any.software.webdav: added role

inventory/group_vars/emma/vars.yaml

@@ -0,0 +1,11 @@
+raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
+
+btrfs_raid:
+  uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
+  path: '/mnt/data1'
+btrfs_nvme:
+  uuid: '5d072d75-7ffc-4780-9a6a-3021b183f9db'
+  path: '/'
+
+miniflux_admin_username: "{{ vault_miniflux_admin }}"
+miniflux_admin_password: "{{ vault_miniflux_admin_pass }}"

inventory/group_vars/emma/vault.yml

@@ -0,0 +1,35 @@
+$ANSIBLE_VAULT;1.1;AES256
+65386638663231383730366662326664386366383763643266666534336439396234343161333038
+3633373235656264623038653734663934663439346333310a643531633337646330656133313461
+62643165303132373437366466636538363630333737343238613334386362323733613539393335
+6563353766653733650a333032376561313731356336333565396539653931323637303263613965
+36353939613037636239353736383837363930376264326139306564343532623761613336656239
+34303732326331623331363764373961366534386562663134663634306365616436323138366136
+36656261646631393232373337646535316261333435326564656262663737393232616536316532
+63623234343932313661636166643730313661633531313764653861653139646365346239343134
+37663735646134623531343762303538623565626162313263373236643464326334363739376632
+32623361626332336630663836366563623235376138366431333731333764613935386633336131
+61636563396361326661393635393038343133363535313763363039646336393030303638316665
+65316261303435643533306338613433366236613431316261393262303939643431303263366634
+37626334313066323762343236313161356338616262326266373861356238636238313963303362
+39346234656133653230373835393537323362373966346163343938616530316562636264313239
+33656561626164343865306164656166633938653034396563316636653663376638613362383962
+37633964386662346565303961663731663865663134646433333964393431333837643861386366
+63643636643638383436623964353063616538303538623561663435366330306230633861353435
+65346532663138633533363163653864373330336336383065346332333965663836336134366630
+37643564333232393838346536373132303630303732323666343664636335336335396364636337
+31626331386631336436363933353730396631646235333164376231323438356633316566633931
+66343061393338356232353462376636623139393436366364383332396233313665343261323663
+62306566336234383162316133366432383064613461663231626238336431313865633236313936
+38336130636435653537653237383866343536623634313664653837646135333561366135646262
+36613037333039326362386233356530663738666537643334353364656464623230363035353134
+31633263313737393033633361386239613336353933303563353935313666636138393337383764
+31363938663235386334343431313362393337393936643662663965336263386662353635393234
+38623064306235343862343966346339633866323939323166303636646461306364613432396261
+32666539666238626531636638303861643931623232386564386536363438636362646465643339
+32613562353639303331633463386166313935323036373730623438326236393835313136336238
+33666563396364613961323862316530663036356566356239313964306138623139323933306565
+61663562663931376563643833316166633465363132616530363739346432643762666230656466
+38646164306237366166386338386230666636326465663762636133363534663636303031343734
+36343535653461366233613763343835303838653336376462393631333539383333303632333866
+3761663065623631396331303465656136393962366362376432

plays/boomhut.yml

@@ -0,0 +1,25 @@
+---
+- hosts: boomhut
+  gather_facts: false
+  become: true
+  roles:
+    - 'any.common.python'
+    - 'any.common.debian-user'
+  tags: first
+
+- hosts: boomhut
+  become: true
+  roles:
+    # - 'any.common.debian-repositories'
+    - 'any.tools.default'
+    - 'any.tools.restic'
+    # First change SSH settings before enabling firewall
+    - 'any.common.ssh'
+    - 'any.tools.ufw'
+  tags: base
+
+- hosts: boomhut
+  become: true
+  roles:
+    - 'any.software.papermc-podman'
+  tags: papermc

