first commit

flock.yml

@@ -0,0 +1,84 @@
+---
+- hosts: all
+  roles:
+    - role: setup_base_system
+    - role: lifeofguenter.resolvconf
+      vars:
+        resolv_nameservers:
+          - 10.0.1.111
+    - role: hifis.toolkit.unattended_upgrades
+      become: true
+    - role: hussainweb.chezmoi
+      vars:
+        chezmoi_init_url: https://git.fern.garden/fern/dots
+
+- hosts: all
+  roles:
+    - role: install_standard_packages
+
+- hosts: all
+  roles:
+    - role: setup_user
+
+- hosts: virtual_machines
+  roles:
+    - role: setup_virtual_machine
+
+- hosts: docker
+  roles:
+    - role: geerlingguy.docker
+      become: yes
+      vars:
+        docker_users:
+          - fern
+
+- hosts: nfs_servers
+  roles:
+    - role: setup_nfs_server
+    - role: geerlingguy.nfs
+      vars:
+        nfs_exports: [
+          "/export/film 10.0.1.0/24(rw,subtree_check,insecure,all_squash,anonuid=1000,anongid=1800)",
+          "/export/tv 10.0.1.0/24(rw,subtree_check,insecure,all_squash,anonuid=1000,anongid=1800)",
+          "/export/misc 10.0.1.0/24(rw,subtree_check,insecure,all_squash,anonuid=1000,anongid=1800)",
+        ]
+
+- hosts: nfs_clients
+  roles:
+    - role: setup_nfs_client
+
+- hosts: jellyfin.local
+  roles:
+    - role: tomhesse.jellyfin
+  tasks:
+    - name: Ensure Jellyfin user is a member of the media group
+      become: yes
+      tags:
+        - media_group
+      ansible.builtin.user:
+        name: jellyfin
+        groups: media
+        append: yes
+
+- hosts: weebill.local
+  tasks:
+    - name: Install Webone dependencies
+      ansible.builtin.apt:
+        deb: https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb
+    - name: Install Webone
+      ansible.builtin.apt:
+        update_cache: yes
+        deb: https://github.com/atauenis/webone/releases/download/v0.17.4/webone.0.17.4.linux-arm64.deb
+
+- hosts: stash.local
+  tasks:
+    - name: Add user to render group
+      become: yes
+      ansible.builtin.user:
+        name: fern
+        groups: render
+        append: yes
+
+- hosts: all
+  roles:
+    - role: setup_sshd

inventory/hosts.yml

@@ -0,0 +1,37 @@
+---
+### ALL HOSTS ###
+
+ungrouped:
+  hosts:
+    docker.local:
+    immich.local:
+    minecraft.local:
+    ff-syncserver.local:
+    jellyfin.local:
+    media-share.local:
+    technitium.local:
+    weebill.local:
+
+### GROUPS ###
+
+virtual_machines:
+  hosts:
+    docker.local:
+    minecraft.local:
+    media-share.local:
+
+docker:
+  hosts:
+    docker.local:
+    immich.local:
+    minecraft.local:
+    weebill.local:
+
+nfs_clients:
+  hosts:
+    docker.local:
+    jellyfin.local:
+
+nfs_servers:
+  hosts:
+    media-share.local:

requirements.yml

@@ -0,0 +1,9 @@
+roles:
+  - name: lifeofguenter.resolvconf
+  - name: hussainweb.chezmoi
+  - name: geerlingguy.docker
+  - name: tomhesse.jellyfin
+  - name: geerlingguy.nfs
+
+collections:
+  - name: hifis.toolkit

roles/install_standard_packages/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Install some standard packages
+  become: true
+  apt:
+    update_cache: yes
+    pkg:
+    - avahi-daemon
+    - curl
+    - fish
+    - git
+    - libnss-mdns
+    - rsync
+    - sudo
+    - tmux
+    - trash-cli
+    - btop
+    - ncdu
+    - nnn
+    - neovim

