diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 5579c57..b3fbb3f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -15,3 +15,6 @@ ansible_become_pass: !vault |
 36343435646561643662373138613237626461373330346566356132636366623731643838383633
 3765666163656264340a663138623535626161376666323862373131383637356231323737313564
 6430
+
+woodpecker_server: 'ci.rustybever.be:9000'
+woodpecker_secret: "{{ vault_woodpecker_secret }}"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index f4da912..2aaf6ac 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,6 +1,10 @@
 $ANSIBLE_VAULT;1.1;AES256
-37303338366435366664333235623930303461666537326463613536303263353233303631653061
-3365613139333035616434376464386436653863366338650a366363336438313364646432626335
-32396334643064326531393930666263643163636163316430616434363139316665323262616538
-3665633530616432350a326439636231383765666365386433313432373432373938656638373636
-34323166343965616330366265353462626132356565316637313430343462363163
+65396664323038303134303832613939623230323365613162313835623462663137623231643466
+3661303536326134636662636237326337653535613565380a643035326434656334363432633037
+31626233633935616234376334336138353833613962653632313639383932613638316238636436
+3066656463396530340a356634316630363866373834393035336663373264613031646231666538
+63366666336236313236653831316433346335356430366364303739666532623835373931376636
+63386434346265626331306461393330316164396632383462613537343664616266643938646632
+66316362623730313039666161353232313265613463653762666533356532633333616631343235
+66646339643366663365323165383830353562643266353935386334383134623933353162653666
+6432
diff --git a/nas.yml b/nas.yml
index 9cbb433..7730b2b 100644
--- a/nas.yml
+++ b/nas.yml
@@ -41,3 +41,10 @@
 roles:
 - rclone
 tags: rclone
+
+- name: Install Woodpecker agent
+ hosts: nas
+ become: yes
+ roles:
+ - woodpecker
+ tags: woodpecker
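Review bot: `become: yes` in the new "Install Woodpecker agent" play uses a YAML 1.1 truthy spelling, while the tasks added elsewhere in this commit write `enabled: true`; use `become: true` so the file is consistent and yamllint's truthy rule stays quiet. The play otherwise mirrors the rclone play above it, and the woodpecker role's meta pulls in the docker role, so nothing else is needed here.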
diff --git a/roles/caddy/files/Caddyfile b/roles/caddy/files/Caddyfile
index fdb27ea..8d16237 100644
--- a/roles/caddy/files/Caddyfile
+++ b/roles/caddy/files/Caddyfile
@@ -8,9 +8,7 @@
 # this machine's public IP, then replace ":80" below with your
 # domain name.
 
-media.roosens.me {
- reverse_proxy localhost:8096
-}
+import *.Caddyfile
 
 # Refer to the Caddy docs for more information:
 # https://caddyserver.com/docs/caddyfile
diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml
index ddf490e..860dc15 100644
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: reload-caddy
+- name: caddy-reload
 service:
 name: caddy
 state: reloaded
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
index f3eb347..ddbcacd 100644
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -25,7 +25,7 @@
 owner: root
 group: root
 mode: '644'
- notify: reload-caddy
+ notify: caddy-reload
 
 - name: Ensure Caddy service is running & enabled
 service:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index efe7bbf..bb1ea27 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,10 +1,13 @@
-- name: Install packages
+- name: Ensure common packages are installed
 apt:
 name:
 # Needed for handling GPG keys for repositories
 - debian-keyring
 - debian-archive-keyring
 - apt-transport-https
+ - ca-certificates
+ - lsb-release
+ - gnupg
 
 # Easy to edit files
 - vim
@@ -16,9 +19,24 @@
 
 # Disk monitoring
 - smartmontools
+
+ # Periodic tasks
+ - cron
 state: present
 
-- name: Install Vim config
+- name: Ensure cron service is enabled
+ service:
+ name: cron
+ state: started
+ enabled: true
+
+- name: Ensure fail2ban service is enabled
+ service:
+ name: fail2ban
+ state: started
+ enabled: true
+
+- name: Ensure Vim config is present
 get_url:
 url: 'https://r8r.be/vim'
 dest: '{{ item.dest }}'
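Review bot: The task renamed to `Ensure Vim config is present` still fetches `https://r8r.be/vim` into the home directories of `debian` and root with no integrity check; `get_url` accepts `checksum: 'sha256:<expected-digest>'` (placeholder), which makes the play refuse a changed or tampered download instead of writing it to `/root/.vimrc`. The task's body continues past the end of this hunk. The new `Ensure fail2ban service is enabled` task relies on the fail2ban package being in the package list above; it is not among the visible entries, so if it sits in the unshown part of the list this is fine, otherwise the task fails on a fresh host.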
@@ -30,9 +48,3 @@
 dest: "/home/debian/.vimrc"
 - user: root
 dest: "/root/.vimrc"
-
-- name: Enable fail2ban
- service:
- name: fail2ban
- state: started
- enabled: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index b37a479..5f20a61 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -9,15 +9,6 @@
 - runc
 state: absent
 
-- name: Install Docker PPA dependencies.
- apt:
- name:
- - apt-transport-https
- - ca-certificates
- - gnupg
- - lsb-release
- state: present
-
 - name: Add Docker GPG key.
 apt_key:
 url: https://download.docker.com/linux/ubuntu/gpg
@@ -26,7 +17,7 @@
 - name: Add Docker PPA.
 apt_repository:
 # https://gist.github.com/rbq/886587980894e98b23d0eee2a1d84933
- repo: deb [arch=amd64] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+ repo: deb [arch=arm64] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
 state: present
 
 - name: Install Docker, docker-compose & cron.
@@ -50,4 +41,4 @@
 name: Prune the Docker system.
 hour: 4
 minute: 0
- job: docker system prune -f
+ job: docker system prune -af
diff --git a/roles/jellyfin/files/jellyfin.Caddyfile b/roles/jellyfin/files/jellyfin.Caddyfile
new file mode 100644
index 0000000..d803d5e
--- /dev/null
+++ b/roles/jellyfin/files/jellyfin.Caddyfile
@@ -0,0 +1,3 @@
+media.roosens.me {
+ reverse_proxy localhost:8096
+}
diff --git a/roles/jellyfin/meta/main.yml b/roles/jellyfin/meta/main.yml
new file mode 100644
index 0000000..1dbd0f6
--- /dev/null
+++ b/roles/jellyfin/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: caddy
diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml
index 48b969b..7ac1304 100644
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
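Review bot: The repository line now hard-codes `[arch=arm64]` where it previously hard-coded `amd64`, so the docker role only works for one CPU architecture at a time even though the rest of the line is already derived from facts. Deriving the architecture from facts as well keeps the role usable on both, e.g. `repo: "deb [arch={{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"`. Because the earlier hunk in this file drops the `ca-certificates`/`gnupg`/`lsb-release` install, the role now depends on the common role having run first; the woodpecker role's meta only pulls in docker, so that assumption is worth recording in the docker role's meta dependencies or a comment above `Add Docker GPG key.`.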
@@ -50,3 +50,11 @@
 state: started
 enabled: true
 
+- name: Ensure Jellyfin Caddyfile is present
+ copy:
+ src: 'jellyfin.Caddyfile'
+ dest: '/etc/caddy/jellyfin.Caddyfile'
+ owner: root
+ group: root
+ mode: '0644'
+ notify: caddy-reload
diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml
index 48e1e38..ccde2aa 100644
--- a/roles/samba/handlers/main.yml
+++ b/roles/samba/handlers/main.yml
@@ -7,4 +7,4 @@
 - name: smbpasswd-lambroek
 shell:
 cmd: "smbpasswd -sa lambroek"
- stdin: "{{ lambroek_password }}\n{{ lambroek_password }}"
+ stdin: "{{ lambroek_password }}\n{{ lambroek_password }}\n"
diff --git a/roles/woodpecker/files/woodpecker-agent.service b/roles/woodpecker/files/woodpecker-agent.service
new file mode 100644
index 0000000..d1801a7
--- /dev/null
+++ b/roles/woodpecker/files/woodpecker-agent.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Woodpecker Agent
+Documentation=https://woodpecker-ci.org/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=exec
+User=woodpecker
+Group=woodpecker
+ExecStart=/usr/local/bin/woodpecker-agent
+Restart=always
+EnvironmentFile=/etc/woodpecker/woodpecker-agent.env
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/woodpecker/handlers/main.yml b/roles/woodpecker/handlers/main.yml
new file mode 100644
index 0000000..a9933a7
--- /dev/null
+++ b/roles/woodpecker/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: woodpecker-agent-restart
+ ansible.builtin.service:
+ name: 'woodpecker-agent'
+ state: 'restarted'
diff --git a/roles/woodpecker/meta/main.yml b/roles/woodpecker/meta/main.yml
new file mode 100644
index 0000000..cb7d8e0
--- /dev/null
+++ b/roles/woodpecker/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: docker
diff --git a/roles/woodpecker/tasks/main.yml b/roles/woodpecker/tasks/main.yml
new file mode 100644
index 0000000..f6fda97
--- /dev/null
+++ b/roles/woodpecker/tasks/main.yml
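Review bot: The `smbpasswd-lambroek` handler feeds `lambroek_password` to `smbpasswd` via stdin, which correctly keeps it off the command line, but the task has no `no_log: true`, so the stdin value and the module result show up in verbose runs and callback output every time the handler fires. Add `no_log: true` at the handler level next to `shell:`. The trailing `\n` added here matches what smbpasswd's second prompt expects, so the fix itself looks right.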
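Review bot: The new unit runs the agent as the unprivileged `woodpecker` user but applies no systemd sandboxing, and `EnvironmentFile=/etc/woodpecker/woodpecker-agent.env` is the file that carries the agent secret; low-risk settings such as `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]` limit what a compromised agent process can do and should not interfere with its Docker API access, though that is worth confirming on the host. A comment above `EnvironmentFile=` stating that the file holds the agent secret and must not be readable by other users would document the permission the installing task has to guarantee.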
@@ -0,0 +1,78 @@
+---
+- name: Create download directory
+ ansible.builtin.file:
+ path: '/home/debian/woodpecker-agent-1.0.1'
+ state: directory
+ mode: '0755'
+
+- name: Download agent tarball
+ ansible.builtin.unarchive:
+ src: 'https://github.com/woodpecker-ci/woodpecker/releases/download/v1.0.1/woodpecker-agent_linux_arm64.tar.gz'
+ remote_src: true
+ dest: '/home/debian/woodpecker-agent-1.0.1'
+ creates: '/home/debian/woodpecker-agent-1.0.1/woodpecker-agent'
+ include:
+ - 'woodpecker-agent'
+ register: res
+
+- name: Move binary to correct location
+ ansible.builtin.copy:
+ src: '/home/debian/woodpecker-agent-1.0.1/woodpecker-agent'
+ remote_src: true
+ dest: '/usr/local/bin/woodpecker-agent'
+ owner: 'root'
+ group: 'root'
+ mode: '0755'
+ when: 'res.changed'
+
+- name: Ensure system group exists
+ group:
+ name: 'woodpecker'
+ gid: 200
+ system: true
+ state: present
+
+- name: Ensure system user exists
+ user:
+ name: 'woodpecker'
+ group: 'woodpecker'
+ uid: 200
+ system: true
+ create_home: false
+
+- name: Ensure woodpecker directory is present
+ file:
+ path: '/etc/woodpecker'
+ state: directory
+ mode: '0755'
+ owner: 'woodpecker'
+ group: 'woodpecker'
+
+- name: Ensure agent environment file is present
+ template:
+ src: 'woodpecker-agent.env.j2'
+ dest: '/etc/woodpecker/woodpecker-agent.env'
+ owner: 'woodpecker'
+ group: 'woodpecker'
+ mode: '0644'
+ notify: woodpecker-agent-restart
+
+- name: Ensure service file is present
+ copy:
+ src: 'woodpecker-agent.service'
+ dest: '/lib/systemd/system/woodpecker-agent.service'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ register: res
+
+- name: systemd-reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: 'res.changed'
+
+- name: Ensure agent service is enabled
+ ansible.builtin.service:
+ name: 'woodpecker-agent'
+ state: started
+ enabled: true
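Review bot: `Ensure agent environment file is present` installs the file that carries `WOODPECKER_AGENT_SECRET` with `mode: '0644'`, so every local account on the NAS can read the credential that lets a machine register as a CI agent; `mode: '0600'` is enough, since only the service (already the file's owner) reads it. Both `/etc/woodpecker` and the env file are owned by the service account itself, which lets a compromised agent rewrite its own configuration; the directory presumably only needs to be writable by the agent for `WOODPECKER_AGENT_CONFIG_FILE`, so keeping the env file root-owned with group `woodpecker` and mode 0640 would be tighter, to be confirmed against what the agent writes. The `woodpecker` user is created without a `groups:` entry, yet the service uses the Docker backend; if the socket has the usual root:docker 0660 permissions the agent cannot reach Docker without `groups: ['docker']`, and since that group is root-equivalent on the host, a comment recording that this host is fully trusted by the CI server belongs next to the user task. The tarball is extracted straight from GitHub with `unarchive` and no digest check; fetching it first with `get_url` and `checksum: 'sha256:<expected-digest>'` (placeholder) would pin the binary that ends up in `/usr/local/bin`.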
diff --git a/roles/woodpecker/templates/woodpecker-agent.env.j2 b/roles/woodpecker/templates/woodpecker-agent.env.j2
new file mode 100644
index 0000000..1314a2b
--- /dev/null
+++ b/roles/woodpecker/templates/woodpecker-agent.env.j2
@@ -0,0 +1,4 @@
+WOODPECKER_SERVER={{ woodpecker_server }}
+WOODPECKER_AGENT_SECRET={{ woodpecker_secret }}
+WOODPECKER_AGENT_CONFIG_FILE=/etc/woodpecker/woodpecker-agent.conf
+WOODPECKER_BACKEND=docker
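Review bot: The template sets no `WOODPECKER_GRPC_SECURE`, and the agent defaults to a plaintext gRPC connection, so `WOODPECKER_AGENT_SECRET` is sent unencrypted to `ci.rustybever.be:9000` on every connect; if that port is reachable over the public Internet, terminate TLS in front of the server's gRPC port and add `WOODPECKER_GRPC_SECURE=true` here. If the server is only reachable over a private link the current setting is acceptable, but a comment in the template saying so would keep the next reader from guessing. Values are emitted unquoted, which works for a systemd EnvironmentFile as long as `woodpecker_server` never contains whitespace or quote characters.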