homelab-ansible-lxc-dawarich/vars/main.yml
Your Name e7b8d4df17 initial commit: Dawarich LXC role (CT 459 on pve02, .159)
Self-hosted location history. 4-container compose: Rails 8 app + Sidekiq
+ PostGIS 16-3.4 + Redis 7, plus watchtower. Authentik OIDC end-to-end.
Image pinned at freikin/dawarich:1.7.11 (OIDC support requires >= 1.7.8).

PostGIS DB lives in this LXC, not on the central DB VM (.172) — central
image is postgres:16-alpine without postgis, swapping it carries broader
blast radius than colocating here. Convention exception captured in
homelab-docs project_dawarich memory.

Roles:
  - dawarich: system + Docker + compose + weekly prune timer
  - alloy:    logs+journald → Loki, node metrics → Prometheus

Bring-up sequence proven 2026-06-01. README documents the 5-trap build
chain (image version, entrypoint scripts, solid_cache SQLite bind mount,
APPLICATION_HOSTS+localhost, force_ssl+healthcheck).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-01 21:24:09 -04:00

85 lines
3.1 KiB
YAML

---
timezone: America/Toronto

packages:
  - apt-utils
  - bash-completion
  - ca-certificates
  - curl
  - git
  - gnupg
  - htop
  - net-tools
  - openssh-server
  - python3
  - python3-pip
  - sudo
  - vim
  - wget

users:
  - name: cbalders
    groups: sudo
    shell: /bin/bash
    ssh_authorized_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINALaic1jpoP6t1urbZqJLI1eU5NeTVD9k8AAMAvOvvk OfficeMini"
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzTHdCiQjhIHsGB8oMpyKtr9TZXrXeIRKwcwe698zMW Generated By Termius"

# Alloy ships Docker logs + journald to Loki on observe.lan.balders.ca + node
# metrics to Prometheus. Pattern mirrors every other LXC.
alloy_host_label: dawarich
alloy_loki_url: http://observe.lan.balders.ca:3100/loki/api/v1/push
alloy_prom_job: node_lxc
alloy_prom_group: lxc
alloy_prom_hostname: dawarich

# ------------------------------------------------------------------------------
# Dawarich — self-hosted location history
# ------------------------------------------------------------------------------
# Pin image tags (Dawarich ships breaking schema changes on minor bumps). Bump
# in lockstep across app + sidekiq, never split — they share the same DB
# migrations. Check release notes before bumping.
# Pinned tag — OIDC support first landed in 1.7.8 (2026-05-16). DO NOT
# downgrade below 1.7.8 without disabling OIDC. Bump in lockstep with sidekiq.
dawarich_image: "freikin/dawarich:1.7.11"
# Official PostGIS image — alpine variant. Strict superset of postgres:16-alpine
# so swapping to it later (if we ever centralize on DB VM) is non-breaking.
postgis_image: "postgis/postgis:16-3.4-alpine"
redis_image: "redis:7-alpine"

dawarich_port: 3000
dawarich_site_url: "https://dawarich.balders.ca"
dawarich_domain: "dawarich.balders.ca"

# Database (local — central DB VM doesn't load PostGIS extension; see memory
# project_dawarich for the convention exception rationale).
dawarich_db_name: "dawarich"
dawarich_db_user: "dawarich"

# Background processing — keep modest to leave headroom for the web tier.
# Dawarich docs default 5; bump cautiously if Sidekiq queue depth grows.
dawarich_sidekiq_concurrency: 5

# Geocoding — disabled in v1. Dawarich falls back to its internal lightweight
# lookup. Self-hosted Photon stack is a future addition; uncomment + set host
# when wired.
# dawarich_photon_api_host: "photon.lan.balders.ca"

# OIDC via Authentik. Client id/secret live in Infisical /oidc/ (pushed into
# Authentik by homelab-ansible-pi-auth's oidc_clients role).
dawarich_oidc_enabled: true
dawarich_oidc_issuer: "https://auth.balders.ca/application/o/dawarich/"
dawarich_oidc_redirect_uri: "https://dawarich.balders.ca/users/auth/openid_connect/callback"
dawarich_oidc_provider_name: "Authentik"
# false → only OIDC users can sign in (we want SSO-only). First OIDC login
# becomes the canonical user account.
dawarich_allow_email_password_registration: false
dawarich_oidc_auto_register: true

# Infisical (secrets source)
infisical_url: "https://secrets.balders.ca"
infisical_project_id: "50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
infisical_client_id: "828d2cc8-eb25-4b1e-a711-c9a4b1580106"
infisical_client_secret: "{{ vault_infisical_client_secret }}"
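The comments in this vars file state several invariants by hand: image tags stay pinned, OIDC requires Dawarich 1.7.8 or newer, password registration is off because sign-in is SSO-only, and the Infisical client secret is a vault reference rather than a literal. The following pre-flight check is an added example (it is not part of this repository or role) that turns those comments into assertions a CI job or pre-commit hook could run over the file. It uses only the Python standard library, parses just the flat top-level `key: value` lines it needs, and the embedded `VARS_EXCERPT` is a constructed copy of the relevant values from the file above; the set of floating tags it rejects is an assumption, not a list from the page.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed excerpt of vars/main.yml (top-level scalars only; the package
# and user lists are not needed for these checks).
VARS_EXCERPT = """
dawarich_image: "freikin/dawarich:1.7.11"
postgis_image: "postgis/postgis:16-3.4-alpine"
redis_image: "redis:7-alpine"
dawarich_domain: "dawarich.balders.ca"
dawarich_oidc_enabled: true
dawarich_oidc_issuer: "https://auth.balders.ca/application/o/dawarich/"
dawarich_oidc_redirect_uri: "https://dawarich.balders.ca/users/auth/openid_connect/callback"
dawarich_allow_email_password_registration: false
infisical_client_secret: "{{ vault_infisical_client_secret }}"
"""

# Policy constants: the version floor comes from the vars comments; the list
# of floating tags is an assumption for this example.
OIDC_MIN_VERSION: Tuple[int, int, int] = (1, 7, 8)
FLOATING_TAGS = {"latest", "main", "master", "edge", "nightly"}
VAULT_REF = re.compile(r"^\{\{\s*vault_\w+\s*\}\}$")


def parse_vars(text: str) -> Dict[str, object]:
    """Minimal parser for flat `key: value` YAML lines (no nesting, no lists)."""
    out: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            out[key] = val[1:-1]                 # quoted string
        elif val.lower() in ("true", "false"):
            out[key] = val.lower() == "true"     # YAML boolean
        elif val.isdigit():
            out[key] = int(val)
        else:
            out[key] = val
    return out


def image_tag(image: str) -> Optional[str]:
    """Tag of an image reference, or None when no explicit tag is present."""
    _name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:                    # no colon, or the colon is a registry port
        return None
    return tag


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Leading MAJOR.MINOR.PATCH of a tag, or None if the tag is not semver-like."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def lint(v: Dict[str, object]) -> List[str]:
    """Return policy violations; an empty list means the vars pass."""
    findings: List[str] = []

    # 1. Every image must carry an explicit, non-floating tag.
    for key in ("dawarich_image", "postgis_image", "redis_image"):
        image = str(v.get(key, ""))
        tag = image_tag(image)
        if tag is None:
            findings.append(f"{key}: no explicit tag in {image!r}")
        elif tag in FLOATING_TAGS:
            findings.append(f"{key}: floating tag {tag!r}")

    # 2. OIDC needs Dawarich >= 1.7.8 (the floor stated in the vars comments).
    oidc = v.get("dawarich_oidc_enabled") is True
    ver = parse_version(image_tag(str(v.get("dawarich_image", ""))) or "")
    if ver is None:
        findings.append("dawarich_image: tag is not a semantic version, cannot check OIDC floor")
    elif oidc and ver < OIDC_MIN_VERSION:
        findings.append(f"dawarich_image: {'.'.join(map(str, ver))} is below 1.7.8 but OIDC is enabled")

    # 3. SSO-only is only coherent when OIDC is on; otherwise nobody can sign in.
    if v.get("dawarich_allow_email_password_registration") is False and not oidc:
        findings.append("password registration disabled and OIDC disabled: no sign-in path")

    # 4. OIDC endpoints must be https and the redirect URI must point at our own host.
    if oidc:
        for key in ("dawarich_oidc_issuer", "dawarich_oidc_redirect_uri"):
            url = str(v.get(key, ""))
            if urlsplit(url).scheme != "https":
                findings.append(f"{key}: must be https, got {url!r}")
        host = urlsplit(str(v.get("dawarich_oidc_redirect_uri", ""))).hostname
        domain = v.get("dawarich_domain")
        if domain and host != domain:
            findings.append(f"dawarich_oidc_redirect_uri: host {host!r} != dawarich_domain {domain!r}")

    # 5. The Infisical secret must be a vault reference, never a literal in vars.
    secret = str(v.get("infisical_client_secret", ""))
    if not VAULT_REF.match(secret):
        findings.append("infisical_client_secret: literal value in vars; expected a vault_* reference")

    return findings


if __name__ == "__main__":
    problems = lint(parse_vars(VARS_EXCERPT))
    print("\n".join(problems) if problems else "vars/main.yml: all policy checks passed")
```

Run it against the real file by replacing `VARS_EXCERPT` with the file contents; because the parser ignores list items and comments, the full file parses the same way. A non-empty return from `lint()` is the signal to fail the job, and each finding names the offending key so the fix is obvious from the message alone.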