testing

.github/workflows/vagrant.yml

@@ -3,17 +3,22 @@ name: homelab-ci
 on:
   push:
     branches:
-      - github_actions
-      # - main
-      # - testing
+      - main
+      - testing
 
 jobs:
   homelab-ci:
-    runs-on: macos-latest
+    runs-on: macos-13
 
     steps:
       - uses: actions/checkout@v3
 
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        with:
+          detached: true
+          limit-access-to-actor: true
+
       - name: Cache Vagrant boxes
         uses: actions/cache@v3
         with:
@@ -22,19 +27,23 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-vagrant-
 
+      - name: Install Tools
+        run: brew install nmap tree
+
+      - name: Install VirtualBox
+        run: brew install --cask virtualbox
+
+      - name: Install Vagrant
+        run: brew install --cask vagrant
+
       - name: Install Ansible
-        run: brew install ansible@7
+        run: brew install ansible
 
       - name: Software Versions
         run: |
-          printf "VirtualBox "
-          vboxmanage --version
+          printf "VirtualBox "; vboxmanage --version
           vagrant --version
-          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
           ansible --version
 
       - name: Vagrant Up with Dockerbox Playbook
-        run: |
-          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
-          PLAYBOOK=dockerbox vagrant up
-          vagrant ssh -c "docker ps"
+        run: ./scripts/github-vagrant.sh

.gitignore

@@ -1,5 +1,4 @@
-.ansible*
-/environments/
 .playbook
 .vagrant*
 .vscode
+/environments/

Vagrantfile

@@ -9,7 +9,7 @@ if File.exist?(settings_path)
   settings = YAML.load_file(settings_path)
 end
 
-VAGRANT_BOX  = settings['VAGRANT_BOX']  || 'krislamo.org/debian13'
+VAGRANT_BOX  = settings['VAGRANT_BOX']  || 'debian/bookworm64'
 VAGRANT_CPUS = settings['VAGRANT_CPUS'] || 2
 VAGRANT_MEM  = settings['VAGRANT_MEM']  || 2048
 SSH_FORWARD  = settings['SSH_FORWARD']  || false
@@ -36,6 +36,7 @@ Vagrant.configure("2") do |config|
   config.vm.provider :virtualbox do |vbox|
     vbox.cpus   = VAGRANT_CPUS
     vbox.memory = VAGRANT_MEM
+    vbox.gui    = true
   end
 
   # Provision with Ansible
@@ -43,6 +44,6 @@ Vagrant.configure("2") do |config|
     ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
     ansible.compatibility_mode = "2.0"
     ansible.playbook = "dev/" + PLAYBOOK + ".yml"
-    ansible.raw_arguments = ["--diff"]
+    ansible.raw_arguments = ["--diff", "-vvvv"]
   end
 end

dev/host_vars/dockerbox.yml

@@ -4,12 +4,8 @@ manage_network: false
 
 # Import my GPG key for git signature verification
 root_gpgkeys:
-  - name: kris@lamoureux.io
-    id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
-  # Older key, but still in use
   - name: kris@lamoureux.io
     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-    server: keyserver.ubuntu.com
 
 # proxy
 proxy:

dev/host_vars/podman.yml

@@ -1,45 +0,0 @@
-##############
-#### base ####
-##############
-
-allow_reboot: false
-manage_network: false
-
-################
-#### proxy #####
-################
-
-proxy:
-  servers:
-    - domain: cloud.local.krislamo.org
-      proxy_pass: http://127.0.0.1:8000
-
-################
-#### podman ####
-################
-
-podman_compose:
-  vagrant:
-    root: /opt/oci
-    trusted_keys:
-      - id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
-    compose:
-      - name: traefik
-        url: https://github.com/krislamo/traefik
-        version: d7197ddd5b7019c60faf5d164e555b6374972d40
-        enabled: true
-        accept_newhostkey: true # Consider verifying manually instead
-        env:
-          VERSION: latest
-          SOCKET: /run/user/1000/podman/podman.sock
-          DASHBOARD: true
-      - name: nextcloud
-        url: https://github.com/krislamo/nextcloud
-        version: 245c91a22fa75e5dde1d423e88540529a4fa4f27
-        enabled: true
-        env:
-          VERSION: latest
-          DOMAIN: cloud.local.krislamo.org
-          DATA: /opt/oci/nextcloud/data/
-          REDIS_VERSION: latest
-          REDIS_PASSWORD: changeme

