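---
# Site playbook for the on_fire_within host. Base hardening and hass-io come
# from the imported playbooks; the play below installs the Docker toolchain,
# mounts the data disk, writes the ddclient/Traefik configs and brings the
# services up with docker-compose behind Traefik.
- import_playbook: ../playbooks/pi/security.yml
- import_playbook: hass-io.yml

- hosts: on_fire_within
  become: true
  tasks:
    - name: Set authorized keys from GitHub
      # Fetched over HTTPS; the resulting SSH access is only as trustworthy as
      # the GitHub account that publishes this key list.
      authorized_key:
        user: alpha
        state: present
        key: https://github.com/kejadlen.keys

    - name: Install dependencies
      apt:
        name:
          - git
          - vim
          # used by the "Route Home Assistant through Traefik" shell task;
          # it was not installed anywhere before, so that pipeline could
          # silently produce an empty gateway address
          - jq
          # Needed for Docker stuff
          - docker-compose
          - python-pip
          - python-backports-shutil-get-terminal-size
          - python-backports.ssl-match-hostname

    - name: Install python docker packages
      # state=latest upgrades on every run, so the docker_compose module's
      # behaviour can change between runs without any change to this file.
      pip:
        name:
          - docker
          - docker-compose
        state: latest

    - name: Create necessary dirs
      # Host-side directories that are bind-mounted into the containers
      # below; created up front so they are not left to the Docker daemon.
      file:
        path: "{{ item }}"
        state: directory
      with_items:
        - /etc/ddclient
        - /etc/minio
        - /etc/mitmproxy
        - /etc/pihole
        - /etc/dnsmasq.d
        - /etc/syncthing
        - /etc/traefik
        - /mnt/mushu/minio
        - /mnt/mushu/syncthing

    - name: Mount USB drive
      # NOTE(review): src is the whole device, not a partition — assumes the
      # ext4 filesystem was created directly on /dev/sda; confirm.
      mount:
        path: /mnt/mushu
        src: /dev/sda
        fstype: ext4
        state: mounted

    - name: Configure ddclient
      # The file holds the dynamic-DNS credentials, hence mode 0600. The mode
      # is quoted so YAML cannot reinterpret the leading zero as octal.
      copy:
        content: |
          daemon=300
          use=web
          ssl=yes
          protocol=googledomains
          {% for host in hosts %}
          login={{ host.login }}, password={{ host.password }} {{ host.host }}
          {% endfor %}
        dest: /etc/ddclient/ddclient.conf
        mode: "0600"
      vars:
        hosts: "{{ ddclient.hosts }}"
      notify: Restart ddclient

    - name: Traefik static configuration
      # The API/dashboard is reachable only through the `traefik` router in
      # the compose definition (api@internal behind basic auth). The
      # previous `insecure = true` under [api] served the same API without
      # authentication on :8080, which was also published on the host.
      copy:
        content: |
          [providers]
            [providers.docker]
              exposedByDefault = false
            [providers.file]
              filename = "/etc/traefik/dynamic_conf.toml"
              watch = true

          [entryPoints]
            [entryPoints.http]
              address = ":80"
            [entryPoints.https]
              address = ":443"

          [certificatesResolvers.le.acme]
            email = "{{ email }}"
            storage = "/etc/traefik/acme.json"
            [certificatesResolvers.le.acme.httpChallenge]
              entryPoint = "http"

          [api]

          [accessLog]
        dest: /etc/traefik/traefik.toml
        mode: "0600"

    # https://docs.syncthing.net/users/faq.html#inotify-limits
    - name: Increase inotify limit for syncthing
      # The sysctl module persists the value to /etc/sysctl.conf (same file
      # the old lineinfile edited) and also applies it to the running kernel,
      # so the limit is effective without a reboot.
      sysctl:
        name: fs.inotify.max_user_watches
        value: "204800"
        sysctl_set: true
        state: present
        reload: true

    # The docker_compose module overwrites our existing variables, so this is a
    # workaround to save off ones that we need later on in the playbook.
    #
    # https://github.com/ansible/ansible/issues/33960
    - name: Save original host facts
      set_fact:
        "{{ item }}_original": "{{ lookup('vars', item) }}"
      with_items:
        - minio
        - traefik

    - name: Docker ALL the things!
      # Every image is tracked by its :latest tag and pulled on each run, so
      # what actually gets deployed changes without any change to this file;
      # pinning tags (or digests) would make runs reproducible.
      docker_compose:
        project_name: on-fire-within
        pull: true
        definition:
          version: '2'
          services:
            ddclient:
              image: kejadlen/ddclient:latest
              container_name: ddclient
              volumes:
                - /etc/ddclient:/etc/ddclient
              restart: unless-stopped

            minio:
              image: kejadlen/minio:latest
              container_name: minio
              environment:
                MINIO_ACCESS_KEY: "{{ minio.access_key }}"
                MINIO_SECRET_KEY: "{{ minio.secret_key }}"
              volumes:
                - /etc/minio:/root/.minio
                - /mnt/mushu/minio:/data
              user: 0:0  # root inside the container
              labels:
                - traefik.enable=true
                - traefik.http.routers.minio.rule=Host(`{{ traefik.host_rules.minio }}`)
                - traefik.http.routers.minio.tls=true
                - traefik.http.routers.minio.tls.certresolver=le
                - traefik.http.services.minio.loadbalancer.server.port=9000

            mitmproxy:
              image: mitmproxy/mitmproxy:latest-ARMv7
              container_name: mitmproxy
              command: mitmweb --web-iface ""
              volumes:
                - /etc/mitmproxy:/home/mitmproxy/.mitmproxy
              labels:
                - traefik.enable=true
                # proxy endpoint: TLS is passed through untouched to mitmproxy
                - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`)
                - traefik.tcp.routers.mitmproxy.tls.passthrough=true
                - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080
                # web UI; tls=true added for consistency with the other routers
                - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`)
                - traefik.http.routers.mitmproxy-web.tls=true
                - traefik.http.routers.mitmproxy-web.tls.certresolver=le
                - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081

            pihole:
              image: pihole/pihole:latest
              container_name: pihole
              # Port mappings are quoted so the "host:container" form is never
              # read as a YAML sexagesimal number. These bind on every host
              # interface; if the host is reachable from outside the LAN,
              # prefix them with the LAN address ("<LAN_IP>:53:53/tcp").
              ports:
                - "53:53/tcp"
                - "53:53/udp"
              environment:
                TZ: America/Los_Angeles
                VIRTUAL_HOST: "{{ pihole.host }}"
                WEBPASSWORD: "{{ pihole.password }}"
              volumes:
                - /etc/pihole:/etc/pihole
                - /etc/dnsmasq.d:/etc/dnsmasq.d
              dns:
                - 127.0.0.1
                - 1.1.1.1
              labels:
                - traefik.enable=true
                - traefik.http.routers.pihole.rule=Host(`{{ traefik.host_rules.pihole }}`)
                - traefik.http.routers.pihole.tls=true
                - traefik.http.routers.pihole.tls.certresolver=le
                - traefik.http.services.pihole.loadbalancer.server.port=80
              restart: unless-stopped

            rzz:
              image: kejadlen/rzz:latest
              container_name: rzz
              labels:
                - traefik.enable=true
                - traefik.http.routers.rzz.rule=Host(`{{ traefik.host_rules.rzz }}`)
                - traefik.http.routers.rzz.tls=true
                - traefik.http.routers.rzz.tls.certresolver=le
                - traefik.http.services.rzz.loadbalancer.server.port=9292

            syncthing:
              image: kejadlen/syncthing:latest
              container_name: syncthing
              ports:
                - "22000:22000/tcp"
                - "21027:21027/udp"
              volumes:
                - /etc/syncthing:/etc/syncthing
                - /mnt/mushu/syncthing:/sync
              user: 0:0  # root inside the container
              labels:
                - traefik.enable=true
                - traefik.http.routers.syncthing.rule=Host(`{{ traefik.host_rules.syncthing }}`)
                - traefik.http.routers.syncthing.tls=true
                - traefik.http.routers.syncthing.tls.certresolver=le
                - traefik.http.services.syncthing.loadbalancer.server.port=8384

            traefik:
              image: traefik:latest
              container_name: traefik
              # Only the two entrypoints from traefik.toml are published. The
              # former 8080 mapping carried the unauthenticated API and is gone
              # together with `insecure = true`; the dashboard is served by the
              # `traefik` router below instead.
              ports:
                - "80:80"
                - "443:443"
              volumes:
                # Read access to the Docker socket is effectively root on the
                # host; it is what lets Traefik discover the other containers.
                - /var/run/docker.sock:/var/run/docker.sock
                - /etc/traefik:/etc/traefik
              labels:
                - traefik.enable=true
                # "$" is doubled because docker-compose interpolates "$" in
                # label values. NOTE(review): Traefik's basic auth also accepts
                # bcrypt hashes; password_hash('bcrypt') needs passlib on the
                # controller — confirm before switching.
                - traefik.http.middlewares.auth.basicauth.users=alpha:{{ traefik.password | password_hash("md5") | replace("$", "$$") }}
                - traefik.http.routers.traefik.rule=Host(`{{ traefik.host_rules.traefik }}`)
                - traefik.http.routers.traefik.tls=true
                - traefik.http.routers.traefik.tls.certresolver=le
                - traefik.http.routers.traefik.middlewares=auth
                - traefik.http.routers.traefik.service=api@internal
              restart: unless-stopped

    - name: Route Home Assistant through Traefik
      # Home Assistant runs on the host, so the file provider points Traefik
      # at the host as seen from the compose network (its gateway address).
      block:
        # - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
        - name: Look up the compose network gateway
          # pipefail makes a failing `docker network inspect` fail the task
          # instead of handing jq empty input; changed_when=false because the
          # command is read-only.
          shell: set -o pipefail && docker network inspect on-fire-within_default | jq --raw-output '.[0].IPAM.Config[0].Gateway'
          args:
            executable: /bin/bash
          register: docker_ip_result
          changed_when: false
          # An empty result would render the backend URL as "http://:8123/".
          failed_when: docker_ip_result.rc != 0 or (docker_ip_result.stdout | trim) == ''

        - name: Record the gateway address
          set_fact:
            docker_ip: "{{ docker_ip_result.stdout | trim }}"

        - name: Traefik dynamic configuration
          # Uses traefik_original because docker_compose has clobbered the
          # `traefik` variable by this point (see "Save original host facts").
          copy:
            content: |
              [http.routers]
                [http.routers.hassio]
                  rule = "Host(`{{ traefik_original.host_rules.hassio }}`)"
                  service = "hassio"
                  [http.routers.hassio.tls]
                    certResolver = "le"

              [http.services]
                [http.services.hassio.loadBalancer]
                  [[http.services.hassio.loadBalancer.servers]]
                    url = "http://{{ docker_ip }}:8123/"
            dest: /etc/traefik/dynamic_conf.toml
            mode: "0600"

  handlers:
    - name: Restart ddclient
      # Best-effort restart; ignore_errors presumably tolerates the container
      # not existing yet on a first run — confirm.
      docker_container:
        name: ddclient
        restart: true
      ignore_errors: true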