jelly, caddy, other stuff

roles/base/tasks/main.yml

@@ -4,10 +4,17 @@
     name: sudo
     state: present
 
+- name: Create data group.
+  group:
+    name: data
+    gid: 1002
+
 - name: Create debian user.
   user:
     name: debian
-    groups: sudo
+    groups:
+      - sudo
+      - data
     append: true
     create_home: yes
     shell: /bin/bash

roles/caddy/files/Caddyfile

@@ -0,0 +1,16 @@
+# The Caddyfile is an easy way to configure your Caddy web server.
+#
+# Unless the file starts with a global options block, the first
+# uncommented line is always the address of your site.
+#
+# To use your own domain name (with automatic HTTPS), first make
+# sure your domain's A/AAAA DNS records are properly pointed to
+# this machine's public IP, then replace ":80" below with your
+# domain name.
+
+media.roosens.me {
+	reverse_proxy localhost:8096
+}
+
+# Refer to the Caddy docs for more information:
+# https://caddyserver.com/docs/caddyfile

roles/caddy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload-caddy
+  service:
+    name: caddy
+    state: reloaded

roles/caddy/tasks/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Add Caddy GPG key
   apt_key:
     url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
@@ -16,3 +17,19 @@
   apt:
     name: caddy
     state: present
+
+- name: Copy over Caddyfile
+  copy:
+    src: Caddyfile
+    dest: '/etc/caddy/Caddyfile'
+    owner: root
+    group: root
+    mode: '644'
+  notify: reload-caddy
+
+- name: Ensure Caddy service is running & enabled
+  service:
+    name: caddy
+    state: started
+    enabled: true
+

roles/common/tasks/main.yml

@@ -10,6 +10,12 @@
       - vim
       - tmux
       - htop
+
+      # Spam prevention
+      - fail2ban
+
+      # Disk monitoring
+      - smartmontools
     state: present
 
 - name: Install Vim config
@@ -24,3 +30,9 @@
       dest: "/home/debian/.vimrc"
     - user: root
       dest: "/root/.vimrc"
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    state: started
+    enabled: true

roles/install-python/tasks/main.yml

@@ -1,6 +0,0 @@
----
-- name: Update package database
-  raw: apt update
-
-- name: Install Python
-  raw: apt install -y python3

roles/jellyfin/tasks/main.yml

@@ -5,7 +5,7 @@
 
 - name: Add Jellyfin repository
   apt_repository:
-    repo: "deb https://repo.jellyfin.org/debian bullseye main"
+    repo: "deb https://repo.jellyfin.org/debian bookworm main"
     filename: 'jellyfin'
     state: present
 
@@ -14,6 +14,16 @@
     name: jellyfin
     state: present
 
+- name: Create Jellyfin user
+  user:
+    name: jellyfin
+    groups:
+      - data
+    append: true
+    create_home: no
+    shell: /bin/nologin
+    update_password: on_create
+
 - name: Copy over service file
   copy:
     src: jellyfin.service.conf

roles/net-security/tasks/main.yml

@@ -1,14 +0,0 @@
-- name: Install fail2ban.
-  apt:
-    name: fail2ban
-    state: present
-
-# TODO add proper fail2ban config
-
-- name: Ensure fail2ban is started & enabled.
-  service:
-    name: fail2ban
-    state: started
-    enabled: true
-
-# TODO install UFW

roles/raid/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Install BTRFS tools
+  apt:
+    name: btrfs-progs
+    state: present
+
+- name: Create mountpoint
+  file:
+    path: /mnt/data1
+    state: directory
+    mode: '0755'
+    owner: debian
+    group: debian
+
+- name: Mount RAID
+  mount:
+    path: /mnt/data1
+    src: "UUID={{ raid_uuid }}"
+    fstype: btrfs
+    state: mounted

roles/samba/handlers/main.yml

@@ -3,3 +3,8 @@
   service:
     name: smbd
     state: restarted
+
+- name: smbpasswd-lambroek
+  shell:
+    cmd: "smbpasswd -sa lambroek"
+    stdin: "{{ lambroek_password }}\n{{ lambroek_password }}"

roles/samba/tasks/main.yml

@@ -16,10 +16,9 @@
     create_home: false
     groups:
       - data
-    password: "{{ lambroek_password }}"
+    password: "{{ lambroek_password | password_hash('sha512') }}"
     shell: /sbin/nologin
-
-# TODO run "smbpasswd -a lambroek"
+  notify: smbpasswd-lambroek
 
 - name: Copy over smb config file
   copy: