From d096cc7e8f7f9d0bd2414347f84b38a1276990f0 Mon Sep 17 00:00:00 2001
From: admin
Date: Sat, 1 Feb 2025 13:08:53 +0000
Subject: [PATCH] stabalize containers
---
 tasks/nvidia.yml | 46 +++++++++++++
 tasks/podman.yml | 165 +++++++++++++++++++++++++++++++++++++++++++++--
 tasks/setup.yml | 59 +++++++++++++----
 vars | 4 +-
 vault.yml | 11 ++++
 5 files changed, 262 insertions(+), 23 deletions(-)
 create mode 100644 vault.yml
diff --git a/tasks/nvidia.yml b/tasks/nvidia.yml
index 8c2e8a2..74b27a1 100755
--- a/tasks/nvidia.yml
+++ b/tasks/nvidia.yml
@@ -1,8 +1,46 @@ + +- name: Create systemd service file for NVIDIA CDI generator + become: true + ansible.builtin.copy: + dest: /etc/systemd/system/nvidia-cdi-generator.service + content: | + [Unit] + Description=Generate NVIDIA CDI YAML for Docker at boot + After=network.target + + [Service] + Type=oneshot + ExecStart=/usr/bin/nvidia-ctk cdi generate --output /var/run/cdi/nvidia.yaml + RemainAfterExit=true + + [Install] + WantedBy=multi-user.target +- name: reload systemd daemon + ansible.builtin.systemd_service: + scope: user + daemon_reload: true + +- name: Enable the NVIDIA CDI generator service + become: true + ansible.builtin.systemd_service: + name: nvidia-cdi-generator.service + enabled: yes + +- name: add contrib and nonfree + become: true + ansible.builtin.apt_repository: + repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} main contrib non-free non-free-firmware + state: present + - name: install nvidia-container-toolkit repo become: true ansible.builtin.shell: cmd: "curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --yes --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | tee /etc/apt/sources.list.d/nvidia-container-toolkit.list" +- name: Gather current kernel version + ansible.builtin.shell: uname -r + register: kernel_version + - name: install Nvidia driver become: true ansible.builtin.apt: @@ -10,7 +48,14 @@ - nvidia-container-toolkit - nvidia-driver - firmware-misc-nonfree + - "linux-headers-{{ kernel_version.stdout }}" state: present + update_cache: true + register: updated_driver + +- name: Unconditionally reboot the machine with all defaults + ansible.builtin.reboot: + when: updated_driver.changed - name: configure nvidia for rootless podman become: true 
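Review bot: The `reload systemd daemon` task runs `daemon_reload` with `scope: user` and no `become`, but the unit it is meant to pick up was just written to `/etc/systemd/system/`, i.e. the system manager, so that reload looks like a no-op for this unit; change it to `become: true` with `scope: system` (or drop `scope`), or simply put `daemon_reload: true` on the enable task that follows. The enable task should use `enabled: true` rather than `enabled: yes`, matching the `true`/`false` literals used elsewhere in the file. The `Gather current kernel version` shell task can be replaced by the `ansible_kernel` fact, which avoids a shell call and a task that reports changed on every run; if it stays, add `changed_when: false`. The unit's `Description=` still says Docker although the playbook targets rootless podman, and `After=network.target` is unnecessary for a local `nvidia-ctk cdi generate`; a comment on the task such as `# generates /var/run/cdi/nvidia.yaml at boot so the nvidia.com/gpu=all device works for podman` would explain why this is a system-scope unit.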
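Review bot: The new reboot task has no `become: true` while every other privileged task in this file sets it explicitly, so unless become is enabled at play level (not visible here) `ansible.builtin.reboot` will fail to issue the shutdown as the unprivileged connection user; add `become: true` next to `ansible.builtin.reboot:`. Its name, `Unconditionally reboot the machine with all defaults`, contradicts the `when: updated_driver.changed` guard and reads like a copied module example; rename it to something like `Reboot when the NVIDIA driver or kernel headers changed`. That guard also fires on the first run of the playbook, which is presumably intended but worth a one-line comment, e.g. `# a fresh driver/header install needs a reboot before the CDI spec can be generated`. The apt task's opening lines are in the previous hunk.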
@@ -19,3 +64,4 @@ register: nvidia_ctk_result ignore_errors: true failed_when: nvidia_ctk+result.rc != 1 + diff --git a/tasks/podman.yml b/tasks/podman.yml index c5fe875..0c9e87d 100755 --- a/tasks/podman.yml +++ b/tasks/podman.yml @@ -14,16 +14,49 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target +- name: comfyui + containers.podman.podman_container: + state: quadlet + name: podman_comfyui + image: ghcr.io/ai-dock/comfyui:latest + network: bridge + device: "nvidia.com/gpu=all" + volumes: + - "/home/admin/podman/comfyui:/workspace" + ports: + - "1111:1111" + - "8188:8188" + env: + COMFYUI_PORT_HOST: "8188" + DIRECT_ADDRESS: "192.168.0.30" + COMFYUI_URL: "http://192.168.0.30:1111" + WEB_USER: "admin" + WEB_PASSWORD: "{{ rtsp_password }}" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target + + - name: ollama containers.podman.podman_container: state: quadlet name: podman_ollama image: docker.io/ollama/ollama:latest network: bridge - volumes: + device: "nvidia.com/gpu=all" + volumes: - "/home/admin/podman/ollama:/root/.ollama" ports: - "11434:11434" @@ -33,6 +66,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -56,6 +92,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -73,6 +112,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target 
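Review bot: The new `comfyui` container reuses `rtsp_password` as `WEB_PASSWORD` for a web UI published on ports `1111` and `8188`, so the camera RTSP credential and the ComfyUI login become one secret and cannot be rotated independently; give it its own vault variable, e.g. `WEB_PASSWORD: "{{ comfyui_web_password }}"`. `DIRECT_ADDRESS` and `COMFYUI_URL` hard-code `192.168.0.30`; a variable (or `{{ ansible_default_ipv4.address }}`) keeps the host address in one place. The identical three-line `[Service]` block with `Restart=always` and `TimeoutStartSec=900` is appended to every container in this file (this hunk and the following ones through `@@ -578,5 +725,9 @@`); defining it once as a variable such as `quadlet_service_block` and appending it to each `quadlet_options` list would make a future change to the restart policy a one-line edit. `Restart=always` with no `RestartSec=` will also restart a container that fails at startup as fast as systemd allows until the start limit is hit; adding `RestartSec=10` to that shared block is the usual mitigation.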
@@ -82,18 +124,25 @@ name: podman_jellyfin image: docker.io/jellyfin/jellyfin network: bridge - volumes: + device: "nvidia.com/gpu=all" + volumes: - "/home/admin/podman/jellyfin:/config" - "/mnt/media/video/movies:/movies:ro" - "/mnt/media/video/tv:/tv:ro" - "/mnt/media/audio/music/flac:/music:ro" - - "/mnt/media/video/Family:/family:ro" + - "/mnt/media/video/family:/family:ro" + - "/mnt/media/video/anime/tv:/anime-tv:ro" + - "/mnt/media/video/anime/movies:/anime-movies:ro" + - "/mnt/media/video/livetv:/livetv:ro" ports: - "8096:8096" quadlet_options: - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -113,6 +162,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target - name: eclipse-mosquitto @@ -130,6 +182,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -139,10 +194,13 @@ name: podman_frigate image: "ghcr.io/blakeblackshear/frigate:{{ frigate_version }}" network: bridge + device: "nvidia.com/gpu=all" + privileged: true volumes: - /etc/localtime:/etc/localtime:ro - /home/admin/podman/frigate:/config - - /mnt/share/services/cctv:/media/frigate + - /mnt/services/cctv:/media/frigate + - /usr/lib/x86_64-linux-gnu/libcuda.so:/usr/lib/x86_64-linux-gnu/libcuda.so:ro ports: - "5005:5000" - "5001:8971" @@ -150,12 +208,17 @@ - "8554:8554" env: FRIGATE_RTSP_PASSWORD: "{{ rtsp_password }}" + YOLO_MODELS: "yolov7-tiny-288" + USE_FP16: "false" quadlet_options: - "Tmpfs=/tmp/cache" - "ShmSize=128mb" - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -179,6 +242,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target 
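Review bot: `privileged: true` is added to the `frigate` container in the `@@ -139,10 +194,13 @@` hunk alongside `device: "nvidia.com/gpu=all"`; the CDI device line already grants the GPU, and `privileged` switches off the container's capability, seccomp and device isolation entirely, so if it was added only to get TensorRT working it should be dropped, and if it is needed for something else (a USB or PCI accelerator, for instance) that reason belongs in a comment next to it. Bind-mounting the host's `libcuda.so` into the container ties the image to the exact host driver build and should be unnecessary once the CDI spec is in use, since `nvidia-ctk cdi generate` records the driver library mounts itself; I would try removing that volume and keeping only the device. Neither change can be verified from the diff, so a note such as `# privileged + libcuda mount: required for <reason>` would help the next reader. The container definition starts before this hunk.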
@@ -196,6 +262,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -219,6 +288,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -240,6 +312,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -264,6 +339,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -286,6 +364,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -316,6 +397,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -339,6 +423,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -359,6 +446,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -383,6 +473,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -402,6 +495,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -423,6 +519,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target 
@@ -444,9 +543,35 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target +- name: readarr + containers.podman.podman_container: + state: quadlet + name: podman_readarr + image: lscr.io/linuxserver/readarr:develop + network: bridge + volumes: + - "/home/admin/podman/readarr:/config" + - "/mnt/media/books:/books" + - "/mnt/media/torrents:/downloads" + ports: + - "8787:8787" + env: + TZ: "Europe/London" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - | + [Service] + Restart=always + TimeoutStartSec=900 + [Install] + WantedBy=default.target - name: lidarr containers.podman.podman_container: state: quadlet @@ -465,6 +590,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -477,13 +605,16 @@ network: bridge command: "*.zim" volumes: - - "/mnt/share/shared/Faris/1 documents/zim:/data" + - "/mnt/media/kiwix:/data" ports: - "8088:8080" quadlet_options: - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -494,8 +625,9 @@ name: podman_immich-server image: "ghcr.io/immich-app/immich-server:{{ immich_version }}" network: bridge + device: "nvidia.com/gpu=all" volumes: - - "/mnt/share/services/immich:/usr/src/app/upload" + - "/mnt/services/immich:/usr/src/app/upload" - "/etc/localtime:/etc/localtime:ro" ports: - "2283:2283" @@ -505,6 +637,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target 
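Review bot: `readarr` is pinned to the `develop` tag while `AutoUpdate=registry` and `Pull=newer` are set, so every development build linuxserver publishes will be pulled and started automatically, with read/write access to `/mnt/media/books` and `/mnt/media/torrents`; if readarr offers no stable channel, pin a specific version tag or digest and treat updates for this one container as deliberate rather than automatic, and say so in a comment, e.g. `# develop: readarr has no stable release yet - pinned on purpose`. The other containers in this file that follow the linuxserver pattern are not visible in this hunk; if they set `PUID`/`PGID`, readarr should match so the files it writes under the mounts get the expected owner. The quadlet otherwise follows its neighbours' structure.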
@@ -512,16 +647,22 @@ containers.podman.podman_container: state: quadlet name: podman_immich-machine-learning - image: "ghcr.io/immich-app/immich-machine-learning:{{ immich_version }}" + image: "ghcr.io/immich-app/immich-machine-learning:{{ immich_version }}-cuda" network: bridge + device: "nvidia.com/gpu=all" volumes: - "/home/admin/podman/immich/cache:/cache" env_file: - "/home/admin/podman/.env" + ports: + - "3003:3003" quadlet_options: - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -537,6 +678,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -558,6 +702,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target @@ -578,5 +725,9 @@ - "AutoUpdate=registry" - "Pull=newer" - | + [Service] + Restart=always + TimeoutStartSec=900 [Install] WantedBy=default.target + diff --git a/tasks/setup.yml b/tasks/setup.yml index 7ccecd0..72e35c0 100755 --- a/tasks/setup.yml +++ b/tasks/setup.yml @@ -29,15 +29,20 @@ - nfs-common - fzf - rsync + - restic state: present update_cache: true - name: create mount directories become: true block: - - name: create /mnt/share + - name: create /mnt/data ansible.builtin.file: - path: /mnt/share + path: /mnt/data + state: directory + - name: create /mnt/services + ansible.builtin.file: + path: /mnt/services state: directory - name: create /mnt/media ansible.builtin.file: @@ -49,11 +54,18 @@ block: - name: mount data ansible.posix.mount: - path: /mnt/share + path: /mnt/data src: "{{ truenas_ip }}:/mnt/pool/data" fstype: nfs4 opts: defaults,auto,rw state: mounted + - name: mount services + ansible.posix.mount: + path: /mnt/services + src: "{{ truenas_ip }}:/mnt/pool/services" + fstype: nfs4 + opts: defaults,auto,rw + state: mounted - name: mount media ansible.posix.mount: path: /mnt/media 
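Review bot: The new `ports: - "3003:3003"` on `immich-machine-learning` publishes the machine-learning API on every host interface, and as far as I know that service has no authentication of its own — it is meant to be reached only by `immich-server`. If the port is being published because both containers sit on the plain `bridge` network and cannot reach each other by name, the cleaner fix is a named podman network (via `containers.podman.podman_network`) with `network: immich` on both containers, after which the server can reach the ML container by name on 3003 and no host port is needed. If the publish has to stay, bind it to the specific address the server uses rather than all interfaces, and add `# ML API is unauthenticated; published only for immich-server on this host` above it. The `-cuda` image tag and the GPU device look consistent with the other GPU-enabled containers in this commit.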
@@ -62,27 +74,46 @@ opts: defaults,auto,rw state: mounted -- name: setup backup +- name: setup cronjob to sync podman folder to nfs become: true ansible.builtin.cron: minute: "0" hour: "4" name: "backup" - user: "root" - job: "/bin/bash '/mnt/share/services/scripts/backup.sh'" + user: "admin" + job: "/bin/bash '/usr/bin/systemctl --user stop podman_* && /usr/bin/rsync -a --delete /home/admin/podman /mnt/services/podman && /usr/bin/systemctl --user start podman_* --all'" cron_file: backup -- name: check for podman folder +- name: setup cronjob to backup data to b2 + become: true + ansible.builtin.cron: + minute: "40" + hour: "15" + name: "backup-restic" + user: "admin" + job: /bin/bash "env RESTIC_PASSWORD='Outshine-Playmaker-Earthen' B2_ACCOUNT_KEY='004e1d35edc52cd716719a747edd66d5f42111d604' B2_ACCOUNT_ID='257549133968' RESTIC_REPOSITORY='b2:faris-backup' GOGC=20 restic backup --cache-dir=/home/admin/.cache/restic /mnt/services/ /mnt/media/video/family/ /mnt/data/ --exclude /mnt/services/cctv/** --exclude /mnt/services/podman/ollama/models/** --exclude /mnt/services/immich/encoded-video/** --exclude /mnt/services/immich/thumbs/** && restic forget --keep-within 1y --prune --cache-dir=/home/admin/.cache/restic" + + cron_file: backup + +# env RESTIC_PASSWORD="Outshine-Playmaker-Earthen3" B2_ACCOUNT_KEY="004e1d35edc52cd716719a747edd66d5f42111d604" B2_ACCOUNT_ID="257549133968" RESTIC_REPOSITORY="b2:faris-backup" GOGC=20 restic backup --cache-dir=/home/admin/.cache/restic /mnt/services/ /mnt/media/video/family/ /mnt/data/ --exclude /mnt/services/cctv/** --exclude /mnt/services/podman/ollama/models/** --exclude /mnt/services/immich/encoded-video --exclude /mnt/services/immich/thumbs && restic forget --keep-within 1y --prune --cache-dir=/home/admin/.cache/restic +- name: Check if /home/admin/podman exists + ansible.builtin.stat: + path: /home/admin/podman + register: podman_dir + +- name: create /home/admin/podman if it doesn't exist ansible.builtin.file: path: 
/home/admin/podman state: directory -# - name: initialize podman-compose -# become: true -# ignore_errors: true -# ansible.posix.synchronize: -# src: /mnt/share/DUNNO -# dest: /home/admin -# checksum: true + when: not podman_dir.stat.exists + +- name: initialize podman-compose + ansible.posix.synchronize: + src: /mnt/services/podman/ + dest: /home/admin/podman + archive: true + delegate_to: "{{ inventory_hostname }}" + when: not podman_dir.stat.exists - name: change podman to overlayfs (system might need to be reset after this) block: diff --git a/vars b/vars index 1ee3939..9291b48 100755 --- a/vars +++ b/vars @@ -1,2 +1,2 @@ -immich_version: v1.124.2 -frigate_version: 0.14.1 +immich_version: v1.125.7 +frigate_version: 0.15.0-rc1-tensorrt diff --git a/vault.yml b/vault.yml new file mode 100644 index 0000000..7718cff --- /dev/null +++ b/vault.yml @@ -0,0 +1,11 @@ +$ANSIBLE_VAULT;1.1;AES256 +30303833326339323836646434313236366533396465303564636439666631366336393833613138 +3731306362373238386361333866343464353030313338640a373135353164303132623231393930 +36653335353866326161333430656634306232343235636666306463623034343234366432303730 +6236653964306161310a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
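Review bot: The `setup cronjob to backup data to b2` task embeds the restic repository password and the B2 account key and ID as plaintext literals in its `job:` string, and a second copy (with a different password) survives in the commented-out line below it; this commit already introduces `vault.yml`, so these belong there as vault variables referenced the way `rtsp_password` is elsewhere, and values that have been committed should be treated as exposed and rotated. Even when vaulted, passing them as `env VAR=... restic ...` on the cron command line writes them into `/etc/cron.d/backup` (typically world-readable) and keeps them in the `bash -c` argv for the whole run, where any local user can read them; restic reads `RESTIC_PASSWORD_FILE`/`--password-file` and takes `B2_ACCOUNT_ID`/`B2_ACCOUNT_KEY` from the environment, so deploy a mode `0600` env file owned by `admin` and source it in the job, or run the backup from a user systemd timer with `EnvironmentFile=`. Both new `job:` strings also invoke `/bin/bash '<entire command>'` without `-c`, so bash will look for a script file whose name is the whole quoted command; they need `/bin/bash -c '...'` and `/bin/bash -c "..."` respectively, and the first job's `systemctl --user` calls will additionally need `XDG_RUNTIME_DIR=/run/user/<admin uid>` in the cron environment (plus lingering enabled for `admin`) to find the user manager. The commented-out duplicate command should be deleted rather than kept as documentation. The hunk's `create /home/admin/podman` and `synchronize` tasks look fine on their own.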