Add CI (#9)

.github/workflows/ci.yml

@@ -0,0 +1,95 @@
+---
+name: CI
+
+'on':
+  push: {}
+  pull_request: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  ANSIBLE_FORCE_COLOR: '1'
+  ANSIBLE_CONFIG: ci/ansible.cfg
+
+jobs:
+  lint:
+    name: Lint code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out sources
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install Python dependencies
+        run: python3 -m pip install -r requirements.txt
+
+      - name: Install Ansible Galaxy dependencies
+        run: ansible-galaxy install -r requirements.yml
+
+      - name: Run YAML linter
+        run: yamllint .
+
+      - name: Run Ansible syntax check
+        run: ansible-playbook main.yml --syntax-check
+
+      - name: Run Ansible linter
+        run: ansible-lint
+
+  run-playbook:
+    name: Run playbook
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out sources
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+          cache: pip
+
+      - name: Install Python dependencies
+        run: python3 -m pip install -r requirements.txt
+
+      - name: Install Ansible Galaxy dependencies
+        run: ansible-galaxy install -r requirements.yml
+
+      - name: Remove encrypted secrets
+        run: grep -lZ -e '^\$ANSIBLE_VAULT' group_vars/*/*.yml | xargs -0 rm -f
+
+      - name: Use sample config
+        run: cp -f config.yml.sample config.yml
+
+      - name: Run playbook (first run)
+        run: ansible-playbook main.yml --extra-vars '@ci/config_overrides.yml'
+
+      - name: Run playbook (second run)
+        run: ansible-playbook main.yml --extra-vars '@ci/config_overrides.yml' | tee /tmp/secondrun.log
+
+      - name: Upload second run output as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: second-run-output
+          path: /tmp/secondrun.log
+
+  idempotence:
+    name: Check idempotence
+    runs-on: ubuntu-latest
+    needs: run-playbook
+    steps:
+      - name: Download second run output artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: second-run-output
+
+      - name: Check idempotence
+        run: >-
+          grep -A1 -e 'PLAY RECAP' secondrun.log | grep -q -e 'changed=0.*failed=0'
+          && (echo 'Idempotence test: pass' && exit 0)
+          || (echo 'Idempotence test: fail' && exit 1)

.gitignore

@@ -1,6 +1,6 @@
 keys/*
 !keys/README.md
-inventory
+/inventory
 .facts_cache
 vault_password.txt
 venv/

.yamlignore

@@ -1 +1,3 @@
 group_vars/homeserver/secrets.yml
+group_vars/homeserver/prometheus_scrape_configs.yml
+roles/monitoring/templates/prometheus.yml

README.md

@@ -1,5 +1,7 @@
 # Home server playbook
 
+[![CI](https://github.com/kdkasad/home-server/actions/workflows/ci.yml/badge.svg)](https://github.com/kdkasad/home-server/actions/workflows/ci.yml)
+
 An Ansible playbook to manage my home server,
 a mini-PC running Debian.
 

ansible.cfg

@@ -1,5 +1,8 @@
 [defaults]
 
+# Look for custom module(s) in library directory
+library = ./library
+
 # Set inventory file
 inventory = inventory
 
@@ -16,3 +19,10 @@ vault_password_file = ./vault_password.txt
 
 # Print output/errors in human-readable format
 stdout_callback = ansible.posix.debug
+
+# Print timestamp for each task
+;callbacks_enabled = ansible.posix.profile_tasks
+
+[callback_profile_tasks]
+# Don't show summary of longest-running tasks
+;task_output_limit = 0

ci/ansible.cfg

@@ -0,0 +1,10 @@
+[defaults]
+nocows = True
+library = ../library
+inventory = inventory
+stdout_callback = ansible.posix.debug
+strategy = free
+callbacks_enabled = ansible.posix.profile_tasks
+
+[callback_profile_tasks]
+task_output_limit = 0

ci/config_overrides.yml

@@ -0,0 +1,41 @@
+---
+storage:
+  data_dir: /data
+  nas_dir: /nas
+  docker_dir: /var/lib/docker
+
+  # Don't create LVM volumes since we don't control the disk setup
+  vg: pool
+  volumes: {}
+
+dnsmasq_port: 54
+
+# Jellyfin takes too long to start on the GitHub Actions runner.
+# TODO: Figure out why this is the case.
+jellyfin_skip_setup: yes
+
+
+###########
+# SECRETS #
+###########
+
+minio_root_user: "minio"
+minio_root_password: "minio"
+
+secret_authentik_pg_pass: authentik
+secret_authentik_bootstrap_email: authentik
+secret_authentik_bootstrap_password: authentik
+
+secret_homarr_oidc_client_id: homarrclientid
+secret_homarr_oidc_client_secret: homarrclientsecret
+
+secret_minio_openid_client_id: minioclientid
+secret_minio_openid_client_secret: minioclientsecret
+
+secret_jellyfin_admin_username: jellyfin
+secret_jellyfin_admin_password: jellyfin
+secret_jellyfin_oidc_client_id: jellyfinclientid
+secret_jellyfin_oidc_client_secret: jellyfinclientsecret
+
+secret_monitoring_grafana_client_id: grafanaclientid
+secret_monitoring_grafana_client_secret: grafanaclientsecret

ci/inventory

@@ -0,0 +1,2 @@
+[homeserver]
+localhost ansible_connection=local

config.yml

@@ -13,9 +13,19 @@ general:
   # Set the timezone
   timezone: America/Los_Angeles
 
-  # Only automatically install security updates
+  # Configure which package updates are installed automatically
+  # If set to "security", only security updates will be installed
+  # If set to "all", all updates will be installed
+  # If set to "none", no updates will be installed
   auto_update_packages: security
 
+  # DNS servers to use for non-local lookups
+  upstream_dns_servers:
+    - '1.1.1.1'
+    - '1.0.0.1'
+    - '2606:4700:4700::1111'
+    - '2606:4700:4700::1001'
+
 users:
   worker: worker
   nas: nas
@@ -244,6 +254,7 @@ homarr_env:
   AUTH_OIDC_CLIENT_NAME: Authentik
   AUTH_OIDC_CLIENT_ID: "{{ secret_homarr_oidc_client_id }}"
   AUTH_OIDC_CLIENT_SECRET: "{{ secret_homarr_oidc_client_secret }}"
+  AUTH_OIDC_SCOPE_OVERWRITE: openid email profile groups
   AUTH_OIDC_ADMIN_GROUP: Administrators
   AUTH_OIDC_URI: >-
     https://{{ authentik_routing.subdomain | default('auth') }}.{{ general.domain }}/application/o/homarr