small upadte

ansible/auth.yaml

@@ -0,0 +1,8 @@
+---
+# file: auth.yaml
+- hosts: auth
+  roles:
+    - common
+    - ldap_client
+    - docker
+    - pocketid

ansible/dns.yaml

@@ -4,3 +4,4 @@
   roles:
     - common
     - unbound
+    - netbird_peer

ansible/dockhand.yaml

@@ -0,0 +1,8 @@
+---
+# file: dockhand.yaml
+- hosts: dockhand
+  roles:
+    - common
+    - ldap_client
+    - docker
+    - dockhand

ansible/gitea.yaml

@@ -3,7 +3,8 @@
 - hosts: gitea
   roles:
     - common
+    - lego
     - nginx
     - gitea
-    - olm
+    - netbird_peer
     - ldap_client

ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml

@@ -0,0 +1,3 @@
+pocket_id_encryption_key: "{{ lookup('bitwarden.secrets.lookup', '6a5549a9-0f64-4791-94d1-b43b00254c42') }}"
+pocket_id_version: 2.6.2
+pocket_id_sha256: "348c2cfb6457d31078327c203896c29509d0417982c78bfac185d07859dc5b86"

ansible/inventories/production/host_vars/git.jthan.io/vars.yaml

@@ -2,6 +2,9 @@ gitea_version: 1.25.3
 
 root_pw: "{{ lookup('bitwarden.secrets.lookup', '4c3d81e6-bb31-40f9-a37a-b3bd00484160') }}" 
 
+letsencrypt_email: "me@jthan.io"
+linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}"
+
 nginx_ssl_enabled: true
 
 olm_config_path: "/etc/olm"
@@ -11,3 +14,8 @@ olm_secret: "{{ lookup('bitwarden.secrets.lookup', 'a9499a7f-4b3e-4c1b-97a0-b3de
 olm_loglevel: "INFO"
 olm_override_dns: "false"
 olm_tunnel_dns: "true"
+
+netbird_version: "0.68.3"
+netbird_arch: "amd64"
+netbird_sha256: "596adb7b74c6d9d2104bb517a4fa0353bcb1e889bd89aaf2b52a21ef58285ae9"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '4ba58bbe-e459-4978-894b-b43000561a2f') }}"

ansible/inventories/production/host_vars/netbird.jthan.io/vars.yaml

@@ -0,0 +1,6 @@
+root_pw: "{{ lookup('bitwarden.secrets.lookup', 'a3402c94-7082-4d70-8436-b42e002c8e18') }}"
+
+netbird_version: "0.68.3"
+netbird_arch: "amd64"
+netbird_sha256: "596adb7b74c6d9d2104bb517a4fa0353bcb1e889bd89aaf2b52a21ef58285ae9"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '88be4f9e-2558-455f-a34a-b436003684af') }}"

ansible/inventories/production/host_vars/pangolin.jthan.io/vars.yaml

@@ -1,5 +1,5 @@
 root_pw: "{{ lookup('bitwarden.secrets.lookup', '279ef4de-8dc7-4e55-a548-b3c400107332') }}"
-pangolin_version: "1.15.4"
+pangolin_version: "1.16.2"
 gerbil_version: "1.3.0"
 traefik_version: "3.6.8"
 pangolin_base_domain: "pangolin.jthan.io"

ansible/inventories/production/host_vars/rpi0.home.jthan.io/vars.yaml

@@ -1,3 +1,8 @@
+netbird_version: "0.68.3"
+netbird_arch: "arm64"
+netbird_sha256: "a3ba352f2b2bfbcd1bf157257b3b1fbe4c9d21dee2a7cb15e9c36b2a092563d9 "
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', 'ceda19a5-3efb-4bcf-ac84-b43000086ea4') }}"
+
 private_domains:
   - name: jthan.io
     records:
@@ -24,6 +29,9 @@ private_domains:
       - type: A
         name: "storage0.home.jthan.io"
         value: 192.168.1.3
+      - type: A
+        name: "auth.home.jthan.io"
+        value: 192.168.1.7
       - type: A
         name: "proxy0.home.jthan.io"
         value: 192.168.1.7
@@ -42,6 +50,9 @@ private_domains:
       - type: A
         name: "syncthing.home.jthan.io"
         value: 192.168.1.15
+      - type: A
+        name: "docker.home.jthan.io"
+        value: 192.168.1.18
       - type: AAAA
         name: "storage0.home.jthan.io"
         value: "2602:fb57:c20:b00:7a55:36ff:fe02:92c9"
@@ -63,6 +74,12 @@ private_domains:
       - type: AAAA
         name: "syncthing.home.jthan.io"
         value: "2602:fb57:c20:b00:be24:11ff:fee9:9c4b"
+      - type: AAAA
+        name: "docker.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "auth.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fee6:8593"
       - type: CNAME
         name: "ha.home.jthan.io"
         value: "proxy0.home.jthan.io"

ansible/inventories/production/hosts.ini

@@ -4,9 +4,6 @@ git.jthan.io
 [dns]
 rpi0.home.jthan.io
 
-[pangolin]
-pangolin.jthan.io
-
 [authentik]
 authentik.home.jthan.io ansible_host=192.168.1.8
 
