4 changed files with 103 additions and 42 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -7,9 +7,6 @@ system_locale: ru_RU.UTF-8
 x11_display_host: "192.168.1.101"
 admin_user: zailon
 # Включить мониторинг Docker для Node Exporter
 enable_docker_monitoring: true
 # Базовые пакеты для всех серверов
 base_packages:
  - curl
@ -44,29 +41,18 @@ custom_directories:
 ssh_public_keys:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8/+/WFFYDu4ljy1j9+bWp6MiXZ9a0iodoPHq+nEpIr ansible@Olimp"
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbvnGZxQEGYuScClONbkbfVn2+Uo1kYYztXqMf9ku1lHkw+7IZa00LOMwv7QGBRvrtBcw+TWqaMst5FZ3R6oWcQc+nkBEYoRXe4f3AuuFAl9C9F6sEYM8fX6mAHIlWQhFyVslazZtVTQwnfRV0rnbtCduCu9liywM3fShFqBVwq7Y4nBjG648Zq+VfCHpbBE9XkZaMDyeOXdtppmLetywnBS33mbXMDgH09PMlRz097xfZLkpFdSi8WtDOtKSBiEHtZ+H0EZ42Cda2xMnqlgVtPxWGUirvv6CvDyTmuMzrjALZoSKhl3iD6Szd1YOJcAw6bv9gbJKxPkZchrB65ZXT ZailonOlimp"
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCy3BrhfJx6+ey4h4ZHgBNsuCbgKNwY83lhE/FuHdFxy4NmjiHSH4yXyPz3Qt+mz/VnSQ2rzzsY9xkDs/V+6e3LmXGuhhk65mwYKhWneWTAgprM6CN2PUi5d5P8MXUXDwgVR+XivfI4Y/Bpe8RvGyssuzgra38R5UKZCXKn9lrumkZKq9+GlMKUDLZp5C3/xA/GuI/C4Q+2BT1vOJSM86/7w5VPcd3IjYVTgNA4/V1fR9S/zB0OEkDfK2euqq2zTb6EzDxOGSYcXeH3t37bo0smKqnIehQmkbguLjsGYHEuP4ZE62DJwPZAMwRjn20wf6Nmzy9VQsDGl6Li4nl/TApouQSFbm4NjJOGN7KDT/R54Oq8VCi9rjHOvIg7vxZc3c+ckQGPNmj8FDoyy2Jj9Q1yEUdcSwdI4KvXn0VN2wlJTuN3pzStAI9wMhlUPx7w4DsAiftAvR8OLYSCch9khK146TYWtv4skqd9N0skNJMFVun9VuqT85IXqh6DVecY1fVyTd9qFgz3OfF0idQ4rMI2hxNAZjEZH2gTtb1eYT1UMeBzpBOuQbmWODgCK33Ec3nvV+XXj561Hj5Qpf9bg8i3TTM1dQImKE8macUPn9GwCdshdEJ9VlUwrB9z7SXTtLysgziTkpes5r84Cp/j5tem+7VLOln316d34nz0KU9/Qw== ansible@olimp"
 # Пакеты для удаления
 cleanup_packages:
  - gparted
 # =============================================================================
-# DOCKER SETTINGS (LXC-safe versions)
+# DOCKER PINNING ДЛЯ LXC
 # =============================================================================
 # Безопасные версии пакетов Docker для LXC
 docker_ce_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release }}"
 docker_ce_cli_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release }}"
 containerd_io_version: "1.7.28-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release }}"
 runc_safe_version: "1.1.12-0ubuntu3"
 # Список пакетов для фиксации
 docker_pinned_packages:
-  - "docker-ce={{ docker_ce_version }}"
+  - "containerd.io=1.7.28-1~ubuntu.24.04~noble"
-  - "docker-ce-cli={{ docker_ce_cli_version }}"
+  - "runc=1.1.12-0ubuntu3"
  - "containerd.io={{ containerd_io_version }}"
  - "runc={{ runc_safe_version }}"
 # Включить фиксацию версий в LXC
 lxc_docker_pin_enabled: true
 # Пакеты для исключения из upgrade в LXC (через APT pinning)
@ -80,18 +66,18 @@ docker_exclude_packages_lxc:
 # СЕТЕВЫЕ НАСТРОЙКИ
 # =============================================================================
 server_ips:
-  olimp:      "192.168.1.200"
+  olimp:      "192.168.1.200"  # Proxmox
-  gateway:    "192.168.1.201"
+  gateway:    "192.168.1.201"  # NPM, Dashy, Heimdall
-  data:       "192.168.1.202"
+  data:       "192.168.1.202"  # Bitwarden, Mealie, Bookstack
-  media:      "192.168.1.203"
+  media:      "192.168.1.203"  # Jellyfin, Ampache, Calibre
-  photo:      "192.168.1.204"
+  photo:      "192.168.1.204"  # Immich
