refactor: move to Debian on truenas scale

roles/arrstack/templates/custom-init/setup-wg.sh.j2

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+apk add --no-cache wireguard-tools-wg
+
+local_gateway=$(ip route | grep default | awk '{print $3}')
+# This used as the gateway address for NAT-PMP to work properly
+wg_gateway="{{ wg_dns }}"
+wg_peer_address=$(echo "{{ wg_peer_endpoint }}" | cut -d: -f1)
+
+ip route add "$wg_peer_address" via "$local_gateway"
+ip link add wg0 type wireguard
+wg setconf wg0 /etc/wireguard/wg0.conf
+ip address add dev wg0 "{{ wg_address }}"
+ip link set wg0 up
+ip route add "$wg_gateway" dev wg0
+ip route del default
+ip route add default via "$wg_gateway"
+
+# Note that the DNS isn't changed, so there's actually a leak there
+# That's on purpose, just in case I want to access local jackett from qbit
+
+# Finally, optionally allow access to the home network
+# ip route add "\{\{ home_network }}" via "$local_gateway"

roles/arrstack/templates/docker-compose.yml.j2

@@ -0,0 +1,82 @@
+version: "3.7"
+
+networks:
+  default:
+  traefik_traefik:
+    external: true
+
+services:
+  qbittorrent:
+    image: linuxserver/qbittorrent:latest
+    container_name: qbittorrent
+    cap_add:
+      - NET_ADMIN
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.qbittorrent.rule=Host(`qbit.{{ domain }}`)
+      - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
+    restart: unless-stopped
+    networks:
+      - default
+      - traefik_traefik
+    volumes:
+      - ./wireguard:/etc/wireguard:ro
+      - ./custom-init:/custom-cont-init.d:ro
+      - {{ base_volume_path }}/arrstack/config/qbittorrent:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex
+      - {{ media_volume_path }}/iso-img:/media/iso-img
+
+  jackett:
+    image: linuxserver/jackett:latest
+    container_name: jackett
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.jackett.rule=Host(`jackett.{{ domain }}`)
+      - traefik.http.services.jackett.loadbalancer.server.port=9117
+    restart: unless-stopped
+    networks:
+      - default
+      - traefik_traefik
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/jackett:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex
+
+  sonarr:
+    image: linuxserver/sonarr:latest
+    container_name: sonarr
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.sonarr.rule=Host(`sonarr.{{ domain }}`)
+      - traefik.http.services.sonarr.loadbalancer.server.port=8989
+    restart: unless-stopped
+    depends_on:
+      - qbittorrent
+      - jackett
+    networks:
+      - default
+      - traefik_traefik
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/sonarr:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex
+
+  radarr:
+    image: linuxserver/radarr:latest
+    container_name: radarr
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.radarr.rule=Host(`radarr.{{ domain }}`)
+      - traefik.http.services.radarr.loadbalancer.server.port=7878
+    restart: unless-stopped
+    depends_on:
+      - qbittorrent
+      - jackett
+    networks:
+      - default
+      - traefik_traefik
+    volumes:
+      - {{ base_volume_path }}/arrstack/config/radarr:/config
+      - {{ base_volume_path }}/arrstack/downloads:/downloads
+      - {{ media_volume_path }}/Plex:/media/Plex

roles/arrstack/templates/wireguard/wg0.conf.j2

@@ -0,0 +1,11 @@
+# Stripped version of the wg config
+
+[Interface]
+PrivateKey = {{ wg_privkey }}
+# Address = {{ wg_address }}
+# DNS = {{ wg_dns }} # This is also used as the gateway address for NAT-PMP to work properly
+
+[Peer]
+PublicKey = {{ wg_peer_pubkey }}
+AllowedIPs = 0.0.0.0/0
+Endpoint = {{ wg_peer_endpoint }}

