jelly, caddy, other stuff

first_run.yml

@@ -1,11 +1,12 @@
 ---
-- name: Install Python
-  hosts: all
-  gather_facts: no
-  roles:
-    - install-python
-
 - name: Configure base system.
   hosts: all
+  gather_facts: no
+  # Debian installs don't have Python by default
+  pre_tasks:
+  - name: Update package database
+    raw: apt update
+  - name: Install Python
+    raw: apt install -y python3
   roles:
     - base

group_vars/all/vars.yml

@@ -15,16 +15,3 @@ ansible_become_pass: !vault |
           36343435646561643662373138613237626461373330346566356132636366623731643838383633
           3765666163656264340a663138623535626161376666323862373131383637356231323737313564
           6430
-
-lambroek_password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          33373365393262643630646336323731376232646138613061363933366265393863636536303430
-          3738363338653035623039383463643761343261336366620a353532613132343439333563663664
-          61643135323936323362326365663366333864363735363438636361643734333930616566356563
-          3038373639646338380a393061376135353564373062353139366461383939333161333936613430
-          33383233336531663261373631363733323839353235613131363966643838373033373437613764
-          37306137366666663938616465393464653961643732636236636438396165623165653363623135
-          36386632303939646632393362373838663337663063326338623534326561656561633131376138
-          64376237373133333761313635346266306638383038663333366139303437323562303733373764
-          63316564393763643834643232663462333633373639633938663035633063356530
-

group_vars/nas/vars.yml

@@ -0,0 +1,2 @@
+raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
+lambroek_password: "{{ vault_lambroek_password }}"

group_vars/nas/vault.yml

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63336531383736643438396339366463383265373633373666623566616538316666323136626537
+3462346135616462383838613531343537313165653962370a343965613330636566393363633733
+35313039626430346264373361306464343532316532353232666166656531346237613033383662
+3563663536616362620a626563666631336537373961636232386430366139396262666466626633
+30653138633830636130663139373462663266643332303234303564353162333031383331396562
+6136386164613435633835336462663834376130383362666561

hosts.ini

@@ -1 +1,2 @@
-192.168.0.3
+[nas]
+192.168.0.3 static_ip=192.168.0.3

nas.yml

@@ -0,0 +1,36 @@
+---
+- name: Perform common tasks
+  hosts: nas
+  become: yes
+  roles:
+    - base
+    - common
+  tags: base
+
+- name: Configure BTRFS RAID
+  hosts: nas
+  become: yes
+  roles:
+    - raid
+  tags: raid
+
+- name: Set up Samba
+  hosts: nas
+  become: yes
+  roles:
+    - samba
+  tags: samba
+
+- name: Set up Jellyfin
+  hosts: nas
+  become: yes
+  roles:
+    - jellyfin
+  tags: jellyfin
+
+- name: Set up Caddy
+  hosts: nas
+  become: yes
+  roles:
+    - caddy
+  tags: caddy

roles/base/tasks/main.yml

@@ -4,10 +4,17 @@
     name: sudo
     state: present
 
+- name: Create data group.
+  group:
+    name: data
+    gid: 1002
+
 - name: Create debian user.
   user:
     name: debian
-    groups: sudo
+    groups:
+      - sudo
+      - data
     append: true
     create_home: yes
     shell: /bin/bash

roles/caddy/files/Caddyfile

@@ -0,0 +1,16 @@
+# The Caddyfile is an easy way to configure your Caddy web server.
+#
+# Unless the file starts with a global options block, the first
+# uncommented line is always the address of your site.
+#
+# To use your own domain name (with automatic HTTPS), first make
+# sure your domain's A/AAAA DNS records are properly pointed to
+# this machine's public IP, then replace ":80" below with your
+# domain name.
+
+media.roosens.me {
+	reverse_proxy localhost:8096
+}
+
+# Refer to the Caddy docs for more information:
+# https://caddyserver.com/docs/caddyfile

roles/caddy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload-caddy
+  service:
+    name: caddy
+    state: reloaded

roles/caddy/tasks/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Add Caddy GPG key
   apt_key:
     url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
@@ -16,3 +17,19 @@
   apt:
     name: caddy
     state: present
+
+- name: Copy over Caddyfile
+  copy:
+    src: Caddyfile
+    dest: '/etc/caddy/Caddyfile'
+    owner: root
+    group: root
+    mode: '644'
+  notify: reload-caddy
+
+- name: Ensure Caddy service is running & enabled
+  service:
+    name: caddy
+    state: started
+    enabled: true
+

roles/common/tasks/main.yml

@@ -10,6 +10,12 @@
       - vim
       - tmux
       - htop
+
+      # Spam prevention
+      - fail2ban
+
+      # Disk monitoring
+      - smartmontools
     state: present
 
 - name: Install Vim config
@@ -24,3 +30,9 @@
       dest: "/home/debian/.vimrc"
     - user: root
       dest: "/root/.vimrc"
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    state: started
+    enabled: true

roles/install-python/tasks/main.yml

@@ -1,6 +0,0 @@
----
-- name: Update package database
-  raw: apt update
-
-- name: Install Python
-  raw: apt install -y python3

roles/jellyfin/tasks/main.yml

@@ -5,7 +5,7 @@
 
 - name: Add Jellyfin repository
   apt_repository:
-    repo: "deb https://repo.jellyfin.org/debian bullseye main"
+    repo: "deb https://repo.jellyfin.org/debian bookworm main"
     filename: 'jellyfin'
     state: present
 
@@ -14,6 +14,16 @@
     name: jellyfin
     state: present
 
+- name: Create Jellyfin user
+  user:
+    name: jellyfin
+    groups:
+      - data
+    append: true
+    create_home: no
+    shell: /bin/nologin
+    update_password: on_create
+
 - name: Copy over service file
   copy:
     src: jellyfin.service.conf

roles/net-security/tasks/main.yml

@@ -1,14 +0,0 @@
-- name: Install fail2ban.
-  apt:
-    name: fail2ban
-    state: present
-
-# TODO add proper fail2ban config
-
-- name: Ensure fail2ban is started & enabled.
-  service:
-    name: fail2ban
-    state: started
-    enabled: true
-
-# TODO install UFW

roles/raid/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Install BTRFS tools
+  apt:
+    name: btrfs-progs
+    state: present
+
+- name: Create mountpoint
+  file:
+    path: /mnt/data1
+    state: directory
+    mode: '0755'
+    owner: debian
+    group: debian
+
+- name: Mount RAID
+  mount:
+    path: /mnt/data1
+    src: "UUID={{ raid_uuid }}"
+    fstype: btrfs
+    state: mounted

roles/samba/handlers/main.yml

@@ -3,3 +3,8 @@
   service:
     name: smbd
     state: restarted
+
+- name: smbpasswd-lambroek
+  shell:
+    cmd: "smbpasswd -sa lambroek"
+    stdin: "{{ lambroek_password }}\n{{ lambroek_password }}"

roles/samba/tasks/main.yml

@@ -16,10 +16,9 @@
     create_home: false
     groups:
       - data
-    password: "{{ lambroek_password }}"
+    password: "{{ lambroek_password | password_hash('sha512') }}"
     shell: /sbin/nologin
-
-# TODO run "smbpasswd -a lambroek"
+  notify: smbpasswd-lambroek
 
 - name: Copy over smb config file
   copy: