Add new roles to emma playbook

inventory/group_vars/emma/vault.yml

@@ -1,35 +1,49 @@
 $ANSIBLE_VAULT;1.1;AES256
-65386638663231383730366662326664386366383763643266666534336439396234343161333038
-3633373235656264623038653734663934663439346333310a643531633337646330656133313461
-62643165303132373437366466636538363630333737343238613334386362323733613539393335
-6563353766653733650a333032376561313731356336333565396539653931323637303263613965
-36353939613037636239353736383837363930376264326139306564343532623761613336656239
-34303732326331623331363764373961366534386562663134663634306365616436323138366136
-36656261646631393232373337646535316261333435326564656262663737393232616536316532
-63623234343932313661636166643730313661633531313764653861653139646365346239343134
-37663735646134623531343762303538623565626162313263373236643464326334363739376632
-32623361626332336630663836366563623235376138366431333731333764613935386633336131
-61636563396361326661393635393038343133363535313763363039646336393030303638316665
-65316261303435643533306338613433366236613431316261393262303939643431303263366634
-37626334313066323762343236313161356338616262326266373861356238636238313963303362
-39346234656133653230373835393537323362373966346163343938616530316562636264313239
-33656561626164343865306164656166633938653034396563316636653663376638613362383962
-37633964386662346565303961663731663865663134646433333964393431333837643861386366
-63643636643638383436623964353063616538303538623561663435366330306230633861353435
-65346532663138633533363163653864373330336336383065346332333965663836336134366630
-37643564333232393838346536373132303630303732323666343664636335336335396364636337
-31626331386631336436363933353730396631646235333164376231323438356633316566633931
-66343061393338356232353462376636623139393436366364383332396233313665343261323663
-62306566336234383162316133366432383064613461663231626238336431313865633236313936
-38336130636435653537653237383866343536623634313664653837646135333561366135646262
-36613037333039326362386233356530663738666537643334353364656464623230363035353134
-31633263313737393033633361386239613336353933303563353935313666636138393337383764
-31363938663235386334343431313362393337393936643662663965336263386662353635393234
-38623064306235343862343966346339633866323939323166303636646461306364613432396261
-32666539666238626531636638303861643931623232386564386536363438636362646465643339
-32613562353639303331633463386166313935323036373730623438326236393835313136336238
-33666563396364613961323862316530663036356566356239313964306138623139323933306565
-61663562663931376563643833316166633465363132616530363739346432643762666230656466
-38646164306237366166386338386230666636326465663762636133363534663636303031343734
-36343535653461366233613763343835303838653336376462393631333539383333303632333866
-3761663065623631396331303465656136393962366362376432
+65626333343266643235663938663438356638613431393864666264636364363431316436636234
+3065623230376661396633643138633766633563393461380a636664373666646435643235653232
+30313935623961366634656134643834636239623836633864643961376237653531336238363135
+3662316535303637640a363863353263633661343635346238616335353232303261326163323233
+32373237303864353037643966656563323331326161623334636238666237383735643532626566
+64363931363932383263666434393139396137613934663134616430396537616566333835333865
+66653239363539363432363735353930393239333063623339623330666432323635356363376337
+39643938653737343633663665343132613236326666336434613966343134613035343562356133
+64613630613037663638633439306433633261373731306564363133633832326632623733313434
+64376538313634333564343263636436323230663935363964396636666532333331313535323962
+34623764666362643031643339356163366132336239366639333939633965383736383839646261
+30343331626434366662613139306335336231643066356465363763383237636466636162393266
+31613432643835306230386536323438366537313137626361326338363539303031326439303065
+66343634653034643964636333383131333530636330346462653336633435356430663234376539
+33633963616630396134366632613139366134313430363764303738636263623362373332336266
+35616461306635343364636634396664316635383164323933396233613539353436373264616137
+38373335333631303133363730626365643765366462373337386132343361303230626661613431
+32363334636563613333646633323261316534386138616133663539393864353863353431396563
+37386166326133653734666266383932633638333930623835333164303366633432303563386661
+63313032643733643738383731623838623939316330613465653165666166356366646537313431
+35613662363331323530323563613438616362353838616463623963616231653730613264383439
+30386164356537326639313636303636386631613363323863653566363730366664633935376236
+36646539653865383633643733383038313032356433623434343666386231633537646638376436
+61636464353565336131396231643433353063303934326533306565623533303466633631363737
+61636464393931636461343038323434346464363438373039346338666536323363366533636535
+31346336393162653232323766323962373039373236353862383266313238386634343333343461
+64393633656361313635343764373564623039396634626332323664326464626631646562623930
+31396566353366393362623432376635366165353064653830333736373630353563323836346430
+33326132366365616265626137383235353838653634393366313233343033626334383339663535
+39333531353734653235323730633363613938303765633637373765663737633536313237626565
+65336335633233626137643339386362313534393336656637326335643137333330656330386362
+30656265356232343638393761303765396363656437316339396637306264623830373761363962
+37663865303833366165623934343963666633616366376435393239373862646562383462393964
+62373636633436643636346666663339313338646534383135316462346366373462346637313662
+64363433666137643734393338326132393865343135663435323566666530363561343766646435
+63653735623564323661333734643236646534663133633331616565353039626364366337333834
+64366161636662616639613464396563623231386230636561666134383139323431383933613937
+62613838383332343438313939333434646632353435643832376363353539333530306530323165
+39303533393762353138623537363461333138383066383838376663636339626632643534303961
+63646163333533623536663565623833303238623235633239613763653930363065666435376437
+31383030313831643965386531396664363035306439626266353030363738376232366138306436
+30336663313335313233313235653133313866353666336463376264393965636633636436643235
+36653363363533343037353632646439366130396638343362626434376637313533383166356231
+61646161303430396264376433363161313032366265666133333566616463636431643035393763
+63653437353839393665643138663562633864633662343935313634386466366535326361633737
+38363963386334376538626365363362663833376139363163636332313231666565393532646533
+64386230313436316138643834373462643330336366323863336463356265376461346261356464
+35643230353939333830

