From e7ba86f10a6d13694b6f19fe6e967f1d0440d4d6 Mon Sep 17 00:00:00 2001 
From: xbazzi Date: Thu, 21 Aug 2025 23:43:52 -0600 Subject: [PATCH] Feat: add scylladb + a bunch of stuff I forgot to commit earlier --- .gitea/workflows/mirror-to-github.yaml | 73 +++++ inventory/group_vars/pve_nodes.yml | 58 ++-- inventory/hosts.yml | 286 +++++++++--------- playbooks/configure-pve.yml | 3 +- playbooks/deploy-stack.yml | 40 +++ playbooks/deploy-swarm.yml | 74 ----- playbooks/docker-prep.yml | 7 + playbooks/enable-x11.yml | 11 + playbooks/install-packages.yml | 6 + playbooks/nuke-docker.yml | 6 + playbooks/provision-alma.yml | 20 -- playbooks/provision-vm.yml | 23 ++ playbooks/sysprep-alma.yml | 4 +- playbooks/uninstall-packages.yml | 5 + .../build/caddy/templates/caddy-dockerfile.j2 | 1 + .../install/{ => alma}/defaults/main.yml | 0 .../docker/install/{ => alma}/tasks/main.yml | 0 roles/docker/install/deb/defaults/main.yml | 0 roles/docker/install/deb/handlers/main.yml | 3 + roles/docker/install/deb/tasks/main.yml | 156 ++++++++++ roles/docker/install/tasks/main2.yml | 45 --- roles/docker/setup-lvm/tasks/main.yml | 25 +- roles/docker/stack/defaults/main.yml | 2 - roles/docker/stack/tasks/main.yml | 27 -- roles/docker/swarm/node/tasks/main.yml | 3 +- roles/docker/swarm/prereqs/tasks/main.yml | 34 ++- .../swarm/stacks/files/dumbwhois-compose.yml | 36 +++ .../swarm/stacks/files/flowtodo-compose.yml | 38 +++ .../swarm/stacks/files/nginx-compose.yml | 37 +++ .../swarm/stacks/files/portainer-compose.yml | 60 ++++ .../swarm/stacks/files/postgresql-compose.yml | 67 ++++ .../swarm/stacks/files/scylladb-compose.yml | 37 +++ .../swarm/stacks/files/traefik-compose.yml | 142 +++++++++ .../swarm/stacks/files/whoami-compose.yml | 26 ++ roles/docker/swarm/stacks/tasks/main.yml | 15 +- .../swarm/stacks/templates/caddy-compose.j2 | 45 ++- .../stacks/templates/dumbwhois-compose.j2 | 30 ++ .../stacks/templates/flowtodo-compose.j2 | 33 ++ .../swarm/stacks/templates/nginx-compose.j2 | 6 + .../stacks/templates/portainer-compose.j2 | 9 +- 
.../stacks/templates/scylladb-compose.j2 | 4 + roles/docker/uninstall/defaults/main.yml | 0 roles/docker/uninstall/tasks/main.yml | 38 +++ roles/pve/lvm/tasks/main.yml | 83 ++++- .../disable/firewalld/defaults/main.yml | 0 roles/server/disable/firewalld/tasks/main.yml | 7 + roles/server/fastfetch/defaults/main.yml | 0 roles/server/fastfetch/tasks/main.yml | 31 ++ roles/server/firewall/tasks/main.yml | 71 +++-- roles/server/kitty/tasks/main.yml | 30 +- roles/server/network/handlers/main.yml | 11 +- roles/server/network/tasks/main.yml | 144 +++++---- .../templates/auxiliary-interface.network.j2 | 2 +- .../templates/default-interface.network.j2 | 2 +- .../templates/rename-auxiliary-dev.link.j2 | 5 + .../templates/rename-default-dev.link.j2 | 5 + roles/server/nfs/tasks/main.yml | 4 +- roles/server/packages/tasks/main.yml | 50 ++- roles/server/qemu-agent/defaults/main.yml | 0 roles/server/qemu-agent/tasks/main.yml | 5 + .../server/service/networkd/defaults/main.yml | 0 roles/server/service/networkd/tasks/main.yml | 7 + roles/server/ssh/x11/defaults/main.yml | 0 roles/server/ssh/x11/tasks/main.yml | 13 + roles/server/sysprep/tasks/main.yml | 75 +++-- roles/server/uninstall/defaults/main.yml | 0 roles/server/uninstall/tasks/main.yml | 5 + roles/server/users/tasks/main.yml | 46 +-- 68 files changed, 1608 insertions(+), 523 deletions(-) create mode 100644 .gitea/workflows/mirror-to-github.yaml create mode 100644 playbooks/deploy-stack.yml delete mode 100644 playbooks/deploy-swarm.yml create mode 100644 playbooks/docker-prep.yml create mode 100644 playbooks/enable-x11.yml create mode 100644 playbooks/install-packages.yml create mode 100644 playbooks/nuke-docker.yml delete mode 100644 playbooks/provision-alma.yml create mode 100644 playbooks/provision-vm.yml create mode 100644 playbooks/uninstall-packages.yml rename roles/docker/install/{ => alma}/defaults/main.yml (100%) mode change 100755 => 100644 rename roles/docker/install/{ => alma}/tasks/main.yml (100%) create mode 
100644 roles/docker/install/deb/defaults/main.yml create mode 100644 roles/docker/install/deb/handlers/main.yml create mode 100644 roles/docker/install/deb/tasks/main.yml delete mode 100644 roles/docker/install/tasks/main2.yml delete mode 100755 roles/docker/stack/defaults/main.yml delete mode 100755 roles/docker/stack/tasks/main.yml create mode 100644 roles/docker/swarm/stacks/files/dumbwhois-compose.yml create mode 100644 roles/docker/swarm/stacks/files/flowtodo-compose.yml create mode 100644 roles/docker/swarm/stacks/files/nginx-compose.yml create mode 100644 roles/docker/swarm/stacks/files/portainer-compose.yml create mode 100644 roles/docker/swarm/stacks/files/postgresql-compose.yml create mode 100644 roles/docker/swarm/stacks/files/scylladb-compose.yml create mode 100644 roles/docker/swarm/stacks/files/traefik-compose.yml create mode 100644 roles/docker/swarm/stacks/files/whoami-compose.yml create mode 100644 roles/docker/swarm/stacks/templates/dumbwhois-compose.j2 create mode 100644 roles/docker/swarm/stacks/templates/flowtodo-compose.j2 create mode 100644 roles/docker/swarm/stacks/templates/scylladb-compose.j2 create mode 100644 roles/docker/uninstall/defaults/main.yml create mode 100644 roles/docker/uninstall/tasks/main.yml create mode 100644 roles/server/disable/firewalld/defaults/main.yml create mode 100644 roles/server/disable/firewalld/tasks/main.yml create mode 100644 roles/server/fastfetch/defaults/main.yml create mode 100644 roles/server/fastfetch/tasks/main.yml create mode 100644 roles/server/network/templates/rename-auxiliary-dev.link.j2 create mode 100644 roles/server/network/templates/rename-default-dev.link.j2 create mode 100644 roles/server/qemu-agent/defaults/main.yml create mode 100644 roles/server/qemu-agent/tasks/main.yml create mode 100644 roles/server/service/networkd/defaults/main.yml create mode 100644 roles/server/service/networkd/tasks/main.yml create mode 100644 roles/server/ssh/x11/defaults/main.yml create mode 100644 
roles/server/ssh/x11/tasks/main.yml create mode 100644 roles/server/uninstall/defaults/main.yml create mode 100644 roles/server/uninstall/tasks/main.yml
diff --git a/.gitea/workflows/mirror-to-github.yaml b/.gitea/workflows/mirror-to-github.yaml
new file mode 100644
index 0000000..c568b0e
--- /dev/null
+++ b/.gitea/workflows/mirror-to-github.yaml
@@ -0,0 +1,73 @@
+name: Simple Mirror to GitHub
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ mirror:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Fetch full history for complete mirror
+ # token: ${{ secrets.GITEA_TOKEN }}
+
+ - name: Push to GitHub
+ run: |
+ # Configure git
+ git config --global user.name "Gitea Mirror Bot"
+ git config --global user.email "noreply@gitea.local"
+
+ # Create mirror README
+ cat > README.md << 'EOF'
+
+ # 🪞 GitHub Mirror
+
+ This is an automated mirror of the repository hosted on [GitGud.foo/xbazzi/ansible-on-prem](https://gitgud.foo/xbazzi/ansible-on-prem).
+
+ **⚠️ This is a read-only mirror - do not create issues or pull requests here.**
+
+ ## 🏠 Original Repository
+
+ Please visit the [original](https://gitgud.foo/xbazzi/ansible-on-prem) repository for:
+ - 📝 Issues and bug reports
+ - 🔄 Pull requests and contributions
+ - 📋 Project documentation
+ - 💬 Discussions
+
+ ---
+
+ *This mirror is automatically updated when changes are pushed to the master branch.*
+ EOF
+
+ # Stage and commit the new README
+ git add README.md
+ if git diff --staged --quiet; then
+ echo "No changes to README, skipping commit"
+ else
+ git commit -m "Update README for GitHub mirror"
+ fi
+
+ # Add remote
+ git remote add github https://${{ secrets.GH_TOKEN }}@github.com/xbazzi/ansible-on-prem.git
+
+ # Check if GitHub repo is empty
+ if git ls-remote --heads github | grep -q refs/heads/; then
+ echo "GitHub repo has branches, doing full mirror"
+ git push github --all --force
+ git push github --tags --force
+ else
+ echo "GitHub repo is empty, pushing master branch first"
+ git push github master
+ # After master is established, push other branches and tags
+ git push github --all --force || echo "No additional branches to push"
+ git push github --tags --force || echo "No tags to push"
+ fi
+ - name: Debug git state
+ run: |
+ git log --oneline -5
+ git branch -a
+ git remote -v
\ No newline at end of file
diff --git a/inventory/group_vars/pve_nodes.yml b/inventory/group_vars/pve_nodes.yml
index 06f608f..a969272 100644
--- a/inventory/group_vars/pve_nodes.yml
+++ b/inventory/group_vars/pve_nodes.yml
@@ -1,30 +1,30 @@
 $ANSIBLE_VAULT;1.1;AES256
-37643564643838303332353264393632633132346563613935393837386230363836646433316237
-6666323032363632323636316334643334343233333833330a336236313566643033333165653564
-63663837626362393930326234663735633231333762653964306636386466346366633432386533
-6233326361633434660a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a626230623436323234303963666261
+30373131626536626361353261646436373237643861396666366239343063346665623131653165
+3061646133356432350a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
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 5ea4849..20eb3f6 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
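Review bot: The GitHub token is embedded in the remote URL on the `git remote add github https://${{ secrets.GH_TOKEN }}@github.com/xbazzi/ansible-on-prem.git` line, so it is persisted in `.git/config` of the workspace and printed by the `git remote -v` in the 'Debug git state' step; the runner's secret masking presumably catches the literal value in the log, but it does nothing for the on-disk copy, which any later step, artifact upload or cached checkout can read. Hand the token to git through the step's `env:` and per-process `GIT_CONFIG_*` variables instead, keep the remote URL credential-free, and drop `git remote -v` from the debug step. Separately, `actions/checkout@v4` is a mutable tag; a job that holds a push-capable token is exactly where pinning the action to a full commit SHA pays off.
```yaml
      - name: Push to GitHub
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          # … unchanged: git identity, README generation and commit …
          # Supply the token through git's per-process config instead of the URL, so it is
          # never written to .git/config and never shows up in `git remote -v` output.
          export GIT_CONFIG_COUNT=1
          export GIT_CONFIG_KEY_0=http.https://github.com/.extraheader
          export GIT_CONFIG_VALUE_0="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GH_TOKEN" | base64 -w0)"
          git remote add github https://github.com/xbazzi/ansible-on-prem.git
          # … unchanged: empty-repo check and pushes …
      - name: Debug git state
        run: |
          git log --oneline -5
          git branch -a
```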
@@ -1,140 +1,148 @@ $ANSIBLE_VAULT;1.1;AES256 -64316466653738626630326463346363323439386264373961656466343230653332333061656435 -6630343738383162376666616637366430333630353437360a613638353235326536313236383266 -61303939333732646535623063313638363632393334386466303834303838653935373532353162 -3464663661363063320a356636366132633464346133613731663361663337613538666631303833 -38353038316533373637376463646630336335326532666664353632303864333135333562373633 -33633466643162636662623239323239666166353762383861636238343364393438613839356237 -64303566306432666238313330363330353862343730356666636637383333303639346663373966 -31633836353234366135636266623639306539623263643461323338326564646537636538616637 -63306330663265373932306533666137616634633661373066343730633432306230306264643137 -36643965343331333435393064613537363536663236636434373438633336373536333865383239 -66323538396239303030633934613230343938633962396632326166656634623439383737363637 -37646464323834646562656231653833666562616461356530646565333932633964313865313565 -38363636383136333732393537383162343765623563373863393137333031653136333735653831 -61336437613535633265363435653338323033303035343432653033343630666438663434326533 -37303439633364666462333438366131626265616661643064663462656239633938363965366364 -63366534626439653839343730323432313765396361316530363161396334363863356438636431 -64363534353135323732323739333331623237393463386238356164633462396532393564316331 -33333335306161303962313565646134653263666266313638663463653237663837616365613639 -61383232646130396631336262373437343830626238623430316531306239323231336331356339 -64373065303262653038663863353565616665643766323138646230373435623761656265393863 -35623530323663393332393830346366633332383637383330383735653630356537633530333765 -35313361306531633366343032636166323963303231623939386134333832323038303963333433 -30343332656335346465323233633433613334323033646663663866363238373831386534663564 
-63313639303762646261626566623863313732363633336562393338336334346466346637666266 -36386234386331386434633832616661626462313034643839363131656462643665613765366337 -66366337633839633761633535336263623034336131613464653936666238356464376434383336 -39363638643133636161646662613639663237303933633231303336646366356138333832393531 -36323437393966303662663664666566643764333061343363383734346536336237313837383832 -65363637663034306439633265613336386564373932393062656263353633306664303738373562 -66373066363766643431333266613065306430383061326561636366313662633936636239363934 -37346133353262323638326237623534653464306439643830613432363130646635353162643735 -32303033643865646130316666643333303866326132383662323964333564326439643833356632 -31346634336666323266613535333339363733663035663434363231626433376439643739313162 -31353664316436376436336331613638626535663033343138346537326338613863373932333531 -31373161646137386264643264323863396139623464653062373866616433633132386435323037 -64383330376432666434303264336636333163346138386239346565636436633866333464363064 -33343034663239303738373431323432333839663539313330373537346530396232356435653830 -61613464376531393632633539653936633139323131306564343761636136383066633534353365 -62326134396236636439303839303066346135323963313530346461383665343432663838393632 -39313039643634626361343134663634313734376561653866653838633363383038663366663963 -61613334646362336338313631353263636134393238336466646566616561613665636463623738 -64656566346562633535326639353063363931313730386135373431653165343332386535303837 -32663336393435373830336535646531303130306431363034663034633630633365656565663161 -64386264383863343130656433613561316334306461656662633265326234666536333935343164 -34323533636534313966613331633966306534376532383561373763303566313535326266636535 -38386165653232623238353165363636393138396637633439616264393561306363363838626438 -32363431383864326661343533356632333033626230626432643332363437306236633232663063 
-64623332643739383439363565343038643531326166353835323561323034343937303265636432 -34656639616462616664646132306436643062346662663135663337666430643536396161623530 -34366666653034336364336134636564356561366539633664663738313432623333663035313833 -38306337636536636562393237393030356334633930376662363936323764633636353566303732 -33666636353762626664636534356665363661303732326562373335303538393662353434326234 -64663262343937373430656535623362663163626465666565343461303339363534613431396230 -66353232633866663139653064636334303765353131313230636665313234623433636136353837 -64323335353864313434323366343662373561653863663563333464383465333766393835303534 -62633864373731396132306562353130666263393530316331663039323230323130616431636539 -31613933323764313838646631636365316164646231323562616239313936636635323034356466 -37333139656231623136333139303335393533373230343962306438373964373863633464363134 -36633839666335636562306238656165633231363031343566386538393365666533636332666232 -62323563343634303661383865653730316132376562613636373338643236393565303938323563 -62306363343535316336383238386166393339633737383037626136336539386234303562656336 -39333137383864643630666337623962653539646335663766313536326466653961366138323838 -37343665386634626430653939613866333836663961393464353062343533353933306338623561 -61653235353636633034363864366137653334616333643734363934366264613334316538616139 -61623030323131303436636131326532303563313861663835353936626661653461646435393734 -35636331663633363066373631666437366365316261336331396163333337353233353734373938 -66653439323062303362383165646136386561636131613334356565653539346339633265383863 -64643735373539313038663939616536393263356533353734333165373765356335623230323762 -38666264393561663039363763613264393235616139346438613830626163613763346438663539 -35363631643466303737356130623063383930623665666363356332633934366466613464643539 -61386362666530616364393836363336356436353833643734613164313239663134386237356164 
-38613261383339636534343264633363346237326562333033623137626363316531376562636633 -66383933623964363636393034653865373732666336306266613633373035353461386134613132 -62376164613334626633383034346664373739393938373762333065646564393937306665643539 -30646462323166353630633763393338333336336237343435326166343465626161353464366361 -62656664346135386333383866623662663839356431616636343364303430636632636438353733 -32353334316163636263633935653434393539666131306530643464323065306136366432386466 -61373035396233303635323233303532313465346262383932653638643834326135373962333335 -36396532656362356533313337373738653230373364393133346561633464396661306230373238 -62336462393439333066386637343965343733633362626339363136366431346662383836316233 -30353262636134343764343363613634313866623538643761323335663464633666306433353161 -38393834376564636265366435646331393835626635366631343862656433616133363934336430 -62376238346634356263303937623566353436326161313038336334326562613638393330303934 -61656662633336333137663438326663633062663162326432653662646461356237346533666530 -36613439326562666561396632396135343731663862333466663138303062666462616136336462 -36366662636436333534363935653464613036663963643536663333333634303037653334663865 -63346435396335333464383261363935376536616262346365633963666535623131646262653063 -39363361366235663736626532646631313230363138343936363438613863663734326331633736 -31386639303331353534333632393563313663396164356232366135373361666435363936346339 -36653138313434636161353636303231613536633332346264653534313934633737313061373039 -62663130396130306266633462646663356435373730616564366635313861616638306163323361 -30353030376331336430313639373939323832396438366262383434616466646366376330623436 -34646166396238623632633065343531636162616139373938396532386331636265313864303365 -63306365353031613534633463616663363964643032316439313733323463373261623233396564 -61323631383839613366353530373366653066653034383137613836353964616630303733666563 
-64363431326362626662393832626636663932643231356332316436663965626235346539353632 -37656438623734343234323439363133636563343235373334643165653431366231353065323631 -64613564633437353330633364626239303530663734333862356435643332336162303432323438 -62386339646564653532323965316434623535363234303261653862373264663036623663336265 -61613262353035376463653237636434306434353330386639633230623430373762343936353539 -61373161323438613662623030336339633964356231326133303333663931373132346364343238 -38626163623331666530663833316266656437303663323239353232363337326465363237666431 -37316361306430616466383139386331356530643361383739376638313734373536623738343532 -37306533653632316639613639666531313965363432386536613031363736323933656639303231 -33376464366166336437393230383431343635656636646535343030643763653564323936336332 -66303238656163623936656533303535643733613338313339396232353237643432323261626535 -30303632633161333831623734366565306636396262393161333263616232356638386263323331 -33356361333436613739373862653961323239326133636338646438313931393235653730616336 -35656134366330633434396432386237613133323234356165313665383433613338353337316337 -33623533346630663831343733303132366265656539366639646265306335623064303730613362 -64326336363637646436333961373333666635376564396164633537356561343433313762396435 -34366237303130653437343831373937326336346633366663323534386361613030316236323861 -34373762663464626431356165386665613962616435306439393963383631383034323863626335 -38626430356463353636373764646561376332316132623135376334616464363033656333353963 -65656436363361356361613461316232303835386663303630333030636433623630656131623466 -65313236313063616335613038336337373631646230353930303961623835623261613735646535 -35383365346538663734333066613965646564656234613936336138323335666239656562633335 -33343066333231303037613334376137363932366462373132376666623861613863643933646531 -33656330316333383337623462663838326537343666663633353239303933316164373863393533 
-30346466346466623134336262356531306332303664323438623530393863663437316561346330 -64336562326331623865616430353165306438626365356336623162616632356563643439326463 -64303136326434666564613338653435653030646430646363396666313066383637366136396536 -31386139333738366136643330386335393262366635616630356364636330666533346335333063 -38346635623235396236373536633934316163353061353835373966613233636564313466636435 -62343935613437396431653933383364363264643665343766303262373337613138326532366363 -37326335373565666637323361393631633561653963393431656561376235333936653738306234 -34373364383466363339333933623333623430666661373766376164613964663035656332376161 -64303234616365316563613237376364393934376339346137376435343062336663306366366330 -65336333356334626137373162666366376430316635653435366332316332356262306363656466 -34396634313333356239633932323133343533356636376264323165323138623265366635653533 -65313339313562326661353737306130613136363232643933656432643966383439363163366534 -37303665373336653165353238616166393266626364323034313435636663623939613039646632 -31313261636533383131396263376236306535383231323963613264343338613362316364343266 -32656636393163313230343665333366396230623062306233613663636539633630663163623064 -38663234636433346135653434313332643338653639346163336133613866643934323237633430 -38326531343463396464636664313732653233643335383736383136343161623263393030656561 -39616437353236613235623433303161383263363137653665343861313637633737343032656234 -31376262666663366336376338326434393631323933646339656166633536336431616639313332 -626565393465323937383264373436336134 +63333337313138626662626265326131633239636462393563306537323533336237326637636130 +6264333438643239343163316563633062633433653435630a613736626163623039313461376439 +37356134663037326433613561376433346434643766313033333237333436386435636530613134 +3032666461313033340a393935333463303539633265633463356335653266313732313031653639 
+32363333303736613230646461663133623736333764326536326336633864316136643663646165 +65663037313539303731363833306237363637343837346461346161376536343562343338353133 +31353066666235326538396336623838636565303662303065386338633831386366343364336534 +33623337366666623365653638653638626230646462316336353831383838316433643633653637 +35316439346134613439343664366632316664643839363265613165646236303032636339303939 +32396566656630666166323062306436333863343566636463363235356235383766303438396165 +38373131346664393431343566323561313265343739663666666638383431393861626236313830 +62616439346563663263666563363837373936613939663037336165613239633533353530663166 +37626537323034386530376238623830383231333665313037623537356531633162646634363932 +33333666343263333965623939343838323730313835623433383130333731333333653263376132 +31383031663436656635613066356634643662633466656433666538303835396664313066663635 +30306333643664383638376539356163633435383436366436356161326266333332613664323738 +66333537363632383536626664343939376635376632363139373337366262363665623265346235 +34363735666565393565313039663764363136333163393433373434613437363066626231363130 +64663433633636626666396334373563356633386238613835346561356433623064653762363862 +66666165333233356361326665353833316163643635343934333438306564333135383735363330 +31333462616464613162323236323233373839656162646339336339366433343236376339303039 +32623966363863653638363937326162643533656437323730386137353062633832643830616635 +36316561326662386364613736316231623534333765396431356237643536613136313862623665 +30613061316130643735626432356235326630643861653338303864376364643833363964613535 +66323061353365636563346662613132396235336464353537613463376363393162313764336635 +39383235366238656634336262323139663030656565666433323034343366303438323634366235 +33353037373630373331366430623937643131656134383936633565356666383133303836303430 +31326234646530366133623135306430343766343362343236303130653565663533383966306439 
+38656563336566633233336664623734353538623766326564306661383964623162633430613733 +66303461323536346534343139613030396130323333353638383462356233636261376130373966 +62396263626362656463306464393465653163323839663835653665316665643064623763383137 +31383539383464346630396138646530323163613761393039353430643866363138303435353833 +31316133363430323632383332306537353664313533653132653164656139313235313164313266 +66646164616535393765333338316634626330393866326664373531363034363734343165383339 +64663232373236346136333437663635316162623664616236393963386564623336343466663838 +35326263356266306232633434633162386561623435653763663733343738303231376663306662 +65353361313338356336646164656238303562623462653163636630353731333566323437663432 +66326436623835663135396162373764373432616337356135616236303561383765353462633430 +30363438373166303764653933356634376330666232613463663039323933326530353266313332 +62666661356666363635626330346338613238363633623138633235646466303031373733643234 +32336438376564656136623639383137313738323562363638376262363537303232343430653265 +37306430323264366535323664643065363464336363663866343137636430646332633164613866 +37313335633634346666643863623238353537636366633730626162663863323532613130353766 +32366362393835623666313530356631636365653230653762313439636336616230373363656263 +38656237623239383962356436323034313834336333383438363632616336653230346361653534 +33336464343733303233653266326536396435373866393437363339646263393835653837623730 +66303362666138306463646363643162316532653963643534333638633835383961646136396465 +63396565306336353835333336313833613138303163666261373263376564343539646430653661 +39616265323734643735353930626563353337326532643432363465346265643835316364663538 +37336332623834326233393637643361643565313636333963623339656163383936326364333831 +65666334643864326265326433343635666664313132363031373036623166373838353538343864 +33383433376431613137383162666237313334386630633461646466376264313132346230383662 
+32303039663232363464373765306462343762346338303262336463336633393738646439326330 +66336263386661336139613966643538316561383834303532353533396631323832613039313966 +65373237306636353065323033383234656630353732656639313731326631626332636531356666 +30353135323334616462306639336534333534323161356437633637376538613061303164323834 +30353466336563396166623537386665663763613463393465366633303931393066363261316166 +37613766656232633762353964323732633337363761346364396664666163356134343633313634 +32303264346535376430616332636363653034386638663765633566663436393630623966393532 +61663339343632343230346439326231383363663035613336323965636233316165623264366435 +32646332316530663538646530323561383730333831613762363739643739663430326365373032 +66643165643261313464373734333039363532316464643133623734303634363661303765346565 +37306631316233383138666236613465623462306162393663393362343162336130623762326532 +62363366363235353939303762666262616234393536343363656638626633626163323936343261 +65633937316361333134636462323063323765663834306438303032366239373630303039613763 +66313839613963653965656364643334336333393335373266386237613763356535373136316165 +63653435643733333439623633316364666433663063636136653164396533326165306163373562 +35656162346562363235633362623135333135616633353863363562666565626230626239303834 +33356235656532666466333730363938366466633932356539353838393033376235383964653864 +32653861313563343063313131313632666230313036636135623461653266653362346439626565 +66633034326339303832366433376264623332336465373262323832303439653131316334316537 +64383232316363643433343666653030633330356538303464343937653662363031386632643138 +32656163626266386166336331616464336331613761643363373732653035663633333637623961 +39333039363565363235393033373163386162616136366331646336646661623161643131633163 +65303437616662366434636232333335633461336265626364373262373164353232353264383032 +64336661623236326263363736613139653739393830376266306364633363363835366632653539 
+34633539346265623631656237353565306338316432373833616266623837356337616466313035 +30656238333030613066363261323463613437353633383661313732373461343064376231343839 +35356336653262316362323137323337363535656332393766356235313839626638346134666135 +30343739613666323563613933323037396535616462376261303536336331393537383966313538 +38303738613664376432346438343166383031643964336435363264316636333938343536366536 +38343434313838623034396163646335333139643562366333303265366438666561623861616432 +62326235613364383361346536353134656261663537663231323164366635346337616266653230 +33633263376539393337386263326566636366633033383561336163343163346565346130636635 +36363137663838303931353636323865363861623461643436313830623034663630663334613561 +66393231643063636161316332376334633031623135383237653132623061333839323461643734 +30343766313937623766303062633730613131346538313635616565656662643561336431653030 +64636232343138666136373064353631333535663836636464313938656138353463326261616234 +62643936393663393030353166623233323564343430303637326534363166363361656366653738 +66313161313231306438613033643533656230303136613239396465663162353531303639343038 +65643963616133363563636363346432663236626335363662376564316563386633316661323134 +32376630306661656533643930316430333236653337373233656266306432323662613731366434 +66646133613335646662346466646138326230386534363230666263643461623838623035323663 +65383962366564376335393931633762303331393064303333303665613434346633663634393631 +30613862363239373333366261663536636636326439343839306461346631326164616532346362 +33613932376439356633303062343030656233666433663161396434653731393264643462623533 +36386438363366346435616339643765326132666562366431323836363665333463303761656130 +34383736316664383230636566623434326562313164616163386465643035636638376463623464 +63303333326364656536653636353339353732303065653533623466333238323934323864343361 +37316361643433373332646533326539303862326332306363323036313461656364343830316361 
+35626232363462643939643037383637356338316362323761323466376566353964636461366366 +32343038363035646363623664353865326536646365323939633161346664353165646366636636 +66623533663631623931326166353861623830326161623162653732313639386336643438646263 +64643736323133646432323962666564626461356362303232326662393636616166626336376637 +38623663666263393838653137393261383034666130663736303463646661353362643932666132 +33383064396366656534303763363539303737663433656665303835626561663831353665393739 +63383832386261336366333736613130393134363334353737613438333731303035653635646138 +30313361333734366264356337303130393734653635336132313535346365356137313634313933 +36393662366531613231663934353737323463616634656364643637646130636439633235656365 +62643862326664663133633466333064613133363334383832653766396131356362663638383232 +30366633623837343833633535353031383431373765353663616338633734376430346266306434 +35393665346463623735656335626161363136373639633065623633306632356431373435356662 +62373031613537613734316332326137353031613264376562656136306434633531386165666437 +33636433343862363131613363633235393933396133313062383434373636366236323666316538 +66646466396639316137666638373339303562616439393966663363633336383637393530336165 +35393937636334393261393530353162343765316331353664656238356434343336653665616634 +32366533316237356666333237646133316332376435643864343832653339396536353335386437 +31393931616164383331343836633930393164353539376337353835636661323165346263363035 +65313163663337393735346663656634316135383966643838303063316136323038633964316131 +38393763643430303662653863363366636666623132396239653631653232376564333665353563 +61356262373637386632333230356365666239656637653039356538626461373433356562386364 +36633362353135373239363632653562643430316261316166306334623536663037383236313738 +38633730646531363361623165313262343437633538396434316262323434353863353635323164 +32343462323231393362336638373237653438336632323538363837363130313064316335626463 
+35336164363764383363633335333630336233383561306666623238343133356537623639373136 +30346663656238363161383239316137336134643638323530653535336163636566393837643232 +66663330383366656630616665623030626637313164326231666635663239393634316434383366 +31643832393761323738306566373637666634663531376233643436376239663134376431616435 +33323134333030386631323565643539316237623033366561613030626339613963353034633337 +65646366646263623336616663656261653862343163393338623031366261313161356130343330 +62393330666164646333653238376663396537393931393730663537306661333231363237643465 +36656430616634316561653935313863653732346337396365646262653133626339656165653735 +61366233336366626539343133396639666134346237316365666433336235306134343135386436 +37393163643765616636633962393331653430663736383166313338623662363930353834386535 +65336532313930623063383935393861343338303761326533616637313735306239323635396139 +61363034333538386537656136626431353966616163316661376666343039623534633365616135 +34326231303863383762343135396566306339636130666631306538323761656262623561653037 +34326264653565343637313563616265323165363737326437316562336662643066386439616464 +61363461363063656638323535613337303831366639613964363761666437326363333862663465 +31376434646539666636356630353065376435323433366539613263626361633932623931363464 +63393135326466386639613337383739383933356662623465633638306234393233353437623465 +65383737366338663837636334333766346332393165346637333138626236643331343262353633 +38363131666436306433646433663861613363616330313135393030356134353930373161373038 +31343737373863366235386230353963646530643137313466613631343065623736643130363839 +62396138373332353737373763336662336634383566333437616332646136666335613662636638 +37656431386661396533656365643934343833306162376664366338636533346431623131363262 +383862316531646564646366333938333464 diff --git a/playbooks/configure-pve.yml b/playbooks/configure-pve.yml index 2c2e41a..ab346e3 100644 --- a/playbooks/configure-pve.yml 
+++ b/playbooks/configure-pve.yml
@@ -3,5 +3,4 @@
 hosts: pve_nodes
 become: true
 roles:
- # - role: pve/setup_networking
- - role: pve/lvm
\ No newline at end of file
+ # - role: pve/setup_networking
\ No newline at end of file
diff --git a/playbooks/deploy-stack.yml b/playbooks/deploy-stack.yml
new file mode 100644
index 0000000..10b5c23
--- /dev/null
+++ b/playbooks/deploy-stack.yml
@@ -0,0 +1,40 @@
+- name: Deploy Docker Swarm mgmt & stacks
+ hosts: prod_vms
+ vars:
+ ansible_python_interpreter: /opt/docker-venv/bin/python
+ become: true
+
+ roles:
+ - role: docker/swarm/prereqs
+
+ - role: docker/swarm/node
+ when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
+
+ - role: docker/swarm/stacks
+ when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
+ vars:
+ stacks:
+ - name: postgresql
+ compose_path: postgresql-compose.yml
+
+ - name: portainer
+ compose_path: portainer-compose.yml
+
+ - name: nginx
+ compose_path: nginx-compose.yml
+
+ - name: dumbwhois
+ compose_path: dumbwhois-compose.yml
+
+ - name: flowtodo
+ compose_path: flowtodo-compose.yml
+
+ - name: traefik
+ compose_path: traefik-compose.yml
+ mount_dirs:
+ - /docker-shared/stacks/data/traefik/certs
+ - /docker-shared/stacks/data/traefik/dynamic
+ - /docker-shared/stacks/data/traefik/logs
+
+ - name: scylladb
+ compose_path: scylladb-compose.yml
\ No newline at end of file
diff --git a/playbooks/deploy-swarm.yml b/playbooks/deploy-swarm.yml
deleted file mode 100644
index b156208..0000000
--- a/playbooks/deploy-swarm.yml
+++ /dev/null
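Review bot: The two `when:` conditions on `docker/swarm/node` and `docker/swarm/stacks` look up `hostvars[inventory_hostname]['vm_roles']`, which is just the current host's own variable, and they abort the play with an undefined-variable error instead of skipping on any `prod_vms` host that has no `vm_roles` defined. `when: "'swarm_manager' in (vm_roles | default([]))"` expresses the same selection and degrades to a skip. The `ansible_python_interpreter: /opt/docker-venv/bin/python` set at play level is presumably there for the docker SDK in that venv; if the other `prod_vms` plays added in this commit share the requirement it belongs in `group_vars` rather than being repeated per playbook.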
@@ -1,74 +0,0 @@ -- name: Deploy Docker Swarm mgmt & stacks - hosts: prod_vms - become: true - - roles: - - role: docker/swarm/mgmt - when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" - - - role: docker/swarm/node - when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" - - - role: docker/swarm/stacks - when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" - vars: - stacks: - - name: portainer - compose_path: portainer-compose.j2 - restart_condition: on-failure - replicas: 1 - labels: - com.xbazzi.stack: portainer - com.xbazzi.critical: "true" - constraints: - - node.role == manager - - node.hostname == prod2 - - node.labels.zone == core - - - name: caddy - compose_path: caddy-compose.j2 - deploy_mode: replicated - replicas: 1 - restart_condition: on-failure - labels: - com.xbazzi.stack: caddy - com.xbazzi.critical: "true" - constraints: - - node.role == manager - - node.labels.zone == core - - node.labels.type != db - volumes: - - /docker-shared/stacks/data/caddy/conf:/etc/caddy - - /docker-shared/stacks/data/caddy/site:/srv - - /docker-shared/stacks/data/caddy/caddy_data:/data - - /docker-shared/stacks/data/caddy/caddy_config:/config - - /var/run/docker.sock:/var/run/docker.sock - mount_dirs: - - /docker-shared/stacks/data/caddy/conf - - /docker-shared/stacks/data/caddy/site - - /docker-shared/stacks/data/caddy/caddy_data - - /docker-shared/stacks/data/caddy/caddy_config - - - name: nginx - compose_path: nginx-compose.j2 - deploy_mode: replicated - replicas: 1 - restart_condition: on-failure - labels: - com.xbazzi.stack: nginx - com.xbazzi.critical: "false" - constraints: - - node.labels.zone == core - - node.labels.type != db - - # - name: sleep - # compose_path: sleep-forever-compose.j2 - # deploy_mode: replicated - # replicas: 5 - # restart_condition: on-failure - # labels: - # com.xbazzi.stack: sleep - # com.xbazzi.critical: "false" - # constraints: - # - node.labels.zone == core - # - node.labels.type != db \ No 
newline at end of file diff --git a/playbooks/docker-prep.yml b/playbooks/docker-prep.yml new file mode 100644 index 0000000..615e499 --- /dev/null +++ b/playbooks/docker-prep.yml @@ -0,0 +1,7 @@ + +- name: Install Docker and prep for Swag + hosts: prod_vms + become: true + roles: + - role: docker/install + - role: server/reboot \ No newline at end of file diff --git a/playbooks/enable-x11.yml b/playbooks/enable-x11.yml new file mode 100644 index 0000000..701504e --- /dev/null +++ b/playbooks/enable-x11.yml @@ -0,0 +1,11 @@ +- name: Enable X11 Forwarding + hosts: prod_vms + become: true + roles: + - role: server/ssh/x11 + - role: server/packages + tasks: + - name: Restart sshd + ansible.builtin.systemd_service: + name: sshd + state: restarted \ No newline at end of file diff --git a/playbooks/install-packages.yml b/playbooks/install-packages.yml new file mode 100644 index 0000000..93bc8d7 --- /dev/null +++ b/playbooks/install-packages.yml @@ -0,0 +1,6 @@ + +- name: Install dnf packages + hosts: prod_vms + become: true + roles: + - role: server/packages \ No newline at end of file diff --git a/playbooks/nuke-docker.yml b/playbooks/nuke-docker.yml new file mode 100644 index 0000000..63a86d2 --- /dev/null +++ b/playbooks/nuke-docker.yml @@ -0,0 +1,6 @@ +- name: Nuke Docker on all nodes + hosts: prod_vms + become: true + roles: + - role: docker/uninstall + - role: server/reboot \ No newline at end of file diff --git a/playbooks/provision-alma.yml b/playbooks/provision-alma.yml deleted file mode 100644 index a2bda5c..0000000 --- a/playbooks/provision-alma.yml +++ /dev/null 
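Review bot: `enable-x11.yml` turns on X11 forwarding for every host in `prod_vms` and restarts sshd there; X11 forwarding lets a compromised server drive the connecting client's X display, an exposure production nodes do not need. Consider pointing `hosts` at a narrower group (or a variable with no production default) and limiting forwarding with an sshd `Match User`/`Match Group` block inside the `server/ssh/x11` role rather than enabling it globally; that role's contents are outside this diff. The sshd restart is a plain task rather than a handler, so it runs even when the role changed nothing — a `notify: Restart sshd` from the role plus a `handlers:` entry avoids the needless restart.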
@@ -1,20 +0,0 @@ ---- -- name: Provision AlmaLinux 9 VM - hosts: prod_vms - become: yes - roles: - # - role: server/hostname - # - role: server/users - # - role: server/sshkey - - role: server/packages - # - role: server/network - - role: server/firewall - # - role: provision/alma/common - # - role: provision/alma/nfs - # - role: docker/install - # - role: docker/migrate-data - # - role: docker/setup-lvm - # - role: server/fstrim - # - role: server/kitty - # - role: server/reboot - # - role: server/nfs \ No newline at end of file diff --git a/playbooks/provision-vm.yml b/playbooks/provision-vm.yml new file mode 100644 index 0000000..c3be3b6 --- /dev/null +++ b/playbooks/provision-vm.yml @@ -0,0 +1,23 @@ +--- +- name: Provision VMs (deb/alma) + hosts: prod_vms + become: yes + roles: + # - role: server/hostname + # - role: server/users + # - role: server/sshkey + # - role: server/network + # - role: server/packages + # - role: server/fastfetch + # - role: server/nfs + # - role: docker/install/deb + + # BE REALLY CAREFUL FOR THESE TWO + # Only enable the FIRST time you attach a blank docker disk (vm-disk-1) + # - role: docker/migrate-data + - role: docker/setup-lvm + # - role: server/disable/firewalld + # - role: server/fstrim + # - role: server/kitty + # - role: server/service/networkd + # - role: server/reboot \ No newline at end of file diff --git a/playbooks/sysprep-alma.yml b/playbooks/sysprep-alma.yml index 4802778..2c9e4f4 100644 --- a/playbooks/sysprep-alma.yml +++ b/playbooks/sysprep-alma.yml @@ -1,9 +1,9 @@ - name: Sysprep Alma Linux machine - hosts: staging-vm + hosts: sysprep_vm become: yes roles: + - role: server/qemu-agent - role: server/users - role: server/sysprep - role: server/sshkey - - role: server/network - role: server/reboot \ No newline at end of file diff --git a/playbooks/uninstall-packages.yml b/playbooks/uninstall-packages.yml new file mode 100644 index 0000000..bc7bb95 --- /dev/null +++ b/playbooks/uninstall-packages.yml 
@@ -0,0 +1,5 @@ +- name: Uninstall packages + hosts: prod_vms + become: yes + roles: + - role: server/uninstall \ No newline at end of file diff --git a/roles/docker/build/caddy/templates/caddy-dockerfile.j2 b/roles/docker/build/caddy/templates/caddy-dockerfile.j2 index a7a8693..c634d97 100644 --- a/roles/docker/build/caddy/templates/caddy-dockerfile.j2 +++ b/roles/docker/build/caddy/templates/caddy-dockerfile.j2 @@ -10,6 +10,7 @@ FROM caddy:{{ item.version }}-{{ item.os }} COPY --from=builder /usr/bin/caddy /usr/bin/caddy +# Only for standalone Caddy. This one's pimped. #CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] CMD ["caddy", "docker-proxy"] diff --git a/roles/docker/install/defaults/main.yml b/roles/docker/install/alma/defaults/main.yml old mode 100755 new mode 100644 similarity index 100% rename from roles/docker/install/defaults/main.yml rename to roles/docker/install/alma/defaults/main.yml diff --git a/roles/docker/install/tasks/main.yml b/roles/docker/install/alma/tasks/main.yml similarity index 100% rename from roles/docker/install/tasks/main.yml rename to roles/docker/install/alma/tasks/main.yml diff --git a/roles/docker/install/deb/defaults/main.yml b/roles/docker/install/deb/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/docker/install/deb/handlers/main.yml b/roles/docker/install/deb/handlers/main.yml new file mode 100644 index 0000000..5b4b2dd --- /dev/null +++ b/roles/docker/install/deb/handlers/main.yml @@ -0,0 +1,3 @@ +- name: Update apt cache + ansible.builtin.apt: + update_cache: yes \ No newline at end of file diff --git a/roles/docker/install/deb/tasks/main.yml b/roles/docker/install/deb/tasks/main.yml new file mode 100644 index 0000000..f80b159 --- /dev/null +++ b/roles/docker/install/deb/tasks/main.yml 
@@ -0,0 +1,156 @@ +--- +# - name: Ensure GPG and curl are installed +# ansible.builtin.apt: +# name: +# - curl +# - gnupg +# state: present +# update_cache: true + +# - name: Create keyrings directory +# ansible.builtin.file: +# path: /etc/apt/keyrings +# state: directory +# mode: '0755' + +# - name: Download and dearmor Docker GPG key +# ansible.builtin.shell: | +# curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg +# args: +# creates: /etc/apt/keyrings/docker.gpg + +# - name: Set proper permissions on the GPG key +# ansible.builtin.file: +# path: /etc/apt/keyrings/docker.gpg +# mode: '0644' + +# - name: Add Docker APT repository (correct for Debian) +# ansible.builtin.copy: +# dest: /etc/apt/sources.list.d/docker.list +# content: | +# deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable +# mode: '0644' +# notify: Update apt cache + +- name: Ensure dependencies for Docker key + apt: + name: + - curl + - gnupg + state: present + update_cache: true + +- name: Remove any broken docker keyrings or source files + file: + path: "{{ item }}" + state: absent + loop: + - /etc/apt/keyrings/docker.gpg + - /etc/apt/keyrings/docker.asc + - /etc/apt/sources.list.d/docker.list + +- name: Create keyring directory + file: + path: /etc/apt/keyrings + state: directory + mode: '0755' + +- name: Download and dearmor Docker GPG key + shell: | + curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg + args: + creates: /etc/apt/keyrings/docker.gpg + +- name: Set correct permissions on Docker GPG key + file: + path: /etc/apt/keyrings/docker.gpg + mode: '0644' + +# - name: Add Docker APT repository +# copy: +# dest: /etc/apt/sources.list.d/docker.list +# content: | +# deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ 
ansible_lsb.codename }} stable +# mode: '0644' + +- name: Add Docker APT repository (correct for Debian) + ansible.builtin.copy: + dest: /etc/apt/sources.list.d/docker.list + content: | + deb [arch={{ ansible_architecture | regex_replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable + mode: '0644' + + +- name: Update apt cache + apt: + update_cache: yes + +# - name: Update apt cache manually if needed +# ansible.builtin.apt: +# update_cache: true +# when: ansible_run_tags is not defined or 'skip_cache' not in ansible_run_tags +# - name: Update apt cache +# ansible.builtin.apt: +# update_cache: yes + +# - name: Install prerequisite packages +# ansible.builtin.apt: +# name: +# - ca-certificates +# - curl +# state: present + +# - name: Create apt keyrings directory +# ansible.builtin.file: +# path: /etc/apt/keyrings +# state: directory +# mode: '0755' + +# - name: Download Docker GPG key (dearmor format) +# ansible.builtin.get_url: +# url: https://download.docker.com/linux/debian/gpg +# dest: /etc/apt/keyrings/docker.gpg +# mode: '0644' + +# - name: Add Docker apt repository +# ansible.builtin.apt_repository: +# repo: "deb [arch={{ docker_arch }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" +# filename: docker +# state: present +# vars: +# docker_arch: "{{ ansible_architecture | regex_replace('x86_64', 'amd64') }}" + +# - name: Add Docker apt repository for Debian +# ansible.builtin.apt_repository: +# repo: "deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable" +# filename: docker +# state: present +# update_cache: true + +# - name: Update apt cache after adding Docker repository +# ansible.builtin.apt: +# update_cache: true + +- name: Install Docker packages + ansible.builtin.apt: + name: + - docker-ce 
+ - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + state: present + +- name: Enable and start Docker Engine + ansible.builtin.systemd_service: + name: docker + state: started + enabled: true + +- name: Verify with Hello World + ansible.builtin.command: docker run hello-world + register: docker_hello + +- name: Test + ansible.builtin.debug: + var: docker_hello.stdout_lines diff --git a/roles/docker/install/tasks/main2.yml b/roles/docker/install/tasks/main2.yml deleted file mode 100644 index 86b2c7c..0000000 --- a/roles/docker/install/tasks/main2.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -- name: Update apt cache - ansible.builtin.apt: - update_cache: yes - -- name: Install prerequisite packages - ansible.builtin.apt: - name: - - ca-certificates - - curl - state: present - -- name: Create apt keyrings directory - ansible.builtin.file: - path: /etc/apt/keyrings - state: directory - mode: '0755' - -- name: Download Docker GPG key - ansible.builtin.get_url: - url: "https://download.docker.com/linux/ubuntu/gpg" - dest: /etc/apt/keyrings/docker.asc - mode: '0644' - -- name: Add Docker apt repository - ansible.builtin.apt_repository: - repo: "deb [arch={{ docker_arch }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" - filename: docker - state: present - vars: - docker_arch: "{{ ansible_architecture | regex_replace('x86_64', 'amd64') }}" - -- name: Update apt cache after adding Docker repository - ansible.builtin.apt: - update_cache: true - -- name: Install Docker packages - ansible.builtin.apt: - name: - - docker-ce - - docker-ce-cli - - containerd.io - - docker-buildx-plugin - - docker-compose-plugin - state: present \ No newline at end of file diff --git a/roles/docker/setup-lvm/tasks/main.yml b/roles/docker/setup-lvm/tasks/main.yml index 939da6c..478a7a5 100644 --- a/roles/docker/setup-lvm/tasks/main.yml +++ b/roles/docker/setup-lvm/tasks/main.yml 
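Review bot: the Docker APT signing key is fetched with `curl … | gpg --dearmor` and never checked against a known fingerprint or checksum, and because the preceding "Remove any broken docker keyrings" task deletes `/etc/apt/keyrings/docker.gpg` on every run, the `creates:` guard never short-circuits — each run re-downloads and re-trusts whatever key the network returns. Pin the key with `ansible.builtin.get_url` and a `checksum:` (apt accepts the armored `.asc` directly in `signed-by=`), as sketched below, and drop the delete/recreate dance. `ansible_lsb.codename` is only populated when `lsb_release` is installed; `ansible_distribution_release` is always set and is what the deleted `main2.yml` used. `docker run hello-world` pulls from Docker Hub on every run and is not idempotent — `docker info` verifies the daemon without a network fetch. The roughly one hundred lines of commented-out alternative tasks should go; git history keeps them.

```yaml
# … unchanged: dependency install, keyring directory …
- name: Download Docker APT signing key (pinned)
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: '0644'
    checksum: "sha256:<expected sha256 of the key file>"  # update deliberately on key rotation

- name: Add Docker APT repository
  ansible.builtin.copy:
    dest: /etc/apt/sources.list.d/docker.list
    content: |
      deb [arch={{ ansible_architecture | regex_replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
    mode: '0644'
# … unchanged: apt update, package install, service enable …
```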
@@ -13,18 +13,24 @@ ansible.builtin.command: "lvs --noheadings -o lv_name {{ docker_vg }}" register: lvs_output -- name: Create logical volume for Docker +- name: Create logical volume for Docker (in VM) community.general.lvol: vg: "{{ docker_vg }}" lv: "{{ docker_lv }}" size: "{{ docker_lv_size }}" state: present -- name: Format logical volume with XFS +# - name: Format logical volume with XFS +# community.general.filesystem: +# fstype: xfs +# dev: "/dev/{{ docker_vg }}/{{ docker_lv }}" +# opts: "-n ftype=1" + +- name: Format logical volume with ext4 community.general.filesystem: - fstype: xfs + fstype: ext4 dev: "/dev/{{ docker_vg }}/{{ docker_lv }}" - opts: "-n ftype=1" + opts: "-F" - name: Create mount point for Docker volume ansible.builtin.file: @@ -32,14 +38,23 @@ state: directory mode: '0755' +# - name: Mount Docker LV to VM filesystem +# ansible.posix.mount: +# path: "{{ docker_mountpoint }}" +# src: "/dev/{{ docker_vg }}/{{ docker_lv }}" +# fstype: xfs +# opts: defaults +# state: mounted + - name: Mount Docker LV to VM filesystem ansible.posix.mount: path: "{{ docker_mountpoint }}" src: "/dev/{{ docker_vg }}/{{ docker_lv }}" - fstype: xfs + fstype: ext4 opts: defaults state: mounted + - name: Stop Docker service ansible.builtin.systemd: name: docker diff --git a/roles/docker/stack/defaults/main.yml b/roles/docker/stack/defaults/main.yml deleted file mode 100755 index 6b7f1a5..0000000 --- a/roles/docker/stack/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -apps: [] -stack_name: "willneverexist" \ No newline at end of file diff --git a/roles/docker/stack/tasks/main.yml b/roles/docker/stack/tasks/main.yml deleted file mode 100755 index ab0863b..0000000 --- a/roles/docker/stack/tasks/main.yml +++ /dev/null 
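Review bot: in the second hunk the LV is mounted at `{{ docker_mountpoint }}` while Docker is still running and only afterwards is `Stop Docker service` reached; if that mountpoint is Docker's data root (presumably `/var/lib/docker`, not visible here), mounting over it hides the live data directory from the running daemon and its containers. Move the `Stop Docker service` task ahead of `Mount Docker LV to VM filesystem`. The XFS-to-ext4 switch is not itself a forced wipe — per its documentation `community.general.filesystem` refuses to overwrite an existing filesystem of a different type unless `force: true` — so `opts: "-F"` only matters on a blank LV; a comment stating that would make the `BE REALLY CAREFUL` warning in `provision-vm.yml` actionable rather than alarming. The role's tasks continue past the end of this hunk.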
@@ -1,27 +0,0 @@ ---- -- name: Create app mount directories - ansible.builtin.file: - path: "{{ remote_app_mounts }}/{{ item }}" - state: directory - mode: '0777' - loop: "{{ apps }}" - -- name: Create stack directory - ansible.builtin.file: - path: "{{ remote_stacks }}/{{ stack_name }}" - state: directory - mode: '0777' - -- name: Copy docker-compose.yml to server - ansible.builtin.copy: - src: '{{ docker_stacks }}/{{ stack_name }}/docker-compose.yml' - dest: '{{ remote_stacks }}/{{ stack_name }}/docker-compose.yml' - owner: javi - group: javi - mode: '0777' - -- name: Start up the containers - ansible.builtin.command: docker compose up -d - become: true - args: - chdir: "{{ remote_stacks }}/{{ stack_name }}" \ No newline at end of file diff --git a/roles/docker/swarm/node/tasks/main.yml b/roles/docker/swarm/node/tasks/main.yml index 77a8dc7..5229887 100644 --- a/roles/docker/swarm/node/tasks/main.yml +++ b/roles/docker/swarm/node/tasks/main.yml @@ -4,4 +4,5 @@ hostname: "{{ item.name }}" labels: "{{ item.labels }}" labels_state: replace - loop: "{{ swarm_nodes }}" \ No newline at end of file + loop: "{{ swarm_nodes }}" + when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" \ No newline at end of file diff --git a/roles/docker/swarm/prereqs/tasks/main.yml b/roles/docker/swarm/prereqs/tasks/main.yml index 17313c2..4ba3ccf 100644 --- a/roles/docker/swarm/prereqs/tasks/main.yml +++ b/roles/docker/swarm/prereqs/tasks/main.yml 
@@ -1,18 +1,36 @@ --- -- name: Ensure pip is installed - ansible.builtin.package: - name: - - python3 - - python3-pip +- name: Ensure python3-venv is installed + ansible.builtin.apt: + name: python3-venv state: present become: true -- name: Install Docker SDK and requests for Python +- name: Create a virtualenv for Docker SDK + ansible.builtin.command: + cmd: python3 -m venv /opt/docker-venv + creates: /opt/docker-venv + +- name: Install packages in the virtualenv ansible.builtin.pip: + virtualenv: /opt/docker-venv name: - docker - requests - jsondiff - packaging - state: present - become: true \ No newline at end of file + +# - name: Install pipx +# ansible.builtin.apt: +# name: pipx + # state: absent + +# - name: Ensure pipx binary path is available +# ansible.builtin.shell: pipx ensurepath + +# - name: Ensure pip is installed +# ansible.builtin.package: +# name: +# - python3 +# - python3-pip +# state: present +# become: true \ No newline at end of file diff --git a/roles/docker/swarm/stacks/files/dumbwhois-compose.yml b/roles/docker/swarm/stacks/files/dumbwhois-compose.yml new file mode 100644 index 0000000..cc31897 --- /dev/null +++ b/roles/docker/swarm/stacks/files/dumbwhois-compose.yml 
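Review bot: the `pip` task installs `docker`, `requests`, `jsondiff` and `packaging` unpinned into `/opt/docker-venv`, which `deploy-stack.yml` then uses as the Ansible interpreter running as root on every production node, so each run pulls whatever PyPI currently serves as latest. Pin each package (`docker==<tested version>` and so on) or ship a hashed `requirements.txt` through the module's `requirements:` option so the code driving the Swarm API is reproducible. `python3-venv` is installed with `ansible.builtin.apt`, which makes this role Debian-only while the tree still carries an `alma` Docker install role; `ansible.builtin.package` with a per-family package name keeps both paths working. The commented `pipx` leftovers at the bottom should be removed.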
@@ -0,0 +1,36 @@ + +services: + dumbwhois: + image: dumbwareio/dumbwhois:latest + networks: + - traefik_traefik_proxy + deploy: + mode: replicated + replicas: 15 + restart_policy: + condition: on-failure + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the dumbwhois router rule + - "traefik.http.routers.dumbwhois.rule=Host(`dumbwhois.lan.xbazzi.com`)" + # Expose dumbwhois on the HTTPS entrypoint + - "traefik.http.routers.dumbwhois.entrypoints=websecure" + # - "traefik.http.routers.dumbwhois.entrypoints=web" + # Enable TLS + - "traefik.http.routers.dumbwhois.tls=true" + # - "traefik.http.routers.dumbwhois.tls=false" + # Expose the dumbwhois port number to Traefik + - "traefik.http.services.dumbwhois.loadbalancer.server.port=3000" + + # Custom labels + - "com.xbazzi.stack=dumbwhois" + - "com.xbazzi.critical=false" + placement: + constraints: + - node.labels.zone == core + - node.labels.type != db + +networks: + traefik_traefik_proxy: + external: true \ No newline at end of file diff --git a/roles/docker/swarm/stacks/files/flowtodo-compose.yml b/roles/docker/swarm/stacks/files/flowtodo-compose.yml new file mode 100644 index 0000000..7382376 --- /dev/null +++ b/roles/docker/swarm/stacks/files/flowtodo-compose.yml 
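Review bot: `dumbwareio/dumbwhois:latest` is a mutable tag on a third-party image, so every `docker stack deploy` and every task reschedule onto a new node can pull different code; pin a version tag or an `@sha256:` digest the way the `postgres` stack pins `17.5-alpine3.21`. `replicas: 15` for a small whois lookup tool reads like a scaling experiment left in — with no `resources.limits` block, fifteen tasks also compete with the `critical=true` services sharing the `core` nodes.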
@@ -0,0 +1,38 @@ +services: + flowtodo: + image: gitgud.foo/thegrind/flowtodo + #environment: + # If you're serving through a reverse proxy + #- OCTANE_HTTPS=false + networks: + - traefik_traefik_proxy + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: on-failure + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the flowtodo router rule + - "traefik.http.routers.flowtodo.rule=Host(`flowtodo.lan.xbazzi.com`)" + # Expose flowtodo on the HTTPS entrypoint + - "traefik.http.routers.flowtodo.entrypoints=websecure" + # - "traefik.http.routers.flowtodo.entrypoints=web" + # Enable TLS + - "traefik.http.routers.flowtodo.tls=true" + # - "traefik.http.routers.flowtodo.tls=false" + # Expose the flowtodo port number to Traefik + - "traefik.http.services.flowtodo.loadbalancer.server.port=8000" + + # Custom labels + - "com.xbazzi.stack=flowtodo" + - "com.xbazzi.critical=true" + placement: + constraints: + - node.labels.zone == core + - node.labels.type != db + +networks: + traefik_traefik_proxy: + external: true diff --git a/roles/docker/swarm/stacks/files/nginx-compose.yml b/roles/docker/swarm/stacks/files/nginx-compose.yml new file mode 100644 index 0000000..a68f69c --- /dev/null +++ b/roles/docker/swarm/stacks/files/nginx-compose.yml 
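Review bot: `image: gitgud.foo/thegrind/flowtodo` carries no tag or digest, so it resolves to `latest` on the private registry and a service labelled `com.xbazzi.critical=true` is redeployed from whatever was pushed last; pin a tag or digest. The commented `OCTANE_HTTPS=false` hint suggests the app generates absolute URLs — since Traefik terminates TLS on `websecure`, confirm the app is told it sits behind HTTPS, otherwise it may emit `http://` links and cookies without the `Secure` flag.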
@@ -0,0 +1,37 @@ + +services: + nginx: + image: nginx:latest + networks: + - traefik_traefik_proxy + deploy: + mode: replicated + replicas: 8 + restart_policy: + condition: on-failure + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the nginx router rule + - "traefik.http.routers.nginx.rule=Host(`nginx.lan.xbazzi.com`)" + # Expose nginx on the HTTPS entrypoint + - "traefik.http.routers.nginx.entrypoints=websecure" + # - "traefik.http.routers.nginx.entrypoints=web" + # Enable TLS + - "traefik.http.routers.nginx.tls=true" + # - "traefik.http.routers.nginx.tls=false" + # Expose the nginx port number to Traefik + - "traefik.http.services.nginx.loadbalancer.server.port=80" + + # Custom labels + - "com.xbazzi.stack=nginx" + - "com.xbazzi.critical=false" + placement: + constraints: + - node.labels.zone == core + # - node.role != manager + # - node.labels.type != db + +networks: + traefik_traefik_proxy: + external: true diff --git a/roles/docker/swarm/stacks/files/portainer-compose.yml b/roles/docker/swarm/stacks/files/portainer-compose.yml new file mode 100644 index 0000000..b3d8ad6 --- /dev/null +++ b/roles/docker/swarm/stacks/files/portainer-compose.yml 
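Review bot: `node.labels.type != db` is commented out on the nginx placement, so its eight `nginx:latest` replicas may be scheduled onto the database node that `postgresql` and `scylladb` are pinned to, while the other web stacks in this commit keep that constraint. Re-enable `- node.labels.type != db` unless co-locating is intended, and pin the image tag.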
@@ -0,0 +1,60 @@ +version: '3.2' + +services: + agent: + image: portainer/agent:lts + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /var/lib/docker/volumes:/var/lib/docker/volumes + networks: + - agent_network + deploy: + mode: global + placement: + constraints: [node.platform.os == linux] + + portainer: + image: portainer/portainer-ce:lts + command: -H tcp://tasks.agent:9001 --tlsskipverify + ports: + - "9443:9443" + - "9000:9000" + - "8000:8000" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /docker-shared/stacks/data/portainer:/data + networks: + - traefik_traefik_proxy + - agent_network + deploy: + mode: replicated + replicas: 1 + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the nginx router rule + - "traefik.http.routers.portainer.rule=Host(`portainer.lan.xbazzi.com`)" + # Expose nginx on the HTTPS entrypoint + - "traefik.http.routers.portainer.entrypoints=websecure" + # - "traefik.http.routers.nginx.entrypoints=web" + # Enable TLS + - "traefik.http.routers.portainer.tls=true" + # - "traefik.http.routers.nginx.tls=false" + # Expose the nginx port number to Traefik + - "traefik.http.services.portainer.loadbalancer.server.port=9000" + + + # Custom labels + - "com.xbazzi.stack=nginx" + - "com.xbazzi.critical=false" + restart_policy: + condition: on-failure + placement: + constraints: [node.role == manager] + +networks: + agent_network: + driver: overlay + attachable: true + traefik_traefik_proxy: + external: true diff --git a/roles/docker/swarm/stacks/files/postgresql-compose.yml b/roles/docker/swarm/stacks/files/postgresql-compose.yml new file mode 100644 index 0000000..76fc98d --- /dev/null +++ b/roles/docker/swarm/stacks/files/postgresql-compose.yml 
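Review bot: Portainer is published directly on the Swarm ingress (`9443`, `9000`, `8000`) on every node *and* routed through Traefik, so the plain-HTTP UI on 9000 and the edge-agent tunnel on 8000 are reachable from the host network, bypassing the TLS entrypoint and any middleware Traefik applies; drop the `ports:` block (or keep only what the edge agent genuinely needs) and let `traefik_traefik_proxy` be the sole path. The custom label reads `com.xbazzi.stack=nginx` and the comments still say nginx — copy-paste leftover, should be `com.xbazzi.stack=portainer`. `--tlsskipverify` is the documented default for the agent's self-signed certificate, but it means the manager will trust any process answering on `tasks.agent:9001`, and the agent runs `global` with the Docker socket and `/var/lib/docker/volumes` mounted, i.e. root on every node; `agent_network` should therefore not be `attachable: true`, which lets any other container join it. `version: '3.2'` is obsolete and ignored by current Compose.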
@@ -0,0 +1,67 @@ +services: + + postgres: + image: postgres:17.5-alpine3.21 + hostname: postgres + networks: + - postgres_net + - traefik_traefik_proxy + # or set shared memory limit when deploy via swarm stack + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: on-failure + labels: + # Custom labels + - "com.xbazzi.stack=postgresql" + - "com.xbazzi.critical=true" + + placement: + constraints: + - node.hostname == db1 + volumes: + - /var/lib/postgresql/data:/var/lib/postgresql/data + # - type: tmpfs + # target: /dev/shm + # tmpfs: + # size: 134217728 # 128*2^20 bytes = 128Mb + environment: + POSTGRES_PASSWORD: password + + adminer: + image: adminer + networks: + - postgres_net + - traefik_traefik_proxy + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: on-failure + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the nginx router rule + - "traefik.http.routers.adminer.rule=Host(`adminer.lan.xbazzi.com`)" + # Expose nginx on the HTTPS entrypoint + - "traefik.http.routers.adminer.entrypoints=websecure" + # Enable TLS + - "traefik.http.routers.adminer.tls=true" + # Expose the nginx port number to Traefik + - "traefik.http.services.adminer.loadbalancer.server.port=8080" + + # Custom labels + - "com.xbazzi.stack=adminer" + - "com.xbazzi.critical=true" + placement: + constraints: + - node.hostname == db1 + +networks: + postgres_net: + driver: overlay + attachable: true + + traefik_traefik_proxy: + external: true diff --git a/roles/docker/swarm/stacks/files/scylladb-compose.yml b/roles/docker/swarm/stacks/files/scylladb-compose.yml new file mode 100644 index 0000000..08ffcd6 --- /dev/null +++ b/roles/docker/swarm/stacks/files/scylladb-compose.yml 
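Review bot: `POSTGRES_PASSWORD: password` is a hard-coded credential committed in clear text, and the `postgres` service is also attached to `traefik_traefik_proxy` although it carries no Traefik labels, so every web-facing container on that overlay can reach port 5432 with that password. The repository already uses ansible-vault, so the password can be delivered as a Docker secret and the database kept on `postgres_net` only — adminer still reaches it there. Adminer itself is a database login form exposed on `websecure` with no auth middleware or IP allow-list; add an `ipallowlist` middleware or leave the `adminer` service out of production.

```yaml
  postgres:
    image: postgres:17.5-alpine3.21
    hostname: postgres
    networks:
      - postgres_net          # no longer on the Traefik overlay
    # … unchanged: deploy, placement, volumes …
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password
# … unchanged: adminer service, networks …
secrets:
  postgres_password:
    external: true            # created once with `docker secret create` from the vaulted value
```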
@@ -0,0 +1,37 @@ +services: + some-scylla: + image: scylladb/scylla + networks: + - traefik_traefik_proxy + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: on-failure + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the scylladb router rule + - "traefik.http.routers.scylladb.rule=Host(`scylladb.lan.xbazzi.com`)" + # Expose scylladb on the HTTPS entrypoint + - "traefik.http.routers.scylladb.entrypoints=websecure" + # - "traefik.http.routers.scylladb.entrypoints=web" + # Enable TLS + - "traefik.http.routers.scylladb.tls=true" + # - "traefik.http.routers.scylladb.tls=false" + # Expose the scylladb port number to Traefik + - "traefik.http.services.scylladb.loadbalancer.server.port=9494" + + # Custom labels + - "com.xbazzi.stack=scylladb" + - "com.xbazzi.critical=true" + placement: + constraints: + - node.labels.zone == core + - node.labels.type == db + volumes: + - /var/lib/scylla:/var/lib/scylla + +networks: + traefik_traefik_proxy: + external: true \ No newline at end of file diff --git a/roles/docker/swarm/stacks/files/traefik-compose.yml b/roles/docker/swarm/stacks/files/traefik-compose.yml new file mode 100644 index 0000000..9c82d5e --- /dev/null +++ b/roles/docker/swarm/stacks/files/traefik-compose.yml 
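Review bot: the Scylla service joins `traefik_traefik_proxy` and gets a Traefik router to port 9494, which is not among the ports the `scylladb/scylla` image documents (9042 CQL, 10000 REST API, 9180 metrics) — confirm what this router is meant to reach, because if it is the REST API, `websecure` would be publishing an unauthenticated management interface that can change cluster state. Scylla also defaults to `AllowAllAuthenticator`/`AllowAllAuthorizer`, so any container on the shared overlay gets unauthenticated CQL access; give it its own overlay (as `postgres_net` does in the postgresql stack) and start it with `command: --authenticator PasswordAuthenticator --authorizer CassandraAuthorizer`. `image: scylladb/scylla` has no tag for a service marked `critical=true`, and `some-scylla` is the service name from the vendor's quick-start example.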
@@ -0,0 +1,142 @@ +services: + traefik: + image: traefik:v3.4 + + networks: + # Connect to the 'traefik_proxy' overlay network for inter-container communication across nodes + - traefik_proxy + + ports: + # Expose Traefik's entry points to the Swarm + # Swarm requires the long syntax for ports. + - target: 80 # Container port (Traefik web entry point) + published: 80 # Host port exposed on the nodes + protocol: tcp + # 'host' mode binds directly to the node's IP where the task runs. + # 'ingress' mode uses Swarm's Routing Mesh (load balances across nodes). + # Choose based on your load balancing strategy. 'host' is often simpler if using an external LB. + mode: host + - target: 443 # Container port ( Traefik websecure entry point) + published: 443 # Host port + protocol: tcp + mode: host + + # External EntryPoint host port + - target: 8443 + published: 8443 + protocol: tcp + mode: host + + volumes: + # Mount the Docker socket for the Swarm provider + # This MUST be run from a manager node to access the Swarm API via the socket. 
+ - /docker-shared/stacks/data/traefik/certs:/certs:ro + - /docker-shared/stacks/data/traefik/dynamic:/dynamic:ro + - /docker-shared/stacks/data/traefik/logs:/logs/ + - /var/run/docker.sock:/var/run/docker.sock:ro # Swarm API socket + + # Traefik Static configuration via command-line arguments + command: + # HTTP EntryPoint + - "--entrypoints.web.address=:80" + + # External EntryPoint + - "--entrypoints.external.address=:8443" + - "--entrypoints.external.http.tls=true" + + # Configure HTTP to HTTPS Redirection + - "--entrypoints.web.http.redirections.entrypoint.to=websecure" + - "--entrypoints.web.http.redirections.entrypoint.scheme=https" + - "--entrypoints.web.http.redirections.entrypoint.permanent=true" + + # HTTPS EntryPoint + - "--entrypoints.websecure.address=:443" + - "--entrypoints.websecure.http.tls=true" + + # Attach dynamic TLS file + - "--providers.file.filename=/dynamic/tls.yaml" + + # Providers + + # Enable the Docker Swarm provider (instead of Docker provider) + - "--providers.swarm.endpoint=unix:///var/run/docker.sock" + + # Watch for Swarm service changes (requires socket access) + - "--providers.swarm.watch=true" + + # Recommended: Don't expose services by default; require explicit labels + - "--providers.swarm.exposedbydefault=false" + + # Specify the default network for Traefik to connect to services + - "--providers.swarm.network=traefik_traefik_proxy" + + # API & Dashboard + # - "--api=true" # Enable API + # - "--api" + # - "--api.insecure=true" # Enale API + - "--api.dashboard=true" # Enable the dashboard + - "--api.insecure=false" # Explicitly disable insecure API mod + + # Observability + - "--log.level=DEBUG" # Set the Log Level e.g INFO, DEBUG + - "--accesslog=true" # Enable Access Logs + - "--metrics.prometheus=true" # Enable Prometheus + + deploy: + mode: replicated + replicas: 1 + placement: + + # Placement constraints restrict where Traefik tasks can run. 
+ # Running on manager nodes is common for accessing the Swarm API via the socket. + constraints: + - node.role == manager + + # Traefik Dynamic configuration via labels + # In Swarm, labels on the service definition configure Traefik routing for that service. + labels: + - "traefik.enable=true" + + # Dashboard router + - "traefik.http.routers.dashboard.rule=Host(`traefik.lan.xbazzi.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" + - "traefik.http.routers.dashboard.entrypoints=websecure" + # - "traefik.http.routers.dashboard.entrypoints=web" + - "traefik.http.routers.dashboard.service=api@internal" + - "traefik.http.routers.dashboard.tls=true" + # - "traefik.http.routers.dashboard.tls=false" + + # Basic‑auth middleware + - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$E5TT9jjy$$FWtnebebWTH/fiL.oz3jg1" + - "traefik.http.routers.dashboard.middlewares=dashboard-auth@swarm" + + # Service hint + - "traefik.http.services.traefik.loadbalancer.server.port=8080" + + # Deploy the Whoami application + whoami: + image: traefik/whoami + networks: + - traefik_proxy + deploy: + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the WHoami router rule + - "traefik.http.routers.whoami.rule=Host(`whoami.lan.xbazzi.com`)" + # Expose Whoami on the HTTPS entrypoint + - "traefik.http.routers.whoami.entrypoints=websecure" + # - "traefik.http.routers.whoami.entrypoints=web" + # Enable TLS + - "traefik.http.routers.whoami.tls=true" + # - "traefik.http.routers.whoami.tls=false" + # Expose the whoami port number to Traefik + - "traefik.http.services.whoami.loadbalancer.server.port=80" + placement: + constraints: + - node.role != manager + +# Define the overlay network for Swarm +networks: + traefik_proxy: + driver: overlay + attachable: true \ No newline at end of file 
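Review bot: the dashboard credential is committed in the compose file as an `apr1` (MD5-based) htpasswd hash on the `dashboard-auth` basicauth label, and since `stacks/tasks` now copies this file verbatim there is no templating step that could inject it from the vault. Replace the label with `traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/dynamic/dashboard.htpasswd`, generate that file with bcrypt (`htpasswd -B`), and keep it out of the repository — the `/dynamic` mount already exists and is read-only. `--log.level=DEBUG` is very chatty for production and writes request details into the logs; `INFO` is the sane default. The `external` entrypoint on 8443 has TLS enabled and is published in `host` mode on the managers, but no visible router uses it — if nothing under `/dynamic` routes it, remove it rather than leave an open listener. The `whoami` demo service is bundled into this stack *and* duplicated in `whoami-compose.yml`; keep one.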
diff --git a/roles/docker/swarm/stacks/files/whoami-compose.yml b/roles/docker/swarm/stacks/files/whoami-compose.yml new file mode 100644 index 0000000..c3783da --- /dev/null +++ b/roles/docker/swarm/stacks/files/whoami-compose.yml @@ -0,0 +1,26 @@ +services: + whoami: + image: traefik/whoami + networks: + - traefik_proxy + deploy: + labels: + # Enable Service discovery for Traefik + - "traefik.enable=true" + # Define the WHoami router rule + - "traefik.http.routers.whoami.rule=Host(`whoami.lan.xbazzi.com`)" + # Expose Whoami on the HTTPS entrypoint + - "traefik.http.routers.whoami.entrypoints=websecure" + # - "traefik.http.routers.whoami.entrypoints=web" + # Enable TLS + - "traefik.http.routers.whoami.tls=true" + # - "traefik.http.routers.whoami.tls=false" + # Expose the whoami port number to Traefik + - "traefik.http.services.whoami.loadbalancer.server.port=80" + placement: + constraints: + - node.role != manager + +networks: + traefik_traefik_proxy: + external: true \ No newline at end of file diff --git a/roles/docker/swarm/stacks/tasks/main.yml b/roles/docker/swarm/stacks/tasks/main.yml index 2f5dac5..e606b13 100644 --- a/roles/docker/swarm/stacks/tasks/main.yml +++ b/roles/docker/swarm/stacks/tasks/main.yml 
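Review bot: the `whoami` service joins `traefik_proxy`, but the file's top-level `networks:` only defines `traefik_traefik_proxy`, so `docker stack deploy` will reject the file with an undefined-network error (the copy bundled inside `traefik-compose.yml` is consistent because that file defines `traefik_proxy` itself). Change the service entry to `- traefik_traefik_proxy`. This stack is not in the `deploy-stack.yml` list, so the breakage is latent until someone adds it.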
@@ -9,15 +9,24 @@ loop: "{{ stacks }}" # when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" -- name: Render docker-compose.yml for each stack - ansible.builtin.template: +# - name: Render docker-compose.yml for each stack +# ansible.builtin.template: +# src: "{{ item.compose_path }}" +# dest: "/docker-shared/stacks/compose/{{ item.name }}/docker-compose.yml" +# owner: root +# group: root +# mode: '0644' +# loop: "{{ stacks }}" +# # when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" + +- name: Copy raw docker-compose.yml for each stack + ansible.builtin.copy: src: "{{ item.compose_path }}" dest: "/docker-shared/stacks/compose/{{ item.name }}/docker-compose.yml" owner: root group: root mode: '0644' loop: "{{ stacks }}" - # when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" - name: Ensure Docker bind mount directories exist ansible.builtin.file: diff --git a/roles/docker/swarm/stacks/templates/caddy-compose.j2 b/roles/docker/swarm/stacks/templates/caddy-compose.j2 index 950ea22..66f8bfe 100644 --- a/roles/docker/swarm/stacks/templates/caddy-compose.j2 +++ b/roles/docker/swarm/stacks/templates/caddy-compose.j2 @@ -1,12 +1,15 @@ services: - caddy: + server: image: gitgud.foo/xbazzi/caddy-pimped:latest - restart: unless-stopped ports: - - "80:80" - - "443:443" - - "2019:2019" - - "443:443/udp" + - 80:80 + - 5443:443 + networks: + - caddy_net + - caddy_controller + environment: + - CADDY_DOCKER_MODE=server + - CADDY_CONTROLLER_NETWORK=10.200.254.0/24 volumes: {% for volume in item.volumes %} - {{ volume }} @@ -17,6 +20,7 @@ services: restart_policy: condition: {{ item.restart_condition }} labels: + caddy.email: admin@xbazzi.com {% for key, val in item.labels.items() %} {{ key }}: "{{ val }}" {% endfor %} 
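Review bot: Replacing `template` with `copy` ships `item.compose_path` verbatim, so any stack whose `compose_path` still points at one of the `.j2` templates touched in this commit (they contain `{{ item.replicas }}` and `{{ item.restart_condition }}`) would arrive on the manager with unrendered Jinja and fail at `docker stack deploy`; I cannot see the `stacks` variable here, so please confirm every entry now references a file under `files/`. The `when: swarm_manager` guard was dropped at the same time, so the copy now runs on every host in the play rather than only managers. Keeping both tasks with a guard such as `when: item.compose_path.endswith('.j2')` / `when: not item.compose_path.endswith('.j2')` would make the intent explicit.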
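Review bot: The rewritten port entries `- 80:80` and `- 5443:443` are plain scalars; Compose's own guidance is to quote `host:container` pairs so YAML 1.1 parsers can never read them as sexagesimal integers, `- "80:80"` / `- "5443:443"`, and the previous version of this file did quote them. The label `caddy.email: admin@xbazzi.com` is hard-coded right above the `item.labels` loop that already injects per-stack labels; moving it into the stack's label map keeps environment data out of the template. Note that the firewall role in this same commit opens 4080 and 4443, not 80 and 5443, so one of the two sides looks stale.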
@@ -24,4 +28,31 @@ services: constraints: {% for constraint in item.constraints %} - {{ constraint }} -{% endfor %} \ No newline at end of file +{% endfor %} + + controller: + image: gitgud.foo/xbazzi/caddy-pimped:latest + networks: + - caddy_controller + - caddy_net + environment: + - CADDY_DOCKER_MODE=controller + - CADDY_CONTROLLER_NETWORK=10.200.254.0/24 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + deploy: + placement: + constraints: +{% for constraint in item.constraints %} + - {{ constraint }} +{% endfor %} + +networks: + caddy_net: + external: true + caddy_controller: + driver: overlay + ipam: + driver: default + config: + - subnet: "10.200.254.0/24" \ No newline at end of file diff --git a/roles/docker/swarm/stacks/templates/dumbwhois-compose.j2 b/roles/docker/swarm/stacks/templates/dumbwhois-compose.j2 new file mode 100644 index 0000000..e7b9b7b --- /dev/null +++ b/roles/docker/swarm/stacks/templates/dumbwhois-compose.j2 @@ -0,0 +1,30 @@ + +services: + dumbwhois: + image: dumbwareio/dumbwhois:latest + ports: + - target: 3000 + published: 3000 + protocol: tcp + mode: ingress + networks: + - default + - caddy_net + deploy: + mode: replicated + replicas: {{ item.replicas }} + restart_policy: + condition: {{ item.restart_condition }} + labels: +{% for key, val in item.labels.items() %} + {{ key }}: "{{ val }}" +{% endfor %} + placement: + constraints: +{% for constraint in item.constraints %} + - {{ constraint }} +{% endfor %} + +networks: + caddy_net: + external: true \ No newline at end of file diff --git a/roles/docker/swarm/stacks/templates/flowtodo-compose.j2 b/roles/docker/swarm/stacks/templates/flowtodo-compose.j2 new file mode 100644 index 0000000..60b3406 --- /dev/null +++ b/roles/docker/swarm/stacks/templates/flowtodo-compose.j2 
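Review bot: The `controller` service bind-mounts `/var/run/docker.sock` read-write, which hands anything that compromises the Caddy image full control of the engine and, when it lands on a manager, of the Swarm API; a `:ro` suffix does not limit API calls on a socket, so the real mitigations are a socket proxy that exposes only the read endpoints the controller needs, and keeping the controller off `caddy_net` where the proxied apps live. It also inherits the server's `item.constraints`, yet a worker's socket does not see Swarm services, so the controller should carry an explicit `- node.role == manager` constraint. The subnet `10.200.254.0/24` is spelled out three times (two `CADDY_CONTROLLER_NETWORK` values and the `ipam` block); one variable in the role defaults would keep them from drifting.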
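Review bot: `dumbwhois` publishes port 3000 in `ingress` mode while also joining `caddy_net`, so the app is reachable in plaintext on every Swarm node's 3000 regardless of Caddy (the firewall role in this commit opens 3000/tcp on all swarm hosts as well), which bypasses the reverse proxy's TLS and any auth it adds. If Caddy is the intended entry point, drop the `ports:` block entirely and let Caddy reach the service by name over `caddy_net`. `dumbwareio/dumbwhois:latest` also floats; pin a tag or digest.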
@@ -0,0 +1,33 @@ + +services: + flowtodo: + image: gitgud.foo/thegrind/flowtodo + #environment: + # If you're serving through a reverse proxy + #- OCTANE_HTTPS=false + ports: + - target: 8000 + published: 4000 + protocol: tcp + mode: ingress + networks: + - default + - caddy_net + deploy: + mode: replicated + replicas: {{ item.replicas }} + restart_policy: + condition: {{ item.restart_condition }} + labels: +{% for key, val in item.labels.items() %} + {{ key }}: "{{ val }}" +{% endfor %} + placement: + constraints: +{% for constraint in item.constraints %} + - {{ constraint }} +{% endfor %} + +networks: + caddy_net: + external: true diff --git a/roles/docker/swarm/stacks/templates/nginx-compose.j2 b/roles/docker/swarm/stacks/templates/nginx-compose.j2 index 3dedf5e..ed38467 100644 --- a/roles/docker/swarm/stacks/templates/nginx-compose.j2 +++ b/roles/docker/swarm/stacks/templates/nginx-compose.j2 @@ -7,6 +7,8 @@ services: published: 8080 protocol: tcp mode: ingress + networks: + - caddy_net deploy: mode: replicated replicas: {{ item.replicas }} @@ -21,3 +23,7 @@ services: {% for constraint in item.constraints %} - {{ constraint }} {% endfor %} + +networks: + caddy_net: + external: true \ No newline at end of file diff --git a/roles/docker/swarm/stacks/templates/portainer-compose.j2 b/roles/docker/swarm/stacks/templates/portainer-compose.j2 index 6901220..ddec7f8 100644 --- a/roles/docker/swarm/stacks/templates/portainer-compose.j2 +++ b/roles/docker/swarm/stacks/templates/portainer-compose.j2 @@ -25,9 +25,14 @@ services: - /docker-shared/stacks/data/portainer:/data networks: - agent_network + - caddy_net deploy: mode: replicated replicas: {{ item.replicas }} + labels: +{% for key, val in item.labels.items() %} + {{ key }}: "{{ val }}" +{% endfor %} restart_policy: condition: {{ item.restart_condition }} placement: 
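Review bot: `flowtodo` publishes container port 8000 as host 4000 in `ingress` mode and is also attached to `caddy_net`, so it is reachable in plaintext on every node's 4000 and the reverse proxy can be bypassed entirely; the `nginx` template in this commit follows the same pattern with 8080. With `OCTANE_HTTPS` left commented out, an app behind a TLS-terminating proxy may generate `http://` URLs, and the in-file hint suggests this needs an actual decision rather than a commented line. Remove `ports:` if Caddy is the only entry point, and pin `gitgud.foo/thegrind/flowtodo` to a tag or digest.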
@@ -37,4 +42,6 @@ services:
 networks:
   agent_network:
     driver: overlay
-    attachable: true
\ No newline at end of file
+    attachable: true
+  caddy_net:
+    external: true
\ No newline at end of file
diff --git a/roles/docker/swarm/stacks/templates/scylladb-compose.j2 b/roles/docker/swarm/stacks/templates/scylladb-compose.j2
new file mode 100644
index 0000000..c80947c
--- /dev/null
+++ b/roles/docker/swarm/stacks/templates/scylladb-compose.j2
@@ -0,0 +1,4 @@
+services:
+  scylla:
+    image: scylladb/scylla
+    container_name: scylladb
\ No newline at end of file
diff --git a/roles/docker/uninstall/defaults/main.yml b/roles/docker/uninstall/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/docker/uninstall/tasks/main.yml b/roles/docker/uninstall/tasks/main.yml
new file mode 100644
index 0000000..06e5bda
--- /dev/null
+++ b/roles/docker/uninstall/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Leave Docker Swarm (if member)
+  ansible.builtin.shell: docker swarm leave --force || true
+  ignore_errors: true
+
+- name: Stop Docker service
+  ansible.builtin.systemd_service:
+    name: docker
+    state: stopped
+    enabled: true
+
+- name: Remove Docker data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /var/lib/docker
+    - /var/lib/docker/volumes
+    - /var/lib/docker/swarm
+    - /var/lib/docker/network
+    - /etc/docker/key.json
+    - /run/docker
+  ignore_errors: true
+
+- name: Remove dnf packages
+  ansible.builtin.dnf:
+    name:
+      - docker
+      - docker-client
+      - docker-client-latest
+      - docker-common
+      - docker-latest
+      - docker-latest-logrotate
+      - docker-logrotate
+      - docker-engine
+      - podman
+      - runc
+    state: absent
\ No newline at end of file
diff --git a/roles/pve/lvm/tasks/main.yml b/roles/pve/lvm/tasks/main.yml
index 51c8e2f..82789df 100644
--- a/roles/pve/lvm/tasks/main.yml
+++ b/roles/pve/lvm/tasks/main.yml
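Review bot: The scylladb stack defines only `image` and `container_name`, so it deploys with no explicit network, no persistent volume, and whatever the image's defaults are for access control (as far as I recall ScyllaDB ships with authentication disabled — confirm before relying on it); `container_name` is also ignored by `docker stack deploy`. Nothing publishes its CQL port, but every service on the stack's default network can reach it unauthenticated, and `/var/lib/scylla` lives inside the container so data is lost on every reschedule. Attach it to an internal overlay, persist the data directory following the `/docker-shared/stacks/data/<stack>` convention the portainer template uses, keep it off manager nodes, and pin the image tag.

```yaml
services:
  scylla:
    image: scylladb/scylla
    # container_name is ignored by `docker stack deploy`; the service name is the DNS name
    networks:
      - scylla_net
    volumes:
      - /docker-shared/stacks/data/scylla:/var/lib/scylla
    deploy:
      placement:
        constraints:
          - node.role != manager

networks:
  scylla_net:
    driver: overlay
    internal: true
```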
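Review bot: `Stop Docker service` sets `enabled: true` while the role is removing Docker, so a unit that survives package removal is re-enabled at boot; it should be `enabled: false`. `docker swarm leave --force || true` combined with `ignore_errors: true` double-masks failures, so drop the `|| true` and let the task's status be meaningful, and the `/var/lib/docker/*` entries are redundant once `/var/lib/docker` itself is removed. Removing `podman` and `runc` alongside Docker may be unintended on hosts that use them; a comment stating that this is deliberate would help.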
@@ -25,10 +25,11 @@ shrink: false size: "{{ pve_docker_lv_size }}" state: present - when: "'docker' in item.roles" + when: "'docker' in item.vm_roles" loop: "{{ vms }}" loop_control: label: "{{ item.vmid }}" + ignore_errors: true - name: Attach Docker disk to VM ansible.builtin.shell: > @@ -38,7 +39,7 @@ delegate_to: "{{ item.node }}" run_once: true loop: "{{ vms }}" - when: "'docker' in item.roles" + when: "'docker' in item.vm_roles" loop_control: label: "VM {{ item.vmid }} on {{ item.node }}" 
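Review bot: Adding `ignore_errors: true` to the Docker LV creation means the next task still runs `qm set … ha-lvm:vm-<id>-disk-…` against an LV that may not exist, turning a clear `lvol` failure into a later attach error with less context. If the failure being masked is "LV already exists on another node of the shared VG", express that directly by limiting creation to the owning node, `when:` with both `"'docker' in item.vm_roles"` and `inventory_hostname == item.node`, as the commented-out variant further down this file already does, or with a `failed_when` that only tolerates the already-exists message.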
@@ -49,7 +50,83 @@ shrink: false size: "{{ pve_db_lv_size }}" state: present - when: "'db' in item.roles" + when: "'db' in item.vm_roles" loop: "{{ vms }}" loop_control: label: "{{ item.vmid }}" + +# - name: Install LVM tools (if not present) +# ansible.builtin.package: +# name: lvm2 +# state: present + +# - name: Check current LVs for VMs +# ansible.builtin.shell: > +# lvs -o lv_name --noheadings | grep vm || true +# register: lvs_output +# changed_when: false + +# - name: Debug current LV list +# debug: +# var: lvs_output.stdout_lines + +# - name: Create logical volume for Docker (only on owning node) +# community.general.lvol: +# lv: "vm-{{ item.vmid }}-disk-{{ pve_docker_disk_id }}" +# vg: "{{ pve_vg }}" +# shrink: false +# size: "{{ pve_docker_lv_size }}" +# state: present +# when: +# - "'docker' in item.vm_roles" +# - inventory_hostname == item.node +# loop: "{{ vms }}" +# loop_control: +# label: "lv_docker_{{ item.vmid }}" +# ignore_errors: false + +# - name: Ensure VM exists before attaching disk +# ansible.builtin.command: > +# qm config {{ item.vmid }} +# register: vm_check +# failed_when: vm_check.rc != 0 and 'no such VM' not in vm_check.stderr +# changed_when: false +# when: +# - "'docker' in item.vm_roles" +# - inventory_hostname == item.node +# loop: "{{ vms }}" +# loop_control: +# label: "check_vm_{{ item.vmid }}" + +# - name: Attach Docker disk to VM +# ansible.builtin.shell: > +# qm set {{ item.vmid }} --scsi{{ pve_docker_disk_id }} +# ha-lvm:vm-{{ item.vmid }}-disk-{{ pve_docker_disk_id }}, +# cache=writeback,discard=on,iothread=1,ssd=1 +# args: +# executable: /bin/bash +# delegate_to: "{{ item.node }}" +# run_once: false +# loop: "{{ vms }}" +# when: +# - "'docker' in item.vm_roles" +# retries: 5 +# delay: 3 +# register: disk_attach_result +# until: disk_attach_result.rc == 0 +# loop_control: +# label: "attach_vm_{{ item.vmid }}" + +# - name: Create logical volume for DB (only on owning node) +# community.general.lvol: +# lv: "vm-{{ item.vmid 
}}-disk-{{ pve_db_disk_id }}" +# vg: "{{ pve_vg }}" +# shrink: false +# size: "{{ pve_db_lv_size }}" +# state: present +# when: +# - "'db' in item.vm_roles" +# - inventory_hostname == item.node +# loop: "{{ vms }}" +# loop_control: +# label: "lv_db_{{ item.vmid }}" diff --git a/roles/server/disable/firewalld/defaults/main.yml b/roles/server/disable/firewalld/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/server/disable/firewalld/tasks/main.yml b/roles/server/disable/firewalld/tasks/main.yml new file mode 100644 index 0000000..fc3aa3d --- /dev/null +++ b/roles/server/disable/firewalld/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Disable and stop firewalld + ansible.builtin.systemd_service: + name: firewalld + state: stopped + enabled: false + masked: true diff --git a/roles/server/fastfetch/defaults/main.yml b/roles/server/fastfetch/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/server/fastfetch/tasks/main.yml b/roles/server/fastfetch/tasks/main.yml new file mode 100644 index 0000000..4bdb237 --- /dev/null +++ b/roles/server/fastfetch/tasks/main.yml @@ -0,0 +1,31 @@ +--- +- name: Clone fastfetch repository + ansible.builtin.git: + repo: https://github.com/fastfetch-cli/fastfetch.git + dest: /usr/local/src/fastfetch + version: master + update: yes + +- name: Create build directory + ansible.builtin.file: + path: /usr/local/src/fastfetch/build + state: directory + +- name: Run cmake to configure build + ansible.builtin.command: + cmd: cmake -G Ninja .. + chdir: /usr/local/src/fastfetch/build + args: + creates: /usr/local/src/fastfetch/build/build.ninja + +- name: Build fastfetch with ninja + ansible.builtin.command: + cmd: ninja + chdir: /usr/local/src/fastfetch/build + args: + creates: /usr/local/src/fastfetch/build/fastfetch + +- name: Install fastfetch binary + ansible.builtin.command: + cmd: ninja install + chdir: /usr/local/src/fastfetch/build 
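Review bot: Roughly seventy lines of commented-out tasks (LV creation on the owning node, a `qm config` existence check, a retrying attach) are committed here instead of code; git history already preserves alternatives, and dead blocks drift from the live tasks above them. The owning-node variant with `inventory_hostname == item.node` is the more correct one, so either enable it in place of the `ignore_errors` approach or delete the block.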
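Review bot: Masking `firewalld` unconditionally removes the only host-level filter these VMs have, and `roles/server/firewall` in this same commit still drives firewalld zones, so whichever role runs last silently wins. Gate it behind an explicit variable, `when: disable_firewalld | default(false) | bool`, and document the trade-off with a comment such as `# Disables host filtering entirely; only for hosts behind an upstream firewall`. Note that once masked, the firewall role's `firewalld` tasks will fail until the unit is unmasked again.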
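Review bot: The build pulls `version: master` with `update: yes` and then runs `ninja install` as root on every play, so whatever the upstream branch head happens to be at run time gets installed with no pin and no integrity check — a classic supply-chain exposure for a cosmetic tool. Pin to a release tag or full commit SHA, `version: "<tag-or-sha>"`, and set `update: false` once pinned. `Install fastfetch binary` also has no `creates:`, so it re-installs each run; `creates: /usr/local/bin/fastfetch` makes it idempotent (assuming the default CMake prefix — confirm).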
diff --git a/roles/server/firewall/tasks/main.yml b/roles/server/firewall/tasks/main.yml index 76e32df..9322f8f 100644 --- a/roles/server/firewall/tasks/main.yml +++ b/roles/server/firewall/tasks/main.yml @@ -8,6 +8,7 @@ - name: Assign interface ens18 to core zone ansible.posix.firewalld: interface: ens18 + # masquerade: true zone: core state: enabled permanent: true @@ -15,6 +16,7 @@ - name: Assign interface ens19 to mgmt zone ansible.posix.firewalld: interface: ens19 + # masquerade: true zone: mgmt state: enabled permanent: true @@ -22,6 +24,7 @@ - name: Assign interface ens20 to dmz zone ansible.posix.firewalld: interface: ens20 + # masquerade: true zone: dmz state: enabled permanent: true @@ -32,12 +35,12 @@ - name: Reload firewalld to apply changes ansible.builtin.command: firewall-cmd --reload -- name: DROP all traffic on dmz by default - ansible.builtin.firewalld: - zone: dmz - target: "DROP" - permanent: true - state: enabled +# - name: DROP all traffic on dmz by default +# ansible.builtin.firewalld: +# zone: dmz +# target: "DROP" +# permanent: true +# state: enabled ################ SWARM SETUP ################ - name: Open Docker Swarm manager inbound port 2377/tcp @@ -46,7 +49,7 @@ port: 2377/tcp permanent: true state: enabled - when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" + when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']" - name: Open Docker Swarm data overlay node discovery port 7946/tcp ansible.builtin.firewalld: @@ -88,10 +91,18 @@ state: enabled when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" +- name: Open Docker Swarm overlay network traffic 4789/udp on mgmt + ansible.builtin.firewalld: + zone: mgmt + port: 4789/udp + permanent: true + state: enabled + + ############# Docker Services ########### - name: Open Docker Stack portainer 9443/tcp ansible.builtin.firewalld: - zone: core + # zone: core port: 9443/tcp permanent: true state: enabled 
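Review bot: Commenting out `target: DROP` for the `dmz` zone and removing `zone: core` from the port rules are both silent relaxations: the DMZ falls back to the zone's default target, and a `firewalld` rule with no `zone:` lands in the daemon's default zone (normally `public`), which is not the zone the interfaces are assigned to above. The new 4789/udp rule on `mgmt` has no `when:`, so VXLAN is opened on every host the role touches, not only swarm nodes. Restore `zone:` on each rule (or set it once through a variable) and keep `when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"` on the overlay rule.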
@@ -99,51 +110,59 @@ - name: Open Docker Stack nginx 8080/tcp ansible.builtin.firewalld: - zone: core + # zone: core port: 8080/tcp permanent: true state: enabled when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" -- name: Open Caddy 443/tcp +- name: Open Caddy 4443/tcp ansible.builtin.firewalld: - zone: core - port: 443/tcp + # zone: core + port: 4443/tcp permanent: true state: enabled when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" -- name: Open Caddy 80/tcp +- name: Open Caddy 4443/udp ansible.builtin.firewalld: - zone: core - port: 80/tcp + # zone: core + port: 4443/udp permanent: true state: enabled when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" -- name: Open Caddy 80/tcp +- name: Open Caddy 4080/tcp ansible.builtin.firewalld: - zone: core - port: 80/tcp + # zone: core + port: 4080/tcp permanent: true state: enabled when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" - name: Open Caddy 2019/tcp ansible.builtin.firewalld: - zone: core + # zone: core port: 2019/tcp permanent: true state: enabled when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" -# - name: Open Portainer env port 9001/tcp -# ansible.builtin.firewalld: -# zone: core -# port: 9001/tcp -# permanent: true -# state: enabled -# when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" +- name: Open FlowTodo 4000/tcp + ansible.builtin.firewalld: + # zone: core + port: 4000/tcp + permanent: true + state: enabled + when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" + +- name: Open DumbWhois 3000/tcp + ansible.builtin.firewalld: + # zone: core + port: 3000/tcp + permanent: true + state: enabled + when: "'swarm' in hostvars[inventory_hostname]['vm_roles']" - name: Restart firewalld service ansible.builtin.systemd_service: diff --git a/roles/server/kitty/tasks/main.yml b/roles/server/kitty/tasks/main.yml index 60a7856..11efb22 100644 --- a/roles/server/kitty/tasks/main.yml +++ b/roles/server/kitty/tasks/main.yml 
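Review bot: `Open Caddy 2019/tcp` stays in place even though the caddy compose template in this commit no longer publishes `2019:2019`; Caddy's admin API is unauthenticated and accepts full configuration replacement, so that rule should be deleted rather than left open on every swarm node. The Caddy ports opened here (4443/tcp, 4443/udp, 4080/tcp) do not match what the template now publishes (`80:80`, `5443:443`), so either the firewall or the compose file is stale. Every rule in the hunk also lost its `zone:`, which moves it to firewalld's default zone rather than `core`.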
@@ -5,21 +5,35 @@ - name: Upload xterm-kitty.terminfo to each user’s home ansible.builtin.copy: src: "/home/xbazzi/.xterm-kitty.terminfo" - dest: "/home/{{ item }}/.xterm-kitty.terminfo" + dest: "{{ '/root' if item == 'root' else '/home/' + item }}/.xterm-kitty.terminfo" + # dest: "/home/{{ item }}/.xterm-kitty.terminfo" owner: "{{ item }}" group: "{{ item }}" mode: '0644' - loop: "{{ users }}" + loop: "{{ users + ['root']}}" +# - name: Compile terminfo for each user +# ansible.builtin.command: > +# tic -x -o "{{ '/root' if item == 'root' else '/home/' + item }}/.terminfo {{ '/root' if item == 'root' else '/home/' + item }}/.xterm-kitty.terminfo" +# become: true +# become_user: root #"{{ item }}" +# loop: "{{ users + ['root']}}" + - name: Compile terminfo for each user - ansible.builtin.command: > - tic -x -o /home/{{ item }}/.terminfo /home/{{ item }}/.xterm-kitty.terminfo - become: true - become_user: root #"{{ item }}" - loop: "{{ users }}" + ansible.builtin.command: + argv: + - tic + - -x + - -o + - "{{ item_home }}/.terminfo" + - "{{ item_home }}/.xterm-kitty.terminfo" + vars: + item_home: "{{ '/root' if item == 'root' else '/home/' + item }}" + loop: "{{ users + ['root'] }}" + - name: Clean up xterm-kitty.terminfo from home directory ansible.builtin.file: path: "/home/{{ item }}/.xterm-kitty.terminfo" state: absent - loop: "{{ users }}" + loop: "{{ users + ['root']}}" diff --git a/roles/server/network/handlers/main.yml b/roles/server/network/handlers/main.yml index 6bc7f06..9eed949 100644 --- a/roles/server/network/handlers/main.yml +++ b/roles/server/network/handlers/main.yml @@ -1,4 +1,13 @@ - name: Restart systemd-networkd ansible.builtin.systemd_service: name: systemd-networkd - state: restarted \ No newline at end of file + state: restarted + +- name: Trigger udev for new interface names + ansible.builtin.command: udevadm trigger + become: true + +- name: Restart systemd-networkd + ansible.builtin.systemd: + name: systemd-networkd + state: restarted 
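Review bot: The cleanup task still uses `path: "/home/{{ item }}/.xterm-kitty.terminfo"`, so for the newly added `root` entry it looks under `/home/root` and leaves `/root/.xterm-kitty.terminfo` behind; reuse the copy task's expression, `path: "{{ '/root' if item == 'root' else '/home/' + item }}/.xterm-kitty.terminfo"`. The `src: "/home/xbazzi/.xterm-kitty.terminfo"` absolute control-node path also ties the role to one workstation; a file under the role's `files/` directory would be portable. The `argv` form for `tic` is a good change — it removes the quoting problem the commented-out version had.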
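Review bot: Two handlers now share the name `Restart systemd-networkd` (one via `systemd_service`, one via `systemd`); Ansible keys handlers by name, so only one of them is reachable from `notify` and the other is dead, which is confusing at best — drop the second definition. For `Trigger udev for new interface names`, I believe a bare `udevadm trigger` does not rename an interface that is already up, since `.link` renames are applied on the add event, so confirm the handler actually renames anything or document that a reboot is required.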
diff --git a/roles/server/network/tasks/main.yml b/roles/server/network/tasks/main.yml index 95b999c..24291ce 100644 --- a/roles/server/network/tasks/main.yml +++ b/roles/server/network/tasks/main.yml 
@@ -1,68 +1,69 @@ --- ##### Firewall pre-requisites ##### + +# - name: Enable and start firewalld +# ansible.builtin.systemd: +# name: firewalld +# enabled: yes +# state: started + +# - name: firewall-cmd --get-zones +# ansible.builtin.command: firewall-cmd --get-zones +# register: firewalld_zones + +# - name: firewall-cmd --get-active-zones +# ansible.builtin.command: firewall-cmd --get-active-zones +# register: firewalld_zones + +# - name: Check existing zones +# ansible.builtin.debug: +# var: firewalld_zones.stdout + +# - name: Create firewalld core zone +# ansible.posix.firewalld: +# zone: core +# state: present +# permanent: true + +# - name: Create firewalld mgmt zone +# ansible.posix.firewalld: +# zone: mgmt +# state: present +# permanent: true + +# - name: Create firewalld dmz zone +# ansible.posix.firewalld: +# zone: dmz +# state: present +# permanent: true + +# - name: Reload firewalld to apply changes +# ansible.builtin.command: firewall-cmd --reload + +# - name: Enable ssh rule in core +# ansible.posix.firewalld: +# zone: core +# service: ssh +# state: enabled +# permanent: true + +# - name: Enable ssh rule in mgmt +# ansible.posix.firewalld: +# zone: mgmt +# service: ssh +# state: enabled +# permanent: true + +# - name: Reload firewalld to apply changes +# ansible.builtin.command: firewall-cmd --reload + +#### Network config #### - name: Enable and start systemd-networkd ansible.builtin.systemd: name: systemd-networkd enabled: true state: started -- name: Enable and start firewalld - ansible.builtin.systemd: - name: firewalld - enabled: yes - state: started - -- name: firewall-cmd --get-zones - ansible.builtin.command: firewall-cmd --get-zones - register: firewalld_zones - -- name: firewall-cmd --get-active-zones - ansible.builtin.command: firewall-cmd --get-active-zones - register: firewalld_zones - -- name: Check existing zones - ansible.builtin.debug: - var: firewalld_zones.stdout - -- name: Create firewalld core zone - ansible.posix.firewalld: - 
zone: core - state: present - permanent: true - -- name: Create firewalld mgmt zone - ansible.posix.firewalld: - zone: mgmt - state: present - permanent: true - -- name: Create firewalld dmz zone - ansible.posix.firewalld: - zone: dmz - state: present - permanent: true - -- name: Reload firewalld to apply changes - ansible.builtin.command: firewall-cmd --reload - -- name: Enable ssh rule in core - ansible.posix.firewalld: - zone: core - service: ssh - state: enabled - permanent: true - -- name: Enable ssh rule in mgmt - ansible.posix.firewalld: - zone: mgmt - service: ssh - state: enabled - permanent: true - -- name: Reload firewalld to apply changes - ansible.builtin.command: firewall-cmd --reload - -#### Network config #### - name: Ensure systemd-networkd directories exist ansible.builtin.file: path: "{{ item }}" @@ -74,6 +75,25 @@ - /etc/systemd/network - /etc/systemd/networkd.conf.d +- name: Rename default network interface via .link files + ansible.builtin.template: + src: rename-default-dev.link.j2 + dest: "/etc/systemd/network/1-rename-{{ default_interface.ifname }}-to-{{ default_interface.name }}.link" + owner: root + group: root + mode: '0644' + notify: Trigger udev for new interface names + +- name: Rename network interfaces via .link files + ansible.builtin.template: + src: rename-auxiliary-dev.link.j2 + dest: "/etc/systemd/network/1-rename-{{ item.ifname }}-to-{{ item.name }}.link" + owner: root + group: root + mode: '0644' + loop: "{{ network_interfaces }}" + notify: Trigger udev for new interface names + - name: Generate default interface .network file ansible.builtin.template: src: default-interface.network.j2 
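Review bot: Commenting out the `core`/`mgmt`/`dmz` zone creation and the `ssh` allow rules leaves `roles/server/firewall` (also in this commit) assigning interfaces to zones that nothing creates, and removes the rule that allowed SSH into `core` and `mgmt`; unless those zones and rules are now created elsewhere (I cannot see where), a host that gets a custom zone without the ssh service locks Ansible out at the next reload. Move the zone creation and ssh rules into the firewall role instead of deleting them, or keep them here behind the same `when:` the firewall role uses.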
@@ -117,12 +137,21 @@ - 10-routes.conf notify: Restart systemd-networkd +- name: Ensure networking is disabled + ansible.builtin.systemd_service: + name: networking + masked: true + enabled: false + state: stopped + ignore_errors: true + - name: Ensure NetworkManager is disabled ansible.builtin.systemd_service: name: NetworkManager masked: true enabled: false state: stopped + ignore_errors: true - name: Ensure NetworkManager-wait-online is disabled ansible.builtin.systemd_service: @@ -130,3 +159,4 @@ masked: true enabled: false state: stopped + ignore_errors: true diff --git a/roles/server/network/templates/auxiliary-interface.network.j2 b/roles/server/network/templates/auxiliary-interface.network.j2 index 1089c40..494ddc8 100644 --- a/roles/server/network/templates/auxiliary-interface.network.j2 +++ b/roles/server/network/templates/auxiliary-interface.network.j2 @@ -1,5 +1,5 @@ [Match] -Name={{ item.ifname }} +Name={{ item.name }} [Network] Address={{ hostvars[inventory_hostname]['addresses'][item.name] }}/22 diff --git a/roles/server/network/templates/default-interface.network.j2 b/roles/server/network/templates/default-interface.network.j2 index 67c07e4..e3c62fc 100644 --- a/roles/server/network/templates/default-interface.network.j2 +++ b/roles/server/network/templates/default-interface.network.j2 @@ -1,5 +1,5 @@ [Match] -Name={{ default_interface.ifname }} +Name={{ default_interface.name }} [Network] Address={{ hostvars[inventory_hostname]['addresses'][default_interface.name] }}/22 diff --git a/roles/server/network/templates/rename-auxiliary-dev.link.j2 b/roles/server/network/templates/rename-auxiliary-dev.link.j2 new file mode 100644 index 0000000..705c0ba --- /dev/null +++ b/roles/server/network/templates/rename-auxiliary-dev.link.j2 @@ -0,0 +1,5 @@ +[Match] +OriginalName={{ item.ifname }} + +[Link] +Name={{ item.name }} \ No newline at end of file 
diff --git a/roles/server/network/templates/rename-default-dev.link.j2 b/roles/server/network/templates/rename-default-dev.link.j2 new file mode 100644 index 0000000..5a3b965 --- /dev/null +++ b/roles/server/network/templates/rename-default-dev.link.j2 @@ -0,0 +1,5 @@ +[Match] +OriginalName={{ default_interface.ifname }} + +[Link] +Name={{ default_interface.name }} \ No newline at end of file diff --git a/roles/server/nfs/tasks/main.yml b/roles/server/nfs/tasks/main.yml index 998a6db..1d0e148 100644 --- a/roles/server/nfs/tasks/main.yml +++ b/roles/server/nfs/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install NFS client - ansible.builtin.dnf: - name: nfs-utils + ansible.builtin.package: + name: nfs-common state: present - name: Create mount points diff --git a/roles/server/packages/tasks/main.yml b/roles/server/packages/tasks/main.yml index ec766f5..b61ae23 100644 --- a/roles/server/packages/tasks/main.yml +++ b/roles/server/packages/tasks/main.yml 
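Review bot: Switching to `ansible.builtin.package` does not make `nfs-common` portable — the generic module does not translate package names, and `nfs-common` exists only on Debian-family hosts while RPM-based ones still need `nfs-utils`, which this task used to install. Select the name by family, `name: "{{ 'nfs-common' if ansible_facts['os_family'] == 'Debian' else 'nfs-utils' }}"`, so both kinds of hosts keep working.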
@@ -1,21 +1,59 @@ +# --- +# - name: Install packages +# ansible.builtin.package: +# name: +# # - systemd-networkd +# - systemd-resolved +# - vim +# - curl +# - git +# - bash-completion +# - firewalld +# - fastfetch +# - btop +# - kitty-terminfo +# - bind-utils +# - nmap +# - tcpdump +# - rsync +# - tree +# - ipvsadm +# - conntrack +# - wireshark +# - xorg-x11-xauth +# - xorg-x11-fonts-misc +# - xorg-x11-utils +# - dbus-x11 +# state: latest +# update_cache: true + --- -- name: Install packages - ansible.builtin.package: +- name: Install packages on Debian + ansible.builtin.apt: name: - - systemd-networkd + - jq + - apache2-utils - systemd-resolved - vim - curl - git - bash-completion - firewalld - - fastfetch + # - fastfetch - btop - - kitty-terminfo - - bind-utils + - ncurses-term # Replaces kitty-terminfo for terminfo + - dnsutils # Replaces bind-utils (for dig, etc.) - nmap - tcpdump - rsync - tree + - ipvsadm + - conntrack + - wireshark + - xauth # Replaces xorg-x11-xauth + # - fonts-misc-fixed # Replaces xorg-x11-fonts-misc + - x11-utils # Replaces xorg-x11-utils + - dbus-x11 + - gpg state: latest update_cache: true diff --git a/roles/server/qemu-agent/defaults/main.yml b/roles/server/qemu-agent/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/server/qemu-agent/tasks/main.yml b/roles/server/qemu-agent/tasks/main.yml new file mode 100644 index 0000000..1349448 --- /dev/null +++ b/roles/server/qemu-agent/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Install QEMU Guest Agent + ansible.builtin.package: + name: + - 'qemu-guest-agent' \ No newline at end of file diff --git a/roles/server/service/networkd/defaults/main.yml b/roles/server/service/networkd/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/server/service/networkd/tasks/main.yml b/roles/server/service/networkd/tasks/main.yml new file mode 100644 index 0000000..18871c7 --- /dev/null +++ b/roles/server/service/networkd/tasks/main.yml 
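Review bot: `state: latest` with `update_cache: true` upgrades every listed package on each run, which means unplanned version changes and service restarts on production swarm nodes; `state: present` is the idempotent choice, with upgrades done as a deliberate step. The task is named `Install packages on Debian` but has no `when: ansible_facts['os_family'] == 'Debian'`, so it errors on any non-apt host the play reaches. Installing `wireshark`, `nmap` and `tcpdump` on every server is extra attack surface that deserves a justifying comment, and `apache2-utils` presumably provides the `htpasswd` used for the Traefik dashboard hash — worth saying so in a comment too.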
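Review bot: The qemu-guest-agent task installs the package but never ensures `qemu-guest-agent.service` is enabled and started, so unless the package's post-install script does it the hypervisor cannot talk to the guest; the missing `state:` is only implicitly `present`. Add `state: present` and a follow-up `ansible.builtin.systemd_service` task with `name: qemu-guest-agent`, `enabled: true`, `state: started`.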
@@ -0,0 +1,7 @@
+---
+- name: Stop legacy networking.service
+  ansible.builtin.systemd_service:
+    name: networking
+    enabled: false
+    state: stopped
+  ignore_errors: true
\ No newline at end of file
diff --git a/roles/server/ssh/x11/defaults/main.yml b/roles/server/ssh/x11/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/server/ssh/x11/tasks/main.yml b/roles/server/ssh/x11/tasks/main.yml
new file mode 100644
index 0000000..f7b9c3b
--- /dev/null
+++ b/roles/server/ssh/x11/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Ensure SSH X11 forwarding is enabled
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?X11Forwarding'
+    line: 'X11Forwarding yes'
+    state: present
+    backup: yes
+
+- name: Restart sshd
+  ansible.builtin.systemd_service:
+    name: sshd
+    state: restarted
\ No newline at end of file
diff --git a/roles/server/sysprep/tasks/main.yml b/roles/server/sysprep/tasks/main.yml
index b3f8f0e..bc884c6 100644
--- a/roles/server/sysprep/tasks/main.yml
+++ b/roles/server/sysprep/tasks/main.yml
@@ -18,14 +18,20 @@
     regexp: '^::1\s+localhost'
     state: absent
 
+- name: Clean APT cache
+  ansible.builtin.apt:
+    autoclean: yes
+    autoremove: yes
+    update_cache: no
+
 # - name: Remove xbazzi user
 #   ansible.builtin.user:
 #     name: xbazzi
 #     state: absent
 #     remove: true
 
-# - name: Truncate machine-id
-#   ansible.builtin.command: truncate -s 0 /etc/machine-id
+- name: Truncate machine-id
+  ansible.builtin.command: truncate -s 0 /etc/machine-id
 
 - name: Remove DBus machine-id if exists
   ansible.builtin.file:
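Review bot: Editing `sshd_config` with `lineinfile` and then restarting `sshd` unconditionally carries lockout risk if the edit ever yields an invalid file; add `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile task and make the restart a handler reached via `notify`, so sshd is only bounced when the line actually changed. `X11Forwarding yes` widens the server's attack surface (a compromised server can reach the X display of whoever forwards), so a comment stating why these hosts need it and an explicit `X11UseLocalhost yes` line would help. On Debian-family hosts the unit is `ssh.service` and `sshd` resolves only through its alias — verify the restart works there.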
@@ -42,27 +48,36 @@ path: /root/anaconda-ks.cfg state: absent -- name: Clear logs - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - /var/log/boot.log - - /var/log/cron - - /var/log/dmesg - - /var/log/grubby - - /var/log/lastlog - - /var/log/maillog - - /var/log/messages - - /var/log/secure - - /var/log/spooler - - /var/log/tallylog - - /var/log/wtmp - - /var/log/yum.log - - /var/log/audit/audit.log - - /var/log/tuned/tuned.log - - /var/log/wpa_supplicant.log - - /var/log/ovirt-guest-agent/ovirt-guest-agent.log +- name: Truncate logs + ansible.builtin.shell: | + find /var/log -type f -exec truncate -s 0 {} \; + +# - name: Clear logs +# ansible.builtin.file: +# path: "{{ item }}" +# state: absent +# loop: +# - /var/log/boot.log +# - /var/log/cron +# - /var/log/dmesg +# - /var/log/grubby +# - /var/log/lastlog +# - /var/log/maillog +# - /var/log/messages +# - /var/log/secure +# - /var/log/spooler +# - /var/log/tallylog +# - /var/log/wtmp +# - /var/log/yum.log +# - /var/log/audit/audit.log +# - /var/log/tuned/tuned.log +# - /var/log/wpa_supplicant.log +# - /var/log/ovirt-guest-agent/ovirt-guest-agent.log + +- name: Truncate logs + ansible.builtin.shell: | + find /var/log -type f -exec truncate -s 0 {} \; + - name: Rotate and vacuum journal logs ansible.builtin.shell: | @@ -70,11 +85,12 @@ journalctl --vacuum-time=1s when: ansible_facts['distribution_major_version'] is version('8', '>=') -- name: Clear shell history - ansible.builtin.copy: - content: "" - dest: /root/.bash_history - force: true +- name: Clear bash history + ansible.builtin.shell: | + unset HISTFILE + rm -f /root/.bash_history + find /home -name .bash_history -exec rm -f {} \; + become: true - name: Find all SSH keys ansible.builtin.find: @@ -86,7 +102,6 @@ - "id_*" - "authorized_keys" - "known_hosts" - - "config" use_regex: false recurse: true file_type: file 
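Review bot: The `Truncate logs` task appears twice, identically, within this hunk; delete one. `find /var/log -type f -exec truncate -s 0` also zeroes journald's binary `.journal` files, which journald does not expect to be truncated and which the following `journalctl --vacuum` task already handles, so prune that tree: `find /var/log -path /var/log/journal -prune -o -type f -exec truncate -s 0 {} \;`. In `Clear bash history`, `unset HISTFILE` only affects the transient shell Ansible spawns, so it is a no-op for real login sessions and can be dropped.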
@@ -112,4 +127,4 @@ local_action: module: command args: - cmd: ssh-keygen -R "{{ hostvars['staging-vm'].ansible_host }}" + cmd: ssh-keygen -R "{{ hostvars['sysprep_vm'].ansible_host }}" diff --git a/roles/server/uninstall/defaults/main.yml b/roles/server/uninstall/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/server/uninstall/tasks/main.yml b/roles/server/uninstall/tasks/main.yml new file mode 100644 index 0000000..5092ac1 --- /dev/null +++ b/roles/server/uninstall/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Remove dnf packages + ansible.builtin.package: + name: + - docker diff --git a/roles/server/users/tasks/main.yml b/roles/server/users/tasks/main.yml index f11a455..c73b61e 100644 --- a/roles/server/users/tasks/main.yml +++ b/roles/server/users/tasks/main.yml @@ -1,33 +1,33 @@ --- -- name: Add xbazzi group - ansible.builtin.group: - name: xbazzi - gid: 1337 - state: present - -- name: Add xbazzi user - ansible.builtin.user: - name: xbazzi - create_home: true - shell: /bin/bash - groups: "{{ admin_group }},xbazzi" - uid: 1337 - state: present - -# - name: Add ansible group +# - name: Add xbazzi group # ansible.builtin.group: -# name: ansible +# name: xbazzi +# gid: 1337 # state: present -# gid: 1001 -# - name: Add ansible user +# - name: Add xbazzi user # ansible.builtin.user: -# name: ansible +# name: xbazzi # create_home: true # shell: /bin/bash -# groups: "{{ admin_group }},ansible" +# groups: "{{ admin_group }},xbazzi" +# uid: 1337 # state: present -# uid: 1001 + +- name: Add ansible group + ansible.builtin.group: + name: ansible + state: present + gid: 1001 + +- name: Add ansible user + ansible.builtin.user: + name: ansible + create_home: true + shell: /bin/bash + groups: "sudo,ansible" + state: present + uid: 1001 - name: Add ansible to sudoers w/ no password community.general.sudoers: @@ -48,6 +48,6 @@ name: nfsuser create_home: true shell: /bin/bash - groups: "{{ admin_group }}" + groups: "sudo" state: present uid: 3005
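Review bot: `Remove dnf packages` never sets `state:`, and `ansible.builtin.package` defaults to `present`, so this "uninstall" role would install `docker` instead of removing it — add `state: absent`. The name also says dnf while the module is the generic one; if distro-agnostic removal is the intent, say so in the task name and add the Debian package names too.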
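Review bot: `nfsuser` — a service account for NFS mounts, judging by its name — is now placed in `sudo`, and the `ansible` user's groups are hard-coded to `sudo,ansible`, replacing the `{{ admin_group }}` variable that kept the role portable between Debian (`sudo`) and RHEL (`wheel`) hosts. A mount-only account should carry no admin group at all (omit `groups`), and the admin group should stay variable-driven: `groups: "{{ admin_group }},ansible"`. With the NOPASSWD sudoers entry for `ansible` in the unchanged context below, compromise of either account is root.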