plays/emma.yml

@@ -0,0 +1,62 @@
+- name: Set up static IP
+  hosts: emma
+  become: yes
+  roles:
+    - role: any.common.static-ip
+      vars:
+        interface: 'enp1s0'
+        static_ip: '192.168.0.2'
+        broadcast_ip: '192.168.0.255'
+        router_ip: '192.168.0.1'
+    - any.common.ssh
+    - any.tools.ufw
+  tags: networking
+
+- name: Configure BTRFS RAID
+  hosts: emma
+  become: yes
+  roles:
+    - any.common.raid
+  tags: raid
+
+- name: Set up Jellyfin
+  hosts: emma
+  become: yes
+  roles:
+    - any.software.jellyfin
+  tags: jellyfin
+
+- name: Set up Miniflux
+  hosts: emma
+  become: yes
+  tags: miniflux
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/miniflux/postgres"
+    - role: any.software.miniflux-podman
+      vars:
+        postgres_data_dir: '/data/miniflux/postgres'
+
+- name: Set up WebDAV
+  hosts: emma
+  become: yes
+  tags: webdav
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/webdav/data"
+    - role: any.software.webdav
+      vars:
+        webdav_version: '5.7.4'
+        data_dir: '{{ btrfs_raid.path }}/webdav/data'
+
+        webdav_user: "{{ vault_webdav_user }}"
+        webdav_password: "{{ vault_webdav_password }}"
+        webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"

roles/any.common.btrfs-subvolumes/tasks/main.yml

@@ -0,0 +1,33 @@
+# ---
+# - name: Create subvolumes on {{ fs.path }}
+#   block:
+#     - name: Create subvolume {{ fs.path }}{{ subvol.name }}
+#       block:
+#         - name: "Ensure parent directory exists"
+#           ansible.builtin.file:
+#             path: "{{ (fs.path + subvol.name) | dirname }}"
+#             state: directory
+
+#         - name: "Ensure subvolume exists"
+#           community.general.btrfs_subvolume:
+#             filesystem_device: "{{ fs.device | default(omit) }}"
+#             filesystem_label: "{{ fs.label | default(omit) }}"
+#             filesystem_uuid: "{{ fs.uuid | default(omit) }}"
+
+#             name: "{{ subvol.name }}"
+#             state: "present"
+      
+#       loop: "{{ fs.subvolumes }}"
+#       loop_var: "subvol"
+#   loop: "{{ filesystems }}"
+#   loop_var: "fs"
+
+- name: Ensure all BTRFS subvolumes are created
+  community.general.btrfs_subvolume:
+    filesystem_device: "{{ item.filesystem_device | default(omit) }}"
+    filesystem_label: "{{ item.filesystem_label | default(omit) }}"
+    filesystem_uuid: "{{ item.filesystem_uuid | default(omit) }}"
+    name: "{{ item.name }}"
+    recursive: true
+  loop: "{{ subvolumes }}"
+

