benschubert.infrastructure.main role – Configure a suite of basic infrastructure services in podman to serve as a foundation for a Homelab.

Note

This role is part of the benschubert.infrastructure collection (version 0.0.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install benschubert.infrastructure.

To use it in a playbook, specify: benschubert.infrastructure.main.

Entry point main – Configure a suite of basic infrastructure services in podman to serve as a foundation for a Homelab.

Synopsis

  • This role configures a suite of services connected together via podman and exposed to the host.

  • You can find the entire list of services configured by this role in the main description.

Parameters

Parameter / Comments

auth_authentik_authentication_page_title

string

The title to show users when they are trying to log in to Authentik

Default: "Welcome to {{ auth_authentik_hostname }}"

auth_authentik_background

string

The name of the file to use as a background for Authentik when users log in

auth_authentik_configuration_path

string / required

The directory in which the configuration files for Authentik will be stored

auth_authentik_email_config

dictionary

The configuration to allow Authentik to send emails when needed

from

string / required

The email address authentik will send from

In order to change the display name, use Name <account@domain>

host

string / required

The email provider host

password

string / required

The password to authenticate with the email provider

port

string / required

The port for the SMTP service to send emails to

ssl

boolean

Whether to use SSL to connect to the email provider

Choices:

  • false

  • true

tls

boolean

Whether to use TLS to connect to the email provider

Choices:

  • false

  • true

username

string / required

The username to authenticate with the email provider

auth_authentik_hostname

string / required

The hostname under which Authentik should be reachable

auth_authentik_icon

string

Name of the SVG file to use as an icon for Authentik on the login screen

auth_authentik_image

string

The container image path and tag to use for Authentik

Default: "See auth_authentik_image in the auth role"

auth_authentik_secret_key

string / required

Secret key used for cookie signing and unique user IDs. Do not change this after the first install.

auth_authentik_superadmin_bootstrap_password

string

The password for the super admin that Authentik creates at bootstrap

Only required for the first run.

auth_authentik_superadmin_bootstrap_token

string

The value of the token to create for the super admin at bootstrap

This is then used to connect to Authentik

auth_authentik_token

string

The token to use to connect to Authentik

Defaults to auth_authentik_superadmin_bootstrap_token if not set

After the bootstrap, it is recommended to create a new token and remove the bootstrap one, so that it does not linger in the environment needlessly

Default: "{{ auth_authentik_superadmin_bootstrap_token }}"

auth_monitor_agent_alloy_image

string

The container image path and tag to use for Alloy

Default: "See monitoring_agent_alloy_image from the Monitoring role"

auth_monitor_agent_config_path

string / required

The path on disk where to store the monitoring agent’s configuration files

auth_monitor_agent_data_path

string / required

The path on disk where to store the monitoring agent’s data

auth_monitor_agent_user_group

string

A group name to which to add the role account that is created for monitoring Authentik.

This is useful if you want to restrict apps per user, so you can have those bots publish their metrics correctly.

Defaults to default_monitor_agent_user_group

auth_postgres_data_path

string / required

The path on disk where the PostgreSQL instance for Authentik should store its data

auth_postgres_image

string

The container image path and tag to use for Postgres

Default: "See postgres_image from the Postgres role"

auth_postgres_password

string / required

The password used to connect to the Authentik PostgreSQL database

auth_redis_config_path

string / required

The path on disk where the Redis instance for Authentik should store its configurations

auth_redis_data_path

string / required

The path on disk where the Authentik Redis instance should store its data

auth_redis_image

string

The container image path and tag to use for Redis

Default: "See redis_image from the Redis role"

auth_redis_metrics_password

string / required

The password to allow the metric gathering agent to connect to the Authentik Redis instance

auth_redis_password

string / required

The password that Authentik will use to connect to Redis

This is also used to configure the Redis instance

auth_worker_additional_networks

list / elements=string

A list of additional podman networks that need to be attached to the Authentik worker pod.

This is useful if you want to configure an SMTP gateway for sending emails via Authentik. For example, this would allow sending validation and reset emails.

Default: []

default_monitor_agent_user_group

string

A group name to which to add the role account that is created for monitoring services.

This is useful if you want to restrict apps per user, so you can have those bots publish their metrics correctly.

This is the default value that each service-specific value will take if it is not individually overridden

ingress_additional_networks

list / elements=string

A list of additional podman networks that need to be attached to the ingress pod.

This is useful if you want to expose other services that are not part of this collection through the ingress.

For a definition of what the entries can accept, see ingress_networks

Default: []

ingress_custom_ca_cert

string

The path on disk to a custom CA certificate used to validate the TLS certificates when their issuer is not among the system’s root certificate authorities

ingress_http_port

integer

The port that Traefik should use to expose its http interface on the host.

Default: 80

ingress_https_port

integer

The port that Traefik should use to expose its https interface on the host.

Default: 443

ingress_monitor_agent_alloy_image

string

The container image path and tag to use for Alloy

Default: "See monitoring_agent_alloy_image from the Monitoring role"

ingress_monitor_agent_config_path

string / required

The path on disk where to store the monitoring agent’s configuration files for the ingress services

ingress_monitor_agent_data_path

string / required

The path on disk where to store the monitoring agent’s data for the ingress services

ingress_monitor_agent_user_group

string

A group name to which to add the role account that is created for monitoring Traefik.

This is useful if you want to restrict apps per user, so you can have those bots publish their metrics correctly.

ingress_networks

list / elements=string

In most cases, setting this should not be required, and you should leverage ingress_additional_networks instead.

The list of podman networks that the Traefik pod should attach to.

This is to let Traefik act as a reverse proxy for other services hosted in podman, without exposing them to other places.

ingress_traefik_allowlisted_groups

list / elements=string

A list of groups to restrict the Traefik dashboard to.

Users not in any of the specified groups won’t be able to see or log in to the dashboard.

null or [] does not restrict access.

ingress_traefik_certificates_resolvers

dictionary

The configuration for the certificate resolvers

When set, it must contain at least a ‘default’ entry, which is used for all services that don’t specify an explicit resolver in their configuration

See Traefik’s documentation for more information

Default: {}

ingress_traefik_configuration_files_path

string / required

The directory in which the configuration files for Traefik will be stored

ingress_traefik_dashboard_hostname

string / required

The hostname under which to expose the Traefik dashboard

ingress_traefik_environment_variables

dictionary

A mapping of environment variables to set for Traefik, as key: value pairs

This can be used, e.g., to configure the certificate resolver.

For secrets, use ingress_traefik_secrets instead.

Default: {}

ingress_traefik_image

string

The container image path and tag to use for Traefik

Default: "See ingress_traefik_image in the ingress role"

ingress_traefik_secrets

dictionary

A mapping of secrets to inject into the Traefik container, as key: value pairs

The key of each secret will be set as an environment variable pointing to the secret containing the value

Default: {}

ingress_validate_certs

boolean

Whether the TLS certificate presented by Traefik should be validated or not

Choices:

  • false

  • true ← (default)

monitoring_grafana_admin_bootstrap_password

string

The password to give to the Grafana admin user

monitoring_grafana_admin_group_name

string

The name of the group in Authentik that should be admins in Grafana

Default: "Grafana Admins"

monitoring_grafana_admin_password

string

The password to authenticate as admin on Grafana for setting up dashboards and other resources

Defaults to monitoring_grafana_admin_bootstrap_password if not set.

Default: "{{ monitoring_grafana_admin_bootstrap_password }}"

monitoring_grafana_admin_user

string

The name of the admin user for Grafana. This user will not exist on the Authentik service

Default: "admin"

monitoring_grafana_allowlisted_groups

list / elements=string

A list of groups to restrict Grafana to.

Users not in any of the specified groups won’t be able to see or log in to Grafana.

null or [] does not restrict access.

When setting this, you should at least add {{ monitoring_grafana_admin_group_name }} to it.

monitoring_grafana_config_path

string / required

The path to where the Grafana configuration is kept

This is used to install dashboards for viewing metrics

monitoring_grafana_data_path

string / required

The directory in which the Grafana data will be stored

monitoring_grafana_hostname

string / required

The hostname at which the Grafana instance is reachable

monitoring_grafana_image

string

The container image path and tag to use for Grafana

Default: "See monitoring_grafana_image from the monitoring role"

monitoring_grafana_postgres_data_path

string / required

The path on disk where the PostgreSQL instance for Grafana should store its data

monitoring_grafana_postgres_image

string

The container image path and tag to use for Postgres

Default: "See postgres_image from the Postgres role"

monitoring_grafana_postgres_password

string / required

The password used to connect to the PostgreSQL database

monitoring_grafana_secret_key

string / required

The secret key to use in Grafana to encrypt various sensitive data

monitoring_loki_allowlisted_groups

list / elements=string

A list of groups to restrict Loki to.

Users not in any of the specified groups won’t be able to see or log in to Loki.

null or [] does not restrict access.

monitoring_loki_config_path

string / required

The path on disk where the Loki configuration files should be stored.

monitoring_loki_data_path

string / required

The path on disk where the Loki data should be stored.

monitoring_loki_hostname

string / required

The hostname at which the Loki instance is reachable.

monitoring_loki_image

string

The container image path and tag to use for Loki

Default: "See monitoring_loki_image from the monitoring role"

monitoring_mimir_additional_networks

list / elements=string

A list of additional podman networks that need to be attached to the Mimir pod.

This is useful if you want to configure an SMTP gateway for sending emails via AlertManager.

Default: []

monitoring_mimir_alertmanager_config_template

string

The name of the template to use to configure the AlertManager routing

Default: "mimir-alertmanager-fallback-config.yml.j2"

monitoring_mimir_allowlisted_groups

list / elements=string

A list of groups to restrict Mimir to.

Users not in any of the specified groups won’t be able to see or log in to Mimir.

null or [] does not restrict access.

monitoring_mimir_config_path

string / required

The path on disk where the Mimir configuration files should be stored.

monitoring_mimir_data_path

string / required

The path on disk where the Mimir data should be stored.

monitoring_mimir_hostname

string / required

The hostname at which the Mimir instance is reachable.

monitoring_mimir_image

string

The container image path and tag to use for Mimir

Default: "See monitoring_mimir_image from the monitoring role"

monitoring_mimir_secrets

dictionary

A mapping of secrets to inject into the Mimir container, as key: value pairs

The secrets will be exposed under /run/secrets/monitoring-mimir-<key> with the key having ‘_’ replaced by ‘-’

Default: {}

monitoring_monitor_agent_alloy_image

string

The container image path and tag to use for Alloy

Default: "See monitoring_agent_alloy_image from the Monitoring role"

monitoring_monitor_agent_config_path

string / required

The path at which the Grafana Alloy agent that monitors the monitoring stack should store its configuration

monitoring_monitor_agent_data_path

string / required

The path at which the Grafana Alloy agent that monitors the monitoring stack should store its data

monitoring_monitor_agent_user_group

string

A group name to which to add the role account that is created for monitoring the monitoring stack.

This is useful if you want to restrict apps per user, so you can have those bots publish their metrics correctly.

Defaults to default_monitor_agent_user_group if not set.

template_warning

string / required

A warning that is added to the top of each file created by this collection so users know it is managed by an automated process.
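The following playbook is an added example and not part of the collection's documentation; it wires every required parameter above and shows the security-relevant choices the parameter notes recommend (a rotated API token after bootstrap, credentials passed through the secrets mappings rather than environment variables, certificate validation against a private CA, and the Grafana admin group kept in the allowlist). The hostnames, the /srv/infra path prefix, the `homelab` host group and all `vault_*` variable names are assumptions; the secret placeholder key name is constructed.

```yaml
# Added example playbook; values marked constructed are placeholders.
# Secret values are expected to come from Ansible Vault variables.
- name: Deploy the homelab infrastructure stack
  hosts: homelab                                   # constructed inventory group
  vars:
    base_dir: /srv/infra                           # constructed path prefix
    auth_authentik_hostname: auth.example.home
    auth_authentik_configuration_path: "{{ base_dir }}/authentik/config"
    auth_authentik_secret_key: "{{ vault_authentik_secret_key }}"  # never change after first install
    auth_authentik_superadmin_bootstrap_password: "{{ vault_authentik_bootstrap_password }}"
    auth_authentik_superadmin_bootstrap_token: "{{ vault_authentik_bootstrap_token }}"
    # After bootstrap: a freshly created token, so the bootstrap one can be removed from Authentik.
    auth_authentik_token: "{{ vault_authentik_api_token }}"
    auth_postgres_data_path: "{{ base_dir }}/authentik/postgres"
    auth_postgres_password: "{{ vault_authentik_postgres_password }}"
    auth_redis_config_path: "{{ base_dir }}/authentik/redis/config"
    auth_redis_data_path: "{{ base_dir }}/authentik/redis/data"
    auth_redis_password: "{{ vault_authentik_redis_password }}"
    auth_redis_metrics_password: "{{ vault_authentik_redis_metrics_password }}"  # separate, low-privilege
    auth_monitor_agent_config_path: "{{ base_dir }}/authentik/alloy/config"
    auth_monitor_agent_data_path: "{{ base_dir }}/authentik/alloy/data"
    ingress_traefik_configuration_files_path: "{{ base_dir }}/traefik/config"
    ingress_traefik_dashboard_hostname: traefik.example.home
    ingress_traefik_allowlisted_groups: ["Infrastructure Admins"]  # dashboard is not open to all users
    ingress_validate_certs: true                   # keep the default; do not disable for convenience
    ingress_custom_ca_cert: /etc/pki/homelab-ca.pem  # constructed path to the private CA certificate
    # Credentials go through the secrets mapping, so the value itself is not in the container environment.
    ingress_traefik_secrets:
      DNS_PROVIDER_API_TOKEN: "{{ vault_dns_provider_token }}"  # constructed key name
    monitoring_grafana_hostname: grafana.example.home
    monitoring_grafana_config_path: "{{ base_dir }}/grafana/config"
    monitoring_grafana_data_path: "{{ base_dir }}/grafana/data"
    monitoring_grafana_postgres_data_path: "{{ base_dir }}/grafana/postgres"
    monitoring_grafana_postgres_password: "{{ vault_grafana_postgres_password }}"
    monitoring_grafana_secret_key: "{{ vault_grafana_secret_key }}"
    monitoring_grafana_admin_bootstrap_password: "{{ vault_grafana_admin_password }}"
    # The admin group must stay in the allowlist, otherwise the admins lock themselves out.
    monitoring_grafana_allowlisted_groups: ["{{ monitoring_grafana_admin_group_name }}", "Observability"]
    monitoring_loki_hostname: loki.example.home
    monitoring_loki_config_path: "{{ base_dir }}/loki/config"
    monitoring_loki_data_path: "{{ base_dir }}/loki/data"
    monitoring_mimir_hostname: mimir.example.home
    monitoring_mimir_config_path: "{{ base_dir }}/mimir/config"
    monitoring_mimir_data_path: "{{ base_dir }}/mimir/data"
    monitoring_monitor_agent_config_path: "{{ base_dir }}/monitoring/alloy/config"
    monitoring_monitor_agent_data_path: "{{ base_dir }}/monitoring/alloy/data"
    template_warning: "Managed by Ansible (benschubert.infrastructure); manual edits will be overwritten."
  roles:
    - benschubert.infrastructure.main
```

Run the first deployment with the bootstrap token, then create the dedicated API token in Authentik, set `auth_authentik_token` to it and drop the bootstrap variables from the vault before the next run.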