jaydee/ansible
1
0
Fork 0
mirror of https://gitlab.sectorq.eu/jaydee/ansible.git synced 2026-01-28 18:39:44 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

build
Some checks failed
Gitea Actions Demo / Explore-Gitea-Actions (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Ladislav Dusa
2026-01-07 22:52:04 +01:00
parent 252190e128
commit e7f2c941fd
7 changed files with 98 additions and 364 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
hosts_init.yml
View File

@@ -44,9 +44,22 @@ datacenter:
# ansible_pass: l4c1!j4yd33?Du5lo1
ansible_python_interpreter: /share/ZFS530_DATA/.qpkg/QPython312/bin/python3
vms:
children:
debian9:
hosts:
vm0[1:9].home.lan:
vm[10:27].home.lan:
debian9-vm0[1:9].home.lan:
debian9-vm[10:27].home.lan:
vars:
ansible_python_interpreter: /usr/bin/python3
ansible_ssh_user: jd
ansible_ssh_password: q
ansible_become_method: su
ansible_become_password: q
ansible_ssh_pass: q
ansible_become_user: root
rocky9:
hosts:
rocky9-vm0[1:9].home.lan:
vars:
ansible_python_interpreter: /usr/bin/python3
ansible_ssh_user: jd

15
hosts_roles.yml
View File

@@ -184,11 +184,20 @@ datacenter:
ansible_become_password: q
ansible_ssh_private_key_file: ssh_key.pem
vms:
children:
debian9:
hosts:
vm0[1:9].home.lan:
vm[10:27].home.lan:
debian9-vm0[1:9].home.lan:
debian9-vm[10:27].home.lan:
vars:
ansible_python_interpreter: /usr/bin/python3
ansible_ssh_user: jd
ansible_become_password: l4c1j4yd33Du5lo
ansible_ssh_private_key_file: ssh_key.pem
rocky9:
hosts:
rocky9-vm0[1:9].home.lan:
vars:
ansible_python_interpreter: /usr/bin/python3
ansible_ssh_user: jd
ansible_ssh_private_key_file: ssh_key.pem

40
jaydee.yml
View File

@@ -1,20 +1,22 @@
$ANSIBLE_VAULT;1.1;AES256
37663331373063666438653164616534303732366337653238316433326364333765306339373863
3461393866633063303730653635356435613163623337650a636639623733346638626239326566
37393032353063363735376133333636376262386364383933303133376630353432313136356439
6237653563646437660a653764653562626137393363396565316666383064383933323338623838
31373234313330663861336537313431616136356234626435383037333966326637313836633561
65356437333264393061303263326637643839313732386533366133376534383263643562333636
62383736333438663131613563373936623261356666393931326461363336353534623464613733
62333636326538623539393634366137663833353137656235356135326435306563393336663866
38373563346339386364323063613436326562336337363330656330313436313730356530643237
30316463613338613765383235613665383666303135353236663830623639343764313330653937
35393132333565386333643534366564306165636235356138313533616261653936333161373135
65363333376331653735336133613938313436366530656261366630616330643233353731663931
34303632373530663437386130656633376131326538323466643830326266346465666563343364
63303631363635303337653135336662346434653166623635633730613639653539626161323636
31356164623537386634393534623538373833633732396232613532383163303136386139613730
61653534636434616438633030633636343663396636653536386536333866646438633433613931
61323833333237333063356331333137616564653636333361353239653738653830633537386661
65353763623666326265633164633763323463363237363333373562336434393264356438323634
613632373265346632306436633535323731
32656139633038623333316637646532643338373330336561346239653564666362323339646165
3533356464653662633136393937623230633863303538320a386333363938343131653664636237
63616433373136346331373739393631303863343966396635356263666534613662306362646362
3366393530313236340a393734623735346564326263626231373866323561633030636333626639
36623734623536316564646261653565333537373361326533393535663634373736626431313132
33636562636662666239366130643961633230626436313364336233636261653462616462343661
35353332643862343533316233333432376462363130393138613364653732363934346431623865
32396361363962396135623738333163646434333361373766303366613163396363366134646662
36356334326337613536323434643736633236653332353931326135303136353836643532373532
62373566376164396133386264613666323732396636646565373939323762626536343934663464
62336434353762343664613462363465363239333337616231616266343834323237323061373237
30653639626236646435663734346663643432316464313936656233623163656366346537643834
36353964363462303630646635633233353838643431396537613430656234383737666661383666
37383938323532376662363233376134626538333463393964343432356565633237313563373865
36353333396533336434383535663238663437626464616637666234616565323462316663383137
32656233343764366338616436633837346264353435333331616335613265653638393738393633
36386363623137363433626465356264623463626636386633613436333938666563326264343136
35636336316662393232653037356138666636373166626565393531616666643133663763633831
37316236313761353564653330613934323336326264386435666366636366613861363539326131
31363732386162613536623862333762333365343333316563633238376336643161343731393334
3339

