obfuscate things

tasks/podman.yml

@@ -20,35 +20,6 @@
         [Install]
         WantedBy=default.target
 
-- name: comfyui
-  containers.podman.podman_container:
-    state: quadlet
-    name: podman_comfyui
-    image: ghcr.io/ai-dock/comfyui:latest
-    network: bridge
-    device: "nvidia.com/gpu=all"
-    volumes:
-      - "/home/admin/podman/comfyui:/workspace"
-    ports:
-      - "1111:1111"
-      - "8188:8188"
-    env:
-      COMFYUI_PORT_HOST: "8188"
-      DIRECT_ADDRESS: "192.168.0.30"
-      COMFYUI_URL: "http://192.168.0.30:1111"
-      WEB_USER: "admin"
-      WEB_PASSWORD: "{{ rtsp_password }}"
-    quadlet_options:
-      - "AutoUpdate=registry"
-      - "Pull=newer"
-      - |
-        [Service]
-        Restart=always
-        TimeoutStartSec=900
-        [Install]
-        WantedBy=default.target
-
-
 - name: ollama
   containers.podman.podman_container:
     state: quadlet
@@ -87,7 +58,7 @@
       RAG_WEB_SEARCH_ENGINE: "searxng"
       RAG_WEB_SEARCH_RESULT_COUNT: 3
       RAG_WEB_SEARCH_CONCURRENT_REQUESTS: 10
-      SEARXNG_QUERY_URL: "http://192.168.0.30:8880/search?q=<query>"
+      SEARXNG_QUERY_URL: "http://{{ ansible_ssh_host }}:8880/search?q=<query>"
     quadlet_options:
       - "AutoUpdate=registry"
       - "Pull=newer"
@@ -167,6 +138,7 @@
         TimeoutStartSec=900
         [Install]
         WantedBy=default.target
+
 - name: eclipse-mosquitto
   containers.podman.podman_container:
     state: quadlet
@@ -208,7 +180,7 @@
       - "8554:8554"
     env:
       FRIGATE_RTSP_PASSWORD: "{{ rtsp_password }}"
-      YOLO_MODELS: "yolov7-tiny-288"
+      YOLO_MODELS: "yolov7-320"
       USE_FP16: "false"
     quadlet_options:
       - "Tmpfs=/tmp/cache"
@@ -226,16 +198,17 @@
   containers.podman.podman_container:
     state: quadlet
     name: podman_nginx-proxy-manager
-    image: docker.io/jc21/nginx-proxy-manager:2.10.4
+    image: docker.io/jc21/nginx-proxy-manager:latest
     network: bridge
+    #ip: 192.168.50.10
     privileged: true
     volumes:
       - "/home/admin/podman/nginx-proxy-manager:/data"
       - "/home/admin/podman/letsencrypt:/etc/letsencrypt"
     ports:
-      - "5080:80"
-      - "5443:443"
-      - "5081:81"
+      - "80:80"
+      - "443:443"
+      - "81:81"
     env: 
       TZ: "Europe/London"
     quadlet_options:
@@ -274,6 +247,7 @@
     name: podman_gitea
     image: docker.io/gitea/gitea:latest
     network: bridge
+    #ip: 192.168.50.30
     env:
       TZ: "Europe/London"
       DISABLE_REGISTRATION: "true"
@@ -294,19 +268,20 @@
         [Install]
         WantedBy=default.target
 