plays/emma.yml

@@ -61,6 +61,37 @@
         webdav_password: "{{ vault_webdav_password }}"
         webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"
 
+- name: Set up Gitea
+  hosts: emma
+  become: yes
+  tags: gitea
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          # Data files and LFS are placed on RAID
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/gitea/data"
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/gitea/lfs"
+
+          # Repositories and database are stored in NVME
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/gitea/repositories"
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/gitea/postgres"
+
+    - role: any.software.gitea
+      vars:
+        gitea_data_dir: '{{ btrfs_raid.path }}/gitea/data'
+        gitea_lfs_dir: '{{ btrfs_raid.path }}/gitea/lfs'
+        gitea_repositories_dir: '{{ btrfs_nvme.path }}/data/gitea/repositories'
+        postgres_data_dir: '{{ btrfs_nvme.path }}/data/gitea/postgres'
+
 - name: Set up Otter
   hosts: emma
   become: yes
@@ -75,3 +106,111 @@
     - role: any.software.otter
       vars:
         data_dir: '{{ btrfs_nvme.path }}/data/otter/data'
+
+- name: Set up Nefarious
+  hosts: emma
+  become: yes
+  tags: nefarious
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/nefarious/nefarious"
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/nefarious/jackett"
+    - role: any.software.nefarious-podman
+      vars:
+        host_download_dir: "/mnt/data1/media"
+        transmission_settings_path: "/etc/nefarious/transmission-settings.json"
+        nefarious_config_dir: "/mnt/data1/nefarious/nefarious"
+        jackett_data_dir: "/mnt/data1/nefarious/jackett"
+        nefarious_admin_user: "{{ vault_nefarious_admin_user }}"
+        nefarious_admin_pass: "{{ vault_nefarious_admin_pass }}"
+
+- name: Set up Actual
+  hosts: emma
+  tags: actual
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/actual/data"
+      become: true
+    - role: any.software.actual-podman
+      vars:
+        data_dir: '/data/actual/data'
+
+- name: Set up Baikal
+  hosts: emma
+  tags: baikal
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/baikal/config"
+      become: true
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/baikal/Specific"
+      become: true
+    - role: any.software.baikal-podman
+      vars:
+        baikal_config_dir: '/data/baikal/config'
+        baikal_specific_dir: '/data/baikal/Specific'
+
+- name: Set up Syncthing
+  hosts: emma
+  tags: syncthing
+  become: true
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/syncthing/data"
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/syncthing/config"
+          - filesystem_uuid: "{{ btrfs_raid.uuid }}"
+            filesystem_path: "{{ btrfs_raid.path }}"
+            name: "/syncthing/home"
+    - role: any.software.syncthing
+      vars:
+        syncthing_data_dir: '/mnt/data1/syncthing/data'
+        syncthing_home_dir: '/mnt/data1/syncthing/home'
+        syncthing_config_dir: '/mnt/data1/syncthing/config'
+
+- name: Set up Monica
+  hosts: emma
+  tags: monica
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/monica/data"
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/monica/mariadb"
+      become: true
+    - role: any.software.monica-podman
+      vars:
+        monica_data_dir: '/data/monica/data'
+        mariadb_data_dir: '/data/monica/mariadb'
+    # - role: any.software.syncthing
+    #   vars:
+    #     syncthing_data_dir: '/mnt/data1/syncthing/data'
+    #     syncthing_home_dir: '/mnt/data1/syncthing/home'
+    #     syncthing_config_dir: '/mnt/data1/syncthing/config'

