FIX: Fixed incorrect .env file and updated inventory to have a separate Ansible host

This reverts commit ea113ad443.

.gitignore

@@ -1,3 +1,2 @@
 .vscode/
-Ansible/secrets.yml
-Ansible/inventory/hosts.ini
+Ansible/secrets.yml

Ansible/README.md

@@ -1,18 +1,21 @@
-# Ansible Playbooks
+# Ansible for Homelab
 
-This directory contains Ansible playbooks for automating server configuration and management tasks.
+This Ansible setup is designed to automate the configuration and maintenance of servers and applications in the homelab. It includes playbooks for common tasks, inventory management for different environments, and a structured way to handle variables and secrets.
 
-## Playbooks
+## Directory Structure
 
-- **apt_upgrade.yml**: This playbook updates all packages on a Debian/Ubuntu server.
-- **zabbix_agent_upgrade.yml**: This playbook upgrades the Zabbix agent on a server.
+-   `inventory/`: Contains the inventory files that define the hosts and groups of hosts managed by Ansible.
+-   `playbooks/`: Contains the Ansible playbooks for various automation tasks.
+-   `secrets.yml`: This file is intended to store sensitive data like passwords and API keys. It is recommended to encrypt this file using Ansible Vault.
+-   `example_secrets.yml`: An example secrets file.
+-   `vars.yml`: This file can be used to store non-sensitive variables that are used across multiple playbooks.
 
-## Usage
+## Getting Started
 
-To use these playbooks, you will need to have Ansible installed on your control machine. You will also need to have an inventory file that defines the hosts you want to manage.
-
-Once you have Ansible and an inventory file set up, you can run a playbook using the following command:
-
-```
-ansible-playbook -i <inventory_file> <playbook>.yml
-```
+1.  **Install Ansible:** Make sure you have Ansible installed on your control machine.
+2.  **Inventory:** Update the `inventory/hosts.ini` file with the IP addresses and connection details for your servers.
+3.  **Secrets:** Create a `secrets.yml` file based on the `example_secrets.yml` template and encrypt it using Ansible Vault for security.
+4.  **Run a Playbook:** You can run a playbook using the `ansible-playbook` command. For example:
+    ```bash
+    ansible-playbook -i inventory/hosts.ini playbooks/apt_upgrade.yml
+    ```

Ansible/apt_upgrade.yml

@@ -1,24 +0,0 @@
-- name: Upgrade packages
-  hosts: vms
-  become: true
-
-  tasks:
-   - name: Update apt cache
-     ansible.builtin.apt:
-      update_cache: true
-     register: cache_updated
-
-   - name: Upgrade all packages
-     ansible.builtin.apt:
-      upgrade: "yes"
-     when: cache_updated.changed or cache_updated.rc == 0
-
-   - name: Autoremove unnecessary packages
-     ansible.builtin.apt:
-      autoremove: true
-     when: cache_updated.changed or cache_updated.rc == 0
-
-   - name: Autoclean apt cache
-     ansible.builtin.apt:
-      autoclean: true
-     when: cache_updated.changed or cache_updated.rc == 0

Ansible/example_secrets.yml

@@ -0,0 +1,2 @@
+# Copy this into secrets.yml and replate with a real values
+ansible_password: 'REPLACE_WITH_ROOT_PASSWORD'

Ansible/inventory/hosts.ini

@@ -0,0 +1,34 @@
+[all:vars]
+ansible_user = mbuz
+ansible_ssh_private_key_file = /home/mbuz/.ssh/id_ed25519
+
+[proxmox]
+proxmox_host ansible_host=10.0.0.1
+
+[ubuntu_servers]
+raspberry-pi ansible_host=10.0.0.5
+oracle-arm ansible_host=130.61.76.209 ansible_user=ubuntu
+
+[docker]
+docker-apps ansible_host=10.0.0.101
+docker-cloud ansible_host=10.0.0.102
+
+[filestorage]
+truenas ansible_host=10.0.0.200
+
+[lxc]
+gitea ansible_host=10.0.0.108
+zabbix-proxy ansible_host=10.0.0.110 
+pi-hole ansible_host=10.0.0.104
+ansible ansible_host=10.0.0.111
+#localhost ansible_connection=local # for testing playbooks on the control node
+
+
+[pbs]
+proxmox-backup ansible_host=10.0.0.201
+
+# This is a group of groups. It includes all Ubuntu based systems.
+[ubuntu:children]
+docker
+ubuntu_servers
+lxc