roles/any.common.ssh/files/authorized_keys

@@ -0,0 +1,5 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkDjXuZn+blanbJAhte8KttrpeCPeT5CGcZ5mlAZv724wTa4qebpwCnf4SK4aFuDQEuCusnia3+X7YWAyCDReNURznAWCtq+b8LGxyIm2hTBbLA1m8sj0xidR/djlUtOwDp9VpSNamUWyiPWJ+WNsPd9xLJ6BK3qRsoFiMN87sO12L7DHHDaMze628Oc+IxFd+VZnH0dPVgitis31f+lXCr8w5qSiEepDJ8Nde8M+Ev1RrPQbR5Q5C+wYxlbY0oPNlGqSrs5i1jJl0BVMI4DlibxatTfuteU5IwcDMQObJr3xJGKNTPswSdzpfJFrLfUBZvsDs94BXEHR2CtxZ4aLQPeLfosWe4zuGvX22p7TzSPx1LkuqIF85Tw1PvK3f7u3l9sozHORAoEA8sFHG+DolqldgjuUgCGpfF/QOY1jkGpbEhq57kKFH+VlFI2XePGQ6299R9RN/Y4S88v14ChLwoLSNWgxK+CgYgB4lbquAIKTKsRla3gkEeziz+qoHPQkD5RcajrWOfSKU4alORpgQerSFZ9zMoz9N2rfTVEzCsVUj0Jiwtd5O7pCX9PWBhz1Nl1ItrRPuFiTSKB05dqsQ1CDZAZMDPJNqotd6QRS5+cKzFLgvU6k/gk08/qV00VM+BxlXkh8PwAhaxNPjMxjzqHx0+xC38FtacuhJiOV91Q== roosensjef@gmail.com
+
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgHqW7mLuaW8XEFJrg031ES7v7y6Uk5QUp++axTd0wzvt5qfqTox9Hg1Xk5C9hdEfYzS5NCU+uoiInR0aHZ3Cl+yxqi3VqDfO20j6Irrt2SOBB86Gsyu9Brj62xtS0rY/e9rmyULJGUtJEz3UmFvn8fE5hUpGjDg7NByFs8f054pzifWw8F/wOvF5rKo9GqkWeXEUZ456FmowXCQLl5SypQliOsHJDs89NiTVvOxiKQXULBhj8o4c0MyCeFfPWqOutSSAetmbnegEjOTy7f/0IiqB+5713KOh1Bm1/u+3J2IVbRgeG1iTJdDVeIxBGmA1wMLvrBtBRIS0MaKa1Xabo3QTgYPHNGrf2w+GMnuoQ6/tdD6omPWGTHXqtHKEeIW1JrlDyhOo86oCl+l2aveMwhFFGW4nQmW7sfrowyLHdU3BpGl4m7pGa+5sTsHiOGEqEN/a7xikztXkuKacQ8E/y1C8gDXgaX8zFl6VOwR5EfMEMX390tz+R+ErDU81h47tSkwbY3KhunSKwPT8jSMldBttnCIexd+QuQgOlSwXkYVPPmXtPUkfp+4VzWSWeGKAa9k3HtVMIvKdVk9eXDVNnVdaAL+EkHyXOyFVVGa9gJ3ZOWhHMNi2/kHAwWMI9CwRxj7AVk30KGBhPN0wdS9Dt8/0Aa33hWuY2p9DxtNaiNw== roosensjef@gmail.com
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkcCTP0IE/ANIXJJIMWEg4f5riS8uv3KuypkzQC47XN roosensjef@gmail.com

roles/any.common.ssh/tasks/main.yml

@@ -1,4 +1,20 @@
 ---
+- name: Ensure ssh directory is present
+  file:
+    path: /home/debian/.ssh/
+    state: directory
+    owner: debian
+    group: debian
+    mode: '700'
+
+- name: Ensure authorized keys are present
+  copy:
+    src: authorized_keys
+    dest: /home/debian/.ssh/authorized_keys
+    owner: debian
+    group: debian
+    mode: '600'
+
 - name: Ensure sshd config is present
   ansible.builtin.copy:
     src: 'sshd_config'

roles/any.common.static-ip/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart networking
+  service:
+    name: networking
+    state: restarted

roles/any.common.static-ip/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Install networking config file.
+  template:
+    src: interfaces.j2
+    dest: /etc/network/interfaces.d/{{ interface }}
+  notify: restart networking

roles/any.common.static-ip/templates/interfaces.j2

@@ -0,0 +1,7 @@
+auto {{ interface }}
+iface {{ interface }} inet static
+	address {{ static_ip }}
+	broadcast {{ broadcast_ip }}
+	netmask 255.255.255.0
+	gateway {{ router_ip }}
+	dns-nameservers {{ router_ip }} 8.8.8.8

roles/any.software.jellyfin/files/jellyfin.service.conf

@@ -7,7 +7,7 @@
 User = jellyfin
 
 # Alter where environment variables are sourced from
-#EnvironmentFile = /etc/default/jellyfin
+EnvironmentFile = /etc/default/jellyfin
 