roles/any.software.baikal-podman/files/baikal.Caddyfile

@@ -0,0 +1,5 @@
+dav.roosens.me {
+    reverse_proxy localhost:8005 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.baikal-podman/files/baikal.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/baikal'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.baikal-podman/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: 'restart baikal'
+  ansible.builtin.systemd_service:
+    name: 'baikal'
+    state: 'restarted'
+
+    scope: 'user'
+    daemon_reload: true

roles/any.software.baikal-podman/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: any.tools.caddy
+    become: true

roles/any.software.baikal-podman/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Ensure data directories are present
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: directory
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  become: true
+  loop:
+    - '{{ baikal_specific_dir }}'
+    - '{{ baikal_config_dir }}'
+
+- name: Ensure Quadlet files are present
+  ansible.builtin.template:
+    src: "baikal.container.j2"
+    dest: "/home/debian/.config/containers/systemd/baikal.container"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  notify: 'restart baikal'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'baikal.Caddyfile'
+    dest: '/etc/caddy/baikal.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  become: true
+  notify: 'reload caddy'
+
+# - name: Ensure backup script is present
+#   ansible.builtin.copy:
+#     src: 'baikal.backup.sh'
+#     dest: '/etc/backups/baikal.backup.sh'
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'

roles/any.software.baikal-podman/templates/baikal.container.j2

@@ -0,0 +1,14 @@
+# vim: ft=systemd
+[Container]
+Image=docker.io/ckulka/baikal:0.9.4-nginx
+
+PublishPort=127.0.0.1:8005:80
+
+Volume={{ baikal_config_dir }}:/var/www/baikal/config
+Volume={{ baikal_specific_dir }}:/var/www/baikal/Specific
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.monica-podman/files/monica.Caddyfile

@@ -0,0 +1,5 @@
+prm.roosens.me {
+    reverse_proxy localhost:8001 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.monica-podman/files/monica.pod

@@ -0,0 +1,3 @@
+# vim: ft=systemd
+[Pod]
+PublishPort=8001:80

roles/any.software.monica-podman/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: 'restart monica'
+  ansible.builtin.systemd_service:
+    name: 'monica-app'
+    state: 'restarted'
+
+    scope: 'user'
+    daemon_reload: true
+
+- name: 'restart mariadb'
+  ansible.builtin.systemd_service:
+    name: 'monica-mariadb'
+    state: 'restarted'
+
+    scope: 'user'
+    daemon_reload: true

roles/any.software.monica-podman/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: any.tools.caddy
+    become: true

roles/any.software.monica-podman/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/monica'
+    state: directory
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  become: true
+
+- name: Ensure Monica Quadlet file is present
+  ansible.builtin.template:
+    src: 'monica-app.container.j2'
+    dest: '/home/debian/.config/containers/systemd/monica-app.container'
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  notify: 'restart monica'
+
+- name: Ensure MariaDB Quadlet file is present
+  ansible.builtin.template:
+    src: 'monica-mariadb.container.j2'
+    dest: '/home/debian/.config/containers/systemd/monica-mariadb.container'
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  notify: 'restart mariadb'
+
+- name: Ensure Pod file is present
+  ansible.builtin.copy:
+    src: 'monica.pod'
+    dest: '/home/debian/.config/containers/systemd/monica.pod'
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  notify: 'restart monica'
+
+- name: Ensure Monica environment file is present
+  ansible.builtin.template:
+    src: 'monica.env.j2'
+    dest: '/etc/monica/monica.env'
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  notify: 'restart monica'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'monica.Caddyfile'
+    dest: '/etc/caddy/monica.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  become: true
+  notify: 'reload caddy'

