infra/plays/nas-services.yml

---
- hosts: nas
  gather_facts: true
  become: true

  roles:
    - docker
    - cloud-backups
    - statusservices
    - linux-system-roles.metrics
    - linux-system-roles.firewall

  vars_files:
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    status_services_extra:
      - grafana-server
      - smb

    backups: containers
    backups_ignore:
      - /mergerfs
      - /run/udev

    container_user: "{{ vaulted_media_user }}"
    container_uid: "{{ vaulted_media_uid }}"
    container_group: "{{ vaulted_media_group }}"
    container_gid: "{{ vaulted_media_gid }}"

    global_env_vars:
      - PUID={{ container_uid }}
      - PGID={{ container_gid }}

    container_networks:
      - name: downloaders
        driver: bridge
        subnet: 172.21.10.0/24
        ip_range: 172.21.10.0/24
        gateway: 172.21.10.1

    containers:
      - name: heimdall
        active: true
        image: linuxserver/heimdall
        ports:
          - 80:80
        volumes:
          - /opt/heimdall:/config
        include_global_env_vars: true
        restart: unless-stopped
    

      - name: sickchill
        active: true
        image: linuxserver/sickchill
        ports:
          - 8081:8081
        volumes:
          - /opt/sickchill:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        restart: unless-stopped
        networks:
          - downloaders

      - name: transmission
        active: true
        image: linuxserver/transmission
        ports:
          - 9091:9091
        volumes:
          - /opt/transmission:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        environment:
          - USER={{ vaulted_nas_transmission_username }}
          - PASS={{ vaulted_nas_transmission_password }}
        restart: unless-stopped
        networks:
          - downloaders

      - name: qbittorrent
        active: true
        image: linuxserver/qbittorrent
        ports:
          - 8080:8080
        volumes:
          - /opt/qbittorrent:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        environment:
          - WEBUI_PORT=8080
        restart: unless-stopped
        networks:
          - downloaders

      - name: scrutiny
        active: true
        image: ghcr.io/analogj/scrutiny:master-omnibus
        ports:
          - 8088:8080
          - 8086:8086
        volumes:
          - /opt/scrutiny/config:/opt/scrutiny/config
          - /opt/scrutiny/influxdb2:/opt/scrutiny/influxdb
          - /run/udev:/run/udev:ro
        cap_add:
          - SYS_RAWIO
          - SYS_ADMIN # https://github.com/AnalogJ/scrutiny/issues/26#issuecomment-696817130
        devices:
          - /dev/sda
          - /dev/sdb
          - /dev/sdc
          - /dev/sdd
          - /dev/sde
          - /dev/sdf
          - /dev/sdg

      - name: watchyourlan
        active: true
        image: aceberg/watchyourlan
        network_mode: host
        environment:
          - IFACE=enp42s0
          - TZ=America/Los_Angeles
          - SHOURTRRR_URL=ntfy://ntfy.warchildstory.com/TestNotifications
          - GUIIP=0.0.0.0
          - GUIPORT=8840
        volumes:
          - /opt/wyl:/data
        ports:
          - 8840:8840

    metrics_monitored_hosts:
      - nas.home.arpa
      - gateway.home.arpa
    metrics_retention_days: 14
    metrics_graph_service: yes
    metrics_query_service: yes

    firewall:
      - {'service': 'grafana', 'state': 'enabled' }
      - {'service': 'http', 'state': 'enabled' }

      - {'port': '8080/tcp', 'state': 'enabled'}
      - {'port': '8081/tcp', 'state': 'enabled'}
      - {'port': '8086/tcp', 'state': 'enabled'}
      - {'port': '8088/tcp', 'state': 'enabled'}
      - {'port': '8840/tcp', 'state': 'enabled'}
      - {'port': '9091/tcp', 'state': 'enabled'}