roles/arrstack/vars/app_config.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.2;AES256;alpina
+37653839366635373530306432303538626233356164633761316231623732316138643532383735
+3132613432333636383363383162643434626638613234320a343337333435393461323735646338
+34353764366561633738383933626261643734343266333364353162366161313738663064656530
+6666313731343663650a343761646664356238373763383136366431383337313065613663303233
+36613233653666306338373839623130323833393932386161353933613338613836326632653262
+31646131646637646237373964376365336337386639396266393731623761393038396233663663
+32393964313361326463356435343064643964343731386238643263653738356534383536353330
+32376162376235663636626562646436613265656461656133643762396137313238383533653831
+31396632656630626138326335363462383131343431336264656236346665366236353863326237
+66653064653166373838653631653563303834303334633830383064323965393563663563636361
+653139663339346331336435313263343936

roles/arrstack/vars/main.yml

@@ -1,5 +1,5 @@
 ---
-current_svc_name: jackett
+current_svc_name: arrstack
 current_svc_path: "{{ my_svc_path }}/{{ current_svc_name }}"
 
 templates_source: "{{ role_path }}/templates"

roles/common/tasks/main.yml

@@ -1,49 +1,14 @@
-- name: Upgrade alpine packages
-  community.general.apk:
-    upgrade: yes
+- name: Upgrade Debian packages
+  become: yes
+  ansible.builtin.apt:
+    upgrade: dist
     update_cache: yes
-  register: apk_upgrades
-
-- name: Install alpine packages
-  community.general.apk:
-    name:
-      - qemu-guest-agent
-      - dhcpcd
-      - python3
-      - fish
-      - docker
-      - docker-compose
-      - docker-fish-completion
-      - docker-compose-fish-completion
-      - zfs
-      - zfs-utils-py
+    cache_valid_time: 3600
+    autoremove: yes
     state: latest
-    update_cache: yes
-  register: apk_installs
-
-- name: Enable qemu-guest-agent service
-  service:
-    name: qemu-guest-agent
-    runlevel: boot
-    enabled: yes
-
-- name: Enable zfs-import service
-  service:
-    name: zfs-import
-    runlevel: sysinit
-    enabled: yes
-
-- name: Enable zfs-mount service
-  service:
-    name: zfs-mount
-    runlevel: sysinit
-    enabled: yes
-
-- name: Enable docker service
-  service:
-    name: docker
-    enabled: yes
+  register: apt_upgrades
 
 - name: Reboot if needed
-  reboot:
-  when: apk_upgrades.changed or apk_installs.changed
+  become: yes
+  ansible.builtin.reboot:
+  when: apt_upgrades.changed

roles/gitea/templates/docker-compose.yml.j2

@@ -1,14 +1,10 @@
-version: "3.9"
+version: "3.7"
 
 networks:
   default:
   traefik_traefik:
     external: true
 
-volumes:
-  gitea:
-  postgres:
-
 services:
   server:
     image: gitea/gitea:1.18
@@ -24,7 +20,7 @@ services:
       - default
       - traefik_traefik
     volumes:
-      - gitea:/data
+      - {{ base_volume_path }}/gitea/gitea:/data
     depends_on:
       - db
   db:
@@ -36,4 +32,4 @@ services:
     networks:
       - default
     volumes:
-      - postgres:/var/lib/postgresql/data
+      - {{ base_volume_path }}/gitea/postgres:/var/lib/postgresql/data

roles/jackett/templates/docker-compose.yml.j2

@@ -1,26 +0,0 @@
-version: "3.9"
-
-networks:
-  default:
-  traefik_traefik:
-    external: true
-
-volumes:
-  config:
-  torrent_blackhole:
-
-services:
-  jackett:
-    image: linuxserver/jackett:latest
-    container_name: jackett
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.jackett.rule=Host(`jackett.{{ domain }}`)
-      - traefik.http.services.jackett.loadbalancer.server.port=9117
-    restart: unless-stopped
-    networks:
-      - default
-      - traefik_traefik
-    volumes:
-      - config:/config
-      - torrent_blackhole:/downloads

roles/jellyfin/templates/docker-compose.yml.j2

@@ -1,26 +1,10 @@
-version: "3.9"
+version: "3.7"
 
