diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 921274c..61c2dd6 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -3,15 +3,17 @@ # user: tudattr timezone: Europe/Berlin +rclone_config: "/root/.config/rclone/" +puid: 1000 +pgid: 1000 +pk_path: "/mnt/veracrypt1/genesis" + local_domain: borg.land local_subdomains: "@" remote_domain: tudattr.dev remote_subdomains: "www,plex,status," -rclone_config: "/root/.config/rclone/" -puid: 1000 -pgid: 1000 -pk_path: "/media/veracrypt1/genesis" - +backup_domain: seyshiro.de +backup_subdomains: "hass,qbit,zm," # # aya01 - Disks @@ -243,6 +245,9 @@ swag_email: "me+swag@tudattr.dev" swag_site_confs: - "templates/mii/swag/site-confs/plex.subdomain.conf" - "templates/mii/swag/site-confs/uptime-kuma.subdomain.conf" +# - "templates/mii/swag/site-confs/homeassistant.subdomain.conf" +# - "templates/mii/swag/site-confs/qbittorrent.subdomain.conf" +# - "templates/mii/swag/site-confs/zoneminder.subdomain.conf" swag_remote_site_confs: "{{swag_config}}/nginx/site-confs/" # @@ -334,3 +339,18 @@ qbit_type: "openvpn" qbit_ssl: "no" qbit_lan: "192.168.20.0/24, 192.168.30.0/24, {{ docker_network }}" qbit_dns: "{{ aya01_ip }}, {{ pi_ip }}, 1.1.1.1" + +# +# Home Assistant +# + +hass_port: "" +hass_host: "hass" + +# +# Tautulli +# + +tautulli_port: "8181" +tautulli_host: "tautulli" +tautulli_config: "{{ docker_dir }}/{{ tautulli_host }}/config" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 930b857..1b17917 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,5 +1,6 @@ --- - include_tasks: time.yml - include_tasks: essential.yml +- include_tasks: sshd.yml - include_tasks: aya01_fstab.yml when: inventory_hostname == "aya01" diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml new file mode 100644 index 0000000..a5d1704 --- /dev/null +++ b/roles/common/tasks/sshd.yml 
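Review bot: The three commented-out entries under `swag_site_confs` say nothing about why they are disabled or what must hold before they are switched on, and the confs they point to (added later in this commit) proxy admin UIs for Home Assistant, qBittorrent and ZoneMinder with no auth directive of their own. Add a comment above them such as `# disabled: these publish admin UIs on {{ backup_domain }} — enable only once DNS/certs are in place and each site-conf has an auth layer (auth_basic or SSO include)`. Without it the dead entries are a one-keystroke accident away from going live.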
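Review bot: `hass_port: ""` is declared empty and, in the parts of this diff that reference Home Assistant, never consumed — `homeassistant.subdomain.conf` proxies to the bare `{{ hass_host }}.{{ pi_host }}.{{ local_domain }}` with no port. Either set the real listener port and use it in that `proxy_pass`, or drop the key; an empty string templated into a `host:port` URL later yields `host:` and only fails at runtime. `tautulli_port` in the same hunk is the host-published port, but the compose template in this commit also reuses it as the container-side traefik port, so the two values are silently coupled.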
@@ -0,0 +1,15 @@ +--- +- name: Copy sshd_config + template: + src: templates/common/ssh/sshd_config + dest: /etc/ssh/sshd_config + mode: 0644 + become: yes + register: sshd + +- name: Restart sshd + service: + name: "sshd" + state: "restarted" + become: yes + when: sshd.changed diff --git a/roles/common/templates/common/ssh/sshd_config b/roles/common/templates/common/ssh/sshd_config new file mode 100644 index 0000000..4e39082 --- /dev/null +++ b/roles/common/templates/common/ssh/sshd_config 
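Review bot: The `template` task writes `/etc/ssh/sshd_config` and the next task restarts `sshd` on any change, so a typo in the template takes the daemon down and, with password auth disabled in that template, locks the host out until console access. Add `validate: /usr/sbin/sshd -t -f %s` to the template task so a config that does not parse is never installed, and `state: reloaded` is sufficient for sshd to pick up the new file. The mode is best written as a string, `mode: '0644'`, matching the `'755'` style used in tautulli.yml in this same commit.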
@@ -0,0 +1,124 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Protocol 2
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 3
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+TCPKeepAlive no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+ClientAliveCountMax 2
+UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/roles/docker/tasks/aya01_compose.yml b/roles/docker/tasks/aya01_compose.yml
index 8bebf6d..7788d8d 100644
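Review bot: `Include /etc/ssh/sshd_config.d/*.conf` sits above every hardened setting, and sshd keeps the first value it reads for each keyword (sshd_config(5)), so any distro or cloud-init drop-in — Ubuntu cloud images, for example, ship a `50-cloud-init.conf` with `PasswordAuthentication yes` — silently wins over the `PasswordAuthentication no` and `PermitRootLogin no` in this template. Either move the `Include` to the end of the file or have the role remove or override the drop-ins, and verify the effective config with `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'` rather than trusting the file. Smaller points: `Protocol 2` is a no-op on any OpenSSH that understands `Include`, `ClientAliveCountMax 2` has no effect while `ClientAliveInterval` stays at its default of 0, and `UseDNS yes` adds a reverse lookup to every login for no authentication benefit. Consider an `AllowUsers` or `AllowGroups` line so only the intended accounts can attempt key auth at all.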
--- a/roles/docker/tasks/aya01_compose.yml +++ b/roles/docker/tasks/aya01_compose.yml @@ -32,6 +32,10 @@ tags: - plex +- include_tasks: tautulli.yml + tags: + - tautulli + - include_tasks: sonarr.yml tags: - sonarr diff --git a/roles/docker/tasks/tautulli.yml b/roles/docker/tasks/tautulli.yml new file mode 100644 index 0000000..48fa4d0 --- /dev/null +++ b/roles/docker/tasks/tautulli.yml @@ -0,0 +1,9 @@ +--- +- name: Create tautulli-config directory + file: + path: "{{ tautulli_config }}" + owner: "{{ puid }}" + group: "{{ pgid }}" + mode: '755' + state: directory + become: yes diff --git a/roles/docker/templates/aya01/compose.yaml b/roles/docker/templates/aya01/compose.yaml index e3ec67b..b2518e5 100644 --- a/roles/docker/templates/aya01/compose.yaml +++ b/roles/docker/templates/aya01/compose.yaml @@ -1,8 +1,8 @@ version: '3' services: traefik: - container_name: traefik image: traefik:latest + container_name: traefik restart: unless-stopped networks: net: {} @@ -16,9 +16,9 @@ services: - "{{ traefik_admin_port}}:8080" db: - container_name: zoneminder_db image: mariadb - restart: always + container_name: zoneminder_db + restart: unless-stopped networks: - zoneminder volumes: @@ -33,9 +33,9 @@ services: - "MAX_LOG_NUMBER=20" - "TZ=Europe/Berlin" zoneminder: - container_name: zoneminder image: ghcr.io/zoneminder-containers/zoneminder-base:latest - restart: always + container_name: zoneminder + restart: unless-stopped stop_grace_period: 45s depends_on: - db @@ -67,8 +67,8 @@ services: - "traefik.http.services.{{ zoneminder_host }}.loadbalancer.server.port=80" pihole: - container_name: pihole image: pihole/pihole:latest + container_name: pihole restart: unless-stopped networks: - net @@ -101,8 +101,8 @@ services: - "traefik.http.services.{{ pihole_host }}.loadbalancer.server.port=80" syncthing: - container_name: syncthing image: syncthing/syncthing + container_name: syncthing restart: unless-stopped networks: - net 
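Review bot: `mode: '755'` in tautulli.yml makes the Tautulli config directory world-readable, and that tree holds the application's `config.ini`, which presumably carries the Plex token and Tautulli API key (verify against the image), so any local user or sidecar sharing the mount can read them. The container runs as `{{ puid }}`/`{{ pgid }}` and owns the directory, so `mode: '0750'` loses nothing; `'0700'` if no group access is needed. `become: true` is the canonical YAML boolean the rest of the file would do well to use instead of `yes`.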
@@ -161,7 +161,7 @@ services: kuma: container_name: kuma image: louislam/uptime-kuma:1 - restart: always + restart: unless-stopped networks: - net environment: @@ -180,7 +180,7 @@ services: plex: image: lscr.io/linuxserver/plex:latest container_name: plex - restart: always + restart: unless-stopped networks: - net ports: @@ -210,7 +210,7 @@ services: sonarr: image: lscr.io/linuxserver/sonarr:latest container_name: sonarr - restart: always + restart: unless-stopped networks: - net environment: @@ -231,7 +231,7 @@ services: radarr: image: lscr.io/linuxserver/radarr:latest container_name: radarr - restart: always + restart: unless-stopped networks: - net environment: @@ -252,7 +252,7 @@ services: lidarr: image: lscr.io/linuxserver/lidarr:latest container_name: lidarr - restart: always + restart: unless-stopped networks: - net environment: @@ -273,7 +273,7 @@ services: prowlarr: image: lscr.io/linuxserver/prowlarr:latest container_name: prowlarr - restart: always + restart: unless-stopped networks: - net environment: @@ -292,7 +292,7 @@ services: pastebin: image: wantguns/bin container_name: pastebin - restart: always + restart: unless-stopped networks: - net ports: @@ -313,7 +313,7 @@ services: qbittorrentvpn: image: dyonr/qbittorrentvpn container_name: {{ qbit_host }} - restart: always + restart: unless-stopped privileged: true networks: - net 
@@ -337,6 +337,24 @@ services: - "traefik.http.routers.{{ qbit_host }}.rule=Host(`{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }}`)" - "traefik.http.services.{{ qbit_host }}.loadbalancer.server.port=8080" + tautulli: + image: lscr.io/linuxserver/tautulli:latest + container_name: tautulli + restart: unless-stopped + networks: + - net + environment: + - PUID={{ puid }} + - PGID={{ pgid}} + - TZ={{ timezone }} + volumes: + - {{ tautulli_config}}:/config + ports: + - {{ tautulli_port }}:8181 + labels: + - "traefik.enable=true" + - "traefik.http.routers.{{ tautulli_host }}.rule=Host(`{{ tautulli_host }}.{{ aya01_host }}.{{ local_domain }}`)" + - "traefik.http.services.{{ tautulli_host }}.loadbalancer.server.port={{ tautulli_port }}" networks: zoneminder: diff --git a/roles/docker/templates/mii/compose.yaml b/roles/docker/templates/mii/compose.yaml index 0497629..df7d738 100644 --- a/roles/docker/templates/mii/compose.yaml +++ b/roles/docker/templates/mii/compose.yaml @@ -23,7 +23,7 @@ services: - PROPAGATION= #optional - EMAIL={{ swag_email }} #optional - ONLY_SUBDOMAINS=false #optional - - EXTRA_DOMAINS= #optional + - EXTRA_DOMAINS= # qbit.seyshiro.de,zm.seyshiro.de,hass.seyshiro.de - STAGING=false #optional volumes: - "{{ swag_config }}:/config" diff --git a/roles/docker/templates/mii/swag/site-confs/homeassistant.subdomain.conf b/roles/docker/templates/mii/swag/site-confs/homeassistant.subdomain.conf new file mode 100644 index 0000000..7758e7e --- /dev/null +++ b/roles/docker/templates/mii/swag/site-confs/homeassistant.subdomain.conf 
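Review bot: The traefik label `loadbalancer.server.port={{ tautulli_port }}` binds the container-internal port to the host-port variable; it only works because both happen to be 8181, and changing `tautulli_port` to any other host port silently breaks routing. Write the container side literally, `- "{{ tautulli_port }}:8181"` and `"...loadbalancer.server.port=8181"`, and quote the port mapping as the traefik service at the top of this file does so the templated scalar is never re-typed by YAML. Publishing the port on the host at all bypasses traefik; if traefik is meant to be the only entry point, drop the `ports:` block. `{{ pgid}}` is also missing the space before its closing braces.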
@@ -0,0 +1,20 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{ hass_host }}.{{ backup_domain }}; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + location / { + include /config/nginx/resolver.conf; + proxy_pass http://{{ hass_host }}.{{ pi_host }}.{{ local_domain }}; + } + + location ~ ^/(api|local|media)/ { + include /config/nginx/resolver.conf; + proxy_pass http://{{ hass_host }}.{{ pi_host }}.{{ local_domain }}; + } +} diff --git a/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf b/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf index ca0e88a..e1321dd 100644 --- a/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf +++ b/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf @@ -12,7 +12,7 @@ server { location / { include /config/nginx/resolver.conf; - proxy_pass http://172-16-69-11.{{ vault_plex_server_id }}.plex.direct:{{ plex_port }}/ + proxy_pass http://{{ aya01_ip | replace('.', '-') }}.{{ vault_plex_server_id }}.plex.direct:{{ plex_port }}/; proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; proxy_set_header X-Plex-Device $http_x_plex_device; diff --git a/roles/docker/templates/mii/swag/site-confs/qbittorrent.subdomain.conf b/roles/docker/templates/mii/swag/site-confs/qbittorrent.subdomain.conf new file mode 100644 index 0000000..04cec8a --- /dev/null +++ b/roles/docker/templates/mii/swag/site-confs/qbittorrent.subdomain.conf 
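Review bot: Neither `location` in homeassistant.subdomain.conf includes `/config/nginx/proxy.conf`, unlike the qbittorrent conf added in this same commit, so Home Assistant receives no `X-Forwarded-For`/`X-Real-IP` and no websocket `Upgrade`/`Connection` headers — the frontend websocket is likely to fail and HA's login throttling and IP ban would only ever see the proxy's address. Add `include /config/nginx/proxy.conf;` before each `proxy_pass` and set `trusted_proxies` with `use_x_forwarded_for` in HA so it accepts and uses the forwarded address (recent HA versions reject proxied requests without this — confirm for the version deployed). The `location ~ ^/(api|local|media)/` block is byte-identical to `location /` and can be removed. Exposing HA on `{{ backup_domain }}` rests entirely on HA's own login; an `allow`/`deny` list or an auth include in front of it would be a cheap second layer.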
@@ -0,0 +1,84 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ qbit_host }}.{{ backup_domain }};
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ location / {
+ include /config/nginx/resolver.conf;
+ proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }};
+
+ proxy_set_header Referer '';
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ location ~ (/qbittorrent)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }};
+
+ rewrite /qbittorrent(.*) $1 break;
+
+ proxy_set_header Referer '';
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ location ~ (/qbittorrent)?/command {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }};
+
+ rewrite /qbittorrent(.*) $1 break;
+
+ proxy_set_header Referer '';
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ location ~ (/qbittorrent)?/query {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }};
+
+ rewrite /qbittorrent(.*) $1 break;
+
+ proxy_set_header Referer '';
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ location ~ (/qbittorrent)?/login {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }};
+
+ rewrite /qbittorrent(.*) $1 break;
+
+ proxy_set_header Referer '';
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ location ~ (/qbittorrent)?/sync {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }};
+
+ rewrite /qbittorrent(.*) $1 break;
+
+ proxy_set_header Referer '';
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ location ~ (/qbittorrent)?/scripts {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf; + proxy_pass http://{{ qbit_host }}.{{ aya01_host }}.{{ local_domain }}; + + rewrite /qbittorrent(.*) $1 break; + + proxy_set_header Referer ''; + proxy_set_header X-Forwarded-Host $host; + } +} diff --git a/roles/docker/templates/mii/swag/site-confs/zoneminder.subdomain.conf b/roles/docker/templates/mii/swag/site-confs/zoneminder.subdomain.conf new file mode 100644 index 0000000..2706e70 --- /dev/null +++ b/roles/docker/templates/mii/swag/site-confs/zoneminder.subdomain.conf @@ -0,0 +1,15 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{ zoneminder_host }}.{{ backup_domain }}; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + location / { + include /config/nginx/resolver.conf; + proxy_pass http://{{ zoneminder_host }}.{{ aya01_host }}.{{ local_domain }}; + + } +} diff --git a/roles/node_exporter/tasks/install.yml b/roles/node_exporter/tasks/install.yml new file mode 100644 index 0000000..6e8f1c1 --- /dev/null +++ b/roles/node_exporter/tasks/install.yml @@ -0,0 +1,11 @@ +--- +- name: Download {{ exporter_node_dl_filename }} + get_url: + url: {{ exporter_node_dl_url }} + dest: {{ exporter_node_full_path }} + mode: '0664' + +- name: Extract {{ exporter_node_dl_filename }} + unarchive: + src: {{ exporter_node_full_path }} + dest: {{ exporter_node_dl_path }}/node_exporter diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml new file mode 100644 index 0000000..d0baf73 --- /dev/null +++ b/roles/node_exporter/tasks/main.yml @@ -0,0 +1,3 @@ +- include_tasks: install.yml +- include_tasks: systemd.yml +- include_tasks: run.yml
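Review bot: qbittorrent.subdomain.conf publishes the qBittorrent WebUI on the internet with nothing in front of its built-in login — no `auth_basic`, no SSO include, no `allow`/`deny` — and an authenticated WebUI user can set a "run external program on completion" command, which is command execution inside a container that the aya01 compose file runs with `privileged: true`. Put a second factor at the proxy, e.g. `auth_basic "qbittorrent"; auth_basic_user_file /config/nginx/.htpasswd;` inside `server {}`, or at minimum `allow <trusted ranges>; deny all;`, and turn on qBittorrent's ban-after-failed-logins. Two smaller points in the same file: `location /` omits `include /config/nginx/proxy.conf;` while the six API locations include it, and the location regexes are unanchored, so `(/qbittorrent)?/api` matches any URI containing `/api`; anchor them as `location ~ ^(/qbittorrent)?/api`.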
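Review bot: zoneminder.subdomain.conf exposes the camera console at `{{ zoneminder_host }}.{{ backup_domain }}` with no auth directive and no `proxy.conf` include, so whether anyone on the internet can watch the streams depends entirely on ZoneMinder's own authentication (`OPT_USE_AUTH`) being enabled inside the container, which nothing in this diff shows. Gate it at the proxy — `auth_basic`/`.htpasswd`, an SSO include, or an `allow`/`deny` block for known ranges — and add `include /config/nginx/proxy.conf;` before the `proxy_pass` so ZoneMinder sees forwarded headers. The blank line left inside `location /` after `proxy_pass` is stray.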
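Review bot: In node_exporter/tasks/install.yml every module argument starts with an unquoted `{{ … }}`, which YAML parses as a flow mapping before Jinja ever runs, so Ansible fails to load the file; each value needs quoting, e.g. `url: "{{ exporter_node_dl_url }}"`. Beyond that, `get_url` fetches a binary tarball with no `checksum:`, so a tampered mirror or a truncated download is unpacked and later run as a service, and `unarchive` lacks `remote_src: true`, so it would look for the tarball on the controller rather than on the host that just downloaded it. Pinning the published sha256 means defining a variable for it alongside `exporter_node_dl_url` (not shown in this diff).
```yaml
- name: Download {{ exporter_node_dl_filename }}
  get_url:
    url: "{{ exporter_node_dl_url }}"
    dest: "{{ exporter_node_full_path }}"
    # fail closed on a tampered or truncated download; value comes from the release's sha256sums.txt
    checksum: "sha256:{{ exporter_node_sha256 }}"
    mode: '0664'

- name: Extract {{ exporter_node_dl_filename }}
  unarchive:
    src: "{{ exporter_node_full_path }}"
    dest: "{{ exporter_node_dl_path }}/node_exporter"
    remote_src: true
```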