diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 7d69096..0a0e925 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -6,7 +6,7 @@
hostname: pi
timezone: Europe/Copenhagen
hdd_name: storage
-hdd_mount_point: "/opt/{{ hdd_name }}"
+hdd_mount_point: /opt/{{ hdd_name }}
ssd_name: pi-ssd
-ssd_mount_point: "/opt/{{ ssd_name }}"
+ssd_mount_point: /opt/{{ ssd_name }}
diff --git a/playbook.yml b/playbook.yml
index 72b11f4..9ff64ca 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -4,13 +4,13 @@
hosts: all
gather_facts: true
become: true
- tasks:
- name: Run OS configuration role
import_role:
name: os_config
tags:
- os
+ - name: Run Docker role
import_role:
name: docker
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 1b23cab..479f099 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -13,26 +13,26 @@
services:
restic:
repo: /restic
- version: 1.6
+ version: '1.6'
nextcloud:
- domain: "cloud.{{ base_domain }}"
+ domain: cloud.{{ base_domain }}
volume: "{{ base_volume }}/nextcloud"
version: 25-apache
postgres_version: 14-alpine
redis_version: 7-alpine
emby:
- domain: "watch.{{ base_domain }}"
+ domain: watch.{{ base_domain }}
volume: "{{ base_volume }}/emby"
version: latest
monerod:
- domain: "xmr.{{ base_domain }}"
+ domain: xmr.{{ base_domain }}
version: latest
wireguard:
- domain: "wg01.vpn.{{ base_domain }}"
+ domain: wg01.vpn.{{ base_domain }}
volume: "{{ base_volume }}/wireguard"
version: arm64v8-alpine
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index b43f2ce..37cfd6a 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -2,7 +2,7 @@
---
- name: Add Docker PGP key
apt_key:
- keyserver: keys.openpgp.org
+ keyserver: keyserver.ubuntu.com
id: '0x8D81803C0EBFCD88'
state: present
diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml
index 2f95cfc..24bb2ef 100644
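Review bot: The key is still fetched by its 16-hex-digit long ID (`id: '0x8D81803C0EBFCD88'`) and the hunk only swaps which keyserver answers the lookup; a keyserver hands back whatever key matches that ID, so `id` should carry the full 40-hex fingerprint that Docker publishes in its install documentation (the long ID used here is its last 16 hex digits), which is what `apt_key` then verifies on import. Separately, `apt_key` writes into the deprecated apt-key trusted store; the current form is to download the key from Docker's own HTTPS endpoint into `/etc/apt/keyrings` and reference it with `signed-by=` in the repository entry, which removes the dependency on a third-party keyserver altogether. The task is fully inside the hunk; the repository task that consumes this key is outside the diff.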
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@@ -33,11 +33,11 @@
state: present
- name: Deploy services
- include_tasks: "services/{{ item.service }}.yml"
- loop: "{{ services | dict2items(key_name='service') }}"
+ include_tasks: services/{{ item.key }}.yml
+ loop: "{{ services | dict2items }}"
when: single_service is not defined
- name: Deploy single service
- include_tasks: "services/{{ single_service }}.yml"
+ include_tasks: services/{{ single_service }}.yml
when: single_service is defined and single_service in services
diff --git a/roles/docker/tasks/services/caddy.yml b/roles/docker/tasks/services/caddy.yml
index 5b64bfb..bf55b08 100644
--- a/roles/docker/tasks/services/caddy.yml
+++ b/roles/docker/tasks/services/caddy.yml
@@ -22,14 +22,14 @@
- name: Deploy Caddy Docker container
docker_container:
name: caddy
- image: "caddy:{{ services.caddy.version }}"
+ image: caddy:{{ services.caddy.version }}
restart_policy: unless-stopped
networks:
- name: services
ipv4_address: 172.16.0.2
published_ports:
- - '80:80/tcp'
- - '443:443/tcp'
+ - 80:80/tcp
+ - 443:443/tcp
volumes:
- "{{ services.caddy.volume }}/Caddyfile:/etc/caddy/Caddyfile:ro"
- "{{ services.caddy.volume }}/config:/config:rw"
diff --git a/roles/docker/tasks/services/emby.yml b/roles/docker/tasks/services/emby.yml
index a3c2eb0..e5e6555 100644
--- a/roles/docker/tasks/services/emby.yml
+++ b/roles/docker/tasks/services/emby.yml
@@ -16,7 +16,7 @@
- name: Deploy Emby Docker container
docker_container:
name: emby_app
- image: "emby/embyserver_arm64v8:{{ services.emby.version }}"
+ image: emby/embyserver_arm64v8:{{ services.emby.version }}
restart_policy: unless-stopped
env:
UID: '1000'
@@ -30,6 +30,6 @@
- "{{ services.emby.volume }}/tvshows:/mnt/share1:rw"
- "{{ services.emby.volume }}/movies:/mnt/share2:rw"
published_ports:
- - '8096:8096'
+ - 0.0.0.0:8096:8096/tcp
devices:
- /dev/vchiq:/dev/vchiq # MMAL/OMX on Raspberry Pi
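Review bot: When `single_service` is defined but is not a key of `services`, both tasks are skipped and the play finishes green without deploying anything, so a typo in the extra-var goes unnoticed; a guard before the two includes would surface it: `- fail:` / `msg: "Unknown service: {{ single_service }}"` / `when: single_service is defined and single_service not in services`. The `single_service in services` condition is also what keeps `include_tasks: services/{{ single_service }}.yml` restricted to the known task files, so it should stay in place even after such a guard is added. Both tasks are fully inside the hunk.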
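Review bot: `- 0.0.0.0:8096:8096/tcp` now states an explicit bind to every host interface, and Docker implements published ports with its own nat/FORWARD iptables rules that UFW's INPUT rules do not govern, so the allow-list in roles/os_config/tasks/firewall.yml (which does not mention 8096) does not restrict who can reach Emby. If the port is only needed for LAN clients, binding to the LAN address (or to `127.0.0.1` when Caddy is expected to proxy Emby over the `services` network) narrows the exposure; if host-wide exposure is intended, a comment such as `# bound to all interfaces on purpose: direct LAN/DLNA access, not proxied by Caddy` next to the line records the decision. This is also the only service in the diff that spells out a bind address, so the others (`80:80/tcp`, `18080:18080/tcp`, `51820:51820/udp`) default to the same all-interfaces behaviour without saying so. The container definition starts before the hunk.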
diff --git a/roles/docker/tasks/services/monerod.yml b/roles/docker/tasks/services/monerod.yml
index f6fcad7..e9d80f5 100644
--- a/roles/docker/tasks/services/monerod.yml
+++ b/roles/docker/tasks/services/monerod.yml
@@ -8,7 +8,7 @@
- name: Deploy Monero node Docker container
docker_container:
name: monerod_node
- image: "sethsimmons/simple-monerod:{{ services.monerod.version }}"
+ image: sethsimmons/simple-monerod:{{ services.monerod.version }}
restart_policy: unless-stopped
networks:
- name: services
@@ -17,4 +17,4 @@
volumes:
- monerod-node-blockchain:/home/monero/.bitmonero:rw
published_ports:
- - '18080:18080'
+ - 18080:18080/tcp
diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml
index 432413f..e77a37c 100644
--- a/roles/docker/tasks/services/nextcloud.yml
+++ b/roles/docker/tasks/services/nextcloud.yml
@@ -17,7 +17,7 @@
- name: Copy Apache2 config files
copy:
- src: "nextcloud/apache2/{{ file }}"
+ src: nextcloud/apache2/{{ file }}
dest: "{{ services.nextcloud.volume }}/apache2/{{ file }}"
owner: root
mode: u=rw,g=r,o=r
@@ -36,7 +36,7 @@
services:
postgres:
- image: "postgres:{{ services.nextcloud.postgres_version }}"
+ image: postgres:{{ services.nextcloud.postgres_version }}
restart: unless-stopped
environment:
POSTGRES_DB: nextcloud
@@ -46,14 +46,14 @@
- "{{ services.nextcloud.volume }}/postgres:/var/lib/postgresql/data:rw"
redis:
- image: "redis:{{ services.nextcloud.redis_version }}"
+ image: redis:{{ services.nextcloud.redis_version }}
restart: unless-stopped
- command: "redis-server --requirepass {{ secrets.nextcloud.redis_pw }}"
+ command: redis-server --requirepass {{ secrets.nextcloud.redis_pw }}
tmpfs:
- /var/lib/redis
cron:
- image: "nextcloud:{{ services.nextcloud.version }}"
+ image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
entrypoint: /cron.sh
volumes:
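Review bot: `command: redis-server --requirepass {{ secrets.nextcloud.redis_pw }}` puts the Redis password on the container's command line, where it is readable via `docker inspect` and the host process list, and because compose splits a string-form `command` with shell word rules a password containing spaces or quotes breaks the invocation regardless of the YAML quoting this hunk removes. The list form `command: ["redis-server", "--requirepass", "{{ secrets.nextcloud.redis_pw }}"]` fixes the splitting; keeping the secret out of process listings needs a mounted `redis.conf` with `requirepass` (root-owned, mode 0600) instead of a flag. If this task is not already under `no_log: true`, the rendered definition, password included, will also appear in verbose Ansible output. The compose definition continues outside the hunk.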
@@ -63,7 +63,7 @@
- redis
app:
- image: "nextcloud:{{ services.nextcloud.version }}"
+ image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
environment:
POSTGRES_HOST: postgres
diff --git a/roles/docker/tasks/services/restic.yml b/roles/docker/tasks/services/restic.yml
index 0c9fa1b..51c1989 100644
--- a/roles/docker/tasks/services/restic.yml
+++ b/roles/docker/tasks/services/restic.yml
@@ -9,12 +9,12 @@
services:
backup:
- image: "mazzolino/restic:{{ services.restic.version }}"
+ image: mazzolino/restic:{{ services.restic.version }}
restart: unless-stopped
environment:
RUN_ON_STARTUP: 'false'
- BACKUP_CRON: '0 0 3 * * *'
- RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}"
+ BACKUP_CRON: 0 0 3 * * *
+ RESTIC_REPOSITORY: b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}
RESTIC_PASSWORD: "{{ secrets.restic.repo_pw }}"
RESTIC_BACKUP_SOURCES: /mnt/volumes
RESTIC_BACKUP_ARGS: >-
@@ -35,12 +35,12 @@
- "{{ services.emby.volume }}/programdata:/mnt/volumes/emby/programdata:ro"
prune:
- image: "mazzolino/restic:{{ services.restic.version }}"
+ image: mazzolino/restic:{{ services.restic.version }}
restart: unless-stopped
environment:
RUN_ON_STARTUP: 'false'
- PRUNE_CRON: '0 0 4 * * *'
- RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}"
+ PRUNE_CRON: 0 0 4 * * *
+ RESTIC_REPOSITORY: b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}
RESTIC_PASSWORD: "{{ secrets.restic.repo_pw }}"
RESTIC_PRUNE_ARGS: >-
--verbose
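Review bot: `BACKUP_CRON: 0 0 3 * * *` stays a string only because its first character is a digit; a cron expression that starts with `*` (e.g. `*/30 * * * * *`) would be read as a YAML alias and fail to load, so cron fields are a case where the removed quotes were doing work, unlike the image tags unquoted elsewhere in this commit. The same applies to `PRUNE_CRON` in the following hunk and `CHECK_CRON` in the next file chunk; keeping `BACKUP_CRON: '0 0 3 * * *'`, as `RUN_ON_STARTUP: 'false'` was kept, is the consistent choice. The `environment` mapping continues past the hunk end (`RESTIC_BACKUP_ARGS: >-` is cut off).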
@@ -49,12 +49,12 @@
TZ: "{{ timezone }}"
check:
- image: "mazzolino/restic:{{ services.restic.version }}"
+ image: mazzolino/restic:{{ services.restic.version }}
restart: unless-stopped
environment:
RUN_ON_STARTUP: 'false'
- CHECK_CRON: '0 0 5 * * *'
- RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}"
+ CHECK_CRON: 0 0 5 * * *
+ RESTIC_REPOSITORY: b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}
RESTIC_PASSWORD: "{{ secrets.restic.repo_pw }}"
RESTIC_CHECK_ARGS: >-
--verbose
diff --git a/roles/docker/tasks/services/snowflake.yml b/roles/docker/tasks/services/snowflake.yml
index 928a5c1..06eb27c 100644
--- a/roles/docker/tasks/services/snowflake.yml
+++ b/roles/docker/tasks/services/snowflake.yml
@@ -3,6 +3,6 @@
- name: Deploy snowflake-proxy Docker container
docker_container:
name: snowflake-proxy
- image: "thetorproject/snowflake-proxy:{{ services.snowflake.version }}"
+ image: thetorproject/snowflake-proxy:{{ services.snowflake.version }}
restart_policy: unless-stopped
network_mode: host
diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml
index c610f1d..c03b3c1 100644
--- a/roles/docker/tasks/services/watchtower.yml
+++ b/roles/docker/tasks/services/watchtower.yml
@@ -3,7 +3,7 @@
- name: Deploy Watchtower Docker container
docker_container:
name: watchtower
- image: "containrrr/watchtower:{{ services.watchtower.version }}"
+ image: containrrr/watchtower:{{ services.watchtower.version }}
restart_policy: unless-stopped
env:
WATCHTOWER_POLL_INTERVAL: '3600'
diff --git a/roles/docker/tasks/services/wireguard.yml b/roles/docker/tasks/services/wireguard.yml
index f6266af..05298b6 100644
--- a/roles/docker/tasks/services/wireguard.yml
+++ b/roles/docker/tasks/services/wireguard.yml
@@ -10,7 +10,7 @@
- name: Deploy Wireguard Docker container
docker_container:
name: wireguard
- image: "linuxserver/wireguard:{{ services.wireguard.version }}"
+ image: linuxserver/wireguard:{{ services.wireguard.version }}
restart_policy: unless-stopped
env:
SERVERURL: "{{ services.wireguard.domain }}"
@@ -22,7 +22,7 @@
- "{{ services.wireguard.volume }}:/config:rw"
- /lib/modules:/lib/modules:rw
published_ports:
- - '51820:51820/udp'
+ - 51820:51820/udp
capabilities:
- net_admin
- sys_module
diff --git a/roles/os_config/handlers/main.yml b/roles/os_config/handlers/main.yml
index 0fbb6b4..e531692 100644
--- a/roles/os_config/handlers/main.yml
+++ b/roles/os_config/handlers/main.yml
@@ -3,30 +3,30 @@
- name: Create .env for apt-update-push
template:
src: env.j2
- dest: "/home/{{ ansible_user }}/apt-update-push/.env"
+ dest: /home/{{ ansible_user }}/apt-update-push/.env
owner: root
mode: u=rw,go=
listen: apt-update-push
- name: Install apt-update-push
- command: "/home/{{ ansible_user }}/apt-update-push/install.sh"
+ command: /home/{{ ansible_user }}/apt-update-push/install.sh
listen: apt-update-push
- name: Change GPIO_PIN
lineinfile:
regexp: '^GPIO_PIN = '
line: GPIO_PIN = 14
- dest: "/home/{{ ansible_user }}/pi-fan-controller/fancontrol.py"
+ dest: /home/{{ ansible_user }}/pi-fan-controller/fancontrol.py
listen: pi-fan-controller
- name: Install requirements for pi-fan-controller
pip:
- requirements: "/home/{{ ansible_user }}/pi-fan-controller/requirements.txt"
+ requirements: /home/{{ ansible_user }}/pi-fan-controller/requirements.txt
executable: pip3
listen: pi-fan-controller
- name: Install pi-fan-controller
- command: "/home/{{ ansible_user }}/pi-fan-controller/script/install"
+ command: /home/{{ ansible_user }}/pi-fan-controller/script/install
listen: pi-fan-controller
- name: Restart sshd
diff --git a/roles/os_config/tasks/base.yml b/roles/os_config/tasks/base.yml
index ca83195..144682e 100644
--- a/roles/os_config/tasks/base.yml
+++ b/roles/os_config/tasks/base.yml
@@ -30,7 +30,7 @@
- name: Clone apt-update-push
git:
- dest: "/home/{{ ansible_user }}/apt-update-push"
+ dest: /home/{{ ansible_user }}/apt-update-push
repo: https://github.com/samsapti/apt-update-push.git
clone: true
update: true
@@ -41,7 +41,7 @@
- name: Clone pi-fan-controller
git:
- dest: "/home/{{ ansible_user }}/pi-fan-controller"
+ dest: /home/{{ ansible_user }}/pi-fan-controller
repo: https://github.com/Howchoo/pi-fan-controller.git
clone: true
update: false
diff --git a/roles/os_config/tasks/disks.yml b/roles/os_config/tasks/disks.yml
index b78947f..8f81201 100644
--- a/roles/os_config/tasks/disks.yml
+++ b/roles/os_config/tasks/disks.yml
@@ -19,8 +19,8 @@
fstype: ext4
state: present
loop:
- "/dev/mapper/{{ hdd_name }}"
- "/dev/mapper/{{ ssd_name }}"
+ /dev/mapper/{{ hdd_name }}
+ /dev/mapper/{{ ssd_name }}
when: ansible_mounts | selectattr('device', 'eq', item) | length == 0
- name: Mount filesystems
@@ -31,9 +31,9 @@
fstab: /tmp/fstab.ansible
state: mounted
loop:
- dev: "/dev/mapper/{{ hdd_name }}"
+ dev: /dev/mapper/{{ hdd_name }}
path: "{{ hdd_mount_point }}"
- dev: "/dev/mapper/{{ ssd_name }}"
+ dev: /dev/mapper/{{ ssd_name }}
path: "{{ ssd_mount_point }}"
when: ansible_mounts | selectattr('device', 'eq', item.dev) | length == 0
diff --git a/roles/os_config/tasks/firewall.yml b/roles/os_config/tasks/firewall.yml
index 0e7f073..9a72129 100644
--- a/roles/os_config/tasks/firewall.yml
+++ b/roles/os_config/tasks/firewall.yml
@@ -6,12 +6,12 @@
port: "{{ item.port }}"
proto: "{{ item.proto | default('tcp') }}"
loop:
- port: 22 # SSH
- port: 80 # HTTP
- port: 443 # HTTPS
- port: 18080 # monerod P2P
- port: 18089 # monerod RPC
- port: 51820 # Wireguard
+ port: '22' # SSH
+ port: '80' # HTTP
+ port: '443' # HTTPS
+ port: '18080' # monerod P2P
+ port: '18089' # monerod RPC
+ port: '51820' # Wireguard
proto: udp
- name: Enable UFW
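Review bot: The clone of `https://github.com/samsapti/apt-update-push.git` has `update: true` and no `version:`, so every play run pulls whatever is on the upstream default branch, and the `Install apt-update-push` handler in roles/os_config/handlers/main.yml then runs `install.sh` from that checkout under the play's `become: true`; anything that lands on that branch executes as root on the host. Pinning with `version: "<pinned commit sha>"` and bumping it deliberately keeps that decision in this repository. The pi-fan-controller clone has `update: false`, which avoids silent re-pulls but still takes an unpinned HEAD on first clone, so it benefits from the same `version:` line. Both `git` tasks are fully inside their hunks.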
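Review bot: Quoting the ports as strings is what the `ufw` module expects, but 80/443, 18080 and 51820 in this list are ports published by Docker containers elsewhere in the diff, and Docker implements published ports with its own nat/FORWARD iptables rules that UFW's INPUT rules neither enable nor block, so these allow entries are not what makes those ports reachable and UFW could not close them either. If UFW is meant to be the single point of control, the usual options are binding published ports to a specific address, adding rules to the DOCKER-USER chain, or running the daemon with `"iptables": false` in daemon.json; at minimum a comment on `loop:` such as `# 80/443/18080/51820 are container-published; Docker's iptables rules bypass these UFW entries` records the gap. 18089 (monerod RPC) is opened here but no hunk in this diff shows it being published, so it may be a stale entry worth confirming. The task's first lines are above the hunk.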