 networks:
   default:
   traefik_traefik:
     external: true
 
-volumes:
-  config:
-  cache:
-  media:
-    driver: local
-    driver_opts:
-      type: nfs
-      o: "addr=truenas.lab.home,nfsvers=4,ro,noatime"
-      device: ":/mnt/Mass-Storage-New/JailStorage/Plex/media"
-  other_videos:
-    driver: local
-    driver_opts:
-      type: nfs
-      o: "addr=truenas.lab.home,nfsvers=4,ro,noatime"
-      device: ":/mnt/Mass-Storage-New/syncThingData/Videos"
-
 services:
   jellyfin:
     image: jellyfin/jellyfin:10.8.6
@@ -36,10 +20,10 @@ services:
       - default
       - traefik_traefik
     volumes:
-      - config:/config
-      - cache:/cache
-      - media:/data/media
-      - other_videos:/data/other_videos
+      - {{ base_volume_path }}/jellyfin/config:/config
+      - {{ base_volume_path }}/jellyfin/cache:/cache
+      - {{ media_volume_path }}/Plex/media:/data/media:ro
+      - {{ media_volume_path }}/other_videos:/data/other_videos:ro
     tmpfs:
       - /tmp/transcodes
     devices:

roles/nextcloud/templates/docker-compose.yml.j2

@@ -1,15 +1,10 @@
-version: "3.9"
+version: "3.7"
 
 networks:
   default:
   traefik_traefik:
     external: true
 
-volumes:
-  nextcloud:
-  nextcloud_config:
-  nextcloud_data:
-  db:
 
 services:
   app:
@@ -24,9 +19,9 @@ services:
     networks:
       - default
     volumes:
-      - nextcloud:/var/www/html
-      - nextcloud_config:/var/www/html/config
-      - nextcloud_data:/var/www/html/data
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
+      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
 
   cron:
     image: nextcloud:${NEXTCLOUD_VERSION}
@@ -37,8 +32,10 @@ services:
     entrypoint: /cron.sh
     networks:
       - default
-    volumes_from:
-      - app
+    volumes:
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
+      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
 
   notify_push:
     image: nextcloud:${NEXTCLOUD_VERSION}
@@ -51,8 +48,10 @@ services:
       - /var/www/html/config/config.php
     networks:
       - default
-    volumes_from:
-      - app
+    volumes:
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
+      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
 
   db:
     image: postgres:13-alpine
@@ -63,7 +62,7 @@ services:
     networks:
       - default
     volumes:
-      - db:/var/lib/postgresql/data
+      - {{ base_volume_path }}/nextcloud/db:/var/lib/postgresql/data
 
   redis:
     image: redis:7-alpine
@@ -91,6 +90,7 @@ services:
       - traefik_traefik
       - default
     volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf
-    volumes_from:
-      - app
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
+      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
+      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data

roles/traefik/templates/docker-compose.yml.j2

@@ -1,4 +1,4 @@
-version: "3.9"
+version: "3.7"
 
 networks:
   default:
@@ -8,9 +8,6 @@ networks:
       config:
         - subnet: {{ traefik_ip }}/24
 
-volumes:
-  logs:
-
 services:
   traefik:
     image: traefik:v2.9
@@ -32,5 +29,5 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik.yml:/etc/traefik/traefik.yml:ro
-      - logs:/logs
-      - {{ current_svc_path }}/rules:/rules:ro
+      - {{ base_volume_path }}/traefik/logs:/logs
+      - ./rules:/rules:ro

roles/traefik/templates/rules/app-sonarr.yml.j2

@@ -1,25 +0,0 @@
-http:
-  routers:
-    sonarr:
-      rule: "Host(`sonarr.{{ domain }}`)"
-      service: sonarr
-    radarr:
-      rule: "Host(`radarr.{{ domain }}`)"
-      service: radarr
-  serversTransports:
-    sonarrTransport:
-      insecureSkipVerify: true
-      forwardingTimeouts:
-        dialTimeout: "180s"
-
-  services:
-    sonarr:
-      loadBalancer:
-        servers:
-          - url: "http://sonarr.lab.home:8989"
-        serversTransport: "sonarrTransport"
-    radarr:
-      loadBalancer:
-        servers:
-          - url: "http://radarr.lab.home:7878"
-        serversTransport: "sonarrTransport"