Move content to klingt.net repository

3 years ago · 502642a436
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@ -1,3 +0,0 @@
 /.vagrant/
 /*.log
 /vault.pass
--- a/ansible/Makefile
+++ b/ansible/Makefile
@ -1,34 +0,0 @@
 .PHONY: vm vagrant clean clean-all

 APPS:=$(dir $(wildcard build/*/))
 ANSIBLE_OPTS="--vault-password-file=./vault.pass"

 all: vm

 vm: playbook.yml Vagrantfile vagrant
 	ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_OPTS)\
 		--extra-vars='var_domain="klingt.vnet"'\
 		--private-key='./.vagrant/machines/default/virtualbox/private_key'\
 		--inventory-file='./.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory'\
 		--verbose\
 		playbook.yml

 klingt.net: playbook.yml Vagrantfile
 	ansible-playbook $(ANSIBLE_OPTS)\
 		--vault-password-file='./vault.pass'\
 		--verbose\
 		playbook.yml

 vagrant:
 	vagrant up

 clean:
 	rm -f *.retry

 clean-vm:
 	vagrant destroy -f

 clean-all: clean clean-vm
 	@for app in $(APPS); do\
 		make -C "$$app" clean &> /dev/null;\
 	done
--- a/ansible/README.md
+++ b/ansible/README.md
@ -1,29 +1,3 @@
 # Ansible

 A [series of articles](https://www.digitalocean.com/community/tutorials/an-introduction-to-configuration-management) about configuration managment at the example of Ansible.

 > By using a configuration management tool, the procedure necessary for bringing up a new server or updating an existing one will be all documented in the provisioning scripts.

 ## Terms

 - **Inventory** stores information about your servers as INI file
 - **Playbook** is the entry point for Ansible provisionings (imagine it as a set of tasks)
 - **Task** defines a single procedure to be executed, e.g. updating the package cache
 - **Module** typically is a abstraction of a system task (more generalized task?)
 - **Role** is used to organize playbooks and other files for reuse
 - **Play** names a complete provision process, from start to finish
 - **Facts** are variables containing information about the system, e.g. OS, hostname etc.
 - **Handlers** trigger service status changes

 ## Services

 The following list of services should be configured and deployed automatically:

 - [x] caddy
 - [x] gitea
 - [x] prometheus
 - [x] grafana
 - [x] jupyter
 - [x] postgres
 - [x] pgweb
 - [x] ~~netdata~~, node_exporter
 This content has been moved to <https://github.com/klingtnet/klingt.net>.
--- a/ansible/Vagrantfile
+++ b/ansible/Vagrantfile
@ -1,74 +0,0 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :

 # All Vagrant configuration is done below. The "2" in Vagrant.configure
 # configures the configuration version (we support older styles for
 # backwards compatibility). Please don't change it unless you know what
 # you're doing.
 Vagrant.configure("2") do |config|
  # The most common configuration options are documented and commented below.
  # For a complete reference, please see the online documentation at
  # https://docs.vagrantup.com.

  # Every Vagrant development environment requires a box. You can search for
  # boxes at https://vagrantcloud.com/search.
  config.vm.box = "ubuntu/xenial64"

  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  # config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # NOTE: This will enable public access to the opened port
  # config.vm.network "forwarded_port", guest: 80, host: 8080
  
  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine and only allow access
  # via 127.0.0.1 to disable public access
  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  config.vm.network "private_network", ip: "10.111.111.111"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  # config.vm.synced_folder "../data", "/vagrant_data"

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  # Example for VirtualBox:
  #
  # config.vm.provider "virtualbox" do |vb|
  #   # Display the VirtualBox GUI when booting the machine
  #   vb.gui = true
  #
  #   # Customize the amount of memory on the VM:
  #   vb.memory = "1024"
  # end
  #
  # View the documentation for the provider you are using for more
  # information on available options.

  # Enable provisioning with a shell script. Additional provisioners such as
  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
  # documentation for more information about their specific syntax and use.
  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get install -y python
  SHELL

  config.vm.provision "ansible" do |ansible|
    ansible.playbook = "vagrant_playbook.yml"
  end
 end
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -1,2 +0,0 @@
 [defaults]
 inventory = ./hosts
--- a/ansible/build/caddy/.gitignore
+++ b/ansible/build/caddy/.gitignore
@ -1,2 +0,0 @@
 /caddy
 /caddy-src*/
--- a/ansible/build/caddy/Makefile
+++ b/ansible/build/caddy/Makefile
@ -1,30 +0,0 @@
 .PHONY: clean

 VERSION		:=v0.10.8
 CADDY_SRC	:=caddy-src-$(VERSION)
 GOPATH		:=$(shell pwd)/$(CADDY_SRC)/.go

 all: caddy

 caddy: $(CADDY_SRC) checkout-version patch $(GOPATH)
 	cd $(CADDY_SRC) && go get -v github.com/mholt/caddy/caddy
 	cp $(GOPATH)/bin/$@ $@

 $(GOPATH): $(CADDY_SRC)
 	mkdir -p $@/src/github.com/mholt
 	ln -sf $(shell pwd)/$(CADDY_SRC) $(GOPATH)/src/github.com/mholt/caddy

 patch: $(CADDY_SRC)
 	cd $(CADDY_SRC)\
 		&& git apply ../plugins.patch\
 		&& git revert --no-edit --no-commit 56453e9664aa2c24115eb52a4e933febb3cac1f7

 $(CADDY_SRC):
 	git clone https://github.com/mholt/caddy.git $@

 checkout-version: $(CADDY_SRC)
 	cd $(CADDY_SRC) && git checkout --force --quiet $(VERSION)

 clean:
 	rm -f caddy
 	rm -rf caddy-*
--- a/ansible/build/caddy/plugins.patch
+++ b/ansible/build/caddy/plugins.patch
@ -1,27 +0,0 @@
 diff --git a/caddy/caddymain/run.go b/caddy/caddymain/run.go
 index 7bfb587..d12721f 100644
 --- a/caddy/caddymain/run.go
 +++ b/caddy/caddymain/run.go
@@ -21,6 +21,22 @@ import (
 
 	"github.com/mholt/caddy/caddytls"
 	// This is where other plugins get plugged in (imported)
 +
 +	_ "github.com/SchumacherFM/mailout"
 +	_ "github.com/caddyserver/forwardproxy"
 +	_ "github.com/captncraig/caddy-realip"
 +	_ "github.com/captncraig/cors"
 +	_ "github.com/echocat/caddy-filter"
 +	_ "github.com/hacdias/caddy-minify"
 +	_ "github.com/hacdias/caddy-webdav"
 +	_ "github.com/hacdias/filemanager"
 +	_ "github.com/jung-kurt/caddy-cgi"
 +	_ "github.com/miekg/caddy-prometheus"
 +	_ "github.com/nicolasazrak/caddy-cache"
 +	_ "github.com/pyed/ipfilter"
 +	_ "github.com/restic/caddy"
 +	_ "github.com/xuqingfeng/caddy-rate-limit"
 +	_ "blitznote.com/src/caddy.upload"
 )
 
 func init() {
--- a/ansible/build/gitea/.gitignore
+++ b/ansible/build/gitea/.gitignore
@ -1,2 +0,0 @@
 /gitea
 /gitea-src*/
--- a/ansible/build/gitea/Makefile
+++ b/ansible/build/gitea/Makefile
@ -1,30 +0,0 @@
 .PHONY: clean

