Infra/ansible/run.yml

- hosts: all
  become: "{{ do_become }}"
  tags:
    - always
  vars_files:
    - "vars/vault.yml"
  tasks:
    - name: Get dpkg arch
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.shell: dpkg --print-architecture
      register: _apt_arch
      changed_when: false

- hosts: all:!unifi
  become: "{{ do_become }}"
  tags: [never, init]
  vars_files:
    - "vars/vault.yml"

  pre_tasks:
    - include_tasks: tasks/users.yml
      with_items: "{{ users }}"
      loop_control:
        loop_var: user

    - name: Change hostname
      when: "set_hostname is defined"
      register: new_hostname
      ansible.builtin.hostname:
        name: "{{ set_hostname }}"

    - name: Change hostname in hosts
      when: new_hostname.changed
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1 localhost'
        line: "127.0.0.1 localhost {{ set_hostname }}"
        owner: root
        group: root
        mode: "0644"

    - name: Reboot the server
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to hostname change"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 2
        post_reboot_delay: 30
        test_command: uptime
      when: new_hostname.changed

    - include_tasks: tasks/remove_prox_ee_apt.yml
      when: inventory_hostname in groups['prox']

    - name: Update apt cache
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 1

  roles:
    - role: geerlingguy.ntp
    - role: geerlingguy.security
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
  tasks:
    - name: Install packages
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.apt:
        name: "{{package_list}}"
        state: latest

    - name: Install pip packages
      ansible.builtin.pip:
        name:
          - github3.py

- hosts: docker
  become: "{{ do_become }}"
  tags:
    - docker
  vars_files:
    - "vars/vault.yml"
  post_tasks:
    - name: Install pip packages
      ansible.builtin.pip:
        name:
          - docker

    - name: Create plugin directory if not present
      ansible.builtin.file:
        path: "/home/{{ item.username }}/.docker/cli-plugins/"
        state: directory
        owner: "{{ item.username }}"
        group: "{{ item.groupname }}"
        mode: "0775"
      loop: "{{ docker_users_obj }}"

    - name: Get latest release of a public repository
      community.general.github_release:
        user: docker
        repo: compose
        action: latest_release
      register: comp_cli

    - name: Install compose plugin
      ansible.builtin.get_url:
        url: "https://github.com/docker/compose/releases/download/{{comp_cli.tag}}/docker-compose-linux-{{ ansible_architecture }}"
        dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose"
        mode: "0755"
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"

  roles:
    - role: geerlingguy.docker
      when: ansible_distribution == 'Ubuntu'

- hosts: kube
  tags:
    - init
    - kube
    - never
  vars_files:
    - "vars/vault.yml"
  tasks:
    - name: Install runtime dependencies
      become: "{{ do_become }}"
      ansible.builtin.apt:
        name: "{{ item }}"
        state: present
      with_items:
        - fuse-overlayfs
        - nfs-common
        - open-iscsi
    - name: Include Containerd role
      include_role:
        name: geerlingguy.containerd
        apply:
          become: "{{ do_become }}"
    - name: Include Docker role
      include_role:
        name: geerlingguy.docker
        apply:
          become: "{{ do_become }}"
    - name: Include Kubernetes role
      include_role:
        name: kubernetes
    - name: Include ZFS role
      when: inventory_hostname in groups['zfs']
      include_role:
        name: zfs
    - name: Include NFS role
      when: inventory_hostname in groups['nfs']
      include_role:
        name: geerlingguy.nfs
        apply:
          become: "{{ do_become }}"

- hosts: prox
  vars_files:
    - "vars/vault.yml"
  tags:
    - prox
    - update
  roles:
    - role: ironicbadger_ansible-role-proxmox-nag-removal
    - role: proxmox

- hosts: raspberries
  vars_files:
    - "vars/vault.yml"
  tags:
    - init
    - raspberries
    - update
  tasks:
    - name: Install packages
      become: "{{ do_become }}"
      ansible.builtin.apt:
        name: "{{ item  }}"
      loop:
        - libraspberrypi-bin
        - linux-modules-extra-raspi
        - vlan

    - name: Add the 802.1q module
      community.general.modprobe:
        name: 8021q
        state: present

