Merge

Signed-off-by: TuDatTr <tuan-dat.tran@tudattr.dev>
2023-11-06 10:10:24 +01:00 · 2023-11-06 10:10:24 +01:00 · 4cbcf57141
parent c6df5f904d 860b1a6be4
commit 4cbcf57141
21 changed files with 261 additions and 263 deletions
--- a/README.md
+++ b/README.md
@ -17,34 +17,36 @@ usermod -a -G sudo tudattr
 Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone.
 but first of all we need to create the buckets and provide ansible with the needed information.
-When creating your own rclone config the `password` and `password2` entries have to be passed though `rclone obscure` like this:
+First we need to create a api key for backblaze, consists of an id and a key.
 we use clone to sync to backblaze.
 we can encrypt the data with rclone before sending it to backblaze.
 to do this we need two buckets:
 - b2
 - crypt
 on each device that should be backupped.
-``` sh
+we create these by running `rclone config` and creating one [remote] b2 config and a [secret] crypt config. The crypt config should have two passwords that we store in our secrets file.
 echo "$PASSWORD" | rclone obscure -
 ```
 `
 ## Vault
 - Create vault with: `ansible-vault create secrets.yml`
 - Create entry in vault with: `ansible-vault edit secrets.yml`
- Add following entries: 
+- Add following entries: TODO
  - `vault_pi_tudattr_password: <YOURPASSWORD>` (password you've setup on the device)
  - `vault_aya01_tudattr_password: <YOURPASSWORD>` (password you've setup on the device)
  - `vault_pihole_password: <YOURPASSWORD>` (arbitrary password you want to log in with)
  - `vault_mysql_root_password: <YOURPASSWORD>` (arbitrary password, used internally)
  - `vault_mysql_user_password: <YOURPASSWORD>` (arbitrary password, used internally)
  - `vault_ddns_tudattrdev_password: <YOURPASSWORD>` (password needed for ddns, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/))
  - `vault_ddns_borgland_password: <YOURPASSWORD>` (password needed for ddns, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/))
 ## Docker
 To add new docker containers to the docker role you need to add the following and replace `service` with the name of your service:
 - Add relevent vars to `group_vars/all/vars.yaml`:
 ```yaml
-service_port: "19999" # Exposed port
+service:
-service_config: "{{ docker_dir }}/service/" # config folder or your dir
+  host: "service"
-service_data: "{{ docker_data_dir }}/service/" # data folder or your dir (only works on aya01)
+  ports:
    http: "19999"
  volumes:
    config: "{{ docker_dir }}/service/" # config folder or your dir
    data: "{{ docker_data_dir }}/service/" # data folder or your dir (only works on aya01)
 ```
 - Create necessary directories for service in the docker role `roles/docker/tasks/service.yaml`
 ```yaml
 - name: Create service dirs
@ -52,11 +54,11 @@ service_data: "{{ docker_data_dir }}/service/" # data folder or your dir (only w
    path: "{{ item }}"
    owner: 1000
    group: 1000
-    mode: '777'
+    mode: '775'
    state: directory
  loop:
-    - "{{ service_config }}"
+    - "{{ service.volumes.config }}"
-    - "{{ service_data }}"
+    - "{{ service.volumes.data }}"
 # optional:
 # - name: Place service config
@ -90,8 +92,6 @@ service_data: "{{ docker_data_dir }}/service/" # data folder or your dir (only w
      - "{{service_lib}}:/var/lib/service"
      - "{{service_cache}}:/var/cache/service"
 ```
 ### Qbittorrent/Openvpn
 You'll need to add a openvpn config to =./roles/docker/templates/aya01/qbittorrentvpn/config/=
 ## Server
 - Install Debian (debian-11.5.0-amd64-netinst.iso) on remote system
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -240,7 +240,13 @@ samba:
  user: "smbuser"
  group: "smbshare"
  config: "templates/smb.conf"
-  media_dir: "/media"
+  shares:
    media:
      name: "media"
      path: "/media"
    paperless:
      name: "paperless"
      path: "{{ paperless.data.consume }}"
