inital

.gitignore

@@ -0,0 +1,18 @@
+# Vault Password File
+.vault-password
+vault-password
+*.vault-pass
+
+# Sensible Dateien
+*.key
+*.pem
+*.pfx
+
+# Ansible temporäre Dateien
+*.retry
+.ansible/
+
+# Editor
+.vscode/
+*.swp
+*~

ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+host_key_checking = false
+inventory=pfannkuchen.ini
+ansible_python_interpreter=/usr/bin/python3
+interpreter_python = auto_silent
+[ssh_connection]
+ssh_args = -o PasswordAuthentication=yes

base-debian.yml

@@ -0,0 +1,141 @@
+---
+- name: Basis-Konfiguration für Debian VMs
+  hosts: all
+  become: yes
+  vars:
+    # Pfad auf dem Ansible-LXC (Quelle)
+    source_folder: "/ansible/komodo/"
+    # Pfad auf der Ziel-VM (Ziel)
+    dest_folder: "/app-config/komodo/"
+
+  tasks:
+    - name: SSH Key für Benutzer sascha hinterlegen
+      ansible.posix.authorized_key:
+        user: chris
+        state: present
+        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
+    - name: Standard Debian Trixie Repositories setzen
+      copy:
+        dest: /etc/apt/sources.list
+        content: |
+          deb http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
+          deb-src http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
+
+          deb http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
+          deb-src http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
+
+          deb http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
+          deb-src http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
+        owner: root
+        group: root
+        mode: '0644'
+      register: repo_status
+
+    - name: Apt Cache aktualisieren (falls Repos geändert wurden)
+      apt:
+        update_cache: yes
+      when: repo_status.changed
+
+    - name: Installiere benötigte Basis-Pakete
+      apt:
+        name: 
+          - curl
+          - gnupg
+          - ca-certificates
+          - sudo 
+          - wget
+          - vim
+          - mc
+        state: present
+        update_cache: yes
+    - name: Locales-Paket sicherstellen
+      apt:
+        name: locales
+        state: present
+
+    - name: en_US.UTF-8 Locale generieren
+      locale_gen:
+        name: en_US.UTF-8
+        state: present
+
+    - name: Systemweite Sprache auf en_US.UTF-8 setzen
+      debconf:
+        name: locales
+        question: locales/default_environment_locale
+        value: en_US.UTF-8
+        vtype: select
+
+    - name: Locale-Datei manuell schreiben (Sicherheitsnetz)
+      copy:
+        dest: /etc/default/locale
+        content: |
+          LANG=en_US.UTF-8
+          LC_ALL=en_US.UTF-8
+
+    - name: Verzeichnis für Keyrings erstellen
+      file:
+        path: /etc/apt/keyrings
+        state: directory
+        mode: '0755'
+
+    - name: Docker GPG Key herunterladen (Modern)
+      get_url:
+        url: https://download.docker.com/linux/debian/gpg
+        dest: /etc/apt/keyrings/docker.asc
+        mode: '0644'
+
+    - name: Docker Repository Datei erstellen
+      copy:
+        dest: /etc/apt/sources.list.d/docker.list
+        content: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable"
+        mode: '0644'
+      register: docker_repo
+
+    - name: Paketliste aktualisieren
+      apt:
+        update_cache: yes
+      when: docker_repo.changed
+
+    - name: Docker Engine installieren
+      apt:
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-compose-plugin
+        state: present
+    - name: Zielverzeichnis auf der VM erstellen
+      file:
+        path: "{{ dest_folder }}"
+        state: directory
+        mode: '0755'
+
+    # 2. Sudoers anpassen (Ohne Passwort-Abfrage für die Gruppe sudo)
+    - name: Gruppe sudo passwortloses sudo erlauben
+      lineinfile:
+        path: /etc/sudoers
+        state: present
+        regexp: '^%sudo'
+        line: '%sudo   ALL=(ALL:ALL) NOPASSWD: ALL'
+        validate: '/usr/sbin/visudo -cf %s'
+
+    # 3. Sascha in Gruppen stecken
+    - name: Benutzer sascha zu sudo und docker Gruppen hinzufügen
+      user:
+        name: sascha
+        groups: sudo,docker
+        append: yes
+
+    - name: Unnötige Pakete entfernen
+      apt:
+        autoremove: yes
+
+    - name: QEMU Guest Agent installieren und starten
+      apt:
+        name: qemu-guest-agent
+        state: present
+    - name: Agent Dienst aktivieren
+      service:
+        name: qemu-guest-agent
+        state: started
+        enabled: yes

