blaine
/
infra


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262
							---
- hosts: nas
  gather_facts: true
  become: true

  roles:
    - docker
#    - yt-dlp
#    - rtl_433
#    - cloud-backups
#    - statusservices
#    - linux-system-roles.timesync
    #- linux-system-roles.firewall # fw is disabled for homeassistant
    #- linux-system-roles.metrics

  vars_files:
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    status_services_extra:
      - grafana-server
      - rtl_433
      - smb

    backups: containers
    backups_ignore:
      - /mergerfs
      - /run/udev
      - /run/dbus

    container_user: "{{ vaulted_media_user }}"
    container_uid: "{{ vaulted_media_uid }}"
    container_group: "{{ vaulted_media_group }}"
    container_gid: "{{ vaulted_media_gid }}"

    global_env_vars:
      - PUID={{ container_uid }}
      - PGID={{ container_gid }}

    container_networks:
      - name: downloaders
        driver: bridge
        subnet: 172.21.10.0/24
        ip_range: 172.21.10.0/24
        gateway: 172.21.10.1

    containers:
      - name: heimdall
        active: true
        image: linuxserver/heimdall
        ports:
          - 80:80
        volumes:
          - /opt/heimdall:/config
        include_global_env_vars: true
        restart: unless-stopped
    
      - name: homeassistant
        active: true
        image: ghcr.io/home-assistant/home-assistant:stable
        privileged: true
        network_mode: host
        environment:
          - TZ=America/Los_Angeles
        volumes:
          - /opt/homeassistant:/config
          - /run/dbus:/run/dbus:ro
        restart: unless-stopped

      - name: frigate
        active: true
        image: ghcr.io/blakeblackshear/frigate:stable
        privileged: true
        shm_size: 20gb
        devices:
          - /dev/dri/renderD128:/dev/dri/renderD128
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /opt/frigate/config:/config
          - /mergerfs/public/Videos/frigate:/media/frigate
        ports:
          - 8971:8971
          - 8554:8554 # RTSP feeds
          - 8555:8555/tcp # WebRTC over tcp
          - 8555:8555/udp # WebRTC over udp
        environment:
          - FRIGATE_RTSP_PASSWORD: sqordfish

      - name: kodi-db
        active: true
        image: mariadb
        ports:
          - 3306:3306
        include_global_env_vars: true
        restart: unless-stopped
        environment:
          - MARIADB_RANDOM_ROOT_PASSWORD=1
          - MARIADB_USER={{ vaulted_kodi_db_user }}
          - MARIADB_PASSWORD={{ vaulted_kodi_db_pass }}
        volumes:
          - /opt/kodi-db:/var/lib/mysql

      - name: esphome
        active: true
        image: ghcr.io/esphome/esphome
        privileged: true
        network_mode: host
        volumes:
          - /opt/esphome:/config
          - /etc/localtime:/etc/localtime:ro
        environment:
          - USERNAME={{ vaulted_esphome_username }}
          - PASSWORD={{ vaulted_esphome_password }}
        devices:
          - /dev/ttyUSB1:/dev/ttyUSB1
        restart: unless-stopped

      - name: zigbee2mqtt
        active: true
        image: koenkk/zigbee2mqtt
        volumes:
          - /opt/zigbee2mqtt:/app/data
          - /run/udev:/run/udev:ro
        ports:
          - 8095:8095
        environment:
          - TZ=America/Los_Angeles
        devices:
          - /dev/ttyUSB0:/dev/ttyUSB0
        networks:
          - jarvis

      - name: mqtt
        active: true
        image: eclipse-mosquitto
        ports:
          - 1883:1883
          - 9001:9001
        volumes:
          - /opt/mqtt/config:/mosquitto/config
          - /opt/mqtt/data:/mosquitto/data
          - /opt/mqtt/logs:/mosquitto/log
        restart: unless-stopped
        networks:
          - jarvis

      - name: nginx
        active: true
        image: nginx
        ports:
          - 8092:80
        volumes:
          - /opt/nginx:/usr/share/nginx/html:ro

      - name: sickgear
        active: true
        image: linuxserver/sickgear
        ports:
          - 8082:8081
        volumes:
          - /opt/sickgear:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        restart: unless-stopped
        networks:
          - downloaders

      - name: transmission
        active: true
        image: linuxserver/transmission
        ports:
          - 9091:9091
        volumes:
          - /opt/transmission:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        environment:
          - USER={{ vaulted_nas_transmission_username }}
          - PASS={{ vaulted_nas_transmission_password }}
        restart: unless-stopped
        networks:
          - downloaders

      - name: qbittorrent
        active: true
        image: linuxserver/qbittorrent
        ports:
          - 8080:8080
        volumes:
          - /opt/qbittorrent:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        environment:
          - WEBUI_PORT=8080
        restart: unless-stopped
        networks:
          - downloaders

      - name: scrutiny
        active: true
        image: ghcr.io/analogj/scrutiny:master-omnibus
        ports:
          - 8088:8080
          - 8086:8086
        volumes:
          - /opt/scrutiny/config:/opt/scrutiny/config
          - /opt/scrutiny/influxdb2:/opt/scrutiny/influxdb
          - /run/udev:/run/udev:ro
        cap_add:
          - SYS_RAWIO
          - SYS_ADMIN # https://github.com/AnalogJ/scrutiny/issues/26#issuecomment-696817130
        devices:
          - /dev/sda
          - /dev/sdb
          - /dev/sdc
          - /dev/sdd
          - /dev/sde
          - /dev/sdf
          - /dev/sdg
          - /dev/sdh

      - name: watchyourlan
        active: true
        image: aceberg/watchyourlan
        network_mode: host
        environment:
          - IFACE=enp42s0
          - TZ=America/Los_Angeles
          - SHOURTRRR_URL=ntfy://ntfy.warchildstory.com/TestNotifications
          - GUIIP=0.0.0.0
          - GUIPORT=8840
        volumes:
          - /opt/wyl:/data
        ports:
          - 8840:8840


    timesync_ntp_servers:
      - hostname: 2.centos.pool.ntp.org
        iburst: true
        pool: true

    timesync_chrony_custom_settings:
      - "allow 10.0.0.0/24"

    metrics_monitored_hosts:
      - nas.home.arpa
      - gateway.home.arpa
    metrics_retention_days: 14
    metrics_graph_service: yes
    metrics_query_service: yes

    firewall:
      - {'service': 'grafana', 'state': 'enabled' }
      - {'service': 'http', 'state': 'enabled' }

      - {'port': '8080/tcp', 'state': 'enabled'}
      - {'port': '8081/tcp', 'state': 'enabled'}
      - {'port': '8086/tcp', 'state': 'enabled'}
      - {'port': '8088/tcp', 'state': 'enabled'}
      - {'port': '8840/tcp', 'state': 'enabled'}
      - {'port': '9091/tcp', 'state': 'enabled'}