Merge

Signed-off-by: TuDatTr <tuan-dat.tran@tudattr.dev>

roles/backblaze/tasks/backup.yml

@@ -5,9 +5,15 @@
     state: stopped
   become: true
 
+  # - name: Backing up for "{{ inventory_hostname }}"
+  #   shell:
+  #     cmd: "rclone sync {{ item }} secret:{{ item }} --transfers 16"
+  #   loop: "{{ host.backblaze.paths }}"
+  #   become: true
+
 - name: Backing up for "{{ inventory_hostname }}"
   shell:
-    cmd: "rclone sync {{ item }} secret:{{ item }} --transfers 16"
+    cmd: "rclone sync {{ item }} secret:{{ item }} -L"
   loop: "{{ host.backblaze.paths }}"
   become: true
 

roles/docker/tasks/aya01_compose.yml

@@ -86,3 +86,12 @@
 - include_tasks: jellyfin.yml
   tags:
     - jellyfin
+
+- include_tasks: gitea.yml
+  tags:
+    - gitea
+
+- include_tasks: gitea-runner.yml
+  tags:
+    - gitea-runner
+

roles/docker/tasks/ddns.yml

@@ -10,7 +10,7 @@
 - name: Copy ddns-config
   template:
     owner: 1000
-    src: "templates/pi/ddns-updater/data/config.json"
+    src: "templates/{{host.hostname}}/ddns-updater/data/config.json"
     dest: "{{ docker_dir }}/ddns-updater/data/config.json"
     mode: '400'
 

roles/docker/tasks/gitea-runner.yml

@@ -0,0 +1,11 @@
+---
+- name: Create gitea-runner directories
+  file:
+    path: "{{ item }}"
+    owner: "{{ puid }}"
+    group: "{{ pgid }}"
+    mode: '755'
+    state: directory
+  become: yes
+  loop:
+    - "{{ gitea.runner.volumes.data }}"

roles/docker/tasks/gitea.yml

@@ -0,0 +1,12 @@
+---
+- name: Create gitea directories
+  file:
+    path: "{{ item }}"
+    owner: "{{ puid }}"
+    group: "{{ pgid }}"
+    mode: '755'
+    state: directory
+  become: yes
+  loop:
+    - "{{ gitea.volumes.data }}"
+    - "{{ gitea.volumes.config }}"

roles/docker/tasks/gitlab-runner.yml

@@ -0,0 +1,11 @@
+---
+- name: Create gitlab-runner directories
+  file:
+    path: "{{ item }}"
+    owner: "{{ puid }}"
+    group: "{{ pgid }}"
+    mode: '755'
+    state: directory
+  become: yes
+  loop:
+    - "{{ gitlab.runner.volumes.config }}"

roles/docker/tasks/naruto_compose.yml

@@ -0,0 +1,13 @@
+---
+
+- include_tasks: nginx-proxy-manager.yml
+  tags:
+    - nginx
+
+- include_tasks: pihole.yml
+  tags:
+    - pihole
+
+- include_tasks: gitea-runner.yml
+  tags:
+    - gitea-runner

roles/docker/tasks/pi_compose.yml

@@ -7,3 +7,8 @@
 - include_tasks: pihole.yml
   tags:
     - pihole
+
+- include_tasks: gitea-runner.yml
+  tags:
+    - gitea-runner
+

roles/docker/templates/aya01/compose.yaml

@@ -93,6 +93,8 @@ services:
       - PUID={{puid}}
       - PGID={{pgid}}
       - TZ={{timezone}}
+    ports:
+      - "{{kuma_port}}:3001"
     volumes:
       - "{{ kuma_config }}:/app/data"
 
@@ -221,6 +223,8 @@ services:
       - PUID={{ puid }}
       - PGID={{ pgid}}
       - TZ={{ timezone }}
+    ports:
+      - "{{ tautulli_port }}:8181"
     volumes:
       - {{ tautulli_config}}:/config
 
