any.software.webdav: added role

any.software.miniflux-podman: added role
Migrated jellyfin role to new format
2025-12-23 22:51:12 +01:00 · 2025-12-23 22:49:58 +01:00 · 2025-12-21 21:44:17 +01:00 · 2025-12-21 21:43:27 +01:00 · 2025-12-21 21:42:37 +01:00
38 changed files with 717 additions and 20 deletions
--- a/inventory/group_vars/emma/vars.yaml
+++ b/inventory/group_vars/emma/vars.yaml
@ -0,0 +1,11 @@
 raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
 btrfs_raid:
  uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
  path: '/mnt/data1'
 btrfs_nvme:
  uuid: '5d072d75-7ffc-4780-9a6a-3021b183f9db'
  path: '/'
 miniflux_admin_username: "{{ vault_miniflux_admin }}"
 miniflux_admin_password: "{{ vault_miniflux_admin_pass }}"
--- a/inventory/group_vars/emma/vault.yml
+++ b/inventory/group_vars/emma/vault.yml
@ -0,0 +1,35 @@
 $ANSIBLE_VAULT;1.1;AES256
 65386638663231383730366662326664386366383763643266666534336439396234343161333038
 3633373235656264623038653734663934663439346333310a643531633337646330656133313461
 62643165303132373437366466636538363630333737343238613334386362323733613539393335
 6563353766653733650a333032376561313731356336333565396539653931323637303263613965
 36353939613037636239353736383837363930376264326139306564343532623761613336656239
 34303732326331623331363764373961366534386562663134663634306365616436323138366136
 36656261646631393232373337646535316261333435326564656262663737393232616536316532
 63623234343932313661636166643730313661633531313764653861653139646365346239343134
 37663735646134623531343762303538623565626162313263373236643464326334363739376632
 32623361626332336630663836366563623235376138366431333731333764613935386633336131
 61636563396361326661393635393038343133363535313763363039646336393030303638316665
 65316261303435643533306338613433366236613431316261393262303939643431303263366634
 37626334313066323762343236313161356338616262326266373861356238636238313963303362
 39346234656133653230373835393537323362373966346163343938616530316562636264313239
 33656561626164343865306164656166633938653034396563316636653663376638613362383962
 37633964386662346565303961663731663865663134646433333964393431333837643861386366
 63643636643638383436623964353063616538303538623561663435366330306230633861353435
 65346532663138633533363163653864373330336336383065346332333965663836336134366630
 37643564333232393838346536373132303630303732323666343664636335336335396364636337
 31626331386631336436363933353730396631646235333164376231323438356633316566633931
 66343061393338356232353462376636623139393436366364383332396233313665343261323663
 62306566336234383162316133366432383064613461663231626238336431313865633236313936
 38336130636435653537653237383866343536623634313664653837646135333561366135646262
 36613037333039326362386233356530663738666537643334353364656464623230363035353134
 31633263313737393033633361386239613336353933303563353935313666636138393337383764
 31363938663235386334343431313362393337393936643662663965336263386662353635393234
 38623064306235343862343966346339633866323939323166303636646461306364613432396261
 32666539666238626531636638303861643931623232386564386536363438636362646465643339
 32613562353639303331633463386166313935323036373730623438326236393835313136336238
