Infra/ansible/run.yml

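# Initial provisioning of every host: users, hostname, baseline roles and
# the package list from group/host vars. Tagged `never`, so it only runs
# when `--tags init` is requested explicitly.
- hosts: all
  become: true
  tags: [never, init]
  vars_files:
    - "vars/vault.yml"
  # The `collections` keyword takes collection names (namespace.collection),
  # not module names. Every task here already uses a fully-qualified module
  # name, so only the two namespaces in use are listed.
  collections:
    - ansible.builtin
    - ansible.posix
  pre_tasks:
    # One include per entry in `users`; the task file sees each entry as `user`.
    - include_tasks: tasks/users.yml
      loop: "{{ users }}"
      loop_control:
        loop_var: user
    - name: Change hostname
      when: "set_hostname is defined"
      register: new_hostname
      ansible.builtin.hostname:
        name: "{{ set_hostname }}"
    - name: Change hostname in hosts
      # Only rewrite /etc/hosts when the hostname task reported a change
      # (a skipped hostname task registers changed == false).
      when: new_hostname.changed
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1 localhost'
        line: "127.0.0.1 localhost {{ set_hostname }}"
        owner: root
        group: root
        mode: "0644"
    - name: Reboot the server
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to hostname change"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 2
        post_reboot_delay: 30
        test_command: uptime
      when: new_hostname.changed
  roles:
    - role: geerlingguy.ntp
    - role: geerlingguy.security
  tasks:
    # `package_list` entries are mappings with `name` and an optional
    # `default_release`; `omit` drops the key when it is absent.
    - name: Install packages
      ansible.builtin.apt:
        name: "{{ item.name | default(omit) }}"
        state: latest
        default_release: "{{ item.default_release | default(omit) }}"
      loop: "{{ package_list }}"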
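# Docker hosts: the geerlingguy.docker role installs the engine first, then
# the Python `docker` and `docker-compose` packages are installed system-wide.
- hosts: docker
  become: true
  tags: [never, init, docker]
  vars_files:
    - "vars/vault.yml"
  roles:
    - role: geerlingguy.docker
  post_tasks:
    - name: Install pip packages
      # NOTE(review): no versions are pinned, so each run installs whatever
      # PyPI currently serves — pin if reproducible hosts matter.
      ansible.builtin.pip:
        name:
          - docker
          - docker-compose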
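# Kubernetes nodes: disable swap, add the upstream apt repository and install
# kubelet/kubeadm/kubectl at `kube_ver`, then hold them at that version.
- hosts: kube
  become: true
  tags: [never, init, kube]
  vars_files:
    - "vars/vault.yml"
  vars:
    # Installed and held together so the three tools never drift apart.
    kube_packages:
      - kubelet
      - kubeadm
      - kubectl
  tasks:
    - name: Disable SWAP
      ansible.builtin.command: swapoff -a
      # swapoff -a is safe to repeat; don't report a change on every run.
      changed_when: false
    - name: Remove swapfile from /etc/fstab
      ansible.posix.mount:
        path: "{{ item }}"
        fstype: swap
        state: absent
      loop:
        - swap
    - name: Add Apt signing key Google
      # NOTE(review): apt_key relies on the deprecated apt-key tool; a keyring
      # file referenced with `signed-by` in the repo line is the current
      # recommendation — confirm against the distro's apt version first.
      ansible.builtin.apt_key:
        url: "{{ item }}"
        state: present
      loop:
        - https://packages.cloud.google.com/apt/doc/apt-key.gpg
    - name: Add repo for kubernetes
      ansible.builtin.apt_repository:
        filename: kubernetes
        repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
        # The sources.list.d file must not be world-writable: 0666 would let
        # any local user add package sources that apt then trusts as root.
        mode: "0644"
        update_cache: true
    - name: Install packages
      ansible.builtin.apt:
        name: "{{ item }}={{ kube_ver }}"
        state: present
      loop: "{{ kube_packages }}"
    - name: Hold kubernetes version
      ansible.builtin.dpkg_selections:
        name: "{{ item }}"
        selection: hold
      loop: "{{ kube_packages }}"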
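# Pi-hole hosts. The init-tagged pre_tasks fetch Pi-hole and the updatelist
# helper and install Pi-hole's runtime dependencies; the two roles run on
# every `update`.
- hosts: piholes
  vars_files:
    - "vars/vault.yml"
  pre_tasks:
    - name: Checkout pihole
      tags: [never, init, pihole]
      become: true
      # NOTE(review): no `version:` is given, so the clone follows the remote
      # HEAD at run time — pin a release tag for reproducible installs.
      ansible.builtin.git:
        repo: "https://github.com/pi-hole/pi-hole.git"
        clone: true
        dest: "/etc/.pihole"
        depth: 1
        umask: "022"
    - name: Checkout pihole_updatelist
      tags: [never, init, pihole]
      # Runs as the connecting user (no become); lands in the first
      # configured user's home.
      ansible.builtin.git:
        repo: "https://github.com/jacklul/pihole-updatelists.git"
        clone: true
        dest: "/home/{{ users.0.username }}/pihole_updatelist"
        depth: 1
    - name: Get dependencies
      become: true
      tags: [never, init, pihole]
      ansible.builtin.apt:
        # Block style, with the duplicated entries (dns-root-data, idn2,
        # php-sqlite3, unzip) listed once.
        name:
          - cron
          - curl
          - dhcpcd5
          - dns-root-data
          - dnsutils
          - git
          - idn2
          - iputils-ping
          - libcap2-bin
          - libcap2
          - lighttpd
          - lsof
          - netcat
          - php-cgi
          - php-cli
          - php-curl
          - php-intl
          - php-sqlite3
          - php-xml
          - psmisc
          - sqlite3
          - sudo
          - unzip
          - wget
          - whiptail
        state: latest
  roles:
    - role: pi_updatelist
      tags: [update]
    - role: pi_dnsmasq
      tags: [update]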
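# Routine maintenance for every host: apt upgrade, strip Ubuntu motd noise,
# update Pi-hole where present, and reboot only when the distro asks for it.
- hosts: all
  become: true
  tags: [update]
  vars_files:
    - "vars/vault.yml"
  tasks:
    # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
    - name: Update packages
      ansible.builtin.apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600
        # `safe` is the documented spelling of a plain `apt-get upgrade`
        # (the boolean form relied on the module mapping true -> "yes").
        upgrade: safe
    - name: Remove ubuntu motd spam
      ansible.builtin.file:
        path: "/etc/update-motd.d/{{ item }}"
        state: absent
      loop:
        - 10-help-text
        - 50-landscape-sysinfo
        - 50-motd-news
        - 80-livepatch
        - 95-hwe-eol
      when: ansible_distribution == 'Ubuntu'
    - name: Update PiHole
      when: inventory_hostname in groups['piholes']
      ansible.builtin.command:
        argv:
          - pihole
          - -up
    - name: Check if a reboot is needed for Debian and Ubuntu boxes
      register: reboot_required_file
      ansible.builtin.stat:
        path: /var/run/reboot-required
        # Only existence matters; skip checksumming (replaces the deprecated
        # get_md5 option).
        get_checksum: false
    - name: Reboot the server
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists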