1
roles/cert_gen/tasks/main.yml
View File

@@ -80,6 +80,7 @@
name: sshpass
state: present
when: inventory_hostname != 'nas.home.lan'
- name: Create cert directory on nas server
ansible.builtin.command: |
sshpass -p {{ nas_password }} \

18
roles/common/tasks/main.yml
View File

@@ -1,6 +1,9 @@
- name: Upgrade
become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
block:
- name: Include vault
ansible.builtin.include_vars:
file: jaydee.yml
- name: Include facts
ansible.builtin.include_role:
name: "setup"
@@ -13,10 +16,23 @@
# changed_when: "logo.rc == 0"
# when: inventory_hostname not in ['morefine.home.lan','rack.home.lan', 'rpi5.home.lan']
- name: Upgrade the full OS
- name: Upgrade Debian
ansible.builtin.apt:
update_cache: true
upgrade: full
when: ansible_facts.os_family == "Debian"
- name: Upgrade RHEL / Rocky / Alma / CentOS
ansible.builtin.dnf:
name: "*"
state: latest
when: ansible_facts.os_family == "RedHat"
- name: Upgrade SUSE
ansible.builtin.zypper:
name: "*"
state: latest
when: ansible_facts.os_family == "Suse"
- name: Upgrade flatpack
ansible.builtin.command: flatpak update -y