Ansible/playbooks/apt_upgrade.yml

@@ -0,0 +1,29 @@
+---
+- name: Upgrade all apt packages
+  hosts: ubuntu
+  become: yes
+  tasks:
+    - name: Update apt cache
+      ansible.builtin.apt:
+        update_cache: yes
+        cache_valid_time: 3600
+
+    - name: Upgrade all apt packages
+      ansible.builtin.apt:
+        upgrade: dist
+#      environment:
+#        DEBIAN_FRONTEND: noninteractive
+
+    - name: Autoremove unused packages
+      ansible.builtin.apt:
+        autoremove: yes
+
+    - name: Check if a reboot is required
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+      register: reboot_required_file
+
+    - name: Display reboot message
+      ansible.builtin.debug:
+        msg: "A reboot is required to apply the latest updates."
+      when: reboot_required_file.stat.exists

Ansible/playbooks/lxc_setup_ubuntu.yml

@@ -0,0 +1,63 @@
+---
+- name: Secure and Configure a New LXC Container
+  hosts: 'lxc' # Hosts or group defined in your inventory
+  remote_user: root
+  tasks:
+    - name: 1. Create user '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        shell: /bin/bash
+        groups: sudo # Add to sudo (for Debian/Ubuntu)
+        state: present
+
+    - name: 1.1. Allow '{{ target_user }}' to use sudo without a password
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+        mode: '0440'
+        validate: /usr/sbin/visudo -cf %s
+
+    - name: 2. Set up authorized_keys for '{{ target_user }}'
+      ansible.posix.authorized_key:
+        user: '{{ target_user }}'
+        key: "{{ item }}"
+        state: present
+        path: /home/{{ target_user }}/.ssh/authorized_keys
+      loop: "{{ my_public_keys }}"
+      # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
+
+    - name: 3. Lock password for '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        password_lock: yes
+
+    - name: 4.0. Install software-properties-common
+      ansible.builtin.apt:
+        name: software-properties-common
+        state: present
+        update_cache: yes
+
+    - name: 4.1. Disallow root login over SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+    - name: 4.2. Disallow password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+  handlers:
+    # This block will only run if at least one task sends a notification.
+    # This prevents unnecessary service restarts.
+    - name: 5. Restart sshd server
+      listen: "restart sshd"
+      ansible.builtin.service:
+        name: sshd
+        state: restarted

Ansible/playbooks/zabbix_agent_upgrade.yml

@@ -1,16 +1,16 @@
-- name: Upgrade zabbix agent
-  hosts: zagents
-  become: true
-
-  tasks:
-   - name: Ensure that Zabbix agent is at the latest version 
-     ansible.builtin.apt:
-      name: zabbix-agent2
-      state: latest
-     register: zabbix_agent2_status
-
-   - name: Upgrade Zabbix agent if not latest
-     ansible.builtin.apt:
-      name: zabbix-agent2
-      upgrade: yes
+- name: Upgrade zabbix agent
+  hosts: zagents
+  become: true
+
+  tasks:
+   - name: Ensure that Zabbix agent is at the latest version 
+     ansible.builtin.apt:
+      name: zabbix-agent2
+      state: latest
+     register: zabbix_agent2_status
+
+   - name: Upgrade Zabbix agent if not latest
+     ansible.builtin.apt:
+      name: zabbix-agent2
+      upgrade: yes
      when: zabbix_agent2_status.changed