@@ -412,8 +416,6 @@ services:
       - broker
     networks:
       - net
-    ports:
-      - "{{ paperless.port }}:{{ paperless.port }}"
     healthcheck:
       test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:{{ paperless.port }}"]
       interval: 30s
@@ -435,6 +437,51 @@ services:
       - "PAPERLESS_TIME_ZONE={{ timezone }}"
       - "PAPERLESS_OCR_LANGUAGE=deu"
 
+  {{ homarr.host }}:
+    container_name: {{ homarr.host }}
+    image: ghcr.io/ajnart/homarr:latest
+    restart: unless-stopped
+    depends_on:
+      - pihole
+    networks:
+      - net
+    volumes:
+      - {{ homarr.volumes.configs }}:/app/data/configs
+      - {{ homarr.volumes.icons }}:/app/public/icons
+
+
+  {{ gitea.host }}:
+    container_name: {{ gitea.host }}
+    image: gitea/gitea:1.20.5-rootless
+    restart: unless-stopped
+    depends_on:
+      - pihole
+    networks:
+      - net
+    volumes:
+      - {{ gitea.volumes.data }}:/var/lib/gitea
+      - {{ gitea.volumes.config }}:/etc/gitea
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "{{ gitea.ports.http }}:3000"
+      - "{{ gitea.ports.ssh }}:2222"
+
+
+  {{ gitea.runner.host }}:
+    container_name: {{ gitea.runner.host }}
+    image: gitea/act_runner:nightly
+    restart: unless-stopped
+    depends_on:
+      - {{ gitea.host }}
+    networks:
+      - net
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - "GITEA_INSTANCE_URL={{ gitea.url }}"
+      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
+
 networks:
   zoneminder:
     driver: bridge

roles/docker/templates/naruto/compose.yaml

@@ -0,0 +1,40 @@
+version: '3'
+services:
+  nginx:
+    container_name: "{{nginx.host}}"
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: unless-stopped
+    networks:
+      net: {}
+    ports:
+      - '{{nginx.endpoints.http}}:80'
+      - '{{nginx.endpoints.https}}:443'
+      - '{{nginx.endpoints.admin}}:81'
+    volumes:
+      - "{{nginx.paths.data}}:/data"
+      - "{{nginx.paths.letsencrypt}}:/etc/letsencrypt"
+      - '/var/run/docker.sock:/var/run/docker.sock'
+
+  {{ gitea.runner.host }}:
+    container_name: {{ gitea.runner.host }}
+    image: gitea/act_runner:nightly
+    restart: unless-stopped
+    depends_on:
+      - nginx
+    networks:
+      - net
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - {{ gitea.runner.volumes.data }}:/data
+    environment:
+      - "GITEA_INSTANCE_URL={{ gitea.url }}"
+      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
+
+networks:
+  net:
+    driver: bridge
+    ipam:
+#      driver: default
+      config:
+        - subnet: 172.16.69.0/24
+          gateway: 172.16.69.1

roles/docker/templates/pi/compose.yaml

@@ -43,6 +43,21 @@ services:
     cap_add:
       - NET_ADMIN
 
+  {{ gitea.runner.host }}:
+    container_name: {{ gitea.runner.host }}
+    image: gitea/act_runner:nightly
+    restart: unless-stopped
+    depends_on:
+      - nginx
+    networks:
+      - net
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - {{ gitea.runner.volumes.data }}:/data
+    environment:
+      - "GITEA_INSTANCE_URL={{ gitea.url }}"
+      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
+
 networks:
   net:
     driver: bridge

roles/docker/templates/pi/ddns-updater/data/config.json

@@ -1,11 +0,0 @@
-{
-    "settings": [
-        {
-            "provider": "namecheap",
-            "domain": "{{ local_domain }}",
-            "host": "{{ local_subdomains }}",
-            "password": "{{ vault_ddns_borgland_password }}",
-            "provider_ip": true
-        }
-    ]
-}

roles/samba/tasks/install.yaml

@@ -20,10 +20,13 @@
 
 - name: Change permission on share
   file:
-    path: "{{ samba.media_dir }}"
+    path: "{{ item }}"
     group: "{{ samba.group }}"
     mode: "2770"
   become: true
+  loop:
+    - "{{ samba.shares.media.path }}"
+    - "{{ samba.shares.paperless.path }}"
 