 #
@ -493,3 +499,32 @@ paperless:
  redis:
    host: "paperless-redis"
    data: "{{ docker_dir }}/paperless/redis/data"
 #
 # Homarr
 #
 homarr:
  host: "homarr"
  volumes:
    configs: "{{docker_dir}}/homarr/configs"
    icons: "{{docker_dir}}/homarr/icons"
 #
 # gitea
 #
 gitea:
  host: "git"
  url: "https://git.tudattr.dev"
  volumes:
    data: "{{ docker_data_dir }}/gitea/data"
    config: "{{ docker_dir }}/gitea/config"
  ports:
    http: "3000"
    ssh: "2222"
  runner:
    host: "gitea-runner-{{ host.hostname }}"
    token: "{{ host.gitea.runner.token }}"
    volumes:
      data: "{{ docker_data_dir }}/gitea/runner/data/"
--- a/host_vars/aya01.yml
+++ b/host_vars/aya01.yml
@ -47,3 +47,6 @@ host:
  paperless:
    db:
      password: "{{ vault.aya01.paperless.db.password }}"
  gitea:
    runner:
      token: "{{ vault.aya01.gitea.runner.token }}"
--- a/host_vars/mii.yml
+++ b/host_vars/mii.yml
@ -5,6 +5,7 @@ ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.mii.sudo }}'
 host:
  hostname: "mii"
  ip: "192.168.200.2"
  backblaze:
    account: "{{ vault.mii.backblaze.account }}"
--- a/host_vars/naruto.yml
+++ b/host_vars/naruto.yml
@ -5,15 +5,19 @@ ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.naruto.sudo }}'
 host:
  hostname: "naruto"
  ip: "{{ ansible_host }}"
  backblaze:
    account: "{{ vault.naruto.backblaze.account }}"
    key: "{{ vault.naruto.backblaze.key }}"
    remote: "remote:naruto-tudattr-dev"
-#    password: "{{}}"
+    password: "{{ vault.naruto.rclone.password }}"
-#    password2: "{{}}"
+    password2: "{{ vault.naruto.rclone.password2 }}"
-#    paths:
+    paths:
-#      - "{{}}"
+      - "{{ docker_compose_dir }}"
-#      - "{{}}"
+      - "{{ docker_dir }}"
  fstab:
  mergerfs:
  gitea:
    runner:
      token: "{{ vault.naruto.gitea.runner.token }}"
--- a/host_vars/pi.yml
+++ b/host_vars/pi.yml
@ -5,6 +5,7 @@ ansible_ssh_private_key_file: '{{ pk_path }}'
 ansible_become_pass: '{{ vault.pi.sudo }}'
 host:
  hostname: "pi"
  ip: "{{ ansible_host }}"
  backblaze:
    account: "{{ vault.pi.backblaze.account }}"
@ -17,3 +18,6 @@ host:
      - "{{ docker_dir }}"
  fstab:
  mergerfs:
  gitea:
    runner:
      token: "{{ vault.pi.gitea.runner.token }}"
--- a/4
+++ b/4
@ -3,9 +3,7 @@ aya01
 [raspberry]
 pi
 naruto
 [vps]
 mii
 [nas]
 naruto
--- a/roles/backblaze/tasks/backup.yml
+++ b/roles/backblaze/tasks/backup.yml
@ -5,9 +5,15 @@
    state: stopped
  become: true
  # - name: Backing up for "{{ inventory_hostname }}"
  #   shell:
  #     cmd: "rclone sync {{ item }} secret:{{ item }} --transfers 16"
  #   loop: "{{ host.backblaze.paths }}"
  #   become: true
 - name: Backing up for "{{ inventory_hostname }}"
  shell:
-    cmd: "rclone sync {{ item }} secret:{{ item }} --transfers 16"
+    cmd: "rclone sync {{ item }} secret:{{ item }} -L"
  loop: "{{ host.backblaze.paths }}"
  become: true
--- a/roles/docker/tasks/aya01_compose.yml
+++ b/roles/docker/tasks/aya01_compose.yml
@ -86,3 +86,12 @@
 - include_tasks: jellyfin.yml
  tags:
    - jellyfin
 - include_tasks: gitea.yml
  tags:
    - gitea
 - include_tasks: gitea-runner.yml
  tags:
    - gitea-runner
--- a/roles/docker/tasks/ddns.yml
+++ b/roles/docker/tasks/ddns.yml
@ -10,7 +10,7 @@
 - name: Copy ddns-config
  template:
    owner: 1000
-    src: "templates/pi/ddns-updater/data/config.json"
+    src: "templates/{{host.hostname}}/ddns-updater/data/config.json"
    dest: "{{ docker_dir }}/ddns-updater/data/config.json"
    mode: '400'
--- a/roles/docker/tasks/gitea-runner.yml
+++ b/roles/docker/tasks/gitea-runner.yml
@ -0,0 +1,11 @@
 ---
 - name: Create gitea-runner directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitea.runner.volumes.data }}"
--- a/roles/docker/tasks/gitea.yml
+++ b/roles/docker/tasks/gitea.yml
@ -0,0 +1,12 @@
 ---
 - name: Create gitea directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitea.volumes.data }}"
