justus/Homelab-Ansible
1
0
Fork 0
Code Issues 4 Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Compare commits

base: justus:8736322100397e81291458583b0fb729d82898fe
Branches Tags
justus:main
justus:renovate/docker.io-actualbudget-actual-server-25.x
justus:renovate/ghcr.io-paperless-ngx-paperless-ngx-2.x
justus:renovate/ghcr.io-dgtlmoon-changedetection.io-0.x
justus:renovate/ghcr.io-goauthentik-server-2025.x
justus:renovate/ansible-core-2.x
justus:renovate/docker.io-redis-6.2-alpine
justus:renovate/crowdsecurity-crowdsec-1.x
justus:renovate/wallabag-wallabag-2.x
justus:renovate/stalwartlabs-mail-server-0.x
justus:renovate/ghcr.io-requarks-wiki-2.x
justus:renovate/dawidd6-action-ansible-playbook-3.x
justus:automate-deployment-with-ansible-action
...
compare: justus:ef8d865b2d729162b840db5450e0cf6279cc879d
Branches Tags
justus:renovate/docker.io-actualbudget-actual-server-25.x
justus:renovate/ghcr.io-paperless-ngx-paperless-ngx-2.x
justus:renovate/ghcr.io-dgtlmoon-changedetection.io-0.x
justus:renovate/ghcr.io-goauthentik-server-2025.x
justus:renovate/ansible-core-2.x
justus:renovate/docker.io-redis-6.2-alpine
justus:renovate/crowdsecurity-crowdsec-1.x
justus:renovate/wallabag-wallabag-2.x
justus:renovate/stalwartlabs-mail-server-0.x
justus:renovate/ghcr.io-requarks-wiki-2.x
justus:main
justus:renovate/dawidd6-action-ansible-playbook-3.x
justus:automate-deployment-with-ansible-action

10 Commits
8736322100 ... ef8d865b2d

Author SHA1 Message Date
Justus Grunow
ef8d865b2d Commit before going wild 2024-05-06 21:06:42 -04:00
Justus Grunow
b746571116 Wiregaurd working from phone 2023-08-26 22:08:39 -04:00
Justus Grunow
7e1578b8a7 Added Docker tags to Ansible playbook 2023-08-26 22:02:57 -04:00
Justus Grunow
5b779ef2ea Fixed typo in README 2023-08-26 21:38:20 -04:00
Justus Grunow
cb6aedac73 Added README 2023-08-26 21:25:45 -04:00
Justus Grunow
e6f236421b Added vault password script 2023-08-26 21:24:27 -04:00
Justus Grunow
c409a83685 DNS working over Wireguard 2023-01-22 08:12:21 -05:00
Justus Grunow
c8d704e08a Added Porkbun DDNS, fixed a variable 2023-01-21 10:32:11 -05:00
Justus Grunow
d194eab349 Moved all vars to host_vars file, encryped secrets with Ansible Vault 2023-01-20 21:45:14 -05:00
Justus Grunow
a25ef1882f added .gitignore 2023-01-20 00:36:18 -05:00
17 changed files with 734 additions and 248 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.venv/

1
README Normal file
View File

@ -0,0 +1 @@
ansible-playbook -i inventory/ setup.yaml --vault-password-file=vaultpassword.sh

6
playbooks/assets/01-netcfg.yaml.j2 → ansible/assets/01-netcfg.yaml.j2
View File

@ -5,8 +5,8 @@ network:
addresses: addresses:
- {{ pi_ip }}/{{ pi_mask }} - {{ pi_ip }}/{{ pi_mask }}
nameservers: nameservers:
search: [injust.us] search: [{{ pi_searchdomains }}]
addresses: [127.0.0.1, 1.1.1.1] addresses: [127.0.0.1, {{pi_additional_upstream_dnsservers}}]
routes: routes:
- to: default - to: default
via: 10.11.1.1 via: {{ pi_gateway }}

