dogeystamp
864c1bdfd3
docker is now listening on localhost, with a haproxy on the services server to forward the ports outwards. this is because docker tends to disregard UFW's rules, but haproxy should be better in that regard. meanwhile, the firewall rules have been configured properly to only allow the bastion IP in over the wireguard connection, for proper authentication.
147 lines
2.9 KiB
YAML
147 lines
2.9 KiB
YAML
---
|
|
|
|
- name: Install Docker packages
|
|
community.general.pacman:
|
|
name:
|
|
- docker
|
|
- docker-compose
|
|
|
|
- name: Create docker user
|
|
user:
|
|
name: docker
|
|
group: docker
|
|
|
|
- name: Create Gitea user
|
|
user:
|
|
name: gitea
|
|
register: user_gitea
|
|
when: '"gitea" in group_names'
|
|
|
|
- name: Create Syncthing group
|
|
group:
|
|
name: vault
|
|
state: present
|
|
|
|
- name: Create Syncthing user
|
|
user:
|
|
name: syncthing
|
|
group: vault
|
|
register: user_syncthing
|
|
when: '"syncthing" in group_names'
|
|
|
|
- name: Create Syncthing vault directories
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
owner: syncthing
|
|
group: vault
|
|
mode: "u=rwX,g=rwX,o="
|
|
with_items:
|
|
- "{{ vault_path }}"
|
|
- "{{ archive_path }}"
|
|
|
|
- name: Create Syncthing config directory
|
|
file:
|
|
path: "{{ syncthing_conf_dir }}"
|
|
state: directory
|
|
owner: syncthing
|
|
group: vault
|
|
mode: "u=rwX,g=,o="
|
|
|
|
- name: Add unpriviledged user to file management group
|
|
user:
|
|
name: "{{ username }}"
|
|
append: yes
|
|
groups: vault
|
|
|
|
- name: Create Paperless group
|
|
group:
|
|
name: paperless
|
|
state: present
|
|
register: group_paperless
|
|
|
|
- name: Create Paperless user
|
|
user:
|
|
name: paperless
|
|
group: paperless
|
|
register: user_paperless
|
|
|
|
- name: Create Paperless directories
|
|
file:
|
|
path: "{{ dataroot }}/paperless/{{ item }}"
|
|
state: directory
|
|
owner: paperless
|
|
group: paperless
|
|
mode: "u=rwX,g=,o="
|
|
with_items:
|
|
- data
|
|
- media
|
|
|
|
- name: Create Paperless consume directory
|
|
file:
|
|
path: "{{ dataroot }}/paperless/consume"
|
|
state: directory
|
|
owner: paperless
|
|
group: vault
|
|
mode: "u=rwX,g=rwX,o="
|
|
|
|
- name: Create Paperless .env file
|
|
template:
|
|
src: "paperless.env.j2"
|
|
dest: "{{ docker_compose_dir }}/paperless.env"
|
|
lstrip_blocks: true
|
|
|
|
- name: Create Navidrome user
|
|
user:
|
|
name: navidrome
|
|
register: user_navidrome
|
|
when: '"navidrome" in group_names'
|
|
|
|
- name: Create Navidrome directory
|
|
file:
|
|
path: "{{ dataroot }}/navidrome"
|
|
state: directory
|
|
owner: navidrome
|
|
group: navidrome
|
|
mode: "u=rwX,g=rwX,o="
|
|
|
|
- name: Create music directory
|
|
file:
|
|
path: "{{ music_path }}"
|
|
state: directory
|
|
owner: navidrome
|
|
group: vault
|
|
mode: "u=rwX,g=rwX,o="
|
|
|
|
- name: Create docker-compose directory
|
|
ansible.builtin.file:
|
|
path: "{{ docker_compose_dir }}"
|
|
owner: "{{ admin_username }}"
|
|
group: "{{ admin_username }}"
|
|
state: directory
|
|
|
|
- name: Create Synapse user
|
|
user:
|
|
name: synapse
|
|
register: user_synapse
|
|
when: '"synapse" in group_names'
|
|
|
|
- name: Generate docker-compose.yml
|
|
template:
|
|
src: "docker-compose.yml.j2"
|
|
dest: "{{ docker_compose_dir }}/docker-compose.yml"
|
|
lstrip_blocks: true
|
|
register: generateComp
|
|
|
|
- name: Create systemd unit file
|
|
template:
|
|
src: "docker-compose.service.j2"
|
|
dest: "/etc/systemd/system/docker-compose.service"
|
|
|
|
- name: Compose up (update images if necessary)
|
|
systemd:
|
|
name: docker-compose
|
|
state: reloaded
|
|
enabled: true
|
|
register: compUp
|