 VERSION				:=v1.1.4
 GITEA_SRC			:=gitea-src-$(VERSION)
 GOPATH				:=$(shell pwd)/$(GITEA_SRC)/.go
 GITEA_BUILD_TAGS	:=bindata

 all: gitea

 gitea: $(GITEA_SRC) checkout-version $(GOPATH) $(GOPATH)/bin/go-bindata
 	cd $(GOPATH)/src/code.gitea.io/gitea\
 		&& PATH=$(GOPATH)/bin:$$PATH TAGS=$(GITEA_BUILD_TAGS) make generate build
 	cp $(GITEA_SRC)/$@ $@

 $(GOPATH): $(GITEA_SRC)
 	mkdir -p $@/src/code.gitea.io
 	ln -sf $(shell pwd)/$(GITEA_SRC) $(GOPATH)/src/code.gitea.io/gitea

 $(GOPATH)/bin/go-bindata: $(GOPATH)
 	go get github.com/jteeuwen/go-bindata/...

 $(GITEA_SRC):
 	git clone https://github.com/go-gitea/gitea.git $@

 checkout-version: $(GITEA_SRC)
 	cd $(GITEA_SRC) && git checkout --force --quiet $(VERSION)

 clean:
 	rm -f gitea
 	rm -rf gitea-*
--- a/ansible/build/grafana/.gitignore
+++ b/ansible/build/grafana/.gitignore
@ -1,2 +0,0 @@
 /grafana-*/
 /grafana
--- a/ansible/build/grafana/Makefile
+++ b/ansible/build/grafana/Makefile
@ -1,14 +0,0 @@
 .PHONY: grafana clean

 VERSION:=4.4.1

 all: grafana

 grafana: grafana-$(VERSION)
 	ln -sfn $< $@

 grafana-$(VERSION):
 	curl -Lsf 'https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-$(VERSION).linux-x64.tar.gz' | tar -xvzf -

 clean:
 	rm -f "grafana*"
--- a/ansible/build/node_exporter/.gitignore
+++ b/ansible/build/node_exporter/.gitignore
@ -1,2 +0,0 @@
 /node_exporter
 /.go/
--- a/ansible/build/node_exporter/Makefile
+++ b/ansible/build/node_exporter/Makefile
@ -1,16 +0,0 @@
 .PHONY: clean

 VERSION:=0.14.0
 GOPATH:=$(shell pwd)/.go

 all: node_exporter
 	
 $(GOPATH):
 	mkdir -p $@

 node_exporter: $(GOPATH)
 	go get -v github.com/prometheus/node_exporter
 	cp $(GOPATH)/bin/$@ $@

 clean:
 	rm -rf "node_exporter*" .go
--- a/ansible/build/pgweb/.gitignore
+++ b/ansible/build/pgweb/.gitignore
@ -1,2 +0,0 @@
 /pgweb
 /pgweb_*_amd64
--- a/ansible/build/pgweb/Makefile
+++ b/ansible/build/pgweb/Makefile
@ -1,15 +0,0 @@
 .PHONY: clean

 VERSION:=0.9.7

 all: pgweb

 pgweb: pgweb_linux_amd64
 	cp $< $@
 	chmod +x $@

 pgweb_linux_amd64:
 	curl -Lsf 'https://github.com/sosedoff/pgweb/releases/download/v$(VERSION)/pgweb_linux_amd64.zip' | bsdtar -xvzf -

 clean:
 	rm -f pgweb
--- a/ansible/build/prometheus/.gitignore
+++ b/ansible/build/prometheus/.gitignore
@ -1,4 +0,0 @@
 /prometheus-*-amd64/
 /prometheus
 /prometheus*.tar.gz
 /prometheus*.yml
--- a/ansible/build/prometheus/Makefile
+++ b/ansible/build/prometheus/Makefile
@ -1,14 +0,0 @@
 .PHONY: clean

 VERSION=1.7.1

 all: prometheus

 prometheus: prometheus-$(VERSION).linux-amd64.tar.gz
 	tar --strip-components 1 -xvf $< -- prometheus-$(VERSION).linux-amd64/$@ prometheus-$(VERSION).linux-amd64/$@.yml

 prometheus-$(VERSION).linux-amd64.tar.gz:
 	curl -Lsf 'https://github.com/prometheus/prometheus/releases/download/v$(VERSION)/prometheus-$(VERSION).linux-amd64.tar.gz' > $@

 clean:
 	rm -f prometheus "prometheus-*.tar.gz"
--- a/ansible/hosts
+++ b/ansible/hosts
@ -1,6 +0,0 @@
 ---

