644
--- a/scrypted/tasks/main.yaml
+++ b/scrypted/tasks/main.yaml
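Review bot: The header comment in rpi-base/files/logrotate.conf promises "max 50M per log", but `maxsize 50M` is only evaluated when logrotate actually runs, so a noisy log can grow well past 50M between runs and the ~100M worst case is an estimate, not a bound. How often logrotate is scheduled on these hosts is not visible here; if the RAM disk sizing depends on the figure, schedule it more often than daily or reword the comment, e.g. `# maxsize is checked only when logrotate runs; a log can exceed 50M between runs`. Seven daily rotations is also the whole retention window for file logs, which is worth stating in the comment for anyone who later needs them for an investigation.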
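Review bot: In rpi-base/tasks/main.yaml, both new `copy` tasks replace distribution-owned files (`/etc/logrotate.conf`, `/etc/systemd/journald.conf`) wholesale and set no `owner`, `group` or `mode`. For journald a drop-in is more robust against package updates and keeps the vendor defaults visible, e.g. `dest="/etc/systemd/journald.conf.d/size.conf"` with a preceding task that creates the directory. For both tasks I would add `owner="root" group="root" mode="0644"` and `backup="yes"`, so the previous file survives the first run. The `configure log2ram disk size` task at the end of the hunk continues outside it.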
@@ -1,12 +1,23 @@
 ---
-- name: add scrypted user
+- name: add docker apt key
 become: yes
- user: name="scrypted" shell="/bin/false" system="yes" create_home="no" groups="docker"
+ get_url:
+ url: "https://download.docker.com/linux/ubuntu/gpg"
+ dest: "/etc/apt/trusted.gpg.d/docker.asc"
+ mode: "0644"
+
+- name: add docker apt repo
+ become: yes
+ apt_repository: repo="deb [arch=arm64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu noble stable"
 - name: install docker apt packages
 become: yes
- apt: name="docker-ce"
+ apt: name="docker-ce" update_cache="yes"
+
+- name: add scrypted user
+ become: yes
+ user: name="scrypted" shell="/bin/false" system="yes" create_home="no" groups="docker"
 - name: make scrypted dir
 become: yes
|
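Review bot: In scrypted/tasks/main.yaml, `add docker apt key` writes the key to `/etc/apt/trusted.gpg.d/docker.asc`, and apt trusts every key in that directory for all configured repositories, so the `signed-by=` option on the repo line no longer scopes the key to Docker's repository. Store it outside the global trust directory, e.g. `dest: "/etc/apt/keyrings/docker.asc"`, and point `signed-by=` at the same path. The download is also unpinned: `get_url` accepts `checksum: "sha256:<expected-key-digest>"` (placeholder), which makes a changed key fail the play instead of being trusted silently. The `make scrypted dir` task at the end of the hunk continues outside it.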
