Modularity¶
Overview¶
This playbook is made to be modular, meaning you can pick which services you want to install from the selection.
However, it is not fully finished; it is more like an in-between, with most (but not yet all) services defined as roles.
Services (at least most of them currently) are defined as Ansible roles, and a role does the whole installation of its service.
This includes rendering the templates, creating the container/Quadlet, opening ports if necessary and doing other configuration.
The main playbook orchestrates which roles run.
The 'in-between'
Some tasks are yet to be delegated to roles. These include:
- Podman installation (Alma Linux came with it so I forgot about that)
- Cloudflare Tunnel installation
- Opening port 443 (this belongs in the Caddy role)
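As an added illustration of the arrangement described above (not the project's own playbook or role; the role names, the `enabled_services` and `cloudflared_tunnel_token` variables, the `homelab` host group and the file paths are assumptions), this is what a main playbook that keeps the "in-between" tasks in `pre_tasks` and selects roles by name looks like, together with a Caddy role that renders its template, creates the Quadlet and opens its own port 443:

```yaml
# site.yml  (added example, not the project's playbook; names are assumed)
# Role selection: each role runs only if it is listed in enabled_services.
- name: Self-hosted stack
  hosts: homelab
  become: true
  vars:
    enabled_services: [caddy, mosquitto, influxdb, grafana]   # assumed variable name
    cloudflared_tunnel_token: "{{ vault_cloudflared_token }}"   # keep the token in Ansible Vault

  pre_tasks:
    # The 'in-between': tasks not yet delegated to a role.
    - name: Ensure Podman is installed (Alma Linux ships it, so this is normally a no-op)
      ansible.builtin.dnf:
        name: podman
        state: present

    - name: Install cloudflared (assumes Cloudflare's RPM repository is already configured)
      ansible.builtin.dnf:
        name: cloudflared
        state: present

    - name: Register the tunnel as a systemd service with the dashboard token
      ansible.builtin.command: cloudflared service install {{ cloudflared_tunnel_token }}
      args:
        creates: /etc/systemd/system/cloudflared.service   # idempotency guard (assumed unit path)
      no_log: true   # the token is a credential; keep it out of the run log

  roles:
    - role: caddy
      when: "'caddy' in enabled_services"
    - role: mosquitto
      when: "'mosquitto' in enabled_services"
    - role: influxdb
      when: "'influxdb' in enabled_services"
    - role: grafana
      when: "'grafana' in enabled_services"

---
# roles/caddy/tasks/main.yml  (added example; the real role may differ)
- name: Render the Caddyfile from the role's Jinja2 template
  ansible.builtin.template:
    src: Caddyfile.j2
    dest: /etc/caddy/Caddyfile
    mode: "0644"
  notify: restart caddy

- name: Create the Caddy Quadlet (systemd generates caddy.service from this file)
  ansible.builtin.copy:
    dest: /etc/containers/systemd/caddy.container
    mode: "0644"
    content: |
      [Unit]
      Description=Caddy reverse proxy
      After=network-online.target

      [Container]
      Image=docker.io/library/caddy:2
      PublishPort=443:443
      Volume=/etc/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,Z
      Volume=caddy-data:/data

      [Install]
      WantedBy=multi-user.target
  notify: restart caddy

# Opening port 443 belongs here, in the role, not in the main playbook.
- name: Open HTTPS in firewalld (persisted and applied immediately)
  ansible.posix.firewalld:
    port: 443/tcp
    permanent: true
    immediate: true
    state: enabled

# Quadlet units are generated, so they are not enabled with systemctl enable;
# the [Install] section above takes care of starting at boot.
- name: Reload systemd so the generated caddy.service exists, then start it
  ansible.builtin.systemd:
    name: caddy
    daemon_reload: true
    state: started

---
# roles/caddy/handlers/main.yml
- name: restart caddy
  ansible.builtin.systemd:
    name: caddy
    daemon_reload: true
    state: restarted
```

The `when` clauses are what make the mix-and-match work: a service is added to a host by adding its name to `enabled_services` in that host's vars. Putting the firewall task inside the role is what the "in-between" list above is still missing for port 443.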
Role Catalog¶
Customization
Most roles have variables and defaults that influence how they behave or change important data, like domain names.
I detail what these are and what changing them does in the Roles topic.
Core infrastructure¶
These services are necessary for the stack to work: container management, reverse proxy, and remote access.
They are non-negotiable if you want the stack to function like mine. However, you can change them if you know what you're doing.
Tip: Podman is not a role, as my playbook currently assumes you have Podman preinstalled.
Tip: Cloudflared is currently NOT a separate role. It's part of the main playbook, but I'll move it soon.
Warning: Keep in mind that Cloudflare terminates TLS at its edge and can therefore read the traffic it proxies (that's how their protections work), so avoid publishing sensitive services over it (like Immich).
Purpose: Installs cloudflared and creates the tunnel with the token you provide. This enables your services to be reachable behind CGNAT.
Limitations: Tunnel management is only available via the Cloudflare Dashboard, and you need a Cloudflare account for it to work.
Future: Moving this to a separate role, so that it can be part of the modular mix-and-match style.
Purpose: Installs the Caddy reverse proxy as a Quadlet. It uses a templated Caddyfile, so you can easily change the domains or some ports with Ansible variables.
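An added example of what such a templated Caddyfile can look like (this is not the project's template; the variable names `caddy_base_domain`, `caddy_https_port`, `caddy_tls_internal` and `caddy_sites`, and the sample defaults in the comment, are assumptions). It generates one site block per entry in a list, so adding a domain is a variable change rather than a template change:

```jinja
{# roles/caddy/templates/Caddyfile.j2  (added example; variable names are assumed) #}
{# Assumed role defaults (roles/caddy/defaults/main.yml), overridable per host:
   caddy_base_domain: "example.home"
   caddy_https_port: 443          # keep in sync with the Quadlet's PublishPort
   caddy_tls_internal: false      # true = Caddy's internal CA for names ACME can't validate
   caddy_sites:
     - { host: "grafana", upstream: "grafana:3000" }
     - { host: "recipes", upstream: "recipes:8000" }
#}
{
    # Global options: listener port driven by an Ansible variable
    https_port {{ caddy_https_port }}
}

{% for site in caddy_sites %}
{{ site.host }}.{{ caddy_base_domain }} {
{% if caddy_tls_internal %}
    # Internal (LAN-only) names cannot pass ACME validation; use Caddy's local CA
    tls internal
{% endif %}
    # Hardening headers applied at the proxy for every published service
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        Referrer-Policy strict-origin-when-cross-origin
        -Server
    }
    reverse_proxy {{ site.upstream }}
}

{% endfor %}
```

Upstreams are container names, which resolve only if the proxied containers share a Podman network with Caddy (a `Network=` line in each Quadlet); with a different network layout, put the reachable host:port in `caddy_sites` instead.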
Limitations: I'm sure it has some, but for my current use case they do not matter.
Future: Make it optional, and create other roles for other reverse proxy services.
Note: Again, this playbook assumes Alma Linux, which comes with firewalld preinstalled.
Firewalld is more of a service to be installed than a role that configures things, as all roles (except Caddy, which I'll change soon) open their own ports.
Services¶
The (probably) most popular self-hosted password manager that works with Bitwarden clients.
This way, you can have safe, generated passwords and only have to remember a master password.
This service is published over Cloudflare Tunnel, as the data it sends is already encrypted by the client (unlike Immich).
See more details
The nicest-looking recipe manager with built-in shopping lists I could find. It has a good web UI and multiple Android clients.
See more details
Dashboards that display data queried from databases.
It belongs to my IoT stack, displaying graphs from InfluxDB.
See more details
A fairly light database that stores all the IoT monitoring data.
See more details
The middleman passing data from Mosquitto to the InfluxDB database.
See more details
An MQTT broker that my IoT devices connect to and publish their data to.
See more details