Draft: big refactor

.ansible-lint

@@ -1 +1,2 @@
+---
 profile: production

.ansible-lint-ignore

@@ -0,0 +1 @@
+vars/main.yml yaml[line-length]

.github/workflows/ansible-galaxy-push-role.yml

@@ -1,3 +1,4 @@
+---
 # Pushes a Ansible role to Ansible Galaxy
 
 name: Ansible Galaxy Push Role
@@ -6,13 +7,11 @@ on:
   release:
     types: [published]
   workflow_dispatch:
-
 jobs:
   ansible_galaxy_push_role:
     runs-on: ubuntu-latest
 
     steps:
-
       - uses: actions/checkout@v2
 
       - name: Push to Galaxy

.github/workflows/ansible-lint.yml

@@ -1,9 +1,6 @@
-# .github/workflows/ansible-lint.yml
+---
 name: ansible-lint
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
       - main

.gitlab-ci.yml

@@ -7,8 +7,3 @@ ansible-lint:
   image: registry.gitlab.com/pipeline-components/ansible-lint:latest
   script:
     - ansible-lint --show-relpath
-  artifacts:
-    reports:
-      coverage_report:
-        coverage_format: cobertura
-        path: coverage.xml

README.md

@@ -2,10 +2,27 @@
 # work in progess, big rebase on the way ;)
 Ansible role to install and configure [Jellyfin](https://jellyfin.org/) on Debian-like systems.
 
-![ansible-lint](https://github.com/sleepy-nols/ansible-jellyfin/actions/workflows/ansible-lint.yml/badge.svg)
-![push-galaxy](https://github.com/sleepy-nols/ansible-jellyfin/actions/workflows/ansible-galaxy-push-role.yml/badge.svg)
-![Ansible Galaxy](https://img.shields.io/badge/Ansible_Galaxy-sleepy--nols.jellyfin-blue)
-
+<a href="https://github.com/sleepy-nols/ansible-jellyfin/actions/workflows/ansible-lint.yml">
+<img alt="ansible-lint" src="https://github.com/sleepy-nols/ansible-jellyfin/actions/workflows/ansible-lint.yml/badge.svg"/>
+</a>
+
+<a href="https://github.com/sleepy-nols/ansible-jellyfin/actions/workflows/ansible-galaxy-push-role.yml">
+<img alt="push-galaxy" src="https://github.com/sleepy-nols/ansible-jellyfin/actions/workflows/ansible-galaxy-push-role.yml/badge.svg"/>
+</a>
+
+<a href="https://galaxy.ansible.com/ui/standalone/roles/sleepy-nols/jellyfin">
+<img alt="Ansible Galaxy" src="https://img.shields.io/badge/Ansible_Galaxy-sleepy--nols.jellyfin-blue"/>
+</a>
+<br><br>
+
+The default deployment without any variables changed is not a vanilla deployment as several quality of life improvements are made.
+
+**Features:**
+- fully configurable config files (ansible management of settings normally tweaked in webUI)
+- fail2ban support
+- logrotate support
+- deployment of webserver(reverse-proxy) (currently only nginx)
+- configuration of ssl with webserver
 
 ---
 ## Role Variables and Defaults

defaults/main.yml

@@ -1,24 +1,93 @@
 ---
-jellyfin_name: "jellyfin"
-jellyfin_user: "{{ jellyfin_name }}"
-jellyfin_skip_apt_key: false
+jellyfin_name: jellyfin
+jellyfin_unix_user: "{{ jellyfin_name }}"
+jellyfin_unix_group: "{{ jellyfin_name }}"
 jellyfin_skip_restart: false
 
