Prox QoL
parent
985ae6be37
commit
197ec08341
@ -17,8 +17,6 @@ users:
|
|||||||
passwordless: True
|
passwordless: True
|
||||||
github: Roxedus
|
github: Roxedus
|
||||||
password: "{{ secret_rox_pass }}"
|
password: "{{ secret_rox_pass }}"
|
||||||
system:
|
|
||||||
- proxmox
|
|
||||||
|
|
||||||
package_list:
|
package_list:
|
||||||
- name: bash-completion
|
- name: bash-completion
|
||||||
|
@ -1 +1,4 @@
|
|||||||
do_become: true
|
do_become: false
|
||||||
|
|
||||||
|
security_ssh_permit_root_login: "yes"
|
||||||
|
security_sudoers_passwordless: []
|
||||||
|
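Review bot: `security_ssh_permit_root_login: "yes"` permits root login over SSH with any authentication method sshd has enabled, passwords included if `PasswordAuthentication` is on; since this commit also installs GitHub-published keys into root's authorized_keys on the prox hosts (later hunk), `security_ssh_permit_root_login: "prohibit-password"` keeps that working while taking root out of password-guessing exposure. The consumer of this variable is not in the hunk — it looks like the geerlingguy.security role, which writes the value verbatim into `PermitRootLogin` — so confirm the accepted values there. With `do_become: false`, every task gated on `become: "{{ do_become }}"` now depends on the connection user already being root; a one-line comment in this vars file would make that explicit, e.g. `# prox hosts are managed as root over SSH; do_become-gated tasks no longer escalate`.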
@ -1,14 +0,0 @@
|
|||||||
- name: Create user
|
|
||||||
become: "{{ do_become }}"
|
|
||||||
command:
|
|
||||||
argv:
|
|
||||||
- pvesh
|
|
||||||
- create
|
|
||||||
- /access/users
|
|
||||||
- --userid
|
|
||||||
- "{{ item.username }}@pam"
|
|
||||||
- --comment
|
|
||||||
- "Managed by Ansible"
|
|
||||||
- --password
|
|
||||||
- "{{ item.password | default(None) }}"
|
|
||||||
- --output-format=json
|
|
@ -1,34 +1,22 @@
|
|||||||
# - name: Get users
|
|
||||||
# become: "{{ do_become }}"
|
|
||||||
# command:
|
|
||||||
# argv:
|
|
||||||
# - pvesh
|
|
||||||
# - get
|
|
||||||
# - /access/users
|
|
||||||
# - --output-format=json
|
|
||||||
# register: pve_users
|
|
||||||
|
|
||||||
# - name: Create users
|
|
||||||
# when: item.username not in (pve_users.stdout | from_json | community.general.json_query('[*].userid') |replace("@pam", ""))
|
|
||||||
# include_tasks: create_user.yml
|
|
||||||
# loop: "{{ users | selectattr('system', 'contains', 'proxmox') | flatten(levels=1) }}"
|
|
||||||
|
|
||||||
- name: Disable SWAP sysctl on host
|
- name: Disable SWAP sysctl on host
|
||||||
become: true
|
|
||||||
ansible.posix.sysctl:
|
ansible.posix.sysctl:
|
||||||
name: vm.swappiness
|
name: vm.swappiness
|
||||||
value: "0"
|
value: "0"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Disable SWAP on host
|
- name: Disable SWAP on host
|
||||||
become: true
|
|
||||||
ansible.builtin.command: swapoff -a
|
ansible.builtin.command: swapoff -a
|
||||||
|
|
||||||
- name: Remove swapfile from /etc/fstab on host
|
- name: Remove swapfile from /etc/fstab on host
|
||||||
become: true
|
|
||||||
ansible.posix.mount:
|
ansible.posix.mount:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
fstype: swap
|
fstype: swap
|
||||||
state: absent
|
state: absent
|
||||||
with_items:
|
with_items:
|
||||||
- swap
|
- swap
|
||||||
|
|
||||||
|
- name: Place script to grab certificate from Proxmox
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: get_cert.sh.j2
|
||||||
|
dest: "/root/get_cert.sh"
|
||||||
|
mode: "0760"
|
||||||
|
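Review bot: The new "Place script to grab certificate from Proxmox" task renders a script that embeds the vaulted password (`get_cert.sh.j2` expands `secret_rox_pass`) with `mode: "0760"`, which leaves group read and write on a secret-bearing root script; `mode: "0700"` with an explicit `owner: root` and `group: root` is the right setting for a credential file under /root. The task carries no `become` while the neighbouring swap tasks dropped theirs, which only works because the prox play now connects as root (`do_become: false` elsewhere in this commit) — worth a comment above the task such as `# Rendered with the OPNsense password embedded; must stay root-only.`. Nothing in this role invokes the script, so how and when it is run (cron, manual) should be stated next to it.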
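--- /dev/null
+++ b/ansible/roles/proxmox/templates/get_cert.sh.j2
@@ -0,0 +1,37 @@
+#!/usr/bin/env sh
+
+# Based on https://gist.github.com/danie1k/c3d866eb6eed93bbc16b0628639efefe
+
+HOSTNAME="gateway.rostvik.site"
+CERT_ID="2"
+USERNAME="root"
+PASSWORD="{{ secret_rox_pass }}"
+
+echo "Downloading certificate id=${CERT_ID} from ${HOSTNAME} into cert.pem file..."
+
+# Open login screen
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+https://$HOSTNAME/system_certmanager.php \
+| grep hidden | sed -E 's/.*name="([^"\]+)" value="([^"]+)".*/\1=\2/' > /tmp/opnsense_csrf.txt
+
+POST_DATA="usernamefld=${USERNAME}&passwordfld=${PASSWORD}&login=1&$(cat /tmp/opnsense_csrf.txt)"
+
+# Perform login
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+https://$HOSTNAME/system_certmanager.php \
+-X POST --data "${POST_DATA}" > /dev/null
+
+# Export user key
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+"https://$HOSTNAME/system_certmanager.php?act=key&id=$CERT_ID" > /etc/pve/local/pve-ssl.key
+
+# Export user cert
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+"https://$HOSTNAME/system_certmanager.php?act=exp&id=$CERT_ID" > /etc/pve/local/pve-ssl.pem
+
+rm -f /tmp/opnsense_csrf.txt /tmp/opnsense_cookies.txt
+
+# Restart pveproxy
+systemctl restart pveproxy.service
+
+echo "Done."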
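Review bot: Nothing checks that the login or the two exports succeeded before their response bodies are written straight into `/etc/pve/local/pve-ssl.key` and `pve-ssl.pem` and pveproxy is restarted — a wrong password, a changed CSRF field or a TLS error hands back an HTML page (a failed form login typically still answers HTTP 200), which then becomes the node's key file and takes the web UI down. Separately, `--data "${POST_DATA}"` places the vaulted password in curl's argv where any local user can read it from /proc, it is not URL-encoded (a `&`, `%` or `+` in it breaks the form), and the fixed `/tmp/opnsense_*.txt` paths are written as root without mktemp. The rewrite below adds `set -eu`, a mktemp work directory, `curl -fsS`, feeds the password through `--data-urlencode "passwordfld@file"`, and validates both downloads with openssl before installing them. Also worth confirming which pair is intended: Proxmox documents custom web-UI certificates as `/etc/pve/local/pveproxy-ssl.pem`/`.key`, whereas `pve-ssl.*` is the cluster-CA-issued pair used for internal node traffic.
```shell
#!/usr/bin/env sh
set -eu
umask 077

# … unchanged: HOSTNAME / CERT_ID / USERNAME / PASSWORD …

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT INT TERM
COOKIES="$WORK/cookies.txt"
printf '%s' "$PASSWORD" > "$WORK/password"

# Open login screen; -f fails on HTTP/TLS errors instead of piping an error page into sed
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php" \
  | grep hidden | sed -E 's/.*name="([^"\]+)" value="([^"]+)".*/\1=\2/' > "$WORK/csrf.txt"

# Perform login; the password is read from a 0600 file and URL-encoded, so it never appears in argv
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php" \
  -X POST \
  --data-urlencode "usernamefld=$USERNAME" \
  --data-urlencode "passwordfld@$WORK/password" \
  --data "login=1" \
  --data "$(cat "$WORK/csrf.txt")" > /dev/null

# Export key and cert into the work dir first
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php?act=key&id=$CERT_ID" > "$WORK/key.pem"
curl -fsS --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php?act=exp&id=$CERT_ID" > "$WORK/cert.pem"

# A failed login usually returns the login page with status 200; refuse to install anything that does not parse
openssl pkey -noout -in "$WORK/key.pem"
openssl x509 -noout -in "$WORK/cert.pem"
cat "$WORK/key.pem" > /etc/pve/local/pve-ssl.key
cat "$WORK/cert.pem" > /etc/pve/local/pve-ssl.pem

# … unchanged: pveproxy restart and "Done." …
```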
@ -17,27 +17,6 @@
|
|||||||
vars_files:
|
vars_files:
|
||||||
- "vars/vault.yml"
|
- "vars/vault.yml"
|
||||||
|
|
||||||
collections:
|
|
||||||
- ansible.builtin.apt
|
|
||||||
- ansible.builtin.apt_key
|
|
||||||
- ansible.builtin.apt_repository
|
|
||||||
- ansible.builtin.command
|
|
||||||
- ansible.builtin.copy
|
|
||||||
- ansible.builtin.dpkg_selections
|
|
||||||
- ansible.builtin.file
|
|
||||||
- ansible.builtin.get_url
|
|
||||||
- ansible.builtin.git
|
|
||||||
- ansible.builtin.group
|
|
||||||
- ansible.builtin.hostname
|
|
||||||
- ansible.builtin.lineinfile
|
|
||||||
- ansible.builtin.pip
|
|
||||||
- ansible.builtin.reboot
|
|
||||||
- ansible.builtin.stat
|
|
||||||
- ansible.builtin.template
|
|
||||||
- ansible.builtin.user
|
|
||||||
- ansible.posix.authorized_key
|
|
||||||
- ansible.posix.mount
|
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- include_tasks: tasks/users.yml
|
- include_tasks: tasks/users.yml
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
@ -185,11 +164,6 @@
|
|||||||
tags:
|
tags:
|
||||||
- prox
|
- prox
|
||||||
- update
|
- update
|
||||||
pre_tasks:
|
|
||||||
- name: Install sudo
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: sudo
|
|
||||||
state: latest
|
|
||||||
roles:
|
roles:
|
||||||
- role: ironicbadger_ansible-role-proxmox-nag-removal
|
- role: ironicbadger_ansible-role-proxmox-nag-removal
|
||||||
- role: proxmox
|
- role: proxmox
|
||||||
@ -273,6 +247,7 @@
|
|||||||
state: absent
|
state: absent
|
||||||
loop:
|
loop:
|
||||||
- 10-help-text
|
- 10-help-text
|
||||||
|
- 10-uname
|
||||||
- 50-landscape-sysinfo
|
- 50-landscape-sysinfo
|
||||||
- 50-motd-news
|
- 50-motd-news
|
||||||
- 80-livepatch
|
- 80-livepatch
|
||||||
@ -280,8 +255,9 @@
|
|||||||
- 90-updates-available
|
- 90-updates-available
|
||||||
- 91-contract-ua-esm-status
|
- 91-contract-ua-esm-status
|
||||||
- 91-release-upgrade
|
- 91-release-upgrade
|
||||||
|
- 92-unattended-upgrades
|
||||||
- 95-hwe-eol
|
- 95-hwe-eol
|
||||||
when: ansible_distribution == 'Ubuntu'
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
|
|
||||||
- name: Place MoTD
|
- name: Place MoTD
|
||||||
become: "{{ do_become }}"
|
become: "{{ do_become }}"
|
||||||
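Review bot: The extended condition `ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'` is equivalent to `when: ansible_os_family == 'Debian'`, which also covers Proxmox's Debian base without enumerating each derivative. The loop's target path is outside the hunk, but the names match `/etc/update-motd.d` scripts, and `92-unattended-upgrades` appears to be the one that reports unattended-upgrades activity on Ubuntu — if hiding that notice is intended, a comment on the list entry (`# hides the unattended-upgrades summary; status is visible via apt logs`) would save the next reader the question.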
@ -309,7 +285,7 @@
|
|||||||
- pihole
|
- pihole
|
||||||
- -up
|
- -up
|
||||||
|
|
||||||
- name: Install and update OMP
|
- name: Install and update chezmoi
|
||||||
include_tasks: tasks/omp.yml
|
include_tasks: tasks/omp.yml
|
||||||
|
|
||||||
- include_tasks: tasks/remove_prox_ee_apt.yml
|
- include_tasks: tasks/remove_prox_ee_apt.yml
|
||||||
|
@ -10,12 +10,13 @@
|
|||||||
|
|
||||||
- name: Check if OMP is installed
|
- name: Check if OMP is installed
|
||||||
ansible.builtin.stat:
|
ansible.builtin.stat:
|
||||||
path: /opt/scripts/oh-my-posh
|
path: /usr/local/bin/oh-my-posh
|
||||||
register: omp_bin
|
register: omp_bin
|
||||||
|
|
||||||
- name: Check OMP version
|
- name: Check OMP version
|
||||||
when: omp_bin.stat.exists
|
when: omp_bin.stat.exists
|
||||||
ansible.builtin.command: /opt/scripts/oh-my-posh -version
|
ansible.builtin.command: /usr/local/bin/oh-my-posh --version
|
||||||
|
changed_when: false
|
||||||
register: omp_ver
|
register: omp_ver
|
||||||
|
|
||||||
- name: Get latest release of OMP
|
- name: Get latest release of OMP
|
||||||
@ -26,20 +27,46 @@
|
|||||||
register: omp_latest
|
register: omp_latest
|
||||||
|
|
||||||
- name: Download OMP
|
- name: Download OMP
|
||||||
when: not omp_bin.stat.exists or omp_latest != ( "v" + omp_ver )
|
when: not omp_bin.stat.exists or omp_latest.tag != ( "v" + omp_ver.stdout )
|
||||||
become: "{{ do_become }}"
|
become: "{{ do_become }}"
|
||||||
ansible.builtin.get_url:
|
ansible.builtin.get_url:
|
||||||
url: https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/{{ omp_latest.tag }}/posh-linux-{{ apt_arch }}
|
url: https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/{{ omp_latest.tag }}/posh-linux-{{ apt_arch }}
|
||||||
dest: /usr/local/bin/oh-my-posh
|
dest: /usr/local/bin/oh-my-posh
|
||||||
mode: "0744"
|
mode: "0744"
|
||||||
owner: "{{ users.0.username }}"
|
force: "yes"
|
||||||
group: "{{ users.0.groupname }}"
|
|
||||||
|
- name: Check if Chezmoi is installed
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /usr/local/bin/chezmoi
|
||||||
|
register: chezmoi_bin
|
||||||
|
|
||||||
|
- name: Check Chezmoi version
|
||||||
|
when: chezmoi_bin.stat.exists
|
||||||
|
ansible.builtin.command: /usr/local/bin/chezmoi --version
|
||||||
|
changed_when: false
|
||||||
|
register: chezmoi_ver
|
||||||
|
|
||||||
|
- name: Get latest release of Chezmoi
|
||||||
|
community.general.github_release:
|
||||||
|
user: twpayne
|
||||||
|
repo: chezmoi
|
||||||
|
action: latest_release
|
||||||
|
register: chezmoi_latest
|
||||||
|
|
||||||
|
- name: Download Chezmoi
|
||||||
|
when: not chezmoi_bin.stat.exists or chezmoi_latest.tag.split(",")[0] != ( "chezmoi version v" + chezmoi_ver.stdout )
|
||||||
|
become: "{{ do_become }}"
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: https://github.com/twpayne/chezmoi/releases/download/{{ chezmoi_latest.tag }}/chezmoi-linux-{{ apt_arch }}
|
||||||
|
dest: /usr/local/bin/chezmoi
|
||||||
|
mode: "0744"
|
||||||
force: "yes"
|
force: "yes"
|
||||||
|
|
||||||
- name: Add OMP to bash
|
- name: Add OMP to bash
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
path: /home/{{ users.0.username }}/.bashrc
|
path: /home/{{ users.0.username }}/.bashrc
|
||||||
|
search_string: oh-my-posh
|
||||||
line: eval "$(oh-my-posh init bash --config https://gist.github.com/Roxedus/6a11a5dbd37c24ecacf02fb9aef06e15/raw)"
|
line: eval "$(oh-my-posh init bash --config https://gist.github.com/Roxedus/6a11a5dbd37c24ecacf02fb9aef06e15/raw)"
|
||||||
create: yes
|
create: yes
|
||||||
|
|
||||||
|
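Review bot: The chezmoi version comparison in the new "Download Chezmoi" task looks inverted: `chezmoi --version` prints something like `chezmoi version v2.x.y, commit …`, so `"chezmoi version v" + chezmoi_ver.stdout` can never equal `chezmoi_latest.tag.split(",")[0]` (the tag contains no comma) and the binary is re-downloaded on every run; `when: not chezmoi_bin.stat.exists or chezmoi_latest.tag != chezmoi_ver.stdout.split(",")[0] | regex_replace('^chezmoi version ', '')` compares like with like (confirm the exact output format against the installed version). Both `get_url` tasks drop an unverified binary from GitHub into /usr/local/bin to be run as root with no `checksum:`; `get_url` accepts `checksum: sha256:<url-of-the-release-checksums-file>` or a pinned digest, which turns a compromised release or a MITM into a failed task rather than a trojaned shell. `force: "yes"` is a quoted string where a boolean is meant — `force: true`.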
@ -1,10 +1,12 @@
|
|||||||
- name: Ensure groups exists
|
- name: Ensure groups exists
|
||||||
|
when: "inventory_hostname not in groups['prox']"
|
||||||
ansible.builtin.group:
|
ansible.builtin.group:
|
||||||
name: "{{ user.groupname | default(user.username) }}"
|
name: "{{ user.groupname | default(user.username) }}"
|
||||||
gid: "{{ user.gid | default(omit) }}"
|
gid: "{{ user.gid | default(omit) }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add users
|
- name: Add users
|
||||||
|
when: "inventory_hostname not in groups['prox']"
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ user.username }}"
|
name: "{{ user.username }}"
|
||||||
uid: "{{ user.uid | default(omit) }}"
|
uid: "{{ user.uid | default(omit) }}"
|
||||||
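Review bot: `inventory_hostname not in groups['prox']` raises an undefined-variable error on any inventory that has no `prox` group, turning generic user creation into a hard failure for unrelated hosts; `when: "'prox' not in group_names"` expresses the same membership test without assuming the group exists. The guard is repeated on three tasks in this file (the third is in the next hunk) and could be hoisted onto the include's `when`, but that is a style preference.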
@ -14,7 +16,13 @@
|
|||||||
password: "{{ user.password | password_hash('sha512') | default(omit) }}"
|
password: "{{ user.password | password_hash('sha512') | default(omit) }}"
|
||||||
|
|
||||||
- name: Add a Github key ssh key
|
- name: Add a Github key ssh key
|
||||||
when: "user.github is defined"
|
when: "user.github is defined and inventory_hostname not in groups['prox']"
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "{{ user.username }}"
|
user: "{{ user.username }}"
|
||||||
key: "https://github.com/{{ user.github }}.keys"
|
key: "https://github.com/{{ user.github }}.keys"
|
||||||
|
|
||||||
|
- name: Add a Github key ssh key
|
||||||
|
when: inventory_hostname in groups['prox']
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: root
|
||||||
|
key: "https://github.com/{{ user.github }}.keys"
|
||||||
|
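Review bot: The new root-key task lacks the `user.github is defined` guard that the task above keeps, so a user entry without `github` renders `key: "https://github.com/.keys"` and fails the play; mirror the condition with `when: "user.github is defined and inventory_hostname in groups['prox']"`. It also grants every key on that GitHub account root access to all prox hosts — combined with `PermitRootLogin yes` elsewhere in this commit — so a comment stating that trust decision would help, e.g. `# Root on Proxmox hosts trusts every key published on the user's GitHub account.`. Both tasks carry the identical name "Add a Github key ssh key"; renaming this one to `Add Github ssh key to root on Proxmox hosts` keeps play output distinguishable.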