374
ansible/assets/ddclient.conf.j2 Normal file
View File

@ -0,0 +1,374 @@
######################################################################
##
## Define default global variables with lines like:
## var=value [, var=value]*
## These values will be used for each following host unless overridden
## with a local variable definition.
##
## Define local variables for one or more hosts with:
## var=value [, var=value]* host.and.domain[,host2.and.domain...]
##
## Lines can be continued on the following line by ending the line
## with a \
##
##
## Warning: not all supported routers or dynamic DNS services
## are mentioned here.
##
######################################################################
daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=@runstatedir@/ddclient.pid # record PID in file.
ssl=yes # use ssl-support. Works with
# ssl-library
# postscript=script # run script after updating. The
# new IP is added as argument.
#
#use=watchguard-soho, fw=192.168.111.1:80 # via Watchguard's SOHO FW
#use=netopia-r910, fw=192.168.111.1:80 # via Netopia R910 FW
#use=smc-barricade, fw=192.168.123.254:80 # via SMC's Barricade FW
#use=netgear-rt3xx, fw=192.168.0.1:80 # via Netgear's internet FW
#use=linksys, fw=192.168.1.1:80 # via Linksys's internet FW
#use=maxgate-ugate3x00, fw=192.168.0.1:80 # via MaxGate's UGATE-3x00 FW
#use=elsa-lancom-dsl10, fw=10.0.0.254:80 # via ELSA LanCom DSL/10 DSL Router
#use=elsa-lancom-dsl10-ch01, fw=10.0.0.254:80 # via ELSA LanCom DSL/10 DSL Router
#use=elsa-lancom-dsl10-ch02, fw=10.0.0.254:80 # via ELSA LanCom DSL/10 DSL Router
#use=alcatel-stp, fw=10.0.0.138:80 # via Alcatel Speed Touch Pro
#use=xsense-aero, fw=192.168.1.1:80 # via Xsense Aero Router
#use=allnet-1298, fw=192.168.1.1:80 # via AllNet 1298 DSL Router
#use=3com-oc-remote812, fw=192.168.0.254:80 # via 3com OfficeConnect Remote 812
#use=e-tech, fw=192.168.1.1:80 # via E-tech Router
#use=cayman-3220h, fw=192.168.0.1:1080 # via Cayman 3220-H DSL Router
#
#fw-login=admin, fw-password=XXXXXX # FW login and password
#
## To obtain an IP address from FW status page (using fw-login, fw-password)
#use=fw, fw=192.168.1.254/status.htm, fw-skip='IP Address' # found after IP Address
#
## To obtain an IP address from Web status page (using the proxy if defined)
## by default, checkip.dyndns.org is used if you use the dyndns protocol.
## Using use=web is enough to get it working.
## WARNING: set deamon at least to 600 seconds if you use checkip or you could
## get banned from their service.
#use=web, web=checkip.dyndns.org/, web-skip='IP Address' # found after IP Address
#
#use=ip, ip=127.0.0.1 # via static IP's
#use=if, if=eth0 # via interfaces
#use=web # via web
#
#protocol=dyndns2 # default protocol
#proxy=fasthttp.sympatico.ca:80 # default proxy
#server=members.dyndns.org # default server
#server=members.dyndns.org:8245 # default server (bypassing proxies)
#login=your-login # default login
#password=test # default password
#mx=mx.for.your.host # default MX
#backupmx=yes|no # host is primary MX?
#wildcard=yes|no # add wildcard CNAME?