roles/any.software.monica-podman/templates/monica-app.container.j2

@@ -0,0 +1,17 @@
+# vim: ft=systemd
+[Unit]
+Requires=monica-mariadb.service
+After=monica-mariadb.service
+
+[Container]
+Image=docker.io/monica:3.7.0-apache
+Pod=monica.pod
+
+EnvironmentFile=/etc/monica/monica.env
+Volume={{ monica_data_dir }}:/var/www/html/storage
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.monica-podman/templates/monica-mariadb.container.j2

@@ -0,0 +1,13 @@
+# vim: ft=systemd
+[Unit]
+StopWhenUnneeded=true
+
+[Container]
+Image=docker.io/mariadb:10.7.1
+Pod=monica.pod
+
+Environment="MARIADB_ROOT_PASSWORD={{ monica_mariadb_root_pass }}" MARIADB_USER=monica MARIADB_PASSWORD=monica MARIADB_DATABASE=monica
+Volume={{ mariadb_data_dir }}:/var/lib/mysql
+
+[Service]
+Restart=always

roles/any.software.monica-podman/templates/monica.env.j2

@@ -0,0 +1,56 @@
+APP_ENV=production
+APP_DEBUG=false
+APP_KEY={{ monica_app_key }}
+HASH_SALT={{ monica_hash_salt }}
+HASH_LENGTH=18
+APP_URL=https://prm.roosens.me
+APP_FORCE_URL=false
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=monica
+DB_USERNAME=monica
+DB_PASSWORD=monica
+DB_PREFIX=
+DB_TEST_HOST=127.0.0.1
+DB_TEST_DATABASE=monica_test
+DB_TEST_USERNAME=homestead
+DB_TEST_PASSWORD=secret
+DB_USE_UTF8MB4=true
+MAIL_MAILER=smtp
+MAIL_HOST=mailtrap.io
+MAIL_PORT=2525
+MAIL_USERNAME=
+MAIL_PASSWORD=
+MAIL_ENCRYPTION=
+MAIL_FROM_ADDRESS=
+MAIL_FROM_NAME=Monica instance
+APP_EMAIL_NEW_USERS_NOTIFICATION=
+APP_DISABLE_SIGNUP=true
+APP_SIGNUP_DOUBLE_OPTIN=false
+APP_TRUSTED_PROXIES=*
+APP_TRUSTED_CLOUDFLARE=false
+LOG_CHANNEL=daily
+SENTRY_SUPPORT=false
+SENTRY_LARAVEL_DSN=
+CHECK_VERSION=true
+SESSION_LIFETIME=120
+QUEUE_CONNECTION=sync
+DEFAULT_MAX_UPLOAD_SIZE=10240
+DEFAULT_MAX_STORAGE_SIZE=51200
+DEFAULT_FILESYSTEM=public
+AWS_KEY=
+AWS_SECRET=
+AWS_REGION=us-east-1
+AWS_BUCKET=
+AWS_SERVER=
+MFA_ENABLED=true
+DAV_ENABLED=true
+PASSPORT_PERSONAL_ACCESS_CLIENT_ID=
+PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=
+ALLOW_STATISTICS_THROUGH_PUBLIC_API_ACCESS=false
+POLICY_COMPLIANT=true
+ENABLE_GEOLOCATION=false
+LOCATION_IQ_API_KEY=
+ENABLE_WEATHER=false
+DARKSKY_API_KEY=

roles/any.software.nefarious-podman/files/nefarious-redis.container

@@ -0,0 +1,6 @@
+[Container]
+Image=docker.io/redis:6-alpine
+Pod=nefarious.pod
+
+[Service]
+Restart=always

roles/any.software.nefarious-podman/files/nefarious.Caddyfile

@@ -0,0 +1,5 @@
+nf.roosens.me {
+    reverse_proxy localhost:8006 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/any.software.nefarious-podman/files/nefarious.pod