hawser.yml

@@ -0,0 +1,14 @@
+---
+- name: Hawser
+  hosts: all
+  become: yes
+  tasks:
+    - name: Hawser installieren (offizielles Install-Script)
+      ansible.builtin.shell:
+        cmd: curl -fsSL https://raw.githubusercontent.com/Finsys/hawser/main/scripts/install.sh | bash
+    - name: Hawser aktivieren und starten
+      ansible.builtin.systemd:
+        name: hawser
+        enabled: true
+        state: started
+        daemon_reload: true

nvidia.yml

@@ -0,0 +1,88 @@
+---
+- name: NVIDIA + Docker Setup fuer Debian Trixie
+  hosts: all
+  become: true
+
+  vars:
+    docker_daemon_config:
+      default-runtime: nvidia
+      runtimes:
+        nvidia:
+          path: nvidia-container-runtime
+          runtimeArgs: []
+
+  tasks:
+
+    # --- Repos ----------------------------------------------------------------
+
+    - name: NVIDIA Container Toolkit GPG Key hinzufuegen
+      ansible.builtin.shell: |
+        curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey \
+          | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
+      args:
+        creates: /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
+
+    - name: NVIDIA Container Toolkit Repo hinzufuegen
+      ansible.builtin.shell: |
+        curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list \
+          | sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' \
+          | tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+      args:
+        creates: /etc/apt/sources.list.d/nvidia-container-toolkit.list
+
+    - name: apt update
+      ansible.builtin.apt:
+        update_cache: true
+
+    # --- Pakete ---------------------------------------------------------------
+    - name: Kernel Headers und DKMS installieren
+      ansible.builtin.apt:
+        name:
+          - linux-headers-{{ ansible_kernel }}
+          - dkms
+        state: present
+
+    - name: NVIDIA Treiber installieren
+      ansible.builtin.apt:
+        name:
+          - "nvidia-driver"
+        state: present
+
+    - name: NVIDIA Container Toolkit installieren
+      ansible.builtin.apt:
+        name:
+          - nvidia-container-toolkit
+          - nvidia-docker2
+        state: present
+
+    - name: NFS und CIFS Pakete installieren
+      ansible.builtin.apt:
+        name:
+          - nfs-common
+          - cifs-utils
+        state: present
+
+    # --- Docker konfigurieren -------------------------------------------------
+
+    - name: /etc/docker Verzeichnis sicherstellen
+      ansible.builtin.file:
+        path: /etc/docker
+        state: directory
+        mode: "0755"
+
+    - name: Docker daemon.json konfigurieren (NVIDIA als default runtime)
+      ansible.builtin.copy:
+        content: "{{ docker_daemon_config | to_nice_json }}"
+        dest: /etc/docker/daemon.json
+        mode: "0644"
+      notify: Docker neustarten
+
+    - name: nvidia-ctk runtime fuer Docker konfigurieren
+      ansible.builtin.command: nvidia-ctk runtime configure --runtime=docker
+      changed_when: false
+
+  handlers:
+    - name: Docker neustarten
+      ansible.builtin.service:
+        name: docker
+        state: restarted

