diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 0ca3ca8..537331b 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -70,12 +70,12 @@ aya01_ip: "192.168.20.12" zoneminder_host: "zm" zoneminder_port: "8081" -zoneminder_root: "{{ docker_dir }}/zm/" -zoneminder_config: "{{ zoneminder_root }}/config/" -zoneminder_log: "{{ zoneminder_root}}/log/" -zoneminder_db: "{{ zoneminder_root}}/db/" +zoneminder_root: "{{ docker_dir }}/zm" +zoneminder_config: "{{ zoneminder_root }}/config" +zoneminder_log: "{{ zoneminder_root}}/log" +zoneminder_db: "{{ zoneminder_root}}/db" -zoneminder_data: "{{ docker_data_dir }}/zm/data/" +zoneminder_data: "{{ docker_data_dir }}/zm/data" # # Syncthing @@ -210,7 +210,39 @@ netdata_lib: "{{ docker_data_dir }}/netdata/lib/" netdata_cache: "{{ docker_data_dir }}/netdata/cache" # +# swag # -# + swag_port: "443" swag_config: "{{ docker_dir }}/swag/config/" +swag_subdomains: "www,plex,status," +swag_email: "me+swag@tudattr.dev" +swag_site_confs: + - "templates/mii/swag/site-confs/plex.subdomain.conf" + - "templates/mii/swag/site-confs/uptime-kuma.subdomain.conf" +swag_remote_site_confs: "{{swag_config}}/nginx/site-confs/" + +# +# Plex +# + +plex_host: "plex" +plex_port: "32400" +plex_config: "{{docker_data_dir}}/plex/config" +plex_tv: "/media/series" +plex_movies: "/media/movies" + +# +# WireGuard +# + +wg_config: "templates/wg0.conf" +wg_remote_config: "/etc/wireguard/wg0.conf" +wg_service: "wg-quick@wg0.service" +wg_deps: "wireguard" + +wg_ip: "192.168.200.2" +wg_pubkey: "+LaPESyBF6Sb1lqkk4UcestFpXNaKYyyX99tkqwLQhU=" +wg_endpoint: "borg.land:51820" +wg_allowed_ips: "192.168.20.0/24,192.168.200.1/32" +wg_dns: "{{ aya01_ip }},{{ pi_ip }},1.1.1.1" diff --git a/host_vars/aya01.yml b/host_vars/aya01.yml index 886e230..c794f85 100644 --- a/host_vars/aya01.yml +++ b/host_vars/aya01.yml 
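Review bot: `wg_allowed_ips: "192.168.20.0/24,192.168.200.1/32"` routes the whole home LAN into the tunnel from mii, which is the internet-facing reverse proxy (ansible_host 202.61.207.139 in host_vars/mii.yml), so a compromise of that VPS gives layer-3 reach to every host in 192.168.20.0/24 rather than to the two machines it proxies for. Unless other traffic is intended, narrow it to the proxied hosts, e.g. `wg_allowed_ips: "{{ aya01_ip }}/32,{{ pi_ip }}/32,192.168.200.1/32"`, and mirror the restriction in the home peer's AllowedIPs for this key — that side is not in the diff, so the effective exposure cannot be confirmed here. A short comment would also help, since the names do not say it: `wg_pubkey` is the remote (home) peer's public key, while this host's private key comes from vault (`vault_wg_pk` in wg0.conf).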
@@ -1,6 +1,5 @@ ansible_user: "{{ user }}" ansible_host: 192.168.20.12 ansible_port: 22 -ansible_ssh_private_key_file: /mnt/veracrypt1/genesis +ansible_ssh_private_key_file: /media/veracrypt1/genesis ansible_become_pass: '{{ vault_aya01_tudattr_password }}' - diff --git a/host_vars/mii.yml b/host_vars/mii.yml index 3acaa46..e26a987 100644 --- a/host_vars/mii.yml +++ b/host_vars/mii.yml @@ -1,5 +1,5 @@ ansible_user: "{{ user }}" ansible_host: 202.61.207.139 ansible_port: 22 -ansible_ssh_private_key_file: /mnt/veracrypt1/genesis +ansible_ssh_private_key_file: /media/veracrypt1/genesis ansible_become_pass: '{{ vault_mii_tudattr_password }}' diff --git a/mii.yml b/mii.yml index 9624f28..c54bed7 100644 --- a/mii.yml +++ b/mii.yml @@ -9,3 +9,6 @@ - role: docker tags: - docker + - role: wireguard + tags: + - wireguard diff --git a/roles/docker/tasks/aya01_compose.yml b/roles/docker/tasks/aya01_compose.yml index ba28be4..1598530 100644 --- a/roles/docker/tasks/aya01_compose.yml +++ b/roles/docker/tasks/aya01_compose.yml @@ -12,22 +12,10 @@ tags: - syncthing -#- include_tasks: grafana.yml -# tags: -# - grafana - - include_tasks: softserve.yml tags: - softserve -#- include_tasks: prometheus.yml -# tags: -# - prometheus -# -#- include_tasks: netdata.yaml -# tags: -# - netdata -# - include_tasks: cupsd.yml tags: - cupsd @@ -40,6 +28,10 @@ tags: - traefik +- include_tasks: plex.yml + tags: + - plex + - name: Copy the compose file template: src: templates/aya01/compose.yaml diff --git a/roles/docker/tasks/cupsd.yml b/roles/docker/tasks/cupsd.yml index cdd9330..07dc746 100644 --- a/roles/docker/tasks/cupsd.yml +++ b/roles/docker/tasks/cupsd.yml @@ -10,7 +10,7 @@ - "{{ cupsd_config }}" become: true -- name: Copy default config +- name: Copy cupsd config template: owner: "{{ puid }}" src: "templates/aya01/cupsd/cupsd.conf" diff --git a/roles/docker/tasks/plex.yml b/roles/docker/tasks/plex.yml new file mode 100644 index 0000000..d12327d --- /dev/null 
+++ b/roles/docker/tasks/plex.yml @@ -0,0 +1,9 @@ +--- +- name: Create plex-config directory + file: + path: "{{plex_config}}" + owner: 1000 + group: 1000 + mode: '755' + state: directory + become: yes diff --git a/roles/docker/tasks/swag.yml b/roles/docker/tasks/swag.yml index e69de29..67e2671 100644 --- a/roles/docker/tasks/swag.yml +++ b/roles/docker/tasks/swag.yml @@ -0,0 +1,20 @@ +--- + +- name: Create swag-config directory + file: + path: "{{ item }}" + owner: "{{ puid }}" + group: "{{ pgid }}" + state: directory + loop: + - "{{ swag_config }}" + +- name: Copy site-confs + template: + owner: "{{ puid }}" + group: "{{ pgid }}" + src: "{{ item }}" + dest: "{{ swag_remote_site_confs }}" + mode: '644' + loop: "{{ swag_site_confs }}" + become: true diff --git a/roles/docker/tasks/traefik.yml b/roles/docker/tasks/traefik.yml index a582e65..222955f 100644 --- a/roles/docker/tasks/traefik.yml +++ b/roles/docker/tasks/traefik.yml @@ -7,4 +7,5 @@ group: "{{ pgid }}" state: directory loop: - - "{{ swag_config }}" + - "{{ docker_dir }}/traefik/etc-traefik/" + - "{{ docker_dir }}/traefik/var-log/" diff --git a/roles/docker/tasks/zoneminder.yml b/roles/docker/tasks/zoneminder.yml index 84ca038..f15e0d3 100644 --- a/roles/docker/tasks/zoneminder.yml +++ b/roles/docker/tasks/zoneminder.yml @@ -2,16 +2,16 @@ - name: Create zoneminder user user: name: zm - uid: 911 + uid: '911' shell: /bin/false become: true - name: Create Zoneminder config directory file: path: "{{ item }}" - owner: 911 - group: 911 - mode: '700' + owner: '911' + group: '911' + mode: '755' state: directory loop: - "{{ zoneminder_config }}" @@ -20,8 +20,8 @@ - name: Create Zoneminder data directory file: path: "{{ item }}" - owner: 911 - group: 911 + owner: '911' + group: '911' mode: '755' state: directory loop: diff --git a/roles/docker/templates/aya01/compose.yaml b/roles/docker/templates/aya01/compose.yaml index c38c398..8f451ff 100644 --- a/roles/docker/templates/aya01/compose.yaml 
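Review bot: `owner: 1000` / `group: 1000` hardcode the UID, while every other directory task in this diff (swag.yml, traefik.yml) and the plex service itself (`PUID={{puid}}`) use `{{ puid }}`/`{{ pgid }}`; if `puid` is ever not 1000 the config volume ends up owned by the wrong user and Plex cannot write to it. Use `owner: "{{ puid }}"` and `group: "{{ pgid }}"`, write the mode with a leading zero as the wireguard role does (`mode: "0755"` — Ansible parses string modes as octal, so `'755'` works but reads ambiguously), and use `become: true` rather than `become: yes`.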
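Review bot: The "Create swag-config directory" task sets `owner: "{{ puid }}"` but carries no `become`, whereas the sibling "Copy site-confs" task does; unless the connecting user is puid itself, the chown fails on a fresh host before any template is copied. Add `become: true` to the first task. The second task templates into `dest: "{{ swag_remote_site_confs }}"` (`{{swag_config}}/nginx/site-confs/`), a directory that appears to be created by the swag container on first start, so running this before the compose project is up would fail on a missing destination directory; adding `- "{{ swag_remote_site_confs }}"` to the first task's loop removes that ordering dependency.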
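Review bot: Widening `mode: '700'` to `mode: '755'` on the "Create Zoneminder config directory" loop makes the ZoneMinder configuration tree traversable by every local account on the host; ZoneMinder's config typically holds database credentials, and the loop continues past this hunk, so the log and db directories may be affected as well. The directories are already `owner: '911'`/`group: '911'`, matching the `zm` user created above, so `0700` should have sufficed for the container to read them — if the relaxation was needed to work around a different in-container uid, record that with a comment such as `# 0755: zm image runs helper processes as a different uid — confirm before relaxing further`, otherwise restore `mode: '0700'`.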
+++ b/roles/docker/templates/aya01/compose.yaml @@ -63,8 +63,8 @@ services: - "TZ=Europe/Berlin" labels: - "traefik.enable=true" - - "traefik.http.routers.zoneminder.rule=Host(`{{ zoneminder_host}}.{{ aya01_host }}.{{ local_domain }}`)" - - "traefik.http.services.zoneminder.loadbalancer.server.port={{ 80 }}" + - "traefik.http.routers.{{ zoneminder_host }}.rule=Host(`{{ zoneminder_host}}.{{ aya01_host }}.{{ local_domain }}`)" + - "traefik.http.services.{{ zoneminder_host }}.loadbalancer.server.port=80" pihole: container_name: pihole @@ -94,10 +94,10 @@ services: - NET_ADMIN labels: - "traefik.enable=true" - - "traefik.http.routers.pihole.rule=Host(`{{ pihole_host }}.{{ aya01_host }}.{{ local_domain }}`)" - - "traefik.http.services.pihole.loadbalancer.server.port={{ 80 }}" + - "traefik.http.routers.{{ pihole_host }}.rule=Host(`{{ pihole_host }}.{{ aya01_host }}.{{ local_domain }}`)" + - "traefik.http.services.{{ pihole_host }}.loadbalancer.server.port={{ 80 }}" - fyncthing: + syncthing: container_name: syncthing image: syncthing/syncthing restart: unless-stopped @@ -116,24 +116,8 @@ services: hostname: syncthing labels: - "traefik.enable=true" - - "traefik.http.routers.syncthing.rule=Host(`{{ syncthing_host }}.{{ aya01_host }}.{{ local_domain }}`)" - - "traefik.http.services.syncthing.loadbalancer.server.port={{ syncthing_port }}" - -# grafana: -# container_name: grafana -# image: grafana/grafana-oss -# restart: unless-stopped -# user: "{{ puid }}:{{ pgid }}" -# networks: -# - net -# ports: -# - 3000:3000 -# volumes: -# - "{{ grafana_data }}:/var/lib/grafana/" -# - "{{ grafana_log }}:/var/log/grafana/" -# environment: -# - "GF_LOG_MODE=console file" -# hostname: grafana + - "traefik.http.routers.{{ syncthing_host }}.rule=Host(`{{ syncthing_host }}.{{ aya01_host }}.{{ local_domain }}`)" + - "traefik.http.services.{{ syncthing_host }}.loadbalancer.server.port={{ syncthing_port }}" soft-serve: container_name: soft-serve 
@@ -146,56 +130,6 @@ services: volumes: - "{{ softserve_data }}:/soft-serve" - # prometheus: - # container_name: prometheus - # image: prom/prometheus - # restart: unless-stopped - # networks: - # - net - # ports: - # - "{{ prm_port }}:9090" - # volumes: - # - "{{ prm_config }}:/etc/prometheus" - - # exporter_mikrotik: - # container_name: exporter_mikrotik - # image: "nshttpd/mikrotik-exporter:{{ e_mikrotik_version }}" - # restart: unless-stopped - # user: "{{ puid }}:{{ pgid }}" - # networks: - # - net - # ports: - # - "{{ e_mikrotik_port }}:9436" - # volumes: - # - "{{ e_mikrotik_config }}:/config" - # environment: - # - "CONFIG_FILE=/config/config.yml" - - # netdata: - # container_name: netdata - # image: netdata/netdata - # restart: unless-stopped - # networks: - # - net - # ports: - # - "{{netdata_port}}:19999" - # volumes: - # - "{{netdata_config}}:/etc/netdata" - # - "{{netdata_lib}}:/var/lib/netdata" - # - "{{netdata_cache}}:/var/cache/netdata" - # - /etc/passwd:/host/etc/passwd:ro - # - /etc/group:/host/etc/group:ro - # - /proc:/host/proc:ro - # - /sys:/host/sys:ro - # - /etc/os-release:/host/etc/os-release:ro - # environment: - # - "DO_NOT_TRACK=1" - # cap_add: - # - SYS_PTRACE - # security_opt: - # - apparmor:unconfined - # hostname: "{{ aya01_host }}" - cupsd: container_name: cupsd image: olbat/cupsd @@ -209,8 +143,8 @@ services: - "{{cupsd_config}}:/etc/cups" labels: - "traefik.enable=true" - - "traefik.http.routers.cupsd.rule=Host(`{{ cupsd_host }}.{{ aya01_host }}.{{local_domain}}`)" - - "traefik.http.services.cupsd.loadbalancer.server.port={{ cupsd_port }}" + - "traefik.http.routers.{{ cupsd_host }}.rule=Host(`{{ cupsd_host }}.{{ aya01_host }}.{{local_domain}}`)" + - "traefik.http.services.{{ cupsd_host }}.loadbalancer.server.port={{ cupsd_port }}" kuma: container_name: kuma 
@@ -224,11 +158,48 @@ services: - "{{ kuma_config }}:/app/data" labels: - "traefik.enable=true" - - "traefik.http.routers.kuma.rule=Host(`{{ kuma_host }}.{{ aya01_host }}.{{local_domain}}`)" - - "traefik.http.services.kuma.loadbalancer.server.port={{ kuma_port }}" + - "traefik.http.routers.{{kuma_host}}.rule=Host(`{{ kuma_host }}.{{ aya01_host }}.{{local_domain}}`)" + - "traefik.http.services.{{kuma_host}}.loadbalancer.server.port={{ kuma_port }}" + + plex: + image: lscr.io/linuxserver/plex:latest + container_name: plex + restart: always + networks: + - net + ports: + - "{{ plex_port }}:32400" + - "1900:1900" + - "3005:3005" + - "5353:5353" + - "32410:32410" + - "8324:8324" + - "32412:32412" + - "32469:32469" + environment: + - PUID={{puid}} + - PGID={{pgid}} + - TZ={{timezone}} + - VERSION=docker + - PLEX_CLAIM=claim-wofbDBCEMQT8SxUs1-Rw #optional + volumes: + - "{{ plex_config }}:/config" + - "{{ plex_tv }}:/tv" + - "{{ plex_movies }}:/movies" + labels: + - "traefik.enable=true" + - "traefik.http.routers.{{plex_host}}.rule=Host(`{{ plex_host }}.{{ aya01_host }}.{{local_domain}}`)" + - "traefik.http.services.{{plex_host}}.loadbalancer.server.port={{ plex_port }}" networks: zoneminder: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.16.42.0/24 + ip_range: 172.28.42.0/24 + gateway: 172.16.42.1 net: driver: bridge ipam: diff --git a/roles/docker/templates/mii/compose.yaml b/roles/docker/templates/mii/compose.yaml index f22563a..0497629 100644 --- a/roles/docker/templates/mii/compose.yaml +++ b/roles/docker/templates/mii/compose.yaml @@ -5,6 +5,10 @@ services: container_name: swag networks: net: {} + dns: + - {{ aya01_ip }} + - {{ pi_ip }} + - 1.1.1.1 cap_add: - NET_ADMIN environment: 
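Review bot: `PLEX_CLAIM=claim-wofbDBCEMQT8SxUs1-Rw` commits a Plex claim token to the repository, while every other secret in this diff goes through vault (`vault_wg_pk`, `vault_*_password`); claim tokens are short-lived, but this one should be treated as leaked, re-issued, and supplied from a vaulted variable (or removed after the first start, since it is only consumed once). The new `zoneminder` network is also inconsistent: `ip_range: 172.28.42.0/24` does not lie inside `subnet: 172.16.42.0/24`, which Docker rejects when it creates the network. Finally, Plex's discovery ports (1900, 5353, 32410, 32412) are UDP, but the mappings carry no `/udp` suffix, so they open TCP listeners on every host interface without providing the discovery function; since viewers reach Plex through Traefik, publish only what is needed and mark the UDP ones explicitly.

```yaml
    ports:
      - "{{ plex_port }}:32400"
      - "1900:1900/udp"
      - "3005:3005"
      - "5353:5353/udp"
      - "32410:32410/udp"
      - "8324:8324"
      - "32412:32412/udp"
      - "32469:32469"
    environment:
      - PUID={{puid}}
      - PGID={{pgid}}
      - TZ={{timezone}}
      - VERSION=docker
      - PLEX_CLAIM={{ vault_plex_claim }}  # one-time claim token, kept in vault, not in git
    # … unchanged: volumes, labels …
networks:
  zoneminder:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.16.42.0/24
          # ip_range dropped: 172.28.42.0/24 was outside the subnet; re-add only as a sub-range of it
          gateway: 172.16.42.1
```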
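Review bot: The swag `dns:` list puts `{{ aya01_ip }}` and `{{ pi_ip }}` first, but from mii those resolvers are only reachable once wg0 is up, and mii.yml orders the `wireguard` role after `docker`, so on a first run (and on any boot where compose starts before wg-quick) name resolution for the proxied hosts falls through to 1.1.1.1 or fails — whether borg.land names resolve publicly cannot be told from here. Record the dependency next to the list, e.g. `# internal resolvers, reachable only through wg0 (roles/wireguard)`, and consider ordering docker after wg-quick@wg0 (a systemd drop-in) or running the wireguard role first.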
@@ -13,11 +17,11 @@ services:
 - TZ={{ timezone }}
 - URL={{ remote_domain }}
 - VALIDATION=http
- - SUBDOMAINS=www, #optional
+ - SUBDOMAINS={{ swag_subdomains }} #optional
 - CERTPROVIDER= #optional
 - DNSPLUGIN=cloudflare #optional
 - PROPAGATION= #optional
- - EMAIL= #optional
+ - EMAIL={{ swag_email }} #optional
 - ONLY_SUBDOMAINS=false #optional
 - EXTRA_DOMAINS= #optional
 - STAGING=false #optional
diff --git a/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf b/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf
new file mode 100644
index 0000000..b32936a
--- /dev/null
+++ b/roles/docker/templates/mii/swag/site-confs/plex.subdomain.conf
@@ -0,0 +1,30 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name plex.tudattr.dev;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+    proxy_redirect off;
+    proxy_buffering off;
+
+    location / {
+        include /config/nginx/resolver.conf;
+        proxy_pass http://plex.aya01.borg.land;
+
+        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+        proxy_set_header X-Plex-Device $http_x_plex_device;
+        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+        proxy_set_header X-Plex-Platform $http_x_plex_platform;
+        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+        proxy_set_header X-Plex-Product $http_x_plex_product;
+        proxy_set_header X-Plex-Token $http_x_plex_token;
+        proxy_set_header X-Plex-Version $http_x_plex_version;
+        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+        proxy_set_header X-Plex-Provides $http_x_plex_provides;
+        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+        proxy_set_header X-Plex-Model $http_x_plex_model;
+    }
+}
diff --git a/roles/docker/templates/mii/swag/site-confs/uptime-kuma.subdomain.conf b/roles/docker/templates/mii/swag/site-confs/uptime-kuma.subdomain.conf
new file mode 100644
index 0000000..23c5812
--- /dev/null
+++ b/roles/docker/templates/mii/swag/site-confs/uptime-kuma.subdomain.conf
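Review bot: The `location /` block forwards only the X-Plex-* headers and never sets `Host`, `X-Real-IP` or `X-Forwarded-For`/`-Proto`, so Plex behind Traefik on aya01 sees every external viewer as the proxy's tunnel address — make sure that source range is never added to Plex's "networks allowed without auth", and add `include /config/nginx/proxy.conf;` inside the location (SWAG's bundled include appears to set those headers plus `proxy_http_version 1.1` and the WebSocket upgrade headers Plex Web uses; confirm it exists in this SWAG image before relying on it). `server_name plex.tudattr.dev;` is hardcoded although this file is an Ansible template and the domain already lives in `remote_domain`; `server_name plex.{{ remote_domain }};` keeps it in step with `swag_subdomains`. The plaintext `proxy_pass http://plex.aya01.borg.land;` is only acceptable because the hop rides the WireGuard tunnel; a comment saying so, e.g. `# upstream reached over wg0; plaintext is confined to the tunnel`, stops a later reader from reusing it elsewhere.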
@@ -0,0 +1,17 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name status.tudattr.dev;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    location / {
+        include /config/nginx/resolver.conf;
+        proxy_pass http://uptime.aya01.borg.land;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
diff --git a/roles/samba/tasks/config.yaml b/roles/samba/tasks/config.yaml
index 1a45dd1..03dbdc9 100644
--- a/roles/samba/tasks/config.yaml
+++ b/roles/samba/tasks/config.yaml
@@ -10,5 +10,6 @@
 systemd:
 name: nmbd
 state: restarted
+ enabled: yes
 become: true
 when: smbconf.changed
diff --git a/roles/wireguard/tasks/config.yml b/roles/wireguard/tasks/config.yml
new file mode 100644
index 0000000..0a0acb9
--- /dev/null
+++ b/roles/wireguard/tasks/config.yml
@@ -0,0 +1,16 @@
+---
+- name: Copy "{{ wg_config }}"
+ template:
+ src: "{{ wg_config }}"
+ dest: "{{ wg_remote_config }}"
+ owner: "root"
+ group: "root"
+ mode: "0600"
+ become: true
+
+- name: Start wireguard
+ service:
+ name: "{{ wg_service }}"
+ state: started
+ enabled: yes
+ become: true
diff --git a/roles/wireguard/tasks/install.yml b/roles/wireguard/tasks/install.yml
new file mode 100644
index 0000000..da1826e
--- /dev/null
+++ b/roles/wireguard/tasks/install.yml
@@ -0,0 +1,20 @@
+---
+- name: Update and upgrade packages
+ apt:
+ update_cache: true
+ upgrade: true
+ autoremove: true
+ become: true
+
+- name: Install WireGuard dependencies
+ apt:
+ name: "{{ wg_deps }}"
+ state: present
+ become: true
+
+- name: Create resolveconf symlink Debian bug #939904
+ file:
+ src: /usr/bin/resolvectl
+ dest: /usr/local/bin/resolvconf
+ state: link
+ become: true
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..1c2de2c
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,2 @@
+- include_tasks: install.yml
+- include_tasks: config.yml
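Review bot: The WebSocket headers `Upgrade` / `Connection "upgrade"` are set without `proxy_http_version 1.1;`, so nginx speaks HTTP/1.0 to the upstream and the upgrade never completes — uptime-kuma's UI relies on socket.io, so this shows up as a perpetual reconnect. Add `proxy_http_version 1.1;` beside `proxy_pass`, and prefer `proxy_set_header Connection $connection_upgrade;` (SWAG's nginx.conf appears to define that map; verify) so ordinary requests are not forced into a bogus upgrade. As in the plex config, `server_name status.tudattr.dev;` could be `status.{{ remote_domain }}` since the file is rendered by Ansible.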
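Review bot: `enabled: yes` is added to a task that is gated by `when: smbconf.changed` (the task's `- name:` line is above this hunk), so nmbd is only enabled at boot on runs where smb.conf actually changed — a host whose config is already in place never gets the unit enabled. Split enabling into its own unconditional task (`systemd: name: nmbd, enabled: true`) and leave only the restart behind the `when`; also write `true` rather than `yes`.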
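Review bot: "Start wireguard" only ensures `state: started`, so a later change to wg0.conf (rotated key, new endpoint, tightened AllowedIPs) is written to disk but never applied — the running tunnel keeps the old parameters until a reboot, which is exactly the case where you want the new ones. Register the template result (`register: wg_conf`) and restart on change, e.g. `state: "{{ 'restarted' if wg_conf.changed else 'started' }}"`, or notify a handler that runs `wg syncconf`. `enabled: yes` should be `enabled: true`.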
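Review bot: "Update and upgrade packages" runs a full `apt upgrade` with `autoremove` every time the wireguard role is applied, which is unrelated to installing WireGuard, always reports changed, and can pull kernel or docker upgrades onto the public proxy host in the middle of a deploy. Limit the role to its own dependency — `update_cache: true` with `cache_valid_time: 3600` on the install task — and move host-wide upgrades to a dedicated play. The `/usr/local/bin/resolvconf` symlink deserves a comment, e.g. `# shim so wg-quick can apply DNS= on systemd-resolved hosts (Debian #939904); fails safely if a real resolvconf exists`, since `state: link` without `force` will not overwrite an existing file, which is the desired behaviour but not obvious.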
diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf
new file mode 100644
index 0000000..62507a3
--- /dev/null
+++ b/roles/wireguard/templates/wg0.conf
@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey = {{ vault_wg_pk }}
+Address = {{ wg_ip }}
+DNS = {{ wg_dns }}
+
+[Peer]
+PublicKey = {{ wg_pubkey }}
+Endpoint = {{ wg_endpoint }}
+AllowedIPs = {{ wg_allowed_ips }}
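Review bot: The `[Peer]` section has no `PresharedKey`; the private key is already vaulted (`vault_wg_pk`), so adding a vaulted preshared key generated with `wg genpsk` and mirrored on the home peer is a cheap hardening step (a symmetric layer on top of the Curve25519 exchange). `DNS = {{ wg_dns }}` hands the home resolvers plus 1.1.1.1 to mii's system resolver through the resolvconf shim from install.yml, which may end up serving all of the VPS's queries and ties host-wide DNS to the tunnel; the swag container already receives the same servers via its own `dns:` list, so if only the proxy needs them, dropping `DNS =` (and the shim) removes that coupling — presumably the intent, confirm. A header comment noting that the file is rendered by Ansible and that `AllowedIPs` also acts as this peer's route table would help the next reader.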