 33666563396364613961323862316530663036356566356239313964306138623139323933306565
 61663562663931376563643833316166633465363132616530363739346432643762666230656466
 38646164306237366166386338386230666636326465663762636133363534663636303031343734
 36343535653461366233613763343835303838653336376462393631333539383333303632333866
 3761663065623631396331303465656136393962366362376432
--- a/plays/boomhut.yml
+++ b/plays/boomhut.yml
@ -0,0 +1,25 @@
 ---
 - hosts: boomhut
  gather_facts: false
  become: true
  roles:
    - 'any.common.python'
    - 'any.common.debian-user'
  tags: first
 - hosts: boomhut
  become: true
  roles:
    # - 'any.common.debian-repositories'
    - 'any.tools.default'
    - 'any.tools.restic'
    # First change SSH settings before enabling firewall
    - 'any.common.ssh'
    - 'any.tools.ufw'
  tags: base
 - hosts: boomhut
  become: true
  roles:
    - 'any.software.papermc-podman'
  tags: papermc
--- a/plays/emma.yml
+++ b/plays/emma.yml
@ -0,0 +1,62 @@
 - name: Set up static IP
  hosts: emma
  become: yes
  roles:
    - role: any.common.static-ip
      vars:
        interface: 'enp1s0'
        static_ip: '192.168.0.2'
        broadcast_ip: '192.168.0.255'
        router_ip: '192.168.0.1'
    - any.common.ssh
    - any.tools.ufw
  tags: networking
 - name: Configure BTRFS RAID
  hosts: emma
  become: yes
  roles:
    - any.common.raid
  tags: raid
 - name: Set up Jellyfin
  hosts: emma
  become: yes
  roles:
    - any.software.jellyfin
  tags: jellyfin
 - name: Set up Miniflux
  hosts: emma
  become: yes
  tags: miniflux
  roles:
    - role: any.common.btrfs-subvolumes
      vars:
        subvolumes:
          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
            filesystem_path: "{{ btrfs_nvme.path }}"
            name: "/@rootfs/data/miniflux/postgres"
    - role: any.software.miniflux-podman
      vars:
        postgres_data_dir: '/data/miniflux/postgres'
 - name: Set up WebDAV
  hosts: emma
  become: yes
  tags: webdav
  roles:
    - role: any.common.btrfs-subvolumes
      vars:
        subvolumes:
          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
            filesystem_path: "{{ btrfs_raid.path }}"
            name: "/webdav/data"
    - role: any.software.webdav
      vars:
        webdav_version: '5.7.4'
        data_dir: '{{ btrfs_raid.path }}/webdav/data'
        webdav_user: "{{ vault_webdav_user }}"
        webdav_password: "{{ vault_webdav_password }}"
        webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"
--- a/roles/any.common.btrfs-subvolumes/tasks/main.yml
+++ b/roles/any.common.btrfs-subvolumes/tasks/main.yml
@ -0,0 +1,33 @@
 # ---
 # - name: Create subvolumes on {{ fs.path }}
 #   block:
 #     - name: Create subvolume {{ fs.path }}{{ subvol.name }}
 #       block:
 #         - name: "Ensure parent directory exists"
 #           ansible.builtin.file:
 #             path: "{{ (fs.path + subvol.name) | dirname }}"
 #             state: directory
 #         - name: "Ensure subvolume exists"
 #           community.general.btrfs_subvolume:
 #             filesystem_device: "{{ fs.device | default(omit) }}"
 #             filesystem_label: "{{ fs.label | default(omit) }}"
 #             filesystem_uuid: "{{ fs.uuid | default(omit) }}"
 #             name: "{{ subvol.name }}"
 #             state: "present"
 #       loop: "{{ fs.subvolumes }}"
 #       loop_var: "subvol"
 #   loop: "{{ filesystems }}"
 #   loop_var: "fs"
 - name: Ensure all BTRFS subvolumes are created