 [klingt-net]
 klingt.net

 # vim set: syntax=yaml
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@ -1,29 +0,0 @@
 ---
 # TODOs
 # - cron for postgres backup (pg_dumpall | tar --use-compress-programm=pixz -cJf postgres-$(date foobar).tar.xz
 - hosts: all
  vars:
    user_name: alinz
    user_email: "{{ user_name }}@email-provider.com"
    domain: "{{ var_domain | default('klingt.net') }}"
    domain_version: unknown
    caddy_email: "{{ user_email }}"
    caddy_restic_user: alinz
    jupyter_password: 'sha1:7ba04f8b7db3:b647b05c2e317857828f9f4fc929b08d485f9c76'
  vars_files:
    - vault_vars.yml
  roles:
    - common
    - postgres
    - gitea
    - jupyter
    - caddy
    - prometheus
    - grafana
  tasks:
  - name: Set version number
    delegate_to: localhost
    shell: git describe --always --tags
    register: git_version
  - set_fact:
      domain_version: "{{ git_version.stdout }}"
--- a/ansible/roles/caddy/defaults/main.yml
+++ b/ansible/roles/caddy/defaults/main.yml
@ -1,10 +0,0 @@
 caddy_user: caddy
 caddy_group: caddy
 caddy_path: /usr/bin/caddy
 caddy_ca_url: https://acme-staging.api.letsencrypt.org/directory
 caddy_prometheus_port: 9180
 caddy_restic_path: "/home/{{ caddy_user }}/restic"
 #caddy_email: user@email-provider.com
 #caddy_restic_user: alinz
 #caddy_restic_password: password
 caddy_file_browser_root: "/var/caddy/files.{{ domain }}"
--- a/ansible/roles/caddy/handlers/main.yml
+++ b/ansible/roles/caddy/handlers/main.yml
@ -1,12 +0,0 @@
 - name: Validate caddy configuration
  listen: caddy-validate
  become: true
  become_user: "{{ caddy_user }}"
  command: "{{ caddy_path }} -conf=/etc/caddy/Caddyfile -validate"
 - name: Restart caddy
  listen: restart-caddy
  become: true
  systemd:
    daemon_reload: yes
    name: caddy
    state: restarted
--- a/ansible/roles/caddy/tasks/main.yml
+++ b/ansible/roles/caddy/tasks/main.yml
@ -1,81 +0,0 @@
 - name: "Create group {{ caddy_group }}"
  become: true
  group:
    name: "{{ caddy_group }}"
 - name: Create caddy user
  become: true
  user:
    name: "{{ caddy_user }}"
    comment: "Caddy run user"
    append: true
    group: "{{ caddy_group }}"
    shell: /bin/false
 - name: Build caddy
  command: make -C ./build/caddy
  delegate_to: localhost
 - name: Install caddy
  become: true
  copy:
    src: ./build/caddy/caddy
    dest: "{{ caddy_path }}"
    mode: 0755
 - name: Create caddy certificate directory
  become: true
  file:
    name: "/home/{{ caddy_user }}/certs"
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"
    state: directory
    mode: 0700
 - name: Create caddy restic path
  become: true
  file:
    name: "{{ caddy_restic_path }}"
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"
    state: directory
    mode: 0700
 - name: "Create {{ caddy_file_browser_root }} directory"
  become: true
  file:
    name: "{{ caddy_file_browser_root }}/public"
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"
    state: directory
    mode: 0700
 - name: Create caddy configuration directory
  become: true
  file:
    name: "/etc/caddy"
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"
    state: directory
    mode: 0700
 - name: Configure caddy
  become: true
  template:
    src: "{{ item }}.tmpl"
    dest: "/etc/caddy/{{ item }}"
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"
    mode: 0600
  with_items:
    - Caddyfile
    - common.caddy
  notify:
    - caddy-validate
    - restart-caddy
 - name: Install caddy systemd unit
  become: true
  template:
    src: caddy.service.tmpl
    dest: /etc/systemd/system/caddy.service
    mode: 0600
 - name: Start caddy
  become: true
  systemd:
    daemon_reload: yes
    name: caddy
    state: started
    enabled: true
  notify: restart-caddy
--- a/ansible/roles/caddy/templates/Caddyfile.tmpl
+++ b/ansible/roles/caddy/templates/Caddyfile.tmpl
@ -1,117 +0,0 @@
 git.{{ domain }}:80 {
    import common.caddy
    redir https://git.{{ domain }}{uri}
 }
 git.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    proxy / localhost:{{ gitea_port }} {
        transparent
    }
 }

 pg.{{ domain }}:80 {
    import common.caddy
    redir https://pg.{{ domain }}{uri}
 }
 pg.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ user_name }} {{ user_password }}
    proxy / localhost:{{ pgweb_port }} {
        transparent
    }
 }

 prometheus.{{ domain }}:80 {
    import common.caddy
    redir https://prometheus.{{ domain }}{uri}
 }
 prometheus.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ user_name }} {{ user_password }}
    proxy / localhost:{{ prometheus_port }} {
        transparent
    }
 }

 jupyter.{{ domain }}:80 {
    import common.caddy
    redir https://jupyter.{{ domain }}{uri}
 }
 jupyter.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ user_name }} {{ user_password }}
    proxy / localhost:{{ jupyter_port }} {
        transparent
    }
 }

 grafana.{{ domain }}:80 {
    import common.caddy
    redir https://grafana.{{ domain }}{uri}
 }
 grafana.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ user_name }} {{ user_password }}
    proxy / localhost:{{ grafana_port }} {
        transparent
    }
 }

 restic.{{ domain }}:80 {
    import common.caddy
    redir https://restic.{{ domain }}{uri}
 }
 restic.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ caddy_restic_user }} {{ caddy_restic_password }}
    restic / {{ caddy_restic_path }}
 }

 files.{{ domain }}:80 {
    import common.caddy
    redir https://files.{{ domain }}{uri}
 }
 files.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ user_name }} {{ user_password }}
    root {{ caddy_file_browser_root }}/public
    upload / {
        to {{ caddy_file_browser_root }}/public
        filenames_form NFC
    }
    mime {
        # video/x-matroska is not supported in firefox
        .mkv video/webm
    }
    browse
 }

 webdav.{{ domain }}:80 {
    import common.caddy
    redir https://webdav.{{ domain }}{uri}
 }
 webdav.{{ domain }}:443 {
    import common.caddy
    tls self_signed
    basicauth / {{ user_name }} {{ user_password }}
    webdav {
        scope {{ caddy_file_browser_root }}
    }
 }

 proxy.{{ domain }}:443 {
    tls self_signed
    log stdout
    forwardproxy {
        basicauth {{ user_name }} {{ user_password }}
        hide_ip
        serve_pac
    }
 }
--- a/ansible/roles/caddy/templates/caddy.service.tmpl
+++ b/ansible/roles/caddy/templates/caddy.service.tmpl
@ -1,54 +0,0 @@
 [Unit]
 Description=Caddy HTTP/2 web server
 Documentation=https://caddyserver.com/docs
 After=network-online.target
 Wants=network-online.target systemd-networkd-wait-online.service

 [Service]
 Restart=on-abnormal

 ; User and group the process will run as.
 User={{ caddy_user }}
 Group={{ caddy_group }}

 ; Letsencrypt-issued certificates will be written to this directory.
 Environment=CADDYPATH=/home/{{ caddy_user }}/certs

 ; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
 ExecStart={{ caddy_path }}\
    -log stdout\
    -agree=true\
    -conf=/etc/caddy/Caddyfile\
    -email={{ caddy_email }}\
    -ca='{{ caddy_ca_url }}'\
    -root=/var/tmp
 ExecReload=/bin/kill -USR1 $MAINPID

 ; Use graceful shutdown with a reasonable timeout
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s

 ; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
 LimitNOFILE=1048576
 ; Unmodified caddy is not expected to use more than that.
 LimitNPROC=64

 ; Use private /tmp and /var/tmp, which are discarded after caddy stops.
 PrivateTmp=true
 ; Use a minimal /dev
 PrivateDevices=true
 ; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
 ;ProtectHome=true
 ; Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full

 ; The following additional security directives only work with systemd v229 or later.
 ; They further retrict privileges that can be gained by caddy. Uncomment if you like.
 ; Note that you may have to add capabilities required by any plugins in use.
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target
--- a/ansible/roles/caddy/templates/common.caddy.tmpl
+++ b/ansible/roles/caddy/templates/common.caddy.tmpl
@ -1,3 +0,0 @@
 log stdout
 prometheus
 header / X-klingt-net-version "{{ domain_version }}"
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@ -1,8 +0,0 @@
 #user_name: default_user
 #user_password: ThisIsInsecure
 #user_email: user@email-provider.com
 locale: en_US.UTF-8
 domain: klingt.net
 domain_version: unknown-version
 db_name: klingt-net
 #db_password: password
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@ -1,6 +0,0 @@
 - name: Restart journal process
  listen: restart-journald
  become: true
  systemd:
    name: systemd-journald
    state: restarted
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -1,42 +0,0 @@
 - name: "Generate {{ locale }}"
  locale_gen:
    name: "{{ locale }}"
    state: present
 - name: "Set {{ locale }}"
  become: true
  command: "update-locale LANG={{ locale }}"
 - name: Set timezone to UTC
  timezone:
    name: Etc/UTC
 - name: Create systemd-journald log path
  become: true
  file:
    path: /var/log/journal
    state: directory
    mode: 0600
  notify: restart-journald
 - name: Update package index
  apt: update_cache=yes package=sudo
  become: true
 - name: Check wheel group
  become: true
  group:
    name: wheel
    state: present
 - name: Allow wheel to sudo (with password)
  become: true
  lineinfile:
    dest: /etc/sudoers
    state: present
    backup: true
    regexp: '^#\s*%wheel\s+ALL=\(ALL\)\s+ALL$'
    line: '%wheel ALL=(ALL) ALL'
 - name: "Create user {{ user_name }}"
  become: true
  user:
    name: "{{ user_name }}"
    comment: "{{ user_email }}"
    append: true
    groups: wheel
    # http://docs.ansible.com/ansible/user_module.html
    password: "{{ user_password }}"
--- a/ansible/roles/gitea/defaults/main.yml
+++ b/ansible/roles/gitea/defaults/main.yml
@ -1,7 +0,0 @@
 gitea_user: gitea
 gitea_group: gitea
 gitea_db_name: gitea
 gitea_path: /usr/bin/gitea
 gitea_port: 10000
 #gitea_db_password: password
 #gitea_admin_password: password
--- a/ansible/roles/gitea/handlers/main.yml
+++ b/ansible/roles/gitea/handlers/main.yml
@ -1,7 +0,0 @@
 - name: Restart gitea
  listen: restart-gitea
  become: true
  systemd:
    daemon_reload: true
    name: gitea
    state: restarted
--- a/ansible/roles/gitea/tasks/main.yml
+++ b/ansible/roles/gitea/tasks/main.yml
@ -1,88 +0,0 @@
 # GITEA
 - name: Build gitea
  command: make -C ./build/gitea
  delegate_to: localhost
 - name: Install gitea
  become: true
  copy:
    src: ./build/gitea/gitea
    dest: "{{ gitea_path }}"
    mode: 0755
 - name: Install gitea systemd unit
  become: true
  template:
    src: gitea.service.tmpl
    dest: /etc/systemd/system/gitea.service
    mode: 0600
  notify: restart-gitea
 - name: "Create group {{ gitea_group }}"
  become: true
  group:
    name: "{{ gitea_group }}"
 - name: "Create user {{ gitea_user }}"
  become: true
  user:
    name: "{{ gitea_user }}"
    comment: "Gitea run user"
    append: true
    group: "{{ gitea_group }}"
    # needs a shell because of git
 - name: Create gitea folder
  become: true
  become_user: "{{ gitea_user }}"
  file:
    path: "/home/{{ gitea_user }}/gitea/{{ item }}"
    state: directory
    mode: 0700
  with_items:
    - repos
    - logs
    - custom/conf
 - name: Create postgres user gitea
  become: true
  become_user: postgres
  postgresql_user:
    name: gitea
    password: "{{ gitea_db_password }}"
 - name: "Create database {{ gitea_db_name }}"
  become: true
  become_user: "postgres"
  postgresql_db:
    name: gitea
    owner: "{{ gitea_db_name }}"
    state: present
 - name: Create gitea configuration
  become: true
  template:
    src: app.ini.tmpl
    dest: /home/gitea/gitea/custom/conf/app.ini
    mode: 0600
    owner: "{{ gitea_user }}"
  notify: restart-gitea
 - name: Start gitea
  become: true
  systemd:
    daemon_reload: yes
    name: gitea
    state: started
    enabled: true
 - name: Wait for Gitea to startup
  uri:
    url: "http://127.0.0.1:{{ gitea_port }}/"
    status_code: 200
  register: result
  until: result.status == 200
  retries: 3
  delay: 1
 - name: Check if gitea admin user was created
  become: true
  become_user: "{{ gitea_user }}"
  command: "psql 'postgresql://{{ gitea_user }}:{{ gitea_db_password }}@localhost/{{ gitea_db_name }}' --no-align --tuples-only --quiet --command 'select exists (select 1 from \"user\" where is_admin);'"
  register: gitea_admin_check
 - name: "Create gitea admin user {{ user_name }}"
  become: true
  become_user: gitea
  command: "gitea admin create-user --name {{ user_name }} --password {{ gitea_admin_password }} --email {{ user_email }} --admin --config ./gitea/custom/conf/app.ini"
  args:
    chdir: "/home/{{ gitea_user }}"
  when: gitea_admin_check.stdout.strip() == 'f'
--- a/ansible/roles/gitea/templates/app.ini.tmpl
+++ b/ansible/roles/gitea/templates/app.ini.tmpl
@ -1,52 +0,0 @@
 APP_NAME = Gitea
 RUN_USER = {{ gitea_user }}
 RUN_MODE = prod

 [database]
 DB_TYPE  = postgres
 HOST     = 127.0.0.1:5432
 NAME     = {{ gitea_db_name }}
 USER     = {{ gitea_user }}
 PASSWD   = {{ gitea_db_password }}
 SSL_MODE = disable

 [repository]
 ROOT = /home/{{ gitea_user }}/gitea/repos

 [server]
 SSH_DOMAIN       = localhost
 HTTP_PORT        = {{ gitea_port }}
 ROOT_URL         = http://localhost:{{ gitea_port }}/
 DISABLE_SSH      = false
 SSH_PORT         = 22
 LFS_START_SERVER = false
 OFFLINE_MODE     = false

 [mailer]
 ENABLED = false

 [service]
 REGISTER_EMAIL_CONFIRM     = false
 ENABLE_NOTIFY_MAIL         = false
 DISABLE_REGISTRATION       = true
 ENABLE_CAPTCHA             = false
 REQUIRE_SIGNIN_VIEW        = false
 DEFAULT_KEEP_EMAIL_PRIVATE = false
 NO_REPLY_ADDRESS           = noreply.example.org

