ansible
/
homelab
1
0
Fork 0
Code Issues 33 Pull Requests Projects 1 Releases Wiki Activity

Compare commits

base: ansible:main
Branches Tags
ansible:main
..
compare: ansible:e98699146630e7f6e6e9a577e145ae7867dbe823
Branches Tags
ansible:main

No commits in common. "main" and "e98699146630e7f6e6e9a577e145ae7867dbe823" have entirely different histories.
main ... e986991466

27 changed files with 95 additions and 385 deletions
Show Stats Expand all files Collapse all files

8
README.adoc
View File

@ -12,14 +12,10 @@ homelab.
=== Containers === Containers
* Authelia
* Jellyfin
* Keycloak
* NGINX * NGINX
* OpenLDAP * Jellyfin
* Portainer
* PostgreSQL * PostgreSQL
* Radarr * Keycloak
=== Testing === Testing
To run locally, specify the inventory file with `-i hosts`. To run locally, specify the inventory file with `-i hosts`.

5
group_vars/all
View File

@ -14,8 +14,3 @@ tz: "Europe/Prague"
media: media:
tv: "{{ data_folder }}/media/tv" tv: "{{ data_folder }}/media/tv"
movies: "{{ data_folder }}/media/movies" movies: "{{ data_folder }}/media/movies"
downloads:
nzb: "{{ data_folder }}/downloads/nzb"
torrent: "{{ data_folder }}/downloads/torrent"
torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
music: "{{ data_folder }}/downloads/music"

5
playbook.yml
View File

@ -3,13 +3,10 @@
roles: roles:
- docker - docker
- nginx - nginx
- openldap
- portainer
- jellyfin - jellyfin
- openldap
- postgres - postgres
- authelia
- keycloak - keycloak
- radarr
vars_files: vars_files:
- vault/certs/{{ base_domain }}.yml - vault/certs/{{ base_domain }}.yml
- vault/passwords.yml - vault/passwords.yml

2
provision.sh
View File

@ -1,2 +0,0 @@
#!/bin/env fish
ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision

39
roles/authelia/tasks/main.yml
View File

@ -1,39 +0,0 @@
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- "{{ data_folder }}/authelia"
- name: copy configuration.yml
template:
src: "configuration.yml.j2"
dest: "{{ data_folder }}/authelia/configuration.yml"
mode: "755"
- name: run container
docker_container:
name: "authelia"
image: "authelia/authelia"
ports:
- "9091:9091"
networks:
- name: external
- name: openldap
volumes:
- "{{ data_folder }}/authelia:/config"
- name: copy nginx endpoint conf
template:
src: "authelia-endpoint.conf.j2"
dest: "{{ data_folder }}/nginx/snippets/authelia-endpoint.conf"
mode: "755"
- name: copy nginx auth conf
template:
src: "authelia-auth.conf.j2"
dest: "{{ data_folder }}/nginx/snippets/authelia-auth.conf"
mode: "755"
- name: copy nginx conf
template:
src: "authelia.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

11
roles/authelia/templates/authelia-auth.conf.j2
View File

@ -1,11 +0,0 @@
auth_request /authelia/api/verify;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
error_page 401 =302 https://$http_host/authelia/?rd=$target_url;

47
roles/authelia/templates/authelia-endpoint.conf.j2
View File

@ -1,47 +0,0 @@
location ^~ /authelia {
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
}
location = /authelia/api/verify {
internal;
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401;
}
set $upstream_authelia authelia;
proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

16
roles/authelia/templates/authelia.conf.j2
View File

@ -1,16 +0,0 @@
server {
server_name auth.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name auth.{{ base_domain }};
listen 443 ssl http2;
location / {
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
proxy_pass $upstream_authelia;
}
}

