/infra

IaC for my Linux/Unix machines

Primary LanguageJinjaDo What The F*ck You Want To Public LicenseWTFPL

notthebee/infra

WARNING: I don't use this playbook to configure my system anymore, since I switched to Unraid

An Ansible playbook that sets up an Ubuntu-based home media server/NAS with reasonable security, auto-updates, e-mail notifications for S.M.A.R.T. and Snapraid errors and dynamic DNS.

It assumes a fresh Ubuntu Server 20.04 install, access to a non-root user with sudo privileges and a public SSH key. This can be configured during the installation process.

The playbook is mostly being developed for personal use, so stuff is going to be constantly changing and breaking. Use at your own risk and don't expect any help in setting it up on your machine.

Special thanks

  • David Stephens for his Ansible NAS project. This is where I got the idea and "borrowed" a lot of concepts and implementations from.
  • Jeff Geerling for his book, Ansible for DevOps and his Ansible 101 series on YouTube.
  • Jonathan Hanson for his SSH port juggling implementation.
  • Alex Kretzschmar and Chris Fisher from Self Hosted Show for introducing me to the idea of Infrastracture as Code
  • TylerAlterio for the mergerfs role
  • Jake Howard and Alex Kretzschmar for the snapraid role

Services included:

Media

  • Plex (A media server)
  • Jellyfin (Yet another media server)
  • Radarr (A movie tracker/downloader)
  • Jackett (A torrent/NZB indexer)
  • Booksonic (An audiobook server)
  • Sonarr (A TV show tracker/downloader)
  • arch-delugevpn (An Arch Linux container running Deluge and an Wireguard/OpenVPN client with a kill switch)

Services

Misc

  • Watchtower (An automated updater for Docker images)
  • DuckDNS (A dynamic DNS client for DuckDNS)
  • SWAG (A reverse proxy with built-in support for dynamic DNS, Certbot and fail2ban)
  • bunkerized-nginx (A NGINX-based web server focused on security)

Home Automation

Other features:

  • MergerFS with Snapraid
  • Samba
  • Fail2Ban for Nextcloud, Vaultwarden and endlessh with Cloudflare support
  • CrowdSec with the iptables bouncer
  • endlessh

Usage

Install Ansible (macOS):

brew install ansible

Clone the repository:

git clone https://github.com/notthebee/infra

Create a host varialbe file and adjust the variables:

cd infra/
mkdir -p host_vars/YOUR_HOSTNAME
vi host_vars/YOUR_HOSTNAME/vars.yml

Create a Keychain item for your Ansible Vault password (on macOS):

security add-generic-password \
               -a YOUR_USERNAME \
               -s ansible-vault-password \
               -w

The pass.sh script will extract the Ansible Vault password from your Keychain automatically each time Ansible requests it.

Create an encrypted secret.yml file and adjust the variables:

ansible-vault create host_vars/YOUR_HOSTNAME/secret.yml
ansible-vault edit host_vars/YOUR_HOSTNAME/secret.yml

Add your custom inventory file to hosts:

cp hosts_example hosts
vi hosts

Install the dependencies:

ansible-galaxy install -r requirements.yml

Finally, run the playbook:

ansible-playbook run.yml -l your-host-here -K

The "-K" parameter is only necessary for the first run, since the playbook configures passwordless sudo for the main login user

For consecutive runs, if you only want to update the Docker containers, you can run the playbook like this:

ansible-playbook run.yml --tags="port,containers"