dev/podman.yml

@@ -1,9 +0,0 @@
-- name: Install Podman server
-  hosts: all
-  become: true
-  vars_files:
-    - host_vars/podman.yml
-  roles:
-    - base
-    - proxy
-    - podman

playbooks/docker.yml

@@ -4,5 +4,4 @@
   roles:
     - base
     - jenkins
-    - proxy
     - docker

playbooks/dockerbox.yml

@@ -3,9 +3,9 @@
   become: true
   roles:
     - base
-    - jenkins
     - docker
-    - mariadb
     - traefik
     - nextcloud
-    - proxy
+    - jenkins
+    - prometheus
+    - nginx

roles/base/tasks/samba.yml

@@ -26,7 +26,7 @@
   ansible.builtin.template:
     src: smb.conf.j2
     dest: /etc/samba/smb.conf
-    mode: "644"
+    mode: "700"
   notify: restart_samba
 
 - name: Start smbd and enable on boot

roles/base/tasks/system.yml

@@ -80,30 +80,14 @@
     state: present
     uid: "{{ item.value.uid }}"
     group: "{{ item.value.gid }}"
-    groups: "{{ item.value.groups | default([]) }}"
     shell: "{{ item.value.shell | default('/bin/bash') }}"
     create_home: "{{ item.value.home | default(false) }}"
-    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
     system: "{{ item.value.system | default(false) }}"
   loop: "{{ users | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
   when: users is defined
 
-- name: Create Ansible's temporary remote directory for users
-  ansible.builtin.file:
-    path: "{{ item.value.homedir | default('/home/' + item.key) }}/.ansible/tmp"
-    state: directory
-    mode: "700"
-    owner: "{{ item.key }}"
-    group: "{{ item.value.gid }}"
-  loop: "{{ users | dict2items }}"
-  loop_control:
-    label: "{{ item.key }}"
-  when:
-    - users is defined
-    - item.value.tmp | default(true)
-
 - name: Set authorized_keys for system users
   ansible.posix.authorized_key:
     user: "{{ item.key }}"

roles/base/tasks/wireguard.yml

@@ -18,28 +18,6 @@
     src: /etc/wireguard/privatekey
   register: wgkey
 
-- name: Check if WireGuard preshared key file exists
-  ansible.builtin.stat:
-    path: /etc/wireguard/presharedkey-{{ item.name }}
-  loop: "{{ wireguard.peers }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: presharedkey_files
-
-- name: Grab WireGuard preshared key for configuration
-  ansible.builtin.slurp:
-    src: /etc/wireguard/presharedkey-{{ item.item.name }}
-  register: wgshared
-  loop: "{{ presharedkey_files.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"
-  when: item.stat.exists
-
-- name: Grab WireGuard private key for configuration
-  ansible.builtin.slurp:
-    src: /etc/wireguard/privatekey
-  register: wgkey
-
 - name: Install WireGuard configuration
   ansible.builtin.template:
     src: wireguard.j2

roles/base/templates/wireguard.j2

@@ -1,6 +1,4 @@
-# {{ ansible_managed }}
-
-[Interface] # {{ ansible_hostname }}
+[Interface]
 PrivateKey = {{ wgkey['content'] | b64decode | trim }}
 Address = {{ wireguard.address }}
 {% if wireguard.listenport is defined %}
@@ -8,26 +6,8 @@ ListenPort = {{ wireguard.listenport }}
 {% endif %}
 