    - name: Place PoE fan file
      become: "{{ do_become }}"
      ansible.builtin.copy:
        content: |
          # Ansible managed

          dtoverlay=rpi-poe
          dtparam=poe_fan_temp0=57000
          dtparam=poe_fan_temp1=60000
          dtparam=poe_fan_temp2=63000
          dtparam=poe_fan_temp3=66000

          dtoverlay=vc4-fkms-v3d
        dest: /boot/firmware/usercfg.txt

- hosts: piholes
  vars_files:
    - "vars/vault.yml"
  tags:
    - pihole
    - update
  roles:
    - role: pihole_updatelist
    - role: pi_dnsmasq
    - role: pihole

# - hosts: usg
#   vars_files:
#     - "vars/vault.yml"
#     - "vars/wireguard.yml"
#   tags: [network, ubnt]
#   roles:
#     - role: usg

# - hosts: cloud_key
#   vars_files:
#     - "vars/vault.yml"
#     - "vars/wireguard.yml"
#   tags: [network, ubnt]
#   roles:
#     - role: cloud_key

- hosts: all:!unifi
  become: "{{ do_become }}"
  tags:
    - init
    - update
  vars_files:
    - "vars/vault.yml"

  tasks:
    # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
    - name: Update packages
      when: ansible_distribution == 'Ubuntu'
      ansible.builtin.apt:
        update_cache: "True"
        force_apt_get: "True"
        cache_valid_time: 3600
        upgrade: "True"

    - name: Remove ubuntu motd spam
      ansible.builtin.file:
        path: "/etc/update-motd.d/{{ item }}"
        state: absent
      loop:
        - 10-help-text
        - 10-uname
        - 50-landscape-sysinfo
        - 50-motd-news
        - 80-livepatch
        - 88-esm-announce
        - 90-updates-available
        - 91-contract-ua-esm-status
        - 91-release-upgrade
        - 92-unattended-upgrades
        - 95-hwe-eol
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'

    - name: Place MoTD
      become: "{{ do_become }}"
      when: ansible_distribution == 'Ubuntu'
      ansible.builtin.copy:
        content: |
          #!/bin/sh
          # Ansible managed

          neofetch
        mode: 0755
        dest: /etc/update-motd.d/01-neofetch

    - name: Check if pi-hole is installed
      when: inventory_hostname in groups['piholes']
      ansible.builtin.stat:
        path: "/usr/local/bin/pihole"
      register: pihole_exec

    - name: Update PiHole
      when: inventory_hostname in groups['piholes'] and pihole_exec.stat.exists
      become: "{{ do_become }}"
      ansible.builtin.command:
        argv:
          - pihole
          - -up

    - name: Install and update chezmoi
      include_tasks: tasks/omp.yml

    - include_tasks: tasks/remove_prox_ee_apt.yml
      when: inventory_hostname in groups['prox']

    - name: Check if a reboot is needed for Debian and Ubuntu boxes
      register: reboot_required_file
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no

    - name: Reboot the server
      throttle: 1
      when: reboot_required_file.stat.exists and (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian')
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
Initial commit 2020-10-28 22:15:23 +01:00			`- hosts: all`
A lil TLC 2022-04-15 15:51:58 +02:00			`become: "{{ do_become }}"`
Lint and updates 2022-10-18 22:20:04 +02:00			`tags:`
			`- always`
A lil TLC 2022-04-15 15:51:58 +02:00			`vars_files:`
			`- "vars/vault.yml"`
			`tasks:`
			`- name: Get dpkg arch`
			`when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'`
			`ansible.builtin.shell: dpkg --print-architecture`
			`register: _apt_arch`
Lint and updates 2022-10-18 22:20:04 +02:00			`changed_when: false`
A lil TLC 2022-04-15 15:51:58 +02:00
			`- hosts: all:!unifi`
			`become: "{{ do_become }}"`
Initial commit 2020-10-28 22:15:23 +01:00			`tags: [never, init]`
			`vars_files:`
			`- "vars/vault.yml"`

			`pre_tasks:`
Redo user task 2021-08-16 23:50:14 +02:00			`- include_tasks: tasks/users.yml`
			`with_items: "{{ users }}"`
			`loop_control:`
			`loop_var: user`
Initial commit 2020-10-28 22:15:23 +01:00
			`- name: Change hostname`
			`when: "set_hostname is defined"`
			`register: new_hostname`
			`ansible.builtin.hostname:`
			`name: "{{ set_hostname }}"`

