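---
# Play 1: one-time host bootstrap (users, hostname, scripts directory, baseline
# hardening). The `never` tag means it only runs when `--tags init` is asked for.
- hosts: all
  become: true
  tags: [never, init]
  vars_files:
    - "vars/vault.yml"

  # `collections` takes collection names, not module names. Every module below
  # is already called by its FQCN, so this only matters for short-name lookup.
  collections:
    - ansible.builtin
    - ansible.posix

  pre_tasks:
    # tasks/user.yml is not visible here; it receives one `user` entry per
    # iteration (the play later reads users.0.username / users.0.groupname).
    - include_tasks: tasks/user.yml
      loop: "{{ users }}"
      loop_control:
        loop_var: user

    - name: Change hostname
      when: set_hostname is defined
      register: new_hostname
      ansible.builtin.hostname:
        name: "{{ set_hostname }}"

    # A skipped hostname task still registers `new_hostname` with
    # changed == false, so this guard is safe when set_hostname is unset.
    - name: Change hostname in hosts
      when: new_hostname.changed
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1 localhost'
        line: "127.0.0.1 localhost {{ set_hostname }}"
        owner: root
        group: root
        mode: "0644"

    # SECURITY: /opt/scripts is appended to PATH for every login shell that
    # sources /etc/profile, root's included. Anyone who can write here can plant
    # a binary that root ends up executing (typo-squatting, or a script called
    # from this directory). Keep it writable by the owning user only (0755, not
    # group-writable 0775) and treat users.0 as a fully trusted account.
    - name: Create scripts directory
      ansible.builtin.file:
        path: "/opt/scripts"
        state: directory
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"
        mode: "0755"

    # copy is idempotent, so no `when: script_dir.changed` guard: tying this to
    # the directory's creation meant a deleted profile.d file was never restored.
    # The file must stay root-owned and not writable by anyone else.
    - name: Add bin dir to system-wide $PATH.
      ansible.builtin.copy:
        dest: /etc/profile.d/custom-path.sh
        content: "PATH=$PATH:/opt/scripts"
        owner: root
        group: root
        mode: "0644"

    - name: Reboot the server
      when: new_hostname.changed
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to hostname change"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 2
        post_reboot_delay: 30
        test_command: uptime

    - name: Update packages
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 1

  roles:
    - role: geerlingguy.ntp
    # Presumably the role that reconfigures sshd (its variables are not visible
    # here) — the port switch below only makes sense once it has run.
    - role: geerlingguy.security

  tasks:
    # Switch this play's connection fact so the following plays reconnect on
    # the new sshd port. NOTE: a non-default port is obscurity, not access
    # control; key-only auth and the firewall are the actual controls.
    - name: Change ssh port
      ansible.builtin.set_fact:
        ansible_port: "{{ secret_ssh_port }}"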
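# Play 2: package baseline. `always` runs it on every invocation regardless of
# --tags (unless explicitly skipped with --skip-tags always).
- hosts: all
  become: true
  tags: [always]
  vars_files:
    - "vars/vault.yml"

  # Collection name, not a module name.
  collections:
    - ansible.builtin

  tasks:
    # package_list comes from the vars files / inventory and is not shown here.
    - name: Install packages
      ansible.builtin.apt:
        update_cache: true
        pkg: "{{ package_list }}"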
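# Play 3: Docker hosts. Roles run before post_tasks in play order, so the
# geerlingguy.docker role (init only) is in place before the tasks below.
- hosts: docker
  become: true
  tags: [docker]
  vars_files:
    - "vars/vault.yml"

  # Collection names, not module names; community.general is needed for
  # github_release below.
  collections:
    - ansible.builtin
    - community.general

  roles:
    - role: geerlingguy.docker
      tags: [never, init]

  post_tasks:
    # SUPPLY CHAIN: installed system-wide as root straight from PyPI with no
    # version pin or hash. Pin versions (e.g. `docker==x.y.z`) once chosen so a
    # rebuild cannot silently pull a different or hijacked release.
    # github3.py is what community.general.github_release requires.
    - name: Install pip packages
      tags: [never, init]
      ansible.builtin.pip:
        name:
          - docker
          - github3.py

    - name: Set Default logging
      tags: [never, init, logging]
      register: docker_daemon
      ansible.builtin.copy:
        dest: /etc/docker/daemon.json
        owner: "root"
        group: "root"
        mode: "0600"
        content: |
          {
            "log-driver": "journald",
            "log-opts": {
              "mode": "non-blocking"
            }
          }

    - name: Restart service to apply changes
      tags: [never, init, logging]
      when: docker_daemon.changed
      ansible.builtin.service:
        name: docker
        state: restarted

    # Holds an executable the user's docker CLI loads: writable by the owner
    # only, not group-writable.
    - name: Create plugin directory if not present
      ansible.builtin.file:
        path: "/home/{{ users.0.username }}/.docker/cli-plugins/"
        state: directory
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"
        mode: "0755"

    # Unauthenticated GitHub API call (rate-limited). Resolving "latest" at run
    # time also makes every run non-reproducible; prefer a pinned tag variable.
    - name: Get latest release of a public repository
      community.general.github_release:
        user: docker
        repo: compose
        action: latest_release
      register: comp_cli

    # SUPPLY CHAIN: an executable fetched over HTTPS and run by the user with
    # no integrity check. Pin the tag and set get_url's
    # `checksum: "sha256:<digest>"` to the digest published for that release,
    # so a swapped asset fails the download instead of being installed.
    - name: Install compose plugin
      ansible.builtin.get_url:
        url: "https://github.com/docker/compose/releases/download/{{ comp_cli.tag }}/docker-compose-linux-x86_64"
        dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose"
        mode: "0755"
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"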
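# Play 4: the simple_login host. The roles are local to this repo and not
# visible here; each carries its own tag on top of the play's [init, mail] so
# it can be replayed on its own.
- hosts: simple_login
  become: true
  tags: [init, mail]
  vars_files:
    - "vars/vault.yml"

  roles:
    - role: wireguard
      tags: [wireguard]
    - role: simple-login
      tags: [mail]
    - role: swag
      tags: [edge]
    - role: authentik
      tags: [edge]
    # SECURITY: ufw is applied last, so on a fresh host the services above are
    # reachable before the firewall exists. If the ufw role supports it, run it
    # first with a default-deny policy and have each service open its own port.
    - role: ufw
      tags: [edge]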
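# Play 5: routine patching; runs with --tags update and as part of init.
- hosts: all
  become: true
  tags: [update, init]
  vars_files:
    - "vars/vault.yml"

  # Collection name, not module names.
  collections:
    - ansible.builtin

  tasks:
    # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
    # `safe` is the same mode that `upgrade: true` was being coerced into
    # ("yes": plain apt-get upgrade, no dist-upgrade), stated explicitly.
    - name: Update packages
      ansible.builtin.apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600
        upgrade: safe

    - name: Remove ubuntu motd spam
      when: ansible_distribution == 'Ubuntu'
      ansible.builtin.file:
        path: "/etc/update-motd.d/{{ item }}"
        state: absent
      loop:
        - 10-help-text
        - 50-landscape-sysinfo
        - 50-motd-news
        - 80-livepatch
        - 90-updates-available
        - 95-hwe-eol

    # Only the file's existence matters, so skip hashing it. `get_md5` was the
    # old spelling of this and has since been deprecated/removed from stat.
    - name: Check if a reboot is needed for Debian and Ubuntu boxes
      register: reboot_required_file
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: false

    - name: Reboot the server
      when: reboot_required_file.stat.exists
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime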