From e7f2c941fd3518fb45d75995f5576d0973b4e792 Mon Sep 17 00:00:00 2001 From: jaydee Date: Wed, 7 Jan 2026 22:52:04 +0100 Subject: [PATCH] build --- hosts_init.yml | 35 ++-- hosts_roles.yml | 25 ++- jaydee.yml | 40 ++-- roles/cert_gen/tasks/main.yml | 1 + roles/common/tasks/main.yml | 18 +- roles/docker/tasks/main.yml | 331 +--------------------------------- roles/init/tasks/main.yml | 12 +- 7 files changed, 98 insertions(+), 364 deletions(-) diff --git a/hosts_init.yml b/hosts_init.yml index aa81749..3fcc06d 100755 --- a/hosts_init.yml +++ b/hosts_init.yml @@ -44,14 +44,27 @@ datacenter: # ansible_pass: l4c1!j4yd33?Du5lo1 ansible_python_interpreter: /share/ZFS530_DATA/.qpkg/QPython312/bin/python3 vms: - hosts: - vm0[1:9].home.lan: - vm[10:27].home.lan: - vars: - ansible_python_interpreter: /usr/bin/python3 - ansible_ssh_user: jd - ansible_ssh_password: q - ansible_become_method: su - ansible_become_password: q - ansible_ssh_pass: q - ansible_become_user: root \ No newline at end of file + children: + debian9: + hosts: + debian9-vm0[1:9].home.lan: + debian9-vm[10:27].home.lan: + vars: + ansible_python_interpreter: /usr/bin/python3 + ansible_ssh_user: jd + ansible_ssh_password: q + ansible_become_method: su + ansible_become_password: q + ansible_ssh_pass: q + ansible_become_user: root + rocky9: + hosts: + rocky9-vm0[1:9].home.lan: + vars: + ansible_python_interpreter: /usr/bin/python3 + ansible_ssh_user: jd + ansible_ssh_password: q + ansible_become_method: su + ansible_become_password: q + ansible_ssh_pass: q + ansible_become_user: root \ No newline at end of file diff --git a/hosts_roles.yml b/hosts_roles.yml index 939aeba..b449c00 100755 --- a/hosts_roles.yml +++ b/hosts_roles.yml 
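Review bot: The new `debian9` and `rocky9` children repeat the identical seven-line `vars` block, so a single `vars:` under `vms:` would do (the same duplication is in the `hosts_roles.yml` hunk of this patch). Both copies hold plaintext `ansible_ssh_password`/`ansible_become_password` values in an inventory file that is committed; the patch already loads the vault `jaydee.yml` via `include_vars` elsewhere, so keeping these in a vault-encrypted `group_vars/vms.yml` and leaving only non-secret connection settings here would be consistent. `ansible_ssh_password` and `ansible_ssh_pass` appear to be aliases for the same connection option, so one of the two is redundant. The commented-out `# ansible_pass:` context line above the hunk still carries a credential, and the file still ends without a trailing newline.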
@@ -184,11 +184,20 @@ datacenter: ansible_become_password: q ansible_ssh_private_key_file: ssh_key.pem vms: - hosts: - vm0[1:9].home.lan: - vm[10:27].home.lan: - vars: - ansible_python_interpreter: /usr/bin/python3 - ansible_ssh_user: jd - ansible_become_password: l4c1j4yd33Du5lo - ansible_ssh_private_key_file: ssh_key.pem \ No newline at end of file + children: + debian9: + hosts: + debian9-vm0[1:9].home.lan: + debian9-vm[10:27].home.lan: + vars: + ansible_python_interpreter: /usr/bin/python3 + ansible_ssh_user: jd + ansible_ssh_private_key_file: ssh_key.pem + rocky9: + hosts: + rocky9-vm0[1:9].home.lan: + vars: + ansible_python_interpreter: /usr/bin/python3 + ansible_ssh_user: jd + ansible_ssh_private_key_file: ssh_key.pem + \ No newline at end of file diff --git a/jaydee.yml b/jaydee.yml index e2b1517..a90f7d8 100755 --- a/jaydee.yml +++ b/jaydee.yml 
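Review bot: The last added line is whitespace-only and is followed by `\ No newline at end of file`, so it should be dropped and the file given a proper final newline. The hunk deletes the plaintext `ansible_become_password` from the `vms` group, but that value stays readable in the repository history, so rotating it is the only way the removal actually helps. The key-based access the new children keep (`ansible_ssh_private_key_file: ssh_key.pem`) is the right direction; confirm `ssh_key.pem` itself is not tracked.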
@@ -1,20 +1,22 @@
 $ANSIBLE_VAULT;1.1;AES256
-37663331373063666438653164616534303732366337653238316433326364333765306339373863
-3461393866633063303730653635356435613163623337650a636639623733346638626239326566
-37393032353063363735376133333636376262386364383933303133376630353432313136356439
-6237653563646437660a653764653562626137393363396565316666383064383933323338623838
-31373234313330663861336537313431616136356234626435383037333966326637313836633561
-65356437333264393061303263326637643839313732386533366133376534383263643562333636
-62383736333438663131613563373936623261356666393931326461363336353534623464613733
-62333636326538623539393634366137663833353137656235356135326435306563393336663866
-38373563346339386364323063613436326562336337363330656330313436313730356530643237
-30316463613338613765383235613665383666303135353236663830623639343764313330653937
-35393132333565386333643534366564306165636235356138313533616261653936333161373135
-65363333376331653735336133613938313436366530656261366630616330643233353731663931
-34303632373530663437386130656633376131326538323466643830326266346465666563343364
-63303631363635303337653135336662346434653166623635633730613639653539626161323636
-31356164623537386634393534623538373833633732396232613532383163303136386139613730
-61653534636434616438633030633636343663396636653536386536333866646438633433613931
-61323833333237333063356331333137616564653636333361353239653738653830633537386661
-65353763623666326265633164633763323463363237363333373562336434393264356438323634
-613632373265346632306436633535323731
+32656139633038623333316637646532643338373330336561346239653564666362323339646165
+3533356464653662633136393937623230633863303538320a386333363938343131653664636237
+63616433373136346331373739393631303863343966396635356263666534613662306362646362
+3366393530313236340a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
diff --git a/roles/cert_gen/tasks/main.yml b/roles/cert_gen/tasks/main.yml
index 3bdc163..ead663a 100755
--- a/roles/cert_gen/tasks/main.yml +++ b/roles/cert_gen/tasks/main.yml @@ -80,6 +80,7 @@ name: sshpass state: present when: inventory_hostname != 'nas.home.lan' + - name: Create cert directory on nas server ansible.builtin.command: | sshpass -p {{ nas_password }} \ diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f1e967b..d0a1da5 100755 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,6 +1,9 @@ - name: Upgrade become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" block: + - name: Include vault + ansible.builtin.include_vars: + file: jaydee.yml - name: Include facts ansible.builtin.include_role: name: "setup" @@ -13,10 +16,23 @@ # changed_when: "logo.rc == 0" # when: inventory_hostname not in ['morefine.home.lan','rack.home.lan', 'rpi5.home.lan'] - - name: Upgrade the full OS + - name: Upgrade Debian ansible.builtin.apt: update_cache: true upgrade: full + when: ansible_facts.os_family == "Debian" + + - name: Upgrade RHEL / Rocky / Alma / CentOS + ansible.builtin.dnf: + name: "*" + state: latest + when: ansible_facts.os_family == "RedHat" + + - name: Upgrade SUSE + ansible.builtin.zypper: + name: "*" + state: latest + when: ansible_facts.os_family == "Suse" - name: Upgrade flatpack ansible.builtin.command: flatpak update -y diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index febb3ad..9e509a2 100755 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
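Review bot: The `Include vault` task added at the top of the `Upgrade` block has no `no_log`, and `ansible.builtin.include_vars` returns the loaded variables in its task result, so a run with `-v` prints the decrypted contents of `jaydee.yml`; add `no_log: true` to this task (the identical include added in `roles/docker/tasks/main.yml` by this patch needs the same). Loading the vault separately in each role also duplicates the dependency; unless the play already does it, a single `vars_files:` entry at play level would serve both roles. The enclosing block continues outside the hunk.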
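Review bot: A host whose `ansible_facts.os_family` is none of `Debian`, `RedHat` or `Suse` skips all three new upgrade tasks silently while the following `Upgrade flatpack` task still runs; a closing guarded task makes that visible, e.g. `- name: Report unsupported OS family` / `ansible.builtin.debug: msg: "no upgrade handler for {{ ansible_facts.os_family }}"` / `when: ansible_facts.os_family not in ["Debian", "RedHat", "Suse"]`. The `dnf` and `zypper` tasks use `name: "*"` with `state: latest`, which ansible-lint's `package-latest` rule flags; a `# noqa: package-latest` on those lines records that a full upgrade is intended. The block these tasks belong to starts and ends outside the hunk.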
@@ -1,324 +1,7 @@ -- name: Setup docker - become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}" - block: - - name: Facts - ansible.builtin.setup: - - - name: Create apt proxy file - ansible.builtin.copy: - dest: /etc/apt/apt.conf.d/02proxy - content: | - Acquire::http::Proxy "http://192.168.77.101:3142"; - Acquire::https::Proxy "false"; - - - name: Print arch - ansible.builtin.debug: - msg: "{{ ansible_architecture }}" - - name: Install docker dependencies - ansible.builtin.apt: - name: - - ca-certificates - - curl - - telnet - - net-tools - - python3-pip - - python3-dev - state: present - update_cache: true - register: install_docker_deps - until: install_docker_deps is succeeded - retries: 10 - delay: 10 - - - name: Get keys for raspotify - ansible.builtin.command: - install -m 0755 -d /etc/apt/keyrings - - - # - name: Add an Apt signing key to a specific keyring file - # ansible.builtin.apt_key: - # url: https://download.docker.com/linux/debian/gpg - # keyring: /etc/apt/keyrings/docker.asc - # when: - # - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - - # - name: Get keys for raspotify - # ansible.builtin.shell: - # curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc - # when: - # - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - - - name: Get keys for raspotify - ansible.builtin.shell: - curl -fsSL https://download.docker.com/linux/raspbian/gpg -o /etc/apt/keyrings/docker.asc - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - - - name: Ensure docker keyring directory exists - file: - path: /etc/apt/keyrings - state: directory - mode: "0755" - - - name: Download Docker GPG key - get_url: - url: https://download.docker.com/linux/debian/gpg - dest: /etc/apt/keyrings/docker.asc - mode: "0644" - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "13" - - - name: Install 
docker.sources file - template: - src: docker.sources.j2 - dest: /etc/apt/sources.list.d/docker.sources - owner: root - group: root - mode: "0644" - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "13" - - - name: Create docker.sources file - copy: - dest: /etc/apt/sources.list.d/docker.sources - mode: "0644" - content: | - Types: deb - URIs: https://download.docker.com/linux/debian - Suites: {{ ansible_facts['lsb']['codename'] }} - Components: stable - Signed-By: /etc/apt/keyrings/docker.asc - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "13" - - - name: Update apt cache - apt: - update_cache: yes - - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "13" - - - name: Download Docker GPG key - get_url: - url: https://download.docker.com/linux/debian/gpg - dest: /etc/apt/keyrings/docker.asc - mode: "0644" - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "13" - - - name: Add an Apt signing key to a specific keyring file - ansible.builtin.apt_key: - url: https://download.docker.com/linux/ubuntu/gpg - keyring: /etc/apt/keyrings/docker.asc - when: - - ansible_distribution == "Ubuntu" - - # - name: Get keys for raspotify - # ansible.builtin.shell: - # curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - # when: - # - ansible_distribution == "Ubuntu" - - name: Change file ownership, group and permissions - ansible.builtin.file: - path: /etc/apt/keyrings/docker.asc - owner: root - group: root - mode: '0644' - - # - name: Get keys for raspotify - # ansible.builtin.shell: - # chmod a+r /etc/apt/keyrings/docker.asc - - - name: Get keys for raspotify - ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null - when: - - ansible_distribution == "Debian" and ansible_distribution_major_version == "12" - - - name: Get keys for raspotify - ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - when: - - ansible_distribution == "Ubuntu" - - # - name: Install docker - # ansible.builtin.apt: - # name: - # - docker-ce - # - docker-ce-cli - # - containerd.io - # - docker-buildx-plugin - # - docker-compose-plugin - # update_cache: true - - name: Install the version docker1 - ansible.builtin.apt: - name: "{{ item }}" - state: present - when: - - ansible_distribution == "Debian" - loop: - - docker-ce - - docker-ce-cli - - name: Install the version docker - ansible.builtin.apt: - name: "{{ item }}" - state: present - allow_downgrade: true - when: - - ansible_distribution == "Debian" - loop: - - containerd.io - - - name: Install the version docker - ansible.builtin.apt: - name: "{{ item }}" - state: present - allow_downgrade: true - when: - - ansible_distribution == "Debian" - loop: - - docker-buildx-plugin - - - - name: Install the version docker - ansible.builtin.apt: - name: "{{ item }}=5:28.5.2-1~{{ ansible_distribution | lower }}.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release }}" - state: present - allow_downgrade: true - when: - - ansible_distribution == "Debian1" - loop: - - docker-ce - - docker-ce-cli - - name: Install the version docker - ansible.builtin.apt: - name: "{{ item }}=1.7.28-2~{{ ansible_distribution | lower }}.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release }}" - state: present - allow_downgrade: true - when: - - ansible_distribution == "Debian1" - loop: - - containerd.io - - - name: Install the 
version docker - ansible.builtin.apt: - name: "{{ item }}=0.28.0-0~{{ ansible_distribution | lower }}.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release }}" - state: present - allow_downgrade: true - when: - - ansible_distribution == "Debian1" - loop: - - docker-buildx-plugin - - - name: Create a directory docker.service.d - ansible.builtin.file: - path: /etc/systemd/system/docker.service.d/ - state: directory - mode: '0755' - - - name: Create a directory for certs - ansible.builtin.file: - path: /etc/docker/certs - state: directory - mode: '0700' - owner: root - group: root - - # - name: Copy files - # ansible.builtin.copy: - # src: server-key.pem - # dest: /etc/docker/certs/ - # mode: '0600' - # owner: root - # group: root - # - name: Copy files - # ansible.builtin.copy: - # src: ca.pem - # dest: /etc/docker/certs/ - # mode: '0600' - # owner: root - # group: root - # - name: Copy files - # ansible.builtin.copy: - # src: server-cert.pem - # dest: /etc/docker/certs/ - # mode: '0600' - # owner: root - # group: root - - name: Creating a file with content - ansible.builtin.copy: - dest: "/etc/systemd/system/docker.service.d/override.conf" - content: | - [Service] - ExecStart= - ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 - mode: '0600' - owner: root - group: root - notify: restart_docker - when: mode == "cert" - - # - name: Creating a file with content - # ansible.builtin.copy: - # dest: "/etc/systemd/system/docker.service.d/override.conf" - # content: | - # [Service] - # ExecStart= - # ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify \ - # --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem \ - # --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 - # mode: '0600' - # owner: root - # 
group: root - # notify: restart_docker - # when: mode != "nocert" - - - name: Just force systemd to reread configs - ansible.builtin.systemd: - daemon_reload: true - - - name: Check if file exists - ansible.builtin.stat: - path: /etc/docker/certs/ca.pem - register: file_check - - - name: Print file check result - ansible.builtin.debug: - var: file_check - - - name: Include role only if missing - ansible.builtin.include_role: - name: cert_gen - when: not file_check.stat.exists and mode == "cert" - - - - name: Create docker config file - ansible.builtin.copy: - dest: /etc/docker/daemon.json - content: | - { - "log-driver": "json-file", - "log-opts": { - "max-size": "10m", - "max-file": "3" - }, - "data-root": "/var/lib/docker", - "dns": ["192.168.77.101", "192.168.77.106", "8.8.8.8"], - "dns-search": ["lan", "home.lan"] - - } - mode: '0644' - owner: root - group: root - - - - name: Restart docker service - ansible.builtin.service: - name: docker - state: restarted - - # - name: Get keys for raspotify - # ansible.builtin.shell: docker plugin install grafana/loki-docker-driver:3.3.2-{{ ansible_architecture }} --alias loki --grant-all-permissions - - name: Install a plugin - community.docker.docker_plugin: - plugin_name: grafana/loki-docker-driver - alias: loki - state: enable +- name: Include vault + ansible.builtin.include_vars: + file: jaydee.yml +- name: Facts + ansible.builtin.setup: +- name: Include OS-specific tasks + ansible.builtin.include_tasks: "{{ ansible_facts.os_family }}.yml" \ No newline at end of file diff --git a/roles/init/tasks/main.yml b/roles/init/tasks/main.yml index e2d3861..c096b44 100755 --- a/roles/init/tasks/main.yml +++ b/roles/init/tasks/main.yml 
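Review bot: The new `include_tasks: "{{ ansible_facts.os_family }}.yml"` is unguarded, so any host whose family has no matching task file fails with a missing-file error, and none of the per-family files appear in this patch's diffstat (only the seven listed files change), so they are presumably added separately — worth confirming before merge. The rewritten file also drops the `become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"` that the removed block set, so escalation for the included tasks now has to come from the play or the included files; and the file ends without a trailing newline. A `first_found` lookup with `skip: true` lets unsupported families skip cleanly instead of failing:
```yaml
- name: Include OS-specific tasks
  ansible.builtin.include_tasks: "{{ item }}"
  with_first_found:
    - files:
        - "{{ ansible_facts.os_family }}.yml"
      skip: true
```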
@@ -2,19 +2,29 @@ become: "{{ 'no' if inventory_hostname in ['sectorq.cloud', 'nas.home.lan'] else 'yes' }}" become_method: su block: + - name: Include vault ansible.builtin.include_vars: - file: jaydee.yml + file: init.yml - name: Change password for jd ansible.builtin.user: name: jd password: "{{ jd_password | password_hash('sha512') }}" + - name: Check if group exists + getent: + database: group + key: sudo + register: group_check + ignore_errors: true + - name: Ensure deploy user exists ansible.builtin.user: name: jd shell: /bin/bash groups: sudo append: true + when: group_check is succeeded + - name: Give deploy sudo access ansible.builtin.copy: dest: /etc/sudoers.d/jd
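Review bot: `getent` is the only task in the hunk without the `ansible.builtin.` prefix the rest of the file uses; write `ansible.builtin.getent`. With `ignore_errors: true` the probe prints a failed task on every host lacking a `sudo` group — which the `rocky9` hosts this patch adds to the inventory typically are, since RedHat-family systems use `wheel` — and `when: group_check is succeeded` then silently leaves `jd` in no admin group while `Give deploy sudo access` still writes `/etc/sudoers.d/jd`. Choosing the group from the fact (`wheel` when `ansible_facts.os_family == "RedHat"`, `sudo` otherwise) would cover both families; if the probe stays, note that `failed_when: false` would remove the red output but make `is succeeded` always true, so the condition would have to test the returned fact instead. `file: init.yml` is not among the files this patch changes, so confirm it exists where `include_vars` looks for it. The enclosing block starts and ends outside the hunk.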