Phil ccab665d26 fix: resolve MMDL hairpinning issue with CalDAV communication
- Add cal.thesatelliteoflove.com:172.20.0.5 to MMDL extra_hosts for internal communication
- Update DEPLOYMENT_LEARNINGS.md with comprehensive hairpinning documentation
- Update CLAUDE.md with hairpinning guidance and correct deployment commands
- Document standard pattern for Docker container internal domain resolution

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 11:24:05 -06:00

Personal Infrastructure Ansible Playbook

This Ansible playbook automates the setup and management of a personal self-hosted infrastructure running Docker containers for various services.

Overview

The playbook manages two main environments:

  • Bootstrap server (netcup): Initial server setup with Tailscale VPN
  • Docker server (docker-01): Main application server running containerized services

Services Deployed

The Docker role deploys and manages the following self-hosted services:

  • Authentication: Authentik (SSO/Identity Provider)
  • Media: Audiobookshelf, Calibre, Pinchflat
  • Productivity: Ghost blog, Gitea, Code Server, Grist, TasksMD, Stirling PDF, MMDL (Task Management)
  • Communication: GoToSocial, Matrix (Conduit)
  • File Management: Hoarder, Paperless-NGX, Syncthing, Manyfold
  • Monitoring: Changedetection, Glance dashboard, Dawarich location tracking
  • Utilities: Baikal (CalDAV/CardDAV), HeyForm, Pingvin Share, Pinry
  • Notifications: Apprise API
  • Reverse Proxy: Caddy

Structure

├── site.yml          # Main playbook
├── bootstrap.yml     # Server bootstrap playbook
├── dns.yml           # AWS Route53 DNS management
├── hosts.yml         # Inventory file
├── requirements.yml  # External role dependencies
└── roles/
    ├── bootstrap/    # Initial server setup
    ├── common/       # Common server configuration
    ├── cron/         # Scheduled tasks
    └── docker/       # Docker services deployment

Roles Documentation

Each role has detailed documentation in its respective directory:

Bootstrap Role

Performs initial server setup and hardening:

  • Creates user accounts with SSH key authentication
  • Configures passwordless sudo and security hardening
  • Installs essential packages and configures UFW firewall
  • Sets up Tailscale VPN for secure network access

Common Role

Provides shared configuration for all servers:

  • Installs common packages (aptitude)
  • Enables UFW firewall with default deny policy
  • Ensures consistent base configuration across infrastructure

Cron Role

Manages scheduled tasks and automation:

  • Warhammer RSS Feed Updater: Daily job that generates and updates RSS feeds
  • Integrates with Docker services for content generation
  • Supports easy addition of new scheduled tasks

Docker Role

The most comprehensive role, deploying 25+ containerized services:

  • Core Infrastructure: Caddy reverse proxy, Authentik SSO, Dockge management
  • Development Tools: Gitea, Code Server, Matrix communication
  • Media Management: Audiobookshelf, Calibre, Ghost blog
  • Productivity: Paperless-NGX, Baikal calendar, Glance dashboard
  • Security Features: Centralized authentication, network isolation, container hardening
  • Monitoring: Comprehensive service health monitoring and alerting

Usage

Prerequisites

  1. Install Ansible and required collections:

    ansible-galaxy install -r requirements.yml
    
  2. Configure your inventory in hosts.yml with your server details

Bootstrap a New Server

ansible-playbook bootstrap.yml -i hosts.yml

This will:

  • Create a user account
  • Install and configure Tailscale VPN
  • Set up basic security

Deploy Docker Services

ansible-playbook site.yml -i hosts.yml

Or deploy specific services using tags:

# Deploy only Caddy reverse proxy
ansible-playbook site.yml -i hosts.yml --tags caddy

# Deploy authentication services
ansible-playbook site.yml -i hosts.yml --tags authentik

# Deploy task management
ansible-playbook site.yml -i hosts.yml --tags mmdl

Manage DNS Records

ansible-playbook dns.yml -i hosts.yml

Updates AWS Route53 DNS records for configured domains (thesatelliteoflove.com and nerder.land).

Configuration

  • Service configurations are templated in roles/docker/templates/
  • Environment variables and secrets should be managed through Ansible Vault
  • Docker Compose files are generated from Jinja2 templates
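The commit at the top of this page fixes a hairpinning problem by pinning cal.thesatelliteoflove.com to 172.20.0.5 in MMDL's extra_hosts, so the container reaches the CalDAV (Baikal) service over the Docker network instead of looping out through the public address and the reverse proxy. As an added example, not code from this playbook, the Python lint below checks a rendered compose document for that condition before deployment; the compose fragment, the 172.20.0.0/16 subnet, the service names and the dependency map are constructed assumptions.

```python
import ipaddress

# Constructed compose fragment modelled on the MMDL extra_hosts fix; the
# 172.20.0.0/16 subnet and the service layout are assumptions for this example.
COMPOSE = {
    "networks": {"internal": {"ipam": {"config": [{"subnet": "172.20.0.0/16"}]}}},
    "services": {
        "mmdl": {"networks": ["internal"],
                 "extra_hosts": ["cal.thesatelliteoflove.com:172.20.0.5"]},
        "baikal": {"networks": ["internal"]},
        # Mis-pinned on purpose: a public (documentation-range) address.
        "glance": {"networks": ["internal"],
                   "extra_hosts": ["cal.thesatelliteoflove.com:203.0.113.10"]},
    },
}

# Assumed map of which services must reach which internally hosted names.
INTERNAL_DEPENDENCIES = {
    "mmdl": ["cal.thesatelliteoflove.com"],
    "glance": ["cal.thesatelliteoflove.com"],
}

def parse_extra_hosts(entries):
    """Compose 'host:ip' strings -> {host: ip_address}. Splitting on the first
    colon keeps IPv6 literals intact; a malformed address raises ValueError."""
    return {e.partition(":")[0]: ipaddress.ip_address(e.partition(":")[2])
            for e in entries}

def subnets_for(compose, service):
    """Subnets declared for every network the service joins."""
    subnets = []
    for net in compose["services"][service].get("networks", []):
        ipam = compose["networks"].get(net, {}).get("ipam", {})
        for cfg in ipam.get("config", []):
            subnets.append(ipaddress.ip_network(cfg["subnet"]))
    return subnets

def hairpin_findings(compose, deps):
    """Return (service, hostname, reason) for each name that would resolve via
    public DNS (no pin) or is pinned to an address outside the container network."""
    findings = []
    for service, names in deps.items():
        pinned = parse_extra_hosts(compose["services"][service].get("extra_hosts", []))
        subnets = subnets_for(compose, service)
        for name in names:
            if name not in pinned:
                findings.append((service, name, "no extra_hosts entry"))
            elif not any(pinned[name] in s for s in subnets):
                findings.append((service, name, f"pinned to {pinned[name]} outside network"))
    return findings
```

Run it against the output of `docker compose config` (loaded into the same dict shape) to catch a missing or mis-pinned entry before the service is deployed.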

Security Notes

  • Uses Tailscale for secure network access
  • Caddy provides automatic HTTPS with Let's Encrypt
  • Services are containerized for isolation
  • UFW firewall rules are managed via Docker integration