blaine
/
infra


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
							---
- hosts: chloe-nas
  gather_facts: true
  become: true

  roles:
    - snapraid
    - mergerfs
    - vladgh.samba.server
    - dnf-automatic
    - linux-system-roles.firewall 
    - linux-system-roles.selinux
    - quadlet
    - statusservices
    - olivetin
    - cloud-backups

  vars_files:
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    dnf_update_time: 'wed 04:30'

    status_services_extra:
      - smb
      - OliveTin

    backups: containers
    backups_ignore:
      - /storage

    container_user: "{{ vaulted_media_user }}"
    container_uid: "{{ vaulted_media_uid }}"
    container_group: "{{ vaulted_media_group }}"
    container_gid: "{{ vaulted_media_gid }}"

    containers:
      - name: homepage
        image: ghcr.io/gethomepage/homepage
        ports: 
          - 80:3000
        environment:
          HOMEPAGE_ALLOWED_HOSTS: 10.0.0.135 # TODO Update with new IP
          PUID: "{{ container_uid }}"
          PGID: "{{ container_gid }}"
        volumes:
          - /srv/containers/homepage:/app/config:Z
          - /storage:/storage:ro # for utilization info
        restart: unless-stopped
        after:
          - network-online.target

      - name: sickgear
        image: lscr.io/linuxserver/sickgear
        ports:
          - 8081:8081
        volumes:
          - /srv/containers/sickgear:/config:Z
          - /storage:/storage:z
        environment:
          PUID: "{{ container_uid }}"
          PGID: "{{ container_gid }}"
          TZ: America/Los_Angeles
        restart_policy: always
        restart_sec: 5
        quadlet_options: |
                         [Unit]
                         After=nordvpnd.service
                         After=sys-subsystem-net-devices-nordtun.device
                         BindsTo=sys-subsystem-net-devices-nordtun.device
                          

      - name: transmission
        image: lscr.io/linuxserver/transmission
        ports:
          - 9091:9091
        volumes:
          - /srv/containers/transmission:/config:Z
          - /storage:/storage:z
        environment:
          PUID: "{{ container_uid }}"
          PGID: "{{ container_gid }}"
          USER: "{{ vaulted_nas_transmission_username }}"
          PASS: "{{ vaulted_nas_transmission_password }}"
        restart_policy: unless-stopped
        restart_sec: 5
        quadlet_options: |
                         [Unit]
                         After=nordvpnd.service
                         After=sys-subsystem-net-devices-nordtun.device
                         BindsTo=sys-subsystem-net-devices-nordtun.device


      - name: qbittorrent
        active: true
        image: lscr.io/linuxserver/qbittorrent
        ports:
          - 8080:8080
        volumes:
          - /srv/containers/qbittorrent:/config:Z
          - /storage:/storage:z
        environment:
          PUID: "{{ container_uid }}"
          PGID: "{{ container_gid }}"
          WEBUI_PORT: 8080
        restart_policy: unless-stopped
        restart_sec: 5
        quadlet_options: |
                         [Unit]
                         After=nordvpnd.service
                         After=sys-subsystem-net-devices-nordtun.device
                         BindsTo=sys-subsystem-net-devices-nordtun.device


    samba_guest_account: "{{ vaulted_media_user }}"
    samba_map_to_guest: bad user
    samba_netbios_name: "{{ ansible_hostname }}"
    samba_load_printers: False
    samba_mitigate_cve_2017_7494: False # enabling this breaks share browsing on Macs
    samba_shares_root: /storage
    samba_manage_directories: False # already handled by mergerfs/snapraid roles

    samba_users:
      - name: "{{ vaulted_media_user }}"
        password: "{{ vaulted_media_password }}"

    samba_shares:
      - name: storage
        path: /storage
        force_create_mode: '0664'
        force_directory_mode: '0775'
        guest_ok: "yes"
        writable: "yes"
        public: "yes"
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"


    snapraid_data_disks:
      - path: /mnt/datadisk1
        disk: /dev/disk/by-id/ata-WDC_WD60EFAX-68SHWN0_WD-WX21D39PLU7H-part1 # top slot
        opts: defaults
        fs: xfs
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/datadisk2
        disk: /dev/disk/by-id/ata-WDC_WD60EFAX-68SHWN0_WD-WX91D99DVRJH-part1
        opts: defaults
        fs: xfs
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/datadisk3
        disk: /dev/disk/by-id/ata-WDC_WD80EFPX-68C4ZN0_WD-RD2VM3XH-part1
        opts: defaults
        fs: xfs
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"


    snapraid_parity_disks:
      - path: /mnt/parity1
        parity: parity
        disk: /dev/disk/by-id/ata-WDC_WD80EFPX-68C4ZN0_WD-RD2V74DH-part1 # bottom slot
        opts: defaults
        fs: xfs


    mergerfs_disks: "{{ snapraid_data_disks }}"


    mergerfs_fstab:
      - path: /storage
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
        source: /mnt/datadisk*
        opts:
          - allow_other
          - minfreespace=10G
          - category.create=mfs
          - use_ino
          - func.getattr=newest
          - fsname=mergerfs
          - nonempty


    selinux_booleans:
      - name: samba_share_fusefs
        state: on
        persistent: yes


    firewall:
     - service:
         - samba
         - netbios-ns
         - http
       state: enabled

     - port:
         - '1337/tcp'
         - '8080/tcp'
         - '8081/tcp'
         - '9091/tcp'
       state: enabled
  

    server_notifications_topic: "{{ vaulted_server_notifications_topic }}"

  pre_tasks:
    - name: Create Media Group
      group:
        name: "{{ vaulted_media_group }}"
        gid: "{{ vaulted_media_gid }}"


    - name: Create Media User
      user:
        name: "{{ vaulted_media_user }}"
        uid: "{{ vaulted_media_uid }}"
        groups: "{{ vaulted_media_group }}"
        append: yes
        shell: /bin/bash


    - name: Ensure mountpoints exist
      file:
        path: "{{ item.path }}"
        state: directory
      with_items:
        - "{{ snapraid_parity_disks }}"
        - "{{ snapraid_data_disks }}"


    - name: Ensure VPN device config directory exists
      file:
        path: /etc/systemd/system/sys-subsystem-net-devices-nordtun.device.d
        state: directory
        owner: root
        group: root
        mode: '0755'


    - name: Auto-Restart services after VPN re-connects
      copy:
        dest: /etc/systemd/system/sys-subsystem-net-devices-nordtun.device.d/upholds.conf
        owner: root
        group: root
        mode: '0644'
        content: |
                 [Unit]
                 Upholds=transmission.service
                 Upholds=qbittorrent.service
                 Upholds=sickgear.service