71
roles/authelia/templates/configuration.yml.j2
View File

@ -1,71 +0,0 @@
host: 0.0.0.0
port: 9091
server:
read_buffer_size: 4096
write_buffer_size: 4096
path: "authelia"
log_level: debug
jwt_secret: somethingsomethingrandomrecret
default_redirection_url: https://{{ base_domain }}
authentication_backend:
disable_reset_password: false
ldap:
implementation: custom
url: ldap://openldap
start_tls: false
tls:
server_name: openldap
skip_verify: false
minimum_version: TLS1.2
base_dn: dc=kucharczyk,dc=xyz
username_attribute: uid
users_filter: ({username_attribute}={input})
groups_filter: (member={dn})
mail_attribute: mail
user: cn=admin,dc=kucharczyk,dc=xyz
password: {{ vault_openldap_admin_password }}
access_control:
default_policy: deny
networks:
- name: local
networks:
- 192.168.0.0/24
rules:
- domain: "*.{{ base_domain }}"
networks:
- local
policy: bypass
- domain: portainer.{{ base_domain }}
policy: one_factor
- domain: keycloak.{{ base_domain }}
policy: one_factor
- domain: radarr.{{ base_domain }}
policy: two_factor
session:
name: authelia_session
secret: somerandomsecret
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
domain: {{ base_domain }}
regulation:
max_retries: 3
find_time: 2m
ban_time: 99y
storage:
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: false
smtp:
username: kucharczyk.lukas@gmail.com
password: {{ vault_email_gmail_password }}
host: smtp.gmail.com
port: 587
sender: kucharczyk.lukas@gmail.com
subject: "[Authelia] {title}"
startup_check_address: test@authelia.com
disable_require_tls: false
tls:
skip_verify: false
minimum_version: TLS1.2

6
roles/docker/tasks/main.yml
View File

@ -3,9 +3,6 @@
name: name:
- docker - docker
- python-pip - python-pip
- neovim
- fish
- curlie
state: present state: present
update_cache: true update_cache: true
- name: start - name: start
@ -15,9 +12,8 @@
- name: add user to group - name: add user to group
user: user:
name: lukas name: lukas
groups: docker,wheel groups: docker
append: true append: true
shell: /usr/bin/fish
- name: install python docker - name: install python docker
pip: pip:
name: name:

3
roles/jellyfin/tasks/main.yml
View File

@ -12,7 +12,7 @@
name: 'jellyfin' name: 'jellyfin'
image: linuxserver/jellyfin image: linuxserver/jellyfin
networks: networks:
- name: external - name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/jellyfin:/config" - "{{ data_folder }}/jellyfin:/config"
- "{{ media.tv }}:/data/tv" - "{{ media.tv }}:/data/tv"
@ -29,6 +29,7 @@
devices: devices:
- /dev/dri:/dev/dri - /dev/dri:/dev/dri
state: started state: started
restart: yes
- name: copy jellyfin nginx config - name: copy jellyfin nginx config
template: template:
src: jellyfin.conf.j2 src: jellyfin.conf.j2

3
roles/jellyfin/templates/jellyfin.conf.j2
View File

@ -1,7 +1,6 @@
server { server {
server_name "jellyfin.{{ base_domain }}";
listen 80; listen 80;
return 301 https://$server_name$request_uri; return 301 https://$host$request_uri;
} }
server { server {

3
roles/keycloak/tasks/main.yml
View File

@ -5,9 +5,8 @@
ports: ports:
- "8080:8080" - "8080:8080"
networks: networks:
- name: external
- name: postgres - name: postgres
- name: openldap - name: nginx-internal
env: env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}" "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}" "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"

6
roles/keycloak/templates/keycloak.conf.j2
View File

@ -1,7 +1,6 @@
server { server {
server_name "keycloak.{{ base_domain }}";
listen 80; listen 80;
return 301 https://$server_name$request_uri; return 301 https://$host$request_uri;
} }
server { server {
@ -14,11 +13,8 @@ server {
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
include /etc/nginx/snippets/authelia-endpoint.conf;
location / { location / {
proxy_pass http://$keycloak:8080; proxy_pass http://$keycloak:8080;
include /etc/nginx/snippets/authelia-auth.conf;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