-  nextcloud:  "192.168.1.205"
+  nextcloud:  "192.168.1.205"  # Nextcloud
-  talk:       "192.168.1.206"
+  talk:       "192.168.1.206"  # Matrix, Mumble, Snikket, TeamSpeak
-  games:      "192.168.1.207"
+  games:      "192.168.1.207"  # Minecraft
-  manage:     "192.168.1.208"
+  manage:     "192.168.1.208"  # Grafana, Loki, MeshCentral
-  git:        "192.168.1.209"
+  git:        "192.168.1.209"  # GitLab
-  ansible:    "192.168.1.210"
+  ansible:    "192.168.1.210"  # Ansible
-  torrent:    "192.168.1.211"
+  torrent:    "192.168.1.211"  # Qbittorrent, TorrServer
 # =============================================================================
 # МОНИТОРИНГ (VictoriaMetrics, Grafana, Loki)
@ -131,10 +117,12 @@ monitoring_groups:
    - "{{ server_ips.ansible }}"
    - "{{ server_ips.torrent }}"
 # Proxmox Exporter
 pve_exporter_user: "pve_exporter@pve"
 pve_exporter_token_name: "grafana"
 pve_exporter_token_value: "{{ vault_pve_exporter_token }}"
 # VictoriaMetrics & Grafana
 victoriametrics_retention_months: 2
 victoriametrics_version: v1.101.0
 grafana_version: 11.2.0
@ -142,9 +130,11 @@ grafana_admin_user: admin
 grafana_admin_password: "{{ vault_grafana_admin_password }}"
 grafana_root_url: https://mon.zailon.ru
 # Loki
 loki_version: "2.9.2"
 loki_retention_days: 30
 # cAdvisor
 cadvisor_enabled: true
 cadvisor_base_dir: "/opt/cadvisor"
 cadvisor_port: 8080
@ -155,9 +145,11 @@ cadvisor_port: 8080
 npm_base_dir: "/opt/npm"
 npm_data_dir: "/opt/npm/data"
 npm_letsencrypt_dir: "/opt/npm/letsencrypt"
 heimdall_base_dir: "/opt/heimdall"
 heimdall_config_dir: "/opt/heimdall/config"
 heimdall_port: "45131"
 dashy_base_dir: "/opt/dashy"
 dashy_config_dir: "{{ dashy_base_dir }}/config"
 dashy_port: "45132"
@ -166,6 +158,7 @@ dashy_domain: "start.zailon.ru"
 # =============================================================================
 # СЕРВИСЫ: DATA (192.168.1.202)
 # =============================================================================
 # Bitwarden
 bitwarden_base_dir: "/mnt/bitwarden"
 bitwarden_data_dir: "{{ bitwarden_base_dir }}/vw-data"
 bitwarden_port: "45131"
@ -180,12 +173,14 @@ bitwarden_smtp_password: "{{ vault_bitwarden_smtp_password }}"
 bitwarden_smtp_from: "zailon@bk.ru"
 bitwarden_domain: "https://bw.zailon.ru"
 # Mealie
 mealie_base_dir: "/mnt/mealie"
 mealie_data_dir: "/mnt/mealie/data"
 mealie_port: "45132"
 mealie_db_type: "sqlite"
 mealie_db_password: "{{ vault_mealie_db_password }}"
 # Bookstack
 bookstack_base_dir: "/mnt/bookstack"
 bookstack_config_dir: "/mnt/bookstack/config"
 bookstack_uploads_dir: "/mnt/bookstack/uploads"
@ -197,6 +192,7 @@ bookstack_port: "45133"
 # =============================================================================
 service_config_base: "/mnt/service"
 # Jellyfin
 jellyfin_base_dir: "{{ service_config_base }}/jellyfin"
 jellyfin_config_dir: "{{ jellyfin_base_dir }}/config"
 jellyfin_cache_dir: "{{ jellyfin_base_dir }}/cache"
@ -205,11 +201,13 @@ jellyfin_media_path: "/mnt/video"
 jellyfin_port: "45131"
 jellyfin_hw_acceleration: true
 # Audiobookshelf
 audiobookshelf_base_dir: "{{ service_config_base }}/audiobookshelf"
 audiobookshelf_config_dir: "{{ audiobookshelf_base_dir }}/config"
 audiobookshelf_db_dir: "{{ audiobookshelf_base_dir }}/db"
 audiobookshelf_port: "45132"
