bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

moved ddns, partkeepr, hass to podman, selinux

Browse Source
This commit is contained in:
Bastian de Byl
2022-04-30 03:44:55 -04:00
parent b228012d5a
commit cb2001357f
61 changed files with 481 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
.ansible-vaultpass
.venv/*

7
Makefile
View File

@@ -26,10 +26,11 @@ SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible
# Default to all ansible tags to run (passed via 'make deploy TAGS=sometag')
TAGS?=all
SKIP_TAGS?=none
TARGET?=all
${VENV}:
virtualenv -p python3 ${VENV}
python3 -m venv ${VENV}
${PIP}: ${VENV}
${ANSIBLE} ${ANSIBLE_VAULT} ${LINT_YAML} ${LINT_ANSIBLE}: ${VENV} requirements.txt
@@ -51,7 +52,7 @@ SKIP_FILE=./.lint-vars.sh
# Targets
deploy: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
list-tags: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
@@ -60,7 +61,7 @@ list-tasks: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
check: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE}

2
ansible.cfg
View File

@@ -2,7 +2,7 @@
callback_enabled = profile_tasks
# Do not gather facts by default
gathering = explicit
#gathering = explicit
# Hide warnings about discovered Python interpreter
interpreter_python = auto_silent

9
ansible/deploy_home.yml
View File

@@ -5,12 +5,9 @@
roles:
- role: common
- role: git
- role: ddns
- role: podman
- role: ssl
- role: pihole
- role: http
#- role: pihole
- role: drone
- role: hass
- role: motion
- role: partkeepr
- role: graylog
- role: http

5
ansible/inventories/home/hosts.yml
View File

@@ -3,3 +3,8 @@ all:
hosts:
home.bdebyl.net:
ansible_user: ansible
children:
newhome:
hosts:
galactica.lan:
ansible_user: fedora

17
ansible/roles/common/defaults/main.yml
View File

@@ -1,12 +1,21 @@
---
deps: [cronie, docker, fail2ban, git, logrotate, python-docker, tmux, weechat]
deps:
[
cockpit-podman,
cronie,
docker,
fail2ban,
fail2ban-selinux,
git,
logrotate,
podman,
python-docker,
]
fail2ban_jails: [sshd.local, nginx.local]
services:
- cronie
- crond
- docker
- fail2ban
- iptables
- nginx
- systemd-timesyncd

14
ansible/roles/common/files/fail2ban/jails/nginx.local
View File

@@ -7,13 +7,13 @@ bantime = 1w
maxretry = 8
ignoreip = 127.0.0.1/32 192.168.1.0/24
[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
bantime = 2w
maxretry = 5
ignoreip = 127.0.0.1/32 192.168.1.0/24
#[nginx-http-auth]
#enabled = true
#port = http,https
#logpath = %(nginx_error_log)s
#bantime = 2w
#maxretry = 5
#ignoreip = 127.0.0.1/32 192.168.1.0/24
[nginx-botsearch]
enabled = true

2
ansible/roles/common/tasks/deps.yml
View File

@@ -1,7 +1,7 @@
---
- name: install common dependencies
become: true
community.general.pacman:
ansible.builtin.package:
name: "{{ deps }}"
state: present
tags: deps

15
ansible/roles/common/tasks/main.yml
View File

@@ -2,3 +2,18 @@
- import_tasks: deps.yml
- import_tasks: security.yml
- import_tasks: service.yml
- name: create the docker group
become: true
ansible.builtin.group:
name: docker
state: present
tags: common
- name: add default user to docker group
become: true
ansible.builtin.user:
name: "{{ ansible_user }}"
groups: docker
append: true
tags: common

2
ansible/roles/ddns/tasks/main.yml
View File

@@ -1,2 +0,0 @@
---
- import_tasks: awsddns.yml

4
ansible/roles/drone/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restorecon drone
become: true
ansible.builtin.command: sh -c 'restorecon -Firv /var/lib/drone'

4
ansible/roles/drone/tasks/drone.yml
View File

@@ -4,7 +4,7 @@
community.general.docker_container:
name: drone
image: drone/drone:latest
recreate: true
recreate: false
restart: true
restart_policy: on-failure
restart_retries: 3
@@ -32,7 +32,7 @@
community.general.docker_container:
name: drone-runner
image: drone/drone-runner-docker:latest
recreate: true
recreate: false
restart: true
restart_policy: on-failure
restart_retries: 3

