jaydee/ansible
1
0
Fork 0
mirror of https://gitlab.sectorq.eu/jaydee/ansible.git synced 2025-10-29 17:40:08 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

bitwarden

Browse Source
This commit is contained in:
jaydee
2024-12-11 10:07:16 +01:00
parent 88fe512e87
commit f3f57b85a0
12 changed files with 551 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
playbooks/00_clone_git_repo.yml Normal file
View File

@@ -0,0 +1,4 @@
- hosts: datacenter
name: Clone git
become: true
tasks:

42
roles/autofs-client/tasks/main.yml Normal file
View File

@@ -0,0 +1,42 @@
- block:
- name: include vault
ansible.builtin.include_vars:
file: jaydee.yml
- name: Install autofs
ansible.builtin.apt:
name:
- autofs
- cifs-utils
state: present
- name: Creating a file with content
copy:
dest: "/etc/auto.auth"
content: |
username={{ samba_user }}
password={{ samba_password }}
- name: Creating a file with content
copy:
dest: "/etc/auto.nas"
content: |
nas-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Data
nas-docker-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/docker_data
nas-photo -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Photo
nas-public -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Public
nas-install -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/install
nas-media -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Media
nas-downloads -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/downloads
- name: Reconfigure zabbix agent Server
ansible.builtin.lineinfile:
path: /etc/auto.master
regexp: "^/media/nas.*"
insertafter: '^/media/nas'
line: "/media/nas /etc/auto.nas --timeout 360 --ghost"
- name: Restart docker service
ansible.builtin.service:
name: autofs
state: restarted
become: true

4
roles/docker/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart_docker
ansible.builtin.service:
name: docker.service
state: restarted

57
roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,57 @@
- block:
- name: Install docker
ansible.builtin.apt:
name:
- ca-certificates
- curl
- telnet
- net-tools
- python3-pip
- python3-dev
state: present
update_cache: true
- name: Get keys for raspotify
ansible.builtin.shell:
install -m 0755 -d /etc/apt/keyrings
- name: Get keys for raspotify
ansible.builtin.shell:
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
- name: Get keys for raspotify
ansible.builtin.shell:
chmod a+r /etc/apt/keyrings/docker.asc
- name: Get keys for raspotify
ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
- name: Install docker
ansible.builtin.apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
update_cache: true
- name: Create a directory docker.service.d
ansible.builtin.file:
path: /etc/systemd/system/docker.service.d/
state: directory
mode: '0755'
- name: Creating a file with content
copy:
dest: "/etc/systemd/system/docker.service.d/override.conf"
content: |
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375
notify: restart_docker
- name: Just force systemd to reread configs
ansible.builtin.systemd:
daemon_reload: true
become: true

