Artur's Homelab
This repo contains the Ansible roles and playbooks I use to deploy my homelab/self-hosted stack.
Overview
I like the idea of Infrastructure as Code, automation, and reproducible builds. This is my attempt to achieve this for my homelab.
What's a homelab?
It's a hardware and software experimental laboratory for you to test and break bleeding-edge technologies. And learn, learn so much about how the internet works, what's behind the scenes of common cloud services and large websites, and much more.
At the same time, a homelab can be your production environment to run self-hosted services to enhance your quality of life, while achieving maximum privacy, because all of your data is under your control.
To learn more, consult /c/selfhosted, /r/homelab, and /r/selfhosted.
Hardware
- Intel NUC11ATKC4:
  - CPU: Intel Celeron N5105 @ 2.00GHz
  - RAM: 32GB
  - SSD: 1TB
- Dell OptiPlex 3000 Micro:
  - CPU: Intel(R) Core(TM) i5-12500T @ 4.40GHz
  - RAM: 64GB
  - SSD: 2TB
Software
All the services are deployed via Podman Quadlets.
| Software | Purpose |
|---|---|
| Actual Budget | Budgeting |
| Authentik | Single Sign-On |
| Changedetection | Detect website changes |
| FreshRSS | Follow RSS feeds |
| Librechat | API access to multiple LLMs |
| Paperless-ngx | Document management |
| Readeck | Read-it-later |
| Stirling-PDF | PDF manipulation |
| Grafana | Observe homelab with nice charts |
| Homepage | ...Homepage |
| Prometheus | Collect data for Grafana |
| Speedtest-tracker | Measure Internet speed |
| Uptime Kuma | Monitor uptime |
| Infisical | Secret management |
I also deploy Forgejo for version control and Immich for photos with Nix. See my NixOS repo here.
Bitwarden and ansible-vault
This article explains how to retrieve the ansible-vault password from Bitwarden.
Add to ansible.cfg:
```ini
[defaults]
vault_password_file = ./vault-pass.sh
```
Then ./vault-pass.sh:
```bash
#!/usr/bin/env bash
# Abort if rbw fails, so Ansible never receives an empty password.
set -e
# Print the password stored in the "ansible-vault" Bitwarden entry;
# Ansible reads it from stdout.
rbw get "ansible-vault"
```
If rbw does not have the password cached, it will prompt you for it.
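Ansible accepts any executable as `vault_password_file` and uses its stdout as the password, so a script that prints nothing on failure silently hands Ansible an empty key. As an added example, not the repo's own vault-pass.sh, here is a fail-closed Python variant of the same rbw lookup; the `run` parameter is a hypothetical injection point so the lookup can be tested without a real Bitwarden vault.

```python
#!/usr/bin/env python3
"""Added example (not the repo's vault-pass.sh): a fail-closed vault
password script. Ansible runs `vault_password_file` with no arguments and
uses whatever the script writes to stdout as the password, so stdout must
carry exactly one line and any failure must be a non-zero exit."""
import subprocess
import sys

# Bitwarden entry name; "ansible-vault" matches the README's rbw call.
DEFAULT_ENTRY = "ansible-vault"


def fetch_vault_pass(entry=DEFAULT_ENTRY, run=subprocess.run):
    """Return the password stored in the rbw entry `entry`.

    `run` is injectable (hypothetical, for testing) so the function can be
    exercised without a real vault. Raises RuntimeError whenever Ansible
    must not proceed: rbw missing, rbw exiting non-zero (e.g. the vault is
    locked and the unlock prompt was refused), or an empty value.
    """
    try:
        # rbw prints the password field on stdout; the secret never goes
        # on a command line, where `ps` could expose it.
        result = run(["rbw", "get", entry], capture_output=True,
                     text=True, check=False)
    except FileNotFoundError:
        raise RuntimeError("rbw is not installed or not in PATH")
    if result.returncode != 0:
        raise RuntimeError(
            f"rbw get {entry!r} failed: {result.stderr.strip()}")
    # Keep only the first line: extra lines would corrupt the vault key.
    password = result.stdout.split("\n", 1)[0]
    if not password.strip():
        raise RuntimeError(f"rbw entry {entry!r} has an empty password")
    return password


def main():
    try:
        print(fetch_vault_pass())
    except RuntimeError as err:
        # Diagnostics go to stderr so stdout stays clean for Ansible.
        print(f"vault-pass: {err}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```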
Caddy reverse proxy
See details in roles/deploy_caddy/README.md.
Tailscale deployment
- To deploy Tailscale, run `export TAILSCALE_KEY=<tailscale_key>` and then `ansible-playbook playbooks/install_tailscale.yaml`.
- To reauth a Tailscale node, run the first command and then `ansible-playbook playbooks/reauth_tailscale.yaml`.
Proxmox Backup Server
See details in roles/setup_pbs/README.md.
LibreChat Troubleshooting
See details in roles/deploy_services/README.md.
Roadmap
- Implement HashiCorp Vault, Infisical or another external secret manager to remove my reliance on Ansible Vault. Update: partially implemented. I now deploy Infisical on a separate VM.
- Tailscale deployment
- Merge this repo with my Caddy deployment
Availability
The repo is available on my personal Forgejo instance, Codeberg and GitHub.
The GitHub repo is updated every 144 hours. The Codeberg repo is updated every 8 hours.
Thanks
- Ansible Collection - devsec.hardening. I used their code to dynamically generate my sshd configuration.