


Renovate Bot
8a9c2d1b07 Update php Docker tag to v8 2024-12-16 22:00:42 +00:00
13 changed files with 38 additions and 104 deletions


@ -82,7 +82,6 @@ services:
- 'gitea.mycomputer.party:10.11.1.15' - 'gitea.mycomputer.party:10.11.1.15'
- 'pbs pbs.mycomputer.party:10.11.1.30' - 'pbs pbs.mycomputer.party:10.11.1.30'
- 'immich immich.mycomputer.party:10.11.1.13' - 'immich immich.mycomputer.party:10.11.1.13'
- 'wireguard wireguard.injust.us:10.11.1.9'
restart: always restart: always


@ -1,7 +1,7 @@
[Interface] [Interface]
Address = {{ wg_interface_ip }} Address = {{ wg_interface_ip }}
ListenPort = 51820 ListenPort = 51820
PrivateKey = {{ bastion_wg_private_key}} PrivateKey = {{ wg_private_key}}
#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination #https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
PostUp = iptables -t nat -N Inbound PostUp = iptables -t nat -N Inbound
PostUp = iptables -t nat -A PREROUTING -d {{ public_ip }} -j Inbound PostUp = iptables -t nat -A PREROUTING -d {{ public_ip }} -j Inbound
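Review bot: Taking the right-hand text as the new side, `PrivateKey = {{ wg_private_key}}` now references a variable that no vars file in this compare defines; the vars file added in this same compare sets `bastion_wg_private_key`, which is exactly the name the old line used. Unless `wg_private_key` is supplied by a role default or host_vars outside this page, the template task will stop on an undefined variable, so either keep the old name or add the new one where the other WireGuard variables live. If the rename is intentional, match the brace spacing of the other expressions in the file: `PrivateKey = {{ wg_private_key }}`. The [Interface] block continues past the hunk.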


@ -353,7 +353,7 @@ services:
restart: unless-stopped restart: unless-stopped
# To use a pre-built image, remove the above "build" section # To use a pre-built image, remove the above "build" section
# and uncomment the following line: # and uncomment the following line:
image: healthchecks/healthchecks:v3.8 image: healthchecks/healthchecks:v3.7
env_file: env_file:
- .healthchecks-env - .healthchecks-env
ports: ports:
@ -519,36 +519,6 @@ services:
- traefik.http.routers.wiki.tls=true - traefik.http.routers.wiki.tls=true
- "traefik.http.routers.wiki.entrypoints=websecure" - "traefik.http.routers.wiki.entrypoints=websecure"
- "traefik.http.routers.wiki.tls.certresolver=myresolver" - "traefik.http.routers.wiki.tls.certresolver=myresolver"
plik:
image: rootgg/plik:1.3.8
container_name: plik
volumes:
- ./plik/plikd.cfg:/home/plik/server/plikd.cfg
- ./plik/data:/data
ports:
- 8015:8080
restart: "unless-stopped"
labels:
- "traefik.http.routers.plik.rule=Host(`plik.mycomputer.party`)"
- traefik.http.routers.plik.tls=true
- "traefik.http.routers.plik.entrypoints=websecure"
- "traefik.http.routers.plik.tls.certresolver=myresolver"
cmg:
image: gitea.mycomputer.party/justus/cmg:latest
container_name: cmg
volumes:
- ./cmg/static:/usr/local/app/static
- ./cmg/templates:/usr/local/app/templates
- ./cmg/menu:/usr/local/app/menu
ports:
- 8016:5000
restart: unless-stopped
labels:
- "traefik.http.routers.cmg.rule=Host(`cocktailmenu.mycomputer.party`)"
- traefik.http.routers.cmg.tls=true
- "traefik.http.routers.cmg.entrypoints=websecure"
- "traefik.http.routers.cmg.tls.certresolver=myresolver"
volumes: volumes:
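Review bot: Read with the right-hand text as the new side, the second hunk moves `healthchecks/healthchecks` from v3.8 back to v3.7 and the third hunk drops the `plik` and `cmg` services entirely, none of which matches a commit about a php tag; the compared branch appears to be behind its base. The same pattern shows in the gitea-runner compose hunk, which loses `restart: always`, and in the wireguard role task hunk, which loses `update_cache: true`, so merging this compare as-is would revert those. If this is a stale Renovate branch, rebase it onto the base before merging and re-check that only the php tag changes. The services mapping continues outside both hunks.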


@ -1,7 +1,8 @@
[Interface] [Interface]
PrivateKey = {{ homeserver_wg_private_key }} PrivateKey = {{ docker_ext_wg_private_key }}
Address = 10.11.20.2/24 Address = 10.11.20.2/24
ListenPort = 51820 ListenPort = 51820
DNS = 10.11.1.10
[Peer] [Peer]
PublicKey = {{ bastion_wg_public_key }} PublicKey = {{ bastion_wg_public_key }}
@ -9,3 +10,15 @@ AllowedIPs = 0.0.0.0/0
Endpoint = vps.mycomputer.party:51820 Endpoint = vps.mycomputer.party:51820
PersistentKeepalive = 25 PersistentKeepalive = 25
#MacBook
[Peer]
PublicKey = /A0WduzRrt/LwKmGm6lq/+TS/1gBekU86FSdhvUo82M=
AllowedIPs = 10.11.20.4
[Peer]
PublicKey = eEHA7CSOR5nha9w4SCB+tOXcuCxgkxIXtNU3xB7wZn4=
AllowedIPs = 10.11.20.5/32
[Peer]
PublicKey = QJmTVggRFs6Df/snbb3Fx3PeFFeaOqy3eUruV0eIXyE=
AllowedIPs = 10.11.20.6/32
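Review bot: The three new `[Peer]` blocks carry no identifying comment apart from `#MacBook` on the first, while the docker_int config deleted in this same compare labelled the same public keys `#Work` and `#Phone`; keep those labels so a peer can be revoked without guessing which device a key belongs to. `AllowedIPs = 10.11.20.4` on the first peer has no prefix length — wg treats a bare IPv4 address as /32, but write `AllowedIPs = 10.11.20.4/32` like the other two peers so the intent is explicit. The added `DNS = 10.11.1.10` line makes wg-quick invoke resolvconf when the interface comes up, and the wireguard role task in this compare installs only the `wireguard` package, so confirm resolvconf or openresolv is present on docker-ext or `wg-quick up` will fail. The bastion `[Peer]` block continues past the first hunk.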

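--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -8,7 +8,6 @@ services:
 GITEA_INSTANCE_URL: "{{ gitea_instance_url }}"
 GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_token }}"
 GITEA_RUNNER_NAME: "{{ gitea_runner_name }}"
-restart: always
 volumes:
 - ./config.yaml:/config.yaml
 - ./data:/data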

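--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,22 +0,0 @@
-[Interface]
-PrivateKey = {{ docker_int_wg_private_key }}
-#pub V7kI33VgyxtJXRGWH0yTnbUXPqE4ZK8wQGPilVUXlWo=
-Address = 10.11.19.1/24
-ListenPort = 51820
-#PostUp = iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
-#PostDown = iptables -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE -t nat
-#MacBook
-[Peer]
-PublicKey = /A0WduzRrt/LwKmGm6lq/+TS/1gBekU86FSdhvUo82M=
-AllowedIPs = 10.11.19.4
-#Work
-[Peer]
-PublicKey = eEHA7CSOR5nha9w4SCB+tOXcuCxgkxIXtNU3xB7wZn4=
-AllowedIPs = 10.11.19.5/32
-#Phone
-[Peer]
-PublicKey = QJmTVggRFs6Df/snbb3Fx3PeFFeaOqy3eUruV0eIXyE=
-AllowedIPs = 10.11.19.6/32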


@ -94,27 +94,18 @@
- name: Prune images - name: Prune images
ansible.builtin.shell: docker image prune -f ansible.builtin.shell: docker image prune -f
- name: Homeserver wireguard - name: Local server Wireguard
hosts: hosts:
- docker-ext - docker-ext
tags: tags:
- bastion - bastion
tasks: tasks:
- name: "Homeserver Wireguard config" - name: "Local server Wireguard"
ansible.builtin.template: ansible.builtin.template:
src: assets/{{ inventory_hostname }}/wg0.conf.j2 src: assets/{{ inventory_hostname }}/wg0.conf.j2
dest: /etc/wireguard/wg0.conf dest: /etc/wireguard/wg0.conf
backup: true backup: true
- name: Setup Wireguard wireguard
hosts: wireguard
vars:
tags:
- wireguard
roles:
- bastion
- name: Traefik config - name: Traefik config
hosts: hosts:
- docker-ext - docker-ext
@ -126,3 +117,4 @@
src: assets/{{ inventory_hostname }}/rules.yaml.j2 src: assets/{{ inventory_hostname }}/rules.yaml.j2
dest: /root/docker/traefik/rules.yaml dest: /root/docker/traefik/rules.yaml
backup: true backup: true
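Review bot: The renamed `Local server Wireguard` template task writes the rendered config, private key included, to `/etc/wireguard/wg0.conf` with no `mode`, so a freshly created file takes the umask default (typically 0644) and wg-quick will warn that the config is world accessible. Add `owner: root`, `group: root` and `mode: "0600"` to that task, and to any other task in this playbook that renders a wg0.conf the same way. `backup: true` also leaves timestamped copies of earlier configs, and therefore earlier private keys, beside the file, so either drop it or make sure those copies are cleaned up or carry the same restrictive mode. Handlers are outside the hunk, so I cannot tell whether the interface is restarted after the config changes.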

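--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,4 +0,0 @@
-bastion_wg_public_key: s3Ch/zcv5IeSpIbHBT5pdzpHWwV2qh4Z9W/0DSZg/CQ=
-bastion_wg_private_key: "{{ vault_bastion_wg_private_key }}"
-homeserver_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
-homeserver_wg_private_key: "{{ vault_homeserver_wg_private_key }}"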

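--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,13 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-63313365346334336431303631306338366438616433623333343531653765363531303966653661
-6265393431346631346661363264393937663663333832360a346634306132633839383731353036
-65353434616566623963323134353234316362663636333162366561386137363431393936363437
-3636326139363765640a333736363530616238303531663637303064633961323332353766323134
-39306535636566333165623835363239333331383830616564626437656463376464663238663731
-64373335343135333535356231613733633565623530396165663237656135333032626138643364
-62343665663832653165323263643230343738363066633938373961386332333131306636643564
-65616635343065646261333930363635376133626462646532326436323130396266653263376331
-65653430373333633536356233616230363538323032616337363139666330353836653036376264
-35326439323939656639616665633265623264396132313337376661373731313138376136336664
-37656138373131303263343266643439333035356635636664646638373539373130336638383233
-31303139366130303137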


@ -1 +1,4 @@
docker_int_wg_private_key: "{{ vault_docker_int_wg_private_key }}" bastion_wg_public_key: uBjwOBqEeH/2V7qo5GLGQaX159I1YBztzxvYE9pXOnI=
bastion_wg_private_key: "{{ vault_bastion_wg_private_key }}"
docker_ext_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
docker_ext_wg_private_key: "{{ vault_docker_ext_wg_private_key }}"
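Review bot: `bastion_wg_public_key` here is a different key from the one in the vars file this compare deletes (`s3Ch/…` there, `uBjw…` here), so the bastion keypair is being rotated, while `docker_ext_wg_public_key` keeps the value the old `homeserver_wg_public_key` had. The matching private key lives only inside the re-encrypted vault hunk, which cannot be reviewed here, so confirm that `vault_bastion_wg_private_key` was rotated in the same change and that every peer config templating `{{ bastion_wg_public_key }}` is re-deployed, or the tunnels to the bastion will stop handshaking. The bastion template in this compare references `wg_private_key` rather than the `bastion_wg_private_key` defined on this line, which is worth reconciling at the same time.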


@ -1,9 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
62643663333863323162613131393738396338666162623530336235613164636337666235333166 65633461333438396463383333323364616536316536363136646361613837353938316562363466
3533366265333931623439666134346130356430333531330a636561363132666339353861396332 6431373436363535666662323636623439643532323865610a356334333430356138363561363039
37646564626364306264636539633362663139643238353532393661666165643531343930316637 37613232333932663833303038353531636261663830653436633132386432623835643433663532
3365663330326131630a663062343535376438343462373733363762343637333730396463643638 6533343630353634320a326139346666643135326566336263653965623835396236366433313031
62363235623765386133336466663433633430316531316364643233303061626664653761303930 37656666613035663764626430366635316430303835396436666563653531373635303633383264
31366162666239656333626232323334373865653561326131336262343133663030306363626461 64356631393433303337373631313034323339623338383937653565376261633034666330656331
64306466373764343132333564626638633932633538306536626666636338316433346666656135 38663262656264323639643261623263646537343430396265663762393835646566646563353766
34643761633861656135 61363237393033643034343862663739303736336636326230386131356632626630633361646664
66343637393439393463363434303331343161656364386535366535666433356332396364353630
62376262373839656339353530656666626235643630303665643633326365616266656330333538
62626237383835306534643839353465316664643161373465306461373366356433343863393635
63363235633339373538


@ -1,8 +1,4 @@
--- ---
all:
vars:
ansible_ssh_user: root
ungrouped: ungrouped:
hosts: hosts:
bastion: bastion:
@ -20,12 +16,10 @@ docker:
ansible_ssh_user: root ansible_ssh_user: root
gitea: gitea:
ansible_ssh_user: root ansible_ssh_user: root
wireguard: wireguard:
hosts:
wireguard:
external_access:
hosts: hosts:
docker-ext: docker-ext:
ansible_ssh_user: root
bastion: bastion:
ansible_host: 51.222.155.202
ansible_ssh_user: root
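Review bot: This rendering does not show which side the unpaired lines belong to, so I cannot tell whether `ansible_ssh_user: root` is moving from `all.vars` to the individual hosts or the reverse; either way every host in this inventory is managed over SSH as root. Consider an unprivileged deploy user with `become: true` in the plays, which also allows `PermitRootLogin` to be disabled on the managed hosts. If `ansible_host: 51.222.155.202` is the line being removed, the `bastion` host will be reached by its inventory name instead, so confirm that name resolves from the control node before the next run.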

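--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -7,7 +7,6 @@
 ansible.builtin.package:
 name: wireguard
 state: present
-update_cache: true
 - name: Shutdown Wireguard (remove iptables rules)
 ansible.builtin.shell: wg-quick down wg0
 ignore_errors: true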