@@ -0,0 +1,6 @@
+# vim: ft=systemd
+[Pod]
+PublishPort=127.0.0.1:8006:80
+PublishPort=8007:9117
+PublishPort=8008:9091
+PublishPort=51413:51413

roles/any.software.nefarious-podman/files/transmission-settings.json

@@ -0,0 +1,10 @@
+{
+    "download-dir": "/downloads/complete",
+    "incomplete-dir": "/downloads/incomplete",
+    "rpc-whitelist": "*",
+    "rpc-host-whitelist-enabled": "false",
+    "port-forwarding-enabled": true,
+    "peer-port": 51413,
+    "peer-port-random-on-start": false,
+    "peer-socket-tos": "default"
+}

roles/any.software.nefarious-podman/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+- name: Ensure subvolume permissions are correct
+  ansible.builtin.file:
+    path: "/mnt/data1/nefarious/{{ item.dir }}"
+    state: directory
+    mode: '0755'
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+  loop:
+    - dir: 'nefarious'
+      owner: 1000
+      group: 1000
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/nefarious'
+    state: directory
+    mode: '0755'
+
+- name: Ensure Transmission config file is present
+  ansible.builtin.copy:
+    src: 'transmission-settings.json'
+    dest: '/etc/nefarious/transmission-settings.json'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Ensure Quadlet files is present
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/home/debian/.config/containers/systemd/{{ item }}"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'nefarious-app.container'
+    - 'nefarious-celery.container'
+    - 'nefarious-jackett.container'
+    - 'nefarious-transmission.container'
+
+- name: Ensure Quadlet files is present
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/home/debian/.config/containers/systemd/{{ item }}"
+    mode: '0755'
+    owner: 'debian'
+    group: 'debian'
+  loop:
+    - 'nefarious-redis.container'
+    - 'nefarious.pod'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'nefarious.Caddyfile'
+    dest: '/etc/caddy/nefarious.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  # notify: reload caddy

roles/any.software.nefarious-podman/templates/compose.yml.j2

@@ -0,0 +1,61 @@
+# vim: set ft=yaml
+name: 'nefarious'
+services:
+  app:
+    image: 'lardbit/nefarious:latest'
+    restart: 'always'
+
+    environment:
+      - 'DATABASE_URL=sqlite:////config/db.sqlite3'
+      - 'REDIS_HOST=redis'
+      - 'HOST_DOWNLOAD_PATH=/mnt/data1/media'
+      - 'NEFARIOUS_USER={{ nefarious_admin_user }}'
+      - 'NEFARIOUS_PASS={{ nefarious_admin_pass }}'
+      - 'CONFIG_PATH=/config'
+    ports:
+      - '8006:80'
+    volumes:
+      - '/mnt/data1/nefarious/nefarious:/config'
+
+  celery:
+    image: 'lardbit/nefarious:latest'
+    restart: 'always'
+    entrypoint: '/app/entrypoint-celery.sh'
+
+    environment:
+      - 'DATABASE_URL=sqlite:////config/db.sqlite3'
+      - 'REDIS_HOST=redis'
+      - 'CONFIG_PATH=/config'
+      - 'NUM_CELERY_WORKERS=1'
+    volumes:
+      - '/mnt/data1/nefarious/nefarious:/config'
+
+  redis:
+    image: 'redis:6-alpine'
+    restart: always
+
+  jackett:
+    image: 'linuxserver/jackett:latest'
+    restart: always
+
+    ports:
+      - '8007:9117'
+    volumes:
+      - '/mnt/data1/nefarious/jackett:/config'
+
+  transmission:
+    image: 'linuxserver/transmission:4.0.5'
+    restart: 'always'
+    
+    environment:
+      - 'PUID=1000'
+      - 'PGID=1000'
+      - 'TZ=Europe/Brussels'
+      - 'USER='
+      - 'PASS='
+    ports:
+      - '8008:9091'
+      - '51413:51413'
+    volumes:
+      - '/etc/nefarious/transmission-settings.json:/config/settings.json:ro'
+      - '/mnt/data1/media:/downloads'

