Ansible roles for a home server, using Ubuntu 22.04 on amd64 or arm64 (e.g. Raspberry Pi 4).
| Role | Description |
|---|---|
pi_server.roles.base |
Basic server setup: Docker, monitoring with Prometheus, Traefik, automatic updates. |
pi_server.roles.pi_core |
Home server base: dynamic DNS and a control panel for services. Only suitable for use on a LAN, since most services are configured without authentication. Includes pi_server.roles.base. |
pi_server.roles.pi_full |
Home server services: Syncthing, MiniDLNA, PhotoPrism, Pi-hole, OpenVPN, backups via restic. Includes pi_server.roles.pi_core. Requires a ZFS pool for storing synced data, and certificates for OpenVPN; see below. |
For finer-grained choice of services, directly use the roles that
pi_server.roles.pi_full calls.
-
Install Ubuntu 22.04 on the server.
-
Create a non-root user with sudo access:
sudo adduser USER sudo adduser USER sudo
-
Add the dev machine's SSH key to the new user's
authorized_keys. -
If using
pi_server.roles.pi_full, set up a ZFS pool for storing synced data:# DEV_* should be the device files of the disks, e.g. /dev/sda, /dev/sdb. # ZPOOL_NAME must match pi_server_storage_zpool in the inventory. zpool create -m /mnt/data -o autoexpand=on -O acltype=posix -O atime=off -O \ compression=on -O xattr=sa "${ZPOOL_NAME}" mirror "${DEV_1}" "${DEV_2}"
-
If using
pi_server.roles.pi_full, create certificates for OpenVPN:# One time only: create the CA. DIR should be encrypted. cd ca ./make-ca "${DIR}" "${CA_NAME}" # For each server: create certs. cd "${DIR}" ./scripts/make-pi-server-certs
Copy the generated certs to
/etc/pi-server/certson the server.
Before using any of these roles, include pi_server.role_helpers. Example
playbook:
- hosts: pi
tasks:
- ansible.builtin.include_role:
name: pi_server.role_helpers
- ansible.builtin.include_role:
name: pi_server.roles.pi_coreExample inventory:
all:
hosts:
pi:
ansible_host: # the server's IP address
ansible_user: # the user created on the server
# pi_server_*: many vars needed by the roles; roles will complain if the
# vars they need are unset. See testbed/Vagrantfile for
# examples.
On the dev machine:
pip install -r requirements.txt.ansible-galaxy install -r requirements.yml.ansible-playbook --ask-become-pass --inventory "${INVENTORY}" "${PLAYBOOK}"
Forward TCP port 1194 to the server on the server's LAN's router.
Set static routes on the server's LAN's router:
${pi_server_vpn_network} via ${pi_server_lan_ip}
If using pi_server.apps.openvpn.server_to_server_client and
pi_server.apps.openvpn.server_to_server_server, set extra static routes on the
client server's LAN's router:
${remote server's pi_server_lan_network} via ${pi_server_lan_ip}
${remote server's pi_server_vpn_network} via ${pi_server_lan_ip}
And on the remote server's LAN's router:
${pi_server_lan_network} via ${remote server's pi_server_lan_ip}
${pi_server_vpn_network} via ${remote server's pi_server_lan_ip}
See testbed/README.md.