Ansible/playbooks/zabbix_proxy_install.yml

@@ -0,0 +1,115 @@
+---
+- name: Install and Configure Zabbix Proxy and Agent
+  hosts: zabbix-proxy # Assuming you have a group for zabbix proxy in your inventory
+  become: yes
+  vars_files:
+    - ../secrets.yml
+  tasks:
+    - name: Download Zabbix release package
+      ansible.builtin.get_url:
+        url: "https://repo.zabbix.com/zabbix/7.4/release/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest_7.4+ubuntu24.04_all.deb"
+        dest: /tmp/zabbix-release.deb
+
+    - name: Install Zabbix release package
+      ansible.builtin.apt:
+        deb: /tmp/zabbix-release.deb
+
+    - name: Install Zabbix proxy and agent
+      ansible.builtin.apt:
+        name:
+          - zabbix-proxy-sqlite3
+          - zabbix-agent2
+        state: present
+        update_cache: yes
+
+    - name: Create Zabbix proxy custom configuration file
+      ansible.builtin.copy:
+        dest: /etc/zabbix/zabbix_proxy.d/custom.conf
+        content: |
+          ## Managed by Ansible - do not edit manually ##
+          ## Changes will be overwritten ##
+          DBName=/tmp/zabbix_proxy
+          StartPollers=2
+          StartPreprocessors=1
+          StartTrappers=1
+          StartDiscoverers=1
+          StartDBSyncers=1
+          StartAgentPollers=2
+          EnableRemoteCommands=1
+          TLSConnect=psk
+          TLSAccept=psk
+      notify: restart zabbix-proxy
+
+    - name: Create Zabbix proxy connection configuration file
+      ansible.builtin.copy:
+        dest: /etc/zabbix/zabbix_proxy.d/connection.conf
+        content: |
+          ## Managed by Ansible - do not edit manually ##
+          ## Changes will be overwritten ##
+          Server={{ zabbix_server_address }}:10051
+          Hostname={{ ansible_facts.hostname }}
+          TLSPSKFile=/etc/zabbix/{{ ansible_facts.hostname }}.psk
+          TLSPSKIdentity={{ zabbix_psk_identity }}
+      notify: restart zabbix-proxy
+
+    - name: Create Zabbix proxy PSK file
+      ansible.builtin.copy:
+        dest: "/etc/zabbix/{{ ansible_facts.hostname }}.psk"
+        content: "{{ zabbix_proxy_psk }}"
+        owner: zabbix
+        group: zabbix
+        mode: '0600'
+      notify: restart zabbix-proxy
+
+    - name: Create Zabbix agent custom configuration file
+      ansible.builtin.copy:
+        dest: /etc/zabbix/zabbix_agent2.d/custom.conf
+        content: |
+          ## Managed by Ansible - do not edit manually ##
+          ## Changes will be overwritten ##
+          Hostname={{ ansible_facts.hostname }}
+          Server={{ hostvars['zabbix-proxy']['ansible_host'] }},{{ hostvars['raspberry-pi']['ansible_host'] }}
+          ServerActive={{ hostvars['zabbix-proxy']['ansible_host'] }};{{ hostvars['raspberry-pi']['ansible_host'] }}
+      notify: restart zabbix-agent2
+
+    - name: Create Zabbix agent user parameters file
+      ansible.builtin.copy:
+        dest: /etc/zabbix/zabbix_agent2.d/userparams.conf
+        content: |
+          ## Managed by Ansible - do not edit manually ##
+          ## Changes will be overwritten ## 
+          AllowKey=system.run[*]
+      notify: restart zabbix-agent2
+
+  handlers:
+    - name: restart zabbix-proxy
+      ansible.builtin.service:
+        name: zabbix-proxy
+        state: restarted
+        enabled: yes
+    - name: restart zabbix-agent2
+      ansible.builtin.service:
+        name: zabbix-agent2
+        state: restarted
+        enabled: yes
+
+- name: Verify Zabbix Services
+  hosts: zabbix-proxy
+  become: yes
+  tasks:
+    - name: Check if Zabbix services are running
+      ansible.builtin.service_facts:
+
+    - name: Assert that Zabbix proxy is running
+      ansible.builtin.assert:
+        that:
+          - "ansible_facts.services['zabbix-proxy.service'].state == 'running'"
+        fail_msg: "Zabbix proxy is not running"
+        success_msg: "Zabbix proxy is running"
+
+    - name: Assert that Zabbix agent is running
+      ansible.builtin.assert:
+        that:
+          - "ansible_facts.services['zabbix-agent2.service'].state == 'running'"
+        fail_msg: "Zabbix agent 2 is not running"
+        success_msg: "Zabbix agent 2 is running"

