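---
# Playbook for the "on-fire-within" host. The imported plays run first; the
# play below then installs the Docker tooling, mounts storage, writes the
# service configs and brings up the container stack behind Traefik.

- import_playbook: pi.yml
- import_playbook: tailscale.yml
- import_playbook: hass-io.yml
- import_playbook: pi-hole.yml

- hosts: on-fire-within
  become: true
  vars_files:
    # Holds the secrets referenced below (ddclient.hosts, minio.*, pihole.*,
    # traefik.*, email). Keep this file out of version control.
    - vars.private

  tasks:
    # Trusts whatever public keys are currently published on the GitHub
    # account: anyone who can add a key there can log in as `alpha`.
    - name: Set authorized keys from GitHub
      ansible.posix.authorized_key:
        user: alpha
        state: present
        key: https://github.com/kejadlen.keys

    - name: Install dependencies
      ansible.builtin.apt:
        name:
          - git
          - vim
          # Needed for Docker stuff
          - docker-compose
          - python3-pip
          - python-backports-shutil-get-terminal-size
          - python-backports.ssl-match-hostname

    # `state: latest` is re-resolved on every run, so this task is never
    # idempotent and can pull in a breaking release; pin versions to fix that.
    - name: Install python docker packages
      ansible.builtin.pip:
        name:
          - docker
          - docker-compose
        state: latest

    - name: Create necessary dirs
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop:
        - /etc/ddclient
        - /etc/minio
        - /etc/mitmproxy
        - /etc/traefik
        - /mnt/mushu/minio
        - /mnt/mushu/syncthing

    - name: Mount USB drive
      ansible.posix.mount:
        path: /mnt/mushu
        src: /dev/sda
        fstype: ext4
        state: mounted

    # The rendered file contains the DDNS credentials, hence mode 0600.
    - name: Configure ddclient
      ansible.builtin.copy:
        content: |
          daemon=300

          use=web
          ssl=yes
          protocol=googledomains

          {% for host in ddclient_hosts %}
          login={{ host.login }}, password={{ host.password }} {{ host.host }}
          {% endfor %}
        dest: /etc/ddclient/ddclient.conf
        mode: "0600"
      vars:
        ddclient_hosts: "{{ ddclient.hosts }}"
      notify: Restart ddclient

    # Traefik reads this file only at start-up (dynamic routing comes from
    # dynamic_conf.toml and container labels), so a change must restart it.
    - name: Traefik static configuration
      ansible.builtin.copy:
        content: |
          providers:
            docker:
              exposedByDefault: false
            file:
              filename: /etc/traefik/dynamic_conf.toml
              watch: true

          entryPoints:
            http:
              address: ":80"
            https:
              address: ":443"

          certificatesResolvers:
            le:
              acme:
                email: "{{ email }}"
                storage: "/etc/traefik/acme.json"
                httpChallenge:
                  entryPoint: http

          # The dashboard is reachable only through the basicauth-protected
          # `api@internal` router declared on the traefik container labels.
          # `insecure: true` would also serve it unauthenticated on the
          # built-in :8080 entrypoint, bypassing that middleware.
          api:
            dashboard: true
            insecure: false

          accessLog: {}
        dest: /etc/traefik/traefik.yml
        mode: "0600"
      notify: Restart Traefik

    # https://docs.syncthing.net/users/faq.html#inotify-limits
    # Only edits the file; the new limit takes effect after a reboot or a
    # manual `sysctl -p`.
    - name: Increase inotify limit for syncthing
      ansible.builtin.lineinfile:
        path: /etc/sysctl.conf
        regexp: '^fs.inotify.max_user_watches='
        line: fs.inotify.max_user_watches=204800

    # The docker_compose module overwrites our existing variables, so this is a
    # workaround to save off ones that we need later on in the playbook.
    #
    # https://github.com/ansible/ansible/issues/33960
    - name: Save original host facts
      ansible.builtin.set_fact:
        "{{ item }}_original": "{{ lookup('vars', item) }}"
      loop:
        - minio
        - traefik
      tags:
        - debug

    # Security notes on the stack below:
    # - traefik gets /var/run/docker.sock, which is equivalent to root on the
    #   host; anything that compromises Traefik owns the machine.
    # - minio and syncthing run as uid 0 inside their containers.
    # - ddclient and minio track `latest`, so every `pull: true` run can
    #   silently change what is deployed; the other images are pinned.
    - name: Docker ALL the things!
      community.docker.docker_compose:
        project_name: on-fire-within
        pull: true
        definition:
          version: '2'
          services:
            ddclient:
              image: kejadlen/ddclient:latest
              container_name: ddclient
              volumes:
                - /etc/ddclient:/etc/ddclient
              restart: unless-stopped

            # No restart policy, unlike the other services; minio stays down
            # after a reboot until the playbook runs again.
            minio:
              image: kejadlen/minio:latest
              container_name: minio
              environment:
                MINIO_ACCESS_KEY: "{{ minio.access_key }}"
                MINIO_SECRET_KEY: "{{ minio.secret_key }}"
              volumes:
                - /etc/minio:/root/.minio
                - /mnt/mushu/minio:/data
              user: "0:0"  # root
              labels:
                - traefik.enable=true
                - traefik.http.routers.minio.rule=Host(`{{ traefik.host_rules.minio }}`)
                - traefik.http.routers.minio.tls=true
                - traefik.http.routers.minio.tls.certresolver=le
                - traefik.http.services.minio.loadbalancer.server.port=9000

            # mitmproxy:
            #   image: mitmproxy/mitmproxy:latest-ARMv7
            #   container_name: mitmproxy
            #   command: mitmweb --web-iface ""
            #   volumes:
            #     - /etc/mitmproxy:/home/mitmproxy/.mitmproxy
            #   labels:
            #     - traefik.enable=true
            #     - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`)
            #     - traefik.tcp.routers.mitmproxy.tls.passthrough=true
            #     - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080
            #     - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`)
            #     - traefik.http.routers.mitmproxy-web.tls.certresolver=le
            #     - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081

            pihole:
              image: pihole/pihole:2023.10.0
              container_name: pihole
              # DNS is published on all host interfaces; the admin UI is only
              # reachable through Traefik.
              ports:
                - "53:53/tcp"
                - "53:53/udp"
              environment:
                TZ: America/Los_Angeles
                VIRTUAL_HOST: "{{ pihole.host }}"
                WEBPASSWORD: "{{ pihole.password }}"
                LOCAL_IPV4: "{{ ansible_default_ipv4.address }}"
              volumes:
                - /etc/pihole:/etc/pihole
                - /etc/dnsmasq.d:/etc/dnsmasq.d
              dns:
                - 127.0.0.1
                - 1.1.1.1
              labels:
                - traefik.enable=true
                - traefik.http.routers.pihole.rule=Host(`{{ traefik.host_rules.pihole }}`)
                - traefik.http.routers.pihole.tls=true
                - traefik.http.routers.pihole.tls.certresolver=le
                - traefik.http.services.pihole.loadbalancer.server.port=80
              restart: unless-stopped

            syncthing:
              image: syncthing/syncthing:1.23.5
              container_name: syncthing
              ports:
                - "22000:22000/tcp"  # TCP file transfers
                - "22000:22000/udp"  # QUIC file transfers
                - "21027:21027/udp"  # Receive local discovery broadcasts
              volumes:
                - /etc/syncthing:/var/syncthing
                - /mnt/mushu/syncthing:/sync
              environment:
                PUID: "0"
                PGID: "0"
              labels:
                - traefik.enable=true
                - traefik.http.routers.syncthing.rule=Host(`{{ traefik.host_rules.syncthing }}`)
                - traefik.http.routers.syncthing.tls=true
                - traefik.http.routers.syncthing.tls.certresolver=le
                - traefik.http.services.syncthing.loadbalancer.server.port=8384
              restart: unless-stopped

            traefik:
              image: traefik:v2.10.4
              container_name: traefik
              # Port 8080 is deliberately not published: the dashboard is
              # served via the authenticated `api@internal` router below.
              ports:
                - "80:80"
                - "443:443"
              volumes:
                - /var/run/docker.sock:/var/run/docker.sock
                - /etc/traefik:/etc/traefik
              labels:
                - traefik.enable=true
                # MD5-crypt is the weakest hash Traefik's basicauth accepts;
                # bcrypt is also supported and preferable if the controller
                # has the passlib backend for it. The "$" doubling is required
                # because compose would otherwise treat "$x" as a variable.
                - traefik.http.middlewares.auth.basicauth.users=alpha:{{ traefik.password | password_hash("md5") | replace("$", "$$") }}
                - traefik.http.routers.traefik.rule=Host(`{{ traefik.host_rules.traefik }}`)
                - traefik.http.routers.traefik.tls=true
                - traefik.http.routers.traefik.tls.certresolver=le
                - traefik.http.routers.traefik.middlewares=auth
                - traefik.http.routers.traefik.service=api@internal
              restart: unless-stopped

    # Home Assistant and AppDaemon run outside this compose project, so they
    # are reached through the project network's gateway address on the host.
    - name: Route Home Assistant through Traefik
      block:
        # - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
        # Read-only queries: never report them as changes. The jq paths are
        # quoted so the shell does not try to expand `[0]` as a glob.
        - ansible.builtin.shell: docker network inspect on-fire-within_default | jq --raw-output '.[0].IPAM.Config[0].Gateway'
          register: docker_gateway_result
          changed_when: false
        # Was a copy of the gateway query; the fact is named `docker_subnet`,
        # so read the Subnet field. Nothing in this play consumes it yet.
        - ansible.builtin.shell: docker network inspect on-fire-within_default | jq --raw-output '.[0].IPAM.Config[0].Subnet'
          register: docker_subnet_result
          changed_when: false
        - ansible.builtin.set_fact:
            docker_gateway: "{{ docker_gateway_result.stdout | trim }}"
            docker_subnet: "{{ docker_subnet_result.stdout | trim }}"
        # Uses traefik_original (saved above) because docker_compose clobbers
        # the `traefik` variable.
        - ansible.builtin.copy:
            content: |
              [http.routers]
                [http.routers.appdaemon]
                  rule = "Host(`{{ traefik_original.host_rules.appdaemon }}`)"
                  service = "appdaemon"
                  [http.routers.appdaemon.tls]
                    certResolver = "le"
                [http.routers.hassio]
                  rule = "Host(`{{ traefik_original.host_rules.hassio }}`)"
                  service = "hassio"
                  [http.routers.hassio.tls]
                    certResolver = "le"

              [http.services]
                [http.services.appdaemon.loadBalancer]
                  [[http.services.appdaemon.loadBalancer.servers]]
                    url = "http://{{ docker_gateway }}:5050/"
                [http.services.hassio.loadBalancer]
                  [[http.services.hassio.loadBalancer.servers]]
                    url = "http://{{ docker_gateway }}:8123/"
            dest: /etc/traefik/dynamic_conf.toml
            mode: "0600"
          notify: Restart Traefik
      tags:
        - debug

    # Forwards every log line over plain TCP syslog. This is unencrypted on
    # the wire; presumably the target is reached over the Tailscale link set
    # up by tailscale.yml — confirm before relying on it for anything
    # sensitive.
    - name: Ship logs via rsyslog
      ansible.builtin.copy:
        content: |
          *.* action(type="omfwd"
                     protocol="tcp"
                     target="lotus-land-story"
                     port="514"
                     Template="RSYSLOG_SyslogProtocol23Format"
                     TCP_Framing="octet-counted"
                     KeepAlive="on")
        dest: /etc/rsyslog.d/50-promtail.conf
        mode: "0644"
      notify: Restart rsyslog

  handlers:
    # Container restarts are best-effort: the handler must not fail the play
    # when the container does not exist yet (first run).
    - name: Restart ddclient
      community.docker.docker_container:
        name: ddclient
        restart: true
      ignore_errors: true

    - name: Restart Traefik
      community.docker.docker_container:
        name: traefik
        restart: true
      ignore_errors: true

    - name: Restart Home Assistant
      community.docker.docker_container:
        name: homeassistant
        restart: true
      ignore_errors: true

    - name: Restart rsyslog
      ansible.builtin.service:
        name: rsyslog
        state: restarted

# vim: ft=yaml.ansible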