inventory/group_vars/bots.example.yml

@@ -1,25 +0,0 @@
----
-# Gluetun SELinux access
-selinux_allow_gluetun: true
-
-# Servarr stack
-servarr_stack:
-  - src: qbittorrent.container.j2
-    dest: qbittorrent.container
-  - src: prowlarr.container.j2
-    dest: prowlarr.container
-  - src: radarr.container.j2
-    dest: radarr.container
-  - src: sonarr.container.j2
-    dest: sonarr.container
-  - src: bazarr.container.j2
-    dest: bazarr.container
-  - src: flaresolverr.container.j2
-    dest: flaresolverr.container
-
-# Gluetun setup
-vpn_provider: mullvad
-vpn_type: wireguard
-vpn_countries: "Netherlands,USA,Canada"
-vpn_private_key: "replace-with-wireguard-private-key"
-vpn_addresses: "10.0.0.2/32"

inventory/group_vars/services.example.yml

@@ -19,3 +19,28 @@ bazarr_domain: "bazarr.example.{{ caddy_node }}"
 bazarr_upstream: host.containers.internal:6767
 
 caddy_email: "admin@example.{{ caddy_node }}"
+
+# Gluetun SELinux access
+selinux_allow_gluetun: true
+
+# Servarr stack
+servarr_stack:
+  - src: qbittorrent.container.j2
+    dest: qbittorrent.container
+  - src: prowlarr.container.j2
+    dest: prowlarr.container
+  - src: radarr.container.j2
+    dest: radarr.container
+  - src: sonarr.container.j2
+    dest: sonarr.container
+  - src: bazarr.container.j2
+    dest: bazarr.container
+  - src: flaresolverr.container.j2
+    dest: flaresolverr.container
+
+# Gluetun setup
+vpn_provider: mullvad
+vpn_type: wireguard
+vpn_countries: "Netherlands,USA,Canada"
+vpn_private_key: "replace-with-wireguard-private-key"
+vpn_addresses: "10.0.0.2/32"

playbook.yml

@@ -1,68 +1,83 @@
-- name: Storage
+- name: Common host foundation
+  hosts: nas:services:workstation
+  become: true
+  roles:
+    - role: base_os
+      tags: base_os
+    - role: firewall_base
+      tags: firewall_base
+    - role: cli_productivity
+      tags: cli_productivity
+
+- name: Shared storage clients
+  hosts: nfs_clients
+  become: true
+  roles:
+    - role: nfs_client
+      tags: nfs_client
+
+- name: Storage services
   hosts: nas
   become: true
   roles:
-    - base_os
+    - role: storage_client
-    - firewall_base
+      tags: storage_client
-    - container_runtime
+    - role: nfs_server
-    - storage_client
+      tags: nfs_server
-    - nfs_server
+      
-  
+- name: Containers stack
-- name: Jellyfin
+  hosts: services
+  become: true
+  roles:
+    - role: container_runtime
+      tags: container_runtime
+    - role: selinux_containers
+      tags: selinux_containers
+
+- name: Media services
   hosts: media
   become: true
   roles:
-    - base_os
+  # Jellyfin role will go here later.
-    - firewall_base
+  # - role: jellyfin
-    - container_runtime
+  #   tags: jellyfin
 
-- name: Bots
+- name: DNS and reverse proxy
-  hosts: bots
+  hosts: services
   become: true
   roles:
-    - base_os
+    - role: adguard
-    - firewall_base
-    - container_runtime
-    - nfs_client
-    - servarr
-  
-- name: DNS
-  hosts: controller
-  become: true
-  roles:
-    - name: base_os
-      tags: base_os
-    - name: firewall_base
-      tags: firewall_base
-    - name: container_runtime
-      tags: container_runtime
-    - name: adguard
       tags: adguard
-    - name: trilium
+    - role: caddy
-      tags: trilium
-    - name: caddy
       tags: caddy
-  
+
-- name: Workstation Setup
+- name: Servarr stack
-  hosts: workstation
+  hosts: servarr_hosts
   become: true
   roles:
-    - base_os
+    - role: servarr
-    - firewall_base
+      tags: servarr
-    - container_runtime
+
-    - selinux_containers
+- name: Matrix stack
-  
+  hosts: matrix_hosts
-- name: Matrix
-  hosts: matrix
   become: true
   roles:
-    - base_os
+    - role: matrix_synapse
-    - firewall_base
+      tags: matrix
-    - container_runtime
+
-    - matrix_synapse
+- name: Notes stack
-  
+  hosts: notes_hosts
-- name: Configure RHEL machines
-  hosts: rhel
   become: true
   roles:
-    - cli_productivity
+    - role: trilium
+      tags: trilium
+
+- name: ML workloads
+  hosts: ml_hosts
+  become: true
+  roles:
+  # Future roles:
+  # - role: immich_ml
+  #   tags: immich_ml
+  # - role: whisper
+  #   tags: whisper

roles/adguard/templates/adguard.container.j2

@@ -7,7 +7,8 @@ Requires=homelab-network.service
 [Container]
 Image=docker.io/adguard/adguardhome:latest
 ContainerName=adguard
-Network=homelab:alias=adguard
+Network=homelab.network
+NetworkAlias=adguard
 