149
roles/ldap-client/tasks/main.yml Normal file
View File

@@ -0,0 +1,149 @@
- block:
- name: Install ldap packages
ansible.builtin.apt:
name:
- libpam-ldapd
- ldap-utils
- libnss-ldapd
# - name: Reconfigure ldap base
# ansible.builtin.lineinfile:
# path: /etc/ldap.conf
# regexp: "^base "
# line: "base dc=sectorq,dc=eu"
# - name: Reconfigure ldap uri
# ansible.builtin.lineinfile:
# path: /etc/ldap.conf
# regexp: "^uri ldap.*"
# line: "uri ldaps://ldap-server.loc/"
# - name: Reconfigure ldap version
# ansible.builtin.lineinfile:
# path: /etc/ldap.conf
# regexp: "^ldap_version.*"
# line: "ldap_version 3"
# - name: Reconfigure ldap rootbinddn
# ansible.builtin.lineinfile:
# path: /etc/ldap.conf
# regexp: "^rootbinddn.*"
# line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
- name: Reconfigure common-session
ansible.builtin.lineinfile:
path: /etc/pam.d/common-session
regexp: "^session optional pam_mkhomedir.so.*"
line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
- name: Reconfigure common-session
ansible.builtin.lineinfile:
path: /etc/pam.d/common-session
regexp: "^session.*pam_ldap.so.*"
line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000"
- name: Reconfigure common-password
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: "^password.*success=1 user_unknown=ignore default=die.*"
line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass"
- name: Reconfigure nsswitch passwd
ansible.builtin.lineinfile:
path: /etc/nsswitch.conf
regexp: "^passwd:.*"
line: "passwd: compat systemd ldap"
- name: Reconfigure nsswitch group
ansible.builtin.lineinfile:
path: /etc/nsswitch.conf
regexp: "^group:.*"
line: "group: compat systemd ldap"
- name: Reconfigure nsswitch shadow
ansible.builtin.lineinfile:
path: /etc/nsswitch.conf
regexp: "^shadow:.*"
line: "shadow: compat ldap"
- name: Reconfigure nslcd uri
ansible.builtin.lineinfile:
path: /etc/nslcd.conf
regexp: "^uri ldap.*"
line: "uri ldap://192.168.77.101:2389/"
- name: Reconfigure ldap base
ansible.builtin.lineinfile:
path: /etc/nslcd.conf
regexp: "^base "
line: "base dc=sectorq,dc=eu"
- name: Reconfigure nslcd binddn
ansible.builtin.lineinfile:
path: /etc/nslcd.conf
regexp: "^binddn"
line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
- name: Reconfigure nslcd bindpw
ansible.builtin.lineinfile:
path: /etc/nslcd.conf
regexp: "^bindpw"
line: "bindpw {{ ldap_admin_password }}"
# - name: Reconfigure ldap base
# ansible.builtin.lineinfile:
# path: /etc/nslcd.conf
# regexp: "^#ssl"
# line: "ssl start_tls"
- name: Reconfigure nslcd tls_reqcert
ansible.builtin.lineinfile:
path: /etc/nslcd.conf
regexp: "^tls_reqcert"
line: "tls_reqcert allow"
- name: Restart nslcd service
ansible.builtin.service:
name: nslcd.service
state: restarted
- name: Creating a file with content
copy:
dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
content: |
#!/usr/bin/bash
ldapsearch -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
mode: '0755'
- name: Reconfigure sshd
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#AuthorizedKeysCommand *"
line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
- name: Reconfigure sshd
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#AuthorizedKeysCommandUser *"
line: "AuthorizedKeysCommandUser root"
- name: Create a directory LDAP if it does not exist
ansible.builtin.file:
path: /etc/ldap/
state: directory
mode: '0755'
- name: Creating a file with content
copy:
dest: "/etc/ldap/ldap.conf"
content: |
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=sectorq,dc=eu
URI ldap://192.168.77.101:2389
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
- name: Restart sshd service
ansible.builtin.service:
name: sshd.service
state: restarted
become: true

4
roles/matter-server/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart_matter_server
ansible.builtin.shell: docker restart matter-server
become: true

10
roles/matter-server/tasks/main.yml Normal file
View File

@@ -0,0 +1,10 @@
- block:
- name: Reconfigure config
ansible.builtin.lineinfile:
path: /etc/sysctl.conf
regexp: "^Unet.ipv4.igmp_max_memberships.*"
line: "net.ipv4.igmp_max_memberships = 75"
- name: Restart agent
ansible.builtin.shell: echo 76 > /proc/sys/net/ipv4/igmp_max_memberships
notify: restart_matter_server
become: true

