From 6afb19a45cdc74e43340f721a990e47fc1b42102 Mon Sep 17 00:00:00 2001 
From: Annika Merris Date: Tue, 2 Jun 2026 00:30:56 +0000 Subject: [PATCH] Red Ranger! GO! --- .vscode/settings.json | 9 ++- .../minilab/roles/arr/files/homarr.yaml | 13 ++++ .../minilab/roles/arr/files/lidarr.yaml | 13 ++++ .../minilab/roles/arr/files/prowlarr.yaml | 13 ++++ .../minilab/roles/arr/files/radarr.yaml | 13 ++++ .../minilab/roles/arr/files/sabnzbd.yaml | 13 ++++ .../minilab/roles/arr/files/sonarr.yaml | 13 ++++ .../minilab/roles/arr/files/whisparr.yaml | 13 ++++ .../minilab/roles/caddy/tasks/main.yaml | 11 +++ .../roles/caddy/templates/Caddyfile.j2 | 38 +++++------ .../calibre/templates/docker-compose.yaml.j2 | 13 ++++ .../roles/immich/files/docker-compose.yaml | 22 ++++++ .../ntfy/templates/docker-compose.yaml.j2 | 14 ++++ .../roles/readeck/files/docker-compose.yaml | 13 ++++ .../templates/docker-compose_yaml.j2 | 55 +++++++++++++++ .../roles/termix/files/docker-compose.yaml | 17 ++++- .../minilab/roles/traefik/files/routers.yaml | 55 +++++++++++++++ .../minilab/roles/traefik/tasks/main.yaml | 68 +++++++++++++++++++ .../roles/traefik/templates/cloudflare.env.j2 | 1 + .../traefik/templates/middlewares.yaml.j2 | 27 ++++++++ .../roles/traefik/templates/services.yaml.j2 | 29 ++++++++ .../traefik/templates/traefik-compose.j2 | 29 ++++++++ .../roles/traefik/templates/traefik.yaml.j2 | 58 ++++++++++++++++ .../minilab/roles/traefik/vars/main.yaml | 30 ++++++++ .../roles/udpbroadcastrelay/tasks/main.yaml | 27 ++++++++ .../minilab/roles/valkey/tasks/main.yaml | 49 +++++++++++++ .../roles/valkey/templates/valkey-compose.j2 | 15 ++++ .../roles/valkey/templates/valkey_conf.j2 | 2 + .../minilab/roles/valkey/vars/main.yaml | 14 ++++ inventory/hosts.yaml | 16 ++--- minilab.yaml | 6 +- 31 files changed, 675 insertions(+), 34 deletions(-) create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/technitium/templates/docker-compose_yaml.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/routers.yaml create mode 
100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/tasks/main.yaml create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/cloudflare.env.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/middlewares.yaml.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/services.yaml.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik-compose.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik.yaml.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/traefik/vars/main.yaml create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/udpbroadcastrelay/tasks/main.yaml create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/valkey/tasks/main.yaml create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey-compose.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey_conf.j2 create mode 100644 collections/ansible_collections/adhdgirl/minilab/roles/valkey/vars/main.yaml diff --git a/.vscode/settings.json b/.vscode/settings.json index 27557a5..f3e54aa 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,3 +1,10 @@ { - "ansible.python.interpreterPath": "/usr/bin/python" + "ansible.python.interpreterPath": "/usr/bin/python", + "yaml.schemas": { + "https://www.schemastore.org/traefik-v2.json": [ + "file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/basic.yaml", + "file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/umm.yaml", + "file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/dynamic.yaml" + ] + } } \ No newline at end of file 
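Review bot: The three `yaml.schemas` URIs point at `traefik/files/basic.yaml`, `umm.yaml` and `dynamic.yaml`, but the only file this commit creates under `roles/traefik/files/` is `routers.yaml`, so the Traefik schema is never applied to the file that actually exists. Replacing the three entries with `"file:///workspaces/minilab/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/routers.yaml"` would make the association useful. The file also still ends without a trailing newline, as the diff marker shows.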
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/homarr.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/homarr.yaml index 7fe3ace..de2b78b 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/homarr.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/homarr.yaml @@ -11,3 +11,16 @@ services: - SECRET_ENCRYPTION_KEY=${HOMARR_ENCRYPTION_KEY} ports: - "7575:7575" + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.homarr.rule: Host(`homarr.local.cobb.lgbt`) + traefik.http.routers.homarr.entryPoints: websecure + traefik.http.routers.homarr.tls.certResolver: letsEncrypt + traefik.http.routers.homarr.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/lidarr.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/lidarr.yaml index 566a918..e99d6b5 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/lidarr.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/lidarr.yaml @@ -15,3 +15,16 @@ services: volumes: - /opt/arr/lidarr/config:/config - /mnt/storage:/data + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.lidarr.rule: Host(`lidarr.local.cobb.lgbt`) + traefik.http.routers.lidarr.entryPoints: websecure + traefik.http.routers.lidarr.tls.certResolver: letsEncrypt + traefik.http.routers.lidarr.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/prowlarr.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/prowlarr.yaml index 4387547..471597d 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/prowlarr.yaml 
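Review bot: The published `ports:` mapping (`- "7575:7575"` in the context lines) is kept next to the new Traefik labels, so homarr stays reachable over plain HTTP on the host port and the `websecure` entrypoint, its TLS and any middleware attached to the router can be bypassed. If Traefik is meant to be the only path in, drop the `ports:` entry now that the container joins the `traefik` network, or bind it to loopback, `- "127.0.0.1:7575:7575"`, while the Caddy routes to the same host ports are still in service. The same labels-plus-published-ports pattern appears in the lidarr, radarr, sabnzbd, sonarr, whisparr, calibre, immich, ntfy, readeck and termix hunks (prowlarr's ports line is outside its hunk). None of these label-defined routers attach the `known-ips@file` middleware that routers.yaml puts on the dashboard, proxmox and truenas routers; if that is deliberate it is worth a one-line comment above the `labels:` block.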
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/prowlarr.yaml @@ -14,3 +14,16 @@ services: - WEBUI_PORTS=9696/tcp volumes: - /opt/arr/prowlarr/config:/config + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.prowlarr.rule: Host(`prowlarr.local.cobb.lgbt`) + traefik.http.routers.prowlarr.entryPoints: websecure + traefik.http.routers.prowlarr.tls.certResolver: letsEncrypt + traefik.http.routers.prowlarr.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/radarr.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/radarr.yaml index f4a27f8..d9d23d1 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/radarr.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/radarr.yaml @@ -15,3 +15,16 @@ services: volumes: - /opt/arr/radarr/config:/config - /mnt/storage:/data + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.radarr.rule: Host(`radarr.local.cobb.lgbt`) + traefik.http.routers.radarr.entryPoints: websecure + traefik.http.routers.radarr.tls.certResolver: letsEncrypt + traefik.http.routers.radarr.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sabnzbd.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sabnzbd.yaml index b551081..5913b65 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sabnzbd.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sabnzbd.yaml 
@@ -13,3 +13,16 @@ services: ports: - 8081:8080 restart: unless-stopped + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.sabnzbd.rule: Host(`sabnzbd.local.cobb.lgbt`) + traefik.http.routers.sabnzbd.entryPoints: websecure + traefik.http.routers.sabnzbd.tls.certResolver: letsEncrypt + traefik.http.routers.sabnzbd.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sonarr.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sonarr.yaml index 19a9168..9fb81cc 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sonarr.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/sonarr.yaml @@ -15,3 +15,16 @@ services: volumes: - /opt/arr/sonarr/config:/config - /mnt/storage:/data + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.sonarr.rule: Host(`sonarr.local.cobb.lgbt`) + traefik.http.routers.sonarr.entryPoints: websecure + traefik.http.routers.sonarr.tls.certResolver: letsEncrypt + traefik.http.routers.sonarr.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/whisparr.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/whisparr.yaml index ffeacb2..0a0ddb3 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/whisparr.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/arr/files/whisparr.yaml 
@@ -15,3 +15,16 @@ services: volumes: - /opt/arr/whisparr/config:/config - /mnt/storage:/data + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.whisparr.rule: Host(`whisparr.local.cobb.lgbt`) + traefik.http.routers.whisparr.entryPoints: websecure + traefik.http.routers.whisparr.tls.certResolver: letsEncrypt + traefik.http.routers.whisparr.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/caddy/tasks/main.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/caddy/tasks/main.yaml index efb8362..2b9fea1 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/caddy/tasks/main.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/caddy/tasks/main.yaml @@ -9,6 +9,17 @@ - name: Ensure Caddy is running on this device block: + - name: Load IP addresses for other hosts + tags: packages,caddy,network + ansible.builtin.set_fact: + caddy_adguard_address: "{{ hostvars['adguard']['ansible_host'] }}" + caddy_nemetona_address: "{{ hostvars['nemetona']['ansible_host'] }}" + caddy_pve_address: "{{ hostvars['pve']['ansible_host'] }}" + caddy_code_address: "{{ hostvars['stephanie']['ansible_host'] }}" + caddy_home_assistant_address: "{{ hostvars['home_assistant']['ansible_host'] }}" + caddy_frigate_address: "{{ hostvars['curren']['ansible_host'] }}" + caddy_truenas_address: "{{ hostvars['mors']['ansible_host'] }}" + cacheable: true - name: Ensure presense of folders for Caddy Home tags: packages,docker,caddy ansible.builtin.file: diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/caddy/templates/Caddyfile.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/caddy/templates/Caddyfile.j2 index 92be7a5..d53d0c9 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/caddy/templates/Caddyfile.j2 +++ b/collections/ansible_collections/adhdgirl/minilab/roles/caddy/templates/Caddyfile.j2 
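Review bot: The `Load IP addresses for other hosts` task is a near-verbatim copy of the one added in `roles/traefik/tasks/main.yaml` (the same seven `hostvars[...]['ansible_host']` lookups, prefixed `caddy_` here and `traefik_` there), so the host-to-service mapping now lives in two roles and will drift. Moving these addresses into inventory or group variables that both roles read would keep one source of truth. `caddy_adguard_address` is set here but not referenced by any Caddyfile line visible in this diff, so it may be dead. Each lookup also fails the play if the named host is missing from the inventory; `cacheable: true` does not change that.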
@@ -4,13 +4,13 @@ } authentik.local.cobb.lgbt { - reverse_proxy 10.69.10.50:9000 { + reverse_proxy {{ caddy_nemetona_address }}:9000 { trusted_proxies private_ranges } } pve.local.cobb.lgbt { - reverse_proxy 10.69.1.7:8006 { + reverse_proxy {{ caddy_pve_address }}:8006 { transport http { tls_insecure_skip_verify } @@ -18,7 +18,7 @@ pve.local.cobb.lgbt { } code.local.cobb.lgbt { - reverse_proxy 10.69.10.52:8443 + reverse_proxy {{ caddy_code_address }}:8443 } guac.local.cobb.lgbt { 
@@ -26,62 +26,62 @@ guac.local.cobb.lgbt { not path /guacamole* } redir @notGuac /guacamole/ - reverse_proxy 10.69.10.50:8080 { + reverse_proxy {{ caddy_nemetona_address }}:8080 { flush_interval -1 } } homarr.local.cobb.lgbt { - reverse_proxy 10.69.10.50:7575 + reverse_proxy {{ caddy_nemetona_address }}:7575 } sabnzbd.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8081 + reverse_proxy {{ caddy_nemetona_address }}:8081 } sonarr.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8989 + reverse_proxy {{ caddy_nemetona_address }}:8989 } radarr.local.cobb.lgbt { - reverse_proxy 10.69.10.50:7878 + reverse_proxy {{ caddy_nemetona_address }}:7878 } prowlarr.local.cobb.lgbt { - reverse_proxy 10.69.10.50:9696 + reverse_proxy {{ caddy_nemetona_address }}:9696 } lidarr.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8686 + reverse_proxy {{ caddy_nemetona_address }}:8686 } ha.local.cobb.lgbt { - reverse_proxy 10.69.10.199:8123 + reverse_proxy {{ caddy_home_assistant_address }}:8123 } ntfy.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8085 + reverse_proxy {{ caddy_nemetona_address }}:8085 } truenas.local.cobb.lgbt { - reverse_proxy 10.69.10.30:443 { + reverse_proxy {{ caddy_truenas_address}}:443 { transport http { tls_insecure_skip_verify } } } termix.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8082 + reverse_proxy {{ caddy_nemetona_address }}:8082 } frigate.local.cobb.lgbt { - reverse_proxy 10.69.10.51:8971 { + reverse_proxy {{ caddy_frigate_address }}:8971 { transport http { tls_insecure_skip_verify } } } immich.local.cobb.lgbt { - reverse_proxy 10.69.10.50:2283 + reverse_proxy {{ caddy_nemetona_address }}:2283 } readeck.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8083 + reverse_proxy {{ caddy_nemetona_address }}:8083 } readeck.cobb.lgbt { - reverse_proxy 10.69.10.50:8083 + reverse_proxy {{ caddy_nemetona_address }}:8083 } cwa.local.cobb.lgbt { - reverse_proxy 10.69.10.50:8086 + reverse_proxy {{ caddy_nemetona_address }}:8086 } 
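Review bot: The truenas block renders `{{ caddy_truenas_address}}` without the space before `}}` that every other substitution in this template has; Jinja accepts it, but it breaks the visual pattern and any grep for `{{ name }}` will miss it, so write `reverse_proxy {{ caddy_truenas_address }}:443 {`. After this commit Caddy still proxies homarr, sonarr, radarr and the rest to their host ports while Traefik now fronts the same containers, so two reverse proxies serve the same names in parallel; if Caddy is being phased out, a comment at the top of this template saying which routes are transitional would help the next reader.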
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/calibre/templates/docker-compose.yaml.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/calibre/templates/docker-compose.yaml.j2 index 2c9c272..725606f 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/calibre/templates/docker-compose.yaml.j2 +++ b/collections/ansible_collections/adhdgirl/minilab/roles/calibre/templates/docker-compose.yaml.j2 @@ -34,3 +34,16 @@ services: # cap_add: # - NET_BIND_SERVICE restart: unless-stopped + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.calibre.rule: Host(`calibre.local.cobb.lgbt`) + traefik.http.routers.calibre.entryPoints: websecure + traefik.http.routers.calibre.tls.certResolver: letsEncrypt + traefik.http.routers.calibre.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/immich/files/docker-compose.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/immich/files/docker-compose.yaml index 8215d22..20298f0 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/immich/files/docker-compose.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/immich/files/docker-compose.yaml @@ -31,6 +31,15 @@ services: restart: always healthcheck: disable: false + networks: + - traefik + - immich-internal + labels: + traefik.enable: "true" + traefik.http.routers.immich.rule: Host(`immich.local.cobb.lgbt`) + traefik.http.routers.immich.entryPoints: websecure + traefik.http.routers.immich.tls.certResolver: letsEncrypt + traefik.http.routers.immich.observability.metrics: "true" immich-machine-learning: container_name: immich_machine_learning @@ -47,6 +56,8 @@ services: restart: always healthcheck: disable: false + networks: + - immich-internal redis: container_name: immich_redis 
@@ -54,6 +65,8 @@ services: healthcheck: test: redis-cli ping || exit 1 restart: always + networks: + - immich-internal database: container_name: immich_postgres @@ -72,6 +85,15 @@ services: restart: always healthcheck: disable: false + networks: + - immich-internal volumes: model-cache: + +networks: + traefik: + name: traefik + external: true + immich-internal: + name: immich-internal diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/ntfy/templates/docker-compose.yaml.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/ntfy/templates/docker-compose.yaml.j2 index 597d8d7..85d4b98 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/ntfy/templates/docker-compose.yaml.j2 +++ b/collections/ansible_collections/adhdgirl/minilab/roles/ntfy/templates/docker-compose.yaml.j2 @@ -13,6 +13,8 @@ services: ports: - 8085:80 - 8025:25 + networks: + - traefik healthcheck: # optional: remember to adapt the host:port to your environment test: [ @@ -25,3 +27,15 @@ services: start_period: 40s restart: unless-stopped init: true # needed, if healthcheck is used. Prevents zombie processes + labels: + traefik.enable: 'true' + traefik.http.routers.ntfy.rule: Host(`ntfy.local.cobb.lgbt`) + traefik.http.routers.ntfy.entryPoints: websecure + traefik.http.routers.ntfy.tls.certResolver: letsEncrypt + traefik.http.routers.ntfy.observability.metrics: 'true' + traefik.http.services.ntfy.loadBalancer.server.port: 80 + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/readeck/files/docker-compose.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/readeck/files/docker-compose.yaml index 1c645a0..527e608 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/readeck/files/docker-compose.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/readeck/files/docker-compose.yaml 
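Review bot: In the ntfy hunk, `traefik.enable: 'true'` and `traefik.http.routers.ntfy.observability.metrics: 'true'` use single quotes while every other compose file in this commit writes the same labels as `"true"`; pick one style across the roles. `traefik.http.services.ntfy.loadBalancer.server.port: 80` is needed because the container exposes both 80 and 25, but it is the only label here written as a bare number; `"80"` keeps the whole mapping string-typed regardless of how the Compose version in use handles numeric label values. The published `8085:80` and `8025:25` mappings share the bypass point raised on the homarr hunk.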
@@ -15,3 +15,16 @@ services: interval: 30s timeout: 2s retries: 3 + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.readeck.rule: Host(`readeck.local.cobb.lgbt`) + traefik.http.routers.readeck.entryPoints: websecure + traefik.http.routers.readeck.tls.certResolver: letsEncrypt + traefik.http.routers.readeck.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/technitium/templates/docker-compose_yaml.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/technitium/templates/docker-compose_yaml.j2 new file mode 100644 index 0000000..464e5e0 --- /dev/null +++ b/collections/ansible_collections/adhdgirl/minilab/roles/technitium/templates/docker-compose_yaml.j2 
@@ -0,0 +1,55 @@ +services: + dns-server: + container_name: dns-server + hostname: dns-server + image: docker.io/technitium/dns-server:latest + ports: + # - "5380:5380/tcp" #DNS web console (HTTP) + # - "53443:53443/tcp" #DNS web console (HTTPS) + - "53:53/udp" #DNS service + - "53:53/tcp" #DNS service + # - "853:853/udp" #DNS-over-QUIC service + # - "853:853/tcp" #DNS-over-TLS service + # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + # - "67:67/udp" #DHCP service + environment: + - DNS_SERVER_DOMAIN=local.cobb.lgbt #The primary domain name used by this DNS Server to identify itself. + - DNS_SERVER_ADMIN_PASSWORD=${SERVER_ADMIN_PASSWORD} #DNS web console admin user password. + # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user. + # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. + # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode. + - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. + # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. + - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. 
+ # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PATH=/etc/dns/tls/cert.pfx #The file path to the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PASSWORD=password #The password for the TLS certificate for the DNS web console. + - DNS_SERVER_WEB_SERVICE_HTTP_TO_TLS_REDIRECT=false #Enables HTTP to HTTPS redirection for the DNS web console. + - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=true #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL. + # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option. + # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + - DNS_SERVER_ENABLE_BLOCKING=true #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. + # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. 
+ # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. + - DNS_SERVER_FORWARDERS=1.1.1.1, 9.9.9.9 #Comma separated list of forwarder addresses. + - DNS_SERVER_FORWARDER_PROTOCOL=Udp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. + - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. + - DNS_SERVER_LOG_FOLDER_PATH=/var/log/technitium/dns #The folder path on the server where the log files should be saved. + # - DNS_SERVER_LOG_MAX_LOG_FILE_DAYS=365 #Max number of days to keep the log files. Log files older than the specified number of days will be deleted automatically. Set 0 to disable auto delete. + # - DNS_SERVER_STATS_ENABLE_IN_MEMORY_STATS=false #This option will enable in-memory stats and only Last Hour data will be available on Dashboard. No stats data will be stored on disk. + # - DNS_SERVER_STATS_MAX_STAT_FILE_DAYS=365 #Max number of days to keep the dashboard stats. Stat files older than the specified number of days will be deleted automatically. Set 0 to disable auto delete. + volumes: + - config:/etc/dns + - logs:/var/log/technitium/dns + restart: unless-stopped + sysctls: + - net.ipv4.ip_local_port_range=1024 65535 #remove when using "host" network mode + +volumes: + config: + logs: diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/termix/files/docker-compose.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/termix/files/docker-compose.yaml index 81fc102..d6b425d 100644 --- a/collections/ansible_collections/adhdgirl/minilab/roles/termix/files/docker-compose.yaml +++ b/collections/ansible_collections/adhdgirl/minilab/roles/termix/files/docker-compose.yaml 
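Review bot: `DNS_SERVER_ADMIN_PASSWORD=${SERVER_ADMIN_PASSWORD}` hands the web-console admin password to the container as an environment variable, where it is readable by anything that can call `docker inspect` — including the Traefik container, which this same commit gives the Docker socket. The image's own `DNS_SERVER_ADMIN_PASSWORD_FILE` option (commented out two lines below) reads the password from a mounted file or Compose secret instead, so prefer that form and drop the env-var one. Nothing in this diff defines `SERVER_ADMIN_PASSWORD` or a `.env` file for Compose interpolation; an unset variable expands to an empty string, so either the technitium role's tasks (not in this diff) must set it or the reference should be `${SERVER_ADMIN_PASSWORD:?}` so the stack refuses to start without it. The file is also named `docker-compose_yaml.j2` while every other role uses `docker-compose.yaml.j2`, and it contains no Jinja expressions, so it could live in `files/` as a plain compose file.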
@@ -5,8 +5,21 @@ services: container_name: termix restart: unless-stopped ports: - - '8082:8080' + - "8082:8080" volumes: - /opt/termix/data:/app/data environment: - PORT: '8080' + PORT: "8080" + networks: + - traefik + labels: + traefik.enable: "true" + traefik.http.routers.termix.rule: Host(`termix.local.cobb.lgbt`) + traefik.http.routers.termix.entryPoints: websecure + traefik.http.routers.termix.tls.certResolver: letsEncrypt + traefik.http.routers.termix.observability.metrics: "true" + +networks: + traefik: + name: traefik + external: true diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/routers.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/routers.yaml new file mode 100644 index 0000000..cf8fbbd --- /dev/null +++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/files/routers.yaml @@ -0,0 +1,55 @@ +--- +http: + routers: + dashboard: + entryPoints: + - websecure + rule: "Host(`traefik-dashboard.local.cobb.lgbt`)" + tls: + certResolver: letsEncrypt + observability: + metrics: true + service: api@internal + middlewares: + - known-ips@file + - dashboard-auth@file + proxmox: + entryPoints: + - websecure + rule: "Host(`pve.local.cobb.lgbt`)" + tls: + certResolver: letsEncrypt + observability: + metrics: true + service: proxmox@file + middlewares: + - known-ips@file + home-assistant: + entryPoints: + - websecure + rule: "Host(`ha.local.cobb.lgbt`)" + tls: + certResolver: letsEncrypt + observability: + metrics: true + service: home-assistant@file + truenas: + entryPoints: + - websecure + rule: "Host(`truenas.local.cobb.lgbt`)" + tls: + certResolver: letsEncrypt + observability: + metrics: true + service: truenas@file + middlewares: + - known-ips@file + frigate: + entryPoints: + - websecure + rule: "Host(`frigate.local.cobb.lgbt`)" + tls: + certResolver: letsEncrypt + observability: + metrics: true + service: frigate@file 
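Review bot: In routers.yaml the `home-assistant` and `frigate` routers carry no `middlewares`, while `dashboard`, `proxmox` and `truenas` are all restricted to `known-ips@file`; if the omission is intentional (for example Home Assistant is reached from outside the private ranges) it deserves a comment, otherwise add `middlewares:` / `- known-ips@file` to both. All five routers reference `@file` services that only exist once `dynamic/services.yaml` is templated by the tasks file, so this file is not usable on its own — a header comment naming that dependency would save a confused deploy. The termix hunk above shares the published-ports point raised on the homarr hunk.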
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/tasks/main.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/tasks/main.yaml new file mode 100644 index 0000000..3b85e92 --- /dev/null +++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/tasks/main.yaml 
@@ -0,0 +1,68 @@
+---
+- name: Load distro-specific variables
+ ansible.builtin.include_vars: "{{ item }}"
+ tags: always
+ with_first_found:
+ - files:
+ - "{{ ansible_facts['distribution'] }}.yaml"
+ skip: true
+
+- name: Ensure Traefik is running on this device
+ block:
+ - name: Load IP addresses for other hosts
+ tags: packages,traefik,network
+ ansible.builtin.set_fact:
+ traefik_adguard_address: "{{ hostvars['adguard']['ansible_host'] }}"
+ traefik_nemetona_address: "{{ hostvars['nemetona']['ansible_host'] }}"
+ traefik_pve_address: "{{ hostvars['pve']['ansible_host'] }}"
+ traefik_code_address: "{{ hostvars['stephanie']['ansible_host'] }}"
+ traefik_home_assistant_address: "{{ hostvars['home_assistant']['ansible_host'] }}"
+ traefik_frigate_address: "{{ hostvars['curren']['ansible_host'] }}"
+ traefik_truenas_address: "{{ hostvars['mors']['ansible_host'] }}"
+ cacheable: true
+ - name: Ensure presense of folders for Traefik
+ tags: packages,docker,traefik
+ ansible.builtin.file:
+ path: "/opt/traefik/{{ item }}"
+ state: directory
+ recurse: true
+ owner: 1000
+ group: 1000
+ loop:
+ - dynamic
+ - lets-encrypt
+ - name: Ensure config templates are available
+ tags: traefik,settings
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "/opt/traefik/{{ item.dest }}"
+ owner: 1000
+ group: 1000
+ mode: u=rw,g=r,o=r
+ loop:
+ - { src: "traefik-compose.j2", dest: "docker-compose.yaml" }
+ - { src: "cloudflare.env.j2", dest: "cloudflare.env" }
+ - { src: "traefik.yaml.j2", dest: "traefik.yaml" }
+ - { src: "middlewares.yaml.j2", dest: "dynamic/middlewares.yaml" }
+ - { src: "services.yaml.j2", dest: "dynamic/services.yaml" }
+ - name: Ensure dynamic configs are available to the server
+ tags: traefik,settings
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /opt/traefik/dynamic/{{ item }}
+ owner: 1000
+ group: 1000
+ mode: u=rw,g=r,o=r
+ loop:
+ - routers.yaml
+ - name: Ensure docker containers are pulled and running
+ tags: docker,traefik
+ community.docker.docker_compose_v2:
+ project_src: /opt/traefik
+ pull: policy
+ recreate: always
+
+ rescue:
+ - name: Set that this task failed # noqa: var-naming[no-role-prefix]
+ ansible.builtin.set_fact:
+ task_failed: true
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/cloudflare.env.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/cloudflare.env.j2
new file mode 100644
index 0000000..8a084fc
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/cloudflare.env.j2
@@ -0,0 +1 @@
+CF_DNS_API_TOKEN={{ traefik_cobblgbt_key }}
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/middlewares.yaml.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/middlewares.yaml.j2
new file mode 100644
index 0000000..117776c
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/middlewares.yaml.j2
@@ -0,0 +1,27 @@
+---
+http:
+ middlewares:
+ redirect:
+ redirectScheme:
+ scheme: https
+ corsAll:
+ headers:
+ accessControlAllowMethods:
+ - "GET"
+ - "OPTIONS"
+ - "PUT"
+ accessControlAllowHeaders:
+ - "*"
+ accessControlAllowOriginList:
+ - "*"
+ accessControlMaxAge: 100
+ addVaryHeader: true
+ known-ips:
+ ipallowlist:
+ sourcerange:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/24
+ dashboard-auth:
+ basicauth:
+ users: "admin:{{ traefik_dashboard_basicauth }}"
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/services.yaml.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/services.yaml.j2
new file mode 100644
index 0000000..aeb8b4c
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/services.yaml.j2
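Review bot: `mode: u=rw,g=r,o=r` on the `Ensure config templates are available` task makes `cloudflare.env` (which renders the Cloudflare DNS API token) and `traefik.yaml` (which renders the Valkey password) world-readable on the host. Give the secret-bearing files their own mode, e.g. `mode: "{{ item.mode | default('u=rw,g=r,o=r') }}"` on the task and `mode: "u=rw,g=,o="` added to the cloudflare.env and traefik.yaml loop items; the `lets-encrypt` directory created by the `file` task likewise gets no `mode` and could be `u=rwx,g=,o=` since only the container needs it. The `Load IP addresses for other hosts` task duplicates the caddy role's block, and `traefik_adguard_address` and `traefik_nemetona_address` are not used by any template in this commit (traefik.yaml hard-codes `nemetona.local.cobb.lgbt:6379`), so they could be dropped.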
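Review bot: In middlewares.yaml, `known-ips.ipallowlist.sourcerange` lists the full `10.0.0.0/8` and `172.16.0.0/12` blocks but only `192.168.0.0/24` for the third private range; if the intent is "any RFC 1918 address" that entry should be `- 192.168.0.0/16`, and if a single /24 is meant the asymmetry deserves a comment. `corsAll` allows `*` origins and `*` headers and is referenced by no router in routers.yaml, so it is dormant config that would become a wide-open CORS policy the moment someone attaches it; drop it or comment what it is reserved for. `redirect` duplicates the `web` entrypoint's `redirections` block in traefik.yaml and is also unreferenced.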
@@ -0,0 +1,29 @@
+---
+http:
+ serversTransports:
+ insecureTransport:
+ insecureSkipVerify: true
+ services:
+ proxmox:
+ loadBalancer:
+ passHostHeader: true
+ servers:
+ - url: "http://{{ traefik_pve_address }}:9000"
+ home-assistant:
+ loadBalancer:
+ servers:
+ - url: "http://{{ traefik_home_assistant_address }}:8123"
+ coder:
+ loadBalancer:
+ servers:
+ - url: "http://{{ traefik_code_address }}:8443"
+ truenas:
+ loadBalancer:
+ serversTransport: insecureTransport
+ servers:
+ - url: "https://{{ traefik_truenas_address }}:443"
+ frigate:
+ loadBalancer:
+ serversTransport: insecureTransport
+ servers:
+ - url: "https://{{ traefik_frigate_address }}:8971"
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik-compose.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik-compose.j2
new file mode 100644
index 0000000..fe8ab95
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik-compose.j2
@@ -0,0 +1,29 @@
+---
+services:
+ traefik:
+ image: traefik:v3.7
+ container_name: traefik
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - traefik
+ ports:
+ - "80:80"
+ - "443:443"
+ env_file:
+ - path: /opt/traefik/cloudflare.env
+ required: true
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /opt/traefik/dynamic:/dynamic:ro
+ - /opt/traefik/lets-encrypt:/lets-encrypt
+ - /opt/traefik/traefik.yaml:/traefik.yaml
+ command:
+ - "--configfile=/traefik.yaml"
+ labels:
+ - "traefik.enable=true"
+
+networks:
+ traefik:
+ name: traefik
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik.yaml.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik.yaml.j2
new file mode 100644
index 0000000..d5ad239
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/templates/traefik.yaml.j2
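Review bot: The `proxmox` service targets `http://{{ traefik_pve_address }}:9000`, but the Caddyfile in this same commit reaches the Proxmox host at `{{ caddy_pve_address }}:8006` over HTTPS with `tls_insecure_skip_verify`, and 9000 is the port the Caddyfile uses for authentik on nemetona; this looks like a copy-paste slip and should probably be `- url: "https://{{ traefik_pve_address }}:8006"` with `serversTransport: insecureTransport` like truenas and frigate. The `coder` service is defined but no router in routers.yaml references it. `insecureTransport` disables certificate verification for every service attached to it; if the TrueNAS, Frigate and Proxmox certificates come from an internal CA, `serversTransports.insecureTransport.rootCAs` pointing at that CA would keep verification on instead of `insecureSkipVerify: true`.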
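Review bot: In traefik-compose.j2, mounting `/var/run/docker.sock` with `:ro` only makes the socket file read-only; the Docker API behind it is fully usable, so the Traefik container, which is the one published on 80/443 to the network, keeps root-equivalent control of the host if it is ever compromised. The usual mitigation is a socket proxy that only forwards the read-only container/event calls the docker provider needs; failing that, a comment on the mount recording the accepted trade-off is the minimum. `/opt/traefik/traefik.yaml:/traefik.yaml` could also be `:ro` like the dynamic directory. This file creates the `traefik` network without `external: true` while every other compose file in the commit declares it external, so this stack must be up before any of them; a comment on `networks:` saying so would prevent a puzzling first deploy.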
@@ -0,0 +1,58 @@
+---
+log:
+ level: DEBUG
+accessLog:
+ filters:
+ statusCodes:
+ - "200"
+ - "300-302"
+ retryAttempts: true
+ minDuration: "10ms"
+api:
+ dashboard: true
+ insecure: false
+metrics:
+ prometheus: {}
+
+providers:
+ docker:
+ watch: true
+ endpoint: unix:///var/run/docker.sock
+ exposedByDefault: false
+ network: traefik
+ file:
+ directory: /dynamic
+ watch: true
+ redis:
+ endpoints:
+ - "nemetona.local.cobb.lgbt:6379"
+ username: traefik
+ password: {{ traefik_valkey_auth_pass }}
+
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ permanent: true
+ observability:
+ accessLogs: false
+ metrics: false
+ tracing: false
+
+ websecure:
+ address: :443
+ http:
+ tls: {}
+
+certificatesResolvers:
+ letsEncrypt:
+ acme:
+ dnsChallenge:
+ provider: cloudflare
+ email: annika@adhdgirl.dev
+ storage: /lets-encrypt/acme.json
+ # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/traefik/vars/main.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/vars/main.yaml
new file mode 100644
index 0000000..f031f9b
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/traefik/vars/main.yaml
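Review bot: `password: {{ traefik_valkey_auth_pass }}` under `providers.redis` is rendered unquoted, so a secret that contains `: ` or ` #`, starts with `*`, `&`, `[` or `{`, or looks numeric is mis-parsed by Traefik's YAML loader instead of being sent as the password; `password: {{ traefik_valkey_auth_pass | to_json }}` emits a correctly escaped quoted string for any value. The access-log filter keeps only `200` and `300-302`, which is the inverse of what detection needs — the 401/403/404 and 5xx lines that show credential guessing, scanning and broken backends are dropped — while `log.level: DEBUG` writes request details for everything else; `statusCodes: ["400-499", "500-599"]` (or no status filter) and `level: INFO` once the setup works would be the usual choice. The redis provider speaks plain TCP to `nemetona.local.cobb.lgbt:6379` with a username and password, which is only acceptable if that name resolves to the same host as this container (minilab.yaml suggests it does); a comment stating that assumption would help.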
@@ -0,0 +1,30 @@
+---
+traefik_cobblgbt_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32396232646666616261393537613662386165353765323763353739343232323363636331656338
+ 3133323662636436326535323637633261313163366237300a383865393032326331336335636262
+ 30646461653832323262373863646261333865613763356365666130636262636430616238643538
+ 3039316461356630620a323536643638396164303965346465356563326131663939633236343532
+ 61363338313435316334616462376433643732343936316437656165373961306438393665343265
+ 3132636333313635633533353461333236666561363865653236
+traefik_valkey_auth_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61343838393634376266333639646239363362396133363238393830306561626362623734333464
+ 6634346639363361353965386339396331363463323265390a646565366634326539356631393838
+ 30613564383635303731316365366262333530313030303866656235643061623263623133346264
+ 3561316334363561630a663234383633336161383439633538316162656462653833343731373366
+ 61323038656631663236666265383031376561653535653062666262633939396431336632393537
+ 37346263393637653933373263346362383634363461363966393831643035383061326330343035
+ 61333462313933333533626432666634633835373733613365623937346438663866396666373038
+ 64643333663565636530363138643465613333313034656437366333643762316239376633303431
+ 32366335663865316366626231633237326633393334343130343738326265303861663333353637
+ 34373136303933383236326133633035326530626430393762383337373531643761393166643933
+ 616361656162353561636639363637636137
+traefik_dashboard_basicauth: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34376233363435633734353965336332346335613234336565653633333265386634336335303135
+ 6265613466353333623830653764366234343036393463310a356338306162633661363939653633
+ 64376562363633626366663663666436393739323131323464613263613462323664323664666562
+ 3835363566666537340a353262366536626335653034623236306162633031616533653065613638
+ 37303063393365306332656565393661653563343461396264396538616539643236656163303431
+ 6533646238316539363632383936646339303162636137316263
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/udpbroadcastrelay/tasks/main.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/udpbroadcastrelay/tasks/main.yaml
new file mode 100644
index 0000000..96b79da
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/udpbroadcastrelay/tasks/main.yaml
@@ -0,0 +1,27 @@
+---
+- name: Load distro-specific variables
+ ansible.builtin.include_vars: "{{ item }}"
+ tags: always
+ with_first_found:
+ - files:
+ - "{{ ansible_facts['distribution'] }}.yaml"
+ skip: true
+
+- name: Ensure udpbroadcastrelay is properly built for and installed
+ block:
+ - name: Get current version
+ ansible.builtin.shell:
+ cmd:
+ "git describe --tags --exact-match 2>/dev/null || git rev-parse --short
+ HEAD"
+ chdir: { { udpbroadcastrelay_code_dir } }
+ register: udpbroadcastrelay_current_version
+ changed_when: false
+ failed_when: false
+ - name: Fetch source from github
+ tags: packages,git,network
+ ansible.builtin.git:
+ repo: ""
+ dest: "/opt/udpbroadcastrelay"
+ version: "{{ udpbroadcastrelay_tag }}"
+ register:
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/valkey/tasks/main.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/tasks/main.yaml
new file mode 100644
index 0000000..5a315ac
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/tasks/main.yaml
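Review bot: `chdir: { { udpbroadcastrelay_code_dir } }` is no longer a Jinja expression — a formatter split `{{ }}` into nested flow mappings, so YAML hands Ansible a dict instead of a path and the task either fails or runs `git describe` somewhere else with `failed_when: false` hiding it; write `chdir: "{{ udpbroadcastrelay_code_dir }}"`. The git task has `repo: ""` and a bare `register:`, and the block has no `rescue` unlike the sibling roles, so the role cannot run as committed; when the URL is filled in, prefer pinning `version` to a commit hash rather than a movable tag, since whatever is fetched gets built and installed on the host. The double-quoted `cmd` folded across two lines does rejoin as `--short HEAD`, but a `>-` block scalar would make that intent visible.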
@@ -0,0 +1,49 @@
+---
+- name: Load distro-specific variables
+ ansible.builtin.include_vars: "{{ item }}"
+ tags: always
+ with_first_found:
+ - files:
+ - "{{ ansible_facts['distribution'] }}.yaml"
+ skip: true
+
+- name: Ensure Valkey is running on this device
+ block:
+ - name: Ensure presense of folders for Valkey
+ tags: packages,docker,valkey
+ ansible.builtin.file:
+ path: "/opt/valkey/{{ item }}"
+ state: directory
+ recurse: true
+ owner: 1000
+ group: 1000
+ loop:
+ - persist
+ - config
+ - name: Ensure compose file is available on the server
+ tags: docker,valkey,settings
+ ansible.builtin.template:
+ src: valkey-compose.j2
+ dest: /opt/valkey/docker-compose.yaml
+ owner: 1000
+ group: 1000
+ mode: u=rw,g=r,o=r
+ - name: Ensure environment file is available on the server
+ tags: docker,valkey,settings
+ ansible.builtin.template:
+ src: valkey_conf.j2
+ dest: /opt/valkey/config/valkey.conf
+ owner: 1000
+ group: 1000
+ mode: u=rw,g=,o=
+ - name: Ensure docker containers are pulled and running
+ tags: docker,valkey
+ community.docker.docker_compose_v2:
+ project_src: /opt/valkey
+ pull: policy
+ recreate: always
+
+ rescue:
+ - name: Set that this task failed # noqa: var-naming[no-role-prefix]
+ ansible.builtin.set_fact:
+ task_failed: true
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey-compose.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey-compose.j2
new file mode 100644
index 0000000..7d5e801
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey-compose.j2
@@ -0,0 +1,15 @@
+---
+services:
+ valkey:
+ image: valkey/valkey:9.1.0
+ container_name: valkey
+ restart: unless-stopped
+ user: 1000:1000
+ ports:
+ - "6379:6379"
+ volumes:
+ - /opt/valkey/persist:/data
+ - /opt/valkey/config:/usr/local/etc/valkey
+ command:
+ - "valkey-server"
+ - "/usr/local/etc/valkey/valkey.conf"
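Review bot: The third task is named `Ensure environment file is available on the server` but what it writes is `valkey.conf`, the ACL/config file that carries the Valkey password, and the first task name spells "presence" as `presense`; `- name: Ensure Valkey config file is available on the server` and `- name: Ensure presence of folders for Valkey` would read correctly and match the sibling traefik role. The `mode: u=rw,g=,o=` on that file is the right choice for a secret-bearing config.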
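Review bot: `- "6379:6379"` publishes Valkey on every interface of nemetona, and Docker's published ports are commonly inserted ahead of host firewall rules, so the instance is reachable from anything that can reach the host, guarded only by the ACL password in valkey.conf. The only consumer in this change is Traefik on the same host (minilab.yaml runs both roles on nemetona), so the service can join the existing `traefik` network and the published port can go away, with `providers.redis.endpoints` in traefik.yaml.j2 pointing at `valkey:6379`; if another host must reach it, bind to that interface only (`- "<lan-ip>:6379:6379"`, placeholder) and enable TLS on the Valkey side. The file also omits the `security_opt: no-new-privileges:true` line the traefik compose file sets, so the two are inconsistent.
```yaml
services:
  valkey:
    # … unchanged: image, container_name, restart, user …
    networks:
      - traefik
    # ports: dropped; only Traefik on the same host needs to reach Valkey
    # … unchanged: volumes, command …

networks:
  traefik:
    external: true
```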
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey_conf.j2 b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey_conf.j2
new file mode 100644
index 0000000..eeddacc
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/templates/valkey_conf.j2
@@ -0,0 +1,2 @@
+# Do config things
+user traefik on +@all ~* &* >{{ valkey_traefik_auth_pass }}
diff --git a/collections/ansible_collections/adhdgirl/minilab/roles/valkey/vars/main.yaml b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/vars/main.yaml
new file mode 100644
index 0000000..32afcfe
--- /dev/null
+++ b/collections/ansible_collections/adhdgirl/minilab/roles/valkey/vars/main.yaml
@@ -0,0 +1,14 @@
+---
+valkey_traefik_auth_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61343838393634376266333639646239363362396133363238393830306561626362623734333464
+ 6634346639363361353965386339396331363463323265390a646565366634326539356631393838
+ 30613564383635303731316365366262333530313030303866656235643061623263623133346264
+ 3561316334363561630a663234383633336161383439633538316162656462653833343731373366
+ 61323038656631663236666265383031376561653535653062666262633939396431336632393537
+ 37346263393637653933373263346362383634363461363966393831643035383061326330343035
+ 61333462313933333533626432666634633835373733613365623937346438663866396666373038
+ 64643333663565636530363138643465613333313034656437366333643762316239376633303431
+ 32366335663865316366626231633237326633393334343130343738326265303861663333353637
+ 34373136303933383236326133633035326530626430393762383337373531643761393166643933
+ 616361656162353561636639363637636137
diff --git a/inventory/hosts.yaml b/inventory/hosts.yaml
index 7573c90..a414ba7 100644
--- a/inventory/hosts.yaml
+++ b/inventory/hosts.yaml
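Review bot: The ACL line grants `traefik` `+@all`, but nothing in the file touches the `default` user, which Valkey ships enabled with `nopass`; together with the published port in valkey-compose.j2 that leaves an unauthenticated superuser reachable on the network (protected-mode normally refuses non-loopback connections while default is passwordless, but then the traefik user cannot connect from its container either, so one of the two has to be set explicitly). Add `user default off` and `protected-mode yes` beside the existing line, and narrow the traefik user from `+@all` to the command categories the redis provider actually needs — reads and keyspace notifications as far as I can tell, but confirm against the provider docs before restricting it. `# Do config things` describes nothing; `# ACL for Traefik's redis provider; password rendered from valkey_traefik_auth_pass (vault)` would. The secret is also written as an unquoted argument, so a value containing whitespace would split the ACL line; keep the generated secret whitespace-free or double-quote the `>` argument.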
@@ -5,10 +5,6 @@ all:
ansible_host: 10.69.10.10
adguardpi:
ansible_host: 10.69.10.11
- # maxim:
- # ansible_host: 10.69.10.50
- # pump:
- # ansible_host: 10.69.10.51
fifi:
ansible_host: 10.69.10.100
knivi:
@@ -27,6 +23,12 @@ all:
ansible_host: 10.69.10.51
emosen:
ansible_host: 10.69.10.54
+ pve:
+ ansible_host: 10.69.1.7
+ home_assistant:
+ ansible_host: 10.69.10.199
+ mors:
+ ansible_host: 10.69.10.30
children:
alpine:
hosts:
@@ -38,26 +40,20 @@ all:
debian:
hosts:
adguardpi:
- # maxim:
- # pump:
fifi:
knivi:
reir:
- # trady:
curren:
docker:
hosts:
adguard:
adguardpi:
- # pump:
- # trady:
stephanie:
nemetona:
curren:
ida:
unifi_controller:
hosts:
- # pump:
adguard_servers:
hosts:
adguard:
diff --git a/minilab.yaml b/minilab.yaml
index b3c2ddc..b67a634 100644
--- a/minilab.yaml
+++ b/minilab.yaml
@@ -49,11 +49,12 @@
- adhdgirl.minilab.coder
- name: Configure nemetona
hosts: nemetona
- tags: docker,authentik,caddy
+ tags: docker,authentik,caddy,ntfy
become: true
roles:
+ - adhdgirl.minilab.traefik
- adhdgirl.minilab.authentik
- - adhdgirl.minilab.caddy
+ # - adhdgirl.minilab.caddy
- adhdgirl.minilab.arr
- adhdgirl.minilab.ntfy
- adhdgirl.minilab.cloudflared
@@ -61,6 +62,7 @@
- adhdgirl.minilab.immich
- adhdgirl.minilab.readeck
- adhdgirl.minilab.calibre
+ - adhdgirl.minilab.valkey
- name: Configure frigate
hosts: curren
tags: docker,frigate
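Review bot: `- adhdgirl.minilab.traefik` is ordered before `- adhdgirl.minilab.valkey` (added in the last hunk), but traefik.yaml.j2 configures a redis provider that connects to Valkey on startup, so on a fresh host the Traefik container comes up before its backend exists and logs provider errors until it reconnects, if it retries at all; moving the valkey role above traefik fixes the first-run order. The `tags:` line still lists `caddy` although the caddy role is now commented out, and mentions neither `traefik` nor `valkey`; `tags: docker,authentik,traefik,valkey,ntfy` would describe what the play actually runs. A short comment on the commented-out caddy line saying whether it is retired or pending removal would stop it lingering.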