inital commit

2022-10-30 14:01:10 -05:00
commit 9506f24bcc
30 changed files with 769 additions and 0 deletions
--- a/tasks/deluge.yaml
+++ b/tasks/deluge.yaml
@@ -0,0 +1,15 @@
+---
+- name: Make deluge dir
+  file:
+    name: /infra/deluge/config
+    state: directory
+    owner: 1000
+
+- name: Copy deluge docker-compose
+  copy:
+    src: static/docker/deluge.yaml
+    dest: /infra/deluge/docker-compose.yaml
+
+- name: Build & start deluge
+  community.docker.docker_compose:
+    project_src: /infra/deluge
--- a/tasks/essential.yaml
+++ b/tasks/essential.yaml
@@ -0,0 +1,43 @@
+---
+- name: Upgrade Packages
+  apt:
+    update_cache: yes
+    upgrade: full
+
+- name: Install required software
+  package:
+    name:
+      - apache2-utils
+      - python3-passlib
+      - nginx
+      - fail2ban
+      - docker
+      - docker-compose
+      - ufw
+      - curl
+      - python3-certbot-nginx
+
+- name: Make downloads directory
+  file:
+    name: /infra/downloads
+    state: directory
+    owner: 1000
+
+- name: Make downloads/movies directory
+  file:
+    name: /infra/downloads/movies
+    state: directory
+    owner: 1000
+
+- name: Make downloads/tvshows directory
+  file:
+    name: /infra/downloads/tvshows
+    state: directory
+    owner: 1000
+
+- name: Make infra user
+  user:
+    name: infra
+    comment: infrastructure
+    uid: 1000
+    state: present
--- a/tasks/firewall.yaml
+++ b/tasks/firewall.yaml
@@ -0,0 +1,45 @@
+---
+- name: Allow port 22
+  community.general.ufw:
+    rule: allow
+    port: '22'
+    proto: tcp
+
+- name: Allow port 80
+  community.general.ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+
+- name: Allow port 443
+  community.general.ufw:
+    rule: allow
+    port: '443'
+    proto: tcp
+
+- name: Allow port 6881
+  community.general.ufw:
+    rule: allow
+    port: '6881'
+    proto: tcp
+
+- name: Allow port 6881/udp
+  community.general.ufw:
+    rule: allow
+    port: '6881'
+    proto: udp
+
+- name: Startup UFW
+  community.general.ufw:
+    state: enabled
+
+- name: Copy fail2ban jail config
+  copy:
+    src: static/fail2ban/jails.local
+    dest: /etc/fail2ban/jail.d/jails.local
+
+- name: Enable fail2ban service
+  systemd:
+    name: fail2ban
+    enabled: yes
+    state: started
--- a/tasks/homer.yaml
+++ b/tasks/homer.yaml
@@ -0,0 +1,15 @@
+---
+- name: Copy homer dir
+  copy:
+    src: static/homer
+    dest: /infra
+    owner: 1000
+
+- name: Copy homer docker-compose
+  copy:
+    src: static/docker/homer.yaml
+    dest: /infra/homer/docker-compose.yaml
+
+- name: Build & start homer
+  community.docker.docker_compose:
+    project_src: /infra/homer
--- a/tasks/jackett.yaml
+++ b/tasks/jackett.yaml
@@ -0,0 +1,22 @@
+---
+- name: Make jackett dir
+  file:
+    name: /infra/jackett/config
+    state: directory
+    owner: 1000
+
+- name: Copy jackett config
+  copy:
+    src: static/Jackett
+    dest: /infra/jackett/config
+    owner: 1000
+    force: no
+
+- name: Copy jackett docker-compose
+  copy:
+    src: static/docker/jackett.yaml
+    dest: /infra/jackett/docker-compose.yaml
+
+- name: Build & start jackett
+  community.docker.docker_compose:
+    project_src: /infra/jackett
--- a/tasks/jellyfin.yaml
+++ b/tasks/jellyfin.yaml
@@ -0,0 +1,21 @@
+---
+- name: Make jellyfin dir
+  file:
+    name: /infra/jellyfin/config
+    state: directory
+    owner: 1000
+
+- name: Copy jellyfin base config
+  copy:
+    src: static/jellyfin/network.xml
+    dest: /infra/jellyfin/config/network.xml
+    owner: 1000
+
