diff --git a/.ansible-lint b/.ansible-lint index 37ca0f9..1600213 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,2 +1,11 @@ --- verbosity: 1 + +skip_list: + - 'yaml' + - 'role-name' + - 'package-latest' + - 'latest[git]' + - 'no-changed-when' + - 'schema[meta]' + - 'ignore-errors' diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml deleted file mode 100644 index 3c05007..0000000 --- a/.github/FUNDING.yml +++ /dev/null @@ -1 +0,0 @@ -github: veerendra2 diff --git a/inventory.yml b/inventory.yml index 8bbf3da..46a9fb6 100644 --- a/inventory.yml +++ b/inventory.yml @@ -1,11 +1,12 @@ +--- all: - # hosts: - # atom: - # ansible_ssh_port: 22 - # ansible_ssh_host: 192.168.0.120 - # ansible_ssh_user: veerendra - # # ansible_ssh_password: - # extra_hosts: - # - "atom:192.168.0.130" # Wifi Address + hosts: + atom: + ansible_ssh_port: 22 + ansible_ssh_host: 192.168.0.120 + ansible_ssh_user: veerendra + # ansible_ssh_password: + extra_hosts: + - "atom:192.168.0.130" localhost: - ansible_connection: local \ No newline at end of file + ansible_connection: local diff --git a/main.yml b/main.yml index 1b661f8..5d25a58 100644 --- a/main.yml +++ b/main.yml @@ -4,9 +4,9 @@ vars_files: - vars.yml - roles: - - role: veerendra2.prepare_dev_setup - tags: system + # roles: + # - role: veerendra2.prepare_dev_setup + # tags: system tasks: - name: Prepare Pi @@ -22,7 +22,3 @@ - name: Setup firewall rules ansible.builtin.import_tasks: tasks/ufw.yml become: true - - - name: Run smoke tests - ansible.builtin.import_tasks: tasks/smoke-tests.yml - tags: never diff --git a/services/databases/docker-stack.yml b/services/databases/docker-stack.yml index bd144e8..71f62b9 100644 --- a/services/databases/docker-stack.yml +++ b/services/databases/docker-stack.yml 
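Review bot: The new `skip_list` silences `ignore-errors`, `no-changed-when` and `yaml` outright, which hides findings the playbooks actually have (for example the `ignore_errors: true` kept on the resolv.conf link task in tasks/pihole.yml) rather than fixing them. Rules you intend to address later belong in `warn_list`, where they stay visible in lint output without failing the run, e.g. `warn_list:` / `  - 'ignore-errors'` / `  - 'no-changed-when'`. Skipping `yaml` also disables the embedded yamllint checks for every file the linter touches, which sits oddly next to the `---` and trailing-whitespace cleanup done elsewhere in this same commit.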
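Review bot: The uncommented `atom` host uses the legacy connection variable names `ansible_ssh_host`, `ansible_ssh_port` and `ansible_ssh_user`; the current names are `ansible_host`, `ansible_port` and `ansible_user`, and the old forms are documented as deprecated aliases. The commented `# ansible_ssh_password:` placeholder does not appear to match a recognized variable either (the SSH password variable is `ansible_password`, alias `ansible_ssh_pass`), and a password key left in a committed inventory invites a plaintext credential to be filled in later; if a password is needed, reference a vaulted value such as `ansible_password: "{{ vault_ssh_password }}"` (placeholder name) or rely on `--ask-pass`. `extra_hosts` under the host is only a plain host variable with no inventory meaning, so confirm something in the playbook actually consumes it.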
@@ -56,12 +56,12 @@ services: labels: - "traefik.enable=false" hostname: redis - command: [ - "sh", "-c", - ' - docker-entrypoint.sh - --requirepass "$$(cat $$REDIS_PASSWORD_FILE)" - ' + command: [ + "sh", "-c", + ' + docker-entrypoint.sh + --requirepass "$$(cat $$REDIS_PASSWORD_FILE)" + ' ] env_file: - .env_redis diff --git a/services/filebrowser/docker-stack.yml b/services/filebrowser/docker-stack.yml index fa5a894..acd9c35 100644 --- a/services/filebrowser/docker-stack.yml +++ b/services/filebrowser/docker-stack.yml @@ -35,4 +35,3 @@ services: - /media/disk1:/srv/disk1 networks: network_public: - diff --git a/services/monitoring/grafana/provisioning/dashboards/dashboard.yml b/services/monitoring/grafana/provisioning/dashboards/dashboard.yml index d83b43c..273961a 100644 --- a/services/monitoring/grafana/provisioning/dashboards/dashboard.yml +++ b/services/monitoring/grafana/provisioning/dashboards/dashboard.yml @@ -1,3 +1,4 @@ +--- apiVersion: 1 providers: @@ -9,4 +10,4 @@ providers: editable: true allowUiUpdates: true options: - path: /etc/grafana/provisioning/dashboards \ No newline at end of file + path: /etc/grafana/provisioning/dashboards diff --git a/services/monitoring/grafana/provisioning/datasources/datasource.yml b/services/monitoring/grafana/provisioning/datasources/datasource.yml index 89a7dca..ab2e71b 100644 --- a/services/monitoring/grafana/provisioning/datasources/datasource.yml +++ b/services/monitoring/grafana/provisioning/datasources/datasource.yml @@ -1,3 +1,4 @@ +--- apiVersion: 1 datasources: diff --git a/services/monitoring/prometheus/prometheus.yml b/services/monitoring/prometheus/prometheus.yml index 717e02b..0f1edab 100644 --- a/services/monitoring/prometheus/prometheus.yml +++ b/services/monitoring/prometheus/prometheus.yml @@ -1,3 +1,4 @@ +--- global: scrape_interval: 15s evaluation_interval: 15s 
@@ -8,8 +9,8 @@ global: monitor: "docker-host-alpha" # Load and evaluate rules in this file every 'evaluation_interval' seconds. -#rule_files: -# - "alert.rules" +# rule_files: +# - "alert.rules" # A scrape configuration containing exactly one endpoint to scrape. scrape_configs: diff --git a/services/portainer/docker-stack.yml b/services/portainer/docker-stack.yml index e69f8a1..c4d0880 100644 --- a/services/portainer/docker-stack.yml +++ b/services/portainer/docker-stack.yml @@ -42,4 +42,3 @@ services: - network_public secrets: - portainer_admin_password - diff --git a/services/rest-server/docker-stack.yml b/services/rest-server/docker-stack.yml index e4b8fe2..5e38e25 100644 --- a/services/rest-server/docker-stack.yml +++ b/services/rest-server/docker-stack.yml @@ -1,3 +1,4 @@ +--- version: "3.8" networks: @@ -37,4 +38,4 @@ services: - network_public - network_monitoring secrets: - - htpasswd \ No newline at end of file + - htpasswd diff --git a/services/searxng/config/settings.yml b/services/searxng/config/settings.yml index bc2dabb..6af4357 100644 --- a/services/searxng/config/settings.yml +++ b/services/searxng/config/settings.yml @@ -1,3 +1,4 @@ +--- general: # Debug mode, only for development. Is overwritten by ${SEARXNG_DEBUG} debug: false diff --git a/services/searxng/docker-stack.yml b/services/searxng/docker-stack.yml index 62dd0c6..174c7de 100644 --- a/services/searxng/docker-stack.yml +++ b/services/searxng/docker-stack.yml @@ -1,3 +1,4 @@ +--- version: "3.8" networks: diff --git a/services/traefik/docker-stack.yml b/services/traefik/docker-stack.yml index 1316899..63f7ca9 100644 --- a/services/traefik/docker-stack.yml +++ b/services/traefik/docker-stack.yml @@ -1,3 +1,4 @@ +--- # https://dust6765.gitbook.io/raspberrypi-home-server/services/traefik-proxy version: "3.8" @@ -51,4 +52,4 @@ services: - network_public - network_private secrets: - - duckdns \ No newline at end of file + - duckdns 
diff --git a/services/traefik/network.yml b/services/traefik/network.yml index 1739f66..92f3a9b 100644 --- a/services/traefik/network.yml +++ b/services/traefik/network.yml @@ -1,3 +1,4 @@ +--- version: '3.8' services: diff --git a/services/vaultwarden/docker-stack.yml b/services/vaultwarden/docker-stack.yml index f15157f..4d190c1 100644 --- a/services/vaultwarden/docker-stack.yml +++ b/services/vaultwarden/docker-stack.yml @@ -1,3 +1,4 @@ +--- version: '3.8' networks: diff --git a/tasks/deploy-services.yml b/tasks/deploy-services.yml index 956d725..f737d95 100644 --- a/tasks/deploy-services.yml +++ b/tasks/deploy-services.yml @@ -4,10 +4,11 @@ path: "{{ services_base_dir_location }}" state: directory owner: "{{ run_user }}" - become: yes + mode: '0644' + become: true -# Run pre deploy tasks for services -- include_tasks: pihole.yml +- name: Include pihole tasks + ansible.builtin.include_tasks: pihole.yml when: "'pihole' in services" - name: Create .vpn_ip file for torrent service @@ -15,6 +16,8 @@ dest: services/torrent/.vpn_ip content: | VPN_IP={{ vpn_ip }} + owner: "{{ run_user }}" + mode: '0644' when: "vpn_ip and 'torrent' in services" - name: Synchronize services directories diff --git a/tasks/pigpio.yml b/tasks/pigpio.yml index 70e63f9..94c8c72 100644 --- a/tasks/pigpio.yml +++ b/tasks/pigpio.yml @@ -9,6 +9,8 @@ ansible.builtin.get_url: url: https://github.com/joan2937/pigpio/archive/master.zip dest: "{{ tempdir.path }}" + owner: "{{ run_user }}" + mode: '0440' # TODO need to test! - name: Extract pigpio ansible.builtin.unarchive: @@ -24,7 +26,6 @@ - name: Set systemd unit parameters for pigpiod ansible.builtin.set_fact: - name: pigpiod description: Daemon required to control GPIO pins via pigpio exec_start_cmd: /usr/local/bin/pigpiod exec_kill_cmd: /bin/systemctl kill pigpiod 
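Review bot: `mode: '0644'` on the `state: directory` task strips the execute (search) bit, so `run_user` can no longer traverse `services_base_dir_location`, and the later `Synchronize services directories` task will fail to write under it unless it runs as root. Directories need the search bit: `mode: '0755'`, or `'0750'` if the tree should not be world-readable. The same `'0644'` applied to the `.vpn_ip` file in the next hunk is fine, since that is a regular file.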
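Review bot: The download task now sets `owner`/`mode` but still fetches the unpinned `archive/master.zip` with no `checksum:`, so a daemon that ends up running as a systemd unit from `/usr/local/bin/pigpiod` is built from whatever the branch head is at run time, with no integrity check. Pin the URL to a release tag and add `checksum: "sha256:<expected-digest>"` (placeholder) so `get_url` rejects a changed artifact. Because `dest` is a directory (`tempdir.path`), the `'0440'` mode lands on the saved zip; with the `# TODO need to test!` marker still in place, confirm the following `unarchive` task can read the file as the user it runs as before this is merged.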
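Review bot: Dropping `name: pigpiod` from the `set_fact` mapping changes the set of facts that `templates/systemd_unit.service.j2` sees; if the template references `{{ name }}` (it is not visible in this diff), the unit now renders with an undefined variable. The same removal is made for `fan-py` in a later hunk of this file. If the fact was removed because `name` collides with the task keyword, a less ambiguous key such as `unit_name: pigpiod` keeps the value available to the template while avoiding the clash.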
@@ -37,12 +38,13 @@ ansible.builtin.template: src: templates/systemd_unit.service.j2 dest: /lib/systemd/system/pigpiod.service + mode: '0640' - name: Enable and start pigpiod systemd daemon ansible.builtin.systemd: name: pigpiod - enabled: yes - daemon_reload: yes + enabled: true + daemon_reload: true state: started - name: Copy fan.py script @@ -53,7 +55,6 @@ - name: Set systemd unit parameters for fan-py ansible.builtin.set_fact: - name: fan-py description: Daemon required to control fan speed via pigpio exec_start_cmd: /usr/bin/python3 /usr/local/bin/fan.py exec_kill_cmd: /bin/kill -TERM $MAINPID @@ -62,14 +63,15 @@ pre_start_cmd: /bin/sleep 5 service_type: simple -- name: Create fan-py systemd unit +- name: Create fan-py systemd unit file ansible.builtin.template: src: templates/systemd_unit.service.j2 dest: /lib/systemd/system/fan-py.service + mode: '0640' - name: Enable and start fan-py systemd daemon ansible.builtin.systemd: name: fan-py - enabled: yes - daemon_reload: yes + enabled: true + daemon_reload: true state: started diff --git a/tasks/pihole.yml b/tasks/pihole.yml index 37bf925..e2d3635 100644 --- a/tasks/pihole.yml +++ b/tasks/pihole.yml @@ -2,7 +2,7 @@ # https://github.com/pi-hole/docker-pi-hole#installing-on-ubuntu-or-fedora - name: Disable stub resolver in systemd-resolved config - ini_file: + community.general.ini_fil: path: /etc/systemd/resolved.conf section: Resolve option: DNSStubListener 
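Review bot: `community.general.ini_fil:` is a typo for `community.general.ini_file:`; Ansible resolves the task action from that key, so the play now fails on this task with an unresolved module/action error instead of disabling the stub resolver. Change the line to `community.general.ini_file:`. Since this is the first task in tasks/pihole.yml, the failure also stops the resolv.conf backup, link and `systemd-resolved` restart that follow it.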
@@ -10,24 +10,24 @@ backup: true - name: Create backup /etc/resolv.conf - copy: - remote_src: yes + ansible.builtin.copy`: + remote_src: true src: /etc/resolv.conf dest: /etc/resolv.conf.backup - name: Remove /etc/resolv.conf - file: + ansible.builtin.file: path: /etc/resolv.conf state: absent - name: Create link /etc/resolv.conf - file: + ansible.builtin.file: src: /run/systemd/resolve/resolv.conf dest: /etc/resolv.conf state: link - ignore_errors: yes + ignore_errors: true - name: Restart systemd-resolved - service: + ansible.builtin.service: name: systemd-resolved state: restarted diff --git a/tasks/prepare-pi.yml b/tasks/prepare-pi.yml index f3d72d8..3ea56e8 100644 --- a/tasks/prepare-pi.yml +++ b/tasks/prepare-pi.yml @@ -1,5 +1,6 @@ --- - name: Install fan script + when: install_fan_script block: - name: Check fan-py daemon is loaded ansible.builtin.systemd: @@ -9,21 +10,20 @@ - name: Install pigpio and Pi fan controller ansible.builtin.include_tasks: pigpio.yml when: output.status.LoadState != 'loaded' - when: install_fan_script - name: Power optimization + when: disable_bluetooth block: - name: Stop and disable hciuart and bluetooth deamon ansible.builtin.systemd: name: "{{ item }}" state: stopped - enabled: no + enabled: false with_items: - bluetooth - hciuart - name: Disable HDMI Output ansible.builtin.command: /usr/bin/tvservice -o - when: disable_bluetooth|bool == true - name: Configure disk mounts in /etc/fstab ansible.posix.mount: diff --git a/tasks/smoke-tests.yml b/tasks/smoke-tests.yml deleted file mode 100644 index 1fda3d1..0000000 --- a/tasks/smoke-tests.yml +++ /dev/null 
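Review bot: The backup task's action key is `ansible.builtin.copy` followed by a stray backtick before the colon, so it is not a resolvable module name and the task fails; the line should read `ansible.builtin.copy:`. The link task below still carries `ignore_errors: true`, which masks a failure to recreate `/etc/resolv.conf` immediately before `systemd-resolved` is restarted and leaves the host without a resolver config if the link is never made. If the reason is that `/run/systemd/resolve/resolv.conf` may not exist until the restart, `force: true` on that `file` task creates the link to a not-yet-present source and lets the `ignore_errors` be removed.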
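Review bot: Moving `when: disable_bluetooth` up to the `Power optimization` block means `Disable HDMI Output` is gated by the Bluetooth flag, while vars.yml (its hunk is at the end of this diff) defines a separate `disable_hdmi: true` that nothing here reads. Give that task its own condition, `when: disable_hdmi | bool`, and keep the block condition for the bluetooth/hciuart loop only. The rewrite also drops the `| bool` cast the old condition had; `when: disable_bluetooth | bool` keeps the behaviour predictable when the flag is passed as a string via `-e`.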
@@ -1,49 +0,0 @@ ---- -- name: Fetch docker swarm info - community.docker.docker_swarm_info: - nodes: yes - services: yes - ignore_errors: yes - register: swarm_info - -- ansible.builtin.debug: - msg: | - ***************** DOCKER SWARM INFO ***************** - can_talk_to_docker: {{ swarm_info.can_talk_to_docker }} - docker_swarm_active: {{ swarm_info.docker_swarm_active }} - docker_swarm_manager: {{ swarm_info.docker_swarm_manager }} - failed: {{ swarm_info.failed }} - ***************** DOCKER SWARM NODES ***************** - {% for node in swarm_info.nodes %} - Node name: {{ node.Hostname }} - Availability: {{ node.Availability }} - ManagerStatus: {{ node.ManagerStatus }} - Status: {{ node.Status }} - {% endfor %} - -- name: Running HTTP GET - ansible.builtin.get_url: - url: "https://192.168.0.120/{{ item }}/" - dest: /tmp/value - validate_certs: no - register: output - ignore_errors: yes - with_items: - - "dashboard" - - "filebrowser" - - "portainer" - - "admin" - - "grafana" - - "prometheus" - - "jellyfin" - - "nextcloud" - loop_control: - label: "{{ item }}" - -- ansible.builtin.debug: - msg: | - {{ "{:<35} {}".format('URL', 'HTTP RESPONCE CODE') }} - - {% for item in output.results %} - {{ "{:<40} {}".format(item.url, item.status_code) }} - {% endfor %} diff --git a/tasks/ufw.yml b/tasks/ufw.yml index 6ca9058..90eb738 100644 --- a/tasks/ufw.yml +++ b/tasks/ufw.yml @@ -1,5 +1,6 @@ --- -- set_fact: +- name: Set facts + ansible.legacy.set_fact: external_iface_list: - eth0 - wlan0 @@ -19,7 +20,7 @@ - name: Append custom rules in /etc/ufw/after.rules ansible.builtin.blockinfile: dest: /etc/ufw/after.rules - block: "{{ lookup('template', 'templates/override_ufw_rules.j2' ) }}" + block: "{{ lookup('template', 'templates/override_ufw_rules.j2') }}" marker: "#{mark} ANSIBLE MANAGED BLOCK" - name: Set DEFAULT_FORWARD_POLICY=DROP in /etc/default/ufw 
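Review bot: `ansible.legacy.set_fact:` is the odd one out — every other task in this file, and the rest of the commit, uses the `ansible.builtin.` namespace, and the `ansible.legacy` namespace additionally lets a module in a local `library/` directory shadow the builtin, which is rarely what is wanted for `set_fact`. Use `ansible.builtin.set_fact:`. The new task name `Set facts` could also say what is being set, e.g. `- name: Set external interface list`.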
@@ -27,16 +28,16 @@ path: /etc/default/ufw regexp: '^DEFAULT_FORWARD_POLICY(.*)$' line: 'DEFAULT_FORWARD_POLICY="DROP"' - backup: yes - backrefs: yes + backup: true + backrefs: true - name: Set IPV6=no in /etc/default/ufw ansible.builtin.lineinfile: path: /etc/default/ufw regexp: '^IPV6=(.*)$' line: 'IPV6=no' - backup: yes - backrefs: yes + backup: true + backrefs: true - name: Allow selected tcp ports community.general.ufw: @@ -46,12 +47,12 @@ with_items: "{{ allow_tcp_ports }}" - name: Allow selected udp ports - ufw: + community.general.ufw: rule: allow port: "{{ item }}" proto: udp with_items: "{{ allow_udp_ports }}" - name: Enable ufw - ufw: + community.general.ufw: state: enabled diff --git a/vars.yml b/vars.yml index 6bed586..67e8076 100644 --- a/vars.yml +++ b/vars.yml @@ -38,9 +38,9 @@ install_fan_script: true # Mount partions configuration in /etc/fstab disk_mount_dirs: - # [DISK_PARTITION]: [MOUNT DIRECTORY] - # /dev/sda1: /media/disk1 # Backup disk - /dev/sdb1: /media/disk2 # Main disk for nextcloud, filebrowser, jellyfin and postgres +# [DISK_PARTITION]: [MOUNT DIRECTORY] + - /dev/sdb1: /media/disk2 # Main disk for nextcloud, filebrowser, jellyfin and postgres +# - /dev/sda1: /media/disk1 # Backup disk # Pi power optimization setttings disable_hdmi: true @@ -48,4 +48,3 @@ disable_bluetooth: true # VPN ip to test connection is secure. More info in https://github.com/veerendra2/raspberrypi-homeserver/blob/main/services/torrent/README.md vpn_ip: "" -
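Review bot: `disk_mount_dirs` changes shape from a mapping (`/dev/sdb1: /media/disk2`) to a list of one-key mappings (`- /dev/sdb1: /media/disk2`), which is a breaking change for whatever consumes it — presumably the `Configure disk mounts in /etc/fstab` task in tasks/prepare-pi.yml, whose loop is not in this diff. Confirm that task now iterates a list (a `with_dict` over the old mapping would fail), and consider explicit keys so the loop does not have to pry apart single-key mappings, e.g. `- device: /dev/sdb1` / `  mount_dir: /media/disk2`. The two comment lines were also moved to column 0 inside the list, which yamllint reports as comment indentation; keep them at the item indent.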