 {% for peer in wireguard.peers %}
-{% if peer.name is defined %}
-[Peer] # {{ peer.name }}
-{% else %}
 [Peer]
-{% endif %}
 PublicKey = {{ peer.publickey }}
-{% if peer.presharedkey is defined %}
-PresharedKey = {{ peer.presharedkey }}
-{% else %}
-{% set preshared_key = (
-    wgshared.results
-    | selectattr('item.item.name', 'equalto', peer.name)
-    | first
-  ).content
-  | default(none)
-%}
-{% if preshared_key is not none %}
-PresharedKey = {{ preshared_key | b64decode | trim }}
-{% endif %}
-{% endif %}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}

roles/docker/tasks/main.yml

@@ -24,21 +24,15 @@
 
 - name: Install/uninstall Docker from Debian repositories
   ansible.builtin.apt:
-    name: ["docker.io", "docker-compose", "containerd", "runc"]
+    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
     state: "{{ 'absent' if docker_official else 'present' }}"
     autoremove: true
     update_cache: true
 
 - name: Install/uninstall Docker from Docker repositories
   ansible.builtin.apt:
-    name:
-      [
-        "docker-ce",
-        "docker-ce-cli",
-        "containerd.io",
-        "docker-buildx-plugin",
-        "docker-compose-plugin",
-      ]
+    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
+           'docker-buildx-plugin', 'docker-compose-plugin']
     state: "{{ 'present' if docker_official else 'absent' }}"
     autoremove: true
     update_cache: true
@@ -101,7 +95,6 @@
   loop_control:
     label: "{{ item.url }}"
   when: docker_compose_deploy is defined
-  tags: docker
 
 - name: Create directories for docker-compose projects using the systemd service
   ansible.builtin.file:
@@ -112,7 +105,6 @@
   loop_control:
     label: "{{ item.name }}"
   when: docker_compose_deploy is defined
-  tags: docker
 
 - name: Synchronize docker-compose.yml
   ansible.posix.synchronize:
@@ -127,7 +119,6 @@
   loop_control:
     label: "{{ item.name }}"
   when: docker_compose_deploy is defined and docker_compose_deploy | length > 0
-  tags: docker
 
 - name: Set environment variables for docker-compose projects
   ansible.builtin.template:
@@ -143,7 +134,14 @@
   loop_control:
     label: "{{ item.name }}"
   when: docker_compose_deploy is defined and item.env is defined
-  tags: docker
+
+- name: Add users to docker group
+  ansible.builtin.user:
+    name: "{{ item }}"
+    groups: docker
+    append: true
+  loop: "{{ docker_users }}"
+  when: docker_users is defined
 
 - name: Start Docker and enable on boot
   ansible.builtin.service:

roles/jellyfin/templates/docker-compose.yml.j2

@@ -15,7 +15,7 @@ services:
     networks:
       - traefik
     labels:
-      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
+      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
 {% if traefik_http_only %}
       - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}

roles/mariadb/tasks/main.yml

@@ -16,12 +16,10 @@
     regex: "^bind-address"
     line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
   notify: restart_mariadb
-  when: ansible_facts.docker0 is defined
 
 - name: Flush handlers to ensure MariaDB restarts immediately
   ansible.builtin.meta: flush_handlers
   tags: restart_mariadb
-  when: ansible_facts.docker0 is defined
 
 - name: Allow database connections from Docker
   community.general.ufw:

roles/nextcloud/tasks/main.yml

@@ -23,7 +23,7 @@
     name: "{{ docker_compose_service }}@{{ nextcloud_name }}"
     state: started
     enabled: true
-  when: nextcloud.ENABLE | default(false)
+  when: nextcloud.ENABLE | default('false')
 