 # Calibre Web
 calibre_base_dir: "{{ service_config_base }}/calibre"
 calibre_library_dir: "/mnt/books/calibre"
 calibre_config_dir: "{{ calibre_base_dir }}/config"
@ -221,12 +219,14 @@ calibre_web_enable_registration: false
 calibre_web_enable_webdav: true
 calibre_web_enable_opds: true
 # Ampache
 ampache_base_dir: "{{ service_config_base }}/ampache"
 ampache_config_dir: "{{ ampache_base_dir }}/config"
 ampache_logs_dir: "{{ ampache_base_dir }}/logs"
 ampache_mysql_dir: "{{ ampache_base_dir }}/mysql"
 ampache_port: "45134"
 # Flibusta
 flibusta_base_dir: "/mnt/service/flibusta"
 flibusta_source_archives_dir: "/mnt/books/flibusta"
 flibusta_web_port: "45137"
@ -248,6 +248,7 @@ immich_version: "release"
 # =============================================================================
 # СЕРВИСЫ: TALK (192.168.1.206)
 # =============================================================================
 # Mumble
 mumble_base_dir: "/mnt/mumble"
 mumble_data_dir: "{{ mumble_base_dir }}/data"
 mumble_port: "45131"
@ -256,6 +257,7 @@ mumble_max_users: "100"
 mumble_server_password: "{{ vault_mumble_server_password }}"
 mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
 # Matrix (Synapse)
 matrix_base_dir: "/mnt/matrix"
 matrix_data_dir: "{{ matrix_base_dir }}/data"
 matrix_config_dir: "{{ matrix_base_dir }}/config"
@ -273,6 +275,7 @@ matrix_synapse_secret: "{{ vault_matrix_synapse_secret }}"
 matrix_macaroon_secret: "{{ vault_matrix_macaroon_secret }}"
 matrix_form_secret: "{{ vault_matrix_form_secret }}"
 # Snikket (XMPP)
 snikket_base_dir: "/mnt/snikket"
 snikket_data_dir: "{{ snikket_base_dir }}/snikket_data"
 snikket_nginx_custom_dir: "{{ snikket_base_dir }}/nginx-custom"
@ -299,6 +302,7 @@ snikket_backup_retention_days: 30
 snikket_admin_password: "{{ vault_snikket_admin_password }}"
 snikket_invite_token: "{{ vault_snikket_invite_token }}"
 # TeamSpeak
 teamspeak_base_dir: "/mnt/teamspeak"
 teamspeak_data_dir: "{{ teamspeak_base_dir }}/data"
 teamspeak_logs_dir: "{{ teamspeak_base_dir }}/logs"
@ -331,6 +335,7 @@ meshcentral_files_dir: "/mnt/mesh/meshcentral-files"
 meshcentral_backup_dir: "/mnt/mesh/meshcentral-backup"
 meshcentral_port: "45131"
 # Grafana
 grafana_base_dir: /mnt/grafana
 grafana_data_dir: "{{ grafana_base_dir }}/data"
 grafana_config_dir: "{{ grafana_base_dir }}/config"
@ -339,12 +344,14 @@ grafana_vmagent_tmp_dir: "{{ grafana_base_dir }}/vmagent/tmp"
 grafana_vmagent_config: "{{ grafana_base_dir }}/vmagent/vmagent.yaml"
 grafana_port: 45132
 # Loki
 loki_base_dir: "/mnt/loki"
 loki_config_dir: "{{ loki_base_dir }}/config"
 loki_data_dir: "{{ loki_base_dir }}/data"
 loki_server_host: "{{ server_ips.manage }}"
 loki_server_port: "{{ monitoring_ports.loki }}"
 # Promtail
 promtail_config_dir: "/etc/promtail"
 promtail_data_dir: "/var/lib/promtail"
@ -375,6 +382,7 @@ qbittorrent_port_webui: 8080
 qbittorrent_port_torrent: 6881
 qbittorrent_smb_credentials_dir: "/etc/smb-creds"
 # Учётные данные для SMB-шар
 qbittorrent_smb_creds:
  olimp:
    username: "Olimp"
@ -385,56 +393,69 @@ qbittorrent_smb_creds:
    password: "{{ vault_samba_password_qb }}"
    file: "qb"
 # Маунты SMB-шар
 qbittorrent_shares:
  - name: downloads
    src: "//192.168.1.101/Downloads"
    dest: "/mnt/downloads"
