Chewing_Bever/homelab
1
0
Fork 0
Code Issues 5 Wiki Activity

feat: add initial setup for pearl server

Browse source
This commit is contained in:
Jef Roosens 2025-04-24 18:05:28 +02:00
parent 2ae759025c
commit 824d7b8a12
Signed by: Jef Roosens
GPG key ID: 21FD3D77D56BAF49
14 changed files with 329 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

8
roles/any.common.enable-testing/tasks/main.yml → roles/any.common.debian-repositories/tasks/main.yml
View file

@ -1,17 +1,21 @@
---
- ansible.builtin.copy:
src: 'sources.list'
- name: Update sources list
ansible.builtin.template:
src: 'sources.list.j2'
dest: '/etc/apt/sources.list'
owner: 'root'
group: 'root'
mode: '0644'
register: res
- name: Upgrade all packages to the latest version in testing
ansible.builtin.apt:
upgrade: dist
update_cache: yes
cache_valid_time: 3600
when: 'res.changed'
- name: Clean up unused packages
ansible.builtin.apt:
autoremove: yes
when: 'res.changed'

10
roles/any.common.debian-repositories/templates/sources.list.j2 Normal file
View file

@ -0,0 +1,10 @@
deb http://deb.debian.org/debian/ {{ debian_version }} main non-free-firmware
deb-src http://deb.debian.org/debian/ {{ debian_version }} main non-free-firmware
deb http://security.debian.org/debian-security {{ debian_version }}-security main non-free-firmware
deb-src http://security.debian.org/debian-security {{ debian_version }}-security main non-free-firmware
# {{ debian_version }}-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ {{ debian_version }}-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ {{ debian_version }}-updates main non-free-firmware

10
roles/any.common.enable-testing/files/sources.list
View file

@ -1,10 +0,0 @@
deb http://deb.debian.org/debian/ trixie main non-free-firmware
deb-src http://deb.debian.org/debian/ trixie main non-free-firmware
deb http://security.debian.org/debian-security trixie-security main non-free-firmware
deb-src http://security.debian.org/debian-security trixie-security main non-free-firmware
# trixie-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ trixie-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ trixie-updates main non-free-firmware

9
roles/any.tools.caddy/tasks/main.yml
View file

@ -1,8 +1,9 @@
---
- name: Add Caddy GPG key
apt_key:
url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
state: present
ansible.builtin.get_url:
url: 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key'
dest: '/etc/apt/trusted.gpg.d/caddy.asc'
mode: '0644'
force: true
- name: Add Caddy repositories
apt_repository:

60
roles/any.tools.default/tasks/main.yml Normal file
View file

@ -0,0 +1,60 @@
---
- name: Ensure common packages are installed
apt:
name:
# Needed for handling GPG keys for repositories
- debian-keyring
- debian-archive-keyring
- apt-transport-https
- ca-certificates
- lsb-release
- gnupg
# Easy to edit files
- vim
- tmux
- htop
# Spam prevention
- fail2ban
# Disk monitoring
- smartmontools
# Periodic tasks
- cron
# General compression tools
- bzip2
- zip
# Working with BTRFS file systems
- btrfs-progs
- curl
state: present
- name: Ensure cron service is enabled
service:
name: cron
state: started
enabled: true
- name: Ensure fail2ban service is enabled
service:
name: fail2ban
state: started
enabled: true
- name: Ensure Vim config is present
get_url:
url: 'https://r8r.be/vim'
dest: '{{ item.dest }}'
owner: "{{ item.user }}"
group: "{{ item.user }}"
mode: '644'
with_items:
- user: debian
dest: "/home/debian/.vimrc"
- user: root
dest: "/root/.vimrc"