 [picture]
 DISABLE_GRAVATAR        = false
 ENABLE_FEDERATED_AVATAR = false

 [session]
 PROVIDER = file

 [log]
 MODE      = console
 LEVEL     = Info
 ROOT_PATH = /home/gitea/gitea/logs

 [security]
 INSTALL_LOCK = true
 # TODO change this
 SECRET_KEY   = jU7wm95B2j
--- a/ansible/roles/gitea/templates/gitea.service.tmpl
+++ b/ansible/roles/gitea/templates/gitea.service.tmpl
@ -1,20 +0,0 @@
 [Unit]
 Description=gitea - A painless self-hosted Git service
 Documentation=https://gitea.io/
 After=postgresql.target
 Wants=network-online.target systemd-networkd-wait-online.service sshd.service

 [Service]
 Restart=on-abnormal
 ExecStart={{ gitea_path }} web --port {{ gitea_port }} --config /home/{{ gitea_user }}/gitea/custom/conf/app.ini
 User={{ gitea_user }}
 Group={{ gitea_group }}
 WorkingDirectory=/home/{{ gitea_user }}/gitea
 PrivateTmp=true
 PrivateDevices=true
 ProtectSystem=full
 NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target

--- a/ansible/roles/grafana/defaults/main.yml
+++ b/ansible/roles/grafana/defaults/main.yml
@ -1,11 +0,0 @@
 grafana_user: grafana
 grafana_group: grafana
 grafana_address: 127.0.0.1
 grafana_port: 10002
 grafana_db_name: grafana
 grafana_db_password: ThisIsInsecure
 grafana_domain: "grafana.{{ domain }}"
 #grafana_password: password
 node_exporter_path: /usr/bin/node_exporter
 node_exporter_port: 9091
 node_exporter_address: "127.0.0.1:{{ node_exporter_port }}"
--- a/ansible/roles/grafana/handlers/main.yml
+++ b/ansible/roles/grafana/handlers/main.yml
@ -1,7 +0,0 @@
 - name: Restart grafana
  listen: restart-grafana
  become: true
  systemd:
    daemon_reload: true
    name: grafana
    state: restarted
--- a/ansible/roles/grafana/tasks/main.yml
+++ b/ansible/roles/grafana/tasks/main.yml
@ -1,77 +0,0 @@
 - name: "Create group {{ grafana_group }}"
  become: true
  group:
    name: "{{ grafana_group }}"
 - name: Create grafana user
  become: true
  user:
    name: "{{ grafana_user }}"
    comment: "Grafana run user"
    append: true
    group: "{{ grafana_group }}"
    shell: /bin/false
 - name: Create postgres user grafana
  become: true
  become_user: postgres
  postgresql_user:
    name: grafana
    password: "{{ grafana_db_password }}"
 - name: Build grafana
  command: make -C ./build/grafana
  delegate_to: localhost
 - name: Create grafana homepath
  become: true
  file:
    path: /usr/share/grafana
    state: directory
    mode: 0755
 - name: Install grafana
  become: true
  # copy does not scale for directories
  synchronize:
    src: "./build/grafana/grafana/{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: 'bin/grafana-server', dest: '/usr/bin/grafana-server' }
    - { src: 'conf', dest: '/usr/share/grafana' }      
    - { src: 'public', dest: '/usr/share/grafana' }
 - name: Create grafana config path
  become: true
  file:
    path: /etc/grafana
    state: directory
    mode: 0755
 - name: Install grafana configuration
  become: true
  template:
    src: config.ini.tmpl
    dest: /etc/grafana/config.ini
    mode: 0644
  notify: restart-grafana 
 - name: Install grafana systemd unit
  become: true
  template:
    src: grafana.service.tmpl
    dest: /etc/systemd/system/grafana.service
    mode: 0600
  notify: restart-grafana
 - name: Create postgres user grafana
  become: true
  become_user: postgres
  postgresql_user:
    name: grafana
    password: "{{ grafana_db_password }}"
 - name: "Create database {{ grafana_db_name }}"
  become: true
  become_user: "postgres"
  postgresql_db:
    name: grafana
    owner: "{{ grafana_db_name }}"
    state: present
 - name: Start grafana
  become: true
  systemd:
    daemon_reload: yes
    name: grafana
    state: started
    enabled: true
--- a/ansible/roles/grafana/templates/config.ini.tmpl
+++ b/ansible/roles/grafana/templates/config.ini.tmpl
@ -1,406 +0,0 @@
 ##################### Grafana Configuration Example #####################
 #
 # Everything has defaults so you only need to uncomment things you want to
 # change

 # possible values : production, development
 ; app_mode = production

 # instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
 ; instance_name = ${HOSTNAME}

 #################################### Paths ####################################
 [paths]
 # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
 #
 ;data = /var/lib/grafana
 #
 # Directory where grafana can store logs
 #
 ;logs = /var/log/grafana
 #
 # Directory where grafana will automatically scan and look for plugins
 #
 ;plugins = /var/lib/grafana/plugins

 #
 #################################### Server ####################################
 [server]
 # Protocol (http, https, socket)
 ;protocol = http

 # The ip address to bind to, empty will bind to all interfaces
 http_addr = {{ grafana_address }}

 # The http port  to use
 http_port = {{ grafana_port }}

 # The public facing domain name used to access grafana from a browser
 domain = {{ grafana_domain }}

 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks
 ;enforce_domain = false

 # The full public facing url you use in browser, used for redirects and emails
 # If you use reverse proxy and sub path specify full url (with sub path)
 root_url = http://{{ grafana_domain }}

 # Log web requests
 ;router_logging = false

 # the path relative working path
 ;static_root_path = public

 # enable gzip
 enable_gzip = true

 # https certs & key file
 ;cert_file =
 ;cert_key =

 # Unix socket path
 ;socket =

 #################################### Database ####################################
 [database]
 # You can configure the database connection by specifying type, host, name, user and password
 # as seperate properties or as on string using the url propertie.

