From 2ca5418b4f2b3d52d4eaed492b6a8122fd68415d Mon Sep 17 00:00:00 2001 From: admin Date: Thu, 6 Feb 2025 00:53:53 +0000 Subject: [PATCH] obfuscate things --- tasks/podman.yml | 247 +++++++++++++++++++++++++++++++++---------- tasks/pre-podman.yml | 1 + tasks/setup.yml | 21 ++++ vault.yml | 23 ++-- 4 files changed, 227 insertions(+), 65 deletions(-) diff --git a/tasks/podman.yml b/tasks/podman.yml index 2b87386..3c6945c 100755 --- a/tasks/podman.yml +++ b/tasks/podman.yml @@ -20,35 +20,6 @@ [Install] WantedBy=default.target -- name: comfyui - containers.podman.podman_container: - state: quadlet - name: podman_comfyui - image: ghcr.io/ai-dock/comfyui:latest - network: bridge - device: "nvidia.com/gpu=all" - volumes: - - "/home/admin/podman/comfyui:/workspace" - ports: - - "1111:1111" - - "8188:8188" - env: - COMFYUI_PORT_HOST: "8188" - DIRECT_ADDRESS: "192.168.0.30" - COMFYUI_URL: "http://192.168.0.30:1111" - WEB_USER: "admin" - WEB_PASSWORD: "{{ rtsp_password }}" - quadlet_options: - - "AutoUpdate=registry" - - "Pull=newer" - - | - [Service] - Restart=always - TimeoutStartSec=900 - [Install] - WantedBy=default.target - - - name: ollama containers.podman.podman_container: state: quadlet @@ -87,7 +58,7 @@ RAG_WEB_SEARCH_ENGINE: "searxng" RAG_WEB_SEARCH_RESULT_COUNT: 3 RAG_WEB_SEARCH_CONCURRENT_REQUESTS: 10 - SEARXNG_QUERY_URL: "http://192.168.0.30:8880/search?q=" + SEARXNG_QUERY_URL: "http://{{ ansible_ssh_host }}:8880/search?q=" quadlet_options: - "AutoUpdate=registry" - "Pull=newer" @@ -167,6 +138,7 @@ TimeoutStartSec=900 [Install] WantedBy=default.target + - name: eclipse-mosquitto containers.podman.podman_container: state: quadlet @@ -208,7 +180,7 @@ - "8554:8554" env: FRIGATE_RTSP_PASSWORD: "{{ rtsp_password }}" - YOLO_MODELS: "yolov7-tiny-288" + YOLO_MODELS: "yolov7-320" USE_FP16: "false" quadlet_options: - "Tmpfs=/tmp/cache" 
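Review bot: `SEARXNG_QUERY_URL` now derives the service address from `ansible_ssh_host`, which is the deprecated alias of `ansible_host` and describes where Ansible connects, not where the container should reach searxng — the two diverge as soon as the playbook runs through a jump host or against localhost. The same coupling is introduced in the joplin (`@@ -328`), unifi (`@@ -736`) and tube-archivist/mongo (`@@ -763`) hunks. A dedicated inventory variable for the LAN address, e.g. `SEARXNG_QUERY_URL: "http://{{ lan_address }}:8880/search?q="` (variable name illustrative), keeps the obfuscation without tying runtime configuration to the SSH target; at minimum use `ansible_host`. The open-webui task this line belongs to starts and ends outside the hunk.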
@@ -226,16 +198,17 @@ containers.podman.podman_container: state: quadlet name: podman_nginx-proxy-manager - image: docker.io/jc21/nginx-proxy-manager:2.10.4 + image: docker.io/jc21/nginx-proxy-manager:latest network: bridge + #ip: 192.168.50.10 privileged: true volumes: - "/home/admin/podman/nginx-proxy-manager:/data" - "/home/admin/podman/letsencrypt:/etc/letsencrypt" ports: - - "5080:80" - - "5443:443" - - "5081:81" + - "80:80" + - "443:443" + - "81:81" env: TZ: "Europe/London" quadlet_options: @@ -274,6 +247,7 @@ name: podman_gitea image: docker.io/gitea/gitea:latest network: bridge + #ip: 192.168.50.30 env: TZ: "Europe/London" DISABLE_REGISTRATION: "true" @@ -294,19 +268,20 @@ [Install] WantedBy=default.target -- name: nginx_mektem_com +- name: nginx-personal-site containers.podman.podman_container: state: quadlet - name: podman_nginx_mektem_com + name: podman_nginx-personal-site image: docker.io/nginx:latest network: bridge + #ip: 192.168.50.20 volumes: - "/home/admin/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro" - "/home/admin/podman/nginx/html:/usr/share/nginx/html" ports: "888:80" env: - NGINX_HOST: "mektem.com" + NGINX_HOST: "{{ personal_site_host }}" NGINX_PORT: "80" quadlet_options: - "AutoUpdate=registry" @@ -328,7 +303,7 @@ "22300:22300" env: APP_PORT: "22300" - APP_BASE_URL: "https://notes.mektem.com" + APP_BASE_URL: "http://{{ ansible_ssh_host }}:22300" DB_CLIENT: "pg" POSTGRES_PASSWORD: "{{ joplin_password }}" POSTGRES_DATABASE: "joplin-db" @@ -377,6 +352,8 @@ image: lscr.io/linuxserver/wireguard:latest network: bridge privileged: true + sysctl: net.ipv4.ip_forward=1 + sysctl: net.ipv4.conf.all.src_valid_mark=1 cap_add: - NET_RAW - NET_ADMIN 
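Review bot: The reverse proxy moves from the pinned `docker.io/jc21/nginx-proxy-manager:2.10.4` to `:latest` while the task's `AutoUpdate=registry` / `Pull=newer` options (below the hunk, unchanged) re-pull whenever the tag moves, so the TLS-terminating edge service — which also inherits `privileged: true` — will now upgrade itself unreviewed. Keep a pinned tag here, or drop `AutoUpdate=registry` for this one container. The port change also publishes the admin UI on host port 81 next to 80/443; if it only needs local access, `- "127.0.0.1:81:81"` limits the listener to loopback. The added `#ip: 192.168.50.10` is dead configuration (likewise in the gitea and nginx-personal-site hunks) and should be enabled or removed rather than left commented.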
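Review bot: `APP_BASE_URL` changes scheme from `https://` to `http://` and hard-wires port 22300, which is a behaviour change rather than obfuscation: Joplin Server embeds this URL in the links it generates and it is what clients are pointed at, so if the service is still reached through the TLS proxy that the old value implied, links now point at the plaintext port. Moving the whole URL into a vaulted variable, e.g. `APP_BASE_URL: "{{ joplin_base_url }}"` (name illustrative), hides the domain without downgrading the scheme. The joplin task starts and ends outside the hunk.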
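Review bot: The two added `sysctl:` lines are duplicate keys in the same mapping, so the YAML loader keeps only the last one (Ansible emits a duplicate-key warning and `net.ipv4.ip_forward=1` is silently lost), and `containers.podman.podman_container` expects `sysctl` to be a dictionary of name/value pairs rather than `key=value` strings. Replace both lines with `sysctl:` / `  net.ipv4.ip_forward: "1"` / `  net.ipv4.conf.all.src_valid_mark: "1"`, quoting the values so they stay strings. The wireguard task continues above and below this hunk.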
@@ -388,10 +365,11 @@ - "51820:51820/udp" env: TZ: "Europe/London" - SERVERURL: "81.99.39.74" + PEERDNS: "1.1.1.1" + SERVERURL: "{{ public_ip }}" SERVERPORT: "51820" PEERS: "FarisIOS,FarisMacbook,SafaPhone" - ALLOWEDIPS: "0.0.0.0/0" + ALLOWEDIPS: "192.168.0.1/24" LOG_CONFS: "true" quadlet_options: - "AutoUpdate=registry" @@ -416,7 +394,7 @@ - "3012:3012" env: TZ: "Europe/London" - DOMAIN: "https://vault.mektem.com" + DOMAIN: "https://{{ personal_site_host }}" SIGNUPS_ALLOWED: "false" EXPERIMENTAL_CLIENT_FEATURE_FLAGS: "ssh-key-vault-item,ssh-agent" quadlet_options: @@ -511,6 +489,7 @@ - "/home/admin/podman/sonarr:/config" - "/mnt/media/video/tv:/tv" - "/mnt/media/torrents:/downloads" + - "/mnt/media/video/anime/tv:/anime-tv" ports: - "8989:8989" env: @@ -535,6 +514,7 @@ - "/home/admin/podman/radarr:/config" - "/mnt/media/video/movies:/movies" - "/mnt/media/torrents:/downloads" + - "/mnt/media/video/anime/movies:/anime-movies" ports: - "7878:7878" env: @@ -572,6 +552,7 @@ TimeoutStartSec=900 [Install] WantedBy=default.target + - name: lidarr containers.podman.podman_container: state: quadlet @@ -596,6 +577,29 @@ [Install] WantedBy=default.target +- name: bazarr + containers.podman.podman_container: + state: quadlet + name: podman_bazarr + image: lscr.io/linuxserver/bazarr:latest + network: bridge + volumes: + - "/home/admin/podman/lidarr:/config" + - "/mnt/media/video/movies:/movies" + - "/mnt/media/video/tv:/tv" + ports: + - "6767:6767" + env: + TZ: "Europe/London" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target - name: kiwix containers.podman.podman_container: @@ -708,12 +712,12 @@ [Install] WantedBy=default.target - - name: metube containers.podman.podman_container: state: quadlet name: podman_metube image: ghcr.io/alexta69/metube:latest + network: bridge volumes: - "/mnt/media/youtube-dl:/downloads" - "/mnt/media/audio/music/flac:/music" 
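Review bot: `ALLOWEDIPS: "192.168.0.1/24"` is a host address with a /24 mask rather than a network; wireguard-tools generally mask it down, but the peer configs this image generates copy the string verbatim and other tooling may reject it, so write the network form `ALLOWEDIPS: "192.168.0.0/24"`. With that split tunnel the new `PEERDNS: "1.1.1.1"` sends peers' DNS outside the tunnel over whatever network they are on and gives them no resolution for LAN names — presumably intended, but it is a change in exposure worth a comment on the line. Narrowing from `0.0.0.0/0` to the LAN and moving the public address behind `{{ public_ip }}` are otherwise sound, provided `public_ip` is defined in the vault.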
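Review bot: `DOMAIN` now reuses `personal_site_host`, the same variable the nginx-personal-site hunk assigns to `NGINX_HOST`, whereas before the change Vaultwarden had its own `vault.` subdomain distinct from the site's apex. Vaultwarden uses `DOMAIN` as the origin for WebAuthn, for cookies and for generated links, so unless the proxy now serves the vault on the apex this breaks clients; give it its own vaulted variable, e.g. `DOMAIN: "https://{{ vaultwarden_domain }}"` (name illustrative). The vaultwarden task starts and ends outside the hunk.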
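Review bot: The new bazarr task mounts `/home/admin/podman/lidarr:/config`, so bazarr and lidarr (defined just above, outside this hunk) write into the same config directory and will clobber each other's databases; the intended line is `- "/home/admin/podman/bazarr:/config"`. Also add the blank line before `- name: kiwix` that separates every other task in this file.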
@@ -736,18 +740,22 @@ state: quadlet name: podman_unifi-network-application image: lscr.io/linuxserver/unifi-network-application:latest + network: bridge volumes: - "/home/admin/podman/unifi-network-application:/config" ports: - "8443:8443" - "10001:10001/udp" env: - - TZ: "Europe/London" - - MONGO_USER: "unifi" - - MONGO_PASS: "{{ rtsp_password }}" - - MONGO_HOST: "{{ ansible_ssh_host }}" - - MONGO_PORT: "27017" - - MONGO_DBNAME: "unifi" + TZ: "Europe/London" + MONGO_INITDB_ROOT_USERNAME: "root" + MONGO_INITDB_ROOT_PASSWORD: "{{ rtsp_password }}" + MONGO_USER: "unifi" + MONGO_PASS: "{{ rtsp_password }}" + MONGO_HOST: "{{ ansible_ssh_host }}" + MONGO_PORT: "27017" + MONGO_DBNAME: "unifi" + MONGO_AUTHSOURCE: "admin" quadlet_options: - "AutoUpdate=registry" - "Pull=newer" 
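Review bot: `MONGO_INITDB_ROOT_USERNAME` / `MONGO_INITDB_ROOT_PASSWORD` are read by the official mongo image's entrypoint on first start of the database, not (as far as its documented variables show) by the unifi application image, so placing them here hands the root credential to the application container without effect while the database hunk below (`@@ -763`) lacks them. Move the two lines into the `env:` of `podman_unifi-network-application-db` and drop them here. Converting `env` from a list of one-key maps to a plain mapping is the right fix for this module. Note that `{{ rtsp_password }}` now serves as mongo root, unifi user and several other services' admin password in this file; a per-service secret would limit the blast radius of one leak.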
@@ -763,16 +771,145 @@ state: quadlet name: podman_unifi-network-application-db image: docker.io/mongo:7.0 + network: bridge volumes: - - "/home/admin/podman/unifi-db" + - "/home/admin/podman/unifi-network-application-db" + - "/home/admin/init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro" ports: - "27017:27017" env: - - MONGO_USER: "unifi" - - MONGO_PASS: "{{ rtsp_password }}" - - MONGO_HOST: "{{ ansible_ssh_host }}" - - MONGO_PORT: "27017" - - MONGO_DBNAME: "unifi" + MONGO_USER: "unifi" + MONGO_PASS: "{{ rtsp_password }}" + MONGO_HOST: "{{ ansible_ssh_host }}" + MONGO_PORT: "27017" + MONGO_DBNAME: "unifi" + MONGO_AUTHSOURCE: "admin" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target + +- name: tube-archivist + containers.podman.podman_container: + state: quadlet + name: podman_tube-archivist + image: docker.io/bbilly1/tubearchivist:latest + network: bridge + volumes: + - "/mnt/media/video/youtube:/youtube" + - "/home/admin/podman/tube-archivist/cache" + ports: + - "8001:8000" + env: + ES_URL: "http://{{ ansible_ssh_host }}:9200" + REDIS_HOST: "{{ ansible_ssh_host }}" + REDIS_PORT: "6380" + TA_HOST: "{{ ansible_ssh_host }}" + TA_USERNAME: "admin" + TA_PASSWORD: "{{ rtsp_password }}" + ELASTIC_PASSWORD: "{{ rtsp_password }}" + TZ: "Europe/London" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target + +- name: tube-archivist-es + containers.podman.podman_container: + state: quadlet + name: podman_tube-archivist-es + image: docker.io/bbilly1/tubearchivist-es:latest + network: bridge + volumes: + - "/home/admin/podman/tube-archivist/es:/usr/share/elasticsearch/data" + ports: + - "9200:9200" + env: + ELASTIC_PASSWORD: "{{ rtsp_password }}" # matching Elasticsearch password + ES_JAVA_OPTS: "-Xms1g -Xmx1g" + xpack.security.enabled: "true" + discovery.type: 
"single-node" + path.repo: "/usr/share/elasticsearch/data/snapshot" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target + +- name: tube-archivist-redis + containers.podman.podman_container: + state: quadlet + name: podman_tube-archivist-redis + image: docker.io/redis/redis-stack-server + network: bridge + volumes: + - "/home/admin/podman/tube-archivist/redis:/data" + ports: + - "6380:6379" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target + +- name: archivebox + containers.podman.podman_container: + state: quadlet + name: podman_archivebox + image: docker.io/archivebox/archivebox:latest + network: bridge + volumes: + - "/home/admin/podman/archivebox:/data" + ports: + - "8002:8000" + env: + ADMIN_USERNAME: "admin" + ADMIN_PASSWORD: "{{ rtsp_password }}" + PGID: "1000" + PUID: "1000" + SEARCH_BACKEND_ENGINE: "sonic" + SEARCH_BACKEND_HOST_NAME: "sonic" + SEARCH_BACKEND_PASSWORD: "{{ rtsp_password }}" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target + +- name: zigbee2mqtt + containers.podman.podman_container: + state: quadlet + name: podman_zigbee2mqtt + image: docker.io/koenkk/zigbee2mqtt + network: bridge + device: "/dev/ttyACM0:/dev/ttyACM0" + group_add: "keep-groups" + volumes: + - "/home/admin/podman/zigbee2mqtt:/app/data" + ports: + - "8808:8080" quadlet_options: - "AutoUpdate=registry" - "Pull=newer" diff --git a/tasks/pre-podman.yml b/tasks/pre-podman.yml index bb36dc4..a69a939 100755 --- a/tasks/pre-podman.yml +++ b/tasks/pre-podman.yml @@ -4,3 +4,4 @@ ansible.builtin.file: state: absent path: /home/admin/.config/containers/systemd/ + diff --git a/tasks/setup.yml b/tasks/setup.yml index 72e35c0..6fe9a2b 100755 --- a/tasks/setup.yml 
+++ b/tasks/setup.yml @@ -143,6 +143,27 @@ value: 80 sysctl_file: /etc/sysctl.d/99-ports.conf +- name: allow rootless wireguard src_valid_mark + become: true + ansible.posix.sysctl: + name: net.ipv4.conf.all.src_valid_mark + value: 1 + sysctl_file: /etc/sysctl.d/99-ports.conf + +- name: allow rootless wireguard forwarding all + become: true + ansible.posix.sysctl: + name: net.ipv4.conf.all.forwarding + value: 1 + sysctl_file: /etc/sysctl.d/99-ports.conf + +- name: allow rootless wireguard ip_forward + become: true + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: 1 + sysctl_file: /etc/sysctl.d/99-ports.conf + # this might not be needed, haven't tested - name: allow rootless podmad (wireguard) to access net src become: true diff --git a/vault.yml b/vault.yml index 7718cff..014ccfb 100644 --- a/vault.yml +++ b/vault.yml @@ -1,11 +1,14 @@ $ANSIBLE_VAULT;1.1;AES256 -30303833326339323836646434313236366533396465303564636439666631366336393833613138 -3731306362373238386361333866343464353030313338640a373135353164303132623231393930 -36653335353866326161333430656634306232343235636666306463623034343234366432303730 -6236653964306161310a323965373830353839366161353236643061396533346463373232383963 -31383934336239616666663332353035656534666438633861656434303136353834313235653536 -61326537393935393730393932393930343134346131353264636263396134356466356266323163 -39363364653436613337636262633961303334363162386265653133393538636332636235663262 -63386231326261663135663462313532303764386533356561356636636563353464613230383938 -39633436643131633665363763323732626137356335376463396565636363313338336634376630 -6164373439633233613463633933313966366532363666343564 +66383037336532363438336262613162663731646161323137653465663138393532323561663633 +3132393938316133323035663233313534626431343731610a393737393461323530646238316266 +39643135653663343836623030653266643738343638346565373239346637336332616139396633 +3037346663633238660a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
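Review bot: `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` are the same kernel toggle (the `ip_forward` sysctl entry is backed by the `all/forwarding` value), so the second and third tasks are redundant and one should be dropped. Persisting host-wide IPv4 forwarding makes the host a router for every interface, not just the wireguard container, so the host firewall's forward policy should be confirmed to restrict it; the commit also sets `ip_forward` inside the container through the podman `sysctl` option in `tasks/podman.yml`, which may be what the rootless network namespace actually needs, so the host-level setting might be unnecessary — untested here, as the existing comment below already admits. All three tasks append to `/etc/sysctl.d/99-ports.conf`, whose name no longer describes its contents; a separate `sysctl_file: /etc/sysctl.d/99-forwarding.conf` would keep the drop-in readable.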