			`- name: Change hostname in hosts`
			`when: new_hostname.changed`
			`ansible.builtin.lineinfile:`
			`path: /etc/hosts`
			`regexp: '^127\.0\.0\.1 localhost'`
			`line: "127.0.0.1 localhost {{ set_hostname }}"`
			`owner: root`
			`group: root`
			`mode: "0644"`

			`- name: Reboot the server`
			`ansible.builtin.reboot:`
			`msg: "Reboot initiated by Ansible due to hostname change"`
			`connect_timeout: 5`
			`reboot_timeout: 300`
			`pre_reboot_delay: 2`
			`post_reboot_delay: 30`
			`test_command: uptime`
			`when: new_hostname.changed`

A lil TLC 2022-04-15 15:51:58 +02:00			`- include_tasks: tasks/remove_prox_ee_apt.yml`
			`when: inventory_hostname in groups['prox']`

QoL 2021-08-17 00:13:23 +02:00			`- name: Update apt cache`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'`
QoL 2021-08-17 00:13:23 +02:00			`ansible.builtin.apt:`
			`update_cache: true`
			`cache_valid_time: 1`

Initial commit 2020-10-28 22:15:23 +01:00			`roles:`
			`- role: geerlingguy.ntp`
			`- role: geerlingguy.security`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'`
Initial commit 2020-10-28 22:15:23 +01:00			`tasks:`
			`- name: Install packages`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'`
Initial commit 2020-10-28 22:15:23 +01:00			`ansible.builtin.apt:`
Group packages 2022-11-08 21:41:19 +01:00			`name: "{{package_list}}"`
Initial commit 2020-10-28 22:15:23 +01:00			`state: latest`

A lil TLC 2022-04-15 15:51:58 +02:00			`- name: Install pip packages`
			`ansible.builtin.pip:`
			`name:`
			`- github3.py`

Updates 2021-02-13 15:39:14 +01:00			`- hosts: docker`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
Lint and updates 2022-10-18 22:20:04 +02:00			`tags:`
			`- docker`
Updates 2021-02-13 15:39:14 +01:00			`vars_files:`
			`- "vars/vault.yml"`
			`post_tasks:`
			`- name: Install pip packages`
			`ansible.builtin.pip:`
			`name:`
			`- docker`
Use function in role to set docker daemon options Also install RC of compose plugin 2021-08-16 23:52:40 +02:00
			`- name: Create plugin directory if not present`
			`ansible.builtin.file:`
			`path: "/home/{{ item.username }}/.docker/cli-plugins/"`
			`state: directory`
			`owner: "{{ item.username }}"`
			`group: "{{ item.groupname }}"`
			`mode: "0775"`
			`loop: "{{ docker_users_obj }}"`

A lil TLC 2022-04-15 15:51:58 +02:00			`- name: Get latest release of a public repository`
			`community.general.github_release:`
			`user: docker`
			`repo: compose`
			`action: latest_release`
			`register: comp_cli`