-jellyfin_enable_fail2ban: false
+# --- config files ---
+# TODO: if domain empty, unset in templating
+jellyfin_domain: jellyfin.foo.bar
+jellyfin_instance_name: jellyfin
+
+jellyfin_package_dependencies:
+  - gnupg
+  - libicu72
+  - python3-debian # deb822_repository module
+  - ssl-cert # snakeoil certs
+
+# convert new architecture naming to old architecture naming
+jellyfin_deb_architecture: "{{ jellyfin_ansible_deb_architectures[ansible_architecture] }}"
+
+# --- paths/urls---
+jellyfin_data_dir: /var/lib/jellyfin
+jellyfin_config_dir: /etc/jellyfin
+jellyfin_cache_dir: /var/cache/jellyfin
+jellyfin_log_dir: /var/log/jellyfin
+
+jellyfin_web_bin: /usr/share/jellyfin/web
+jellyfin_restart_bin: /usr/lib/jellyfin/restart.sh
+jellyfin_ffmpeg_bin: /usr/lib/jellyfin-ffmpeg/ffmpeg
+
+jellyfin_log_file_path: "{{ jellyfin_log_dir }}/{{ jellyfin_log_file_name }}"
+
+jellyfin_apt_signing_key_uri: https://repo.jellyfin.org/jellyfin_team.gpg.key
+
+# --- permissions ---
+jellyfin_permission_etc_file: "0644"
+jellyfin_permission_etc_dir: "0755"
+
+# --- fail2ban ---
+jellyfin_fail2ban_enabled: false
 jellyfin_fail2ban_ports:
+  - "8096"
+  - "8920"
   - "80"
   - "443"
-jellyfin_fail2ban_maxretry: 3
-jellyfin_fail2ban_bantime: 6000
-jellyfin_fail2ban_findtime: 600
+jellyfin_fail2ban_maxretry: 10
+jellyfin_fail2ban_bantime: 1800 # 30 min
+jellyfin_fail2ban_findtime: 900 # 15 min
+
+# --- logging ---
+jellyfin_log_level: Warning # Verbose, Debug, Information, Warning, Error, Fatal
+jellyfin_log_level_override:
+  Microsoft: Warning
+  System: Warning
+
+jellyfin_log_file_name: jellyfin.log
+jellyfin_log_rolling_interval: Infinite # Infinite, Year, Month, Day, Hour, Minute
+jellyfin_log_retained_file_count_limit: "null"
+jellyfin_log_roll_on_file_size_limit: false
+jellyfin_log_file_size_limit_bytes: ""
+jellyfin_log_output_template: "[{Timestamp:yyyy-MM-dd HH:mm:ss.fff zzz}] [{Level:u3}] [{ThreadId}] {SourceContext}: {Message}{NewLine}{Exception}"
+jellyfin_console_log_output_template: "[{Timestamp:HH:mm:ss}] [{Level:u3}] [{ThreadId}] {SourceContext}: {Message:lj}{NewLine}{Exception}"
+
+# use logrotate instead of native jellyfin serilog to manage logs
+jellyfin_logrotate:
+  enabled: true
+  rotate: 7
+  frequency: daily
+  compress: true
+  shred: true
 
-jellyfin_cache_dir: "/var/cache/jellyfin"
-jellyfin_log_dir: "/var/log/jellyfin"
+# --- webserver/proxy ---
+# TODO: when webserver enabled, bind jellyfin only to 127.0.0.1 to not expose outside
+jellyfin_webserver:
+  enabled: false
+  type: nginx # nginx, apache not yet supported
+  http_port: 80
+  https_port: 443
+  censor_logs: true
+  client_max_body_size: 20M
+  disable_insecure_tls_versions: true
 
-jellyfin_web_bin: "/usr/share/jellyfin/web"
-jellyfin_restart_bin: "/usr/lib/jellyfin/restart.sh"
-jellyfin_ffmpeg_bin: "/usr/lib/jellyfin-ffmpeg/ffmpeg"
+jellyfin_ssl_enabled: true
+jellyfin_ssl_mode: certbot
+jellyfin_ssl_snakeoil_certs: false
+jellyfin_ssl_cert_path: /etc/ssl/certs/ssl-cert-snakeoil.pem
+jellyfin_ssl_key_path: /etc/ssl/private/ssl-cert-snakeoil.key
 
+# --- jellyfin runtime args ---
 jellyfin_additional_opts: ""
 
 jellyfin_malloc_trim_threshold: 131072
+jellyfin_complus_gcserver: ""

handlers/main.yml

@@ -1,13 +1,24 @@
 ---
-- name: Restart Jellyfin
+- name: Restart jellyfin
   ansible.builtin.systemd:
     name: jellyfin.service
     state: restarted
-    enabled: true
+  listen: restart_jellyfin
   when: not (jellyfin_skip_restart | bool)
 
 - name: Restart fail2ban
   ansible.builtin.systemd:
     name: fail2ban.service
     state: restarted
-    enabled: true
+  listen: Restart fail2ban
+
+- name: Reload nginx
+  ansible.builtin.systemd:
+    name: nginx.service
+    state: restarted
+  listen: reload_nginx
+
+- name: Systemd daemon-reload
+  ansible.builtin.systemd:
+    daemon_reload: true
+  listen: systemd_daemon_reload

meta/main.yml

@@ -5,7 +5,7 @@ galaxy_info:
   description: Ansible role to install and configure Jellyfin on Debian-like systems.
   license: GPLv3
   github_branch: main
-  min_ansible_version: "2.14"
+  min_ansible_version: "2.16"
   platforms:
     - name: Debian
       versions:

tasks/certs/certbot.yml

@@ -0,0 +1,5 @@
+---
+- name: Install certbot package
+  ansible.builtin.apt:
+    name: certbot
+    state: present

