switch Authentik SMTP to use SSL instead of TLS

Also add a README.md with instructions on how to use submodules

.gitignore

@@ -1 +1,6 @@
-.*~
+*~
+abra/catalogue
+abra/recipes/*
+!abra/recipes/rtm-astro-recipe
+!abra/recipes/mapbattle-recipe
+abra/logs

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "abra/recipes/rtm-astro-recipe"]
+	path = abra/recipes/rtm-astro-recipe
+	url = https://git.coopcloud.tech/RTM/rtm-astro-recipe
+[submodule "abra/recipes/mapbattle-recipe"]
+	path = abra/recipes/mapbattle-recipe
+	url = ssh://git@git.coopcloud.tech:2222/RTM/mapbattle-recipe.git

README.md

@@ -0,0 +1,33 @@
+## Setup
+
+Members of RTM: check out the "RTM Reference" collective on our nextcloud for information on how to set up tailscale, ssh access, and user accounts on our servers. Without this, you won't be able to do operations.
+
+Once you have network access, install abra. Read the "Install" and "Quick start"/"New operators tutorial" sections of https://docs.coopcloud.tech/abra/, which will guide you through `wget`ting abra.
+
+Then, run:
+
+```
+$ git clone --recurse-submodules https://git.coopcloud.tech/RTM/rtm-config.git
+$ cd rtm-config
+$ abra server add laylotta.resisttechmonopolies.online
+$ abra server add mango.resisttechmonmopolies.online
+$ abra server add sootie.resisttechmonopolies.online
+```
+
+If you skipped the `--recurse-submodules` flag, you can still do `git submodule update --init` later to get the rtm-astro-recipe recipe.
+
+## Usage
+
+Once you've got this repo cloned and abra installed, you can run abra commands. To test:
+
+```
+$ abra app logs resisttechmonopolies.online
+```
+
+Should give a list of logs for our website! Other abra commands will work here.
+
+From here, use `abra` to make changes (and reach out to a member of our infra/member-services working group for a tutorial if you would like!). Then, contribute your git changes back to this repository so everyone else sees what you've done and doesn't clobber your changes.
+
+## Dev environment
+
+Sootie is our dev server. If you would like to experiment with changes and fuck around there, use sootie! The implication here is that sootie has a greater chance of having uncommitted changes in its environment than other servers, and that these changes are safe to clobber over.

abra/servers/laylotta.resisttechmonopolies.online/auth.resisttechmonopolies.online.env

@@ -1,4 +1,4 @@
-TYPE=authentik:7.4.0+2025.6.3
+TYPE=authentik:11.0.4+2026.2.1
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 POST_DEPLOY_CMDS="worker set_admin_pass"
@@ -25,11 +25,11 @@ AUTHENTIK_LOG_LEVEL=info
 AUTHENTIK_BOOTSTRAP_EMAIL=ammar@ammaratef45.ddns.net
 
 ## EMAIL
-AUTHENTIK_EMAIL__HOST=smtp.protonmail.ch
-AUTHENTIK_EMAIL__PORT=587
+AUTHENTIK_EMAIL__HOST=mail.resisttechmonopolies.online
+AUTHENTIK_EMAIL__PORT=465
 AUTHENTIK_EMAIL__USERNAME="besties@resisttechmonopolies.online"
-AUTHENTIK_EMAIL__USE_TLS=true
-AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__USE_SSL=true
 AUTHENTIK_EMAIL__TIMEOUT=10
 AUTHENTIK_EMAIL__FROM=besties@resisttechmonopolies.online
 
@@ -38,7 +38,7 @@ SECRET_SECRET_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_TOKEN_VERSION=v1
 SECRET_ADMIN_PASS_VERSION=v1
-SECRET_EMAIL_PASS_VERSION=v2
+SECRET_EMAIL_PASS_VERSION=v5
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 

abra/servers/laylotta.resisttechmonopolies.online/headscale.laylotta.resisttechmonopolies.online.env

@@ -0,0 +1,29 @@
+TYPE=headscale:00a12a21
+
+DOMAIN=headscale.laylotta.resisttechmonopolies.online
+
+## Domain aliases
+#EXTRA_DOMAINS=', `www.headscale.laylotta.resisttechmonopolies.online`'
+
+LETS_ENCRYPT_ENV=production
+
+COMPOSE_FILE="compose.yml"
+
+# Defines the base domain to create the hostnames for MagicDNS.
+BASE_DOMAIN=rtm.online
+
+# set this to true to enable using the built-in DERP rather than tailscale's
+ENABLE_DERP=true
+
+# enable oidc
+OIDC_ENABLED=1
+OIDC_ISSUER=https://auth.resisttechmonopolies.online/application/o/headscale/
+SECRET_OIDC_CLIENT_KEY_VERSION=v1
+COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+
+# See https://git.coopcloud.tech/coop-cloud/backup-bot-two
+ENABLE_BACKUPS=true
+
+## allow cron updater
+COMPOSE_FILE="$COMPOSE_FILE:compose.dns.yml"
+DNS_REPO=RTM/sootie-dynamic-dns

abra/servers/laylotta.resisttechmonopolies.online/loomio.resisttechmonopolies.online.env