1
ansible/roles/drone/tasks/main.yml
View File

@@ -1,2 +1,3 @@
---
- import_tasks: drone.yml
- import_tasks: selinux.yml

9
ansible/roles/drone/tasks/selinux.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: selinux context for drone directory
become: true
community.general.sefcontext:
target: "/var/lib/drone(/.*)?"
setype: svirt_sandbox_file_t
state: present
notify: restorecon drone
tags: selinux

9
ansible/roles/graylog/tasks/graylog.yml
View File

@@ -44,9 +44,10 @@
transport.host: "localhost"
network.host: "0.0.0.0"
cluster.name: "graylog"
ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx512m"
ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m"
ulimits:
- "memlock:-1:-1"
- "nofile:64000:64000"
memory: 1G
tags: graylog
@@ -58,14 +59,18 @@
restart: true
restart_policy: on-failure
restart_retries: 3
sysctls:
net.ipv6.conf.all.disable_ipv6: 1
net.ipv6.conf.default.disable_ipv6: 1
networks:
- name: "graylog"
volumes:
- graylog-conf:/usr/share/graylog/data/config
- /var/lib/docker/shared/graylog:/usr/share/graylog/bin:z
env:
GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
GRAYLOG_HTTP_EXTERNAL_URI: http://192.168.1.12:9000/
GRAYLOG_HTTP_EXTERNAL_URI: http://192.168.1.10:9000/
GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200

BIN
ansible/roles/hass/files/automations.yaml
View File

Binary file not shown.

BIN
ansible/roles/hass/files/configuration.yaml
View File

Binary file not shown.

4
ansible/roles/hass/meta/main.yml
View File

@@ -1,4 +0,0 @@
---
dependencies:
- role: http
- role: graylog

44
ansible/roles/hass/tasks/hass.yml
View File

@@ -1,44 +0,0 @@
---
- name: create home-assistant host directory volumes
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0640
with_items:
- /usr/share/hass
- /usr/share/hass/media
- /var/lib/private/hass
tags: hass
- name: copy configuration and automations
become: true
ansible.builtin.copy:
src: "files/{{ item }}"
dest: "/var/lib/private/hass/{{ item }}"
mode: 0644
with_items:
- configuration.yaml
- automations.yaml
tags: hass
- name: create home-assistant server container
diff: false
community.general.docker_container:
name: hass
image: ghcr.io/home-assistant/home-assistant:stable
recreate: false
restart: true
restart_policy: on-failure
restart_retries: 3
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}}.Name{{'}}'}}"
volumes:
- /var/lib/hass:/config
- /usr/share/hass:/share
ports:
- "8123:8123"
tags: hass

2
ansible/roles/hass/tasks/main.yml
View File

@@ -1,2 +0,0 @@
---
- import_tasks: hass.yml

2
ansible/roles/http/defaults/main.yml
View File

@@ -1,6 +1,4 @@
---
deps: [certbot, nginx, nginx-mod-modsecurity]
ci_server_name: ci.bdebyl.net
pi_server_name: pi.bdebyl.net
assistant_server_name: assistant.bdebyl.net

13
ansible/roles/http/handlers/main.yml
View File

@@ -1,6 +1,17 @@
---
- name: restart_nginx
become: true
ansible.builtin.command: docker restart nginx
- name: restart firewalld
become: true
ansible.builtin.service:
name: nginx
name: firewalld
state: restarted
- name: restorecon nginx
become: true
ansible.builtin.command: restorecon -irv /etc/{{ item }}
with_items:
- nginx
- letsencrypt

2
ansible/roles/http/tasks/deps.yml
View File

@@ -1,7 +1,7 @@
---
- name: install http dependencies
become: true
pacman:
ansible.builtin.package:
name: "{{ deps }}"
state: present
tags: deps

12
ansible/roles/http/tasks/firewall.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: set http/https firewall rules
become: true
ansible.posix.firewalld:
service: "{{ item }}"
permanent: true
state: enabled
with_items:
- http
- https
notify: restart firewalld
tags: firewall

