π Raspberry Pi 5
Home Server
Powered by Ansible
Features β’ Requirements β’ Getting Started β’ Port Forwarding β’ Environment Variables β’ Security β’ License
This Ansible configuration automates the setup of a Raspberry Pi Home Server running Raspberry Pi OS. It deploys essential services, enhances security, and ensures consistency across the server environment.
If you find this repository useful, please βοΈ or fork it!
Warning
This setup requires your domain to be fully managed by Cloudflare DNS.
- Automated Docker Installation
- Vaultwarden Deployment for secure password management
- Cloudflare DDNS Updater for dynamic IP management
- PiVPN (WireGuard) configuration for secure remote access
- NextCloud for file synchronization and sharing
- Immich for media synchronization with fast-upload speeds
- Ente Auth for a cross-platform 2FA solution
- Glance dashboard for a unified news feed and monitoring of the home lab
- AdGuard Home for ad-blocking and privacy protection
- Beaver Habits Tracker for habit tracking
- Dotfiles for a standardized environment
- Personal Site for hosting your personal website
- Raspberry Pi OS Lite (64-bit): Ensure your Raspberry Pi is running the latest version.
- Ansible: Install Ansible on your local machine.
- Cloudflare-managed domain: Required for dynamic DNS updates and subdomain routing.
- Ethernet connection: Use a wired connection for your Raspberry Pi to ensure stable performance.
Important
When flashing your SD card, enable SSH and select the Use password authentication option.
Note
If you choose a custom hostname or user, remember to update the inventory.ini file accordingly.
-
Static IPv4 configuration: Your Raspberry Pi should have a static IP on your local network. To set the IP to
192.168.2.210, use:sudo nmcli con mod "Wired connection 1" ipv4.addresses "192.168.2.210/24" \ ipv4.gateway "192.168.2.1" \ ipv4.dns "192.168.2.1" \ ipv4.method manual && \ sudo nmcli con up "Wired connection 1"
This is a one-time setup. The Ansible playbook will manage IP persistence afterward.
Note
Ensure Avahi is installed and running for .local domain resolution. Alternatively, access the Pi using its IP address directly.
-
Clone the repository:
git clone https://github.com/Nitestack/raspberry-pi-5.git ~/raspberry-pi-5 -
Install required Ansible Galaxy collections:
ansible-galaxy install -r requirements.yml --force # to ensure the latest versions -
Run the playbook:
ansible-playbook -i inventory.ini playbook.yml
Important
This only works if you have set up password-less authentication on your Raspberry Pi. Please look at the Security section for more details.
To ensure remote access and proper functionality of the services, configure the following port forwarding rules on your router:
# PiVPN (WireGuard)
# PIVPN_PORT is an environment variable configurable in `secrets.yml`. The default value is `51820`.
public:${PIVPN_PORT}/tcp -> local:${PIVPN_PORT}/tcp
# Caddy (handling all the websites and API's)
public:443/tcp -> local:443/tcp
public:443/udp -> local:443/udp
# SSH (optional, if you want to access the Raspberry Pi with an URL)
public:22/tcp -> local:22/tcp
To securely configure sensitive data, create a secrets.yml file in the root directory. Copy the secrets.example.yml file and populate the fields as required.
Please set up an API token with CLOUDFLARE_API_TOKEN with Edit zone DNS permissions. This token is used to update your dynamic IP address in Cloudflare.
Please set a GitHub personal access token with GITHUB_API_TOKEN (check this article).
Please set your timezone id (TZ identifier) with TIMEZONE (check this Wikipedia article).
To enable secure SSH access, copy your public key to the Raspberry Pi:
ssh-copy-id nhan@npham.deEdit the /etc/ssh/sshd_config file on the Raspberry Pi to strengthen security. Update the following settings:
PasswordAuthentication no
UsePAM no
Apply the changes by reloading the SSH service:
sudo systemctl reload sshThis project is licensed under the Apache-2.0 license.