---
# Runner Services Role Defaults
# Multi-service container deployment with NFS-backed data directories.
# Everything here is a role default; site-specific values (hosts, credentials)
# are meant to be overridden from the vault.

# ==============================================================================
# GENERAL SETTINGS
# ==============================================================================
runner_enabled: true

# Legacy variables - unused since the consolidated layout, kept for reference only.
# runner_docker_dir: '/docker/runner'       # each service now lives in /docker/[service]
# runner_data_dir: '/docker/runner-data'    # now consolidated into each service directory

# Mount point under which every NFS share is mounted (one subdirectory per share).
runner_nfs_mount_dir: '/mnt/docker'

# Owner of the service directories; containers that run as 1000:1000 share
# ownership with the deploying user.
# NOTE(review): on Debian-family hosts the "users" group is normally gid 100,
# not 1000 - confirm runner_gid actually matches runner_group on the target.
runner_user: '{{ ansible_user }}'
runner_group: 'users'
runner_uid: 1000
runner_gid: 1000

# Timezone configuration
runner_timezone: 'Europe/Amsterdam'

# Docker network shared by the runner services
runner_docker_network: 'runner-network'
runner_network_subnet: '172.20.0.0/16'

# NFS Configuration
runner_nfs_enabled: true
runner_nas_host: "{{ vault_storage.nas_host | default('storage.home') }}"
# No "sec=" option is set, so the mounts use the client default (sec=sys):
# access is decided by the uid/gid the client presents and traffic is neither
# authenticated nor encrypted on the wire. Acceptable on an isolated storage
# VLAN; prefer sec=krb5p if the NAS supports it.
runner_nfs_options: 'nfsvers=4.1,proto=tcp,hard,timeo=600,retrans=2,rsize=16777216,wsize=16777216,nconnect=8,noatime,_netdev'
# ==============================================================================
# NFS MOUNT CONFIGURATION
# ==============================================================================
# One entry per share: mounted at local_path from host:nfs_path with the shared
# options. The harbor share is mounted here even though Harbor itself is
# deployed externally (see the Harbor section).
runner_nfs_mounts:
  - name: 'frigate'
    host: '{{ runner_nas_host }}'
    nfs_path: '/mnt/rstorage/cctv-data'
    local_path: '{{ runner_nfs_mount_dir }}/frigate'
    options: '{{ runner_nfs_options }}'

  - name: 'immich'
    host: '{{ runner_nas_host }}'
    nfs_path: '/mnt/rstorage/media/pictures'
    local_path: '{{ runner_nfs_mount_dir }}/immich'
    options: '{{ runner_nfs_options }}'

  - name: 'forgejo'
    host: '{{ runner_nas_host }}'
    nfs_path: '/mnt/rstorage/code-repo'
    local_path: '{{ runner_nfs_mount_dir }}/forgejo'
    options: '{{ runner_nfs_options }}'

  - name: 'harbor'
    host: '{{ runner_nas_host }}'
    nfs_path: '/mnt/rstorage/registry-data'
    local_path: '{{ runner_nfs_mount_dir }}/harbor'
    options: '{{ runner_nfs_options }}'

  - name: 'cvat'
    host: '{{ runner_nas_host }}'
    nfs_path: '/mnt/rstorage/cvat-datasets'
    local_path: '{{ runner_nfs_mount_dir }}/cvat'
    options: '{{ runner_nfs_options }}'

# ==============================================================================
# SERVICE CONFIGURATIONS
# ==============================================================================

# Frigate - AI NVR System
frigate_enabled: true
frigate_config_dir: '/docker/frigate'
frigate_data_dir: '{{ runner_nfs_mount_dir }}/frigate'   # recordings go to the NFS share
frigate_port: 5000
frigate_rtmp_port: 1935
frigate_rtsp_port: 8554
frigate_hardware_acceleration: 'vaapi'   # vaapi, nvdec, nvenc, qsv, or none

# MQTT broker (address/port from the vault; the credentials are defined under
# SECURITY SETTINGS). The fallback address is site-specific and 1883 is plain
# MQTT - NOTE(review): events travel unencrypted unless the broker enforces TLS.
frigate_mqtt_enabled: true
frigate_mqtt_host: "{{ vault_runner.frigate_mqtt_host | default('192.168.34.94') }}"
frigate_mqtt_port: '{{ vault_runner.frigate_mqtt_port | default(1883) }}'

# Frigate cameras (host and stream credentials come from the vault).
# NOTE(review): every camera is enabled unconditionally, so a missing vault
# entry renders a camera with an empty host and empty credentials instead of
# skipping it - consider gating "enabled" on a non-empty host.
frigate_cameras:
  - name: 'dining-room'
    enabled: true
    host: "{{ vault_runner.dining_room_camera_host | default('') }}"
    username: "{{ vault_runner.dining_room_camera_user | default('') }}"
    password: "{{ vault_runner.dining_room_camera_pass | default('') }}"
    path: '/live0'

  - name: 'living-room'
    enabled: true
    host: "{{ vault_runner.living_room_camera_host | default('') }}"
    username: "{{ vault_runner.living_room_camera_user | default('') }}"
    password: "{{ vault_runner.living_room_camera_pass | default('') }}"
    path: '/live0'

  - name: 'bed-room'
    enabled: true
    host: "{{ vault_runner.bed_room_camera_host | default('') }}"
    username: "{{ vault_runner.bed_room_camera_user | default('') }}"
    password: "{{ vault_runner.bed_room_camera_pass | default('') }}"
    path: '/live0'

  - name: 'alina-office'
    enabled: true
    host: "{{ vault_runner.alina_office_camera_host | default('') }}"
    username: "{{ vault_runner.alina_office_camera_user | default('') }}"
    password: "{{ vault_runner.alina_office_camera_pass | default('') }}"
    path: '/live0'

  - name: 'tapo-cam'
    enabled: true
    host: "{{ vault_runner.tapocam_host | default('') }}"
    username: "{{ vault_runner.tapocam_user | default('') }}"
    password: "{{ vault_runner.tapocam_pass | default('') }}"
    path: '/stream1'
    port: 554

# Immich - Photo Management
immich_enabled: true
immich_config_dir: '/docker/immich'
immich_data_dir: '/docker/immich'
immich_upload_dir: '{{ runner_nfs_mount_dir }}/immich'   # uploads land on the NFS share
immich_server_port: 2283
immich_ml_port: 3003
# Database name/user come from the vault; the password is under SECURITY SETTINGS.
immich_db_name: "{{ vault_runner.postgres_db | default('') }}"
immich_db_user: "{{ vault_runner.postgres_user | default('') }}"
immich_redis_enabled: true
immich_ml_enabled: true
immich_facial_recognition: true
immich_hardware_acceleration: 'none'   # none, vaapi, nvdec, nvenc, or qsv

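# Forgejo - Git Server
forgejo_enabled: true
forgejo_http_port: 3010
forgejo_ssh_port: 2222
forgejo_config_dir: "/docker/forgejo"
forgejo_data_dir: "{{ runner_nfs_mount_dir }}/forgejo"   # repositories live on the NFS share
forgejo_db_type: "sqlite3"
forgejo_app_name: "Forgejo Git Service"
forgejo_domain: "git.local"
forgejo_ssh_domain: "{{ ansible_default_ipv4.address }}"

# Forgejo Runner Configuration
forgejo_runner_enabled: true
# Runner registration token, taken from the vault like every other secret in
# this role. It used to be a literal in this file: a token in version control
# lets anyone who can read the repository register a runner against this
# instance and receive its CI jobs (and their secrets). Treat the previously
# committed value as compromised and rotate it in Forgejo.
forgejo_runner_token: "{{ vault_runner.forgejo_runner_token | default('') }}"
forgejo_runner_name: "default-runner"
forgejo_runner_capacity: 2
forgejo_runner_loglevel: info
forgejo_runner_base_image: ubuntu:22.04
# NOTE(review): the runner uid equals runner_uid (1000), so CI jobs share file
# ownership with every service directory on this host - confirm the runner
# container gets no docker socket and no bind mounts beyond its own data dir.
forgejo_runner_user: runner
forgejo_runner_uid: 1000
forgejo_runner_version: "9.1.1"   # quoted so the version is always a string
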
# Stirling-PDF - PDF Processing
stirling_pdf_enabled: true
stirling_pdf_port: 8080
stirling_pdf_config_dir: '/docker/stirling-pdf'
stirling_pdf_data_dir: '/docker/stirling-pdf'

# Tandoor - Recipe Manager
tandoor_enabled: true
tandoor_port: 8010
tandoor_config_dir: '/docker/tandoor'
tandoor_data_dir: '/docker/tandoor'
tandoor_media_dir: '{{ tandoor_data_dir }}/media'
tandoor_static_dir: '{{ tandoor_data_dir }}/static'
tandoor_db_engine: 'django.db.backends.postgresql'

# Ghost CMS - Headless CMS
ghost_enabled: true
ghost_port: 2368
ghost_config_dir: '/docker/ghost'
ghost_data_dir: '/docker/ghost'
ghost_content_dir: '{{ ghost_data_dir }}/content'
ghost_db_client: 'mysql'
ghost_db_host: 'ghost-mysql'   # presumably the MySQL container name - verify against the compose template
ghost_db_name: 'ghost'
ghost_db_user: 'ghost'
# Origin Ghost uses when generating absolute links; set it to the real
# https origin when the site is published behind a reverse proxy.
ghost_url: 'http://localhost:2368'

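# CVAT - Data labeling
cvat_enabled: true
cvat_config_dir: "/docker/cvat"

# CVAT is built from the upstream repository checked out at the same tag as
# the images (cvat_image_tag below); keep the two in lockstep.
cvat_repo_url: "https://github.com/cvat-ai/cvat.git"
cvat_repo_version: "{{ cvat_image_tag }}"

# Initial superuser. The password deliberately has no fallback: the previous
# default('change-me') let a deployment without the vault entry come up with a
# guessable admin credential. With `mandatory` the play fails instead.
cvat_admin_username: admin
cvat_admin_password: "{{ vault_runner.cvat_admin_password | mandatory }}"
cvat_admin_email: "{{ vault_runner.cvat_admin_email | default('change-me') }}"

# Networking / access
cvat_domain: "cvat.home" # used by Traefik routing in CVAT compose
cvat_http_port: 8989 # Traefik "web" entrypoint in the default compose
cvat_https_enabled: false # add CVAT's https overlay when true

# Host directory exposed to CVAT as its "share": the local_path of the NFS
# mount named "cvat", or <runner_nfs_mount_dir>/cvat when no such mount exists.
cvat_share_dir: >-
  {{ (runner_nfs_mounts
  | selectattr('name','equalto','cvat')
  | map(attribute='local_path')
  | first)
  | default(runner_nfs_mount_dir ~ '/cvat', true) }}

# Versioning / images
cvat_image_tag: "v2.44.3" # pulled via CVAT_VERSION; align with the git tag you run

# Optional: serverless auto-annotation overlay (Nuclio/SAM/YOLO assist in CVAT)
cvat_serverless_enabled: false

# Optional: use an external Postgres instead of the bundled one
cvat_external_db_enabled: false
cvat_db_host: "postgres.internal"
cvat_db_port: 5432
cvat_db_name: "cvat"
cvat_db_user: "cvat_user"
# Only needed when the external database is enabled, and then it must come
# from the vault; no placeholder is shipped (the previous default was 'change-me').
cvat_db_password: "{{ (vault_runner.cvat_db_password | mandatory) if cvat_external_db_enabled else '' }}"

# Optional: expose Traefik dashboard (binds host port below).
# NOTE(review): the dashboard has no authentication of its own - keep it off
# or put it behind an authenticating proxy.
cvat_traefik_dashboard_enabled: false
cvat_dashboard_port: 8899

# Optional: GPU reservation for CVAT server container (you must have host GPU runtime ready)
cvat_gpu_enabled: false
cvat_gpu_driver: "nvidia"
cvat_gpu_count: "all" # or a number like "1"
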
# ==============================================================================
# DATABASE CONFIGURATIONS
# ==============================================================================

# PostgreSQL (Immich) - deployed exactly when Immich is
postgres_enabled: '{{ immich_enabled }}'
postgres_version: '14'
postgres_config_dir: '/docker/immich/postgres'
postgres_db: "{{ vault_runner.postgres_db | default('') }}"
postgres_user: "{{ vault_runner.postgres_user | default('') }}"

# Redis (Immich)
# NOTE(review): Redis ships without authentication; 6379 should stay on the
# runner docker network and never be published on the host - verify the
# compose template.
redis_enabled: '{{ immich_redis_enabled }}'
redis_port: 6379
redis_config_dir: '/docker/immich/redis'

# MySQL (Ghost CMS) - deployed exactly when Ghost is
mysql_enabled: '{{ ghost_enabled }}'
mysql_version: '8.0'
mysql_config_dir: '/docker/ghost/mysql'
mysql_db: '{{ ghost_db_name }}'
mysql_user: '{{ ghost_db_user }}'

# ==============================================================================
# SECURITY SETTINGS (FROM VAULT)
# ==============================================================================
# Every secret resolves from vault_runner and falls back to an empty string so
# the role still loads without the vault. NOTE(review): an empty string is not
# a safe fallback - an empty database password or Django secret key is at best
# rejected by the container at start-up and at worst accepted. Fail early with
# an assert task (e.g. `that: postgres_password | length > 0` when
# immich_enabled) or use the `mandatory` filter for services that are enabled.

# Database passwords
postgres_password: "{{ vault_runner.postgres_password | default('') }}"
mysql_password: "{{ vault_runner.mysql_password | default('') }}"
mysql_root_password: "{{ vault_runner.mysql_root_password | default('') }}"

# Service secrets
# NOTE(review): ghost_database_password and mysql_password presumably describe
# the same credential - confirm the templates use one of them consistently.
immich_jwt_secret: "{{ vault_runner.immich_jwt_secret | default('') }}"
ghost_database_password: "{{ vault_runner.ghost_database_password | default('') }}"
tandoor_secret_key: "{{ vault_runner.tandoor_secret_key | default('') }}"

# MQTT credentials (from vault) - the single definition used by Frigate
frigate_mqtt_username: "{{ vault_runner.frigate_mqtt_username | default('') }}"
frigate_mqtt_password: "{{ vault_runner.frigate_mqtt_password | default('') }}"

# ==============================================================================
# DIRECTORY STRUCTURE
# ==============================================================================

# Local configuration directories created on the host (order preserved:
# parents are listed before their children).
# NOTE(review): cvat_config_dir and harbor_config_dir are not listed here -
# confirm their own tasks create them, or add them.
runner_config_directories:
  # Frigate
  - '{{ frigate_config_dir }}'
  # Immich and its databases/caches
  - '{{ immich_config_dir }}'
  - '{{ immich_config_dir }}/postgres'
  - '{{ immich_config_dir }}/redis'
  - '{{ immich_config_dir }}/library'
  - '{{ immich_config_dir }}/cache'
  - '{{ immich_config_dir }}/model-cache'
  - '{{ immich_config_dir }}/postgres-init'
  # Forgejo and its runner
  - '{{ forgejo_config_dir }}'
  - '{{ forgejo_config_dir }}/forgejo-runner-data'
  # Stirling-PDF
  - '{{ stirling_pdf_config_dir }}'
  # Tandoor
  - '{{ tandoor_config_dir }}'
  - '{{ tandoor_data_dir }}/db'
  - '{{ tandoor_data_dir }}/media'
  - '{{ tandoor_data_dir }}/static'
  # Ghost
  - '{{ ghost_config_dir }}'
  - '{{ ghost_config_dir }}/content'
  - '{{ ghost_config_dir }}/mysql'

# NFS mount directories (mount points, one per entry in runner_nfs_mounts)
runner_nfs_directories:
  - '{{ runner_nfs_mount_dir }}'
  - '{{ runner_nfs_mount_dir }}/frigate'
  - '{{ runner_nfs_mount_dir }}/immich'
  - '{{ runner_nfs_mount_dir }}/forgejo'
  - '{{ runner_nfs_mount_dir }}/harbor'
  - '{{ runner_nfs_mount_dir }}/cvat'

# ==============================================================================
# PERFORMANCE SETTINGS
# ==============================================================================

# Kernel tuning for the NFS client, applied when runner_performance_tuning_enabled is true.
# These are host-wide sysctls, not per-container: every workload on the box is
# affected, and 256 MB socket buffers let a single slow or hostile peer pin a
# lot of kernel memory. Sized for the original host (Ryzen 7, 32 GB RAM).
runner_performance_tuning_enabled: true
runner_sysctl_settings:
  # Socket buffers
  net.core.rmem_max: 268435456       # 256 MB max receive buffer
  net.core.wmem_max: 268435456       # 256 MB max send buffer
  net.core.rmem_default: 33554432    # 32 MB default receive buffer
  net.core.wmem_default: 33554432    # 32 MB default send buffer
  net.ipv4.tcp_rmem: '4096 131072 268435456'   # TCP receive: 4 KB min, 128 KB default, 256 MB max
  net.ipv4.tcp_wmem: '4096 131072 268435456'   # TCP send: 4 KB min, 128 KB default, 256 MB max
  net.core.netdev_max_backlog: 30000 # absorb connection bursts (32 connections)
  # TCP behaviour
  net.ipv4.tcp_congestion_control: 'bbr'   # BBR congestion control
  net.ipv4.tcp_window_scaling: 1     # TCP window scaling
  net.ipv4.tcp_timestamps: 1         # timestamps for RTT estimation
  net.ipv4.tcp_sack: 1               # selective acknowledgements
  # Page cache / writeback, tuned for 32 GB RAM
  vm.dirty_background_ratio: 3       # start background writeback at 3%
  vm.dirty_ratio: 8                  # force synchronous writeback at 8%
  vm.vfs_cache_pressure: 25          # retain more dentry/inode cache (25% vs default 100)
  vm.min_free_kbytes: 131072         # keep 128 MB free for network buffers

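# Harbor Configuration (external deployment)
harbor_enabled: true
harbor_config_dir: "/docker/harbor"
harbor_version: "2.13.0"
harbor_hostname: "registry.local"
# NOTE(review): 8080 and 5000 collide with stirling_pdf_port and frigate_port
# should Harbor ever be brought onto this host; the "external deployment"
# comment suggests it is not, but check before enabling it here.
harbor_http_port: 8080
harbor_registry_port: 5000
# Initial admin password, from the vault. The previous literal "Harbor12345"
# is Harbor's documented factory password, so every install that did not
# override this default ran with a publicly known admin credential.
harbor_admin_password: "{{ vault_runner.harbor_admin_password | default('') }}"
# NOTE(review): this value is 112 hex characters - neither a SHA-256 (64) nor
# a SHA-512 (128) digest - and repeats a simple pattern, so it looks like a
# placeholder that can never verify a download. Replace it with the digest
# published for harbor_version before relying on checksum verification.
harbor_checksum: "b4a3b0e7d8e3a8b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1"
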
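# ==============================================================================
# CONTAINER IMAGES
# ==============================================================================

# Centralized container image mapping for version control.
# Note: Frigate and Immich use conditional images based on hardware acceleration.
# The runner and database tags are derived from the *_version variables
# defined elsewhere in this file, so a version bump happens in one place and
# the image can no longer drift from the version the role believes it runs.
# NOTE(review): stirling_pdf and tandoor float on ":latest"; a tag that moves
# underneath you is not reproducible and cannot be reviewed before it is
# pulled. Pin them to a release tag (or a digest) once the versions in use are known.
container_images:
  # Core services
  forgejo: "codeberg.org/forgejo/forgejo:12"
  forgejo_runner: "data.forgejo.org/forgejo/runner:{{ forgejo_runner_version }}"

  # Productivity services
  stirling_pdf: "frooodle/s-pdf:latest"
  tandoor: "vabene1111/recipes:latest"
  ghost: "ghost:5-alpine"

  # Database services
  postgres: "postgres:{{ postgres_version }}-alpine"
  mysql: "mysql:{{ mysql_version }}"
  redis: "redis:7-alpine"

# Docker resource limits (presumably the fallback for services without a
# specific limit below - verify against the compose templates)
default_memory_limit: "1g"
default_cpu_limit: "1"

# Health check configuration
health_check_interval: "30s"
health_check_timeout: "30s"
health_check_retries: 5
health_check_start_period: "60s"

# Service-specific limits
frigate_memory_limit: "4g"
frigate_cpu_limit: "2"
immich_memory_limit: "2g"
immich_cpu_limit: "2"
immich_ml_memory_limit: "4g"
immich_ml_cpu_limit: "2"
postgres_memory_limit: "1g"
postgres_cpu_limit: "1"
mysql_memory_limit: "1g"
mysql_cpu_limit: "1"
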
# ==============================================================================
# SERVICE HEALTH ENDPOINTS
# ==============================================================================
# Probed over plain HTTP on the loopback interface.
# NOTE(review): Frigate's /api/config returns the rendered configuration, which
# may include camera stream details - make sure frigate_port is not reachable
# beyond this host without authentication in front of it.
service_endpoints:
  frigate: 'http://localhost:{{ frigate_port }}/api/config'
  immich: 'http://localhost:{{ immich_server_port }}/api/server-info/ping'
  forgejo: 'http://localhost:{{ forgejo_http_port }}/api/v1/version'
  stirling_pdf: 'http://localhost:{{ stirling_pdf_port }}/api/v1/info/status'
  tandoor: 'http://localhost:{{ tandoor_port }}/accounts/login/'
  ghost: 'http://localhost:{{ ghost_port }}/ghost/api/admin/site/'

# ==============================================================================
# LOGGING CONFIGURATION
# ==============================================================================
# Docker json-file driver with rotation: at most 3 files of 10 MB per container.
logging_driver: 'json-file'
logging_max_size: '10m'
logging_max_file: '3'

# Per-service log levels (each service has its own vocabulary, hence the
# differing spellings)
frigate_log_level: 'info'
immich_log_level: 'log'
forgejo_log_level: 'Info'
ghost_logging: 'info'
403
404