This commit is contained in:
Roxedus 2022-10-19 00:18:29 +02:00
parent 985ae6be37
commit 197ec08341
Signed by: Roxedus
GPG Key ID: 9B4E311961C63639
8 changed files with 92 additions and 69 deletions


@ -17,8 +17,6 @@ users:
passwordless: True
github: Roxedus
password: "{{ secret_rox_pass }}"
system:
- proxmox
package_list:
- name: bash-completion


@ -1 +1,4 @@
do_become: true
do_become: false
security_ssh_permit_root_login: "yes"
security_sudoers_passwordless: []
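Review bot: `security_ssh_permit_root_login: "yes"` on the new side opens password login for root over SSH on this group, while the users.yml section of the same commit already installs a GitHub key into root's authorized_keys on the prox hosts. If that key is the intended root access path, `security_ssh_permit_root_login: "prohibit-password"` keeps key-based root login and closes the password path (assuming the role writes the value straight into `PermitRootLogin`, which is how this variable is normally consumed). If `"yes"` is deliberate, a one-line comment above it stating why root password login is needed on this group would stop the next reader from reverting it. The hunk header promises 4 new-side lines but only 3 are visible here, so one line may be missing from this view.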


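--- a/create_user.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: Create user
-become: "{{ do_become }}"
-command:
-argv:
-- pvesh
-- create
-- /access/users
-- --userid
-- "{{ item.username }}@pam"
-- --comment
-- "Managed by Ansible"
-- --password
-- "{{ item.password | default(None) }}"
-- --output-format=json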


@ -1,34 +1,22 @@
# - name: Get users
# become: "{{ do_become }}"
# command:
# argv:
# - pvesh
# - get
# - /access/users
# - --output-format=json
# register: pve_users
# - name: Create users
# when: item.username not in (pve_users.stdout | from_json | community.general.json_query('[*].userid') |replace("@pam", ""))
# include_tasks: create_user.yml
# loop: "{{ users | selectattr('system', 'contains', 'proxmox') | flatten(levels=1) }}"
- name: Disable SWAP sysctl on host
become: true
ansible.posix.sysctl:
name: vm.swappiness
value: "0"
state: present
- name: Disable SWAP on host
become: true
ansible.builtin.command: swapoff -a
- name: Remove swapfile from /etc/fstab on host
become: true
ansible.posix.mount:
name: "{{ item }}"
fstype: swap
state: absent
with_items:
- swap
- name: Place script to grab certificate from Proxmox
ansible.builtin.template:
src: get_cert.sh.j2
dest: "/root/get_cert.sh"
mode: "0760"
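Review bot: `mode: "0760"` on the `Place script to grab certificate from Proxmox` task leaves `/root/get_cert.sh` group-readable and group-writable, and the template it renders (get_cert.sh.j2 in this commit) embeds `{{ secret_rox_pass }}` in clear text; `mode: "0700"` is the fitting permission for a root-only script carrying a credential. The task also has no `become:` unlike its siblings (`Disable SWAP sysctl on host` and the two following tasks use `become: true`), so unless the play already runs as root the write under `/root` will fail; I cannot tell from this hunk which of these lines are new and which are context. A comment above the task such as `# rendered script contains the OPNsense password; keep root-only` would document the intent.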


@ -0,0 +1,37 @@
#!/usr/bin/env sh
# Based on https://gist.github.com/danie1k/c3d866eb6eed93bbc16b0628639efefe
HOSTNAME="gateway.rostvik.site"
CERT_ID="2"
USERNAME="root"
PASSWORD="{{ secret_rox_pass }}"
echo "Downloading certificate id=${CERT_ID} from ${HOSTNAME} into cert.pem file..."
# Open login screen
curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
https://$HOSTNAME/system_certmanager.php \
| grep hidden | sed -E 's/.*name="([^"\]+)" value="([^"]+)".*/\1=\2/' > /tmp/opnsense_csrf.txt
POST_DATA="usernamefld=${USERNAME}&passwordfld=${PASSWORD}&login=1&$(cat /tmp/opnsense_csrf.txt)"
# Perform login
curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
https://$HOSTNAME/system_certmanager.php \
-X POST --data "${POST_DATA}" > /dev/null
# Export user key
curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
"https://$HOSTNAME/system_certmanager.php?act=key&id=$CERT_ID" > /etc/pve/local/pve-ssl.key
# Export user cert
curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
"https://$HOSTNAME/system_certmanager.php?act=exp&id=$CERT_ID" > /etc/pve/local/pve-ssl.pem
rm -f /tmp/opnsense_csrf.txt /tmp/opnsense_cookies.txt
# Restart pveproxy
systemctl restart pveproxy.service
echo "Done."
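Review bot: The script overwrites `/etc/pve/local/pve-ssl.key` and `pve-ssl.pem` and restarts pveproxy without checking that the login or the exports succeeded: `curl` runs without `-f` and there is no `set -e`, so an HTTP error page or the login form itself is written over the live key and the proxy is restarted on it. The credential is also handed to `curl` on the command line via `--data "${POST_DATA}"`, where it is visible in the process list, and the cookie jar and CSRF file use fixed names in `/tmp`. Downloading into `mktemp` files, checking they look like PEM before installing, feeding the login form to curl on stdin with `--data @-`, and cleaning up via `trap` addresses all three; separately, the password is not URL-encoded, so a value containing `&`, `%` or `+` breaks the login either way. The rewritten lines follow; the variable assignments, the final restart and the closing echo are unchanged.
```shell
#!/usr/bin/env sh
set -eu
# … unchanged: HOSTNAME, CERT_ID, USERNAME, PASSWORD assignments and first echo …
COOKIES="$(mktemp)"
CSRF="$(mktemp)"
KEY_TMP="$(mktemp)"
CERT_TMP="$(mktemp)"
trap 'rm -f "$COOKIES" "$CSRF" "$KEY_TMP" "$CERT_TMP"' EXIT
# Open login screen; -f makes an HTTP error abort instead of saving the error page
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php" \
  | grep hidden | sed -E 's/.*name="([^"\]+)" value="([^"]+)".*/\1=\2/' > "$CSRF"
# Perform login; the form body reaches curl on stdin, not on the command line
printf 'usernamefld=%s&passwordfld=%s&login=1&%s' "$USERNAME" "$PASSWORD" "$(cat "$CSRF")" \
  | curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
      "https://$HOSTNAME/system_certmanager.php" -X POST --data @- > /dev/null
# Export key and cert into temporary files first
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php?act=key&id=$CERT_ID" > "$KEY_TMP"
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php?act=exp&id=$CERT_ID" > "$CERT_TMP"
# Replace the live files and restart pveproxy only when both exports look like PEM
if ! grep -q 'BEGIN .*PRIVATE KEY' "$KEY_TMP" || ! grep -q 'BEGIN CERTIFICATE' "$CERT_TMP"; then
  echo "Export did not return PEM data; leaving the current certificate in place" >&2
  exit 1
fi
cat "$KEY_TMP" > /etc/pve/local/pve-ssl.key
cat "$CERT_TMP" > /etc/pve/local/pve-ssl.pem
# … unchanged: systemctl restart pveproxy.service, echo "Done." …
```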


@ -17,27 +17,6 @@
vars_files:
- "vars/vault.yml"
collections:
- ansible.builtin.apt
- ansible.builtin.apt_key
- ansible.builtin.apt_repository
- ansible.builtin.command
- ansible.builtin.copy
- ansible.builtin.dpkg_selections
- ansible.builtin.file
- ansible.builtin.get_url
- ansible.builtin.git
- ansible.builtin.group
- ansible.builtin.hostname
- ansible.builtin.lineinfile
- ansible.builtin.pip
- ansible.builtin.reboot
- ansible.builtin.stat
- ansible.builtin.template
- ansible.builtin.user
- ansible.posix.authorized_key
- ansible.posix.mount
pre_tasks:
- include_tasks: tasks/users.yml
with_items: "{{ users }}"
@ -185,11 +164,6 @@
tags:
- prox
- update
pre_tasks:
- name: Install sudo
ansible.builtin.apt:
name: sudo
state: latest
roles:
- role: ironicbadger_ansible-role-proxmox-nag-removal
- role: proxmox
@ -273,6 +247,7 @@
state: absent
loop:
- 10-help-text
- 10-uname
- 50-landscape-sysinfo
- 50-motd-news
- 80-livepatch
@ -280,8 +255,9 @@
- 90-updates-available
- 91-contract-ua-esm-status
- 91-release-upgrade
- 92-unattended-upgrades
- 95-hwe-eol
when: ansible_distribution == 'Ubuntu'
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
- name: Place MoTD
become: "{{ do_become }}"
@ -309,7 +285,7 @@
- pihole
- -up
- name: Install and update OMP
- name: Install and update chezmoi
include_tasks: tasks/omp.yml
- include_tasks: tasks/remove_prox_ee_apt.yml
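Review bot: The renamed task `- name: Install and update chezmoi` still includes `tasks/omp.yml`, which in this same commit installs both oh-my-posh and chezmoi, so the new name hides half of what the step does; `- name: Install and update OMP and chezmoi` keeps the play output truthful. In the earlier hunk of this file, `when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'` reads more naturally as `when: ansible_distribution in ['Ubuntu', 'Debian']`. Both enclosing tasks begin outside the hunks shown.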


@ -10,12 +10,13 @@
- name: Check if OMP is installed
ansible.builtin.stat:
path: /opt/scripts/oh-my-posh
path: /usr/local/bin/oh-my-posh
register: omp_bin
- name: Check OMP version
when: omp_bin.stat.exists
ansible.builtin.command: /opt/scripts/oh-my-posh -version
ansible.builtin.command: /usr/local/bin/oh-my-posh --version
changed_when: false
register: omp_ver
- name: Get latest release of OMP
@ -26,20 +27,46 @@
register: omp_latest
- name: Download OMP
when: not omp_bin.stat.exists or omp_latest != ( "v" + omp_ver )
when: not omp_bin.stat.exists or omp_latest.tag != ( "v" + omp_ver.stdout )
become: "{{ do_become }}"
ansible.builtin.get_url:
url: https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/{{ omp_latest.tag }}/posh-linux-{{ apt_arch }}
dest: /usr/local/bin/oh-my-posh
mode: "0744"
owner: "{{ users.0.username }}"
group: "{{ users.0.groupname }}"
force: "yes"
- name: Check if Chezmoi is installed
ansible.builtin.stat:
path: /usr/local/bin/chezmoi
register: chezmoi_bin
- name: Check Chezmoi version
when: chezmoi_bin.stat.exists
ansible.builtin.command: /usr/local/bin/chezmoi --version
changed_when: false
register: chezmoi_ver
- name: Get latest release of Chezmoi
community.general.github_release:
user: twpayne
repo: chezmoi
action: latest_release
register: chezmoi_latest
- name: Download Chezmoi
when: not chezmoi_bin.stat.exists or chezmoi_latest.tag.split(",")[0] != ( "chezmoi version v" + chezmoi_ver.stdout )
become: "{{ do_become }}"
ansible.builtin.get_url:
url: https://github.com/twpayne/chezmoi/releases/download/{{ chezmoi_latest.tag }}/chezmoi-linux-{{ apt_arch }}
dest: /usr/local/bin/chezmoi
mode: "0744"
force: "yes"
- name: Add OMP to bash
ansible.builtin.lineinfile:
mode: "0644"
path: /home/{{ users.0.username }}/.bashrc
search_string: oh-my-posh
line: eval "$(oh-my-posh init bash --config https://gist.github.com/Roxedus/6a11a5dbd37c24ecacf02fb9aef06e15/raw)"
create: yes
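Review bot: The `when:` on `Download Chezmoi` compares `chezmoi_latest.tag.split(",")[0]` (the bare release tag) against `"chezmoi version v" + chezmoi_ver.stdout`, which by construction can never be equal, so the binary is re-downloaded on every run; assuming `chezmoi --version` prints `chezmoi version vX.Y.Z, commit …` (the `,` split suggests that is what was intended), the line should be `when: not chezmoi_bin.stat.exists or chezmoi_ver.stdout.split(",")[0] != ( "chezmoi version " + chezmoi_latest.tag )`. Both `get_url` tasks place an executable in `/usr/local/bin` with no integrity check; `get_url` accepts `checksum: "sha256:<published-digest-or-checksum-url>"` so the release artefact can be pinned to what the project publishes. `force: "yes"` on both downloads is a quoted truthy string; `force: true` is the canonical boolean.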


@ -1,10 +1,12 @@
- name: Ensure groups exists
when: "inventory_hostname not in groups['prox']"
ansible.builtin.group:
name: "{{ user.groupname | default(user.username) }}"
gid: "{{ user.gid | default(omit) }}"
state: present
- name: Add users
when: "inventory_hostname not in groups['prox']"
ansible.builtin.user:
name: "{{ user.username }}"
uid: "{{ user.uid | default(omit) }}"
@ -14,7 +16,13 @@
password: "{{ user.password | password_hash('sha512') | default(omit) }}"
- name: Add a Github key ssh key
when: "user.github is defined"
when: "user.github is defined and inventory_hostname not in groups['prox']"
ansible.posix.authorized_key:
user: "{{ user.username }}"
key: "https://github.com/{{ user.github }}.keys"
- name: Add a Github key ssh key
when: inventory_hostname in groups['prox']
ansible.posix.authorized_key:
user: root
key: "https://github.com/{{ user.github }}.keys"
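Review bot: The new root task `Add a Github key ssh key` for `inventory_hostname in groups['prox']` has no `user.github is defined` guard, unlike the non-prox task directly above it, so any `users` entry without a `github` field will fail rendering `https://github.com/{{ user.github }}.keys` on Proxmox hosts; use `when: inventory_hostname in groups['prox'] and user.github is defined`. Because site.yml loops this file over every entry (`with_items: "{{ users }}"`), the task also grants each listed GitHub account's keys root login on the prox group rather than a single admin's; if only one account should hold root access, a comment stating that and a filter on the loop would make the intent visible. The two tasks share one name; `Add a Github ssh key to root on Proxmox hosts` would distinguish them in play output.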