IaC for my Linux/Unix machines

notthebee/infra

An Ansible playbook that sets up an Ubuntu-based home media server/NAS with reasonable security, auto-updates, e-mail notifications for S.M.A.R.T. and Snapraid errors and dynamic DNS.

It assumes a fresh Ubuntu Server 20.04 install, access to a non-root user with sudo privileges and a public SSH key. This can be configured during the installation process.

The playbook is mostly being developed for personal use, so stuff is going to be constantly changing and breaking. Use at your own risk and don't expect any help in setting it up on your machine.

Special thanks

• David Stephens for his Ansible NAS project. This is where I got the idea and "borrowed" a lot of concepts and implementations from.
• Jeff Geerling for his book, Ansible for DevOps and his Ansible 101 series on YouTube.
• Jonathan Hanson for his SSH port juggling implementation.
• Alex Kretzschmar and Chris Fisher from Self Hosted Show for introducing me to the idea of Infrastracture as Code
• TylerAlterio for the mergerfs role
• Jake Howard and Alex Kretzschmar for the snapraid role

Services included:

Media

• Plex (A media server)
• Jellyfin (Yet another media server)
• Radarr (A movie tracker/downloader)
• Jackett (A torrent/NZB indexer)
• Sonarr (A TV show tracker/downloader)
• Arch-DelugeVPN (An Arch Linux container running Deluge and an Wireguard/OpenVPN client with a kill switch)

Services

• Authelia (An authentication provider)
• UniFi Controller (A controller for UniFi devices)
• Homer (A static home page)
• Flame (Another static home page)
• Nextcloud (A self-hosted cloud platform)
• PhotoPrism (A photo library)
• PiHole + Unbound (An all-in-one DNS solution with built-in ad-blocking)
• MariaDB (A database server for Nextcloud)
• Vaultwarden (A FOSS Bitwarden fork written in Rust)
• Wireguard (A VPN server)
• IKEv2 (An IKEv2 VPN server for Apple devices)

Misc

• Watchtower (An automated updater for Docker images)
• DuckDNS (A dynamic DNS client for DuckDNS)
• SWAG (A reverse proxy with built-in support for dynamic DNS, Certbot and fail2ban)

Home Automation

• Home Assistant (A FOSS smart home hub)
• Phoscon-GW (A Zigbee gateway)

Other features:

• MergerFS with Snapraid
• Samba

Usage

Install Ansible (macOS):

brew install ansible

Clone the repository:

git clone https://github.com/notthebee/infra

Create a host varialbe file and adjust the variables:

cd infra/ansible
mkdir -p host_vars/YOUR_HOSTNAME
vi host_vars/YOUR_HOSTNAME/vars.yml

Create a Keychain item for your Ansible Vault password (on macOS):

security add-generic-password \
               -a YOUR_USERNAME \
               -s ansible-vault-password \
               -w

The pass.sh script will extract the Ansible Vault password from your Keychain automatically each time Ansible requests it.

Create an encrypted secret.yml file and adjust the variables:

touch host_vars/YOUR_HOSTNAME/secret.yml
ansible-vault encrypt host_vars/YOUR_HOSTNAME/secret.yml
ansible-vault edit host_vars/YOUR_HOSTNAME/secret.yml

Add your custom inventory file to hosts:

cp hosts_example hosts
vi hosts

Install the dependencies:

ansible-galaxy install -r requirements.yml

Finally, run the playbook:

ansible-playbook run.yml -l your-host-here -K

The "-K" parameter is only necessary for the first run, since the playbook configures passwordless sudo for the main login user

For consecutive runs, if you only want to update the Docker containers, you can run the playbook like this:

ansible-playbook run.yml --tags="port,containers"