diff --git a/group_vars/docker/docker.yml b/group_vars/docker/docker.yml
new file mode 100644
index 0000000..1fe0fed
--- /dev/null
+++ b/group_vars/docker/docker.yml
@@ -0,0 +1,521 @@
+docker:
+ url: "https://download.docker.com/linux"
+ apt_release_channel: "stable"
+ directories:
+ local: "/opt/local/"
+ config: "/opt/docker/config/"
+ compose: "/opt/docker/compose/"
+
+services:
+ - name: syncthing
+ vm:
+ - docker-host00
+ container_name: syncthing
+ image: syncthing/syncthing:1.29
+ restart: unless-stopped
+ volumes:
+ - name: "Data"
+ internal: /var/syncthing/
+ external: /media/docker/data/syncthing/
+ ports:
+ - name: "http"
+ internal: 8384
+ external: "{{ services_external_http.syncthing }}"
+ - name: ""
+ internal: 22000
+ external: 22000
+ - name: ""
+ internal: 22000
+ external: 22000
+ - name: ""
+ internal: 21027
+ external: 21027
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - name: status
+ vm:
+ - docker-host00
+ container_name: kuma
+ image: louislam/uptime-kuma:1.23.16
+ restart: unless-stopped
+ volumes:
+ - name: "Data"
+ internal: /app/data
+ external: "{{ docker.directories.local }}/kuma/"
+ ports:
+ - name: "http"
+ internal: 3001
+ external: "{{ services_external_http.kuma }}"
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - name: plex
+ vm:
+ - docker-host00
+ container_name: plex
+ image: lscr.io/linuxserver/plex:1.41.5
+ restart: unless-stopped
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.local }}/plex/config/"
+ - name: "TV Series"
+ internal: /tv:ro
+ external: /media/series
+ - name: "Movies"
+ internal: /movies:ro
+ external: /media/movies
+ - name: "Music"
+ internal: /music:ro
+ external: /media/songs
+ devices:
+ - name: "Graphics Card"
+ internal: /dev/dri
+ external: /dev/dri
+ ports:
+ - name: "http"
+ internal: 32400
+ external: "{{ services_external_http.plex }}"
+ - name: ""
+ internal: 1900
+ external: 1900
+ - name: ""
+ internal: 3005
+ external: 3005
+ - name: ""
+ internal: 5353
+ external: 5353
+ - name: ""
+ internal: 32410
+ external: 32410
+ - name: ""
+ internal: 8324
+ external: 8324
+ -
name: ""
+ internal: 32412
+ external: 32412
+ - name: ""
+ internal: 32469
+ external: 32469
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - VERSION=docker
+ - name: jellyfin
+ vm:
+ - docker-host01
+ container_name: jellyfin
+ image: jellyfin/jellyfin:10.10
+ restart: "unless-stopped"
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.local }}/jellyfin/config"
+ - name: "Cache"
+ internal: /cache
+ external: "{{ docker.directories.config }}/jellyfin/cache"
+ - name: "Tv Series"
+ internal: /tv:ro
+ external: /media/series
+ - name: "Music"
+ internal: /movies:ro
+ external: /media/movies
+ - name: "Music"
+ internal: /music:ro
+ external: /media/songs
+ devices:
+ - name: "Graphics Card"
+ internal: /dev/dri
+ external: /dev/dri
+ ports:
+ - name: "http"
+ internal: 8096
+ external: "{{ services_external_http.jellyfin }}"
+ environment:
+ - name: hass
+ vm:
+ - docker-host01
+ container_name: homeassistant
+ image: "ghcr.io/home-assistant/home-assistant:stable"
+ restart: unless-stopped
+ privileged: true
+ volumes:
+ - name: "Configuration"
+ internal: /config/
+ external: "{{ docker.directories.local }}/home-assistant/config/"
+ - name: "Local Time"
+ internal: /etc/localtime:ro
+ external: /etc/localtime
+ ports:
+ - name: "http"
+ internal: 8123
+ external: "{{ services_external_http.hass }}"
+ - name: ""
+ internal: 4357
+ external: 4357
+ - name: ""
+ internal: 5683
+ external: 5683
+ - name: ""
+ internal: 5683
+ external: 5683
+ - name: ddns
+ vm:
+ - docker-host00
+ container_name: ddns-updater
+ image: qmcgaw/ddns-updater:2
+ restart: unless-stopped
+ volumes:
+ - name: "Configuration"
+ internal: /updater/data/"
+ external: "{{ docker.directories.config }}/ddns-updater/data/"
+ ports:
+ - name: "http"
+ internal: 8000
+ external: "{{ services_external_http.ddns }}"
+ - name: sonarr
+ vm:
+ - docker-host00
+ container_name: sonarr
+ image: linuxserver/sonarr:4.0.14
+ restart: unless-stopped
+
volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.local }}/sonarr/config"
+ - name: "Tv Series"
+ internal: /tv
+ external: /media/series
+ - name: "Torrent Downloads"
+ internal: /downloads
+ external: /media/docker/data/arr_downloads/sonarr
+ ports:
+ - name: "http"
+ internal: 8989
+ external: "{{ services_external_http.sonarr }}"
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - name: radarr
+ vm:
+ - docker-host00
+ container_name: radarr
+ image: linuxserver/radarr:5.21.1
+ restart: unless-stopped
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.local }}/radarr/config"
+ - name: "Movies"
+ internal: /movies
+ external: /media/movies
+ - name: "Torrent Downloads"
+ internal: /downloads
+ external: /media/docker/data/arr_downloads/radarr
+ ports:
+ - name: "http"
+ internal: 7878
+ external: "{{ services_external_http.radarr }}"
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - name: lidarr
+ vm:
+ - docker-host00
+ container_name: lidarr
+ image: linuxserver/lidarr:2.10.3
+ restart: unless-stopped
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.local }}/lidarr/config"
+ - name: "Music"
+ internal: /music
+ external: /media/songs
+ - name: "Torrent Downloads"
+ internal: /downloads
+ external: /media/docker/data/arr_downloads/lidarr
+ ports:
+ - name: "http"
+ internal: 8686
+ external: "{{ services_external_http.lidarr }}"
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - name: prowlarr
+ vm:
+ - docker-host00
+ container_name: prowlarr
+ image: linuxserver/prowlarr:1.32.2
+ restart: unless-stopped
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.local }}/prowlarr/config"
+ ports:
+ - name: "http"
+ internal: 9696
+ external: "{{ services_external_http.prowlarr }}"
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - name:
paperless
+ vm:
+ - docker-host00
+ container_name: paperless
+ image: ghcr.io/paperless-ngx/paperless-ngx:2.14
+ restart: unless-stopped
+ depends_on:
+ - paperless-postgres
+ - paperless-broker
+ volumes:
+ - name: "Configuration"
+ internal: /usr/src/paperless/data
+ external: "{{ docker.directories.local }}/paperless/data/data"
+ - name: "Media"
+ internal: /usr/src/paperless/media
+ external: "{{ docker.directories.local }}/paperless/data/media"
+ - name: "Document Export"
+ internal: /usr/src/paperless/export
+ external: "{{ docker.directories.local }}/paperless/data/export"
+ - name: "Document Consume"
+ internal: /usr/src/paperless/consume
+ external: "{{ docker.directories.local }}/paperless/data/consume"
+ environment:
+ - "PAPERLESS_REDIS=redis://paperless-broker:6379"
+ - "PAPERLESS_DBHOST=paperless-postgres"
+ - "PAPERLESS_DBUSER=paperless"
+ - "PAPERLESS_DBPASS={{ vault.docker.paperless.dbpass }}"
+ - "USERMAP_UID=1000"
+ - "USERMAP_GID=1000"
+ - "PAPERLESS_URL=https://paperless.{{ domain }}"
+ - "PAPERLESS_TIME_ZONE=Europe/Berlin"
+ - "PAPERLESS_OCR_LANGUAGE=deu"
+ ports:
+ - name: "http"
+ internal: 8000
+ external: "{{ services_external_http.paperless }}"
+ - name: pdf
+ vm:
+ - docker-host00
+ container_name: stirling
+ image: frooodle/s-pdf:0.45.0
+ restart: unless-stopped
+ ports:
+ - name: "http"
+ internal: 8080
+ external: "{{ services_external_http.pdf }}"
+ - name: git
+ vm:
+ - docker-host01
+ container_name: gitea
+ image: gitea/gitea:1.23-rootless
+ restart: unless-stopped
+ volumes:
+ - name: "Configuration"
+ internal: /etc/gitea
+ external: "{{ docker.directories.local }}/gitea/config"
+ - name: "Data"
+ internal: /var/lib/gitea
+ external: "{{ docker.directories.local }}/gitea/data"
+ - name: "Time Zone"
+ internal: /etc/timezone:ro
+ external: /etc/timezone
+ - name: "Local Time"
+ internal: /etc/localtime:ro
+ external: /etc/localtime
+ ports:
+ - name: "http"
+ internal: 3000
+ external: "{{ services_external_http.git }}"
+ -
name: "ssh"
+ internal: 2222
+ external: 2222
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ - name: changedetection
+ vm:
+ - docker-host00
+ container_name: changedetection
+ image: dgtlmoon/changedetection.io:0.49
+ restart: unless-stopped
+ volumes:
+ - name: "Data"
+ internal: /datastore
+ external: "{{ docker.directories.config }}/changedetection/data/"
+ ports:
+ - name: "http"
+ internal: 5000
+ external: "{{ services_external_http.changedetection }}"
+ - name: gluetun
+ vm:
+ - docker-host00
+ container_name: gluetun
+ image: qmcgaw/gluetun:v3.40
+ restart: unless-stopped
+ cap_add:
+ - NET_ADMIN
+ devices:
+ - name: "Tunnel"
+ internal: /dev/net/tun
+ external: /dev/net/tun
+ volumes:
+ - name: "Configuration"
+ internal: /gluetun
+ external: "{{ docker.directories.config }}/gluetun/config"
+ ports:
+ - name: "Qbit Client"
+ internal: 8082
+ external: 8082
+ - name: "Torrentleech Client"
+ internal: 8083
+ external: 8083
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - VPN_SERVICE_PROVIDER=protonvpn
+ - UPDATER_VPN_SERVICE_PROVIDERS=protonvpn
+ - UPDATER_PERIOD=24h
+ - "SERVER_COUNTRIES={{ vault.docker.proton.country }}"
+ - "OPENVPN_USER={{ vault.docker.proton.openvpn_user }}"
+ - "OPENVPN_PASSWORD={{ vault.docker.proton.openvpn_password }}"
+ - name: torrentleech
+ vm:
+ - docker-host00
+ container_name: torrentleech
+ image: qbittorrentofficial/qbittorrent-nox
+ restart: unless-stopped
+ depends_on:
+ - gluetun
+ network_mode: "container:gluetun"
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.config }}/torrentleech/config"
+ - name: "Downloads"
+ internal: /downloads
+ external: /media/docker/data/arr_downloads
+ ports:
+ - name: "http"
+ internal: proxy_only
+ external: 8083
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - QBT_EULA="accept"
+ - QBT_WEBUI_PORT="8083"
+ - name: qbit
+ vm:
+ - docker-host00
+ container_name: qbit
+ image:
qbittorrentofficial/qbittorrent-nox:5.0.4-1
+ restart: unless-stopped
+ depends_on:
+ - gluetun
+ network_mode: "container:gluetun"
+ volumes:
+ - name: "Configuration"
+ internal: /config
+ external: "{{ docker.directories.config }}/qbit/config"
+ - name: "Downloads"
+ internal: /downloads
+ external: /media/docker/data/arr_downloads
+ ports:
+ - name: "http"
+ internal: proxy_only
+ external: 8082
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - QBT_EULA="accept"
+ - QBT_WEBUI_PORT="8082"
+ - name: cadvisor
+ vm:
+ - docker-host00
+ - docker-host01
+ container_name: cadvisor
+ image: gcr.io/cadvisor/cadvisor:v0.52.1
+ restart: unless-stopped
+ ports:
+ - name: ""
+ internal: 8080
+ external: 8081
+ volumes:
+ - name: "Root"
+ internal: /rootfs:ro
+ external: /
+ - name: "Run"
+ internal: /var/run:rw
+ external: /var/run
+ - name: "System"
+ internal: /sys:ro
+ external: /sys
+ - name: "Docker"
+ internal: /var/lib/docker:ro
+ external: /var/lib/docker
+ - name: karakeep
+ vm:
+ - docker-host01
+ container_name: karakeep
+ image: ghcr.io/karakeep-app/karakeep:0.23.2
+ restart: unless-stopped
+ ports:
+ - name: "http"
+ internal: 3000
+ external: "{{ services_external_http.karakeep }}"
+ volumes:
+ - name: "Data"
+ internal: /data
+ external: "{{ docker.directories.local }}/karakeep/config"
+ environment:
+ - MEILI_ADDR=http://karakeep-meilisearch:7700
+ - BROWSER_WEB_URL=http://karakeep-chrome:9222
+ - NEXTAUTH_SECRET={{ vault.docker.karakeep.nextauth_secret }}
+ - MEILI_MASTER_KEY={{ vault.docker.karakeep.meili_master_key }}
+ - NEXTAUTH_URL=https://karakeep.tudattr.dev/
+ - OPENAI_API_KEY={{ vault.docker.karakeep.openai_key }}
+ - DATA_DIR=/data
+ - DISABLE_SIGNUPS=true
+ - name: keycloak
+ vm:
+ - docker-host01
+ container_name: keycloak
+ image: quay.io/keycloak/keycloak:26.2
+ restart: unless-stopped
+ ports:
+ - name: "http"
+ internal: 8080
+ external: "{{ services_external_http.keycloak }}"
+ volumes:
+ - name: "config"
+ internal:
/opt/keycloak/data/import/homelab-realm.json
+ external: "{{ docker.directories.local }}/keycloak/homelab-realm.json"
+ command:
+ - "start"
+ - "--import-realm"
+ environment:
+ - KC_DB=postgres
+ - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak
+ - KC_DB_USERNAME=keycloak
+ - KC_DB_PASSWORD=password
+ - KC_HOSTNAME=keycloak.{{ internal_domain }}
+ - KC_HTTP_ENABLED=true
+ - KC_HTTP_RELATIVE_PATH=/
+ - KC_PROXY=edge
+ - KC_PROXY_HEADERS=xforwarded
+ - KC_HOSTNAME_URL=https://keycloak.{{ internal_domain }}
+ - KC_HOSTNAME_ADMIN_URL=https://keycloak.{{ internal_domain }}
+ - KC_BOOTSTRAP_ADMIN_USERNAME=serviceadmin-{{ keycloak_admin_hash }}
+ - KC_BOOTSTRAP_ADMIN_PASSWORD={{ vault.docker.keycloak.admin.password }
diff --git a/group_vars/docker/keycloak.yml b/group_vars/docker/keycloak.yml
new file mode 100644
index 0000000..4909ae8
--- /dev/null
+++ b/group_vars/docker/keycloak.yml
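Review bot: The last line of the keycloak environment, `KC_BOOTSTRAP_ADMIN_PASSWORD={{ vault.docker.keycloak.admin.password }`, closes the Jinja expression with a single brace, so templating this service definition will fail before anything is deployed; it should read `- KC_BOOTSTRAP_ADMIN_PASSWORD={{ vault.docker.keycloak.admin.password }}`. A few lines above it, `KC_DB_PASSWORD=password` commits a plaintext database credential in group_vars while every other credential in this file is read from `vault.*`; pull it from a vault entry as well (a new key such as `vault.docker.keycloak.db_password`, kept next to the existing `vault.docker.keycloak.admin.*` values), and since no `postgres` service for keycloak appears in the compose hunks of this commit, the database side of that credential presumably lives elsewhere and must be changed in step. The karakeep entries `NEXTAUTH_SECRET=`, `MEILI_MASTER_KEY=` and `OPENAI_API_KEY=` leave the `{{ }}` expression unquoted, unlike the paperless and gluetun blocks; quoting the whole item (`- "NEXTAUTH_SECRET={{ vault.docker.karakeep.nextauth_secret }}"`) keeps a vault value that happens to start with a YAML indicator from breaking the parse. Two smaller carry-overs worth fixing while the file is new: the ddns volume `internal: /updater/data/"` has a stray trailing quote, and the jellyfin movies mount is labelled `name: "Music"`.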
@@ -0,0 +1,51 @@
+keycloak_admin_hash: "{{ vault.docker.keycloak.admin.hash }}"
+
+keycloak_config:
+ reals:
+ - realm: homelab
+ display_name: "Homelab Realm"
+ users:
+ - username: tudattr
+ password: "{{ vault.docker.keycloak.user.password }}"
+ realm_roles:
+ - offline_access
+ - uma_authorization
+ client_roles:
+ account:
+ - view-profile
+ - manage-account
+ admin:
+ username: "serviceadmin-{{ keycloak_admin_hash }}"
+ password: "{{ vault.docker.keycloak.admin.password }}"
+ realm_roles:
+ - offline_access
+ - uma_authorization
+ - admin
+ client_roles:
+ realm_management:
+ - realm-admin
+ account:
+ - view-profile
+ - manage-account
+ roles:
+ realm:
+ - name: admin
+ description: "Administrator role for the homelab realm"
+ default_roles:
+ - offline_access
+ - uma_authorization
+ - realm: master
+ display_name: "master"
+ admin:
+ username: "serviceadmin-{{ keycloak_admin_hash }}"
+ password: "{{ vault.docker.keycloak.admin.password }}"
+ realm_roles:
+ - offline_access
+ - uma_authorization
+ - admin
+ client_roles:
+ realm_management:
+ - realm-admin
+ account:
+ - view-profile
+ - manage-account
diff --git a/group_vars/docker/port_mapping.yml b/group_vars/docker/port_mapping.yml
new file mode 100644
index 0000000..a496330
--- /dev/null
+++ b/group_vars/docker/port_mapping.yml
@@ -0,0 +1,19 @@
+services_external_http:
+ syncthing: 8384
+ kuma: 3001
+ plex: 32400
+ jellyfin: 8096
+ hass: 8123
+ ddns: 8001
+ sonarr: 8989
+ radarr: 7878
+ lidarr: 8686
+ prowlarr: 9696
+ paperless: 8000
+ pdf: 8080
+ git: 3000
+ changedetection: 5000
+ torrentleech: 8083
+ qbit: 8082
+ karakeep: 3002
+ keycloak: 3003
diff --git a/group_vars/docker/secrets.yml b/group_vars/docker/secrets.yml
index 1c0b4ef..1d1db0d 100644
--- a/group_vars/docker/secrets.yml
+++ b/group_vars/docker/secrets.yml
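Review bot: `keycloak_config` keeps its realm list under `reals:`, but `roles/docker_host/tasks/provision.yml` in this same commit loops over `keycloak_config.realms`, so the realm template task will fail on an undefined attribute; rename the key to `realms:`. The `client_roles` sub-key `realm_management` is spelled with an underscore whereas the Keycloak built-in client it presumably targets is `realm-management`; whether `realm.json.j2` translates the name cannot be seen here (that template is cut off at the end of the page), so confirm the rendered JSON names the client the way Keycloak expects.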
@@ -1,32 +1,51 @@ $ANSIBLE_VAULT;1.1;AES256 -30383661646632613539633934643164373364323632396664653738383461643436633438616663 -6532323935383966363234373262313135316338333163350a373034356562316438643339643731 -65323462663363313935313763643461633932323763633032346537653431643838643632316431 -3464646137303635300a613464346161636563343664386135663038346464343663323738356432 -66353638616631353765393462353234323437356666316332396661663063363435363039323966 -31303361323432333934353738613233363431366261623433356437626638353063623363373761 -63313437666132373762643530353432353066393861363964663531333439653939313563626334 -31646265316238626639316330373635396538666535373034366131353535343766663833656161 -35326364303262323133633236656632303537636665303061613362336631643261373061393462 -32343263623162643866366361376165633165383733663636363632393634316164356433343766 -30373634623161343363303936396436613265396432616432643064383231326561646533646532 -64393136313438343433643134666164373236383634333838363662323133343833363435306234 -39366662616634323837333231663964633834316163663036613433663630303566303330663765 -38346137393637323434396364333063393961393232363839636334643339333930363131396637 -63383034386535346337633263323130353338393135326535646134336264643136396331653337 -63643035393135623762663763306234313336326465623530393764663131636262386435316235 -38373761333762653531613365336234363238623864393062626166373862623239386164346465 -63393062343166306563636332643966336435303161636533316234353332646131373731313234 -33366465653663643938386439313134666662373865313061316135653639366161303631643436 -64656332616533333338336437323262336463653439613530366430633161616166626461333263 -36643231656133316135373936303361336535393661643363303636343331313461643561303266 -32303438333261613635373165636630363264376638633563353438663236663733346662303661 -35656265373530333063373136343132323461643136336137323361613166336461386565366562 
-62343466643334636536653932373433356137373339333235656532643935373661663234633564 -31356630356164646533323134353138666563356431633262306465343731303937323439353236 -66323464633330363031383566313137303766373331653234396131366462633861653031316562 -65346537383436353333303062396139313036386562663630623834306635306230363661353965 -63613239663835623365393432336532636230386635313262623439386338623538626565613765 -63646334313933613963623961633831393737366166363366313138393436633537376166663365 -63333965363465376365353436326236343832653164393563653236376132393463616365616139 -623130306134323838303339653664646539 +66363634613334353739343565353932393932633064623536666362323639643230343866313864 +6331373639363262343664396131626632653232666439630a663333323564343763303266626362 +30356631633633623535616136326438353166633637353339353461333439333364313437653364 +6565653535616330330a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diff --git a/group_vars/docker/vars.yml b/group_vars/docker/vars.yml index aa57f4b..8bd5706 100644 --- a/group_vars/docker/vars.yml +++ b/group_vars/docker/vars.yml 
@@ -1,589 +1,4 @@ -docker: - url: "https://download.docker.com/linux" - apt_release_channel: "stable" - directories: - opt: "/opt/docker/" - compose: "/opt/docker/compose" - caddy: admin_email: me+acme@tudattr.dev domain: "seyshiro.de" - -services: - - name: syncthing - vm: - - docker-host00 - container_name: syncthing - image: syncthing/syncthing:1.29 - restart: unless-stopped - volumes: - - name: "Data" - internal: /var/syncthing/ - external: /media/docker/data/syncthing/ - ports: - - name: "http" - internal: 8384 - external: 8384 - - name: "" - internal: 22000 - external: 22000 - - name: "" - internal: 22000 - external: 22000 - - name: "" - internal: 21027 - external: 21027 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - name: status - vm: - - docker-host00 - container_name: kuma - image: louislam/uptime-kuma:1.23.16 - restart: unless-stopped - volumes: - - name: "Data" - internal: /app/data - external: /opt/local/kuma/ - ports: - - name: "http" - internal: 3001 - external: 3001 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - name: plex - vm: - - docker-host00 - container_name: plex - image: lscr.io/linuxserver/plex:1.41.5 - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /config - external: /opt/local/plex/config/ - - name: "TV Series" - internal: /tv:ro - external: /media/series - - name: "Movies" - internal: /movies:ro - external: /media/movies - - name: "Music" - internal: /music:ro - external: /media/songs - devices: - - name: "Graphics Card" - internal: /dev/dri - external: /dev/dri - ports: - - name: "http" - internal: 32400 - external: 32400 - - name: "" - internal: 1900 - external: 1900 - - name: "" - internal: 3005 - external: 3005 - - name: "" - internal: 5353 - external: 5353 - - name: "" - internal: 32410 - external: 32410 - - name: "" - internal: 8324 - external: 8324 - - name: "" - internal: 32412 - external: 32412 - - name: "" - internal: 32469 - external: 32469 - environment: - - 
PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - VERSION=docker - - name: jellyfin - vm: - - docker-host01 - container_name: jellyfin - image: jellyfin/jellyfin:10.10 - restart: "unless-stopped" - volumes: - - name: "Configuration" - internal: /config - external: /opt/local/jellyfin/config - - name: "Cache" - internal: /cache - external: /opt/docker/config/jellyfin/cache - - name: "Tv Series" - internal: /tv:ro - external: /media/series - - name: "Music" - internal: /movies:ro - external: /media/movies - - name: "Music" - internal: /music:ro - external: /media/songs - devices: - - name: "Graphics Card" - internal: /dev/dri - external: /dev/dri - ports: - - name: "http" - internal: 8096 - external: 8096 - environment: - - name: hass - vm: - - docker-host01 - container_name: homeassistant - image: "ghcr.io/home-assistant/home-assistant:stable" - restart: unless-stopped - privileged: true - volumes: - - name: "Configuration" - internal: /config/ - external: /opt/local/home-assistant/config/ - - name: "Local Time" - internal: /etc/localtime:ro - external: /etc/localtime - ports: - - name: "http" - internal: 8123 - external: 8123 - - name: "" - internal: 4357 - external: 4357 - - name: "" - internal: 5683 - external: 5683 - - name: "" - internal: 5683 - external: 5683 - - name: ddns - vm: - - docker-host00 - container_name: ddns-updater - image: qmcgaw/ddns-updater:2 - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /updater/data/" - external: /opt/docker/config/ddns-updater/data/ - ports: - - name: "http" - internal: 8000 - external: 8001 - - name: sonarr - vm: - - docker-host00 - container_name: sonarr - image: linuxserver/sonarr:4.0.14 - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /config - external: /opt/local/sonarr/config - - name: "Tv Series" - internal: /tv - external: /media/series - - name: "Torrent Downloads" - internal: /downloads - external: /media/docker/data/arr_downloads/sonarr - ports: - - name: 
"http" - internal: 8989 - external: 8989 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - name: radarr - vm: - - docker-host00 - container_name: radarr - image: linuxserver/radarr:5.21.1 - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /config - external: /opt/local/radarr/config - - name: "Movies" - internal: /movies - external: /media/movies - - name: "Torrent Downloads" - internal: /downloads - external: /media/docker/data/arr_downloads/radarr - ports: - - name: "http" - internal: 7878 - external: 7878 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - name: lidarr - vm: - - docker-host00 - container_name: lidarr - image: linuxserver/lidarr:2.10.3 - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /config - external: /opt/local/lidarr/config - - name: "Music" - internal: /music - external: /media/songs - - name: "Torrent Downloads" - internal: /downloads - external: /media/docker/data/arr_downloads/lidarr - ports: - - name: "http" - internal: 8686 - external: 8686 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - name: prowlarr - vm: - - docker-host00 - container_name: prowlarr - image: linuxserver/prowlarr:1.32.2 - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /config - external: /opt/local/prowlarr/config - ports: - - name: "http" - internal: 9696 - external: 9696 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - name: paperless - vm: - - docker-host00 - container_name: paperless - image: ghcr.io/paperless-ngx/paperless-ngx:2.14 - restart: unless-stopped - depends_on: - - paperless-postgres - - paperless-broker - volumes: - - name: "Configuration" - internal: /usr/src/paperless/data - external: /opt/local/paperless/data/data - - name: "Media" - internal: /usr/src/paperless/media - external: /opt/local/paperless/data/media - - name: "Document Export" - internal: /usr/src/paperless/export - external: 
/opt/local/paperless/data/export - - name: "Document Consume" - internal: /usr/src/paperless/consume - external: /opt/local/paperless/data/consume - environment: - - "PAPERLESS_REDIS=redis://paperless-broker:6379" - - "PAPERLESS_DBHOST=paperless-postgres" - - "PAPERLESS_DBUSER=paperless" - - "PAPERLESS_DBPASS={{ vault.docker.paperless.dbpass }}" - - "USERMAP_UID=1000" - - "USERMAP_GID=1000" - - "PAPERLESS_URL=https://paperless.{{ domain }}" - - "PAPERLESS_TIME_ZONE=Europe/Berlin" - - "PAPERLESS_OCR_LANGUAGE=deu" - ports: - - name: "http" - internal: 8000 - external: 8000 - - name: pdf - vm: - - docker-host00 - container_name: stirling - image: frooodle/s-pdf:0.45.0 - restart: unless-stopped - ports: - - name: "http" - internal: 8080 - external: 8080 - - name: git - vm: - - docker-host01 - container_name: gitea - image: gitea/gitea:1.23-rootless - restart: unless-stopped - volumes: - - name: "Configuration" - internal: /etc/gitea - external: /opt/local/gitea/config - - name: "Data" - internal: /var/lib/gitea - external: /opt/local/gitea/data - - name: "Time Zone" - internal: /etc/timezone:ro - external: /etc/timezone - - name: "Local Time" - internal: /etc/localtime:ro - external: /etc/localtime - ports: - - name: "http" - internal: 3000 - external: 3000 - - name: "ssh" - internal: 2222 - external: 2222 - environment: - - USER_UID=1000 - - USER_GID=1000 - - name: changedetection - vm: - - docker-host00 - container_name: changedetection - image: dgtlmoon/changedetection.io:0.49 - restart: unless-stopped - volumes: - - name: "Data" - internal: /datastore - external: /opt/docker/config/changedetection/data/ - ports: - - name: "http" - internal: 5000 - external: 5000 - - name: gluetun - vm: - - docker-host00 - container_name: gluetun - image: qmcgaw/gluetun:v3.40 - restart: unless-stopped - cap_add: - - NET_ADMIN - devices: - - name: "Tunnel" - internal: /dev/net/tun - external: /dev/net/tun - volumes: - - name: "Configuration" - internal: /gluetun - external: 
/opt/docker/config/gluetun/config - ports: - - name: "Qbit Client" - internal: 8082 - external: 8082 - - name: "Torrentleech Client" - internal: 8083 - external: 8083 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - VPN_SERVICE_PROVIDER=protonvpn - - UPDATER_VPN_SERVICE_PROVIDERS=protonvpn - - UPDATER_PERIOD=24h - - "SERVER_COUNTRIES={{ vault.docker.proton.country }}" - - "OPENVPN_USER={{ vault.docker.proton.openvpn_user }}" - - "OPENVPN_PASSWORD={{ vault.docker.proton.openvpn_password }}" - - name: torrentleech - vm: - - docker-host00 - container_name: torrentleech - image: qbittorrentofficial/qbittorrent-nox - restart: unless-stopped - depends_on: - - gluetun - network_mode: "container:gluetun" - volumes: - - name: "Configuration" - internal: /config - external: /opt/docker/config/torrentleech/config - - name: "Downloads" - internal: /downloads - external: /media/docker/data/arr_downloads - ports: - - name: "http" - internal: proxy_only - external: 8083 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - QBT_EULA="accept" - - QBT_WEBUI_PORT="8083" - - name: qbit - vm: - - docker-host00 - container_name: qbit - image: qbittorrentofficial/qbittorrent-nox:5.0.4-1 - restart: unless-stopped - depends_on: - - gluetun - network_mode: "container:gluetun" - volumes: - - name: "Configuration" - internal: /config - external: /opt/docker/config/qbit/config - - name: "Downloads" - internal: /downloads - external: /media/docker/data/arr_downloads - ports: - - name: "http" - internal: proxy_only - external: 8082 - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - QBT_EULA="accept" - - QBT_WEBUI_PORT="8082" - - name: cadvisor - vm: - - docker-host00 - - docker-host01 - container_name: cadvisor - image: gcr.io/cadvisor/cadvisor:v0.52.1 - restart: unless-stopped - ports: - - name: "" - internal: 8080 - external: 8081 - volumes: - - name: "Root" - internal: /rootfs:ro - external: / - - name: "Run" - internal: /var/run:rw - 
external: /var/run - - name: "System" - internal: /sys:ro - external: /sys - - name: "Docker" - internal: /var/lib/docker:ro - external: /var/lib/docker - - name: karakeep - vm: - - docker-host01 - container_name: karakeep - image: ghcr.io/karakeep-app/karakeep:0.23.2 - restart: unless-stopped - ports: - - name: "http" - internal: 3000 - external: 3000 - volumes: - - name: "Data" - internal: /data - external: /opt/local/karakeep/config - environment: - - MEILI_ADDR: http://karakeep-meilisearch:7700 - - BROWSER_WEB_URL: http://karakeep-chrome:9222 - - NEXTAUTH_SECRET: "{{ vault.docker.karakeep.nextauth_secret }}" - - MEILI_MASTER_KEY: "{{ vault.docker.karakeep.meili_master_key }}" - - NEXTAUTH_URL: http://localhost:3000 -# - name: anubis -# vm: -# - docker-host00 -# - docker-host01 -# container_name: anubis -# image: ghcr.io/techarohq/anubis:v1.15.2 -# restart: unless-stopped -# ports: -# - name: "" -# internal: 8080 -# external: 8080 -# volumes: -# - name: "" -# internal: "/data/cfg/botPolicy.json:ro" -# external: "./botPolicy.json" -# environment: -# - BIND=":8080" -# - DIFFICULTY="5" -# - METRICS_BIND=":9090" -# - SERVE_ROBOTS_TXT="true" -# - TARGET="http://{{ hostvars[docker-lb].host.ip }}" -# - POLICY_FNAME="/data/cfg/botPolicy.json" -# - name: template -# vm: -# - -# container_name: -# image: -# restart: -# volumes: -# - name: -# internal: -# external: -# ports: -# - name: -# internal: -# external: -# environment: -# - -# - name: calibre -# vm: -# - docker-host00 -# container_name: calibre -# image: lscr.io/linuxserver/calibre-web:latest -# restart: unless-stopped -# volumes: -# - name: "Configuration" -# internal: /config" -# external: /opt/local/calibre/ -# - name: "Books" -# internal: /books" -# external: /media/docker/data/calibre/ -# ports: -# - name: "http" -# internal: 5000 -# external: 5000 -# environment: -# - PUID=1000 -# - PGID=1000 -# - TZ=Europe/Berlin -# - DOCKER_MODS=linuxserver/mods:universal-calibre -# - name: grafana -# vm: -# container_name: 
grafana -# image: grafana/grafana-oss -# restart: unless-stopped -# volumes: -# - name: "Configuration" -# internal: /etc/grafana/ -# external: /opt/docker/config/grafana/config/ -# - name: "Data" -# internal: /var/lib/grafana/ -# external: /media/docker/data/grafana/ -# ports: -# environment: -# - PUID=472 -# - PGID=472 -# - TZ=Europe/Berlin -# - name: prometheus -# vm: -# - docker-host00 -# container_name: prometheus -# image: prom/prometheus -# restart: unless-stopped -# volumes: -# - name: "Configuration" -# internal: /etc/prometheus/ -# external: /opt/docker/config/prometheus/ -# - name: "Data" -# internal: /prometheus/ -# external: prometheus_data -# ports: -# - name: "http" -# internal: 5000 -# external: 5000 -# environment: -# - PUID=65534 -# - PGID=65534 -# - TZ=Europe/Berlin diff --git a/roles/docker_host/handlers/main.yml b/roles/docker_host/handlers/main.yml index d60311a..44cc369 100644 --- a/roles/docker_host/handlers/main.yml +++ b/roles/docker_host/handlers/main.yml @@ -11,5 +11,3 @@ state: present retries: 3 delay: 5 - register: result - until: result.rc == 0 diff --git a/roles/docker_host/tasks/directory_setup.yml b/roles/docker_host/tasks/directory_setup.yml index 776f2f8..d4d3a6e 100644 --- a/roles/docker_host/tasks/directory_setup.yml +++ b/roles/docker_host/tasks/directory_setup.yml @@ -9,9 +9,9 @@ - /media/series - /media/movies - /media/songs - - "{{ docker.directories.opt }}" + - "{{ docker.directories.local }}" + - "{{ docker.directories.config }}" - "{{ docker.directories.compose }}" - - /opt/local become: true - name: Set ownership to {{ user }} @@ -20,8 +20,9 @@ owner: "{{ user }}" group: "{{ user }}" loop: - - "{{ docker.directories.opt }}" - - /opt/local + - "{{ docker.directories.local }}" + - "{{ docker.directories.config }}" + - "{{ docker.directories.compose }}" - /media become: true diff --git a/roles/docker_host/tasks/main.yml b/roles/docker_host/tasks/main.yml index 39f520b..2bc2612 100644 --- a/roles/docker_host/tasks/main.yml 
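Review bot: Dropping `register: result` and `until: result.rc == 0` leaves `retries: 3` / `delay: 5` without any `until` condition; depending on the ansible-core version, `retries` without `until` is either forced to a single attempt (the behaviour the docs long stated) or retried on failure alone, and either way the explicit `rc` check that this handler used to enforce is gone. If retrying is still wanted, keep the registration and use a condition the module actually reports, e.g. `register: result` / `until: result is succeeded`. The handler's head and the module that takes `state: present` are outside the hunk, so I cannot tell here whether `rc` was ever a field that module returned.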
+++ b/roles/docker_host/tasks/main.yml @@ -11,6 +11,9 @@ - name: Setup directory structure for docker ansible.builtin.include_tasks: directory_setup.yml +- name: Deploy configs + ansible.builtin.include_tasks: provision.yml + - name: Deploy docker compose ansible.builtin.include_tasks: deploy_compose.yml diff --git a/roles/docker_host/tasks/provision.yml b/roles/docker_host/tasks/provision.yml new file mode 100644 index 0000000..28e94ea --- /dev/null +++ b/roles/docker_host/tasks/provision.yml @@ -0,0 +1,31 @@ +--- +- name: Set fact if this host should run Keycloak + ansible.builtin.set_fact: + is_keycloak_host: "{{ inventory_hostname in (services | selectattr('name', 'equalto', 'keycloak') | map(attribute='vm') | first) }}" + +- name: Run Keycloak tasks + ansible.builtin.file: + path: "{{ docker.directories.local }}/keycloak/" + owner: "{{ user }}" + group: "{{ user }}" + state: directory + mode: "0755" + when: is_keycloak_host | bool + become: true + +- name: Run Keycloak tasks + ansible.builtin.template: + src: "templates/keycloak/realm.json.j2" + dest: "{{ docker.directories.local }}/keycloak/{{ keycloak.realm }}-realm.json" + owner: "{{ user }}" + group: "{{ user }}" + mode: "644" + backup: true + when: is_keycloak_host | bool + loop: "{{ keycloak_config.realms }}" + loop_control: + loop_var: keycloak + notify: + - Restart docker + - Restart compose + become: true diff --git a/roles/docker_host/templates/compose.yaml.j2 b/roles/docker_host/templates/compose.yaml.j2 index 31036f9..e177237 100644 --- a/roles/docker_host/templates/compose.yaml.j2 +++ b/roles/docker_host/templates/compose.yaml.j2 
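Review bot: The rendered realm file carries the realm admin and user passwords from `keycloak_config` (vault values, but the template writes them out as plain JSON), yet the template task writes it with `mode: "644"` and `backup: true`, so the file is world-readable on the host and every superseded copy is preserved as a backup beside it; use `mode: "0600"` (or `"0640"` if the container runs under a different uid in the `{{ user }}` group) and drop `backup: true` unless something besides the keycloak container needs to read it. This is inferred from the variables, since `realm.json.j2` is cut off at the end of the page. Both tasks are named `Run Keycloak tasks`, which makes play output and `--start-at-task` ambiguous; name the first `Create Keycloak import directory` and the second `Render Keycloak realm import file`. The loop renders one file per realm, including `master-realm.json`, while the keycloak service in `group_vars/docker/docker.yml` mounts only `homelab-realm.json` into the import directory; presumably intended, but a short comment on the loop saying which realms are actually imported would save the next reader the cross-check.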
@@ -56,10 +56,16 @@ services: - {{ device.external }}:{{ device.internal }} {% endfor %} {% endif %} +{% if service.command is defined and service.command is iterable %} + command: +{% for command in service.command %} + - {{ command }} +{% endfor %} +{% endif %} {% if service.name == 'paperless' %} {{ service.name }}-broker: - container_name: paperless-broker + container_name: {{ service.name }}-broker image: docker.io/library/redis:7 restart: unless-stopped networks: @@ -68,7 +74,7 @@ services: - /opt/local/paperless/redis/data:/data {{ service.name }}-postgres: - container_name: paperless-postgres + container_name: {{ service.name }}-postgres image: docker.io/library/postgres:15 restart: unless-stopped networks: @@ -84,7 +90,10 @@ services: {{ service.name }}-chrome: image: gcr.io/zenika-hub/alpine-chrome:123 + container_name: {{ service.name }}-chrome restart: unless-stopped + networks: + - net command: - --no-sandbox - --disable-gpu @@ -95,14 +104,17 @@ services: {{ service.name }}-meilisearch: image: getmeili/meilisearch:v1.11.1 + container_name: {{ service.name }}-meilisearch restart: unless-stopped + networks: + - net environment: - MEILI_NO_ANALYTICS: "true" - NEXTAUTH_SECRET={{ vault.docker.karakeep.nextauth_secret }} - MEILI_MASTER_KEY={{ vault.docker.karakeep.meili_master_key }} - NEXTAUTH_URL=http://localhost:3000 + - MEILI_NO_ANALYTICS=true + - NEXTAUTH_SECRET={{ vault.docker.karakeep.nextauth_secret }} + - MEILI_MASTER_KEY={{ vault.docker.karakeep.meili_master_key }} + - OPENAI_API_KEY="{{ vault.docker.karakeep.openai_key }}" volumes: - - meilisearch:/meili_data + - /opt/local/karakeep/meili/data:/meili_data {% endif %} {% endif %} diff --git a/roles/docker_host/templates/keycloak/realm.json.j2 b/roles/docker_host/templates/keycloak/realm.json.j2 new file mode 100644 index 0000000..e77073d --- /dev/null +++ b/roles/docker_host/templates/keycloak/realm.json.j2 
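Review bot: In the meilisearch hunk, `- OPENAI_API_KEY="{{ vault.docker.karakeep.openai_key }}"` is an unquoted YAML scalar, so the double quotes become part of the value compose hands to the container (list-form `KEY=VALUE` entries are not shell-parsed) and the key will not match; write `- OPENAI_API_KEY={{ vault.docker.karakeep.openai_key }}` or quote the whole item. Beyond the quoting, `NEXTAUTH_SECRET` (carried over) and `OPENAI_API_KEY` (new) are secrets of the karakeep application, and nothing in this template shows meilisearch consuming them; every extra container that holds them is one more place they are readable via `docker inspect` on the host, so the meilisearch environment should be limited to `MEILI_NO_ANALYTICS` and `MEILI_MASTER_KEY`. The new bind mount `/opt/local/karakeep/meili/data:/meili_data` hard-codes the directory this commit otherwise expresses as `{{ docker.directories.local }}`; `{{ docker.directories.local }}/karakeep/meili/data:/meili_data` keeps it consistent with `group_vars/docker/docker.yml`. In the first hunk, the new `command:` loop emits `- {{ command }}` bare; `- "{{ command }}"` avoids a YAML parse surprise when an argument contains `: ` or starts with an indicator character.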
@@ -0,0 +1,77 @@ +{ + "realm": "{{ keycloak.realm }}", + "enabled": true, + "displayName": "{{ keycloak.display_name }}", + "displayNameHtml": "