116
roles/mqtt-srv/tasks/main.yml Normal file
View File

@@ -0,0 +1,116 @@
- block:
- name: include vault
ansible.builtin.include_vars:
file: ../jaydee.yml
- name: Delete content & directory
ansible.builtin.file:
state: absent
path: "{{ dest_folder }}"
- name: GIT pull
tags:
- git_pull
git:
repo: "https://{{ git_user | urlencode }}:{{ git_password_mqtt | urlencode }}@gitlab.sectorq.eu/jaydee/mqtt_srv.git"
dest: "{{ dest_folder }}"
update: yes
clone: yes
version: main
- debug:
msg: "{{ inventory_hostname }}"
- name: Upload service config
ansible.builtin.copy:
src: "{{ dest_folder }}/mqtt_srv.service"
dest: /etc/systemd/system/mqtt_srv.service
remote_src: true
when: inventory_hostname != 'nas.home.lan'
- name: Upload service script
ansible.builtin.copy:
src: "{{ dest_folder }}/mqtt_srv.py"
dest: /usr/bin/mqtt_srv.py
mode: '755'
owner: root
remote_src: true
when: inventory_hostname != 'nas.home.lan'
- name: Upload service script config
ansible.builtin.copy:
src: "{{ dest_folder }}/mqtt_srv.cfg"
dest: /etc/mqtt_srv/mqtt_srv.cfg
mode: '755'
owner: root
remote_src: true
when: inventory_hostname != 'nas.home.lan'
# - name: Upload service script1
# ansible.builtin.copy:
# src: scripts/mqtt_srv.sh
# dest: /jffs/scripts/mqtt_srv/
# mode: '755'
# owner: admin
# when: inventory_hostname in groups['router']
# become: false
# - name: Upload service script
# ansible.builtin.copy:
# src: scripts/mqtt_srv.py
# dest: /jffs/scripts/mqtt_srv/
# mode: '755'
# owner: admin
# when: inventory_hostname in groups['router']
# become: false
- name: Upload service script1
ansible.builtin.copy:
src: "{{ dest_folder }}/mqtt_srv.sh"
dest: /etc/init.d/
mode: '755'
owner: admin
remote_src: true
when: inventory_hostname == 'nas.home.lan'
- debug:
msg: "{{ dest_folder }}"
- name: Upload service script2
ansible.builtin.copy:
src: "{{ dest_folder }}/mqtt_srv.py"
dest: /usr/bin/mqtt_srv.py
mode: '755'
owner: admin
remote_src: true
when: inventory_hostname == 'nas.home.lan'
- name: Install bottle python package
ansible.builtin.shell: pip install {{ item }} --break-system-packages
loop:
- paho-mqtt
- getmac
- ping3
- psutil
- autorandr
when: inventory_hostname != 'nas.home.lan'
- name: Just force systemd to reread configs (2.4 and above)
ansible.builtin.systemd:
daemon_reload: true
when: inventory_hostname != 'nas.home.lan'
- name: Restart mqtt_srv service
ansible.builtin.service:
name: mqtt_srv.service
state: restarted
enabled: true
when: inventory_hostname != 'nas.home.lan'
- name: Restart mqtt service
ansible.builtin.shell: "(/etc/init.d/mqtt_srv.sh restart >/dev/null 2>&1 &)"
async: 10
poll: 0
when: inventory_hostname == 'nas.home.lan'
become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}"

1
roles/mqtt-srv/vars/main.yml Normal file
View File

@@ -0,0 +1 @@
dest_folder: "/tmp/ans_repo"

9
roles/timeshift/tasks/main.yml Normal file
View File

@@ -0,0 +1,9 @@
- name: Install timeshift packages
ansible.builtin.apt:
name:
- timeshift
update_cache: yes
become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
ignore_errors: true
when: inventory_hostname != 'nas.home.lan'

154
roles/zabbix-agent/tasks/main.yml Normal file
View File

@@ -0,0 +1,154 @@
- block:
- name: Get config for not nas
ansible.builtin.set_fact:
zabbix_agent_cfg: "/etc/zabbix/zabbix_agent2.conf"
when: inventory_hostname != 'nas.home.lan'
- name: Get config for nas
ansible.builtin.set_fact:
zabbix_agent_cfg: "/opt/ZabbixAgent/etc/zabbix_agentd.conf"
when: inventory_hostname == 'nas.home.lan'
- name: Print all available facts
ansible.builtin.debug:
msg: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
- name: Print all available facts
ansible.builtin.debug:
var: ansible_facts.architecture
- name: Print all available facts
ansible.builtin.debug:
var: ansible_distribution
- name: Print all available facts
ansible.builtin.debug:
var: ansible_distribution_major_version
# - name: Upload zabbix package
# ansible.builtin.copy:
# src: packages/zabbix-release_6.4-1+ubuntu22.04_all.deb
# dest: /tmp/
- name: Install a .deb package from the internet11
ansible.builtin.apt:
deb: https://repo.zabbix.com/zabbix/6.4/ubuntu-arm64/pool/main/z/zabbix-release/zabbix-release_6.4-1+ubuntu22.04_all.deb
when:
- ansible_facts.architecture != "armv7l" and ( ansible_distribution == "Ubuntu" or ansible_distribution == "Linux Mint" )
- name: Install a .deb package from the internet2
ansible.builtin.apt:
#deb: https://repo.zabbix.com/zabbix/6.4/raspbian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb
deb: https://repo.zabbix.com/zabbix/7.0/raspbian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian11_all.deb
retries: 5
delay: 5
when:
- ansible_facts.architecture == "armv7l" or ansible_facts.architecture == "aarch64"
ignore_errors: true
- name: Install a .deb package from the internet3
ansible.builtin.apt:
deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb
when:
- ansible_facts.architecture != "armv7l" and ansible_distribution == "Debian" and ansible_distribution_major_version == "11"
- name: Install a .deb package from the internet4
ansible.builtin.apt:
#deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb
deb: https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian12_all.deb
when:
- ansible_facts.architecture != "armv7l" and ansible_facts.architecture != "aarch64" and ansible_distribution == "Debian" and ansible_distribution_major_version == "12"
ignore_errors: true
# - name: Install a .deb package localy
# ansible.builtin.apt:
# deb: /tmp/zabbix-release_6.4-1+ubuntu22.04_all.deb
- name: Install zabbix packages
ansible.builtin.apt:
name:
- zabbix-agent2
- zabbix-agent2-plugin-mongodb
- zabbix-agent2-plugin-postgresql
# - zabbix-agent2-plugin-mysql
update_cache: yes
ignore_errors: true
when: inventory_hostname != 'nas.home.lan'
- name: Reconfigure zabbix agent Server
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
regexp: "^Server=.*"
insertafter: '^# Server='
line: "Server=192.168.77.0/24,192.168.80.0/28"
become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
- name: Reconfigure zabbix agent ServerActive
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
regexp: "^ServerActive=.*"
line: "ServerActive={{ ZABBIX_SERVER }}"
- name: Reconfigure zabbix agent ListenPort
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
regexp: "^ListenPort=.*"
line: "ListenPort=10050"
# - name: Reconfigure zabbix agent ListenIP
# ansible.builtin.lineinfile:
# path: /"{{ zabbix_agent_cfg }}"
# regexp: "^ListenIP=.*"
# line: "ListenIP=0.0.0.0"
- name: Reconfigure zabbix-agent2 hostname
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
regexp: "^Hostname=.*"
line: "Hostname={{ inventory_hostname }}"
- name: Reconfigure zabbix-agent2 config
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
insertafter: '^# UserParameter='
regexp: "^UserParameter=system.certs.*"
line: "UserParameter=system.certs,python3 /share/ZFS530_DATA/.qpkg/ZabbixAgent/cert_check2.py"
when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan'
- name: Reconfigure zabbix-agent2 config
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
insertafter: '^# UserParameter='
line: "UserParameter=rpi.hw.temp,/usr/bin/vcgencmd measure_temp"
when: inventory_hostname == 'rpi5.home.lan'
- name: Reconfigure zabbix-agent2 hostname
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
regexp: "^HostMetadata=.*"
insertafter: '^# HostMetadata='
line: "HostMetadata=linux;jaydee"
- name: Reconfigure zabbix-agent2 hostname
ansible.builtin.lineinfile:
path: "{{ zabbix_agent_cfg }}"
regexp: "^HostMetadata=.*"
insertafter: '^# HostMetadata='
line: "HostMetadata=server;jaydee"
when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan'
- name: Add the user 'to group video
ansible.builtin.user:
name: zabbix
groups: video
append: yes
when: inventory_hostname != 'nas.home.lan'
- name: Restart zabbix-agent2 service
ansible.builtin.service:
name: zabbix-agent2.service
state: restarted
enabled: true
when: inventory_hostname != 'nas.home.lan'
- name: Restart agent
ansible.builtin.shell: /etc/init.d/ZabbixAgent.sh restart
when: inventory_hostname == 'nas.home.lan'
become: true

1
roles/zabbix-agent/vars/main.yml Normal file
View File

@@ -0,0 +1 @@
ZABBIX_SERVER: "zabbix.home.lan"