    credential: "olimp"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.olimp.file }}"
  - name: abook
    src: "//192.168.1.203/Abook"
    dest: "/mnt/abook"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: music
    src: "//192.168.1.203/Music"
    dest: "/mnt/audio"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: books
    src: "//192.168.1.203/Books"
    dest: "/mnt/books"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: films
    src: "//192.168.1.203/Films"
    dest: "/mnt/video/films"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: mult
    src: "//192.168.1.203/Mult"
    dest: "/mnt/video/mult"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: anime
    src: "//192.168.1.203/Anime"
    dest: "/mnt/video/anime"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: serial
    src: "//192.168.1.203/Serial"
    dest: "/mnt/video/serial"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: mserials
    src: "//192.168.1.203/Mserials"
    dest: "/mnt/video/mserials"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: doc
    src: "//192.168.1.203/Doc"
    dest: "/mnt/video/doc"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: ztube
    src: "//192.168.1.203/Ztube"
    dest: "/mnt/video/ztube"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: show
    src: "//192.168.1.203/Show"
    dest: "/mnt/video/show"
    opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}"
  - name: games
    src: "//192.168.1.207/Games"
    dest: "/mnt/games"
--- a/inventories/hosts
+++ b/inventories/hosts
@ -1,5 +1,5 @@
 [all:vars]
-ansible_user=root
+ansible_user=zailon
 ansible_become=yes
 ansible_become_method=sudo
 ansible_ssh_private_key_file=/root/.ssh/id_rsa
@ -17,7 +17,6 @@ manage          ansible_host=192.168.1.208 int_ip=192.168.1.208 ansible_python_i
 git             ansible_host=192.168.1.209 int_ip=192.168.1.209 ansible_python_interpreter=/usr/bin/python3
 ansible         ansible_host=192.168.1.210 int_ip=192.168.1.210 ansible_python_interpreter=/usr/bin/python3
 torrent         ansible_host=192.168.1.211 int_ip=192.168.1.211 ansible_python_interpreter=/usr/bin/python3
 gitea           ansible_host=192.168.1.214 int_ip=192.168.1.214 ansible_python_interpreter=/usr/bin/python3
 [pve-server]
 proxmox
@ -48,7 +47,6 @@ manage
 [git-server]
 git
 gitea
 [ansible-server]
 ansible
--- a/roles/base_setup/tasks/main.yml
+++ b/roles/base_setup/tasks/main.yml
@ -217,7 +217,7 @@
    validate: 'sshd -t -f %s'
  loop:
    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
-    - { regexp: '^PermitRootLogin', line: 'PermitRootLogin yes' }
+    - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
    - { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
  notify: restart ssh
  become: yes
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,4 +1,20 @@
 ---
 # =============================================================================
 # DOCKER ROLE - tasks/main.yml
 # =============================================================================
 # ========== Fix runc BEFORE Docker install (LXC safety) ==========
 - name: Ensure runc at safe version before Docker install (LXC only)
  apt:
    name: "runc=1.1.12-0ubuntu3"
    state: present
    allow_downgrade: yes
    allow_change_held_packages: yes
  become: yes