##
## dyndns.org dynamic addresses
##
## (supports variables: wildcard,mx,backupmx)
##
# server=members.dyndns.org, \
# protocol=dyndns2 \
# your-dynamic-host.dyndns.org
##
## dyndns.org static addresses
##
## (supports variables: wildcard,mx,backupmx)
##
# static=yes, \
# server=members.dyndns.org, \
# protocol=dyndns2 \
# your-static-host.dyndns.org
##
## dyndns.org custom addresses
##
## (supports variables: wildcard,mx,backupmx)
##
# custom=yes, \
# server=members.dyndns.org, \
# protocol=dyndns2 \
# your-domain.top-level,your-other-domain.top-level
##
## ZoneEdit (zoneedit.com)
##
# server=dynamic.zoneedit.com, \
# protocol=zoneedit1, \
# login=your-zoneedit-login, \
# password=your-zoneedit-password \
# your.any.domain,your-2nd.any.dom
##
## EasyDNS (easydns.com)
##
# server=members.easydns.com, \
# protocol=easydns, \
# login=your-easydns-login, \
# password=your-easydns-password \
# your.any.domain,your-2nd.any.domain
##
## dslreports.com dynamic-host monitoring
##
# server=members.dslreports.com \
# protocol=dslreports1, \
# login=dslreports-login, \
# password=dslreports-password \
# dslreports-unique-id
##
## OrgDNS.org account-configuration
##
# use=web, web=members.orgdns.org/nic/ip
# protocol=dyndns2
# server=www.orgdns.org \
# login=yourLoginName \
# password=yourPassword \
# yourSubdomain.orgdns.org
##
## NameCheap (namecheap.com)
##
# protocol=namecheap, \
# server=dynamicdns.park-your-domain.com, \
# login=example.com, \
# password=example.com-password \
# subdomain.example.com
##
## NearlyFreeSpeech.NET (nearlyfreespeech.net)
##
# protocol = nfsn, \
# login=member-login, \
# password=api-key, \
# zone=example.com \
# example.com,subdomain.example.com
##
## Loopia (loopia.se)
##
# use=web, web=loopia
# protocol=dyndns2
# server=dns.loopia.se
# script=/XDynDNSServer/XDynDNS.php
# login=my-loopia.se-login
# password=my-loopia.se-password
# my.domain.tld,other.domain.tld
##
## NoIP (noip.com)
##
# protocol=noip, \
# ssl=yes, \
# server=dynupdate.no-ip.com, \
# login=your-noip-login, \
# password=your-noip-password, \
# your-host.domain.com, your-2nd-host.domain.com
##
## ChangeIP (changeip.com)
##
## single host update
# protocol=changeip, \
# login=my-my-changeip.com-login, \
# password=my-changeip.com-password \
# myhost.changeip.org
##
## CloudFlare (www.cloudflare.com)
##
#protocol=cloudflare, \
#zone=domain.tld, \
#ttl=1, \
#login=your-login-email, \ # Only needed if you are using your global API key. If you are using an API token, set it to "token" (without double quotes).
#password=APIKey \ # This is either your global API key, or an API token. If you are using an API token, it must have the permissions "Zone - DNS - Edit" and "Zone - Zone - Read". The Zone resources must be "Include - All zones".
#domain.tld,my.domain.tld
