From b6dafc7a73c145184f7b3c9fc3d95e6f92c73d5d Mon Sep 17 00:00:00 2001
From: Sascha
Date: Tue, 3 Mar 2026 21:45:41 +0100
Subject: [PATCH] inital
---
.gitignore | 18 ++++++
ansible.cfg | 7 +++
base-debian.yml | 141 ++++++++++++++++++++++++++++++++++++++++++++
hawser.yml | 14 +++++
nvidia.yml | 88 +++++++++++++++++++++++++++
pfannkuchen.ini | 45 ++++++++++++++
sysctl-proxmox.yaml | 27 +++++++++
sysctl.yaml | 41 +++++++++++++
update.yml | 10 ++++
9 files changed, 391 insertions(+)
create mode 100644 .gitignore
create mode 100644 ansible.cfg
create mode 100644 base-debian.yml
create mode 100644 hawser.yml
create mode 100644 nvidia.yml
create mode 100644 pfannkuchen.ini
create mode 100644 sysctl-proxmox.yaml
create mode 100644 sysctl.yaml
create mode 100644 update.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..763dd2e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,18 @@
+# Vault Password File
+.vault-password
+vault-password
+*.vault-pass
+
+# Sensible Dateien
+*.key
+*.pem
+*.pfx
+
+# Ansible temporäre Dateien
+*.retry
+.ansible/
+
+# Editor
+.vscode/
+*.swp
+*~
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..46378eb
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+host_key_checking = false
+inventory=pfannkuchen.ini
+ansible_python_interpreter=/usr/bin/python3
+interpreter_python = auto_silent
+[ssh_connection]
+ssh_args = -o PasswordAuthentication=yes
diff --git a/base-debian.yml b/base-debian.yml
new file mode 100644
index 0000000..7ffe2a6
--- /dev/null
+++ b/base-debian.yml
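Review bot: `host_key_checking = false` combined with `ssh_args = -o PasswordAuthentication=yes` means the controller will send the password of every host that carries an `ansible_password` to whatever machine answers on that IP, with no host-key check to catch a spoofed or re-addressed target; set `host_key_checking = true` and maintain a known_hosts file instead of disabling verification. `ansible_python_interpreter` is an inventory/host variable, not a `[defaults]` key, so that line is presumably ignored and the following `interpreter_python = auto_silent` is the setting that actually applies — confirm and drop the dead line. Since the .gitignore hunk already reserves a vault password file, a `vault_password_file = .vault-password` entry here would let the inventory credentials be vaulted without further CLI flags.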
@@ -0,0 +1,141 @@
+---
+- name: Basis-Konfiguration für Debian VMs
+ hosts: all
+ become: yes
+ vars:
+ # Pfad auf dem Ansible-LXC (Quelle)
+ source_folder: "/ansible/komodo/"
+ # Pfad auf der Ziel-VM (Ziel)
+ dest_folder: "/app-config/komodo/"
+
+ tasks:
+ - name: SSH Key für Benutzer sascha hinterlegen
+ ansible.posix.authorized_key:
+ user: chris
+ state: present
+ key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
+ - name: Standard Debian Trixie Repositories setzen
+ copy:
+ dest: /etc/apt/sources.list
+ content: |
+ deb http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
+ deb-src http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
+
+ deb http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
+ deb-src http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
+
+ deb http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
+ deb-src http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
+ owner: root
+ group: root
+ mode: '0644'
+ register: repo_status
+
+ - name: Apt Cache aktualisieren (falls Repos geändert wurden)
+ apt:
+ update_cache: yes
+ when: repo_status.changed
+
+ - name: Installiere benötigte Basis-Pakete
+ apt:
+ name:
+ - curl
+ - gnupg
+ - ca-certificates
+ - sudo
+ - wget
+ - vim
+ - mc
+ state: present
+ update_cache: yes
+ - name: Locales-Paket sicherstellen
+ apt:
+ name: locales
+ state: present
+
+ - name: en_US.UTF-8 Locale generieren
+ locale_gen:
+ name: en_US.UTF-8
+ state: present
+
+ - name: Systemweite Sprache auf en_US.UTF-8 setzen
+ debconf:
+ name: locales
+ question: locales/default_environment_locale
+ value: en_US.UTF-8
+ vtype: select
+
+ - name: Locale-Datei manuell schreiben (Sicherheitsnetz)
+ copy:
+ dest: /etc/default/locale
+ content: |
+ LANG=en_US.UTF-8
+ LC_ALL=en_US.UTF-8
+
+ - name: Verzeichnis für Keyrings erstellen
+ file:
+ path: /etc/apt/keyrings
+ state: directory
+ mode: '0755'
+
+ - name: Docker GPG Key herunterladen (Modern)
+ get_url:
+ url: https://download.docker.com/linux/debian/gpg
+ dest: /etc/apt/keyrings/docker.asc
+ mode: '0644'
+
+ - name: Docker Repository Datei erstellen
+ copy:
+ dest: /etc/apt/sources.list.d/docker.list
+ content: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable"
+ mode: '0644'
+ register: docker_repo
+
+ - name: Paketliste aktualisieren
+ apt:
+ update_cache: yes
+ when: docker_repo.changed
+
+ - name: Docker Engine installieren
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+ state: present
+ - name: Zielverzeichnis auf der VM erstellen
+ file:
+ path: "{{ dest_folder }}"
+ state: directory
+ mode: '0755'
+
+ # 2. Sudoers anpassen (Ohne Passwort-Abfrage für die Gruppe sudo)
+ - name: Gruppe sudo passwortloses sudo erlauben
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
+ validate: '/usr/sbin/visudo -cf %s'
+
+ # 3. Sascha in Gruppen stecken
+ - name: Benutzer sascha zu sudo und docker Gruppen hinzufügen
+ user:
+ name: sascha
+ groups: sudo,docker
+ append: yes
+
+ - name: Unnötige Pakete entfernen
+ apt:
+ autoremove: yes
+
+ - name: QEMU Guest Agent installieren und starten
+ apt:
+ name: qemu-guest-agent
+ state: present
+ - name: Agent Dienst aktivieren
+ service:
+ name: qemu-guest-agent
+ state: started
+ enabled: yes
diff --git a/hawser.yml b/hawser.yml
new file mode 100644
index 0000000..b9b8ea6
--- /dev/null
+++ b/hawser.yml
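Review bot: The sudoers task writes `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` for the entire `sudo` group and the next task puts `sascha` into both `sudo` and `docker`, so any compromise of that account (or of any other group member) is silent root on every host the play reaches; membership in `docker` is already root-equivalent on its own, so the NOPASSWD grant adds exposure without adding capability — drop it or keep the password prompt with `'%sudo ALL=(ALL:ALL) ALL'`, and restrict passwordless sudo to the specific commands the automation actually needs. The first task is named "SSH Key für Benutzer sascha" but installs the key for `user: chris`, so either the name or the target is wrong. The Docker apt line pins `bookworm` while `/etc/apt/sources.list` is switched to `trixie`; if a trixie suite is published on download.docker.com the suite should follow the host (`{{ ansible_distribution_release }}`), otherwise a comment should record why bookworm packages are deliberately installed on trixie. The `get_url` for the Docker signing key has no `checksum:`; pinning it (e.g. `checksum: sha256:<digest>`) makes the trust root reproducible instead of "whatever the CDN served first".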
@@ -0,0 +1,14 @@
+---
+- name: Hawser
+ hosts: all
+ become: yes
+ tasks:
+ - name: Hawser installieren (offizielles Install-Script)
+ ansible.builtin.shell:
+ cmd: curl -fsSL https://raw.githubusercontent.com/Finsys/hawser/main/scripts/install.sh | bash
+ - name: Hawser aktivieren und starten
+ ansible.builtin.systemd:
+ name: hawser
+ enabled: true
+ state: started
+ daemon_reload: true
diff --git a/nvidia.yml b/nvidia.yml
new file mode 100644
index 0000000..49849d3
--- /dev/null
+++ b/nvidia.yml
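Review bot: The install task pipes an unpinned script from the `main` branch of a GitHub repository straight into `bash` as root, so every run executes whatever that branch holds at that moment, and because the `shell` task has neither `creates:` nor `changed_when:` it re-runs the installer on every play and always reports "changed". Fetch the script with `get_url` pinned to a commit and a `checksum:`, review that copy once, and run it locally guarded by `creates:` pointing at whatever the script installs (the hunk does not show which path that is, so it needs filling in). With the pin in place a later edit to `install.sh` fails the checksum instead of silently running on all hosts.

```yaml
    - name: Hawser Install-Script herunterladen (auf Commit und Checksum gepinnt)
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/Finsys/hawser/<commit-sha>/scripts/install.sh
        dest: /usr/local/src/hawser-install.sh
        checksum: sha256:<digest of the reviewed script>
        mode: "0750"

    - name: Hawser installieren
      ansible.builtin.command: /usr/local/src/hawser-install.sh
      args:
        creates: <path created by install.sh>  # TODO: set after reviewing the script
    # … unchanged: Hawser aktivieren und starten …
```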
@@ -0,0 +1,88 @@
+---
+- name: NVIDIA + Docker Setup fuer Debian Trixie
+ hosts: all
+ become: true
+
+ vars:
+ docker_daemon_config:
+ default-runtime: nvidia
+ runtimes:
+ nvidia:
+ path: nvidia-container-runtime
+ runtimeArgs: []
+
+ tasks:
+
+ # --- Repos ----------------------------------------------------------------
+
+ - name: NVIDIA Container Toolkit GPG Key hinzufuegen
+ ansible.builtin.shell: |
+ curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey \
+ | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
+ args:
+ creates: /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
+
+ - name: NVIDIA Container Toolkit Repo hinzufuegen
+ ansible.builtin.shell: |
+ curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list \
+ | sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' \
+ | tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+ args:
+ creates: /etc/apt/sources.list.d/nvidia-container-toolkit.list
+
+ - name: apt update
+ ansible.builtin.apt:
+ update_cache: true
+
+ # --- Pakete ---------------------------------------------------------------
+ - name: Kernel Headers und DKMS installieren
+ ansible.builtin.apt:
+ name:
+ - linux-headers-{{ ansible_kernel }}
+ - dkms
+ state: present
+
+ - name: NVIDIA Treiber installieren
+ ansible.builtin.apt:
+ name:
+ - "nvidia-driver"
+ state: present
+
+ - name: NVIDIA Container Toolkit installieren
+ ansible.builtin.apt:
+ name:
+ - nvidia-container-toolkit
+ - nvidia-docker2
+ state: present
+
+ - name: NFS und CIFS Pakete installieren
+ ansible.builtin.apt:
+ name:
+ - nfs-common
+ - cifs-utils
+ state: present
+
+ # --- Docker konfigurieren -------------------------------------------------
+
+ - name: /etc/docker Verzeichnis sicherstellen
+ ansible.builtin.file:
+ path: /etc/docker
+ state: directory
+ mode: "0755"
+
+ - name: Docker daemon.json konfigurieren (NVIDIA als default runtime)
+ ansible.builtin.copy:
+ content: "{{ docker_daemon_config | to_nice_json }}"
+ dest: /etc/docker/daemon.json
+ mode: "0644"
+ notify: Docker neustarten
+
+ - name: nvidia-ctk runtime fuer Docker konfigurieren
+ ansible.builtin.command: nvidia-ctk runtime configure --runtime=docker
+ changed_when: false
+
+ handlers:
+ - name: Docker neustarten
+ ansible.builtin.service:
+ name: docker
+ state: restarted
diff --git a/pfannkuchen.ini b/pfannkuchen.ini
new file mode 100644
index 0000000..ce670e9
--- /dev/null
+++ b/pfannkuchen.ini
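Review bot: The two `shell` tasks fetch NVIDIA's signing key and apt source over TLS but never verify either — `creates:` only prevents a second run — so the trust root for every later `apt` install on the host is whatever those URLs served on the first run; pulling the key with `get_url` plus a pinned `checksum:` and writing the `.list` with `copy` from the known repository line gives the same outcome reproducibly and without `curl | gpg`. The daemon.json task sets `default-runtime: nvidia` for every container on the host and is immediately followed by `nvidia-ctk runtime configure --runtime=docker`, which rewrites the same file while `changed_when: false` hides any drift and skips the Docker restart; keep one of the two mechanisms, and if the default runtime is intended, say so in a comment (e.g. `# every container gets the NVIDIA runtime hooks, not only --gpus ones`). As far as I know `nvidia-docker2` is the legacy wrapper superseded by `nvidia-container-toolkit` and ships its own `/etc/docker/daemon.json` conffile, so installing it next to a hand-written daemon.json is worth a second look.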
@@ -0,0 +1,45 @@
+[proxmox]
+node1 ansible_host=10.10.1.1
+node2 ansible_host=10.5.85.200
+node4 ansible_host=10.5.85.100
+node5 ansible_host=10.5.85.101
+
+[proxmox:vars]
+ansible_user=root
+
+[media]
+emby_sascha ansible_host=10.5.1.103 ansible_user=sascha
+emby_chris ansible_host=10.5.1.106 ansible_user=chris
+jellyfin ansible_host=10.5.1.112 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+immich ansible_host=10.4.1.107 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+emby_chris_new ansible_host=10.5.1.117 ansible_user=chris ansible_become_method=su ansible_become_password=Pimmelparty123 ansible_password=Pimmelparty123
+
+
+[arr]
+tdarr ansible_host=10.2.1.104 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+arrapps ansible_host=10.2.1.100 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+sabnzbd ansible_host=10.2.1.119 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8
+
+[docker]
+dockhand ansible_host=10.4.1.116 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8 ansible_password=GT500r8
+
+[auto]
+n8n ansible_host=10.4.1.113 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8 ansible_password=GT500r8
+ansible ansible_host=localhost ansible_user=root
+
+[communication]
+matrix ansible_host=10.4.1.110 ansible_user=sascha ansible_become_method=su ansible_become_password=GT500r8 ansible_password=GT500r8
+
+[hetzner]
+emby ansible_host=emby ansible_user=root
+proxy ansible_host=proxy ansible_user=root
+
+
+[all:children]
+media
+arr
+media
+docker
+auto
+hetzner
+#proxmox
diff --git a/sysctl-proxmox.yaml b/sysctl-proxmox.yaml
new file mode 100644
index 0000000..43487cf
--- /dev/null
+++ b/sysctl-proxmox.yaml
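Review bot: This inventory commits plaintext SSH and `su` root passwords (`ansible_password`, `ansible_become_password`) for roughly a dozen hosts, and most of them share one root password, so the repository history is now a single credential dump; move them into `host_vars`/`group_vars` encrypted with ansible-vault (the .gitignore hunk already reserves a vault password file), rotate every password that appears here, and prefer `ansible_become_method=sudo` with per-host keys over a shared root password handed to `su`. `media` appears twice under `[all:children]`; harmless, but a copy-paste slip. Note that commenting out `#proxmox` there does not remove the Proxmox nodes from `all` — `all` implicitly contains every host in the inventory — so the `hosts: all` playbooks in this patch (base-debian.yml overwrites `/etc/apt/sources.list`, update.yml runs a dist-upgrade) will also hit the hypervisors unless invoked with `--limit`; if they are meant to be excluded, give the VMs a dedicated parent group and target that instead.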
@@ -0,0 +1,27 @@
+---
+- name: Sysctl Tuning fuer Proxmox Hosts
+ hosts: proxmox
+ become: true
+
+ tasks:
+
+ - name: Sysctl Parameter setzen
+ ansible.posix.sysctl:
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
+ sysctl_file: /etc/sysctl.d/99-proxmox-tuning.conf
+ reload: true
+ state: present
+ loop:
+ # KVM / Virtualisierung
+ - { key: vm.overcommit_memory, value: "1" }
+ - { key: vm.swappiness, value: "1" }
+ # Viele VMs = viele File Handles
+ - { key: fs.file-max, value: "9999999" }
+ - { key: fs.inotify.max_user_watches, value: "524288" }
+ - { key: fs.inotify.max_user_instances, value: "512" }
+ # Routing zwischen VMs / Bridges
+ - { key: net.ipv4.ip_forward, value: "1" }
+ # WireGuard MTU-Anpassung
+ # TODO: entfernen sobald WireGuard abgeschaltet wird
+ - { key: net.ipv4.tcp_mtu_probing, value: "1" }
diff --git a/sysctl.yaml b/sysctl.yaml
new file mode 100644
index 0000000..dad3c5c
--- /dev/null
+++ b/sysctl.yaml
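Review bot: `net.ipv4.ip_forward = 1` is commented as "Routing zwischen VMs / Bridges", but a Linux bridge switches frames at layer 2 and needs no IP forwarding; enabling it makes each hypervisor forward packets between all of its interfaces, including the management network, unless the host firewall restricts FORWARD. If it is actually required for a routed/NAT bridge or for the WireGuard tunnel the TODO mentions, state that in the comment (e.g. `# Needed for NAT on vmbrX / WireGuard; plain bridges do not need this`) and make sure matching forward rules exist, otherwise drop the entry. The `tcp_mtu_probing` TODO has no owner or reference to the WireGuard decommissioning, so it is unlikely to ever be actioned; link it to a ticket or date.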
@@ -0,0 +1,41 @@
+---
+- name: Sysctl Tuning fuer Emby
+ hosts: all
+ become: true
+
+ tasks:
+
+ - name: BBR Kernel Modul laden
+ ansible.builtin.modprobe:
+ name: tcp_bbr
+ state: present
+
+ - name: BBR Modul beim Boot laden
+ ansible.builtin.copy:
+ content: "tcp_bbr\n"
+ dest: /etc/modules-load.d/bbr.conf
+ mode: "0644"
+
+ - name: Sysctl Parameter setzen
+ ansible.posix.sysctl:
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
+ sysctl_file: /etc/sysctl.d/99-net-tuning.conf
+ reload: true
+ state: present
+ loop:
+ - { key: net.core.rmem_default, value: "262144" }
+ - { key: net.core.wmem_default, value: "262144" }
+ - { key: net.core.rmem_max, value: "67108864" }
+ - { key: net.core.wmem_max, value: "67108864" }
+ - { key: net.ipv4.tcp_rmem, value: "4096 87380 67108864" }
+ - { key: net.ipv4.tcp_wmem, value: "4096 65536 67108864" }
+ - { key: net.ipv4.tcp_window_scaling, value: "1" }
+ - { key: net.ipv4.tcp_congestion_control, value: "bbr" }
+ - { key: net.ipv4.tcp_slow_start_after_idle, value: "0" }
+ - { key: net.ipv4.tcp_fastopen, value: "3" }
+ - { key: net.core.netdev_max_backlog, value: "16384" }
+ # RAM ist reichlich vorhanden, Transcoding auf tmpfs
+ - { key: vm.swappiness, value: "1" }
+ - { key: vm.dirty_ratio, value: "15" }
+ - { key: vm.dirty_background_ratio, value: "5" }
diff --git a/update.yml b/update.yml
new file mode 100644
index 0000000..bf97314
--- /dev/null
+++ b/update.yml
@@ -0,0 +1,10 @@
+---
+- name: Alle VMs aktualisieren
+ hosts: all
+ become: yes
+ tasks:
+ - name: Update apt cache and upgrade packages
+ apt:
+ update_cache: yes
+ upgrade: dist
+ autoremove: yes
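Review bot: The play is named "Sysctl Tuning fuer Emby" but runs against `hosts: all`, so the 64 MiB socket buffers, `vm.swappiness = 1` and `tcp_fastopen = 3` land on every inventory host — the Proxmox nodes, the Hetzner boxes and the automation LXC included — although the comment "RAM ist reichlich vorhanden, Transcoding auf tmpfs" only describes the media box. `tcp_fastopen = 3` also enables server-side TFO everywhere, an extra pre-handshake code path that is only useful on hosts that actually serve it; scope the play with `hosts: media` or move these values into `group_vars/media`. The BBR task only writes `/etc/modules-load.d/bbr.conf`; a short comment noting that `tcp_congestion_control = bbr` below depends on that module being loaded first would make the ordering explicit.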
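Review bot: `upgrade: dist` against `hosts: all` upgrades every host in one pass — including the Proxmox nodes that `all` implicitly contains and the root-accessed Hetzner hosts — with no `serial:` to stage it and no check of `/var/run/reboot-required`, so kernel and libc updates stay un-applied until someone reboots by hand. Add `serial: 1` (or a percentage) and a follow-up `stat` of `/var/run/reboot-required` that at least reports which hosts need a reboot. Style: `become: yes` / `update_cache: yes` / `autoremove: yes` should be `true` to match the `true`/`false` form used in nvidia.yml and both sysctl plays.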