 # These *should* prevent Jellyfin from fully consuming my Pi's resources
 CPUQuota=300%

roles/any.software.jellyfin/handlers/main.yml

@@ -3,7 +3,7 @@
   systemd:
     daemon_reload: true
 
-- name: restart-jellyfin
+- name: restart jellyfin
   service:
     name: jellyfin
     state: restarted

roles/any.software.jellyfin/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: any.tools.caddy

roles/any.software.jellyfin/tasks/main.yml

@@ -1,13 +1,12 @@
-- name: Add Jellyfin GPG key
-  apt_key:
-    url: "https://repo.jellyfin.org/debian/jellyfin_team.gpg.key"
-    state: present
-
-- name: Add Jellyfin repository
-  apt_repository:
-    repo: "deb https://repo.jellyfin.org/debian bookworm main"
-    filename: 'jellyfin'
-    state: present
+- name: Add Jellyfin repository and key
+  ansible.builtin.deb822_repository:
+    name: 'jellyfin'
+    types: 
+      - deb
+    uris: 'https://repo.jellyfin.org/debian'
+    suites: 'trixie'
+    components: 'main'
+    signed_by: 'https://repo.jellyfin.org/debian/jellyfin_team.gpg.key'
 
 - name: Install Jellyfin
   apt:
@@ -17,8 +16,8 @@
 - name: Create Jellyfin user
   user:
     name: jellyfin
-    groups:
-      - data
+    # groups:
+    #   - data
     append: true
     create_home: no
     shell: /bin/nologin
@@ -33,7 +32,7 @@
     mode: '644'
   notify: 
     - daemon-reload
-    - restart-jellyfin
+    - restart jellyfin
 
 - name: Copy over Environment file
   copy:
@@ -42,7 +41,7 @@
     owner: root
     group: root
     mode: '644'
-  notify: restart-jellyfin
+  notify: restart jellyfin
 
 - name: Ensure Jellyfin service is running & enabled
   service:
@@ -57,4 +56,4 @@
     owner: root
     group: root
     mode: '0644'
-  notify: caddy-reload
+  notify: reload caddy

roles/any.software.miniflux-podman/files/miniflux-app.container

@@ -0,0 +1,14 @@
+# vim: ft=systemd
+[Unit]
+Requires=miniflux-postgres.service
+
+[Container]
+Image=docker.io/miniflux/miniflux:2.2.7
+EnvironmentFile=/etc/miniflux/miniflux.env
+Pod=miniflux.pod
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.miniflux-podman/files/miniflux.Caddyfile

@@ -0,0 +1,5 @@
+nws.roosens.me {
+    reverse_proxy localhost:8002 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.miniflux-podman/files/miniflux.backup.sh

@@ -0,0 +1,5 @@
+cd /etc/miniflux
+
+/usr/bin/docker compose exec -T db pg_dump -U miniflux miniflux |
+    /usr/bin/gzip --rsyncable |
+    /usr/local/bin/restic backup --stdin --stdin-filename miniflux-postgres.sql.gz

roles/any.software.miniflux-podman/files/miniflux.pod

@@ -0,0 +1,3 @@
+# vim: ft=systemd
+[Pod]
+PublishPort=127.0.0.1:8002:8080

roles/any.software.miniflux-podman/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: any.tools.caddy

roles/any.software.miniflux-podman/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: Ensure systemd directory is present
+  ansible.builtin.file:
+    path: '/home/debian/.config/containers/systemd'
+    state: 'directory'
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+
+- name: Ensure Quadlet files are present
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/home/debian/.config/containers/systemd/{{ item }}"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'miniflux-postgres.container'
+
+- name: Ensure Quadlet files is present
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/home/debian/.config/containers/systemd/{{ item }}"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'miniflux-app.container'
+    - 'miniflux.pod'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/miniflux'
+    state: directory
+    mode: '0755'
+
+- name: Ensure environment file is present
+  ansible.builtin.template:
+    src: 'miniflux.env.j2'
+    dest: '/etc/miniflux/miniflux.env'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  register: res
+
+- name: Ensure Caddyfile is present
+  copy:
+    src: 'miniflux.Caddyfile'
+    dest: '/etc/caddy/miniflux.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload caddy
+
+# - name: Ensure stack is deployed
+#   ansible.builtin.shell:
+#     chdir: '/etc/miniflux'
+#     cmd: 'docker compose up -d --remove-orphans'
+#   when: 'res.changed'
+
+# - name: Ensure backup script is present
+#   ansible.builtin.copy:
+#     src: 'miniflux.backup.sh'
+#     dest: '/etc/backups/miniflux.backup.sh'
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'