##
## Gandi (gandi.net)
##
## Single host update
# protocol=gandi, \
# zone=example.com, \
# password=my-gandi-api-key, \
# ttl=3h \
# myhost.example.com
##
## Google Domains (www.google.com/domains)
##
# protocol=googledomains,
# login=my-auto-generated-username,
# password=my-auto-generated-password
# my.domain.tld, otherhost.domain.tld
##
## Duckdns (http://www.duckdns.org/)
##
#
# protocol=duckdns, \
# password=my-auto-generated-password \
# hostwithoutduckdnsorg
##
## Freemyip (http://freemyip.com/)
##
#
# protocol=freemyip,
# password=my-token
# myhost
##
## MyOnlinePortal (http://myonlineportal.net)
##
# # ipv6=yes # optional
# use=web, web=myonlineportal.net/checkip
# # use=if, if=eth0 # alternative to use=web
# # if-skip=Scope:Link # alternative to use=web
# protocol=dyndns2
# ssl=yes
# login=your-myonlineportal-username
# password=your-myonlineportal-password
# domain.myonlineportal.net
##
## nsupdate.info IPV4(https://www.nsupdate.info)
##
#use=web, web=http://ipv4.nsupdate.info/myip
#protocol=dyndns2
#server=ipv4.nsupdate.info
#login=domain.nsupdate.info
#password='123'
#domain.nsupdate.info
##
## nsupdate.info IPV6 (https://www.nsupdate.info)
## ddclient releases <= 3.8.1 do not support IPv6
##
#usev6=if, if=eth0
#protocol=dyndns2
#server=ipv6.nsupdate.info
#login=domain.nsupdate.info
#password='123'
#domain.nsupdate.info
##
## Yandex.Mail for Domain (domain.yandex.com)
##
# protocol=yandex, \
# login=domain.tld, \
# password=yandex-pdd-token \
# my.domain.tld,other.domain.tld \
##
## DNS Made Easy (https://dnsmadeeasy.com)
##
# protocol=dnsmadeeasy,
# login=your-account-email-address
# password=your-generated-password
# your-numeric-record-id-1,your-numeric-record-id-2,...
##
## OVH DynHost (https://ovh.com)
##
# protocol=ovh,
# login=example.com-dynhostuser,
# password=your_password
# test.example.com
##
## Porkbun (https://porkbun.com/)
##
protocol=porkbun
apikey={{ porkbun_api_key }}
secretapikey={{ porkbun_secret_api_key }}
*.home.coxgrunow.ca
#on-root-domain=yes example.com,sub.example.com
#host.example.com,host2.sub.example.com
#on-root-domain=yes example.com,sub.example.com
##
## ClouDNS (https://www.cloudns.net)
##
# protocol=cloudns, \
# dynurl=https://ipv4.cloudns.net/api/dynamicURL/?q=Njc1OTE2OjY3Njk0NDM6YTk2, \
# myhost.example.com
##
## dinahosting (https://dinahosting.com)
##
# protocol=dinahosting, \
# login=myusername, \
# password=mypassword \
# myhost.mydomain.com
##
## dnsexit (www.dnsexit.com)
##
#protocol=dnsexit, \
#login=myusername, \
#password=mypassword, \
#subdomain-1.domain.com,subdomain-2.domain.com
##
## dnsexit2 (API method www.dnsexit.com)
##
#protocol=dnsexit2
#password=MyAPIKey
#subdomain-1.domain.com,subdomain-2.domain.com
##
## domeneshop (www.domeneshop.no)
##
# protocol=domeneshop
# login=<token>
# password=<secret>
# subdomain-1.domain.com,subdomain-2.domain.com
##
## Njal.la (http://njal.la/)
##
# protocol=njalla,
# password=mypassword
# quietreply=no|yes
# my-domain.com
##
## regfish.de (www.regfish.de/)
##
# protocol=regfishde,
# password=mypassword
# my-domain.com
##
## Enom (www.enom.com)
##
# protocol=enom,
# login=domain.name,
# password=domain-password
# my-domain.com
##
## DigitalOcean (www.digitalocean.com)
##
#protocol=digitalocean, \
#zone=example.com, \
#password=api-token \
#example.com,sub.example.com
##
## Infomaniak (www.infomaniak.com)
##
# protocol=infomaniak,
# login=ddns_username,
# password=ddns_password
# example.com