tasks/certs/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Make snakeoil certs
+  ansible.builtin.command: make-ssl-cert generate-default-snakeoil
+  changed_when: false
+
+- name: Add webserver user to ssl-cert group
+  ansible.builtin.user:
+    name: www-data
+    groups: ssl-cert
+    append: true

tasks/config.yml

@@ -1,10 +1,21 @@
 ---
-- name: Configure Jellyfin
+- name: Template jellyfin main config
   ansible.builtin.template:
-    src: templates/config.jinja
+    src: templates/etc/default/jellyfin.j2
     dest: /etc/default/jellyfin
-    force: true
-    owner: "{{ jellyfin_user }}"
-    group: "{{ jellyfin_user }}"
-    mode: "0744"
-  notify: Restart Jellyfin
+    owner: root
+    group: root
+    mode: "{{ jellyfin_permission_etc_file }}"
+  notify:
+    - restart_jellyfin
+
+- name: Configure systemd service override
+  ansible.builtin.template:
+    src: templates/etc/systemd/system/jellyfin.service.d/ansible_managed.conf.j2
+    dest: /etc/systemd/system/jellyfin.service.d/ansible_managed.conf
+    owner: root
+    group: root
+    mode: "{{ jellyfin_permission_etc_file }}"
+  notify:
+    - restart_jellyfin
+    - systemd_daemon_reload

tasks/fail2ban.yml

@@ -1,38 +1,28 @@
 ---
-
 - name: Install fail2ban and dependencies
   ansible.builtin.apt:
     pkg:
-      - "fail2ban"
-      - "iptables"
-  notify: Restart fail2ban
+      - fail2ban
+      - iptables
+
+- name: Enable and start fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: started
+    enabled: true
 
 - name: Create fail2ban jail
   ansible.builtin.template:
-    src: templates/fail2ban_jail
+    src: templates/fail2ban_jail.j2
     dest: /etc/fail2ban/jail.d/jellyfin.local
     mode: "0744"
   notify: Restart fail2ban
   diff: true
 
 - name: Create fail2ban filter
   ansible.builtin.template:
-    src: templates/fail2ban_filter
+    src: templates/fail2ban_filter.j2
     dest: /etc/fail2ban/filter.d/jellyfin.conf
     mode: "0744"
   notify: Restart fail2ban
   diff: true
-
-- name: Gather package facts
-  ansible.builtin.package_facts:
-    manager: apt
-  changed_when: false
-
-- name: Disable fail2ban for sshd when sshd is not installed
-  ansible.builtin.replace:
-    path: "/etc/fail2ban/jail.d/defaults-debian.conf"
-    regexp: "(?<=[sshd]\nenabled = )true"
-    replace: "false"
-  when: "'openssh-server' not in ansible_facts.packages"
-  diff: true
-  notify: Restart fail2ban

tasks/install.yml

@@ -0,0 +1,17 @@
+---
+- name: Add Jellyfin repo
+  ansible.builtin.deb822_repository:
+    name: jellyfin
+    types: deb
+    uris: https://repo.jellyfin.org/{{ ansible_distribution | lower }}
+    suites:
+      - "{{ ansible_distribution_release | lower }}"
+    components: main
+    architectures: "{{ jellyfin_deb_architecture }}"
+    signed_by: "{{ jellyfin_apt_signing_key_uri }}"
+
+- name: Install Jellyfin
+  ansible.builtin.apt:
+    pkg: jellyfin
+    update_cache: true
+  notify: restart_jellyfin

tasks/logging.yml

@@ -0,0 +1,31 @@
+---
+- name: Install logrotate
+  ansible.builtin.apt:
+    name: logrotate
+    state: present
+  when: jellyfin_logrotate.enabled | bool
+
+- name: Configure logrotate with jellyfin
+  ansible.builtin.template:
+    src: templates/etc/logrotate.d/jellyfin.j2
+    dest: /etc/logrotate.d/jellyfin
+    owner: root
+    group: root
+    mode: "{{ jellyfin_permission_etc_file }}"
+  when: jellyfin_logrotate.enabled | bool
+
+- name: Remove jellyfin logrotate config
+  ansible.builtin.file:
+    path: /etc/logrotate.d/jellyfin
+    state: absent
+  when: not jellyfin_logrotate.enabled | bool
+
+- name: Configure jellyfin logging
+  ansible.builtin.template:
+    src: templates/etc/jellyfin/logging.json.j2
+    dest: "{{ jellyfin_config_dir }}/logging.json"
+    owner: root
+    group: root
+    mode: "{{ jellyfin_permission_etc_file }}"
+  notify:
+    - restart_jellyfin