@@ -25,3 +22,12 @@ syncthing.home.jthan.io
 [webservers]
 notes.jthan.io ansible_host=192.168.1.16
 jthan.io ansible_host=192.168.1.17
+
+[netbird_server]
+netbird.jthan.io
+
+[dockhand]
+docker.home.jthan.io
+
+[auth]
+auth.home.jthan.io ansible_host=192.168.1.5

ansible/netbird_server.yaml

@@ -0,0 +1,9 @@
+---
+# file: netbird_server.yaml
+- hosts: netbird_server
+  roles:
+    - common
+    - docker
+    - netbird_peer # can be server and peer to access internal resources
+    - ldap_client # which allows us to talk to ldap, authentik, etc.
+

ansible/pangolin_server.yaml

@@ -1,6 +1,6 @@
 ---
 # file: pangolin.yaml
-- hosts: pangolin
+- hosts: pangolin_server
   roles:
     - common
-    - pangolin
+    - pangolin_server

ansible/roles/dockhand/tasks/main.yaml

@@ -0,0 +1,19 @@
+- name: Create dockhand directory
+  file:
+    path: /root/dockhand
+    state: directory
+    mode: '0755'
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /root/dockhand/docker-compose.yaml
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Create and start dockhand
+  community.docker.docker_compose_v2:
+    project_src: /root/dockhand
+    build: always
+  register: output

ansible/roles/dockhand/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,48 @@
+services:
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    container_name: socket-proxy
+    restart: unless-stopped
+    environment:
+      # Required for Dockhand core functionality
+      - CONTAINERS=1
+      - IMAGES=1
+      - NETWORKS=1
+      - VOLUMES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      # Required for dashboard host info and disk usage
+      - INFO=1
+      - SYSTEM=1
+      # Required for vulnerability scanning
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      # Optional: enable for terminal access
+      # - EXEC=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - socket-proxy
+
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    restart: unless-stopped
+    depends_on:
+      - socket-proxy
+    ports:
+      - "3000:3000"
+    volumes:
+      - dockhand_data:/app/data
+    networks:
+      - socket-proxy
+      - default
+
+networks:
+  socket-proxy:
+    internal: true
+
+volumes:
+  dockhand_data:

ansible/roles/lego/tasks/generate_cert.yaml

@@ -1,3 +1,8 @@
+- name: Check if SSL cert already exists for domain
+  stat:
+    path: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
+  register: existing_cert_check
+
 - name: Generate initial cert (http)
   command:
     cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --http run
@@ -15,3 +20,13 @@
     LINODE_PROPAGATION_TIMEOUT: 600
     LINODE_TOKEN: "{{ linode_dns_token }}"
   when: lego_method == 'dns'
+
+- name: Renew cert (dns)
+  command:
+    cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --dns linode --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --dns.resolvers 8.8.8.8 renew
+    chdir: /root
+  environment:
+    LINODE_POLLING_INTERVAL: 120
+    LINODE_PROPAGATION_TIMEOUT: 600
+    LINODE_TOKEN: "{{ linode_dns_token }}"
+  when: lego_method == 'dns' and existing_cert_check.stat.exists

ansible/roles/netbird_peer/handlers/main.yaml

@@ -0,0 +1,9 @@
+- name: restart netbird
+  service:
+    name: netbird
+    state: restarted
+
+- name: restart firewalld
+  service:
+    name: firewalld
+    state: restarted

ansible/roles/netbird_peer/tasks/main.yaml

@@ -0,0 +1,88 @@
+- name: Create temporary netbird unarchive directory
+  file: 
+    path: "/tmp/netbird_{{ netbird_version }}"
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Download and verify the netbird archive
+  get_url:
+    url: "https://github.com/netbirdio/netbird/releases/download/v{{ netbird_version }}/netbird_{{ netbird_version }}_linux_{{ netbird_arch }}.tar.gz"
+    dest: "/tmp/netbird-{{ netbird_version }}.linux-{{ netbird_arch }}.tar.gz"
+    checksum: "sha256:{{ netbird_sha256 }}"
+  register: download_result
+
+- name: Unarchive netbird binary
+  unarchive:
+    src: "{{ download_result.dest }}"
+    dest: "/tmp/netbird_{{ netbird_version }}"
+    remote_src: true # Indicates the source file is on the remote host
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy netbird binary to /usr/local/bin
+  copy:
+    src: "/tmp/netbird_{{ netbird_version }}/netbird"
+    dest: "/usr/local/bin/netbird-{{ netbird_version }}"
+    owner: root
+    group: root
+    mode: '0755'
+    remote_src: yes
+
+- name: Create netbird binary symlink
+  file:
+    src: "/usr/local/bin/netbird-{{ netbird_version }}"
+    dest: "/usr/local/bin/netbird"
+    state: link
+    owner: root
+    group: root
+    mode: '0755' # Permissions for the target file
+    force: yes 
+
+- name: Run command to generate netbird systemd unit file
+  command: 
+    cmd: /usr/local/bin/netbird service install
+    creates: /etc/systemd/system/netbird.service
+  register: netbird_service
+
+- name: systemctl daemon-reload to pickup netbird service changes
+  systemd_service:
+    daemon_reload: true
+  when: netbird_service.changed
+  notify: restart netbird
+
+- name: Start and enable netbird service
+  service:
+    name: netbird
+    state: started
+    enabled: true
+    daemon_reload: true
+
+- name: Run netbird up with setup key
+  command:
+    cmd: /usr/local/bin/netbird up --setup-key {{ netbird_setup_key }} --management-url https://netbird.jthan.io:443
+
+- name: Create netbird firewalld zone
+  ansible.posix.firewalld:
+    zone: netbird
+    state: present
+    permanent: true
+  notify: restart firewalld
+
+- name: Set netbird zone target to ACCEPT
+  ansible.posix.firewalld:
+    zone: netbird
+    state: present
+    permanent: true
+    target: ACCEPT
+  notify: restart firewalld
+
+- name: Add netbird interface to netbird zone 
+  ansible.posix.firewalld:
+    zone: netbird
+    interface: wt0
+    permanent: true
+    state: enabled
+  notify: restart firewalld