207
ansible/assets/docker-compose.yml.j2 Normal file
View File

@ -0,0 +1,207 @@
version: "3.5"
# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
networks:
network_pihole:
ipam:
driver: default
config:
- subnet: 172.16.3.0/24
services:
nginx-proxy:
image: nginxproxy/nginx-proxy
ports:
- '80:80'
environment:
DEFAULT_HOST: {{ pihole_hostname }}.{{ pihole_domain }}
volumes:
- '/var/run/docker.sock:/tmp/docker.sock'
restart: always
networks:
network_pihole:
ipv4_address: 172.16.3.6
pihole:
image: pihole/pihole:latest
ports:
- '53:53/tcp'
- '53:53/udp'
- "67:67/udp"
- '8053:80/tcp'
networks:
network_pihole:
ipv4_address: 172.16.3.2
volumes:
- './etc-pihole:/etc/pihole'
- './etc-dnsmasq.d:/etc/dnsmasq.d'
# run `touch ./var-log/pihole.log` first unless you like errors
# - './var-log/pihole.log:/var/log/pihole/pihole.log'
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN
expose:
- 80
environment:
ServerIP: 10.11.1.10
PIHOLE_DNS_: unbound#53;{{ pihole_additional_upstream_dnsservers }}
PROXY_LOCATION: {{ pihole_hostname }}
VIRTUAL_HOST: {{ pihole_hostname}}.{{ pihole_domain }}
VIRTUAL_PORT: 80
WEBPASSWORD: {{ pihole_password }}
FTLCONF_LOCAL_IPV4: {{ pi_ip }}
DNSMASQ_LISTENING: all
extra_hosts:
# Resolve to nothing domains (terminate connection)
- 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
# LAN hostnames for other docker containers using nginx-proxy
- 'yourDomain.lan:192.168.41.55'
- '{{ pihole_hostname }} {{ pihole_hostname }}.{{ pihole_domain }}:{{ pi_ip }}'
- 'citadel.tedupnorth.com:10.10.10.10'
- 'postgres postgres.injust.us:10.11.1.14'
- 'proxmox proxmox.injust.us:10.11.1.5'
- 'omv omv.injust.us:10.11.1.12'
- 'docker-int docker-int.injust.us:10.11.1.13'
- 'docker-ext docker-ext.injust.us:10.11.1.15'
- 'linkwarden linkwarden.injust.us:10.11.1.15'
- 'linkwarden.coxgrunow.ca:10.11.1.15'
- 'wiki.mycomputer.party:10.11.1.15'
- 'wiki.coxgrunow.ca:10.11.1.15'
- 'paperless.injust.us:10.11.1.13'
- 'wiki.injust.us:10.11.1.13'
- 'testweb.injust.us:10.11.1.13'
- 'stalwart.mycomputer.party:10.11.1.15'
- 'linkace.mycomputer.party:10.11.1.15'
- 'linkding.mycomputer.party:10.11.1.15'
- 'wallabag.mycomputer.party:10.11.1.15'
- 'test.mycomputer.party:10.11.1.15'
- 'matrix matrix.mycomputer.party:10.11.1.16'
- 'wiki wiki.injust.us:10.11.1.13'
restart: always
unbound:
image: klutchell/unbound
volumes:
- ./unbound:/etc/unbound/unbound.conf.d
ports:
- '5335:53/tcp'
- '5335:53/udp'
restart: always
networks:
network_pihole:
ipv4_address: 172.16.3.3
porkbunddns:
image: pavlinchen/porkbun-ddns
container_name: porkbun-ddns
restart: always
pull_policy: always
environment:
APIKey: {{ porkbun_api_key }}
SecretAPIKey: {{ porkbun_secret_api_key }}
Domain: {{ porkbun_domain }}
Schedule: "{{ porkbun_cron_sched }}"
TZ: {{ porkbun_tz }}
networks:
network_pihole:
ipv4_address: 172.16.3.4
porkbunddns2:
image: pavlinchen/porkbun-ddns
container_name: porkbun-ddns2
restart: always
pull_policy: always
environment:
APIKey: {{ porkbun_api_key }}
SecretAPIKey: {{ porkbun_secret_api_key }}
Domain: {{ porkbun_domain2 }}
Schedule: "{{ porkbun_cron_sched }}"
TZ: {{ porkbun_tz }}
networks:
network_pihole:
ipv4_address: 172.16.3.7
ddclient:
image: lscr.io/linuxserver/ddclient:latest
container_name: ddclient
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
volumes:
- ./ddclient/:/config
restart: unless-stopped
wireguard:
depends_on:
- pihole
networks:
network_pihole:
ipv4_address: 172.16.3.5
image: lscr.io/linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=0
- PGID=0
- TZ=Canada/Eastern
- SERVERURL=vpn.coxgrunow.ca
- SERVERPORT=51820
- PEERS=phone,tedupnorth #oAdded Docker tags to Ansible playbookptional
- PEERDNS=172.16.3.2 #optional
- INTERNAL_SUBNET=10.11.4.0 #optional
- ALLOWEDIPS=10.11.1.0/24,172.16.3.2 #optional
- SERVER_ALLOWEDIPS_PEER_tedupnorth=10.10.0.0/16
- PERSISTENTKEEPALIVE_PEERS=all #optional - for dynamic DNS
- LOG_CONFS=true #optional
volumes:
- ./wireguard/config:/config
- /lib/modules:/lib/modules #optional
ports:
- 51820:51820/udp
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
# Another container you might want to have running through the proxy
# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
# ghost:
# image: fractalf/ghost
# ports:
# - '2368:2368/tcp'
# volumes:
# - '/etc/ghost:/ghost-override'
# environment:
# PROXY_LOCATION: ghost
# VIRTUAL_HOST: ghost.yourDomain.lan
# VIRTUAL_PORT: 2368
# restart: always
# homeassistant:
# container_name: homeassistant
# image: "ghcr.io/home-assistant/home-assistant:stable"
# volumes:
# - ./homeassistant/config:/config
# - /etc/localtime:/etc/localtime:ro
# restart: unless-stopped
# privileged: true
# network_mode: host
# #environment:
# # - VIRTUAL_HOST=homeassistant.coxgrunow.ca
# # - VIRTUAL_PORT=8123
yacy:
container_name: yacy
image: "docker.io/yacy/yacy_search_server:aarch64-latest"
volumes:
- ./yacy:/opt/yacy_search_server/DATA
ports:
- 8090:8090/tcp
- 8443:8443/tcp

4
playbooks/assets/unbound.conf.j2 → ansible/assets/unbound.conf.j2
View File

@ -36,8 +36,8 @@ server:
# when fragmentation does work, it may not be secure; it is theoretically # when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy # possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study # detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< # Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) ### by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the # in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for # the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should # IPv4 and IPv6 and in different scenarios. They advise that servers should

19
ansible/inventory/host_vars/basementpi.local/vars Normal file
View File

@ -0,0 +1,19 @@
---
pi_ip: 10.11.1.10
pi_mask: 255.255.255.0
pi_gateway: 10.11.1.1
pi_searchdomains: injust.us
# Comma separated, e.g.: 1.1.1.1,8.8.8.8
pi_additional_upstream_dnsservers: 1.1.1.1
# Semicolon separated, e.g.: 1.1.1.1;8.8.8.8
pihole_additional_upstream_dnsservers: 1.1.1.1
pihole_password: "{{ vault_pihole_password }}"
pihole_hostname: pihole
pihole_domain: injust.us
porkbun_api_key: pk1_6e6d69e80434b0aa61727637f5d7f71713f505a65004567bc8f5e34b8e516d4b
porkbun_secret_api_key: "{{ vault_porkbun_secret_api_key }}"
porkbun_domain: mycomputer.party justus
porkbun_domain2: coxgrunow.ca *
porkbun_cron_sched: "*/5 * * * *"
porkbun_tz: Canada/Eastern

12
ansible/inventory/host_vars/basementpi.local/vault Normal file
View File

@ -0,0 +1,12 @@
$ANSIBLE_VAULT;1.1;AES256
64353737376438383965326136653836383636656437633234356664643732636338336164343862
3965626430323133666566313831393938346261366634650a316664633739353663353866326565
31663635393533316138333333373465643364386163326165633036613331363938336133643166
6166396537313761640a623865326663666238376265353438383330663338356535373836396639
38326139373435336237656234333837393931323561323332666237373339306638303563393834
34363039336634393239373262663034336363313736356534353233623731643735303661393937
33633933323632356537616663633736643132656561393631653363306261613362356664633565
33636664373331336333623839323434386632343534656563386339303537366265323361313039
38353664333461336332353962643233626564303863333132323366383264653937656635353265
36346161613961363964663265393439383934313130363436653666623664303031373435326265
393931643933363936336161356636313338

2
ansible/inventory/hosts Normal file
View File

@ -0,0 +1,2 @@
[rasperrypi]
basementpi.local ansible_host=10.11.1.10 ansible_ssh_user=root