327
roles/docker/tasks/main.yml
View File

@@ -1,324 +1,7 @@
- name: Setup docker
become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
block:
- name: Include vault
ansible.builtin.include_vars:
file: jaydee.yml
- name: Facts
ansible.builtin.setup:
- name: Create apt proxy file
ansible.builtin.copy:
dest: /etc/apt/apt.conf.d/02proxy
content: |
Acquire::http::Proxy "http://192.168.77.101:3142";
Acquire::https::Proxy "false";
- name: Print arch
ansible.builtin.debug:
msg: "{{ ansible_architecture }}"
- name: Install docker dependencies
ansible.builtin.apt:
name:
- ca-certificates
- curl
- telnet
- net-tools
- python3-pip
- python3-dev
state: present
update_cache: true
register: install_docker_deps
until: install_docker_deps is succeeded
retries: 10
delay: 10
- name: Get keys for raspotify
ansible.builtin.command:
install -m 0755 -d /etc/apt/keyrings
# - name: Add an Apt signing key to a specific keyring file
# ansible.builtin.apt_key:
# url: https://download.docker.com/linux/debian/gpg
# keyring: /etc/apt/keyrings/docker.asc
# when:
# - ansible_distribution == "Debian" and ansible_distribution_major_version == "12"
# - name: Get keys for raspotify
# ansible.builtin.shell:
# curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
# when:
# - ansible_distribution == "Debian" and ansible_distribution_major_version == "12"
- name: Get keys for raspotify
ansible.builtin.shell:
curl -fsSL https://download.docker.com/linux/raspbian/gpg -o /etc/apt/keyrings/docker.asc
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "12"
- name: Ensure docker keyring directory exists
file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
- name: Download Docker GPG key
get_url:
url: https://download.docker.com/linux/debian/gpg
dest: /etc/apt/keyrings/docker.asc
mode: "0644"
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "13"
- name: Install docker.sources file
template:
src: docker.sources.j2
dest: /etc/apt/sources.list.d/docker.sources
owner: root
group: root
mode: "0644"
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "13"
- name: Create docker.sources file
copy:
dest: /etc/apt/sources.list.d/docker.sources
mode: "0644"
content: |
Types: deb
URIs: https://download.docker.com/linux/debian
Suites: {{ ansible_facts['lsb']['codename'] }}
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "13"
- name: Update apt cache
apt:
update_cache: yes
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "13"
- name: Download Docker GPG key
get_url:
url: https://download.docker.com/linux/debian/gpg
dest: /etc/apt/keyrings/docker.asc
mode: "0644"
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "13"
- name: Add an Apt signing key to a specific keyring file
ansible.builtin.apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
keyring: /etc/apt/keyrings/docker.asc
when:
- ansible_distribution == "Ubuntu"
# - name: Get keys for raspotify
# ansible.builtin.shell:
# curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
# when:
# - ansible_distribution == "Ubuntu"
- name: Change file ownership, group and permissions
ansible.builtin.file:
path: /etc/apt/keyrings/docker.asc
owner: root
group: root
mode: '0644'
# - name: Get keys for raspotify
# ansible.builtin.shell:
# chmod a+r /etc/apt/keyrings/docker.asc
- name: Get keys for raspotify
ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
when:
- ansible_distribution == "Debian" and ansible_distribution_major_version == "12"
- name: Get keys for raspotify
ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
when:
- ansible_distribution == "Ubuntu"
# - name: Install docker
# ansible.builtin.apt:
# name:
# - docker-ce
# - docker-ce-cli
# - containerd.io
# - docker-buildx-plugin
# - docker-compose-plugin
# update_cache: true
- name: Install the version docker1
ansible.builtin.apt:
name: "{{ item }}"
state: present
when:
- ansible_distribution == "Debian"
loop:
- docker-ce
- docker-ce-cli
- name: Install the version docker
ansible.builtin.apt:
name: "{{ item }}"
state: present
allow_downgrade: true
when:
- ansible_distribution == "Debian"
loop:
- containerd.io
- name: Install the version docker
ansible.builtin.apt:
name: "{{ item }}"
state: present
allow_downgrade: true
when:
- ansible_distribution == "Debian"
loop:
- docker-buildx-plugin
- name: Install the version docker
ansible.builtin.apt:
name: "{{ item }}=5:28.5.2-1~{{ ansible_distribution | lower }}.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release }}"
state: present
allow_downgrade: true
when:
- ansible_distribution == "Debian1"
loop:
- docker-ce
- docker-ce-cli
- name: Install the version docker
ansible.builtin.apt:
name: "{{ item }}=1.7.28-2~{{ ansible_distribution | lower }}.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release }}"
state: present
allow_downgrade: true
when:
- ansible_distribution == "Debian1"
loop:
- containerd.io
- name: Install the version docker
ansible.builtin.apt:
name: "{{ item }}=0.28.0-0~{{ ansible_distribution | lower }}.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release }}"
state: present
allow_downgrade: true
when:
- ansible_distribution == "Debian1"
loop:
- docker-buildx-plugin
- name: Create a directory docker.service.d
ansible.builtin.file:
path: /etc/systemd/system/docker.service.d/
state: directory
mode: '0755'
- name: Create a directory for certs
ansible.builtin.file:
path: /etc/docker/certs
state: directory
mode: '0700'
owner: root
group: root
# - name: Copy files
# ansible.builtin.copy:
# src: server-key.pem
# dest: /etc/docker/certs/
# mode: '0600'
# owner: root
# group: root
# - name: Copy files
# ansible.builtin.copy:
# src: ca.pem
# dest: /etc/docker/certs/
# mode: '0600'
# owner: root
# group: root
# - name: Copy files
# ansible.builtin.copy:
# src: server-cert.pem
# dest: /etc/docker/certs/
# mode: '0600'
# owner: root
# group: root
- name: Creating a file with content
ansible.builtin.copy:
dest: "/etc/systemd/system/docker.service.d/override.conf"
content: |
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376
mode: '0600'
owner: root
group: root
notify: restart_docker
when: mode == "cert"
# - name: Creating a file with content
# ansible.builtin.copy:
# dest: "/etc/systemd/system/docker.service.d/override.conf"
# content: |
# [Service]
# ExecStart=
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify \
# --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem \
# --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376
# mode: '0600'
# owner: root
# group: root
# notify: restart_docker
# when: mode != "nocert"
- name: Just force systemd to reread configs
ansible.builtin.systemd:
daemon_reload: true
- name: Check if file exists
ansible.builtin.stat:
path: /etc/docker/certs/ca.pem
register: file_check
- name: Print file check result
ansible.builtin.debug:
var: file_check
- name: Include role only if missing
ansible.builtin.include_role:
name: cert_gen
when: not file_check.stat.exists and mode == "cert"
- name: Create docker config file
ansible.builtin.copy:
dest: /etc/docker/daemon.json
content: |
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"data-root": "/var/lib/docker",
"dns": ["192.168.77.101", "192.168.77.106", "8.8.8.8"],
"dns-search": ["lan", "home.lan"]
}
mode: '0644'
owner: root
group: root
- name: Restart docker service
ansible.builtin.service:
name: docker
state: restarted
# - name: Get keys for raspotify
# ansible.builtin.shell: docker plugin install grafana/loki-docker-driver:3.3.2-{{ ansible_architecture }} --alias loki --grant-all-permissions
- name: Install a plugin
community.docker.docker_plugin:
plugin_name: grafana/loki-docker-driver
alias: loki
state: enable
- name: Include OS-specific tasks
ansible.builtin.include_tasks: "{{ ansible_facts.os_family }}.yml"

12
roles/init/tasks/main.yml
View File

@@ -2,19 +2,29 @@
become: "{{ 'no' if inventory_hostname in ['sectorq.cloud', 'nas.home.lan'] else 'yes' }}"
become_method: su
block:
- name: Include vault
ansible.builtin.include_vars:
file: jaydee.yml
file: init.yml
- name: Change password for jd
ansible.builtin.user:
name: jd
password: "{{ jd_password | password_hash('sha512') }}"
- name: Check if group exists
getent:
database: group
key: sudo
register: group_check
ignore_errors: true
- name: Ensure deploy user exists
ansible.builtin.user:
name: jd
shell: /bin/bash
groups: sudo
append: true
when: group_check is succeeded
- name: Give deploy sudo access
ansible.builtin.copy:
dest: /etc/sudoers.d/jd