16
ansible/roles/http/tasks/http.yml
View File

@@ -5,7 +5,7 @@
src: templates/nginx/nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: root
group: http
group: nginx
mode: 0644
notify: restart_nginx
tags: http
@@ -26,8 +26,8 @@
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: http
group: http
owner: nginx
group: nginx
mode: 0755
loop:
- /srv/http
@@ -38,8 +38,8 @@
become: true
ansible.builtin.file:
path: /srv/http
owner: http
group: http
owner: nginx
group: nginx
mode: 0755
recurse: true
tags: http
@@ -84,9 +84,3 @@
- "{{ logs_server_name }}.conf"
notify: restart_nginx
tags: http
- name: validate nginx configurations
become: true
ansible.builtin.command: nginx -t
changed_when: false
tags: http

10
ansible/roles/http/tasks/logrotate.yml
View File

@@ -1,10 +0,0 @@
---
- name: template nginx log rotation
become: true
ansible.builtin.template:
src: logrotate/nginx.j2
dest: /etc/logrotate.d/nginx
mode: 0644
tags:
- http
- logrotate

4
ansible/roles/http/tasks/main.yml
View File

@@ -1,7 +1,7 @@
---
- import_tasks: deps.yml
- import_tasks: security.yml
- import_tasks: firewall.yml
- import_tasks: modsec.yml
- import_tasks: http.yml
- import_tasks: https.yml
- import_tasks: logrotate.yml
- import_tasks: nginx.yml

33
ansible/roles/http/tasks/nginx.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- name: selinux context for nginx directories
become: true
community.general.sefcontext:
target: "/etc/{{ item }}"
setype: container_file_t
state: present
with_items:
- "nginx(/.*)?"
- "letsencrypt(/.*)?"
notify: restorecon nginx
tags: selinux
- name: create nginx modsecurity container
community.general.docker_container:
name: nginx
image: owasp/modsecurity:nginx
entrypoint: ["nginx", "-g", "daemon off;"]
command_handling: correct
recreate: true
restart: true
restart_policy: on-failure
restart_retries: 3
network_mode: host
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}}.Name{{'}}'}}"
volumes:
- /etc/nginx:/etc/nginx:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
tags: nginx

14
ansible/roles/http/tasks/security.yml
View File

@@ -1,14 +0,0 @@
---
- name: touch nginx logs, enable jail
become: true
ansible.builtin.file:
path: "/var/log/nginx/{{ item }}.log"
state: touch
mode: 0644
loop:
- access
- error
notify: restart_fail2ban
tags:
- http
- security

2
ansible/roles/http/templates/nginx/nginx.conf.j2
View File

@@ -1,4 +1,4 @@
user http;
user nginx;
worker_processes 1;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;

1
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
View File

@@ -1,6 +1,5 @@
server {
listen 80;
listen [::]:80;
server_name {{ ci_server_name }};
location /.well-known {

3
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
View File

@@ -12,13 +12,12 @@ server {
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ ci_server_name }};
ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_dhparam ssl/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

2
ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
View File

@@ -10,7 +10,7 @@ server {
listen 80 default_server;
server_name {{ home_server_name }};
if ($whitelisted = 1) {
return 302 http://pi.bdebyl.net;
return 302 http://192.168.1.12;
}
if ($whitelisted = 0) {

1
ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
View File

@@ -12,6 +12,7 @@ server {
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
listen 80;
listen [::]:80;
server_name {{ logs_server_name }};
location / {

1
ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
View File

@@ -8,7 +8,6 @@ server {
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
listen 80;
listen [::]:80;
server_name {{ parts_server_name }};
location /.well-known {

3
ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
View File

@@ -14,13 +14,12 @@ server {
resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ parts_server_name }};
ssl_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ parts_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_dhparam ssl/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

1
ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
View File

@@ -9,7 +9,6 @@ server {
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
listen 80;
listen [::]:80;
root /srv/http/pihole;
server_name {{ pi_server_name }};

2
ansible/roles/motion/defaults/main.yml
View File

@@ -1,2 +0,0 @@
---
deps: ["cifs-utils"]

6
ansible/roles/motion/handlers/main.yml
View File

@@ -1,6 +0,0 @@
---
- name: restart_motion
become: true
ansible.builtin.service:
name: motion
state: restarted

4
ansible/roles/motion/meta/main.yml
View File

@@ -1,4 +0,0 @@
---
dependencies:
- role: http
- role: graylog

9
ansible/roles/motion/tasks/deps.yml
View File

@@ -1,9 +0,0 @@
---
- name: install shinobi dependencies
become: true
community.general.pacman:
name: "{{ deps }}"
state: present
tags:
- deps
- motion

