straightchlorine/cloud

Infrastructure Automation

Ansible-based homelab deployment with fail-fast validation, automated backups, and full observability.

Repository: Codeberg (primary) · GitHub (mirror)

Architecture

graph TB
    subgraph VLAN["Services VLAN - (192.168.20.0/24)"]
        direction LR
        dns["<b>pi-dns</b><br/>Pi-hole · NTP"]
        music["<b>pi-music</b><br/>Navidrome · yt-dlp · Beets"]
        automation["<b>pi-automation</b><br/>Traefik · Vaultwarden<br/>InfluxDB · Portainer"]
        monitoring["<b>debian-monitoring</b><br/>Grafana · Prometheus<br/>Loki · Alertmanager"]
    end
    backup["Backup Coordinator<br/>(Restic → Hetzner)"]
    cloudflare["Cloudflare<br/>(DNS + SSL)"]

    VLAN -->|Backups| backup
    VLAN -->|DNS/Certs| cloudflare
    dns -.->|Metrics| monitoring
    music -.->|Metrics| monitoring
    automation -.->|Metrics| monitoring

Quick Start

just setup          # Create venv, install deps, collections, hooks
just deploy         # Full infrastructure (with confirmation)
just lint           # Ansible-lint + yamllint
just test           # Molecule tests (all roles)
just validate full  # End-to-end infrastructure validation

Deploy Individual Services

just deploy-service playbooks/music-stack.yml
just deploy-service playbooks/automation-stack.yml

Or directly:

ansible-playbook -i inventory/production/hosts.yml \
  playbooks/site.yml --limit dns --ask-vault-pass

Roles

roles/
├── common/              # Docker, packages, network facts, backup, promtail
├── dns/                 # Pi-hole DNS + Chrony NTP
├── music-stack/         # Navidrome + yt-dlp + Beets
├── automation/          # Traefik + Vaultwarden + InfluxDB + Portainer
├── monitoring/          # Grafana + Prometheus + Loki + Alertmanager
├── backup/              # Restic multi-tier backup (standalone + coordinator)
├── backup-system/       # Enterprise backup coordinator
├── firewall/            # UFW configuration
└── prometheus-exporters/ # Node, Docker, Pi-hole, Pi hardware exporters

Configuration

All secrets live in inventory/production/group_vars/all/vault.yml (ansible-vault encrypted, not in repo). See vault.yml.example for required variables.

Host-specific config: inventory/production/host_vars/{hostname}.yml
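
A guard that can run before a deploy or from a local hook to confirm that every vault.yml under the inventory tree is ansible-vault ciphertext and not plaintext YAML. This is an added example, not code from this repository; the function names `vault_status` and `find_exposed` and the default root `inventory` are assumptions.

```python
#!/usr/bin/env python3
"""Fail if any vault.yml under an inventory tree is not ansible-vault encrypted."""
import sys
from pathlib import Path

# First line ansible-vault writes: "$ANSIBLE_VAULT;1.1;AES256"
# (or "$ANSIBLE_VAULT;1.2;AES256;<vault-id>" when a vault ID label is used).
MAGIC = "$ANSIBLE_VAULT"
HEX = set("0123456789abcdef")


def vault_status(path: Path) -> str:
    """Classify one file as 'encrypted', 'plaintext' or 'malformed'."""
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    header = lines[0].strip().split(";") if lines else [""]
    if header[0] != MAGIC:
        return "plaintext"
    if len(header) < 3 or header[1] not in ("1.1", "1.2") or header[2] != "AES256":
        return "malformed"
    payload = "".join(line.strip() for line in lines[1:])
    # The body is hex text only; YAML after the header means a botched edit
    # that would leave secrets readable on disk.
    if not payload or set(payload) - HEX:
        return "malformed"
    return "encrypted"


def find_exposed(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, status) for every vault.yml that is not encrypted."""
    bad = []
    for path in sorted(root.rglob("vault.yml")):  # vault.yml.example is not matched
        status = vault_status(path)
        if status != "encrypted":
            bad.append((path.relative_to(root).as_posix(), status))
    return bad


if __name__ == "__main__":
    # Hypothetical default: the inventory/ directory named in this README.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "inventory")
    exposed = find_exposed(root)
    for rel, status in exposed:
        print(f"{rel}: {status} (expected ansible-vault ciphertext)", file=sys.stderr)
    sys.exit(1 if exposed else 0)
```

The script exits non-zero when it finds a plaintext or half-edited vault file, so it can gate a deploy command or a commit.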

Docs

About

Ansible infrastructure-as-code for a self-hosted cloud, including services, Docker, DNS, and coordinated backups
