Ansible role that deploys services on my runner machine
---
# Runner Services Role Defaults
# Multi-service container deployment with NFS integration
#
# Role defaults (lowest precedence) — intended to be overridden from inventory
# or group_vars. Secrets are read from the `vault_runner` / `vault_storage`
# dictionaries; nothing sensitive belongs in this file in the clear.

# ==============================================================================
# GENERAL SETTINGS
# ==============================================================================
runner_enabled: true
# Legacy variables - no longer used with consolidated structure
# runner_docker_dir: "/docker/runner" # Now each service uses /docker/[service]
# runner_data_dir: "/docker/runner-data" # Now consolidated into each service directory
# Parent directory for every NFS export; runner_nfs_mounts uses one
# subdirectory per service under it
runner_nfs_mount_dir: "/mnt/docker"
# Account that owns the service directories. NOTE(review): runner_uid/gid are
# fixed at 1000 while runner_user follows ansible_user — if the connecting
# account is not uid/gid 1000 the ownership of /docker/* and the NFS data will
# not match that account; confirm against the inventory.
runner_user: "{{ ansible_user }}"
runner_group: "users"
runner_uid: 1000
runner_gid: 1000

# Timezone configuration
runner_timezone: "Europe/Amsterdam"

# Docker network for runner services
runner_docker_network: "runner-network"
runner_network_subnet: "172.20.0.0/16"

# NFS Configuration
runner_nfs_enabled: true
# NAS hostname: taken from the storage vault, falling back to the bare hostname
runner_nas_host: "{{ vault_storage.nas_host | default('storage.home') }}"
# Mount options shared by every entry in runner_nfs_mounts.
# - No `sec=` option, so the mounts use AUTH_SYS: the NAS trusts the client's
#   uid/gid (uid 1000 above) and traffic is unencrypted. Acceptable only on a
#   trusted LAN; prefer sec=krb5p if the NAS supports it.
# - rsize/wsize of 16 MiB exceed the 1 MiB the Linux NFS client allows and
#   are negotiated down; nconnect=8 requires a kernel with nconnect support
#   (5.3+).
# - hard,timeo=600,retrans=2: I/O blocks rather than erroring while the NAS
#   is unreachable; _netdev defers the mount until the network is up.
runner_nfs_options: "nfsvers=4.1,proto=tcp,hard,timeo=600,retrans=2,rsize=16777216,wsize=16777216,nconnect=8,noatime,_netdev"

# ==============================================================================
# NFS MOUNT CONFIGURATION
# ==============================================================================
# One entry per service whose persistent data lives on the NAS. `name` is also
# the subdirectory under runner_nfs_mount_dir; `nfs_path` is the export path on
# the NAS. These exports carry CCTV footage, personal photos, git repositories
# and registry blobs — see the AUTH_SYS / cleartext caveat on
# runner_nfs_options.
runner_nfs_mounts:
  - name: "frigate"
    local_path: "{{ runner_nfs_mount_dir }}/frigate"
    nfs_path: "/mnt/rstorage/cctv-data"
    host: "{{ runner_nas_host }}"
    options: "{{ runner_nfs_options }}"

  - name: "immich"
    local_path: "{{ runner_nfs_mount_dir }}/immich"
    nfs_path: "/mnt/rstorage/media/pictures"
    host: "{{ runner_nas_host }}"
    options: "{{ runner_nfs_options }}"

  - name: "forgejo"
    local_path: "{{ runner_nfs_mount_dir }}/forgejo"
    nfs_path: "/mnt/rstorage/code-repo"
    host: "{{ runner_nas_host }}"
    options: "{{ runner_nfs_options }}"

  # NOTE(review): Harbor is described further down as an "external deployment";
  # confirm this mount is actually needed on the runner host.
  - name: "harbor"
    local_path: "{{ runner_nfs_mount_dir }}/harbor"
    nfs_path: "/mnt/rstorage/registry-data"
    host: "{{ runner_nas_host }}"
    options: "{{ runner_nfs_options }}"

  # Also picked up by cvat_share_dir (selected by name)
  - name: "cvat"
    local_path: "{{ runner_nfs_mount_dir }}/cvat"
    nfs_path: "/mnt/rstorage/cvat-datasets"
    host: "{{ runner_nas_host }}"
    options: "{{ runner_nfs_options }}"

# ==============================================================================
# SERVICE CONFIGURATIONS
# ==============================================================================

# Frigate - AI NVR System
frigate_enabled: true
# NOTE(review): recent Frigate releases treat this port as the unauthenticated
# internal API/UI port (8971 is the authenticated one). Keep it off anything
# but localhost or the docker network.
frigate_port: 5000
frigate_rtmp_port: 1935
frigate_rtsp_port: 8554
frigate_go2rtc_port: 1984
frigate_config_dir: "/docker/frigate"
# Recordings/clips go to the NAS export mounted for "frigate"
frigate_data_dir: "{{ runner_nfs_mount_dir }}/frigate"
frigate_mqtt_enabled: true
# NOTE(review): the fallback is a hard-coded LAN address; it should live in the
# vault/inventory rather than here. Port 1883 is plain MQTT and no TLS setting
# is visible in this role — credentials (frigate_mqtt_username/password below)
# travel in the clear on the LAN.
frigate_mqtt_host: "{{ vault_runner.frigate_mqtt_host | default('192.168.34.94') }}"
frigate_mqtt_port: "{{ vault_runner.frigate_mqtt_port | default(1883) }}"
frigate_hardware_acceleration: "vaapi"  # vaapi, nvdec, nvenc, qsv, or none

# Frigate cameras configuration (from vault)
# NOTE(review): every camera is enabled: true while host/username/password
# default to ''. A missing vault entry therefore yields a camera with an empty
# host instead of skipping it — confirm the Frigate config template guards on
# host, or gate `enabled` on the vault value.
frigate_cameras:
  - name: "dining-room"
    host: "{{ vault_runner.dining_room_camera_host | default('') }}"
    username: "{{ vault_runner.dining_room_camera_user | default('') }}"
    password: "{{ vault_runner.dining_room_camera_pass | default('') }}"
    path: "/live0"
    enabled: true

  - name: "living-room"
    host: "{{ vault_runner.living_room_camera_host | default('') }}"
    username: "{{ vault_runner.living_room_camera_user | default('') }}"
    password: "{{ vault_runner.living_room_camera_pass | default('') }}"
    path: "/live0"
    enabled: true

  - name: "bed-room"
    host: "{{ vault_runner.bed_room_camera_host | default('') }}"
    username: "{{ vault_runner.bed_room_camera_user | default('') }}"
    password: "{{ vault_runner.bed_room_camera_pass | default('') }}"
    path: "/live0"
    enabled: true

  - name: "alina-office"
    host: "{{ vault_runner.alina_office_camera_host | default('') }}"
    username: "{{ vault_runner.alina_office_camera_user | default('') }}"
    password: "{{ vault_runner.alina_office_camera_pass | default('') }}"
    path: "/live0"
    enabled: true

  # Only entry that sets an explicit RTSP port; the others rely on the template default
  - name: "tapo-cam"
    host: "{{ vault_runner.tapocam_host | default('') }}"
    username: "{{ vault_runner.tapocam_user | default('') }}"
    password: "{{ vault_runner.tapocam_pass | default('') }}"
    path: "/stream1"
    port: 554
    enabled: true

# Immich - Photo Management
immich_enabled: true
immich_server_port: 2283
immich_ml_port: 3003
immich_config_dir: "/docker/immich"
# Same path as immich_config_dir; postgres/redis/cache subdirectories are
# created under it (see runner_config_directories)
immich_data_dir: "/docker/immich"
# Photo library lives on the NAS export mounted for "immich"
immich_upload_dir: "{{ runner_nfs_mount_dir }}/immich"
# Database name/user come from the same vault keys as postgres_db/postgres_user
immich_db_name: "{{ vault_runner.postgres_db | default('') }}"
immich_db_user: "{{ vault_runner.postgres_user | default('') }}"
# Drives redis_enabled below
immich_redis_enabled: true
immich_ml_enabled: true
immich_facial_recognition: true
immich_hardware_acceleration: "none"  # none, vaapi, nvdec, nvenc, or qsv

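# Forgejo - Git Server
forgejo_enabled: true
forgejo_http_port: 3010
forgejo_ssh_port: 2222
forgejo_config_dir: "/docker/forgejo"
# Repositories live on the NAS export mounted for "forgejo"
forgejo_data_dir: "{{ runner_nfs_mount_dir }}/forgejo"
forgejo_db_type: "sqlite3"
forgejo_app_name: "Forgejo Git Service"
forgejo_domain: "forgejo.home"
# SSH clone URLs advertise the host's primary IPv4 rather than forgejo_domain
forgejo_ssh_domain: "{{ ansible_default_ipv4.address }}"

# Forgejo Runner Configuration
forgejo_runner_enabled: true
# Runner registration token — a secret, sourced from the vault like every other
# credential in this role. A literal token used to be written here; if this
# file is version-controlled that value is in the history and must be treated
# as compromised: revoke it in Forgejo's runner administration and register
# with a fresh token stored as vault_runner.forgejo_runner_token. With no vault
# value this is empty and runner registration cannot succeed (fail closed).
forgejo_runner_token: "{{ vault_runner.forgejo_runner_token | default('') }}"
forgejo_runner_name: "default-runner"
forgejo_runner_capacity: 2
forgejo_runner_loglevel: "info"
# Presumably the default job container image; quoted because the value
# contains ':'. Pin a digest if reproducible CI matters.
forgejo_runner_base_image: "ubuntu:22.04"
forgejo_runner_user: "runner"
forgejo_runner_uid: 1000
# Quoted so the version is never parsed as a number
forgejo_runner_version: "9.1.1"
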
# Stirling-PDF - PDF Processing
stirling_pdf_enabled: true
# NOTE(review): 8080 is also harbor_http_port — see the Harbor section
stirling_pdf_port: 8080
stirling_pdf_config_dir: "/docker/stirling-pdf"
stirling_pdf_data_dir: "/docker/stirling-pdf"

# Tandoor - Recipe Manager
tandoor_enabled: true
tandoor_port: 8010
tandoor_config_dir: "/docker/tandoor"
tandoor_data_dir: "/docker/tandoor"
tandoor_media_dir: "{{ tandoor_data_dir }}/media"
tandoor_static_dir: "{{ tandoor_data_dir }}/static"
# NOTE(review): Postgres backend, but no Tandoor DB credential variable is
# defined in this file (only tandoor_secret_key) — confirm where the DB
# password comes from.
tandoor_db_engine: "django.db.backends.postgresql"

# Ghost CMS - Headless CMS
ghost_enabled: true
ghost_port: 2368
ghost_config_dir: "/docker/ghost"
ghost_data_dir: "/docker/ghost"
ghost_content_dir: "{{ ghost_data_dir }}/content"
ghost_db_client: "mysql"
# Container name of the bundled MySQL (mysql_* below)
ghost_db_host: "ghost-mysql"
ghost_db_name: "ghost"
ghost_db_user: "ghost"
# NOTE(review): plain http. If Ghost is put behind a TLS-terminating proxy this
# should become https://..., since Ghost derives absolute links and cookie
# settings from `url` — confirm against the proxy setup.
ghost_url: "http://ghost.home"

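# CVAT - Data labeling
cvat_enabled: true
cvat_config_dir: "/docker/cvat"

# Upstream repository (presumably for its compose files), checked out at the
# same tag as the images. cvat_image_tag is defined further down — Ansible
# resolves templates lazily, so the forward reference is fine.
cvat_repo_url: "https://github.com/cvat-ai/cvat.git"
cvat_repo_version: "{{ cvat_image_tag }}"

# Bootstrap superuser. 'change-me' keeps the role rendering without a vault,
# but it is a well-known placeholder: a deployment without
# vault_runner.cvat_admin_password comes up with a guessable admin login.
# Treat a missing vault value as a deployment error. The email fallback is
# likewise not a valid address.
cvat_admin_username: "admin"
cvat_admin_password: "{{ vault_runner.cvat_admin_password | default('change-me') }}"
cvat_admin_email: "{{ vault_runner.cvat_admin_email | default('change-me') }}"

# Networking / access
cvat_domain: "cvat.home"  # used by Traefik routing in CVAT compose
cvat_http_port: 8990  # Traefik "web" entrypoint in the default compose
cvat_https_enabled: false  # add CVAT's https overlay when true; plain HTTP otherwise

# Host directory handed to CVAT as its share: the local_path of the 'cvat'
# entry in runner_nfs_mounts, falling back to <runner_nfs_mount_dir>/cvat when
# no such entry exists
cvat_share_dir: >-
  {{ (runner_nfs_mounts
  | selectattr('name','equalto','cvat')
  | map(attribute='local_path')
  | first)
  | default(runner_nfs_mount_dir ~ '/cvat', true) }}

# Versioning / images
cvat_image_tag: "v2.44.3"  # pulled via CVAT_VERSION; align with the git tag you run

# Optional: serverless auto-annotation overlay (Nuclio/SAM/YOLO assist in CVAT)
cvat_serverless_enabled: false

# Optional: use an external Postgres instead of the bundled one
cvat_external_db_enabled: false
cvat_db_host: "postgres.internal"
cvat_db_port: 5432
cvat_db_name: "cvat"
cvat_db_user: "cvat_user"
# Same 'change-me' caveat as the admin password — only used when the external
# DB is enabled
cvat_db_password: "{{ vault_runner.cvat_db_password | default('change-me') }}"

# Optional: expose Traefik dashboard (binds host port below)
# NOTE(review): Traefik's dashboard has no authentication unless middleware
# adds it; if enabled, bind it to localhost only.
cvat_traefik_dashboard_enabled: false
cvat_dashboard_port: 8899

# Optional: GPU reservation for CVAT server container (you must have host GPU runtime ready)
cvat_gpu_enabled: false
cvat_gpu_driver: "nvidia"
cvat_gpu_count: "all"  # or a number like "1"
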
# ==============================================================================
# DATABASE CONFIGURATIONS
# ==============================================================================

# PostgreSQL (Immich)
# Follows immich_enabled — the bundled Postgres only exists for Immich
postgres_enabled: "{{ immich_enabled }}"
postgres_config_dir: "/docker/immich/postgres"
postgres_db: "{{ vault_runner.postgres_db | default('') }}"
postgres_user: "{{ vault_runner.postgres_user | default('') }}"
# NOTE(review): Immich needs a Postgres build that ships the vector extension
# (pgvecto.rs / VectorChord); a stock postgres:14 image does not. Confirm
# which image the immich tasks actually run.
postgres_version: "14"

# Redis (Immich)
redis_enabled: "{{ immich_redis_enabled }}"
redis_config_dir: "/docker/immich/redis"
redis_port: 6379

# MySQL (Ghost CMS)
mysql_enabled: "{{ ghost_enabled }}"
mysql_config_dir: "/docker/ghost/mysql"
mysql_db: "{{ ghost_db_name }}"
mysql_user: "{{ ghost_db_user }}"
mysql_version: "8.0"

# ==============================================================================
# SECURITY SETTINGS (FROM VAULT)
# ==============================================================================
# Every secret resolves to '' when the vault key is missing. For the database
# images that is fail-closed by accident rather than design — the official
# postgres and mysql images refuse to start with an empty password unless
# explicitly told to allow it — but an empty application secret (JWT, Django
# SECRET_KEY) may be accepted silently. Consider `| mandatory` instead of
# `| default('')` for these.

# Database passwords
postgres_password: "{{ vault_runner.postgres_password | default('') }}"
mysql_password: "{{ vault_runner.mysql_password | default('') }}"
mysql_root_password: "{{ vault_runner.mysql_root_password | default('') }}"

# Service secrets
immich_jwt_secret: "{{ vault_runner.immich_jwt_secret | default('') }}"
ghost_database_password: "{{ vault_runner.ghost_database_password | default('') }}"
tandoor_secret_key: "{{ vault_runner.tandoor_secret_key | default('') }}"

# MQTT credentials (from vault) - centralized definitions
# Sent to the broker at frigate_mqtt_host over plain MQTT (see the Frigate note)
frigate_mqtt_username: "{{ vault_runner.frigate_mqtt_username | default('') }}"
frigate_mqtt_password: "{{ vault_runner.frigate_mqtt_password | default('') }}"

# ==============================================================================
# DIRECTORY STRUCTURE
# ==============================================================================

# Local configuration directories
# NOTE(review): cvat_config_dir and harbor_config_dir are not in this list;
# confirm their tasks create them (e.g. via the git checkout) or add them here.
# Ownership/mode applied to these directories is not visible in this file —
# the database and secret-bearing subdirectories should not be world-readable.
runner_config_directories:
  - "{{ frigate_config_dir }}"
  - "{{ immich_config_dir }}"
  - "{{ immich_config_dir }}/postgres"
  - "{{ immich_config_dir }}/redis"
  - "{{ immich_config_dir }}/library"
  - "{{ immich_config_dir }}/cache"
  - "{{ immich_config_dir }}/model-cache"
  - "{{ immich_config_dir }}/postgres-init"
  - "{{ forgejo_config_dir }}"
  - "{{ forgejo_config_dir }}/forgejo-runner-data"
  - "{{ stirling_pdf_config_dir }}"
  - "{{ tandoor_config_dir }}"
  - "{{ tandoor_data_dir }}/db"
  - "{{ tandoor_data_dir }}/media"
  - "{{ tandoor_data_dir }}/static"
  - "{{ ghost_config_dir }}/config"
  - "{{ ghost_config_dir }}/content"
  - "{{ ghost_config_dir }}/mysql"

# NFS mount directories
# Mount points for runner_nfs_mounts (must exist before the mounts are applied)
runner_nfs_directories:
  - "{{ runner_nfs_mount_dir }}"
  - "{{ runner_nfs_mount_dir }}/frigate"
  - "{{ runner_nfs_mount_dir }}/immich"
  - "{{ runner_nfs_mount_dir }}/forgejo"
  - "{{ runner_nfs_mount_dir }}/harbor"
  - "{{ runner_nfs_mount_dir }}/cvat"

# ==============================================================================
# PERFORMANCE SETTINGS
# ==============================================================================

# Network performance tuning for NFS
runner_performance_tuning_enabled: true
# Applied host-wide via sysctl, not per container. Sized for the 32 GB host
# described below; review before reusing on smaller machines.
runner_sysctl_settings:
  # Extreme performance network buffers for Ryzen 7 + 32GB RAM
  net.core.rmem_max: 268435456  # 256MB: largest receive buffer a socket may request
  net.core.wmem_max: 268435456  # 256MB: largest send buffer a socket may request
  net.core.rmem_default: 33554432  # 32MB default receive buffer
  net.core.wmem_default: 33554432  # 32MB default send buffer
  net.ipv4.tcp_rmem: "4096 131072 268435456"  # TCP receive: 4KB min, 128KB default, 256MB max (autotuned in this range)
  net.ipv4.tcp_wmem: "4096 131072 268435456"  # TCP send: 4KB min, 128KB default, 256MB max
  net.core.netdev_max_backlog: 30000  # Packets queued per CPU before the stack drops them in a burst (not a connection count)
  net.ipv4.tcp_congestion_control: "bbr"  # BBR congestion control; the tcp_bbr module must be loadable or this sysctl fails
  net.ipv4.tcp_window_scaling: 1  # Enable TCP window scaling (needed for windows above 64KB)
  net.ipv4.tcp_timestamps: 1  # Enable TCP timestamps for RTT calculation
  net.ipv4.tcp_sack: 1  # Enable selective acknowledgments
  # NFS client cache tuning for 32GB RAM
  vm.dirty_background_ratio: 3  # Start background writeback at 3% of RAM dirty (kernel default 10)
  vm.dirty_ratio: 8  # Block writers at 8% dirty (kernel default 20)
  vm.vfs_cache_pressure: 25  # Not a percentage: default is 100, lower values keep dentry/inode caches longer
  vm.min_free_kbytes: 131072  # Keep 128MB free for network buffers

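# Harbor Configuration (external deployment)
harbor_enabled: true
harbor_config_dir: "/docker/harbor"
harbor_version: "2.13.0"
# NOTE(review): `.local` is reserved for mDNS and many resolvers will not look
# it up through DNS; clients pushing to this name also need it in their TLS
# trust (or insecure-registry) configuration.
harbor_hostname: "registry.local"
# NOTE(review): 8080 is also stirling_pdf_port and 5000 is also frigate_port,
# and both of those services are enabled. If Harbor runs on this host the host
# port bindings collide — move one side, or confirm Harbor really is elsewhere.
harbor_http_port: 8080
harbor_registry_port: 5000
# Initial admin password. Harbor's shipped default ("Harbor12345") must never
# be deployed: it is the first credential tried against any registry, and a
# registry admin can replace the images every service in this role runs.
# Sourced from the vault like the other secrets; with no vault value this is
# empty rather than the known default.
harbor_admin_password: "{{ vault_runner.harbor_admin_password | default('') }}"
# Expected digest of the Harbor installer download.
# NOTE(review): this value is a synthetic a1b2c3-style hex sequence of 112
# characters — neither SHA-256 (64) nor SHA-512 (128) — and cannot match any
# real artifact. Replace it with the published digest for harbor_version
# before relying on the download check. A digest that never matches only
# fails the install; do not "fix" it by dropping verification, which would
# silently accept a tampered installer.
harbor_checksum: "b4a3b0e7d8e3a8b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1"
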
# ==============================================================================
# CONTAINER IMAGES
# ==============================================================================

# Centralized container image mapping for version control
# Note: Frigate and Immich use conditional images based on hardware acceleration
# NOTE(review): two entries use `:latest`, which defeats the "version control"
# purpose of this map — every deploy may pull a different image and a
# compromised or broken upstream push lands unreviewed. Pin to a release tag
# (ideally with an @sha256 digest) once the versions in use are known.
container_images:
  # Core services
  forgejo: "codeberg.org/forgejo/forgejo:12"
  # Matches forgejo_runner_version
  forgejo_runner: "data.forgejo.org/forgejo/runner:9.1.1"

  # Productivity services
  # NOTE(review): upstream has moved this image to stirlingtools/stirling-pdf;
  # confirm frooodle/s-pdf is still maintained before keeping it.
  stirling_pdf: "frooodle/s-pdf:latest"
  tandoor: "vabene1111/recipes:latest"
  ghost: "ghost:5-alpine"

  # Database services
  # NOTE(review): Immich requires a Postgres image with the vector extension
  # (pgvecto.rs / VectorChord); a stock postgres image will not work for it —
  # confirm the immich tasks use their own image.
  postgres: "postgres:14-alpine"
  mysql: "mysql:8.0"
  redis: "redis:7-alpine"

# Docker resource limits (per container unless a service overrides them)
default_memory_limit: "1g"
default_cpu_limit: "1"

# Health check configuration
health_check_interval: "30s"
health_check_timeout: "30s"
health_check_retries: 5
health_check_start_period: "60s"

# ==============================================================================
# SERVICE HEALTH ENDPOINTS
# ==============================================================================
# Probed on localhost, so they exercise the host port bindings rather than the
# container network.
service_endpoints:
  # NOTE(review): /api/config returns the rendered Frigate config, which may
  # include camera stream URLs with credentials — another reason to keep
  # frigate_port off untrusted networks.
  frigate: "http://localhost:{{ frigate_port }}/api/config"
  # NOTE(review): newer Immich releases serve this as /api/server/ping and have
  # retired the server-info path; confirm against the deployed version.
  immich: "http://localhost:{{ immich_server_port }}/api/server-info/ping"
  forgejo: "http://localhost:{{ forgejo_http_port }}/api/v1/version"
  stirling_pdf: "http://localhost:{{ stirling_pdf_port }}/api/v1/info/status"
  # Login page rather than an API endpoint: only proves the app is serving
  tandoor: "http://localhost:{{ tandoor_port }}/accounts/login/"
  ghost: "http://localhost:{{ ghost_port }}/ghost/api/admin/site/"

# ==============================================================================
# LOGGING CONFIGURATION
# ==============================================================================
# Docker log driver and rotation applied to the containers: at most 3 files of
# 10 MiB each per container
logging_driver: "json-file"
logging_max_size: "10m"
logging_max_file: "3"

# Service-specific logging levels (each service's own level vocabulary; the
# differing spellings are deliberate)
frigate_log_level: "info"
immich_log_level: "log"
forgejo_log_level: "Info"
ghost_logging: "info"