pfannkuchen.ini

@@ -0,0 +1,45 @@
+[proxmox]
+node1 ansible_host=10.10.1.1
+node2 ansible_host=10.5.85.200
+node4 ansible_host=10.5.85.100
+node5 ansible_host=10.5.85.101
+
+[proxmox:vars]
+ansible_user=root
+
+[media]
+emby_sascha ansible_host=10.5.1.103 ansible_user=sascha
+emby_chris ansible_host=10.5.1.106 ansible_user=chris
+jellyfin ansible_host=10.5.1.112 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+immich ansible_host=10.4.1.107 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+emby_chris_new ansible_host=10.5.1.117 ansible_user=chris ansible_become_method=su ansible_become_password=Pimmelparty123 ansible_password=Pimmelparty123
+
+
+[arr]
+tdarr ansible_host=10.2.1.104 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+arrapps ansible_host=10.2.1.100 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+sabnzbd ansible_host=10.2.1.119 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+
+[docker]
+dockhand ansible_host=10.4.1.116 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8 ansible_password=GT500r8
+
+[auto]
+n8n ansible_host=10.4.1.113 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8 ansible_password=GT500r8
+ansible ansible_host=localhost ansible_user=root
+
+[communication]
+matrix ansible_host=10.4.1.110 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8 ansible_password=GT500r8
+
+[hetzner]
+emby ansible_host=emby ansible_user=root
+proxy ansible_host=proxy ansible_user=root
+
+
+[all:children]
+media
+arr
+media
+docker
+auto
+hetzner
+#proxmox

sysctl-proxmox.yaml

@@ -0,0 +1,27 @@
+---
+- name: Sysctl Tuning fuer Proxmox Hosts
+  hosts: proxmox
+  become: true
+
+  tasks:
+
+    - name: Sysctl Parameter setzen
+      ansible.posix.sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
+        sysctl_file: /etc/sysctl.d/99-proxmox-tuning.conf
+        reload: true
+        state: present
+      loop:
+        # KVM / Virtualisierung
+        - { key: vm.overcommit_memory,               value: "1" }
+        - { key: vm.swappiness,                      value: "1" }
+        # Viele VMs = viele File Handles
+        - { key: fs.file-max,                        value: "9999999" }
+        - { key: fs.inotify.max_user_watches,        value: "524288" }
+        - { key: fs.inotify.max_user_instances,      value: "512" }
+        # Routing zwischen VMs / Bridges
+        - { key: net.ipv4.ip_forward,                value: "1" }
+        # WireGuard MTU-Anpassung
+        # TODO: entfernen sobald WireGuard abgeschaltet wird
+        - { key: net.ipv4.tcp_mtu_probing,           value: "1" }

sysctl.yaml

@@ -0,0 +1,41 @@
+---
+- name: Sysctl Tuning fuer Emby
+  hosts: all
+  become: true
+
+  tasks:
+
+    - name: BBR Kernel Modul laden
+      ansible.builtin.modprobe:
+        name: tcp_bbr
+        state: present
+
+    - name: BBR Modul beim Boot laden
+      ansible.builtin.copy:
+        content: "tcp_bbr\n"
+        dest: /etc/modules-load.d/bbr.conf
+        mode: "0644"
+
+    - name: Sysctl Parameter setzen
+      ansible.posix.sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
+        sysctl_file: /etc/sysctl.d/99-net-tuning.conf
+        reload: true
+        state: present
+      loop:
+        - { key: net.core.rmem_default,              value: "262144" }
+        - { key: net.core.wmem_default,              value: "262144" }
+        - { key: net.core.rmem_max,                  value: "67108864" }
+        - { key: net.core.wmem_max,                  value: "67108864" }
+        - { key: net.ipv4.tcp_rmem,                  value: "4096 87380 67108864" }
+        - { key: net.ipv4.tcp_wmem,                  value: "4096 65536 67108864" }
+        - { key: net.ipv4.tcp_window_scaling,        value: "1" }
+        - { key: net.ipv4.tcp_congestion_control,    value: "bbr" }
+        - { key: net.ipv4.tcp_slow_start_after_idle, value: "0" }
+        - { key: net.ipv4.tcp_fastopen,              value: "3" }
+        - { key: net.core.netdev_max_backlog,        value: "16384" }
+        # RAM ist reichlich vorhanden, Transcoding auf tmpfs
+        - { key: vm.swappiness,                      value: "1" }
+        - { key: vm.dirty_ratio,                     value: "15" }
+        - { key: vm.dirty_background_ratio,          value: "5" }

update.yml

@@ -0,0 +1,10 @@
+---
+- name: Alle VMs aktualisieren
+  hosts: all
+  become: yes
+  tasks:
+    - name: Update apt cache and upgrade packages
+      apt:
+        update_cache: yes
+        upgrade: dist
+        autoremove: yes