Ansible roles to jump start hassbian setups


#1

Hello!

I’d like to share a bit of work that I’ve been toying with over the last couple months in hopes that others might find it useful.

I’ve been writing a number of Ansible Roles to help to make my HA setup running on Hassbian a little more disciplined, predictable, reproducible, etc. Like many, I’m sure, I started out setting up all the usual things like DuckDNS, Letsencrypt, mosquitto, etc, and after some time ended up with a pretty reasonable setup. Then life happens, like the SD card dies or I do a dumb thing on my Pi and nuke something important, leaving kind of a mess that requires manual intervention to resolve.

By declaring these pieces via ansible roles/playbooks, I’m basically able to (re)create a known working state with all the bells and whistles that I’ve added, using one command. Further, by templating certain bits, I believe these pieces can be used by anyone to jump start their setup process.

Here are all the roles that I’ve produced as of today:

  • ha_duckdns
    • consumes your subdomain and auth token and installs the linux level pieces required to keep your DNS entry up to date with your home’s dynamic IP.
  • ha_letsencrypt
    • consumes your host name(s) and produces SSL certs that can be used to secure your domain. These certs are installed on to your system so other pieces can use them where needed.
    • auto-renewal of your certs is also set up. On renewal, the applications consuming the certificates will be restarted so they will continue to work without any intervention on your part.
  • ha_nginx
    • sets up an nginx server to reverse-proxy your home assistant instance.
    • this server exposes the default HTTP and HTTPS ports
    • the SSL certs produced above are consumed by this nginx server. All HTTP traffic will be automatically redirected to HTTPS, so all web traffic is encrypted on the wire.
  • ha_mosquitto
    • installs and configures mosquitto for MQTT brokering
    • The broker is exposed on two ports. One using the above SSL certs, intended for any external devices that need to connect over the internet, and the other unencrypted intended for internal traffic just within your home.
  • ha_influxdb
    • just what you’d expect - installs and configures influxdb so all your data from home assistant ends up in a place that is more easily probed by other systems you may have (like grafana)
  • ha_aws
    • installs your AWS credentials to your Pi so you can use them in scripts, etc. This unlocks quite a bit.
    • also installs the aws cli
  • ha_influxdb_backup
    • Using the above two roles, this role will schedule nightly backups of your influxdb data to AWS S3 storage. This ensures that you won’t lose your home’s precious data if something bad happens.
  • ha_grafana
    • installs a grafana instance so you can surface your home’s data more easily, set up alerts, etc.
    • using the nginx reverse proxy, this is exposed via HTTPS at grafana.<your-subdomain>.duckdns.org.

These are all available on ansible galaxy and github.

Lastly, I have an example project which demonstrates how one might bring all of this together. You can find it at the github link above (I’d like to link everything individually but there are forum restrictions for new users preventing me from doing so). This project also has an extra playbook which runs the steps required to upgrade your Pi’s system and home assistant instance. I use this regularly to keep my instance on the latest version.

Thanks for reading. Happy automating 🙂
Mat
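
Added example, not part of the original post and not code from the roles themselves: a small audit of a `mosquitto.conf` that has the two-listener layout described for ha_mosquitto. It checks that the unencrypted listener is bound to a private address and that the TLS listener has both a certificate and a key. The sample config, its ports, bind address and certificate paths are constructed assumptions, and only certificate-based TLS is considered.

```python
import ipaddress

# Constructed sample config; ports, address and paths are assumptions.
SAMPLE_CONF = """\
# internal, unencrypted
listener 1883 192.168.1.10
# external, TLS
listener 8883
certfile /etc/letsencrypt/live/example.duckdns.org/fullchain.pem
keyfile /etc/letsencrypt/live/example.duckdns.org/privkey.pem
"""

def parse_listeners(text):
    """Split a mosquitto.conf into listener blocks with their options."""
    listeners = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            fields = value.split()
            bind = fields[1] if len(fields) > 1 else None
            listeners.append({"port": int(fields[0]), "bind": bind, "opts": {}})
        elif listeners:  # options after a listener line belong to it
            listeners[-1]["opts"][key] = value.strip()
    return listeners

def audit(text):
    """Return (port, finding) tuples for risky listener definitions."""
    findings = []
    for lst in parse_listeners(text):
        port, bind, opts = lst["port"], lst["bind"], lst["opts"]
        has_cert, has_key = "certfile" in opts, "keyfile" in opts
        if has_cert != has_key:
            findings.append((port, "TLS listener needs both certfile and keyfile"))
        elif not has_cert:  # plaintext listener: must stay on the LAN
            if bind is None:
                findings.append((port, "plaintext listener bound to all interfaces"))
                continue
            try:
                private = ipaddress.ip_address(bind).is_private
            except ValueError:  # hostname: cannot be judged offline
                findings.append((port, f"plaintext bind {bind} is not an IP, verify manually"))
                continue
            if not private:
                findings.append((port, f"plaintext listener bound to non-private address {bind}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "no findings")
```

A plaintext listener with no bind address is only as private as the router's port-forwarding rules, which is why the audit flags it.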