Ansible/vars.yml

@@ -0,0 +1,9 @@
+# User which will be created on the LXC containers to replace root
+target_user: 'mbuz'
+
+# List of public keys to be added to the target_user's authorized_keys file
+my_public_keys:
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSGj0dxaA38QSBVY3DZiPb+qmIuTFxGo0mt4sbmYDa3 mbuz@macbook-pro"
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpvRkew+XpOAt7I/mizQbE/OJP1SO6NVl2/A1ZGzdU3 mbuz@windows-desktop"
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWMJbHDCB8XCxPGth1229A3W/sPpvJHO9xBvegv4Sx mbuz@macbook-air"
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJM2yLXiX45OgzhmKtr822gJaER/Ur/2yhRSiXI2AW+U mbuz@ansible"

Docker/immich/.env.example

@@ -1,21 +1,22 @@
 # You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
 
 # The location where your uploaded files are stored
-UPLOAD_LOCATION=${UPLOAD_LOCATION}
-# The location where your database files are stored
-DB_DATA_LOCATION=${DB_DATA_LOCATION}
+UPLOAD_LOCATION=./library
+
+# The location where your database files are stored. Network shares are not supported for the database
+DB_DATA_LOCATION=./postgres
 
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 # TZ=Etc/UTC
 
 # The Immich version to use. You can pin this to a specific version like "v1.71.0"
-IMMICH_VERSION=${IMMICH_VERSION:-release}
+IMMICH_VERSION=release
 
 # Connection secret for postgres. You should change it to a random password
 # Please use only the characters `A-Za-z0-9`, without special characters or spaces
-DB_PASSWORD=${DB_PASSWORD}
+DB_PASSWORD=postgres
 
 # The values below this line do not need to be changed
 ###################################################################################
-DB_USERNAME=${DB_USERNAME}
-DB_DATABASE_NAME=${DB_DATABASE_NAME}
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich

Docker/semaphore-ui/.env.example

@@ -0,0 +1,4 @@
+SEMAPHORE_ADMIN=admin
+SEMAPHORE_ADMIN_PASSWORD=changeme
+SEMAPHORE_ADMIN_NAME=Admin
+SEMAPHORE_ADMIN_EMAIL=admin@example.com

Docker/semaphore-ui/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+    semaphore:
+        ports:
+            - 3030:3000
+        image: semaphoreui/semaphore:v2.16.18
+        environment:
+            SEMAPHORE_DB_DIALECT: sqlite
+            SEMAPHORE_ADMIN: ${ADMIN_USER}
+            SEMAPHORE_ADMIN_PASSWORD: ${ADMIN_PASS}
+            SEMAPHORE_ADMIN_NAME: ${ADMIN_NAME}
+            SEMAPHORE_ADMIN_EMAIL: ${ADMIN_EMAIL}
+        volumes:       
+            - semaphore-data:/var/lib/semaphore
+            - semaphore-config:/etc/semaphore  
+volumes:
+  semaphore-data:
+  semaphore-config:

Docker/semaphore-ui/docker-run.sh

@@ -0,0 +1,9 @@
+docker run -d \
+  --restart unless-stopped \
+  --name semaphore \
+  -p 3030:3000 \
+  --env-file .env \
+  -e SEMAPHORE_DB_DIALECT=sqlite \
+  -v semaphore-data:/var/lib/semaphore \
+  -v semaphore-config:/etc/semaphore \
+  semaphoreui/semaphore:latest