+- name: Copy jellyfin docker-compose
+  copy:
+    src: static/docker/jellyfin.yaml
+    dest: /infra/jellyfin/docker-compose.yaml
+
+- name: Build & start jellyfin
+  community.docker.docker_compose:
+    project_src: /infra/jellyfin
--- a/tasks/nginx.yaml
+++ b/tasks/nginx.yaml
@@ -0,0 +1,74 @@
+---
+- name: Remove default nginx config
+  file:
+    name: /etc/nginx/sites-enabled
+    state: absent
+
+- name: Restore nginx/conf.d
+  file:
+    name: /etc/nginx/conf.d
+    state: directory
+
+- name: Install system nginx config
+  copy:
+    src: static/nginx/nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+# helps with proxy-ing services
+- name: Install nginx proxy-control.conf
+  copy:
+    src: static/nginx/proxy-control.conf
+    dest: /etc/nginx/proxy-control.conf
+
+- name: Install nginx restrict-conf.conf
+  template:
+    src: templates/nginx/restrict-auth.conf
+    dest: /etc/nginx/restrict-auth.conf
+
+- name: Install nginx config for site proxies
+  copy:
+    src: static/nginx/sites.conf
+    dest: /etc/nginx/conf.d/sites.conf
+
+# locks down services that shouldn't be public (if enabled)
+- name: Install nginx passwd file
+  htpasswd:
+    path: /etc/nginx/passwdfile
+    name: "{{ auth_username }}"
+    password: "{{ auth_password }}"
+    owner: root
+    group: www-data
+    mode: 0640
+  when: auth_enabled == "y" # only do it when the username is specified
+
+- name: Install updateDuckDNS
+  template:
+    src: templates/updateDuckDNS
+    dest: /infra/updateDuckDNS
+    mode: u+rx
+  when: duck_enabled == "y"
+
+# update duckdns daily
+- name: Install DuckDNS cronjob
+  cron:
+    name: Update DuckDNS
+    minute: 0
+    hour: 1
+    job: /infra/updateDuckDNS
+  when: duck_enabled == "y"
+
+# go ahead and run the update (before running cerbot)
+- name: Setup DuckDNS
+  shell: "/infra/updateDuckDNS"
+  when: duck_enabled == "y"
+
+# certbot is a life saver. thank you certbot devs!
+- name: Setup certbot
+  shell: "certbot --nginx --non-interactive --agree-tos -m do_not_contact@proton.me -d {{ duck_domain }}"
+  when: duck_enabled == "y"
+
+- name: Reload Nginx
+  systemd:
+    name: nginx
+    enabled: yes
+    state: restarted
--- a/tasks/openbooks.yaml
+++ b/tasks/openbooks.yaml
@@ -0,0 +1,21 @@
+---
+- name: Make downloads/books dir
+  file:
+    name: /infra/downloads/books
+    state: directory
+    owner: 1000
+
+- name: Make openbooks dir
+  file:
+    name: /infra/openbooks
+    state: directory
+    owner: 1000
+
+- name: Copy openbooks docker-compose
+  copy:
+    src: static/docker/openbooks.yaml
+    dest: /infra/openbooks/docker-compose.yaml
+
+- name: Build & start openbooks
+  community.docker.docker_compose:
+    project_src: /infra/openbooks
--- a/tasks/radarr.yaml
+++ b/tasks/radarr.yaml
@@ -0,0 +1,16 @@
+---
+- name: Copy radarr dir
+  copy:
+    src: static/radarr
+    dest: /infra
+    owner: 1000
+    force: no
+
+- name: Copy radarr docker-compose
+  copy:
+    src: static/docker/radarr.yaml
+    dest: /infra/radarr/docker-compose.yaml
+
+- name: Build & start radarr
+  community.docker.docker_compose:
+    project_src: /infra/radarr
--- a/tasks/sonarr.yaml
+++ b/tasks/sonarr.yaml
@@ -0,0 +1,16 @@
+---
+- name: Copy sonarr dir
+  copy:
+    src: static/sonarr
+    dest: /infra
+    owner: 1000
+    force: no
+
+- name: Copy sonarr docker-compose
+  copy:
+    src: static/docker/sonarr.yaml
+    dest: /infra/sonarr/docker-compose.yaml
+
+- name: Build & start sonarr
+  community.docker.docker_compose:
+    project_src: /infra/sonarr