@@ -1,4 +1,4 @@
-TYPE=loomio:5.1.2+v3.0.0
+TYPE=loomio:5.2.0+v3.0.20
 COMPOSE_FILE="compose.yml"
 
 DOMAIN=loomio.resisttechmonopolies.online
@@ -10,13 +10,13 @@ LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 SUPPORT_EMAIL=besties@resisttechmonopolies.online
 SMTP_AUTH=plain
-SMTP_DOMAIN=smtp.protonmail.ch
-SMTP_SERVER=smtp.protonmail.ch
-SMTP_PORT=587
+SMTP_DOMAIN=mail.resisttechmonopolies.online
+SMTP_SERVER=mail.resisttechmonopolies.online
+SMTP_PORT=465
 SMTP_USERNAME=besties@resisttechmonopolies.online
-# SMTP_USE_SSL=1
+SMTP_USE_SSL=1
 # to disable SSL comment out line rather than changing to 0
-SECRET_SMTP_PASSWORD_VERSION=v2
+SECRET_SMTP_PASSWORD_VERSION=v4
 
 
 # From field for notification e-mails
@@ -104,4 +104,4 @@ OAUTH_ATTR_UID=email
 OAUTH_ATTR_NAME=name
 OAUTH_ATTR_EMAIL=email
 OAUTH_LOGIN_PROVIDER_NAME="loomio SSO"
-SECRET_OAUTH_APP_SECRET_VERSION=v2
+SECRET_OAUTH_APP_SECRET_VERSION=v2

abra/servers/laylotta.resisttechmonopolies.online/m.laylotta.resisttechmonopolies.online.env

@@ -0,0 +1,84 @@
+TYPE=monitoring-ng:23b13cb8
+LETS_ENCRYPT_ENV=production
+COMPOSE_FILE=compose.yml
+DOMAIN=m.laylotta.resisttechmonopolies.online
+TIMEOUT=120
+ENABLE_BACKUPS=true
+
+## Enable this secret for Promtail / Prometheus
+SECRET_BASIC_AUTH_VERSION=v1
+
+## Promtail (Gathering Logs)
+COMPOSE_FILE="$COMPOSE_FILE:compose.promtail.yml"
+LOKI_PUSH_URL=https://loki.${DOMAIN}/loki/api/v1/push
+
+## Expose node and cadvisor ports instead of traefik
+COMPOSE_FILE="$COMPOSE_FILE:compose.expose-ports.yml"
+
+# Monitoring Server
+#
+## Prometheus
+COMPOSE_FILE="$COMPOSE_FILE:compose.prometheus.yml"
+PROMETHEUS_RETENTION_TIME=1y
+
+## Prometheus Pushgateway
+COMPOSE_FILE="$COMPOSE_FILE:compose.pushgateway.yml"
+
+## Loki
+# Loki Server
+COMPOSE_FILE="$COMPOSE_FILE:compose.loki.yml"
+
+# Set to 0 to disable retention
+LOKI_RETENTION_PERIOD=744h
+LOKI_STORAGE_FILESYSTEM=1
+
+## S3 Storage
+# LOKI_STORAGE_S3=1
+# LOKI_AWS_ENDPOINT=https://minio.autonomic.zone
+# LOKI_AWS_REGION=eu-west-1
+# LOKI_ACCESS_KEY_ID=bush-debrief-approval-robust-scraggly-molecule
+# LOKI_BUCKET_NAMES=loki
+# SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
+#
+## Grafana
+#
+# COMPOSE_FILE="$COMPOSE_FILE:compose.grafana.yml"
+# GF_SERVER_ROOT_URL=https://monitoring.example.com
+# SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
+## Seperate domain for Grafana
+#GRAFANA_DOMAIN=grafana.example.com
+#
+## Single-Sign-On with OIDC
+# OIDC_ENABLED=1
+# SECRET_GRAFANA_OIDC_CLIENT_SECRET_VERSION=v1
+# OIDC_CLIENT_ID=grafana
+# OIDC_AUTH_URL="https://authentik.example.com/application/o/authorize/"
+# OIDC_API_URL="https://authentik.example.com/application/o/userinfo/"
+# OIDC_TOKEN_URL="https://authentik.example.com/application/o/token/"
+#
+## Additional grafana settings (unlikely to require editing)
+# GF_SECURITY_ALLOW_EMBEDDING=1
+# GF_INSTALL_PLUGINS=grafana-piechart-panel
+#
+## grafana SMTP configuration (optional)
+# GF_SMTP_HOST=changeme
+# GF_SMTP_USER=changme
+# GF_SMTP_ENABLED=true
+# GF_SMTP_FROM_ADDRESS=grafana@example.com
+# GF_SMTP_SKIP_VERIFY=false
+# SECRET_GRAFANA_SMTP_PASSWORD_VERSION=v1
+#
+
+## Grafana Matrix Contact Point (optional)
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix-alertmanager-receiver.yml"
+#SECRET_MATRIX_ACCESS_TOKEN_VERSION=v1
+#GF_MATRIX_USER_ID="<user-id>"
+#GF_MATRIX_ROOM_ID="<room-id>"
+#GF_MATRIX_HOMESERVER_URL="<homeserver-url>"
+
+# ALerts
+#ALERT_BACKUP_FAILED_ENABLED=true
+#ALERT_BACKUP_MISSING_ENABLED=true
+#ALERT_BACKUP_NOT_SUCCESSFULL_ENABLED=true
+#ALERT_NODE_DISK_SPACE_ENABLED=true
+#ALERT_NODE_MEMORY_USAGE_ENABLED=true

