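---
# Play: provision SSH access for the automation user and drop in an sshd
# override. Public keys live under /etc/ssh/authorized_keys/<user>; sshd's
# StrictModes requires them to be root-owned and not group/world-writable.
- name: Setup SSH Config
  hosts: all
  become: true
  become_user: root
  tags:
    - setup_ssh
    - setup
  tasks:
    - name: Authorized_keys dir present
      ansible.builtin.file:
        state: directory
        path: /etc/ssh/authorized_keys
        owner: root
        group: root
        mode: '0755'

    # Derive the public half of the key Ansible itself connects with, on the
    # controller, so the deploying key is always part of authorized_keys. The
    # argv form avoids shell-style word splitting of the key path, and
    # `mandatory` gives a clear error when the connection uses an agent and no
    # key file is configured. The private key never leaves the controller.
    - name: Obtain Machine Pubkey
      delegate_to: localhost
      become: false
      changed_when: false
      register: pubkey
      ansible.builtin.command:
        argv:
          - ssh-keygen
          - "-y"
          - "-f"
          - "{{ ansible_ssh_private_key_file | mandatory }}"

    - name: Deploy SSH-Keys
      vars:
        machine_key: "{{ pubkey.stdout }}"
      ansible.builtin.template:
        src: "authorized_keys.j2"
        dest: "/etc/ssh/authorized_keys/{{ ansible_user }}"
        owner: root
        group: root
        mode: '0644'

    - name: Ensure authorized_keys ownership
      ansible.builtin.file:
        state: directory
        path: /etc/ssh/authorized_keys
        owner: root
        group: root
        mode: "u=rwX,g=rX,o=rX"
        recurse: true

    # `validate` runs sshd's parser on the rendered file before it is moved
    # into place, so a typo in the template cannot leave sshd unable to start
    # and lock us out of the host. The reload handler applies the new config
    # to the running daemon; existing sessions survive a reload.
    # NOTE(review): /usr/sbin/sshd is the Fedora/RHEL-family location, which
    # the /etc/sysconfig paths elsewhere in this playbook suggest — confirm.
    - name: Configure sshd
      ansible.builtin.template:
        src: 'sshd_config.j2'
        dest: '/etc/ssh/sshd_config.d/99-override.conf'
        owner: root
        group: root
        mode: '0600'
        validate: /usr/sbin/sshd -t -f %s
      notify: Reload sshd

    # NOTE(review): sshd reads drop-ins from /etc/ssh/sshd_config.d/; this path
    # is the *client* config dir (ssh_config.d). Confirm which file actually
    # ships on the target image before relying on this removal.
    - name: Remove Keys Config
      ansible.builtin.file:
        state: absent
        path: /etc/ssh/ssh_config.d/40-ssh-key-dir.conf

  handlers:
    # NOTE(review): the unit is sshd.service on Fedora/RHEL-family hosts;
    # Debian-family hosts call it ssh.service.
    - name: Reload sshd
      ansible.builtin.systemd:
        name: sshd.service
        state: reloaded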
# Play: static wired network profile plus upstream resolvers for hosts in
# the network_config group.
- name: Setup Networks
  hosts: network_config
  become: true
  become_user: root
  tasks:
    # NetworkManager keyfile. 0600 because connection profiles may carry
    # secrets (802.1X, Wi-Fi PSK) and NM ignores world-readable keyfiles.
    - name: Setup wired interface
      ansible.builtin.template:
        dest: "/etc/NetworkManager/system-connections/Wired Connection 1.nmconnection"
        src: "connection.nmconnection.j2"
        mode: '0600'
        owner: root
        group: root
      notify: Restart Network

    # Pin systemd-resolved upstreams. NOTE(review): this is plain DNS; if
    # confidentiality of lookups matters, consider adding DNSOverTLS= and
    # DNSSEC= entries next to these.
    - name: Setup DNS
      ansible.builtin.lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: "{{ resolver_setting.regexp }}"
        line: "{{ resolver_setting.line }}"
      loop:
        - regexp: "^DNS="
          line: "DNS=1.1.1.1"
        - regexp: "^FallbackDNS="
          line: "FallbackDNS=8.8.8.8"
      loop_control:
        loop_var: resolver_setting
      notify: Restart systemd-resolved

  handlers:
    # NOTE(review): a full NetworkManager restart can briefly disrupt
    # connectivity on the managed host; `nmcli connection reload` followed by
    # `nmcli connection up` is gentler if that becomes a problem.
    - name: Restart Network
      ansible.builtin.systemd:
        name: NetworkManager.service
        state: restarted

    - name: Restart systemd-resolved
      ansible.builtin.systemd:
        name: systemd-resolved.service
        state: restarted
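# Play: install the backup script and the SSH identity it uses to reach the
# remote storage box. Everything is root-only, and the remote host key is
# pinned from inventory so the first connection is not trust-on-first-use.
- name: Backup
  hosts: backup
  become: true
  become_user: root
  tasks:
    - name: Install backup script
      ansible.builtin.template:
        src: backup.sh.j2
        dest: /root/backup.sh
        mode: '0700'
        owner: root
        group: root

    - name: Ensure /root/.ssh exists
      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        group: root
        state: directory
        mode: '0700'

    # The destination and mode indicate an SSH private key. no_log keeps the
    # rendered contents out of task output and of --diff output on the
    # controller.
    - name: Install SSH Keys
      ansible.builtin.template:
        src: storagebox.j2
        dest: /root/.ssh/storagebox
        mode: '0600'
        owner: root
        group: root
      no_log: true

    # Pre-seed known_hosts so ssh can verify the storage box without prompting.
    - name: Add Known Hosts entries
      ansible.builtin.known_hosts:
        path: "/root/.ssh/known_hosts"
        name: "{{ backup.known_hosts.name }}"
        key: "{{ backup.known_hosts.key }}"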
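# Play: one-shot restore of a fresh host from the borg repository. Guarded by
# the /etc/setup_complete marker so a re-run never restores over live data.
- name: Restore from Backup
  hosts: backup
  become: true
  become_user: root
  gather_facts: true
  tasks:
    - name: Check if restore is needed
      ansible.builtin.stat:
        path: "/etc/setup_complete"
      register: setup_complete

    # The `when` on the block applies to the always section as well.
    - name: Restore host from backup when not yet set up
      when: not setup_complete.stat.exists
      block:
        - name: Install restore script
          ansible.builtin.template:
            src: restore.sh.j2
            dest: /root/restore.sh
            mode: '0700'
            owner: root
            group: root

        - name: Setup ssh directory
          ansible.builtin.file:
            path: /root/.ssh
            owner: root
            group: root
            state: directory
            mode: '0700'

        # Destination and mode indicate an SSH private key; no_log keeps it
        # out of task output and --diff output.
        - name: Install SSH Keys
          ansible.builtin.template:
            src: storagebox.j2
            dest: /root/.ssh/storagebox
            mode: '0600'
            owner: root
            group: root
          no_log: true

        - name: Add Known Hosts entries
          ansible.builtin.known_hosts:
            path: "/root/.ssh/known_hosts"
            name: "{{ backup.known_hosts.name }}"
            key: "{{ backup.known_hosts.key }}"

        # The play already runs as root; no per-task become needed.
        - name: Restore from Borg
          ansible.builtin.command:
            chdir: /
            cmd: bash /root/restore.sh

        # Only reached when restore.sh succeeded: a failed run leaves the
        # marker absent so the next run retries instead of skipping.
        - name: Mark setup as complete
          ansible.builtin.file:
            path: "/etc/setup_complete"
            state: touch
            owner: root
            group: root
            mode: '0600'
      always:
        # Runs even when restore.sh failed, so the rendered script (and
        # anything sensitive that may have been templated into it) does not
        # linger on the host.
        - name: Remove script from host
          ansible.builtin.file:
            path: /root/restore.sh
            state: absent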
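# Play: per-user container registry credentials for the `core` user. Runs as
# the connecting user (no become), so it can only write into a home it owns.
# NOTE(review): `core` is hard-coded here while the other plays use
# {{ ansible_user }}; confirm they are the same account on every host.
- name: Setup Registry credentials
  hosts: all
  tasks:
    - name: Ensure ~core/.docker exists
      ansible.builtin.file:
        path: /home/core/.docker
        owner: core
        state: directory
        mode: '0700'

    # ~/.docker/config.json is where the docker CLI keeps registry auth;
    # no_log keeps the rendered credentials out of controller output and
    # --diff output.
    - name: Install registry credentials
      ansible.builtin.template:
        src: docker-config.json.j2
        dest: /home/core/.docker/config.json
        mode: '0600'
        owner: core
      no_log: true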
# Play: daemon.json plus /etc/sysconfig/docker tweaks. Handlers are flushed
# at the end so docker restarts once, before later plays create networks.
- name: Setup Docker Config
  hosts: all
  become: true
  become_user: root
  tasks:
    - name: Template Config
      notify: Restart Docker
      ansible.builtin.template:
        src: "docker-daemon.json.j2"
        dest: /etc/docker/daemon.json
        mode: '0600'
        owner: root
        group: root

    # NOTE(review): lineinfile appends at EOF when search_string is absent;
    # with the trailing backslash that only yields a valid file if the
    # OPTIONS= continuation is the last thing in it. Verify against the
    # shipped sysconfig before relying on this on a fresh image.
    - name: Setup default ulimts
      notify: Restart Docker
      ansible.builtin.lineinfile:
        path: /etc/sysconfig/docker
        search_string: '--default-ulimit nofile='
        line: ' --default-ulimit nofile=4096:4096 \'

    # Presumably daemon.json now owns the logging config; dockerd refuses to
    # start when the same directive is given both as a flag and in the file.
    - name: Remove log-driver from sysconfig
      notify: Restart Docker
      ansible.builtin.lineinfile:
        path: /etc/sysconfig/docker
        search_string: '--log-driver='
        state: absent

    - name: Restart Docker if necessary
      meta: flush_handlers

  handlers:
    - name: Restart Docker
      ansible.builtin.systemd:
        name: docker.service
        state: restarted
# Play: create the internal-only docker networks listed in
# docker.internal_networks. `internal: true` gives containers on them no
# route outside the host. Runs as the connecting user, so it relies on that
# user having docker socket access (NOTE(review): docker group membership is
# root-equivalent; keep that account tightly controlled).
- name: Setup internal networks
  hosts: all
  tasks:
    - name: Setup network
      community.docker.docker_network:
        internal: true
        name: "{{ network_name }}"
      loop: "{{ docker.internal_networks | default([]) }}"
      loop_control:
        loop_var: network_name
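# Play: register a push monitor in Uptime Kuma for each host and install a
# user-level systemd timer that calls the push URL. Tagged `never`, so it
# only runs when -t setup_monitoring / setup is given explicitly.
- name: Setup Push Monitoring
  hosts: all
  tags:
    - never
    - setup_monitoring
    - setup
  tasks:
    # Authenticates with a password and registers a session token; no_log
    # keeps both out of controller output. kuma.api_password should be
    # supplied from vault, not plain inventory.
    - name: Login to Kuma
      delegate_to: localhost
      check_mode: false
      no_log: true
      lucasheld.uptime_kuma.login:
        api_url: "{{ kuma.api_url }}"
        api_username: "{{ kuma.api_username }}"
        api_password: "{{ kuma.api_password }}"
      register: kumalogin

    # `interval` must be numeric; inventory values often arrive as strings,
    # so cast before adding the 30 s grace period on top of the heartbeat
    # period.
    - name: Create Kuma Monitor
      delegate_to: localhost
      check_mode: false
      lucasheld.uptime_kuma.monitor:
        api_url: "{{ kuma.api_url }}"
        api_token: "{{ kumalogin.token }}"
        name: "{{ inventory_hostname }}"
        description: "Managed by Ansible"
        type: push
        interval: "{{ heartbeat_timer_interval | mandatory | int + 30 }}"
        maxretries: 2
        notification_names:
          - "Kuma Statusmonitor"
        state: present

    # The result carries the push token (it becomes part of a URL anyone can
    # call to mark the host up); keep it out of verbose output.
    - name: Obtain Kuma Push Token
      delegate_to: localhost
      check_mode: false
      no_log: true
      lucasheld.uptime_kuma.monitor_info:
        api_url: "{{ kuma.api_url }}"
        api_token: "{{ kumalogin.token }}"
        name: "{{ inventory_hostname }}"
      register: monitor

    # Lingering keeps the user's systemd instance (and the timer) alive
    # without an active login session.
    - name: Check if user is lingering
      ansible.builtin.stat:
        path: "/var/lib/systemd/linger/{{ ansible_user }}"
      register: user_lingering

    # argv form avoids word splitting of the user name.
    - name: Enable lingering for user if needed
      ansible.builtin.command:
        argv:
          - loginctl
          - enable-linger
          - "{{ ansible_user }}"
      when:
        - not user_lingering.stat.exists

    - name: Create systemd config dir
      ansible.builtin.file:
        state: directory
        path: "/home/{{ ansible_user }}/.config/systemd/user"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: '0755'

    # The rendered unit embeds the push URL including the token: 0600, and
    # diff output is disabled so the token is not echoed by --diff runs.
    # `item` is kept as the loop variable because the .j2 templates may
    # reference it.
    - name: Copy Push Monitor Service and Timer
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/home/{{ ansible_user }}/.config/systemd/user/{{ item }}"
        mode: '0600'
        owner: "{{ ansible_user }}"
      vars:
        monitor_url: "{{ kuma.api_url }}/api/push/{{ monitor.monitors[0].pushToken }}?status=up&msg=OK"
      diff: false
      loop:
        - heartbeat.service
        - heartbeat.timer

    - name: Enable timer
      ansible.builtin.systemd:
        scope: user
        name: heartbeat.timer
        state: started
        enabled: true
        masked: false
        daemon_reload: true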
# Pull in the WireGuard VPN plays from vpn.yaml; the tags listed here are
# inherited by every play and task that file contains.
- name: Setup Infrastructure Wireguard
  ansible.builtin.import_playbook: vpn.yaml
  tags:
    - setup_vpn
    - setup_wireguard
    - setup
# vim: ft=yaml.ansible
|