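---
# Host playbook for "on-fire-within": base/role playbooks first, then the host's
# own tasks (ssh keys, packages, USB mount, ddclient, Traefik, a docker-compose
# stack, Home Assistant routing, and log shipping).
- import_playbook: pi.yml
- import_playbook: tailscale.yml
- import_playbook: hass-io.yml
- import_playbook: pi-hole.yml

- hosts: on-fire-within
  become: true
  # Holds the secrets referenced below (ddclient, minio, pihole, traefik, email).
  # Assumed to be vault-encrypted or kept out of version control — confirm.
  vars_files:
    - vars.private

  tasks:
    # Keys are fetched from GitHub at run time: whoever controls that GitHub
    # account controls which keys may log in as "alpha".
    - name: Set authorized keys from GitHub
      ansible.posix.authorized_key:
        user: alpha
        state: present
        key: https://github.com/kejadlen.keys

    - name: Install dependencies
      ansible.builtin.apt:
        name:
          - git
          - vim
          # Needed for Docker stuff
          - docker-compose
          - python3-pip
          - python-backports-shutil-get-terminal-size
          - python-backports.ssl-match-hostname

    # state=latest pulls whatever PyPI currently serves on every run; pin
    # versions if reproducible hosts matter.
    - name: Install python docker packages
      ansible.builtin.pip:
        name:
          - docker
          - docker-compose
        state: latest

    - name: Create necessary dirs
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop:
        - /etc/ddclient
        - /etc/minio
        - /etc/mitmproxy
        - /etc/traefik
        - /mnt/mushu/minio
        - /mnt/mushu/syncthing

    # src is the whole disk, not a partition (no "/dev/sda1") — confirm intended.
    - name: Mount USB drive
      ansible.posix.mount:
        path: /mnt/mushu
        src: /dev/sda
        fstype: ext4
        state: mounted

    # Rendered config contains the DDNS passwords, hence mode 0600.
    - name: Configure ddclient
      ansible.builtin.copy:
        content: |
          daemon=300
          use=web
          ssl=yes
          protocol=googledomains
          {% for host in ddclient_hosts %}
          login={{ host.login }}, password={{ host.password }} {{ host.host }}
          {% endfor %}
        dest: /etc/ddclient/ddclient.conf
        mode: "0600"
      vars:
        ddclient_hosts: "{{ ddclient.hosts }}"
      notify: Restart ddclient

    # Traefik static config. exposedByDefault=false means only containers that
    # carry traefik.enable=true are routed.
    - name: Traefik static configuration
      ansible.builtin.copy:
        content: |
          providers:
            docker:
              exposedByDefault: false
            file:
              filename: /etc/traefik/dynamic_conf.toml
              watch: true
          entryPoints:
            http:
              address: ":80"
            https:
              address: ":443"
          certificatesResolvers:
            le:
              acme:
                email: "{{ email }}"
                storage: "/etc/traefik/acme.json"
                httpChallenge:
                  entryPoint: http
          # insecure: true serves the API/dashboard on the "traefik" entrypoint
          # (port 8080) with no authentication; the basicauth middleware below
          # only protects the api@internal router on the https entrypoint.
          api:
            insecure: true
          accessLog: {}
        dest: /etc/traefik/traefik.yml
        # Quoted so the YAML parser cannot read the octal mode as a number.
        mode: "0600"

    # https://docs.syncthing.net/users/faq.html#inotify-limits
    - name: Increase inotify limit for syncthing
      ansible.builtin.lineinfile:
        path: /etc/sysctl.conf
        regexp: '^fs.inotify.max_user_watches='
        line: fs.inotify.max_user_watches=204800

    # The docker_compose module overwrites our existing variables, so this is a
    # workaround to save off ones that we need later on in the playbook.
    #
    # https://github.com/ansible/ansible/issues/33960
    - name: Save original host facts
      ansible.builtin.set_fact:
        "{{ item }}_original": "{{ lookup('vars', item) }}"
      loop:
        - minio
        - traefik
      tags:
        - debug

    - name: Docker ALL the things!
      community.docker.docker_compose:
        project_name: on-fire-within
        pull: true
        definition:
          version: '2'
          services:
            ddclient:
              image: kejadlen/ddclient:latest
              container_name: ddclient
              volumes:
                - /etc/ddclient:/etc/ddclient
              restart: unless-stopped

            minio:
              image: kejadlen/minio:latest
              container_name: minio
              environment:
                MINIO_ACCESS_KEY: "{{ minio.access_key }}"
                MINIO_SECRET_KEY: "{{ minio.secret_key }}"
              volumes:
                - /etc/minio:/root/.minio
                - /mnt/mushu/minio:/data
              # Runs as root inside the container; quoted so "0:0" stays a string.
              user: "0:0"
              labels:
                - traefik.enable=true
                - traefik.http.routers.minio.rule=Host(`{{ traefik.host_rules.minio }}`)
                - traefik.http.routers.minio.tls=true
                - traefik.http.routers.minio.tls.certresolver=le
                - traefik.http.services.minio.loadbalancer.server.port=9000

            # mitmproxy:
            #   image: mitmproxy/mitmproxy:latest-ARMv7
            #   container_name: mitmproxy
            #   command: mitmweb --web-iface ""
            #   volumes:
            #     - /etc/mitmproxy:/home/mitmproxy/.mitmproxy
            #   labels:
            #     - traefik.enable=true
            #     - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`)
            #     - traefik.tcp.routers.mitmproxy.tls.passthrough=true
            #     - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080
            #     - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`)
            #     - traefik.http.routers.mitmproxy-web.tls.certresolver=le
            #     - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081

            pihole:
              image: pihole/pihole:2023.11.0
              container_name: pihole
              # DNS is published on every host interface; port mappings are quoted
              # to avoid YAML 1.1 sexagesimal parsing of "a:b" values.
              ports:
                - "53:53/tcp"
                - "53:53/udp"
              environment:
                TZ: America/Los_Angeles
                VIRTUAL_HOST: "{{ pihole.host }}"
                WEBPASSWORD: "{{ pihole.password }}"
                LOCAL_IPV4: "{{ ansible_default_ipv4.address }}"
              volumes:
                - /etc/pihole:/etc/pihole
                - /etc/dnsmasq.d:/etc/dnsmasq.d
              dns:
                - 127.0.0.1
                - 1.1.1.1
              labels:
                - traefik.enable=true
                - traefik.http.routers.pihole.rule=Host(`{{ traefik.host_rules.pihole }}`)
                - traefik.http.routers.pihole.tls=true
                - traefik.http.routers.pihole.tls.certresolver=le
                - traefik.http.services.pihole.loadbalancer.server.port=80
              restart: unless-stopped

            syncthing:
              image: syncthing/syncthing:1.23.5
              container_name: syncthing
              ports:
                - "22000:22000/tcp"  # TCP file transfers
                - "22000:22000/udp"  # QUIC file transfers
                - "21027:21027/udp"  # Receive local discovery broadcasts
              volumes:
                - /etc/syncthing:/var/syncthing
                - /mnt/mushu/syncthing:/sync
              environment:
                PUID: 0
                PGID: 0
              labels:
                - traefik.enable=true
                - traefik.http.routers.syncthing.rule=Host(`{{ traefik.host_rules.syncthing }}`)
                - traefik.http.routers.syncthing.tls=true
                - traefik.http.routers.syncthing.tls.certresolver=le
                - traefik.http.services.syncthing.loadbalancer.server.port=8384
              restart: unless-stopped

            traefik:
              image: traefik:v2.10.4
              container_name: traefik
              ports:
                - "80:80"
                # NOTE(review): with api.insecure=true in traefik.yml this port
                # serves the dashboard/API without the basicauth middleware
                # below. Keep it off untrusted networks, or drop the insecure
                # flag together with this mapping (api@internal still works).
                - "8080:8080"
                - "443:443"
              volumes:
                # Docker socket access is root-equivalent on the host; Traefik
                # needs it for the docker provider.
                - /var/run/docker.sock:/var/run/docker.sock
                - /etc/traefik:/etc/traefik
              labels:
                - traefik.enable=true
                # "$" is doubled because compose expands ${...} in label values.
                # NOTE(review): md5crypt is a weak basicauth hash; Traefik also
                # accepts bcrypt — confirm the controller can produce it first.
                - traefik.http.middlewares.auth.basicauth.users=alpha:{{ traefik.password | password_hash("md5") | replace("$", "$$") }}
                - traefik.http.routers.traefik.rule=Host(`{{ traefik.host_rules.traefik }}`)
                - traefik.http.routers.traefik.tls=true
                - traefik.http.routers.traefik.tls.certresolver=le
                - traefik.http.routers.traefik.middlewares=auth
                - traefik.http.routers.traefik.service=api@internal
              restart: unless-stopped

    # Home Assistant and AppDaemon run outside this compose project (hass-io.yml),
    # so they are reached via the compose network's gateway address and wired in
    # through Traefik's file provider.
    - name: Route Home Assistant through Traefik
      block:
        # - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
        # Both lookups assume jq is present on the host; this play does not install it.
        - name: Look up the compose network gateway
          ansible.builtin.shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway
          register: docker_gateway_result
        # Fixed: this previously repeated the Gateway query, so docker_subnet
        # held the gateway address rather than the subnet.
        - name: Look up the compose network subnet
          ansible.builtin.shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Subnet
          register: docker_subnet_result
        - name: Record compose network facts
          ansible.builtin.set_fact:
            docker_gateway: "{{ docker_gateway_result.stdout | trim }}"
            docker_subnet: "{{ docker_subnet_result.stdout | trim }}"
        # Uses the *_original facts saved before docker_compose ran.
        - name: Traefik dynamic configuration
          ansible.builtin.copy:
            content: |
              [http.routers]
                [http.routers.appdaemon]
                  rule = "Host(`{{ traefik_original.host_rules.appdaemon }}`)"
                  service = "appdaemon"
                  [http.routers.appdaemon.tls]
                    certResolver = "le"
                [http.routers.hassio]
                  rule = "Host(`{{ traefik_original.host_rules.hassio }}`)"
                  service = "hassio"
                  [http.routers.hassio.tls]
                    certResolver = "le"
              [http.services]
                [http.services.appdaemon.loadBalancer]
                  [[http.services.appdaemon.loadBalancer.servers]]
                    url = "http://{{ docker_gateway }}:5050/"
                [http.services.hassio.loadBalancer]
                  [[http.services.hassio.loadBalancer.servers]]
                    url = "http://{{ docker_gateway }}:8123/"
            dest: /etc/traefik/dynamic_conf.toml
            mode: "0600"
          notify: Restart Traefik
      tags:
        - debug

    # Forwards all syslog over plain TCP to the collector named here; fine on a
    # trusted LAN, otherwise consider a TLS-capable transport.
    - name: Ship logs via rsyslog
      ansible.builtin.copy:
        content: |
          *.* action(type="omfwd" protocol="tcp" target="lotus-land-story" port="514" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted" KeepAlive="on")
        dest: /etc/rsyslog.d/50-promtail.conf
        mode: "0644"
      notify: Restart rsyslog

  handlers:
    # ignore_errors keeps a missing container (first run) from failing the play,
    # but also hides a genuinely failed restart — check the handler output.
    - name: Restart ddclient
      community.docker.docker_container:
        name: ddclient
        restart: true
      ignore_errors: true

    - name: Restart Traefik
      community.docker.docker_container:
        name: traefik
        restart: true
      ignore_errors: true

    # Not notified by any task in this play; kept for hand-triggered use.
    - name: Restart Home Assistant
      community.docker.docker_container:
        name: homeassistant
        restart: true
      ignore_errors: true

    - name: Restart rsyslog
      ansible.builtin.service:
        name: rsyslog
        state: restarted

# vim: ft=yaml.ansible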