An Ansible playbook that sets up an Ubuntu-based home media server/NAS with reasonable security, auto-updates, e-mail notifications for S.M.A.R.T. and Snapraid errors and dynamic DNS.
It assumes a fresh Ubuntu Server 20.04 install, access to a non-root user with sudo privileges and a public SSH key. This can be configured during the installation process.
The playbook is mostly being developed for personal use, so stuff is going to be constantly changing and breaking. Use at your own risk and don't expect any help in setting it up on your machine.
- David Stephens for his Ansible NAS project. This is where I got the idea and "borrowed" a lot of concepts and implementations from.
- Jeff Geerling for his book, Ansible for DevOps and his Ansible 101 series on YouTube.
- Jonathan Hanson for his SSH port juggling implementation.
- Alex Kretzschmar and Chris Fisher from Self Hosted Show for introducing me to the idea of Infrastracture as Code
- TylerAlterio for the mergerfs role
- Jake Howard and Alex Kretzschmar for the snapraid role
- Plex (A media server)
- Radarr (A movie tracker/downloader)
- Jackett (A torrent/NZB indexer)
- Sonarr (A TV show tracker/downloader)
- Arch-DelugeVPN (An Arch Linux container running Deluge and an Wireguard/OpenVPN client with a kill switch)
- Homer (A static home page)
- Nextcloud (A self-hosted cloud platform)
- MariaDB (A database server for Nextcloud)
- Vaultwarden (A FOSS Bitwarden fork written in Rust)
- Wireguard (A VPN server)
- IKEv2 (An IKEv2 VPN server for Apple devices)
- Watchtower (An automated updater for Docker images)
- DuckDNS (A dynamic DNS client for DuckDNS)
- SWAG (A reverse proxy with built-in support for dynamic DNS, Certbot and fail2ban)
- Home Assistant (A FOSS smart home hub)
- Phoscon-GW (A Zigbee gateway)
- MergerFS with Snapraid
- Samba
- Netatalk (AFP) for Time Machine
Install Ansible (macOS):
brew install ansible
Clone the repository:
git clone https://github.com/notthebee/infra
Copy the sample inventory and adjust the variables in vars.yml
:
cd infra/ansible
cp -r group_vars/sample group_vars/YOUR_HOSTNAME
vi group_vars/YOUR_HOSTNAME/vars.yml
Create a Keychain item for your Ansible Vault password (on macOS):
security add-generic-password \
-a YOUR_USERNAME \
-s ansible-vault-password \
-w
The pass.sh
script will extract the Ansible Vault password from your Keychain automatically each time Ansible requests it.
Encrypt the secret.yml
file and adjust the variables:
ansible-vault encrypt group_vars/YOUR_HOSTNAME/secret.yml
ansible-vault edit group_vars/YOUR_HOSTNAME/secret.yml
Add your custom inventory file to hosts
:
cp hosts_example hosts
vi hosts
Install the dependencies:
ansible-galaxy install -r requirements.yml
Finally, run the playbook:
ansible-playbook run.yml -l your-host-here -K
The "-K" parameter is only necessary for the first run, since the playbook configures passwordless sudo for the main login user
For consecutive runs, if you only want to update the Docker containers, you can run the playbook like this:
ansible-playbook run.yml --tags="port,containers"