 Volume={{ adguard_dir }}/work:/opt/adguardhome/work
 Volume={{ adguard_dir }}/conf:/opt/adguardhome/conf

roles/base_os/tasks/time_sync.yml

@@ -1,29 +1,44 @@
 ---
-#base_os/tasks/time_sync.yml
+# base_os/tasks/time_sync.yml
-- name: Chrony time sync (dev only)
+- name: Chrony time sync correction for test environments
   when: env == "test"
   block:
-
+    - name: Ensure chronyd is enabled and running
-    - name: Ensure chronyd is running
       become: true
       ansible.builtin.service:
         name: chronyd
         state: started
         enabled: true
 
-    - name: Wait for chrony to have reachable sources
+    - name: Initial chrony time step
       become: true
-      command: chronyc activity
+      ansible.builtin.command: chronyc makestep
-      register: chrony_activity
+      changed_when: false
-      retries: 20
+      failed_when: false
-      delay: 2
-      until: "'sources online' in chrony_activity.stdout and '0 sources online' not in chrony_activity.stdout"
 
-    - name: Force time step correction
+    - name: Wait after initial chrony time step
+      ansible.builtin.pause:
+        seconds: 5
+
+    - name: Restart chronyd after initial time step
       become: true
-      command: chronyc -a makestep
+      ansible.builtin.service:
+        name: chronyd
+        state: restarted
+        enabled: true
+
+    - name: Wait after chronyd restart
+      ansible.builtin.pause:
+        seconds: 2
+
+    - name: Final chrony time step
+      become: true
+      ansible.builtin.command: chronyc makestep
+      changed_when: false
+      failed_when: false
 
     - name: Verify system time is reasonable
-      command: date
+      ansible.builtin.command: date
       register: date_check
+      changed_when: false
       failed_when: "'2026-04-13' in date_check.stdout"

roles/cli_productivity/defaults/main.yml

@@ -77,8 +77,8 @@ cli_optional_packages:
 cli_starship_install_method: "script"
 cli_starship_bin_path: "/usr/local/bin/starship"
 
-cli_git_user_name: ""
+cli_git_user_name: "drew"
-cli_git_user_email: ""
+cli_git_user_email: "drew.wells007@icloud.com"
 
 cli_fish_abbreviations:
   - name: ll

roles/cli_productivity/tasks/main.yml

@@ -36,14 +36,6 @@
   register: cli_optional_package_install
   failed_when: false
 
-- name: Report optional CLI packages that could not be installed
-  ansible.builtin.debug:
-    msg: "Optional package was not installed: {{ item.item }} - {{ item.failures | default(item.msg | default('unknown reason')) }}"
-  loop: "{{ cli_optional_package_install.results | default([]) }}"
-  when:
-    - item.rc is defined
-    - item.rc != 0
-
 - name: Check whether Starship is installed
   ansible.builtin.stat:
     path: "{{ cli_starship_bin_path }}"

roles/container_runtime/tasks/main.yml

@@ -1,4 +1,5 @@
-#container_runtime/tasks/main.yml
+---
+# container_runtime/tasks/main.yml
 - name: Install required base packages
   become: true
   dnf:
@@ -42,11 +43,6 @@
     mode: "0644"
     owner: "{{ container_user }}"
     group: "{{ container_group }}"
-    
-#- name: Force systemd reload (blocking)
-#  become: true
-#  become_user: "{{ container_user }}"
-#  command: systemctl --user daemon-reload
   
 - name: Force systemd reload (blocking)
   become: true

roles/matrix_synapse/tasks/main.yml

@@ -24,6 +24,7 @@
     owner: "{{ container_user }}"
     group: "{{ container_group }}"
     mode: '0600'
+    force: "{{ matrix_overwrite_config | default(false) | bool }}"
     
 - name: Ensure Synapse signing key is deployed
   copy:
@@ -32,6 +33,7 @@
     owner: "{{ container_user }}"
     group: "{{ container_group }}"
     mode: '0600'
+    force: "{{ matrix_overwrite_signing_key | default(false) | bool }}"
 
 - name: Deploy Synapse Quadlet
   template:

roles/nfs_client/tasks/main.yml

@@ -1,73 +1,70 @@
 ---
-#nfs_client/tasks/main.yml
+# nfs_client/tasks/main.yml
-- name: Create dummy NAS root for test environment
+- name: Configure dummy NAS storage for test environment
-  become: true
-  file:
-    path: "{{ nfs_mount_point }}"
-    state: directory
-    owner: "{{ container_user }}"
-    group: "{{ container_group }}"
-    mode: "0755"
   when: env == "test"
+  block:
+    - name: Create dummy NAS root for test environment
+      become: true
+      file:
+        path: "{{ nfs_mount_point }}"
+        state: directory
+        owner: "{{ container_user }}"
+        group: "{{ container_group }}"
+        mode: "0755"
 
