allthestairs
@allthestairs
You put in your info in the relevant vars, it sets up a tunnel interface, generates a second docker bridge network, configures routing to send traffic on that second bridge through wireguard, then adds that bridge network to all containers you list and sets their default route to wireguard
containers can still be accessed locally on their normal IP
if you remove a container from the list it should reset the default route to the original docker bridge network
you get it by running the wireguard.yml playbook
Andrew DiLosa
@adilosa
thanks! was just looking for a vpn setup, great timing. i'll try it out this weekend
allthestairs
@allthestairs
I was debating whether to use wireguard in a container instead of setting up an interface with systemd templates but I couldn't think of a good reason for that hassle when it isn't all that distinct from how ansible-nas handles something like NFS
Andrew DiLosa
@adilosa
my preference at the moment is as much in configurable containers as possible, install almost nothing on the host. im a bit surprised something like a VPN works out that nicely, but if it's as you said where the local ips are preserved too seems great
allthestairs
@allthestairs
yeah I could probably change it to use wireguard in a container, and that just made me realize i don't have a task to actually install wireguard
the problem with wireguard containers is they need so many privileges to make interfaces and manipulate routes and such
Andrew DiLosa
@adilosa
ah yeah i can imagine. making a task is dead simple, esp since theres already images like linuxserver/wireguard. but the networking might be gnarly
allthestairs
@allthestairs
the effect is that you are creating a docker container to create an interface on the host outside of the container namespace
all it takes to do the setup is dropping two templates in /etc/systemd/network and restarting systemd-networkd
maybe i'll experiment with containers tomorrow
Andrew DiLosa
@adilosa
eh, your way might be the way to go for this. as long as its in ansible its pretty transparent anyway
allthestairs
@allthestairs
I still need to test it with containers with more unusual network setups, if there are any in ansible-nas
works great with transmission atm
Andrew DiLosa
@adilosa
that's good. i can let you know how it works for me. only weird thing i have might be pihole
allthestairs
@allthestairs
That is one of those things where I'd have to think about what you're trying to accomplish by tunneling your pi-hole container through a wireguard vpn
Andrew DiLosa
@adilosa
oh i wouldnt need that necessarily. just the only thing in my setup that has weird docker-networking implications
im still on an old fork, before things changed from tasks -> roles, because i incorporated some of the PRs from @bcurran3 like pihole and unifi. will see if i can get wireguard working with all that
as long as wireguard doesnt interfere with pihole working locally, all good there
allthestairs
@allthestairs
hmm, you can probably just drop that one role folder and wireguard.yml in there and have it work since i didn't touch nas.yml
it shouldn't affect anything that you don't put in the wireguard_containers list
I wanted fine-grained here
Andrew DiLosa
@adilosa
sounds good to me! i'll pull your commit in later and see how it goes
allthestairs
@allthestairs
if there are any ansible or docker networking wizards I would love to know a better way to do the, let's say, last four tasks in that role
allthestairs
@allthestairs
I don't seem to have broken traefik yet but hypothetically having two ip addresses, only one of which traefik can see, could cause problems if traefik restarts while the container has two networks
I'll need to figure out if setting traefik.docker.network=bridge will break something
oh right, it doesn't break because we use traefik in host networking mode
Jean Lucas
@jeanlst
Cool! Gonna snatch that hydra role from your repo @allthestairs
Jean Lucas
@jeanlst
Guys, why do we have separate tasks for calibre/guacamole/etc and their defaults inside nas.yml instead of having their own role folder inside roles like the other ones?
Andrew DiLosa
@adilosa
I think the migration to roles hasn't been finished. There's open PRs for Calibre (davestephens/ansible-nas#415) and a bunch of others, but no commits have been made since Apr 2.
allthestairs
@allthestairs
My hydra role should be ready to pull into master. I'm a bad contributor and forgot about fixing my lint problems on that pull request...four months ago.
Jean Lucas
@jeanlst
I was looking at the smarttools issue, has anyone been able to make a role for it? davestephens/ansible-nas#2
I have my own domain and I'm using protonmail for mail with that domain
allthestairs
@allthestairs
This looked like an interesting option: https://hub.docker.com/r/analogj/scrutiny
allthestairs
@allthestairs
I integrated https://hub.docker.com/r/analogj/scrutiny into the stats role that I also added to run it alongside grafana
it can handle all sorts of smartd notification tools using https://containrrr.dev/shoutrrr/services/overview/
allthestairs
@allthestairs
If anyone wants to try it you can find my branch here: https://github.com/allthestairs/ansible-nas/tree/scrutiny It does include a commit that transitions the stats task to a role
it should be configurable to allow notifications without manually editing the template file
allthestairs
@allthestairs

I think the migration to roles hasn't been finished. There's open PRs for Calibre (davestephens/ansible-nas#415) and a bunch of others, but no commits have been made since Apr 2.

I went through and created a branch for each remaining task that replaces task with a role and then created another streamlined single-commit branch that has everything as a role with not a single remaining bare task https://github.com/allthestairs/ansible-nas/tree/all_roles

Andrew DiLosa
@adilosa

pulled the commit, seemed to install wireguard fine. ended up moving to wg-quick settings from systemd as part of debugging. turned out there was a bug in the Unifi controller that made port forwarding settings silently not take effect, ended up in a whole Unifi upgrade hell where DHCP was hosed all day.

anyways... tl;dr once i rebuilt my network i ended up configuring wireguard manually in the host. it seems to give me access to all my containers that are locally accessible anyway, without mucking around with docker networking.

allthestairs
@allthestairs
I seem to have run into an issue with using it and docker port forwarding but I probably fucked something up manually while experimenting.
It definitely needs more testing before I'd suggest anyone do more than experiment with it.
Also I realized my routing manipulation in the containers isn't a real solution since it doesn't survive a container restart.
I'm not sure if Docker actually supports a way to do what I'm doing, but the current ansible plugin definitely seems not to
Well, actually let's say I'm pretty sure I could make it work if I was willing to go into the docker_container setup for every container and modify it there, but I don't really want to make that sweeping a set of changes to enable VPN
allthestairs
@allthestairs
I think if you added it at container creation time with network_mode as <container_name>:ansible_wireguard it would actually work but I'd need to add a jinja template conditional to every task to make that work
I suppose one could write a wrapper task for ansible-nas in general that replaces docker_container tasks in all the roles that you could use to automatically handle things like traefik labels and vpn routing in some sort of bizarro-inheritance but that would be a big change to the overall project
Jean Lucas
@jeanlst
Is davestephens still maintaining the project or has he set it aside?