roles/setup_base_system/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart avahi
+  service:
+    name: avahi-daemon
+    state: restarted

roles/setup_base_system/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Set a hostname
+  become: true
+  ansible.builtin.hostname:
+    name: '{{ inventory_hostname.split(".")[0] | lower }}'
+
+- name: Set the timezone
+  become: true
+  community.general.timezone:
+    name: Australia/Perth
+
+- name: Ensure locales exist
+  become: true
+  community.general.locale_gen:
+    name:
+      - en_US.UTF-8
+      - en_AU.UTF-8
+    state: present

roles/setup_nfs_client/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: Ensure media group exists
+  become: true
+  tags:
+    - media_group
+  ansible.builtin.group:
+    name: media
+    state: present
+    gid: 1800
+
+- name: Install nfs-common
+  become: true
+  apt:
+    pkg:
+    - nfs-common
+
+- name: Mount /media/tv
+  become: true
+  ansible.posix.mount:
+    src: 10.0.1.101:/export/tv
+    path: /media/tv
+    opts: default
+    state: mounted
+    fstype: nfs
+
+- name: Mount /media/film
+  become: true
+  ansible.posix.mount:
+    src: 10.0.1.101:/export/film
+    path: /media/film
+    opts: default
+    state: mounted
+    fstype: nfs
+
+- name: Mount /media/misc
+  become: true
+  ansible.posix.mount:
+    src: 10.0.1.101:/export/misc
+    path: /media/misc
+    opts: default
+    state: mounted
+    fstype: nfs

roles/setup_nfs_server/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: Ensure media group exists
+  become: true
+  tags:
+    - media_group
+  ansible.builtin.group:
+    name: media
+    state: present
+    gid: 1800
+
+- name: Mount /export/tv
+  become: true
+  ansible.posix.mount:
+    src: UUID=fcee0188-8ca1-4fda-81b7-f5920c79ab48
+    path: /export/tv
+    state: mounted
+    fstype: ext4
+
+- name: Mount /export/film
+  become: true
+  ansible.posix.mount:
+    src: UUID=5d9dd538-79e4-4168-be91-e0b040155cb3
+    path: /export/film
+    state: mounted
+    fstype: ext4
+
+- name: Mount /export/misc
+  become: true
+  ansible.posix.mount:
+    src: UUID=5a43b7dc-3e28-459e-824a-ad45b5475361
+    path: /export/misc
+    state: mounted
+    fstype: ext4

roles/setup_sshd/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart SSHD
+  service:
+    name: sshd
+    state: restarted

roles/setup_sshd/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Add SSH Key - fern@muskduck
+  ansible.posix.authorized_key:
+    user: fern
+    state: present
+    key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519.pub') }}"
+
+- name: Add SSH Key - YubiKey
+  ansible.posix.authorized_key:
+    user: fern
+    state: present
+    key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519_sk.pub') }}"
+
+- name: Add SSH Key - fairywren
+  ansible.posix.authorized_key:
+    user: fern
+    state: present
+    key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8W3zggrj6ml/VZWem9l21SWK3yffgw5RkdgF6fG6jo u0_a336@localhostsk-ssh-ed25519@openssh.com"
+
+- name: Disable root login
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin no"
+    backup: yes
+  notify: Restart SSHD

roles/setup_user/tasks/main.yml

@@ -0,0 +1,13 @@
+- name: Add 'fern' user
+  become: true
+  user:
+    name: fern
+    shell: /usr/bin/fish
+    uid: 1000
+
+- name: Set sudo rules
+  become: true
+  community.general.sudoers:
+    name: sudo
+    commands: ALL
+    user: fern

roles/setup_virtual_machine/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart qemu-guest-agent
+  service:
+    name: qemu-guest-agent
+    state: restarted

roles/setup_virtual_machine/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: Install qemu-guest-agent package
+  become: true
+  apt:
+    pkg:
+    - qemu-guest-agent