diff --git a/handlers.yml b/handlers.yml
index f397c3e..63cb21a 100644
--- a/handlers.yml
+++ b/handlers.yml
@@ -1,60 +1,60 @@
-- name: restart systemd-networkd
+---
+- name: Restart systemd-networkd
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-networkd
     state: restarted
     enabled: true
 
-- name: restart systemd-resolved
+- name: Restart systemd-resolved
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-resolved
     state: restarted
     enabled: true
 
-- name: restart nftables
+- name: Restart nftables
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: nftables.service
     state: restarted
     enabled: true
 
-- name: restart ssh
+- name: Restart ssh
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: ssh.service
     state: restarted
     enabled: true
 
-- name: restart docker service
+- name: Restart docker service
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: docker.service
     state: restarted
     enabled: true
 
-- name: restart nginx
+- name: Restart nginx
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: nginx.service
     state: restarted
     enabled: true
 
-- name: enable transip-client timer
+- name: Enable transip-client timer
   become: true
-  systemd:
+  ansible.builtin.systemd:
     daemon-reload: true
     name: transip-client.timer
     state: restarted
     enabled: true
 
-- name: regenerate initramfs
+- name: Regenerate initramfs
   become: true
-  command: update-initramfs -u -k all
-
-- name: restart certbot
+  ansible.builtin.command: update-initramfs -u -k all
+- name: Restart certbot
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: certbot
     state: restarted
     enabled: false
diff --git a/host_vars/fudiggity/forgejo.yml b/host_vars/fudiggity/forgejo.yml
index f133f38..07c2eb6 100644
--- a/host_vars/fudiggity/forgejo.yml
+++ b/host_vars/fudiggity/forgejo.yml
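Review bot: Capitalizing the handler names changes the strings that `notify:` has to match, and the unchanged `notify: restart docker service` in the tasks/docker.yml hunk of this same commit still uses the old lowercase name; Ansible compares handler names as exact strings, so that notification now names a handler that no longer exists and, on recent releases, is reported as an error when the task fires it. Either update every `notify:` under tasks/ to the new names (the other task files are outside this diff and need the same check) or keep both spellings working by adding a `listen:` alias to each renamed handler, e.g. `listen: restart docker service` under `Restart docker service`. Minor: dropping the blank line between `Regenerate initramfs` and `Restart certbot` breaks the one-blank-line-between-handlers layout the rest of the file keeps.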
@@ -1,19 +1,20 @@
-forgejo_app_dir: '/srv/docker/forgejo'
-forgejo_data_dir: '/var/lib/vm/forgejo/data'
-forgejo_postgres_dir: '/var/lib/vm/forgejo/postgres'
+---
+forgejo_app_dir: "/srv/docker/forgejo"
+forgejo_data_dir: "/var/lib/vm/forgejo/data"
+forgejo_postgres_dir: "/var/lib/vm/forgejo/postgres"
 
-forgejo_image_tag: 'codeberg.org/forgejo/forgejo:11'
+forgejo_image_tag: "codeberg.org/forgejo/forgejo:11"
 
 forgejo_postgres_user: forgejo
 forgejo_postgres_name: forgejo
 
 # TODO: write to docker secret
 forgejo_postgres_password: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  30303039313766373966373364346539306661376564613530656565313131623635666435333564
-  6463316365373564383964316635366337376237386134340a353839313761633865646638356165
-  31306666616235336132363232303639303065343436656233366264333236323435393963373062
-  3165326331633438620a323064663435396666316266396135633463653335323534616264383965
-  33383262373831656335363434333938363230373133646436653261346364353463333065303534
-  66383533646636313662376236373931383065386330663438623363336664353832343263323336
-  366531643930326636343466343732373036
+  $ANSIBLE_VAULT;1.1;AES256
+  30303039313766373966373364346539306661376564613530656565313131623635666435333564
+  6463316365373564383964316635366337376237386134340a353839313761633865646638356165
+  31306666616235336132363232303639303065343436656233366264333236323435393963373062
+  3165326331633438620a323064663435396666316266396135633463653335323534616264383965
+  33383262373831656335363434333938363230373133646436653261346364353463333065303534
+  66383533646636313662376236373931383065386330663438623363336664353832343263323336
+  366531643930326636343466343732373036
diff --git a/host_vars/fudiggity/glitchtip.yml b/host_vars/fudiggity/glitchtip.yml
index 94bed93..05317e4 100644
--- a/host_vars/fudiggity/glitchtip.yml
+++ b/host_vars/fudiggity/glitchtip.yml
@@ -1,14 +1,15 @@
+---
 glitchtip_image_tag: glitchtip/glitchtip:v4.2
 glitchtip_app_dir: /srv/docker/glitchtip
 
 glitchtip_secret_key: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  37363333306434636331626231663964626631616131326335333832323939363865353431633233
-  6263363535646132316130373536303466613436656636300a333231383137326634326230343661
-  63333933363038333865633930663562306163613164623731613866353861616435373865666330
-  6131663965663836300a636366386432666133343364353763333731376561646338383531613363
-  32383834646461383562303564663135633932616536646134393632626664376335373136383638
-  35323934653664666530343562363461396230333435336166343033643732663766383633343337
-  30303938633939623830363661633936323031373362353363346530363535613363393432666462
-  37643033336130393166
+  $ANSIBLE_VAULT;1.1;AES256
+  37363333306434636331626231663964626631616131326335333832323939363865353431633233
+  6263363535646132316130373536303466613436656636300a333231383137326634326230343661
+  63333933363038333865633930663562306163613164623731613866353861616435373865666330
+  6131663965663836300a636366386432666133343364353763333731376561646338383531613363
+  32383834646461383562303564663135633932616536646134393632626664376335373136383638
+  35323934653664666530343562363461396230333435336166343033643732663766383633343337
+  30303938633939623830363661633936323031373362353363346530363535613363393432666462
+  37643033336130393166
diff --git a/host_vars/fudiggity/jellyfin.yml b/host_vars/fudiggity/jellyfin.yml
index b6d0306..443e040 100644
--- a/host_vars/fudiggity/jellyfin.yml
+++ b/host_vars/fudiggity/jellyfin.yml
@@ -1,3 +1,4 @@
+---
 jellyfin_image_tag: jellyfin/jellyfin:10.10.7
 jellyfin_app_dir: /srv/docker/jellyfin
 jellyfin_configuration_dir: /home/sonny/.config/jellyfin
diff --git a/host_vars/fudiggity/main.yml b/host_vars/fudiggity/main.yml
index 52eed7c..c0a2d59 100644
--- a/host_vars/fudiggity/main.yml
+++ b/host_vars/fudiggity/main.yml
@@ -1,3 +1,4 @@
+---
 packages:
   - nftables
   - syncthing
@@ -12,12 +13,12 @@ packages:
   - certbot
   - unattended-upgrades
 
-vpn_config_dir: '/etc/wireguard'
+vpn_config_dir: "/etc/wireguard"
 
-hostname: 'fudiggity'
+hostname: "fudiggity"
 
-xdg_config_dir: '/home/sonny/.config'
-xdg_data_dir: '/home/sonny/.local/share'
-xdg_state_dir: '/home/sonny/.local/state'
+xdg_config_dir: "/home/sonny/.config"
+xdg_data_dir: "/home/sonny/.local/share"
+xdg_state_dir: "/home/sonny/.local/state"
 
 systemd_service_dir: /etc/systemd/system
diff --git a/host_vars/fudiggity/mpd.yml b/host_vars/fudiggity/mpd.yml
index c039bdd..3c28019 100644
--- a/host_vars/fudiggity/mpd.yml
+++ b/host_vars/fudiggity/mpd.yml
@@ -1,6 +1,7 @@
-mpd_app_dir: '/srv/docker/mpd'
-mpd_music_dir: '/home/sonny/music'
+---
+mpd_app_dir: "/srv/docker/mpd"
+mpd_music_dir: "/home/sonny/music"
 
-mpd_config_dir: '{{ xdg_config_dir }}/mpd'
-mpd_playlist_dir: '{{ xdg_data_dir }}/mpd/playlists'
-mpd_state_dir: '{{ xdg_state_dir }}/mpd'
+mpd_config_dir: "{{ xdg_config_dir }}/mpd"
+mpd_playlist_dir: "{{ xdg_data_dir }}/mpd/playlists"
+mpd_state_dir: "{{ xdg_state_dir }}/mpd"
diff --git a/host_vars/fudiggity/network.yml b/host_vars/fudiggity/network.yml
index 11d6725..478832d 100644
--- a/host_vars/fudiggity/network.yml
+++ b/host_vars/fudiggity/network.yml
@@ -1,3 +1,4 @@
+---
 network_interface: link1
 network_mac: 00:1b:21:3b:50:e2
 
@@ -13,22 +14,22 @@ ssh_port: 39901
 
 vpn_listen_address: 10.0.0.1
 vpn_prefix: 24
-vpn_subnet: '10.0.0.0/{{ vpn_prefix }}'
+vpn_subnet: "10.0.0.0/{{ vpn_prefix }}"
 vpn_port: 51902
 vpn_interface: wg0
-vpn_domain: 'vpn.{{ domain_name }}'
+vpn_domain: "vpn.{{ domain_name }}"
 
 vpn_media_listen_address: 10.0.1.1
 vpn_media_prefix: 24
-vpn_media_subnet: '10.0.1.0/{{ vpn_media_prefix }}'
+vpn_media_subnet: "10.0.1.0/{{ vpn_media_prefix }}"
 vpn_media_port: 51903
 vpn_media_interface: wg1
-vpn_media_domain: 'media-vpn.{{ domain_name }}'
+vpn_media_domain: "media-vpn.{{ domain_name }}"
 
-mpd_domain: 'mpd.{{ domain_name }}'
+mpd_domain: "mpd.{{ domain_name }}"
 mpd_listen_address: 0.0.0.0
 mpd_prefix: 24
-mpd_subnet: '172.128.238.0/{{ mpd_prefix }}'
+mpd_subnet: "172.128.238.0/{{ mpd_prefix }}"
 mpd_port: 21000
 mpd_http_stream_port: 8000
 mpd_http_mobile_stream_port: 8001
@@ -51,31 +52,31 @@ glitchtip_ip: 127.0.0.1
 glitchtip_app_port: 7200
 glitchtip_domain: glitchtip.fudiggity.nl
 
-syncthing_domain: 'syncthing.{{ domain_name }}'
+syncthing_domain: "syncthing.{{ domain_name }}"
 syncthing_listen_address: 0.0.0.0
 syncthing_prefix: 24
-syncthing_subnet: '172.32.238.0/{{ syncthing_prefix }}'
+syncthing_subnet: "172.32.238.0/{{ syncthing_prefix }}"
 syncthing_gui_port: 8384
 syncthing_protocol_port: 22000
 syncthing_nginx_ip: 172.32.238.10
 syncthing_app_ip: 172.32.238.11
 
-radicale_domain: 'radicale.{{ domain_name }}'
+radicale_domain: "radicale.{{ domain_name }}"
 radicale_prefix: 24
-radicale_subnet: '172.64.238.0/{{ radicale_prefix }}'
+radicale_subnet: "172.64.238.0/{{ radicale_prefix }}"
 radicale_nginx_ip: 172.64.238.10
 radicale_app_port: 5232
 radicale_app_ip: 172.64.238.11
 
-transmission_domain: 'transmission.{{ domain_name }}'
+transmission_domain: "transmission.{{ domain_name }}"
 transmission_prefix: 24
-transmission_subnet: '172.16.238.0/{{ transmission_prefix }}'
+transmission_subnet: "172.16.238.0/{{ transmission_prefix }}"
 transmission_web_port: 9091
 transmission_peer_port: 51413
 transmission_nginx_ip: 172.16.238.10
 
-jellyfin_domain: 'jellyfin.{{ domain_name }}'
+jellyfin_domain: "jellyfin.{{ domain_name }}"
 jellyfin_prefix: 24
-jellyfin_subnet: '172.8.238.0/{{ jellyfin_prefix }}'
+jellyfin_subnet: "172.8.238.0/{{ jellyfin_prefix }}"
 jellyfin_web_port: 8096
 jellyfin_nginx_ip: 172.8.238.10
diff --git a/host_vars/fudiggity/newsreader.yml b/host_vars/fudiggity/newsreader.yml
index b395818..2d9a5fa 100644
--- a/host_vars/fudiggity/newsreader.yml
+++ b/host_vars/fudiggity/newsreader.yml
@@ -1,3 +1,4 @@
+---
 newsreader_app_name: newsreader
 newsreader_app_repository: https://forgejo.fudiggity.nl/sonny/newsreader
 newsreader_app_ref: 0.5.3
@@ -8,32 +9,32 @@ newsreader_postgres_port: 5432
 newsreader_postgres_db: newsreader
 newsreader_postgres_user: newsreader
 newsreader_postgres_password: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  65613063373266623636626561646639393263313030386337633737636137363730353561356339
-  6433646638316465623338396637623732623563643561640a616639393639356533316431663665
-  30646637363364353062353338303331343234626138653037373661636234373238343264356265
-  6539643939376662650a613631636531383534666435383763613038393966633031353765323234
-  62613865373661333661373562366466333732663737643739663862376466646331386133326364
-  6638366665623036666634616131636634663933323136303334
+  $ANSIBLE_VAULT;1.1;AES256
+  65613063373266623636626561646639393263313030386337633737636137363730353561356339
+  6433646638316465623338396637623732623563643561640a616639393639356533316431663665
+  30646637363364353062353338303331343234626138653037373661636234373238343264356265
+  6539643939376662650a613631636531383534666435383763613038393966633031353765323234
+  62613865373661333661373562366466333732663737643739663862376466646331386133326364
+  6638366665623036666634616131636634663933323136303334
 
 newsreader_django_settings_module: newsreader.conf.production
 
 newsreader_django_secret_key: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  65353236663439393937623930623830313365663766663966343661376662366131313838316536
-  3430633837666138633063333630373338366331653865320a646563663262656464636434323166
-  63616435356533643735343165363761336537616439303464353164633233626632666263636633
-  3237613866353131300a653366313635313365623539393438383434653134396137666533353063
-  63363335643135653535613231653434653566343964363431636264633963326239646633663031
-  38323266326165303064333666653630316634383864666232376165393362323261363833376334
-  323636376639353730366332323039633036
+  $ANSIBLE_VAULT;1.1;AES256
+  65353236663439393937623930623830313365663766663966343661376662366131313838316536
+  3430633837666138633063333630373338366331653865320a646563663262656464636434323166
+  63616435356533643735343165363761336537616439303464353164633233626632666263636633
+  3237613866353131300a653366313635313365623539393438383434653134396137666533353063
+  63363335643135653535613231653434653566343964363431636264633963326239646633663031
+  38323266326165303064333666653630316634383864666232376165393362323261363833376334
+  323636376639353730366332323039633036
 
 newsreader_sentry_dsn: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  33323865313232393535336363613261663030656465323734323266303837393561633435613736
-  3135353435633337346363316262373431393738303033390a333230343037656266366539323366
-  31373761356431666332396665393564656662396339393531326232366333323861376133653664
-  3739646664623230630a366239623838393766666237643663626261636237393839646136303931
-  66396263623432636430643839336463343438383461646165666131633762646438663532313633
-  66343562376632316665356163633064336530346463636432396537363938363062333861656362
-  63333832663737396330366430336632376638393632656565376436653839363634373437376261
-  36313337616533633239
+  $ANSIBLE_VAULT;1.1;AES256
+  33323865313232393535336363613261663030656465323734323266303837393561633435613736
+  3135353435633337346363316262373431393738303033390a333230343037656266366539323366
+  31373761356431666332396665393564656662396339393531326232366333323861376133653664
+  3739646664623230630a366239623838393766666237643663626261636237393839646136303931
+  66396263623432636430643839336463343438383461646165666131633762646438663532313633
+  66343562376632316665356163633064336530346463636432396537363938363062333861656362
+  63333832663737396330366430336632376638393632656565376436653839363634373437376261
+  36313337616533633239
diff --git a/host_vars/fudiggity/radicale.yml b/host_vars/fudiggity/radicale.yml
index ae0b24d..da6296f 100644
--- a/host_vars/fudiggity/radicale.yml
+++ b/host_vars/fudiggity/radicale.yml
@@ -1,5 +1,6 @@
-radicale_app_dir: '/srv/docker/radicale'
-radicale_collection_dir: '{{ radicale_app_dir }}/collections'
+---
+radicale_app_dir: "/srv/docker/radicale"
+radicale_collection_dir: "{{ radicale_app_dir }}/collections"
 
 radicale_version: 3.5.1
 radicale_python_version: 3.13
diff --git a/host_vars/fudiggity/syncthing.yml b/host_vars/fudiggity/syncthing.yml
index 4816b55..8ca4cf8 100644
--- a/host_vars/fudiggity/syncthing.yml
+++ b/host_vars/fudiggity/syncthing.yml
@@ -1,13 +1,14 @@
-syncthing_app_dir: '/srv/docker/syncthing'
+---
+syncthing_app_dir: "/srv/docker/syncthing"
 
 syncthing_config_version: 37
 syncthing_api_key: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  31663863326431623139663861316432656264646533323934393033386263613162303266613265
-  3239613930623264383161363664636232663764616138360a643239393735393862376133313062
-  63643434636462306663303434393837353230623830323065626432346336363332363063313533
-  6334633838636664610a323762373839393331653130393136356136303535393662643736643735
-  30316565373866326337383137633639636566623263333061633830366634666537633765343533
-  3736383135393238663963353131663733363962343163363539
+  $ANSIBLE_VAULT;1.1;AES256
+  31663863326431623139663861316432656264646533323934393033386263613162303266613265
+  3239613930623264383161363664636232663764616138360a643239393735393862376133313062
+  63643434636462306663303434393837353230623830323065626432346336363332363063313533
+  6334633838636664610a323762373839393331653130393136356136303535393662643736643735
+  30316565373866326337383137633639636566623263333061633830366634666537633765343533
+  3736383135393238663963353131663733363962343163363539
 
 syncthing_devices:
   - name: Desktop
diff --git a/host_vars/fudiggity/transip_client.yml b/host_vars/fudiggity/transip_client.yml
index a6e69ef..d4d524a 100644
--- a/host_vars/fudiggity/transip_client.yml
+++ b/host_vars/fudiggity/transip_client.yml
@@ -1,3 +1,4 @@
+---
 transip_client_repository: https://forgejo.fudiggity.nl/sonny/transip-client
 transip_client_app_ref: 0.7.0
 
diff --git a/host_vars/fudiggity/transmission.yml b/host_vars/fudiggity/transmission.yml
index d308c7d..afa5ff7 100644
--- a/host_vars/fudiggity/transmission.yml
+++ b/host_vars/fudiggity/transmission.yml
@@ -1,5 +1,6 @@
-transmission_app_dir: '/srv/docker/tranmission'
-transmission_download_dir: '/home/sonny/downloads'
-transmission_incomplete_dir: '/home/sonny/downloads/incomplete_downloads'
+---
+transmission_app_dir: "/srv/docker/tranmission"
+transmission_download_dir: "/home/sonny/downloads"
+transmission_incomplete_dir: "/home/sonny/downloads/incomplete_downloads"
 
 transmission_ratelimit_ratio: 2
diff --git a/host_vars/fudiggity/vpn.yml b/host_vars/fudiggity/vpn.yml
index 78ab740..ab4a583 100644
--- a/host_vars/fudiggity/vpn.yml
+++ b/host_vars/fudiggity/vpn.yml
@@ -1,31 +1,32 @@
-vpn_server_public_key_path: '{{ vpn_config_dir }}/keys/public/server.pub'
-vpn_server_public_key_source_path: 'files/wireguard/default/server.pub'
-vpn_server_key_path: '{{ vpn_config_dir }}/keys/private/server.key'
+---
+vpn_server_public_key_path: "{{ vpn_config_dir }}/keys/public/server.pub"
+vpn_server_public_key_source_path: "files/wireguard/default/server.pub"
+vpn_server_key_path: "{{ vpn_config_dir }}/keys/private/server.key"
 
 copy_vpn_configurations: false
 
 vpn_peers:
   laptop:
-    ip: '10.0.0.2'
-    public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
-    preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-laptop.psk'
-    preshared_key_source_path: 'files/wireguard/default/preshared-laptop.psk'
+    ip: "10.0.0.2"
+    public_key: "EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw="
+    preshared_key_path: "{{ vpn_config_dir }}/keys/private/preshared-laptop.psk"
+    preshared_key_source_path: "files/wireguard/default/preshared-laptop.psk"
 
   desktop:
-    ip: '10.0.0.3'
-    public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
-    preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-desktop.psk'
-    preshared_key_source_path: 'files/wireguard/default/preshared-desktop.psk'
+    ip: "10.0.0.3"
+    public_key: "izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4="
+    preshared_key_path: "{{ vpn_config_dir }}/keys/private/preshared-desktop.psk"
+    preshared_key_source_path: "files/wireguard/default/preshared-desktop.psk"
 
   # has extra key to generate mobile configuration file
   mobile:
-    ip: '10.0.0.4'
+    ip: "10.0.0.4"
     allowed_ips:
-      - '{{ vpn_subnet }}'
-      - '{{ transmission_subnet }}'
-      - '{{ syncthing_subnet }}'
-      - '{{ radicale_subnet }}'
-    public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
-    preshared_key_path: '{{ vpn_config_dir }}/keys/private/preshared-mobile.psk'
-    preshared_key_source_path: 'files/wireguard/default/preshared-mobile.psk'
-    private_key_source_path: 'files/wireguard/default/mobile.key'
+      - "{{ vpn_subnet }}"
+      - "{{ transmission_subnet }}"
+      - "{{ syncthing_subnet }}"
+      - "{{ radicale_subnet }}"
+    public_key: "4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY="
+    preshared_key_path: "{{ vpn_config_dir }}/keys/private/preshared-mobile.psk"
+    preshared_key_source_path: "files/wireguard/default/preshared-mobile.psk"
+    private_key_source_path: "files/wireguard/default/mobile.key"
diff --git a/host_vars/fudiggity/vpn_media.yml b/host_vars/fudiggity/vpn_media.yml
index bc67f12..7598b16 100644
--- a/host_vars/fudiggity/vpn_media.yml
+++ b/host_vars/fudiggity/vpn_media.yml
@@ -1,3 +1,4 @@
+---
 vpn_media_server_public_key_path: "{{ vpn_config_dir }}/keys/public/media_server.pub"
 vpn_media_server_public_key_source_path: files/wireguard/media/server.pub
 vpn_media_server_key_path: "{{ vpn_config_dir }}/keys/private/media_server.key"
diff --git a/host_vars/fudiggity/woodpecker_ci.yml b/host_vars/fudiggity/woodpecker_ci.yml
index 5b02358..3886c36 100644
--- a/host_vars/fudiggity/woodpecker_ci.yml
+++ b/host_vars/fudiggity/woodpecker_ci.yml
@@ -1,42 +1,43 @@
-woodpecker_domain: 'woodpecker.fudiggity.nl'
+---
+woodpecker_domain: "woodpecker.fudiggity.nl"
 
-woodpecker_image_tag: 'woodpeckerci/woodpecker-server:v2.8.0'
-woodpecker_agent_tag: 'woodpeckerci/woodpecker-agent:v2.8.0'
+woodpecker_image_tag: "woodpeckerci/woodpecker-server:v2.8.0"
+woodpecker_agent_tag: "woodpeckerci/woodpecker-agent:v2.8.0"
 
 woodpecker_postgres_user: woodpecker
 woodpecker_postgres_name: woodpecker
 
-woodpecker_app_dir: '/srv/docker/woodpecker'
+woodpecker_app_dir: "/srv/docker/woodpecker"
 
 woodpecker_forgejo_url: https://forgejo.fudiggity.nl
 
 woodpecker_forgejo_client: f467d6ee-6095-4c90-9d14-674d60b07183
 
 woodpecker_forgejo_secret: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  31656532363665313866353961373862363031356437326234623030623235363039643663633662
-  6139656163646464613166653033663266313264646666620a336465306235336534633038333436
-  31306630323165646565333466383962626163303433393166326264633566623938366339326662
-  3261623736656631300a306161363061353463363361636433326431356532333761666637626163
-  35323065623661363638643062663066306134643035636561346663303138373634643466306161
-  36643037303932323032613432386230356139333963613038373531316536333461643166306261
-  613738363231323938653439373262663633
+  $ANSIBLE_VAULT;1.1;AES256
+  31656532363665313866353961373862363031356437326234623030623235363039643663633662
+  6139656163646464613166653033663266313264646666620a336465306235336534633038333436
+  31306630323165646565333466383962626163303433393166326264633566623938366339326662
+  3261623736656631300a306161363061353463363361636433326431356532333761666637626163
+  35323065623661363638643062663066306134643035636561346663303138373634643466306161
+  36643037303932323032613432386230356139333963613038373531316536333461643166306261
+  613738363231323938653439373262663633
 
 woodpecker_agent_secret: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  62306636643432613934633038643363373831346639383635356366333634376337303438386339
-  3264363234653362646364326263313465356261313738340a616133663630376166653364376363
-  34353165373663343236336330643365663830393836393264373032666536633733636161663661
-  3464333936613066630a636166343931306365646334373731383430646233316332313861663838
-  64663761303237613335613366343731326630386239633061633363666330663336623730303061
-  38376266636662363834663664643466643361363563396539316234623764363464303336663662
-  613362623365363563323934653562366138
+  $ANSIBLE_VAULT;1.1;AES256
+  62306636643432613934633038643363373831346639383635356366333634376337303438386339
+  3264363234653362646364326263313465356261313738340a616133663630376166653364376363
+  34353165373663343236336330643365663830393836393264373032666536633733636161663661
+  3464333936613066630a636166343931306365646334373731383430646233316332313861663838
+  64663761303237613335613366343731326630386239633061633363666330663336623730303061
+  38376266636662363834663664643466643361363563396539316234623764363464303336663662
+  613362623365363563323934653562366138
 
 woodpecker_postgres_password: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  33363337656661326362396537336638383036386631643935323136636661363865633763303138
-  6566643036333166326230366531633062306362636236630a626235323439663231363164366166
-  34633166313431623236323039643164396130653664393062306334653761663264666636316436
-  3963646536663863350a633836376238333939313363613932353039353465306330623965633161
-  37376336353664386166303865373939616434613966393163623536616432623035653235623763
-  35623063333766636131653065313064383163383261383866626232343335326566316431623233
-  326434353932373335366636613863666635
+  $ANSIBLE_VAULT;1.1;AES256
+  33363337656661326362396537336638383036386631643935323136636661363865633763303138
+  6566643036333166326230366531633062306362636236630a626235323439663231363164366166
+  34633166313431623236323039643164396130653664393062306334653761663264666636316436
+  3963646536663863350a633836376238333939313363613932353039353465306330623965633161
+  37376336353664386166303865373939616434613966393163623536616432623035653235623763
+  35623063333766636131653065313064383163383261383866626232343335326566316431623233
+  326434353932373335366636613863666635
diff --git a/inventory.yml b/inventory.yml
index b41db92..9fb4b53 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -1,3 +1,4 @@
+---
 bookworm:
   hosts:
     fudiggity:
diff --git a/playbook.yml b/playbook.yml
index caaad76..e52e3c0 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,10 +1,11 @@
+---
 - name: Provision debian server
   hosts: bookworm
   pre_tasks:
     - name: Install shared packages
       become: true
       ansible.builtin.apt:
-        name: '{{ packages }}'
+        name: "{{ packages }}"
   tasks:
     - name: Generic provisioning
       ansible.builtin.import_tasks: tasks/setup.yml
@@ -71,4 +72,4 @@ tags: transip-client
 
   handlers:
     - name: Import handlers
-      ansible.builtin.import_tasks: 'handlers.yml'
+      ansible.builtin.import_tasks: "handlers.yml"
diff --git a/tasks/docker.yml b/tasks/docker.yml
index 7d32d83..2e854df 100644
--- a/tasks/docker.yml
+++ b/tasks/docker.yml
@@ -1,35 +1,37 @@
-- name: 'prepare apt keyring'
+---
+- name: "Prepare apt keyring"
   become: true
-  command: install -m 0755 -d /etc/apt/keyrings
+  ansible.builtin.command: install -m 0755 -d /etc/apt/keyrings
 
-- name: 'create docker directory'
+- name: "Create docker directory"
   become: true
-  file:
-    path: '/etc/docker'
+  ansible.builtin.file:
+    path: "/etc/docker"
     state: directory
     owner: root
 
-- name: 'copy docker files'
+- name: "Copy docker files"
   become: true
-  copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     owner: root
   loop:
-    - { src: 'files/docker/apt.gpg', dest: '/etc/apt/keyrings/docker.gpg' }
-    - { src: 'files/docker/config.json', dest: '/etc/docker/daemon.json' }
+    - { src: "files/docker/apt.gpg", dest: "/etc/apt/keyrings/docker.gpg" }
+    - { src: "files/docker/config.json", dest: "/etc/docker/daemon.json" }
   notify: restart docker service
 
-- name: 'install docker apt source'
+- name: "Install docker apt source"
   become: true
-  template:
-    src: 'templates/docker.j2'
-    dest: '/etc/apt/sources.list.d/docker.list'
+  ansible.builtin.template:
+    src: "templates/docker.j2"
+    dest: "/etc/apt/sources.list.d/docker.sources"
+    mode: "0664"
     owner: root
 
-- name: 'install docker'
+- name: "Install docker"
   become: true
-  apt:
+  ansible.builtin.apt:
     update_cache: true
     state: present
     name:
diff --git a/tasks/forgejo.yml b/tasks/forgejo.yml
index 22efb41..4d3622f 100644
--- a/tasks/forgejo.yml
+++ b/tasks/forgejo.yml
@@ -1,3 +1,4 @@
+---
 - name: Create git user
   become: true
   ansible.builtin.user:
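Review bot: `mode: "0664"` on the new `/etc/apt/sources.list.d/docker.sources` makes the apt source definition group-writable, which is wider than an apt configuration file needs; since this file decides which repository and signing key apt trusts, `mode: "0644"` is the safer setting. The rename from `docker.list` to `docker.sources` also leaves the old `docker.list` in place on hosts provisioned before this change, so apt will see the Docker repository twice and keep whatever the stale file says; a task that removes it, as below, closes that gap. This presumes `templates/docker.j2` was switched to the deb822 layout that `.sources` files use in a change not shown here. Separately, `Prepare apt keyring` running `install -m 0755 -d` through `ansible.builtin.command` reports changed on every run; `ansible.builtin.file` with `state: directory` and `mode: "0755"` would be idempotent.
```yaml
    dest: "/etc/apt/sources.list.d/docker.sources"
    mode: "0644"
    owner: root

- name: "Remove legacy docker apt source"
  become: true
  ansible.builtin.file:
    path: "/etc/apt/sources.list.d/docker.list"
    state: absent

# … unchanged: Install docker …
```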
@@ -9,54 +10,54 @@
 - name: Create required directories
   become: true
   ansible.builtin.file:
-    path: '{{ item.path }}'
-    state: '{{ item.state }}'
-    mode: '{{ item.mode }}'
-    owner: '{{ item.owner }}'
-    group: '{{ item.group }}'
+    path: "{{ item.path }}"
+    state: "{{ item.state }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
   loop:
-    - path: '{{ forgejo_app_dir }}'
+    - path: "{{ forgejo_app_dir }}"
       owner: sonny
       group: sonny
       state: directory
-      mode: '0755'
+      mode: "0755"
 
-    - path: '{{ forgejo_data_dir }}'
+    - path: "{{ forgejo_data_dir }}"
       owner: sonny
       group: sonny
       state: directory
-      mode: '0755'
+      mode: "0755"
 
-    - path: '{{ forgejo_postgres_password }}'
+    - path: "{{ forgejo_postgres_password }}"
       owner: sonny
       group: sonny
       state: directory
-      mode: '0755'
+      mode: "0755"
 
 - name: Copy docker-compose file
   ansible.builtin.template:
     src: templates/forgejo/docker-compose.j2
-    dest: '{{ forgejo_app_dir }}/docker-compose.yml'
-    mode: '0755'
+    dest: "{{ forgejo_app_dir }}/docker-compose.yml"
+    mode: "0755"
 
 - name: Stop current containers
   community.docker.docker_compose_v2:
-    project_src: '{{ forgejo_app_dir }}'
+    project_src: "{{ forgejo_app_dir }}"
     state: stopped
 
 - name: Pull missing image
   community.docker.docker_compose_v2:
-    project_src: '{{ forgejo_app_dir }}'
+    project_src: "{{ forgejo_app_dir }}"
     pull: missing
     state: stopped
 
 - name: Remove dangling containers
   community.docker.docker_compose_v2:
-    project_src: '{{ forgejo_app_dir }}'
+    project_src: "{{ forgejo_app_dir }}"
     remove_orphans: true
     state: stopped
 
 - name: Start container
   community.docker.docker_compose_v2:
-    project_src: '{{ forgejo_app_dir }}'
+    project_src: "{{ forgejo_app_dir }}"
     state: present
diff --git a/tasks/glitchtip.yml b/tasks/glitchtip.yml
index bc317d6..4601298 100644
--- a/tasks/glitchtip.yml
+++ b/tasks/glitchtip.yml
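Review bot: The third loop item of `Create required directories` still reads `- path: "{{ forgejo_postgres_password }}"`, so with `become: true` the play creates a 0755 directory whose name is the decrypted database password, while `forgejo_postgres_dir` — defined for exactly this purpose in the host_vars hunk of this commit — is never created. Beyond being the wrong directory, this writes the secret into the filesystem namespace where any local user can list it and into Ansible's task output; change it to `- path: "{{ forgejo_postgres_dir }}"`. Separately, `Copy docker-compose file` writes the compose file with `mode: "0755"`; if the template inlines the postgres password (the `# TODO: write to docker secret` in host_vars suggests it does), `mode: "0640"` as the glitchtip task uses would keep it from other local users.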
@@ -1,42 +1,43 @@
+---
 - name: Create required directories
   become: true
   ansible.builtin.file:
-    path: '{{ item.path }}'
-    state: '{{ item.state }}'
-    mode: '{{ item.mode }}'
-    owner: '{{ item.owner }}'
-    group: '{{ item.group }}'
+    path: "{{ item.path }}"
+    state: "{{ item.state }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
   loop:
-    - path: '{{ glitchtip_app_dir }}'
+    - path: "{{ glitchtip_app_dir }}"
       owner: sonny
       group: sonny
       state: directory
-      mode: '0755'
+      mode: "0755"
 
 - name: Copy docker-compose file
   ansible.builtin.template:
     src: templates/glitchtip/docker-compose.j2
-    dest: '{{ glitchtip_app_dir }}/docker-compose.yml'
-    mode: '0750'
+    dest: "{{ glitchtip_app_dir }}/docker-compose.yml"
+    mode: "0750"
 
 - name: Stop current containers
   community.docker.docker_compose_v2:
-    project_src: '{{ glitchtip_app_dir }}'
+    project_src: "{{ glitchtip_app_dir }}"
     state: stopped
 
 - name: Pull missing image
   community.docker.docker_compose_v2:
-    project_src: '{{ glitchtip_app_dir }}'
+    project_src: "{{ glitchtip_app_dir }}"
     pull: missing
     state: stopped
 
 - name: Remove dangling containers
   community.docker.docker_compose_v2:
-    project_src: '{{ glitchtip_app_dir }}'
+    project_src: "{{ glitchtip_app_dir }}"
     remove_orphans: true
     state: stopped
 
 - name: Start container
   community.docker.docker_compose_v2:
-    project_src: '{{ glitchtip_app_dir }}'
+    project_src: "{{ glitchtip_app_dir }}"
     state: present
diff --git a/tasks/jellyfin.yml b/tasks/jellyfin.yml
index d0657f1..0b57c54 100644
--- a/tasks/jellyfin.yml
+++ b/tasks/jellyfin.yml
@@ -1,29 +1,30 @@
+---
 - name: Create directories
   become: true
   ansible.builtin.file:
-    path: '{{ item.path }}'
+    path: "{{ item.path }}"
     state: directory
-    owner: '{{ item.owner }}'
-    group: '{{ item.group }}'
-    mode: '0755'
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "0755"
   loop:
-    - path: '{{ jellyfin_configuration_dir }}'
+    - path: "{{ jellyfin_configuration_dir }}"
       owner: sonny
       group: sonny
 
-    - path: '{{ jellyfin_media_dir }}'
+    - path: "{{ jellyfin_media_dir }}"
       owner: sonny
       group: sonny
 
-    - path: '{{ jellyfin_cache_dir }}'
+    - path: "{{ jellyfin_cache_dir }}"
       owner: sonny
       group: sonny
 
-    - path: '{{ jellyfin_app_dir }}'
+    - path: "{{ jellyfin_app_dir }}"
       owner: root
       group: root
 
-    - path: '{{ jellyfin_app_dir }}/nginx.conf.d'
+    - path: "{{ jellyfin_app_dir }}/nginx.conf.d"
       owner: sonny
       group: sonny
 
@@ -31,38 +32,38 @@
   become: true
   ansible.builtin.template:
     src: templates/jellyfin/docker-compose.j2
-    dest: '{{ jellyfin_app_dir }}/docker-compose.yml'
+    dest: "{{ jellyfin_app_dir }}/docker-compose.yml"
     owner: sonny
     group: sonny
-    mode: '0755'
+    mode: "0755"
 
 - name: Copy NGINX configuration
   become: true
   ansible.builtin.template:
-    src: 'templates/jellyfin/nginx.j2'
-    dest: '{{ jellyfin_app_dir }}/nginx.conf.d/default.conf'
+    src: "templates/jellyfin/nginx.j2"
+    dest: "{{ jellyfin_app_dir }}/nginx.conf.d/default.conf"
     owner: sonny
     group: sonny
-    mode: '0755'
+    mode: "0755"
 
 - name: Stop jellyfin
   community.docker.docker_compose_v2:
-    project_src: '{{ jellyfin_app_dir }}'
+    project_src: "{{ jellyfin_app_dir }}"
     state: stopped
 
 - name: Pull {{ image_tag }}
   community.docker.docker_compose_v2:
-    project_src: '{{ jellyfin_app_dir }}'
+    project_src: "{{ jellyfin_app_dir }}"
     pull: missing
     state: stopped
 
 - name: Remove dangling containers
   community.docker.docker_compose_v2:
-    project_src: '{{ jellyfin_app_dir }}'
+    project_src: "{{ jellyfin_app_dir }}"
     remove_orphans: true
     state: stopped
 
 - name: Start jellyfin
   community.docker.docker_compose_v2:
-    project_src: '{{ jellyfin_app_dir }}'
+    project_src: "{{ jellyfin_app_dir }}"
     state: present
diff --git a/tasks/mpd.yml b/tasks/mpd.yml
index 0fa42c8..e8a3c1a 100644
--- a/tasks/mpd.yml
+++ b/tasks/mpd.yml
@@ -1,3 +1,4 @@
+---
 - name: Stop systemd mpd service
   become: true
   ansible.builtin.systemd:
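Review bot: Both templated files in this hunk are written with `mode: "0755"`, giving docker-compose.yml and the nginx `default.conf` an executable bit that data files never need; `mode: "0644"` (or `"0640"` if the compose file embeds anything sensitive) is the conventional setting. The task name `Pull {{ image_tag }}` references `image_tag`, whereas the host_vars hunk in this commit defines `jellyfin_image_tag`; if `image_tag` is not defined elsewhere the name is left unrendered in play output, so `- name: Pull {{ jellyfin_image_tag }}` is presumably what was meant. The task whose `become: true` opens this hunk starts on a line outside it.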
@@ -15,92 +16,92 @@ - name: Remove previous configurations become: true ansible.builtin.file: - path: '{{ item.path }}' + path: "{{ item.path }}" state: absent loop: - - path: '/etc/systemd/system/mpd.service.d' - - path: '/etc/systemd/system/mpd.socket.d' + - path: "/etc/systemd/system/mpd.service.d" + - path: "/etc/systemd/system/mpd.socket.d" - name: Create mpd directories become: true ansible.builtin.file: - path: '{{ item.path }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' - mode: '0755' + path: "{{ item.path }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "0755" state: directory loop: - - path: '{{ mpd_config_dir }}' + - path: "{{ mpd_config_dir }}" owner: sonny group: sonny - - path: '{{ mpd_playlist_dir }}' + - path: "{{ mpd_playlist_dir }}" owner: sonny group: sonny - - path: '{{ mpd_state_dir }}' + - path: "{{ mpd_state_dir }}" owner: sonny group: sonny - - path: '{{ mpd_app_dir }}' + - path: "{{ mpd_app_dir }}" owner: root group: root - name: Copy mpd templates become: true ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - mode: '{{ item.mode }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" loop: - src: templates/mpd/config.j2 - dest: '{{ mpd_config_dir }}/mpd.conf' - mode: '0640' + dest: "{{ mpd_config_dir }}/mpd.conf" + mode: "0640" owner: sonny group: sonny - src: templates/mpd/dockerfile.j2 - dest: '{{ mpd_app_dir }}/Dockerfile' - mode: '0755' + dest: "{{ mpd_app_dir }}/Dockerfile" + mode: "0755" owner: sonny group: sonny - src: templates/mpd/docker-compose.j2 - dest: '{{ mpd_app_dir }}/docker-compose.yml' - mode: '0755' + dest: "{{ mpd_app_dir }}/docker-compose.yml" + mode: "0755" owner: sonny group: sonny - name: Create mpd files ansible.builtin.file: - path: '{{ item }}' - mode: '0755' + path: "{{ item }}" + mode: "0755" state: touch loop: - - '{{ 
mpd_config_dir }}/db' - - '{{ mpd_config_dir }}/sticker.sql' - - '{{ mpd_state_dir }}/state' + - "{{ mpd_config_dir }}/db" + - "{{ mpd_config_dir }}/sticker.sql" + - "{{ mpd_state_dir }}/state" - name: Stop current containers community.docker.docker_compose_v2: - project_src: '{{ mpd_app_dir }}' + project_src: "{{ mpd_app_dir }}" state: stopped - name: Build image community.docker.docker_compose_v2: - project_src: '{{ mpd_app_dir }}' + project_src: "{{ mpd_app_dir }}" build: always state: stopped - name: Remove dangling containers community.docker.docker_compose_v2: - project_src: '{{ mpd_app_dir }}' + project_src: "{{ mpd_app_dir }}" remove_orphans: true state: stopped - name: Start container community.docker.docker_compose_v2: - project_src: '{{ mpd_app_dir }}' + project_src: "{{ mpd_app_dir }}" state: present diff --git a/tasks/network.yml b/tasks/network.yml index 28cc96d..0696f3c 100644 --- a/tasks/network.yml +++ b/tasks/network.yml @@ -1,17 +1,18 @@ +--- - name: Copy network configuration files become: true ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: systemd-network - mode: '0640' + mode: "0640" loop: - - src: 'templates/network/link1.link.j2' - dest: '/etc/systemd/network/98-link1.link' + - src: "templates/network/link1.link.j2" + dest: "/etc/systemd/network/98-link1.link" - - src: 'templates/network/link1.network.j2' - dest: '/etc/systemd/network/98-link1.network' + - src: "templates/network/link1.network.j2" + dest: "/etc/systemd/network/98-link1.network" notify: - restart systemd-networkd - regenerate initramfs # copies the files into the initramfs for when udev needs them 
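Review bot: The `notify:` entries `restart systemd-networkd` and `regenerate initramfs` at the end of this hunk are lowercase, while the handler names elsewhere in this change appear to have been capitalised (`Restart systemd-networkd`, `Regenerate initramfs`). Ansible resolves notified handlers by exact, case-sensitive string match, so the first run in which a link or network file changes will abort with a "handler not found" error, and the new configuration will neither be loaded by networkd nor baked into the initramfs. Update the notifies to `- Restart systemd-networkd` and `- Regenerate initramfs`, or give the handlers `listen:` aliases so both spellings resolve; the same mismatch appears on every `notify:` in this commit, so a grep for lowercase handler names is worthwhile.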
@@ -19,34 +20,34 @@ - name: Set hostname become: true ansible.builtin.hostname: - name: '{{ hostname }}' + name: "{{ hostname }}" use: systemd - name: Copy hosts file become: true ansible.builtin.template: - src: 'network/hosts.j2' - dest: '/etc/hosts' - mode: '0644' + src: "network/hosts.j2" + dest: "/etc/hosts" + mode: "0644" owner: root - name: Copy resolved.conf configuration become: true ansible.builtin.template: - src: 'network/resolved.j2' - dest: '/etc/systemd/resolved.conf' - mode: '0644' + src: "network/resolved.j2" + dest: "/etc/systemd/resolved.conf" + mode: "0644" owner: root notify: restart systemd-resolved - name: Copy firewall template become: true ansible.builtin.template: - src: 'templates/nftables.j2' - dest: '/etc/nftables.conf' + src: "templates/nftables.j2" + dest: "/etc/nftables.conf" owner: root group: root - mode: '0644' + mode: "0644" notify: - restart nftables - restart docker service diff --git a/tasks/newsreader.yml b/tasks/newsreader.yml index 411999c..443dfc9 100644 --- a/tasks/newsreader.yml +++ b/tasks/newsreader.yml 
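Review bot: `Copy firewall template` writes `/etc/nftables.conf` and immediately notifies a restart with no check on the rendered ruleset; if the template renders something `nft` rejects, the restart flushes the running rules in its stop step and the subsequent load fails, leaving the host with no filter rules at all. Add `validate: "nft -c -f %s"` to that task so a bad render fails the play before the live firewall is touched. The `notify:` names in this hunk (`restart systemd-resolved`, `restart nftables`, `restart docker service`) are also lowercase while the handlers in this commit appear to be capitalised — handler lookup is case-sensitive, so these need updating to match.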
@@ -1,41 +1,42 @@ +--- - name: Create newsreader app directory become: true ansible.builtin.file: - path: '{{ newsreader_app_dir }}' + path: "{{ newsreader_app_dir }}" state: directory owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Clone project ansible.builtin.git: - repo: '{{ newsreader_app_repository }}' - dest: '{{ newsreader_app_dir }}' - version: '{{ newsreader_app_ref }}' + repo: "{{ newsreader_app_repository }}" + dest: "{{ newsreader_app_dir }}" + version: "{{ newsreader_app_ref }}" - name: Copy templates ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - mode: '{{ item.mode }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" loop: - src: templates/newsreader/env.j2 - dest: '{{ newsreader_app_dir }}/.production.env' - mode: '0750' + dest: "{{ newsreader_app_dir }}/.production.env" + mode: "0750" - src: templates/newsreader/docker-compose.j2 - dest: '{{ newsreader_app_dir }}/docker-compose.resources.yml' - mode: '0750' + dest: "{{ newsreader_app_dir }}/docker-compose.resources.yml" + mode: "0750" - name: Stop current containers community.docker.docker_compose_v2: - project_src: '{{ newsreader_app_dir }}' + project_src: "{{ newsreader_app_dir }}" env_files: - .production.env state: absent - name: Remove dangling containers community.docker.docker_compose_v2: - project_src: '{{ newsreader_app_dir }}' + project_src: "{{ newsreader_app_dir }}" remove_orphans: true state: absent @@ -53,6 +54,6 @@ - docker-compose.yml - docker-compose.production.yml - docker-compose.resources.yml - project_src: '{{ newsreader_app_dir }}' + project_src: "{{ newsreader_app_dir }}" build: always state: present diff --git a/tasks/nginx.yml b/tasks/nginx.yml index ec78900..be63aba 100644 --- a/tasks/nginx.yml +++ b/tasks/nginx.yml 
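Review bot: `.production.env` is written with `mode: "0750"`, which sets a meaningless execute bit on a secrets file; `mode: "0600"` (or `"0640"` if the compose services genuinely read it through the group) is the right scope. `Clone project` checks out `version: "{{ newsreader_app_ref }}"` and the later `build: always` then builds whatever that ref resolves to; if the ref is a branch rather than a commit SHA or tag, each run pulls unreviewed upstream changes into the image, so pin it to an immutable ref. The clone and template tasks also run without `become` or an explicit `owner:`, so the files belong to whichever account Ansible connects as while the directory above them is `sonny:sonny` — fine if those are the same account, but worth stating.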
@@ -1,44 +1,44 @@ +--- - name: Copy nginx configuration files become: true ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: root - mode: '0644' + mode: "0644" loop: - - src: 'templates/nginx/default.j2' - dest: '/etc/nginx/sites-available/default' - - src: 'templates/nginx/forgejo.j2' - dest: '/etc/nginx/sites-available/forgejo' - - src: 'templates/nginx/woodpecker.j2' - dest: '/etc/nginx/sites-available/woodpecker' - - src: 'templates/nginx/glitchtip.j2' - dest: '/etc/nginx/sites-available/glitchtip' - - src: 'templates/nginx/newsreader.j2' - dest: '/etc/nginx/sites-available/newsreader' + - src: "templates/nginx/default.j2" + dest: "/etc/nginx/sites-available/default" + - src: "templates/nginx/forgejo.j2" + dest: "/etc/nginx/sites-available/forgejo" + - src: "templates/nginx/woodpecker.j2" + dest: "/etc/nginx/sites-available/woodpecker" + - src: "templates/nginx/glitchtip.j2" + dest: "/etc/nginx/sites-available/glitchtip" + - src: "templates/nginx/newsreader.j2" + dest: "/etc/nginx/sites-available/newsreader" notify: restart nginx - name: Create configuration links become: true ansible.builtin.file: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" state: link loop: - - src: '/etc/nginx/sites-available/default' - dest: '/etc/nginx/sites-enabled/default' - - src: '/etc/nginx/sites-available/forgejo' - dest: '/etc/nginx/sites-enabled/forgejo' - - src: '/etc/nginx/sites-available/woodpecker' - dest: '/etc/nginx/sites-enabled/woodpecker' - - src: '/etc/nginx/sites-available/glitchtip' - dest: '/etc/nginx/sites-enabled/glitchtip' - - src: '/etc/nginx/sites-available/newsreader' - dest: '/etc/nginx/sites-enabled/newsreader' + - src: "/etc/nginx/sites-available/default" + dest: "/etc/nginx/sites-enabled/default" + - src: "/etc/nginx/sites-available/forgejo" + dest: "/etc/nginx/sites-enabled/forgejo" + - src: 
"/etc/nginx/sites-available/woodpecker" + dest: "/etc/nginx/sites-enabled/woodpecker" + - src: "/etc/nginx/sites-available/glitchtip" + dest: "/etc/nginx/sites-enabled/glitchtip" + - src: "/etc/nginx/sites-available/newsreader" + dest: "/etc/nginx/sites-enabled/newsreader" notify: restart nginx - # Run the folowing command to regenerate a certificate: # # sudo certbot certonly \ @@ -55,11 +55,11 @@ - name: Copy letsencrypt configuration become: true ansible.builtin.template: - src: 'templates/letsencrypt/cli.j2' - dest: '/etc/letsencrypt/cli.ini' + src: "templates/letsencrypt/cli.j2" + dest: "/etc/letsencrypt/cli.ini" owner: root group: root - mode: '0644' + mode: "0644" notify: restart certbot - name: Enable certbot periodic certificate renewal diff --git a/tasks/radicale.yml b/tasks/radicale.yml index 952b575..a6aa23a 100644 --- a/tasks/radicale.yml +++ b/tasks/radicale.yml @@ -1,3 +1,4 @@ +--- - name: Stop previous radicale service become: true ansible.builtin.systemd: @@ -24,13 +25,13 @@ - name: Remove radicale virtualenv directory become: true ansible.builtin.file: - path: '/usr/local/lib/radicale' + path: "/usr/local/lib/radicale" state: absent - name: Remove Radicale files become: true ansible.builtin.file: - path: '{{ item }}' + path: "{{ item }}" state: absent loop: - /etc/nginx/radicale 
@@ -41,85 +42,85 @@ - name: Create Radicale directories become: true ansible.builtin.file: - path: '{{ item.path }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' - mode: '0755' + path: "{{ item.path }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "0755" state: directory loop: - - path: '{{ radicale_app_dir }}' + - path: "{{ radicale_app_dir }}" owner: root group: root - - path: '{{ radicale_collection_dir }}' + - path: "{{ radicale_collection_dir }}" owner: sonny group: sonny - - path: '{{ radicale_app_dir }}/nginx.conf.d' + - path: "{{ radicale_app_dir }}/nginx.conf.d" owner: sonny group: sonny - name: Copy Radicale docker file become: true ansible.builtin.template: - src: 'templates/radicale/dockerfile.j2' - dest: '{{ radicale_app_dir }}/Dockerfile' + src: "templates/radicale/dockerfile.j2" + dest: "{{ radicale_app_dir }}/Dockerfile" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy docker compose become: true ansible.builtin.template: - src: 'templates/radicale/docker-compose.j2' - dest: '{{ radicale_app_dir }}/docker-compose.yml' + src: "templates/radicale/docker-compose.j2" + dest: "{{ radicale_app_dir }}/docker-compose.yml" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy Radicale configuration become: true ansible.builtin.template: - src: 'templates/radicale/conf.j2' - dest: '{{ radicale_app_dir }}/config' + src: "templates/radicale/conf.j2" + dest: "{{ radicale_app_dir }}/config" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy Radicale user file become: true ansible.builtin.copy: - src: 'files/radicale/radicale_users' - dest: '{{ radicale_app_dir }}/radicale_users' + src: "files/radicale/radicale_users" + dest: "{{ radicale_app_dir }}/radicale_users" owner: sonny group: sonny - mode: '0750' + mode: "0750" - name: Copy NGINX configuration become: true ansible.builtin.template: - src: 'templates/radicale/nginx.j2' - dest: '{{ radicale_app_dir 
}}/nginx.conf.d/default.conf' + src: "templates/radicale/nginx.j2" + dest: "{{ radicale_app_dir }}/nginx.conf.d/default.conf" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Stop current containers community.docker.docker_compose_v2: - project_src: '{{ radicale_app_dir }}' + project_src: "{{ radicale_app_dir }}" state: stopped - name: Pull missing image community.docker.docker_compose_v2: - project_src: '{{ radicale_app_dir }}' + project_src: "{{ radicale_app_dir }}" build: always state: stopped - name: Remove dangling containers community.docker.docker_compose_v2: - project_src: '{{ radicale_app_dir }}' + project_src: "{{ radicale_app_dir }}" remove_orphans: true state: stopped - name: Start container community.docker.docker_compose_v2: - project_src: '{{ radicale_app_dir }}' + project_src: "{{ radicale_app_dir }}" state: present diff --git a/tasks/setup.yml b/tasks/setup.yml index 6408a0f..3ed15f3 100644 --- a/tasks/setup.yml +++ b/tasks/setup.yml @@ -1,26 +1,27 @@ +--- - name: Copy nsswitch file become: true ansible.builtin.template: - src: 'nsswitch.j2' - dest: '/etc/nsswitch.conf' - mode: '0644' + src: "nsswitch.j2" + dest: "/etc/nsswitch.conf" + mode: "0644" owner: root - name: Copy ssh template become: true ansible.builtin.template: - src: 'templates/ssh.j2' - dest: '/etc/ssh/sshd_config' + src: "templates/ssh.j2" + dest: "/etc/ssh/sshd_config" owner: root group: root - mode: '0644' + mode: "0644" notify: restart ssh - name: Copy wezterm terminfo file ansible.builtin.copy: - src: 'files/wezterm.terminfo' + src: "files/wezterm.terminfo" dest: /home/sonny/.terminfo - mode: '0755' + mode: "0755" notify: Compile wezterm terminfo file - name: Disable user lingering @@ -31,10 +32,10 @@ become: true ansible.builtin.template: src: templates/unattended-upgrades.j2 - dest: '/etc/apt/apt.conf.d/10periodic' + dest: "/etc/apt/apt.conf.d/10periodic" owner: root group: root - mode: '0755' + mode: "0755" - name: Enable unattended upgrades timer become: true 
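Review bot: `radicale_users` (an htpasswd-style credential file) is copied with `mode: "0750"` and `config` with `mode: "0755"`; the execute bit is meaningless on both, and `0755` makes the Radicale configuration readable by every local account. Use `mode: "0640"` for `radicale_users`, `"0640"` (or `"0644"` if it holds nothing sensitive) for `config`, and `"0644"` for `Dockerfile`, `docker-compose.yml` and `nginx.conf.d/default.conf`. If the container reads these as a different uid, match group ownership on the bind mount rather than widening the mode.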
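Review bot: `Copy ssh template` replaces `/etc/ssh/sshd_config` and notifies a restart with no validation of the rendered file; a template mistake would leave sshd unable to start and lock every remote administrator out of the host. Add `validate: "/usr/sbin/sshd -t -f %s"` to that task so the play fails before the handler runs. The `notify: restart ssh` is also lowercase while the handler names in this commit appear to be capitalised — handler lookup is case-sensitive, so it should read `notify: Restart ssh`. `mode: "0755"` on the terminfo copy is harmless but unnecessary; `"0644"` is conventional.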
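Review bot: `/etc/apt/apt.conf.d/10periodic` is installed with `mode: "0755"`; apt configuration fragments are plain text that apt only reads, so `mode: "0644"` is the conventional and least-privilege mode here. Nothing else in the hunk changes behaviour. The `Enable unattended upgrades timer` task starts at the hunk's last line and continues outside it.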
diff --git a/tasks/syncthing.yml b/tasks/syncthing.yml index 877b45d..e4649d3 100644 --- a/tasks/syncthing.yml +++ b/tasks/syncthing.yml @@ -1,3 +1,4 @@ +--- - name: Disable system process become: true ansible.builtin.systemd: @@ -8,19 +9,19 @@ - name: Create Syncthing directories become: true ansible.builtin.file: - path: '{{ item.path }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' - mode: '0755' + path: "{{ item.path }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "0755" state: directory loop: - - path: '{{ syncthing_app_dir }}' + - path: "{{ syncthing_app_dir }}" owner: root group: root - - path: '{{ syncthing_app_dir }}/state' + - path: "{{ syncthing_app_dir }}/state" owner: sonny group: sonny - - path: '{{ syncthing_app_dir }}/nginx.conf.d' + - path: "{{ syncthing_app_dir }}/nginx.conf.d" owner: sonny group: sonny 
@@ -33,48 +34,48 @@ - name: Copy docker compose configuration become: true ansible.builtin.template: - src: 'templates/syncthing/docker-compose.j2' - dest: '{{ syncthing_app_dir }}/docker-compose.yml' + src: "templates/syncthing/docker-compose.j2" + dest: "{{ syncthing_app_dir }}/docker-compose.yml" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy Syncthing configuration become: true ansible.builtin.template: - src: 'templates/syncthing/config.j2' - dest: '{{ syncthing_app_dir }}/state/config.xml' + src: "templates/syncthing/config.j2" + dest: "{{ syncthing_app_dir }}/state/config.xml" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy NGINX configuration become: true ansible.builtin.template: - src: 'templates/syncthing/nginx.j2' - dest: '{{ syncthing_app_dir }}/nginx.conf.d/default.conf' + src: "templates/syncthing/nginx.j2" + dest: "{{ syncthing_app_dir }}/nginx.conf.d/default.conf" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Stop current containers community.docker.docker_compose_v2: - project_src: '{{ syncthing_app_dir }}' + project_src: "{{ syncthing_app_dir }}" state: stopped - name: Pull missing image community.docker.docker_compose_v2: - project_src: '{{ syncthing_app_dir }}' + project_src: "{{ syncthing_app_dir }}" pull: missing state: stopped - name: Remove dangling containers community.docker.docker_compose_v2: - project_src: '{{ syncthing_app_dir }}' + project_src: "{{ syncthing_app_dir }}" remove_orphans: true state: stopped - name: Start container community.docker.docker_compose_v2: - project_src: '{{ syncthing_app_dir }}' + project_src: "{{ syncthing_app_dir }}" state: present diff --git a/tasks/transip_client.yml b/tasks/transip_client.yml index 3738fca..1e5512c 100644 --- a/tasks/transip_client.yml +++ b/tasks/transip_client.yml 
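Review bot: `state/config.xml` is written with `mode: "0755"`; Syncthing's config.xml typically holds the GUI API key and the admin password hash, so world-readable permissions expose those to any local account and the execute bit serves no purpose — `mode: "0600"` (or `"0640"`) is appropriate. `docker-compose.yml` and `nginx.conf.d/default.conf` in the same hunk should likewise drop to `"0644"`. Note also that `pull: missing` leaves an already-present image untouched, so a floating tag will not receive updates until the old image is removed.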
@@ -1,32 +1,33 @@ +--- - name: Create application directory ansible.builtin.file: - path: '{{ transip_client_app_dir }}' + path: "{{ transip_client_app_dir }}" state: directory - mode: '0755' + mode: "0755" - name: Clone project ansible.builtin.git: - repo: '{{ transip_client_repository }}' - dest: '{{ transip_client_app_dir }}' - version: '{{ transip_client_app_ref }}' + repo: "{{ transip_client_repository }}" + dest: "{{ transip_client_app_dir }}" + version: "{{ transip_client_app_ref }}" - name: Copy environment variables file ansible.builtin.template: src: templates/transip_client/env.j2 - dest: '{{ transip_client_env_src_path }}' - mode: '0640' + dest: "{{ transip_client_env_src_path }}" + mode: "0640" - name: Copy private key file ansible.builtin.copy: src: files/transip_client/private_key.key - dest: '{{ transip_client_private_key_src_path }}' - mode: '0600' + dest: "{{ transip_client_private_key_src_path }}" + mode: "0600" - name: Build docker image community.docker.docker_image_build: - name: '{{ transip_client_image_name }}' - path: '{{ transip_client_app_dir }}' - dockerfile: '{{ transip_client_app_dir }}/Dockerfile' + name: "{{ transip_client_image_name }}" + path: "{{ transip_client_app_dir }}" + dockerfile: "{{ transip_client_app_dir }}/Dockerfile" rebuild: always args: UV_ARGS: "--extra sentry-enabled" 
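Review bot: `Copy private key file` ships `files/transip_client/private_key.key` straight from the repository; unlike the vaulted variables used elsewhere in this change, that source file is presumably stored in plaintext under version control, which puts the private key in every clone and backup. Encrypt the file with `ansible-vault encrypt` (the copy module decrypts a vaulted `src` transparently) or render it from a vaulted variable via `content:`. `Clone project` builds whatever `version: "{{ transip_client_app_ref }}"` resolves to with `rebuild: always`; if that is a branch name rather than a commit SHA or tag, pin it. The application directory and env file are also created without `become` or an explicit `owner:`, so they belong to whichever account Ansible connects as — fine if intentional, but worth stating.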
@@ -34,21 +35,21 @@ - name: Copy start script ansible.builtin.template: src: templates/transip_client/start.j2 - dest: '{{ transip_client_start_script }}' - mode: '0750' + dest: "{{ transip_client_start_script }}" + mode: "0750" - name: Copy systemd templates become: true ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - mode: '{{ item.mode }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" loop: - src: templates/transip_client/timer.j2 - dest: '{{ systemd_service_dir }}/transip-client.timer' - mode: '0644' + dest: "{{ systemd_service_dir }}/transip-client.timer" + mode: "0644" - src: templates/transip_client/service.j2 - dest: '{{ systemd_service_dir }}/transip-client.service' - mode: '0640' + dest: "{{ systemd_service_dir }}/transip-client.service" + mode: "0640" notify: enable transip-client timer diff --git a/tasks/transmission.yml b/tasks/transmission.yml index 31385b4..dc21442 100644 --- a/tasks/transmission.yml +++ b/tasks/transmission.yml @@ -1,3 +1,4 @@ +--- # Note: requires an up-to-date ansible version to make us of docker compose file ## TODO: use tracker blocklist # 
@@ -11,32 +12,32 @@ - name: Create Transmission directories become: true ansible.builtin.file: - path: '{{ item.path }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' - mode: '0755' + path: "{{ item.path }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "0755" state: directory loop: - - path: '{{ transmission_app_dir }}' + - path: "{{ transmission_app_dir }}" owner: root group: root - - path: '{{ transmission_app_dir }}/config' + - path: "{{ transmission_app_dir }}/config" owner: root group: root - - path: '{{ transmission_app_dir }}/nginx.conf.d' + - path: "{{ transmission_app_dir }}/nginx.conf.d" owner: sonny group: sonny - - path: '{{ transmission_download_dir }}' + - path: "{{ transmission_download_dir }}" owner: sonny group: sonny - - path: '{{ transmission_incomplete_dir }}' + - path: "{{ transmission_incomplete_dir }}" owner: sonny group: sonny - name: Remove previous transmission configurations become: true ansible.builtin.file: - path: '{{ item }}' + path: "{{ item }}" state: absent loop: - /etc/systemd/system/transmission-daemon.service.d 
@@ -46,47 +47,47 @@ become: true ansible.builtin.copy: src: files/transmission/Dockerfile - dest: '{{ transmission_app_dir }}/Dockerfile' + dest: "{{ transmission_app_dir }}/Dockerfile" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy docker compose configuration become: true ansible.builtin.template: src: templates/transmission/docker-compose.j2 - dest: '{{ transmission_app_dir }}/docker-compose.yml' + dest: "{{ transmission_app_dir }}/docker-compose.yml" owner: sonny group: sonny - mode: '0755' + mode: "0755" # Prevents Tranmission from overwiting configuration files - name: Stop docker compose containers community.docker.docker_compose_v2: - project_src: '{{ transmission_app_dir }}' + project_src: "{{ transmission_app_dir }}" state: stopped - name: Copy Transmission configuration become: true ansible.builtin.template: - src: 'templates/transmission/config.j2' - dest: '{{ transmission_app_dir }}/config/settings.json' + src: "templates/transmission/config.j2" + dest: "{{ transmission_app_dir }}/config/settings.json" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Copy NGINX configuration become: true ansible.builtin.template: src: templates/transmission/nginx.j2 - dest: '{{ transmission_app_dir }}/nginx.conf.d/default.conf' + dest: "{{ transmission_app_dir }}/nginx.conf.d/default.conf" owner: sonny group: sonny - mode: '0755' + mode: "0755" - name: Start container community.docker.docker_compose_v2: - project_src: '{{ transmission_app_dir }}' + project_src: "{{ transmission_app_dir }}" build: always remove_orphans: true state: restarted diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml index c363f39..e49b709 100644 --- a/tasks/wireguard.yml +++ b/tasks/wireguard.yml @@ -1,3 +1,4 @@ +--- - name: Copy Wireguard configuration files become: true ansible.builtin.template: diff --git a/tasks/wireguard_media.yml b/tasks/wireguard_media.yml index b906e76..c7046d7 100644 --- a/tasks/wireguard_media.yml 
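Review bot: `config/settings.json` is deployed with `mode: "0755"`; Transmission's settings file usually carries the RPC username and password, so world-readable permissions expose those to every local account and the execute bit does nothing on JSON — `mode: "0640"` is the right scope. `Dockerfile`, `docker-compose.yml` and `nginx.conf.d/default.conf` earlier in the hunk likewise only need `"0644"`. The comment `# Prevents Tranmission from overwiting configuration files` has two typos and does not say how the protection works (the stop task alone does not stop Transmission rewriting the file once it restarts); a sentence naming the actual mechanism would help the next reader.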
+++ b/tasks/wireguard_media.yml @@ -1,11 +1,12 @@ +--- - name: Copy Wireguard media configuration files become: true ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: systemd-network - mode: '0640' + mode: "0640" loop: - src: templates/network/wireguard/media/wg1.netdev.j2 dest: /etc/systemd/network/wg1.netdev 
@@ -16,81 +17,81 @@ - name: Create Wireguard media directories become: true ansible.builtin.file: - path: '{{ item }}' + path: "{{ item }}" owner: root group: systemd-network - mode: '0750' + mode: "0750" state: directory recurse: true loop: - - '{{ vpn_config_dir }}' - - '{{ vpn_media_server_public_key_path | dirname }}' - - '{{ vpn_media_server_key_path | dirname }}' + - "{{ vpn_config_dir }}" + - "{{ vpn_media_server_public_key_path | dirname }}" + - "{{ vpn_media_server_key_path | dirname }}" - name: Copy Wireguard server media credentials become: true ansible.builtin.copy: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: systemd-network - mode: '0640' + mode: "0640" loop: - - src: 'files/wireguard/media/server.pub' - dest: '{{ vpn_media_server_public_key_path }}' - - src: 'files/wireguard/media/server.key' - dest: '{{ vpn_media_server_key_path }}' + - src: "files/wireguard/media/server.pub" + dest: "{{ vpn_media_server_public_key_path }}" + - src: "files/wireguard/media/server.key" + dest: "{{ vpn_media_server_key_path }}" - name: Copy Wireguard mobile media credentials become: true ansible.builtin.copy: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: systemd-network - mode: '0640' + mode: "0640" loop: - - src: 'files/wireguard/media/mobile-1.pub' - dest: '{{ vpn_config_dir }}/keys/public/mobile_1.pub' + - src: "files/wireguard/media/mobile-1.pub" + dest: "{{ vpn_config_dir }}/keys/public/mobile_1.pub" - - src: 'files/wireguard/media/mobile-1.key' - dest: '{{ vpn_config_dir }}/keys/private/mobile_1.key' + - src: "files/wireguard/media/mobile-1.key" + dest: "{{ vpn_config_dir }}/keys/private/mobile_1.key" - - src: 'files/wireguard/media/mobile-2.pub' - dest: '{{ vpn_config_dir }}/keys/public/mobile_2.pub' + - src: "files/wireguard/media/mobile-2.pub" + dest: "{{ vpn_config_dir }}/keys/public/mobile_2.pub" - - src: 
'files/wireguard/media/mobile-2.key' - dest: '{{ vpn_config_dir }}/keys/private/mobile_2.key' + - src: "files/wireguard/media/mobile-2.key" + dest: "{{ vpn_config_dir }}/keys/private/mobile_2.key" - - src: 'files/wireguard/media/tv-1.pub' - dest: '{{ vpn_config_dir }}/keys/public/tv-1.pub' + - src: "files/wireguard/media/tv-1.pub" + dest: "{{ vpn_config_dir }}/keys/public/tv-1.pub" - - src: 'files/wireguard/media/tv-1.key' - dest: '{{ vpn_config_dir }}/keys/private/tv-1.key' + - src: "files/wireguard/media/tv-1.key" + dest: "{{ vpn_config_dir }}/keys/private/tv-1.key" - - src: 'files/wireguard/media/tv-2.pub' - dest: '{{ vpn_config_dir }}/keys/public/tv-2.pub' + - src: "files/wireguard/media/tv-2.pub" + dest: "{{ vpn_config_dir }}/keys/public/tv-2.pub" - - src: 'files/wireguard/media/tv-2.key' - dest: '{{ vpn_config_dir }}/keys/private/tv-2.key' + - src: "files/wireguard/media/tv-2.key" + dest: "{{ vpn_config_dir }}/keys/private/tv-2.key" - name: Copy wireguard media preshared keys become: true ansible.builtin.copy: - src: '{{ item.value.preshared_key_source_path }}' - dest: '{{ item.value.preshared_key_path }}' + src: "{{ item.value.preshared_key_source_path }}" + dest: "{{ item.value.preshared_key_path }}" owner: root group: systemd-network - mode: '0640' - with_dict: '{{ vpn_media_peers }}' + mode: "0640" + with_dict: "{{ vpn_media_peers }}" - name: Copy Wireguard external media configurations become: true ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - mode: '0600' - owner: '{{ ansible_user_id }}' + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "0600" + owner: "{{ ansible_user_id }}" loop: - src: templates/network/wireguard/media/mobile_1.wireguard.j2 dest: /tmp/mobile_1.conf diff --git a/tasks/woodpecker_ci.yml b/tasks/woodpecker_ci.yml index 6172b9f..a589f66 100644 --- a/tasks/woodpecker_ci.yml +++ b/tasks/woodpecker_ci.yml 
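Review bot: `Create Wireguard media directories` combines `recurse: true` with `mode: "0750"`; the file module applies a recursive mode to files as well as directories, so on every run after the first the private and preshared keys under `{{ vpn_config_dir }}` are set to 0750 (execute bit on key material) and then reset to 0640 by the copy tasks — a permanent changed/changed flip-flop that also defeats idempotence checks. Drop `recurse: true` (each directory is already listed explicitly) and let the copy tasks own the file modes. Separately, the rendered client configurations at the end of the hunk are written to `/tmp/mobile_1.conf`; they contain peer private keys and nothing removes them, so they linger in a shared directory — write them under a private path or add a cleanup task after they are fetched. The client key files themselves (`files/wireguard/media/*.key`) are copied as plain repository files and are presumably stored unencrypted in version control; vault-encrypting them would match how the other secrets in this commit are handled. The loop continues past the end of the hunk.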
@@ -1,42 +1,43 @@ +--- - name: Create required directories become: true ansible.builtin.file: - path: '{{ item.path }}' - state: '{{ item.state }}' - mode: '{{ item.mode }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' + path: "{{ item.path }}" + state: "{{ item.state }}" + mode: "{{ item.mode }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" loop: - - path: '{{ woodpecker_app_dir }}' + - path: "{{ woodpecker_app_dir }}" owner: sonny group: sonny state: directory - mode: '0755' + mode: "0755" - name: Copy docker-compose file ansible.builtin.template: - src: 'templates/woodpecker_ci/docker-compose.j2' - dest: '{{ woodpecker_app_dir }}/docker-compose.yml' - mode: '0750' + src: "templates/woodpecker_ci/docker-compose.j2" + dest: "{{ woodpecker_app_dir }}/docker-compose.yml" + mode: "0750" - name: Stop current containers community.docker.docker_compose_v2: - project_src: '{{ woodpecker_app_dir }}' + project_src: "{{ woodpecker_app_dir }}" state: stopped - name: Pull missing image community.docker.docker_compose_v2: - project_src: '{{ woodpecker_app_dir }}' + project_src: "{{ woodpecker_app_dir }}" pull: missing state: stopped - name: Remove dangling containers community.docker.docker_compose_v2: - project_src: '{{ woodpecker_app_dir }}' + project_src: "{{ woodpecker_app_dir }}" remove_orphans: true state: stopped - name: Start container community.docker.docker_compose_v2: - project_src: '{{ woodpecker_app_dir }}' + project_src: "{{ woodpecker_app_dir }}" state: present diff --git a/templates/docker.j2 b/templates/docker.j2 index 9047bb7..f49d8a8 100644 --- a/templates/docker.j2 +++ b/templates/docker.j2 @@ -1,3 +1,9 @@ # {{ ansible_managed }} -deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable +Enabled: yes +Types: deb +URIs: https://download.docker.com/linux/debian +Suites: trixie +Components: stable +Architectures: amd64 +Signed-By: /etc/apt/keyrings/docker.gpg 
diff --git a/templates/nftables.j2 b/templates/nftables.j2 index 100bd44..98f079c 100644 --- a/templates/nftables.j2 +++ b/templates/nftables.j2 @@ -85,4 +85,8 @@ table ip filter { iifname {{ vpn_media_interface }} ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept } + + chain output { + type filter hook output priority filter; + } } diff --git a/templates/ssh.j2 b/templates/ssh.j2 index d6446eb..a7d1d46 100644 --- a/templates/ssh.j2 +++ b/templates/ssh.j2 @@ -1,6 +1,6 @@ # {{ ansible_managed }} # -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -28,14 +28,14 @@ HostKey /etc/ssh/ssh_host_ed25519_key # Logging #SyslogFacility AUTH -LogLevel INFO +#LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin prohibit-password #StrictModes yes -MaxAuthTries 6 +#MaxAuthTries 6 #MaxSessions 10 PubkeyAuthentication yes @@ -56,13 +56,15 @@ AuthorizedKeysFile .ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes -# To disable tunneled clear text passwords, change to no here! +# To disable tunneled clear text passwords, change to "no" here! PasswordAuthentication no #PermitEmptyPasswords no -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no +# Change to "yes" to enable keyboard-interactive authentication. Depending on +# the system's configuration, this may involve passwords, challenge-response, +# one-time passwords or some combination of these and other methods. +# Beware issues with some PAM modules and threads. +KbdInteractiveAuthentication no # Kerberos options #KerberosAuthentication no 
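Review bot: The new `chain output` has neither a `policy` nor any rules, so it changes nothing today: a base chain without an explicit policy defaults to `accept`, and all outbound traffic still passes. If it is a placeholder, make that explicit with `type filter hook output priority filter; policy accept;` plus a comment, so nobody assumes the host already restricts egress; if egress filtering is the goal, start from `policy drop;` with `ct state established,related accept`, loopback and the required DNS/VPN allowances, and test from the console, because a mistake here also severs the Ansible session. The enclosing `table ip filter` starts outside the hunk.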
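Review bot: `LogLevel INFO` and `MaxAuthTries 6` are commented out in favour of the upstream defaults; both values happen to equal the defaults so behaviour is unchanged, but a managed hardening template benefits from explicit, stricter settings. `LogLevel VERBOSE` additionally records which public keys were offered and rejected, which makes key-only logins auditable, and `MaxAuthTries 3` cuts the per-connection attempt budget — consider restoring the two lines as `LogLevel VERBOSE` and `MaxAuthTries 3` rather than removing them. `#PermitRootLogin prohibit-password` is left at its default, which is acceptable alongside `PasswordAuthentication no`, but stating it explicitly documents the intent.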
@@ -78,13 +80,13 @@ ChallengeResponseAuthentication no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and +# be allowed through the KbdInteractiveAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". +# PAM authentication via KbdInteractiveAuthentication may bypass +# the setting of "PermitRootLogin prohibit-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. +# and KbdInteractiveAuthentication to 'no'. UsePAM yes #AllowAgentForwarding yes @@ -112,7 +114,7 @@ PrintMotd no #Banner none # Allow client to pass locale environment variables -AcceptEnv LANG LC_* +AcceptEnv LANG LC_* COLORTERM NO_COLOR # override default of no subsystems Subsystem sftp /usr/lib/openssh/sftp-server