roles/any.software.miniflux-podman/templates/compose.yml.j2

@@ -0,0 +1,47 @@
+# vim: ft=yaml
+version: '3'
+name: 'miniflux'
+
+services:
+  app:
+    image: 'miniflux/miniflux:2.2.7'
+    restart: 'always'
+
+    # depends_on:
+    #   db:
+        # condition: service_healthy
+
+    environment:
+      - DATABASE_URL=postgres://miniflux:miniflux@db/miniflux?sslmode=disable
+      - RUN_MIGRATIONS=1
+      - CREATE_ADMIN=1
+      - ADMIN_USERNAME=admin
+      - ADMIN_PASSWORD=password
+
+      # Don't stress the system too much
+      - WORKER_POOL_SIZE=1
+      - BASE_URL=https://nws.roosens.me
+
+      # Default scheduling settings should be good
+
+      # I'm a hoarder
+      - CLEANUP_ARCHIVE_UNREAD_DAYS=-1
+      - CLEANUP_ARCHIVE_READ_DAYS=-1
+    ports:
+      - "127.0.0.1:8002:8080"
+
+  db:
+    image: 'postgres:16.1-alpine'
+    restart: 'always'
+
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "miniflux"]
+      interval: 10s
+      start_period: 30s
+
+    environment:
+      - POSTGRES_USER=miniflux
+      - POSTGRES_PASSWORD=miniflux
+      - POSTGRES_DB=miniflux
+    volumes:
+      - /mnt/data1/miniflux/postgres:/var/lib/postgresql/data

roles/any.software.miniflux-podman/templates/miniflux-postgres.container.j2

@@ -0,0 +1,15 @@
+# vim: ft=systemd
+[Container]
+Image=docker.io/postgres:16.1-alpine
+
+Environment=POSTGRES_USER=miniflux POSTGRES_PASSWORD=miniflux POSTGRES_DB=miniflux
+HealthCmd=["pg_isready","-U","miniflux"]
+HealthInterval=10s
+HealthStartPeriod=30s
+Pod=miniflux.pod
+
+Notify=healthy
+Volume={{ postgres_data_dir }}:/var/lib/postgresql/data
+
+[Service]
+Restart=always

roles/any.software.miniflux-podman/templates/miniflux.env.j2

@@ -0,0 +1,11 @@
+DATABASE_URL=postgres://miniflux:miniflux@localhost:5432/miniflux?sslmode=disable
+RUN_MIGRATIONS=1
+CREATE_ADMIN=1
+ADMIN_USERNAME={{ miniflux_admin_username }}
+ADMIN_PASSWORD={{ miniflux_admin_password }}
+
+WORKER_POOL_SIZE=1
+BASE_URL=https://nws.roosens.me
+
+CLEANUP_ARCHIVE_UNREAD_DAYS=-1
+CLEANUP_ARCHIVE_READ_DAYS=-1

