Blaine Story 3 өдөр өмнө
parent
commit
4dcd8feeab

+ 254 - 0
plays/nodes/chloe-nas.yml

@@ -0,0 +1,254 @@
+---
+- hosts: chloe-nas
+  gather_facts: true
+  become: true
+
+  roles:
+    - snapraid
+    - mergerfs
+    - vladgh.samba.server
+    - dnf-automatic
+    - linux-system-roles.firewall 
+    - linux-system-roles.selinux
+    - quadlet
+    - statusservices
+    - olivetin
+    - cloud-backups
+
+  vars_files:
+    - "{{ inventory_dir }}/vars/vault.yaml"
+
+  vars:
+    dnf_update_time: 'wed 04:30'
+
+    status_services_extra:
+      - smb
+      - OliveTin
+
+    backups: containers
+    backups_ignore:
+      - /storage
+
+    container_user: "{{ vaulted_media_user }}"
+    container_uid: "{{ vaulted_media_uid }}"
+    container_group: "{{ vaulted_media_group }}"
+    container_gid: "{{ vaulted_media_gid }}"
+
+    containers:
+      - name: homepage
+        image: ghcr.io/gethomepage/homepage
+        ports: 
+          - 80:3000
+        environment:
+          HOMEPAGE_ALLOWED_HOSTS: 10.0.0.135 # TODO Update with new IP
+          PUID: "{{ container_uid }}"
+          PGID: "{{ container_gid }}"
+        volumes:
+          - /srv/containers/homepage:/app/config:Z
+          - /storage:/storage:ro # for utilization info
+        restart: unless-stopped
+        after:
+          - network-online.target
+
+      - name: sickgear
+        image: lscr.io/linuxserver/sickgear
+        ports:
+          - 8081:8081
+        volumes:
+          - /srv/containers/sickgear:/config:Z
+          - /storage:/storage:z
+        environment:
+          PUID: "{{ container_uid }}"
+          PGID: "{{ container_gid }}"
+          TZ: America/Los_Angeles
+        restart_policy: always
+        restart_sec: 5
+        quadlet_options: |
+                         [Unit]
+                         After=nordvpnd.service
+                         After=sys-subsystem-net-devices-nordtun.device
+                         BindsTo=sys-subsystem-net-devices-nordtun.device
+                          
+
+      - name: transmission
+        image: lscr.io/linuxserver/transmission
+        ports:
+          - 9091:9091
+        volumes:
+          - /srv/containers/transmission:/config:Z
+          - /storage:/storage:z
+        environment:
+          PUID: "{{ container_uid }}"
+          PGID: "{{ container_gid }}"
+          USER: "{{ vaulted_nas_transmission_username }}"
+          PASS: "{{ vaulted_nas_transmission_password }}"
+        restart_policy: unless-stopped
+        restart_sec: 5
+        quadlet_options: |
+                         [Unit]
+                         After=nordvpnd.service
+                         After=sys-subsystem-net-devices-nordtun.device
+                         BindsTo=sys-subsystem-net-devices-nordtun.device
+
+
+      - name: qbittorrent
+        active: true
+        image: lscr.io/linuxserver/qbittorrent
+        ports:
+          - 8080:8080
+        volumes:
+          - /srv/containers/qbittorrent:/config:Z
+          - /storage:/storage:z
+        environment:
+          PUID: "{{ container_uid }}"
+          PGID: "{{ container_gid }}"
+          WEBUI_PORT: 8080
+        restart_policy: unless-stopped
+        restart_sec: 5
+        quadlet_options: |
+                         [Unit]
+                         After=nordvpnd.service
+                         After=sys-subsystem-net-devices-nordtun.device
+                         BindsTo=sys-subsystem-net-devices-nordtun.device
+
+
+    samba_guest_account: "{{ vaulted_media_user }}"
+    samba_map_to_guest: bad user
+    samba_netbios_name: "{{ ansible_hostname }}"
+    samba_load_printers: False
+    samba_mitigate_cve_2017_7494: False # enabling this breaks share browsing on Macs
+    samba_shares_root: /storage
+    samba_manage_directories: False # already handled by mergerfs/snapraid roles
+
+    samba_users:
+      - name: "{{ vaulted_media_user }}"
+        password: "{{ vaulted_media_password }}"
+
+    samba_shares:
+      - name: storage
+        path: /storage
+        force_create_mode: '0664'
+        force_directory_mode: '0775'
+        guest_ok: "yes"
+        writable: "yes"
+        public: "yes"
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+
+    snapraid_parity_disks:
+      - path: /mnt/parity1
+        parity: parity
+        disk: /dev/disk/by-id/ata-WDC_WD80EFPX-68C4ZN0_WD-RD2V74DH-part1 # bottom slot
+        opts: defaults
+        fs: xfs
+
+    snapraid_data_disks:
+      - path: /mnt/datadisk1
+        disk: /dev/disk/by-id/ata-WDC_WD60EFAX-68SHWN0_WD-WX21D39PLU7H-part1 # top slot
+        opts: defaults
+        fs: xfs
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/datadisk2
+        disk: /dev/disk/by-id/ata-WDC_WD60EFAX-68SHWN0_WD-WX91D99DVRJH-part1
+        opts: defaults
+        fs: xfs
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/datadisk3
+        disk: /dev/disk/by-id/ata-WDC_WD80EFPX-68C4ZN0_WD-RD2VM3XH-part1
+        opts: defaults
+        fs: xfs
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+
+    mergerfs_disks: "{{ snapraid_data_disks }}"
+
+
+    mergerfs_fstab:
+      - path: /storage
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+        source: /mnt/datadisk*
+        opts:
+          - allow_other
+          - minfreespace=10G
+          - category.create=mfs
+          - use_ino
+          - func.getattr=newest
+          - fsname=mergerfs
+          - nonempty
+
+
+    selinux_booleans:
+      - name: samba_share_fusefs
+        state: on
+        persistent: yes
+
+
+    firewall:
+     - service:
+         - samba
+         - netbios-ns
+         - http
+       state: enabled
+
+     - port:
+         - '1337/tcp'
+         - '8080/tcp'
+         - '8081/tcp'
+         - '9091/tcp'
+       state: enabled
+  
+
+    server_notifications_topic: "{{ vaulted_server_notifications_topic }}"
+
+  pre_tasks:
+    - name: Create Media Group
+      group:
+        name: "{{ vaulted_media_group }}"
+        gid: "{{ vaulted_media_gid }}"
+
+
+    - name: Create Media User
+      user:
+        name: "{{ vaulted_media_user }}"
+        uid: "{{ vaulted_media_uid }}"
+        groups: "{{ vaulted_media_group }}"
+        append: yes
+        shell: /bin/bash
+
+
+    - name: Ensure mountpoints exist
+      file:
+        path: "{{ item.path }}"
+        state: directory
+      with_items:
+        - "{{ snapraid_parity_disks }}"
+        - "{{ snapraid_data_disks }}"
+
+
+    - name: Ensure VPN device config directory exists
+      file:
+        path: /etc/systemd/system/sys-subsystem-net-devices-nordtun.device.d
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+
+    - name: Auto-Restart services after VPN re-connects
+      copy:
+        dest: /etc/systemd/system/sys-subsystem-net-devices-nordtun.device.d/upholds.conf
+        owner: root
+        group: root
+        mode: '0644'
+        content: |
+                 [Unit]
+                 Upholds=transmission.service
+                 Upholds=qbittorrent.service
+                 Upholds=sickgear.service
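Review bot: The `storage` share is exported guest-writable — `guest_ok: "yes"`, `writable: "yes"`, `public: "yes"` — and `samba_map_to_guest: bad user` maps any failed login to `samba_guest_account` (the media user), so anyone reachable through the opened `samba` firewall service can write to /storage without the credentials defined in `samba_users`. If the share is meant to require that account, set `guest_ok: "no"` and `public: "no"` (plus a host-based allow list if the role exposes one); if anonymous LAN write is intentional, a comment on the share saying so would keep the next reader from "fixing" it. Separately, the homepage container uses `restart:`/`after:` where the other three entries use `restart_policy:`/`restart_sec:`/`quadlet_options:`; unless the quadlet role accepts both spellings, one of them is silently ignored, so aligning homepage with the others would be safer. `WEBUI_PORT: 8080` is also the only unquoted environment value — writing it as `"8080"` avoids passing an int where the role may expect strings.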