 # Either "mysql", "postgres" or "sqlite3", it's your choice
 ;type = sqlite3
 ;host = 127.0.0.1:3306
 ;name = grafana
 ;user = root
 # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
 ;password =

 # Use either URL or the previous fields to configure the database
 # Example: mysql://user:secret@host:port/database
 url = postgres://{{ grafana_user }}:{{ grafana_db_password }}@{{ postgres_host }}:{{ postgres_port }}/{{ grafana_db_name }}

 # For "postgres" only, either "disable", "require" or "verify-full"
 ;ssl_mode = disable

 # For "sqlite3" only, path relative to data_path setting
 ;path = grafana.db

 # Max conn setting default is 0 (mean not set)
 ;max_idle_conn =
 ;max_open_conn =


 #################################### Session ####################################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", default is "file"
 provider = memory

 # Provider config options
 # memory: not have any config yet
 # file: session dir path, is relative to grafana data_path
 # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
 # mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
 # postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
 ;provider_config = sessions

 # Session cookie name
 ;cookie_name = grafana_sess

 # If you use session in https only, default is false
 ;cookie_secure = false

 # Session life time, default is 86400
 ;session_life_time = 86400

 #################################### Data proxy ###########################
 [dataproxy]

 # This enables data proxy logging, default is false
 ;logging = false


 #################################### Analytics ####################################
 [analytics]
 # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
 # No ip addresses are being tracked, only simple counters to track
 # running instances, dashboard and error counts. It is very helpful to us.
 # Change this option to false to disable reporting.
 ;reporting_enabled = true

 # Set to false to disable all checks to https://grafana.net
 # for new vesions (grafana itself and plugins), check is used
 # in some UI views to notify that grafana or plugin update exists
 # This option does not cause any auto updates, nor send any information
 # only a GET request to http://grafana.com to get latest versions
 ;check_for_updates = true

 # Google Analytics universal tracking code, only enabled if you specify an id here
 ;google_analytics_ua_id =

 #################################### Security ####################################
 [security]
 # default admin user, created on startup
 ;admin_user = admin

 # default admin password, can be changed before first start of grafana,  or in profile settings
 admin_password = {{ grafana_password }}

 # used for signing
 ;secret_key = SW2YcwTIb9zpOOhoPsMm

 # Auto-login remember days
 ;login_remember_days = 7
 ;cookie_username = grafana_user
 ;cookie_remember_name = grafana_remember

 # disable gravatar profile images
 ;disable_gravatar = false

 # data source proxy whitelist (ip_or_domain:port separated by spaces)
 ;data_source_proxy_whitelist =

 [snapshots]
 # snapshot sharing options
 external_enabled = false
 ;external_snapshot_url = https://snapshots-origin.raintank.io
 ;external_snapshot_name = Publish to snapshot.raintank.io

 # remove expired snapshot
 ;snapshot_remove_expired = true

 # remove snapshots after 90 days
 ;snapshot_TTL_days = 90

 #################################### Users ####################################
 [users]
 # disable user signup / registration
 allow_sign_up = false

 # Allow non admin users to create organizations
 allow_org_create = false

 # Set to true to automatically assign new users to the default organization (id 1)
 ;auto_assign_org = true

 # Default role new users will be automatically assigned (if disabled above is set to true)
 ;auto_assign_org_role = Viewer

 # Background text for the user field on the login page
 ;login_hint = email or username

 # Default UI theme ("dark" or "light")
 ;default_theme = dark

 [auth]
 # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
 ;disable_login_form = false

 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
 ;disable_signout_menu = false

 #################################### Anonymous Auth ##########################
 [auth.anonymous]
 # enable anonymous access
 ;enabled = false

 # specify organization name that should be used for unauthenticated users
 ;org_name = Main Org.

 # specify role for unauthenticated users
 ;org_role = Viewer

 #################################### Github Auth ##########################
 [auth.github]
 ;enabled = false
 ;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
 ;auth_url = https://github.com/login/oauth/authorize
 ;token_url = https://github.com/login/oauth/access_token
 ;api_url = https://api.github.com/user
 ;team_ids =
 ;allowed_organizations =

 #################################### Google Auth ##########################
 [auth.google]
 ;enabled = false
 ;allow_sign_up = true
 ;client_id = some_client_id
 ;client_secret = some_client_secret
 ;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
 ;auth_url = https://accounts.google.com/o/oauth2/auth
 ;token_url = https://accounts.google.com/o/oauth2/token
 ;api_url = https://www.googleapis.com/oauth2/v1/userinfo
 ;allowed_domains =

 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
 ;enabled = false
 ;name = OAuth
 ;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
 ;auth_url = https://foo.bar/login/oauth/authorize
 ;token_url = https://foo.bar/login/oauth/access_token
 ;api_url = https://foo.bar/user
 ;team_ids =
 ;allowed_organizations =

 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
 ;enabled = false
 ;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email
 ;allowed_organizations =

 #################################### Auth Proxy ##########################
 [auth.proxy]
 ;enabled = false
 ;header_name = X-WEBAUTH-USER
 ;header_property = username
 ;auto_sign_up = true
 ;ldap_sync_ttl = 60
 ;whitelist = 192.168.1.1, 192.168.2.1

 #################################### Basic Auth ##########################
 [auth.basic]
 ;enabled = true

 #################################### Auth LDAP ##########################
 [auth.ldap]
 ;enabled = false
 ;config_file = /etc/grafana/ldap.toml
 ;allow_sign_up = true

 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
 ;host = localhost:25
 ;user =
 # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
 ;password =
 ;cert_file =
 ;key_file =
 ;skip_verify = false
 ;from_address = admin@grafana.localhost
 ;from_name = Grafana

 [emails]
 ;welcome_email_on_sign_up = false

 #################################### Logging ##########################
 [log]
 # Either "console", "file", "syslog". Default is console and  file
 # Use space to separate multiple modes, e.g. "console file"
 ;mode = console

 # Either "debug", "info", "warn", "error", "critical", default is "info"
 ;level = info

 # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
 ;filters =

 # For "console" mode only
 [log.console]
 ;level =

 # log line format, valid options are text, console and json
 ;format = console

 # For "file" mode only
 [log.file]
 ;level =

 # log line format, valid options are text, console and json
 ;format = text

 # This enables automated log rotate(switch of following options), default is true
 ;log_rotate = true

 # Max line number of single file, default is 1000000
 ;max_lines = 1000000

 # Max size shift of single file, default is 28 means 1 << 28, 256MB
 ;max_size_shift = 28

 # Segment log daily, default is true
 ;daily_rotate = true

 # Expired days of log file(delete after max days), default is 7
 ;max_days = 7

 [log.syslog]
 ;level =

 # log line format, valid options are text, console and json
 ;format = text

 # Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
 ;network =
 ;address =

 # Syslog facility. user, daemon and local0 through local7 are valid.
 ;facility =

 # Syslog tag. By default, the process' argv[0] is used.
 ;tag =


 #################################### AMQP Event Publisher ##########################
 [event_publisher]
 ;enabled = false
 ;rabbitmq_url = amqp://localhost/
 ;exchange = grafana_events

 ;#################################### Dashboard JSON files ##########################
 [dashboards.json]
 ;enabled = false
 ;path = /var/lib/grafana/dashboards

 #################################### Alerting ############################
 [alerting]
 # Disable alerting engine & UI features
 ;enabled = true
 # Makes it possible to turn off alert rule execution but alerting UI is visible
 ;execute_alerts = true

 #################################### Internal Grafana Metrics ##########################
 # Metrics available at HTTP API Url /api/metrics
 [metrics]
 # Disable / Enable internal metrics
 ;enabled           = true

 # Publish interval
 ;interval_seconds  = 10

 # Send internal metrics to Graphite
 [metrics.graphite]
 # Enable by setting the address setting (ex localhost:2003)
 ;address =
 ;prefix = prod.grafana.%(instance_name)s.