  community.general.btrfs_subvolume:
    filesystem_device: "{{ item.filesystem_device | default(omit) }}"
    filesystem_label: "{{ item.filesystem_label | default(omit) }}"
    filesystem_uuid: "{{ item.filesystem_uuid | default(omit) }}"
    name: "{{ item.name }}"
    recursive: true
  loop: "{{ subvolumes }}"
--- a/roles/any.common.raid/tasks/main.yml
+++ b/roles/any.common.raid/tasks/main.yml
--- a/roles/any.common.ssh/files/authorized_keys
+++ b/roles/any.common.ssh/files/authorized_keys
@ -0,0 +1,5 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkDjXuZn+blanbJAhte8KttrpeCPeT5CGcZ5mlAZv724wTa4qebpwCnf4SK4aFuDQEuCusnia3+X7YWAyCDReNURznAWCtq+b8LGxyIm2hTBbLA1m8sj0xidR/djlUtOwDp9VpSNamUWyiPWJ+WNsPd9xLJ6BK3qRsoFiMN87sO12L7DHHDaMze628Oc+IxFd+VZnH0dPVgitis31f+lXCr8w5qSiEepDJ8Nde8M+Ev1RrPQbR5Q5C+wYxlbY0oPNlGqSrs5i1jJl0BVMI4DlibxatTfuteU5IwcDMQObJr3xJGKNTPswSdzpfJFrLfUBZvsDs94BXEHR2CtxZ4aLQPeLfosWe4zuGvX22p7TzSPx1LkuqIF85Tw1PvK3f7u3l9sozHORAoEA8sFHG+DolqldgjuUgCGpfF/QOY1jkGpbEhq57kKFH+VlFI2XePGQ6299R9RN/Y4S88v14ChLwoLSNWgxK+CgYgB4lbquAIKTKsRla3gkEeziz+qoHPQkD5RcajrWOfSKU4alORpgQerSFZ9zMoz9N2rfTVEzCsVUj0Jiwtd5O7pCX9PWBhz1Nl1ItrRPuFiTSKB05dqsQ1CDZAZMDPJNqotd6QRS5+cKzFLgvU6k/gk08/qV00VM+BxlXkh8PwAhaxNPjMxjzqHx0+xC38FtacuhJiOV91Q== roosensjef@gmail.com
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgHqW7mLuaW8XEFJrg031ES7v7y6Uk5QUp++axTd0wzvt5qfqTox9Hg1Xk5C9hdEfYzS5NCU+uoiInR0aHZ3Cl+yxqi3VqDfO20j6Irrt2SOBB86Gsyu9Brj62xtS0rY/e9rmyULJGUtJEz3UmFvn8fE5hUpGjDg7NByFs8f054pzifWw8F/wOvF5rKo9GqkWeXEUZ456FmowXCQLl5SypQliOsHJDs89NiTVvOxiKQXULBhj8o4c0MyCeFfPWqOutSSAetmbnegEjOTy7f/0IiqB+5713KOh1Bm1/u+3J2IVbRgeG1iTJdDVeIxBGmA1wMLvrBtBRIS0MaKa1Xabo3QTgYPHNGrf2w+GMnuoQ6/tdD6omPWGTHXqtHKEeIW1JrlDyhOo86oCl+l2aveMwhFFGW4nQmW7sfrowyLHdU3BpGl4m7pGa+5sTsHiOGEqEN/a7xikztXkuKacQ8E/y1C8gDXgaX8zFl6VOwR5EfMEMX390tz+R+ErDU81h47tSkwbY3KhunSKwPT8jSMldBttnCIexd+QuQgOlSwXkYVPPmXtPUkfp+4VzWSWeGKAa9k3HtVMIvKdVk9eXDVNnVdaAL+EkHyXOyFVVGa9gJ3ZOWhHMNi2/kHAwWMI9CwRxj7AVk30KGBhPN0wdS9Dt8/0Aa33hWuY2p9DxtNaiNw== roosensjef@gmail.com
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkcCTP0IE/ANIXJJIMWEg4f5riS8uv3KuypkzQC47XN roosensjef@gmail.com
--- a/roles/any.common.ssh/tasks/main.yml
+++ b/roles/any.common.ssh/tasks/main.yml
@ -1,4 +1,20 @@
 ---
 - name: Ensure ssh directory is present
  file:
    path: /home/debian/.ssh/
    state: directory
    owner: debian
    group: debian
    mode: '700'
 - name: Ensure authorized keys are present
  copy:
    src: authorized_keys
    dest: /home/debian/.ssh/authorized_keys
    owner: debian
    group: debian
    mode: '600'
 - name: Ensure sshd config is present
  ansible.builtin.copy:
    src: 'sshd_config'
--- a/roles/any.common.static-ip/handlers/main.yml
+++ b/roles/any.common.static-ip/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: restart networking
  service:
    name: networking
    state: restarted
--- a/roles/any.common.static-ip/tasks/main.yml
+++ b/roles/any.common.static-ip/tasks/main.yml
@ -0,0 +1,6 @@
 ---
 - name: Install networking config file.
