testing

- Add new primary GPG key in dev config for compose repos
- Slight reorganization of the dockerbox production playbook
- Remove group management in the docker role
- Move HSTS inside the location block
- Add git ignore entry for .ansible files
- Add X-Forwarded-Proto proxy header

.github/workflows/vagrant.yml

@@ -3,8 +3,9 @@ name: homelab-ci
 on:
   push:
     branches:
-      - main
-      - testing
+      - github_actions
+      # - main
+      # - testing
 
 jobs:
   homelab-ci:

.gitignore

@@ -1,4 +1,5 @@
+.ansible*
+/environments/
 .playbook
 .vagrant*
 .vscode
-/environments/

dev/host_vars/dockerbox.yml

@@ -4,8 +4,12 @@ manage_network: false
 
 # Import my GPG key for git signature verification
 root_gpgkeys:
+  - name: kris@lamoureux.io
+    id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
+  # Older key, but still in use
   - name: kris@lamoureux.io
     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+    server: keyserver.ubuntu.com
 
 # proxy
 proxy:

dev/host_vars/podman.yml

@@ -0,0 +1,14 @@
+# base
+allow_reboot: false
+manage_network: false
+
+users:
+  kris:
+    uid: 1001
+    gid: 1001
+    home: true
+
+# podman
+user_namespaces:
+  - kris
+

dev/podman.yml

@@ -0,0 +1,8 @@
+- name: Install Podman server
+  hosts: all
+  become: true
+  vars_files:
+    - host_vars/podman.yml
+  roles:
+    - base
+    - podman

playbooks/docker.yml

@@ -4,4 +4,5 @@
   roles:
     - base
     - jenkins
+    - proxy
     - docker

playbooks/dockerbox.yml

@@ -3,9 +3,9 @@
   become: true
   roles:
     - base
+    - jenkins
     - docker
+    - mariadb
     - traefik
     - nextcloud
-    - jenkins
-    - prometheus
-    - nginx
+    - proxy

roles/base/tasks/samba.yml

@@ -26,7 +26,7 @@
   ansible.builtin.template:
     src: smb.conf.j2
     dest: /etc/samba/smb.conf
-    mode: "700"
+    mode: "644"
   notify: restart_samba
 
 - name: Start smbd and enable on boot

roles/base/tasks/system.yml

@@ -80,8 +80,10 @@
     state: present
     uid: "{{ item.value.uid }}"
     group: "{{ item.value.gid }}"
+    groups: "{{ item.value.groups | default([]) }}"
     shell: "{{ item.value.shell | default('/bin/bash') }}"
     create_home: "{{ item.value.home | default(false) }}"
+    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
     system: "{{ item.value.system | default(false) }}"
   loop: "{{ users | dict2items }}"
   loop_control:

roles/base/tasks/wireguard.yml

@@ -18,6 +18,28 @@
     src: /etc/wireguard/privatekey
   register: wgkey
 
+- name: Check if WireGuard preshared key file exists
+  ansible.builtin.stat:
+    path: /etc/wireguard/presharedkey-{{ item.name }}
+  loop: "{{ wireguard.peers }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: presharedkey_files
+
+- name: Grab WireGuard preshared key for configuration
+  ansible.builtin.slurp:
+    src: /etc/wireguard/presharedkey-{{ item.item.name }}
+  register: wgshared
+  loop: "{{ presharedkey_files.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"
+  when: item.stat.exists
+
+- name: Grab WireGuard private key for configuration
+  ansible.builtin.slurp:
+    src: /etc/wireguard/privatekey
+  register: wgkey
+
 - name: Install WireGuard configuration
   ansible.builtin.template:
     src: wireguard.j2

roles/base/templates/wireguard.j2

@@ -1,4 +1,6 @@
-[Interface]
+# {{ ansible_managed }}
+
+[Interface] # {{ ansible_hostname }}
 PrivateKey = {{ wgkey['content'] | b64decode | trim }}
 Address = {{ wireguard.address }}
 {% if wireguard.listenport is defined %}
@@ -6,8 +8,26 @@ ListenPort = {{ wireguard.listenport }}
 {% endif %}
 
 {% for peer in wireguard.peers %}
+{% if peer.name is defined %}
+[Peer] # {{ peer.name }}
+{% else %}
 [Peer]
+{% endif %}
 PublicKey = {{ peer.publickey }}
+{% if peer.presharedkey is defined %}
+PresharedKey = {{ peer.presharedkey }}
+{% else %}
+{% set preshared_key = (
+    wgshared.results
+    | selectattr('item.item.name', 'equalto', peer.name)
+    | first
+  ).content
+  | default(none)
+%}
+{% if preshared_key is not none %}
+PresharedKey = {{ preshared_key | b64decode | trim }}
+{% endif %}
+{% endif %}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}

roles/bitwarden/defaults/main.yml

@@ -1,7 +1,10 @@
 bitwarden_name: bitwarden
-bitwarden_root: "/var/lib/{{ bitwarden_name }}"
+bitwarden_user: bitwarden
+bitwarden_root: /home/bitwarden
 bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
-bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
+bitwarden_logs_identity_date:
+  "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{
+  ansible_date_time.day }}"
 bitwarden_database: "{{ bitwarden_name }}"
 bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false

