bumped cloud versions, remove signup, venv improvements, ansible bump

.gitignore

@@ -1,2 +1,3 @@
 .ansible-vaultpass
 .venv/*
+.git-crypt-backup/

CLAUDE.md

@@ -17,6 +17,8 @@ This is a home infrastructure deployment repository using Ansible for automated
 - `make vault` - Edit encrypted Ansible vault file
 - `make list-tags` - List all available Ansible tags
 - `make list-tasks` - List all Ansible tasks
+- `make git-crypt-backup` - Backup git-crypt symmetric key (encrypted with GPG)
+- `make git-crypt-restore` - Restore git-crypt symmetric key from backup
 
 ### Environment Setup
 The project uses Python virtualenv for dependency management:
@@ -54,6 +56,9 @@ Containers are organized in `ansible/roles/podman/tasks/containers/`:
 - Ansible vault for encrypted secrets management
 - Password sourced from external password manager
 - Git-crypt for repository-level encryption (see `.gitattributes`)
+  - Symmetric key can be backed up locally in `.git-crypt-backup/` (encrypted with GPG)
+  - Use `make git-crypt-backup` to create a local encrypted backup
+  - Use `make git-crypt-restore` to recover from git-crypt corruption
 - SSH key-based authentication to target hosts
 - Caddy provides automatic HTTPS with LetsEncrypt certificates
 - Built-in security headers and IP-based access restrictions

Makefile

@@ -31,6 +31,7 @@ EXTRA_VARS?=
 
 ${VENV}:
 	python3 -m venv ${VENV}
+	${VENV_BIN}/python3 -m pip install --upgrade pip
 ${PIP}: ${VENV}
 
 ${ANSIBLE} ${ANSIBLE_VAULT} ${LINT_YAML}: ${VENV} requirements.txt
@@ -69,3 +70,17 @@ vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
 lint: ${LINT_YAML} ${SKIP_FILE}
 	@printf "Running yamllint...\n"
 	-@${LINT_YAML} ${YAML_FILES}
+
+# Git-crypt management
+git-crypt-backup:
+	@printf "Backing up git-crypt symmetric key...\n"
+	@mkdir -p .git-crypt-backup
+	@gpg --batch --yes -e -r 70A4AA02555DBD559189B4E0F32BE05EADAA54FC -o .git-crypt-backup/symmetric-key.gpg .git/git-crypt/keys/default
+	@printf "Backup created at .git-crypt-backup/symmetric-key.gpg\n"
+
+git-crypt-restore:
+	@printf "Restoring git-crypt symmetric key from backup...\n"
+	@mkdir -p .git/git-crypt/keys
+	@gpg --batch --yes -d .git-crypt-backup/symmetric-key.gpg > .git/git-crypt/keys/default
+	@chmod 600 .git/git-crypt/keys/default
+	@printf "Key restored. Run 'git-crypt unlock' or just checkout files.\n"

ansible/roles/podman/tasks/containers/skudak/cloud.yml

@@ -98,3 +98,13 @@
   include_tasks: podman/systemd-generate.yml
   vars:
     container_name: skudak-cloud
+
+- name: disable nextcloud signup link in config
+  become: true
+  ansible.builtin.lineinfile:
+    path: "{{ cloud_skudak_path }}/config/config.php"
+    regexp: "^\\s*'simpleSignUpLink\\.shown'\\s*=>"
+    line: "  'simpleSignUpLink.shown' => false,"
+    insertbefore: '^\);'
+    create: false
+  failed_when: false

ansible/roles/podman/tasks/main.yml

@@ -62,13 +62,13 @@
 - import_tasks: containers/home/cloud.yml
   vars:
     db_image: docker.io/library/mariadb:10.6
-    image: docker.io/library/nextcloud:31.0.6-apache
+    image: docker.io/library/nextcloud:32.0.1-apache
   tags: cloud
 
 - import_tasks: containers/skudak/cloud.yml
   vars:
     db_image: docker.io/library/mariadb:10.6
-    image: docker.io/library/nextcloud:31.0.6-apache
+    image: docker.io/library/nextcloud:32.0.1-apache
   tags: skudak, skudak-cloud
 
 - import_tasks: containers/debyltech/fulfillr.yml

requirements.txt

@@ -1,2 +1,2 @@
-ansible==11.0.0
+ansible==12.2.0
 yamllint==1.37.1