89
ansible/setup-vm.yaml Normal file
View File

@ -0,0 +1,89 @@
---
- name: Setup
hosts: all
remote_user: root
vars:
tasks:
- name: Disable cloud-init network config
ansible.builtin.command: 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
- name: Delete existing netplan
ansible.builtin.command: rm -f /etc/netplan/*
- name: Copy netplan
ansible.builtin.template:
src: assets/01-netcfg.yaml.j2
dest: /etc/netplan
- name: Copy unbound config
ansible.builtin.template:
src: assets/unbound.conf.j2
dest: ./unbound/
tags: vm
- name: Apply Netplan
ansible.builtin.command: netplan apply
- name: Docker Prereqs
ansible.builtin.apt:
update_cache: true
name:
- ca-certificates
- curl
- gnupg
- lsb-release
- name: Create keyring directory
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
- name: Create Docker directory
ansible.builtin.file:
path: /root/docker
state: directory
- name: Download Docker GPG keys
ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg --batch --yes
- name: Add Docker repo
ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
- name: Disable Ubunut stub DNS resolver
ansible.builtin.shell: sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
- name: symlink /etc/resolv to /run/systemd/resolve/resolv.conf
ansible.builtin.shell: sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
- name: Restart resolved
ansible.builtin.shell: systemctl restart systemd-resolved
- name: Install restic
ansible.builtin.apt:
update_cache: true
name:
- restic
- name: Install Docker
ansible.builtin.apt:
update_cache: true
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose-plugin
- name: Copy Docker Compose file
ansible.builtin.template:
src: assets/docker-compose.yml.j2
dest: /root/docker/docker-compose-wg.yml
tags: wireguard,docker,vm
- name: Copy ddclient config
ansible.builtin.template:
src: assets/ddclient.conf.j2
dest: /root/docker/ddclient/ddclient.conf
tags: docker,vm
- name: Run Docker
ansible.builtin.shell: docker compose up -d --remove-orphans
args:
chdir: /root/docker
tags: wireguard,docker

31
playbooks/setup.yaml → ansible/setup.yaml
View File

@ -3,11 +3,6 @@
hosts: all hosts: all
remote_user: root remote_user: root
vars: vars:
pi_ip: 10.11.1.10
pihole_additional_upstream_dnsservers: 1.1.1.1
pihole_password: password!
pihole_hostname: pihole
pihole_domain: injust.us
tasks: tasks:
- name: Disable cloud-init network config - name: Disable cloud-init network config
@ -17,12 +12,13 @@
ansible.builtin.command: rm -f /etc/netplan/* ansible.builtin.command: rm -f /etc/netplan/*
- name: Copy netplan - name: Copy netplan
ansible.builtin.copy: ansible.builtin.template:
src: configfiles/01-netcfg.yaml src: assets/01-netcfg.yaml.j2
dest: /etc/netplan dest: /etc/netplan
- name: Copy unbound config - name: Copy unbound config
ansible.builtin.copy: ansible.builtin.template:
src: configfiles/unbound.conf src: assets/unbound.conf.j2
dest: ./unbound/ dest: ./unbound/
- name: Apply Netplan - name: Apply Netplan
@ -57,6 +53,12 @@
- name: Restart resolved - name: Restart resolved
ansible.builtin.shell: systemctl restart systemd-resolved ansible.builtin.shell: systemctl restart systemd-resolved
- name: Install restic
ansible.builtin.apt:
update_cache: true
name:
- restic
- name: Install Docker - name: Install Docker
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
@ -70,8 +72,17 @@
ansible.builtin.template: ansible.builtin.template:
src: assets/docker-compose.yml.j2 src: assets/docker-compose.yml.j2
dest: /root/docker/docker-compose.yml dest: /root/docker/docker-compose.yml
tags: wireguard,docker
- name: Copy ddclient config
ansible.builtin.template:
src: assets/ddclient.conf.j2
dest: /root/docker/ddclient/ddclient.conf
tags: docker
- name: Run Docker - name: Run Docker
ansible.builtin.shell: docker compose up -d ansible.builtin.shell: docker compose up -d --remove-orphans
args: args:
chdir: /root/docker chdir: /root/docker
tags: wireguard,docker