 - name: Grab Nextcloud container information
   community.general.docker_container_info:

roles/podman/defaults/main.yml

@@ -1,4 +0,0 @@
-# Default configuration for podman role
-podman_repos_keytype: ed25519
-podman_ssh_key_path: "{{ ansible_user_dir }}/.ssh"
-podman_nodocker: false

roles/podman/files/docker-host.sh

@@ -1,22 +0,0 @@
-# shellcheck shell=sh
-: "${UID:=$(id -u)}"
-
-if [ "$UID" -ne 0 ]; then
-	if [ -z "$XDG_RUNTIME_DIR" ] && [ -d "/run/user/$UID" ]; then
-		XDG_RUNTIME_DIR="/run/user/$UID"
-		export XDG_RUNTIME_DIR
-	fi
-
-	PODMAN_SOCKET="$XDG_RUNTIME_DIR/podman/podman.sock"
-	if [ -S "$PODMAN_SOCKET" ]; then
-		DOCKER_HOST="unix://$PODMAN_SOCKET"
-		export DOCKER_HOST
-	fi
-
-	if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
-		if [ -S "$XDG_RUNTIME_DIR/bus" ]; then
-			DBUS_SESSION_BUS_ADDRESS="unix:path=$XDG_RUNTIME_DIR/bus"
-			export DBUS_SESSION_BUS_ADDRESS
-		fi
-	fi
-fi

roles/podman/handlers/main.yml

@@ -1,33 +0,0 @@
-- name: Reload systemd manager configuration for all podman users
-  ansible.builtin.systemd:
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ item }}"
-  loop: "{{ podman_compose.keys() | list }}"
-  listen: podman_compose_systemd
-
-- name: Restart docker compose (podman) services
-  ansible.builtin.systemd:
-    state: restarted
-    name: "compose@{{ item.service }}"
-    scope: user
-  become: true
-  become_user: "{{ item.user }}"
-  loop: "{{ podman_compose_restart_list | default([]) | unique }}"
-  when: podman_compose_restart_list is defined
-  listen: podman_compose_restart
-
-- name: Start docker compose (podman) services and enable on boot
-  ansible.builtin.systemd:
-    name: "compose@{{ item.service }}"
-    state: started
-    enabled: true
-    scope: user
-  become: true
-  become_user: "{{ item.user }}"
-  loop: "{{ podman_compose_enable_list | default([]) }}"
-  loop_control:
-    label: "{{ item.user }}/{{ item.service }}"
-  when: item.enabled is defined and item.enabled is true
-  listen: podman_compose_enable

roles/podman/tasks/deploy.yml

@@ -1,219 +0,0 @@
-- name: Get user info for podman compose user
-  ansible.builtin.getent:
-    database: passwd
-    key: "{{ podman_user }}"
-  register: podman_user_info
-
-- name: Set user-specific variables
-  ansible.builtin.set_fact:
-    podman_rootdir: "{{ podman_compose_config.root }}"
-    podman_userid: "{{ podman_user_info.ansible_facts.getent_passwd[podman_user][1] }}"
-    podman_homedir: "{{ podman_user_info.ansible_facts.getent_passwd[podman_user][4] }}"
-    podman_project: "{{ podman_compose_config.compose }}"
-    podman_repos: "{{ podman_compose_config.root }}/.compose_repos"
-
-- name: Create docker compose (podman) root directory for user
-  ansible.builtin.file:
-    path: "{{ podman_rootdir }}"
-    state: directory
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0700"
-
-- name: Create user systemd directory
-  ansible.builtin.file:
-    path: "/home/{{ podman_user }}/.config/systemd/user"
-    state: directory
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0755"
-
-- name: Install docker compose (podman) systemd service for user
-  ansible.builtin.template:
-    src: compose.service.j2
-    dest: "/home/{{ podman_user }}/.config/systemd/user/compose@.service"
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0644"
-  notify: podman_compose_systemd
-
-- name: Create directories for cloning docker compose (podman) repositories
-  ansible.builtin.file:
-    path: "{{ repo_dir }}"
-    state: directory
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0700"
-  loop:
-    - "{{ podman_repos }}"
-  loop_control:
-    loop_var: repo_dir
-  when:
-    - podman_project is defined
-    - podman_project | length > 0
-
-- name: Create .ssh directory for podman compose user
-  ansible.builtin.file:
-    path: "{{ podman_homedir }}/.ssh"
-    state: directory
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0700"
-  when:
-    - podman_project is defined
-    - podman_project | length > 0
-
-- name: Generate OpenSSH deploy keys for docker compose (podman) clones
-  community.crypto.openssh_keypair:
-    path: "{{ podman_ssh_key_path }}/podman-id_{{ podman_repos_keytype }}"
-    type: "{{ podman_repos_keytype }}"
-    comment: "{{ ansible_hostname }}-{{ podman_user }}-deploy-key"
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0600"
-    state: present
-  when: podman_project is defined
-
-- name: Import trusted GPG keys for docker compose (podman) projects
-  ansible.builtin.command:
-    cmd: "gpg --keyserver {{ key.keyserver | default('keys.openpgp.org') }} --recv-key {{ key.id }}"
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ podman_compose_config.trusted_keys }}"
-  loop_control:
-    loop_var: key
-    label: "{{ key.id }}"
-  changed_when: false
-  when: podman_compose_config.trusted_keys is defined
-
-- name: Clone external docker compose (podman) projects
-  ansible.builtin.git:
-    repo: "{{ project.url }}"
-    dest: "{{ podman_repos }}/{{ project.name }}"
-    version: "{{ project.version }}"
-    accept_newhostkey: "{{ project.accept_newhostkey | default(false) }}"
-    gpg_allowlist: "{{ (project.trusted_keys |
-      default(podman_compose_config.trusted_keys | default([]))) |
-      map(attribute='id') | list }}"
-    verify_commit: >-
-      {{
-        true if
-        (project.trusted_keys is defined and project.trusted_keys) or
-        (
-          podman_compose_config.trusted_keys is defined and
-          podman_compose_config.trusted_keys
-        )
-        else false
-      }}
-    key_file: "{{ podman_ssh_key_path }}/podman-id_{{ podman_repos_keytype }}"
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ podman_project }}"
-  loop_control:
-    loop_var: project
-    label: "{{ project.url }}"
-  when:
-    - podman_project is defined
-    - podman_project | length > 0
-
-- name: Create directories for docker compose (podman) projects
-  ansible.builtin.file:
-    path: "{{ podman_rootdir }}/{{ project.name }}"
-    state: directory
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0700"
-  loop: "{{ podman_project }}"
-  loop_control:
-    loop_var: project
-    label: "{{ project.name }}"
-  when:
-    - podman_project is defined
-    - podman_project | length > 0
-
-- name: Synchronize docker-compose.yml
-  ansible.posix.synchronize:
-    # noqa jinja[spacing]
-    src: >-
-      {{ podman_repos }}/{{ project.name }}/
-      {{- project.path | default('docker-compose.yml') }}
-    dest: "{{ podman_rootdir }}/{{ project.name }}/docker-compose.yml"
-    owner: false
-    group: false
-  delegate_to: "{{ inventory_hostname }}"
-  register: podman_compose_update
-  notify:
-    - podman_compose_restart
-    - podman_compose_enable
-  loop: "{{ podman_project | default([]) }}"
-  loop_control:
-    loop_var: project
-    label: "{{ project.name }}"
-  when:
-    - podman_project is defined
-    - podman_project | length > 0
-
-- name: Update list of compose projects updated
-  ansible.builtin.set_fact:
-    podman_compose_restart_list:
-      "{{ (podman_compose_restart_list | default([])) +
-      [{'user': podman_user, 'service': item.project.name}] }}"
-  loop: "{{ podman_compose_update.results }}"
-  loop_control:
-    label: "{{ podman_user }}/{{ item.project.name }}"
-  when: (podman_compose_update.results | default([]) | length) > 0
-
-- name: Fix ownership of synchronized compose files
-  ansible.builtin.file:
-    path: "{{ podman_rootdir }}/{{ project.name }}/docker-compose.yml"
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0664"
-  loop: "{{ podman_project | default([]) }}"
-  loop_control:
-    loop_var: project
-    label: "{{ project.name }}"
-  when:
-    - podman_project is defined
-    - podman_project | length > 0
-
-- name: Set environment variables for docker compose (podman) projects
-  ansible.builtin.template:
-    src: compose-env.j2
-    dest: "{{ podman_rootdir }}/{{ project.name }}/.env"
-    owner: "{{ podman_user }}"
-    group: "{{ podman_user }}"
-    mode: "0600"
-  register: podman_compose_env_update
-  notify:
-    - podman_compose_restart
-    - podman_compose_enable
-  no_log: true
-  loop: "{{ podman_project }}"
-  loop_control:
-    loop_var: project
-    label: "{{ project.name }}"
-  when: podman_project is defined and project.env is defined
-
-- name: Update list of compose projects who updated their .env
-  ansible.builtin.set_fact:
-    # noqa jinja[spacing]
-    podman_compose_restart_list: "{{
-      (podman_compose_restart_list | default([]))
-      + ([{'user': podman_user,'service': item.project.name}]
-      if {'user': podman_user, 'service': item.project.name}
-      not in (podman_compose_restart_list | default([]))
-      else [])
-      }}"
-  loop: "{{ podman_compose_env_update.results }}"
-  loop_control:
-    label: "{{ podman_user }}/{{ item.project.name }}"
-  when: (podman_compose_env_update.results | default([]) | length) > 0
-
-- name: Update list of enabled compose projects
-  ansible.builtin.set_fact:
-    podman_compose_enable_list: >-
-      {{ (podman_compose_enable_list | default([]))
-         + [{'user': podman_user, 'service': project.name}] }}
-  when: project.enabled | default(false)
-  notify: podman_compose_enable

roles/podman/tasks/main.yml

@@ -1,116 +0,0 @@
-- name: Install Podman with Docker CLI tools
-  ansible.builtin.apt:
-    name: ["podman", "docker-cli", "docker-compose"]
-    state: present
-
-- name: Install GnuPG tools and trusted CA bundle
-  ansible.builtin.apt:
-    name: ["gnupg", "ca-certificates"]
-    state: present
-  when: podman_compose is defined
-
-- name: Get podman user info for user namespace configuration
-  ansible.builtin.getent:
-    database: passwd
-    key: "{{ item }}"
-  loop: "{{ podman_compose.keys() | list }}"
-  register: user_info
-  loop_control:
-    label: "{{ item }}"
-  when: podman_compose is defined
-
-- name: Configure /etc/subuid for rootless users
-  ansible.builtin.lineinfile:
-    path: "/etc/subuid"
-    line:
-      "{{ item.item }}:{{ 100000 +
-      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
-      }}:65536"
-    regexp: "^{{ item.item }}:"
-    create: true
-    backup: true
-    mode: "0644"
-  loop: "{{ user_info.results }}"
-  loop_control:
-    label: "{{ item.item }}"
-
-- name: Configure /etc/subgid for rootless users
-  ansible.builtin.lineinfile:
-    path: "/etc/subgid"
-    line:
-      "{{ item.item }}:{{ 100000 +
-      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
-      }}:65536"
-    regexp: "^{{ item.item }}:"
-    create: true
-    backup: true
-    mode: "0644"
-  loop: "{{ user_info.results }}"
-  loop_control:
-    label: "{{ item.item }}"
-
-- name: Enable lingering for podman compose user
-  ansible.builtin.command:
-    cmd: "loginctl enable-linger {{ item.item }}"
-  changed_when: false
-  loop: "{{ user_info.results }}"
-  loop_control:
-    label: "{{ item.item }}"
-
-- name: Start and enable the Podman socket
-  ansible.builtin.systemd:
-    name: podman.socket
-    state: started
-    enabled: true
-    scope: user
-  vars:
-    uid: "{{ item.ansible_facts.getent_passwd[item.item][1] }}"
-  environment:
-    XDG_RUNTIME_DIR: "/run/user/{{ uid }}"
-    DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ uid }}/bus"
-  become: true
-  become_user: "{{ item.item }}"
-  loop: "{{ user_info.results }}"
-  loop_control:
-    label: "{{ item.item }}"
-
-- name: Create global containers config directory
-  ansible.builtin.file:
-    path: /etc/containers
-    state: directory
-    mode: "0755"
-
-- name: Configure global containers.conf for rootless
-  ansible.builtin.copy:
-    content: |
-      [engine]
-      cgroup_manager = "cgroupfs"
-      events_logger = "journald"
-      runtime = "crun"
-    dest: /etc/containers/containers.conf
-    backup: true
-    mode: "0644"
-
-- name: Configure Docker CLI to use rootless Podman socket
-  ansible.builtin.copy:
-    src: files/docker-host.sh
-    dest: /etc/profile.d/docker-host.sh
-    owner: root
-    group: root
-    mode: '0755'
-
-- name: Install git for repository cloning
-  ansible.builtin.apt:
-    name: git
-    state: present
-  when: podman_compose is defined
-
-- name: Deploy Podman compose projects for each user
-  ansible.builtin.include_tasks: deploy.yml
-  vars:
-    podman_user: "{{ compose_user.key }}"
-    podman_compose_config: "{{ compose_user.value }}"
-  loop: "{{ podman_compose | dict2items }}"
-  loop_control:
-    loop_var: compose_user
-  when: podman_compose is defined