    - "{{ gitea.volumes.config }}"
--- a/roles/docker/tasks/gitlab-runner.yml
+++ b/roles/docker/tasks/gitlab-runner.yml
@ -0,0 +1,11 @@
 ---
 - name: Create gitlab-runner directories
  file:
    path: "{{ item }}"
    owner: "{{ puid }}"
    group: "{{ pgid }}"
    mode: '755'
    state: directory
  become: yes
  loop:
    - "{{ gitlab.runner.volumes.config }}"
--- a/roles/docker/tasks/naruto_compose.yml
+++ b/roles/docker/tasks/naruto_compose.yml
@ -0,0 +1,13 @@
 ---
 - include_tasks: nginx-proxy-manager.yml
  tags:
    - nginx
 - include_tasks: pihole.yml
  tags:
    - pihole
 - include_tasks: gitea-runner.yml
  tags:
    - gitea-runner
--- a/roles/docker/tasks/pi_compose.yml
+++ b/roles/docker/tasks/pi_compose.yml
@ -7,3 +7,8 @@
 - include_tasks: pihole.yml
  tags:
    - pihole
 - include_tasks: gitea-runner.yml
  tags:
    - gitea-runner
--- a/roles/docker/templates/aya01/compose.yaml
+++ b/roles/docker/templates/aya01/compose.yaml
@ -93,6 +93,8 @@ services:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
    ports:
      - "{{kuma_port}}:3001"
    volumes:
      - "{{ kuma_config }}:/app/data"
@ -221,6 +223,8 @@ services:
      - PUID={{ puid }}
      - PGID={{ pgid}}
      - TZ={{ timezone }}
    ports:
      - "{{ tautulli_port }}:8181"
    volumes:
      - {{ tautulli_config}}:/config
@ -412,8 +416,6 @@ services:
      - broker
    networks:
      - net
    ports:
      - "{{ paperless.port }}:{{ paperless.port }}"
    healthcheck:
      test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:{{ paperless.port }}"]
      interval: 30s
@ -435,6 +437,51 @@ services:
      - "PAPERLESS_TIME_ZONE={{ timezone }}"
      - "PAPERLESS_OCR_LANGUAGE=deu"
  {{ homarr.host }}:
    container_name: {{ homarr.host }}
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    volumes:
      - {{ homarr.volumes.configs }}:/app/data/configs
      - {{ homarr.volumes.icons }}:/app/public/icons
  {{ gitea.host }}:
    container_name: {{ gitea.host }}
    image: gitea/gitea:1.20.5-rootless
    restart: unless-stopped
    depends_on:
      - pihole
    networks:
      - net
    volumes:
      - {{ gitea.volumes.data }}:/var/lib/gitea
      - {{ gitea.volumes.config }}:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "{{ gitea.ports.http }}:3000"
      - "{{ gitea.ports.ssh }}:2222"
  {{ gitea.runner.host }}:
    container_name: {{ gitea.runner.host }}
    image: gitea/act_runner:nightly
    restart: unless-stopped
    depends_on:
      - {{ gitea.host }}
    networks:
      - net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - "GITEA_INSTANCE_URL={{ gitea.url }}"
      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
 networks:
  zoneminder:
    driver: bridge
--- a/roles/docker/templates/naruto/compose.yaml
+++ b/roles/docker/templates/naruto/compose.yaml
@ -0,0 +1,40 @@
 version: '3'
 services:
  nginx:
    container_name: "{{nginx.host}}"
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    networks:
      net: {}
    ports:
      - '{{nginx.endpoints.http}}:80'
      - '{{nginx.endpoints.https}}:443'
      - '{{nginx.endpoints.admin}}:81'
    volumes:
      - "{{nginx.paths.data}}:/data"
      - "{{nginx.paths.letsencrypt}}:/etc/letsencrypt"
      - '/var/run/docker.sock:/var/run/docker.sock'
  {{ gitea.runner.host }}:
    container_name: {{ gitea.runner.host }}
    image: gitea/act_runner:nightly
    restart: unless-stopped
    depends_on:
      - nginx
    networks:
      - net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - {{ gitea.runner.volumes.data }}:/data
    environment:
      - "GITEA_INSTANCE_URL={{ gitea.url }}"
      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
 networks:
  net:
    driver: bridge
    ipam:
 #      driver: default
      config:
        - subnet: 172.16.69.0/24
          gateway: 172.16.69.1
--- a/roles/docker/templates/pi/compose.yaml
+++ b/roles/docker/templates/pi/compose.yaml