-- name: nginx_mektem_com
+- name: nginx-personal-site
   containers.podman.podman_container:
     state: quadlet
-    name: podman_nginx_mektem_com
+    name: podman_nginx-personal-site
     image: docker.io/nginx:latest
     network: bridge
+    #ip: 192.168.50.20
     volumes:
       - "/home/admin/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
       - "/home/admin/podman/nginx/html:/usr/share/nginx/html"
     ports:
       "888:80"
     env:
-      NGINX_HOST: "mektem.com"
+      NGINX_HOST: "{{ personal_site_host }}"
       NGINX_PORT: "80"
     quadlet_options:
       - "AutoUpdate=registry"
@@ -328,7 +303,7 @@
       "22300:22300"
     env:
       APP_PORT: "22300"
-      APP_BASE_URL: "https://notes.mektem.com"
+      APP_BASE_URL: "http://{{ ansible_ssh_host }}:22300"
       DB_CLIENT: "pg"
       POSTGRES_PASSWORD: "{{ joplin_password }}"
       POSTGRES_DATABASE: "joplin-db"
@@ -377,6 +352,8 @@
     image: lscr.io/linuxserver/wireguard:latest
     network: bridge
     privileged: true
+    sysctl: net.ipv4.ip_forward=1
+    sysctl: net.ipv4.conf.all.src_valid_mark=1
     cap_add:
       - NET_RAW
       - NET_ADMIN
@@ -388,10 +365,11 @@
       - "51820:51820/udp"
     env:
       TZ: "Europe/London"
-      SERVERURL: "81.99.39.74"
+      PEERDNS: "1.1.1.1"
+      SERVERURL: "{{ public_ip }}"
       SERVERPORT: "51820"
       PEERS: "FarisIOS,FarisMacbook,SafaPhone"
-      ALLOWEDIPS: "0.0.0.0/0"
+      ALLOWEDIPS: "192.168.0.1/24"
       LOG_CONFS: "true"
     quadlet_options:
       - "AutoUpdate=registry"
@@ -416,7 +394,7 @@
       - "3012:3012"
     env:
       TZ: "Europe/London"
-      DOMAIN: "https://vault.mektem.com"
+      DOMAIN: "https://{{ personal_site_host }}"
       SIGNUPS_ALLOWED: "false"
       EXPERIMENTAL_CLIENT_FEATURE_FLAGS: "ssh-key-vault-item,ssh-agent"
     quadlet_options:
@@ -511,6 +489,7 @@
       - "/home/admin/podman/sonarr:/config"
       - "/mnt/media/video/tv:/tv"
       - "/mnt/media/torrents:/downloads"
+      - "/mnt/media/video/anime/tv:/anime-tv"
     ports:
       - "8989:8989"
     env:
@@ -535,6 +514,7 @@
       - "/home/admin/podman/radarr:/config"
       - "/mnt/media/video/movies:/movies"
       - "/mnt/media/torrents:/downloads"
+      - "/mnt/media/video/anime/movies:/anime-movies"
     ports:
       - "7878:7878"
     env:
@@ -572,6 +552,7 @@
         TimeoutStartSec=900
         [Install]
         WantedBy=default.target
+
 - name: lidarr
   containers.podman.podman_container:
     state: quadlet
@@ -596,6 +577,29 @@
         [Install]
         WantedBy=default.target
 
+- name: bazarr
+  containers.podman.podman_container:
+    state: quadlet
+    name: podman_bazarr
+    image: lscr.io/linuxserver/bazarr:latest
+    network: bridge
+    volumes:
+      - "/home/admin/podman/lidarr:/config"
+      - "/mnt/media/video/movies:/movies"
+      - "/mnt/media/video/tv:/tv"
+    ports:
+      - "6767:6767"
+    env:
+      TZ: "Europe/London"
+    quadlet_options:
+      - "AutoUpdate=registry"
+      - "Pull=newer"
+      - |
+        [Service]
+        Restart=always
+        TimeoutStartSec=900
+        [Install]
+        WantedBy=default.target
 
 - name: kiwix
   containers.podman.podman_container:
@@ -708,12 +712,12 @@
         [Install]
         WantedBy=default.target
 
-
 - name: metube
   containers.podman.podman_container:
     state: quadlet
     name: podman_metube
     image: ghcr.io/alexta69/metube:latest
+    network: bridge
     volumes:
       - "/mnt/media/youtube-dl:/downloads"
       - "/mnt/media/audio/music/flac:/music"
@@ -736,18 +740,22 @@
     state: quadlet
     name: podman_unifi-network-application
     image: lscr.io/linuxserver/unifi-network-application:latest
+    network: bridge
     volumes:
       - "/home/admin/podman/unifi-network-application:/config"
     ports:
       - "8443:8443"
       - "10001:10001/udp"
     env:
-      - TZ: "Europe/London"
-      - MONGO_USER: "unifi"
-      - MONGO_PASS: "{{ rtsp_password }}"
-      - MONGO_HOST: "{{ ansible_ssh_host }}"
-      - MONGO_PORT: "27017"
-      - MONGO_DBNAME: "unifi"
+      TZ: "Europe/London"
+      MONGO_INITDB_ROOT_USERNAME: "root"
+      MONGO_INITDB_ROOT_PASSWORD: "{{ rtsp_password }}"
+      MONGO_USER: "unifi"
+      MONGO_PASS: "{{ rtsp_password }}"
+      MONGO_HOST: "{{ ansible_ssh_host }}"
+      MONGO_PORT: "27017"
+      MONGO_DBNAME: "unifi"
+      MONGO_AUTHSOURCE: "admin"
     quadlet_options:
       - "AutoUpdate=registry"
       - "Pull=newer"
@@ -763,16 +771,145 @@
     state: quadlet
     name: podman_unifi-network-application-db
     image: docker.io/mongo:7.0
+    network: bridge
     volumes:
-      - "/home/admin/podman/unifi-db"
+      - "/home/admin/podman/unifi-network-application-db"
+      - "/home/admin/init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro"
     ports:
       - "27017:27017"
     env:
-      - MONGO_USER: "unifi"
-      - MONGO_PASS: "{{ rtsp_password }}"
-      - MONGO_HOST: "{{ ansible_ssh_host }}"
-      - MONGO_PORT: "27017"
-      - MONGO_DBNAME: "unifi"
+      MONGO_USER: "unifi"
+      MONGO_PASS: "{{ rtsp_password }}"
+      MONGO_HOST: "{{ ansible_ssh_host }}"
+      MONGO_PORT: "27017"
+      MONGO_DBNAME: "unifi"
+      MONGO_AUTHSOURCE: "admin"
+    quadlet_options:
+      - "AutoUpdate=registry"
+      - "Pull=newer"
+      - |
+        [Service]
+        Restart=always
+        TimeoutStartSec=900
+        [Install]
+        WantedBy=default.target
+
+- name: tube-archivist
+  containers.podman.podman_container:
+    state: quadlet
+    name: podman_tube-archivist
+    image: docker.io/bbilly1/tubearchivist:latest
+    network: bridge
+    volumes:
+      - "/mnt/media/video/youtube:/youtube"
+      - "/home/admin/podman/tube-archivist/cache"
+    ports:
+      - "8001:8000"
+    env:
+      ES_URL: "http://{{ ansible_ssh_host }}:9200"
+      REDIS_HOST: "{{ ansible_ssh_host }}"
+      REDIS_PORT: "6380"
+      TA_HOST: "{{ ansible_ssh_host }}"
+      TA_USERNAME: "admin"
+      TA_PASSWORD: "{{ rtsp_password }}"
+      ELASTIC_PASSWORD: "{{ rtsp_password }}"
+      TZ: "Europe/London"
+    quadlet_options:
+      - "AutoUpdate=registry"
+      - "Pull=newer"
+      - |
+        [Service]
+        Restart=always
+        TimeoutStartSec=900
+        [Install]
+        WantedBy=default.target
+
+- name: tube-archivist-es
+  containers.podman.podman_container:
+    state: quadlet
+    name: podman_tube-archivist-es
+    image: docker.io/bbilly1/tubearchivist-es:latest
+    network: bridge
+    volumes:
+      - "/home/admin/podman/tube-archivist/es:/usr/share/elasticsearch/data"
+    ports:
+      - "9200:9200"
+    env:
+      ELASTIC_PASSWORD: "{{ rtsp_password }}"       # matching Elasticsearch password
+      ES_JAVA_OPTS: "-Xms1g -Xmx1g"
+      xpack.security.enabled: "true"
+      discovery.type: "single-node"
+      path.repo: "/usr/share/elasticsearch/data/snapshot"
+    quadlet_options:
+      - "AutoUpdate=registry"
+      - "Pull=newer"
+      - |
+        [Service]
+        Restart=always
+        TimeoutStartSec=900
+        [Install]
+        WantedBy=default.target
+
+- name: tube-archivist-redis
+  containers.podman.podman_container:
+    state: quadlet
+    name: podman_tube-archivist-redis
+    image: docker.io/redis/redis-stack-server
+    network: bridge
+    volumes:
+      - "/home/admin/podman/tube-archivist/redis:/data"
+    ports:
+      - "6380:6379"
+    quadlet_options:
+      - "AutoUpdate=registry"
+      - "Pull=newer"
+      - |
+        [Service]
+        Restart=always
+        TimeoutStartSec=900
+        [Install]
+        WantedBy=default.target
+
+- name: archivebox
+  containers.podman.podman_container:
+    state: quadlet
+    name: podman_archivebox
+    image: docker.io/archivebox/archivebox:latest
+    network: bridge
+    volumes:
+      - "/home/admin/podman/archivebox:/data"
+    ports:
+      - "8002:8000"
+    env:
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: "{{ rtsp_password }}"
+      PGID: "1000"
+      PUID: "1000"
+      SEARCH_BACKEND_ENGINE: "sonic"
+      SEARCH_BACKEND_HOST_NAME: "sonic"
+      SEARCH_BACKEND_PASSWORD: "{{ rtsp_password }}"
+    quadlet_options:
+      - "AutoUpdate=registry"
+      - "Pull=newer"
+      - |
+        [Service]
+        Restart=always
+        TimeoutStartSec=900
+        [Install]
+        WantedBy=default.target
+
+- name: zigbee2mqtt
+  containers.podman.podman_container:
+    state: quadlet
+    name: podman_zigbee2mqtt
+    image: docker.io/koenkk/zigbee2mqtt
+    network: bridge
+    device: "/dev/ttyACM0:/dev/ttyACM0"
+    group_add: "keep-groups"
+    volumes:
+      - "/home/admin/podman/zigbee2mqtt:/app/data"
+    ports:
+      - "8808:8080"
     quadlet_options:
       - "AutoUpdate=registry"
       - "Pull=newer"