roles/podman/templates/compose-env.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-{% if project.env is defined %}
-{% for key, value in project.env.items() %}
-{% if value is boolean %}
-{{ key }}={{ value | lower }}
-{% else %}
-{{ key }}={{ value }}
-{% endif %}
-{% endfor %}
-{% endif %}

roles/podman/templates/compose.service.j2

@@ -1,15 +0,0 @@
-[Unit]
-Description=%i docker compose (podman) service
-Requires=podman.socket
-After=podman.socket
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-WorkingDirectory={{ podman_rootdir }}/%i
-Environment=DOCKER_HOST=unix://%t/podman/podman.sock
-ExecStart=/usr/bin/docker compose up -d --remove-orphans
-ExecStop=/usr/bin/docker compose down
-
-[Install]
-WantedBy=default.target

roles/proxy/tasks/main.yml

@@ -45,11 +45,10 @@
   register: nginx_sites
 
 - name: Generate self-signed certificate
-  ansible.builtin.command:
-    'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-    -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-    -keyout /etc/ssl/private/nginx-selfsigned.key \
-    -out    /etc/ssl/certs/nginx-selfsigned.crt'
+  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+          -keyout /etc/ssl/private/nginx-selfsigned.key \
+          -out    /etc/ssl/certs/nginx-selfsigned.crt'
   args:
     creates: /etc/ssl/certs/nginx-selfsigned.crt
   when: proxy.production is not defined or not proxy.production
@@ -57,22 +56,15 @@
 
 - name: Install LE's certbot
   ansible.builtin.apt:
-    name: ["certbot", "python3-certbot-dns-cloudflare"]
+    name: ['certbot', 'python3-certbot-dns-cloudflare']
     state: present
   when: proxy.production is defined and proxy.production
 
-- name: Grab Cloudflare API token for configuration
-  ansible.builtin.slurp:
-    src: /root/.cloudflare-api
-  register: cfapi
-  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
-
 - name: Install Cloudflare API token
   ansible.builtin.template:
     src: cloudflare.ini.j2
     dest: /root/.cloudflare.ini
     mode: "400"
-  diff: false
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 
 - name: Create nginx post renewal hook directory
@@ -86,19 +78,19 @@
   ansible.builtin.copy:
     src: reload-nginx.sh
     dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
-    mode: "0755"
+    mode: '0755'
   when: proxy.production is defined and proxy.production
 