3
ansible/roles/motion/tasks/main.yml
View File

@@ -1,3 +0,0 @@
---
- import_tasks: deps.yml
- import_tasks: motion.yml

55
ansible/roles/motion/tasks/motion.yml
View File

@@ -1,55 +0,0 @@
---
- name: create shinobi user
become: true
ansible.builtin.user:
name: "{{ motion_user }}"
shell: /bin/nologin
tags: motion
- name: mount shinob videos folder
become: true
ansible.builtin.file:
path: /mnt/shinobi
state: directory
owner: "{{ motion_user }}"
group: "{{ motion_user }}"
mode: 0755
tags: motion
- name: mount smb via cifs
become: true
ansible.posix.mount:
path: /mnt/shinobi
src: "//{{ motion_hostname }}/share/GardenCamera"
fstype: cifs
# yamllint disable-line rule:line-length
opts: "username={{ motion_user }},password={{ motion_pass }},workgroup=workgroup,iocharset=utf8,uid={{ motion_user }},gid={{ motion_user }}"
state: mounted
tags: motion
- name: create shinobi data volume
become: true
community.general.docker_volume:
name: shinobi_data
tags: motion
- name: create shinobi server container
diff: false
community.general.docker_container:
name: shinobi
image: migoller/shinobidocker:latest
recreate: false
restart: true
restart_policy: on-failure
restart_retries: 3
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}} .Name {{'}}'}}"
volumes:
- "shinobi_data:/var/lib/mysql"
- "/mnt/shinobi:/opt/shinobi/videos"
ports:
- "8085:8080"
tags: motion

4
ansible/roles/partkeepr/meta/main.yml
View File

@@ -1,4 +0,0 @@
---
dependencies:
- role: http
- role: graylog

87
ansible/roles/partkeepr/tasks/main.yml
View File

@@ -1,87 +0,0 @@
---
- name: create required partkeepr volumes
community.general.docker_volume:
name: "{{ item }}"
with_items:
- partkeepr-web-vol
- partkeepr-conf-vol
- partkeepr-data-vol
- partkeepr-db-vol
tags: partkeepr
- name: create partkeepr network
community.general.docker_network:
name: "partkeepr"
tags: partkeepr
- name: create partkeepr-db container
diff: false
community.general.docker_container:
name: partkeepr-db
image: mariadb:10.0
recreate: false
restart: true
restart_policy: unless-stopped
restart_retries: 3
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}}.Name{{'}}'}}"
networks:
- name: "partkeepr"
env:
MYSQL_RANDOM_ROOT_PASSWORD: "yes"
MYSQL_DATABASE: partkeepr
MYSQL_USER: partkeepr
MYSQL_PASSWORD: partkeepr
volumes:
- partkeepr-db-vol:/var/lib/mysql
tags: partkeepr
- name: create partkeepr container
diff: false
community.general.docker_container:
name: partkeepr
image: mhubig/partkeepr:latest
recreate: false
restart: true
restart_policy: unless-stopped
restart_retries: 3
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}}.Name{{'}}'}}"
networks:
- name: "partkeepr"
ports:
- "8081:80"
volumes:
- partkeepr-db-conf-vol:/var/www/html/app/config
- partkeepr-db-data-vol:/var/www/html/data
- partkeepr-db-web-vol:/var/www/html/web
tags: partkeepr
- name: create partkeepr-cron container
diff: false
community.general.docker_container:
name: partkeepr-cron
image: mhubig/partkeepr:latest
command_handling: correct
entrypoint: []
command: bash -c "crontab /etc/cron.d/partkeepr && cron -f"
recreate: false
restart: true
restart_policy: unless-stopped
restart_retries: 3
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}}.Name{{'}}'}}"
volumes:
- partkeepr-db-conf-vol:/var/www/html/app/config:ro
- partkeepr-db-data-vol:/var/www/html/data
- partkeepr-db-web-vol:/var/www/html/web
tags: partkeepr

2
ansible/roles/pihole/tasks/deps.yml
View File

@@ -6,6 +6,6 @@
- name: install pi-hole-server dependencies
become: true
community.general.pacman:
ansible.builtin.package:
name: "{{ deps }}"
state: present

3
ansible/roles/podman/defaults/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
partkeepr_path: "{{ podman_volumes }}/partkeepr"
hass_path: "{{ podman_volumes }}/hass"

41
ansible/roles/podman/files/automations.yaml Normal file
View File

@@ -0,0 +1,41 @@
- id: '1649042254031'
alias: Office Lights Morning
description: ''
trigger:
- platform: time
at: '10:30:00'
condition: []
action:
- type: turn_on
device_id: 04a5b4bea0caafe63bca3fb31c49091b
entity_id: light.bastian_s_office_lights
domain: light
brightness_pct: 100
mode: single
- id: '1649042299713'
alias: Office Lights Evening
description: ''
trigger:
- platform: time
at: '17:00:00'
condition: []
action:
- type: turn_on
device_id: 04a5b4bea0caafe63bca3fb31c49091b
entity_id: light.bastian_s_office_lights
domain: light
brightness_pct: 1
mode: single
- id: '1649042328061'
alias: Office Lights Off
description: ''
trigger:
- platform: time
at: '20:00:00'
condition: []
action:
- type: turn_off
device_id: 04a5b4bea0caafe63bca3fb31c49091b
entity_id: light.bastian_s_office_lights
domain: light
mode: single

19
ansible/roles/podman/files/configuration.yaml Normal file
View File

@@ -0,0 +1,19 @@
# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
# Text to speech
tts:
- platform: google_translate
api:
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- 172.0.0.0/8
homeassistant:
time_zone: America/New_York
media_dirs:
media: /share
automation: !include automations.yaml

8
ansible/roles/podman/handlers/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: restorecon podman
become: true
ansible.builtin.command: |
restorecon -Frv {{ podman_home }}
tags:
- podman
- selinux

0
ansible/roles/ddns/meta/main.yml → ansible/roles/podman/meta/main.yml
View File

17
ansible/roles/ddns/tasks/awsddns.yml → ansible/roles/podman/tasks/container-awsddns.yml
View File

@@ -1,14 +1,15 @@
---
- name: create awsddns server container
become: true
become_user: "{{ podman_user }}"
diff: false
docker_container:
containers.podman.podman_container:
name: awsddns
image: bdebyl/awsddns
pull: true
recreate: true
image: docker.io/bdebyl/awsddns
recreate: false
restart: true
restart_policy: on-failure
restart_retries: 3
log_driver: journald
env:
AWS_ZONE_ID: "{{ aws_zone_id }}"
AWS_ZONE_HOSTNAME: "{{ aws_zone_hostname }}"
@@ -16,3 +17,9 @@
AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
AWS_DEFAULT_REGION: "{{ aws_default_region }}"
tags: ddns
- name: create systemd startup job for awsddns
include_tasks: systemd-generate.yml
vars:
container_name: awsddns
tags: ddns

57
ansible/roles/podman/tasks/container-hass.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: create home-assistant host directory volumes
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
- "{{ hass_path }}/media"
- "{{ hass_path }}/config"
tags: hass
- name: copy configuration and automations
become: true
ansible.builtin.copy:
src: "files/{{ item }}"
dest: "{{ hass_path }}/config/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
notify: restorecon podman
with_items:
- configuration.yaml
- automations.yaml
tags: hass
- meta: flush_handlers
tags: hass
- name: create home-assistant server container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: hass
image: ghcr.io/home-assistant/home-assistant:stable
recreate: false
restart: true
restart_policy: on-failure
log_driver: journald
cap_add:
- CAP_NET_RAW
- CAP_NET_BIND_SERVICE
volumes:
- "{{ hass_path }}/config:/config"
- "{{ hass_path }}/media:/share"
ports:
- "8123:8123"
tags: hass
- name: create systemd startup job for hass
include_tasks: systemd-generate.yml
vars:
container_name: hass
tags: hass

95
ansible/roles/podman/tasks/container-partkeepr.yml Normal file
View File

@@ -0,0 +1,95 @@
---
- name: create required partkeepr volumes
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
- "{{ partkeepr_path }}/mysql"
tags: partkeepr
- meta: flush_handlers
tags: partkeepr
- name: create partkeepr network
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_network:
name: partkeepr
tags: partkeepr
- name: create partkeepr-db container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: partkeepr-db
image: docker.io/mariadb:10.0
recreate: false
restart: false
restart_policy: on-failure
log_driver: journald
network:
- partkeepr
env:
MYSQL_RANDOM_ROOT_PASSWORD: "yes"
MYSQL_DATABASE: partkeepr
MYSQL_USER: partkeepr
MYSQL_PASSWORD: "{{ partkeepr_mysql_password }}"
volumes:
- "{{ partkeepr_path }}/mysql:/var/lib/mysql"
tags: partkeepr
- name: create systemd startup job for partkeepr-db
include_tasks: systemd-generate.yml
vars:
container_name: partkeepr-db
tags: partkeepr
- name: create partkeepr container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: partkeepr
image: docker.io/mhubig/partkeepr:latest
recreate: false
restart: false
restart_policy: on-failure
log_driver: journald
network:
- partkeepr
ports:
- "8081:80"
tags: partkeepr
- name: create systemd startup job for partkeepr
include_tasks: systemd-generate.yml
vars:
container_name: partkeepr
tags: partkeepr
- name: create partkeepr-cron container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: partkeepr-cron
image: docker.io/mhubig/partkeepr:latest
entrypoint: ""
command: >
bash -c "crontab /etc/cron.d/partkeepr && cron -f"
recreate: false
restart: true
restart_policy: on-failure
log_driver: journald
network:
- partkeepr
tags: partkeepr
- name: create systemd startup job for partkeepr-cron
include_tasks: systemd-generate.yml
vars:
container_name: partkeepr-cron
tags: partkeepr

5
ansible/roles/podman/tasks/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- import_tasks: podman.yml
- import_tasks: container-awsddns.yml
- import_tasks: container-partkeepr.yml
- import_tasks: container-hass.yml

58
ansible/roles/podman/tasks/podman.yml Normal file
View File

@@ -0,0 +1,58 @@
---
- name: create podman user
become: true
ansible.builtin.user:
name: "{{ podman_user }}"
comment: Rootless podman user
shell: /sbin/nologin
home: "{{ podman_home }}"
tags: podman
- name: check if podman user lingering enabled
become: true
ansible.builtin.stat:
path: "/var/lib/systemd/linger/{{ podman_user }}"
register: user_lingering
tags: podman
- name: enable podman user lingering
become: true
become_user: "{{ podman_user }}"
ansible.builtin.command: |
loginctl enable-linger {{ podman_user }}
when:
- not user_lingering.stat.exists
tags: podman
- name: selinux context for podman directories
become: true
community.general.sefcontext:
target: "{{ item.target }}(/.*)?"
setype: "{{ item.setype }}"
state: present
notify: restorecon podman
with_items:
- { target: "{{ podman_home }}", setype: "user_home_dir_t" }
- { target: "{{ podman_path }}", setype: "container_file_t" }
tags:
- podman
- selinux
- name: create podman system directories
become: true
become_user: "{{ podman_user }}"
ansible.builtin.file:
path: "{{ podman_home }}/{{ item }}"
state: directory
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
- ".config/systemd/user"
- "{{ podman_containers }}"
- "{{ podman_volumes }}"
tags: podman
- meta: flush_handlers
tags: podman

17
ansible/roles/podman/tasks/systemd-generate.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: create systemd startup job for {{ container_name }}
become: true
become_user: "{{ podman_user }}"
ansible.builtin.shell: |
podman generate systemd {{ container_name }} > {{ podman_home}}/.config/systemd/user/{{ container_name }}.service
tags: systemd
- name: enable systemd startup job for {{ container_name }}
become: true
become_user: "{{ podman_user }}"
ansible.builtin.systemd:
name: "{{ container_name }}.service"
daemon_reload: true
enabled: true
scope: user
tags: systemd

2
ansible/roles/ssl/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
deps: [certbot]

16
ansible/roles/ssl/tasks/certbot.yml
View File

@@ -1,18 +1,28 @@
---
- name: create nginx ssl directory
become: true
ansible.builtin.file:
path: /etc/nginx/ssl
owner: root
group: root
mode: 0644
state: directory
tags: ssl
- name: stat dhparam
become: true
ansible.builtin.stat:
path: /etc/ssl/certs/dhparam.pem
path: /etc/nginx/ssl/dhparam.pem
register: dhparam
tags: ssl
- name: generate openssl dhparam for nginx
become: true
ansible.builtin.command: |
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
when: not dhparam.stat.exists
args:
creates: /etc/ssl/certs/dhparam.pem
creates: /etc/nginx/ssl/dhparam.pem
tags: ssl
- name: create ssl certificate for ci server

7
ansible/roles/ssl/tasks/deps.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: install ssl dependencies
become: true
ansible.builtin.package:
name: "{{ deps }}"
state: present
tags: deps

BIN
ansible/vars/vault.yml
View File

Binary file not shown.