@ -43,6 +43,21 @@ services:
    cap_add:
      - NET_ADMIN
  {{ gitea.runner.host }}:
    container_name: {{ gitea.runner.host }}
    image: gitea/act_runner:nightly
    restart: unless-stopped
    depends_on:
      - nginx
    networks:
      - net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - {{ gitea.runner.volumes.data }}:/data
    environment:
      - "GITEA_INSTANCE_URL={{ gitea.url }}"
      - "GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea.runner.token }}"
 networks:
  net:
    driver: bridge
--- a/roles/docker/templates/pi/ddns-updater/data/config.json
+++ b/roles/docker/templates/pi/ddns-updater/data/config.json
@ -1,11 +0,0 @@
 {
    "settings": [
        {
            "provider": "namecheap",
            "domain": "{{ local_domain }}",
            "host": "{{ local_subdomains }}",
            "password": "{{ vault_ddns_borgland_password }}",
            "provider_ip": true
        }
    ]
 }
--- a/roles/samba/tasks/install.yaml
+++ b/roles/samba/tasks/install.yaml
@ -20,10 +20,13 @@
 - name: Change permission on share
  file:
-    path: "{{ samba.media_dir }}"
+    path: "{{ item }}"
    group: "{{ samba.group }}"
    mode: "2770"
  become: true
  loop:
    - "{{ samba.shares.media.path }}"
    - "{{ samba.shares.paperless.path }}"
 - name: Add user "{{ samba.user }}"
  user:
--- a/roles/samba/templates/smb.conf
+++ b/roles/samba/templates/smb.conf
@ -1,222 +1,14 @@
-#======================= Global Settings =======================
+[{{ samba.shares.media.name }}]
    comment = {{ samba.shares.media.name }}
    path = "{{ samba.shares.media.path }}"
    writable = no
    guest ok = no
    valid users = "@{{samba.group}}"
-[global]
+[{{ samba.shares.paperless.name }}]
-
+    comment = {{ samba.shares.paperless.name }}
-## Browsing/Identification ###
+    path = "{{ samba.shares.paperless.path }}"
 # Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = TUDATTR
 #### Networking ####
 # The specific set of interfaces / networks to bind to
 # This can be either the interface name or an IP address/netmask;
 # interface names are normally preferred
 ;   interfaces = 127.0.0.0/8 eth0
 # Only bind to the named interfaces and/or networks; you must use the
 # 'interfaces' option above to use this.
 # It is recommended that you enable this feature if your Samba machine is
 # not protected by a firewall or is a firewall itself.  However, this
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes
 #### Debugging/Accounting ####
 # This tells Samba to use a separate log file for each machine
 # that connects
   log file = /var/log/samba-%m.log
 # Cap the size of the individual log files (in KiB).
   max log size = 1000
 # We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
 # Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file
 # Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d
 ####### Authentication #######
 # Server role. Defines in which mode Samba will operate. Possible
 # values are "standalone server", "member server", "classic primary
 # domain controller", "classic backup domain controller", "active
 # directory domain controller". 
 #
 # Most people will want "standalone server" or "member server".
 # Running as "active directory domain controller" will require first
 # running "samba-tool domain provision" to wipe databases and create a
 # new domain.
   server role = standalone server
   obey pam restrictions = yes
 # This boolean parameter controls whether Samba attempts to sync the Unix
 # password with the SMB password when the encrypted SMB password in the
 # passdb is changed.
   unix password sync = yes
 # For Unix password sync to work on a Debian GNU/Linux system, the following
 # parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
 # sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 # This boolean controls whether PAM will be used for password changes
