chore: ansible-lint review (almost done)
This commit is contained in:
parent
3e469fa25e
commit
c79c445a23
@ -1,3 +1,4 @@
|
|||||||
---
|
---
|
||||||
skip_list:
|
skip_list:
|
||||||
- var-naming[no-role-prefix]
|
- var-naming[no-role-prefix]
|
||||||
|
- no-handler # Sequential task flows require immediate execution, not end-of-play handlers
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- hosts: marge
|
- name: Sample of a playbook
|
||||||
|
hosts: marge
|
||||||
become: true
|
become: true
|
||||||
roles:
|
roles:
|
||||||
- role: ntpd
|
|
||||||
- role: fail2ban
|
- role: fail2ban
|
||||||
- role: unbound
|
- role: unbound
|
||||||
|
|||||||
@ -1,6 +1,7 @@
|
|||||||
---
|
---
|
||||||
collections:
|
collections:
|
||||||
- name: ansible.netcommon
|
- name: ansible.netcommon
|
||||||
|
- name: ansible.posix
|
||||||
- name: community.general
|
- name: community.general
|
||||||
- name: community.postgresql
|
- name: community.postgresql
|
||||||
- name: containers.podman
|
- name: containers.podman
|
||||||
|
|||||||
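Review bot: The new `- name: ansible.posix` entry, like the existing ones, carries no `version:` key, so each `ansible-galaxy install` resolves to whatever the newest published release is at that moment. Pinning every collection with `version: "<pinned version>"` makes installs reproducible and stops an upstream release from silently changing module behaviour on the next run. A lockfile-style pin is the one supply-chain control this requirements file can offer.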
@ -1,15 +1,21 @@
|
|||||||
---
|
---
|
||||||
- name: Configure locales
|
- name: Configure locales
|
||||||
block:
|
block:
|
||||||
- name: Activate locale
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: localectl set-locale LANG={{ arch_locale }}
|
|
||||||
- name: Edit /etc/locale.gen
|
- name: Edit /etc/locale.gen
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/locale.gen
|
dest: /etc/locale.gen
|
||||||
state: present
|
state: present
|
||||||
regexp: "{{ arch_locale }}"
|
regexp: "{{ arch_locale }}"
|
||||||
line: "{{ arch_locale }} UTF-8"
|
line: "{{ arch_locale }} UTF-8"
|
||||||
|
register: locale_gen_changed
|
||||||
|
|
||||||
- name: Regenerate locales
|
- name: Regenerate locales
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: locale-gen
|
cmd: locale-gen
|
||||||
|
when: locale_gen_changed is changed
|
||||||
|
changed_when: true
|
||||||
|
|
||||||
|
- name: Activate locale
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: localectl set-locale LANG={{ arch_locale }}
|
||||||
|
changed_when: false
|
||||||
|
|||||||
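Review bot: `changed_when: false` on the relocated "Activate locale" task hides a real state change: `localectl set-locale LANG=…` rewrites the system locale on every run, so the play always reports it as unchanged and any drift becomes invisible. The lint finding was about a command with no change reporting, and the honest fix is to make the task idempotent rather than to silence it, for example `ansible.builtin.lineinfile` on `/etc/locale.conf` with `regexp: "^LANG="` and `line: "LANG={{ arch_locale }}"`, which on systemd hosts is the file `localectl` writes. If the command must stay, key `changed_when` on a preceding `localectl status` check instead of `false`.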
@ -77,12 +77,19 @@
|
|||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: Extract paru
|
- name: Extract paru
|
||||||
ansible.builtin.command:
|
ansible.builtin.unarchive:
|
||||||
cmd: "tar -xf /tmp/paru-{{ os_arch }}.tar.zst paru -C /tmp"
|
src: "/tmp/paru-{{ os_arch }}.tar.zst"
|
||||||
|
dest: /tmp
|
||||||
|
remote_src: true
|
||||||
|
extra_opts:
|
||||||
|
- paru
|
||||||
|
|
||||||
- name: Install paru binary
|
- name: Install paru binary
|
||||||
ansible.builtin.command:
|
ansible.builtin.copy:
|
||||||
cmd: "mv /tmp/paru /usr/bin/paru"
|
src: /tmp/paru
|
||||||
|
dest: /usr/bin/paru
|
||||||
|
remote_src: true
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Ensure permissions
|
- name: Ensure permissions
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
|||||||
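Review bot: The unarchive/copy pair still stages the binary in the world-writable `/tmp` and then installs `/tmp/paru` into `/usr/bin/paru` as root, so on a multi-user host another local account can replace the staged file between the two tasks; the old `tar`/`mv` pair had the same exposure and the commit does not address it. Staging through a private directory created with `ansible.builtin.tempfile` (`state: directory`) and pointing `dest:` of the unarchive and `src:` of the copy at it closes that window. If the download task above the hunk does not verify a `checksum:` on the archive, that is the other half of the fix; the download itself is outside this hunk.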
4
roles/disks/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
- name: Systemd daemon reload
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
@ -23,11 +23,7 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
register: timer_config
|
register: timer_config
|
||||||
|
notify: Systemd daemon reload
|
||||||
- name: Systemd daemon reload
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
daemon_reload: true
|
|
||||||
when: timer_config.changed
|
|
||||||
|
|
||||||
- name: Enable periodic trim
|
- name: Enable periodic trim
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
|
|||||||
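Review bot: `register: timer_config` on the timer task is now dead: its only consumer, the inline daemon-reload task guarded by `when: timer_config.changed`, is removed in favour of `notify: Systemd daemon reload`, so the `register:` line should go too. More importantly, a handler only runs at the end of the play (or at a `meta: flush_handlers`), whereas the "Enable periodic trim" task right below now tries to enable the unit before systemd has reloaded; if the timer unit is new, that task can fail or act on stale unit state. Add `- ansible.builtin.meta: flush_handlers` between the two tasks, or set `daemon_reload: true` directly on the enable task — note the `.ansible-lint` skip comment in this same commit says exactly that sequential flows need immediate execution.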
4
roles/docker/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
- name: Inform user to relogin
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "Please logout and login again to make sure the user is added to the docker group"
|
||||||
@ -35,9 +35,4 @@
|
|||||||
name: "{{ ansible_user }}"
|
name: "{{ ansible_user }}"
|
||||||
groups: docker
|
groups: docker
|
||||||
append: true
|
append: true
|
||||||
register: docker_group
|
notify: Inform user to relogin
|
||||||
|
|
||||||
- name: Inform the user that user needs to logout and login again
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "Please logout and login again to make sure the user is added to the docker group"
|
|
||||||
when: docker_group.changed
|
|
||||||
|
|||||||
@ -4,13 +4,18 @@
|
|||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
|
|
||||||
- name: Reload systemd user
|
- name: Reload systemd user
|
||||||
ansible.builtin.command: "systemctl --user daemon-reload"
|
ansible.builtin.systemd:
|
||||||
become: true
|
daemon_reload: true
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Restart gitea
|
- name: Restart gitea
|
||||||
ansible.builtin.command: "systemctl --user restart gitea.service"
|
ansible.builtin.systemd:
|
||||||
become: true
|
name: gitea.service
|
||||||
|
state: restarted
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Reload nginx
|
- name: Reload nginx
|
||||||
|
|||||||
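Review bot: `become_user: "{{ ansible_user }}"` is kept on both handlers but is now paired with `become: false`, and `become_user` has no effect while `become` is off, so these user-scope systemd calls run as whatever account the connection uses. That is correct only when the connection user is `ansible_user`; if a play connects as a different login and relied on the previous `become: true` to switch, the reload and restart now act on the wrong user's instance. Either drop the dead `become_user` line or keep `become: true` together with `become_user` so the intent is explicit. The same pairing appears in the immich, ntfy and uptime-kuma handlers and in every "(user scope)" service task in this commit.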
@ -14,6 +14,7 @@
|
|||||||
name: "{{ gitea_postgres_user }}"
|
name: "{{ gitea_postgres_user }}"
|
||||||
password: "{{ gitea_postgres_password }}"
|
password: "{{ gitea_postgres_password }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user }}"
|
become_user: "{{ postgres_admin_user }}"
|
||||||
|
|
||||||
- name: Create PostgreSQL database for Gitea
|
- name: Create PostgreSQL database for Gitea
|
||||||
@ -21,6 +22,7 @@
|
|||||||
name: "{{ gitea_postgres_db_name }}"
|
name: "{{ gitea_postgres_db_name }}"
|
||||||
owner: "{{ gitea_postgres_user }}"
|
owner: "{{ gitea_postgres_user }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user }}"
|
become_user: "{{ postgres_admin_user }}"
|
||||||
|
|
||||||
- name: Grant all privileges on database to Gitea user
|
- name: Grant all privileges on database to Gitea user
|
||||||
@ -30,6 +32,7 @@
|
|||||||
type: database
|
type: database
|
||||||
privs: ALL
|
privs: ALL
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user }}"
|
become_user: "{{ postgres_admin_user }}"
|
||||||
|
|
||||||
- name: Ensure Gitea user has no superuser privileges
|
- name: Ensure Gitea user has no superuser privileges
|
||||||
@ -37,6 +40,7 @@
|
|||||||
name: "{{ gitea_postgres_user }}"
|
name: "{{ gitea_postgres_user }}"
|
||||||
role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE
|
role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Create PostgreSQL schema for Gitea
|
- name: Create PostgreSQL schema for Gitea
|
||||||
@ -45,6 +49,7 @@
|
|||||||
database: "{{ gitea_postgres_db_name }}"
|
database: "{{ gitea_postgres_db_name }}"
|
||||||
owner: "{{ gitea_postgres_user }}"
|
owner: "{{ gitea_postgres_user }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Grant schema permissions to Gitea user
|
- name: Grant schema permissions to Gitea user
|
||||||
@ -55,6 +60,7 @@
|
|||||||
objs: "{{ gitea_postgres_schema }}"
|
objs: "{{ gitea_postgres_schema }}"
|
||||||
privs: CREATE,USAGE
|
privs: CREATE,USAGE
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Create Gitea project directory
|
- name: Create Gitea project directory
|
||||||
@ -113,7 +119,12 @@
|
|||||||
when: ansible_user != 'root'
|
when: ansible_user != 'root'
|
||||||
|
|
||||||
- name: Enable and start Gitea service (user scope)
|
- name: Enable and start Gitea service (user scope)
|
||||||
ansible.builtin.command: "systemctl --user enable --now gitea.service"
|
ansible.builtin.systemd:
|
||||||
|
name: gitea.service
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Deploy nginx vhost configuration for Gitea
|
- name: Deploy nginx vhost configuration for Gitea
|
||||||
|
|||||||
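Review bot: Adding `become: false` next to `become_user: "{{ postgres_admin_user }}"` on the PostgreSQL user, database, privilege and schema tasks means the switch to the database admin account no longer happens: `become_user` is only honoured when `become` is true, so these tasks now run as the connection user, which on peer-authenticated installs cannot create roles, databases or schemas. The lint rule being satisfied here is the one that says `become_user` requires `become`; the fix that preserves behaviour is `become: true` on these tasks, not `become: false`. The same pattern recurs in the immich tasks, in the postgres role's `initdb` and admin-password tasks, and in the static-web tasks that switch to `nginx_user`.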
@ -4,13 +4,18 @@
|
|||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
|
|
||||||
- name: Reload systemd user
|
- name: Reload systemd user
|
||||||
ansible.builtin.command: "systemctl --user daemon-reload"
|
ansible.builtin.systemd:
|
||||||
become: true
|
daemon_reload: true
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Restart Immich
|
- name: Restart Immich
|
||||||
ansible.builtin.command: "systemctl --user restart immich.service"
|
ansible.builtin.systemd:
|
||||||
become: true
|
name: immich.service
|
||||||
|
state: restarted
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Reload nginx
|
- name: Reload nginx
|
||||||
|
|||||||
@ -16,6 +16,7 @@
|
|||||||
name: "{{ immich_postgres_db_name }}"
|
name: "{{ immich_postgres_db_name }}"
|
||||||
owner: "{{ immich_postgres_user }}"
|
owner: "{{ immich_postgres_user }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Create PostgreSQL user for Immich
|
- name: Create PostgreSQL user for Immich
|
||||||
@ -23,6 +24,7 @@
|
|||||||
name: "{{ immich_postgres_user }}"
|
name: "{{ immich_postgres_user }}"
|
||||||
password: "{{ immich_postgres_password }}"
|
password: "{{ immich_postgres_password }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Grant all privileges on database to Immich user
|
- name: Grant all privileges on database to Immich user
|
||||||
@ -32,6 +34,7 @@
|
|||||||
type: database
|
type: database
|
||||||
privs: ALL
|
privs: ALL
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Ensure Immich user has no superuser privileges
|
- name: Ensure Immich user has no superuser privileges
|
||||||
@ -39,6 +42,7 @@
|
|||||||
name: "{{ immich_postgres_user }}"
|
name: "{{ immich_postgres_user }}"
|
||||||
role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE
|
role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Enable required PostgreSQL extensions in Immich database
|
- name: Enable required PostgreSQL extensions in Immich database
|
||||||
@ -46,6 +50,7 @@
|
|||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
login_db: "{{ immich_postgres_db_name }}"
|
login_db: "{{ immich_postgres_db_name }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
loop:
|
loop:
|
||||||
- cube
|
- cube
|
||||||
@ -60,6 +65,7 @@
|
|||||||
objs: public
|
objs: public
|
||||||
privs: CREATE,USAGE
|
privs: CREATE,USAGE
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
become_user: "{{ postgres_admin_user | default('postgres') }}"
|
||||||
|
|
||||||
- name: Create Immich project directory
|
- name: Create Immich project directory
|
||||||
@ -120,7 +126,12 @@
|
|||||||
when: ansible_user != 'root'
|
when: ansible_user != 'root'
|
||||||
|
|
||||||
- name: Enable and start Immich service (user scope)
|
- name: Enable and start Immich service (user scope)
|
||||||
ansible.builtin.command: "systemctl --user enable --now immich.service"
|
ansible.builtin.systemd:
|
||||||
|
name: immich.service
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Deploy nginx vhost configuration for Immich
|
- name: Deploy nginx vhost configuration for Immich
|
||||||
|
|||||||
@ -1,4 +1,5 @@
|
|||||||
---
|
---
|
||||||
- name: install oryx
|
- name: Install oryx
|
||||||
cmd: paru -S oryx
|
ansible.builtin.command: paru -S --noconfirm oryx
|
||||||
when: ansible_facts['os_family'] == 'Archlinux'
|
when: ansible_facts['os_family'] == 'Archlinux'
|
||||||
|
changed_when: false
|
||||||
|
|||||||
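Review bot: `changed_when: false` on `paru -S --noconfirm oryx` hides a real package installation, and `--noconfirm` on an AUR helper also skips review of the fetched PKGBUILD, which is build code executed on the host. Prefer `community.general.pacman` with `name: oryx` and `executable: paru`, which reports change correctly and removes the need for the override; if the command must stay, guard it with a presence check and an honest `changed_when`. Also worth checking against the play-level `become: true`: paru, like most AUR helpers, refuses to build as root by default, so this task may need `become: false` plus a real user.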
@ -7,7 +7,7 @@
|
|||||||
- name: Process ethernet interface persistence
|
- name: Process ethernet interface persistence
|
||||||
when: interface.type is not defined or interface.type == 'ethernet'
|
when: interface.type is not defined or interface.type == 'ethernet'
|
||||||
block:
|
block:
|
||||||
- name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule"
|
- name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address }})"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}"
|
interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}"
|
||||||
|
|
||||||
@ -6,8 +6,8 @@ This role configures the networking on the target machine.
|
|||||||
|
|
||||||
Roles:
|
Roles:
|
||||||
|
|
||||||
- net-persist
|
- net_persist
|
||||||
- net-config
|
- net_config
|
||||||
|
|
||||||
## Inventory Variables
|
## Inventory Variables
|
||||||
|
|
||||||
|
|||||||
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
- name: Setup persistent network interface(s)
|
- name: Setup persistent network interface(s)
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: net-persist
|
name: net_persist
|
||||||
public: true
|
public: true
|
||||||
vars:
|
vars:
|
||||||
interface: "{{ item }}"
|
interface: "{{ item }}"
|
||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
- name: Configure network interface(s)
|
- name: Configure network interface(s)
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: net-config
|
name: net_config
|
||||||
public: true
|
public: true
|
||||||
vars:
|
vars:
|
||||||
interface: "{{ item }}"
|
interface: "{{ item }}"
|
||||||
|
|||||||
@ -4,13 +4,18 @@
|
|||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
|
|
||||||
- name: Reload systemd user
|
- name: Reload systemd user
|
||||||
ansible.builtin.command: "systemctl --user daemon-reload"
|
ansible.builtin.systemd:
|
||||||
become: true
|
daemon_reload: true
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Restart ntfy
|
- name: Restart ntfy
|
||||||
ansible.builtin.command: "systemctl --user restart ntfy.service"
|
ansible.builtin.systemd:
|
||||||
become: true
|
name: ntfy.service
|
||||||
|
state: restarted
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Reload nginx
|
- name: Reload nginx
|
||||||
|
|||||||
@ -77,7 +77,12 @@
|
|||||||
when: ansible_user != 'root'
|
when: ansible_user != 'root'
|
||||||
|
|
||||||
- name: Enable and start ntfy service (user scope)
|
- name: Enable and start ntfy service (user scope)
|
||||||
ansible.builtin.command: "systemctl --user enable --now ntfy.service"
|
ansible.builtin.systemd:
|
||||||
|
name: ntfy.service
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Wait for ntfy to be ready
|
- name: Wait for ntfy to be ready
|
||||||
@ -92,21 +97,26 @@
|
|||||||
register: ntfy_user_list
|
register: ntfy_user_list
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Create admin user in ntfy
|
- name: Create admin user in ntfy
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: |
|
||||||
|
set -o pipefail
|
||||||
printf '%s\n%s\n' '{{ ntfy_admin_password }}' '{{ ntfy_admin_password }}' | podman exec -i ntfy-server ntfy user add --role=admin {{ ntfy_admin_user }}
|
printf '%s\n%s\n' '{{ ntfy_admin_password }}' '{{ ntfy_admin_password }}' | podman exec -i ntfy-server ntfy user add --role=admin {{ ntfy_admin_user }}
|
||||||
when: ntfy_admin_user not in ntfy_user_list.stdout
|
when: ntfy_admin_user not in ntfy_user_list.stdout
|
||||||
register: ntfy_user_create
|
register: ntfy_user_create
|
||||||
changed_when: ntfy_user_create.rc == 0
|
changed_when: ntfy_user_create.rc == 0
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Set admin user password
|
- name: Set admin user password
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: |
|
||||||
|
set -o pipefail
|
||||||
printf '%s\n%s\n' '{{ ntfy_admin_password }}' '{{ ntfy_admin_password }}' | podman exec -i ntfy-server ntfy user change-pass {{ ntfy_admin_user }}
|
printf '%s\n%s\n' '{{ ntfy_admin_password }}' '{{ ntfy_admin_password }}' | podman exec -i ntfy-server ntfy user change-pass {{ ntfy_admin_user }}
|
||||||
when: ntfy_admin_user in ntfy_user_list.stdout
|
when: ntfy_admin_user in ntfy_user_list.stdout
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Deploy nginx vhost configuration for ntfy
|
- name: Deploy nginx vhost configuration for ntfy
|
||||||
|
|||||||
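Review bot: The admin password is spliced into the shell line as `'{{ ntfy_admin_password }}'` in both tasks, so a value containing a single quote breaks out of the quoting, and the full command line — password included — lands in verbose output and in the `register`ed result unless the tasks carry `no_log: true`. Pass it through the quote filter, `'{{ ntfy_admin_password | quote }}'` becomes `{{ ntfy_admin_password | quote }}`, and add `no_log: true` to both tasks. Separately, the newly added `set -o pipefail` is a bash option: if the remote `/bin/sh` is dash (the Debian default), the script fails on that line, so pair it with `args:` / `executable: /bin/bash` here and in the unbound task that receives the same line.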
@ -35,4 +35,5 @@
|
|||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: initdb -D {{ postgres_data_dir }}
|
cmd: initdb -D {{ postgres_data_dir }}
|
||||||
creates: "{{ postgres_data_dir }}/PG_VERSION"
|
creates: "{{ postgres_data_dir }}/PG_VERSION"
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user }}"
|
become_user: "{{ postgres_admin_user }}"
|
||||||
|
|||||||
@ -97,4 +97,5 @@
|
|||||||
name: "{{ postgres_admin_user }}"
|
name: "{{ postgres_admin_user }}"
|
||||||
password: "{{ postgres_admin_password }}"
|
password: "{{ postgres_admin_password }}"
|
||||||
state: present
|
state: present
|
||||||
|
become: false
|
||||||
become_user: "{{ postgres_admin_user }}"
|
become_user: "{{ postgres_admin_user }}"
|
||||||
|
|||||||
5
roles/sshd/handlers/main.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- name: Restart SSH service
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ ssh_service_name }}"
|
||||||
|
state: restarted
|
||||||
@ -1,26 +1,27 @@
|
|||||||
---
|
---
|
||||||
- include_vars: "{{ item }}"
|
- name: Load OS-specific variables
|
||||||
|
ansible.builtin.include_vars: "{{ item }}"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- "vars/{{ ansible_facts['os_family'] }}.yml"
|
- "vars/{{ ansible_facts['os_family'] }}.yml"
|
||||||
- "vars/debian.yml"
|
- "vars/debian.yml"
|
||||||
|
|
||||||
- name: Install OpenSSH
|
- name: Install OpenSSH
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: "{{ ssh_package_name }}"
|
name: "{{ ssh_package_name }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install UFW
|
- name: Install UFW
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: ufw
|
name: ufw
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Enable SSH
|
- name: Enable SSH
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: "{{ ssh_service_name }}"
|
name: "{{ ssh_service_name }}"
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: Allow local network incoming connection
|
- name: Allow local network incoming connection
|
||||||
ufw:
|
community.general.ufw:
|
||||||
rule: allow
|
rule: allow
|
||||||
port: "{{ ssh_port }}"
|
port: "{{ ssh_port }}"
|
||||||
proto: tcp
|
proto: tcp
|
||||||
@ -29,7 +30,7 @@
|
|||||||
comment: "SSH from local network"
|
comment: "SSH from local network"
|
||||||
|
|
||||||
- name: Allow SSH VPN incoming connection
|
- name: Allow SSH VPN incoming connection
|
||||||
ufw:
|
community.general.ufw:
|
||||||
rule: allow
|
rule: allow
|
||||||
port: "{{ ssh_port }}"
|
port: "{{ ssh_port }}"
|
||||||
proto: tcp
|
proto: tcp
|
||||||
@ -37,36 +38,41 @@
|
|||||||
direction: in
|
direction: in
|
||||||
comment: "SSH from VPN network"
|
comment: "SSH from VPN network"
|
||||||
|
|
||||||
- name: Add SSH public key to authorized_keys
|
# TODO
|
||||||
authorized_key:
|
# - name: Add SSH public key to authorized_keys
|
||||||
user: "{{ item }}"
|
# authorized_key:
|
||||||
state: present
|
# user: "{{ item }}"
|
||||||
key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
# state: present
|
||||||
comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
|
# key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
||||||
loop: "{{ ssh_users.split() }}"
|
# comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
|
||||||
|
# loop: "{{ ssh_users.split() }}"
|
||||||
|
|
||||||
- name: Authorized keys fallback
|
- name: Authorized keys fallback (when home cannot be mounted)
|
||||||
|
when: ssh_authorized_keys_fallback_enabled
|
||||||
block:
|
block:
|
||||||
- name: Create the directory
|
- name: Create the directory
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ ssh_authorized_keys_fallback_dir }}"
|
path: "{{ ssh_authorized_keys_fallback_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Backup authorized_keys out of HOME dir (if unavailable at startup)
|
- name: Backup authorized_keys out of HOME dir (if unavailable at startup)
|
||||||
command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}"
|
ansible.builtin.command: "cp /home/{{ item }}/.ssh/authorized_keys {{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
|
||||||
loop: "{{ ssh_users.split() }}"
|
loop: "{{ ssh_users.split() }}"
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: Fix ownership
|
- name: Fix ownership
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
|
path: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
|
||||||
owner: "{{ item }}"
|
owner: "{{ item }}"
|
||||||
group: "{{ item }}"
|
group: "{{ item }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
loop: "{{ ssh_users.split() }}"
|
loop: "{{ ssh_users.split() }}"
|
||||||
when: ssh_authorized_keys_fallback_enabled
|
|
||||||
|
|
||||||
- name: Create an SSH banner
|
- name: Create an SSH banner
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: templates/sshd_banner.j2
|
src: templates/sshd_banner.j2
|
||||||
dest: "{{ sshd_banner }}"
|
dest: "{{ sshd_banner }}"
|
||||||
owner: root
|
owner: root
|
||||||
@ -74,27 +80,33 @@
|
|||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: Remove motd on Debian
|
- name: Remove motd on Debian
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/motd
|
path: /etc/motd
|
||||||
state: absent
|
state: absent
|
||||||
when: ansible_facts['os_family'] == 'Debian'
|
when: ansible_facts['os_family'] == 'Debian'
|
||||||
|
|
||||||
- name: Hardening sshd_config
|
- name: Hardening sshd_config
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: templates/sshd_config.j2
|
src: templates/sshd_config.j2
|
||||||
dest: "{{ sshd_config }}"
|
dest: "{{ sshd_config }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
validate: "{{ sshd_binary }} -t -f %s"
|
validate: "{{ sshd_binary }} -t -f %s"
|
||||||
register: ssh_hardening_task
|
notify: Restart SSH service
|
||||||
|
|
||||||
- name: Restart SSH service
|
|
||||||
service:
|
|
||||||
name: "{{ ssh_service_name }}"
|
|
||||||
state: restarted
|
|
||||||
when: ssh_hardening_task.changed
|
|
||||||
|
|
||||||
- name: Enable UFW
|
- name: Enable UFW
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
|
|
||||||
|
- name: Enable UFW service at startup
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: ufw
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Start and enable fail2ban
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: fail2ban
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|||||||
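Review bot: Commenting out the `authorized_key` task (the `# TODO` stanza) removes the only key deployment in this role while "Hardening sshd_config" still installs `sshd_config.j2` and now notifies a restart; if that template disables password authentication, a host that has no key in place from elsewhere is locked out on the next run, so a `when:`-guarded task is a safer way to park it than a comment. The fallback copy, `ansible.builtin.command: "cp …"` with `changed_when: false`, overwrites the file every run without reporting it; `ansible.builtin.copy` with `remote_src: true` is idempotent, reports change, and can set ownership and mode itself, which makes the following "Fix ownership" task redundant. The new "Start and enable fail2ban" task presumably overlaps the `fail2ban` role listed in the playbook and will fail here if that role is what installs the package.
```yaml
    - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
      ansible.builtin.copy:
        src: "/home/{{ item }}/.ssh/authorized_keys"
        dest: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
        remote_src: true
        owner: "{{ item }}"
        group: "{{ item }}"
        mode: "0600"
      loop: "{{ ssh_users.split() }}"
    # … unchanged: "Fix ownership" task can be dropped once copy sets owner/group/mode …
```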
@ -37,6 +37,7 @@
|
|||||||
force: true
|
force: true
|
||||||
loop: "{{ static_web_sites | dict2items }}"
|
loop: "{{ static_web_sites | dict2items }}"
|
||||||
when: static_web_sites | length > 0
|
when: static_web_sites | length > 0
|
||||||
|
become: false
|
||||||
become_user: "{{ nginx_user }}"
|
become_user: "{{ nginx_user }}"
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
|
|
||||||
@ -49,6 +50,7 @@
|
|||||||
- static_web_sites | length > 0
|
- static_web_sites | length > 0
|
||||||
- item.value.build_command is defined
|
- item.value.build_command is defined
|
||||||
- item.value.build_command | length > 0
|
- item.value.build_command | length > 0
|
||||||
|
become: false
|
||||||
become_user: "{{ nginx_user }}"
|
become_user: "{{ nginx_user }}"
|
||||||
changed_when: true
|
changed_when: true
|
||||||
|
|
||||||
@ -16,3 +16,9 @@
|
|||||||
name: bottom
|
name: bottom
|
||||||
state: present
|
state: present
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Install wget
|
||||||
|
package:
|
||||||
|
name: wget
|
||||||
|
state: present
|
||||||
|
changed_when: false
|
||||||
|
|||||||
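Review bot: The new "Install wget" task uses the bare `package:` module name and `changed_when: false`, both at odds with the rest of this lint pass: the FQCN is `ansible.builtin.package`, and the package module already reports change only when it installs something, so the override just hides real installs. Change the module line to `ansible.builtin.package:` and drop the `changed_when` line; the "bottom" task in the context lines above carries the same unnecessary override.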
@ -97,6 +97,7 @@
|
|||||||
|
|
||||||
- name: Convert hosts file to unbound format
|
- name: Convert hosts file to unbound format
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: |
|
||||||
|
set -o pipefail
|
||||||
grep '^0\.0\.0\.0' /tmp/hosts.txt | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > "{{ unbound_ad_servers_config_path }}" &&
|
grep '^0\.0\.0\.0' /tmp/hosts.txt | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > "{{ unbound_ad_servers_config_path }}" &&
|
||||||
chown unbound:unbound "{{ unbound_ad_servers_config_path }}"
|
chown unbound:unbound "{{ unbound_ad_servers_config_path }}"
|
||||||
args:
|
args:
|
||||||
|
|||||||
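Review bot: The pipeline reads `/tmp/hosts.txt` and writes the generated `local-zone` list into the unbound config as root, so any local account that can create `/tmp/hosts.txt` before this task runs decides which names unbound sinkholes; the added `set -o pipefail` does not change that. Fetching the list into a private `ansible.builtin.tempfile` directory, or into a root-owned path, removes the dependency on a predictable name in a shared `/tmp`; the download task is outside this hunk. The `set -o pipefail` line also needs `executable: /bin/bash` under the existing `args:` if the remote `/bin/sh` is dash.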
@ -4,13 +4,18 @@
|
|||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
|
|
||||||
- name: Reload systemd user
|
- name: Reload systemd user
|
||||||
ansible.builtin.command: "systemctl --user daemon-reload"
|
ansible.builtin.systemd:
|
||||||
become: true
|
daemon_reload: true
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Restart uptime-kuma
|
- name: Restart uptime-kuma
|
||||||
ansible.builtin.command: "systemctl --user restart uptime-kuma.service"
|
ansible.builtin.systemd:
|
||||||
become: true
|
name: uptime-kuma.service
|
||||||
|
state: restarted
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Reload nginx
|
- name: Reload nginx
|
||||||
@ -55,7 +55,12 @@
|
|||||||
when: ansible_user != 'root'
|
when: ansible_user != 'root'
|
||||||
|
|
||||||
- name: Enable and start uptime-kuma service (user scope)
|
- name: Enable and start uptime-kuma service (user scope)
|
||||||
ansible.builtin.command: "systemctl --user enable --now uptime-kuma.service"
|
ansible.builtin.systemd:
|
||||||
|
name: uptime-kuma.service
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
scope: user
|
||||||
|
become: false
|
||||||
become_user: "{{ ansible_user }}"
|
become_user: "{{ ansible_user }}"
|
||||||
|
|
||||||
- name: Deploy nginx vhost configuration for uptime-kuma
|
- name: Deploy nginx vhost configuration for uptime-kuma
|
||||||
@ -20,3 +20,10 @@
|
|||||||
else
|
else
|
||||||
grub-mkconfig -o /boot/grub/grub.cfg
|
grub-mkconfig -o /boot/grub/grub.cfg
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
- name: Warn user about reboot requirement
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: |
|
||||||
|
WARNING: GRUB configuration has been updated with transparent_hugepage=madvise
|
||||||
|
A REBOOT IS REQUIRED for this change to take effect permanently.
|
||||||
|
The setting has been applied at runtime temporarily.
|
||||||
|
|||||||
@ -20,8 +20,9 @@
|
|||||||
line: '\1 transparent_hugepage=madvise"'
|
line: '\1 transparent_hugepage=madvise"'
|
||||||
backrefs: true
|
backrefs: true
|
||||||
when: thp_check.rc != 0
|
when: thp_check.rc != 0
|
||||||
notify: Update GRUB
|
notify:
|
||||||
register: grub_updated
|
- Update GRUB
|
||||||
|
- Warn user about reboot requirement
|
||||||
|
|
||||||
- name: Check current THP runtime setting
|
- name: Check current THP runtime setting
|
||||||
ansible.builtin.shell: cat /sys/kernel/mm/transparent_hugepage/enabled
|
ansible.builtin.shell: cat /sys/kernel/mm/transparent_hugepage/enabled
|
||||||
@ -33,11 +34,3 @@
|
|||||||
echo madvise > /sys/kernel/mm/transparent_hugepage/enabled
|
echo madvise > /sys/kernel/mm/transparent_hugepage/enabled
|
||||||
echo madvise > /sys/kernel/mm/transparent_hugepage/defrag
|
echo madvise > /sys/kernel/mm/transparent_hugepage/defrag
|
||||||
when: "'[madvise]' not in current_thp.stdout"
|
when: "'[madvise]' not in current_thp.stdout"
|
||||||
|
|
||||||
- name: Warn user about reboot requirement
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: |
|
|
||||||
WARNING: GRUB configuration has been updated with transparent_hugepage=madvise
|
|
||||||
A REBOOT IS REQUIRED for this change to take effect permanently.
|
|
||||||
The setting has been applied at runtime temporarily.
|
|
||||||
when: grub_updated is changed
|
|
||||||
|
|||||||
@ -17,9 +17,7 @@
|
|||||||
when: zfs_pools is defined
|
when: zfs_pools is defined
|
||||||
|
|
||||||
- name: Creating basic zpool(s)
|
- name: Creating basic zpool(s)
|
||||||
ansible.builtin.command:
|
ansible.builtin.command: "zpool create {{ '-o ' + item.options.items() | map('join', '=') | join(' -o ') if item.options is defined else '' }} {{ item.name }} {{ item.devices | join(' ') }}"
|
||||||
"zpool create {{ '-o '+ item.options.items() |map('join', '=') | join (' -o ') if item.options is defined else '' }} {{ item.name }} {{
|
|
||||||
item.devices|join (' ') }}"
|
|
||||||
with_items: "{{ zfs_pools }}"
|
with_items: "{{ zfs_pools }}"
|
||||||
when:
|
when:
|
||||||
- zfs_pools is defined
|
- zfs_pools is defined
|
||||||
@ -29,9 +27,7 @@
|
|||||||
- item.devices[0] not in zpool_devices.stdout
|
- item.devices[0] not in zpool_devices.stdout
|
||||||
|
|
||||||
- name: Creating mirror/zraid zpool(s)
|
- name: Creating mirror/zraid zpool(s)
|
||||||
ansible.builtin.command:
|
ansible.builtin.command: "zpool create {{ '-o ' + item.options.items() | map('join', '=') | join(' -o ') if item.options is defined else '' }} {{ item.name }} {{ item.type }} {{ item.devices | join(' ') }}"
|
||||||
"zpool create {{ '-o '+ item.options.items() |map('join', '=') | join (' -o ') if item.options is defined else '' }} {{ item.name }} {{
|
|
||||||
item.type }} {{ item.devices|join (' ') }}"
|
|
||||||
with_items: "{{ zfs_pools }}"
|
with_items: "{{ zfs_pools }}"
|
||||||
when:
|
when:
|
||||||
- zfs_pools is defined
|
- zfs_pools is defined
|
||||||
|
|||||||
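Review bot: Flattening the two `zpool create` templates onto single ~200-character lines trades the old mid-expression line break for lines that trip yamllint's line-length rule and are hard to review. A folded block scalar keeps each readable while still yielding one command: `ansible.builtin.command:` / `cmd: >-` followed by the `zpool create …` expression split across continuation lines. The same applies to the mirror/zraid task in the second hunk.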
@ -24,18 +24,12 @@
|
|||||||
update: true
|
update: true
|
||||||
version: master
|
version: master
|
||||||
loop:
|
loop:
|
||||||
- {
|
- repo: https://github.com/zsh-users/zsh-syntax-highlighting.git
|
||||||
repo: https://github.com/zsh-users/zsh-syntax-highlighting.git,
|
dest: "{{ zsh_plugins_path }}/zsh-syntax-highlighting"
|
||||||
dest: "{{ zsh_plugins_path }}/zsh-syntax-highlighting",
|
- repo: https://github.com/zsh-users/zsh-autosuggestions.git
|
||||||
}
|
dest: "{{ zsh_plugins_path }}/zsh-autosuggestions"
|
||||||
- {
|
- repo: https://github.com/romkatv/powerlevel10k.git
|
||||||
repo: https://github.com/zsh-users/zsh-autosuggestions.git,
|
dest: "{{ zsh_plugins_path }}/powerlevel10k"
|
||||||
dest: "{{ zsh_plugins_path }}/zsh-autosuggestions",
|
|
||||||
}
|
|
||||||
- {
|
|
||||||
repo: https://github.com/romkatv/powerlevel10k.git,
|
|
||||||
dest: "{{ zsh_plugins_path }}/powerlevel10k",
|
|
||||||
}
|
|
||||||
|
|
||||||
- name: Assert plugins are available for any user
|
- name: Assert plugins are available for any user
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
|||||||
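Review bot: The restructured loop still clones every plugin with `version: master` and `update: true` (context lines at the top of the hunk), so each run pulls whatever the upstream branch currently points to, with no integrity check on code that is presumably sourced into every interactive shell. Pinning `version:` per entry to a release tag or commit SHA, e.g. `version: "<pinned tag or sha>"`, makes the plugin set reproducible and reviewable. The block-style entries that replace the flow mappings are the right form.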