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces.d/{{ interface }}
  notify: restart networking
--- a/roles/any.common.static-ip/templates/interfaces.j2
+++ b/roles/any.common.static-ip/templates/interfaces.j2
@ -0,0 +1,7 @@
 auto {{ interface }}
 iface {{ interface }} inet static
 	address {{ static_ip }}
 	broadcast {{ broadcast_ip }}
 	netmask 255.255.255.0
 	gateway {{ router_ip }}
 	dns-nameservers {{ router_ip }} 8.8.8.8
--- a/roles/any.software.jellyfin/files/jellyfin-defaults
+++ b/roles/any.software.jellyfin/files/jellyfin-defaults
--- a/roles/any.software.jellyfin/files/jellyfin.Caddyfile
+++ b/roles/any.software.jellyfin/files/jellyfin.Caddyfile
--- a/roles/any.software.jellyfin/files/jellyfin.service.conf
+++ b/roles/any.software.jellyfin/files/jellyfin.service.conf
@ -7,7 +7,7 @@
 User = jellyfin
 # Alter where environment variables are sourced from
-#EnvironmentFile = /etc/default/jellyfin
+EnvironmentFile = /etc/default/jellyfin
 # These *should* prevent Jellyfin from fully consuming my Pi's resources
 CPUQuota=300%
--- a/roles/any.software.jellyfin/handlers/main.yml
+++ b/roles/any.software.jellyfin/handlers/main.yml
@ -3,7 +3,7 @@
  systemd:
    daemon_reload: true
- name: restart-jellyfin
+- name: restart jellyfin
  service:
    name: jellyfin
    state: restarted
--- a/roles/any.software.jellyfin/meta/main.yml
+++ b/roles/any.software.jellyfin/meta/main.yml
@ -0,0 +1,3 @@
 ---
 dependencies:
  - role: any.tools.caddy
--- a/roles/any.software.jellyfin/tasks/main.yml
+++ b/roles/any.software.jellyfin/tasks/main.yml
@ -1,13 +1,12 @@
- name: Add Jellyfin GPG key
+- name: Add Jellyfin repository and key
-  apt_key:
+  ansible.builtin.deb822_repository:
-    url: "https://repo.jellyfin.org/debian/jellyfin_team.gpg.key"
+    name: 'jellyfin'
-    state: present
+    types: 
-
+      - deb
- name: Add Jellyfin repository
+    uris: 'https://repo.jellyfin.org/debian'
-  apt_repository:
+    suites: 'trixie'
-    repo: "deb https://repo.jellyfin.org/debian bookworm main"
+    components: 'main'
-    filename: 'jellyfin'
+    signed_by: 'https://repo.jellyfin.org/debian/jellyfin_team.gpg.key'
    state: present
 - name: Install Jellyfin
  apt:
@ -17,8 +16,8 @@
 - name: Create Jellyfin user
  user:
    name: jellyfin
-    groups:
+    # groups:
-      - data
+    #   - data
    append: true
    create_home: no
    shell: /bin/nologin
@ -33,7 +32,7 @@
    mode: '644'
  notify: 
    - daemon-reload
-    - restart-jellyfin
+    - restart jellyfin
 - name: Copy over Environment file
  copy:
@ -42,7 +41,7 @@
    owner: root
    group: root
    mode: '644'
-  notify: restart-jellyfin
+  notify: restart jellyfin
 - name: Ensure Jellyfin service is running & enabled
  service:
@ -57,4 +56,4 @@
    owner: root
    group: root
    mode: '0644'
-  notify: caddy-reload
+  notify: reload caddy
--- a/roles/any.software.miniflux-podman/files/miniflux-app.container
+++ b/roles/any.software.miniflux-podman/files/miniflux-app.container
@ -0,0 +1,14 @@
 # vim: ft=systemd
 [Unit]
 Requires=miniflux-postgres.service
 [Container]
 Image=docker.io/miniflux/miniflux:2.2.7
 EnvironmentFile=/etc/miniflux/miniflux.env
 Pod=miniflux.pod
 [Service]
 Restart=always
 [Install]
 WantedBy=default.target
--- a/roles/any.software.miniflux-podman/files/miniflux.Caddyfile
+++ b/roles/any.software.miniflux-podman/files/miniflux.Caddyfile
@ -0,0 +1,5 @@
 nws.roosens.me {
    reverse_proxy localhost:8002 {
        header_down +X-Robots-Tag "none"
    }
 }
--- a/roles/any.software.miniflux-podman/files/miniflux.backup.sh
