
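---
# Play 1: one-time bootstrap. Never runs by default; invoke with `--tags init`.
# Creates users, renames the host, prepares /opt/scripts, applies the NTP and
# SSH-hardening roles, then re-points the connection at the new SSH port so
# the remaining plays in this run can still reach the host.
- hosts: all
  become: true
  tags: [never, init]
  vars_files:
    - "vars/vault.yml"  # ansible-vault file: users, set_hostname, secret_ssh_port
  # `collections` takes collection names (namespace.name), not module FQCNs.
  # Every module below is already addressed by FQCN, so only the non-builtin
  # collection needs listing.
  collections:
    - ansible.posix
  pre_tasks:
    - include_tasks: tasks/user.yml
      with_items: "{{ users }}"
      loop_control:
        loop_var: user
    - name: Change hostname
      ansible.builtin.hostname:
        name: "{{ set_hostname }}"
      register: new_hostname
      when: set_hostname is defined
    # Keep /etc/hosts resolving the new name so sudo/hostname lookups do not
    # stall after the rename. Skipped (changed=false) when no rename happened.
    - name: Change hostname in hosts
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1 localhost'
        line: "127.0.0.1 localhost {{ set_hostname }}"
        owner: root
        group: root
        mode: "0644"
      when: new_hostname.changed
    # /opt/scripts is appended to PATH for every login shell, root included, so
    # only its owner may write to it: a group-writable directory on root's
    # PATH lets any member of that group drop a binary root may later execute.
    # If group write is genuinely needed, keep the directory off the
    # system-wide PATH instead of relaxing the mode.
    - name: Create scripts directory
      ansible.builtin.file:
        path: /opt/scripts
        state: directory
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"
        mode: "0755"
    # Not gated on the directory being newly created: copy is idempotent, and
    # the previous `when: script_dir.changed` left the profile.d entry missing
    # whenever /opt/scripts already existed.
    - name: Add bin dir to system-wide $PATH.
      ansible.builtin.copy:
        dest: /etc/profile.d/custom-path.sh
        content: |
          PATH=$PATH:/opt/scripts
        owner: root
        group: root
        mode: "0644"
    # Still on the default SSH port here: geerlingguy.security has not run yet.
    - name: Reboot the server
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to hostname change"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 2
        post_reboot_delay: 30
        test_command: uptime
      when: new_hostname.changed
    - name: Update packages
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 1  # effectively always refresh
  roles:
    - role: geerlingguy.ntp
    - role: geerlingguy.security
  tasks:
    # geerlingguy.security moves sshd to secret_ssh_port; facts set with
    # set_fact persist for the rest of the run, so later plays connect there.
    - name: Change ssh port
      ansible.builtin.set_fact:
        ansible_port: "{{ secret_ssh_port }}"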
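# Play 2: runs on every invocation (tag `always`) and keeps the base package
# set from the vault installed.
- hosts: all
  become: true
  tags: [always]
  vars_files:
    - "vars/vault.yml"  # provides package_list
  # No `collections` entry needed: the only module is ansible.builtin.apt,
  # addressed by FQCN (the previous entry was a module name, which is not a
  # valid collection name).
  tasks:
    - name: Install packages
      ansible.builtin.apt:
        update_cache: true
        pkg: "{{ package_list }}"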
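# Play 3: Docker hosts. Execution order is pre_tasks -> roles -> tasks ->
# post_tasks, so geerlingguy.docker installs the engine before daemon.json
# and the CLI plugin are laid down.
- hosts: docker
  become: true
  tags: [docker]
  vars_files:
    - "vars/vault.yml"
  # community.general provides github_release; everything else is FQCN builtin.
  collections:
    - community.general
  roles:
    - role: geerlingguy.docker
      tags: [never, init]
  post_tasks:
    # NOTE(review): unpinned installs from PyPI. Pin versions (ideally with
    # hashes) once the required releases are known, so a re-run cannot
    # silently pull a different or tampered package.
    - name: Install pip packages
      tags: [never, init]
      ansible.builtin.pip:
        name:
          - docker
          - github3.py  # required on the target by community.general.github_release
    - name: Set Default logging
      tags: [never, init, logging]
      ansible.builtin.copy:
        dest: /etc/docker/daemon.json
        owner: root
        group: root
        mode: "0600"
        content: |
          {
            "log-driver": "journald",
            "log-opts": {
              "mode": "non-blocking"
            }
          }
      register: docker_daemon
    - name: Restart service to apply changes
      tags: [never, init, logging]
      ansible.builtin.service:
        name: docker
        state: restarted
      when: docker_daemon.changed
    # Executables in cli-plugins run as the user on every `docker <plugin>`
    # call, so the directory is writable by its owner only.
    - name: Create plugin directory if not present
      ansible.builtin.file:
        path: "/home/{{ users.0.username }}/.docker/cli-plugins/"
        state: directory
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"
        mode: "0755"
    # Unauthenticated GitHub API lookup (rate-limited per source IP); only the
    # tag name is consumed.
    - name: Get latest release of a public repository
      community.general.github_release:
        user: docker
        repo: compose
        action: latest_release
      register: comp_cli
    # With the default force=false, get_url downloads only while dest is
    # missing, so an installed plugin is never upgraded even though the latest
    # tag was just queried. TODO(review): supply `checksum:` (sha256 taken from
    # the release's published checksum asset) so the binary is both verified
    # and refreshed when the release changes. Asset name is hard-coded to
    # x86_64; other architectures need a different asset.
    - name: Install compose plugin
      ansible.builtin.get_url:
        url: "https://github.com/docker/compose/releases/download/{{ comp_cli.tag }}/docker-compose-linux-x86_64"
        dest: "/home/{{ users.0.username }}/.docker/cli-plugins/docker-compose"
        mode: "0755"
        owner: "{{ users.0.username }}"
        group: "{{ users.0.groupname }}"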
# Play 4: the SimpleLogin mail host with its VPN and edge services.
# Play-level tags are inherited by every role listed here, so all of them also
# run under `--tags init` or `--tags mail`; the per-role tags only add
# narrower selectors (`wireguard`, `edge`).
- hosts: simple_login
  tags: [init, mail]
  become: true
  vars_files:
    - "vars/vault.yml"
  roles:
    - role: wireguard
      tags: [wireguard]
    - role: simple-login
      tags: [mail]
    - role: swag
      tags: [edge]
    - role: authentik
      tags: [edge]
    - role: ufw
      tags: [edge]
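# Play 5: routine maintenance (`--tags update`, also part of init): apt
# upgrade, MOTD cleanup on Ubuntu, and a reboot only when the OS asks for one.
- hosts: all
  become: true
  tags: [update, init]
  vars_files:
    - "vars/vault.yml"
  tasks:
    # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
    # `upgrade: safe` is what the module maps `yes`/true to: apt-get upgrade,
    # never removing packages. Choose `dist`/`full` deliberately if kernel or
    # dependency changes that remove packages are wanted.
    - name: Update packages
      ansible.builtin.apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600
        upgrade: safe
    # `when` is evaluated per loop item. NOTE(review): the packages that ship
    # these scripts may reinstate them on a later upgrade -- re-check after
    # upgrades.
    - name: Remove ubuntu motd spam
      ansible.builtin.file:
        path: "/etc/update-motd.d/{{ item }}"
        state: absent
      loop:
        - 10-help-text
        - 50-landscape-sysinfo
        - 50-motd-news
        - 80-livepatch
        - 90-updates-available
        - 95-hwe-eol
      when: ansible_distribution == 'Ubuntu'
    # Only `.stat.exists` is consumed below, so skip hashing. The previous
    # `get_md5: no` was a long-deprecated option that current
    # ansible.builtin.stat no longer documents and may reject as an
    # unsupported parameter -- TODO confirm against the ansible-core in use.
    - name: Check if a reboot is needed for Debian and Ubuntu boxes
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: false
      register: reboot_required_file
    - name: Reboot the server
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists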