 - name: Add user "{{ samba.user }}"
   user:

roles/samba/templates/smb.conf

@@ -1,222 +1,14 @@
-#======================= Global Settings =======================
+[{{ samba.shares.media.name }}]
+    comment = {{ samba.shares.media.name }}
+    path = "{{ samba.shares.media.path }}"
+    writable = no
+    guest ok = no
+    valid users = "@{{samba.group}}"
 
-[global]
-
-## Browsing/Identification ###
-
-# Change this to the workgroup/NT-domain name your Samba server will part of
-   workgroup = TUDATTR
-
-#### Networking ####
-
-# The specific set of interfaces / networks to bind to
-# This can be either the interface name or an IP address/netmask;
-# interface names are normally preferred
-;   interfaces = 127.0.0.0/8 eth0
-
-# Only bind to the named interfaces and/or networks; you must use the
-# 'interfaces' option above to use this.
-# It is recommended that you enable this feature if your Samba machine is
-# not protected by a firewall or is a firewall itself.  However, this
-# option cannot handle dynamic or non-broadcast interfaces correctly.
-;   bind interfaces only = yes
-
-#### Debugging/Accounting ####
-
-# This tells Samba to use a separate log file for each machine
-# that connects
-   log file = /var/log/samba-%m.log
-
-# Cap the size of the individual log files (in KiB).
-   max log size = 1000
-
-# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
-# Append syslog@1 if you want important messages to be sent to syslog too.
-   logging = file
-
-# Do something sensible when Samba crashes: mail the admin a backtrace
-   panic action = /usr/share/samba/panic-action %d
-
-
-####### Authentication #######
-
-# Server role. Defines in which mode Samba will operate. Possible
-# values are "standalone server", "member server", "classic primary
-# domain controller", "classic backup domain controller", "active
-# directory domain controller". 
-#
-# Most people will want "standalone server" or "member server".
-# Running as "active directory domain controller" will require first
-# running "samba-tool domain provision" to wipe databases and create a
-# new domain.
-   server role = standalone server
-
-   obey pam restrictions = yes
-
-# This boolean parameter controls whether Samba attempts to sync the Unix
-# password with the SMB password when the encrypted SMB password in the
-# passdb is changed.
-   unix password sync = yes
-
-# For Unix password sync to work on a Debian GNU/Linux system, the following
-# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
-# sending the correct chat script for the passwd program in Debian Sarge).
-   passwd program = /usr/bin/passwd %u
-   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
-
-# This boolean controls whether PAM will be used for password changes
-# when requested by an SMB client instead of the program listed in
-# 'passwd program'. The default is 'no'.
-   pam password change = yes
-
-# This option controls how unsuccessful authentication attempts are mapped
-# to anonymous connections
-   map to guest = bad user
-
-########## Domains ###########
-
-#
-# The following settings only takes effect if 'server role = classic
-# primary domain controller', 'server role = classic backup domain controller'
-# or 'domain logons' is set 
-#
-
-# It specifies the location of the user's
-# profile directory from the client point of view) The following
-# required a [profiles] share to be setup on the samba server (see
-# below)
-;   logon path = \\%N\profiles\%U
-# Another common choice is storing the profile in the user's home directory
-# (this is Samba's default)
-#   logon path = \\%N\%U\profile
-
-# The following setting only takes effect if 'domain logons' is set
-# It specifies the location of a user's home directory (from the client
-# point of view)
-;   logon drive = H:
-#   logon home = \\%N\%U
-
-# The following setting only takes effect if 'domain logons' is set
-# It specifies the script to run during logon. The script must be stored
-# in the [netlogon] share
-# NOTE: Must be store in 'DOS' file format convention
-;   logon script = logon.cmd
-
-# This allows Unix users to be created on the domain controller via the SAMR
-# RPC pipe.  The example command creates a user account with a disabled Unix