+++ b/roles/any.software.miniflux-podman/files/miniflux.backup.sh
@ -0,0 +1,5 @@
 cd /etc/miniflux
 /usr/bin/docker compose exec -T db pg_dump -U miniflux miniflux |
    /usr/bin/gzip --rsyncable |
    /usr/local/bin/restic backup --stdin --stdin-filename miniflux-postgres.sql.gz
--- a/roles/any.software.miniflux-podman/files/miniflux.pod
+++ b/roles/any.software.miniflux-podman/files/miniflux.pod
@ -0,0 +1,3 @@
 # vim: ft=systemd
 [Pod]
 PublishPort=127.0.0.1:8002:8080
--- a/roles/any.software.miniflux-podman/meta/main.yml
+++ b/roles/any.software.miniflux-podman/meta/main.yml
@ -0,0 +1,3 @@
 ---
 dependencies:
  - role: any.tools.caddy
--- a/roles/any.software.miniflux-podman/tasks/main.yml
+++ b/roles/any.software.miniflux-podman/tasks/main.yml
@ -0,0 +1,67 @@
 ---
 - name: Ensure systemd directory is present
  ansible.builtin.file:
    path: '/home/debian/.config/containers/systemd'
    state: 'directory'
    mode: '0755'
    owner: 'debian'
    group: 'debian'
 - name: Ensure Quadlet files are present
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/home/debian/.config/containers/systemd/{{ item }}"
    mode: '0755'
    owner: 'debian'
    group: 'debian'
  loop:
    - 'miniflux-postgres.container'
 - name: Ensure Quadlet files is present
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/home/debian/.config/containers/systemd/{{ item }}"
    mode: '0755'
    owner: 'debian'
    group: 'debian'
  loop:
    - 'miniflux-app.container'
    - 'miniflux.pod'
 - name: Ensure configuration directory is present
  ansible.builtin.file:
    path: '/etc/miniflux'
    state: directory
    mode: '0755'
 - name: Ensure environment file is present
  ansible.builtin.template:
    src: 'miniflux.env.j2'
    dest: '/etc/miniflux/miniflux.env'
    mode: '0644'
    owner: 'root'
    group: 'root'
  register: res
 - name: Ensure Caddyfile is present
  copy:
    src: 'miniflux.Caddyfile'
    dest: '/etc/caddy/miniflux.Caddyfile'
    owner: root
    group: root
    mode: '0644'
  notify: reload caddy
 # - name: Ensure stack is deployed
 #   ansible.builtin.shell:
 #     chdir: '/etc/miniflux'
 #     cmd: 'docker compose up -d --remove-orphans'
 #   when: 'res.changed'
 # - name: Ensure backup script is present
 #   ansible.builtin.copy:
 #     src: 'miniflux.backup.sh'
 #     dest: '/etc/backups/miniflux.backup.sh'
 #     owner: 'root'
 #     group: 'root'
 #     mode: '0644'
--- a/roles/any.software.miniflux-podman/templates/compose.yml.j2
+++ b/roles/any.software.miniflux-podman/templates/compose.yml.j2
@ -0,0 +1,47 @@
 # vim: ft=yaml
 version: '3'
 name: 'miniflux'
 services:
  app:
    image: 'miniflux/miniflux:2.2.7'
    restart: 'always'
    # depends_on:
    #   db:
        # condition: service_healthy
    environment:
      - DATABASE_URL=postgres://miniflux:miniflux@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=admin
      - ADMIN_PASSWORD=password
      # Don't stress the system too much
      - WORKER_POOL_SIZE=1
      - BASE_URL=https://nws.roosens.me
      # Default scheduling settings should be good
      # I'm a hoarder
      - CLEANUP_ARCHIVE_UNREAD_DAYS=-1
      - CLEANUP_ARCHIVE_READ_DAYS=-1
    ports:
      - "127.0.0.1:8002:8080"
  db:
    image: 'postgres:16.1-alpine'
    restart: 'always'
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "miniflux"]
      interval: 10s
      start_period: 30s
    environment:
      - POSTGRES_USER=miniflux
      - POSTGRES_PASSWORD=miniflux
      - POSTGRES_DB=miniflux
    volumes:
      - /mnt/data1/miniflux/postgres:/var/lib/postgresql/data
--- a/roles/any.software.miniflux-podman/templates/miniflux-postgres.container.j2
