From 3f601f92a0d7fed8c80771a701b051566cc6ce9d Mon Sep 17 00:00:00 2001 From: jaydee Date: Tue, 18 Mar 2025 17:24:20 +0100 Subject: [PATCH] aaa --- hosts_roles.yml | 29 +++ playbooks/00_sync_rpi5.yml | 4 +- playbooks/switch_destination.yaml | 235 +++++++++++++++++-------- playbooks/switch_destination_test.yaml | 15 ++ roles/docker/files/ca.pem | 33 ++++ roles/docker/files/server-cert.pem | 32 ++++ roles/docker/files/server-key.pem | 52 ++++++ roles/docker/tasks/main.yml | 62 ++++++- roles/loki-agent/tasks/main.yml | 20 +++ roles/loki-agent/vars/main.yml | 1 + roles/omv_backup/tasks/main.yml | 11 +- roles/wazuh-agent/tasks/main.yml | 3 +- roles/zabbix-agent/tasks/main.yml | 8 +- 13 files changed, 414 insertions(+), 91 deletions(-) create mode 100755 playbooks/switch_destination_test.yaml create mode 100644 roles/docker/files/ca.pem create mode 100644 roles/docker/files/server-cert.pem create mode 100644 roles/docker/files/server-key.pem create mode 100755 roles/loki-agent/tasks/main.yml create mode 100755 roles/loki-agent/vars/main.yml diff --git a/hosts_roles.yml b/hosts_roles.yml index 614f15f..b6afeca 100755 --- a/hosts_roles.yml +++ b/hosts_roles.yml @@ -110,6 +110,35 @@ datacenter: containers: children: + docker_servers: + children: + router: + hosts: + router.home.lan: + vars: + ansible_python_interpreter: /usr/bin/python3 + ansible_ssh_user: root + ansible_ssh_private_key_file: ssh_key.pem + srv: + hosts: + rpi5.home.lan: + m-server.home.lan: + vars: + ansible_python_interpreter: /usr/bin/python3 + ansible_ssh_user: jd + ansible_become_password: l4c1j4yd33Du5lo + ansible_ssh_private_key_file: ssh_key.pem + ns: + hosts: + nas.home.lan: + vars: + ansible_ssh_user: admin + become_method: su + become_user: admin + ansible_ssh_private_key_file: ssh_key.pem + # ansible_user: admin + # ansible_pass: l4c1!j4yd33?Du5lo1 + ansible_python_interpreter: /share/ZFS530_DATA/.qpkg/QPython312/bin/python3 servers: hosts: rpi5-1.home.lan: 
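Review bot: The new `srv` group vars commit a clear-text `ansible_become_password`, and the new `ns` group keeps a commented-out `ansible_pass` beside it, so both credentials are now part of the repository history. Put them in an Ansible Vault file (or prompt with `--ask-become-pass`) and reference the vaulted value, e.g. `ansible_become_password: "{{ vault_srv_become_password }}"`, and delete the commented-out line rather than leaving it as documentation. Because the literal is already in the commit it should be rotated; the same value is reused as the Pi-hole API password in `playbooks/switch_destination.yaml` in this patch, so that one needs rotating too.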
diff --git a/playbooks/00_sync_rpi5.yml b/playbooks/00_sync_rpi5.yml index 3c2cf82..8c7be99 100755 --- a/playbooks/00_sync_rpi5.yml +++ b/playbooks/00_sync_rpi5.yml @@ -2,7 +2,7 @@ name: Sync rpi5 become: true tasks: - - name: Apt exclude linux-dtb-current-meson64 + - name: Get running packages ansible.builtin.shell: "docker ps|awk '{print $NF}'" register: containers - debug: @@ -13,4 +13,4 @@ when: item != "NAMES" and item != "watchtower-watchtower-1" with_items: "{{ containers.stdout_lines }}" - name: Sync data - ansible.builtin.shell: "/myapps/venv/bin/python3 /myapps/omv_backup.py -r all" \ No newline at end of file + ansible.builtin.shell: "/myapps/venv/bin/python3 /myapps/omv_backup.py -r all" diff --git a/playbooks/switch_destination.yaml b/playbooks/switch_destination.yaml index 445ff03..20c2584 100755 --- a/playbooks/switch_destination.yaml +++ b/playbooks/switch_destination.yaml 
@@ -1,90 +1,173 @@ -- hosts: containers - name: Switch mailu to second - +- hosts: docker_servers + name: Switch server ignore_unreachable: false - vars: - arch_name: docker_mailu2_data - containers: - - nginx-app-1 - - heimdall - - mailu2-admin-1 - - mailu2-antispam-1 - - mailu2-antivirus-1 - - mailu2-fetchmail-1 - - mailu2-front-1 - - mailu2-imap-1 - - mailu2-oletools-1 - - mailu2-redis-1 - - mailu2-resolver-1 - - mailu2-smtp-1 - - mailu2-webdav-1 - - mailu2-webmail-1 - - HomeAssistant - - mosquitto-mosquitto-1 - - gitlab - - watchtower-watchtower-1 - - kestra-kestra-1 - - kestra-postgres-1 - - authentik-worker-1 - - authentik-server-1 - - authentik-redis-1 - - authentik-postgresql-1 + tasks: - - name: Start mailu containers - command: "docker start {{ containers | join(' ') }}" - become: true + - name: Reconfigure swap size + ansible.builtin.lineinfile: + path: /etc/sysctl.conf + regexp: "^net.ipv4.igmp_max_memberships =.*" + line: "net.ipv4.igmp_max_memberships = 1024" + create: true + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + when: inventory_hostname != "router.home.lan" + + - name: Start containers + shell: docker start `docker ps -a |awk '{ print $NF }'|grep -v NAME |xargs` + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" ignore_errors: true - when: inventory_hostname in groups['raspberrypi5'] - - - name: Get ruleset - command: nvram get vts_rulelist - when: inventory_hostname in groups['router'] - register: ruleset - - - name: Print the gateway for each host when defined - ansible.builtin.debug: - msg: "var is {{ ruleset.stdout }}" - when: inventory_hostname in groups['router'] + when: inventory_hostname == destination and inventory_hostname != "nas.home.lan" + - name: Start containers + shell: docker exec -it gitlab update-permissions + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + ignore_errors: true + when: inventory_hostname == destination and inventory_hostname != 
"nas.home.lan and inventory_hostname != "rpi5.home.lan" - - name: Print the gateway for each host when defined - ansible.builtin.debug: - msg: "var is {{ destination }}" - when: inventory_hostname in groups['router'] + - name: Start containers + shell: /share/ZFS530_DATA/.qpkg/container-station/bin/docker exec -it gitlab update-permissions + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + ignore_errors: true + when: inventory_hostname == destination and inventory_hostname == "nas.home.lan" - - name: initialize variables - set_fact: - regexp: "\\g<1>{{ destination }}\\3" - when: inventory_hostname in groups['router'] + + - name: Start containers + shell: /share/ZFS530_DATA/.qpkg/container-station/bin/docker start `/share/ZFS530_DATA/.qpkg/container-station/bin/docker ps -a |awk '{ print $NF }'|grep -v NAME |xargs` + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + ignore_errors: true + when: inventory_hostname == destination and inventory_hostname == "nas.home.lan" - - set_fact: - app_path: "{{ ruleset.stdout | regex_replace('(\\[0-9,]{1,}\\>)([0-9.]{1,})(\\>[0-9a-zA-Z\\s-]{0,}\\>TCP\\>)', regexp) | regex_replace('(\\[0-9,]{1,}\\>)([0-9.]{1,})(\\>[0-9a-zA-Z\\s-]{0,}\\>TCP\\>)', regexp) }}" - when: inventory_hostname in groups['router'] + - name: Get Authentification token + ansible.builtin.uri: + url: http://localhost:9380/api/auth + method: POST + body_format: json + body: {"password":"l4c1j4yd33Du5lo"} + register: login + when: inventory_hostname != "router.home.lan" + # - debug: + # msg: "{{ login.json.session }}" + + - name: Get Config + ansible.builtin.uri: + url: http://localhost:9380/api/config + method: GET + headers: + X-FTL-SID: "{{ login.json.session.sid }}" + register: old_config + when: inventory_hostname != "router.home.lan" + + # - debug: + # msg: "{{ old_config.json.config.dns.cnameRecords }}" + + - name: Parse config + ansible.builtin.set_fact: + jsondata: "{{ old_config }}" + + - name: New records 
for nas + ansible.builtin.set_fact: + new_data: ["mqtt.home.lan,nas.home.lan","media.home.lan,nas.home.lan","ldap.home.lan,nas.home.lan","webhub.home.lan,nas.home.lan","semaphore.home.lan,nas.home.lan","active.home.lan,nas.home.lan"] + when: destination == 'nas.home.lan' + + - name: New records for m-server + ansible.builtin.set_fact: + new_data: ["mqtt.home.lan,m-server.home.lan","media.home.lan,m-server.home.lan","ldap.home.lan,m-server.home.lan","webhub.home.lan,m-server.home.lan","semaphore.home.lan,m-server.home.lan","active.home.lan,m-server.home.lan"] + when: destination == 'm-server.home.lan' + + - name: New records for rpi5 + ansible.builtin.set_fact: + new_data: ["mqtt.home.lan,rpi5.home.lan","media.home.lan,rpi5.home.lan","ldap.home.lan,rpi5.home.lan","webhub.home.lan,rpi5.home.lan","semaphore.home.lan,rpi5.home.lan","active.home.lan,rpi5.home.lan"] + when: destination == 'rpi5.home.lan' - - name: Print the gateway for each host when defined - ansible.builtin.debug: - msg: "var is {{ app_path }}" - when: inventory_hostname in groups['router'] + # - debug: + # msg: "{{ new_data }}" + + - name: Set new values + ansible.utils.update_fact: + updates: + - path: jsondata.json.config.dns.cnameRecords + value: "{{ new_data }}" + register: new_config + when: inventory_hostname != "router.home.lan" - - - name: Pause for 60 seconds - ansible.builtin.pause: - seconds: 60 - - - name: Set new ruleset - command: nvram set vts_rulelist="{{ app_path }}" - when: inventory_hostname in groups['router'] - - - name: Nvram commit - command: nvram commit - when: inventory_hostname in groups['router'] - - - name: Restart firewall - command: service restart_firewall - when: inventory_hostname in groups['router'] + - name: Patch config + ansible.builtin.uri: + url: http://localhost:9380/api/config + method: PATCH + body: "{{ new_config.jsondata.json |to_json}}" + headers: + X-FTL-SID: "{{ login.json.session.sid }}" + Content-Type: application/json + register: _result + until: 
_result.status == 200 + retries: 3 # 720 * 5 seconds = 1hour (60*60/5) + delay: 5 # Every 5 seconds + register: _result + until: _result.status == 200 + retries: 3 # 720 * 5 seconds = 1hour (60*60/5) + delay: 5 # Every 5 seconds + when: inventory_hostname != "router.home.lan" + - name: Sleep for 30 seconds and continue with play + ansible.builtin.wait_for: + timeout: 10 + - name: Logout + ansible.builtin.uri: + url: http://localhost:9380/api/auth + method: DELETE + status_code: 204 + headers: + X-FTL-SID: "{{ login.json.session.sid }}" + when: inventory_hostname != "router.home.lan" + ignore_errors: true + - name: Setting up resolv.conf + ansible.builtin.copy: + dest: "/etc/resolv.conf" + content: | + nameserver 192.168.77.101 + nameserver 192.168.77.106 + nameserver 192.168.77.238 + options rotate + options timeout:1 + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + + + # until: _result.status == 204 + # retries: 3 # 720 * 5 seconds = 1hour (60*60/5) + # delay: 5 # Every 5 seconds + - name: Sleep for 60 seconds and continue with play + ansible.builtin.wait_for: + timeout: 60 + + - name: Reconfigurte router containers + shell: python3 /root/unifi-api/unifi.py -s -d "{{ destination.split('.')[0] }}" + when: inventory_hostname == "router.home.lan" + + - name: Stop containers + shell: docker stop `docker ps -a |awk '{ print $NF }'|egrep -v "NAME|^pihole$|watchtower|portainer" |xargs` + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + ignore_errors: true + when: inventory_hostname != destination and inventory_hostname != "nas.home.lan" and inventory_hostname != "router.home.lan" + + - name: Restart containers + shell: docker restart nginx-app-1 + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + when: inventory_hostname == destination + + - name: Stop containers + shell: /share/ZFS530_DATA/.qpkg/container-station/bin/docker stop `/share/ZFS530_DATA/.qpkg/container-station/bin/docker ps -a |awk 
'{ print $NF }'|egrep -v "NAME|pihole|watchtower" |xargs` + become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + ignore_errors: true + when: inventory_hostname != destination and inventory_hostname == "nas.home.lan" and inventory_hostname != "router.home.lan" + + - name: Sleep for 120 seconds and continue with play + ansible.builtin.wait_for: + timeout: 120 + # - name: Restart containers + # shell: docker restart nginx-app-1 + # become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" + # when: inventory_hostname == destination - \ No newline at end of file diff --git a/playbooks/switch_destination_test.yaml b/playbooks/switch_destination_test.yaml new file mode 100755 index 0000000..2ee410a --- /dev/null +++ b/playbooks/switch_destination_test.yaml @@ -0,0 +1,15 @@ +- hosts: datacenter + name: Switch server + ignore_unreachable: false + + tasks: + - name: Unifi Modifi + ansible.builtin.uri: + url: http://192.168.77.101:8123/api/webhook/-WcEse1k5QxIBlQu5B0u-5Esb?server=nas + method: POST + when: inventory_hostname == destination and destination == "nas.home.lan" + - name: Unifi Modifi + ansible.builtin.uri: + url: http://192.168.77.101:8123/api/webhook/-WcEse1k5QxIBlQu5B0u-5Esb?server=m-server + method: POST + when: inventory_hostname == destination and destination == "m-server.home.lan" \ No newline at end of file diff --git a/roles/docker/files/ca.pem b/roles/docker/files/ca.pem new file mode 100644 index 0000000..e629a56 --- /dev/null +++ b/roles/docker/files/ca.pem 
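Review bot: The `when` on the second `Start containers` task (the `docker exec -it gitlab update-permissions` one) is missing the closing quote after `nas.home.lan`, so the expression reads `... != "nas.home.lan and inventory_hostname != "rpi5.home.lan"` and will fail to parse as a Jinja conditional on every host; it should be `when: inventory_hostname == destination and inventory_hostname != "nas.home.lan" and inventory_hostname != "rpi5.home.lan"`. In the `Patch config` task the keys `register`, `until`, `retries` and `delay` each appear twice in the same mapping, which Ansible only warns about and resolves to the last occurrence, so one copy should be deleted. Both `docker exec -it` tasks request a TTY that a shell task does not have and are likely to fail with "the input device is not a TTY", which the `ignore_errors: true` then hides; drop the `-t`. The Pi-hole API password in the `Get Authentification token` body is a clear-text secret in the playbook and should come from a vaulted variable, e.g. `body: {"password": "{{ vault_pihole_password }}"}`; the task names (`Start containers` four times, `Reconfigure swap size` for an igmp sysctl, `Sleep for 30 seconds` with `timeout: 10`) also no longer describe what the tasks do.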
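Review bot: The two Home Assistant webhook URLs embed the webhook id, which is the only thing protecting that endpoint, so committing it turns it into a shared secret in the repository; keep the id in a vaulted variable and build the URL as `url: "http://192.168.77.101:8123/api/webhook/{{ vault_ha_webhook_id }}?server=nas"`. The two tasks differ only in the `server` query value, so one task using `?server={{ destination.split('.')[0] }}` (the form already used in `switch_destination.yaml`) with `when: inventory_hostname == destination` would replace both and remove the duplicated `Unifi Modifi` name. The file is also missing its trailing newline.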
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFqTCCA5GgAwIBAgIUJ3kgn/onrwoKs+MqhsHo7RmF/20wDQYJKoZIhvcNAQEL +BQAwZDELMAkGA1UEBhMCU0sxETAPBgNVBAgMCFNsb3Zha2lhMQswCQYDVQQHDAJT +SzETMBEGA1UECgwKc2VjdG9ycS5ldTELMAkGA1UECwwCSVQxEzARBgNVBAMMCnNl +Y3RvcnEuZXUwHhcNMjUwMzExMTc1MDA5WhcNMjYwMzExMTc1MDA5WjBkMQswCQYD +VQQGEwJTSzERMA8GA1UECAwIU2xvdmFraWExCzAJBgNVBAcMAlNLMRMwEQYDVQQK +DApzZWN0b3JxLmV1MQswCQYDVQQLDAJJVDETMBEGA1UEAwwKc2VjdG9ycS5ldTCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJsXcxwOjZ3jBO3j7gps12vo +zXmSNEoka5RiUvZlfopifwKVxFMzAJd/yoeaxiUBYKIlHgZ/OYu/+WkrwgpX2HO3 +2ZuB83Ym7P3TkTBhRp1S/HqBIb6aORGKhiuhZt6PNiCgqFszmb4Wl0Ox2cYxWYi5 +1DeHXNa5vRob2rSfsJwtamiksJkAsXclQu5dyfMv+cvc4Pob1o/DT76+xDpqT4lr +pzXhpfXyT/xwtOEWku/53fccU0SBSSHPp6HzZUWHoodmHPigYYFEz1drYk1nDr3u +gZq+nEQAVpcn1JrH7DuUaX/CrgBZNRdQ8d+mQ9EEDAQXNfzlH10ebfTjm2ol40cu +9mwVJQ5Ru+h2xvfAlbcqnDTinXFgABuquSNzEz/1eJMIhm+myVOqF1WGeA/LnXGp +OaNny7oQW8/9OLmpAZKIFzcD7KxvdBAu9IkO/KduqJohD8BBPqVAksan85bmEs8R +Iu46XAJ7nmlX1DLchBtwvYv5MRdna73M52rTpNlmidWuiUeysZs8Nx7dGh1bd5I6 +9JnHcMl01UorQn0uitnO9zrOTEg0KkEmUZab1A2CbqeoYYLXi72Sva959faviXb0 +0HaPDtWuih9jQORu7fH7H6ghLFdfgUOp9am1hQpX1P7uXmUOB4iztMrh3bM8m2ZE +HEvr+VfNkcq9KaAfXPhHAgMBAAGjUzBRMB0GA1UdDgQWBBTG6a566m85pq5bLi0O +nC5y0pg6sjAfBgNVHSMEGDAWgBTG6a566m85pq5bLi0OnC5y0pg6sjAPBgNVHRMB +Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQA5g9OxfcoAbYvi2T89E5205QkC +ZxwWgrHIVGICeOF1K2nIypnddoJQUvMT/GYIK4QjZSWLGB2+YZMtXS+U/C9uxKOm +d7bbzp437wUZwUJRtA4JZayxIitVTtzLYYLimb13GrsPs2KwGaZALe0K7dYzDwP1 +74gqOPvP7snDD98c6HV6vVXnTN+0T7djQyv/TqcyQ/IZjVY6JpsqgMg1rHqkYhDM +Na7XBgwOt0Y4QmgS6EYEVv1+QsVB0U1tdH1oa+zwiyj5xDwVNmU5bLocEq3kYIRU +tQUarNNKY4fMq529Heq7Ki63DLYTP8tJGh0Yijm9SFPqKYaZy6iL5xbdRFNCIFR/ +FnBZmRVxvPealAoIg9vutHkQrdqebBfX11PwWtLn+fkGTXq+5fBwjYllK04/MBk0 +SNjt6qwnOGZOc4gmEjthF4oVcVKoE7sVSCdgu/2jtLeJ48s0MwGhWZCk21ZgJbZY +5gMahOiSndmudTo1ubFrqLb71MBTpqjiHTF2VLdxZEsrFCqeQAbsG+KmMuj+UhzV +yuO3ycAGSDxsgbyHHYzjo2O5BvY35J7w1lZe1CExgoeeYFWlJ6t5PySf6OJupFit 
+7FNwYgVXqC3+vwEWmbXz0WHwPh4aCvfSuNAHoiwX2UyzceYOWB5F4TmA2Chj23Ih +isOdaq7ol1Q0iF9tjQ== +-----END CERTIFICATE----- diff --git a/roles/docker/files/server-cert.pem b/roles/docker/files/server-cert.pem new file mode 100644 index 0000000..28d3e9c --- /dev/null +++ b/roles/docker/files/server-cert.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFkDCCA3igAwIBAgIUUYzivwquTJnP+9/Q/zb/0Ew+eVowDQYJKoZIhvcNAQEL +BQAwZDELMAkGA1UEBhMCU0sxETAPBgNVBAgMCFNsb3Zha2lhMQswCQYDVQQHDAJT +SzETMBEGA1UECgwKc2VjdG9ycS5ldTELMAkGA1UECwwCSVQxEzARBgNVBAMMCnNl +Y3RvcnEuZXUwHhcNMjUwMzExMTc1MDEzWhcNMjYwMzExMTc1MDEzWjAcMRowGAYD +VQQDDBFtLXNlcnZlci5ob21lLmxhbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBALcgqTwwWnKeiHt1ZZQjoyZw/c/DbPwQnBuQVhNGF6RX7apXP/eY4Sf8 +/l2y6awZd6vM4JyFonPENbll/dEVgFEPgwwiqiaBC9PuZIbC60LLYwpDUmaHXNAd +xgohSWOEc7uT1lcW2yn5n1A93JpoOScb/dAmjWPUYV3BqnKTtcqVs3a5SzWxnIqO +szWt97SZpRY3GWIAiOmFqcKE5gL7FkSaMyS81E/Qfct/37o5OHWpiBhzLZUyop1e +z9f7RrgDRzEoNlJisWFY/wF0xvmowkslL8QsYBTkfgofP7dEm8MOn0hJOFzuUY75 +TAp+h6wiL0bhTab4XDOrFjFy5ivehICdDSal+IlNEmI9Zsziy/1gW7WXCMMgOXKn +xX7se2OFbHGCaf9NCn+0ODHev9ZeDni5SQsgyD3Zjyh3kc7AZ97M8jNJlCGb2QaJ +f/BF2Q9EzbQYHjor97r/+tMdvYkYNo9+FYoJH3yP+T378Tn+DFe8KthvbqCSF01t +aDdfcRu0p+qNalVkD2rctohJgiEuhzVIIpfqe3P9yMyzBYgwoXMUIthug4wOo8gE +Xwr7cgTTK8pxPQGlo1JL0WuBxodtdHP9/VQmf3Qkgj3W0UTAP3rphnvg/5S5tqIT +P7W+HVjEzTEh2z2FGxz4lvEbo82FrhxnCrW+Gk/jhbY99Lr3SeetAgMBAAGjgYEw +fzAoBgNVHREEITAfghFtLXNlcnZlci5ob21lLmxhbocEwKhN7ocEfwAAATATBgNV +HSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUOIy9QvfKWPuMGEp4C2yvjNO2uYsw +HwYDVR0jBBgwFoAUxumueupvOaauWy4tDpwuctKYOrIwDQYJKoZIhvcNAQELBQAD +ggIBAIJBsaPUjAApSDplyUGru6XnLL1UHjG+g49A12QIfgG9x2frRRhvAbx21121 +sCJ5/dvHJS/a8xppcNd4cMFrvLrOkZn6s+gfeXc20sMscdyjnjIbxdmDiUwnhoFT ++9OKg5BYokg11PmEOhMEK7L9qEXaf5L+9TdcxBl/qvciqSpZ9FsOGDYCgB0EMsQ/ +48/Tj/0ABF+c/+WVXzWL51Gdj6waM0qqXjGArbjAUA7ft8gy18n/6DyM3KWlZXCb ++mAwUGnOvHFNbb8jgxSDvFeIos0P6Edq0PDcK5k1uYEeATp0CC6/F3z1Eai2vKy+ +c1BbJZtDJmlKTL+7vykHMSVqAuN/Vq4uvtxv1pOCR1UJk1mW0mr6Ovm9sVVk5HFD +3j6nOF81PiabdWA6GbbSCQdlpL2v0KipAR/sNheMwXAe+5NGJAiE5uaBgQSTVZS+ +7b4DDKFxfkHR9ISOGURgf9wRxqF6jNS4qqQp9+sOdK6y++ZVGRTTpQbCHEg9V79r +TTGs4lbvaFCmF/Y9/NPSrRo//l+XhJrpjoeyx04iy6QipErCCFK2dHH5hYfS3ISt +kbaw2ARNqbcktQkWwA+W+rb83en/w3WG1v2vByKGCr1s4jHAhWtSLZhXx+PIYeT+ 
+ml/kv+Y3W1T/lOcsytJrXug8t+g4nh9wYTnRl5YwruaKQjWF +-----END CERTIFICATE----- diff --git a/roles/docker/files/server-key.pem b/roles/docker/files/server-key.pem new file mode 100644 index 0000000..9c99001 --- /dev/null +++ b/roles/docker/files/server-key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC3IKk8MFpynoh7 +dWWUI6MmcP3Pw2z8EJwbkFYTRhekV+2qVz/3mOEn/P5dsumsGXerzOCchaJzxDW5 +Zf3RFYBRD4MMIqomgQvT7mSGwutCy2MKQ1Jmh1zQHcYKIUljhHO7k9ZXFtsp+Z9Q +PdyaaDknG/3QJo1j1GFdwapyk7XKlbN2uUs1sZyKjrM1rfe0maUWNxliAIjphanC +hOYC+xZEmjMkvNRP0H3Lf9+6OTh1qYgYcy2VMqKdXs/X+0a4A0cxKDZSYrFhWP8B +dMb5qMJLJS/ELGAU5H4KHz+3RJvDDp9ISThc7lGO+UwKfoesIi9G4U2m+FwzqxYx +cuYr3oSAnQ0mpfiJTRJiPWbM4sv9YFu1lwjDIDlyp8V+7HtjhWxxgmn/TQp/tDgx +3r/WXg54uUkLIMg92Y8od5HOwGfezPIzSZQhm9kGiX/wRdkPRM20GB46K/e6//rT +Hb2JGDaPfhWKCR98j/k9+/E5/gxXvCrYb26gkhdNbWg3X3EbtKfqjWpVZA9q3LaI +SYIhLoc1SCKX6ntz/cjMswWIMKFzFCLYboOMDqPIBF8K+3IE0yvKcT0BpaNSS9Fr +gcaHbXRz/f1UJn90JII91tFEwD966YZ74P+UubaiEz+1vh1YxM0xIds9hRsc+Jbx +G6PNha4cZwq1vhpP44W2PfS690nnrQIDAQABAoICAACEElRh8wKkg6xWkQULDMdi +wWen/H85frbufBhkyQH3NWjErCMmwzJsMWi9EUkKGs7VWKgLv7uadY4q03XHhgmc +GrAEwS6UaFmNgd5fmk3j1rHhUSIUyq8JNkbtIPr9bC+a6C/OuRYpE4o2V1zzPK1D +HokafrNqxHGne/g8ASfgGcApH9C1MwR9bnyi6txmhRcDM7SiZ5JCDCGdgg11eirz +45PvsAysg3ZfA4DAQOWn4defEj8NtO9kisbRKWBKosrrJmSWZ4fnd6F8TzSX/dO8 +MEEXUW7RJ7G0vviTnSeQNnjsZB+wQk84y3lRGDzvCVxR7cqLdaKjMD38zQdr1HiM +IysiYw7aUQ8ukz+4I4izPmn/iDdTxNzTHSvaxCjKRqsaj9R3kEFqtVuOoInfwKD9 +iSoEI35IkEIJwhvnt/xfZY03HwI7JBvSgA23zM5L2dvuM0nwGVcn+/WkLcYRum2y +hXRbpQ69dVTiFCxQG71bdcuK8z2lxXDPsyBjkcBta/WwQe8sHHdrszyc1Zf5DIDx +341bQ0cJEZQJD5BmKNij6Ow0N9g/0vySAScKF1zM9J0fE/XBihNYIH9JCXPRrFqw +BmUGmNjjyJSbnYMxjyVDz8g9026N+w23VtLv0UlA4hF3Hexupqol7XM+MhqNSFIO +A+F8Ho9U38LZfA3yt8JpAoIBAQD00RQmllHGtRR2zsIA0LPMVUyV3DOshJ4XYj8a +sN2rSU9rgNRB0rnpgWoGMAysOerPphvoY6bf1wrI3dFt5pzQMuKJLz6VFl135k5R +11kxZfCmZC/pIp3WLkIHDthAXkU5IKnWw/4vQgmIwTZ5I7rNjPaJYuoH8z5Buuwi +qUnEJj3czq4iNW2DHAFd657NQImrIbvN4T9SHLGrFBG3Bqf43xc/TMNqOnD7FcYe ++DIkBFXBFqx6pwMjP7hUwo88Oxzp7I/MaDXw9LnSPt2YQqdyNaaFiyk8JWc87LMq +DFaXFh+aON9XFxvKfCQA5uNCwyaWMi8zNWLpFTPKuZPPaWR5AoIBAQC/fi5ReLUL +HEpGgKw9UstgexmdnQLVisVfRH9eaQn/U6Yoo8XD0gpdjtqdA9dStV3jw9zKAoeP 
+twg819A/nl+kavDP1bGxaxEou9BUFvxyqw0OrA1bKznNlcpCNpqShSiFVO/6CqaU +awaDRuAsf4gs8/vKzw3q5bPErC+/a8x8USicOMc1tPrUxmTSwoXCfgtb+l7+7K48 +QeA27zPxaOCotAhef1T6KW1mYC7vP0ertZwiG+Lqoh9fzrun5TUYielqqrAJWPFC +o12r6jqhr9a6dPZ0/ZBCK3JyvdYGt321P6yffA78sz0hvSqT9JMmNnZJSc6oOiuB +qqutqzl/KgfVAoIBAQDoZWD/kEpompSmg3beVz+WhJKC39mdtvZrtDO7HpIOezUN +E+pp4aPh6Zu/6/TbuM8R9tkfLRnH+tad/xNDhFrvuJ4bI+IAnI51twY54nck0WQ0 +T367jMTQAHFlSc42rEaCCGOxH7Q3IDT0wJT5QdWeMmYF3QPUMC+1Lb/i11jS/opT +BU9/4b/nabpSccz5gn4tGYSx11TImbx+bjqyx3rEYOIskK4gNQHzF6RO2cSfNA5D +kUaB1/C+kUpmC5r0zhiQZqPKolIyPd33mv23/+38GLnOo1+tXMQ3rWoWTEgWfEXb +nIlGnwUeneF/ia3KPn5urYzoy5DtOddEZg3OInnhAoIBAGrVZ9v2PvMi5mFtGirg +TSzXoNPpLBKc6D6dRX4TlgtHzNSxgf0c6sGFmHuvD+tJ2kbfGAfv31eTotnnAXzs +y6k8LHuXWhqEhD84gSLY7CDBQ3ijDpSFiisjXYMRWa1S8udoGrZiSMtW5nxJB3pr +8Do8KIbee4JIgsG/2qet6ZiV4tU9bA6PmL0qrkdTVTLMBWRcS7FntFFT41Zin5UY +kPYt8tldqrgicrGCCc1afY7TtHbnHfMPXfeiq9kgrD2ze3ESJ0IfyAIIiJMIC4v3 +QRInfPSKHnh8Ks7PEGAQ8OY0zwbvPKFJElsHYYDIG2xfSCDdN5ltUqZ15G/wrhQ/ +C70CggEAHKhqoWElJNa3Ba4UscXKWL28cXRkMLdZGRngU5W9GLUQhDVYHdy+x5jU +5V4OnhCFo4Vq8uc2HsKnknhu/KGJ2gf3g8ASkILCG6aqB+0xZ+N6/dW0Yfft7vV4 +az9azn2nEK6Pqiokm0ggc+UhZ4C6EKWY3Vefs0scxKBIx48aGDP0I/XwFrZpwdWC +Z/jlCjTZlJ+5G7VenkqWtIlJmXZ6zrRFkPKlmxSTKIrDTJaD0dcNmDrwe+au0x+y +YHMSo0gMN9W5pFN6LDc/JYXOkb995mkKXyzeRTFy+v2yFig6rSwBStwcSTsuNWAe +FOWrzZPSFGNqLJEHjZdIBAaDR6ER7A== +-----END PRIVATE KEY----- diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 9f80008..68306d6 100755 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,4 +1,7 @@ - block: + - name: print arch + debug: + msg: "{{ ansible_architecture }}" - name: Install docker ansible.builtin.apt: name: 
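Review bot: `roles/docker/files/server-key.pem` adds the Docker daemon's TLS private key to the repository in clear text, so anyone with read access to the repo or its history can impersonate the daemon that the `--tlsverify` ExecStart in `roles/docker/tasks/main.yml` is meant to protect. The key should be removed from the commit and treated as compromised: generate a new one, keep it out of plain git either by vaulting the file (`ansible-vault encrypt roles/docker/files/server-key.pem`, which `copy` decrypts transparently) or by generating it on the target with `community.crypto.openssl_privatekey`, and commit only `ca.pem`. `server-cert.pem` has to be reissued once the key is rotated.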
@@ -17,6 +20,13 @@ - name: Get keys for raspotify ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc + when: + - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" + - name: Get keys for raspotify + ansible.builtin.shell: + curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc + when: + - ansible_distribution == "Ubuntu" - name: Get keys for raspotify ansible.builtin.shell: @@ -24,7 +34,13 @@ - name: Get keys for raspotify ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - + when: + - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" + - name: Get keys for raspotify + ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + when: + - ansible_distribution == "Ubuntu" + - name: Install docker ansible.builtin.apt: name: 
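Review bot: The new Ubuntu key and repository tasks reuse the name `Get keys for raspotify` from the Debian tasks above them, which makes play output unreadable; name them for what they do, e.g. `Add Docker apt key (Ubuntu)` and `Add Docker apt repository (Ubuntu)`, and the same for the Debian pair that gained `when` conditions in this hunk and the next. The `shell: curl ... -o /etc/apt/keyrings/docker.asc` and `shell: echo ... | sudo tee` forms report changed on every run; `ansible.builtin.get_url` with `url`, `dest: /etc/apt/keyrings/docker.asc` and `mode: "0644"`, and `ansible.builtin.apt_repository` with the `deb [...]` line as `repo`, express the same thing idempotently. `sudo tee` is also redundant here because the enclosing block runs with `become: true` (the block's closing line is outside this hunk).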
@@ -40,18 +56,58 @@ path: /etc/systemd/system/docker.service.d/ state: directory mode: '0755' - + - name: Create a directory for certs + ansible.builtin.file: + path: /etc/docker/certs + state: directory + mode: '0700' + - name: Copy files + copy: + src: server-key.pem + dest: /etc/docker/certs/ + - name: Copy files + copy: + src: ca.pem + dest: /etc/docker/certs/ + - name: Copy files + copy: + src: server-cert.pem + dest: /etc/docker/certs/ - name: Creating a file with content copy: dest: "/etc/systemd/system/docker.service.d/override.conf" content: | [Service] ExecStart= - ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 + ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 notify: restart_docker + when: mode == "nocert" + - name: Creating a file with content + copy: + dest: "/etc/systemd/system/docker.service.d/override.conf" + content: | + [Service] + ExecStart= + ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 + notify: restart_docker + when: mode != "nocert" - name: Just force systemd to reread configs ansible.builtin.systemd: daemon_reload: true + - name: Restart docker service + ansible.builtin.service: + name: docker + state: restarted + + # - name: Get keys for raspotify + # ansible.builtin.shell: docker plugin install grafana/loki-docker-driver:3.3.2-{{ ansible_architecture }} --alias loki --grant-all-permissions + - name: Install a plugin + community.docker.docker_plugin: + plugin_name: grafana/loki-docker-driver:3.3.2 + alias: loki + state: present + + become: true \ No newline at end of file 
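Review bot: The two `Creating a file with content` tasks now write byte-identical `override.conf` contents, so the `when: mode == "nocert"` / `when: mode != "nocert"` split is dead code and the `nocert` path still requires the TLS files; the `nocert` branch presumably wants an ExecStart without `--tlsverify`, and if a plain TCP listener is really intended it should bind a trusted interface rather than `0.0.0.0`. The three `Copy files` tasks set no `mode`, so `server-key.pem` lands with umask-derived permissions; add `mode: "0600"` and `owner: root` to the key copy (`"0644"` is fine for the two certificates). `Restart docker service` restarts the daemon unconditionally right after the `restart_docker` handler is notified, giving two restarts per run; drop the task or use `ansible.builtin.meta: flush_handlers`. If `mode` is undefined for a host both `when` expressions raise an undefined-variable error, so give it a default such as `when: (mode | default('cert')) == "nocert"`.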
diff --git a/roles/loki-agent/tasks/main.yml b/roles/loki-agent/tasks/main.yml new file mode 100755 index 0000000..268a983 --- /dev/null +++ b/roles/loki-agent/tasks/main.yml @@ -0,0 +1,20 @@ +- block: + - name: Get keys + ansible.builtin.shell: curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg + - name: Add repo + ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list + - name: Update cache + ansible.builtin.apt: + update_cache: true + - name: Instal wazuh + ansible.builtin.apt: + name: wazuh-agent + environment: + WAZUH_MANAGER: 'm-server.home.lan' + WAZUH_AGENT_NAME: "{{ inventory_hostname }}" + - name: Restart wazuh service + ansible.builtin.service: + name: wazuh-agent + state: restarted + enabled: true + become: true \ No newline at end of file diff --git a/roles/loki-agent/vars/main.yml b/roles/loki-agent/vars/main.yml new file mode 100755 index 0000000..e95fa5e --- /dev/null +++ b/roles/loki-agent/vars/main.yml @@ -0,0 +1 @@ +ZABBIX_SERVER: "zabbix.home.lan" \ No newline at end of file diff --git a/roles/omv_backup/tasks/main.yml b/roles/omv_backup/tasks/main.yml index 98c318a..0ced0f4 100755 --- a/roles/omv_backup/tasks/main.yml +++ b/roles/omv_backup/tasks/main.yml @@ -27,7 +27,7 @@ - name: Upload script ansible.builtin.copy: - src: "{{ dest_folder }}/omv_backup.py" + src: "{{ dest_folder }}/omv_backup_v3.py" dest: /myapps/omv_backup.py remote_src: true mode: '0755' @@ -36,8 +36,8 @@ when: inventory_hostname != 'nas.home.lan' - name: Upload script ansible.builtin.copy: - src: "{{ dest_folder }}/omv_backup_v2.py" - dest: /myapps/omv_backup_v2.py + src: "{{ dest_folder }}/omv_backup_v3.py" + dest: /myapps/omv_backup.py remote_src: true mode: '0755' owner: root 
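Review bot: `roles/loki-agent/tasks/main.yml` is a copy of the wazuh-agent role — it imports the Wazuh key, adds the Wazuh repository and installs `wazuh-agent` — and `roles/loki-agent/vars/main.yml` only defines `ZABBIX_SERVER`, so nothing in the new role relates to Loki; the Loki driver install in this patch actually lives in `roles/docker/tasks/main.yml`. Either drop the role or replace its tasks with the Loki step (`community.docker.docker_plugin` with `plugin_name`, `alias: loki`, `state: present`, as in the docker role). Independently, `tee -a /etc/apt/sources.list.d/wazuh.list` appends another line on every run; `ansible.builtin.apt_repository` with `repo: "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main"` is idempotent.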
@@ -89,12 +89,14 @@ Description=Enable OMV backup [Service] - ExecStart = nohup /myapps/venv/bin/python3 /myapps/omv_backup_v2.py -b > /dev/null 2>&1 & + ExecStart = nohup /myapps/venv/bin/python3 /myapps/omv_backup.py -b > /dev/null 2>&1 & [Install] WantedBy=basic.target owner: root mode: '0744' + when: inventory_hostname == 'amd.home.lan' + - name: Restart service omv_backup, in all cases ansible.builtin.service: name: omv_backup @@ -103,4 +105,5 @@ # async: # poll: 0 # ignore_errors: true + when: inventory_hostname == 'amd.home.lan' become: true diff --git a/roles/wazuh-agent/tasks/main.yml b/roles/wazuh-agent/tasks/main.yml index 996fe97..268a983 100755 --- a/roles/wazuh-agent/tasks/main.yml +++ b/roles/wazuh-agent/tasks/main.yml @@ -11,11 +11,10 @@ name: wazuh-agent environment: WAZUH_MANAGER: 'm-server.home.lan' - WAZUH_AGENT_NAME: "{{ inventory_hostname}}" + WAZUH_AGENT_NAME: "{{ inventory_hostname }}" - name: Restart wazuh service ansible.builtin.service: name: wazuh-agent state: restarted enabled: true - become: true \ No newline at end of file diff --git a/roles/zabbix-agent/tasks/main.yml b/roles/zabbix-agent/tasks/main.yml index ec89ea6..0334bdb 100755 --- a/roles/zabbix-agent/tasks/main.yml +++ b/roles/zabbix-agent/tasks/main.yml 
@@ -26,11 +26,11 @@ # ansible.builtin.copy: # src: packages/zabbix-release_6.4-1+ubuntu22.04_all.deb # dest: /tmp/ - - name: Install a .deb package from the internet11 + - name: Install a .deb package from the internet111 ansible.builtin.apt: - deb: https://repo.zabbix.com/zabbix/6.4/ubuntu-arm64/pool/main/z/zabbix-release/zabbix-release_6.4-1+ubuntu22.04_all.deb + deb: https://repo.zabbix.com/zabbix/7.2/release/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest_7.2+ubuntu24.04_all.deb when: - - ansible_facts.architecture != "armv7l" and ( ansible_distribution == "Ubuntu" or ansible_distribution == "Linux Mint" ) + - ansible_facts.architecture != "armv7l" and ( ansible_distribution == "Ubuntu1" or ansible_distribution == "Linux Mint" ) - name: Install a .deb package from the internet2 ansible.builtin.apt: @@ -77,7 +77,7 @@ path: "{{ zabbix_agent_cfg }}" regexp: "^Server=.*" insertafter: '^# Server=' - line: "Server=192.168.77.0/24,172.30.0.0/24" + line: "Server=192.168.77.0/24,192.168.89.0/28" - name: Reconfigure zabbix agent ServerActive
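Review bot: The `when` on `Install a .deb package from the internet111` now compares `ansible_distribution` against `"Ubuntu1"`, a value the fact never takes, so the task is silently skipped on every Ubuntu host and the 7.2 release package is never installed; together with the `111` suffix on the task name this reads as a debugging leftover and should go back to `ansible_distribution == "Ubuntu"` with a descriptive name such as `Install zabbix-release 7.2 (Ubuntu/Mint)`. The new `deb:` URL hard-codes `ubuntu24.04` for every matching host, so Ubuntu 22.04 and Linux Mint machines would receive a package built for a different base; derive the file name from `ansible_distribution_version` or guard the task with it. The `Server=` hunk that follows starts a task whose remainder is past the end of this page and was not reviewed.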