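---
# Playbook that applies the roles listed below to every host in the
# "raspberry_pis" inventory group.
#
# Notice that "# noqa: package-latest" is included in this file. This disables
# a specific check of the Ansible linter, see:
# https://ansible.readthedocs.io/projects/lint/usage/#muting-warnings-to-avoid-false-positives.
# For a purely reproducible build the check would be a good suggestion, but
# I'm willing to take the risk with the Pi.
- name: Install raspberry pi
  hosts: raspberry_pis
  vars_files:
    # NOTE(review): presumably an Ansible Vault-encrypted file. Confirm it is
    # encrypted before it is committed.
    - vault.yml
    - versions.yml
  roles:
    # These roles are disabled after they have been applied once for
    # performance reasons; it should be safe to enable them again.
    # Notice that this role changes some settings on reruns (on the
    # "Change various sysctl-settings" task), doesn't seem problematic though.
    - role: fstab
    - role: devsec.hardening.ssh_hardening
      become: true
    - role: geerlingguy.docker
      become: true
    - role: hostname
    - role: packages
    - role: user
    - role: cloudflare-ddns
    - role: cloudflared
    - role: nginx
    - role: actual
    - role: postgres
    - role: wedding
    - role: changedetection
    - role: monitoring
    - role: immich
  vars:
    # devsec.hardening.ssh_hardening vars:
    # NOTE(review): in this role the ssh_client_* variables appear to
    # configure the outbound SSH client, while the listening sshd is governed
    # by ssh_server_ports and ssh_server_password_login. The comments below
    # describe inbound access, so confirm which settings were meant to be
    # documented here.
    # Default, but duplicated here for documentation purposes. Not changed
    # because it's only accessible via LAN.
    ssh_client_port: 22
    # Default, but duplicated here for documentation purposes.
    ssh_client_password_login: false
    # Deviates from the role's hardened default by enabling TCP forwarding.
    # NOTE(review): record why forwarding is needed. The role may accept a
    # narrower value (for example local-only forwarding); verify against the
    # installed role version.
    ssh_allow_tcp_forwarding: true
    # geerlingguy.docker vars:
    docker_edition: 'ce'
    docker_install_compose_plugin: true
  tasks:
    # This task can be handy for debugging gathered facts, uncomment it if
    # necessary. The dump is written on the control node with owner-only
    # permissions; keep it out of version control.
    # - name: Store gathered facts in local file
    #   delegate_to: localhost
    #   ansible.builtin.copy:
    #     dest: './.ansible_facts.json'
    #     content: "{{ ansible_facts }}"
    #     mode: "0600"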