abra/servers/laylotta.resisttechmonopolies.online/m.laylotta.resisttechmonopolies.online.scrape-config.yml

@@ -0,0 +1,6 @@
+# https://git.coopcloud.tech/coop-cloud/monitoring-ng/src/branch/main/scrape-config.example.yml
+# https://prometheus.io/docs/prometheus/latest/getting_started/#configure-prometheus-to-monitor-the-sample-targets
+- targets
+  - 'm.laylotta.resisttechmonopolies.online:8082'
+  - 'node.m.laylotta.resisttechmonopolies.online'
+  - 'cadvisor.m.laylotta.resisttechmonopolies.online'

abra/servers/laylotta.resisttechmonopolies.online/mail.resisttechmonopolies.online.env

@@ -4,7 +4,7 @@
 ###############################################################################
 # BOILERPLATE SETTINGS (shouldn't need to change these)                       #
 ###############################################################################
-TYPE=mailu:23309a1a+U
+TYPE=mailu:3.0.1+2024.06.37
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 

abra/servers/laylotta.resisttechmonopolies.online/nextcloud.resisttechmonopolies.online.occ

@@ -19,3 +19,5 @@ abra app command nextcloud.resisttechmonopolies.online app run_occ "'db:add-miss
 #     Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code of the region to your config file.
 # Solution found at: https://help.nextcloud.com/t/your-installation-has-no-default-phone-region-set/153632/3
 abra app command nextcloud.resisttechmonopolies.online app run_occ "'config:system:set default_phone_region --value=\"us\"'"
+# move shared folder: "Node for share not found": https://github.com/nextcloud/server/issues/46467#issuecomment-2336672900
+abra app command nextcloud.resisttechmonopolies.online app run_occ "'sharing:delete-orphan-shares'"

abra/servers/laylotta.resisttechmonopolies.online/resisttechmonopolies.online.env

@@ -0,0 +1,9 @@
+TYPE=rtm-astro-recipe:6e6418fb
+
+DOMAIN=resisttechmonopolies.online
+
+## Domain aliases
+#EXTRA_DOMAINS=', `www.website.resisttechmonopolies.online`'
+
+LETS_ENCRYPT_ENV=production
+VERSION=0.0.21

abra/servers/laylotta.resisttechmonopolies.online/scj.laylotta.resisttechmonopolies.online.env

@@ -0,0 +1,5 @@
+RECIPE=swarm-cronjob:1.11.0+1.15.0
+
+TZ=UTC
+LOG_LEVEL=info
+LOG_JSON=false

abra/servers/laylotta.resisttechmonopolies.online/shlink.resisttechmonopolies.online.env

@@ -1,4 +1,4 @@
-TYPE=shlink:21d93464
+TYPE=shlink:0.1.0+4.4
 
 DOMAIN=shlink.resisttechmonopolies.online
 

abra/servers/laylotta.resisttechmonopolies.online/t.laylotta.resisttechmonopolies.online.env

@@ -96,9 +96,9 @@ COMPOSE_FILE="compose.yml"
 