ansible/roles/nginx/tasks/main.yaml

@@ -41,6 +41,7 @@
     mode: 0600
     remote_src: true
   when: nginx_ssl_enabled
+  notify: Restart nginx
 
 - name: Copy SSL issuer certificate into place for SSL enabled nginx server
   copy:
@@ -51,6 +52,7 @@
     mode: 0600
     remote_src: true
   when: nginx_ssl_enabled
+  notify: Restart nginx
 
 - name: Copy SSL key into place for SSL enabled nginx server
   copy:
@@ -61,6 +63,7 @@
     mode: 0600
     remote_src: true
   when: nginx_ssl_enabled
+  notify: Restart nginx
 
 - name: Create web root
   file:

ansible/roles/pocketid/tasks/main.yaml

@@ -0,0 +1,55 @@
+- name: Create a pocketid group
+  group:
+    name: pocketid
+    state: present
+    gid: 1050 
+
+- name: Create a pocketid user
+  user:
+    name: pocketid
+    uid: 1050
+    group: 1050
+    comment: "pocketid user"
+    shell: /bin/bash
+    state: present
+    create_home: yes
+
+- name: Create pocketid directory
+  file:
+    path: /home/pocketid/pocketid
+    state: directory
+    mode: '0755'
+    owner: pocketid
+    group: pocketid
+
+- name: Create encryption key file
+  template:
+    src: pocket_id_encryption_key.j2
+    dest: /home/pocketid/pocketid/pocket_id_encryption_key
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create env file
+  template:
+    src: templates/pocketid.env.j2
+    dest: /home/pocketid/pocketid/.env
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /home/pocketid/pocketid/docker-compose.yaml
+    owner: pocketid
+    group: pocketid
+    mode: 0600
+
+- name: Create and start pocketid
+  community.docker.docker_compose_v2:
+    project_src: /home/pocketid/pocketid/
+    build: always
+  register: output

ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,21 @@
+secrets:
+  pocket_id_encryption_key:
+    file: ./pocket_id_encryption_key
+services:
+  pocket-id:
+    image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}
+    restart: unless-stopped
+    env_file: .env
+    ports:
+      - 1411:1411
+    volumes:
+      - "./data:/app/data"
+    # Optional healthcheck
+    healthcheck:
+      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
+      interval: 1m30s
+      timeout: 5s
+      retries: 2
+      start_period: 10s
+    secrets:
+      - pocket_id_encryption_key

ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2

@@ -0,0 +1 @@
+{{ pocket_id_encryption_key }}

ansible/roles/pocketid/tasks/templates/pocketid.env.j2

@@ -0,0 +1,18 @@
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+
+# These variables must be configured for your deployment:
+APP_URL=https://{{ inventory_hostname }}
+
+# Encryption key (choose one method):
+# Method 1: Direct key (simple but less secure)
+# Generate with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+# Method 2: File-based key (recommended)
+# Put the base64 key in a file and point to it here.
+ENCRYPTION_KEY_FILE=/run/secrets/pocket_id_encryption_key
+
+# These variables are optional but recommended to review:
+TRUST_PROXY=true
+MAXMIND_LICENSE_KEY=
+PUID=1050
+PGID=1050

ansible/site.yaml

@@ -3,11 +3,12 @@
 - import_playbook: webservers.yaml
 - import_playbook: gitea.yaml
 - import_playbook: dns.yaml
-- import_playbook: pangolin.yaml
+- import_playbook: pangolin_server.yaml
+- import_playbook: netbird_server.yaml
 - import_playbook: monitoring.yaml
 - import_playbook: ldap_server.yaml
 - import_playbook: irc.yaml
 - import_playbook: syncthing.yaml
-#- import_playbook: notes.yaml
-#- import_playbook: authentik.yaml
+- import_playbook: dockhand.yaml
+- import_playbook: auth.yaml