obfuscate things

2025-02-06 00:53:53 +00:00 · 2025-02-06 00:53:53 +00:00 · 2ca5418b4f
commit 2ca5418b4f
parent 79c2b93e37
4 changed files with 227 additions and 65 deletions
--- a/tasks/podman.yml
+++ b/tasks/podman.yml
@ -20,35 +20,6 @@
        [Install]
        WantedBy=default.target
 - name: comfyui
  containers.podman.podman_container:
    state: quadlet
    name: podman_comfyui
    image: ghcr.io/ai-dock/comfyui:latest
    network: bridge
    device: "nvidia.com/gpu=all"
    volumes:
      - "/home/admin/podman/comfyui:/workspace"
    ports:
      - "1111:1111"
      - "8188:8188"
    env:
      COMFYUI_PORT_HOST: "8188"
      DIRECT_ADDRESS: "192.168.0.30"
      COMFYUI_URL: "http://192.168.0.30:1111"
      WEB_USER: "admin"
      WEB_PASSWORD: "{{ rtsp_password }}"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: ollama
  containers.podman.podman_container:
    state: quadlet
@ -87,7 +58,7 @@
      RAG_WEB_SEARCH_ENGINE: "searxng"
      RAG_WEB_SEARCH_RESULT_COUNT: 3
      RAG_WEB_SEARCH_CONCURRENT_REQUESTS: 10
-      SEARXNG_QUERY_URL: "http://192.168.0.30:8880/search?q=<query>"
+      SEARXNG_QUERY_URL: "http://{{ ansible_ssh_host }}:8880/search?q=<query>"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
@ -167,6 +138,7 @@
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: eclipse-mosquitto
  containers.podman.podman_container:
    state: quadlet
@ -208,7 +180,7 @@
      - "8554:8554"
    env:
      FRIGATE_RTSP_PASSWORD: "{{ rtsp_password }}"
-      YOLO_MODELS: "yolov7-tiny-288"
+      YOLO_MODELS: "yolov7-320"
      USE_FP16: "false"
    quadlet_options:
      - "Tmpfs=/tmp/cache"
@ -226,16 +198,17 @@
  containers.podman.podman_container:
    state: quadlet
    name: podman_nginx-proxy-manager
-    image: docker.io/jc21/nginx-proxy-manager:2.10.4
+    image: docker.io/jc21/nginx-proxy-manager:latest
    network: bridge
    #ip: 192.168.50.10
    privileged: true
    volumes:
      - "/home/admin/podman/nginx-proxy-manager:/data"
      - "/home/admin/podman/letsencrypt:/etc/letsencrypt"
    ports:
-      - "5080:80"
+      - "80:80"
-      - "5443:443"
+      - "443:443"
-      - "5081:81"
+      - "81:81"
    env: 
      TZ: "Europe/London"
    quadlet_options:
@ -274,6 +247,7 @@
    name: podman_gitea
    image: docker.io/gitea/gitea:latest
    network: bridge
    #ip: 192.168.50.30
    env:
      TZ: "Europe/London"
      DISABLE_REGISTRATION: "true"
@ -294,19 +268,20 @@
        [Install]
        WantedBy=default.target
- name: nginx_mektem_com
+- name: nginx-personal-site
  containers.podman.podman_container:
    state: quadlet
-    name: podman_nginx_mektem_com
+    name: podman_nginx-personal-site
    image: docker.io/nginx:latest
    network: bridge
    #ip: 192.168.50.20
    volumes:
      - "/home/admin/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
      - "/home/admin/podman/nginx/html:/usr/share/nginx/html"
    ports:
      "888:80"
    env:
-      NGINX_HOST: "mektem.com"
+      NGINX_HOST: "{{ personal_site_host }}"
      NGINX_PORT: "80"
    quadlet_options:
      - "AutoUpdate=registry"
@ -328,7 +303,7 @@
      "22300:22300"
    env:
      APP_PORT: "22300"
-      APP_BASE_URL: "https://notes.mektem.com"
+      APP_BASE_URL: "http://{{ ansible_ssh_host }}:22300"
      DB_CLIENT: "pg"
      POSTGRES_PASSWORD: "{{ joplin_password }}"
      POSTGRES_DATABASE: "joplin-db"
@ -377,6 +352,8 @@
    image: lscr.io/linuxserver/wireguard:latest
    network: bridge
    privileged: true
    sysctl: net.ipv4.ip_forward=1
    sysctl: net.ipv4.conf.all.src_valid_mark=1
    cap_add:
      - NET_RAW
      - NET_ADMIN
@ -388,10 +365,11 @@
      - "51820:51820/udp"
    env:
      TZ: "Europe/London"
-      SERVERURL: "81.99.39.74"
+      PEERDNS: "1.1.1.1"
      SERVERURL: "{{ public_ip }}"
      SERVERPORT: "51820"
      PEERS: "FarisIOS,FarisMacbook,SafaPhone"
-      ALLOWEDIPS: "0.0.0.0/0"
+      ALLOWEDIPS: "192.168.0.1/24"
      LOG_CONFS: "true"
    quadlet_options:
      - "AutoUpdate=registry"
@ -416,7 +394,7 @@
      - "3012:3012"
    env:
      TZ: "Europe/London"
-      DOMAIN: "https://vault.mektem.com"
+      DOMAIN: "https://{{ personal_site_host }}"
      SIGNUPS_ALLOWED: "false"
      EXPERIMENTAL_CLIENT_FEATURE_FLAGS: "ssh-key-vault-item,ssh-agent"
    quadlet_options:
@ -511,6 +489,7 @@
      - "/home/admin/podman/sonarr:/config"
