Compare commits
49 commits
Author | SHA1 | Date | |
---|---|---|---|
88bf9fc54e | |||
569cce616b | |||
ac17b9723b | |||
f0bf44be26 | |||
74a10e95ea | |||
e1ee73e0fa | |||
b48f31cc86 | |||
8b40399358 | |||
c25d5c3181 | |||
989258833e | |||
ad00bcf368 | |||
7c9b228b79 | |||
5f15fe0d84 | |||
b8f8548cdf | |||
e87d82e240 | |||
4990f65fbc | |||
bd168af256 | |||
77415c6c6e | |||
cdc351013a | |||
ce74419b79 | |||
6b483678e4 | |||
58bb364aba | |||
752ada00ff | |||
6f405ef800 | |||
283d5bd0d4 | |||
d8e3d393fc | |||
19964ce161 | |||
e26e79981e | |||
74c509cbce | |||
86934e3326 | |||
45b816dba4 | |||
df43e412f3 | |||
94b229abd0 | |||
4e07e1c8dc | |||
3e355e6715 | |||
7ff8c46c0c | |||
1e25a56cc5 | |||
0e5c8104e2 | |||
3baf591a46 | |||
d10e1c7534 | |||
3111c69814 | |||
3ca2b50307 | |||
d5a7a61171 | |||
25cd394f08 | |||
b50840a2ee | |||
cdaa626068 | |||
66036cd301 | |||
5706a97b4d | |||
e57f1ea13b |
116 changed files with 950 additions and 950 deletions
|
@ -5,8 +5,11 @@ retry_files_enabled = False
|
||||||
roles_path = $PWD/galaxy_roles:$PWD/roles
|
roles_path = $PWD/galaxy_roles:$PWD/roles
|
||||||
collections_path = $PWD/galaxy_collections
|
collections_path = $PWD/galaxy_collections
|
||||||
inventory = ./hosts
|
inventory = ./hosts
|
||||||
become_ask_pass = True
|
|
||||||
interpreter_python = auto_silent
|
interpreter_python = auto_silent
|
||||||
|
|
||||||
|
[privilege_escalation]
|
||||||
|
become = True
|
||||||
|
become_ask_pass = True
|
||||||
|
|
||||||
[ssh_connection]
|
[ssh_connection]
|
||||||
pipelining = True
|
pipelining = True
|
||||||
|
|
|
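Review bot: `become = True` under `[privilege_escalation]` makes root the default for every task, and the rest of this compare removes the per-task `become: true` lines to rely on it, so tasks that previously ran unprivileged now escalate too unless they opt out explicitly (the site playbook does so in one place only, the tailscale play's `become: false`). Because `roles_path` is built from `$PWD`, this file is evidently read from the checkout directory; a run that does not pick up this ansible.cfg would silently lose escalation everywhere, whereas the old per-task `become` was self-contained in the playbooks. Consider a comment above the section, `# Every task runs via become by default; set become: false on tasks that must not run as root`, and reviewing which roles only need to write files owned by `docker_user` so they can opt out.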
@ -1,4 +1,4 @@
|
||||||
ansible-lint==24.5.0
|
ansible-lint==24.9.2
|
||||||
yamllint==1.33.0
|
yamllint==1.33.0
|
||||||
ansible
|
ansible
|
||||||
passlib
|
passlib
|
||||||
|
|
|
@ -7,6 +7,8 @@ server {
|
||||||
server_name {{ server_name }};
|
server_name {{ server_name }};
|
||||||
set $upstream {{ upstream }};
|
set $upstream {{ upstream }};
|
||||||
|
|
||||||
|
access_log /var/log/nginx/{{ server_name|split|first }}.log main;
|
||||||
|
|
||||||
ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
|
ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
|
ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
|
||||||
ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
|
ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
|
||||||
|
|
|
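Review bot: The added `access_log` line derives a filesystem path from a template variable, `/var/log/nginx/{{ server_name|split|first }}.log`, so the log location is only as safe as `server_name`; the values visible in this compare are literal hostnames set in role `vars`, but a value containing `/` would place the file outside `/var/log/nginx/`. Applying `basename` as well, `{{ server_name | split | first | basename }}`, makes the path robust at no cost. The new per-vhost files also need to be covered by log rotation; only a fail2ban logrotate config is visible in this compare, so confirm the nginx rotation pattern matches `/var/log/nginx/*.log`. The enclosing `server {` block starts outside this hunk.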
@ -8,7 +8,7 @@ collections:
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- src: geerlingguy.docker
|
- src: geerlingguy.docker
|
||||||
version: 7.3.0
|
version: 7.4.1
|
||||||
- src: geerlingguy.ntp
|
- src: geerlingguy.ntp
|
||||||
version: 2.5.0
|
version: 2.5.0
|
||||||
- src: realorangeone.reflector
|
- src: realorangeone.reflector
|
||||||
|
@ -17,6 +17,6 @@ roles:
|
||||||
- src: ironicbadger.snapraid
|
- src: ironicbadger.snapraid
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
- src: geerlingguy.certbot
|
- src: geerlingguy.certbot
|
||||||
version: 5.1.0
|
version: 5.2.0
|
||||||
- src: artis3n.tailscale
|
- src: artis3n.tailscale
|
||||||
version: v4.5.0
|
version: v4.5.0
|
||||||
|
|
|
@ -8,4 +8,4 @@ tailscale_port: 41641
|
||||||
|
|
||||||
tailscale_nodes:
|
tailscale_nodes:
|
||||||
casey:
|
casey:
|
||||||
ip: 100.64.0.1
|
ip: 100.64.0.6
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
private_ip: "{{ ansible_tailscale0.ipv4.address }}"
|
||||||
nginx_https_redirect: true
|
nginx_https_redirect: true
|
||||||
|
|
||||||
certbot_certs:
|
certbot_certs:
|
||||||
|
|
|
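Review bot: `private_ip: "{{ ansible_tailscale0.ipv4.address }}"` depends on a gathered fact that only exists when the tailscale0 interface is up at fact-gathering time, so on a fresh host, or one where tailscale is down, every template that references `private_ip` fails with an undefined-variable error instead of a clear message. The same line is added in the next hunk (`@ -1 +1,2 @@`). In this compare the tailscale role moves into its own play later in the site playbook, so a first run against a new host may reach consumers of `private_ip` before tailscale exists; consider an `assert` on `ansible_tailscale0 is defined` with a `fail_msg` in the roles that use it, or documenting the ordering requirement with a comment above this line.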
@ -1 +1,2 @@
|
||||||
|
private_ip: "{{ ansible_tailscale0.ipv4.address }}"
|
||||||
nginx_https_redirect: true
|
nginx_https_redirect: true
|
||||||
|
|
|
@ -9,12 +9,10 @@
|
||||||
- hosts: casey
|
- hosts: casey
|
||||||
roles:
|
roles:
|
||||||
- nginx
|
- nginx
|
||||||
- role: geerlingguy.certbot
|
- geerlingguy.certbot
|
||||||
become: true
|
|
||||||
- gateway
|
- gateway
|
||||||
- headscale
|
- headscale
|
||||||
- restic
|
- restic
|
||||||
- artis3n.tailscale
|
|
||||||
- glinet_vpn
|
- glinet_vpn
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
|
@ -25,7 +23,6 @@
|
||||||
- tang
|
- tang
|
||||||
roles:
|
roles:
|
||||||
- role: geerlingguy.ntp
|
- role: geerlingguy.ntp
|
||||||
become: true
|
|
||||||
vars:
|
vars:
|
||||||
ntp_timezone: "{{ timezone }}"
|
ntp_timezone: "{{ timezone }}"
|
||||||
ntp_manage_config: true
|
ntp_manage_config: true
|
||||||
|
@ -37,8 +34,7 @@
|
||||||
- renovate
|
- renovate
|
||||||
- gitea-runner
|
- gitea-runner
|
||||||
roles:
|
roles:
|
||||||
- role: geerlingguy.docker
|
- geerlingguy.docker
|
||||||
become: true
|
|
||||||
- docker_cleanup
|
- docker_cleanup
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
|
@ -53,6 +49,14 @@
|
||||||
roles:
|
roles:
|
||||||
- traefik
|
- traefik
|
||||||
|
|
||||||
|
- hosts:
|
||||||
|
- ingress
|
||||||
|
- walker
|
||||||
|
- casey
|
||||||
|
become: false # Forcefully run as current user
|
||||||
|
roles:
|
||||||
|
- artis3n.tailscale
|
||||||
|
|
||||||
- hosts: pve-docker
|
- hosts: pve-docker
|
||||||
roles:
|
roles:
|
||||||
- pve_docker
|
- pve_docker
|
||||||
|
@ -66,22 +70,20 @@
|
||||||
- authentik
|
- authentik
|
||||||
- minio
|
- minio
|
||||||
- ntfy
|
- ntfy
|
||||||
|
- baby_buddy
|
||||||
|
- bsky
|
||||||
|
|
||||||
- hosts: ingress
|
- hosts: ingress
|
||||||
roles:
|
roles:
|
||||||
- nginx
|
- nginx
|
||||||
- ingress
|
- ingress
|
||||||
- artis3n.tailscale
|
|
||||||
|
|
||||||
- hosts: pve
|
- hosts: pve
|
||||||
roles:
|
roles:
|
||||||
- role: ironicbadger.proxmox_nag_removal
|
- ironicbadger.proxmox_nag_removal
|
||||||
become: true
|
|
||||||
- zfs
|
- zfs
|
||||||
- role: ironicbadger.snapraid
|
- ironicbadger.snapraid
|
||||||
become: true
|
- prometheus.prometheus.node_exporter
|
||||||
- role: prometheus.prometheus.node_exporter
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- hosts: forrest
|
- hosts: forrest
|
||||||
roles:
|
roles:
|
||||||
|
@ -98,13 +100,11 @@
|
||||||
- hosts: walker
|
- hosts: walker
|
||||||
roles:
|
roles:
|
||||||
- nginx
|
- nginx
|
||||||
- role: geerlingguy.certbot
|
- geerlingguy.certbot
|
||||||
become: true
|
|
||||||
- coredns_docker_proxy
|
- coredns_docker_proxy
|
||||||
- plausible
|
- plausible
|
||||||
- restic
|
- restic
|
||||||
- website
|
- website
|
||||||
- artis3n.tailscale
|
|
||||||
- slides
|
- slides
|
||||||
- comentario
|
- comentario
|
||||||
|
|
||||||
|
@ -128,6 +128,5 @@
|
||||||
- hosts: tang
|
- hosts: tang
|
||||||
roles:
|
roles:
|
||||||
- adguardhome
|
- adguardhome
|
||||||
- role: prometheus.prometheus.node_exporter
|
- prometheus.prometheus.node_exporter
|
||||||
become: true
|
|
||||||
- restic
|
- restic
|
||||||
|
|
|
@ -3,11 +3,9 @@
|
||||||
name: coredns
|
name: coredns
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart systemd-resolved
|
- name: restart systemd-resolved
|
||||||
service:
|
service:
|
||||||
name: systemd-resolved
|
name: systemd-resolved
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
- name: Install adguardhome
|
- name: Install adguardhome
|
||||||
kewlfft.aur.aur:
|
kewlfft.aur.aur:
|
||||||
name: adguardhome-bin
|
name: adguardhome-bin
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Disable resolved stub
|
- name: Disable resolved stub
|
||||||
template:
|
template:
|
||||||
|
@ -10,7 +9,6 @@
|
||||||
owner: root
|
owner: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart systemd-resolved
|
notify: restart systemd-resolved
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Use resolved resolv.conf
|
- name: Use resolved resolv.conf
|
||||||
file:
|
file:
|
||||||
|
@ -18,12 +16,10 @@
|
||||||
dest: /etc/resolv.conf
|
dest: /etc/resolv.conf
|
||||||
state: link
|
state: link
|
||||||
notify: restart systemd-resolved
|
notify: restart systemd-resolved
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install coredns
|
- name: Install coredns
|
||||||
kewlfft.aur.aur:
|
kewlfft.aur.aur:
|
||||||
name: coredns
|
name: coredns
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install coredns config file
|
- name: Install coredns config file
|
||||||
template:
|
template:
|
||||||
|
@ -32,4 +28,3 @@
|
||||||
owner: coredns
|
owner: coredns
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart coredns
|
notify: restart coredns
|
||||||
become: true
|
|
||||||
|
|
|
@ -19,7 +19,7 @@ x-env: &env
|
||||||
|
|
||||||
services:
|
services:
|
||||||
server:
|
server:
|
||||||
image: ghcr.io/goauthentik/server:2024.6
|
image: ghcr.io/goauthentik/server:2024.8
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: server
|
command: server
|
||||||
user: "{{ docker_user.id }}"
|
user: "{{ docker_user.id }}"
|
||||||
|
@ -42,7 +42,7 @@ services:
|
||||||
- traefik
|
- traefik
|
||||||
|
|
||||||
worker:
|
worker:
|
||||||
image: ghcr.io/goauthentik/server:2024.6
|
image: ghcr.io/goauthentik/server:2024.8
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: worker
|
command: worker
|
||||||
user: "{{ docker_user.id }}"
|
user: "{{ docker_user.id }}"
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,4 +16,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart authentik
|
notify: restart authentik
|
||||||
become: true
|
|
||||||
|
|
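--- a/ansible/roles/baby_buddy/files/docker-compose.yml
+++ b/ansible/roles/baby_buddy/files/docker-compose.yml
@@ -0,0 +1,38 @@
+services:
+baby-buddy:
+image: lscr.io/linuxserver/babybuddy:latest
+restart: unless-stopped
+environment:
+- PUID={{ docker_user.id }}
+- PGID={{ docker_user.id }}
+- TZ={{ timezone }}
+- DATABASE_URL=postgres://baby-buddy:baby-buddy@db/baby-buddy
+- ALLOWED_HOSTS=baby-buddy.jakehoward.tech
+- CSRF_COOKIE_SECURE=True
+- SECRET_KEY={{ vault_secret_key }}
+- SECURE_PROXY_SSL_HEADER=True
+- SESSION_COOKIE_SECURE=True
+labels:
+- traefik.enable=true
+- traefik.http.routers.baby-buddy.rule=Host(`baby-buddy.jakehoward.tech`)
+- traefik.http.routers.baby-buddy.middlewares=tailscale-only@file
+volumes:
+- "{{ app_data_dir }}/baby-buddy:/config"
+depends_on:
+- db
+networks:
+- default
+- traefik
+
+db:
+image: postgres:14-alpine
+restart: unless-stopped
+volumes:
+- /mnt/speed/dbs/postgres/baby-buddy:/var/lib/postgresql/data
+environment:
+- POSTGRES_PASSWORD=baby-buddy
+- POSTGRES_USER=baby-buddy
+
+networks:
+traefik:
+external: true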
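Review bot: The database credentials are committed in plain text, `DATABASE_URL=postgres://baby-buddy:baby-buddy@db/baby-buddy` and `POSTGRES_PASSWORD=baby-buddy`, while `SECRET_KEY` in the same block is taken from the vault. The `db` service is only reachable on the compose `default` network, which limits exposure, but sourcing the password from a new vault variable the same way as `SECRET_KEY` keeps the file consistent and removes a credential from version control. `image: lscr.io/linuxserver/babybuddy:latest` is unpinned, so each run of the restart handler's `docker_update_command` may pull an untested release; the same applies to `ghcr.io/bluesky-social/pds:latest` in the bsky compose file, whereas this compare pins coredns to `1.11.3`.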
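--- a/ansible/roles/baby_buddy/handlers/main.yml
+++ b/ansible/roles/baby_buddy/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart baby-buddy
+shell:
+chdir: /opt/baby-buddy
+cmd: "{{ docker_update_command }}"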
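--- a/ansible/roles/baby_buddy/tasks/main.yml
+++ b/ansible/roles/baby_buddy/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Include vault
+include_vars: vault.yml
+
+- name: Create install directory
+file:
+path: /opt/baby-buddy
+state: directory
+owner: "{{ docker_user.name }}"
+mode: "{{ docker_compose_directory_mask }}"
+
+- name: Install compose file
+template:
+src: files/docker-compose.yml
+dest: /opt/baby-buddy/docker-compose.yml
+mode: "{{ docker_compose_file_mask }}"
+owner: "{{ docker_user.name }}"
+validate: docker-compose -f %s config
+notify: restart baby-buddy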
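Review bot: The compose template renders `{{ vault_secret_key }}` into `/opt/baby-buddy/docker-compose.yml`, so the application secret ends up in a file whose mode is the shared `{{ docker_compose_file_mask }}` used by every non-secret compose file in this repo, and the task has no `no_log`, so the rendered content can appear in diff-mode output. The bsky role added in this same compare keeps its secrets in a separate env file loaded via `env_file`; following that pattern here would keep the compose file free of secrets and allow a tighter mode on the file that holds them. At minimum add `no_log: true` to the `Install compose file` task.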
8
ansible/roles/baby_buddy/vars/vault.yml
generated
Normal file
8
ansible/roles/baby_buddy/vars/vault.yml
generated
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
31663462633839636531393633633938376534316230626362353733653862623964626232333265
|
||||||
|
3733313066313639363131353963373431363761383537300a613662393631623832613537363034
|
||||||
|
30623931653839636361646231386465383333343535646436656565663137303166366533353866
|
||||||
|
3634643437303034330a646236353831363638633835666239383430636532396466623461303535
|
||||||
|
31383238633430393935653366646666303066316232643733366264353034626461613038323834
|
||||||
|
35383961316663356136363562646636313133346438343965383931353336643434303938373766
|
||||||
|
303432363965616134613933643635626565
|
|
@ -1,25 +1,21 @@
|
||||||
- name: Install fail2ban
|
- name: Install fail2ban
|
||||||
package:
|
package:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Enable fail2ban
|
- name: Enable fail2ban
|
||||||
service:
|
service:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: fail2ban SSH jail
|
- name: fail2ban SSH jail
|
||||||
template:
|
template:
|
||||||
src: files/ssh-jail.conf
|
src: files/ssh-jail.conf
|
||||||
dest: /etc/fail2ban/jail.d/ssh.conf
|
dest: /etc/fail2ban/jail.d/ssh.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
register: fail2ban_jail
|
register: fail2ban_jail
|
||||||
|
|
||||||
- name: Restart fail2ban
|
- name: Restart fail2ban
|
||||||
service:
|
service:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
|
||||||
when: fail2ban_jail.changed
|
when: fail2ban_jail.changed
|
||||||
|
|
|
@ -1,13 +1,11 @@
|
||||||
- name: Install logrotate
|
- name: Install logrotate
|
||||||
package:
|
package:
|
||||||
name: logrotate
|
name: logrotate
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Enable logrotate timer
|
- name: Enable logrotate timer
|
||||||
service:
|
service:
|
||||||
name: logrotate.timer
|
name: logrotate.timer
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
when: ansible_os_family == 'Archlinux'
|
when: ansible_os_family == 'Archlinux'
|
||||||
|
|
||||||
- name: logrotate fail2ban config
|
- name: logrotate fail2ban config
|
||||||
|
@ -15,4 +13,3 @@
|
||||||
src: files/fail2ban-logrotate
|
src: files/fail2ban-logrotate
|
||||||
dest: /etc/logrotate.d/fail2ban
|
dest: /etc/logrotate.d/fail2ban
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
- name: Install Base Packages
|
- name: Install Base Packages
|
||||||
package:
|
package:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
become: true
|
|
||||||
loop:
|
loop:
|
||||||
- htop
|
- htop
|
||||||
- neofetch
|
- neofetch
|
||||||
|
|
|
@ -1,13 +1,11 @@
|
||||||
- name: Install OpenSSH for Debian
|
- name: Install OpenSSH for Debian
|
||||||
package:
|
package:
|
||||||
name: openssh-server
|
name: openssh-server
|
||||||
become: true
|
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Install OpenSSH for Arch
|
- name: Install OpenSSH for Arch
|
||||||
package:
|
package:
|
||||||
name: openssh
|
name: openssh
|
||||||
become: true
|
|
||||||
when: ansible_os_family == 'Archlinux'
|
when: ansible_os_family == 'Archlinux'
|
||||||
|
|
||||||
- name: Define context
|
- name: Define context
|
||||||
|
@ -22,7 +20,6 @@
|
||||||
validate: /usr/sbin/sshd -t -f %s
|
validate: /usr/sbin/sshd -t -f %s
|
||||||
backup: true
|
backup: true
|
||||||
mode: "644"
|
mode: "644"
|
||||||
become: true
|
|
||||||
register: sshd_config
|
register: sshd_config
|
||||||
|
|
||||||
- name: Set up authorized keys
|
- name: Set up authorized keys
|
||||||
|
@ -38,11 +35,9 @@
|
||||||
service:
|
service:
|
||||||
name: sshd
|
name: sshd
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Restart SSH Daemon
|
- name: Restart SSH Daemon
|
||||||
service:
|
service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: reloaded
|
state: reloaded
|
||||||
when: sshd_config.changed
|
when: sshd_config.changed
|
||||||
become: true
|
|
||||||
|
|
|
@ -5,11 +5,9 @@
|
||||||
comment: "{{ me.name }}"
|
comment: "{{ me.name }}"
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
system: true
|
system: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Give user sudo access
|
- name: Give user sudo access
|
||||||
user:
|
user:
|
||||||
name: "{{ me.user }}"
|
name: "{{ me.user }}"
|
||||||
groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
|
groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
|
||||||
append: true
|
append: true
|
||||||
become: true
|
|
||||||
|
|
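--- a/ansible/roles/bsky/files/docker-compose.yml
+++ b/ansible/roles/bsky/files/docker-compose.yml
@@ -0,0 +1,19 @@
+services:
+pds:
+image: ghcr.io/bluesky-social/pds:latest
+user: "{{ docker_user.id }}"
+restart: unless-stopped
+env_file:
+- /opt/bsky/pds.env
+labels:
+- traefik.enable=true
+- traefik.http.routers.bsky.rule=Host(`bsky.theorangeone.net`)
+volumes:
+- "{{ app_data_dir }}/bsky:/pds"
+networks:
+- default
+- traefik
+
+networks:
+traefik:
+external: true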
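--- a/ansible/roles/bsky/files/pds.env
+++ b/ansible/roles/bsky/files/pds.env
@@ -0,0 +1,17 @@
+TZ={{ timezone }}
+PDS_HOSTNAME=bsky.theorangeone.net
+PDS_JWT_SECRET={{ vault_jwt_secret }}
+PDS_ADMIN_PASSWORD={{ vault_admin_password }}
+PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX={{ vault_plc_rotation_private_key }}
+PDS_DATA_DIRECTORY=/pds
+PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks
+PDS_BLOB_UPLOAD_LIMIT=52428800
+PDS_DID_PLC_URL=https://plc.directory
+PDS_BSKY_APP_VIEW_URL=https://api.bsky.app
+PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app
+PDS_REPORT_SERVICE_URL=https://mod.bsky.app
+PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac
+PDS_CRAWLERS=https://bsky.network
+LOG_ENABLED=false
+PDS_EMAIL_SMTP_URL={{ vault_smtp_url }}
+PDS_EMAIL_FROM_ADDRESS={{ vault_smtp_from_address }}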
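Review bot: `LOG_ENABLED=false` turns off the PDS's own logging for a service that the bsky compose file exposes publicly through traefik (`Host(`bsky.theorangeone.net`)` with no access-restricting middleware), so failed logins against `PDS_ADMIN_PASSWORD` and other request activity leave no record beyond whatever traefik's access log captures. For an internet-facing service with a vaulted admin credential, keeping the application log on is the cheaper detection option; if it stays off, a comment above the line stating the reason, e.g. `# Application logging disabled: <reason>`, would stop a reviewer from flipping it back without context.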
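--- a/ansible/roles/bsky/handlers/main.yml
+++ b/ansible/roles/bsky/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart bsky
+shell:
+chdir: /opt/bsky
+cmd: "{{ docker_update_command }}"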
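--- a/ansible/roles/bsky/tasks/main.yml
+++ b/ansible/roles/bsky/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Include vault
+include_vars: vault.yml
+
+- name: Create install directory
+file:
+path: /opt/bsky
+state: directory
+owner: "{{ docker_user.name }}"
+mode: "{{ docker_compose_directory_mask }}"
+
+- name: Install environment variables
+template:
+src: files/pds.env
+dest: /opt/bsky/pds.env
+mode: "660"
+owner: "{{ docker_user.name }}"
+notify: restart bsky
+
+- name: Install compose file
+template:
+src: files/docker-compose.yml
+dest: /opt/bsky/docker-compose.yml
+mode: "{{ docker_compose_file_mask }}"
+owner: "{{ docker_user.name }}"
+validate: docker-compose -f %s config
+notify: restart bsky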
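Review bot: `mode: "660"` on `/opt/bsky/pds.env` leaves the file group-writable although it carries the admin password, JWT secret and PLC rotation key, and the task sets `owner` but no `group`, so the group is presumably that of the creating user (root, under the new global `become = True`). The comentario role in this same compare installs its secrets with `mode: "600"`; matching that, and adding `no_log: true` so the rendered secrets are not printed in diff mode, would be consistent. If the container or compose process genuinely needs group access, set `group: "{{ docker_user.name }}"` explicitly rather than relying on the default.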
24
ansible/roles/bsky/vars/vault.yml
generated
Normal file
24
ansible/roles/bsky/vars/vault.yml
generated
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
35316238376465633461333439343331636238346532623336316231653664653963643331346362
|
||||||
|
3763363363333066636166356465373233323138643961390a343232623866303961316431363534
|
||||||
|
31653234383465356637363636363838393130396364623261353266396533326563303838643366
|
||||||
|
6339666332326439610a666235636432616565643839663234336134343632316538353331396337
|
||||||
|
33303836373037336533623864613966646463333161663965653663326266376234633530393530
|
||||||
|
63303938376338613531623065316339653938666439643035663231646566643334356337343861
|
||||||
|
65353264613465626532643935313262323766666538386239613163366536636335616562613635
|
||||||
|
31643637333266373336323035366465636261346263666239323934616238616366383330336661
|
||||||
|
38386536326137363531636635626232333465613031633031336330316337303237303736656639
|
||||||
|
37313331346165363465326336663536646438363835393138646238353661303937346430303333
|
||||||
|
39663236663530396562626133666434396132356638643563626362636563373464356636313337
|
||||||
|
63303730656338313036313937323462326366366231363265363335636536396335323561663235
|
||||||
|
65333666333033376334303463376666373738376361316463343836323839383735666530656135
|
||||||
|
33316238356536663362646437633866323531353439393561626331326562663366663839393438
|
||||||
|
35653262653262326532386431373336393737363665393030363538356262346435343333373636
|
||||||
|
34343261623832306139623337353137646435613433346630643865333965303334393666336534
|
||||||
|
61353035373034323864356636643930333638396564616134353536663164363932643364656162
|
||||||
|
35366139363939663632353066373932363961656464393131373239356663303736653334336531
|
||||||
|
35303236303065363764313432643664333532343134393965323963636664663536376632323538
|
||||||
|
38356335383934636631643436356563636364646136333637666331363261656236346539373233
|
||||||
|
37306330306531623464663031626337346339613630363635633161336366653638626339356662
|
||||||
|
63383836613863646436346233376563353037373666313631393161333133633132666633663361
|
||||||
|
326132663033396335306165333862666433
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
comentario:
|
comentario:
|
||||||
image: registry.gitlab.com/comentario/comentario:v3.9.0
|
image: registry.gitlab.com/comentario/comentario:v3.11.0
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
user: "{{ docker_user.id }}:{{ docker_user.id }}"
|
user: "{{ docker_user.id }}:{{ docker_user.id }}"
|
||||||
depends_on:
|
depends_on:
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart comentario
|
notify: restart comentario
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install secrets
|
- name: Install secrets
|
||||||
copy:
|
copy:
|
||||||
|
@ -26,7 +24,6 @@
|
||||||
mode: "600"
|
mode: "600"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart comentario
|
notify: restart comentario
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nginx config
|
- name: Install nginx config
|
||||||
template:
|
template:
|
||||||
|
@ -34,7 +31,6 @@
|
||||||
dest: /etc/nginx/http.d/comentario.conf
|
dest: /etc/nginx/http.d/comentario.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
become: true
|
|
||||||
vars:
|
vars:
|
||||||
server_name: comentario.theorangeone.net
|
server_name: comentario.theorangeone.net
|
||||||
upstream: comentario-comentario-1.docker:80
|
upstream: comentario-comentario-1.docker:80
|
||||||
|
|
|
@ -11,6 +11,9 @@ comentario_secrets:
|
||||||
gitlab:
|
gitlab:
|
||||||
key: "{{ vault_comentario_gitlab_application_id }}"
|
key: "{{ vault_comentario_gitlab_application_id }}"
|
||||||
secret: "{{ vault_comentario_gitlab_application_secret }}"
|
secret: "{{ vault_comentario_gitlab_application_secret }}"
|
||||||
|
twitter:
|
||||||
|
key: "{{ vault_comentario_twitter_api_key }}"
|
||||||
|
secret: "{{ vault_comentario_twitter_api_secret }}"
|
||||||
smtpServer:
|
smtpServer:
|
||||||
host: smtp.eu.mailgun.org
|
host: smtp.eu.mailgun.org
|
||||||
port: 587
|
port: 587
|
||||||
|
|
66
ansible/roles/comentario/vars/vault.yml
generated
66
ansible/roles/comentario/vars/vault.yml
generated
|
@ -1,30 +1,38 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
33656462373736356363313738643335333930343461366666663532653264363963653732656366
|
36376264363334643335646564636336613234393261326366386234663464633966666133383933
|
||||||
3034323730613334326462326332323763323665636165390a303639633036303831373966303037
|
3731363234333962306638323737336237343230653439650a343362336166626633666161313863
|
||||||
37376233383138323265396531303739316330396230333464383963333035343735303866626334
|
33623130623239626532663063633436616665653135343266336330353538306265323739326262
|
||||||
6562393435303264620a633139616164303337363863616138306531656365353964346638646165
|
3066643432643465350a643436366637623765663265316665386564663933663730383264396336
|
||||||
35346539326339623364343662643038336238613535623964666562383662613661616564646433
|
39396139396238653065366663333533343336363631616332616362386639313766656136666532
|
||||||
30653432666538616565373832353434303565386333643735313866396436393732303466376237
|
63336131346563323733333139636233353465643766643562643632653062373737353364336536
|
||||||
64383236373364383338613530353830353334326331636436323766353565656664356138386532
|
64653162656233383136363339623933643834363931663830656364396637333632613838323461
|
||||||
62366266656461663330396562316439393038666534663564633037623237363532363637356336
|
38666362663831363363636363346164343032376366346530393864306332326339323836643062
|
||||||
63336633393666343064383735363664643936333130636465623139393838373134636265366439
|
66346265643039663636616464383330366539343832373839663361393661353861643364633534
|
||||||
64326538653236306437346165333934303134313032383135313335626136626162363831613430
|
38383461323031626161663938326339386634363165303238333365323235303535333765613734
|
||||||
30636436343162376637616262393633306330663362396638393166643131343564646162616530
|
30363032386333353962306131373466356137666334303230343561616639363238633630386330
|
||||||
62343735343832636661326265396262643136346366663337636335656137393231646438633338
|
32383537646430666331313530343033376238646334313335343661313665626631663331656638
|
||||||
61613137366661333462363134343732666330373864393636643665396435653064623030626466
|
31303637343263343566386634623362373366323136663032663966313836353136616564646563
|
||||||
65633536346531383565616130626461376566316535316339326363646336626266376330393939
|
66653938326539343130346439666264663962323661386131643432663237643334633837376163
|
||||||
33653438656438316532393665333939613334666464656635323566326439363964316535623233
|
62393330336434393232646163353539303831336638663135393734393064353964623032616233
|
||||||
38636236616637336230363032396635613563313966353334313365663434653138303764393938
|
32393037313965313933363236653537306634613265633764636436653332623339316132373964
|
||||||
37643561346338323934663936356563363833383435373933396138663334616563666562653935
|
39313334653831366533663661653934633338393539326564396236373462623262333530346436
|
||||||
33666631373964396265393233636631336632386537663663366439313137656661653265323162
|
66646266623666333034346634613365356333343934363963366137303030646638373466643564
|
||||||
64656333336165326563323333653036386334386566386664306638656130323665366136373732
|
66356265363634623363646266633137363966666361366463383266663032316665373430383031
|
||||||
34383532303363646334356534316630363133303031343665353465656239306338386238313262
|
33303530323561366531356133363035353732333135303762316337626330333530303563643935
|
||||||
30363438383164343661343730386162633430373765313834313739393638333963393234613564
|
35303465633536373833386435336638386662353032383861633965393564303839666463616263
|
||||||
30356134646431353132316565346331613137353431383863383866306632626336633764393036
|
39353934343965316134663634363135616338353734656361343433313837313639303931356233
|
||||||
66626466623034666335356539653136633331636365623061613433393335303535333433616137
|
39643135353661306461393962646238613062356361386533316362633233353235666262653738
|
||||||
65383231373230653838316630303736353237666431366134353534366564656338646265396162
|
33616465653435303736636165343239336139383162616463613232656639393338363766396434
|
||||||
61663366663532636635663337363063306466626463396630636236363736303963353062376163
|
32353965363537666366623066313461316463373130653637343430366231366263616261393564
|
||||||
63653530346335393934656531386139663136383132306564383937396364626365373839613766
|
36323038383238633239323365326334393132643832373033643432653032613665646666336338
|
||||||
62633264336335313932396164373363623061363262616330343735633862623234643365353035
|
30316565346630396537363431366337656236363462646435393731323866313366373438386265
|
||||||
36616231636461323832663837323232396636363561376563386530306339333431613935613263
|
61373366383865336334356638653065333839303663636266393933663833313931333133663966
|
||||||
30366335393834643066343763636561346336383463333535323932326663633338
|
35306163373462613335616265316563313062623139343061306465656463336162396266636437
|
||||||
|
36646439613433306464383133636466383430363363393762646534343133333732613530626162
|
||||||
|
31633430313039643636666365613232373335336235633832666139643937373766336563303266
|
||||||
|
34396137656436373438383035316133343132313130636536393536393862386531386531303761
|
||||||
|
64613337353463383032636636643963636235346262646366366539646233313939633864306335
|
||||||
|
38373465373863383964633038373334386632666236303436376438666132623964396434626439
|
||||||
|
38356235353430323236623962396461346438633962333163393535373362373164313132356232
|
||||||
|
63313639333862313565396165613265623135626635373134626137633638333561353732313036
|
||||||
|
3837
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
coredns:
|
coredns:
|
||||||
image: coredns/coredns:latest
|
image: coredns/coredns:1.11.3
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
volumes:
|
volumes:
|
||||||
- ./Corefile:/home/nonroot/Corefile:ro
|
- ./Corefile:/home/nonroot/Corefile:ro
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
- name: Create network
|
- name: Create network
|
||||||
docker_network:
|
docker_network:
|
||||||
name: coredns
|
name: coredns
|
||||||
internal: true
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create install directory
|
- name: Create install directory
|
||||||
file:
|
file:
|
||||||
|
@ -10,7 +8,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -20,4 +17,11 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart coredns
|
notify: restart coredns
|
||||||
become: true
|
|
||||||
|
- name: Install Corefile
|
||||||
|
template:
|
||||||
|
src: files/Corefile
|
||||||
|
dest: /opt/coredns/Corefile
|
||||||
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
|
owner: "{{ docker_user.name }}"
|
||||||
|
notify: restart coredns
|
||||||
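Review bot: Dropping `become: true` from every task in this file leaves it with no privilege statement of its own, so the writes to /opt/coredns only succeed as root if a play- or config-level become default is in effect — presumably the intent, but it should be stated, e.g. a `# Privilege escalation is inherited from the global become default; run with it enabled.` comment at the top, and tasks that target user-owned files elsewhere now run as root unless they carry `become: false`. The same removal appears in the db-auto-backup, docker, zfs-override, gitea, forgejo-runner, fail2ban, nginx gateway, wireguard, glinet, headscale, squid, nftables, ingress, jellyfin and mastodon task/handler files of this compare, so this note stands for all of them. Separately, the `internal: true` line removed from the coredns `docker_network` gives containers on that network outbound access where they had none, and nothing in the hunk explains why; a one-line comment on the task would help the next reader.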
|
|
|
@ -9,6 +9,9 @@ services:
|
||||||
- HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
|
- HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
|
||||||
depends_on:
|
depends_on:
|
||||||
- docker_proxy
|
- docker_proxy
|
||||||
|
networks:
|
||||||
|
- default
|
||||||
|
- backup_private
|
||||||
|
|
||||||
docker_proxy:
|
docker_proxy:
|
||||||
image: lscr.io/linuxserver/socket-proxy:latest
|
image: lscr.io/linuxserver/socket-proxy:latest
|
||||||
|
@ -20,5 +23,13 @@ services:
|
||||||
- EXEC=1
|
- EXEC=1
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
networks:
|
||||||
|
- backup_private
|
||||||
|
tmpfs:
|
||||||
|
- /run
|
||||||
logging:
|
logging:
|
||||||
driver: none
|
driver: none
|
||||||
|
|
||||||
|
networks:
|
||||||
|
backup_private:
|
||||||
|
internal: true
|
||||||
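Review bot: The new `backup_private` internal network limits who can reach `docker_proxy`, but the grants on the proxy itself are unchanged and still include `EXEC=1`, which is the most powerful permission the socket-proxy offers; if db-auto-backup genuinely needs it (likely, to run dumps inside the database containers) say so in a comment such as `# EXEC is required for in-container dumps; keep the rest of the allow-list minimal.` so it is not widened casually. `image: lscr.io/linuxserver/socket-proxy:latest` is also left unpinned here while the coredns compose file in this same compare moves to a fixed tag. The `tmpfs: - /run` addition is fine and matches the forgejo-runner file.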
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,4 +13,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart db-auto-backup
|
notify: restart db-auto-backup
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
- name: Install docker-compose
|
- name: Install docker-compose
|
||||||
package:
|
package:
|
||||||
name: docker-compose
|
name: docker-compose
|
||||||
become: true
|
|
||||||
when: ansible_os_family != 'Debian'
|
when: ansible_os_family != 'Debian'
|
||||||
|
|
||||||
- name: Install compose-switch
|
- name: Install compose-switch
|
||||||
|
@ -9,7 +8,6 @@
|
||||||
url: "{{ docker_compose_url }}"
|
url: "{{ docker_compose_url }}"
|
||||||
dest: "{{ docker_compose_path }}"
|
dest: "{{ docker_compose_path }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
become: true
|
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Create docker group
|
- name: Create docker group
|
||||||
|
@ -17,7 +15,6 @@
|
||||||
name: "{{ docker_user.name }}"
|
name: "{{ docker_user.name }}"
|
||||||
state: present
|
state: present
|
||||||
gid: "{{ docker_user.id }}"
|
gid: "{{ docker_user.id }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create docker user
|
- name: Create docker user
|
||||||
user:
|
user:
|
||||||
|
@ -25,21 +22,18 @@
|
||||||
uid: "{{ docker_user.id }}"
|
uid: "{{ docker_user.id }}"
|
||||||
group: "{{ docker_user.name }}"
|
group: "{{ docker_user.name }}"
|
||||||
create_home: false
|
create_home: false
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add user to docker user group
|
- name: Add user to docker user group
|
||||||
user:
|
user:
|
||||||
name: "{{ me.user }}"
|
name: "{{ me.user }}"
|
||||||
groups: "{{ docker_user.name }}"
|
groups: "{{ docker_user.name }}"
|
||||||
append: true
|
append: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add user to docker group
|
- name: Add user to docker group
|
||||||
user:
|
user:
|
||||||
name: "{{ me.user }}"
|
name: "{{ me.user }}"
|
||||||
groups: docker
|
groups: docker
|
||||||
append: true
|
append: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Clean up docker containers
|
- name: Clean up docker containers
|
||||||
cron:
|
cron:
|
||||||
|
@ -47,6 +41,8 @@
|
||||||
hour: 1
|
hour: 1
|
||||||
minute: 0
|
minute: 0
|
||||||
job: docker system prune -af --volumes
|
job: docker system prune -af --volumes
|
||||||
|
cron_file: docker_cleanup
|
||||||
|
user: root
|
||||||
|
|
||||||
- name: Install util scripts
|
- name: Install util scripts
|
||||||
copy:
|
copy:
|
||||||
|
@ -54,6 +50,7 @@
|
||||||
dest: "{{ me.home }}"
|
dest: "{{ me.home }}"
|
||||||
mode: "755"
|
mode: "755"
|
||||||
directory_mode: "755"
|
directory_mode: "755"
|
||||||
|
owner: "{{ me.user }}"
|
||||||
|
|
||||||
- name: override docker service for zfs dependencies
|
- name: override docker service for zfs dependencies
|
||||||
include_tasks: zfs-override.yml
|
include_tasks: zfs-override.yml
|
||||||
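Review bot: Moving the cleanup job to `cron_file: docker_cleanup` with `user: root` does not remove the entry the previous revision installed in root's own crontab (the task then ran under become without `cron_file`), so hosts provisioned before this change keep both and prune twice a night. A one-off task with the same cron `name`, `state: absent` and no `cron_file` (the task's `name:` sits above the hunk) would retire the old entry; otherwise note in a comment that it was cleaned by hand. The `owner: "{{ me.user }}"` added to the util-scripts copy has no matching `group:`, so now that the task runs as root the files likely end up in root's group; `group: "{{ me.user }}"` keeps them consistent.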
|
|
|
@ -3,7 +3,6 @@
|
||||||
path: /etc/systemd/system/docker.service.d
|
path: /etc/systemd/system/docker.service.d
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create override.conf
|
- name: Create override.conf
|
||||||
copy:
|
copy:
|
||||||
|
@ -12,4 +11,3 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
forgejo:
|
forgejo:
|
||||||
image: code.forgejo.org/forgejo/forgejo:8-rootless
|
image: code.forgejo.org/forgejo/forgejo:9-rootless
|
||||||
user: "{{ docker_user.id }}:{{ docker_user.id }}"
|
user: "{{ docker_user.id }}:{{ docker_user.id }}"
|
||||||
environment:
|
environment:
|
||||||
- TZ={{ timezone }}
|
- TZ={{ timezone }}
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart gitea
|
notify: restart gitea
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install config file
|
- name: Install config file
|
||||||
template:
|
template:
|
||||||
|
@ -26,7 +24,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart gitea
|
notify: restart gitea
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create custom templates directory
|
- name: Create custom templates directory
|
||||||
file:
|
file:
|
||||||
|
@ -35,7 +32,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
recurse: true
|
recurse: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install custom footer
|
- name: Install custom footer
|
||||||
copy:
|
copy:
|
||||||
|
@ -44,4 +40,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
notify: restart gitea
|
notify: restart gitea
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,20 +1,44 @@
|
||||||
services:
|
services:
|
||||||
forgejo-runner:
|
forgejo-runner:
|
||||||
image: code.forgejo.org/forgejo/runner:3.5.1
|
image: code.forgejo.org/forgejo/runner:4.0.1
|
||||||
user: "{{ docker_user.id }}"
|
user: "{{ docker_user.id }}"
|
||||||
volumes:
|
volumes:
|
||||||
- /mnt/data:/data
|
- /mnt/data:/data
|
||||||
|
- ./config.yml:/data/config.yml
|
||||||
environment:
|
environment:
|
||||||
- TZ={{ timezone }}
|
- TZ={{ timezone }}
|
||||||
- DOCKER_HOST=tcp://dind:2375
|
- DOCKER_HOST=tcp://docker_proxy:2375
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: forgejo-runner daemon
|
command: forgejo-runner daemon
|
||||||
|
networks:
|
||||||
|
- default
|
||||||
|
- forgejo_private
|
||||||
depends_on:
|
depends_on:
|
||||||
dind:
|
- docker_proxy
|
||||||
condition: service_started
|
|
||||||
|
|
||||||
dind:
|
docker_proxy:
|
||||||
image: docker:dind
|
image: lscr.io/linuxserver/socket-proxy:latest
|
||||||
privileged: true
|
|
||||||
command: [dockerd, -H, tcp://0.0.0.0:2375, --tls=false]
|
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
environment:
|
||||||
|
- POST=1
|
||||||
|
- CONTAINERS=1
|
||||||
|
- INFO=1
|
||||||
|
- IMAGES=1
|
||||||
|
- VOLUMES=1
|
||||||
|
- NETWORKS=1
|
||||||
|
- ALLOW_START=1
|
||||||
|
- ALLOW_STOP=1
|
||||||
|
- ALLOW_RESTARTS=1
|
||||||
|
- EXEC=1
|
||||||
|
tmpfs:
|
||||||
|
- /run
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
networks:
|
||||||
|
- forgejo_private
|
||||||
|
logging:
|
||||||
|
driver: none
|
||||||
|
|
||||||
|
networks:
|
||||||
|
forgejo_private:
|
||||||
|
internal: true
|
||||||
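Review bot: Pointing the runner at a socket-proxy over the host's `/var/run/docker.sock` moves CI jobs from the previous (privileged, but self-contained) dind onto the host Docker daemon, and with `POST=1`, `CONTAINERS=1` and `VOLUMES=1` granted the proxy does not constrain what a created container may mount or run, since it filters URL paths rather than request bodies. That makes this runner host-level trust for any repository whose workflows it executes, which deserves a comment next to `docker_proxy:` such as `# Jobs get near-host access via the daemon; only attach this runner to fully trusted repositories.`. `socket-proxy:latest` is unpinned while the runner is pinned to 4.0.1 — pin it to a fixed tag too. The `./config.yml:/data/config.yml` mount could probably be `:ro`, since the runner's registration state lives elsewhere under /data; confirm against the runner's write pattern before changing it.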
|
|
|
@ -4,24 +4,14 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create data directory
|
|
||||||
file:
|
|
||||||
path: /opt/forgejo-runner/data
|
|
||||||
state: directory
|
|
||||||
mode: "700"
|
|
||||||
owner: "{{ docker_user.name }}"
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install config file
|
- name: Install config file
|
||||||
template:
|
template:
|
||||||
src: files/config.yml
|
src: files/config.yml
|
||||||
dest: /opt/forgejo-runner/data/config.yml
|
dest: /opt/forgejo-runner/config.yml
|
||||||
mode: "600"
|
mode: "600"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart forgejo-runner
|
notify: restart forgejo-runner
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -31,4 +21,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart forgejo-runner
|
notify: restart forgejo-runner
|
||||||
become: true
|
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
src: files/nginx-fail2ban-filter.conf
|
src: files/nginx-fail2ban-filter.conf
|
||||||
dest: /etc/fail2ban/filter.d/nginx-tcp.conf
|
dest: /etc/fail2ban/filter.d/nginx-tcp.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
register: fail2ban_filter
|
register: fail2ban_filter
|
||||||
|
|
||||||
- name: fail2ban jail
|
- name: fail2ban jail
|
||||||
|
@ -11,12 +10,10 @@
|
||||||
src: files/nginx-fail2ban-jail.conf
|
src: files/nginx-fail2ban-jail.conf
|
||||||
dest: /etc/fail2ban/jail.d/nginx.conf
|
dest: /etc/fail2ban/jail.d/nginx.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
register: fail2ban_jail
|
register: fail2ban_jail
|
||||||
|
|
||||||
- name: Restart fail2ban
|
- name: Restart fail2ban
|
||||||
service:
|
service:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
|
||||||
when: fail2ban_filter.changed or fail2ban_jail.changed
|
when: fail2ban_filter.changed or fail2ban_jail.changed
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/stream.d/gateway.conf
|
dest: /etc/nginx/stream.d/gateway.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
register: nginx_config
|
register: nginx_config
|
||||||
|
|
||||||
- name: Install CDN config
|
- name: Install CDN config
|
||||||
|
@ -11,12 +10,10 @@
|
||||||
src: files/nginx-cdn.conf
|
src: files/nginx-cdn.conf
|
||||||
dest: /etc/nginx/http.d/cdn.conf
|
dest: /etc/nginx/http.d/cdn.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
register: nginx_config
|
register: nginx_config
|
||||||
|
|
||||||
- name: Reload Nginx
|
- name: Reload Nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: reloaded
|
||||||
become: true
|
|
||||||
when: nginx_config.changed
|
when: nginx_config.changed
|
||||||
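Review bot: Both template tasks `register: nginx_config`, so the CDN task's result overwrites the gateway task's and the reload condition `when: nginx_config.changed` only reflects the second; a change limited to gateway.conf is written out but nginx is never reloaded. Register them under distinct names and reload on either, e.g. `register: nginx_gateway_config` / `register: nginx_cdn_config` with `when: nginx_gateway_config.changed or nginx_cdn_config.changed`, which mirrors the fail2ban file in this compare, or switch both tasks to `notify: reload nginx` as the headscale and ingress tasks already do.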
|
|
|
@ -1,7 +1,6 @@
|
||||||
- name: Install wireguard tools
|
- name: Install wireguard tools
|
||||||
package:
|
package:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
become: true
|
|
||||||
loop:
|
loop:
|
||||||
- wireguard-tools
|
- wireguard-tools
|
||||||
- qrencode
|
- qrencode
|
||||||
|
@ -12,21 +11,18 @@
|
||||||
dest: /etc/wireguard/wg0.conf
|
dest: /etc/wireguard/wg0.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
backup: true
|
backup: true
|
||||||
become: true
|
|
||||||
register: wireguard_conf
|
register: wireguard_conf
|
||||||
|
|
||||||
- name: Enable wireguard
|
- name: Enable wireguard
|
||||||
service:
|
service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Restart wireguard
|
- name: Restart wireguard
|
||||||
service:
|
service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
state: restarted
|
state: restarted
|
||||||
when: wireguard_conf.changed
|
when: wireguard_conf.changed
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create wireguard client directory
|
- name: Create wireguard client directory
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -2,4 +2,3 @@
|
||||||
service:
|
service:
|
||||||
name: wg-quick@glinet
|
name: wg-quick@glinet
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
- name: Install wireguard tools
|
- name: Install wireguard tools
|
||||||
package:
|
package:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
become: true
|
|
||||||
loop:
|
loop:
|
||||||
- wireguard-tools
|
- wireguard-tools
|
||||||
- qrencode
|
- qrencode
|
||||||
|
@ -15,7 +14,6 @@
|
||||||
dest: /etc/wireguard/glinet.conf
|
dest: /etc/wireguard/glinet.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
backup: true
|
backup: true
|
||||||
become: true
|
|
||||||
notify: restart wireguard
|
notify: restart wireguard
|
||||||
|
|
||||||
- name: Wireguard client config
|
- name: Wireguard client config
|
||||||
|
@ -24,11 +22,9 @@
|
||||||
dest: "{{ me.home }}/glinet-vpn.conf"
|
dest: "{{ me.home }}/glinet-vpn.conf"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: "{{ me.user }}"
|
owner: "{{ me.user }}"
|
||||||
become: true
|
|
||||||
notify: restart wireguard
|
notify: restart wireguard
|
||||||
|
|
||||||
- name: Enable wireguard
|
- name: Enable wireguard
|
||||||
service:
|
service:
|
||||||
name: wg-quick@glinet
|
name: wg-quick@glinet
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{
|
{
|
||||||
"tagOwners": {
|
"tagOwners": {
|
||||||
"tag:client": []
|
"tag:client": [],
|
||||||
|
"tag:private-svcs": []
|
||||||
|
|
||||||
},
|
},
|
||||||
"acls": [
|
"acls": [
|
||||||
|
@ -8,6 +9,11 @@
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"src": ["tag:client"],
|
"src": ["tag:client"],
|
||||||
"dst": ["*:*"]
|
"dst": ["*:*"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"action": "accept",
|
||||||
|
"src": ["tag:private-svcs"],
|
||||||
|
"dst": ["{{ vps_hosts.private_ipv6_marker }}:80,443"]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
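Review bot: The destination of the new `tag:private-svcs` rule is rendered from `vps_hosts.private_ipv6_marker` followed by `:80,443`; if that value is an IPv6 address or prefix, the host part itself contains colons, so confirm the rendered policy is accepted by headscale's parser before relying on it — nothing validates this template and it is applied by restarting headscale. A short HuJSON comment above the rule stating what the marker denotes (a single host address or a CIDR) and why only 80/443 are opened would make the intent clear to the next reader.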
|
|
|
@ -63,9 +63,11 @@ noise:
|
||||||
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
|
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
|
||||||
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
|
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
|
||||||
# Any other range is NOT supported, and it will cause unexpected issues.
|
# Any other range is NOT supported, and it will cause unexpected issues.
|
||||||
ip_prefixes:
|
prefixes:
|
||||||
- fd7a:115c:a1e0::/48
|
v6: fd7a:115c:a1e0::/48
|
||||||
- 100.64.0.0/10
|
v4: 100.64.0.0/10
|
||||||
|
|
||||||
|
allocation: sequential
|
||||||
|
|
||||||
# DERP is a relay system that Tailscale uses when a direct
|
# DERP is a relay system that Tailscale uses when a direct
|
||||||
# connection cannot be established.
|
# connection cannot be established.
|
||||||
|
@ -77,7 +79,7 @@ derp:
|
||||||
server:
|
server:
|
||||||
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
|
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
|
||||||
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
|
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
|
||||||
enabled: true
|
enabled: false
|
||||||
|
|
||||||
# Region ID to use for the embedded DERP server.
|
# Region ID to use for the embedded DERP server.
|
||||||
# The local DERP prevails if the region ID collides with other region ID coming from
|
# The local DERP prevails if the region ID collides with other region ID coming from
|
||||||
|
@ -95,7 +97,8 @@ derp:
|
||||||
stun_listen_addr: 0.0.0.0:3478
|
stun_listen_addr: 0.0.0.0:3478
|
||||||
|
|
||||||
# List of externally available DERP maps encoded in JSON
|
# List of externally available DERP maps encoded in JSON
|
||||||
urls: []
|
urls:
|
||||||
|
- https://controlplane.tailscale.com/derpmap/default
|
||||||
|
|
||||||
# Locally available DERP map files encoded in YAML
|
# Locally available DERP map files encoded in YAML
|
||||||
#
|
#
|
||||||
|
@ -128,10 +131,25 @@ ephemeral_node_inactivity_timeout: 30m
|
||||||
node_update_check_interval: 20s
|
node_update_check_interval: 20s
|
||||||
|
|
||||||
# SQLite config
|
# SQLite config
|
||||||
db_type: sqlite3
|
database:
|
||||||
|
type: sqlite
|
||||||
|
|
||||||
# For production:
|
gorm:
|
||||||
db_path: /var/lib/headscale/db.sqlite
|
# Enable prepared statements.
|
||||||
|
prepare_stmt: true
|
||||||
|
|
||||||
|
# Enable parameterized queries.
|
||||||
|
parameterized_queries: true
|
||||||
|
|
||||||
|
# Skip logging "record not found" errors.
|
||||||
|
skip_err_record_not_found: true
|
||||||
|
|
||||||
|
# Threshold for slow queries in milliseconds.
|
||||||
|
slow_threshold: 3000
|
||||||
|
|
||||||
|
sqlite:
|
||||||
|
path: /var/lib/headscale/db.sqlite
|
||||||
|
write_ahead_log: true
|
||||||
|
|
||||||
# # Postgres config
|
# # Postgres config
|
||||||
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
|
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
|
||||||
|
@ -188,7 +206,9 @@ log:
|
||||||
# Path to a file containg ACL policies.
|
# Path to a file containg ACL policies.
|
||||||
# ACLs can be defined as YAML or HUJSON.
|
# ACLs can be defined as YAML or HUJSON.
|
||||||
# https://tailscale.com/kb/1018/acls/
|
# https://tailscale.com/kb/1018/acls/
|
||||||
acl_policy_path: /etc/headscale/acls.json
|
policy:
|
||||||
|
mode: file
|
||||||
|
path: /etc/headscale/acls.json
|
||||||
|
|
||||||
## DNS
|
## DNS
|
||||||
#
|
#
|
||||||
|
@ -199,13 +219,13 @@ acl_policy_path: /etc/headscale/acls.json
|
||||||
# - https://tailscale.com/kb/1081/magicdns/
|
# - https://tailscale.com/kb/1081/magicdns/
|
||||||
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
|
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
|
||||||
#
|
#
|
||||||
dns_config:
|
dns:
|
||||||
# Whether to prefer using Headscale provided DNS or use local.
|
# Whether to prefer using Headscale provided DNS or use local.
|
||||||
override_local_dns: false
|
override_local_dns: false
|
||||||
|
|
||||||
# List of DNS servers to expose to clients.
|
# List of DNS servers to expose to clients.
|
||||||
nameservers:
|
nameservers:
|
||||||
- 1.1.1.1
|
global: []
|
||||||
|
|
||||||
# NextDNS (see https://tailscale.com/kb/1218/nextdns/).
|
# NextDNS (see https://tailscale.com/kb/1218/nextdns/).
|
||||||
# "abc123" is example NextDNS ID, replace with yours.
|
# "abc123" is example NextDNS ID, replace with yours.
|
||||||
|
@ -251,7 +271,7 @@ dns_config:
|
||||||
# `base_domain` must be a FQDNs, without the trailing dot.
|
# `base_domain` must be a FQDNs, without the trailing dot.
|
||||||
# The FQDN of the hosts will be
|
# The FQDN of the hosts will be
|
||||||
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
|
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
|
||||||
base_domain: headscale.jakehoward.tech
|
base_domain: hs.sys.theorangeone.net
|
||||||
|
|
||||||
# Unix socket used for the CLI to connect without authentication
|
# Unix socket used for the CLI to connect without authentication
|
||||||
# Note: for production you will want to set this to something like:
|
# Note: for production you will want to set this to something like:
|
||||||
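Review bot: Disabling the embedded DERP server and pointing `urls:` at Tailscale's public DERP map means any pair of nodes that cannot connect directly now relays via third-party servers; the tunnel remains end-to-end WireGuard, so this is an availability and metadata dependency rather than a confidentiality one, but it is a deliberate trust change worth a comment next to `enabled: false` explaining the trade-off. The `# SQLite config` comment is now stale above a `database:` block that selects the engine via `type: sqlite` and carries engine-neutral gorm settings; rewording it to `# Database config (engine selected by type)` avoids misleading a reader. `nameservers.global: []` with `override_local_dns: false` leaves clients on their own resolvers, which is consistent but should be what the coredns change elsewhere in this compare expects.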
|
|
|
@ -3,4 +3,3 @@
|
||||||
name: headscale
|
name: headscale
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
- name: Install Headscale
|
- name: Install Headscale
|
||||||
package:
|
package:
|
||||||
name: headscale
|
name: headscale
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install headscale config file
|
- name: Install headscale config file
|
||||||
template:
|
template:
|
||||||
|
@ -13,7 +12,6 @@
|
||||||
owner: headscale
|
owner: headscale
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
notify: restart headscale
|
notify: restart headscale
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install ACLs
|
- name: Install ACLs
|
||||||
template:
|
template:
|
||||||
|
@ -22,12 +20,10 @@
|
||||||
owner: headscale
|
owner: headscale
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
notify: restart headscale
|
notify: restart headscale
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nginx config
|
- name: Install nginx config
|
||||||
template:
|
template:
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/http.d/headscale.conf
|
dest: /etc/nginx/http.d/headscale.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
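Review bot: The `Install ACLs` template task has no `validate:` and only notifies `restart headscale`, so a policy file that fails to parse (a stray comma in the rendered HuJSON) is first noticed when headscale fails to come back up rather than failing the play before deployment. A validate step on the rendered file — at minimum a JSON parse, or the headscale CLI's policy check if the installed version provides one — would catch that, and the same applies to the config-file task above. If the deployed headscale can reload a file-mode policy on SIGHUP, a reload handler would also be less disruptive than a full restart for policy-only changes.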
|
|
|
@ -2,4 +2,3 @@
|
||||||
service:
|
service:
|
||||||
name: squid
|
name: squid
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,18 +1,15 @@
|
||||||
- name: Install squid
|
- name: Install squid
|
||||||
package:
|
package:
|
||||||
name: squid
|
name: squid
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Squid config
|
- name: Squid config
|
||||||
template:
|
template:
|
||||||
src: files/squid.conf
|
src: files/squid.conf
|
||||||
dest: /etc/squid/squid.conf
|
dest: /etc/squid/squid.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
notify: restart squid
|
notify: restart squid
|
||||||
|
|
||||||
- name: Enable squid
|
- name: Enable squid
|
||||||
service:
|
service:
|
||||||
name: squid
|
name: squid
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
|
@ -2,13 +2,11 @@
|
||||||
service:
|
service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: reload nginx
|
- name: reload nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: reloaded
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: reload nftables
|
- name: reload nftables
|
||||||
command:
|
command:
|
||||||
|
@ -16,4 +14,3 @@
|
||||||
- nft
|
- nft
|
||||||
- -f
|
- -f
|
||||||
- /etc/nftables.conf
|
- /etc/nftables.conf
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
- name: Install nftables
|
- name: Install nftables
|
||||||
package:
|
package:
|
||||||
name: nftables
|
name: nftables
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Copy firewall config
|
- name: Copy firewall config
|
||||||
template:
|
template:
|
||||||
|
@ -9,7 +8,6 @@
|
||||||
dest: /etc/nftables.conf
|
dest: /etc/nftables.conf
|
||||||
validate: nft -c -f %s
|
validate: nft -c -f %s
|
||||||
mode: "644"
|
mode: "644"
|
||||||
become: true
|
|
||||||
notify: reload nftables
|
notify: reload nftables
|
||||||
|
|
||||||
- name: Enable nftables
|
- name: Enable nftables
|
||||||
|
@ -17,4 +15,3 @@
|
||||||
name: nftables
|
name: nftables
|
||||||
enabled: true
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
become: true
|
|
||||||
|
|
|
@ -3,5 +3,4 @@
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/stream.d/ingress.conf
|
dest: /etc/nginx/stream.d/ingress.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
- name: Install Wireguard
|
- name: Install Wireguard
|
||||||
package:
|
package:
|
||||||
name:
|
name: wireguard
|
||||||
- wireguard
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Get wireguard credentials
|
- name: Get wireguard credentials
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -14,14 +12,12 @@
|
||||||
dest: /etc/wireguard/wg0.conf
|
dest: /etc/wireguard/wg0.conf
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
backup: true
|
backup: true
|
||||||
become: true
|
|
||||||
notify: restart wireguard
|
notify: restart wireguard
|
||||||
|
|
||||||
- name: Enable wireguard
|
- name: Enable wireguard
|
||||||
service:
|
service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Enable p2p communication
|
- name: Enable p2p communication
|
||||||
sysctl:
|
sysctl:
|
||||||
|
@ -31,4 +27,3 @@
|
||||||
state: present
|
state: present
|
||||||
reload: true
|
reload: true
|
||||||
sysctl_file: /etc/sysctl.d/99-sysctl.conf
|
sysctl_file: /etc/sysctl.d/99-sysctl.conf
|
||||||
become: true
|
|
||||||
|
|
|
@ -2,23 +2,19 @@
|
||||||
ansible.builtin.apt_key:
|
ansible.builtin.apt_key:
|
||||||
url: https://repo.jellyfin.org/jellyfin_team.gpg.key
|
url: https://repo.jellyfin.org/jellyfin_team.gpg.key
|
||||||
state: present
|
state: present
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add Jellyfin repository
|
- name: Add Jellyfin repository
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
|
repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
|
||||||
filename: jellyfin
|
filename: jellyfin
|
||||||
state: present
|
state: present
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install jellyfin
|
- name: Install jellyfin
|
||||||
package:
|
package:
|
||||||
name: jellyfin
|
name: jellyfin
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Set media dir permissions
|
- name: Set media dir permissions
|
||||||
cron:
|
cron:
|
||||||
name: Set media permissions
|
name: Set media permissions
|
||||||
special_time: daily
|
special_time: daily
|
||||||
job: chown -R jellyfin:jellyfin /mnt/media
|
job: chown -R jellyfin:jellyfin /mnt/media
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,19 +1,22 @@
|
||||||
services:
|
services:
|
||||||
mastodon:
|
mastodon:
|
||||||
image: lscr.io/linuxserver/mastodon:4.2.12
|
image: lscr.io/linuxserver/mastodon:4.3.1
|
||||||
environment:
|
environment:
|
||||||
- TZ={{ timezone }}
|
- TZ={{ timezone }}
|
||||||
- PUID={{ docker_user.id }}
|
- PUID={{ docker_user.id }}
|
||||||
- PGID={{ docker_user.id }}
|
- PGID={{ docker_user.id }}
|
||||||
- LOCAL_DOMAIN=theorangeone.net
|
- LOCAL_DOMAIN=theorangeone.net
|
||||||
- WEB_DOMAIN=mastodon.theorangeone.net
|
- WEB_DOMAIN=mastodon.theorangeone.net
|
||||||
- DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
|
- DATABASE_URL=postgresql://mastodon:mastodon@db:5432/mastodon
|
||||||
- REDIS_URL=redis://redis
|
- REDIS_URL=redis://redis
|
||||||
- SIDEKIQ_REDIS_URL=redis://redis/1
|
- SIDEKIQ_REDIS_URL=redis://redis/1
|
||||||
- SECRET_KEY_BASE={{ vault_secret_key_base }}
|
- SECRET_KEY_BASE={{ vault_secret_key_base }}
|
||||||
- OTP_SECRET={{ vault_otp_secret }}
|
- OTP_SECRET={{ vault_otp_secret }}
|
||||||
- VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
|
- VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
|
||||||
- VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
|
- VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
|
||||||
|
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ vault_active_record_encryption_deterministic_key }}
|
||||||
|
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ vault_active_record_encryption_key_derivation_salt }}
|
||||||
|
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ vault_active_record_encryption_primary_key }}
|
||||||
- SINGLE_USER_MODE=true
|
- SINGLE_USER_MODE=true
|
||||||
- DEFAULT_LOCALE=en
|
- DEFAULT_LOCALE=en
|
||||||
- STREAMING_CLUSTER_NUM=1
|
- STREAMING_CLUSTER_NUM=1
|
||||||
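Review bot: The rewritten `DATABASE_URL` still embeds the static credential `mastodon:mastodon` while every other secret on this service comes from the vault, so the database password is the one secret readable from the repository. Move it to a vault variable like the neighbouring `ACTIVE_RECORD_ENCRYPTION_*` entries, e.g. `- DATABASE_URL=postgresql://mastodon:{{ vault_db_password }}@db:5432/mastodon` (variable name constructed here), and set the matching value on the database service, which is outside this hunk. Since these are `environment:` entries, all vault values are also visible through the daemon to anyone who can inspect the container — pre-existing, but worth bearing in mind given the socket-proxies introduced elsewhere in this compare.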
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart mastodon
|
notify: restart mastodon
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install media cleanup script
|
- name: Install media cleanup script
|
||||||
template:
|
template:
|
||||||
|
@ -25,7 +23,6 @@
|
||||||
dest: /opt/mastodon/purge-media.sh
|
dest: /opt/mastodon/purge-media.sh
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Schedule media cleanup
|
- name: Schedule media cleanup
|
||||||
cron:
|
cron:
|
||||||
|
@ -35,4 +32,3 @@
|
||||||
weekday: 1
|
weekday: 1
|
||||||
job: /opt/mastodon/purge-media.sh
|
job: /opt/mastodon/purge-media.sh
|
||||||
user: "{{ me.user }}"
|
user: "{{ me.user }}"
|
||||||
become: true
|
|
||||||
|
|
70
ansible/roles/mastodon/vars/vault.yml
generated
70
ansible/roles/mastodon/vars/vault.yml
generated
|
@ -1,30 +1,42 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
63646161653431383335313735643535313434613362343161373961633539373932313338343633
|
61313731363564306234653163633231356330313936636631393536356434396530643065333731
|
||||||
6637323935616636353731336531663635656532383166640a633335666633363136333433343266
|
3534663665643665613164343931646262643231356337350a333262356130636265643465323263
|
||||||
37383237623837616464613561633931613230623633313533393464646464646566366330323365
|
34333463353131323930636566633462613561333733636230363066343834316664363036346635
|
||||||
6563396262363238320a303433636266616635313536396132366239343230656432626639653230
|
6666363330383337340a316635663663343034613039353835633035633036646131303365626466
|
||||||
63336165323337393664373635616532643935343363303766376533366661663366623939653564
|
38636438323537303134356162633666376236346635366161356430376366626637343362363039
|
||||||
35363335396266363532653038623038383836383236366466366339343433393338343566653834
|
33356332333362363834373137633130306161393430393830643363636463633234646634306265
|
||||||
30393761626537313531346466373136666565653731663430376664353737663039643263303533
|
34366438333132633937303661356134383831373765306339363161643132393737356434653832
|
||||||
35663836626462333262356330616131316432326139616165363831393036343235663736626661
|
31346166333539643161346130386565376630333435376661343666636239666138316337633463
|
||||||
35666264346563306133306565636261633766616135616366376430643763333031353534373033
|
37633237393063313633393732616364653930353661366136346139663030393530383533646265
|
||||||
35373739333562313639376264343562363130373531313563643834613533653034316536323339
|
34393236643439316364376236373431643536333561613135616338643538313238303530356136
|
||||||
39646337376462656362666330643831653730393562316661326433633334353963306664396264
|
34393864323365633166643434363262346233393938313463643162343761643831373639313830
|
||||||
30373238653832613861633263383663616538366361336163373861613538613132353963373666
|
31363837393934333064316463313562393939613034653762303764333730353165623765653430
|
||||||
34376464333462633839396263396335613233356261666661313763333033376434626463663133
|
32383961353162306431393331643262353635383761663330323239383732346535636138636634
|
||||||
32646130333635656665396335393232346661303861626566663931303637653065313031323936
|
64616631373765393033306562343433373733646331643930373663323837393438643331663062
|
||||||
64333931393165343761376630666462343136353335343632323435306261633232633662353137
|
39323564376436353032303362653261363730383062346664663462656230613238303430303561
|
||||||
32323863343365623566316537343062393638393434323134633535313531333135666535323439
|
63663461376139616237333864643461343130326637616264353132613930306238613634343636
|
||||||
35613439373737396562613834373638356534326438646330663564366436333962626135363833
|
62393835393336646133616438336266653762366163623032323131656638393234383532333237
|
||||||
63653731383163653932383632306239663365323237363562306639643662393530633430386164
|
34333030356638326139333636343865636335333665656534656466333135663562303637333136
|
||||||
61613137663734636666633966663366393832353166343239656335396630323138366338616430
|
62386134633330663364323730646134383534623835636633653236653232393232653163613435
|
||||||
37653036303735383664656530626630616437373762343263643661343464326466353234316363
|
64663437383233323435386163653933383634666630383862323831316166353837323461333961
|
||||||
64643733363435656365343537626364643430316630663666373932663564623835646336633034
|
39626563323364653731316361333534616361366435643266626164666463613836336639373835
|
||||||
65646264346439356161353838353064626230636664373035336433356530326632613035316434
|
64393038336333356431326532626463333332373465613364386461623533646266626264383332
|
||||||
31613434366530323263383337316432316432373835343164313963643733626362393334623266
|
61393338663162343831616566346133646166353431396139393237356332616437353538313236
|
||||||
65356131626135336337383139643838333134616137366530353730646634633364353333646563
|
35323263383036623761643430336462656430356164313561663437383530346434306438386533
|
||||||
66333134616639363932613238346538623764663831353031383834613230393936386432623434
|
34366262663261636365323235326532393436333962383032353236323761373239613836646564
|
||||||
37393935346238633338323432613638616466623264656434393761623363356330623632323261
|
33316433656636313261653364663966633431663762363133666631653835386131643061626161
|
||||||
36393064316263666432663633323535363035323535653834323064383437343530306166306239
|
39633065326130643134343139363266363362393938623261646231333833643034633638386162
|
||||||
37316236313533393062623066336561373138636339393631313866303433643832383230656532
|
37376263613839353365336563623830333338373339393830323834326234373833336237326365
|
||||||
3137
|
63366664323136303638643237366265653235363266333738343437313636663163663134363262
|
||||||
|
32663533363539313238663237366330633738613733363932653031356263643935666166363536
|
||||||
|
61383532373565383730363662613533333265636361333230333233396534353337653662363065
|
||||||
|
38393937396337633430303831353831376666623061356239363534333537323662306530303639
|
||||||
|
65303735343431623561356361373330343033643130393235336535623530303236356432353834
|
||||||
|
62376163646362616465643730353866333464666365336336383466653462346334646231633736
|
||||||
|
62336132343737303061396636313334333538396333626263396361386631313730363766653530
|
||||||
|
66663461616530326261343931343330313836633966646661626361643064316261313234386635
|
||||||
|
30306534396136656432653236343337656433396337393064313466653165396562393665363938
|
||||||
|
63393232646164333263313136303236353465636139376232626563613835303561653935316332
|
||||||
|
61373432613632663366383933343839363765396637306339363162616237366361306237336464
|
||||||
|
37353336306536396466356432393766623061363938633736323431313237663464646364666131
|
||||||
|
3737
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,4 +16,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart minio
|
notify: restart minio
|
||||||
become: true
|
|
||||||
|
|
|
@ -2,4 +2,3 @@
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: reloaded
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
- name: Install nginx
|
- name: Install nginx
|
||||||
package:
|
package:
|
||||||
name: nginx
|
name: nginx
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nginx modules
|
- name: Install nginx modules
|
||||||
package:
|
package:
|
||||||
|
@ -11,7 +10,6 @@
|
||||||
- libnginx-mod-http-brotli-filter
|
- libnginx-mod-http-brotli-filter
|
||||||
- libnginx-mod-stream
|
- libnginx-mod-stream
|
||||||
when: ansible_os_family != 'Archlinux'
|
when: ansible_os_family != 'Archlinux'
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nginx modules (on Arch)
|
- name: Install nginx modules (on Arch)
|
||||||
kewlfft.aur.aur:
|
kewlfft.aur.aur:
|
||||||
|
@ -20,12 +18,10 @@
|
||||||
- nginx-mod-headers-more
|
- nginx-mod-headers-more
|
||||||
- nginx-mod-brotli
|
- nginx-mod-brotli
|
||||||
when: ansible_os_family == 'Archlinux'
|
when: ansible_os_family == 'Archlinux'
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Generate Diffie-Hellman parameters
|
- name: Generate Diffie-Hellman parameters
|
||||||
community.crypto.openssl_dhparam:
|
community.crypto.openssl_dhparam:
|
||||||
path: /etc/nginx/dhparams.pem
|
path: /etc/nginx/dhparams.pem
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create config directories
|
- name: Create config directories
|
||||||
file:
|
file:
|
||||||
|
@ -36,7 +32,6 @@
|
||||||
- http.d
|
- http.d
|
||||||
- stream.d
|
- stream.d
|
||||||
- includes
|
- includes
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Copy config files
|
- name: Copy config files
|
||||||
template:
|
template:
|
||||||
|
@ -44,7 +39,6 @@
|
||||||
dest: /etc/nginx/includes/{{ item | basename }}
|
dest: /etc/nginx/includes/{{ item | basename }}
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
with_fileglob: files/includes/*.conf
|
with_fileglob: files/includes/*.conf
|
||||||
become: true
|
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
||||||
- name: Install config
|
- name: Install config
|
||||||
|
@ -52,7 +46,6 @@
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/nginx.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
||||||
- name: Install HTTPS redirect
|
- name: Install HTTPS redirect
|
||||||
|
@ -60,6 +53,5 @@
|
||||||
src: files/nginx-https-redirect.conf
|
src: files/nginx-https-redirect.conf
|
||||||
dest: /etc/nginx/http.d/https-redirect.conf
|
dest: /etc/nginx/http.d/https-redirect.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
when: nginx_https_redirect
|
when: nginx_https_redirect
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,4 +16,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart ntfy
|
notify: restart ntfy
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,18 +1,15 @@
|
||||||
- name: Install Pacman utils
|
- name: Install Pacman utils
|
||||||
package:
|
package:
|
||||||
name: pacman-contrib
|
name: pacman-contrib
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create hooks directory
|
- name: Create hooks directory
|
||||||
file:
|
file:
|
||||||
path: /etc/pacman.d/hooks/
|
path: /etc/pacman.d/hooks/
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install pacman hook
|
- name: Install pacman hook
|
||||||
template:
|
template:
|
||||||
src: files/paccache.hook
|
src: files/paccache.hook
|
||||||
dest: /etc/pacman.d/hooks/clean_package_cache.hook
|
dest: /etc/pacman.d/hooks/clean_package_cache.hook
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install clickhouse config
|
- name: Install clickhouse config
|
||||||
template:
|
template:
|
||||||
|
@ -15,7 +14,6 @@
|
||||||
dest: /opt/plausible/docker_related_config.xml
|
dest: /opt/plausible/docker_related_config.xml
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart plausible
|
notify: restart plausible
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install clickhouse user config
|
- name: Install clickhouse user config
|
||||||
template:
|
template:
|
||||||
|
@ -23,7 +21,6 @@
|
||||||
dest: /opt/plausible/docker_related_user_config.xml
|
dest: /opt/plausible/docker_related_user_config.xml
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart plausible
|
notify: restart plausible
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -33,7 +30,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart plausible
|
notify: restart plausible
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nginx config
|
- name: Install nginx config
|
||||||
template:
|
template:
|
||||||
|
@ -41,7 +37,6 @@
|
||||||
dest: /etc/nginx/http.d/plausible.conf
|
dest: /etc/nginx/http.d/plausible.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
become: true
|
|
||||||
vars:
|
vars:
|
||||||
server_name: plausible.theorangeone.net elbisualp.theorangeone.net
|
server_name: plausible.theorangeone.net elbisualp.theorangeone.net
|
||||||
upstream: plausible-plausible-1.docker:8000
|
upstream: plausible-plausible-1.docker:8000
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,7 +13,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart privatebin
|
notify: restart privatebin
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install config file
|
- name: Install config file
|
||||||
template:
|
template:
|
||||||
|
@ -23,4 +21,3 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart privatebin
|
notify: restart privatebin
|
||||||
become: true
|
|
||||||
|
|
|
@ -8,7 +8,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install grafana compose file
|
- name: Install grafana compose file
|
||||||
template:
|
template:
|
||||||
|
@ -18,4 +17,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart grafana
|
notify: restart grafana
|
||||||
become: true
|
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
- "{{ vps_hosts.private_ipv6_range }}"
|
- "{{ vps_hosts.private_ipv6_range }}"
|
||||||
register: routes
|
register: routes
|
||||||
changed_when: false
|
changed_when: false
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add route to private services via ingress
|
- name: Add route to private services via ingress
|
||||||
command:
|
command:
|
||||||
|
@ -31,5 +30,4 @@
|
||||||
- "{{ pve_hosts.ingress.ipv6 }}"
|
- "{{ pve_hosts.ingress.ipv6 }}"
|
||||||
- dev
|
- dev
|
||||||
- eth0
|
- eth0
|
||||||
become: true
|
|
||||||
when: vps_hosts.private_ipv6_marker not in routes.stdout
|
when: vps_hosts.private_ipv6_marker not in routes.stdout
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install prometheus config
|
- name: Install prometheus config
|
||||||
template:
|
template:
|
||||||
|
@ -13,7 +12,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: reload prometheus
|
notify: reload prometheus
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install prometheus compose file
|
- name: Install prometheus compose file
|
||||||
template:
|
template:
|
||||||
|
@ -23,7 +21,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart prometheus
|
notify: restart prometheus
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install blackbox config
|
- name: Install blackbox config
|
||||||
template:
|
template:
|
||||||
|
@ -32,7 +29,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart prometheus
|
notify: restart prometheus
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install alertmanager config
|
- name: Install alertmanager config
|
||||||
template:
|
template:
|
||||||
|
@ -41,7 +37,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart prometheus
|
notify: restart prometheus
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install prometheus alert rules
|
- name: Install prometheus alert rules
|
||||||
copy:
|
copy:
|
||||||
|
@ -50,4 +45,3 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: reload prometheus
|
notify: reload prometheus
|
||||||
become: true
|
|
||||||
|
|
|
@ -19,7 +19,7 @@ $CONFIG = array (
|
||||||
0 => 'intersect.jakehoward.tech',
|
0 => 'intersect.jakehoward.tech',
|
||||||
),
|
),
|
||||||
'dbtype' => 'mysql',
|
'dbtype' => 'mysql',
|
||||||
'version' => '29.0.4.1',
|
'version' => '30.0.1.2',
|
||||||
'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
|
'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
|
||||||
'dbname' => 'nextcloud',
|
'dbname' => 'nextcloud',
|
||||||
'dbhost' => 'mariadb',
|
'dbhost' => 'mariadb',
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
nextcloud:
|
nextcloud:
|
||||||
image: lscr.io/linuxserver/nextcloud:29.0.4
|
image: lscr.io/linuxserver/nextcloud:30.0.1
|
||||||
environment:
|
environment:
|
||||||
- PUID={{ docker_user.id }}
|
- PUID={{ docker_user.id }}
|
||||||
- PGID={{ docker_user.id }}
|
- PGID={{ docker_user.id }}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
wallabag:
|
wallabag:
|
||||||
image: wallabag/wallabag:2.6.9
|
image: wallabag/wallabag:2.6.10
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
environment:
|
environment:
|
||||||
- SYMFONY__ENV__SECRET={{ wallabag_secret }}
|
- SYMFONY__ENV__SECRET={{ wallabag_secret }}
|
||||||
|
|
|
@ -4,7 +4,7 @@ services:
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- traefik.enable=true
|
||||||
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
|
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`) || Host(`who.0rng.one`)
|
||||||
|
|
||||||
- traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
|
- traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
|
||||||
- traefik.http.routers.whoami-private.middlewares=tailscale-only@file
|
- traefik.http.routers.whoami-private.middlewares=tailscale-only@file
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install calibre compose file
|
- name: Install calibre compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,7 +13,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart calibre
|
- name: restart calibre
|
||||||
shell:
|
shell:
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install librespeed compose file
|
- name: Install librespeed compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart librespeed
|
- name: restart librespeed
|
||||||
shell:
|
shell:
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nextcloud compose file
|
- name: Install nextcloud compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nextcloud config
|
- name: Install nextcloud config
|
||||||
template:
|
template:
|
||||||
|
@ -26,7 +24,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
register: config_file
|
register: config_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install occ script
|
- name: Install occ script
|
||||||
template:
|
template:
|
||||||
|
@ -34,7 +31,6 @@
|
||||||
dest: /opt/nextcloud/occ
|
dest: /opt/nextcloud/occ
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart nextcloud
|
- name: restart nextcloud
|
||||||
shell:
|
shell:
|
||||||
|
@ -47,4 +43,3 @@
|
||||||
name: Set nextcloud data permissions
|
name: Set nextcloud data permissions
|
||||||
special_time: daily
|
special_time: daily
|
||||||
job: chown -R {{ docker_user.name }}:{{ docker_user.name }} /mnt/tank/files/nextcloud
|
job: chown -R {{ docker_user.name }}:{{ docker_user.name }} /mnt/tank/files/nextcloud
|
||||||
become: true
|
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install quassel compose file
|
- name: Install quassel compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,7 +13,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart quassel
|
- name: restart quassel
|
||||||
shell:
|
shell:
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install synapse compose file
|
- name: Install synapse compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install synapse config
|
- name: Install synapse config
|
||||||
template:
|
template:
|
||||||
|
@ -26,7 +24,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
register: homeserver_config
|
register: homeserver_config
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart synapse
|
- name: restart synapse
|
||||||
shell:
|
shell:
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create tt-rss plugins directory
|
- name: Create tt-rss plugins directory
|
||||||
file:
|
file:
|
||||||
|
@ -13,7 +12,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
register: plugins_dir
|
register: plugins_dir
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install tt-rss compose file
|
- name: Install tt-rss compose file
|
||||||
template:
|
template:
|
||||||
|
@ -23,7 +21,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install fever plugin
|
- name: Install fever plugin
|
||||||
git:
|
git:
|
||||||
|
@ -41,7 +38,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: u=rwX,g=rwX,o=rX
|
mode: u=rwX,g=rwX,o=rX
|
||||||
recurse: true
|
recurse: true
|
||||||
become: true
|
|
||||||
when: fever_plugin.changed
|
when: fever_plugin.changed
|
||||||
|
|
||||||
- name: restart tt-rss
|
- name: restart tt-rss
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install wallabag compose file
|
- name: Install wallabag compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart wallabag
|
- name: restart wallabag
|
||||||
shell:
|
shell:
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install whoami compose file
|
- name: Install whoami compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,7 +13,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
register: compose_file
|
register: compose_file
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart whoami
|
- name: restart whoami
|
||||||
shell:
|
shell:
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
- "{{ tailscale_cidr }}"
|
- "{{ tailscale_cidr }}"
|
||||||
register: routes
|
register: routes
|
||||||
changed_when: false
|
changed_when: false
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add route to tailscale hosts via ingress
|
- name: Add route to tailscale hosts via ingress
|
||||||
command:
|
command:
|
||||||
|
@ -18,5 +17,4 @@
|
||||||
- "{{ tailscale_cidr }}"
|
- "{{ tailscale_cidr }}"
|
||||||
- via
|
- via
|
||||||
- "{{ pve_hosts.ingress.ip }}"
|
- "{{ pve_hosts.ingress.ip }}"
|
||||||
become: true
|
|
||||||
when: tailscale_cidr not in routes.stdout
|
when: tailscale_cidr not in routes.stdout
|
||||||
|
|
|
@ -2,10 +2,8 @@
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: reloaded
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: restart qbittorrent
|
- name: restart qbittorrent
|
||||||
service:
|
service:
|
||||||
name: qbittorrent-nox@{{ qbittorrent_user.name }}
|
name: qbittorrent-nox@{{ qbittorrent_user.name }}
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
|
||||||
|
|
|
@ -3,5 +3,4 @@
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/http.d/downloads.conf
|
dest: /etc/nginx/http.d/downloads.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
|
@ -1,20 +1,17 @@
|
||||||
- name: Install qbittorrent
|
- name: Install qbittorrent
|
||||||
package:
|
package:
|
||||||
name: qbittorrent-nox
|
name: qbittorrent-nox
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create user
|
- name: Create user
|
||||||
user:
|
user:
|
||||||
name: qbittorrent
|
name: qbittorrent
|
||||||
system: true
|
system: true
|
||||||
become: true
|
|
||||||
register: qbittorrent_user
|
register: qbittorrent_user
|
||||||
|
|
||||||
- name: Enable service
|
- name: Enable service
|
||||||
service:
|
service:
|
||||||
name: qbittorrent-nox@{{ qbittorrent_user.name }}
|
name: qbittorrent-nox@{{ qbittorrent_user.name }}
|
||||||
enabled: true
|
enabled: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Set configuration
|
- name: Set configuration
|
||||||
ini_file:
|
ini_file:
|
||||||
|
@ -42,5 +39,4 @@
|
||||||
- {section: Preferences, option: Bittorrent\MaxConnecsPerTorrent, value: -1"}
|
- {section: Preferences, option: Bittorrent\MaxConnecsPerTorrent, value: -1"}
|
||||||
- {section: Preferences, option: Bittorrent\MaxUploads, value: -1"}
|
- {section: Preferences, option: Bittorrent\MaxUploads, value: -1"}
|
||||||
- {section: Preferences, option: Bittorrent\MaxUploadsPerTorrent, value: -1"}
|
- {section: Preferences, option: Bittorrent\MaxUploadsPerTorrent, value: -1"}
|
||||||
become: true
|
|
||||||
notify: restart qbittorrent
|
notify: restart qbittorrent
|
||||||
|
|
|
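Review bot: The last three `ini_file` entries of the `Set configuration` task are rendered here as `value: -1"}`; if the source really carries that unbalanced quote, YAML reads the plain flow scalar as the string `-1"`, so qBittorrent.conf ends up with `-1"` rather than `-1` and the setting is unlikely to be treated as unlimited. Either drop the stray quote or quote the whole value, e.g. `- {section: Preferences, option: Bittorrent\MaxUploads, value: "-1"}`, and do the same for the `MaxConnecsPerTorrent` and `MaxUploadsPerTorrent` entries. This is pre-existing rather than introduced by the commit, which only removes `become: true` here; the task starts outside the hunk.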
@ -9,6 +9,9 @@ services:
|
||||||
- DOCKER_HOST=tcp://docker_proxy:2375
|
- DOCKER_HOST=tcp://docker_proxy:2375
|
||||||
- LOG_LEVEL=debug # Noisy, but required for debugging
|
- LOG_LEVEL=debug # Noisy, but required for debugging
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- default
|
||||||
|
- renovate_private
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis
|
- redis
|
||||||
- docker_proxy
|
- docker_proxy
|
||||||
|
@ -33,5 +36,13 @@ services:
|
||||||
- IMAGES=1
|
- IMAGES=1
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
networks:
|
||||||
|
- renovate_private
|
||||||
|
tmpfs:
|
||||||
|
- /run
|
||||||
logging:
|
logging:
|
||||||
driver: none
|
driver: none
|
||||||
|
|
||||||
|
networks:
|
||||||
|
renovate_private:
|
||||||
|
internal: true
|
||||||
|
|
|
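Review bot: Putting the socket-proxy service (presumably `docker_proxy`, given the `DOCKER_HOST` value and `depends_on` in the first hunk) on the new `internal: true` network is a good containment step, but the `:ro` on the `/var/run/docker.sock` bind mount just above it gives no protection of its own — a read-only bind mount does not stop requests sent over the socket, so the proxy's allow-list (`IMAGES=1`) and the internal network are the actual boundary. Worth a comment so the next reader does not rely on the mount flag: `# :ro only affects the mount; API exposure is limited by the proxy's allow-list (IMAGES=1) and the internal network`. Renovate itself stays on `default` as well as `renovate_private`, which it needs for outbound access, so only the proxy is fully isolated. The `services` mapping starts before and ends after these hunks.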
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart renovate
|
notify: restart renovate
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install config file
|
- name: Install config file
|
||||||
template:
|
template:
|
||||||
|
@ -26,7 +24,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart renovate
|
notify: restart renovate
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install custom entrypoint
|
- name: Install custom entrypoint
|
||||||
template:
|
template:
|
||||||
|
@ -35,4 +32,3 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart renovate
|
notify: restart renovate
|
||||||
become: true
|
|
||||||
|
|
|
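Review bot: Dropping `become: true` from every task here (all four hunks) is only safe if privilege escalation is now enabled globally, which this file does not show; the side effect of a global `become` is that every task in the role, including any that previously ran as the connecting user, now runs as root, and `validate: docker-compose -f %s config` on the compose template runs as root as well. If that is the intent, a header comment such as `# become is enabled globally in ansible.cfg; a task that must NOT run as root needs an explicit become: false` at the top of the file makes the dependency visible to the next reader, and any task meant to stay unprivileged should be pinned with `become: false`.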
@ -1,21 +1,18 @@
|
||||||
- name: Install CIFS utils
|
- name: Install CIFS utils
|
||||||
package:
|
package:
|
||||||
name: cifs-utils
|
name: cifs-utils
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create dir for CIFS mount
|
- name: Create dir for CIFS mount
|
||||||
file:
|
file:
|
||||||
path: /mnt/home-assistant
|
path: /mnt/home-assistant
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create dir for each CIFS mount
|
- name: Create dir for each CIFS mount
|
||||||
file:
|
file:
|
||||||
path: /mnt/home-assistant/{{ item }}
|
path: /mnt/home-assistant/{{ item }}
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
loop: "{{ restic_homeassistant_mounts }}"
|
loop: "{{ restic_homeassistant_mounts }}"
|
||||||
|
|
||||||
- name: Create mounts
|
- name: Create mounts
|
||||||
|
@ -25,5 +22,4 @@
|
||||||
opts: username=homeassistant,password={{ vault_homeassistant_smb_password }}
|
opts: username=homeassistant,password={{ vault_homeassistant_smb_password }}
|
||||||
src: //{{ pve_hosts.homeassistant.ip }}/{{ item }}
|
src: //{{ pve_hosts.homeassistant.ip }}/{{ item }}
|
||||||
state: mounted
|
state: mounted
|
||||||
become: true
|
|
||||||
loop: "{{ restic_homeassistant_mounts }}"
|
loop: "{{ restic_homeassistant_mounts }}"
|
||||||
|
|
|
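Review bot: `opts: username=homeassistant,password={{ vault_homeassistant_smb_password }}` in the `Create mounts` task passes the SMB password as a mount option, so it lands on the mount command line and, because `state: mounted` also persists the entry to fstab by default, in the world-readable `/etc/fstab`. Moving the credentials into a root-only file and referencing it with `credentials=` keeps the secret out of both places, and `no_log: true` on the task that writes that file keeps it out of play output. The opening lines of the mount task sit between the two hunks, so only the `opts:` line is shown rewritten below.
```yaml
- name: Install CIFS credentials
  copy:
    dest: /root/.smbcredentials-homeassistant
    content: |
      username=homeassistant
      password={{ vault_homeassistant_smb_password }}
    owner: root
    mode: "0600"
  no_log: true

# … unchanged: Create mounts task up to its opts line …
    opts: credentials=/root/.smbcredentials-homeassistant
```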
@ -1,19 +1,16 @@
|
||||||
- name: Install restic
|
- name: Install restic
|
||||||
package:
|
package:
|
||||||
name: restic
|
name: restic
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install runitor
|
- name: Install runitor
|
||||||
kewlfft.aur.aur:
|
kewlfft.aur.aur:
|
||||||
name: runitor-bin
|
name: runitor-bin
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Make user
|
- name: Make user
|
||||||
user:
|
user:
|
||||||
name: restic
|
name: restic
|
||||||
shell: /bin/nologin
|
shell: /bin/nologin
|
||||||
system: false
|
system: false
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install scripts
|
- name: Install scripts
|
||||||
template:
|
template:
|
||||||
|
@ -25,7 +22,6 @@
|
||||||
- backrest.sh
|
- backrest.sh
|
||||||
- restic-backup.sh
|
- restic-backup.sh
|
||||||
- restic-forget.sh
|
- restic-forget.sh
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install includes files
|
- name: Install includes files
|
||||||
copy:
|
copy:
|
||||||
|
@ -33,7 +29,6 @@
|
||||||
dest: /home/restic/restic-include.txt
|
dest: /home/restic/restic-include.txt
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: restic
|
owner: restic
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install excludes files
|
- name: Install excludes files
|
||||||
copy:
|
copy:
|
||||||
|
@ -41,7 +36,6 @@
|
||||||
dest: /home/restic/restic-excludes.txt
|
dest: /home/restic/restic-excludes.txt
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: restic
|
owner: restic
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Set restic binary permissions
|
- name: Set restic binary permissions
|
||||||
file:
|
file:
|
||||||
|
@ -49,13 +43,11 @@
|
||||||
mode: "0750"
|
mode: "0750"
|
||||||
owner: root
|
owner: root
|
||||||
group: restic
|
group: restic
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Set cap_sys_chroot=+ep on restic
|
- name: Set cap_sys_chroot=+ep on restic
|
||||||
community.general.capabilities:
|
community.general.capabilities:
|
||||||
path: /usr/bin/restic
|
path: /usr/bin/restic
|
||||||
capability: cap_dac_read_search=+ep
|
capability: cap_dac_read_search=+ep
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Schedule backup
|
- name: Schedule backup
|
||||||
cron:
|
cron:
|
||||||
|
@ -64,7 +56,6 @@
|
||||||
minute: 0
|
minute: 0
|
||||||
job: CHECK_UUID={{ vault_restic_healthchecks_id }} /usr/bin/runitor -- /home/restic/restic-backup.sh
|
job: CHECK_UUID={{ vault_restic_healthchecks_id }} /usr/bin/runitor -- /home/restic/restic-backup.sh
|
||||||
user: restic
|
user: restic
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Schedule forget
|
- name: Schedule forget
|
||||||
cron:
|
cron:
|
||||||
|
@ -74,7 +65,6 @@
|
||||||
weekday: 0
|
weekday: 0
|
||||||
job: CHECK_UUID={{ vault_restic_forget_healthchecks_id }} /usr/bin/runitor -- /home/restic/restic-forget.sh
|
job: CHECK_UUID={{ vault_restic_forget_healthchecks_id }} /usr/bin/runitor -- /home/restic/restic-forget.sh
|
||||||
user: restic
|
user: restic
|
||||||
become: true
|
|
||||||
when: restic_forget
|
when: restic_forget
|
||||||
|
|
||||||
- name: Install pacman post script
|
- name: Install pacman post script
|
||||||
|
@ -82,7 +72,6 @@
|
||||||
src: files/restic-post.sh
|
src: files/restic-post.sh
|
||||||
dest: /usr/share/libalpm/scripts/restic-post.sh
|
dest: /usr/share/libalpm/scripts/restic-post.sh
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
become: true
|
|
||||||
when: ansible_os_family == 'Archlinux'
|
when: ansible_os_family == 'Archlinux'
|
||||||
|
|
||||||
- name: Install pacman post hook
|
- name: Install pacman post hook
|
||||||
|
@ -90,7 +79,6 @@
|
||||||
src: files/restic-post.hook
|
src: files/restic-post.hook
|
||||||
dest: /usr/share/libalpm/hooks/restic-post.hook
|
dest: /usr/share/libalpm/hooks/restic-post.hook
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
when: ansible_os_family == 'Archlinux'
|
when: ansible_os_family == 'Archlinux'
|
||||||
|
|
||||||
- name: Install HomeAssistant mounts
|
- name: Install HomeAssistant mounts
|
||||||
|
|
|
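Review bot: The task name `Set cap_sys_chroot=+ep on restic` does not match what the task sets, `capability: cap_dac_read_search=+ep`, and that capability deserves a why-comment because, together with the preceding `mode: "0750"` / `group: restic` on the binary, it lets any process running in the restic group bypass read-permission checks on every file on the host. Rename it to `- name: Set cap_dac_read_search=+ep on restic` and add above it `# Lets the unprivileged restic user read all files for backups; 0750 root:restic keeps other users off the capable binary`. The pacman hook installed later in this file presumably exists to re-apply the capability after a package upgrade replaces the binary; a one-line comment on that task saying so would tie the two together.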
@ -4,12 +4,10 @@
|
||||||
- name: Install rclone
|
- name: Install rclone
|
||||||
package:
|
package:
|
||||||
name: rclone
|
name: rclone
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install runitor
|
- name: Install runitor
|
||||||
kewlfft.aur.aur:
|
kewlfft.aur.aur:
|
||||||
name: runitor-bin
|
name: runitor-bin
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Make user
|
- name: Make user
|
||||||
user:
|
user:
|
||||||
|
@ -17,7 +15,6 @@
|
||||||
shell: /bin/nologin
|
shell: /bin/nologin
|
||||||
system: false
|
system: false
|
||||||
register: rclone_user
|
register: rclone_user
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create config directory
|
- name: Create config directory
|
||||||
file:
|
file:
|
||||||
|
@ -25,7 +22,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: rclone
|
owner: rclone
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install rclone config
|
- name: Install rclone config
|
||||||
template:
|
template:
|
||||||
|
@ -33,7 +29,6 @@
|
||||||
dest: "{{ rclone_user.home }}/.config/rclone/rclone.conf"
|
dest: "{{ rclone_user.home }}/.config/rclone/rclone.conf"
|
||||||
owner: rclone
|
owner: rclone
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create config directory
|
- name: Create config directory
|
||||||
file:
|
file:
|
||||||
|
@ -41,7 +36,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: rclone
|
owner: rclone
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Schedule sync
|
- name: Schedule sync
|
||||||
cron:
|
cron:
|
||||||
|
@ -50,4 +44,3 @@
|
||||||
minute: 0
|
minute: 0
|
||||||
job: CHECK_UUID={{ vault_healthchecks_id }} /usr/bin/runitor -- /usr/bin/rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform
|
job: CHECK_UUID={{ vault_healthchecks_id }} /usr/bin/runitor -- /usr/bin/rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform
|
||||||
user: rclone
|
user: rclone
|
||||||
become: true
|
|
||||||
|
|
|
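Review bot: `rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform` in the `Schedule sync` cron job mirrors deletions, so if objects are removed from the bucket (or a leaked credential empties it) the next run deletes the local copy as well, and the job stops being an independent copy of the bucket. `rclone copy` never deletes locally, or `sync` with `--backup-dir {{ rclone_user.home }}/sync/0rng-terraform.trash` keeps removed files recoverable. Separately, two tasks in this file share the name `Create config directory`; naming the second one after the directory it creates (apparently the sync target) keeps play output and `--start-at-task` unambiguous.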
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,7 +16,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart slides
|
notify: restart slides
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create credentials
|
- name: Create credentials
|
||||||
htpasswd:
|
htpasswd:
|
||||||
|
@ -30,7 +28,6 @@
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.user }}"
|
label: "{{ item.user }}"
|
||||||
notify: restart slides
|
notify: restart slides
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install nginx config
|
- name: Install nginx config
|
||||||
template:
|
template:
|
||||||
|
@ -38,7 +35,6 @@
|
||||||
dest: /etc/nginx/http.d/slides.conf
|
dest: /etc/nginx/http.d/slides.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
become: true
|
|
||||||
vars:
|
vars:
|
||||||
server_name: slides.jakehoward.tech
|
server_name: slides.jakehoward.tech
|
||||||
upstream: slides-slides-1.docker:80
|
upstream: slides-slides-1.docker:80
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -17,4 +16,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart tandoor
|
notify: restart tandoor
|
||||||
become: true
|
|
||||||
|
|
|
@ -3,7 +3,8 @@ services:
|
||||||
image: traefik:v2.11
|
image: traefik:v2.11
|
||||||
user: "{{ docker_user.id }}"
|
user: "{{ docker_user.id }}"
|
||||||
environment:
|
environment:
|
||||||
- GANDIV5_PERSONAL_ACCESS_TOKEN={{ vault_gandi_personal_access_token }}
|
- CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
|
||||||
|
- GANDIV5_API_KEY={{ vault_gandi_api_key }}
|
||||||
volumes:
|
volumes:
|
||||||
- ./traefik:/etc/traefik
|
- ./traefik:/etc/traefik
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
@ -28,6 +29,8 @@ services:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
networks:
|
networks:
|
||||||
- proxy_private
|
- proxy_private
|
||||||
|
tmpfs:
|
||||||
|
- /run
|
||||||
logging:
|
logging:
|
||||||
driver: none
|
driver: none
|
||||||
|
|
||||||
|
|
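Review bot: `- CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}` and `- GANDIV5_API_KEY={{ vault_gandi_api_key }}` put two DNS-provider credentials into the container environment, where they show up in `docker inspect` output and are inherited by every process in the container. Traefik's lego-based DNS providers also read a `_FILE` variant, so the tokens can be mounted as root-only files and referenced as `- CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token` and `- GANDIV5_API_KEY_FILE=/run/secrets/gandi_api_key` via a `secrets:` entry or a 0400 bind mount; confirm the variant names against the v2.11 provider docs. If the Gandi key is only kept while zones move to Cloudflare, a comment saying so and when it can be dropped would help.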
|
@ -50,6 +50,17 @@ api:
|
||||||
|
|
||||||
certificatesResolvers:
|
certificatesResolvers:
|
||||||
le:
|
le:
|
||||||
|
acme:
|
||||||
|
email: "{{ vault_letsencrypt_email }}"
|
||||||
|
storage: /etc/traefik/acme.json
|
||||||
|
dnsChallenge:
|
||||||
|
provider: cloudflare
|
||||||
|
delayBeforeCheck: 0
|
||||||
|
resolvers:
|
||||||
|
- 1.1.1.1:53
|
||||||
|
- 1.0.0.1:53
|
||||||
|
|
||||||
|
gandi:
|
||||||
acme:
|
acme:
|
||||||
email: "{{ vault_letsencrypt_email }}"
|
email: "{{ vault_letsencrypt_email }}"
|
||||||
storage: /etc/traefik/acme.json
|
storage: /etc/traefik/acme.json
|
||||||
|
@ -57,8 +68,8 @@ certificatesResolvers:
|
||||||
provider: gandiv5
|
provider: gandiv5
|
||||||
delayBeforeCheck: 0
|
delayBeforeCheck: 0
|
||||||
resolvers:
|
resolvers:
|
||||||
- 9.9.9.9:53
|
- 1.1.1.1:53
|
||||||
- 149.112.112.112:53
|
- 1.0.0.1:53
|
||||||
|
|
||||||
serversTransport:
|
serversTransport:
|
||||||
insecureSkipVerify: true
|
insecureSkipVerify: true
|
||||||
|
|
|
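Review bot: The new resolver is named `le` while its sibling stays `gandi`, so a router's `certResolver` no longer says which DNS provider answers the challenge; naming it `cloudflare` keeps the pair consistent, and a comment above the block such as `# Cloudflare is the target provider; gandi stays until every zone has moved` would record why two resolvers, both writing to the same `/etc/traefik/acme.json`, are live at once — assuming this is a migration, which the hunk only implies. The trailing context `serversTransport: insecureSkipVerify: true` is unchanged here but turns off upstream certificate verification for every backend globally, which is worth scoping to the specific services that need it in a follow-up.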
@ -5,7 +5,6 @@
|
||||||
docker_network:
|
docker_network:
|
||||||
name: traefik
|
name: traefik
|
||||||
internal: true
|
internal: true
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create install directory
|
- name: Create install directory
|
||||||
file:
|
file:
|
||||||
|
@ -13,7 +12,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create config directory
|
- name: Create config directory
|
||||||
file:
|
file:
|
||||||
|
@ -21,7 +19,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create file provider directory
|
- name: Create file provider directory
|
||||||
file:
|
file:
|
||||||
|
@ -29,7 +26,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -39,7 +35,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install config
|
- name: Install config
|
||||||
template:
|
template:
|
||||||
|
@ -50,7 +45,6 @@
|
||||||
lstrip_blocks: true
|
lstrip_blocks: true
|
||||||
trim_blocks: true
|
trim_blocks: true
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install file provider
|
- name: Install file provider
|
||||||
template:
|
template:
|
||||||
|
@ -59,7 +53,6 @@
|
||||||
mode: "{{ docker_compose_file_mask }}"
|
mode: "{{ docker_compose_file_mask }}"
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install homeassistant provider
|
- name: Install homeassistant provider
|
||||||
template:
|
template:
|
||||||
|
@ -69,7 +62,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
when: traefik_provider_homeassistant
|
when: traefik_provider_homeassistant
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install jellyfin provider
|
- name: Install jellyfin provider
|
||||||
template:
|
template:
|
||||||
|
@ -79,7 +71,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
when: traefik_provider_jellyfin
|
when: traefik_provider_jellyfin
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install grafana provider
|
- name: Install grafana provider
|
||||||
template:
|
template:
|
||||||
|
@ -89,7 +80,6 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
when: traefik_provider_grafana
|
when: traefik_provider_grafana
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install uptime-kuma provider
|
- name: Install uptime-kuma provider
|
||||||
template:
|
template:
|
||||||
|
@ -99,4 +89,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
when: traefik_provider_uptime_kuma
|
when: traefik_provider_uptime_kuma
|
||||||
become: true
|
|
||||||
|
|
23
ansible/roles/traefik/vars/vault.yml
generated
23
ansible/roles/traefik/vars/vault.yml
generated
|
@ -1,11 +1,14 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
30393461663462666434333462386264383831333936633961636237616338303335393861626336
|
63373634636339343234383662613339643138346430336463613834363661376334303131656565
|
||||||
3566306338633735613431393736653061636536353335620a366335623630643137343863636161
|
6439633136396264356263663961383565636138333135660a366239313136663331386139386566
|
||||||
37383436323439393965623436393465626362633134346239356463633936396236666164333762
|
61653432613237656635316336313064396433393939306330353739343439336165653866343030
|
||||||
3565623930353964620a303965626164396536646336313438346464663236633465353036303935
|
6432366565396639640a636662356238636130326237613632643738643639313664393639323561
|
||||||
30373230393432643330663434313637396234306563336137653861333839623530636465653532
|
39633939353663386566396534366166646631353461643062373363393566306538653730306362
|
||||||
37363239663939303834633332656365363437356236633933313339656563343130383262626539
|
36306532343933643830643564313166366530363139623564633061623238303866633037383032
|
||||||
61363762663630366430326635386163613936653938303366636363363334643035396233646430
|
31313765393134326561626264323336356539376263333765366162613363313138633932396136
|
||||||
32636431616335326264343931343064646363393736303263633038623562623965393763636562
|
35663737366132613133376431643333663466363737386664663036623839616333653231366536
|
||||||
35316264636264366161326463343730613232663539306532303838656338343535376439343834
|
38356566653933316462333462616362623535643866636332356563326136356563616632323034
|
||||||
3234663334333866376233336538343264623930653662303835
|
39303437363535636433353961353964313733333164396538643563343338633432343232346235
|
||||||
|
39626331376163356466313435616362613334346132666461633566393662363039393363613366
|
||||||
|
63613333643039626161653962353636366364353730383534336662336138643231333864633536
|
||||||
|
3232
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
uptime-kuma:
|
uptime-kuma:
|
||||||
image: louislam/uptime-kuma:1.23.13-alpine
|
image: louislam/uptime-kuma:1.23.15-alpine
|
||||||
environment:
|
environment:
|
||||||
- TZ={{ timezone }}
|
- TZ={{ timezone }}
|
||||||
- PUID={{ docker_user.id }}
|
- PUID={{ docker_user.id }}
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,4 +13,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart uptime-kuma
|
notify: restart uptime-kuma
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
image: vaultwarden/server:1.32.0-alpine
|
image: vaultwarden/server:1.32.5-alpine
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
user: "{{ docker_user.id }}:{{ docker_user.id }}"
|
user: "{{ docker_user.id }}:{{ docker_user.id }}"
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
mode: "{{ docker_compose_directory_mask }}"
|
mode: "{{ docker_compose_directory_mask }}"
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install compose file
|
- name: Install compose file
|
||||||
template:
|
template:
|
||||||
|
@ -14,4 +13,3 @@
|
||||||
owner: "{{ docker_user.name }}"
|
owner: "{{ docker_user.name }}"
|
||||||
validate: docker-compose -f %s config
|
validate: docker-compose -f %s config
|
||||||
notify: restart vaultwarden
|
notify: restart vaultwarden
|
||||||
become: true
|
|
||||||
|
|