roles/bitwarden/tasks/main.yml

@@ -3,35 +3,39 @@
     name: expect
     state: present
 
-- name: Create Bitwarden directory
-  ansible.builtin.file:
-    path: "{{ bitwarden_root }}"
-    state: directory
-    mode: "755"
-
 - name: Download Bitwarden script
   ansible.builtin.get_url:
     url: "https://raw.githubusercontent.com/\
-          bitwarden/self-host/master/bitwarden.sh"
+      bitwarden/self-host/master/bitwarden.sh"
     dest: "{{ bitwarden_root }}"
+    owner: "{{ bitwarden_user }}"
+    group: "{{ bitwarden_user }}"
     mode: u+x
 
 - name: Install Bitwarden script wrapper
   ansible.builtin.template:
     src: bw_wrapper.j2
     dest: "{{ bitwarden_root }}/bw_wrapper"
+    owner: "{{ bitwarden_user }}"
+    group: "{{ bitwarden_user }}"
     mode: u+x
 
 - name: Run Bitwarden installation script
   ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
   args:
     creates: "{{ bitwarden_root }}/bwdata/config.yml"
+  become_user: "{{ bitwarden_user }}"
+  become: true
 
 - name: Install compose override
   ansible.builtin.template:
     src: compose.override.yml.j2
     dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
+    owner: "{{ bitwarden_user }}"
+    group: "{{ bitwarden_user }}"
     mode: "644"
+  become_user: "{{ bitwarden_user }}"
+  become: true
   when: bitwarden_override | default(true)
   notify: rebuild_bitwarden
 
@@ -40,6 +44,8 @@
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     regexp: "^http_port: 80$"
     replace: "http_port: {{ bitwarden_http_port | default('127.0.0.1:9080') }}"
+  become_user: "{{ bitwarden_user }}"
+  become: true
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
@@ -47,7 +53,10 @@
   ansible.builtin.replace:
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     regexp: "^https_port: 443$"
-    replace: "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
+    replace:
+      "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
+  become_user: "{{ bitwarden_user }}"
+  become: true
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
@@ -56,6 +65,8 @@
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     regexp: "^ssl_managed_lets_encrypt: true$"
     replace: "ssl_managed_lets_encrypt: false"
+  become_user: "{{ bitwarden_user }}"
+  become: true
   when: not bitwarden_standalone or not bitwarden_production
   notify: rebuild_bitwarden
 
@@ -64,6 +75,8 @@
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     regexp: "^ssl: true$"
     replace: "ssl: false"
+  become_user: "{{ bitwarden_user }}"
+  become: true
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
@@ -72,12 +85,16 @@
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     line: "- {{ bitwarden_realips }}"
     insertafter: "^real_ips"
+  become_user: "{{ bitwarden_user }}"
+  become: true
   notify: rebuild_bitwarden
 
 - name: Install Bitwarden systemd service
   ansible.builtin.template:
     src: bitwarden.service.j2
     dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
+    owner: "{{ bitwarden_user }}"
+    group: "{{ bitwarden_user }}"
     mode: "644"
   register: bitwarden_systemd
   notify: rebuild_bitwarden
@@ -86,6 +103,8 @@
   ansible.builtin.file:
     path: "{{ bitwarden_logs_identity }}"
     state: directory
+    owner: "{{ bitwarden_user }}"
+    group: "{{ bitwarden_user }}"
     mode: "755"
   notify: touch_bitwarden
 

roles/docker/tasks/main.yml

@@ -24,15 +24,21 @@
 
 - name: Install/uninstall Docker from Debian repositories
   ansible.builtin.apt:
-    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
+    name: ["docker.io", "docker-compose", "containerd", "runc"]
     state: "{{ 'absent' if docker_official else 'present' }}"
     autoremove: true
     update_cache: true
 
 - name: Install/uninstall Docker from Docker repositories
   ansible.builtin.apt:
-    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
-           'docker-buildx-plugin', 'docker-compose-plugin']
+    name:
+      [
+        "docker-ce",
+        "docker-ce-cli",
+        "containerd.io",
+        "docker-buildx-plugin",
+        "docker-compose-plugin",
+      ]
     state: "{{ 'present' if docker_official else 'absent' }}"
     autoremove: true
     update_cache: true
@@ -135,14 +141,6 @@
     label: "{{ item.name }}"
   when: docker_compose_deploy is defined and item.env is defined
 
-- name: Add users to docker group
-  ansible.builtin.user:
-    name: "{{ item }}"
-    groups: docker
-    append: true
-  loop: "{{ docker_users }}"
-  when: docker_users is defined
-
 - name: Start Docker and enable on boot
   ansible.builtin.service:
     name: docker

roles/jellyfin/templates/docker-compose.yml.j2

@@ -15,7 +15,7 @@ services:
     networks:
       - traefik
     labels:
-      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
+      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
 {% if traefik_http_only %}
       - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}

roles/mariadb/tasks/main.yml

@@ -16,10 +16,12 @@
     regex: "^bind-address"
     line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
   notify: restart_mariadb
+  when: ansible_facts.docker0 is defined
 