Use function in role to set docker daemon options Also install RC of compose plugin 2021-08-16 23:52:40 +02:00			`- name: Install compose plugin`
			`ansible.builtin.get_url:`
A lil TLC 2022-04-15 15:51:58 +02:00			`url: "https://github.com/docker/compose/releases/download/{{comp_cli.tag}}/docker-compose-linux-{{ ansible_architecture }}"`
			`dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose"`
Use function in role to set docker daemon options Also install RC of compose plugin 2021-08-16 23:52:40 +02:00			`mode: "0755"`
A lil TLC 2022-04-15 15:51:58 +02:00			`owner: "{{ users.0.username }}"`
			`group: "{{ users.0.groupname }}"`
Use function in role to set docker daemon options Also install RC of compose plugin 2021-08-16 23:52:40 +02:00
Updates 2021-02-13 15:39:14 +01:00			`roles:`
			`- role: geerlingguy.docker`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: ansible_distribution == 'Ubuntu'`
Updates 2021-02-13 15:39:14 +01:00
			`- hosts: kube`
Lint and updates 2022-10-18 22:20:04 +02:00			`tags:`
			`- init`
			`- kube`
			`- never`
Updates 2021-02-13 15:39:14 +01:00			`vars_files:`
			`- "vars/vault.yml"`
			`tasks:`
kube things 2022-10-18 22:18:54 +02:00			`- name: Install runtime dependencies`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
kube things 2022-10-18 22:18:54 +02:00			`ansible.builtin.apt:`
			`name: "{{ item }}"`
			`state: present`
			`with_items:`
			`- fuse-overlayfs`
			`- nfs-common`
			`- open-iscsi`
			`- name: Include Containerd role`
A lil TLC 2022-04-15 15:51:58 +02:00			`include_role:`
kube things 2022-10-18 22:18:54 +02:00			`name: geerlingguy.containerd`
A lil TLC 2022-04-15 15:51:58 +02:00			`apply:`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
kube things 2022-10-18 22:18:54 +02:00			`- name: Include Docker role`
A lil TLC 2022-04-15 15:51:58 +02:00			`include_role:`
kube things 2022-10-18 22:18:54 +02:00			`name: geerlingguy.docker`
A lil TLC 2022-04-15 15:51:58 +02:00			`apply:`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
A lil TLC 2022-04-15 15:51:58 +02:00			`- name: Include Kubernetes role`
			`include_role:`
			`name: kubernetes`
			`- name: Include ZFS role`
			`when: inventory_hostname in groups['zfs']`
			`include_role:`
			`name: zfs`
			`- name: Include NFS role`
			`when: inventory_hostname in groups['nfs']`
			`include_role:`
			`name: geerlingguy.nfs`
			`apply:`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
Updates 2021-02-13 15:39:14 +01:00
A lil TLC 2022-04-15 15:51:58 +02:00			`- hosts: prox`
			`vars_files:`
			`- "vars/vault.yml"`
Lint and updates 2022-10-18 22:20:04 +02:00			`tags:`
			`- prox`
			`- update`
A lil TLC 2022-04-15 15:51:58 +02:00			`roles:`
			`- role: ironicbadger_ansible-role-proxmox-nag-removal`
			`- role: proxmox`
Updates 2021-02-13 15:39:14 +01:00
Lint and updates 2022-10-18 22:20:04 +02:00			`- hosts: raspberries`
Initial commit 2020-10-28 22:15:23 +01:00			`vars_files:`
			`- "vars/vault.yml"`
Lint and updates 2022-10-18 22:20:04 +02:00			`tags:`
			`- init`
			`- raspberries`
			`- update`
A lil TLC 2022-04-15 15:51:58 +02:00			`tasks:`
			`- name: Install packages`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
A lil TLC 2022-04-15 15:51:58 +02:00			`ansible.builtin.apt:`
Group packages 2022-11-08 21:41:19 +01:00			`name: "{{ item }}"`
			`loop:`
			`- libraspberrypi-bin`
			`- linux-modules-extra-raspi`
			`- vlan`

			`- name: Add the 802.1q module`
			`community.general.modprobe:`
			`name: 8021q`
			`state: present`
Initial commit 2020-10-28 22:15:23 +01:00
A lil TLC 2022-04-15 15:51:58 +02:00			`- name: Place PoE fan file`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
A lil TLC 2022-04-15 15:51:58 +02:00			`ansible.builtin.copy:`
			`content: \|`
			`# Ansible managed`

			`dtoverlay=rpi-poe`
			`dtparam=poe_fan_temp0=57000`
			`dtparam=poe_fan_temp1=60000`
			`dtparam=poe_fan_temp2=63000`
			`dtparam=poe_fan_temp3=66000`
pi things 2022-10-18 22:13:55 +02:00
			`dtoverlay=vc4-fkms-v3d`
A lil TLC 2022-04-15 15:51:58 +02:00			`dest: /boot/firmware/usercfg.txt`

pi things 2022-10-18 22:13:55 +02:00			`- hosts: piholes`
			`vars_files:`
			`- "vars/vault.yml"`
			`tags:`
			`- pihole`
			`- update`
			`roles:`
			`- role: pihole_updatelist`
			`- role: pi_dnsmasq`
			`- role: pihole`

A lil TLC 2022-04-15 15:51:58 +02:00			`# - hosts: usg`
			`# vars_files:`
			`# - "vars/vault.yml"`
			`# - "vars/wireguard.yml"`
			`# tags: [network, ubnt]`
			`# roles:`
			`# - role: usg`

			`# - hosts: cloud_key`
			`# vars_files:`
			`# - "vars/vault.yml"`
			`# - "vars/wireguard.yml"`
			`# tags: [network, ubnt]`
			`# roles:`
			`# - role: cloud_key`

			`- hosts: all:!unifi`
			`become: "{{ do_become }}"`
Lint and updates 2022-10-18 22:20:04 +02:00			`tags:`
			`- init`
			`- update`
Initial commit 2020-10-28 22:15:23 +01:00			`vars_files:`
			`- "vars/vault.yml"`

