diff --git a/.vscode/settings.json b/.vscode/settings.json index 4cf87fa..b1badae 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,13 @@ { "files.associations": { + "hosts": "ini", "ansible/**/*.yml": "ansible", "ansible/roles/pi_updatelist/files/pihole-updatelists.conf": "ini" }, + "yaml.schemas": { + "https://raw.githubusercontent.com/ansible-community/schemas/main/f/ansible-tasks.json": ["roles/**/tasks/**.yml", "roles/**/tasks/**.yaml"], + "https://raw.githubusercontent.com/ansible-community/schemas/main/f/ansible-playbook.json": ["run.yml", "run.yaml"], + "https://json.schemastore.org/github-workflow": [".github/worflows/**.yml", ".github/worflows/**.yaml"], + "https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json": ["docker-compose.yml", "docker-compose.yaml"] + } } \ No newline at end of file diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 7c21b3d..5939916 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -2,6 +2,10 @@ ansible_become_password: "{{ secret_sudo }}" ntp_timezone: "Europe/Oslo" +do_become: true + +apt_arch: "{{ _apt_arch.stdout }}" + users: - username: roxedus groupname: roxedus @@ -9,9 +13,12 @@ users: uid: "1000" gid: "1000" docker: True + zfs: True passwordless: True github: Roxedus password: "{{ secret_rox_pass }}" + system: + - proxmox package_list: - name: bash-completion diff --git a/ansible/group_vars/docker.yml b/ansible/group_vars/docker.yml index f2a9205..2243e6d 100644 --- a/ansible/group_vars/docker.yml +++ b/ansible/group_vars/docker.yml @@ -2,6 +2,8 @@ docker_install_compose: false docker_users_obj: "{{ users|selectattr('docker', 'defined') }}" docker_users: "{{ docker_users_obj|map(attribute='username') }}" +docker_apt_arch: "{{ apt_arch }}" + docker_daemon_options: log-driver: "journald" log-opts: { "mode": "non-blocking" } 
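Review bot: The github-workflow entry under the new `yaml.schemas` key misspells the directory — `".github/worflows/**.yml"` and `".github/worflows/**.yaml"` should be `".github/workflows/**.yml"` / `".github/workflows/**.yaml"`, so that schema is never matched as written. The other globs (`roles/**/tasks/**.yml`, `run.yml`, `docker-compose.yml`) are resolved against the workspace root, while `files.associations` in the same object prefixes `ansible/`; if the workspace is the repository root they presumably need the same `ansible/` prefix, which is worth verifying against the folder layout.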
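Review bot: `apt_arch: "{{ _apt_arch.stdout }}"` in the first hunk wraps a fact that is only registered by a task in `run.yml` and only on Ubuntu/Debian hosts, so on any other host every consumer of `apt_arch` (`docker_apt_arch`, `tasks/omp.yml`) fails with an undefined-variable error the first time it is rendered. Either give the variable a fallback (`apt_arch: "{{ _apt_arch.stdout | default('') }}"` with consumers guarded by `when: apt_arch != ''`) or set it with `set_fact` in the same play right after the registering task, so the dependency on play order is explicit. In the second hunk `zfs: True` uses the capitalised YAML 1.1 truthy form; it matches the existing `docker: True`, but the rest of this commit moves `yes`/`True` to `true`, so `zfs: true` would keep the file consistent with yamllint's truthy rule.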
diff --git a/ansible/group_vars/kube.yml b/ansible/group_vars/kube.yml deleted file mode 100644 index 0083dbd..0000000 --- a/ansible/group_vars/kube.yml +++ /dev/null @@ -1 +0,0 @@ -kube_ver: 1.19.4-00 diff --git a/ansible/group_vars/piholes.yml b/ansible/group_vars/piholes.yml index 1a616a0..9701ee5 100644 --- a/ansible/group_vars/piholes.yml +++ b/ansible/group_vars/piholes.yml @@ -6,6 +6,11 @@ dnsmasq: host: "{{ secret_wan_domain }}" - ip: 10.0.0.30 host: "{{ secret_unraid_uuid }}.unraid.net" + - ip: 10.0.0.35 + host: "proxmox.{{ dmasq_local_domain }}" + + - ip: 10.0.2.70 + host: "controlplane.kube.{{ dmasq_local_domain }}" - ip: 10.0.2.3 host: "vcenter.man.{{ dmasq_local_domain }}" diff --git a/ansible/group_vars/prox.yml b/ansible/group_vars/prox.yml new file mode 100644 index 0000000..3656882 --- /dev/null +++ b/ansible/group_vars/prox.yml @@ -0,0 +1 @@ +do_become: true diff --git a/ansible/group_vars/zfs.yml b/ansible/group_vars/zfs.yml new file mode 100644 index 0000000..a081b6a --- /dev/null +++ b/ansible/group_vars/zfs.yml @@ -0,0 +1,2 @@ +zfs_ver: 0.8.3-1ubuntu12.12 +zfs_users: "{{ users|selectattr('zfs', 'defined')|map(attribute='username') }}" diff --git a/ansible/requirements.txt b/ansible/requirements.txt index ab943d1..9095998 100644 --- a/ansible/requirements.txt +++ b/ansible/requirements.txt @@ -1,3 +1,6 @@ -ansible==4.4.0 -ansible-base==2.10.13 -jmespath \ No newline at end of file +ansible-lint==5.4.0 +yamllint==1.26.3 +ansible==5.6.0 +ansible-base==2.12.4 +wheel==0.37.1 +jmespath==0.10.0 diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 340a47a..4c66785 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml 
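Review bot: `ansible-base==2.12.4` pins a package that does not exist at that version — `ansible-base` ended with the 2.10 series and became `ansible-core` from 2.11, and `ansible==5.6.0` already depends on `ansible-core` 2.12.x — so pip either fails to resolve this file or the line silently does nothing. Change it to `ansible-core==2.12.4` (or drop the line and let the `ansible` meta-package pin it). Pinning the rest exactly is the right direction; adding `--hash` entries would make this input to the control node reproducible as well.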
@@ -1,6 +1,16 @@ --- roles: - name: geerlingguy.docker + - name: geerlingguy.nfs - name: geerlingguy.ntp - name: geerlingguy.pip - name: geerlingguy.security + - name: alvistack.cri_o + version: "5.4.0" + - name: alvistack.runc + - name: alvistack.crun + - name: alvistack.containers_common + - name: alvistack.conmon + +collections: + - name: sindhuparvathi_gopi.ansible_collection_template diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/README.md b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/README.md new file mode 100644 index 0000000..e54a9b7 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/README.md @@ -0,0 +1,5 @@ +# ironicbadger/ansible-role-proxmox-nag-removal + +This role removes the obnoxious Proxmox 'please subscribe' dialog box from a non subscribed server. It will also by default ensure that the enterprise repos are disabled. + +Tested and working with Proxmox 6.4-1. diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/defaults/main.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/defaults/main.yml new file mode 100644 index 0000000..7749b77 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/defaults/main.yml @@ -0,0 +1,5 @@ +--- + +remove_nag: True +remove_enterprise_repo: True +add_no_subscription_repo: True diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/handlers/main.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/handlers/main.yml new file mode 100644 index 0000000..40fdea3 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: restart pveproxy + service: + name: pveproxy + state: restarted \ No newline at end of file 
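Review bot: Only `alvistack.cri_o` carries a `version`; `geerlingguy.nfs`, `alvistack.runc`, `alvistack.crun`, `alvistack.containers_common`, `alvistack.conmon` and the `sindhuparvathi_gopi.ansible_collection_template` collection resolve to whatever Galaxy serves at install time, and all of them run with `become: true` in `run.yml`, so a later upstream change lands on the hosts without review. Add `version: "<pinned tag>"` (placeholder) to each entry the way `cri_o` does, so the executed content is reproducible. The collection name reads like a template project; if nothing in the repository references it, removing it shrinks what is installed.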
diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/meta/main.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/meta/main.yml new file mode 100644 index 0000000..dab73f9 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/meta/main.yml @@ -0,0 +1,14 @@ +--- +galaxy_info: + author: Alex Kretzschmar + description: Removes Proxmox nag screen + issue_tracker_url: https://github.com/ironicbadger/ansible-role-proxmox-nag-removal/issues + license: GPLv2 + min_ansible_version: 2.7 + platforms: + - name: Debian + versions: + - all + categories: + - system + - web \ No newline at end of file diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/add-no-subscription-repo.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/add-no-subscription-repo.yml new file mode 100644 index 0000000..3932804 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/add-no-subscription-repo.yml @@ -0,0 +1,6 @@ +--- +- name: Add No Subscription Repository + apt_repository: + repo: deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription + filename: pve-no-subscription + state: present diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/main.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/main.yml new file mode 100644 index 0000000..ac446e2 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/main.yml @@ -0,0 +1,12 @@ +--- +- name: removes subscription nag box + include_tasks: remove-nag.yml + when: remove_nag + +- name: remove enterprise repo + include_tasks: remove-enterprise-repo.yml + when: remove_enterprise_repo + +- name: add no subcription repo + include_tasks: add-no-subscription-repo.yml + when: add_no_subscription_repo 
diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/remove-enterprise-repo.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/remove-enterprise-repo.yml new file mode 100644 index 0000000..0cba8ed --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/remove-enterprise-repo.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure enterprise repo file is not present + file: + path: /etc/apt/sources.list.d/pve-enterprise.list + state: absent diff --git a/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/remove-nag.yml b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/remove-nag.yml new file mode 100644 index 0000000..b2bb465 --- /dev/null +++ b/ansible/roles/ironicbadger_ansible-role-proxmox-nag-removal/tasks/remove-nag.yml @@ -0,0 +1,10 @@ +--- +# credit: https://johnscs.com/remove-proxmox51-subscription-notice/ & https://github.com/foundObjects/pve-nag-buster +- name: Modify line in file to remove nag message + become: true + replace: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js + regexp: 'res === null \|\| res === undefined \|\| !res \|\| res[\s\n]*\.data\.status\.toLowerCase\(\) !== .active.' + replace: "false" + backup: yes + notify: restart pveproxy diff --git a/ansible/roles/kubernetes/defaults/main.yml b/ansible/roles/kubernetes/defaults/main.yml new file mode 100644 index 0000000..22e1607 --- /dev/null +++ b/ansible/roles/kubernetes/defaults/main.yml @@ -0,0 +1,4 @@ +kube_release: "1.23" +kube_apt: "{{ kube_release }}.5-00" +cri_o_ver: "{{ kube_release }}:" +cri_o_os: "x{{ ansible_distribution }}_{{ distribution_version }}" diff --git a/ansible/roles/kubernetes/tasks/main.yml b/ansible/roles/kubernetes/tasks/main.yml new file mode 100644 index 0000000..fe14fd2 --- /dev/null +++ b/ansible/roles/kubernetes/tasks/main.yml 
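Review bot: `cri_o_os: "x{{ ansible_distribution }}_{{ distribution_version }}"` references `distribution_version`, which is not a gathered fact — the fact is `ansible_distribution_version` — so rendering this default raises an undefined-variable error. `cri_o_ver: "{{ kube_release }}:"` ends in a bare colon that looks like a left-over from a `channel:version` scheme; neither `cri_o_ver` nor `cri_o_os` is used anywhere in this commit, so either fix both names or drop them until a consumer exists. Quoting `kube_release: "1.23"` is correct, since an unquoted `1.23` would be parsed as a float.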
@@ -0,0 +1,63 @@ +- name: Disable SWAP + when: ansible_memory_mb.swap.total != 0 + register: swap_disable + become: true + ansible.builtin.command: swapoff -a + +- name: Remove swapfile from /etc/fstab + become: true + ansible.posix.mount: + name: "{{ item }}" + fstype: swap + state: absent + with_items: + - swap + +- name: Set up kmsg in LXC # https://kevingoos.medium.com/kubernetes-inside-proxmox-lxc-cce5c9927942 + when: inventory_hostname in groups['lxc_guest'] + become: true + ansible.builtin.copy: + content: | + #!/bin/sh -e + if [ ! -e /dev/kmsg ]; then + ln -s /dev/console /dev/kmsg + fi + mount --make-rshared / + dest: /etc/rc.local + mode: "0755" + +- name: Add Apt signing key Google + become: true + ansible.builtin.apt_key: + url: "{{ item }}" + state: present + loop: + - https://packages.cloud.google.com/apt/doc/apt-key.gpg + +- name: Add repo for kubernetes + become: true + ansible.builtin.apt_repository: + filename: kubernetes + repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main" + mode: "0666" + update_cache: yes + +- name: Install packages + become: true + ansible.builtin.apt: + name: "{{ item }}={{ kube_apt }}" + state: present + with_items: + - kubelet + - kubeadm + - kubectl + +- name: Hold kubernetes version + become: true + ansible.builtin.dpkg_selections: + name: "{{ item }}" + selection: "hold" + with_items: + - kubelet + - kubeadm + - kubectl diff --git a/ansible/roles/pi_dnsmasq/tasks/main.yml b/ansible/roles/pi_dnsmasq/tasks/main.yml index 406c466..3368806 100644 --- a/ansible/roles/pi_dnsmasq/tasks/main.yml +++ b/ansible/roles/pi_dnsmasq/tasks/main.yml @@ -1,5 +1,5 @@ - name: Check if dnsmasq is setup - stat: + ansible.builtin.stat: path: "/etc/dnsmasq.d/" register: dnsmasq_setup @@ -25,7 +25,7 @@ dest: /etc/dnsmasq.d/02-custom.conf - name: Check if PiHole is installed - stat: + ansible.builtin.stat: path: "/usr/local/bin/pihole" register: pihole_bin 
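Review bot: In `Add repo for kubernetes`, `mode: "0666"` makes `/etc/apt/sources.list.d/kubernetes.list` world-writable, so any local account can add an apt source that root will later install from; apt source files should be `mode: "0644"`. `Add Apt signing key Google` imports the key into the global trusted keyring via `apt_key`, which lets that key sign any repository on the host — a keyring file under `/etc/apt/keyrings` referenced with `signed-by=` on the `deb` line scopes it to this repository, and `apt_key` is deprecated upstream in any case. `Disable SWAP` registers `swap_disable` that nothing reads, and `swapoff -a` reports changed on every run; `changed_when: false` (or dropping the `register`) keeps the play idempotent.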
diff --git a/ansible/roles/pihole/tasks/configure.yml b/ansible/roles/pihole/tasks/configure.yml index 46d2752..79d8e70 100644 --- a/ansible/roles/pihole/tasks/configure.yml +++ b/ansible/roles/pihole/tasks/configure.yml @@ -1,4 +1,5 @@ - name: Set pihole webpassword + become: true ansible.builtin.lineinfile: path: /etc/pihole/setupVars.conf regexp: "^WEBPASSWORD=" @@ -6,6 +7,7 @@ create: yes - name: Set pihole theme + become: true ansible.builtin.lineinfile: path: /etc/pihole/setupVars.conf regexp: "^WEBTHEME=" @@ -13,6 +15,7 @@ create: yes - name: Set pihole layout + become: true ansible.builtin.lineinfile: path: /etc/pihole/setupVars.conf regexp: "^WEBUIBOXEDLAYOUT=" @@ -20,13 +23,15 @@ create: yes - name: Set pihole listen + become: true ansible.builtin.lineinfile: path: /etc/pihole/setupVars.conf regexp: "^DNSMASQ_LISTENING=" - line: DNSMASQ_LISTENING=local + line: DNSMASQ_LISTENING=bind create: yes - name: Set pihole fqdn forwarding + become: true ansible.builtin.lineinfile: path: /etc/pihole/setupVars.conf regexp: "^DNS_FQDN_REQUIRED=" @@ -34,6 +39,7 @@ create: yes - name: Set pihole reverse lookup + become: true ansible.builtin.lineinfile: path: /etc/pihole/setupVars.conf regexp: "^DNS_BOGUS_PRIV=" diff --git a/ansible/roles/pihole/tasks/gather.yml b/ansible/roles/pihole/tasks/gather.yml index 6fe56cc..1b783b6 100644 --- a/ansible/roles/pihole/tasks/gather.yml +++ b/ansible/roles/pihole/tasks/gather.yml @@ -1,6 +1,6 @@ - name: Get dependencies for PiHole when: not pihole_setup.stat.exists - become: yes + become: true ansible.builtin.apt: name: [ @@ -34,7 +34,7 @@ state: latest - name: Checkout PiHole - become: yes + become: true ansible.builtin.git: repo: "https://github.com/pi-hole/pi-hole.git" clone: yes diff --git a/ansible/roles/pihole/tasks/main.yml b/ansible/roles/pihole/tasks/main.yml index c71a372..8dfbcfd 100644 --- a/ansible/roles/pihole/tasks/main.yml +++ b/ansible/roles/pihole/tasks/main.yml 
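Review bot: `line: DNSMASQ_LISTENING=bind` switches Pi-hole from answering only the local subnet to answering on every interface it binds, so a host with any non-LAN interface becomes an open resolver, and the hunk records no reason why `local` stopped being sufficient. A comment above the task, e.g. `# bind: answer on all bound interfaces (needed because <reason>); these hosts have no WAN-facing interface`, documents the decision; if the dnsmasq config managed by `pi_dnsmasq` does not already restrict `interface=`, that is the place to limit it. The `become: true` additions mirror the `become: yes` removed from `pihole/tasks/main.yml` in this commit, which is consistent.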
@@ -1,18 +1,17 @@ - name: Check if PiHole is cloned - stat: + ansible.builtin.stat: path: "/etc/pihole" register: pihole_clone - name: Gather PiHole when: not pihole_clone.stat.exists - include: gather.yml + include_tasks: gather.yml - name: Check if PiHole is installed - stat: + ansible.builtin.stat: path: "/usr/local/bin/pihole" register: pihole_bin - name: Configure PiHole when: pihole_bin.stat.exists - include: configure.yml - become: yes + include_tasks: configure.yml diff --git a/ansible/roles/pihole_updatelist/tasks/main.yml b/ansible/roles/pihole_updatelist/tasks/main.yml index 1f08342..d7c99f0 100644 --- a/ansible/roles/pihole_updatelist/tasks/main.yml +++ b/ansible/roles/pihole_updatelist/tasks/main.yml @@ -17,12 +17,12 @@ become: true - name: Check if updatelist is installed - stat: + ansible.builtin.stat: path: "/usr/local/sbin/pihole-updatelists" register: updatelist_exec - name: Activate changes - when: updatelist.changed and updatelist_exec.stat.exists + when: updatelist_exec.stat.exists become: true ansible.builtin.command: argv: diff --git a/ansible/roles/proxmox/tasks/create_user.yml b/ansible/roles/proxmox/tasks/create_user.yml new file mode 100644 index 0000000..8fc71d2 --- /dev/null +++ b/ansible/roles/proxmox/tasks/create_user.yml @@ -0,0 +1,14 @@ +- name: Create user + become: "{{ do_become }}" + command: + argv: + - pvesh + - create + - /access/users + - --userid + - "{{ item.username }}@pam" + - --comment + - "Managed by Ansible" + - --password + - "{{ item.password | default(None) }}" + - --output-format=json diff --git a/ansible/roles/proxmox/tasks/main.yml b/ansible/roles/proxmox/tasks/main.yml new file mode 100644 index 0000000..4e80063 --- /dev/null +++ b/ansible/roles/proxmox/tasks/main.yml 
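Review bot: Dropping `updatelist.changed` from the `Activate changes` condition makes the command run on every play as long as the binary exists, so the task reports changed each time and re-applies the lists unconditionally. If the registered `updatelist` result still exists earlier in the file, `when: updatelist is changed and updatelist_exec.stat.exists` keeps the original idempotency; if it was removed, add a `changed_when` to the command instead. The `Activate changes` task body continues outside the hunk.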
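Review bot: `Create user` passes `{{ item.password }}` to `pvesh` as a command-line argument and has no `no_log: true`, so the plaintext password is printed in Ansible's task output, kept by any callback or log plugin, and visible in the process list on the Proxmox host for the duration of the call. Add `no_log: true` to the task; the argv exposure on the host is inherent to `pvesh create --password` and deserves a comment. `"{{ item.password | default(None) }}"` also renders the Python `None` as the literal string `None` under the default (non-native) Jinja, so a user with no password key is created with the password `None` — either require the key (`when: item.password is defined`) or build `argv` without `--password` in that case. A `changed_when`/`creates`-style guard is not needed here because `Create users` in `main.yml` already skips existing users.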
@@ -0,0 +1,34 @@ +- name: Get users + become: "{{ do_become }}" + command: + argv: + - pvesh + - get + - /access/users + - --output-format=json + register: pve_users + +- name: Create users + when: item.username not in (pve_users.stdout | from_json | community.general.json_query('[*].userid') |replace("@pam", "")) + include_tasks: create_user.yml + loop: "{{ users | selectattr('system', 'contains', 'proxmox') | flatten(levels=1) }}" + +- name: Disable SWAP sysctl on host + become: true + ansible.posix.sysctl: + name: vm.swappiness + value: "0" + state: present + +- name: Disable SWAP on host + become: true + ansible.builtin.command: swapoff -a + +- name: Remove swapfile from /etc/fstab on host + become: true + ansible.posix.mount: + name: "{{ item }}" + fstype: swap + state: absent + with_items: + - swap diff --git a/ansible/roles/zfs/defaults/main.yml b/ansible/roles/zfs/defaults/main.yml new file mode 100644 index 0000000..0eca753 --- /dev/null +++ b/ansible/roles/zfs/defaults/main.yml @@ -0,0 +1,2 @@ +zfs_ver: 0.8.3-1ubuntu12.9 +zfs_users: user diff --git a/ansible/roles/zfs/tasks/install.yml b/ansible/roles/zfs/tasks/install.yml new file mode 100644 index 0000000..fdc5f14 --- /dev/null +++ b/ansible/roles/zfs/tasks/install.yml @@ -0,0 +1,15 @@ +- name: Install packages + become: true + ansible.builtin.apt: + name: "{{ item }}={{ zfs_ver }}" + state: present + with_items: + - zfsutils-linux + +- name: Hold ZFS version + become: true + ansible.builtin.dpkg_selections: + name: "{{ item }}" + selection: "hold" + with_items: + - zfsutils-linux diff --git a/ansible/roles/zfs/tasks/main.yml b/ansible/roles/zfs/tasks/main.yml new file mode 100644 index 0000000..ffd5b43 --- /dev/null +++ b/ansible/roles/zfs/tasks/main.yml 
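Review bot: `Get users` (`pvesh get /access/users`) is read-only but has no `changed_when: false`, so it reports changed on every run, and `Disable SWAP on host` does the same with `swapoff -a`; add `changed_when: false` to the first and a `when: ansible_memory_mb.swap.total != 0` guard, as the kubernetes role does, to the second. `selectattr('system', 'contains', 'proxmox')` in `Create users` applies the `contains` test to users that have no `system` key (only one entry in `group_vars/all.yml` sets it), which may raise under strict undefined handling — `selectattr('system', 'defined') | selectattr('system', 'contains', 'proxmox')` avoids that. The `when` strips `@pam` with `replace` before comparing, so a same-named account in another realm is treated as already present; presumably intended, but worth a comment.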
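Review bot: `zfs_users: user` is a plain string, but `roles/zfs/tasks/main.yml` iterates it with `loop: "{{ zfs_users }}"` and Ansible rejects a string there (`loop` requires a list), so the role fails whenever the default is not overridden. Make the default a list — `zfs_users: []` is the safest, since the group_vars override in `group_vars/zfs.yml` already yields a list. `zfs_ver: 0.8.3-1ubuntu12.9` here and `12.12` in `group_vars/zfs.yml` are different pins; the group var wins, so the default is already stale, and quoting the version string avoids parser surprises.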
@@ -0,0 +1,15 @@ +- name: Check if ZFS is installed + ansible.builtin.stat: + path: "/usr/sbin/zfs" + register: zfs_bin + +- name: Install ZFS + when: not zfs_bin.stat.exists + include_tasks: install.yml + +- name: Give user passwordless access to ZFS commands + become: true + lineinfile: + path: /etc/sudoers + line: "{{ item }} ALL=(ALL) NOPASSWD: /usr/sbin/zfs,/usr/sbin/zpool" + loop: "{{ zfs_users }}" diff --git a/ansible/run.yml b/ansible/run.yml index c3e9c7a..b018cb0 100644 --- a/ansible/run.yml +++ b/ansible/run.yml @@ -1,5 +1,16 @@ - hosts: all - become: yes + become: "{{ do_become }}" + tags: [always] + vars_files: + - "vars/vault.yml" + tasks: + - name: Get dpkg arch + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' + ansible.builtin.shell: dpkg --print-architecture + register: _apt_arch + +- hosts: all:!unifi + become: "{{ do_become }}" tags: [never, init] vars_files: - "vars/vault.yml" @@ -7,18 +18,23 @@ collections: - ansible.builtin.apt - ansible.builtin.apt_key + - ansible.builtin.apt_repository + - ansible.builtin.command + - ansible.builtin.copy + - ansible.builtin.dpkg_selections + - ansible.builtin.file + - ansible.builtin.get_url - ansible.builtin.git - ansible.builtin.group - ansible.builtin.hostname - ansible.builtin.lineinfile - ansible.builtin.pip - ansible.builtin.reboot + - ansible.builtin.stat + - ansible.builtin.template - ansible.builtin.user - ansible.posix.authorized_key - ansible.posix.mount - - ansible.builtin.command - - ansible.builtin.apt_repository - - ansible.builtin.dpkg_selections pre_tasks: - include_tasks: tasks/users.yml @@ -52,7 +68,11 @@ test_command: uptime when: new_hostname.changed + - include_tasks: tasks/remove_prox_ee_apt.yml + when: inventory_hostname in groups['prox'] + - name: Update apt cache + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' ansible.builtin.apt: update_cache: true cache_valid_time: 1 
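Review bot: `Give user passwordless access to ZFS commands` edits `/etc/sudoers` with `lineinfile` and no `validate:`, so one malformed entry (for example a `zfs_users` value containing a space) breaks sudo for every account on the host at once. Add `validate: /usr/sbin/visudo -cf %s` to the task, or better write a drop-in `/etc/sudoers.d/zfs-{{ item }}` with `mode: "0440"` and the same validate, which also removes cleanly when a user is dropped. The rule grants `/usr/sbin/zfs,/usr/sbin/zpool` with any arguments, so these users can destroy pools and change mountpoints as root; that is the stated intent, but a comment naming why helps the next reader.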
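Review bot: `Get dpkg arch` uses `ansible.builtin.shell` for a single command with no shell features and has no `changed_when: false`, so every run reports this play as changed; `ansible.builtin.command: dpkg --print-architecture` with `changed_when: false` is the idiomatic form. Because the task is skipped on non-Debian hosts, `_apt_arch.stdout` is undefined there and the `apt_arch` group variable that wraps it fails on first use; a `set_fact` in this play guarded by `when: _apt_arch.stdout is defined` would make that explicit. The play also runs with `become: "{{ do_become }}"` for every host although this command needs no privileges.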
@@ -60,9 +80,10 @@ roles: - role: geerlingguy.ntp - role: geerlingguy.security - + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' tasks: - name: Install packages + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' ansible.builtin.apt: name: "{{ item.name | default(omit) }}" state: latest @@ -70,8 +91,13 @@ with_items: - "{{package_list}}" + - name: Install pip packages + ansible.builtin.pip: + name: + - github3.py + - hosts: docker - become: yes + become: true tags: [docker] vars_files: - "vars/vault.yml" @@ -81,10 +107,6 @@ name: - docker - - name: Get DEB architecture - shell: dpkg --print-architecture - register: deb_architecture - - name: Create plugin directory if not present ansible.builtin.file: path: "/home/{{ item.username }}/.docker/cli-plugins/" 
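Review bot: `Install pip packages` installs `github3.py` with no version pin, system-wide (the play runs with `become`), so whatever PyPI serves at run time lands on every host, while the project's `requirements.txt` pins everything else exactly. Use `name: github3.py==<pinned version>` (placeholder for the version you tested) and `state: present` so later runs do not silently upgrade. The package is presumably needed by `community.general.github_release` used in later plays; a comment saying so would help.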
@@ -94,68 +116,81 @@ mode: "0775" loop: "{{ docker_users_obj }}" + - name: Get latest release of a public repository + community.general.github_release: + user: docker + repo: compose + action: latest_release + register: comp_cli + - name: Install compose plugin ansible.builtin.get_url: - url: "https://github.com/docker/compose-cli/releases/download/v2.0.0-rc.1/docker-compose-linux-{{ deb_architecture.stdout }}" - dest: "/home/{{ item.username }}/.docker/cli-plugins/docker-compose" + url: "https://github.com/docker/compose/releases/download/{{comp_cli.tag}}/docker-compose-linux-{{ ansible_architecture }}" + dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose" mode: "0755" - owner: "{{ item.username }}" - group: "{{ item.groupname }}" - loop: "{{ docker_users_obj }}" + owner: "{{ users.0.username }}" + group: "{{ users.0.groupname }}" roles: - role: geerlingguy.docker + when: ansible_distribution == 'Ubuntu' - hosts: kube - become: yes tags: [never, init, kube] vars_files: - "vars/vault.yml" tasks: - - name: Disable SWAP - # ansible.builtin.comman - command: swapoff -a + - name: Include Cri-O role + include_role: + name: alvistack.cri_o + apply: + become: true + - name: Include Runc role + include_role: + name: alvistack.runc + apply: + become: true + - name: Include Crun role + include_role: + name: alvistack.crun + apply: + become: true + - name: Include containers_common role + include_role: + name: alvistack.containers_common + apply: + become: true + - name: Include conmon role + include_role: + name: alvistack.conmon + apply: + become: true + - name: Include Kubernetes role + include_role: + name: kubernetes + - name: Include ZFS role + when: inventory_hostname in groups['zfs'] + include_role: + name: zfs + - name: Include NFS role + when: inventory_hostname in groups['nfs'] + include_role: + name: geerlingguy.nfs + apply: + become: true - - name: Remove swapfile from /etc/fstab - ansible.posix.mount: - name: "{{ item }}" - fstype: swap - 
state: absent - with_items: - - swap - - - name: Add Apt signing key Google - ansible.builtin.apt_key: - url: "{{ item }}" - state: present - loop: - - https://packages.cloud.google.com/apt/doc/apt-key.gpg - - - name: Add repo for kubernetes - ansible.builtin.apt_repository: - filename: kubernetes - repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main" - mode: "0666" - update_cache: yes - - - name: Install packages +- hosts: prox + vars_files: + - "vars/vault.yml" + tags: [update, prox] + pre_tasks: + - name: Install sudo ansible.builtin.apt: - name: "{{ item }}={{ kube_ver }}" - state: present - with_items: - - kubelet - - kubeadm - - kubectl - - - name: Hold kubernetes version - become: yes - ansible.builtin.dpkg_selections: - name: "{{ item }}" - selection: "hold" - with_items: - - kubelet - - kubeadm - - kubectl + name: sudo + state: latest + roles: + - role: ironicbadger_ansible-role-proxmox-nag-removal + - role: proxmox - hosts: piholes vars_files: @@ -165,9 +200,43 @@ - role: pihole_updatelist - role: pi_dnsmasq - role: pihole + tasks: + - name: Install packages + become: true + ansible.builtin.apt: + name: libraspberrypi-bin -- hosts: all - become: yes + - name: Place PoE fan file + become: true + ansible.builtin.copy: + content: | + # Ansible managed + + dtoverlay=rpi-poe + dtparam=poe_fan_temp0=57000 + dtparam=poe_fan_temp1=60000 + dtparam=poe_fan_temp2=63000 + dtparam=poe_fan_temp3=66000 + dest: /boot/firmware/usercfg.txt + +# - hosts: usg +# vars_files: +# - "vars/vault.yml" +# - "vars/wireguard.yml" +# tags: [network, ubnt] +# roles: +# - role: usg + +# - hosts: cloud_key +# vars_files: +# - "vars/vault.yml" +# - "vars/wireguard.yml" +# tags: [network, ubnt] +# roles: +# - role: cloud_key + +- hosts: all:!unifi + become: "{{ do_become }}" tags: [update] vars_files: - "vars/vault.yml" 
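Review bot: `Install compose plugin` now fetches `docker-compose-linux-{{ ansible_architecture }}` for whatever `latest_release` returned, and `get_url` has no `checksum:`, so an unpinned binary with no integrity check is installed into `users.0.username`'s `cli-plugins` directory on every docker host — the removed line at least pinned `v2.0.0-rc.1`. Pin the tag in a variable instead of `action: latest_release`, or pass `checksum: sha256:<url of the release checksum file>` so the download is verified; `tasks/omp.yml` in this commit has the same gap. The `include_role: kubernetes` entry has no `apply: become` unlike the alvistack roles above it, which is fine because its tasks set `become` individually, but `Install sudo` in the new `prox` play runs without `become` and with `state: latest`, which presumably relies on connecting as root — a comment stating that avoids a surprise.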
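Review bot: `Place PoE fan file` writes `content:` to `/boot/firmware/usercfg.txt` with `copy`, which replaces the whole file, so any settings already in it are lost on the first run. Use `blockinfile` with a marker if other entries may exist, or add `backup: true` to the copy; if the file is meant to be fully managed, a comment saying so is enough. `Install packages` with `name: libraspberrypi-bin` omits `state`, which defaults to present — correct, but the project's other apt tasks set it explicitly.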
@@ -175,6 +244,7 @@ tasks: # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/ - name: Update packages + when: ansible_distribution == 'Ubuntu' ansible.builtin.apt: update_cache: "True" force_apt_get: "True" @@ -191,12 +261,13 @@ - 50-motd-news - 80-livepatch - 90-updates-available + - 91-release-upgrade - 95-hwe-eol when: ansible_distribution == 'Ubuntu' - name: Check if pi-hole is installed when: inventory_hostname in groups['piholes'] - stat: + ansible.builtin.stat: path: "/usr/local/bin/pihole" register: pihole_exec @@ -208,14 +279,22 @@ - pihole - -up + - name: Install and update OMP + include_tasks: tasks/omp.yml + + - include_tasks: tasks/remove_prox_ee_apt.yml + when: inventory_hostname in groups['prox'] + - name: Check if a reboot is needed for Debian and Ubuntu boxes register: reboot_required_file - stat: + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' + ansible.builtin.stat: path: /var/run/reboot-required get_md5: no - name: Reboot the server throttle: 1 + when: reboot_required_file.stat.exists and (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian') ansible.builtin.reboot: msg: "Reboot initiated by Ansible due to kernel updates" connect_timeout: 5 @@ -223,4 +302,3 @@ pre_reboot_delay: 0 post_reboot_delay: 30 test_command: uptime - when: reboot_required_file.stat.exists diff --git a/ansible/tasks/omp.yml b/ansible/tasks/omp.yml new file mode 100644 index 0000000..97a1fad --- /dev/null +++ b/ansible/tasks/omp.yml 
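Review bot: `Update packages` gets `when: ansible_distribution == 'Ubuntu'`, while the sibling tasks changed in this commit (`Check if a reboot is needed`, `Reboot the server`) use `'Ubuntu' or 'Debian'`, so the Debian-based Proxmox hosts in `all:!unifi` are checked for a pending reboot but never actually upgraded. Either broaden it to `when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'` or note in a comment that Proxmox updates are handled elsewhere. The body of `Update packages` continues past the hunk.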
@@ -0,0 +1,34 @@ +- name: Check if OMP is installed + ansible.builtin.stat: + path: /opt/scripts/oh-my-posh + register: omp_bin + +- name: Check OMP version + when: omp_bin.stat.exists + ansible.builtin.command: /opt/scripts/oh-my-posh -version + register: omp_ver + +- name: Get latest release of OMP + community.general.github_release: + user: JanDeDobbeleer + repo: oh-my-posh + action: latest_release + register: omp_latest + +- name: Download OMP + when: not omp_bin.stat.exists or omp_latest != ( "v" + omp_ver ) + become: "{{ do_become }}" + ansible.builtin.get_url: + url: https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/{{ omp_latest.tag }}/posh-linux-{{ apt_arch }} + dest: /usr/local/bin/oh-my-posh + mode: "0744" + owner: "{{ users.0.username }}" + group: "{{ users.0.groupname }}" + force: "yes" + +- name: Add OMP to bash + ansible.builtin.lineinfile: + mode: "0644" + path: /home/{{ users.0.username }}/.bashrc + line: eval "$(oh-my-posh --init --shell bash --config https://gist.githubusercontent.com/Roxedus/6a11a5dbd37c24ecacf02fb9aef06e15/raw/bd0955596238ab4e31db64c0ab1551c0ee375619/oh-my.posh.json)" + create: yes diff --git a/ansible/tasks/remove_prox_ee_apt.yml b/ansible/tasks/remove_prox_ee_apt.yml new file mode 100644 index 0000000..872897e --- /dev/null +++ b/ansible/tasks/remove_prox_ee_apt.yml @@ -0,0 +1,6 @@ +- name: Remove PVE EE repo + ansible.builtin.file: + path: /etc/apt/sources.list.d/{{ item }}.list + state: absent + loop: + - pve-enterprise diff --git a/ansible/tasks/users.yml b/ansible/tasks/users.yml index 16d88b2..19d59c6 100644 --- a/ansible/tasks/users.yml +++ b/ansible/tasks/users.yml 
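Review bot: `Check if OMP is installed` stats `/opt/scripts/oh-my-posh` but `Download OMP` writes to `/usr/local/bin/oh-my-posh`, so `omp_bin.stat.exists` is never true and the binary is re-downloaded every run; the `when` also compares `omp_latest` (a module result dict) with `"v" + omp_ver` (a command result dict), which can never be equal — `when: not omp_bin.stat.exists or omp_latest.tag != "v" ~ omp_ver.stdout`, with both paths pointing at the same file, is presumably what was meant. The download has no `checksum:` and installs an executable into `/usr/local/bin` owned by an unprivileged user with `mode: "0744"`, so that account can replace a binary on every user's `PATH`; keep it root-owned with `mode: "0755"` and verify it against the release's checksum file. `force: "yes"` is a quoted string where a boolean is expected; write `force: true`.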
@@ -1,17 +1,17 @@ - name: Ensure groups exists ansible.builtin.group: - name: "{{ user.groupname }}" - gid: "{{ user.gid | default(None) }}" + name: "{{ user.groupname | default(user.username) }}" + gid: "{{ user.gid | default(omit) }}" state: present - name: Add users ansible.builtin.user: name: "{{ user.username }}" - uid: "{{ user.uid | default(None) }}" + uid: "{{ user.uid | default(omit) }}" group: "{{ user.groupname | default(user.username) }}" shell: "{{ user.shell | default('/bin/bash') }}" - move_home: "{{ user.home | default(None) }}" - password: "{{ user.password | default(None) }}" + move_home: "{{ user.home | default(omit) }}" + password: "{{ user.password | password_hash('sha512') | default(omit) }}" - name: Add a Github key ssh key when: "user.github is defined"
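Review bot: `password: "{{ user.password | password_hash('sha512') | default(omit) }}"` applies `password_hash` before `default`, so for a user without a `password` key the hash filter presumably receives the undefined value and the task errors rather than omitting the field; the intended form is `password: "{{ (user.password | password_hash('sha512')) if user.password is defined else omit }}"`. Without a fixed salt, `password_hash('sha512')` produces a different hash every run, so the task reports changed and rewrites the shadow entry each time; pass a per-user salt from the vault or add `update_password: on_create`. `move_home` is a boolean option, yet `"{{ user.home | default(omit) }}"` feeds it a path — `home:` was presumably meant.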