 - name: Flush handlers to ensure MariaDB restarts immediately
   ansible.builtin.meta: flush_handlers
   tags: restart_mariadb
+  when: ansible_facts.docker0 is defined
 
 - name: Allow database connections from Docker
   community.general.ufw:

roles/podman/tasks/main.yml

@@ -0,0 +1,62 @@
+- name: Install Podman
+  ansible.builtin.apt:
+    name: ["podman", "podman-compose", "podman-docker"]
+    state: present
+
+- name: Get user info for namespace users
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ item }}"
+  loop: "{{ user_namespaces }}"
+  register: user_info
+
+- name: Configure /etc/subuid for rootless users
+  ansible.builtin.lineinfile:
+    path: "/etc/subuid"
+    line:
+      "{{ item.item }}:{{ 100000 +
+      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
+      }}:65536"
+    regexp: "^{{ item.item }}:"
+    create: true
+    backup: true
+    mode: "0644"
+  loop: "{{ user_info.results }}"
+
+- name: Configure /etc/subgid for rootless users
+  ansible.builtin.lineinfile:
+    path: "/etc/subgid"
+    line:
+      "{{ item.item }}:{{ 100000 +
+      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
+      }}:65536"
+    regexp: "^{{ item.item }}:"
+    create: true
+    backup: true
+    mode: "0644"
+  loop: "{{ user_info.results }}"
+
+- name: Create nodocker file to disable Docker CLI emulation message
+  ansible.builtin.file:
+    path: /etc/containers/nodocker
+    state: touch
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Create global containers config directory
+  ansible.builtin.file:
+    path: /etc/containers
+    state: directory
+    mode: "0755"
+
+- name: Configure global containers.conf for rootless
+  ansible.builtin.copy:
+    content: |
+      [engine]
+      cgroup_manager = "cgroupfs"
+      events_logger = "journald"
+      runtime = "crun"
+    dest: /etc/containers/containers.conf
+    mode: "0644"
+    backup: true

roles/proxy/tasks/main.yml

@@ -45,10 +45,11 @@
   register: nginx_sites
 
 - name: Generate self-signed certificate
-  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-          -keyout /etc/ssl/private/nginx-selfsigned.key \
-          -out    /etc/ssl/certs/nginx-selfsigned.crt'
+  ansible.builtin.command:
+    'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+    -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+    -keyout /etc/ssl/private/nginx-selfsigned.key \
+    -out    /etc/ssl/certs/nginx-selfsigned.crt'
   args:
     creates: /etc/ssl/certs/nginx-selfsigned.crt
   when: proxy.production is not defined or not proxy.production
@@ -56,15 +57,22 @@
 
 - name: Install LE's certbot
   ansible.builtin.apt:
-    name: ['certbot', 'python3-certbot-dns-cloudflare']
+    name: ["certbot", "python3-certbot-dns-cloudflare"]
     state: present
   when: proxy.production is defined and proxy.production
 
+- name: Grab Cloudflare API token for configuration
+  ansible.builtin.slurp:
+    src: /root/.cloudflare-api
+  register: cfapi
+  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
+
 - name: Install Cloudflare API token
   ansible.builtin.template:
     src: cloudflare.ini.j2
     dest: /root/.cloudflare.ini
     mode: "400"
+  diff: false
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 
 - name: Create nginx post renewal hook directory
@@ -78,19 +86,19 @@
   ansible.builtin.copy:
     src: reload-nginx.sh
     dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
-    mode: '0755'
+    mode: "0755"
   when: proxy.production is defined and proxy.production
 
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
   ansible.builtin.shell: '/usr/bin/certbot certonly \
-            --non-interactive \
-            --agree-tos \
-            --email "{{ proxy.dns_cloudflare.email }}" \
-            --dns-cloudflare \
-            --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}" \
-            -d "{{ item }}" \
-            {{ proxy.dns_cloudflare.opts | default("") }}'
+    --non-interactive \
+    --agree-tos \
+    --email "{{ proxy.dns_cloudflare.email }}" \
+    --dns-cloudflare \
+    --dns-cloudflare-credentials /root/.cloudflare.ini \
+    -d "*.{{ item }}" \
+    -d "{{ item }}" \
+    {{ proxy.dns_cloudflare.opts | default("") }}'
   args:
     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"

roles/proxy/templates/cloudflare.ini.j2

@@ -1,2 +1,2 @@
 # Cloudflare API token used by Certbot
-dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
+dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}

roles/proxy/templates/server-nginx.conf.j2

@@ -28,14 +28,20 @@ server {
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
-{% if item.hsts is defined %}
-  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
-{% endif %}
 {% if item.client_max_body_size is defined %}
   client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
   location / {
-{% if item.restrict is defined and item.restrict  %}
+{% if item.hsts is defined %}
+    add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
+{% if item.allowedips is defined %}
+{% for ip in item.allowedips %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+{% endif %}
+{% if item.restrict is defined and item.restrict %}
     auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
     auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
     proxy_set_header Authorization "";
@@ -43,6 +49,7 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
     proxy_ssl_verify off;