			`tasks:`
			`# https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/`
			`- name: Update packages`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: ansible_distribution == 'Ubuntu'`
Initial commit 2020-10-28 22:15:23 +01:00			`ansible.builtin.apt:`
QoL 2021-08-17 00:13:23 +02:00			`update_cache: "True"`
			`force_apt_get: "True"`
Initial commit 2020-10-28 22:15:23 +01:00			`cache_valid_time: 3600`
QoL 2021-08-17 00:13:23 +02:00			`upgrade: "True"`
Initial commit 2020-10-28 22:15:23 +01:00
			`- name: Remove ubuntu motd spam`
			`ansible.builtin.file:`
			`path: "/etc/update-motd.d/{{ item }}"`
			`state: absent`
			`loop:`
			`- 10-help-text`
Prox QoL 2022-10-19 00:18:29 +02:00			`- 10-uname`
Initial commit 2020-10-28 22:15:23 +01:00			`- 50-landscape-sysinfo`
			`- 50-motd-news`
			`- 80-livepatch`
Lint and updates 2022-10-18 22:20:04 +02:00			`- 88-esm-announce`
QoL 2021-08-17 00:13:23 +02:00			`- 90-updates-available`
Lint and updates 2022-10-18 22:20:04 +02:00			`- 91-contract-ua-esm-status`
A lil TLC 2022-04-15 15:51:58 +02:00			`- 91-release-upgrade`
Prox QoL 2022-10-19 00:18:29 +02:00			`- 92-unattended-upgrades`
Initial commit 2020-10-28 22:15:23 +01:00			`- 95-hwe-eol`
Prox QoL 2022-10-19 00:18:29 +02:00			`when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'`
Initial commit 2020-10-28 22:15:23 +01:00
Lint and updates 2022-10-18 22:20:04 +02:00			`- name: Place MoTD`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
Lint and updates 2022-10-18 22:20:04 +02:00			`when: ansible_distribution == 'Ubuntu'`
			`ansible.builtin.copy:`
			`content: \|`
			`#!/bin/sh`
			`# Ansible managed`

			`neofetch`
			`mode: 0755`
			`dest: /etc/update-motd.d/01-neofetch`

QoL 2021-08-17 00:13:23 +02:00			`- name: Check if pi-hole is installed`
Updates 2021-02-13 15:39:14 +01:00			`when: inventory_hostname in groups['piholes']`
A lil TLC 2022-04-15 15:51:58 +02:00			`ansible.builtin.stat:`
QoL 2021-08-17 00:13:23 +02:00			`path: "/usr/local/bin/pihole"`
			`register: pihole_exec`

			`- name: Update PiHole`
			`when: inventory_hostname in groups['piholes'] and pihole_exec.stat.exists`
do_become 2022-10-19 00:16:16 +02:00			`become: "{{ do_become }}"`
Updates 2021-02-13 15:39:14 +01:00			`ansible.builtin.command:`
			`argv:`
			`- pihole`
			`- -up`

Prox QoL 2022-10-19 00:18:29 +02:00			`- name: Install and update chezmoi`
A lil TLC 2022-04-15 15:51:58 +02:00			`include_tasks: tasks/omp.yml`

			`- include_tasks: tasks/remove_prox_ee_apt.yml`
			`when: inventory_hostname in groups['prox']`

Initial commit 2020-10-28 22:15:23 +01:00			`- name: Check if a reboot is needed for Debian and Ubuntu boxes`
			`register: reboot_required_file`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'`
			`ansible.builtin.stat:`
QoL 2021-08-17 00:13:23 +02:00			`path: /var/run/reboot-required`
			`get_md5: no`
Initial commit 2020-10-28 22:15:23 +01:00
			`- name: Reboot the server`
QoL 2021-08-17 00:13:23 +02:00			`throttle: 1`
A lil TLC 2022-04-15 15:51:58 +02:00			`when: reboot_required_file.stat.exists and (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian')`
Initial commit 2020-10-28 22:15:23 +01:00			`ansible.builtin.reboot:`
			`msg: "Reboot initiated by Ansible due to kernel updates"`
			`connect_timeout: 5`
			`reboot_timeout: 300`
			`pre_reboot_delay: 0`
			`post_reboot_delay: 30`
			`test_command: uptime`