-# password; please adapt to your needs
-; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
-
-# This allows machine accounts to be created on the domain controller via the 
-# SAMR RPC pipe.  
-# The following assumes a "machines" group exists on the system
-; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
-
-# This allows Unix groups to be created on the domain controller via the SAMR
-# RPC pipe.  
-; add group script = /usr/sbin/addgroup --force-badname %g
-
-############ Misc ############
-
-# Using the following line enables you to customise your configuration
-# on a per machine basis. The %m gets replaced with the netbios name
-# of the machine that is connecting
-;   include = /home/samba/etc/smb.conf.%m
-
-# Some defaults for winbind (make sure you're not using the ranges
-# for something else.)
-;   idmap config * :              backend = tdb
-;   idmap config * :              range   = 3000-7999
-;   idmap config YOURDOMAINHERE : backend = tdb
-;   idmap config YOURDOMAINHERE : range   = 100000-999999
-;   template shell = /bin/bash
-
-# Setup usershare options to enable non-root users to share folders
-# with the net usershare command.
-
-# Maximum number of usershare. 0 means that usershare is disabled.
-#   usershare max shares = 100
-
-# Allow users who've been granted usershare privileges to create
-# public shares, not just authenticated ones
-   usershare allow guests = yes
-
-#======================= Share Definitions =======================
-
-[homes]
-   comment = Home Directories
-   browseable = no
-
-# By default, the home directories are exported read-only. Change the
-# next parameter to 'no' if you want to be able to write to them.
-   read only = yes
-
-# File creation mask is set to 0700 for security reasons. If you want to
-# create files with group=rw permissions, set next parameter to 0775.
-   create mask = 0700
-
-# Directory creation mask is set to 0700 for security reasons. If you want to
-# create dirs. with group=rw permissions, set next parameter to 0775.
-   directory mask = 0700
-
-# By default, \\server\username shares can be connected to by anyone
-# with access to the samba server.
-# The following parameter makes sure that only "username" can connect
-# to \\server\username
-# This might need tweaking when using external authentication schemes
-   valid users = %S
-
-# Un-comment the following and create the netlogon directory for Domain Logons
-# (you need to configure Samba to act as a domain controller too.)
-;[netlogon]
-;   comment = Network Logon Service
-;   path = /home/samba/netlogon
-;   guest ok = yes
-;   read only = yes
-
-# Un-comment the following and create the profiles directory to store
-# users profiles (see the "logon path" option above)
-# (you need to configure Samba to act as a domain controller too.)
-# The path below should be writable by all users so that their
-# profile directory may be created the first time they log on
-;[profiles]
-;   comment = Users profiles
-;   path = /home/samba/profiles
-;   guest ok = no
-;   browseable = no
-;   create mask = 0600
-;   directory mask = 0700
-
-;[printers]
-;   comment = All Printers
-;   browseable = no
-;   path = /var/spool/samba
-;   printable = yes
-;   guest ok = no
-;   read only = yes
-;   create mask = 0700
-
-# Windows clients look for this share name as a source of downloadable
-# printer drivers
-;[print$]
-;   comment = Printer Drivers
-;   path = /var/lib/samba/printers
-;   browseable = yes
-;   read only = yes
-;   guest ok = no
-# Uncomment to allow remote administration of Windows print drivers.
-# You may need to replace 'lpadmin' with the name of the group your
-# admin users are members of.
-# Please note that you also need to set appropriate Unix permissions
-# to the drivers directory for these users to have write rights in it
-;   write list = root, @lpadmin
-
-[media]
-    comment = Media
-    path = "{{ samba.media_dir }}"
+[{{ samba.shares.paperless.name }}]
+    comment = {{ samba.shares.paperless.name }}
+    path = "{{ samba.shares.paperless.path }}"
     writable = yes
     guest ok = no
     valid users = "@{{samba.group}}"
-    force create mode = 770
-    force directory mode = 770
-    inherit permissions = yes
+    create mask = 755