 # when requested by an SMB client instead of the program listed in
 # 'passwd program'. The default is 'no'.
   pam password change = yes
 # This option controls how unsuccessful authentication attempts are mapped
 # to anonymous connections
   map to guest = bad user
 ########## Domains ###########
 #
 # The following settings only takes effect if 'server role = classic
 # primary domain controller', 'server role = classic backup domain controller'
 # or 'domain logons' is set 
 #
 # It specifies the location of the user's
 # profile directory from the client point of view) The following
 # required a [profiles] share to be setup on the samba server (see
 # below)
 ;   logon path = \\%N\profiles\%U
 # Another common choice is storing the profile in the user's home directory
 # (this is Samba's default)
 #   logon path = \\%N\%U\profile
 # The following setting only takes effect if 'domain logons' is set
 # It specifies the location of a user's home directory (from the client
 # point of view)
 ;   logon drive = H:
 #   logon home = \\%N\%U
 # The following setting only takes effect if 'domain logons' is set
 # It specifies the script to run during logon. The script must be stored
 # in the [netlogon] share
 # NOTE: Must be store in 'DOS' file format convention
 ;   logon script = logon.cmd
 # This allows Unix users to be created on the domain controller via the SAMR
 # RPC pipe.  The example command creates a user account with a disabled Unix
 # password; please adapt to your needs
 ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
 # This allows machine accounts to be created on the domain controller via the 
 # SAMR RPC pipe.  
 # The following assumes a "machines" group exists on the system
 ; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
 # This allows Unix groups to be created on the domain controller via the SAMR
 # RPC pipe.  
 ; add group script = /usr/sbin/addgroup --force-badname %g
 ############ Misc ############
 # Using the following line enables you to customise your configuration
 # on a per machine basis. The %m gets replaced with the netbios name
 # of the machine that is connecting
 ;   include = /home/samba/etc/smb.conf.%m
 # Some defaults for winbind (make sure you're not using the ranges
 # for something else.)
 ;   idmap config * :              backend = tdb
 ;   idmap config * :              range   = 3000-7999
 ;   idmap config YOURDOMAINHERE : backend = tdb
 ;   idmap config YOURDOMAINHERE : range   = 100000-999999
 ;   template shell = /bin/bash
 # Setup usershare options to enable non-root users to share folders
 # with the net usershare command.
 # Maximum number of usershare. 0 means that usershare is disabled.
 #   usershare max shares = 100
 # Allow users who've been granted usershare privileges to create
 # public shares, not just authenticated ones
   usershare allow guests = yes
 #======================= Share Definitions =======================
 [homes]
   comment = Home Directories
   browseable = no
 # By default, the home directories are exported read-only. Change the
 # next parameter to 'no' if you want to be able to write to them.
   read only = yes
 # File creation mask is set to 0700 for security reasons. If you want to
 # create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700
 # Directory creation mask is set to 0700 for security reasons. If you want to
 # create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700
 # By default, \\server\username shares can be connected to by anyone
 # with access to the samba server.
 # The following parameter makes sure that only "username" can connect
 # to \\server\username
 # This might need tweaking when using external authentication schemes
   valid users = %S
 # Un-comment the following and create the netlogon directory for Domain Logons
 # (you need to configure Samba to act as a domain controller too.)
 ;[netlogon]
 ;   comment = Network Logon Service
 ;   path = /home/samba/netlogon
 ;   guest ok = yes
 ;   read only = yes
 # Un-comment the following and create the profiles directory to store
 # users profiles (see the "logon path" option above)
 # (you need to configure Samba to act as a domain controller too.)
 # The path below should be writable by all users so that their
 # profile directory may be created the first time they log on
 ;[profiles]
 ;   comment = Users profiles
 ;   path = /home/samba/profiles
 ;   guest ok = no
 ;   browseable = no
 ;   create mask = 0600
 ;   directory mask = 0700
 ;[printers]
 ;   comment = All Printers
 ;   browseable = no
 ;   path = /var/spool/samba
 ;   printable = yes
 ;   guest ok = no
 ;   read only = yes
 ;   create mask = 0700
 # Windows clients look for this share name as a source of downloadable
 # printer drivers
 ;[print$]
 ;   comment = Printer Drivers
 ;   path = /var/lib/samba/printers
 ;   browseable = yes
 ;   read only = yes
 ;   guest ok = no
 # Uncomment to allow remote administration of Windows print drivers.
 # You may need to replace 'lpadmin' with the name of the group your
 # admin users are members of.
 # Please note that you also need to set appropriate Unix permissions
 # to the drivers directory for these users to have write rights in it
 ;   write list = root, @lpadmin
 [media]
    comment = Media
    path = "{{ samba.media_dir }}"
    writable = yes
    guest ok = no
    valid users = "@{{samba.group}}"
-    force create mode = 770
+    create mask = 755
    force directory mode = 770
    inherit permissions = yes