roles/any.software.papermc-podman/files/Dockerfile

@@ -0,0 +1,68 @@
+ARG BASE_IMAGE
+
+# Build dumb-init
+FROM alpine AS dumb-init-builder
+
+ARG DI_VER=1.2.5
+
+WORKDIR /app
+
+# Build dumb-init & download tshock
+RUN apk add --update --no-cache build-base unzip curl && \
+    curl -Lo - "https://github.com/Yelp/dumb-init/archive/refs/tags/v${DI_VER}.tar.gz" | tar -xzf - && \
+    cd "dumb-init-${DI_VER}" && \
+    make SHELL=/bin/sh && \
+    mv dumb-init ..
+
+
+# We use ${:-} instead of a default value because the argument is always passed
+# to the build, it'll just be blank most likely
+FROM ${BASE_IMAGE:-'eclipse-temurin:21-jre-alpine'}
+
+# Build arguments
+ARG MC_VERSION
+ARG PAPERMC_VERSION
+
+COPY ./alex /bin/alex
+
+# Install alex binary
+# ADD "https://git.rustybever.be/api/packages/Chewing_Bever/generic/alex/0.4.0/alex-linux-amd64" /bin/alex
+
+# RUN chmod +x /bin/alex && \
+#     addgroup -Sg 1000 paper && \
+#     adduser -SHG paper -u 1000 paper
+
+# Create worlds and config directory
+WORKDIR /app
+RUN mkdir -p worlds config/cache backups
+
+# Download server file
+# ADD "https://papermc.io/api/v2/projects/paper/versions/$MC_VERSION/builds/$PAPERMC_VERSION/downloads/paper-$MC_VERSION-$PAPERMC_VERSION.jar" server.jar
+ADD "https://fill-data.papermc.io/v1/objects/0b32aa197452047a51772af05bb9fddc264304ad780dca87425a726d68f89149/paper-1.21.10-127.jar" server.jar
+
+# Make sure the server user can access all necessary folders
+# RUN chown -R paper:paper /app
+
+# Store the cache in an anonymous volume, which means it won't get stored in the other volumes
+# VOLUME /app/config/cache
+
+ENV ALEX_JAR=/app/server.jar \
+    ALEX_CONFIG=/app/config \
+    ALEX_WORLD=/app/worlds \
+    ALEX_BACKUP=/app/backups \
+    ALEX_SERVER=paper \
+    ALEX_SERVER_VERSION="${MC_VERSION}-${PAPERMC_VERSION}"
+
+# Document exposed ports
+EXPOSE 25565
+
+# Switch to non-root user
+# USER paper:paper
+
+COPY --from=dumb-init-builder /app/dumb-init /dumb-init
+
+ENTRYPOINT ["/dumb-init", "--"]
+CMD /bin/alex run
+
+# HEALTHCHECK --interval=30s --timeout=5s --start-period=1m --retries=5 \
+#     CMD mcstatus localhost:25565 ping

roles/any.software.papermc-podman/files/papermc.container

@@ -0,0 +1,23 @@
+# vim: ft=systemd
+[Unit]
+Description=Self-hostable Minecraft server
+
+[Container]
+Image=papermc:1.21.10
+EnvironmentFile=/etc/papermc/papermc.env
+Pull=never
+
+PodmanArgs=--tty
+
+PublishPort=25565:25565
+
+Volume=/data/papermc/config:/app/config
+Volume=/data/papermc/worlds:/app/worlds
+Volume=/data/papermc/backups:/app/backups
+Volume=/data/papermc/cache:/app/config/cache
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.papermc-podman/files/papermc.env

@@ -0,0 +1,3 @@
+ALEX_XMS=4096
+ALEX_XMX=6144
+ALEX_LAYERS=30min,30,1,48;daily,1440,7,1

roles/any.software.papermc-podman/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Ensure data directory is present
+  ansible.builtin.file:
+    path: '/data/papermc/{{ item }}'
+    state: directory
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'cache'
+    - 'worlds'
+    - 'config'
+    - 'backups'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/papermc'
+    state: directory
+    mode: '0755'
+
+- name: Ensure files are present
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '/etc/papermc/{{ item }}'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  loop:
+    - 'papermc.env'
+    - 'Dockerfile'
+    - 'alex'
+
+- name: Ensure user configuration directory is present
+  ansible.builtin.file:
+    path: '/home/debian/.config/containers/systemd'
+    state: directory
+    owner: 'debian'
+    group: 'debian'
+    mode: '0755'
+
+- name: Ensure Container unit files are present
+  ansible.builtin.copy:
+    src: "papermc.container"
+    dest: "/home/debian/.config/containers/systemd/papermc.container"
+    mode: '0644'
+    owner: 'debian'
+    group: 'debian'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    scope: "user"
+  when: 'res.changed'

