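---
# Host provisioning tasks for the podman / NFS box.
#
# Secrets for the restic -> Backblaze B2 job are taken from Ansible Vault
# variables (restic_password, b2_account_key, b2_account_id, and optionally
# restic_repository). They are written to a 0600 env file on the host and
# sourced by the cron job; they are never inlined into /etc/cron.d, whose
# files are world-readable by default.
#
# NOTE(review): earlier revisions of this task file carried the live
# RESTIC_PASSWORD, B2_ACCOUNT_KEY and B2_ACCOUNT_ID in plaintext (in the cron
# job and in a commented-out copy of it). Those values are in VCS history and
# must be rotated on the B2 side and in the restic repository.

- name: set localtime (only needed for gitea and frigate)
  become: true
  ansible.builtin.file:
    # `src` is the link target and `dest` is the link itself. The previous
    # version used `path` + `dest`, which are aliases for the same argument,
    # so no link target was given at all.
    src: /usr/share/zoneinfo/Europe/London
    dest: /etc/localtime
    state: link
    force: true  # replace an existing regular file /etc/localtime

- name: set timezone (only needed for gitea)
  become: true
  ansible.builtin.shell:
    cmd: echo "Europe/London" | tee /etc/timezone && dpkg-reconfigure -f noninteractive tzdata
  # Not idempotent by nature; report no change so runs stay quiet.
  changed_when: false

- name: Update apt and install required programs
  become: true
  ansible.builtin.apt:
    pkg:
      - gpg
      - ansible
      - cron
      - curl
      - git
      - tmux
      - podman
      - neovim
      - nfs-common
      - fzf
      - rsync
      - restic
    state: present
    update_cache: true

- name: create mount directories
  become: true
  ansible.builtin.file:
    path: "/mnt/{{ item }}"
    state: directory
  loop:
    - data
    - services
    - media

- name: mount NFS shares from TrueNAS
  become: true
  ansible.posix.mount:
    path: "/mnt/{{ item }}"
    src: "{{ truenas_ip }}:/mnt/pool/{{ item }}"
    fstype: nfs4
    # nosuid/nodev: nothing served by the NAS should be able to run setuid
    # binaries or expose device nodes on this host.
    opts: defaults,auto,rw,nosuid,nodev
    state: mounted
  loop:
    - data
    - services
    - media

- name: create restic config directory for admin
  become: true
  ansible.builtin.file:
    path: /home/admin/.config/restic
    state: directory
    owner: admin
    mode: "0700"

- name: write restic/B2 credentials to a private env file
  become: true
  # Sourced by the backup cron job (runs as admin), hence owned by admin.
  # restic_repository falls back to the value this file previously hardcoded.
  ansible.builtin.copy:
    dest: /home/admin/.config/restic/env
    owner: admin
    mode: "0600"
    content: |
      RESTIC_PASSWORD='{{ restic_password }}'
      B2_ACCOUNT_KEY='{{ b2_account_key }}'
      B2_ACCOUNT_ID='{{ b2_account_id }}'
      RESTIC_REPOSITORY='{{ restic_repository | default("b2:faris-backup") }}'
  no_log: true  # keep the rendered secrets out of Ansible output/logs

- name: setup cronjob to sync podman folder to nfs
  become: true
  ansible.builtin.cron:
    name: "backup"
    minute: "0"
    hour: "4"
    user: "admin"
    cron_file: backup
    # `bash -c` is required: without -c, bash treats the quoted string as the
    # *path* of a script to run. XDG_RUNTIME_DIR is exported so that
    # `systemctl --user` can reach the user bus from cron (linger is enabled
    # at the end of this file). The trailing slash on the rsync source syncs
    # the directory contents into /mnt/services/podman/, matching the restore
    # task below which copies /mnt/services/podman/ back into /home/admin/podman;
    # without it rsync would create /mnt/services/podman/podman/ instead.
    job: >-
      /bin/bash -c 'export XDG_RUNTIME_DIR=/run/user/$(id -u);
      /usr/bin/systemctl --user stop "podman_*" &&
      /usr/bin/rsync -a --delete /home/admin/podman/ /mnt/services/podman/ &&
      /usr/bin/systemctl --user start "podman_*" --all'

- name: setup cronjob to backup data to b2
  become: true
  ansible.builtin.cron:
    name: "backup-restic"
    minute: "40"
    hour: "15"
    user: "admin"
    cron_file: backup
    # Credentials come from the 0600 env file instead of being inlined in the
    # world-readable cron file. Sourcing them (rather than `env VAR=... cmd`)
    # also makes them visible to the `restic forget` after `&&`; with the old
    # one-shot `env ...` prefix only `restic backup` saw the repository and
    # password. The --exclude patterns are quoted because bash expands an
    # unquoted `/dir/**` like `/dir/*` (globstar is off), which would turn the
    # directory's entries into extra backup paths instead of an exclusion.
    job: >-
      /bin/bash -c 'set -a; . /home/admin/.config/restic/env; set +a;
      export GOGC=20;
      restic backup --cache-dir=/home/admin/.cache/restic
      /mnt/services/ /mnt/media/video/family/ /mnt/data/
      --exclude "/mnt/services/cctv/**"
      --exclude "/mnt/services/podman/ollama/models/**"
      --exclude "/mnt/services/immich/encoded-video/**"
      --exclude "/mnt/services/immich/thumbs/**"
      && restic forget --keep-within 1y --prune --cache-dir=/home/admin/.cache/restic'

- name: Check if /home/admin/podman exists
  ansible.builtin.stat:
    path: /home/admin/podman
  register: podman_dir

- name: create /home/admin/podman if it doesn't exist
  # `state: directory` is idempotent, so no `when` guard is needed here.
  ansible.builtin.file:
    path: /home/admin/podman
    state: directory

- name: initialize podman-compose
  # Seed the local podman tree from the NFS mirror on first provisioning
  # only; on later runs the cron job above is the source of truth.
  ansible.posix.synchronize:
    src: /mnt/services/podman/
    dest: /home/admin/podman
    archive: true
  delegate_to: "{{ inventory_hostname }}"
  when: not podman_dir.stat.exists

- name: change podman to overlayfs (system might need to be reset after this)
  block:
    - name: create directory if doesn't exist
      ansible.builtin.file:
        state: directory
        path: /home/admin/.config/containers/

    - name: create file if doesn't exist
      ansible.builtin.file:
        state: touch
        path: /home/admin/.config/containers/storage.conf
        # keep the task idempotent: do not bump timestamps on every run
        modification_time: preserve
        access_time: preserve

    - name: storage
      ansible.builtin.lineinfile:
        path: /home/admin/.config/containers/storage.conf
        # Quoted: an unquoted `[storage]` is parsed by YAML as a flow
        # sequence, not the literal section header.
        search_string: "[storage]"
        line: "[storage]"

    - name: overlay
      ansible.builtin.lineinfile:
        path: /home/admin/.config/containers/storage.conf
        search_string: driver
        line: driver = 'overlay'

- name: allow rootless podman to bind ports 80 and above
  become: true
  # Lowers the unprivileged-port floor system-wide: any local unprivileged
  # process, not just podman, can then bind 80+ (ports 1-79 stay privileged).
  ansible.posix.sysctl:
    name: net.ipv4.ip_unprivileged_port_start
    value: "80"
    sysctl_file: /etc/sysctl.d/99-ports.conf

- name: allow rootless wireguard src_valid_mark
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.src_valid_mark
    value: "1"
    sysctl_file: /etc/sysctl.d/99-ports.conf

- name: allow rootless wireguard forwarding all
  become: true
  # Turns this host into an IPv4 router; make sure the firewall policy for
  # forwarded traffic is deliberate before enabling.
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.forwarding
    value: "1"
    sysctl_file: /etc/sysctl.d/99-ports.conf

- name: allow rootless wireguard ip_forward
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_file: /etc/sysctl.d/99-ports.conf

# (A second, identical src_valid_mark sysctl task was removed; the setting
# is already applied above.)

- name: enable linger (so user services start without login required)
  # `creates` makes this idempotent: loginctl records linger state under
  # /var/lib/systemd/linger/<user>. Relies on gathered facts for the
  # connecting user's name.
  ansible.builtin.command:
    cmd: loginctl enable-linger
    creates: "/var/lib/systemd/linger/{{ ansible_user_id }}"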