roles/any.software.nefarious-podman/templates/nefarious-app.container.j2

@@ -0,0 +1,19 @@
+# vim: ft=systemd
+[Unit]
+Requires=nefarious-celery.service nefarious-redis.service nefarious-jackett.service nefarious-transmission.service
+After=nefarious-redis.service
+
+[Container]
+Image=docker.io/lardbit/nefarious:latest
+Pod=nefarious.pod
+
+Environment=DATABASE_URL=sqlite:////config/db.sqlite3 REDIS_HOST=localhost HOST_DOWNLOAD_PATH={{ host_download_dir }} "NEFARIOUS_USER={{ nefarious_admin_user }}" "NEFARIOUS_PASS={{ nefarious_admin_pass }}" CONFIG_PATH=/config HOST_DOWNLOAD_UID=0
+Volume={{ nefarious_config_dir }}:/config
+
+AutoUpdate=registry
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.nefarious-podman/templates/nefarious-celery.container.j2

@@ -0,0 +1,16 @@
+# vim: ft=systemd
+[Container]
+Image=docker.io/lardbit/nefarious:latest
+Pod=nefarious.pod
+Entrypoint=/app/entrypoint-celery.sh
+
+Environment=DATABASE_URL=sqlite:////config/db.sqlite3 REDIS_HOST=localhost HOST_DOWNLOAD_PATH={{ host_download_dir }} "NEFARIOUS_USER={{ nefarious_admin_user }}" "NEFARIOUS_PASS={{ nefarious_admin_pass }}" CONFIG_PATH=/config  NUM_CELERY_WORKERS=1 HOST_DOWNLOAD_UID=0
+Volume={{ nefarious_config_dir }}:/config
+
+AutoUpdate=registry
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.nefarious-podman/templates/nefarious-jackett.container.j2

@@ -0,0 +1,10 @@
+# vim: ft=systemd
+[Container]
+Image=docker.io/linuxserver/jackett:latest
+Pod=nefarious.pod
+Volume={{ jackett_data_dir }}:/config
+
+AutoUpdate=registry
+
+[Service]
+Restart=always

roles/any.software.nefarious-podman/templates/nefarious-transmission.container.j2

@@ -0,0 +1,11 @@
+# vim: ft=systemd
+[Container]
+Image=docker.io/linuxserver/transmission:4.0.5
+Pod=nefarious.pod
+
+Environment=PUID=0 PGID=0 TZ=Europe/Brussels USER= PASS=
+Volume={{ transmission_settings_path }}:/config/settings.json:ro
+Volume={{ host_download_dir }}:/downloads
+
+[Service]
+Restart=always

roles/any.software.syncthing/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: 'restart syncthing'
+  ansible.builtin.systemd_service:
+    name: 'syncthing'
+    state: 'restarted'
+
+    daemon_reload: true

roles/any.software.syncthing/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure Syncthing is installed
+  ansible.builtin.apt:
+    name: syncthing
+    state: present
+
+- name: Ensure data directories are present
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+    owner: 'root'
+    group: 'root'
+  loop:
+    - "{{ syncthing_data_dir }}"
+    - "{{ syncthing_home_dir }}"
+    - "{{ syncthing_config_dir }}"
+
+- name: Ensure service file is present
+  ansible.builtin.template:
+    src: 'syncthing.service.j2'
+    dest: '/lib/systemd/system/syncthing.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: 'restart syncthing'
+
+- name: Ensure Syncthing service is enabled
+  ansible.builtin.service:
+    name: 'syncthing'
+    enabled: true

roles/any.software.syncthing/templates/syncthing.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=Syncthing - Open Source Continuous File Synchronization
+Documentation=man:syncthing(1)
+After=network.target
+StartLimitIntervalSec=60
+StartLimitBurst=4
+
+[Service]
+ExecStart=/usr/bin/syncthing serve --no-browser --no-restart --logflags=0 --config='{{ syncthing_config_dir }}' --data='{{ syncthing_data_dir }}' --no-default-folder --gui-address=0.0.0.0:8384
+Restart=on-failure
+RestartSec=1
+SuccessExitStatus=3 4
+RestartForceExitStatus=3 4
+Environment="HOME={{ syncthing_home_dir }}"
+
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target