A lil TLC
This commit is contained in:
parent
bdbc512647
commit
39b0938d27
7
.vscode/settings.json
vendored
7
.vscode/settings.json
vendored
@ -1,6 +1,13 @@
|
|||||||
{
|
{
|
||||||
"files.associations": {
|
"files.associations": {
|
||||||
|
"hosts": "ini",
|
||||||
"ansible/**/*.yml": "ansible",
|
"ansible/**/*.yml": "ansible",
|
||||||
"ansible/roles/pi_updatelist/files/pihole-updatelists.conf": "ini"
|
"ansible/roles/pi_updatelist/files/pihole-updatelists.conf": "ini"
|
||||||
},
|
},
|
||||||
|
"yaml.schemas": {
|
||||||
|
"https://raw.githubusercontent.com/ansible-community/schemas/main/f/ansible-tasks.json": ["roles/**/tasks/**.yml", "roles/**/tasks/**.yaml"],
|
||||||
|
"https://raw.githubusercontent.com/ansible-community/schemas/main/f/ansible-playbook.json": ["run.yml", "run.yaml"],
|
||||||
|
"https://json.schemastore.org/github-workflow": [".github/worflows/**.yml", ".github/worflows/**.yaml"],
|
||||||
|
"https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json": ["docker-compose.yml", "docker-compose.yaml"]
|
||||||
|
}
|
||||||
}
|
}
|
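Review bot: The github-workflow schema globs on the line `"https://json.schemastore.org/github-workflow": [".github/worflows/**.yml", ".github/worflows/**.yaml"]` misspell the directory as `worflows`, so the schema never attaches to anything under `.github/workflows/` and workflow files get no editor validation; the fix is `[".github/workflows/**.yml", ".github/workflows/**.yaml"]`. The ansible-tasks and ansible-playbook globs (`roles/**/tasks/**.yml`, `run.yml`) are relative to the workspace root, while every Ansible path elsewhere in this commit lives under `ansible/`, so they likely do not match either and `ansible/roles/**/tasks/**.yml` / `ansible/run.yml` would. The compose-spec mapping is fine as written.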
@ -2,6 +2,10 @@ ansible_become_password: "{{ secret_sudo }}"
|
|||||||
|
|
||||||
ntp_timezone: "Europe/Oslo"
|
ntp_timezone: "Europe/Oslo"
|
||||||
|
|
||||||
|
do_become: true
|
||||||
|
|
||||||
|
apt_arch: "{{ _apt_arch.stdout }}"
|
||||||
|
|
||||||
users:
|
users:
|
||||||
- username: roxedus
|
- username: roxedus
|
||||||
groupname: roxedus
|
groupname: roxedus
|
||||||
@ -9,9 +13,12 @@ users:
|
|||||||
uid: "1000"
|
uid: "1000"
|
||||||
gid: "1000"
|
gid: "1000"
|
||||||
docker: True
|
docker: True
|
||||||
|
zfs: True
|
||||||
passwordless: True
|
passwordless: True
|
||||||
github: Roxedus
|
github: Roxedus
|
||||||
password: "{{ secret_rox_pass }}"
|
password: "{{ secret_rox_pass }}"
|
||||||
|
system:
|
||||||
|
- proxmox
|
||||||
|
|
||||||
package_list:
|
package_list:
|
||||||
- name: bash-completion
|
- name: bash-completion
|
||||||
|
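Review bot: `zfs: True` (beside the pre-existing `docker: True`) uses the capitalised YAML 1.1 boolean spelling while the rest of this commit writes `true`, and yamllint's `truthy` rule flags it; `zfs: true` keeps the file consistent. Note that the consumers in `group_vars/docker.yml` and `group_vars/zfs.yml` select on `selectattr('zfs', 'defined')`, which treats `zfs: false` exactly like `zfs: true`, so a user cannot be opted out by setting the key to false — if that is ever wanted the consumer side needs `selectattr('zfs', 'equalto', true)`. `apt_arch: "{{ _apt_arch.stdout }}"` is only resolvable after the `Get dpkg arch` task in `run.yml` has actually run; on a host where that task is skipped by its `when:`, `_apt_arch` is registered without `stdout` and any later reference to `apt_arch` would fail at template time, so a fallback such as `"{{ _apt_arch.stdout | default(ansible_architecture) }}"` is worth considering.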
@ -2,6 +2,8 @@ docker_install_compose: false
|
|||||||
docker_users_obj: "{{ users|selectattr('docker', 'defined') }}"
|
docker_users_obj: "{{ users|selectattr('docker', 'defined') }}"
|
||||||
docker_users: "{{ docker_users_obj|map(attribute='username') }}"
|
docker_users: "{{ docker_users_obj|map(attribute='username') }}"
|
||||||
|
|
||||||
|
docker_apt_arch: "{{ apt_arch }}"
|
||||||
|
|
||||||
docker_daemon_options:
|
docker_daemon_options:
|
||||||
log-driver: "journald"
|
log-driver: "journald"
|
||||||
log-opts: { "mode": "non-blocking" }
|
log-opts: { "mode": "non-blocking" }
|
||||||
|
@ -1 +0,0 @@
|
|||||||
kube_ver: 1.19.4-00
|
|
@ -6,6 +6,11 @@ dnsmasq:
|
|||||||
host: "{{ secret_wan_domain }}"
|
host: "{{ secret_wan_domain }}"
|
||||||
- ip: 10.0.0.30
|
- ip: 10.0.0.30
|
||||||
host: "{{ secret_unraid_uuid }}.unraid.net"
|
host: "{{ secret_unraid_uuid }}.unraid.net"
|
||||||
|
- ip: 10.0.0.35
|
||||||
|
host: "proxmox.{{ dmasq_local_domain }}"
|
||||||
|
|
||||||
|
- ip: 10.0.2.70
|
||||||
|
host: "controlplane.kube.{{ dmasq_local_domain }}"
|
||||||
|
|
||||||
- ip: 10.0.2.3
|
- ip: 10.0.2.3
|
||||||
host: "vcenter.man.{{ dmasq_local_domain }}"
|
host: "vcenter.man.{{ dmasq_local_domain }}"
|
||||||
|
1
ansible/group_vars/prox.yml
Normal file
1
ansible/group_vars/prox.yml
Normal file
@ -0,0 +1 @@
|
|||||||
|
do_become: true
|
2
ansible/group_vars/zfs.yml
Normal file
2
ansible/group_vars/zfs.yml
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
zfs_ver: 0.8.3-1ubuntu12.12
|
||||||
|
zfs_users: "{{ users|selectattr('zfs', 'defined')|map(attribute='username') }}"
|
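Review bot: `zfs_users: "{{ users|selectattr('zfs', 'defined')|map(attribute='username') }}"` selects on the key being present rather than true, so a user entry with `zfs: false` still lands in the list that `roles/zfs/tasks/main.yml` grants passwordless sudo for `zfs`/`zpool` to; `selectattr('zfs', 'equalto', true)` (or the bare `selectattr('zfs')` truthiness test) is the safer filter for a privilege grant. The same pattern exists in `docker_users_obj` in `group_vars/docker.yml`. `zfs_ver: 0.8.3-1ubuntu12.12` only parses as a string because it contains letters; quoting it like `kube_release: "1.23"` elsewhere in this commit avoids a surprise if the suffix ever becomes all-numeric.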
@ -1,3 +1,6 @@
|
|||||||
ansible==4.4.0
|
ansible-lint==5.4.0
|
||||||
ansible-base==2.10.13
|
yamllint==1.26.3
|
||||||
jmespath
|
ansible==5.6.0
|
||||||
|
ansible-base==2.12.4
|
||||||
|
wheel==0.37.1
|
||||||
|
jmespath==0.10.0
|
||||||
|
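Review bot: `ansible-base==2.12.4` is unlikely to resolve: the `ansible-base` distribution name covers the 2.10 series and was renamed to `ansible-core` from 2.11 onward, and `ansible==5.6.0` already depends on `ansible-core` 2.12.x, so this line should be dropped or, if an explicit pin is wanted, replaced with `ansible-core==2.12.4` (confirm against the index before pinning). Pinning `jmespath` and `wheel` where they were previously floating is an improvement. `ansible-lint` and `yamllint` are tooling-only and could live in a separate dev requirements file, but that is a style choice.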
@ -1,6 +1,16 @@
|
|||||||
---
|
---
|
||||||
roles:
|
roles:
|
||||||
- name: geerlingguy.docker
|
- name: geerlingguy.docker
|
||||||
|
- name: geerlingguy.nfs
|
||||||
- name: geerlingguy.ntp
|
- name: geerlingguy.ntp
|
||||||
- name: geerlingguy.pip
|
- name: geerlingguy.pip
|
||||||
- name: geerlingguy.security
|
- name: geerlingguy.security
|
||||||
|
- name: alvistack.cri_o
|
||||||
|
version: "5.4.0"
|
||||||
|
- name: alvistack.runc
|
||||||
|
- name: alvistack.crun
|
||||||
|
- name: alvistack.containers_common
|
||||||
|
- name: alvistack.conmon
|
||||||
|
|
||||||
|
collections:
|
||||||
|
- name: sindhuparvathi_gopi.ansible_collection_template
|
||||||
|
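Review bot: The new `collections:` entry names `sindhuparvathi_gopi.ansible_collection_template`, which from its name looks like a scaffold collection rather than anything the playbooks call, while the collections the plays actually use (`ansible.posix.mount`/`sysctl` in the kubernetes and proxmox roles, `community.general.github_release` and `community.general.json_query` in `run.yml`, `tasks/omp.yml` and `roles/proxmox/tasks/main.yml`) are not listed at all; `- name: ansible.posix` and `- name: community.general` are the entries `ansible-galaxy install -r` needs. Only `alvistack.cri_o` carries a `version:`; the other four alvistack roles and `geerlingguy.nfs` are unpinned, so a fresh install can pull a different revision than the one that was tested, and pinning them is the cheap supply-chain control here. The quoted `version: "5.4.0"` is the right form to copy for the others.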
@ -0,0 +1,5 @@
|
|||||||
|
# ironicbadger/ansible-role-proxmox-nag-removal
|
||||||
|
|
||||||
|
This role removes the obnoxious Proxmox 'please subscribe' dialog box from a non subscribed server. It will also by default ensure that the enterprise repos are disabled.
|
||||||
|
|
||||||
|
Tested and working with Proxmox 6.4-1.
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
remove_nag: True
|
||||||
|
remove_enterprise_repo: True
|
||||||
|
add_no_subscription_repo: True
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: restart pveproxy
|
||||||
|
service:
|
||||||
|
name: pveproxy
|
||||||
|
state: restarted
|
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
galaxy_info:
|
||||||
|
author: Alex Kretzschmar
|
||||||
|
description: Removes Proxmox nag screen
|
||||||
|
issue_tracker_url: https://github.com/ironicbadger/ansible-role-proxmox-nag-removal/issues
|
||||||
|
license: GPLv2
|
||||||
|
min_ansible_version: 2.7
|
||||||
|
platforms:
|
||||||
|
- name: Debian
|
||||||
|
versions:
|
||||||
|
- all
|
||||||
|
categories:
|
||||||
|
- system
|
||||||
|
- web
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: Add No Subscription Repository
|
||||||
|
apt_repository:
|
||||||
|
repo: deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription
|
||||||
|
filename: pve-no-subscription
|
||||||
|
state: present
|
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
- name: removes subscription nag box
|
||||||
|
include_tasks: remove-nag.yml
|
||||||
|
when: remove_nag
|
||||||
|
|
||||||
|
- name: remove enterprise repo
|
||||||
|
include_tasks: remove-enterprise-repo.yml
|
||||||
|
when: remove_enterprise_repo
|
||||||
|
|
||||||
|
- name: add no subcription repo
|
||||||
|
include_tasks: add-no-subscription-repo.yml
|
||||||
|
when: add_no_subscription_repo
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure enterprise repo file is not present
|
||||||
|
file:
|
||||||
|
path: /etc/apt/sources.list.d/pve-enterprise.list
|
||||||
|
state: absent
|
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
# credit: https://johnscs.com/remove-proxmox51-subscription-notice/ & https://github.com/foundObjects/pve-nag-buster
|
||||||
|
- name: Modify line in file to remove nag message
|
||||||
|
become: true
|
||||||
|
replace:
|
||||||
|
path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
|
||||||
|
regexp: 'res === null \|\| res === undefined \|\| !res \|\| res[\s\n]*\.data\.status\.toLowerCase\(\) !== .active.'
|
||||||
|
replace: "false"
|
||||||
|
backup: yes
|
||||||
|
notify: restart pveproxy
|
4
ansible/roles/kubernetes/defaults/main.yml
Normal file
4
ansible/roles/kubernetes/defaults/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
kube_release: "1.23"
|
||||||
|
kube_apt: "{{ kube_release }}.5-00"
|
||||||
|
cri_o_ver: "{{ kube_release }}:"
|
||||||
|
cri_o_os: "x{{ ansible_distribution }}_{{ distribution_version }}"
|
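Review bot: `cri_o_os: "x{{ ansible_distribution }}_{{ distribution_version }}"` references `distribution_version`, which is not a gathered fact (the fact is `ansible_distribution_version`), so rendering this variable fails with an undefined-variable error unless something outside this commit defines it; `"x{{ ansible_distribution }}_{{ ansible_distribution_version }}"` is presumably what was meant. `cri_o_ver: "{{ kube_release }}:"` ends in a trailing colon that reads like a leftover from a longer path, and nothing in this commit appears to consume either variable, so a one-line comment stating what they are for (`# OBS repo path components for the CRI-O packages — consumed by <role>`) would let the next reader tell intent from typo. Quoting `kube_release: "1.23"` is correct, since the plain scalar would parse as the float 1.23.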
63
ansible/roles/kubernetes/tasks/main.yml
Normal file
63
ansible/roles/kubernetes/tasks/main.yml
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
- name: Disable SWAP
|
||||||
|
when: ansible_memory_mb.swap.total != 0
|
||||||
|
register: swap_disable
|
||||||
|
become: true
|
||||||
|
ansible.builtin.command: swapoff -a
|
||||||
|
|
||||||
|
- name: Remove swapfile from /etc/fstab
|
||||||
|
become: true
|
||||||
|
ansible.posix.mount:
|
||||||
|
name: "{{ item }}"
|
||||||
|
fstype: swap
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
- swap
|
||||||
|
|
||||||
|
- name: Set up kmsg in LXC # https://kevingoos.medium.com/kubernetes-inside-proxmox-lxc-cce5c9927942
|
||||||
|
when: inventory_hostname in groups['lxc_guest']
|
||||||
|
become: true
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
#!/bin/sh -e
|
||||||
|
if [ ! -e /dev/kmsg ]; then
|
||||||
|
ln -s /dev/console /dev/kmsg
|
||||||
|
fi
|
||||||
|
mount --make-rshared /
|
||||||
|
dest: /etc/rc.local
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: Add Apt signing key Google
|
||||||
|
become: true
|
||||||
|
ansible.builtin.apt_key:
|
||||||
|
url: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
loop:
|
||||||
|
- https://packages.cloud.google.com/apt/doc/apt-key.gpg
|
||||||
|
|
||||||
|
- name: Add repo for kubernetes
|
||||||
|
become: true
|
||||||
|
ansible.builtin.apt_repository:
|
||||||
|
filename: kubernetes
|
||||||
|
repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
|
||||||
|
mode: "0666"
|
||||||
|
update_cache: yes
|
||||||
|
|
||||||
|
- name: Install packages
|
||||||
|
become: true
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "{{ item }}={{ kube_apt }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- kubelet
|
||||||
|
- kubeadm
|
||||||
|
- kubectl
|
||||||
|
|
||||||
|
- name: Hold kubernetes version
|
||||||
|
become: true
|
||||||
|
ansible.builtin.dpkg_selections:
|
||||||
|
name: "{{ item }}"
|
||||||
|
selection: "hold"
|
||||||
|
with_items:
|
||||||
|
- kubelet
|
||||||
|
- kubeadm
|
||||||
|
- kubectl
|
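Review bot: `mode: "0666"` on the `Add repo for kubernetes` task makes `/etc/apt/sources.list.d/kubernetes.list` world-writable, so any local account can append a repository that `apt` then trusts for root-installed packages; apt sources files should be `mode: "0644"` (the `0666` existed in the old `run.yml`, but it is moved here unchanged rather than fixed). `ansible.builtin.apt_key` writes to the legacy trusted keyring that is deprecated on current Debian/Ubuntu; fetching the key with `get_url` to a dedicated keyring and adding `signed-by=` to the `repo:` line is the supported replacement, though that is a larger change. `update_cache: yes` and the `with_items:` loops are the YAML 1.1 boolean / legacy loop spellings; `true` and `loop:` match the rest of the commit.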
@ -1,5 +1,5 @@
|
|||||||
- name: Check if dnsmasq is setup
|
- name: Check if dnsmasq is setup
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/etc/dnsmasq.d/"
|
path: "/etc/dnsmasq.d/"
|
||||||
register: dnsmasq_setup
|
register: dnsmasq_setup
|
||||||
|
|
||||||
@ -25,7 +25,7 @@
|
|||||||
dest: /etc/dnsmasq.d/02-custom.conf
|
dest: /etc/dnsmasq.d/02-custom.conf
|
||||||
|
|
||||||
- name: Check if PiHole is installed
|
- name: Check if PiHole is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/usr/local/bin/pihole"
|
path: "/usr/local/bin/pihole"
|
||||||
register: pihole_bin
|
register: pihole_bin
|
||||||
|
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
- name: Set pihole webpassword
|
- name: Set pihole webpassword
|
||||||
|
become: true
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pihole/setupVars.conf
|
path: /etc/pihole/setupVars.conf
|
||||||
regexp: "^WEBPASSWORD="
|
regexp: "^WEBPASSWORD="
|
||||||
@ -6,6 +7,7 @@
|
|||||||
create: yes
|
create: yes
|
||||||
|
|
||||||
- name: Set pihole theme
|
- name: Set pihole theme
|
||||||
|
become: true
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pihole/setupVars.conf
|
path: /etc/pihole/setupVars.conf
|
||||||
regexp: "^WEBTHEME="
|
regexp: "^WEBTHEME="
|
||||||
@ -13,6 +15,7 @@
|
|||||||
create: yes
|
create: yes
|
||||||
|
|
||||||
- name: Set pihole layout
|
- name: Set pihole layout
|
||||||
|
become: true
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pihole/setupVars.conf
|
path: /etc/pihole/setupVars.conf
|
||||||
regexp: "^WEBUIBOXEDLAYOUT="
|
regexp: "^WEBUIBOXEDLAYOUT="
|
||||||
@ -20,13 +23,15 @@
|
|||||||
create: yes
|
create: yes
|
||||||
|
|
||||||
- name: Set pihole listen
|
- name: Set pihole listen
|
||||||
|
become: true
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pihole/setupVars.conf
|
path: /etc/pihole/setupVars.conf
|
||||||
regexp: "^DNSMASQ_LISTENING="
|
regexp: "^DNSMASQ_LISTENING="
|
||||||
line: DNSMASQ_LISTENING=local
|
line: DNSMASQ_LISTENING=bind
|
||||||
create: yes
|
create: yes
|
||||||
|
|
||||||
- name: Set pihole fqdn forwarding
|
- name: Set pihole fqdn forwarding
|
||||||
|
become: true
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pihole/setupVars.conf
|
path: /etc/pihole/setupVars.conf
|
||||||
regexp: "^DNS_FQDN_REQUIRED="
|
regexp: "^DNS_FQDN_REQUIRED="
|
||||||
@ -34,6 +39,7 @@
|
|||||||
create: yes
|
create: yes
|
||||||
|
|
||||||
- name: Set pihole reverse lookup
|
- name: Set pihole reverse lookup
|
||||||
|
become: true
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pihole/setupVars.conf
|
path: /etc/pihole/setupVars.conf
|
||||||
regexp: "^DNS_BOGUS_PRIV="
|
regexp: "^DNS_BOGUS_PRIV="
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
- name: Get dependencies for PiHole
|
- name: Get dependencies for PiHole
|
||||||
when: not pihole_setup.stat.exists
|
when: not pihole_setup.stat.exists
|
||||||
become: yes
|
become: true
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
[
|
[
|
||||||
@ -34,7 +34,7 @@
|
|||||||
state: latest
|
state: latest
|
||||||
|
|
||||||
- name: Checkout PiHole
|
- name: Checkout PiHole
|
||||||
become: yes
|
become: true
|
||||||
ansible.builtin.git:
|
ansible.builtin.git:
|
||||||
repo: "https://github.com/pi-hole/pi-hole.git"
|
repo: "https://github.com/pi-hole/pi-hole.git"
|
||||||
clone: yes
|
clone: yes
|
||||||
|
@ -1,18 +1,17 @@
|
|||||||
- name: Check if PiHole is cloned
|
- name: Check if PiHole is cloned
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/etc/pihole"
|
path: "/etc/pihole"
|
||||||
register: pihole_clone
|
register: pihole_clone
|
||||||
|
|
||||||
- name: Gather PiHole
|
- name: Gather PiHole
|
||||||
when: not pihole_clone.stat.exists
|
when: not pihole_clone.stat.exists
|
||||||
include: gather.yml
|
include_tasks: gather.yml
|
||||||
|
|
||||||
- name: Check if PiHole is installed
|
- name: Check if PiHole is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/usr/local/bin/pihole"
|
path: "/usr/local/bin/pihole"
|
||||||
register: pihole_bin
|
register: pihole_bin
|
||||||
|
|
||||||
- name: Configure PiHole
|
- name: Configure PiHole
|
||||||
when: pihole_bin.stat.exists
|
when: pihole_bin.stat.exists
|
||||||
include: configure.yml
|
include_tasks: configure.yml
|
||||||
become: yes
|
|
||||||
|
@ -17,12 +17,12 @@
|
|||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: Check if updatelist is installed
|
- name: Check if updatelist is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/usr/local/sbin/pihole-updatelists"
|
path: "/usr/local/sbin/pihole-updatelists"
|
||||||
register: updatelist_exec
|
register: updatelist_exec
|
||||||
|
|
||||||
- name: Activate changes
|
- name: Activate changes
|
||||||
when: updatelist.changed and updatelist_exec.stat.exists
|
when: updatelist_exec.stat.exists
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
argv:
|
argv:
|
||||||
|
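Review bot: Dropping `updatelist.changed` from the `Activate changes` condition means the command now runs on every play as long as the binary exists, and with no `changed_when:` it also reports changed every time; if always re-running is intended, add `changed_when: false` (or a condition on the command's output), otherwise restore the `updatelist.changed and` guard. The task's `argv:` body continues outside the hunk.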
14
ansible/roles/proxmox/tasks/create_user.yml
Normal file
14
ansible/roles/proxmox/tasks/create_user.yml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
- name: Create user
|
||||||
|
become: "{{ do_become }}"
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- pvesh
|
||||||
|
- create
|
||||||
|
- /access/users
|
||||||
|
- --userid
|
||||||
|
- "{{ item.username }}@pam"
|
||||||
|
- --comment
|
||||||
|
- "Managed by Ansible"
|
||||||
|
- --password
|
||||||
|
- "{{ item.password | default(None) }}"
|
||||||
|
- --output-format=json
|
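Review bot: The `Create user` task passes the account password as a command-line argument (`- --password` followed by `- "{{ item.password | default(None) }}"`), so it is visible to every local process via the process list while `pvesh` runs and is echoed in Ansible's task output and logs; at minimum the task needs `no_log: true`. `default(None)` renders as the literal string `None` when `item.password` is missing (the same defect this commit fixes in `tasks/users.yml`), so a user without a password entry is created with the password "None"; since `omit` cannot be used inside an `argv` list, either require `item.password` with a `when:`/`assert`, or build the argv list conditionally. `command:` is the short module name; `ansible.builtin.command:` matches the rest of the commit.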
34
ansible/roles/proxmox/tasks/main.yml
Normal file
34
ansible/roles/proxmox/tasks/main.yml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
- name: Get users
|
||||||
|
become: "{{ do_become }}"
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- pvesh
|
||||||
|
- get
|
||||||
|
- /access/users
|
||||||
|
- --output-format=json
|
||||||
|
register: pve_users
|
||||||
|
|
||||||
|
- name: Create users
|
||||||
|
when: item.username not in (pve_users.stdout | from_json | community.general.json_query('[*].userid') |replace("@pam", ""))
|
||||||
|
include_tasks: create_user.yml
|
||||||
|
loop: "{{ users | selectattr('system', 'contains', 'proxmox') | flatten(levels=1) }}"
|
||||||
|
|
||||||
|
- name: Disable SWAP sysctl on host
|
||||||
|
become: true
|
||||||
|
ansible.posix.sysctl:
|
||||||
|
name: vm.swappiness
|
||||||
|
value: "0"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Disable SWAP on host
|
||||||
|
become: true
|
||||||
|
ansible.builtin.command: swapoff -a
|
||||||
|
|
||||||
|
- name: Remove swapfile from /etc/fstab on host
|
||||||
|
become: true
|
||||||
|
ansible.posix.mount:
|
||||||
|
name: "{{ item }}"
|
||||||
|
fstype: swap
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
- swap
|
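Review bot: The `Create users` condition `item.username not in (pve_users.stdout | from_json | community.general.json_query('[*].userid') |replace("@pam", ""))` applies the string filter `replace` to a list, which stringifies it, so the `in` test becomes a substring match on text like `['root', 'roxedus']`; a username that is a prefix of an existing one is then wrongly skipped, and names containing quotes or brackets behave oddly. `| map('replace', '@pam', '') | list` keeps it a list so `not in` is exact membership. `Get users` is a read-only `pvesh get` and should carry `changed_when: false` so the play does not report a change on every run, and `ansible.builtin.command:` is the FQCN used elsewhere in the commit.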
2
ansible/roles/zfs/defaults/main.yml
Normal file
2
ansible/roles/zfs/defaults/main.yml
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
zfs_ver: 0.8.3-1ubuntu12.9
|
||||||
|
zfs_users: user
|
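Review bot: `zfs_users: user` sets the role default to a plain string, but `roles/zfs/tasks/main.yml` feeds it to `loop: "{{ zfs_users }}"`, which requires a list, so the role only works when a group var such as `group_vars/zfs.yml` overrides it. A defensive default is `zfs_users: []`, which grants no sudo rules unless a list is supplied and reads as an intentional "nobody" rather than a placeholder account name. The same quoting note as the other version pins applies to `zfs_ver`.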
15
ansible/roles/zfs/tasks/install.yml
Normal file
15
ansible/roles/zfs/tasks/install.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
- name: Install packages
|
||||||
|
become: true
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "{{ item }}={{ zfs_ver }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- zfsutils-linux
|
||||||
|
|
||||||
|
- name: Hold ZFS version
|
||||||
|
become: true
|
||||||
|
ansible.builtin.dpkg_selections:
|
||||||
|
name: "{{ item }}"
|
||||||
|
selection: "hold"
|
||||||
|
with_items:
|
||||||
|
- zfsutils-linux
|
15
ansible/roles/zfs/tasks/main.yml
Normal file
15
ansible/roles/zfs/tasks/main.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
- name: Check if ZFS is installed
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/usr/sbin/zfs"
|
||||||
|
register: zfs_bin
|
||||||
|
|
||||||
|
- name: Install ZFS
|
||||||
|
when: not zfs_bin.stat.exists
|
||||||
|
include_tasks: install.yml
|
||||||
|
|
||||||
|
- name: Give user passwordless access to ZFS commands
|
||||||
|
become: true
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/sudoers
|
||||||
|
line: "{{ item }} ALL=(ALL) NOPASSWD: /usr/sbin/zfs,/usr/sbin/zpool"
|
||||||
|
loop: "{{ zfs_users }}"
|
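Review bot: `Give user passwordless access to ZFS commands` edits `/etc/sudoers` directly with `lineinfile` and no `validate:`, so a malformed line (for example an unexpected value in `zfs_users`) breaks sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` and prefer a dedicated file under `/etc/sudoers.d/` with `mode: "0440"` over the main sudoers file. `lineinfile:` is the only non-FQCN module in the role; `ansible.builtin.lineinfile:` matches the stat and include tasks above it. `loop: "{{ zfs_users }}"` also requires the variable to be a list, which the role default `zfs_users: user` is not.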
204
ansible/run.yml
204
ansible/run.yml
@ -1,5 +1,16 @@
|
|||||||
- hosts: all
|
- hosts: all
|
||||||
become: yes
|
become: "{{ do_become }}"
|
||||||
|
tags: [always]
|
||||||
|
vars_files:
|
||||||
|
- "vars/vault.yml"
|
||||||
|
tasks:
|
||||||
|
- name: Get dpkg arch
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
|
ansible.builtin.shell: dpkg --print-architecture
|
||||||
|
register: _apt_arch
|
||||||
|
|
||||||
|
- hosts: all:!unifi
|
||||||
|
become: "{{ do_become }}"
|
||||||
tags: [never, init]
|
tags: [never, init]
|
||||||
vars_files:
|
vars_files:
|
||||||
- "vars/vault.yml"
|
- "vars/vault.yml"
|
||||||
@ -7,18 +18,23 @@
|
|||||||
collections:
|
collections:
|
||||||
- ansible.builtin.apt
|
- ansible.builtin.apt
|
||||||
- ansible.builtin.apt_key
|
- ansible.builtin.apt_key
|
||||||
|
- ansible.builtin.apt_repository
|
||||||
|
- ansible.builtin.command
|
||||||
|
- ansible.builtin.copy
|
||||||
|
- ansible.builtin.dpkg_selections
|
||||||
|
- ansible.builtin.file
|
||||||
|
- ansible.builtin.get_url
|
||||||
- ansible.builtin.git
|
- ansible.builtin.git
|
||||||
- ansible.builtin.group
|
- ansible.builtin.group
|
||||||
- ansible.builtin.hostname
|
- ansible.builtin.hostname
|
||||||
- ansible.builtin.lineinfile
|
- ansible.builtin.lineinfile
|
||||||
- ansible.builtin.pip
|
- ansible.builtin.pip
|
||||||
- ansible.builtin.reboot
|
- ansible.builtin.reboot
|
||||||
|
- ansible.builtin.stat
|
||||||
|
- ansible.builtin.template
|
||||||
- ansible.builtin.user
|
- ansible.builtin.user
|
||||||
- ansible.posix.authorized_key
|
- ansible.posix.authorized_key
|
||||||
- ansible.posix.mount
|
- ansible.posix.mount
|
||||||
- ansible.builtin.command
|
|
||||||
- ansible.builtin.apt_repository
|
|
||||||
- ansible.builtin.dpkg_selections
|
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- include_tasks: tasks/users.yml
|
- include_tasks: tasks/users.yml
|
||||||
@ -52,7 +68,11 @@
|
|||||||
test_command: uptime
|
test_command: uptime
|
||||||
when: new_hostname.changed
|
when: new_hostname.changed
|
||||||
|
|
||||||
|
- include_tasks: tasks/remove_prox_ee_apt.yml
|
||||||
|
when: inventory_hostname in groups['prox']
|
||||||
|
|
||||||
- name: Update apt cache
|
- name: Update apt cache
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
cache_valid_time: 1
|
cache_valid_time: 1
|
||||||
@ -60,9 +80,10 @@
|
|||||||
roles:
|
roles:
|
||||||
- role: geerlingguy.ntp
|
- role: geerlingguy.ntp
|
||||||
- role: geerlingguy.security
|
- role: geerlingguy.security
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
tasks:
|
tasks:
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "{{ item.name | default(omit) }}"
|
name: "{{ item.name | default(omit) }}"
|
||||||
state: latest
|
state: latest
|
||||||
@ -70,8 +91,13 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- "{{package_list}}"
|
- "{{package_list}}"
|
||||||
|
|
||||||
|
- name: Install pip packages
|
||||||
|
ansible.builtin.pip:
|
||||||
|
name:
|
||||||
|
- github3.py
|
||||||
|
|
||||||
- hosts: docker
|
- hosts: docker
|
||||||
become: yes
|
become: true
|
||||||
tags: [docker]
|
tags: [docker]
|
||||||
vars_files:
|
vars_files:
|
||||||
- "vars/vault.yml"
|
- "vars/vault.yml"
|
||||||
@ -81,10 +107,6 @@
|
|||||||
name:
|
name:
|
||||||
- docker
|
- docker
|
||||||
|
|
||||||
- name: Get DEB architecture
|
|
||||||
shell: dpkg --print-architecture
|
|
||||||
register: deb_architecture
|
|
||||||
|
|
||||||
- name: Create plugin directory if not present
|
- name: Create plugin directory if not present
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "/home/{{ item.username }}/.docker/cli-plugins/"
|
path: "/home/{{ item.username }}/.docker/cli-plugins/"
|
||||||
@ -94,68 +116,81 @@
|
|||||||
mode: "0775"
|
mode: "0775"
|
||||||
loop: "{{ docker_users_obj }}"
|
loop: "{{ docker_users_obj }}"
|
||||||
|
|
||||||
|
- name: Get latest release of a public repository
|
||||||
|
community.general.github_release:
|
||||||
|
user: docker
|
||||||
|
repo: compose
|
||||||
|
action: latest_release
|
||||||
|
register: comp_cli
|
||||||
|
|
||||||
- name: Install compose plugin
|
- name: Install compose plugin
|
||||||
ansible.builtin.get_url:
|
ansible.builtin.get_url:
|
||||||
url: "https://github.com/docker/compose-cli/releases/download/v2.0.0-rc.1/docker-compose-linux-{{ deb_architecture.stdout }}"
|
url: "https://github.com/docker/compose/releases/download/{{comp_cli.tag}}/docker-compose-linux-{{ ansible_architecture }}"
|
||||||
dest: "/home/{{ item.username }}/.docker/cli-plugins/docker-compose"
|
dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: "{{ item.username }}"
|
owner: "{{ users.0.username }}"
|
||||||
group: "{{ item.groupname }}"
|
group: "{{ users.0.groupname }}"
|
||||||
loop: "{{ docker_users_obj }}"
|
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- role: geerlingguy.docker
|
- role: geerlingguy.docker
|
||||||
|
when: ansible_distribution == 'Ubuntu'
|
||||||
|
|
||||||
- hosts: kube
|
- hosts: kube
|
||||||
become: yes
|
|
||||||
tags: [never, init, kube]
|
tags: [never, init, kube]
|
||||||
vars_files:
|
vars_files:
|
||||||
- "vars/vault.yml"
|
- "vars/vault.yml"
|
||||||
tasks:
|
tasks:
|
||||||
- name: Disable SWAP
|
- name: Include Cri-O role
|
||||||
# ansible.builtin.comman
|
include_role:
|
||||||
command: swapoff -a
|
name: alvistack.cri_o
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
- name: Include Runc role
|
||||||
|
include_role:
|
||||||
|
name: alvistack.runc
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
- name: Include Crun role
|
||||||
|
include_role:
|
||||||
|
name: alvistack.crun
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
- name: Include containers_common role
|
||||||
|
include_role:
|
||||||
|
name: alvistack.containers_common
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
- name: Include conmon role
|
||||||
|
include_role:
|
||||||
|
name: alvistack.conmon
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
- name: Include Kubernetes role
|
||||||
|
include_role:
|
||||||
|
name: kubernetes
|
||||||
|
- name: Include ZFS role
|
||||||
|
when: inventory_hostname in groups['zfs']
|
||||||
|
include_role:
|
||||||
|
name: zfs
|
||||||
|
- name: Include NFS role
|
||||||
|
when: inventory_hostname in groups['nfs']
|
||||||
|
include_role:
|
||||||
|
name: geerlingguy.nfs
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: Remove swapfile from /etc/fstab
|
- hosts: prox
|
||||||
ansible.posix.mount:
|
vars_files:
|
||||||
name: "{{ item }}"
|
- "vars/vault.yml"
|
||||||
fstype: swap
|
tags: [update, prox]
|
||||||
state: absent
|
pre_tasks:
|
||||||
with_items:
|
- name: Install sudo
|
||||||
- swap
|
|
||||||
|
|
||||||
- name: Add Apt signing key Google
|
|
||||||
ansible.builtin.apt_key:
|
|
||||||
url: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
loop:
|
|
||||||
- https://packages.cloud.google.com/apt/doc/apt-key.gpg
|
|
||||||
|
|
||||||
- name: Add repo for kubernetes
|
|
||||||
ansible.builtin.apt_repository:
|
|
||||||
filename: kubernetes
|
|
||||||
repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
|
|
||||||
mode: "0666"
|
|
||||||
update_cache: yes
|
|
||||||
|
|
||||||
- name: Install packages
|
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "{{ item }}={{ kube_ver }}"
|
name: sudo
|
||||||
state: present
|
state: latest
|
||||||
with_items:
|
roles:
|
||||||
- kubelet
|
- role: ironicbadger_ansible-role-proxmox-nag-removal
|
||||||
- kubeadm
|
- role: proxmox
|
||||||
- kubectl
|
|
||||||
|
|
||||||
- name: Hold kubernetes version
|
|
||||||
become: yes
|
|
||||||
ansible.builtin.dpkg_selections:
|
|
||||||
name: "{{ item }}"
|
|
||||||
selection: "hold"
|
|
||||||
with_items:
|
|
||||||
- kubelet
|
|
||||||
- kubeadm
|
|
||||||
- kubectl
|
|
||||||
|
|
||||||
- hosts: piholes
|
- hosts: piholes
|
||||||
vars_files:
|
vars_files:
|
||||||
@ -165,9 +200,43 @@
|
|||||||
- role: pihole_updatelist
|
- role: pihole_updatelist
|
||||||
- role: pi_dnsmasq
|
- role: pi_dnsmasq
|
||||||
- role: pihole
|
- role: pihole
|
||||||
|
tasks:
|
||||||
|
- name: Install packages
|
||||||
|
become: true
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: libraspberrypi-bin
|
||||||
|
|
||||||
- hosts: all
|
- name: Place PoE fan file
|
||||||
become: yes
|
become: true
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
# Ansible managed
|
||||||
|
|
||||||
|
dtoverlay=rpi-poe
|
||||||
|
dtparam=poe_fan_temp0=57000
|
||||||
|
dtparam=poe_fan_temp1=60000
|
||||||
|
dtparam=poe_fan_temp2=63000
|
||||||
|
dtparam=poe_fan_temp3=66000
|
||||||
|
dest: /boot/firmware/usercfg.txt
|
||||||
|
|
||||||
|
# - hosts: usg
|
||||||
|
# vars_files:
|
||||||
|
# - "vars/vault.yml"
|
||||||
|
# - "vars/wireguard.yml"
|
||||||
|
# tags: [network, ubnt]
|
||||||
|
# roles:
|
||||||
|
# - role: usg
|
||||||
|
|
||||||
|
# - hosts: cloud_key
|
||||||
|
# vars_files:
|
||||||
|
# - "vars/vault.yml"
|
||||||
|
# - "vars/wireguard.yml"
|
||||||
|
# tags: [network, ubnt]
|
||||||
|
# roles:
|
||||||
|
# - role: cloud_key
|
||||||
|
|
||||||
|
- hosts: all:!unifi
|
||||||
|
become: "{{ do_become }}"
|
||||||
tags: [update]
|
tags: [update]
|
||||||
vars_files:
|
vars_files:
|
||||||
- "vars/vault.yml"
|
- "vars/vault.yml"
|
||||||
@ -175,6 +244,7 @@
|
|||||||
tasks:
|
tasks:
|
||||||
# https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
|
# https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
|
||||||
- name: Update packages
|
- name: Update packages
|
||||||
|
when: ansible_distribution == 'Ubuntu'
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
update_cache: "True"
|
update_cache: "True"
|
||||||
force_apt_get: "True"
|
force_apt_get: "True"
|
||||||
@ -191,12 +261,13 @@
|
|||||||
- 50-motd-news
|
- 50-motd-news
|
||||||
- 80-livepatch
|
- 80-livepatch
|
||||||
- 90-updates-available
|
- 90-updates-available
|
||||||
|
- 91-release-upgrade
|
||||||
- 95-hwe-eol
|
- 95-hwe-eol
|
||||||
when: ansible_distribution == 'Ubuntu'
|
when: ansible_distribution == 'Ubuntu'
|
||||||
|
|
||||||
- name: Check if pi-hole is installed
|
- name: Check if pi-hole is installed
|
||||||
when: inventory_hostname in groups['piholes']
|
when: inventory_hostname in groups['piholes']
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/usr/local/bin/pihole"
|
path: "/usr/local/bin/pihole"
|
||||||
register: pihole_exec
|
register: pihole_exec
|
||||||
|
|
||||||
@ -208,14 +279,22 @@
|
|||||||
- pihole
|
- pihole
|
||||||
- -up
|
- -up
|
||||||
|
|
||||||
|
- name: Install and update OMP
|
||||||
|
include_tasks: tasks/omp.yml
|
||||||
|
|
||||||
|
- include_tasks: tasks/remove_prox_ee_apt.yml
|
||||||
|
when: inventory_hostname in groups['prox']
|
||||||
|
|
||||||
- name: Check if a reboot is needed for Debian and Ubuntu boxes
|
- name: Check if a reboot is needed for Debian and Ubuntu boxes
|
||||||
register: reboot_required_file
|
register: reboot_required_file
|
||||||
stat:
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
|
ansible.builtin.stat:
|
||||||
path: /var/run/reboot-required
|
path: /var/run/reboot-required
|
||||||
get_md5: no
|
get_md5: no
|
||||||
|
|
||||||
- name: Reboot the server
|
- name: Reboot the server
|
||||||
throttle: 1
|
throttle: 1
|
||||||
|
when: reboot_required_file.stat.exists and (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian')
|
||||||
ansible.builtin.reboot:
|
ansible.builtin.reboot:
|
||||||
msg: "Reboot initiated by Ansible due to kernel updates"
|
msg: "Reboot initiated by Ansible due to kernel updates"
|
||||||
connect_timeout: 5
|
connect_timeout: 5
|
||||||
@ -223,4 +302,3 @@
|
|||||||
pre_reboot_delay: 0
|
pre_reboot_delay: 0
|
||||||
post_reboot_delay: 30
|
post_reboot_delay: 30
|
||||||
test_command: uptime
|
test_command: uptime
|
||||||
when: reboot_required_file.stat.exists
|
|
||||||
|
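Review bot: In the docker play, `Install compose plugin` now writes only to `/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose` (its `loop: "{{ docker_users_obj }}"` was removed), while `Create plugin directory if not present` a few lines above still loops over every docker user, so any user after the first gets an empty plugin directory and no compose; either restore the loop with `{{ item.username }}` or drop the loop on the directory task so the two agree. The same download carries no `checksum:`, so a binary fetched from GitHub is installed as-is; `get_url` accepts `checksum: sha256:<url-or-value>` and the compose releases publish a checksums file alongside the assets (confirm its name for the tag in use). `Get latest release of a public repository` and its OMP counterpart query the GitHub API unauthenticated on every host and every run, which exhausts the anonymous rate limit quickly; `run_once: true` with the result shared to the other hosts, or a `token:`, avoids that.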
34
ansible/tasks/omp.yml
Normal file
34
ansible/tasks/omp.yml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
- name: Check if OMP is installed
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /opt/scripts/oh-my-posh
|
||||||
|
register: omp_bin
|
||||||
|
|
||||||
|
- name: Check OMP version
|
||||||
|
when: omp_bin.stat.exists
|
||||||
|
ansible.builtin.command: /opt/scripts/oh-my-posh -version
|
||||||
|
register: omp_ver
|
||||||
|
|
||||||
|
- name: Get latest release of OMP
|
||||||
|
community.general.github_release:
|
||||||
|
user: JanDeDobbeleer
|
||||||
|
repo: oh-my-posh
|
||||||
|
action: latest_release
|
||||||
|
register: omp_latest
|
||||||
|
|
||||||
|
- name: Download OMP
|
||||||
|
when: not omp_bin.stat.exists or omp_latest != ( "v" + omp_ver )
|
||||||
|
become: "{{ do_become }}"
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/{{ omp_latest.tag }}/posh-linux-{{ apt_arch }}
|
||||||
|
dest: /usr/local/bin/oh-my-posh
|
||||||
|
mode: "0744"
|
||||||
|
owner: "{{ users.0.username }}"
|
||||||
|
group: "{{ users.0.groupname }}"
|
||||||
|
force: "yes"
|
||||||
|
|
||||||
|
- name: Add OMP to bash
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
mode: "0644"
|
||||||
|
path: /home/{{ users.0.username }}/.bashrc
|
||||||
|
line: eval "$(oh-my-posh --init --shell bash --config https://gist.githubusercontent.com/Roxedus/6a11a5dbd37c24ecacf02fb9aef06e15/raw/bd0955596238ab4e31db64c0ab1551c0ee375619/oh-my.posh.json)"
|
||||||
|
create: yes
|
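Review bot: The `Download OMP` condition `when: not omp_bin.stat.exists or omp_latest != ( "v" + omp_ver )` compares two registered result dicts rather than version strings, so it is always true whenever the stat passes and the download reruns every play; what was presumably meant is `omp_latest.tag != ('v' ~ omp_ver.stdout)`. `Check if OMP is installed` stats `/opt/scripts/oh-my-posh` while the download lands in `/usr/local/bin/oh-my-posh`, so `omp_bin.stat.exists` is never true for the binary this file installs and `Check OMP version` is always skipped. The `eval "$(oh-my-posh --init --shell bash --config https://gist.githubusercontent.com/...)"` line fetches the prompt config from a gist on every interactive shell start, so shell startup depends on network reachability and on that gist; shipping the JSON with the role and pointing `--config` at the local copy is the more robust form. `mode: "0744"` on a binary that is executed through `.bashrc` should be `"0755"`. `force: "yes"` and `create: yes` are the YAML 1.1 spellings of `true`.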
6
ansible/tasks/remove_prox_ee_apt.yml
Normal file
6
ansible/tasks/remove_prox_ee_apt.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
- name: Remove PVE EE repo
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /etc/apt/sources.list.d/{{ item }}.list
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- pve-enterprise
|
@ -1,17 +1,17 @@
|
|||||||
- name: Ensure groups exists
|
- name: Ensure groups exists
|
||||||
ansible.builtin.group:
|
ansible.builtin.group:
|
||||||
name: "{{ user.groupname }}"
|
name: "{{ user.groupname | default(user.username) }}"
|
||||||
gid: "{{ user.gid | default(None) }}"
|
gid: "{{ user.gid | default(omit) }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add users
|
- name: Add users
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ user.username }}"
|
name: "{{ user.username }}"
|
||||||
uid: "{{ user.uid | default(None) }}"
|
uid: "{{ user.uid | default(omit) }}"
|
||||||
group: "{{ user.groupname | default(user.username) }}"
|
group: "{{ user.groupname | default(user.username) }}"
|
||||||
shell: "{{ user.shell | default('/bin/bash') }}"
|
shell: "{{ user.shell | default('/bin/bash') }}"
|
||||||
move_home: "{{ user.home | default(None) }}"
|
move_home: "{{ user.home | default(omit) }}"
|
||||||
password: "{{ user.password | default(None) }}"
|
password: "{{ user.password | password_hash('sha512') | default(omit) }}"
|
||||||
|
|
||||||
- name: Add a Github key ssh key
|
- name: Add a Github key ssh key
|
||||||
when: "user.github is defined"
|
when: "user.github is defined"
|
||||||
|
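Review bot: `password: "{{ user.password | password_hash('sha512') | default(omit) }}"` applies `default(omit)` after `password_hash`, so when `user.password` is undefined the hash filter receives the undefined value first and the task errors instead of omitting the parameter; `"{{ user.password | password_hash('sha512') if user.password is defined else omit }}"` keeps the intended behaviour. `password_hash('sha512')` with no salt argument generates a fresh salt on every run, so `ansible.builtin.user` sees a different hash each time and reports changed on every play; pass a stable salt as the filter's second argument or add `update_password: on_create`. The other `default(None)` → `default(omit)` changes are correct fixes, since `None` rendered as the string "None" before. The `Add a Github key ssh key` task continues outside the hunk.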