 ## BASIC_AUTH
 ## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1
+COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+BASIC_AUTH=1
+SECRET_USERSFILE_VERSION=v1
 
 #####################################################################
 # Prometheus metrics                                                #

abra/servers/mango.resisttechmonopolies.online/bbt.mango.resisttechmonopolies.online.env

@@ -0,0 +1,34 @@
+TYPE=backup-bot-two:2.3.0+2.3.0-beta
+
+SECRET_RESTIC_PASSWORD_VERSION=v1
+
+COMPOSE_FILE=compose.yml
+
+RESTIC_REPOSITORY=/backups/restic
+
+CRON_SCHEDULE='30 3 * * *'
+
+# Push Notifiactions
+#PUSH_URL_START=https://status.example.com/api/push/xxxxxxxxxx?status=up&msg=start
+#PUSH_URL_SUCCESS=https://status.example.com/api/push/xxxxxxxxxx?status=up&msg=OK
+#PUSH_URL_FAIL=https://status.example.com/api/push/xxxxxxxxxx?status=down&msg=fail
+
+# swarm-cronjob, instead of built-in cron
+#COMPOSE_FILE="$COMPOSE_FILE:compose.swarm-cronjob.yml"
+
+# SSH storage
+#SECRET_SSH_KEY_VERSION=v1
+#SSH_HOST_KEY="hostname ssh-rsa AAAAB3...
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ssh.yml"
+
+# S3 storage
+#SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
+#AWS_ACCESS_KEY_ID=something-secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
+
+# Secret restic repository
+# use a secret to store the RESTIC_REPOSITORY if the repository location contains a secret value
+# i.E rest:https://user:SECRET_PASSWORD@host:8000/
+# it overwrites the RESTIC_REPOSITORY variable
+SECRET_RESTIC_REPO_VERSION=v2
+COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"

abra/servers/mango.resisttechmonopolies.online/uk.mango.resisttechmonopolies.online.env

@@ -1,4 +1,4 @@
-TYPE=uptime-kuma:2.0.0+2.0.0-beta.1
+TYPE=uptime-kuma:3.0.0+2.2.1
 COMPOSE_FILE="compose.yml"
 LETS_ENCRYPT_ENV=production
 

abra/servers/mango.resisttechmonopolies.online/vw.resisttechmonopolies.online.env

@@ -1,4 +1,4 @@
-TYPE=vaultwarden:2.1.1+1.34.3
+TYPE=vaultwarden:2.1.3+1.35.4
 
 DOMAIN=vw.resisttechmonopolies.online
 LETS_ENCRYPT_ENV=production

abra/servers/resisttechmonopolies.online/draupnir.resisttechmonopolies.online.env

@@ -1,31 +0,0 @@
-TYPE=draupnir:785815dd+U
-
-DOMAIN=draupnir.resisttechmonopolies.online
-
-## Domain aliases
-#EXTRA_DOMAINS=', `www.draupnir.resisttechmonopolies.online`'
-
-LETS_ENCRYPT_ENV=production
-
-HOME_SERVER_URL="https://matrix.resisttechmonopolies.online"
-RAW_HOMESERVER_URL="https://matrix.resisttechmonopolies.online"
-DRAUPNIR_LOG_LEVEL="DEBUG"
-
-# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
-#
-# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
-#
-# This should be a room alias or room ID - not a matrix.to URL.
-#
-# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
-# (see verboseLogging to adjust this a bit.)
-MANAGEMENT_ROOM="!KTOGIJKnLqziezPzuO:matrix.org" 
-
-# If true (the default), Draupnir will only accept invites from users present in managementRoom.
-AUTO_JOIN_ONLY_IF_MANAGER=true
-
-# If `autojoinOnlyIfManager` is false, only the members in this space can invite
-# the bot to new rooms.
-# ACCEPT_INVITES_FROM_SPACE="!example:example.org"
-
-ACCESS_TOKEN_VERSION=v1

abra/servers/resisttechmonopolies.online/resisttechmonopolies.online.env

@@ -1,10 +0,0 @@
-TYPE=rtm-astro-recipe:6e6418f
-
-DOMAIN=resisttechmonopolies.online
-
-## Domain aliases
-#EXTRA_DOMAINS=', `www.resisttechmonopolies.online`'
-
-LETS_ENCRYPT_ENV=production
-
-VERSION=0.0.10

abra/servers/sootie.resisttechmonopolies.online/scj.sootie.resisttechmonopolies.online.env

@@ -0,0 +1,5 @@
+RECIPE=swarm-cronjob:1.11.0+1.15.0
+
+TZ=UTC
+LOG_LEVEL=info
+LOG_JSON=false