3 Commits

Author SHA1 Message Date
19a65cb742 Add zrepl role 2026-02-25 22:36:37 -05:00
7404bab63f Set SSH UFW rule via role default 2026-02-24 00:50:20 -05:00
929d549217 Enable SELinux deployment in dev config 2026-02-24 00:18:34 -05:00
9 changed files with 206 additions and 28 deletions


@@ -4,7 +4,7 @@
selinux: selinux:
state: enforcing state: enforcing
base_allow_reboot: false base_allow_reboot: true
base_manage_network: false base_manage_network: false
root_gpgkeys: root_gpgkeys:
@@ -27,35 +27,34 @@ scripts:
proxy: proxy:
servers: servers:
- domain: cloud.local.krislamo.org - domain: music.local.krislamo.org
proxy_pass: http://127.0.0.1:8000 proxy_pass: http://127.0.0.1:4533
################ ################
#### podman #### #### podman ####
################ ################
podman_label:
- path: /home/vagrant/navidrome
label: system_u:object_r:container_file_t:s0
owner: vagrant
group: vagrant
podman_compose: podman_compose:
vagrant: vagrant:
root: /opt/oci root: /opt/oci
trusted_keys: trusted_keys:
- id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96 - id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
compose: compose:
- name: traefik - name: navidrome
url: https://github.com/krislamo/traefik url: https://github.com/krislamo/navidrome
version: d7197ddd5b7019c60faf5d164e555b6374972d40 version: 305f92cff143c0d497d21277145f605d9da830de
enabled: true enabled: true
accept_newhostkey: true # Consider verifying manually instead accept_newhostkey: true # Consider verifying manually instead
env: env:
VERSION: latest VERSION: latest
SOCKET: /run/user/1000/podman/podman.sock BASEURL: https://music.local.krislamo.org
DASHBOARD: true MUSIC: /home/vagrant/navidrome
- name: nextcloud LASTFM_ENABLED: "false"
url: https://github.com/krislamo/nextcloud LASTFM_APIKEY: "n/a"
version: 245c91a22fa75e5dde1d423e88540529a4fa4f27 LASTFM_SECRET: "n/a"
enabled: true
env:
VERSION: latest
DOMAIN: cloud.local.krislamo.org
DATA: /opt/oci/nextcloud/data/
REDIS_VERSION: latest
REDIS_PASSWORD: changeme
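Review bot: The `podman_label` entry at the top of the podman stanza applies `system_u:object_r:container_file_t:s0` with no MCS category, which, going by the label alone, makes `/home/vagrant/navidrome` reachable by every container on the host rather than only by navidrome; that is probably acceptable in a dev config, but it deserves a comment such as `# s0 without an MCS category: shared with every container on the host, not just navidrome`. The same path is repeated as the `MUSIC` env value under the navidrome compose entry, so a one-line cross-reference on either of them would keep the two from drifting apart. `base_allow_reboot` flipping to `true` means the base role's SELinux activation may now reboot this host; a short comment next to it saying that is the intent for the dev box would save the next reader a search through the role.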


@@ -23,3 +23,4 @@ base_packages:
base_scripts: /srv/.scripts base_scripts: /srv/.scripts
base_ssh_ufw_rule: limit


@@ -18,10 +18,10 @@
default: allow default: allow
direction: outgoing direction: outgoing
- name: Allow OpenSSH with rate limiting - name: "{{ base_ssh_ufw_rule | capitalize }} OpenSSH"
community.general.ufw: community.general.ufw:
name: ssh name: ssh
rule: limit rule: "{{ base_ssh_ufw_rule | default('limit') }}"
- name: Remove Fail2ban defaults-debian.conf - name: Remove Fail2ban defaults-debian.conf
ansible.builtin.file: ansible.builtin.file:
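Review bot: `rule: "{{ base_ssh_ufw_rule | default('limit') }}"` is redundant now that `base_ssh_ufw_rule: limit` is declared in the role defaults (the defaults hunk above), and two fallbacks for the same value can drift; `rule: "{{ base_ssh_ufw_rule }}"` is enough. The larger concern is that nothing bounds the value: `community.general.ufw` also accepts `deny` and `reject`, so a typo or an over-broad inventory override would cut off SSH on the very host Ansible manages. An `ansible.builtin.assert` ahead of the ufw task restricting it to `allow`/`limit` fails the play before the firewall changes. The task list continues outside the hunk on both sides.
```yaml
- name: Validate base_ssh_ufw_rule
  ansible.builtin.assert:
    that: base_ssh_ufw_rule in ['allow', 'limit']
    fail_msg: "base_ssh_ufw_rule must be 'allow' or 'limit', got '{{ base_ssh_ufw_rule }}'"
# … unchanged: OpenSSH ufw task …
```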


@@ -16,6 +16,38 @@
policy: "{{ selinux.policy | default('default') }}" policy: "{{ selinux.policy | default('default') }}"
when: selinux is defined and selinux is not false when: selinux is defined and selinux is not false
- name: Check for GRUB
ansible.builtin.stat:
path: /etc/default/grub
register: grub_config
when: selinux is defined and selinux is not false
- name: Check if SELinux is already activated in GRUB
ansible.builtin.command: grep -q 'security=selinux' /etc/default/grub
register: selinux_grub
changed_when: false
failed_when: false
when:
- selinux is defined
- selinux is not false
- grub_config.stat.exists
- name: Activate SELinux
ansible.builtin.command: selinux-activate
changed_when: true
when:
- selinux is defined
- selinux is not false
- grub_config.stat.exists
- selinux_grub.rc != 0
register: selinux_activated
- name: Reboot after SELinux activation
ansible.builtin.reboot:
when:
- selinux_activated is changed
- base_allow_reboot
- name: Install GPG - name: Install GPG
ansible.builtin.apt: ansible.builtin.apt:
name: gpg name: gpg
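Review bot: When `base_allow_reboot` is false the play walks past `Reboot after SELinux activation` on a host whose GRUB entry was just rewritten but which is still running without SELinux, and every later task (the podman role's `restorecon`/`chcon` among them) then executes with no policy loaded; nothing records that this happened. A follow-up task that surfaces the pending reboot keeps the operator informed, and `ansible.builtin.meta: end_host` would be the stricter choice if the rest of the play should not run in that state. The `grep -q 'security=selinux'` check at `Check if SELinux is already activated in GRUB` would presumably also match a commented-out line, so a host where activation was later undone by hand would be skipped; anchoring the pattern on the `GRUB_CMDLINE_LINUX` assignment would be tighter, though how `selinux-activate` writes it is not visible from here.
```yaml
- name: Report pending SELinux activation when a reboot is not allowed
  ansible.builtin.debug:
    msg: "SELinux was activated in GRUB but base_allow_reboot is false; reboot this host before relying on SELinux"
  when:
    - selinux_activated is changed
    - not base_allow_reboot
# … unchanged: Install GPG task …
```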


@@ -112,6 +112,88 @@
loop_var: podman_user loop_var: podman_user
when: podman_login is defined when: podman_login is defined
- name: Stat rootless Podman directory
ansible.builtin.stat:
path: "/home/{{ compose_user.key }}/.local/share/containers"
loop: "{{ podman_compose | dict2items }}"
loop_control:
loop_var: compose_user
label: "{{ compose_user.key }}"
register: podman_user_containers_stat
when:
- podman_compose is defined
- selinux is defined
- selinux is not false
- name: Create rootless Podman directory
ansible.builtin.file:
path: "/home/{{ item.compose_user.key }}/.local/share/containers"
state: directory
owner: "{{ item.compose_user.key }}"
group: "{{ item.compose_user.key }}"
mode: "700"
loop: "{{ podman_user_containers_stat.results }}"
loop_control:
label: "{{ item.compose_user.key }}"
when:
- podman_compose is defined
- selinux is defined
- selinux is not false
- not item.stat.exists
- name: Label rootless Podman directory
ansible.builtin.command: >-
restorecon -Rv /home/{{ item.compose_user.key }}/.local/share/containers
loop: "{{ podman_user_containers_stat.results }}"
loop_control:
label: "/home/{{ item.compose_user.key }}/.local/share/containers"
changed_when: true
when:
- podman_compose is defined
- selinux is defined
- selinux is not false
- not item.stat.exists
- name: Stat Podman label directories
ansible.builtin.stat:
path: "{{ item.path }}"
loop: "{{ podman_label }}"
register: podman_label_stat
loop_control:
label: "{{ item.path }}"
when:
- podman_label is defined
- selinux is defined
- selinux is not false
- name: Create Podman label directories
ansible.builtin.file:
path: "{{ item.item.path }}"
owner: "{{ item.item.owner | default(omit) }}"
group: "{{ item.item.group | default(omit) }}"
mode: "{{ item.item.mode | default('700') }}"
state: directory
loop: "{{ podman_label_stat.results }}"
loop_control:
label: "{{ item.item.path }}"
when:
- podman_label is defined
- selinux is defined
- selinux is not false
- not item.stat.exists
- name: Set labels on Podman label directories
ansible.builtin.command: "chcon {{ item.item.label }} {{ item.item.path }}"
loop: "{{ podman_label_stat.results }}"
changed_when: true
loop_control:
label: "{{ item.item.path }} => {{ item.item.label }}"
when:
- podman_label is defined
- selinux is defined
- selinux is not false
- not item.stat.exists
- name: Deploy Podman compose projects for each user - name: Deploy Podman compose projects for each user
ansible.builtin.include_tasks: deploy.yml ansible.builtin.include_tasks: deploy.yml
vars: vars:
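Review bot: `chcon` at `Set labels on Podman label directories` runs only when the directory did not yet exist, and a `chcon` label is not recorded in the policy's file-context database, so the next `restorecon` over the home directory (or the full relabel that presumably follows SELinux activation in the base role) resets the path to its home-directory default and the container loses access until the directory is deleted and recreated; an existing directory with the wrong label is likewise never corrected. Recording the context with `community.general.sefcontext` and then running `restorecon -v` on the path, as the rootless-directory task above already does, survives relabels and converges on existing directories (`restorecon -v` only prints the paths it changed, which gives a usable `changed_when`). Separately, the label and path are interpolated into one `command` string and word-split; `argv: ["chcon", "{{ item.item.label }}", "{{ item.item.path }}"]` keeps a path containing spaces intact. The `Deploy Podman compose projects for each user` task continues past the hunk.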


@@ -10,18 +10,17 @@
state: started state: started
enabled: true enabled: true
- name: Check for cached dhparams.pem file - name: Check if environment is vagrant
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ proxy_cached_dhparams_pem }}" path: /home/vagrant
register: dhparams_file register: vagrant_home
- name: Copy cached dhparams.pem to /etc/ssl/ - name: Download Mozilla's standard DH params (dev only)
ansible.builtin.copy: ansible.builtin.get_url:
src: "{{ proxy_cached_dhparams_pem }}" url: https://ssl-config.mozilla.org/ffdhe4096.txt
dest: /etc/ssl/dhparams.pem dest: /etc/ssl/dhparams.pem
mode: "600" mode: "600"
remote_src: true when: vagrant_home.stat.exists
when: dhparams_file.stat.exists
- name: Generate DH Parameters - name: Generate DH Parameters
community.crypto.openssl_dhparam: community.crypto.openssl_dhparam:
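Review bot: The `get_url` at `Download Mozilla's standard DH params (dev only)` writes straight into `/etc/ssl/dhparams.pem` with no `checksum:`, so whatever the remote endpoint returns becomes the server's DH group; ffdhe4096 is a fixed RFC 7919 group whose digest never changes, so `checksum: sha256:<ffdhe4096-sha256-placeholder>` pins it at no cost. Detecting a dev host by the existence of `/home/vagrant` is also fragile: a leftover vagrant account on a production host would quietly substitute the published group for the generated one, whereas a dedicated role variable (for example `proxy_use_standard_dhparams`, defaulting to false) states the intent and can be set in the dev config next to the other dev-only toggles. The `Generate DH Parameters` task continues outside the hunk, so whether it skips an existing file is not visible here; if it regenerates unconditionally the download is overwritten anyway.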


@@ -0,0 +1 @@
zrepl_pkg_hold: true


@@ -0,0 +1,40 @@
- name: Download zrepl APT signing key
ansible.builtin.get_url:
url: https://zrepl.cschwarz.com/apt/apt-key.asc
dest: /tmp/zrepl-apt-key.asc
mode: "600"
force: true
- name: Get fingerprint of downloaded key
ansible.builtin.shell: |
set -euo pipefail
gpg --with-colons --import-options show-only \
--import /tmp/zrepl-apt-key.asc | awk -F: '$1=="fpr"{print $10; exit}'
args:
executable: /bin/bash
changed_when: false
register: gpg_key_info
- name: Verify key fingerprint matches expected value
ansible.builtin.assert:
that: gpg_key_info.stdout == expected_fingerprint
vars:
expected_fingerprint: "E101418FD3D6FBCB9D65A62D708699FC5F2EBF16"
- name: Dearmor zrepl key into APT keyring
ansible.builtin.command:
cmd: >-
gpg --dearmor --yes --output /usr/share/keyrings/zrepl-archive-keyring.gpg
/tmp/zrepl-apt-key.asc
args:
creates: /usr/share/keyrings/zrepl-archive-keyring.gpg
- name: Add zrepl apt repository
ansible.builtin.apt_repository:
repo: "deb [signed-by={{ zrepl_keyring_path }}] {{ zrepl_url }} {{ zrepl_suite }} main"
filename: zrepl
state: present
vars:
zrepl_keyring_path: /usr/share/keyrings/zrepl-archive-keyring.gpg
zrepl_url: "https://zrepl.cschwarz.com/apt/debian"
zrepl_suite: "{{ ansible_distribution_release }}"
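Review bot: The key is verified and then dearmored from the same world-known path `/tmp/zrepl-apt-key.asc`, rewritten on every run because of `force: true`, and never removed afterwards; `ansible.builtin.tempfile` (registered, with a closing `state: absent` task) gives a private, unpredictable path and cleans up, which is the safer shape for a file that a later task trusts. The `assert` at `Verify key fingerprint matches expected value` carries no `fail_msg`, so a mismatch reports only the expression; `fail_msg: "zrepl key fingerprint {{ gpg_key_info.stdout }} does not match {{ expected_fingerprint }}"` names the offending value. The `awk ... exit` deliberately takes the first `fpr` record, i.e. the primary key fingerprint, which is the right thing to pin; a comment above the shell block (`# first fpr record is the primary key fingerprint`) spares the next reader from re-deriving that.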


@@ -0,0 +1,24 @@
- name: Install GnuPG
ansible.builtin.apt:
name: gnupg
state: present
update_cache: true
- name: Check if zrepl repo exists
ansible.builtin.stat:
path: /etc/apt/sources.list.d/zrepl.list
register: zrepl_repo_file
- name: Install zrepl repo
ansible.builtin.include_tasks: install.yml
when: not zrepl_repo_file.stat.exists
- name: Install zrepl
ansible.builtin.apt:
name: zrepl
state: present
- name: Set zrepl package hold state
ansible.builtin.dpkg_selections:
name: zrepl
selection: "{{ 'hold' if zrepl_pkg_hold else 'install' }}"
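Review bot: Gating `install.yml` on `/etc/apt/sources.list.d/zrepl.list` means the key download, fingerprint assertion and keyring creation run exactly once per host; if `/usr/share/keyrings/zrepl-archive-keyring.gpg` is later removed or the upstream key rotates, the repository stays configured with a missing or stale key and nothing re-verifies it. A second `stat` on the keyring and `when: not zrepl_repo_file.stat.exists or not zrepl_keyring_file.stat.exists` covers the missing-keyring case at least. `selection: "{{ 'hold' if zrepl_pkg_hold else 'install' }}"` treats any non-empty string as truthy, so `zrepl_pkg_hold=false` passed on the command line or as an inventory string would still hold the package; `zrepl_pkg_hold | bool` makes the test behave.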