An Ansible playbook that sets up an Ubuntu-based home media server/NAS with reasonable security, auto-updates, e-mail notifications for S.M.A.R.T. and Snapraid errors and dynamic DNS.
It assumes a fresh Ubuntu Server 20.04 install, access to a non-root user with sudo privileges and a public SSH key. This can be configured during the installation process.
The playbook is mostly being developed for personal use, so stuff is going to be constantly changing and breaking. Use at your own risk and don't expect any help in setting it up on your machine.
- David Stephens for his Ansible NAS project. This is where I got the idea and "borrowed" a lot of concepts and implementations from.
- Jeff Geerling for his book, Ansible for DevOps and his Ansible 101 series on YouTube.
- Jonathan Hanson for his SSH port juggling implementation.
- Alex Kretzschmar and Chris Fisher from Self Hosted Show for introducing me to the idea of Infrastracture as Code
- TylerAlterio for the mergerfs role
- Jake Howard and Alex Kretzschmar for the snapraid role
- Plex (A media server)
- Jellyfin (Yet another media server)
- Radarr (A movie tracker/downloader)
- Jackett (A torrent/NZB indexer)
- Booksonic (An audiobook server)
- Sonarr (A TV show tracker/downloader)
- arch-delugevpn (An Arch Linux container running Deluge and an Wireguard/OpenVPN client with a kill switch)
- Authelia (An authentication provider)
- cloudflare-ddns (A dynamic DNS updater for Cloudflare)
- UniFi Controller (A controller for UniFi devices)
- Homer (A static home page)
- Flame (Another static home page)
- Nextcloud (A self-hosted cloud platform)
- PhotoPrism (A photo library)
- PiHole + Unbound (An all-in-one DNS solution with built-in ad-blocking)
- MariaDB (A database server for Nextcloud)
- Vaultwarden (A FOSS Bitwarden fork written in Rust)
- Wireguard (A VPN server)
- IKEv2 (An IKEv2 VPN server for Apple devices)
- Watchtower (An automated updater for Docker images)
- DuckDNS (A dynamic DNS client for DuckDNS)
- SWAG (A reverse proxy with built-in support for dynamic DNS, Certbot and fail2ban)
- bunkerized-nginx (A NGINX-based web server focused on security)
- Home Assistant (A FOSS smart home hub)
- Phoscon-GW (A Zigbee gateway)
- MergerFS with Snapraid
- Samba
- Fail2Ban for Nextcloud, Vaultwarden and endlessh with Cloudflare support
- CrowdSec with the iptables bouncer
- endlessh
Install Ansible (macOS):
brew install ansible
Clone the repository:
git clone https://github.com/notthebee/infra
Create a host varialbe file and adjust the variables:
cd infra/ansible
mkdir -p host_vars/YOUR_HOSTNAME
vi host_vars/YOUR_HOSTNAME/vars.yml
Create a Keychain item for your Ansible Vault password (on macOS):
security add-generic-password \
-a YOUR_USERNAME \
-s ansible-vault-password \
-w
The pass.sh
script will extract the Ansible Vault password from your Keychain automatically each time Ansible requests it.
Create an encrypted secret.yml
file and adjust the variables:
touch host_vars/YOUR_HOSTNAME/secret.yml
ansible-vault encrypt host_vars/YOUR_HOSTNAME/secret.yml
ansible-vault edit host_vars/YOUR_HOSTNAME/secret.yml
Add your custom inventory file to hosts
:
cp hosts_example hosts
vi hosts
Install the dependencies:
ansible-galaxy install -r requirements.yml
Finally, run the playbook:
ansible-playbook run.yml -l your-host-here -K
The "-K" parameter is only necessary for the first run, since the playbook configures passwordless sudo for the main login user
For consecutive runs, if you only want to update the Docker containers, you can run the playbook like this:
ansible-playbook run.yml --tags="port,containers"