feat: add metric support and fix net-persist issues with multiple NICs

This commit is contained in:
Clément Désiles 2025-08-26 00:31:24 +02:00
parent b5886e1a7b
commit 117978fe52
9 changed files with 141 additions and 67 deletions


@ -15,7 +15,7 @@ ansible-galaxy collection install -r requirements.yml
## Usage
```sh
ansible-playbook -i inventory.yml playbook.yml --ask-become-pass
ansible-playbook -i inventory/hosts.yml playbook.yml --ask-become-pass
```
## Target devices configuration


@ -1,5 +1,6 @@
arch_locale: en_US.UTF-8
yay_src_path: /opt/yay
yay_git_repo: https://aur.archlinux.org/yay.git
paru_git_repo: Morganamilo/paru
paru_src_path: /opt/paru
paru_git_repo: https://aur.archlinux.org/paru.git
os_arch: x86_64 # or aarch64
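Review bot: `os_arch` is a static variable, so every host managed by this vars file gets the same architecture unless it is overridden per host, while the paru tasks use it to pick which release asset to download; the `ansible_architecture` fact already carries this value per host, so `os_arch: "{{ ansible_architecture }}"` (or dropping the variable and using the fact directly) keeps a mixed x86_64/aarch64 inventory working without per-host overrides. The new `paru_git_repo: Morganamilo/paru` value is no longer a git URL but an owner/repo slug for the GitHub API call, so a rename such as `paru_github_repo` would stop readers assuming a clonable URL. Cosmetically, yamllint wants two spaces before the inline comment: `os_arch: x86_64  # or aarch64`.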


@ -6,55 +6,100 @@
- name: Install paru
block:
- name: Install build dependencies
package:
name:
- base-devel
- git
state: present
- name: Get the last github release
ansible.builtin.uri:
url: "https://api.github.com/repos/{{ paru_git_repo }}/releases/latest"
return_content: true
register: paru_release
- name: Disable sudo password prompt (makepkg sudoers hack)
lineinfile:
dest: /etc/sudoers
state: present
regexp: "^#?%wheel"
line: "%wheel ALL=(ALL) NOPASSWD: ALL"
validate: /usr/sbin/visudo -cf %s
- name: Extract tag_name
set_fact:
paru_version: "{{ (paru_release.json.tag_name | regex_replace('^v', '')) }}"
- command:
cmd: whoami
no_log: true
become: false
register: main_user
- name: Get the binary URL ({{ os_arch }})
set_fact:
paru_url: "{{ item.browser_download_url }}"
loop: "{{ paru_release.json.assets }}"
when: "'{{ os_arch }}.tar.zst' in item.name"
- set_fact:
main_user: "{{ main_user.stdout }}"
no_log: true
- name: Download
ansible.builtin.get_url:
url: "{{ paru_url }}"
dest: "/tmp/paru-{{ os_arch }}.tar.zst"
mode: "0644"
- name: Create paru sources dir
file:
path: "{{ paru_src_path }}"
state: directory
owner: "{{ main_user }}"
- name: Extract paru
ansible.builtin.command:
cmd: "tar -xf /tmp/paru-{{ os_arch }}.tar.zst paru -C /tmp"
- name: Clone git sources
become: false
git:
repo: "{{ paru_git_repo }}"
dest: "{{ paru_src_path }}"
- name: Install paru binary
ansible.builtin.command:
cmd: "mv /tmp/paru /usr/bin/paru"
# note: this only works because SUDOERS password prompt is disabled
- name: Build and install
become: false
command:
chdir: "{{ paru_src_path }}"
cmd: "makepkg -si -f --noconfirm"
- name: Ensure permissions
ansible.builtin.file:
path: /usr/bin/paru
mode: "0755"
- name: Restore sudo with password prompt
lineinfile:
dest: /etc/sudoers
state: present
regexp: "^#?%wheel"
line: "%wheel ALL=(ALL:ALL) ALL"
validate: /usr/sbin/visudo -cf %s
- name: Cleanup
ansible.builtin.file:
path: "/tmp/paru-{{ os_arch }}.tar.zst"
state: absent
when: not paru.stat.exists
##
## Deprecated version with compilation
##
# - name: Install paru
# block:
# - name: Install build dependencies
# package:
# name:
# - base-devel
# - git
# state: present
# - name: Disable sudo password prompt (makepkg sudoers hack)
# lineinfile:
# dest: /etc/sudoers
# state: present
# regexp: "^#?%wheel"
# line: "%wheel ALL=(ALL) NOPASSWD: ALL"
# validate: /usr/sbin/visudo -cf %s
# - command:
# cmd: whoami
# no_log: true
# become: false
# register: main_user
# - set_fact:
# main_user: "{{ main_user.stdout }}"
# no_log: true
# - name: Create paru sources dir
# file:
# path: "{{ paru_src_path }}"
# state: directory
# owner: "{{ main_user }}"
# - name: Clone git sources
# become: false
# git:
# repo: "{{ paru_git_repo }}"
# dest: "{{ paru_src_path }}"
# # note: this only works because SUDOERS password prompt is disabled
# - name: Build and install
# become: false
# command:
# chdir: "{{ paru_src_path }}"
# cmd: "makepkg -si -f --noconfirm"
# - name: Restore sudo with password prompt
# lineinfile:
# dest: /etc/sudoers
# state: present
# regexp: "^#?%wheel"
# line: "%wheel ALL=(ALL:ALL) ALL"
# validate: /usr/sbin/visudo -cf %s
# when: not paru.stat.exists
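Review bot: The binary fetched in the Download task is installed into /usr/bin as root with no integrity check and no version pin: the `latest` release is resolved at run time, the `paru_version` fact set in Extract tag_name is not used again in this hunk, and `get_url` is called without its `checksum:` parameter, so the task should at least pin a release tag and, if the project publishes digests, pass `checksum: "sha256:<PLACEHOLDER_DIGEST>"` (or the URL of the upstream checksum file). The staging path is also a fixed, predictable name in the shared /tmp directory (`/tmp/paru-{{ os_arch }}.tar.zst`, then `/tmp/paru`), which is fragile on a multi-user host; creating a private directory with `ansible.builtin.tempfile` and extracting there, or using `ansible.builtin.unarchive` with `remote_src: true`, avoids it. The conditional `when: "'{{ os_arch }}.tar.zst' in item.name"` embeds Jinja delimiters, which Ansible warns about; `when: (os_arch ~ '.tar.zst') in item.name` is the supported form, and an `ansible.builtin.assert` that `paru_url is defined` before Download would give a clearer failure when no asset matches. In `tar -xf /tmp/paru-{{ os_arch }}.tar.zst paru -C /tmp`, GNU tar applies `-C` to the operands that follow it, so I would move `-C /tmp` before the member name to be sure the file lands where the mv expects it. The enclosing block and the `paru` stat it is conditioned on start before the hunk, and the 50-line commented-out deprecated version at the end is better left to git history than kept in the task file.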


@ -1,9 +0,0 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The primary network interface
allow-hotplug {{ interface.name }}
iface {{ interface.name }} inet dhcp
# This is an autoconfigured IPv6 interface
iface {{ interface.name }} inet6 auto


@ -1,9 +1,24 @@
# {{ ansible_managed }}
# systemd.network(5)
[Match]
Name={{ interface.name }}
[Network]
[Address]
Address={{ interface.ipv4.address }}
Gateway={{ interface.ipv4.gateway }}
{% if interface.ipv4.metric is defined %}
RouteMetric={{ interface.ipv4.metric }}
{% endif %}
[Network]
{% for dns in interface.ipv4.nameservers %}
DNS={{ dns }}
{% endfor %}
{% if interface.ipv4.gateway is defined %}
[Route]
Gateway={{ interface.ipv4.gateway }}
{% if interface.ipv4.metric is defined %}
Metric={{ interface.ipv4.metric }}
{% endif %}
{% endif %}
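Review bot: `{% for dns in interface.ipv4.nameservers %}` is the one attribute the new template still reads unguarded: `gateway` and `metric` got `is defined` checks, but an interface entry without nameservers now fails the template instead of rendering a unit with no `DNS=` lines; `{% for dns in interface.ipv4.nameservers | default([]) %}` matches the other fields. Since `Address=` takes `addr/prefixlen` and the `[Route]` section is only rendered when a gateway exists, the header comment should state what the inventory must supply, e.g. `# interface.ipv4.address must include the prefix length (e.g. 192.0.2.10/24); gateway, metric and nameservers are optional` — I am inferring the prefix-length expectation from systemd's option syntax, not from the inventory, so confirm it. The same `interface.ipv4.metric` feeds both the `[Address]` `RouteMetric=` (prefix route) and the `[Route]` `Metric=` (default route), which is presumably the intent for ordering multiple NICs and is worth saying in that comment.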


@ -1,5 +1,5 @@
---
- name: Check if the interface is already named as expected
- name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule"
set_fact:
interface_original_name: "{{ ansible_facts.interfaces
| select('in', ansible_facts)


@ -1,5 +1,5 @@
---
- name: "Setup persistent network interface(s)"
- name: Setup persistent network interface(s)
include_role:
name: net-persist
public: yes
@ -7,7 +7,7 @@
interface: "{{ item }}"
loop: "{{ hostvars[inventory_hostname].network_interfaces | default([]) }}"
- name: "Configure network interface(s)"
- name: Configure network interface(s)
include_role:
name: net-config
public: yes


@ -19,7 +19,7 @@
name: "{{ ssh_service_name }}"
enabled: yes
- name: Allow SSH incoming connection on local network
- name: Allow local network incoming connection
ufw:
rule: allow
port: "{{ ssh_port }}"
@ -27,7 +27,7 @@
from: "{{ ssh_allowed_network }}"
direction: in
- name: Allow SSH incoming connection on vpn network
- name: Allow SSH VPN incoming connection
ufw:
rule: allow
port: "{{ ssh_port }}"
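Review bot: The new name `Allow local network incoming connection` drops the word SSH although the rule still only opens `{{ ssh_port }}` from `{{ ssh_allowed_network }}`, so it now reads like a blanket allow for the LAN and can be mis-trusted in a play log or by a later edit; `- name: Allow SSH incoming connection from local network` keeps the scope visible, and the VPN rename reads fine. The `ufw` task bodies themselves are unchanged by these hunks.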


@ -15,6 +15,9 @@
⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇
⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤
⠛⠛⠛⠛⠛⠁ ⠈⠛⠛⠛⠛⠛
*******************************************
Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
*******************************************
{% elif ansible_host == 'omega' %}
⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦
⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄
@ -29,6 +32,29 @@
⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏
⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄
⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉
{% elif ansible_host == 'pinwheel' %}
⢀⣠⣄⣀⣀⣀ ⣀⣤⣴⣶⡾⠿⠿⠿⠿⢷⣶⣦⣤⣀⡀
⢰⣿⡟⠛⠛⠛⠻⠿⠿⢿⣶⣶⣦⣤⣤⣀⣀⡀⣀⣴⣾⡿⠟⠋⠉ ⠉⠙⠻⢿⣷⣦⣀ ⢀⣀⣀⣀⣀⣀⣀⣀⡀
⠻⣿⣦⡀ ⠉⠓⠶⢦⣄⣀⠉⠉⠛⠛⠻⠿⠟⠋⠁ ⣤⡀ ⢠ ⣠ ⠈⠙⠻⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠛⢻⣿
⠈⠻⣿⣦ ⠈⠙⠻⢷⣶⣤⡀ ⢀⣀⡀ ⠙⢷⡀⠸⡇ ⣰⠇ ⢀⣀⣀ ⣀⣠⣤⣤⣶⡶⠶⠶⠒⠂ ⣠⣾⠟
⠈⢿⣷⡀ ⠈⢻⣿⡄⣠⣴⣿⣯⣭⣽⣷⣆ ⠁ ⢠⣾⣿⣿⣿⣿⣦⡀ ⣠⣾⠟⠋⠁ ⣠⣾⡟⠁
⠈⢻⣷⣄ ⣿⡗⢻⣿⣧⣽⣿⣿⣿⣧ ⣀⣀ ⢠⣿⣧⣼⣿⣿⣿⣿⠗⠰⣿⠃ ⣠⣾⡿⠋
⠙⢿⣶⣄⡀ ⠸⠃⠈⠻⣿⣿⣿⣿⣿⡿⠃⠾⣥⡬⠗⠸⣿⣿⣿⣿⣿⡿⠛ ⢀⡟ ⣀⣠⣾⡿⠋
⠉⠛⠿⣷⣶⣤⣤⣄⣰⣄ ⠉⠉⠉⠁ ⢀⣀⣠⣄⣀⡀ ⠉⠉⠉ ⢀⣠⣾⣥⣤⣤⣤⣶⣶⡿⠿⠛⠉
⠈⠉⢻⣿⠛⢿⣷⣦⣤⣴⣶⣶⣦⣤⣤⣤⣤⣬⣥⡴⠶⠾⠿⠿⠿⠿⠛⢛⣿⣿⣿⣯⡉⠁
⠈⣿⣧⡀⠈⠉ ⠈⠁⣾⠛⠉⠉ ⣀⣴⣿⠟⠉⣹⣿⣇
⢀⣸⣿⣿⣦⣀ ⢻⡀ ⢀⣠⣤⣶⣿⠋⣿⠛⠃ ⣈⣿⣿
⣿⡿⢿⡀⠈⢹⡿⠶⣶⣼⡇ ⢀⣀⣀⣤⣴⣾⠟⠋⣡⣿⡟ ⢻⣶⠶⣿⣿⠛⢯
⠘⣿⣷⡈⢿⣦⣸⠇⢀⡿⠿⠿⡿⠿⠿⣿⠛⠋⠁ ⣴⠟⣿⣧⡀⠈⢁⣰⣿⠏ ⠏⡆
⢸⣿⢻⣦⣈⣽⣀⣾⠃ ⢸⡇ ⢸⡇ ⢀⣠⡾⠋⢰⣿⣿⣿⣿⡿⠟⠋
⠘⠿⢿⣿⣿⡟⠛⠃ ⣾ ⢸⡇⠐⠿⠋ ⣿⢻⣿⣿
⢸⣿⠁⢀⡴⠋ ⣿ ⢸⠇ ⠁⢸⣿⣿
⢀⣿⡿⠟⠋ ⣿ ⣸ ⢸⣿⣿
⢸⣿⣁⣀ ⣿⡀ ⣿ ⢀⣈⣿⣿
⠘⠛⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠋
******************************************************************
May the shell be with you
******************************************************************
{% else %}
ACCESS DENIED - UNKNOWN STAR SYSTEM
{% endif %}
@ -39,9 +65,5 @@ will result in tracking and possible Force
action.
{% if ansible_hostname is defined %}
Server: {{ ansible_hostname }}
{{ group_names | first }}: {{ ansible_hostname }}
{% endif %}
*******************************************
Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
*******************************************
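Review bot: `{{ group_names | first }}` in the last hunk assumes every host belongs to at least one group and that the first one is the meaningful label: `group_names` is sorted alphabetically rather than by inventory order, so a host in several groups shows whichever group sorts first rather than its role, and on an empty list the `first` filter raises. A guard such as `{% if group_names | length > 0 %}` around that line, or a dedicated host var for the label, would make it robust; the other hunks only add art. The new `{% elif ansible_host == 'pinwheel' %}` branch follows the existing pattern of matching on `ansible_host`, which is the connection address and may be an IP rather than the inventory name depending on how the hosts file is written; `inventory_hostname` is always the inventory name, so confirm which value the inventory actually sets.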