  tags: [docker, deploy_docker]
  when: ansible_virtualization_type in ['lxc', 'container']
 # ========== Install Docker ==========
 - name: Install Docker dependencies
  apt:
    name:
@ -9,18 +25,25 @@
      - lsb-release
    state: present
    update_cache: yes
  become: yes
  tags: [docker, deploy_docker]
 - name: Add Docker GPG key
  apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    state: present
  become: yes
  tags: [docker, deploy_docker]
 - name: Add Docker repository
  apt_repository:
    repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present
    update_cache: yes
  become: yes
  tags: [docker, deploy_docker]
- name: Install Docker
+- name: Install Docker packages
  apt:
    name:
      - docker-ce
@ -28,40 +51,56 @@
      - containerd.io
    state: present
    update_cache: yes
    allow_downgrade: yes
    allow_change_held_packages: yes
  become: yes
  notify: restart docker
  tags: [docker, deploy_docker]
- name: Install Docker Compose
+- name: Install Docker Compose plugin
  apt:
    name: docker-compose-plugin
    state: present
  become: yes
  tags: [docker, deploy_docker]
 - name: Start and enable Docker service
  systemd:
    name: docker
    state: started
    enabled: yes
    daemon_reload: yes
  become: yes
  tags: [docker, deploy_docker]
 - name: Wait for Docker to start
  pause:
    seconds: 5
  tags: [docker, deploy_docker]
 - name: Verify Docker installation
  command: docker --version
  register: docker_version
  changed_when: false
  tags: [docker, deploy_docker]
 - name: Show Docker version
  debug:
    msg: "Docker version: {{ docker_version.stdout }}"
  tags: [docker, deploy_docker]
 - name: Verify Docker Compose installation
  command: docker compose version
  register: docker_compose_version
  changed_when: false
  tags: [docker, deploy_docker]
 - name: Show Docker Compose version
  debug:
    msg: "Docker Compose version: {{ docker_compose_version.stdout }}"
  tags: [docker, deploy_docker]
 # ========== Docker Monitoring Setup ==========
 - name: Setup Docker monitoring
  block:
    - name: Create scripts directory
@ -155,16 +194,19 @@
    - name: Show Docker metrics test result
      debug:
        var: metrics_test.stdout
  tags: [docker, deploy_docker, monitoring]
-# ========== Fix Docker runc version ==========
+# ========== Optional: Manual runc update for non-LXC hosts ==========
- name: Check current runc version
+- name: Check current runc version (non-LXC only)
  command: runc --version
  register: runc_version_check
  ignore_errors: yes
  changed_when: false
  become: yes
  when: ansible_virtualization_type not in ['lxc', 'container']
  tags: [docker, runc_update]
- name: Download and update runc to v1.2.4 if needed
+- name: Update runc to v1.2.4 if needed (non-LXC only)
  block:
    - name: Download runc v1.2.4
      get_url:
@ -214,9 +256,9 @@
      debug:
        msg: "runc updated to version: {{ new_runc_version.stdout }}"
      become: yes
  when: 
-    - runc_version_check is failed or 
+    - ansible_virtualization_type not in ['lxc', 'container']
-      "'1.2.4' not in runc_version_check.stdout"
+    - runc_version_check is failed or "'1.2.4' not in runc_version_check.stdout"
    - ansible_architecture == "x86_64"
  become: yes
  tags: [docker, runc_update]