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
   ansible.builtin.shell: '/usr/bin/certbot certonly \
-    --non-interactive \
-    --agree-tos \
-    --email "{{ proxy.dns_cloudflare.email }}" \
-    --dns-cloudflare \
-    --dns-cloudflare-credentials /root/.cloudflare.ini \
-    -d "*.{{ item }}" \
-    -d "{{ item }}" \
-    {{ proxy.dns_cloudflare.opts | default("") }}'
+            --non-interactive \
+            --agree-tos \
+            --email "{{ proxy.dns_cloudflare.email }}" \
+            --dns-cloudflare \
+            --dns-cloudflare-credentials /root/.cloudflare.ini \
+            -d "*.{{ item }}" \
+            -d "{{ item }}" \
+            {{ proxy.dns_cloudflare.opts | default("") }}'
   args:
     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"

roles/proxy/templates/cloudflare.ini.j2

@@ -1,2 +1,2 @@
 # Cloudflare API token used by Certbot
-dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}
+dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}

roles/proxy/templates/server-nginx.conf.j2

@@ -28,20 +28,14 @@ server {
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
+{% if item.hsts is defined %}
+  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
 {% if item.client_max_body_size is defined %}
   client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
   location / {
-{% if item.hsts is defined %}
-    add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
-{% endif %}
-{% if item.allowedips is defined %}
-{% for ip in item.allowedips %}
-    allow {{ ip }};
-{% endfor %}
-    deny all;
-{% endif %}
-{% if item.restrict is defined and item.restrict %}
+{% if item.restrict is defined and item.restrict  %}
     auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
     auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
     proxy_set_header Authorization "";
@@ -49,7 +43,6 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
     proxy_ssl_verify off;

roles/traefik/tasks/main.yml

@@ -33,4 +33,4 @@
     name: "{{ docker_compose_service }}@{{ traefik_name }}"
     state: started
     enabled: true
-  when: traefik.ENABLED | default(false)
+  when: traefik.ENABLED | default('false')

scripts/github-vagrant.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Defaults
+TIMEOUT=600
+ELAPSED=0
+INITIAL_SLEEP=60
+SLEEP_DURATION=30
+SSH_AVAILABLE=0
+DEBUG_ID="[homelab-ci]"
+
+# Run Vagrant Up in the background
+PLAYBOOK=dockerbox vagrant up &
+VAGRANT_UP_PID=$!
+
+# Initial delay
+echo "$DEBUG_ID Waiting for VM to start..."
+sleep $INITIAL_SLEEP
+
+# Loop until timeout or breaks
+while [[ $ELAPSED -lt $TIMEOUT ]]; do
+	VAGRANT_SSH_CONFIG=$(mktemp)
+	vagrant ssh-config > "$VAGRANT_SSH_CONFIG"
+	echo "$DEBUG_ID SSH config at $VAGRANT_SSH_CONFIG"
+	cat "$VAGRANT_SSH_CONFIG"
+	echo "$DEBUG_ID Vagrant status"
+	vagrant status
+
+	# SSH attempt
+	set -x
+	ssh -vvv -F "$VAGRANT_SSH_CONFIG" default 'cat /etc/os-release' && set +x; break \
+	|| echo "$DEBUG_ID SSH connection failed, retrying in $SLEEP_DURATION seconds..."
+	set +x
+
+	# Sleep and start again
+	sleep $SLEEP_DURATION
+	((ELAPSED+=SLEEP_DURATION))
+done
+
+# Success?
+if [[ $SSH_AVAILABLE -ne 1 ]]; then
+	echo "$DEBUG_ID Timeout reached without successful SSH connection."
+fi
+
+# Ensure the Vagrant up process completes
+wait $VAGRANT_UP_PID