diff --git a/.bashrc b/.bashrc index 0302d1e..5829d95 100644 --- a/.bashrc +++ b/.bashrc @@ -181,6 +181,6 @@ if [ -f $HOME/.bashrc.local ]; then fi # Display a welcome message for interactive shells -if [ -t 1 ] && command -v helloworld &> /dev/null; then +if [ -t 1 ]; then helloworld fi diff --git a/bin/actions/secrets.py b/bin/actions/secrets.py index 4279a9c..880c3ee 100755 --- a/bin/actions/secrets.py +++ b/bin/actions/secrets.py @@ -17,7 +17,7 @@ def get_password(): # Try to get the password success, output = run_command( - [op_cmd, "read", "op://j7nmhqlsjmp2r6umly5t75hzb4/Dotfiles Secrets/password"] + [op_cmd, "read", "op://Dotfiles/Dotfiles Secrets/password"] ) if not success: diff --git a/config/ansible/caddy-playbook.yml b/config/ansible/caddy-playbook.yml index 0c5bee3..c7e9a82 100644 --- a/config/ansible/caddy-playbook.yml +++ b/config/ansible/caddy-playbook.yml @@ -19,7 +19,7 @@ - name: Get Caddy email from 1Password ansible.builtin.set_fact: - caddy_email: "{{ lookup('community.general.onepassword', 'qwvcr4cuumhqh3mschv57xdqka', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='email') }}" + caddy_email: "{{ lookup('community.general.onepassword', 'Caddy (Proxy)', vault='Dotfiles', field='email') }}" ignore_errors: true tags: - caddy diff --git a/config/ansible/tasks/servers/juicefs.yml b/config/ansible/tasks/servers/juicefs.yml index 561a64b..ebae982 100644 --- a/config/ansible/tasks/servers/juicefs.yml +++ b/config/ansible/tasks/servers/juicefs.yml 
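Review bot: With the `command -v helloworld` guard gone, every interactive shell on a host that lacks the binary now prints `bash: helloworld: command not found` at startup, because `[ -t 1 ]` only tests for a terminal. If the dotfiles bootstrap guarantees `helloworld` is installed before this `.bashrc` is ever sourced, record that assumption in the comment above the test, e.g. `# helloworld is installed by the dotfiles bootstrap; the existence guard was dropped on purpose`; otherwise keep the cheap check: `if [ -t 1 ] && command -v helloworld >/dev/null 2>&1; then`. Either way the command is resolved through `$PATH` from a startup file, so an absolute path would be the more defensive choice if the install location is fixed.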
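Review bot: The secret reference `op://Dotfiles/Dotfiles Secrets/password` now resolves the vault and the item by title instead of by ID; the 1Password CLI errors out on an ambiguous title rather than picking one, so a second vault or item with the same name will make this `op read` fail, and renaming either silently breaks the lookup. If the readability is worth that trade, pin the invariant next to the call so the next person knows why it broke: `# Resolved by title: vault "Dotfiles" / item "Dotfiles Secrets" must stay unique and unrenamed (was pinned to vault ID j7nmhqlsjmp2r6umly5t75hzb4)`. The handling after `if not success:` lies outside the hunk, so I cannot see whether the CLI's error text is surfaced to the user; `get_password()` continues past the hunk.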
@@ -1,90 +1,94 @@ --- -- name: Check if JuiceFS is already installed - ansible.builtin.command: which juicefs - register: juicefs_check - ignore_errors: true - changed_when: false +- name: JuiceFS Installation and Configuration + block: + - name: Check if JuiceFS is already installed + ansible.builtin.command: which juicefs + register: juicefs_check + ignore_errors: true + changed_when: false -- name: Install JuiceFS using the automatic installer - ansible.builtin.shell: curl -sSL https://d.juicefs.com/install | sh - - register: juicefs_installation - when: juicefs_check.rc != 0 - become: true + - name: Install JuiceFS using the automatic installer + ansible.builtin.shell: curl -sSL https://d.juicefs.com/install | sh - + register: juicefs_installation + when: juicefs_check.rc != 0 + become: true -- name: Verify JuiceFS installation - ansible.builtin.command: juicefs version - register: juicefs_version - changed_when: false - when: juicefs_check.rc != 0 or juicefs_installation.changed + - name: Verify JuiceFS installation + ansible.builtin.command: juicefs version + register: juicefs_version + changed_when: false + when: juicefs_check.rc != 0 or juicefs_installation.changed -- name: Create mount directory - ansible.builtin.file: - path: /mnt/object_storage - state: directory - mode: "0755" - become: true + - name: Create mount directory + ansible.builtin.file: + path: /mnt/object_storage + state: directory + mode: "0755" + become: true -- name: Create cache directory - ansible.builtin.file: - path: /var/jfsCache - state: directory - mode: "0755" - become: true + - name: Create cache directory + ansible.builtin.file: + path: /var/jfsCache + state: directory + mode: "0755" + become: true -- name: Configure JuiceFS network performance optimizations - ansible.builtin.sysctl: - name: "{{ item.name }}" - value: "{{ item.value }}" - state: present - reload: true - become: true - loop: - - { name: "net.core.rmem_max", value: "16777216" } - - { name: "net.core.wmem_max", 
value: "16777216" } - - { name: "net.ipv4.tcp_rmem", value: "4096 87380 16777216" } - - { name: "net.ipv4.tcp_wmem", value: "4096 65536 16777216" } + - name: Configure JuiceFS network performance optimizations + ansible.builtin.sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: present + reload: true + become: true + loop: + - { name: "net.core.rmem_max", value: "16777216" } + - { name: "net.core.wmem_max", value: "16777216" } + - { name: "net.ipv4.tcp_rmem", value: "4096 87380 16777216" } + - { name: "net.ipv4.tcp_wmem", value: "4096 65536 16777216" } -- name: Set JuiceFS facts - ansible.builtin.set_fact: - hetzner_access_key: "{{ lookup('community.general.onepassword', 'mfk2qgnaplgtk6xmfc3r6w6neq', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='AWS_ACCESS_KEY_ID') }}" - hetzner_secret_key: - "{{ lookup('community.general.onepassword', 'mfk2qgnaplgtk6xmfc3r6w6neq', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='AWS_SECRET_ACCESS_KEY') - }}" - redis_password: "{{ lookup('community.general.onepassword', '4cioblm633bdkl6put35lk6ql4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }}" + - name: Set JuiceFS facts + ansible.builtin.set_fact: + hetzner_access_key: "{{ lookup('community.general.onepassword', 'Hetzner Object Storage Bucket', vault='Dotfiles', field='AWS_ACCESS_KEY_ID') }}" + hetzner_secret_key: + "{{ lookup('community.general.onepassword', 'Hetzner Object Storage Bucket', vault='Dotfiles', field='AWS_SECRET_ACCESS_KEY') + }}" + redis_password: "{{ lookup('community.general.onepassword', 'JuiceFS (Redis)', vault='Dotfiles', field='password') }}" -- name: Create JuiceFS systemd service file - ansible.builtin.template: - src: templates/juicefs.service.j2 - dest: /etc/systemd/system/juicefs.service - owner: root - group: root - mode: "0644" - become: true + - name: Create JuiceFS systemd service file + ansible.builtin.template: + src: templates/juicefs.service.j2 + dest: /etc/systemd/system/juicefs.service + owner: root + group: root + mode: 
"0644" + become: true -- name: Reload systemd daemon - ansible.builtin.systemd: - daemon_reload: true - become: true + - name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true + become: true -- name: Include JuiceFS Redis tasks - ansible.builtin.include_tasks: services/redis/redis.yml - when: inventory_hostname == 'mennos-cloud-server' + - name: Include JuiceFS Redis tasks + ansible.builtin.include_tasks: services/redis/redis.yml + when: inventory_hostname == 'mennos-cloud-server' -- name: Enable and start JuiceFS service - ansible.builtin.systemd: - name: juicefs.service - enabled: true - state: started - become: true + - name: Enable and start JuiceFS service + ansible.builtin.systemd: + name: juicefs.service + enabled: true + state: started + become: true -- name: Check if JuiceFS is mounted - ansible.builtin.shell: df -h | grep /mnt/object_storage - become: true - register: mount_check - ignore_errors: true - changed_when: false + - name: Check if JuiceFS is mounted + ansible.builtin.shell: df -h | grep /mnt/object_storage + become: true + register: mount_check + ignore_errors: true + changed_when: false -- name: Display mount status - ansible.builtin.debug: - msg: "JuiceFS is successfully mounted at /mnt/object_storage" - when: mount_check.rc == 0 + - name: Display mount status + ansible.builtin.debug: + msg: "JuiceFS is successfully mounted at /mnt/object_storage" + when: mount_check.rc == 0 + tags: + - juicefs diff --git a/config/ansible/tasks/servers/server.yml b/config/ansible/tasks/servers/server.yml index 8c1c7cb..6889a7f 100644 --- a/config/ansible/tasks/servers/server.yml +++ b/config/ansible/tasks/servers/server.yml @@ -10,6 +10,8 @@ - name: Include JuiceFS tasks ansible.builtin.include_tasks: juicefs.yml + tags: + - juicefs - name: Include service tasks ansible.builtin.include_tasks: "services/{{ item.name }}/{{ item.name }}.yml" 
@@ -88,3 +90,7 @@ enabled: true hosts: - mennos-server + - name: unifi-network-application + enabled: true + hosts: + - mennos-cloud-server diff --git a/config/ansible/tasks/servers/services/caddy/caddy.yml b/config/ansible/tasks/servers/services/caddy/caddy.yml index 46988b2..66afa95 100644 --- a/config/ansible/tasks/servers/services/caddy/caddy.yml +++ b/config/ansible/tasks/servers/services/caddy/caddy.yml @@ -6,7 +6,7 @@ caddy_service_dir: "{{ ansible_env.HOME }}/services/caddy" caddy_data_dir: "{{ '/mnt/services/caddy' if inventory_hostname == 'mennos-server' else '/mnt/object_storage/services/caddy' }}" geoip_db_path: "{{ '/mnt/services/echoip' if inventory_hostname == 'mennos-server' else '/mnt/object_storage/services/echoip' }}" - caddy_email: "{{ lookup('community.general.onepassword', 'qwvcr4cuumhqh3mschv57xdqka', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='email') }}" + caddy_email: "{{ lookup('community.general.onepassword', 'Caddy (Proxy)', vault='Dotfiles', field='email') }}" - name: Create Caddy directory ansible.builtin.file: diff --git a/config/ansible/tasks/servers/services/downloaders/docker-compose.yml.j2 b/config/ansible/tasks/servers/services/downloaders/docker-compose.yml.j2 index 9d4446d..d8a1eb1 100644 --- a/config/ansible/tasks/servers/services/downloaders/docker-compose.yml.j2 +++ b/config/ansible/tasks/servers/services/downloaders/docker-compose.yml.j2 
@@ -19,10 +19,10 @@ services: environment: - PUID=1000 - PGID=100 - - VPN_SERVICE_PROVIDER={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='VPN_SERVICE_PROVIDER') }} - - OPENVPN_USER={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENVPN_USER') }} - - OPENVPN_PASSWORD={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENVPN_PASSWORD') }} - - SERVER_COUNTRIES={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='SERVER_COUNTRIES') }} + - VPN_SERVICE_PROVIDER={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='VPN_SERVICE_PROVIDER') }} + - OPENVPN_USER={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='OPENVPN_USER') }} + - OPENVPN_PASSWORD={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='OPENVPN_PASSWORD') }} + - SERVER_COUNTRIES={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='SERVER_COUNTRIES') }} restart: always sabnzbd: diff --git a/config/ansible/tasks/servers/services/echoip/docker-compose.yml.j2 b/config/ansible/tasks/servers/services/echoip/docker-compose.yml.j2 index 0f76b3f..69ea7d2 100644 --- a/config/ansible/tasks/servers/services/echoip/docker-compose.yml.j2 +++ b/config/ansible/tasks/servers/services/echoip/docker-compose.yml.j2 @@ -3,8 +3,6 @@ services: container_name: 'echoip' image: 'mpolden/echoip:latest' restart: unless-stopped - ports: - - "8080:8080" extra_hosts: - "host.docker.internal:host-gateway" networks: diff --git a/config/ansible/tasks/servers/services/echoip/echoip.yml b/config/ansible/tasks/servers/services/echoip/echoip.yml index f053523..f129a5d 100644 --- a/config/ansible/tasks/servers/services/echoip/echoip.yml 
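Review bot: `OPENVPN_USER` and `OPENVPN_PASSWORD` are rendered as plain `environment:` entries, so once this template is written to the host the VPN credentials sit in clear text in the compose file and are also visible to anyone with Docker socket access via `docker inspect`; the 1Password lookup only protects them in the repository. Rendering the four `Gluetun` values into a separate env file installed with `mode: "0600"` and referencing it through `env_file:` keeps them out of the compose file, and Docker secrets would keep them out of `inspect` as well. The same pattern appears in the gitea, golink and karakeep templates touched by this diff. The task that writes this template, and the file mode it uses, are not in the hunk.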
+++ b/config/ansible/tasks/servers/services/echoip/echoip.yml @@ -5,10 +5,10 @@ ansible.builtin.set_fact: echoip_service_dir: "{{ ansible_env.HOME }}/services/echoip" echoip_data_dir: "{{ '/mnt/services/echoip' if inventory_hostname == 'mennos-server' else '/mnt/object_storage/services/echoip' }}" - maxmind_account_id: "{{ lookup('community.general.onepassword', 'finpwvqp6evflzjcsnwge74n34', - vault='j7nmhqlsjmp2r6umly5t75hzb4', field='account_id') | regex_replace('\\s+', '') }}" - maxmind_license_key: "{{ lookup('community.general.onepassword', 'finpwvqp6evflzjcsnwge74n34', - vault='j7nmhqlsjmp2r6umly5t75hzb4', field='license_key') | regex_replace('\\s+', '') }}" + maxmind_account_id: "{{ lookup('community.general.onepassword', 'MaxMind', + vault='Dotfiles', field='account_id') | regex_replace('\\s+', '') }}" + maxmind_license_key: "{{ lookup('community.general.onepassword', 'MaxMind', + vault='Dotfiles', field='license_key') | regex_replace('\\s+', '') }}" - name: Create EchoIP directory ansible.builtin.file: diff --git a/config/ansible/tasks/servers/services/gitea/docker-compose.yml.j2 b/config/ansible/tasks/servers/services/gitea/docker-compose.yml.j2 index 73f307c..7305db8 100644 --- a/config/ansible/tasks/servers/services/gitea/docker-compose.yml.j2 +++ b/config/ansible/tasks/servers/services/gitea/docker-compose.yml.j2 @@ -23,7 +23,7 @@ services: - PUID=1000 - PGID=100 - POSTGRES_USER=gitea - - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', '4gnclyzztfgqq7yxa3ctxs6tey', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='POSTGRES_PASSWORD') }} + - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', 'Gitea', vault='Dotfiles', field='POSTGRES_PASSWORD') }} - POSTGRES_DB=gitea volumes: - {{gitea_data_dir}}/postgres:/var/lib/postgresql/data 
@@ -40,7 +40,7 @@ services: - PUID=1000 - PGID=100 - GITEA_INSTANCE_URL=https://git.mvl.sh - - GITEA_RUNNER_REGISTRATION_TOKEN={{ lookup('community.general.onepassword', '4gnclyzztfgqq7yxa3ctxs6tey', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='GITEA_RUNNER_REGISTRATION_TOKEN') }} + - GITEA_RUNNER_REGISTRATION_TOKEN={{ lookup('community.general.onepassword', 'Gitea', vault='Dotfiles', field='GITEA_RUNNER_REGISTRATION_TOKEN') }} - GITEA_RUNNER_NAME=act-worker - CONFIG_FILE=/config.yaml restart: always diff --git a/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2 b/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2 index e498b1b..aafa12d 100644 --- a/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2 +++ b/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2 @@ -4,7 +4,7 @@ services: image: ghcr.io/tailscale/golink:main user: root environment: - - TS_AUTHKEY={{ lookup('community.general.onepassword', '4gsgavajnxfpcrjvbkqhoc4drm', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='TS_AUTHKEY') }} + - TS_AUTHKEY={{ lookup('community.general.onepassword', 'GoLink', vault='Dotfiles', field='TS_AUTHKEY') }} volumes: - {{ golink_data_dir }}:/home/nonroot restart: "unless-stopped" diff --git a/config/ansible/tasks/servers/services/karakeep/dotenv.j2 b/config/ansible/tasks/servers/services/karakeep/dotenv.j2 index 5622a52..b21a936 100644 --- a/config/ansible/tasks/servers/services/karakeep/dotenv.j2 +++ b/config/ansible/tasks/servers/services/karakeep/dotenv.j2 
@@ -10,6 +10,6 @@ TZ=Europe/Amsterdam PUID=1000 PGID=100 -NEXTAUTH_SECRET="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='NEXTAUTH_SECRET') }}" -MEILI_MASTER_KEY="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MEILI_MASTER_KEY') }}" -OPENAI_API_KEY="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENAI_API_KEY') }}" +NEXTAUTH_SECRET="{{ lookup('community.general.onepassword', 'Kara Keep', vault='Dotfiles', field='NEXTAUTH_SECRET') }}" +MEILI_MASTER_KEY="{{ lookup('community.general.onepassword', 'Kara Keep', vault='Dotfiles', field='MEILI_MASTER_KEY') }}" +OPENAI_API_KEY="{{ lookup('community.general.onepassword', 'Kara Keep', vault='Dotfiles', field='OPENAI_API_KEY') }}" diff --git a/config/ansible/tasks/servers/services/redis/redis.yml b/config/ansible/tasks/servers/services/redis/redis.yml index 607f669..6c8c55f 100644 --- a/config/ansible/tasks/servers/services/redis/redis.yml +++ b/config/ansible/tasks/servers/services/redis/redis.yml @@ -4,7 +4,7 @@ - name: Set Redis facts ansible.builtin.set_fact: redis_service_dir: "{{ ansible_env.HOME }}/services/juicefs-redis" - redis_password: "{{ lookup('community.general.onepassword', '4cioblm633bdkl6put35lk6ql4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }}" + redis_password: "{{ lookup('community.general.onepassword', 'JuiceFS (Redis)', vault='Dotfiles', field='password') }}" - name: Create Redis service directory ansible.builtin.file: diff --git a/config/ansible/tasks/servers/services/seafile/seafile.yml b/config/ansible/tasks/servers/services/seafile/seafile.yml index ec97171..b1e164f 100644 --- a/config/ansible/tasks/servers/services/seafile/seafile.yml +++ b/config/ansible/tasks/servers/services/seafile/seafile.yml 
@@ -22,26 +22,26 @@ # Database settings seafile_mysql_db_host: "db" seafile_mysql_root_password: > - {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4', - vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MYSQL_ROOT_PASSWORD') }} + {{ lookup('community.general.onepassword', 'Seafile', + vault='Dotfiles', field='MYSQL_ROOT_PASSWORD') }} seafile_mysql_db_user: "seafile" seafile_mysql_db_password: > - {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4', - vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MYSQL_PASSWORD') }} + {{ lookup('community.general.onepassword', 'Seafile', + vault='Dotfiles', field='MYSQL_PASSWORD') }} # Server settings time_zone: "Europe/Amsterdam" jwt_private_key: > - {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4', - vault='j7nmhqlsjmp2r6umly5t75hzb4', field='jwt_private_key') }} + {{ lookup('community.general.onepassword', 'Seafile', + vault='Dotfiles', field='jwt_private_key') }} seafile_server_hostname: "sf.mvl.sh" seafile_server_protocol: "https" # Admin credentials seafile_admin_email: "menno@vleeuwen.me" seafile_admin_password: > - {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4', - vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }} + {{ lookup('community.general.onepassword', 'Seafile', + vault='Dotfiles', field='password') }} - name: Create Seafile directories ansible.builtin.file: diff --git a/config/ansible/tasks/servers/services/unifi-network-application/docker-compose.yml.j2 b/config/ansible/tasks/servers/services/unifi-network-application/docker-compose.yml.j2 new file mode 100644 index 0000000..e969ec6 --- /dev/null +++ b/config/ansible/tasks/servers/services/unifi-network-application/docker-compose.yml.j2 
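Review bot: The four credential facts use `>` folded scalars, whose default clip chomping keeps one trailing newline, so as far as I can tell `seafile_mysql_root_password`, `seafile_mysql_db_password`, `jwt_private_key` and `seafile_admin_password` are handed to Seafile with a `\n` appended — Ansible preserves a trailing newline from the source string when it templates it. The `regex_replace('\\s+', '')` applied to the MaxMind facts elsewhere in this diff looks like the same problem was already worked around there. Using the strip indicator on these four keys, e.g. `seafile_mysql_root_password: >-`, removes the newline without needing the regex. The enclosing `set_fact` task starts before this hunk.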
@@ -0,0 +1,54 @@ +services: + unifi-controller: + image: linuxserver/unifi-network-application:latest + restart: unless-stopped + ports: + - "8080:8080" # Device communication + - "8443:8443" # Controller GUI / API + - "3478:3478/udp" # STUN + - "10001:10001/udp" # AP discovery + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Amsterdam + - MONGO_USER=unifi + - MONGO_PASS=unifi + - MONGO_HOST=unifi-db + - MONGO_PORT=27017 + - MONGO_DBNAME=unifi + - MONGO_AUTHSOURCE=admin + volumes: + - {{ unifi_network_application_data_dir }}/data:/config + depends_on: + - unifi-db + networks: + - unifi-network + - caddy_network + sysctls: + - net.ipv6.conf.all.disable_ipv6=1 + + unifi-db: + image: mongo:6.0 + restart: unless-stopped + volumes: + - {{ unifi_network_application_data_dir }}/db:/data/db + - {{ unifi_network_application_data_dir }}/init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro + environment: + - MONGO_INITDB_ROOT_USERNAME=root + - MONGO_INITDB_ROOT_PASSWORD=root + - MONGO_INITDB_DATABASE=unifi + - MONGO_USER=unifi + - MONGO_PASS=unifi + - MONGO_DBNAME=unifi + - MONGO_AUTHSOURCE=admin + networks: + - unifi-network + sysctls: + - net.ipv6.conf.all.disable_ipv6=1 + +networks: + unifi-network: + driver: bridge + caddy_network: + external: true + name: caddy_default diff --git a/config/ansible/tasks/servers/services/unifi-network-application/unifi-network-application.yml b/config/ansible/tasks/servers/services/unifi-network-application/unifi-network-application.yml new file mode 100644 index 0000000..247c53f --- /dev/null +++ b/config/ansible/tasks/servers/services/unifi-network-application/unifi-network-application.yml 
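Review bot: `MONGO_PASS=unifi` and `MONGO_INITDB_ROOT_PASSWORD=root` are hard-coded in both services, while every other service touched by this diff pulls its credentials through the `community.general.onepassword` lookup (the Gitea template's `POSTGRES_PASSWORD` line is the shape to copy); the database is only attached to the internal `unifi-network`, which limits exposure, but root/root on a MongoDB is a weak default that will outlive this commit. Routing both values, and whatever the init script reads, through a 1Password item would match the rest of the repository. The controller also publishes `8443:8443` on every host interface even though it is attached to `caddy_network`; if Caddy is meant to front the UI, binding it as `- "127.0.0.1:8443:8443"` (or dropping the mapping) keeps the admin API off the public address, while 8080, 3478 and 10001 have to stay reachable by devices. `linuxserver/unifi-network-application:latest` and `mongo:6.0` are unpinned, so a pull can change the deployed software with no diff here.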
@@ -0,0 +1,78 @@ +--- +- name: Deploy Unifi Network App service + block: + - name: Set Unifi Network App directories + ansible.builtin.set_fact: + unifi_network_application_data_dir: "/mnt/object_storage/services/unifi_network_application" + unifi_network_application_service_dir: "{{ ansible_env.HOME }}/services/unifi_network_application" + + - name: Create Unifi Network App directories + ansible.builtin.file: + path: "{{ unifi_network_application_dir }}" + state: directory + mode: "0755" + loop: + - "{{ unifi_network_application_data_dir }}" + - "{{ unifi_network_application_data_dir }}/data" + - "{{ unifi_network_application_data_dir }}/db" + - "{{ unifi_network_application_service_dir }}" + loop_control: + loop_var: unifi_network_application_dir + + - name: Create MongoDB initialization script + ansible.builtin.copy: + content: | + #!/bin/bash + + if which mongosh > /dev/null 2>&1; then + mongo_init_bin='mongosh' + else + mongo_init_bin='mongo' + fi + "${mongo_init_bin}" <