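---
# Site playbook for the `on_fire_within` host: base hardening (imported),
# Home Assistant (imported), then the Docker-hosted services behind Traefik.
- import_playbook: ../playbooks/pi/security.yml
- import_playbook: hass-io.yml

- hosts: on_fire_within
  become: true
  tasks:
    # The keys published for this GitHub account are the trust anchor for
    # SSH access as `alpha`; rotating them on GitHub is how access is revoked.
    - name: Set authorized keys from GitHub
      authorized_key:
        user: alpha
        state: present
        key: https://github.com/kejadlen.keys

    - name: Install dependencies
      apt:
        name:
          - git
          - vim
          # Needed for Docker stuff
          - docker-compose
          - python3-pip
          - python-backports-shutil-get-terminal-size
          - python-backports.ssl-match-hostname

    - name: Install python docker packages
      pip:
        name:
          - docker
          - docker-compose
        state: latest

    # Mount before creating the data dirs below: created first, they land on
    # the root filesystem and are hidden once /dev/sda is mounted over them.
    - name: Mount USB drive
      mount:
        path: /mnt/mushu
        src: /dev/sda
        fstype: ext4
        state: mounted

    - name: Create necessary dirs
      file:
        path: "{{ item }}"
        state: directory
      with_items:
        - /etc/ddclient
        - /etc/minio
        - /etc/mitmproxy
        - /etc/traefik
        - /mnt/mushu/minio
        - /mnt/mushu/syncthing

    # ddclient.conf carries the DNS provider credentials, hence mode 0600.
    - name: Configure ddclient
      copy:
        content: |
          daemon=300
          use=web
          ssl=yes
          protocol=googledomains
          {% for host in hosts %}
          login={{ host.login }}, password={{ host.password }} {{ host.host }}
          {% endfor %}
        dest: /etc/ddclient/ddclient.conf
        mode: "0600"
      vars:
        hosts: "{{ ddclient.hosts }}"
      notify: Restart ddclient

    # The API/dashboard is reachable only through the basic-auth protected
    # `traefik` router defined in the compose labels (api@internal).
    # `api.insecure: true` would additionally serve it unauthenticated on the
    # :8080 entrypoint, bypassing that middleware, so it stays off.
    - name: Traefik static configuration
      copy:
        content: |
          providers:
            docker:
              exposedByDefault: false
            file:
              filename: /etc/traefik/dynamic_conf.toml
              watch: true
          entryPoints:
            http:
              address: ":80"
            https:
              address: ":443"
          certificatesResolvers:
            le:
              acme:
                email: "{{ email }}"
                storage: "/etc/traefik/acme.json"
                httpChallenge:
                  entryPoint: http
          api:
            dashboard: true
            insecure: false
          accessLog: {}
        dest: /etc/traefik/traefik.yml
        mode: "0600"

    # https://docs.syncthing.net/users/faq.html#inotify-limits
    # The sysctl module both persists the value (in /etc/sysctl.conf, its
    # default file) and applies it now; lineinfile alone only took effect
    # after a reboot.
    - name: Increase inotify limit for syncthing
      sysctl:
        name: fs.inotify.max_user_watches
        value: "204800"
        sysctl_set: true
        state: present
        reload: true

    # The docker_compose module overwrites our existing variables, so this is a
    # workaround to save off ones that we need later on in the playbook.
    #
    # https://github.com/ansible/ansible/issues/33960
    - name: Save original host facts
      set_fact:
        "{{ item }}_original": "{{ lookup('vars', item) }}"
      with_items:
        - minio
        - traefik

    # Workaround for https://github.com/pi-hole/docker-pi-hole/issues/1048
    # - https://github.com/pi-hole/docker-pi-hole/issues/1042#issuecomment-1086728157
    # - https://github.com/pi-hole/docker-pi-hole/issues/1043#issuecomment-1086936352
    - name: Work around a Docker libseccomp issue w/Pi-Hole
      block:
        - apt_key:
            keyserver: keyserver.ubuntu.com
            id: "{{ item }}"
          loop:
            - "04EE7237B7D453EC"
            - "648ACFD622F3D138"
        - apt_repository:
            repo: deb http://deb.debian.org/debian buster-backports main
            filename: buster-backports
            state: present
        # Read-only query: the candidate version from buster-backports.
        - shell: apt-cache policy libseccomp2 | grep buster-backports -B1 | head -n1 | sed -e 's/^\s*\**\s*\(\S*\).*/\1/'
          register: libseccomp2_version
          changed_when: false
        - apt:
            update_cache: true
            name: "libseccomp2={{ libseccomp2_version.stdout_lines[0] }}"

    - name: Docker ALL the things!
      docker_compose:
        project_name: on-fire-within
        pull: true
        definition:
          version: '2'
          services:
            ddclient:
              image: kejadlen/ddclient:latest
              container_name: ddclient
              volumes:
                - /etc/ddclient:/etc/ddclient
              restart: unless-stopped

            minio:
              image: kejadlen/minio:latest
              container_name: minio
              environment:
                MINIO_ACCESS_KEY: "{{ minio.access_key }}"
                MINIO_SECRET_KEY: "{{ minio.secret_key }}"
              volumes:
                - /etc/minio:/root/.minio
                - /mnt/mushu/minio:/data
              # Quoted: an unquoted 0:0 is read as the integer 0 by YAML 1.1.
              user: "0:0"  # root
              labels:
                - traefik.enable=true
                - traefik.http.routers.minio.rule=Host(`{{ traefik.host_rules.minio }}`)
                - traefik.http.routers.minio.tls=true
                - traefik.http.routers.minio.tls.certresolver=le
                - traefik.http.services.minio.loadbalancer.server.port=9000
              # Same restart policy as the other services so it survives reboots.
              restart: unless-stopped

            # mitmproxy:
            #   image: mitmproxy/mitmproxy:latest-ARMv7
            #   container_name: mitmproxy
            #   command: mitmweb --web-iface ""
            #   volumes:
            #     - /etc/mitmproxy:/home/mitmproxy/.mitmproxy
            #   labels:
            #     - traefik.enable=true
            #     - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`)
            #     - traefik.tcp.routers.mitmproxy.tls.passthrough=true
            #     - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080
            #     - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`)
            #     - traefik.http.routers.mitmproxy-web.tls.certresolver=le
            #     - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081

            pihole:
              image: pihole/pihole:latest
              container_name: pihole
              # DNS is published on all host interfaces; the web UI only via Traefik.
              ports:
                - "53:53/tcp"
                - "53:53/udp"
              environment:
                TZ: America/Los_Angeles
                VIRTUAL_HOST: "{{ pihole.host }}"
                WEBPASSWORD: "{{ pihole.password }}"
                LOCAL_IPV4: "{{ ansible_default_ipv4.address }}"
              volumes:
                - /etc/pihole:/etc/pihole
                - /etc/dnsmasq.d:/etc/dnsmasq.d
              dns:
                - 127.0.0.1
                - 1.1.1.1
              labels:
                - traefik.enable=true
                - traefik.http.routers.pihole.rule=Host(`{{ traefik.host_rules.pihole }}`)
                - traefik.http.routers.pihole.tls=true
                - traefik.http.routers.pihole.tls.certresolver=le
                - traefik.http.services.pihole.loadbalancer.server.port=80
              restart: unless-stopped

            syncthing:
              image: kejadlen/syncthing:latest
              container_name: syncthing
              ports:
                - "22000:22000/tcp"
                - "21027:21027/udp"
              volumes:
                - /etc/syncthing:/etc/syncthing
                - /mnt/mushu/syncthing:/sync
              user: "0:0"  # root
              labels:
                - traefik.enable=true
                - traefik.http.routers.syncthing.rule=Host(`{{ traefik.host_rules.syncthing }}`)
                - traefik.http.routers.syncthing.tls=true
                - traefik.http.routers.syncthing.tls.certresolver=le
                - traefik.http.services.syncthing.loadbalancer.server.port=8384
              # Same restart policy as the other services so it survives reboots.
              restart: unless-stopped

            traefik:
              image: traefik:v2.5
              container_name: traefik
              # No host port for :8080: the API is not served insecurely (see
              # traefik.yml above), so publishing it would only expose an
              # unauthenticated dashboard.
              ports:
                - "80:80"
                - "443:443"
              volumes:
                # Needed by the docker provider; note that socket access is
                # equivalent to root on the host, so keep this container's
                # image pinned and its config files root-only.
                - /var/run/docker.sock:/var/run/docker.sock
                - /etc/traefik:/etc/traefik
              labels:
                - traefik.enable=true
                # `$` is doubled because compose interpolates `$VAR` in values.
                # NOTE(review): Traefik's basicAuth also accepts bcrypt hashes;
                # password_hash("bcrypt") needs passlib on the controller.
                - traefik.http.middlewares.auth.basicauth.users=alpha:{{ traefik.password | password_hash("md5") | replace("$", "$$") }}
                - traefik.http.routers.traefik.rule=Host(`{{ traefik.host_rules.traefik }}`)
                - traefik.http.routers.traefik.tls=true
                - traefik.http.routers.traefik.tls.certresolver=le
                - traefik.http.routers.traefik.middlewares=auth
                - traefik.http.routers.traefik.service=api@internal
              restart: unless-stopped

    - name: Route Home Assistant through Traefik
      block:
        # - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
        - shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway
          register: docker_gateway_result
          changed_when: false
        # Query the Subnet field here; the original queried Gateway twice, so
        # docker_subnet silently held the gateway address.
        - shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Subnet
          register: docker_subnet_result
          changed_when: false
        - set_fact:
            docker_gateway: "{{ docker_gateway_result.stdout | trim }}"
            docker_subnet: "{{ docker_subnet_result.stdout | trim }}"
        # Dynamic config: forward the hassio host to Home Assistant, which
        # listens on the Docker bridge gateway address rather than in the
        # compose network.
        - copy:
            content: |
              [http.routers]
                [http.routers.hassio]
                  rule = "Host(`{{ traefik_original.host_rules.hassio }}`)"
                  service = "hassio"
                  [http.routers.hassio.tls]
                    certResolver = "le"

              [http.services]
                [http.services.hassio.loadBalancer]
                  [[http.services.hassio.loadBalancer.servers]]
                    url = "http://{{ docker_gateway }}:8123/"
            dest: /etc/traefik/dynamic_conf.toml
            mode: "0600"
          notify: Restart Traefik

  handlers:
    - name: Restart ddclient
      docker_container:
        name: ddclient
        restart: true
      ignore_errors: true

    - name: Restart Traefik
      docker_container:
        name: traefik
        restart: true
      ignore_errors: true

    - name: Restart Home Assistant
      docker_container:
        name: homeassistant
        restart: true
      ignore_errors: true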