-- name: Create dummy NAS storage tree for test environment
+    - name: Create dummy NAS storage tree for test environment
-  become: true
+      become: true
-  file:
+      file:
-    path: "{{ nfs_mount_point }}/{{ item }}"
+        path: "{{ nfs_mount_point }}/{{ item }}"
-    state: directory
+        state: directory
-    owner: "{{ container_user }}"
+        owner: "{{ container_user }}"
-    group: "{{ container_group }}"
+        group: "{{ container_group }}"
-    mode: "0775"
+        mode: "0775"
-  loop: "{{ storage_tree }}"
+      loop: "{{ storage_tree }}"
-  when: env == "test"
 
-- name: Set SELinux context for dummy NAS storage in test environment
+    - name: Set SELinux context for dummy NAS storage in test environment
-  become: true
+      become: true
-  community.general.sefcontext:
+      community.general.sefcontext:
-    target: "{{ nfs_mount_point }}(/.*)?"
+        target: "{{ nfs_mount_point }}(/.*)?"
-    setype: container_file_t
+        setype: container_file_t
-    state: present
+        state: present
-  when: env == "test"
 
-- name: Apply SELinux context for dummy NAS storage in test environment
+    - name: Apply SELinux context for dummy NAS storage in test environment
-  become: true
+      become: true
-  command: restorecon -Rv "{{ nfs_mount_point }}"
+      command: restorecon -Rv "{{ nfs_mount_point }}"
-  changed_when: false
+      changed_when: false
-  when: env == "test"
 
-- name: Install required NFS client packages
+- name: Configure NFS client for non-test environments
-  become: true
-  dnf:
-    name: nfs-utils
-    state: present
   when: env != "test"
+  block:
+    - name: Install required NFS client packages
+      become: true
+      dnf:
+        name: nfs-utils
+        state: present
 
-- name: Check whether NFS mount point is already mounted
+    - name: Check whether NFS mount point is already mounted
-  become: true
+      become: true
-  command: findmnt --mountpoint "{{ nfs_mount_point }}"
+      ansible.builtin.command: findmnt --mountpoint "{{ nfs_mount_point }}"
-  register: nfs_mount_check
+      register: nfs_mount_check
-  changed_when: false
+      changed_when: false
-  failed_when: false
+      failed_when: false
-  when: env != "test"
 
-- name: Create NFS mount point
+    - name: Ensure local NFS mount point exists before mounting
-  become: true
+      become: true
-  file:
+      file:
-    path: "{{ nfs_mount_point }}"
+        path: "{{ nfs_mount_point }}"
-    state: directory
+        state: directory
-    owner: root
+        owner: root
-    group: root
+        group: root
-    mode: "0755"
+        mode: "0755"
-  when:
+      when: nfs_mount_check.rc != 0
-    - env != "test"
-    - nfs_mount_check.rc != 0
 
-- name: Configure NFS mount
+    - name: Ensure NFS mount is present in fstab and mounted
-  become: true
+      become: true
-  ansible.posix.mount:
+      ansible.posix.mount:
-    path: "{{ nfs_mount_point }}"
+        path: "{{ nfs_mount_point }}"
-    src: "{{ nfs_server }}:{{ nfs_export }}"
+        src: "{{ nfs_server }}:{{ nfs_export }}"
-    fstype: "{{ nfs_fstype }}"
+        fstype: "{{ nfs_fstype }}"
-    opts: "{{ nfs_options }}"
+        opts: "{{ nfs_options }}"
-    state: mounted
+        state: mounted
-  when: env != "test"

roles/nfs_server/defaults/main.yml

@@ -1,4 +1,4 @@
-#nfw_server/defaults/main.yml
+---
-nfs_packages:
+# nfs_server/defaults/main.yml
-  - nfs-utils
+base_nfs_packages:
-  - nfs-server
+  - nfs-utils

roles/nfs_server/tasks/main.yml

@@ -1,11 +1,11 @@
 ---
 #nfs_server/tasks/main.yml
-- name: Install NFS utilities
+- name: Install required NFS utilities packages
   become: true
   dnf:
-    name: nfs-utils
+    name: "{{ item }}"
     state: present
-  loop: "{{ nfs_packages }}"
+  loop: "{{ base_nfs_packages }}"
 
 - name: Build NFS exports entries
   become: true

roles/servarr/templates/byparr.container.j2

@@ -7,9 +7,11 @@ After=gluetun.service
 ContainerName=byparr
 Image=ghcr.io/thephaseless/byparr:latest
 
-Environment=TZ=America/New_York
+Environment=TZ={{ timezone }}
 Environment=LOG_LEVEL=info
 Network=container:gluetun
+
+[Service]
 Restart=always
 
 [Install]