From 24191afe3dcd576f4493e30891b0b6701169d3f2 Mon Sep 17 00:00:00 2001 From: jaydee Date: Wed, 16 Apr 2025 09:31:09 +0200 Subject: [PATCH] alias --- roles/autofs_client/tasks/main.yml | 164 +++++++++--------- roles/docker/tasks/main.yml | 253 +++++++++++++++++----------- roles/fail2ban/tasks/main.yml | 84 +++++---- roles/hosts/tasks/main.yml | 50 +++--- roles/loki-agent/tasks/main.yml | 20 --- roles/loki-agent/vars/main.yml | 1 - roles/matter-server/tasks/main.yml | 22 +-- roles/monitoring/tasks/main.yml | 45 ++--- roles/mqtt-srv/tasks/main.yml | 215 ++++++++++++----------- roles/omv_backup/tasks/main.yml | 27 +-- roles/prevent_policy/tasks/main.yml | 25 +-- roles/promtail/tasks/main.yml | 126 +++++++------- roles/sendmail/handlers/main.yml | 5 - roles/sendmail/tasks/main.yml | 57 ------- roles/ssh_config/tasks/main.yml | 4 +- roles/ssh_config/vars/main.yml | 2 +- roles/wazuh-agent/tasks/main.yml | 52 +++--- 17 files changed, 593 insertions(+), 559 deletions(-) delete mode 100755 roles/loki-agent/tasks/main.yml delete mode 100755 roles/loki-agent/vars/main.yml delete mode 100755 roles/sendmail/handlers/main.yml delete mode 100755 roles/sendmail/tasks/main.yml diff --git a/roles/autofs_client/tasks/main.yml b/roles/autofs_client/tasks/main.yml index adfd3c1..b9bcbfc 100755 --- a/roles/autofs_client/tasks/main.yml +++ b/roles/autofs_client/tasks/main.yml 
@@ -1,83 +1,95 @@ -- block: - - name: include vault - ansible.builtin.include_vars: - file: jaydee.yml - - name: Install autofs - ansible.builtin.apt: - name: - - autofs - - cifs-utils - state: present +- name: Setup autofs + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + block: + - name: Include vault + ansible.builtin.include_vars: + file: jaydee.yml + - name: Install autofs + ansible.builtin.apt: + name: + - autofs + - cifs-utils + state: present - - name: Creating a file with content - copy: - dest: "/etc/auto.auth" - content: | - username={{ samba_user }} - password={{ samba_password }} - - - name: Creating a file with content - copy: - dest: "/etc/auto.nas-movies" - content: | - movies -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0777,file_mode=0777,uid=jd,rw ://nas.home.lan/movies - - name: Creating a file with content - copy: - dest: "/etc/auto.nas-music" - content: | - music -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0777,file_mode=0777,uid=jd,rw ://nas.home.lan/music - - name: Creating a file with content - copy: - dest: "/etc/auto.nas-shows" - content: | - shows -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0777,file_mode=0777,uid=jd,rw ://nas.home.lan/shows - - - name: Creating a file with content - copy: - dest: "/etc/auto.nas" - content: | - nas-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Data - nas-docker-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/docker_data - nas-photo -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Photo - nas-public -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Public - nas-install -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/install - nas-downloads -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw 
://nas.home.lan/downloads - nas-games -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/qda_2 - # - name: Reconfigure autofs Server - # ansible.builtin.lineinfile: - # path: /etc/auto.master - # regexp: "^/media/nas.*" - # insertafter: '^/media/nas' - # line: "/media/nas /etc/auto.nas --timeout 360 --ghost" + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/auto.auth" + content: | + username={{ samba_user }} + password={{ samba_password }} + mode: '0700' + owner: root + group: root - - name: Reconfigure autofs Server - ansible.builtin.lineinfile: - path: /etc/auto.master - regexp: "^/media/data/music/nas.*" - line: /media/data/music/nas /etc/auto.nas-music --timeout 360 --ghost - - name: Reconfigure autofs Server - ansible.builtin.lineinfile: - path: /etc/auto.master - regexp: "^/media/data/movies/nas.*" - line: /media/data/movies/nas /etc/auto.nas-movies --timeout 360 --ghost - - name: Reconfigure autofs Server - ansible.builtin.lineinfile: - path: /etc/auto.master - regexp: "^/media/data/shows/nas.*" - line: /media/data/shows/nas /etc/auto.nas-shows --timeout 360 --ghost - - name: Reconfigure autofs Server - ansible.builtin.lineinfile: - path: /etc/auto.master - line: /media/nas /etc/auto.nas --timeout 360 --ghost + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/auto.nas-movies" + content: | + movies -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0777,file_mode=0777,uid=jd,rw ://nas.home.lan/movies + mode: '0700' + owner: root + group: root + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/auto.nas-music" + content: | + music -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0777,file_mode=0777,uid=jd,rw ://nas.home.lan/music + mode: '0700' + owner: root + group: root + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/auto.nas-shows" + content: | + shows 
-fstype=cifs,credentials=/etc/auto.auth,dir_mode=0777,file_mode=0777,uid=jd,rw ://nas.home.lan/shows + mode: '0700' + owner: root + group: root + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/auto.nas" + content: | + nas-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Data + nas-docker-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/docker_data + nas-photo -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Photo + nas-public -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Public + nas-install -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/install + nas-downloads -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/downloads + nas-games -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/qda_2 + mode: '0700' + owner: root + group: root + # - name: Reconfigure autofs Server + # ansible.builtin.lineinfile: + # path: /etc/auto.master + # regexp: "^/media/nas.*" + # insertafter: '^/media/nas' + # line: "/media/nas /etc/auto.nas --timeout 360 --ghost" + - name: Reconfigure autofs Server + ansible.builtin.lineinfile: + path: /etc/auto.master + regexp: "^/media/data/music/nas.*" + line: /media/data/music/nas /etc/auto.nas-music --timeout 360 --ghost + - name: Reconfigure autofs Server + ansible.builtin.lineinfile: + path: /etc/auto.master + regexp: "^/media/data/movies/nas.*" + line: /media/data/movies/nas /etc/auto.nas-movies --timeout 360 --ghost + - name: Reconfigure autofs Server + ansible.builtin.lineinfile: + path: /etc/auto.master + regexp: "^/media/data/shows/nas.*" + line: /media/data/shows/nas /etc/auto.nas-shows --timeout 360 --ghost + - name: Reconfigure autofs Server + ansible.builtin.lineinfile: + path: 
/etc/auto.master + line: /media/nas /etc/auto.nas --timeout 360 --ghost - - - - name: Restart docker service - ansible.builtin.service: - name: autofs - state: restarted - become: true \ No newline at end of file + - name: Restart docker service + ansible.builtin.service: + name: autofs + state: restarted diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 68306d6..80624a7 100755 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
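Review bot: The `Creating a file with content` task that writes `/etc/auto.auth` puts `samba_password` into a task whose module args and file diff are printed by `--diff`/`-vvv` output, so add `no_log: true` (and `diff: false`) to that task now that the file itself is locked down to `0700`. The `auto.nas-movies`/`-music`/`-shows` maps still mount with `dir_mode=0777,file_mode=0777`, which makes every file on those shares world-writable on the client; `0755`/`0644` as already used in `auto.nas` is the safer default unless other local users must write there. The last task is named `Restart docker service` but restarts `autofs`; rename it, and consider driving it from `notify:` on the copy/lineinfile tasks instead of restarting the service on every run.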
@@ -1,113 +1,164 @@ -- block: - - name: print arch - debug: - msg: "{{ ansible_architecture }}" - - name: Install docker - ansible.builtin.apt: - name: - - ca-certificates - - curl - - telnet - - net-tools - - python3-pip - - python3-dev - state: present - update_cache: true - - name: Get keys for raspotify - ansible.builtin.shell: - install -m 0755 -d /etc/apt/keyrings +- name: Setup docker + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + block: + - name: Print arch + ansible.builtin.debug: + msg: "{{ ansible_architecture }}" + - name: Install docker + ansible.builtin.apt: + name: + - ca-certificates + - curl + - telnet + - net-tools + - python3-pip + - python3-dev + state: present + update_cache: true + - name: Get keys for raspotify + ansible.builtin.command: + install -m 0755 -d /etc/apt/keyrings + changed_when: my_output.rc != 0 - - name: Get keys for raspotify - ansible.builtin.shell: - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc - when: + - name: Add an Apt signing key to a specific keyring file + ansible.builtin.apt_key: + url: https://download.docker.com/linux/debian/gpg + keyring: /etc/apt/keyrings/docker.asc + when: - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - - name: Get keys for raspotify - ansible.builtin.shell: - curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - when: + + # - name: Get keys for raspotify + # ansible.builtin.shell: + # curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc + # when: + # - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" + + - name: Add an Apt signing key to a specific keyring file + ansible.builtin.apt_key: + url: https://download.docker.com/linux/ubuntu/gpg + keyring: /etc/apt/keyrings/docker.asc + when: - ansible_distribution == "Ubuntu" - - name: Get keys for raspotify - ansible.builtin.shell: - chmod a+r 
/etc/apt/keyrings/docker.asc + # - name: Get keys for raspotify + # ansible.builtin.shell: + # curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc + # when: + # - ansible_distribution == "Ubuntu" + - name: Change file ownership, group and permissions + ansible.builtin.file: + path: /etc/apt/keyrings/docker.asc + owner: root + group: root + mode: '0644' - - name: Get keys for raspotify - ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - when: + # - name: Get keys for raspotify + # ansible.builtin.shell: + # chmod a+r /etc/apt/keyrings/docker.asc + + - name: Get keys for raspotify + ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc]\ + https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" |\ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + when: - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - - name: Get keys for raspotify - ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - when: - - ansible_distribution == "Ubuntu" - - - name: Install docker - ansible.builtin.apt: - name: - - docker-ce - - docker-ce-cli - - containerd.io - - docker-buildx-plugin - - docker-compose-plugin - update_cache: true + changed_when: my_output.rc != 0 - - name: Create a directory docker.service.d - ansible.builtin.file: - path: /etc/systemd/system/docker.service.d/ - state: directory - mode: '0755' - - name: Create a directory for certs - ansible.builtin.file: - path: /etc/docker/certs - state: directory - mode: '0700' - - name: Copy files - copy: - src: server-key.pem - dest: /etc/docker/certs/ - - name: Copy files - copy: - src: ca.pem - dest: /etc/docker/certs/ - - name: Copy files - copy: - src: server-cert.pem - dest: /etc/docker/certs/ - - name: Creating a file with content - copy: - dest: "/etc/systemd/system/docker.service.d/override.conf" - content: | - [Service] - ExecStart= - ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 - notify: restart_docker - when: mode == "nocert" - - name: Creating a file with content - copy: - dest: "/etc/systemd/system/docker.service.d/override.conf" - content: | - [Service] - ExecStart= - ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 - notify: restart_docker - when: mode != "nocert" + - name: Get keys for raspotify + ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc]\ + https://download.docker.com/linux/ubuntu $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" |\ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + when: + - ansible_distribution == "Ubuntu" + changed_when: my_output.rc != 0 - - name: Just force systemd to reread configs - ansible.builtin.systemd: - daemon_reload: true + - name: Install docker + ansible.builtin.apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + update_cache: true - - name: Restart docker service - ansible.builtin.service: - name: docker - state: restarted + - name: Create a directory docker.service.d + ansible.builtin.file: + path: /etc/systemd/system/docker.service.d/ + state: directory + mode: '0755' + - name: Create a directory for certs + ansible.builtin.file: + path: /etc/docker/certs + state: directory + mode: '0700' + owner: root + group: root - # - name: Get keys for raspotify - # ansible.builtin.shell: docker plugin install grafana/loki-docker-driver:3.3.2-{{ ansible_architecture }} --alias loki --grant-all-permissions - - name: Install a plugin - community.docker.docker_plugin: - plugin_name: grafana/loki-docker-driver:3.3.2 - alias: loki - state: present + - name: Copy files + ansible.builtin.copy: + src: server-key.pem + dest: /etc/docker/certs/ + mode: '0600' + owner: root + group: root + - name: Copy files + ansible.builtin.copy: + src: ca.pem + dest: /etc/docker/certs/ + mode: '0600' + owner: root + group: root + - name: Copy files + ansible.builtin.copy: + src: server-cert.pem + dest: /etc/docker/certs/ + mode: '0600' + owner: root + group: root + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/systemd/system/docker.service.d/override.conf" + content: | + [Service] + ExecStart= + ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify \ + --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem \ + --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 + mode: 
'0600' + owner: root + group: root + notify: restart_docker + when: mode == "nocert" + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/systemd/system/docker.service.d/override.conf" + content: | + [Service] + ExecStart= + ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify \ + --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem \ + --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 + mode: '0600' + owner: root + group: root + notify: restart_docker + when: mode != "nocert" - become: true \ No newline at end of file + - name: Just force systemd to reread configs + ansible.builtin.systemd: + daemon_reload: true + + - name: Restart docker service + ansible.builtin.service: + name: docker + state: restarted + + # - name: Get keys for raspotify + # ansible.builtin.shell: docker plugin install grafana/loki-docker-driver:3.3.2-{{ ansible_architecture }} --alias loki --grant-all-permissions + - name: Install a plugin + community.docker.docker_plugin: + plugin_name: grafana/loki-docker-driver:3.3.2 + alias: loki + state: present diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index cc92418..a1fc6a5 100755 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml 
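Review bot: The three tasks that end with `changed_when: my_output.rc != 0` (`install -m 0755 -d …` and the two `echo "deb …" | sudo tee` tasks) never `register: my_output`, so the conditional fails on an undefined variable at runtime; the same pattern appears in matter-server (`Restart agent`), monitoring (`Install a .deb package …`, `Install zabbix packages`, `Restart agent`) and mqtt-srv (`Restart mqtt service`). Either add `register: my_output` to each task or drop the line, since `rc != 0` is a failure condition the `command`/`shell` modules already report, not a change condition. The two `echo "deb …"` tasks also break a plain YAML scalar with a trailing `\`: YAML folds the continuation lines with a space and keeps the backslash, so the written entry contains `docker.asc]\ https://…` and the pipeline becomes `|\ sudo tee`, which the shell reads as a command named ` sudo`; use a `>-` folded scalar and drop `sudo` (the block already runs with `become`). The `install -m 0755 -d /etc/apt/keyrings` command can be `ansible.builtin.file` with `state: directory` and `mode: '0755'`, which is idempotent without any `changed_when`.
```yaml
- name: Add docker apt repository (Debian)
  ansible.builtin.shell: >-
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc]
    https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable"
    | tee /etc/apt/sources.list.d/docker.list > /dev/null
  # shell reports "changed" on its own; no register/changed_when needed
  when:
    - ansible_distribution == "Debian" and ansible_distribution_major_version == "12"
# … unchanged: Ubuntu variant, same rewrite with the ubuntu URL …
```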
@@ -1,41 +1,51 @@ -- block: - - name: Install fail2ban packages - ansible.builtin.apt: - name: - - fail2ban - - sendmail -#add line to /etc/hosts -#127.0.0.1 m-server localhost.... - - name: Copy files - copy: - src: "{{ item }}" - dest: /etc/fail2ban/jail.d/ - with_fileglob: - - "jail.d/*.conf" +- name: Setup Fail2ban + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + block: + - name: Install fail2ban packages + ansible.builtin.apt: + name: + - fail2ban + - sendmail + # add line to /etc/hosts + # 127.0.0.1 m-server localhost.... + - name: Copy files + ansible.builtin.copy: + src: "{{ item }}" + dest: /etc/fail2ban/jail.d/ + mode: '0700' + owner: root + group: root + with_fileglob: + - "jail.d/*.conf" - - name: Copy files - copy: - src: "{{ item }}" - dest: /etc/fail2ban/filter.d/ - with_fileglob: - - "filter.d/*.conf" + - name: Copy files + ansible.builtin.copy: + src: "{{ item }}" + dest: /etc/fail2ban/filter.d/ + mode: '0700' + owner: root + group: root + with_fileglob: + - "filter.d/*.conf" - - name: Copy files - copy: - src: "{{ item }}" - dest: /etc/fail2ban/action.d/ - with_fileglob: - - "action.d/*.conf" + - name: Copy files + ansible.builtin.copy: + src: "{{ item }}" + dest: /etc/fail2ban/action.d/ + mode: '0700' + owner: root + group: root + with_fileglob: + - "action.d/*.conf" - - name: disable sendmail service - ansible.builtin.service: - name: sendmail.service - state: stopped - enabled: false + - name: Disable sendmail service + ansible.builtin.service: + name: sendmail.service + state: stopped + enabled: false - - name: Restart fail2ban service - ansible.builtin.service: - name: fail2ban.service - state: restarted - enabled: true - become: true \ No newline at end of file + - name: Restart fail2ban service + ansible.builtin.service: + name: fail2ban.service + state: restarted + enabled: true diff --git a/roles/hosts/tasks/main.yml b/roles/hosts/tasks/main.yml index a2c06af..9a90668 100755 --- a/roles/hosts/tasks/main.yml 
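Review bot: The three `Copy files` tasks give plain `.conf` files under `/etc/fail2ban/{jail,filter,action}.d/` `mode: '0700'`, which sets an execute bit on configuration and is inconsistent with the `'0644'` this patch uses for promtail's `config.yml`; `mode: '0644'` (or `'0600'` if a jail file carries credentials) is the conventional value. `Install fail2ban packages` has no `state:`, which defaults to present, but stating `state: present` next to the other apt tasks in this patch that do avoids the reader guessing. The unconditional `Restart fail2ban service` on every run can be a handler triggered by the copy tasks so the service is only bounced when a config file actually changed.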
+++ b/roles/hosts/tasks/main.yml @@ -1,28 +1,28 @@ - name: Hosts become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" block: - - name: Reconfigure hosts file - ansible.builtin.lineinfile: - path: "/etc/hosts" - regexp: "^192.168.77.101 .*" - line: "192.168.77.101 m-server m-server.home.lan" - - name: Reconfigure hosts file - ansible.builtin.lineinfile: - path: "/etc/hosts" - regexp: "^192.168.77.106 .*" - line: "192.168.77.106 nas nas.home.lan" - - name: Reconfigure hosts file - ansible.builtin.lineinfile: - path: "/etc/hosts" - regexp: "^192.168.77.238 .*" - line: "192.168.77.238 rpi5 rpi5.home.lan" - - name: Reconfigure hosts file - ansible.builtin.lineinfile: - path: "/etc/hosts" - regexp: "^192.168.77.4 .*" - line: "192.168.77.4 amd amd.home.lan" - - name: Reconfigure hosts file - ansible.builtin.lineinfile: - path: "/etc/hosts" - regexp: "^192.168.77.55 .*" - line: "192.168.77.55 rack rack.home.lan" \ No newline at end of file + - name: Reconfigure hosts file + ansible.builtin.lineinfile: + path: "/etc/hosts" + regexp: "^192.168.77.101 .*" + line: "192.168.77.101 m-server m-server.home.lan" + - name: Reconfigure hosts file + ansible.builtin.lineinfile: + path: "/etc/hosts" + regexp: "^192.168.77.106 .*" + line: "192.168.77.106 nas nas.home.lan" + - name: Reconfigure hosts file + ansible.builtin.lineinfile: + path: "/etc/hosts" + regexp: "^192.168.77.238 .*" + line: "192.168.77.238 rpi5 rpi5.home.lan" + - name: Reconfigure hosts file + ansible.builtin.lineinfile: + path: "/etc/hosts" + regexp: "^192.168.77.4 .*" + line: "192.168.77.4 amd amd.home.lan" + - name: Reconfigure hosts file + ansible.builtin.lineinfile: + path: "/etc/hosts" + regexp: "^192.168.77.55 .*" + line: "192.168.77.55 rack rack.home.lan" diff --git a/roles/loki-agent/tasks/main.yml b/roles/loki-agent/tasks/main.yml deleted file mode 100755 index 268a983..0000000 --- a/roles/loki-agent/tasks/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- block: - - name: Get keys - ansible.builtin.shell: curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg - - name: Add repo - ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list - - name: Update cache - ansible.builtin.apt: - update_cache: true - - name: Instal wazuh - ansible.builtin.apt: - name: wazuh-agent - environment: - WAZUH_MANAGER: 'm-server.home.lan' - WAZUH_AGENT_NAME: "{{ inventory_hostname }}" - - name: Restart wazuh service - ansible.builtin.service: - name: wazuh-agent - state: restarted - enabled: true - become: true \ No newline at end of file diff --git a/roles/loki-agent/vars/main.yml b/roles/loki-agent/vars/main.yml deleted file mode 100755 index e95fa5e..0000000 --- a/roles/loki-agent/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ -ZABBIX_SERVER: "zabbix.home.lan" \ No newline at end of file diff --git a/roles/matter-server/tasks/main.yml b/roles/matter-server/tasks/main.yml index a02386f..1236b48 100755 --- a/roles/matter-server/tasks/main.yml +++ b/roles/matter-server/tasks/main.yml 
@@ -1,10 +1,12 @@ -- block: - - name: Reconfigure config - ansible.builtin.lineinfile: - path: /etc/sysctl.conf - regexp: "^Unet.ipv4.igmp_max_memberships.*" - line: "net.ipv4.igmp_max_memberships = 80" - - name: Restart agent - ansible.builtin.shell: echo 80 > /proc/sys/net/ipv4/igmp_max_memberships - notify: restart_matter_server - become: true +- name: Setup matter server + become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}" + block: + - name: Reconfigure config + ansible.builtin.lineinfile: + path: /etc/sysctl.conf + regexp: "^Unet.ipv4.igmp_max_memberships.*" + line: "net.ipv4.igmp_max_memberships = 80" + - name: Restart agent + ansible.builtin.shell: echo 80 > /proc/sys/net/ipv4/igmp_max_memberships + notify: restart_matter_server + changed_when: my_output.rc != 0 diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml index 392efe8..7fb4204 100755 --- a/roles/monitoring/tasks/main.yml +++ b/roles/monitoring/tasks/main.yml @@ -2,7 +2,7 @@ ansible.builtin.set_fact: zabbix_agent_cfg: "/etc/zabbix/zabbix_agent2.conf" when: inventory_hostname != 'nas.home.lan' - + - name: Get config for nas ansible.builtin.set_fact: zabbix_agent_cfg: "/opt/ZabbixAgent/etc/zabbix_agentd.conf" 
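Review bot: `Reconfigure config` keeps the regexp `"^Unet.ipv4.igmp_max_memberships.*"`, whose stray `U` means an existing `net.ipv4.igmp_max_memberships` line with a different value is never replaced but a second one is appended, and `Restart agent` writes `/proc/sys/...` through `shell` with a `changed_when` that has no matching `register`. Both tasks collapse into one `ansible.posix.sysctl` task (if that collection is available), which updates `/etc/sysctl.conf`, applies the value and is idempotent. `become` here is the string pair `'no'`/`'yes'` while the other roles in this patch (and ansible-lint's truthy rule) use `false`/`true`; mqtt-srv has the same string form, so pick the boolean form throughout.
```yaml
- name: Set igmp_max_memberships
  ansible.posix.sysctl:
    name: net.ipv4.igmp_max_memberships
    value: '80'
    sysctl_set: true
    state: present
    reload: true
  notify: restart_matter_server
```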
@@ -29,42 +29,43 @@ become: true - name: Install a .deb package from the internet2 ansible.builtin.apt: - #deb: https://repo.zabbix.com/zabbix/6.4/raspbian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb + # deb: https://repo.zabbix.com/zabbix/6.4/raspbian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb deb: https://repo.zabbix.com/zabbix/7.0/raspbian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian11_all.deb retries: 5 delay: 5 when: - ansible_facts.architecture == "armv7l" or ansible_facts.architecture == "aarch64" become: true - ignore_errors: true + failed_when: my_output.rc != 0 - name: Install a .deb package from the internet3 ansible.builtin.apt: deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb - become: true + become: true when: - ansible_facts.architecture != "armv7l" and ansible_distribution == "Debian" and ansible_distribution_major_version == "11" - + - name: Install a .deb package from the internet4 ansible.builtin.apt: - #deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb + # deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb deb: https://repo.zabbix.com/zabbix/7.2/debian/pool/main/z/zabbix-release/zabbix-release_7.2-1+debian12_all.deb when: - - ansible_facts.architecture != "armv7l" and ansible_facts.architecture != "aarch64" and ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - ignore_errors: true + - ansible_facts.architecture != "armv7l" + - ansible_facts.architecture != "aarch64" + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "12" + failed_when: my_output.rc != 0 become: true -# - name: Install a .deb package localy -# ansible.builtin.apt: -# deb: /tmp/zabbix-release_6.4-1+ubuntu22.04_all.deb + - name: Install zabbix packages ansible.builtin.apt: - name: + name: 
- zabbix-agent2 - zabbix-agent2-plugin-mongodb - zabbix-agent2-plugin-postgresql - update_cache: yes + update_cache: false become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - ignore_errors: true + failed_when: my_output.rc != 0 when: inventory_hostname != 'nas.home.lan' - name: Reconfigure zabbix agent Server @@ -99,14 +100,14 @@ regexp: "^Hostname=.*" line: "Hostname={{ inventory_hostname }}" become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - + - name: Reconfigure zabbix-agent2 config ansible.builtin.lineinfile: path: "{{ zabbix_agent_cfg }}" insertafter: '^# UserParameter=' regexp: "^UserParameter=system.certs.*" line: "UserParameter=system.certs,python3 /share/ZFS530_DATA/.qpkg/ZabbixAgent/cert_check2.py" - when: inventory_hostname == 'nas.home.lan' + when: inventory_hostname == 'nas.home.lan' become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - name: Reconfigure zabbix-agent2 config @@ -115,7 +116,7 @@ insertafter: '^# UserParameter=' regexp: "^UserParameter=system.certs.*" line: "UserParameter=system.certs,python3 /usr/bin/cert_check2.py" - when: inventory_hostname == 'm-server.home.lan' + when: inventory_hostname == 'm-server.home.lan' become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - name: Reconfigure zabbix-agent2 config @@ -140,14 +141,14 @@ regexp: "^HostMetadata=.*" insertafter: '^# HostMetadata=' line: "HostMetadata=server;jaydee" - when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan' + when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan' become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - name: Add the user 'to group video ansible.builtin.user: name: zabbix groups: video - append: yes + append: true when: inventory_hostname != 'nas.home.lan' become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" 
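Review bot: `Install zabbix packages` flips `update_cache: yes` to `update_cache: false`, but the preceding `Install a .deb package …` tasks only install `zabbix-release` (which drops a new apt source) and never refresh the cache, so on a fresh host `zabbix-agent2` will not be found unless an update runs somewhere outside this hunk; keep `update_cache: true` here or add an explicit `ansible.builtin.apt: update_cache: true` after the release package. Replacing `ignore_errors: true` with `failed_when: my_output.rc != 0` on the `apt` tasks also changes intent: the old form tolerated a failed install, the new one fails on any non-zero `rc`, and I am not sure the `apt` module exposes `rc` at all for the `deb:` path — if these installs are best-effort (one per architecture/distribution), `ignore_errors` was the honest form, and if not, the module's own failure reporting is enough without `failed_when`.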
@@ -160,6 +161,8 @@ become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - name: Restart agent - ansible.builtin.shell: /etc/init.d/ZabbixAgent.sh restart + ansible.builtin.command: /etc/init.d/ZabbixAgent.sh restart when: inventory_hostname == 'nas.home.lan' - become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" \ No newline at end of file + changed_when: my_output.rc != 0 + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + \ No newline at end of file diff --git a/roles/mqtt-srv/tasks/main.yml b/roles/mqtt-srv/tasks/main.yml index e402bf8..fe8853c 100755 --- a/roles/mqtt-srv/tasks/main.yml +++ b/roles/mqtt-srv/tasks/main.yml 
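Review bot: `Restart agent` now uses `ansible.builtin.command` with `changed_when: my_output.rc != 0`, which reports a successful restart as "ok" and only marks "changed" on a failing exit code, the inverse of what a restart does; `changed_when: true` (or a `notify` handler) is the accurate form. The hunk also ends with a new line holding a single space and no trailing newline, which yamllint flags as trailing whitespace; drop it and end the file with a newline.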
@@ -1,116 +1,125 @@ -- block: - - name: include vault - ansible.builtin.include_vars: - file: jaydee.yml - - name: Delete content & directory - ansible.builtin.file: - state: absent - path: "{{ dest_folder }}" - - name: GIT pull - tags: - - git_pull - git: - repo: "https://{{ git_user | urlencode }}:{{ git_password_mqtt | urlencode }}@gitlab.sectorq.eu/jaydee/mqtt_srv.git" - dest: "{{ dest_folder }}" - update: yes - clone: yes - version: main - - debug: - msg: "{{ inventory_hostname }}" +- name: Setup mqtt_srv + become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}" + block: + - name: Include vault + ansible.builtin.include_vars: + file: jaydee.yml + - name: Delete content & directory + ansible.builtin.file: + state: absent + path: "{{ dest_folder }}" + - name: GIT pull + tags: + - git_pull + ansible.builtin.git: + repo: "https://{{ git_user | urlencode }}:{{ git_password_mqtt | urlencode }}@gitlab.sectorq.eu/jaydee/mqtt_srv.git" + dest: "{{ dest_folder }}" + update: true + clone: true + version: main + - name: Print message + ansible.builtin.debug: + msg: "{{ inventory_hostname }}" - - name: Upload service config - ansible.builtin.copy: - src: "{{ dest_folder }}/mqtt_srv.service" - dest: /etc/systemd/system/mqtt_srv.service - remote_src: true - when: inventory_hostname != 'nas.home.lan' + - name: Upload service config + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.service" + dest: /etc/systemd/system/mqtt_srv.service + remote_src: true + mode: '0755' + owner: root + group: root + when: inventory_hostname != 'nas.home.lan' - - name: Upload service script - ansible.builtin.copy: - src: "{{ dest_folder }}/mqtt_srv.py" - dest: /usr/bin/mqtt_srv.py - mode: '755' - owner: root - remote_src: true - when: inventory_hostname != 'nas.home.lan' - - - name: Upload service script config - ansible.builtin.copy: - src: "{{ dest_folder }}/mqtt_srv.cfg" - dest: /etc/mqtt_srv/mqtt_srv.cfg - mode: '755' - owner: root - remote_src: true - when: 
inventory_hostname != 'nas.home.lan' + - name: Upload service script + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.py" + dest: /usr/bin/mqtt_srv.py + mode: '0755' + owner: root + group: root + remote_src: true + when: inventory_hostname != 'nas.home.lan' - - # - name: Upload service script1 - # ansible.builtin.copy: - # src: scripts/mqtt_srv.sh - # dest: /jffs/scripts/mqtt_srv/ - # mode: '755' - # owner: admin - # when: inventory_hostname in groups['router'] - # become: false + - name: Upload service script config + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.cfg" + dest: /etc/mqtt_srv/mqtt_srv.cfg + mode: '755' + owner: root + remote_src: true + when: inventory_hostname != 'nas.home.lan' + + # - name: Upload service script1 + # ansible.builtin.copy: + # src: scripts/mqtt_srv.sh + # dest: /jffs/scripts/mqtt_srv/ + # mode: '755' + # owner: admin + # when: inventory_hostname in groups['router'] + # become: false - # - name: Upload service script - # ansible.builtin.copy: - # src: scripts/mqtt_srv.py - # dest: /jffs/scripts/mqtt_srv/ - # mode: '755' - # owner: admin - # when: inventory_hostname in groups['router'] - # become: false + # - name: Upload service script + # ansible.builtin.copy: + # src: scripts/mqtt_srv.py + # dest: /jffs/scripts/mqtt_srv/ + # mode: '755' + # owner: admin + # when: inventory_hostname in groups['router'] + # become: false - - name: Upload service script1 - ansible.builtin.copy: - src: "{{ dest_folder }}/mqtt_srv.sh" - dest: /etc/init.d/ - mode: '755' - owner: admin - remote_src: true - when: inventory_hostname == 'nas.home.lan' + - name: Upload service script1 + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.sh" + dest: /etc/init.d/ + mode: '755' + owner: admin + remote_src: true + when: inventory_hostname == 'nas.home.lan' - - debug: - msg: "{{ dest_folder }}" - - name: Upload service script2 - ansible.builtin.copy: - src: "{{ dest_folder }}/mqtt_srv.py" - dest: /usr/bin/mqtt_srv.py - mode: '755' - 
owner: admin - remote_src: true - when: inventory_hostname == 'nas.home.lan' + - name: Print message + ansible.builtin.debug: + msg: "{{ dest_folder }}" - - name: Install bottle python package - ansible.builtin.shell: pip install {{ item }} --break-system-packages - loop: - - paho-mqtt - - getmac - - ping3 - - psutil - - autorandr - when: inventory_hostname != 'nas.home.lan' + - name: Upload service script2 + ansible.builtin.copy: + src: "{{ dest_folder }}/mqtt_srv.py" + dest: /usr/bin/mqtt_srv.py + mode: '755' + owner: admin + remote_src: true + when: inventory_hostname == 'nas.home.lan' - - name: Just force systemd to reread configs (2.4 and above) - ansible.builtin.systemd: - daemon_reload: true - when: inventory_hostname != 'nas.home.lan' + - name: Install bottle python package + ansible.builtin.pip: + name: "{{ item }}" + loop: + - paho-mqtt + - getmac + - ping3 + - psutil + - autorandr + when: inventory_hostname != 'nas.home.lan' + + - name: Just force systemd to reread configs (2.4 and above) + ansible.builtin.systemd: + daemon_reload: true + when: inventory_hostname != 'nas.home.lan' - - name: Restart mqtt_srv service - ansible.builtin.service: - name: mqtt_srv.service - state: restarted - enabled: true - when: inventory_hostname != 'nas.home.lan' + - name: Restart mqtt_srv service + ansible.builtin.service: + name: mqtt_srv.service + state: restarted + enabled: true + when: inventory_hostname != 'nas.home.lan' - - name: Restart mqtt service - ansible.builtin.shell: "(/etc/init.d/mqtt_srv.sh restart >/dev/null 2>&1 &)" - async: 10 - poll: 0 - when: inventory_hostname == 'nas.home.lan' - - become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}" \ No newline at end of file + - name: Restart mqtt service + ansible.builtin.shell: "(/etc/init.d/mqtt_srv.sh restart >/dev/null 2>&1 &)" + async: 10 + poll: 0 + when: inventory_hostname == 'nas.home.lan' + changed_when: my_output.rc != 0 + \ No newline at end of file 
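Review bot: `Install bottle python package` moves from `pip install {{ item }} --break-system-packages` to `ansible.builtin.pip` but drops the flag, so on a PEP 668 managed system Python (Debian 12, which this patch targets elsewhere) pip refuses the install; add `extra_args: --break-system-packages` or point `virtualenv:` at a venv, and pass the list to `name:` directly instead of looping. `Upload service config` gives the systemd unit `mode: '0755'` although unit files are data and `'0644'` is correct, and `mqtt_srv.cfg` keeps `mode: '755'`, world-readable and executable — `'0600'` if it holds broker credentials (cannot tell from here), and the leading-zero `'0…'` form everywhere for consistency with the tasks the patch already changed. `GIT pull` embeds `git_password_mqtt` in the `repo:` URL, which can surface in module output and `-v` logs; `no_log: true` on that task keeps it out. `Restart mqtt service` runs with `async: 10`/`poll: 0`, whose result carries no `rc`, so a `changed_when` on `my_output.rc` cannot work there even once registered; `changed_when: true` is the accurate form for a fire-and-forget restart.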
diff --git a/roles/omv_backup/tasks/main.yml b/roles/omv_backup/tasks/main.yml index c543d47..b62e0fe 100755 --- a/roles/omv_backup/tasks/main.yml +++ b/roles/omv_backup/tasks/main.yml @@ -1,23 +1,24 @@ - name: Omv Setup - become: true + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" block: - - name: include vault + - name: Include vault ansible.builtin.include_vars: file: jaydee.yml - name: Delete content & directory ansible.builtin.file: state: absent path: "{{ dest_folder }}" - - name: GIT pull + - name: Pull repo tags: - git_pull - git: + ansible.builtin.git: repo: "https://{{ git_user | urlencode }}:{{ git_password_mqtt | urlencode }}@gitlab.sectorq.eu/jaydee/omv_backup.git" dest: "{{ dest_folder }}" - update: yes - clone: yes + update: true + clone: true version: main - - debug: + - name: Print + ansible.builtin.debug: msg: "{{ inventory_hostname }}" - name: Create a directory if it does not exist ansible.builtin.file: @@ -35,18 +36,21 @@ mode: '0755' owner: root group: root - when: inventory_hostname != 'nas.home.lan' + when: inventory_hostname != 'nas.home.lan' - name: Upload requirements ansible.builtin.copy: src: "{{ dest_folder }}/requirements.txt" dest: /myapps/requirements.txt remote_src: true - when: inventory_hostname != 'nas.home.lan' + mode: '0755' + owner: root + group: root + when: inventory_hostname != 'nas.home.lan' - name: Install venv ansible.builtin.apt: - name: + name: - python3-virtualenv - name: Install specified python requirements in indicated (virtualenv) @@ -62,6 +66,9 @@ ansible.builtin.copy: src: omv_backup.service dest: /etc/systemd/system/omv_backup.service + mode: '0755' + owner: root + group: root when: inventory_hostname == 'amd.home.lan' - name: Restart omv service ansible.builtin.service: diff --git a/roles/prevent_policy/tasks/main.yml b/roles/prevent_policy/tasks/main.yml index b26a964..93afaaf 100755 --- a/roles/prevent_policy/tasks/main.yml +++ b/roles/prevent_policy/tasks/main.yml 
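Review bot: `Pull repo` embeds `git_password_mqtt` in the `repo:` URL, which can surface in module output and `-v` logs; add `no_log: true` to that task. With `become` now evaluated per host, the nas host runs the rest of the role unprivileged while the only `when:` guards below are `!= 'nas.home.lan'` on a few tasks — if the role is not meant to run on the nas at all, a `when:` on the block would say so instead of relying on those tasks to skip.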
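Review bot: `Upload requirements` copies `requirements.txt` with `mode: '0755'`, which adds execute bits to a text file; `'0644'` is the conventional mode, and the same applies to the `omv_backup.service` unit file in the `@@ -62` hunk. Neither file needs to be executable for `pip` or systemd to read it.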
@@ -1,12 +1,15 @@ -- block: - - name: Creating a file with content - copy: - dest: "/etc/polkit-1/rules.d/50_disable_pol.rules" - content: | - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.NetworkManager.wifi.scan") { - return polkit.Result.YES; - } - }); +- name: Setup policies become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - + block: + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/polkit-1/rules.d/50_disable_pol.rules" + content: | + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.NetworkManager.wifi.scan") { + return polkit.Result.YES; + } + }); + mode: '0644' + owner: root + group: root diff --git a/roles/promtail/tasks/main.yml b/roles/promtail/tasks/main.yml index 36217b3..bedb1b0 100755 --- a/roles/promtail/tasks/main.yml +++ b/roles/promtail/tasks/main.yml 
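Review bot: The polkit rule, now correctly installed as root-owned `0644`, still returns `polkit.Result.YES` for every subject, so any session on the host, local or remote, active or not, can trigger `org.freedesktop.NetworkManager.wifi.scan` without authentication. If the intent is only to stop prompts for the logged-in desktop user, narrow the condition to `if (action.id == "org.freedesktop.NetworkManager.wifi.scan" && subject.local && subject.active) {`, using the subject properties polkit exposes to rules. The task name `Creating a file with content` says nothing about what is installed, and `50_disable_pol.rules` reads as if something is disabled when the rule grants access; a task name like `Allow NetworkManager wifi scan without auth` would describe it.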
@@ -1,68 +1,76 @@ --- -- block: - - name: Create dir - ansible.builtin.file: - path: /etc/apt/keyrings/ - owner: root - group: root +- name: Promtail + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + block: + - name: Create dir + ansible.builtin.file: + path: /etc/apt/keyrings/ + owner: root + group: root + - name: Create Banner + ansible.builtin.shell: wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor > /etc/apt/keyrings/grafana.gpg + register: my_output + changed_when: my_output.rc != 0 + # - name: < Fetch file that requires authentication. + # username/password only available since 2.8, in older versions you need to use url_username/url_password + # ansible.builtin.get_url: + # url: https://apt.grafana.com/gpg.key + # dest: /etc/foo.conf + # username: bar + # password: '{{ mysecret }}' + # changed_when: my_output.rc != 0 - - name: Create Banner - ansible.builtin.shell: wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor > /etc/apt/keyrings/grafana.gpg - register: my_output - changed_when: my_output.rc != 0 + - name: Create Banner + ansible.builtin.shell: echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee /etc/apt/sources.list.d/grafana.list + register: my_output + changed_when: my_output.rc != 0 - - name: Create Banner - ansible.builtin.shell: echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee /etc/apt/sources.list.d/grafana.list - register: my_output - changed_when: my_output.rc != 0 + - name: Install packages + ansible.builtin.apt: + name: + - promtail + update_cache: true - - name: Install packages - ansible.builtin.apt: - name: - - promtail - update_cache: true + - name: Creating a file with content + ansible.builtin.copy: + dest: "/etc/promtail/config.yml" + owner: root + group: root + mode: '0644' + content: | + # This minimal config scrape only single log file. 
+ # Primarily used in rpm/deb packaging where promtail service can be started during system init process. + # And too much scraping during init process can overload the complete system. + # https://github.com/grafana/loki/issues/11398 - - name: Creating a file with content - ansible.builtin.copy: - dest: "/etc/promtail/config.yml" - owner: root - group: root - mode: '0644' - content: | - # This minimal config scrape only single log file. - # Primarily used in rpm/deb packaging where promtail service can be started during system init process. - # And too much scraping during init process can overload the complete system. - # https://github.com/grafana/loki/issues/11398 + server: + http_listen_port: 9080 + grpc_listen_port: 0 - server: - http_listen_port: 9080 - grpc_listen_port: 0 + positions: + filename: /tmp/positions.yaml - positions: - filename: /tmp/positions.yaml + clients: + - url: http://192.168.77.101:3100/loki/api/v1/push + external_labels: + nodename: {{ inventory_hostname }} - clients: - - url: http://192.168.77.101:3100/loki/api/v1/push - external_labels: - nodename: {{ inventory_hostname }} + scrape_configs: + - job_name: system + static_configs: + - targets: + - localhost + labels: + job: varlogs1 + #NOTE: Need to be modified to scrape any additional logs of the system. + __path__: /var/log/zabbix/*.log + - targets: + - localhost + labels: + job: omv_backup + __path__: /myapps/omv_backup.log - scrape_configs: - - job_name: system - static_configs: - - targets: - - localhost - labels: - job: varlogs1 - #NOTE: Need to be modified to scrape any additional logs of the system. - __path__: /var/log/zabbix/*.log - - targets: - - localhost - labels: - job: omv_backup - __path__: /myapps/omv_backup.log - - - name: Sshd - ansible.builtin.service: - name: promtail - state: restarted - become: true + - name: Sshd + ansible.builtin.service: + name: promtail + state: restarted 
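Review bot: The `Create dir` task for `/etc/apt/keyrings/` has no `state:`, so `ansible.builtin.file` defaults to `state: file` and fails on a host where the directory does not exist yet; add `state: directory` and `mode: '0755'`. Both `ansible.builtin.shell` tasks use `changed_when: my_output.rc != 0`, which reports a change only when the command failed, so the key download and the sources.list write are never reported; the key fetch would be better expressed as `ansible.builtin.get_url` with a pinned `checksum: "sha256:<expected digest of gpg.key>"` along the lines of the commented-out block (then dearmored), and the repo line as `ansible.builtin.apt_repository`, which also makes both steps idempotent. `positions: filename: /tmp/positions.yaml` in the rendered config is lost on reboot, after which promtail re-reads the scraped files from the start; `/var/lib/promtail/positions.yaml` is the conventional location if the package provides that directory — confirm before changing. The last task is named `Sshd` but restarts `promtail`.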
diff --git a/roles/sendmail/handlers/main.yml b/roles/sendmail/handlers/main.yml deleted file mode 100755 index 90ec872..0000000 --- a/roles/sendmail/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: restart_docker - ansible.builtin.service: - name: docker.service - state: restarted - become: true \ No newline at end of file diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml deleted file mode 100755 index 9f80008..0000000 --- a/roles/sendmail/tasks/main.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -- block: - - name: Install docker - ansible.builtin.apt: - name: - - ca-certificates - - curl - - telnet - - net-tools - - python3-pip - - python3-dev - state: present - update_cache: true - - name: Get keys for raspotify - ansible.builtin.shell: - install -m 0755 -d /etc/apt/keyrings - - - name: Get keys for raspotify - ansible.builtin.shell: - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc - - - name: Get keys for raspotify - ansible.builtin.shell: - chmod a+r /etc/apt/keyrings/docker.asc - - - name: Get keys for raspotify - ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - - - name: Install docker - ansible.builtin.apt: - name: - - docker-ce - - docker-ce-cli - - containerd.io - - docker-buildx-plugin - - docker-compose-plugin - update_cache: true - - - name: Create a directory docker.service.d - ansible.builtin.file: - path: /etc/systemd/system/docker.service.d/ - state: directory - mode: '0755' - - - name: Creating a file with content - copy: - dest: "/etc/systemd/system/docker.service.d/override.conf" - content: | - [Service] - ExecStart= - ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 - notify: restart_docker - - - name: Just force systemd to reread configs - ansible.builtin.systemd: - daemon_reload: true - - become: true \ No newline at end of file diff --git a/roles/ssh_config/tasks/main.yml b/roles/ssh_config/tasks/main.yml index 2b5b902..9f9b470 100755 --- a/roles/ssh_config/tasks/main.yml +++ b/roles/ssh_config/tasks/main.yml @@ -8,7 +8,7 @@ mode: '0600' owner: jd group: jd - when: inventory_hostname != 'nas.home.lan' + when: inventory_hostname != 'nas.home.lan' - name: Upload config ansible.builtin.copy: src: config 
@@ -16,4 +16,4 @@ mode: '0600' owner: root group: root - when: inventory_hostname != 'nas.home.lan' + when: inventory_hostname != 'nas.home.lan' diff --git a/roles/ssh_config/vars/main.yml b/roles/ssh_config/vars/main.yml index 1de1a77..a63bf71 100755 --- a/roles/ssh_config/vars/main.yml +++ b/roles/ssh_config/vars/main.yml @@ -1 +1 @@ -dest_folder: "/tmp/ans_repo" \ No newline at end of file +dest_folder: "/tmp/ans_repo" diff --git a/roles/wazuh-agent/tasks/main.yml b/roles/wazuh-agent/tasks/main.yml index 268a983..ab315e8 100755 --- a/roles/wazuh-agent/tasks/main.yml +++ b/roles/wazuh-agent/tasks/main.yml 
@@ -1,20 +1,32 @@ -- block: - - name: Get keys - ansible.builtin.shell: curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg - - name: Add repo - ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list - - name: Update cache - ansible.builtin.apt: - update_cache: true - - name: Instal wazuh - ansible.builtin.apt: - name: wazuh-agent - environment: - WAZUH_MANAGER: 'm-server.home.lan' - WAZUH_AGENT_NAME: "{{ inventory_hostname }}" - - name: Restart wazuh service - ansible.builtin.service: - name: wazuh-agent - state: restarted - enabled: true - become: true \ No newline at end of file +- name: Setup loki agent + become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}" + block: + - name: Get keys + ansible.builtin.command: | + curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH |\ + gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg \ + --import && chmod 644 /usr/share/keyrings/wazuh.gpg + changed_when: my_output.rc != 0 + + - name: Add repo + ansible.builtin.command: | + echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" |\ + tee -a /etc/apt/sources.list.d/wazuh.list + changed_when: my_output.rc != 0 + + - name: Update cache + ansible.builtin.apt: + update_cache: true + + - name: Instal wazuh + ansible.builtin.apt: + name: wazuh-agent + environment: + WAZUH_MANAGER: 'm-server.home.lan' + WAZUH_AGENT_NAME: "{{ inventory_hostname }}" + + - name: Restart wazuh service + ansible.builtin.service: + name: wazuh-agent + state: restarted + enabled: true
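Review bot: Switching `Get keys` and `Add repo` from `ansible.builtin.shell` to `ansible.builtin.command` breaks both tasks, because `command` does not run through a shell and hands `|`, `&&` and the `tee` text to `curl` and `echo` as literal arguments. Both tasks also evaluate `changed_when: my_output.rc != 0` without a `register: my_output`, so the conditional fails with an undefined variable on the first run (and the condition is inverted in any case). Either restore `ansible.builtin.shell: |` and add `register: my_output` plus `args: creates: /usr/share/keyrings/wazuh.gpg` to `Get keys`, or move to `ansible.builtin.get_url` with a pinned `checksum` for the key and `ansible.builtin.apt_repository` for the source line, which also stops `tee -a` from appending a duplicate entry on every run. The block is named `Setup loki agent` inside the wazuh-agent role, and its `become` uses the `'no'`/`'yes'` string form while the other roles in this commit use `false`/`true`.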