44
roles/any.tools.docker/tasks/main.yml Normal file
View file

@ -0,0 +1,44 @@
---
- name: Ensure older Docker versions aren't installed.
apt:
name:
- docker
- docker-engine
- docker.io
- containerd
- runc
state: absent
- name: Add Docker GPG key.
ansible.builtin.get_url:
url: 'https://download.docker.com/linux/ubuntu/gpg'
dest: '/etc/apt/trusted.gpg.d/docker.asc'
mode: '0644'
force: true
- name: Add Docker PPA.
ansible.builtin.apt_repository:
# https://gist.github.com/rbq/886587980894e98b23d0eee2a1d84933
repo: "deb https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
state: present
- name: Install Docker, docker-compose & cron.
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
state: present
- name: Ensure Docker is running & enabled.
service:
name: docker
state: started
enabled: true
- name: Add Docker prune cronjob.
cron:
name: Prune the Docker system.
hour: 4
minute: 0
job: docker system prune -af

7
roles/any.tools.restic/files/restic_backups_passwd Normal file
View file

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
33666438313237356564363136333933633035303531653464643766373434623834663736386463
3464643731366237633334616536613864396162353264360a316130333032316437393333396466
34356638393834316235633062646330336438376135346666663064303831666632353834663465
6636663930356138640a323433613263393939303833616637336436366630386133386338613736
34353433643539306238663638656539373731616238656635353561356632366332623532396465
3936373534643966616131616161633234663430633233653435

56
roles/any.tools.restic/tasks/main.yml Normal file
View file

@ -0,0 +1,56 @@
---
- name: Ensure download directory is present
ansible.builtin.file:
path: "/opt/restic/{{ restic_version }}"
state: directory
mode: '0755'
- name: Ensure compressed binary is downloaded
ansible.builtin.get_url:
url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_arm64.bz2"
dest: "/opt/restic/{{ restic_version }}/restic-{{ restic_version }}.bz2"
register: res
- name: Ensure binary is decompressed
ansible.builtin.shell:
cmd: "bunzip2 -k /opt/restic/{{ restic_version }}/restic-{{ restic_version }}.bz2"
when: 'res.changed'
- name: Ensure binary is copied to correct location
ansible.builtin.copy:
src: "/opt/restic/{{ restic_version }}/restic-{{ restic_version }}"
remote_src: true
dest: '/usr/local/bin/restic'
owner: 'root'
group: 'root'
mode: '0755'
when: 'res.changed'
# - name: Ensure backup scripts directory is present
# ansible.builtin.file:
# path: '/etc/backups'
# state: directory
# mode: '0755'
# - name: Ensure Restic backups password file is present
# ansible.builtin.copy:
# src: 'restic_backups_passwd'
# dest: '/etc/backups/restic_backups_passwd'
# owner: root
# group: root
# mode: '0600'
# - name: Ensure backup-all script is present
# ansible.builtin.template:
# src: "backup-all.sh.j2"
# dest: '/etc/backups/backup-all.sh'
# owner: root
# group: root
# mode: '0644'
# - name: Ensure backup cronjob is enabled
# ansible.builtin.cron:
# name: 'Perform nightly backups'
# minute: '0'
# hour: '2'
# job: '/usr/bin/bash /etc/backups/backup-all.sh'

43
roles/any.tools.restic/templates/backup-all.sh.j2 Normal file
View file

@ -0,0 +1,43 @@
#!/usr/bin/env bash
# This script sequentially executes all shell scripts matching
# /etc/backups/*.backup.sh, with environment variables configured to publish
# backups to the local Restic REST server.
# Get passed along to subcalls to bash
export RESTIC_REPOSITORY='rest:http://{{ groups['nas'][0] }}:8000/backups'
export RESTIC_PASSWORD_FILE='/etc/backups/restic_backups_passwd'
log_file='/tmp/backup-all.sh.log'
rm -f "$log_file"
for script in $(find /etc/backups -name '*.backup.sh'); do
T="$(date +%s)"
/usr/bin/bash "$script"
res="$?"
T="$(($(date +%s)-T))"
if [[ $res == 0 ]]; then
header='OK'
else
header="FAIL ($res)"
fi
printf \
"%s: %s in %02dh%02dm%02ds\n" \
"$(basename "$script")" "$header" \
"$((T/3600%24))" "$((T/60%60))" "$((T%60))" \
>> "$log_file"
done
# Prune older backups
/usr/local/bin/restic forget --keep-last 7 && \
/usr/local/bin/restic prune
# Send status notification
ntfy publish \
--title "Backups ($(hostname))" \
homelab "$(cat "$log_file")"