---
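- name: set localtime (only needed for gitea and frigate)
  # /etc/localtime must be a symlink into the zoneinfo database. In
  # ansible.builtin.file the link *target* goes in `src` and the link *path*
  # in `path` (`dest` is only an alias of `path`), so the previous form
  # (path + dest, no src) could not create the link. The zone can be
  # overridden with `host_timezone`; the default keeps the old hard-coded value.
  become: true
  ansible.builtin.file:
    src: "/usr/share/zoneinfo/{{ host_timezone | default('Europe/London') }}"
    path: /etc/localtime
    state: link
    # Replace a pre-existing regular file at /etc/localtime instead of failing.
    force: true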
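- name: set timezone (only needed for gitea)
  # Debian reads the zone name from /etc/timezone. Writing it with `copy` is
  # idempotent and reports a real change instead of masking every run behind
  # `changed_when: false`, as the previous shell/tee pipeline did.
  become: true
  ansible.builtin.copy:
    content: "{{ host_timezone | default('Europe/London') }}\n"
    dest: /etc/timezone
    owner: root
    group: root
    mode: "0644"
  register: etc_timezone

- name: apply timezone with tzdata (only needed for gitea)
  # dpkg-reconfigure re-derives tzdata's configuration from /etc/timezone;
  # it only needs to run when that file actually changed.
  become: true
  ansible.builtin.command:
    cmd: dpkg-reconfigure -f noninteractive tzdata
  when: etc_timezone.changed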
- name: Update apt and install required programs
  # Refresh the package index and install the host's baseline tooling:
  # container runtime, NFS client, backup tooling and shell conveniences.
  become: true
  ansible.builtin.apt:
    update_cache: true
    state: present
    name:
      # core tooling
      - gpg
      - ansible
      - cron
      - curl
      - git
      - rsync
      # editors / shell conveniences
      - tmux
      - neovim
      - fzf
      # container runtime
      - podman
      # NFS client for the TrueNAS shares mounted below
      - nfs-common
      # off-site backups
      - restic
- name: create mount directories
  # Mount points for the three NFS shares; created as root, idempotent.
  become: true
  ansible.builtin.file:
    path: "/mnt/{{ item }}"
    state: directory
  loop:
    - data
    - services
    - media
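- name: mount shares
  # Mount the three TrueNAS exports (/mnt/pool/<name>) at /mnt/<name> and
  # persist them in fstab. Each share is mounted nosuid,nodev: nothing served
  # over the network should be able to act as a setuid binary or a device node
  # on this host. No `sec=` is given, so NFSv4 falls back to AUTH_SYS and the
  # server trusts client-asserted UIDs -- keep the exports restricted to this
  # host's address on TrueNAS (or use sec=krb5* if the NAS supports it).
  become: true
  ansible.posix.mount:
    path: "/mnt/{{ item }}"
    src: "{{ truenas_ip }}:/mnt/pool/{{ item }}"
    fstype: nfs4
    opts: defaults,auto,rw,nosuid,nodev
    state: mounted
  loop:
    - data
    - services
    - media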
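- name: setup cronjob to sync podman folder to nfs
  # Nightly at 04:00: stop admin's podman_* user units, mirror ~/podman to the
  # NFS share, then bring the units back up. Fixes vs. the previous job:
  #   * `bash 'cmd'` treats the whole quoted string as a script *path*; `-c`
  #     is required to run it as a command, so the old job never ran.
  #   * `systemctl --user` from cron needs XDG_RUNTIME_DIR to reach the user's
  #     systemd instance (linger keeps /run/user/<uid> alive without a login).
  #   * Trailing slashes mirror the *contents* of ~/podman into
  #     /mnt/services/podman/, matching the layout the "initialize
  #     podman-compose" task restores from. The old form nested an extra
  #     podman/ directory on the share; if such a copy exists, `--delete`
  #     removes it on the first run.
  #   * The units are restarted even when rsync fails, and the job still exits
  #     non-zero so cron reports the failure.
  # "podman_*" is quoted so bash does not glob it against the cwd; the glob is
  # left for systemctl to resolve against loaded units.
  become: true
  ansible.builtin.cron:
    minute: "0"
    hour: "4"
    name: "backup"
    user: "admin"
    cron_file: backup
    job: >-
      /bin/bash -c 'export XDG_RUNTIME_DIR=/run/user/$(id -u);
      /usr/bin/systemctl --user stop "podman_*" &&
      /usr/bin/rsync -a --delete /home/admin/podman/ /mnt/services/podman/;
      rc=$?;
      /usr/bin/systemctl --user start "podman_*" --all;
      exit $rc'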
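- name: create restic config directory for admin
  # Holds the credentials file consumed by the backup cron job below.
  become: true
  ansible.builtin.file:
    path: /home/admin/.config/restic
    state: directory
    owner: admin
    group: admin
    mode: "0700"

- name: install restic/B2 credentials for the backup job
  # The credentials are Ansible variables (restic_password, b2_account_id,
  # b2_account_key, optionally restic_repository) that must come from an
  # encrypted source such as ansible-vault -- never literals in this file.
  # Earlier revisions of this file carried live values inline (in the cron
  # line and in a comment); treat those as compromised and rotate them.
  # A 0600 env file also keeps the secrets out of /proc/<pid>/cmdline, where
  # an inline "env VAR=... restic" invocation exposes them to every local
  # user. `quote` makes each value safe to source as shell.
  become: true
  no_log: true
  ansible.builtin.copy:
    content: |
      RESTIC_REPOSITORY={{ restic_repository | default('b2:faris-backup') | quote }}
      RESTIC_PASSWORD={{ restic_password | quote }}
      B2_ACCOUNT_ID={{ b2_account_id | quote }}
      B2_ACCOUNT_KEY={{ b2_account_key | quote }}
    dest: /home/admin/.config/restic/env
    owner: admin
    group: admin
    mode: "0600"

- name: setup cronjob to backup data to b2
  # Daily at 15:40: back up services, family video and data to the B2 repo,
  # then prune snapshots older than a year. `bash -c` is required (a quoted
  # string without -c is taken as a script path, so the old job never ran).
  # The exclude globs are double-quoted so bash does not expand `**` into
  # extra positional backup paths.
  become: true
  ansible.builtin.cron:
    minute: "40"
    hour: "15"
    name: "backup-restic"
    user: "admin"
    cron_file: backup
    job: >-
      /bin/bash -c 'set -a; . /home/admin/.config/restic/env; set +a;
      GOGC=20 restic backup --cache-dir=/home/admin/.cache/restic
      /mnt/services/ /mnt/media/video/family/ /mnt/data/
      --exclude "/mnt/services/cctv/**"
      --exclude "/mnt/services/podman/ollama/models/**"
      --exclude "/mnt/services/immich/encoded-video/**"
      --exclude "/mnt/services/immich/thumbs/**" &&
      restic forget --keep-within 1y --prune --cache-dir=/home/admin/.cache/restic'

# Manual run (as admin), using the same environment as the cron job:
#   set -a; . /home/admin/.config/restic/env; set +a
#   GOGC=20 restic backup --cache-dir=/home/admin/.cache/restic <same paths and --exclude arguments as above>
#   restic forget --keep-within 1y --prune --cache-dir=/home/admin/.cache/restic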
- name: Check if /home/admin/podman exists
  # Drives the two tasks below: the working copy is only created and seeded
  # from the NFS share when it is absent.
  ansible.builtin.stat:
    path: /home/admin/podman
  register: podman_dir

- name: create /home/admin/podman if it doesn't exist
  when: not podman_dir.stat.exists
  ansible.builtin.file:
    state: directory
    path: /home/admin/podman

- name: initialize podman-compose
  # Seed the working copy from the share. Delegating to the target host itself
  # makes synchronize run rsync there, copying share -> home locally rather
  # than from the controller.
  when: not podman_dir.stat.exists
  delegate_to: "{{ inventory_hostname }}"
  ansible.posix.synchronize:
    archive: true
    src: /mnt/services/podman/
    dest: /home/admin/podman
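- name: change podman to overlayfs (system might need to be reset after this)
  # Point rootless podman (running as admin) at the overlay storage driver via
  # ~/.config/containers/storage.conf. Switching drivers on a host that already
  # has images/containers hides the existing store, hence the warning above.
  # Fixes vs. the previous tasks: an unquoted `[storage]` is parsed by YAML as
  # a flow list (["storage"]), not the literal section header; `create: true`
  # replaces the `state: touch` task, which reported a change on every run; and
  # the driver line is matched as an assignment rather than by the substring
  # "driver", which can also occur inside comments.
  block:
    - name: ensure ~/.config/containers exists
      ansible.builtin.file:
        state: directory
        path: /home/admin/.config/containers/

    - name: storage section header
      ansible.builtin.lineinfile:
        path: /home/admin/.config/containers/storage.conf
        create: true
        search_string: "[storage]"
        line: "[storage]"

    - name: overlay driver
      ansible.builtin.lineinfile:
        path: /home/admin/.config/containers/storage.conf
        regexp: '^\s*driver\s*='
        line: "driver = 'overlay'"
        insertafter: '^\[storage\]'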
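- name: kernel network settings for rootless podman and wireguard
  # All settings are written to one drop-in so they persist across reboots.
  # Security notes:
  #   * ip_unprivileged_port_start=80 lets *any* local unprivileged process
  #     bind ports 80-1023, not just podman -- a rogue local user could squat
  #     on e.g. 443 before the intended service starts. Ports below 80 (ssh,
  #     smtp, dns) remain privileged.
  #   * ip_forward / conf.all.forwarding = 1 make this host forward packets
  #     between interfaces; make sure the host firewall restricts what is
  #     forwarded, not just what is accepted locally.
  #   * The previous file set src_valid_mark twice (the second copy flagged as
  #     "might not be needed, haven't tested"); one entry is sufficient.
  become: true
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.d/99-ports.conf
  loop:
    # rootless podman: publish ports below 1024 without root
    - name: net.ipv4.ip_unprivileged_port_start
      value: "80"
    # rootless wireguard: policy routing on fwmark
    - name: net.ipv4.conf.all.src_valid_mark
      value: "1"
    # rootless wireguard: packet forwarding
    - name: net.ipv4.conf.all.forwarding
      value: "1"
    - name: net.ipv4.ip_forward
      value: "1"
  loop_control:
    label: "{{ item.name }}={{ item.value }}"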
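- name: enable linger (so user services start without login required)
  # `admin` owns the podman_* user units and the cron jobs above (everything
  # else in this file targets /home/admin); linger keeps its systemd user
  # instance and /run/user/<uid> alive without a login session. `creates`
  # makes the task idempotent: loginctl records linger as one file per user.
  # The previous form enabled linger for whichever user Ansible connected as.
  become: true
  ansible.builtin.command:
    cmd: loginctl enable-linger admin
    creates: /var/lib/systemd/linger/admin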