+++ b/roles/any.software.miniflux-podman/templates/miniflux-postgres.container.j2
@ -0,0 +1,15 @@
 # vim: ft=systemd
 [Container]
 Image=docker.io/postgres:16.1-alpine
 Environment=POSTGRES_USER=miniflux POSTGRES_PASSWORD=miniflux POSTGRES_DB=miniflux
 HealthCmd=["pg_isready","-U","miniflux"]
 HealthInterval=10s
 HealthStartPeriod=30s
 Pod=miniflux.pod
 Notify=healthy
 Volume={{ postgres_data_dir }}:/var/lib/postgresql/data
 [Service]
 Restart=always
--- a/roles/any.software.miniflux-podman/templates/miniflux.env.j2
+++ b/roles/any.software.miniflux-podman/templates/miniflux.env.j2
@ -0,0 +1,11 @@
 DATABASE_URL=postgres://miniflux:miniflux@localhost:5432/miniflux?sslmode=disable
 RUN_MIGRATIONS=1
 CREATE_ADMIN=1
 ADMIN_USERNAME={{ miniflux_admin_username }}
 ADMIN_PASSWORD={{ miniflux_admin_password }}
 WORKER_POOL_SIZE=1
 BASE_URL=https://nws.roosens.me
 CLEANUP_ARCHIVE_UNREAD_DAYS=-1
 CLEANUP_ARCHIVE_READ_DAYS=-1
--- a/roles/any.software.papermc-podman/files/Dockerfile
+++ b/roles/any.software.papermc-podman/files/Dockerfile
@ -0,0 +1,68 @@
 ARG BASE_IMAGE
 # Build dumb-init
 FROM alpine AS dumb-init-builder
 ARG DI_VER=1.2.5
 WORKDIR /app
 # Build dumb-init & download tshock
 RUN apk add --update --no-cache build-base unzip curl && \
    curl -Lo - "https://github.com/Yelp/dumb-init/archive/refs/tags/v${DI_VER}.tar.gz" | tar -xzf - && \
    cd "dumb-init-${DI_VER}" && \
    make SHELL=/bin/sh && \
    mv dumb-init ..
 # We use ${:-} instead of a default value because the argument is always passed
 # to the build, it'll just be blank most likely
 FROM ${BASE_IMAGE:-'eclipse-temurin:21-jre-alpine'}
 # Build arguments
 ARG MC_VERSION
 ARG PAPERMC_VERSION
 COPY ./alex /bin/alex
 # Install alex binary
 # ADD "https://git.rustybever.be/api/packages/Chewing_Bever/generic/alex/0.4.0/alex-linux-amd64" /bin/alex
 # RUN chmod +x /bin/alex && \
 #     addgroup -Sg 1000 paper && \
 #     adduser -SHG paper -u 1000 paper
 # Create worlds and config directory
 WORKDIR /app
 RUN mkdir -p worlds config/cache backups
 # Download server file
 # ADD "https://papermc.io/api/v2/projects/paper/versions/$MC_VERSION/builds/$PAPERMC_VERSION/downloads/paper-$MC_VERSION-$PAPERMC_VERSION.jar" server.jar
 ADD "https://fill-data.papermc.io/v1/objects/0b32aa197452047a51772af05bb9fddc264304ad780dca87425a726d68f89149/paper-1.21.10-127.jar" server.jar
 # Make sure the server user can access all necessary folders
 # RUN chown -R paper:paper /app
 # Store the cache in an anonymous volume, which means it won't get stored in the other volumes
 # VOLUME /app/config/cache
 ENV ALEX_JAR=/app/server.jar \
    ALEX_CONFIG=/app/config \
    ALEX_WORLD=/app/worlds \
    ALEX_BACKUP=/app/backups \
    ALEX_SERVER=paper \
    ALEX_SERVER_VERSION="${MC_VERSION}-${PAPERMC_VERSION}"
 # Document exposed ports
 EXPOSE 25565
 # Switch to non-root user
 # USER paper:paper
 COPY --from=dumb-init-builder /app/dumb-init /dumb-init
 ENTRYPOINT ["/dumb-init", "--"]
 CMD /bin/alex run
 # HEALTHCHECK --interval=30s --timeout=5s --start-period=1m --retries=5 \
 #     CMD mcstatus localhost:25565 ping
--- a/roles/any.software.papermc-podman/files/alex
+++ b/roles/any.software.papermc-podman/files/alex
--- a/roles/any.software.papermc-podman/files/papermc.container
+++ b/roles/any.software.papermc-podman/files/papermc.container
@ -0,0 +1,23 @@
 # vim: ft=systemd
 [Unit]
 Description=Self-hostable Minecraft server
 [Container]
 Image=papermc:1.21.10
 EnvironmentFile=/etc/papermc/papermc.env
 Pull=never
 PodmanArgs=--tty
 PublishPort=25565:25565
