• Automated Docker installation
• Vaultwarden deployment for secure password management
• Cloudflare DDNS updater for dynamic IP management
• PiVPN (WireGuard) configuration for secure remote access
• NextCloud with OnlyOffice for file synchronization and sharing
• Immich for media synchronization with fast-upload speeds
• Home Assistant for home automation and IoT management
• Dotfiles for a standardized environment

1. Raspberry Pi OS Lite (64-bit): Ensure your Raspberry Pi is running the latest version.
2. Ansible: Install Ansible on your local machine.
3. Cloudflare-managed domain: Required for dynamic DNS updates and subdomain routing.
4. Ethernet connection: Use a wired connection for your Raspberry Pi to ensure stable performance.

5. Static IPv4 configuration: Your Raspberry Pi should have a static IP on your local network. To set the IP to 192.168.2.210, use:

   sudo nmcli con mod "Wired connection 1" ipv4.addresses "192.168.2.210/24" \
     ipv4.gateway "192.168.2.1" \
     ipv4.dns "192.168.2.1" \
     ipv4.method manual && \
   sudo nmcli con up "Wired connection 1"

   This is a one-time setup. The Ansible playbook will manage IP persistence afterward.

1. Clone the repository:

   git clone https://github.com/Nitestack/raspberry-pi-5.git ~/raspberry-pi-5

2. Install required Ansible Galaxy collections:

   ansible-galaxy install -r requirements.yml --force # to ensure the latest versions

3. Run the playbook:

   ansible-playbook -i inventory.ini playbook.yml

To ensure remote access and proper functionality of the services, configure the following port forwarding rules on your router:

# PiVPN (WireGuard)
# PIVPN_PORT is an environment variable configurable in `secrets.yml`. The default value is `51820`.
public:${PIVPN_PORT}/tcp -> local:${PIVPN_PORT}/tcp

# Caddy (handling all the websites)
public:443/tcp -> local:443/tcp
public:443/udp -> local:443/udp

# SSH (optional, if you want to access the Raspberry Pi remotely without WireGuard)
public:22/tcp -> local:22/tcp

To securely configure sensitive data, create a secrets.yml file in the root directory. Copy the secrets.example.yml file and populate the fields as required.

Ensure that an A record for your domain is set up, initially pointing to a placeholder IP (e.g., 8.8.8.8). The DDNS script will update it with your public IP. Define the record name in secrets.yml under CLOUDFLARE_RECORD_NAME.

Add a CNAME record for your PiVPN subdomain, pointing it to the value in CLOUDFLARE_RECORD_NAME. Update the PIVPN_DOMAIN variable in secrets.yml with the correct domain.

Create a CNAME record for your Vaultwarden subdomain, directing it to the value specified in CLOUDFLARE_RECORD_NAME. Set the VAULTWARDEN_URL variable in secrets.yml to your Vaultwarden URL.

Create a CNAME record for your NextCloud subdomain, directing it to the value specified in CLOUDFLARE_RECORD_NAME. Set the NEXTCLOUD_URL and ONLYOFFICE_URL variable in secrets.yml to your NextCloud URL.

Create a CNAME record for your Immich subdomain, directing it to the value specified in CLOUDFLARE_RECORD_NAME. Set the IMMICH_URL variable in secrets.yml to your Immich URL. In addition to that, please set your timezone id (TZ identifier) with TIMEZONE (check this Wikipedia article). You also have to set a database password with IMMICH_DB_WORD (only use the characters A-Za-z0-9, without special characters or spaces).

Create a CNAME record for your Home Assistant subdomain, directing it to the value specified in CLOUDFLARE_RECORD_NAME. Set the HOME_ASSISTANT_URL variable in secrets.yml to your Home Assistant URL.

To enable secure SSH access, copy your public key to the Raspberry Pi:

ssh-copy-id nhan@raspberrypi.local

Edit the /etc/ssh/sshd_config file on the Raspberry Pi to strengthen security. Update the following settings:

PasswordAuthentication no
UsePAM no

Apply the changes by reloading the SSH service:

sudo systemctl reload ssh

This project is licensed under the Apache-2.0 license.