tasks/pre-podman.yml

@@ -4,3 +4,4 @@
   ansible.builtin.file:
     state: absent
     path: /home/admin/.config/containers/systemd/
+

tasks/setup.yml

@@ -143,6 +143,27 @@
     value: 80
     sysctl_file: /etc/sysctl.d/99-ports.conf
 
+- name: allow rootless wireguard src_valid_mark
+  become: true
+  ansible.posix.sysctl:
+    name: net.ipv4.conf.all.src_valid_mark
+    value: 1
+    sysctl_file: /etc/sysctl.d/99-ports.conf
+
+- name: allow rootless wireguard forwarding all
+  become: true
+  ansible.posix.sysctl:
+    name: net.ipv4.conf.all.forwarding
+    value: 1
+    sysctl_file: /etc/sysctl.d/99-ports.conf
+
+- name: allow rootless wireguard ip_forward
+  become: true
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    sysctl_file: /etc/sysctl.d/99-ports.conf
+
 # this might not be needed, haven't tested
 - name: allow rootless podmad (wireguard) to access net src
   become: true

vault.yml

@@ -1,11 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-30303833326339323836646434313236366533396465303564636439666631366336393833613138
-3731306362373238386361333866343464353030313338640a373135353164303132623231393930
-36653335353866326161333430656634306232343235636666306463623034343234366432303730
-6236653964306161310a323965373830353839366161353236643061396533346463373232383963
-31383934336239616666663332353035656534666438633861656434303136353834313235653536
-61326537393935393730393932393930343134346131353264636263396134356466356266323163
-39363364653436613337636262633961303334363162386265653133393538636332636235663262
-63386231326261663135663462313532303764386533356561356636636563353464613230383938
-39633436643131633665363763323732626137356335376463396565636363313338336634376630
-6164373439633233613463633933313966366532363666343564
+66383037336532363438336262613162663731646161323137653465663138393532323561663633
+3132393938316133323035663233313534626431343731610a393737393461323530646238316266
+39643135653663343836623030653266643738343638346565373239346637336332616139396633
+3037346663633238660a353533383638666631343565306461623230393364343463346232633836
+34353037313932323130393761633438643437393561636635326233386632613633343261373833
+34643233303862393961643366633735623561363038313137383962313666646333636638356637
+63343163366231623336363030366235653665323961616633633733356437643737343836643337
+37373934643230306264613363343932336130383337336435393536613335663265393739383530
+37386230333131396337373130633465653733393830306334303333356536636563363366393031
+66646338356132656665663665636335366564346233623539336432323932333238323066633530
+31343364613265616366616433633661353439333438323230366230663939336361613139383235
+32656664323731363334626230613834663864373232396566363137393233376562353564636638
+37343466643562313261323764326638636264666239313061346134346166343831