 Volume=/data/papermc/config:/app/config
 Volume=/data/papermc/worlds:/app/worlds
 Volume=/data/papermc/backups:/app/backups
 Volume=/data/papermc/cache:/app/config/cache
 [Service]
 Restart=always
 [Install]
 WantedBy=default.target
--- a/roles/any.software.papermc-podman/files/papermc.env
+++ b/roles/any.software.papermc-podman/files/papermc.env
@ -0,0 +1,3 @@
 ALEX_XMS=4096
 ALEX_XMX=6144
 ALEX_LAYERS=30min,30,1,48;daily,1440,7,1
--- a/roles/any.software.papermc-podman/tasks/main.yml
+++ b/roles/any.software.papermc-podman/tasks/main.yml
@ -0,0 +1,54 @@
 ---
 - name: Ensure data directory is present
  ansible.builtin.file:
    path: '/data/papermc/{{ item }}'
    state: directory
    mode: '0755'
    owner: 'debian'
    group: 'debian'
  loop:
    - 'cache'
    - 'worlds'
    - 'config'
    - 'backups'
 - name: Ensure configuration directory is present
  ansible.builtin.file:
    path: '/etc/papermc'
    state: directory
    mode: '0755'
 - name: Ensure files are present
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/etc/papermc/{{ item }}'
    mode: '0644'
    owner: 'root'
    group: 'root'
  loop:
    - 'papermc.env'
    - 'Dockerfile'
    - 'alex'
 - name: Ensure user configuration directory is present
  ansible.builtin.file:
    path: '/home/debian/.config/containers/systemd'
    state: directory
    owner: 'debian'
    group: 'debian'
    mode: '0755'
 - name: Ensure Container unit files are present
  ansible.builtin.copy:
    src: "papermc.container"
    dest: "/home/debian/.config/containers/systemd/papermc.container"
    mode: '0644'
    owner: 'debian'
    group: 'debian'
  register: res
 - name: systemd-reload
  ansible.builtin.systemd_service:
    daemon_reload: true
    scope: "user"
  when: 'res.changed'
--- a/roles/any.software.webdav/files/webdav.Caddyfile
+++ b/roles/any.software.webdav/files/webdav.Caddyfile
@ -0,0 +1,5 @@
 webdav.roosens.me {
    reverse_proxy localhost:8018 {
        header_down +X-Robots-Tag "none"
    }
 }
--- a/roles/any.software.webdav/files/webdav.data.backup.sh
+++ b/roles/any.software.webdav/files/webdav.data.backup.sh
@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 data_dir='/mnt/data1/webdav/data'
 snapshot_dir="${data_dir}.snapshot"
 # Read-only snapshot for atomic backup
 btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
 /usr/local/bin/restic backup "$snapshot_dir"
 # Always remove snapshot subvolume, even if restic fails
 btrfs subvolume delete "$snapshot_dir"
--- a/roles/any.software.webdav/files/webdav.service
+++ b/roles/any.software.webdav/files/webdav.service
@ -0,0 +1,15 @@
 [Unit]
 Description=WebDAV
 After=network.target network-online.target
 Requires=network-online.target
 [Service]
 Type=exec
 User=webdav
 Group=webdav
 ExecStart=/usr/local/bin/webdav --config /etc/webdav/config.toml
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/roles/any.software.webdav/handlers/main.yml
+++ b/roles/any.software.webdav/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: 'restart webdav'
  ansible.builtin.service:
    name: 'webdav'
    state: 'restarted'
--- a/roles/any.software.webdav/tasks/main.yml
+++ b/roles/any.software.webdav/tasks/main.yml
@ -0,0 +1,107 @@
 ---
 # Download latest version of binary
 - name: Ensure download directory is present
  ansible.builtin.file:
    path: "/home/debian/webdav/{{ webdav_version }}"
    state: directory
    mode: '0755'
 - name: Ensure compressed binary is downloaded
  ansible.builtin.get_url:
    url: "https://github.com/hacdias/webdav/releases/download/v{{ webdav_version }}/linux-amd64-webdav.tar.gz"