roles/any.software.webdav/files/webdav.Caddyfile

@@ -0,0 +1,5 @@
+webdav.roosens.me {
+    reverse_proxy localhost:8018 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.webdav/files/webdav.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/webdav/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.webdav/files/webdav.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=WebDAV
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=exec
+User=webdav
+Group=webdav
+ExecStart=/usr/local/bin/webdav --config /etc/webdav/config.toml
+
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/any.software.webdav/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart webdav'
+  ansible.builtin.service:
+    name: 'webdav'
+    state: 'restarted'

roles/any.software.webdav/tasks/main.yml

@@ -0,0 +1,107 @@
+---
+# Download latest version of binary
+- name: Ensure download directory is present
+  ansible.builtin.file:
+    path: "/home/debian/webdav/{{ webdav_version }}"
+    state: directory
+    mode: '0755'
+
+- name: Ensure compressed binary is downloaded
+  ansible.builtin.get_url:
+    url: "https://github.com/hacdias/webdav/releases/download/v{{ webdav_version }}/linux-amd64-webdav.tar.gz"
+    dest: "/home/debian/webdav/{{ webdav_version }}/webdav-{{ webdav_version }}.tar.gz"
+  register: res
+
+- name: Ensure binary is decompressed
+  ansible.builtin.shell:
+    chdir: "/home/debian/webdav/{{ webdav_version }}"
+    cmd: "tar --extract --gzip --file webdav-{{ webdav_version }}.tar.gz"
+  when: 'res.changed'
+
+- name: Ensure binary is copied to correct location
+  ansible.builtin.copy:
+    src: "/home/debian/webdav/{{ webdav_version }}/webdav"
+    remote_src: true
+    dest: '/usr/local/bin/webdav'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: 'res.changed'
+  notify: 'restart webdav'
+
+# Set up system user and data directories
+- name: Ensure system group exists
+  ansible.builtin.group:
+    name: 'webdav'
+    gid: 5000
+    system: true
+    state: present
+
+- name: Ensure system user exists
+  ansible.builtin.user:
+    name: 'webdav'
+    group: 'webdav'
+    uid: 5000
+    system: true
+    create_home: false
+
+- name: Ensure subvolume permissions are correct
+  ansible.builtin.file:
+    path: "{{ data_dir }}"
+    state: directory
+    mode: '0755'
+    owner: 'webdav'
+    group: 'webdav'
+
+# Set up configuration, backup scripts and systemd service
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/webdav'
+    state: directory
+    mode: '0755'
+
+- name: Ensure config file is present
+  ansible.builtin.template:
+    src: 'config.toml.j2'
+    dest: '/etc/webdav/config.toml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart webdav'
+
+# - name: Ensure backup scripts are present
+#   ansible.builtin.copy:
+#     src: "webdav.{{ item }}.backup.sh"
+#     dest: "/etc/backups/webdav.{{ item }}.backup.sh"
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   loop:
+#     - 'data'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: "webdav.Caddyfile"
+    dest: "/etc/caddy/webdav.Caddyfile"
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Ensure service file is present
+  ansible.builtin.copy:
+    src: 'webdav.service'
+    dest: '/lib/systemd/system/webdav.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+# - name: Ensure webdav service is enabled
+#   ansible.builtin.service:
+#     name: 'webdav'
+#     enabled: true

roles/any.software.webdav/templates/config.toml.j2

@@ -0,0 +1,31 @@
+address = '127.0.0.1'
+port = 8018
+
+# Handled by reverse proxy
+tls = false
+
+prefix = '/'
+debug = false
+noSniff = false
+
+behindProxy = true
+directory = '{{ data_dir }}'
+
+permissions = 'R'
+rulesBehavior = 'overwrite'
+
+[log]
+format = 'console'
+# Color output isn't useful when ingested via systemd
+colors = false
+outputs = ['stdout']
+
+[cors]
+enabled = false
+
+[[users]]
+username = '{{ webdav_user }}'
+password = '{{ webdav_password }}'
+permissions = 'CRUD'
+
+# vim: ft=toml

roles/jellyfin/meta/main.yml

@@ -1,3 +0,0 @@
----
-dependencies:
-  - role: caddy