 #################################### Grafana.com integration  ##########################
 # Url used to to import dashboards directly from Grafana.com
 [grafana_com]
 ;url = https://grafana.com

 #################################### External image storage ##########################
 [external_image_storage]
 # Used for uploading images to public servers so they can be included in slack/email messages.
 # you can choose between (s3, webdav)
 ;provider =

 [external_image_storage.s3]
 ;bucket_url =
 ;access_key =
 ;secret_key =

 [external_image_storage.webdav]
 ;url =
 ;public_url =
 ;username =
 ;password =
--- a/ansible/roles/grafana/templates/grafana.service.tmpl
+++ b/ansible/roles/grafana/templates/grafana.service.tmpl
@ -1,19 +0,0 @@
 [Unit]
 Description=grafana - monitoring and metric analytics & dashboards
 Documentation=https://grafana.org/
 After=prometheus.target
 Wants=network-online.target systemd-networkd-wait-online.service

 [Service]
 Restart=on-abnormal
 ExecStart=/usr/bin/grafana-server -homepath=/usr/share/grafana -config=/etc/grafana/config.ini
 User={{ grafana_user }}
 Group={{ grafana_group }}
 PrivateTmp=true
 PrivateDevices=true
 ProtectSystem=full
 NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target

--- a/ansible/roles/grafana/templates/jupyter.service.tmpl
+++ b/ansible/roles/grafana/templates/jupyter.service.tmpl
@ -1,20 +0,0 @@
 [Unit]
 Description=jupyter - Python notebook server
 Documentation=http://jupyter.github.io/
 After=network-online.target
 Wants=systemd-networkd-wait-online.service

 [Service]
 Restart=on-abnormal
 ExecStart=/home/{{ jupyter_user }}/.local/bin/jupyter notebook
 User={{ jupyter_user }}
 Group={{ jupyter_group }}
 WorkingDirectory=/home/{{ jupyter_user }}
 PrivateTmp=true
 PrivateDevices=true
 ProtectSystem=full
 NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target

--- a/ansible/roles/grafana/templates/jupyter_notebook_config.py.tmpl
+++ b/ansible/roles/grafana/templates/jupyter_notebook_config.py.tmpl
@ -1,605 +0,0 @@
 # Configuration file for jupyter-notebook.

 #------------------------------------------------------------------------------
 # Application(SingletonConfigurable) configuration
 #------------------------------------------------------------------------------

 ## This is an application.

 ## The date format used by logging formatters for %(asctime)s
 #c.Application.log_datefmt = '%Y-%m-%d %H:%M:%S'

 ## The Logging format template
 #c.Application.log_format = '[%(name)s]%(highlevel)s %(message)s'

 ## Set the log level by value or name.
 #c.Application.log_level = 30

 #------------------------------------------------------------------------------
 # JupyterApp(Application) configuration
 #------------------------------------------------------------------------------

 ## Base class for Jupyter applications

 ## Answer yes to any prompts.
 c.JupyterApp.answer_yes = True

 ## Full path of a config file.
 #c.JupyterApp.config_file = ''

 ## Specify a config file to load.
 #c.JupyterApp.config_file_name = ''

 ## Generate default config file.
 c.JupyterApp.generate_config = False

 #------------------------------------------------------------------------------
 # NotebookApp(JupyterApp) configuration
 #------------------------------------------------------------------------------

 ## Set the Access-Control-Allow-Credentials: true header
 #c.NotebookApp.allow_credentials = False

 ## Set the Access-Control-Allow-Origin header
 #  
 #  Use '*' to allow any origin to access your server.
 #  
 #  Takes precedence over allow_origin_pat.
 #c.NotebookApp.allow_origin = ''

 ## Use a regular expression for the Access-Control-Allow-Origin header
 #  
 #  Requests from an origin matching the expression will get replies with:
 #  
 #      Access-Control-Allow-Origin: origin
 #  
 #  where `origin` is the origin of the request.
 #  
 #  Ignored if allow_origin is set.
 #c.NotebookApp.allow_origin_pat = ''

 ## Whether to allow the user to run the notebook as root.
 #c.NotebookApp.allow_root = False

 ## DEPRECATED use base_url
 #c.NotebookApp.base_project_url = '/'

 ## The base URL for the notebook server.
 #  
 #  Leading and trailing slashes can be omitted, and will automatically be added.
 #c.NotebookApp.base_url = '/'

 ## Specify what command to use to invoke a web browser when opening the notebook.
 #  If not specified, the default browser will be determined by the `webbrowser`
 #  standard library module, which allows setting of the BROWSER environment
 #  variable to override it.
 #c.NotebookApp.browser = ''

 ## The full path to an SSL/TLS certificate file.
 #c.NotebookApp.certfile = ''

 ## The full path to a certificate authority certificate for SSL/TLS client
 #  authentication.
 #c.NotebookApp.client_ca = ''

 ## The config manager class to use
 #c.NotebookApp.config_manager_class = 'notebook.services.config.manager.ConfigManager'

 ## The notebook manager class to use.
 #c.NotebookApp.contents_manager_class = 'notebook.services.contents.largefilemanager.LargeFileManager'

 ## Extra keyword arguments to pass to `set_secure_cookie`. See tornado's
 #  set_secure_cookie docs for details.
 #c.NotebookApp.cookie_options = {}

 ## The random bytes used to secure cookies. By default this is a new random
 #  number every time you start the Notebook. Set it to a value in a config file
 #  to enable logins to persist across server sessions.
 #  
 #  Note: Cookie secrets should be kept private, do not share config files with
 #  cookie_secret stored in plaintext (you can read the value from a file).
 #c.NotebookApp.cookie_secret = b''

 ## The file where the cookie secret is stored.
 #c.NotebookApp.cookie_secret_file = ''

 ## The default URL to redirect to from `/`
 #c.NotebookApp.default_url = '/tree'

 ## Disable cross-site-request-forgery protection
 #  
 #  Jupyter notebook 4.3.1 introduces protection from cross-site request
 #  forgeries, requiring API requests to either:
 #  
 #  - originate from pages served by this server (validated with XSRF cookie and
 #  token), or - authenticate with a token
 #  
 #  Some anonymous compute resources still desire the ability to run code,
 #  completely without authentication. These services can disable all
 #  authentication and security checks, with the full knowledge of what that
 #  implies.
 #c.NotebookApp.disable_check_xsrf = False

 ## Whether to enable MathJax for typesetting math/TeX
 #  
 #  MathJax is the javascript library Jupyter uses to render math/LaTeX. It is
 #  very large, so you may want to disable it if you have a slow internet
 #  connection, or for offline use of the notebook.
 #  
 #  When disabled, equations etc. will appear as their untransformed TeX source.
 #c.NotebookApp.enable_mathjax = True

 ## extra paths to look for Javascript notebook extensions
 #c.NotebookApp.extra_nbextensions_path = []

 ## Extra paths to search for serving static files.
 #  
 #  This allows adding javascript/css to be available from the notebook server
 #  machine, or overriding individual files in the IPython
 #c.NotebookApp.extra_static_paths = []

 ## Extra paths to search for serving jinja templates.
 #  
 #  Can be used to override templates from notebook.templates.
 #c.NotebookApp.extra_template_paths = []

 ## 
 #c.NotebookApp.file_to_run = ''

 ## Deprecated: Use minified JS file or not, mainly use during dev to avoid JS
 #  recompilation
 #c.NotebookApp.ignore_minified_js = False

 ## (bytes/sec) Maximum rate at which messages can be sent on iopub before they
 #  are limited.
 #c.NotebookApp.iopub_data_rate_limit = 1000000

 ## (msgs/sec) Maximum rate at which messages can be sent on iopub before they are
 #  limited.
 #c.NotebookApp.iopub_msg_rate_limit = 1000

 ## The IP address the notebook server will listen on.
 c.NotebookApp.ip = '0.0.0.0'

 ## Supply extra arguments that will be passed to Jinja environment.
 #c.NotebookApp.jinja_environment_options = {}

 ## Extra variables to supply to jinja templates when rendering.
 #c.NotebookApp.jinja_template_vars = {}

 ## The kernel manager class to use.
 #c.NotebookApp.kernel_manager_class = 'notebook.services.kernels.kernelmanager.MappingKernelManager'

 ## The kernel spec manager class to use. Should be a subclass of
 #  `jupyter_client.kernelspec.KernelSpecManager`.
 #  
 #  The Api of KernelSpecManager is provisional and might change without warning
 #  between this version of Jupyter and the next stable one.
 #c.NotebookApp.kernel_spec_manager_class = 'jupyter_client.kernelspec.KernelSpecManager'

 ## The full path to a private key file for usage with SSL/TLS.
 #c.NotebookApp.keyfile = ''

 ## The login handler class to use.
 #c.NotebookApp.login_handler_class = 'notebook.auth.login.LoginHandler'

 ## The logout handler class to use.
 #c.NotebookApp.logout_handler_class = 'notebook.auth.logout.LogoutHandler'

 ## The MathJax.js configuration file that is to be used.
 #c.NotebookApp.mathjax_config = 'TeX-AMS-MML_HTMLorMML-full,Safe'

 ## A custom url for MathJax.js. Should be in the form of a case-sensitive url to
 #  MathJax, for example:  /static/components/MathJax/MathJax.js
 #c.NotebookApp.mathjax_url = ''

 ## Dict of Python modules to load as notebook server extensions.Entry values can
 #  be used to enable and disable the loading ofthe extensions. The extensions
 #  will be loaded in alphabetical order.
 #c.NotebookApp.nbserver_extensions = {}

 ## The directory to use for notebooks and kernels.
 #c.NotebookApp.notebook_dir = ''

 ## Whether to open in a browser after starting. The specific browser used is
 #  platform dependent and determined by the python standard library `webbrowser`
 #  module, unless it is overridden using the --browser (NotebookApp.browser)
 #  configuration option.
 c.NotebookApp.open_browser = False

 ## Hashed password to use for web authentication.
 #  
 #  To generate, type in a python/IPython shell:
 #  
 #    from notebook.auth import passwd; passwd()
 #  
 #  The string should be of the form type:salt:hashed-password.
 c.NotebookApp.password = '{{ jupyter_password }}'

 ## Forces users to use a password for the Notebook server. This is useful in a
 #  multi user environment, for instance when everybody in the LAN can access each
 #  other's machine though ssh.
 #  
 #  In such a case, server the notebook server on localhost is not secure since
 #  any user can connect to the notebook server via ssh.
 c.NotebookApp.password_required = True

 ## The port the notebook server will listen on.
 c.NotebookApp.port = {{ jupyter_port }}

 ## The number of additional ports to try if the specified port is not available.
 #c.NotebookApp.port_retries = 0

 ## DISABLED: use %pylab or %matplotlib in the notebook to enable matplotlib.
 #c.NotebookApp.pylab = 'disabled'

 ## (sec) Time window used to  check the message and data rate limits.
 #c.NotebookApp.rate_limit_window = 3

 ## Reraise exceptions encountered loading server extensions?
 #c.NotebookApp.reraise_server_extension_failures = False

 ## DEPRECATED use the nbserver_extensions dict instead
 #c.NotebookApp.server_extensions = []

 ## The session manager class to use.
 #c.NotebookApp.session_manager_class = 'notebook.services.sessions.sessionmanager.SessionManager'

 ## Supply SSL options for the tornado HTTPServer. See the tornado docs for
 #  details.
 #c.NotebookApp.ssl_options = {}

 ## Supply overrides for terminado. Currently only supports "shell_command".
 #c.NotebookApp.terminado_settings = {}

 ## Token used for authenticating first-time connections to the server.
 #  
 #  When no password is enabled, the default is to generate a new, random token.
 #  
 #  Setting to an empty string disables authentication altogether, which is NOT
 #  RECOMMENDED.
 # c.NotebookApp.token = ''

 ## Supply overrides for the tornado.web.Application that the Jupyter notebook
 #  uses.
 #c.NotebookApp.tornado_settings = {}

 ## Whether to trust or not X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-
 #  For headerssent by the upstream reverse proxy. Necessary if the proxy handles
 #  SSL
 #c.NotebookApp.trust_xheaders = False

 ## DEPRECATED, use tornado_settings
 #c.NotebookApp.webapp_settings = {}

 ## The base URL for websockets, if it differs from the HTTP server (hint: it
 #  almost certainly doesn't).
 #  
 #  Should be in the form of an HTTP origin: ws[s]://hostname[:port]
 #c.NotebookApp.websocket_url = ''

 #------------------------------------------------------------------------------
 # ConnectionFileMixin(LoggingConfigurable) configuration
 #------------------------------------------------------------------------------

 ## Mixin for configurable classes that work with connection files

 ## JSON file in which to store connection info [default: kernel-<pid>.json]
 #  
 #  This file will contain the IP, ports, and authentication key needed to connect
 #  clients to this kernel. By default, this file will be created in the security
 #  dir of the current profile, but can be specified by absolute path.
 #c.ConnectionFileMixin.connection_file = ''

 ## set the control (ROUTER) port [default: random]
 #c.ConnectionFileMixin.control_port = 0

 ## set the heartbeat port [default: random]