10
roles/nginx/tasks/main.yml
View File

@ -14,11 +14,11 @@
- name: generate self-signed certs - name: generate self-signed certs
import_tasks: self-signed.yml import_tasks: self-signed.yml
when: self_signed when: self_signed
- name: create external bridge network - name: create nginx bridge network
docker_network: docker_network:
name: external name: nginx-internal
attachable: true attachable: true
internal: false internal: true
state: present state: present
- name: copy nginx.conf - name: copy nginx.conf
template: template:
@ -37,7 +37,8 @@
name: 'nginx' name: 'nginx'
image: nginx image: nginx
networks: networks:
- name: external - name: bridge
- name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -53,3 +54,4 @@
NGINX_HOST: "{{ base_domain }}" NGINX_HOST: "{{ base_domain }}"
NGINX_PORT: '80' NGINX_PORT: '80'
state: started state: started
restart: yes

2
roles/nginx/templates/nginx.conf.j2
View File

@ -14,8 +14,6 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
log_subrequest on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" ' '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; '"$http_user_agent" "$http_x_forwarded_for"';

36
roles/nginx/templates/snippets/proxy.conf.j2
View File

@ -1,36 +0,0 @@
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 172.17.0.0/16;
set_real_ip_from 172.18.0.0/16;
set_real_ip_from 172.19.0.0/16;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

35
roles/openldap/tasks/main.yml
View File

@ -6,27 +6,44 @@
loop: loop:
- "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap"
- "{{ data_folder }}/openldap/data" - "{{ data_folder }}/openldap/data"
- name: create network - "{{ data_folder }}/openldap/slapd.d"
docker_network: - "{{ data_folder }}/openldap/ldifs"
name: openldap # - name: copy slapd.conf
attachable: true # template:
internal: true # src: slapd.conf.j2
state: present # dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf"
# mode: '0755'
- name: copy user ldif
template:
src: lukas.ldif.j2
dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif"
mode: '0755'
- name: run container - name: run container
docker_container: docker_container:
name: "openldap" name: "openldap"
image: osixia/openldap image: osixia/openldap
hostname: openldap command: "--loglevel debug"
hostname: ldap.dev.local
networks: networks:
- name: openldap # - name: bridge
- name: nginx-internal
ports: ports:
- "389:389" - "389:389"
- "636:636" - "636:636"
volumes: volumes:
- "{{ data_folder }}/openldap/data:/var/lib/ldap" - "{{ data_folder }}/openldap/data:/var/lib/ldap"
- "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d"
- "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom"
env: env:
LDAP_ORGANISATION: "Homelab" LDAP_ORGANISATION: "Homelab"
LDAP_DOMAIN: "kucharczyk.xyz" LDAP_DOMAIN: "kucharczyk.xyz"
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
LDAP_ADMIN_PASSWORD: !vault |
$ANSIBLE_VAULT;1.1;AES256
35623735376134353839323136623133393035343162363366643632376262393539653736326431
6635373265313033653861393463633835333639346239650a303463323063373866316162616131
66356335346631386265363462353034393735366430636634643466376435313638303938363363
3838396139663964300a633931303135376566633363303336373937373138643564636263656233
6239
state: started state: started
restart: yes

6
roles/openldap/templates/base.ldif.j2 Normal file
View File

@ -0,0 +1,6 @@
dn: dc=kucharczyk,dc=xyz
objectclass: top
objectclass: dcObject
objectclass: organization
dc: kucharczyk
o: Homelab

14
roles/openldap/templates/lukas.ldif.j2 Normal file
View File

@ -0,0 +1,14 @@
dn: uid=lukas,dc=kucharczyk,dc=xyz
uid: lukas
cn: lukas
givenName: Lukas
sn: Kucharczyk
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/lukas
uidNumber: 1000
gidNumber: 1000
userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
mail: lukas@kucharczyk.xyz

16
roles/openldap/templates/slapd.conf.j2 Normal file
View File

@ -0,0 +1,16 @@
# default config from /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
# custom config
allow bind_anon_dn
access to attrs=userPassword by * auth
access to * by * read
loglevel 256
database mdb
suffix "dc=kucharczyk, dc=xyz"
rootdn "cn=admin, dc=kucharczyk, dc=xyz"
rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
directory /var/lib/ldap

