inventory feat: deploy Homepage dashboard and fix fleet-wide Trivy GPG keys 2026-04-22 09:21:43 +00:00
keys feat: configure atop with conservative retention and interval 2026-04-13 11:42:56 +00:00
playbooks feat: deploy Homepage dashboard and fix fleet-wide Trivy GPG keys 2026-04-22 09:21:43 +00:00
roles feat(homepage): fix search widget with custom SearXNG provider and refine UI 2026-04-22 13:04:57 +00:00
.ansible-lint feat: Add Caddy role and fix common roles 2025-12-24 11:22:36 +00:00
.gitignore Secure slava_password using Ansible Vault 2026-04-05 08:41:26 +00:00
ansible.cfg sec: enable host key checking and add known_hosts automation 2026-04-10 18:09:27 +00:00
ansible.md docs: update README and ansible guide with PVE firewall and docker maintenance 2026-04-14 06:08:36 +00:00
backup.md docs: repurpose reports as functional manuals and add ansible cheat sheet 2026-04-22 07:51:43 +00:00
cheat_sheet.md docs: repurpose reports as functional manuals and add ansible cheat sheet 2026-04-22 07:51:43 +00:00
forgejo.md docs: add beginner's Ansible guide and update Authelia config 2026-04-09 06:35:40 +00:00
gemini.md docs: update roadmap with latest dashboard and security accomplishments 2026-04-22 14:00:04 +00:00
hardening.md docs: repurpose reports as functional manuals and add ansible cheat sheet 2026-04-22 07:51:43 +00:00
jellyfin_debug.md Security: Implement fleet-wide hardening and auditing 2026-04-14 20:27:12 +00:00
lint_and_notify.sh Fix: Apply system-wide proxy settings and resolve linting issues 2025-12-25 15:00:15 +00:00
oidc_issuer.pem feat: replace Fail2Ban with CrowdSec Security Mesh fleet-wide 2026-04-09 18:58:45 +00:00
power.md feat: implement automated LXC provisioning, SearXNG deployment, and bootstrapping fixes 2026-04-20 17:30:36 +00:00
README.md docs: repurpose reports as functional manuals and add ansible cheat sheet 2026-04-22 07:51:43 +00:00
zabbix_docker_template.yaml fix(zabbix): restored nested triggers for proper import compatibility 2026-04-15 17:38:20 +00:00
zabbix_security_template.yaml fix(zabbix): restored nested triggers for proper import compatibility 2026-04-15 17:38:20 +00:00

🚀 Slava's Home Server Automation (Ansible Project)

Welcome to the magic folder that controls all the servers! 🎩

If you've ever played a video game where you build a city, this is kind of like the control panel for our real-life digital city. Instead of logging into every single computer (server) to install things one by one, we use a tool called Ansible to give them instructions all at once.

This guide is written so anyone can understand how our digital house is built and how to add new rooms (servers) to it.


📖 Table of Contents

  1. What is this? (The Simple Explanation)
  2. How the Folders are Organized
  3. The Core Services We Run
  4. How to Manage the Servers
  5. 📦 Centralized APT Repository & "Lazy Mirror"
  6. 💾 Immich Media Backup (Restic)
  7. 🛠️ Tutorial: How to Provision & Onboard a New Server
  8. 🛠️ Tutorial: How to Add a New Website (Subdomain)
  9. 🔑 Tutorial: Single Sign-On (SSO) with Authelia
  10. 🛡️ Tutorial: CrowdSec "Security Mesh"
  11. 📊 Zabbix Security Monitoring
  12. 📚 Playbooks Explained
  13. 🧩 Roles Explained
  14. 🛡️ Security Auditing & Hardening
  15. Security Stuff

1. What is this? (The Simple Explanation)

Imagine you have 20 robots, and you want them all to put on a blue hat.

  • The hard way: Walk up to each robot, hand it a hat, and tell it to put it on.
  • The Ansible way: You stand at a microphone, shout "Everyone put on a blue hat!" and they all do it at the exact same time.

Ansible is our microphone.

  • The Playbooks are the scripts we read into the microphone (e.g., "Install Docker!").
  • The Inventory is our list of robots (IP addresses) so the microphone knows who to talk to.

2. How the Folders are Organized

Here is what all the folders in this project actually do:

  • 📂 inventory/: This is the address book.
    • hosts.yml: A list of every single server we own and what "groups" they belong to (like the docker group or the caddy group).
    • group_vars/: Settings that apply to a whole group of servers.
    • host_vars/: Settings for one specific server (like a specific firewall port).
  • 📂 playbooks/: These are the instruction manuals.
  • 📂 roles/: These are reusable "recipes".
  • 📂 keys/: Contains our SSH keys for passwordless login. Only public keys belong here (and in Git); private keys stay on the machine that runs Ansible, and passwords are kept encrypted with Ansible Vault.
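Here is what that layout looks like on disk, as an added example rather than the project's real files: the hostnames, the 192.0.2.0/24 documentation subnet (the README only gives the last octet of each address) and the variable names are assumptions; the docker and caddy group names and the idea of a per-host firewall port come from the text above.

```yaml
# inventory/hosts.yml
# Added example, not the project's real inventory. Hostnames and the
# 192.0.2.x addresses are placeholders (RFC 5737 documentation range).
all:
  children:
    caddy:                      # group: reverse proxy hosts
      hosts:
        caddy01:
          ansible_host: 192.0.2.53
    docker:                     # group: everything that runs containers
      hosts:
        searxng01:
          ansible_host: 192.0.2.251
        zabbix01:
          ansible_host: 192.0.2.18
---
# inventory/group_vars/docker.yml
# Applies to every host in the "docker" group. Variable name is an assumption.
docker_prune_enabled: true
---
# inventory/host_vars/caddy01.yml
# Applies to exactly one host. Variable name is an assumption; the value is the
# "specific firewall port" mentioned above (443 for HTTPS on the reverse proxy).
ufw_extra_ports:
  - 443
```

Ansible merges these for you: each host receives the variables of every group it belongs to plus its own host_vars file, and on a name clash the host_vars value wins, so a one-off port for caddy01 never leaks into the other hosts.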

3. The Core Services We Run

Our home network runs a lot of cool stuff automatically:

  • 🌐 Caddy (.53): The Traffic Cop. Handles HTTPS and sends you to the right server.
  • 🛑 Pi-hole (.25 & .10): The Ad Blocker and Phonebook (DNS).
  • 🔐 Authelia (.7): The Bouncer. Single Sign-On (SSO) protection.
  • 🔍 SearXNG (.251): The Private Eye. Our own private, ad-free search engine.
  • 🛡️ UFW, PVE Firewall & CrowdSec: The Bodyguards. Firewall and Intrusion Prevention.
  • ✈️ atop: The "Flight Recorder". Records system activity every 10 minutes for crash analysis.
  • 📊 Zabbix (.18): The Doctor. Constant health monitoring and alerts.
  • 📦 APT Cacher (.253): The Warehouse. Stores a copy of every software package we use.
  • 🐳 Docker Cache & Maintenance (.253): The Image Library. Local copies of Docker images and automated cleanup.
  • 💿 ISO Repository (.26): The DVD Shelf. Local OS images on the NAS.
  • 💾 Immich Backup (.217): The Safety Net. Nightly Restic backups of 600GB of media to OMV.

4. How to Manage the Servers

The Master Playbook (site.yml)

Instead of running individual playbooks, you can use the master playbook to manage everything. We've added tags so you can run only specific parts of the setup:

  • Apply ONLY Common settings:
    ansible-playbook playbooks/site.yml --tags common
    
  • Update EVERYTHING (Standard run):
    ansible-playbook playbooks/site.yml
    
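A site.yml that responds to those tags, as an added example and not the project's own playbook: the common and caddy roles exist in this repo, while the docker role name and the exact plays shown here are assumptions.

```yaml
# playbooks/site.yml
# Added example, not the project's real master playbook.
# Tags are set at play level, so "--tags common" selects the whole first play
# (every task of the common role) on every host and skips the other plays.
---
- name: Baseline settings for every server
  hosts: all
  become: true
  tags: [common]
  roles:
    - common

- name: Container hosts
  hosts: docker            # the "docker" inventory group
  become: true
  tags: [docker]
  roles:
    - docker               # role name is an assumption

- name: Reverse proxy
  hosts: caddy             # the "caddy" inventory group
  become: true
  tags: [caddy]
  roles:
    - caddy
```

Before a fleet-wide run it is worth previewing: ansible-playbook playbooks/site.yml --check --diff --limit caddy01 shows what would change on one host without changing anything, and ansible-playbook playbooks/site.yml --list-tags prints every tag the playbook defines so you can see what a --tags selection will actually run.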

📚 Specialized Manuals & Guides

For detailed instructions, refer to these dedicated manuals:

