Infra/ansible/run.yml


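# Runs on every host before the other plays (tag `always`); gathers the
# dpkg architecture name (amd64/arm64) on Debian-family hosts.
- hosts: all
  become: "{{ do_become }}"
  tags:
    - always
  vars_files:
    - "vars/vault.yml"
  tasks:
    # `command` instead of `shell`: the argument needs no shell features, so it
    # is not re-parsed by /bin/sh (ansible-lint command-instead-of-shell).
    # `_apt_arch` is not referenced elsewhere in this file; presumably consumed
    # by included tasks or roles — verify before removing.
    - name: Get dpkg arch
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.command: dpkg --print-architecture
      register: _apt_arch
      changed_when: false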
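# One-time bootstrap of a new host: users, hostname, base hardening roles,
# package baseline. Opt-in only (`never`): run with `--tags init`.
- hosts: all:!unifi
  become: "{{ do_become }}"
  tags: [never, init]
  vars_files:
    - "vars/vault.yml"
  pre_tasks:
    - name: Create managed users
      include_tasks: tasks/users.yml
      loop: "{{ users }}"
      loop_control:
        loop_var: user
    - name: Change hostname
      when: set_hostname is defined
      register: new_hostname
      ansible.builtin.hostname:
        name: "{{ set_hostname }}"
    # Keep the loopback line in step with the new hostname. A skipped hostname
    # task still registers a result with changed=false, so this condition is
    # safe when set_hostname is undefined.
    - name: Change hostname in hosts
      when: new_hostname.changed
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1 localhost'
        line: "127.0.0.1 localhost {{ set_hostname }}"
        owner: root
        group: root
        mode: "0644"
    - name: Reboot the server
      when: new_hostname.changed
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to hostname change"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 2
        post_reboot_delay: 30
        test_command: uptime
    - include_tasks: tasks/remove_prox_ee_apt.yml
      when: inventory_hostname in groups['prox']
    - name: Update apt cache
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 1
  roles:
    - role: geerlingguy.ntp
    - role: geerlingguy.security
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
  tasks:
    - name: Install packages
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.apt:
        name: "{{ package_list }}"
        # NOTE(review): `latest` upgrades every listed package on each run and is
        # not reproducible; `present` plus explicit upgrades in the update play
        # is the usual split (ansible-lint package-latest).
        state: latest
    # NOTE(review): unpinned pip install from PyPI; pin a version if this host
    # must be rebuilt reproducibly.
    - name: Install pip packages
      ansible.builtin.pip:
        name:
          - github3.py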
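# Docker engine via role, then the docker-compose CLI plugin for local users.
- hosts: docker
  become: "{{ do_become }}"
  tags:
    - docker
  vars_files:
    - "vars/vault.yml"
  post_tasks:
    # NOTE(review): unpinned pip install from PyPI; pin a version for
    # reproducible rebuilds.
    - name: Install pip packages
      ansible.builtin.pip:
        name:
          - docker
    # The docker CLI executes whatever lives in cli-plugins, so ownership of
    # this directory matters.
    - name: Create plugin directory if not present
      ansible.builtin.file:
        path: "/home/{{ item.username }}/.docker/cli-plugins/"
        state: directory
        owner: "{{ item.username }}"
        group: "{{ item.groupname }}"
        # NOTE(review): group-writable directory of executables run by the
        # user's docker CLI; "0755" unless the group genuinely needs write access.
        mode: "0775"
      loop: "{{ docker_users_obj }}"
    # NOTE(review): `latest_release` floats to whatever is newest at run time;
    # pin a tag (and compare against comp_cli.tag) for reproducible installs.
    - name: Get latest release of a public repository
      community.general.github_release:
        user: docker
        repo: compose
        action: latest_release
      register: comp_cli
    # The binary is downloaded from GitHub and later executed by the docker
    # CLI, so verify it against the checksum the release publishes instead of
    # trusting the download alone. Assumes the release ships a
    # `<binary>.sha256` sidecar next to each binary, as recent docker/compose
    # releases do — TODO confirm against the release page.
    # NOTE(review): the directory above is created for every entry of
    # docker_users_obj, but the plugin is installed only for users.0 — confirm
    # that is intended.
    - name: Install compose plugin
      ansible.builtin.get_url:
        url: "https://github.com/docker/compose/releases/download/{{ comp_cli.tag }}/docker-compose-linux-{{ ansible_architecture }}"
        checksum: "sha256:https://github.com/docker/compose/releases/download/{{ comp_cli.tag }}/docker-compose-linux-{{ ansible_architecture }}.sha256"
        dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose"
        mode: "0755"
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"
  roles:
    - role: geerlingguy.docker
      when: ansible_distribution == 'Ubuntu'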
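# Kubernetes node bootstrap. Opt-in (`never`): run with `--tags init` or
# `--tags kube`.
- hosts: kube
  tags:
    - init
    - kube
    - never
  vars_files:
    - "vars/vault.yml"
  tasks:
    # Passing the list to `name` installs everything in a single apt
    # transaction instead of one apt run per package.
    - name: Install runtime dependencies
      become: "{{ do_become }}"
      ansible.builtin.apt:
        name:
          - fuse-overlayfs
          - nfs-common
          - open-iscsi
        state: present
    - name: Include Containerd role
      include_role:
        name: geerlingguy.containerd
        apply:
          become: "{{ do_become }}"
    - name: Include Docker role
      include_role:
        name: geerlingguy.docker
        apply:
          become: "{{ do_become }}"
    # NOTE(review): the kubernetes and zfs roles are included without
    # `apply: become`, unlike the others in this play; presumably they
    # escalate internally — verify.
    - name: Include Kubernetes role
      include_role:
        name: kubernetes
    - name: Include ZFS role
      when: inventory_hostname in groups['zfs']
      include_role:
        name: zfs
    - name: Include NFS role
      when: inventory_hostname in groups['nfs']
      include_role:
        name: geerlingguy.nfs
        apply:
          become: "{{ do_become }}"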
# Proxmox hosts: subscription-nag removal plus the local proxmox role.
# No play-level become; the roles are presumably responsible for their own
# escalation — confirm.
- hosts: prox
  tags: [prox, update]
  vars_files:
    - "vars/vault.yml"
  roles:
    - role: ironicbadger_ansible-role-proxmox-nag-removal
    - role: proxmox
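# Raspberry Pi specifics: firmware tools, VLAN support and PoE HAT fan curve.
- hosts: raspberries
  tags:
    - init
    - raspberries
    - update
  vars_files:
    - "vars/vault.yml"
  tasks:
    # Single apt transaction for the whole list; `state` is left at its
    # default (present) as in the original.
    - name: Install packages
      become: "{{ do_become }}"
      ansible.builtin.apt:
        name:
          - libraspberrypi-bin
          - linux-modules-extra-raspi
          - vlan
    # Loading a kernel module needs root: the original task had no `become`
    # and this play has none at play level, so it could only succeed when the
    # connecting user was already root. Note this loads the module for the
    # running kernel only; persist it (e.g. /etc/modules-load.d) if it must
    # be present after reboot.
    - name: Add the 802.1q module
      become: "{{ do_become }}"
      community.general.modprobe:
        name: 8021q
        state: present
    - name: Place PoE fan file
      become: "{{ do_become }}"
      ansible.builtin.copy:
        content: |
          # Ansible managed
          dtoverlay=rpi-poe
          dtparam=poe_fan_temp0=57000
          dtparam=poe_fan_temp1=60000
          dtparam=poe_fan_temp2=63000
          dtparam=poe_fan_temp3=66000
          dtoverlay=vc4-fkms-v3d
        dest: /boot/firmware/usercfg.txt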
# Pi-hole hosts: blocklist updater, local dnsmasq config, then pihole itself.
# No play-level become; the roles presumably escalate on their own — confirm.
- hosts: piholes
  tags: [pihole, update]
  vars_files:
    - "vars/vault.yml"
  roles:
    - role: pihole_updatelist
    - role: pi_dnsmasq
    - role: pihole
# - hosts: usg
# vars_files:
# - "vars/vault.yml"
# - "vars/wireguard.yml"
# tags: [network, ubnt]
# roles:
# - role: usg
# - hosts: cloud_key
# vars_files:
# - "vars/vault.yml"
# - "vars/wireguard.yml"
# tags: [network, ubnt]
# roles:
# - role: cloud_key
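# Routine maintenance: package upgrade, MOTD cleanup, pi-hole update, reboot
# when the OS asks for one.
- hosts: all:!unifi
  become: "{{ do_become }}"
  tags:
    - init
    - update
  vars_files:
    - "vars/vault.yml"
  tasks:
    # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
    # Real booleans instead of the quoted strings "True". `upgrade` takes one
    # of dist/full/no/safe/yes — "True" is not among the documented choices;
    # `safe` is what `yes` maps to.
    - name: Update packages
      when: ansible_distribution == 'Ubuntu'
      ansible.builtin.apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600
        upgrade: safe
    - name: Remove ubuntu motd spam
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.file:
        path: "/etc/update-motd.d/{{ item }}"
        state: absent
      loop:
        - 10-help-text
        - 10-uname
        - 50-landscape-sysinfo
        - 50-motd-news
        - 80-livepatch
        - 88-esm-announce
        - 90-updates-available
        - 91-contract-ua-esm-status
        - 91-release-upgrade
        - 92-unattended-upgrades
        - 95-hwe-eol
    - name: Place MoTD
      become: "{{ do_become }}"
      when: ansible_distribution == 'Ubuntu'
      ansible.builtin.copy:
        content: |
          #!/bin/sh
          # Ansible managed
          neofetch
        # Quoted: an unquoted 0755 is parsed as a number, not an octal mode
        # string (matches the other mode values in this file).
        mode: "0755"
        dest: /etc/update-motd.d/01-neofetch
    - name: Check if pi-hole is installed
      when: inventory_hostname in groups['piholes']
      ansible.builtin.stat:
        path: "/usr/local/bin/pihole"
      register: pihole_exec
    - name: Update PiHole
      when: inventory_hostname in groups['piholes'] and pihole_exec.stat.exists
      become: "{{ do_become }}"
      ansible.builtin.command:
        argv:
          - pihole
          - -up
    - name: Install and update chezmoi
      include_tasks: tasks/omp.yml
    - include_tasks: tasks/remove_prox_ee_apt.yml
      when: inventory_hostname in groups['prox']
    # `get_md5` is deprecated in newer ansible-core; `get_checksum: false`
    # keeps the intent (no hashing of the marker file) — confirm against the
    # ansible-core version in use.
    - name: Check if a reboot is needed for Debian and Ubuntu boxes
      register: reboot_required_file
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: false
    # Distribution guard first: on hosts where the stat task was skipped the
    # registered result has no `.stat`, and the original ordering evaluated
    # that attribute before the guard could short-circuit.
    - name: Reboot the server
      throttle: 1
      when: (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian') and reboot_required_file.stat.exists
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime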