19
roles/portainer/tasks/main.yml
View File

@ -1,19 +0,0 @@
- name: run container
docker_container:
name: 'portainer'
image: portainer/portainer-ce
networks:
- name: external
- name: openldap
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
ports:
- "8000:8000"
- "9000:9000"
state: started
- name: copy nginx conf
template:
src: portainer.conf.j2
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

20
roles/portainer/templates/portainer.conf.j2
View File

@ -1,20 +0,0 @@
server {
server_name portainer.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name portainer.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://portainer:9000; # This example assumes a Docker deployment
proxy_pass $upstream;
}
}

34
roles/radarr/tasks/main.yml
View File

@ -1,34 +0,0 @@
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- "{{ data_folder }}/radarr"
- "{{ media.tv }}"
- "{{ media.movies }}"
- "{{ downloads.nzb }}"
- name: run container
docker_container:
name: "{{ role_name }}"
image: "linuxserver/radarr"
networks:
- name: external
env:
"TZ": "{{ tz }}"
"PUID": "{{ puid }}"
"PGID": "{{ pgid }}"
"UMASK": "022"
volumes:
- "{{ data_folder }}/radarr:/config"
- "{{ downloads.nzb }}:/downloads"
- "{{ media.movies }}:/movies"
ports:
- "7878:7878"
state: started
- name: copy nginx conf
template:
src: "{{ role_name }}.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

20
roles/radarr/templates/radarr.conf.j2
View File

@ -1,20 +0,0 @@
server {
server_name {{ role_name }}.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name {{ role_name }}.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://{{ role_name }}:7878;
proxy_pass $upstream;
}
}

2
show-pass.sh
View File

@ -1,2 +0,0 @@
#!/bin/env fish
ansible-vault view --vault-password-file (pass show ansible-homelab | psub) vault/passwords.yml

31
vault/passwords.yml
View File

@ -1,19 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35356537316639386637316365393533643061363734323630393363313237643935666639653963 32656133366339323166343734353434356561306461363033383266373733646161323166353438
3734376266353938653631323266663139306335646635660a373233663964623335663366333434 3537666138666438373366353530626339303866353162340a386539353333323835383237356566
34386136656530386639646234316238326132616131616632346537613963636637393839613661 66636133383662333334396162323637393335336463316235386334353930616238623133613636
6366326639643632320a386436316165343166366134633464393461653434323934326238313430 6535613536633662340a386333373465613466303137643232356664363233326561653235656263
39323439306637306134326635323138616337646336653238636539643538613664303764303661 63316130346236376235623632356364353538306439616362313837303438363736316137346237
39636661353538393532663937396363656664613334383261336664336237356366663334633430 36623333643062626532383439663730653139633836613636343232323437643564643531336661
36356235383930653835393439373737623036613565313131626462363034303062323662663832 34386135386437656135616536356538663731336261393636396562666337616462323330623732
66613833613336646633383835653161386363386136663764653734313763383231626434393864 65363536383238376166393563636532353336306335613131653261333662613965633265333462
63313061346335383933623630396336336561633938613237643238616531343766613734666132 30353564316435636330623434623832623463336231393630616266336435646434303963353665
32306362616131396266656162653563356137383239616464306662643032623438373764306361 63616631313863303838613362343538663236656235353966306231643132633938373935646466
32363133626662633435626232653061373831626563323861626635383039613136303632613335 63333036376136353831653236663631343761303830336461326264316563643037363935623731
61363265316534653033393763646565393330633063323634353932353936303638356433306362 38393037396530346232656366626535363539653462393663653739653935376436333934616562
65383938306637333765383263653939633964613230613835326630313761323561376162646439 3931
62323035323634323766393233326363383364653531306432663263303831623936616139306639
64303863386265343165666435363761653464386366636366323261353731643263356635383536
66326666616339653731633530663161363933383334376238313637356331663431336433643338
64313861306161373538363332663363623131303561373237326436373838393965306663333835
3764356534323963303832653964666431626538316361613137