    dest: "/home/debian/webdav/{{ webdav_version }}/webdav-{{ webdav_version }}.tar.gz"
  register: res
 - name: Ensure binary is decompressed
  ansible.builtin.shell:
    chdir: "/home/debian/webdav/{{ webdav_version }}"
    cmd: "tar --extract --gzip --file webdav-{{ webdav_version }}.tar.gz"
  when: 'res.changed'
 - name: Ensure binary is copied to correct location
  ansible.builtin.copy:
    src: "/home/debian/webdav/{{ webdav_version }}/webdav"
    remote_src: true
    dest: '/usr/local/bin/webdav'
    owner: 'root'
    group: 'root'
    mode: '0755'
  when: 'res.changed'
  notify: 'restart webdav'
 # Set up system user and data directories
 - name: Ensure system group exists
  ansible.builtin.group:
    name: 'webdav'
    gid: 5000
    system: true
    state: present
 - name: Ensure system user exists
  ansible.builtin.user:
    name: 'webdav'
    group: 'webdav'
    uid: 5000
    system: true
    create_home: false
 - name: Ensure subvolume permissions are correct
  ansible.builtin.file:
    path: "{{ data_dir }}"
    state: directory
    mode: '0755'
    owner: 'webdav'
    group: 'webdav'
 # Set up configuration, backup scripts and systemd service
 - name: Ensure configuration directory is present
  ansible.builtin.file:
    path: '/etc/webdav'
    state: directory
    mode: '0755'
 - name: Ensure config file is present
  ansible.builtin.template:
    src: 'config.toml.j2'
    dest: '/etc/webdav/config.toml'
    mode: '0644'
    owner: 'root'
    group: 'root'
  notify: 'restart webdav'
 # - name: Ensure backup scripts are present
 #   ansible.builtin.copy:
 #     src: "webdav.{{ item }}.backup.sh"
 #     dest: "/etc/backups/webdav.{{ item }}.backup.sh"
 #     owner: 'root'
 #     group: 'root'
 #     mode: '0644'
 #   loop:
 #     - 'data'
 - name: Ensure Caddyfile is present
  ansible.builtin.copy:
    src: "webdav.Caddyfile"
    dest: "/etc/caddy/webdav.Caddyfile"
    owner: 'root'
    group: 'root'
    mode: '0644'
 - name: Ensure service file is present
  ansible.builtin.copy:
    src: 'webdav.service'
    dest: '/lib/systemd/system/webdav.service'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: res
 - name: systemd-reload
  ansible.builtin.systemd_service:
    daemon_reload: true
  when: 'res.changed'
 # - name: Ensure webdav service is enabled
 #   ansible.builtin.service:
 #     name: 'webdav'
 #     enabled: true
--- a/roles/any.software.webdav/templates/config.toml.j2
+++ b/roles/any.software.webdav/templates/config.toml.j2
@ -0,0 +1,31 @@
 address = '127.0.0.1'
 port = 8018
 # Handled by reverse proxy
 tls = false
 prefix = '/'
 debug = false
 noSniff = false
 behindProxy = true
 directory = '{{ data_dir }}'
 permissions = 'R'
 rulesBehavior = 'overwrite'
 [log]
 format = 'console'
 # Color output isn't useful when ingested via systemd
 colors = false
 outputs = ['stdout']
 [cors]
 enabled = false
 [[users]]
 username = '{{ webdav_user }}'
 password = '{{ webdav_password }}'
 permissions = 'CRUD'
 # vim: ft=toml
--- a/roles/jellyfin/meta/main.yml
+++ b/roles/jellyfin/meta/main.yml
@ -1,3 +0,0 @@
 ---
 dependencies:
  - role: caddy
Author	SHA1	Message	Date
Jef Roosens	1fed7d327a	any.software.webdav: added role	2025-12-23 22:51:12 +01:00
Jef Roosens	74cf571e05	any.software.miniflux-podman: added role	2025-12-23 22:49:58 +01:00
Jef Roosens	adb96c3028	Migrated jellyfin role to new format	2025-12-21 21:44:17 +01:00
Jef Roosens	75e0f73ba8	Added emma play and updated roles for multi-server setup	2025-12-21 21:43:27 +01:00
Jef Roosens	dc538a3971	added boomhut play and papermc role	2025-12-21 21:42:37 +01:00