2
ansible/vaultpassword.sh Executable file
View File

@ -0,0 +1,2 @@
#!/bin/bash
bw get password b0297774-6cf6-4858-9b77-af910022dd78

3
inventory/inventory.yaml
View File

@ -1,3 +0,0 @@
all:
hosts:
basementpi.local

74
playbooks/assets/docker-compose.yml.j2
View File

@ -1,74 +0,0 @@
version: "3"
# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
services:
nginx-proxy:
image: nginxproxy/nginx-proxy
ports:
- '80:80'
environment:
DEFAULT_HOST: {{ pihole_hostname }}.{{ pihole_domain }}
volumes:
- '/var/run/docker.sock:/tmp/docker.sock'
restart: always
pihole:
image: pihole/pihole:latest
ports:
- '53:53/tcp'
- '53:53/udp'
- "67:67/udp"
- '8053:80/tcp'
volumes:
- './etc-pihole:/etc/pihole'
- './etc-dnsmasq.d:/etc/dnsmasq.d'
# run `touch ./var-log/pihole.log` first unless you like errors
# - './var-log/pihole.log:/var/log/pihole/pihole.log'
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN
expose:
- 80
environment:
ServerIP: 10.11.1.10
PIHOLE_DNS_: unbound#53;{{ pihole_additional_upstream_dnsservers }}
PROXY_LOCATION: {{ pihole_hostname }}
VIRTUAL_HOST: {{ pihole_hostname}}.{{ pihole_domain }}
VIRTUAL_PORT: 80
WEBPASSWORD: {{ pihole_password }}
FTLCONF_LOCAL_IPV4: {{ pi_ip }}
extra_hosts:
# Resolve to nothing domains (terminate connection)
- 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
# LAN hostnames for other docker containers using nginx-proxy
- 'yourDomain.lan:192.168.41.55'
- '{{ pihole_hostname }} {{ pihole_hostname }}.{{ pihole_domain }}:{{ pi_ip }}'
restart: always
unbound:
image: klutchell/unbound
volumes:
- ./unbound:/etc/unbound/unbound.conf.d
ports:
- '5335:53/tcp'
- '5335:53/udp'
restart: always
# Another container you might want to have running through the proxy
# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
# ghost:
# image: fractalf/ghost
# ports:
# - '2368:2368/tcp'
# volumes:
# - '/etc/ghost:/ghost-override'
# environment:
# PROXY_LOCATION: ghost
# VIRTUAL_HOST: ghost.yourDomain.lan
# VIRTUAL_PORT: 2368
# restart: always

12
playbooks/configfiles/01-netcfg.yaml
View File

@ -1,12 +0,0 @@
network:
version: 2
ethernets:
eth0:
addresses:
- 10.11.1.10/24
nameservers:
search: [injust.us]
addresses: [127.0.0.1, 1.1.1.1]
routes:
- to: default
via: 10.11.1.1

67
playbooks/configfiles/unbound.conf
View File

@ -1,67 +0,0 @@
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

76
playbooks/dockercompose/docker-compose.yml
View File

@ -1,76 +0,0 @@
version: "3"
# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
services:
nginx-proxy:
image: nginxproxy/nginx-proxy
ports:
- '80:80'
environment:
DEFAULT_HOST: pihole.injust.us
volumes:
- '/var/run/docker.sock:/tmp/docker.sock'
restart: always
pihole:
image: pihole/pihole:latest
ports:
- '53:53/tcp'
- '53:53/udp'
- "67:67/udp"
- '8053:80/tcp'
volumes:
- './etc-pihole:/etc/pihole'
- './etc-dnsmasq.d:/etc/dnsmasq.d'
# run `touch ./var-log/pihole.log` first unless you like errors
# - './var-log/pihole.log:/var/log/pihole/pihole.log'
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN
expose:
- 80
environment:
ServerIP: 10.11.1.10
PIHOLE_DNS_: 127.0.0.1#5053;1.1.1.1
PROXY_LOCATION: pihole
VIRTUAL_HOST: pihole.injust.us
VIRTUAL_PORT: 80
WEBPASSWORD: password
FTLCONF_LOCAL_IPV4: 10.11.1.10
extra_hosts:
# Resolve to nothing domains (terminate connection)
- 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
# LAN hostnames for other docker containers using nginx-proxy
- 'yourDomain.lan:192.168.41.55'
- 'pihole pihole.injust.us:10.11.1.10'
- 'ghost ghost.yourDomain.lan:192.168.41.55'
- 'wordpress wordpress.yourDomain.lan:192.168.41.55'
restart: always
unbound:
image: klutchell/unbound
volumes:
- ./unbound:/etc/unbound/unbound.conf.d
ports:
- '5335:53/tcp'
- '5335:53/udp'
restart: always
# Another container you might want to have running through the proxy
# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
# ghost:
# image: fractalf/ghost
# ports:
# - '2368:2368/tcp'
# volumes:
# - '/etc/ghost:/ghost-override'
# environment:
# PROXY_LOCATION: ghost
# VIRTUAL_HOST: ghost.yourDomain.lan
# VIRTUAL_PORT: 2368
# restart: always