      - "/mnt/media/video/tv:/tv"
      - "/mnt/media/torrents:/downloads"
      - "/mnt/media/video/anime/tv:/anime-tv"
    ports:
      - "8989:8989"
    env:
@ -535,6 +514,7 @@
      - "/home/admin/podman/radarr:/config"
      - "/mnt/media/video/movies:/movies"
      - "/mnt/media/torrents:/downloads"
      - "/mnt/media/video/anime/movies:/anime-movies"
    ports:
      - "7878:7878"
    env:
@ -572,6 +552,7 @@
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: lidarr
  containers.podman.podman_container:
    state: quadlet
@ -596,6 +577,29 @@
        [Install]
        WantedBy=default.target
 - name: bazarr
  containers.podman.podman_container:
    state: quadlet
    name: podman_bazarr
    image: lscr.io/linuxserver/bazarr:latest
    network: bridge
    volumes:
      - "/home/admin/podman/lidarr:/config"
      - "/mnt/media/video/movies:/movies"
      - "/mnt/media/video/tv:/tv"
    ports:
      - "6767:6767"
    env:
      TZ: "Europe/London"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: kiwix
  containers.podman.podman_container:
@ -708,12 +712,12 @@
        [Install]
        WantedBy=default.target
 - name: metube
  containers.podman.podman_container:
    state: quadlet
    name: podman_metube
    image: ghcr.io/alexta69/metube:latest
    network: bridge
    volumes:
      - "/mnt/media/youtube-dl:/downloads"
      - "/mnt/media/audio/music/flac:/music"
@ -736,18 +740,22 @@
    state: quadlet
    name: podman_unifi-network-application
    image: lscr.io/linuxserver/unifi-network-application:latest
    network: bridge
    volumes:
      - "/home/admin/podman/unifi-network-application:/config"
    ports:
      - "8443:8443"
      - "10001:10001/udp"
    env:
-      - TZ: "Europe/London"
+      TZ: "Europe/London"
-      - MONGO_USER: "unifi"
+      MONGO_INITDB_ROOT_USERNAME: "root"
-      - MONGO_PASS: "{{ rtsp_password }}"
+      MONGO_INITDB_ROOT_PASSWORD: "{{ rtsp_password }}"
-      - MONGO_HOST: "{{ ansible_ssh_host }}"
+      MONGO_USER: "unifi"
-      - MONGO_PORT: "27017"
+      MONGO_PASS: "{{ rtsp_password }}"
-      - MONGO_DBNAME: "unifi"
+      MONGO_HOST: "{{ ansible_ssh_host }}"
      MONGO_PORT: "27017"
      MONGO_DBNAME: "unifi"
      MONGO_AUTHSOURCE: "admin"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
@ -763,16 +771,145 @@
    state: quadlet
    name: podman_unifi-network-application-db
    image: docker.io/mongo:7.0
    network: bridge
    volumes:
-      - "/home/admin/podman/unifi-db"
+      - "/home/admin/podman/unifi-network-application-db"
      - "/home/admin/init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro"
    ports:
      - "27017:27017"
    env:
-      - MONGO_USER: "unifi"
+      MONGO_USER: "unifi"
-      - MONGO_PASS: "{{ rtsp_password }}"
+      MONGO_PASS: "{{ rtsp_password }}"
-      - MONGO_HOST: "{{ ansible_ssh_host }}"
+      MONGO_HOST: "{{ ansible_ssh_host }}"
-      - MONGO_PORT: "27017"
+      MONGO_PORT: "27017"
-      - MONGO_DBNAME: "unifi"
+      MONGO_DBNAME: "unifi"
      MONGO_AUTHSOURCE: "admin"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: tube-archivist
  containers.podman.podman_container:
    state: quadlet
    name: podman_tube-archivist
    image: docker.io/bbilly1/tubearchivist:latest
    network: bridge
    volumes:
      - "/mnt/media/video/youtube:/youtube"
      - "/home/admin/podman/tube-archivist/cache"
    ports:
      - "8001:8000"
    env:
      ES_URL: "http://{{ ansible_ssh_host }}:9200"
      REDIS_HOST: "{{ ansible_ssh_host }}"
      REDIS_PORT: "6380"
      TA_HOST: "{{ ansible_ssh_host }}"
      TA_USERNAME: "admin"
      TA_PASSWORD: "{{ rtsp_password }}"
      ELASTIC_PASSWORD: "{{ rtsp_password }}"
      TZ: "Europe/London"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: tube-archivist-es
  containers.podman.podman_container:
    state: quadlet
    name: podman_tube-archivist-es
    image: docker.io/bbilly1/tubearchivist-es:latest
    network: bridge
    volumes:
      - "/home/admin/podman/tube-archivist/es:/usr/share/elasticsearch/data"
    ports:
      - "9200:9200"
    env:
      ELASTIC_PASSWORD: "{{ rtsp_password }}"       # matching Elasticsearch password
      ES_JAVA_OPTS: "-Xms1g -Xmx1g"
      xpack.security.enabled: "true"
      discovery.type: "single-node"
      path.repo: "/usr/share/elasticsearch/data/snapshot"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: tube-archivist-redis
  containers.podman.podman_container:
    state: quadlet
    name: podman_tube-archivist-redis
    image: docker.io/redis/redis-stack-server
    network: bridge
    volumes:
      - "/home/admin/podman/tube-archivist/redis:/data"
    ports:
      - "6380:6379"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: archivebox
  containers.podman.podman_container:
    state: quadlet
    name: podman_archivebox
    image: docker.io/archivebox/archivebox:latest
    network: bridge
    volumes:
      - "/home/admin/podman/archivebox:/data"
    ports:
      - "8002:8000"
    env:
      ADMIN_USERNAME: "admin"
      ADMIN_PASSWORD: "{{ rtsp_password }}"
      PGID: "1000"
      PUID: "1000"
      SEARCH_BACKEND_ENGINE: "sonic"
      SEARCH_BACKEND_HOST_NAME: "sonic"
      SEARCH_BACKEND_PASSWORD: "{{ rtsp_password }}"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
      - |
        [Service]
        Restart=always
        TimeoutStartSec=900
        [Install]
        WantedBy=default.target
 - name: zigbee2mqtt
  containers.podman.podman_container:
    state: quadlet
    name: podman_zigbee2mqtt
    image: docker.io/koenkk/zigbee2mqtt
    network: bridge
    device: "/dev/ttyACM0:/dev/ttyACM0"
    group_add: "keep-groups"
    volumes:
      - "/home/admin/podman/zigbee2mqtt:/app/data"
    ports:
      - "8808:8080"
    quadlet_options:
      - "AutoUpdate=registry"
      - "Pull=newer"
--- a/tasks/pre-podman.yml
+++ b/tasks/pre-podman.yml
@ -4,3 +4,4 @@
  ansible.builtin.file:
    state: absent
    path: /home/admin/.config/containers/systemd/
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@ -143,6 +143,27 @@
    value: 80
    sysctl_file: /etc/sysctl.d/99-ports.conf
 - name: allow rootless wireguard src_valid_mark
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.src_valid_mark
    value: 1
    sysctl_file: /etc/sysctl.d/99-ports.conf
 - name: allow rootless wireguard forwarding all
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.forwarding
    value: 1
    sysctl_file: /etc/sysctl.d/99-ports.conf
 - name: allow rootless wireguard ip_forward
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: 1
    sysctl_file: /etc/sysctl.d/99-ports.conf
 # this might not be needed, haven't tested
 - name: allow rootless podmad (wireguard) to access net src
  become: true
--- a/vault.yml
+++ b/vault.yml
@ -1,11 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-30303833326339323836646434313236366533396465303564636439666631366336393833613138
+66383037336532363438336262613162663731646161323137653465663138393532323561663633
-3731306362373238386361333866343464353030313338640a373135353164303132623231393930
+3132393938316133323035663233313534626431343731610a393737393461323530646238316266
-36653335353866326161333430656634306232343235636666306463623034343234366432303730
+39643135653663343836623030653266643738343638346565373239346637336332616139396633
-6236653964306161310a323965373830353839366161353236643061396533346463373232383963
+3037346663633238660a353533383638666631343565306461623230393364343463346232633836
-31383934336239616666663332353035656534666438633861656434303136353834313235653536
+34353037313932323130393761633438643437393561636635326233386632613633343261373833
-61326537393935393730393932393930343134346131353264636263396134356466356266323163
+34643233303862393961643366633735623561363038313137383962313666646333636638356637
-39363364653436613337636262633961303334363162386265653133393538636332636235663262
+63343163366231623336363030366235653665323961616633633733356437643737343836643337
-63386231326261663135663462313532303764386533356561356636636563353464613230383938
+37373934643230306264613363343932336130383337336435393536613335663265393739383530
-39633436643131633665363763323732626137356335376463396565636363313338336634376630
+37386230333131396337373130633465653733393830306334303333356536636563363366393031
-6164373439633233613463633933313966366532363666343564
+66646338356132656665663665636335366564346233623539336432323932333238323066633530
 31343364613265616366616433633661353439333438323230366230663939336361613139383235
 32656664323731363334626230613834663864373232396566363137393233376562353564636638
 37343466643562313261323764326638636264666239313061346134346166343831