kodi media services basic setup

ansible/inventory/host_vars/kodi00.balsillie.house/certbot.yaml

@@ -0,0 +1,11 @@
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'rfc2136'
+certbot_email: "certbot.kodi00@balsillie.email"
+certbot_acme_server: "https://acme-v02.api.letsencrypt.org/directory"
+
+certbot_domains:
+  - kodi.balsillie.house

ansible/inventory/host_vars/kodi00.balsillie.house/nginx.yaml

@@ -0,0 +1,13 @@
+nginx_sites:
+  - name: tv.balsillie.house
+    upstream: 127.0.0.1:8080
+  - name: movies.balsillie.house
+    upstream: 127.0.0.1:8081
+  - name: index.balsillie.house
+    upstream: 127.0.0.1:8082
+  - name: torrent.balsillie.house
+    upstream: 127.0.0.1:9090
+  - name: jellyfin.balsillie.house
+    upstream: 127.0.0.1:8096
+  - name: kodi.balsillie.house
+    upstream: 127.0.0.1:8082

ansible/inventory/host_vars/kodi00.balsillie.house/sshd.yaml

@@ -0,0 +1,4 @@
+sshd:
+  auth:
+    password: 'no'
+    pubkey: 'yes'

ansible/inventory/host_vars/kodi00.balsillie.house/ufw.yaml

@@ -0,0 +1,21 @@
+ufw_enabled: true
+
+ufw_rules:
+  - name: "SSH from Local Subnet"
+    port: "22"
+    protocol: "tcp"
+    action: "allow"
+    source: "10.192.210.0/24"
+    destination: "10.192.210.169"
+  - name: "HTTP from Local Subnet"
+    port: "80"
+    protocol: "tcp"
+    action: "allow"
+    source: "10.192.210.0/24"
+    destination: "10.192.210.169"
+  - name: "HTTPS from Local Subnet"
+    port: "443"
+    protocol: "tcp"
+    action: "allow"
+    source: "10.192.210.0/24"
+    destination: "10.192.210.169"

ansible/playbooks/infra/kodi.yaml

@@ -4,4 +4,7 @@
   gather_facts: true
   become: true
   roles:
-    - name: kodi
+    - role: sshd
+    - role: ufw
+    - role: nginx
+    - role: certbot

ansible/roles/certbot/tasks/main.yaml

@@ -3,8 +3,50 @@
   community.general.pacman:
     name:
       - certbot
-      - certbot-dns-rfc2136
+      - certbot-dns-{{ certbot_dns_plugin }}
     state: present
     update_cache: true
 
-- name: Add certbot config
+- name: Install certbot webserver plugin (Archlinux)
+  when:
+    - ansible_facts['os_family'] == "Archlinux"
+    - certbot_webserver_type == 'nginx'
+  community.general.pacman:
+    name:
+      - certbot-nginx
+    state: present
+    update_cache: true
+
+- name: Template out the dns config file
+  when: certbot_dns_plugin == 'rfc2136'
+  ansible.builtin.template:
+    src: "{{ certbot_dns_plugin }}.conf.j2"
+    dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Register certbot account
+  ansible.builtin.command:
+    argv:
+      - "certbot register"
+      - "--agree-tos"
+      - "--email {{ certbot_email }}"
+      - "--no-eff-email"
+    creates: /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/{{ certbot_email }}
+
+- name: Request and install certificates
+  ansible.builtin.command:
+    argv:
+      - "certbot --nginx run -n"
+      - "--dns-{{ certbot_dns_plugin }}"
+      - "--dns-{{ certbot_dns_plugin }}-credentials /etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+      - "-d {{ item }}"
+    creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  loop: "{{ certbot_domains }}"
+
+- name: Enable certbot renewal
+  ansible.builtin.service:
+    name: certbot-renew.timer
+    state: started
+    enabled: true

ansible/roles/certbot/templates/rfc2136.conf.j2

@@ -0,0 +1,4 @@
+dns_rfc2136_server = {{ certbot_rfc2136_server }}
+dns_rfc2136_name = {{ certbot_rfc2136_key_name }}
+dns_rfc2136_secret = {{ certbot_rfc2136_key_secret }}
+dns_rfc2136_algorithm = {{ certbot_rfc2136_key_algorithm }}

ansible/roles/nginx/tasks/main.yaml

@@ -0,0 +1,7 @@
+- name: Install nginx package (Archlinux)
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name:
+      - nginx
+    state: present
+    update_cache: true

ansible/roles/sshd/tasks/main.yaml

@@ -0,0 +1,14 @@
+---
+
+- name: Template out sshd_config
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Restart sshd
+
+- name: Flush handlers for immediate shhd restart
+  ansible.builtin.meta: flush_handlers

ansible/roles/sshd/tasks/setup_key.yaml

@@ -1,13 +1,5 @@
 ---
 
-# - name: Debug ansible facts
-#   ansible.builtin.debug:
-#     msg: "{{ ansible_facts }}"
-
-# - name: Debug host vars
-#   ansible.builtin.debug:
-#     msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
-
 - name: Ensure ssh config dir exists
   delegate_to: localhost
   become: false
@@ -39,19 +31,6 @@
     user: "{{ ansible_user }}"
     state: present
 
-- name: Template out sshd_config
-  ansible.builtin.template:
-    src: sshd_config.j2
-    dest: /etc/ssh/sshd_config
-    owner: root
-    group: root
-    mode: '0644'
-  notify:
-    - Restart sshd
-
-- name: Flush handlers for immediate shhd restart
-  ansible.builtin.meta: flush_handlers
-
 - name: Add local ssh client config
   delegate_to: localhost
   become: false

ansible/roles/ufw/tasks/main.yaml

@@ -0,0 +1,33 @@
+- name: Install ufw package (Archlinux)
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name:
+      - ufw
+    state: present
+    update_cache: true
+
+- name: Add ufw rules
+  community.general.ufw:
+    comment: "{{ item.name }}"
+    direction: 'in'
+    from_ip: "{{ item.source }}"
+    proto: "{{ item.protocol }}"
+    rule: "{{ item.action }}"
+    to_ip: "{{ item.destination }}"
+    to_port: "{{ item.port }}"
+  loop: "{{ ufw_rules }}"
+
+- name: Enable ufw
+  when: ufw_enabled
+  community.general.ufw:
+    default: "deny"
+    direction: "incoming"
+    logging: "low"
+    state: enabled
+
+- name: Enable the ufw service
+  when: ufw_enabled
+  ansible.builtin.service:
+    name: ufw
+    state: restarted
+    enabled: true