always use full name of ansible task

Torma Kristóf 2023-03-05 19:00:38 +01:00
parent d83c801db1
commit 95e3332f80
19 changed files with 80 additions and 80 deletions


@ -13,13 +13,13 @@
shell: "/sbin/nologin" shell: "/sbin/nologin"
- name: Undefine AllowUsers - name: Undefine AllowUsers
lineinfile: ansible.builtin.lineinfile:
state: absent state: absent
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible service-user" line: "AllowUsers tormakris ansible service-user"
- name: Check if AllowUsers is defined - name: Check if AllowUsers is defined
lineinfile: ansible.builtin.lineinfile:
state: absent state: absent
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: "^AllowUsers" regexp: "^AllowUsers"
@ -28,24 +28,24 @@
register: checkallowusers register: checkallowusers
- name: Define AllowUsers if undefined - name: Define AllowUsers if undefined
lineinfile: ansible.builtin.lineinfile:
state: present state: present
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible backup" line: "AllowUsers tormakris ansible backup"
when: checkallowusers.found == 0 when: checkallowusers.found == 0
- name: "Restart sshd" - name: "Restart sshd"
service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
- name: Create .ssh directory of backup user - name: Create .ssh directory of backup user
file: ansible.builtin.file:
path: /home/backup/.ssh path: /home/backup/.ssh
state: directory state: directory
- name: Copy authorized_keys - name: Copy authorized_keys
copy: ansible.builtin.copy:
src: authorized_keys src: authorized_keys
dest: /home/backup/.ssh/authorized_keys dest: /home/backup/.ssh/authorized_keys
mode: 0600 mode: 0600
@ -53,7 +53,7 @@
group: backup group: backup
- name: Copy ssh config - name: Copy ssh config
copy: ansible.builtin.copy:
src: ssh_config src: ssh_config
dest: /home/backup/.ssh/config dest: /home/backup/.ssh/config
mode: 0600 mode: 0600
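Review bot: The `Create .ssh directory of backup user` task sets only `path` and `state`, so `/home/backup/.ssh` ends up owned by whichever user the play runs as and with umask-default permissions instead of being a private directory of `backup`. Add `owner: backup`, `group: backup` and `mode: '0700'` to that task; the `/root/.ssh` task in the next file section has the same shape and should at least get `mode: '0700'`. The copy tasks here also pass `mode: 0600` as a bare integer, which is only correct because of the leading zero, so quoting it as `mode: '0600'` removes the dependence on how the YAML parser handles octal.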


@ -8,12 +8,12 @@
mode: '0700' mode: '0700'
- name: Create .ssh directory of root user - name: Create .ssh directory of root user
file: ansible.builtin.file:
path: /root/.ssh path: /root/.ssh
state: directory state: directory
- name: Copy ssh config - name: Copy ssh config
copy: ansible.builtin.copy:
src: ssh_config src: ssh_config
dest: /root/.ssh/config dest: /root/.ssh/config
mode: 0600 mode: 0600


@ -1,6 +1,6 @@
--- ---
- name: "Use custom Ubuntu mirror" - name: "Use custom Ubuntu mirror"
replace: ansible.builtin.replace:
path: /etc/apt/sources.list path: /etc/apt/sources.list
regexp: 'http://hu.archive.ubuntu.com' regexp: 'http://hu.archive.ubuntu.com'
replace: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror' replace: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror'
@ -12,25 +12,25 @@
delegate_to: localhost delegate_to: localhost
- name: "Render JFrog credentials configuration" - name: "Render JFrog credentials configuration"
template: ansible.builtin.template:
src: jfrog.conf.template src: jfrog.conf.template
dest: /etc/apt/auth.conf.d/jfrog.conf dest: /etc/apt/auth.conf.d/jfrog.conf
- name: "Remove Ubuntu bloatware" - name: "Remove Ubuntu bloatware"
apt: ansible.builtin.apt:
state: absent state: absent
name: ubutu-server name: ubutu-server
autoremove: yes autoremove: yes
- name: "Update machine" - name: "Update machine"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
upgrade: "yes" upgrade: "yes"
autoclean: yes autoclean: yes
autoremove: yes autoremove: yes
- name: "Install my favourite applications" - name: "Install my favourite applications"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
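Review bot: The `Render JFrog credentials configuration` task writes `/etc/apt/auth.conf.d/jfrog.conf` with no `owner`, `group` or `mode`, so a file holding repository credentials gets umask-default permissions, which usually means world-readable. Add `owner: root`, `group: root` and `mode: '0600'` to the task, after confirming apt on the target release can still read the file. Adding `no_log: true` keeps the rendered credentials out of `--diff` output. Separately, `name: ubutu-server` in the following task looks like a typo for `ubuntu-server`; with `state: absent` a misspelled package name would presumably pass as a silent no-op.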


@ -1,6 +1,6 @@
--- ---
- name: clean motd - name: clean motd
file: ansible.builtin.file:
state: touch state: touch
owner: tormakris owner: tormakris
group: tormakris group: tormakris


@ -1,12 +1,12 @@
--- ---
- name: disable cloudinit - name: disable cloudinit
copy: ansible.builtin.copy:
content: "" content: ""
dest: /etc/cloud/cloud-init.disabled dest: /etc/cloud/cloud-init.disabled
force: no force: no
- name: disable network autoconfig - name: disable network autoconfig
copy: ansible.builtin.copy:
content: "network: {config: disabled}" content: "network: {config: disabled}"
dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
force: no force: no


@ -1,6 +1,6 @@
--- ---
- name: "Install node exporter" - name: "Install node exporter"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -14,7 +14,7 @@
src: 192.168.69.0/24 src: 192.168.69.0/24
- name: Enable and restart exporter daemon - name: Enable and restart exporter daemon
service: ansible.builtin.service:
name: prometheus-node-exporter name: prometheus-node-exporter
state: restarted state: restarted
enabled: yes enabled: yes


@ -1,13 +1,13 @@
--- ---
- name: Remove snapd from Ubuntu - name: Remove snapd from Ubuntu
apt: ansible.builtin.apt:
name: snapd name: snapd
state: absent state: absent
purge: yes purge: yes
when: ansible_distribution == "Ubuntu" when: ansible_distribution == "Ubuntu"
- name: Remove snapd-related directories - name: Remove snapd-related directories
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
with_items: with_items:


@ -1,30 +1,30 @@
--- ---
- name: Disable password authentication - name: Disable password authentication
replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: 'PasswordAuthentication yes' regexp: 'PasswordAuthentication yes'
replace: 'PasswordAuthentication no' replace: 'PasswordAuthentication no'
- name: Disable root authentication - name: Disable root authentication
replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '#PermitRootLogin prohibit-password' regexp: '#PermitRootLogin prohibit-password'
replace: 'PermitRootLogin no' replace: 'PermitRootLogin no'
- name: Disable X11 forwarding - name: Disable X11 forwarding
replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: 'X11Forwarding yes' regexp: 'X11Forwarding yes'
replace: 'X11Forwarding no' replace: 'X11Forwarding no'
- name: Explicitly only listen on ipv4 - name: Explicitly only listen on ipv4
replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '#AddressFamily any' regexp: '#AddressFamily any'
replace: 'AddressFamily inet' replace: 'AddressFamily inet'
- name: Check if AllowUsers is defined - name: Check if AllowUsers is defined
lineinfile: ansible.builtin.lineinfile:
state: absent state: absent
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: "^AllowUsers" regexp: "^AllowUsers"
@ -33,14 +33,14 @@
register: checkallowusers register: checkallowusers
- name: Define AllowUsers if undefined - name: Define AllowUsers if undefined
lineinfile: ansible.builtin.lineinfile:
state: present state: present
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible service-user" line: "AllowUsers tormakris ansible service-user"
when: checkallowusers.found == 0 when: checkallowusers.found == 0
- name: "Restart sshd" - name: "Restart sshd"
service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
... ...
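Review bot: The `ansible.builtin.replace` patterns in the first hunk are unanchored literals, so they harden sshd only when the file already contains the exact active line. If the directive is commented out (`#PasswordAuthentication yes`), the first task turns it into `#PasswordAuthentication no`, which is still a comment, and password logins stay at sshd's default. `ansible.builtin.lineinfile` with `regexp: '^#?\s*PasswordAuthentication\s'` and `line: 'PasswordAuthentication no'` sets the directive whether or not an active line existed; the `X11Forwarding` task has the same gap, while the `PermitRootLogin` and `AddressFamily` tasks do nothing if the commented default is missing. Adding `validate: '/usr/sbin/sshd -t -f %s'` to each edit prevents a broken config from being written ahead of the unconditional `Restart sshd`.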


@ -1,13 +1,13 @@
--- ---
- name: Setup timesync config - name: Setup timesync config
template: ansible.builtin.template:
src: timesyncd.conf.template src: timesyncd.conf.template
dest: /etc/systemd/timesyncd.conf dest: /etc/systemd/timesyncd.conf
notify: run Timedatectl notify: run Timedatectl
when: ansible_service_mgr == "systemd" when: ansible_service_mgr == "systemd"
- name: set Timezone - name: set Timezone
timezone: name={{ timedatectl_timezone }} ansible.builtin.timezone: name={{ timedatectl_timezone }}
when: ansible_service_mgr == "systemd" when: ansible_service_mgr == "systemd"
- name: Reastart timesyncd to apply changes - name: Reastart timesyncd to apply changes
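Review bot: `ansible.builtin.timezone` is not a module of the `ansible.builtin` collection; `timezone` ships in `community.general`, so the renamed `set Timezone` task will most likely fail to resolve once it runs. Use `community.general.timezone:` here and make sure the collection is installed on the controller. While on this line, replace the `name={{ timedatectl_timezone }}` key=value string with a mapping, `name: "{{ timedatectl_timezone }}"`, so the value is quoted and passed as a proper argument.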


@ -1,6 +1,6 @@
--- ---
- name: "Install ufw via apt" - name: "Install ufw via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:


@ -19,14 +19,14 @@
append: yes append: yes
- name: Create .ssh directory of root user - name: Create .ssh directory of root user
file: ansible.builtin.file:
path: /home/ansible/.ssh path: /home/ansible/.ssh
state: directory state: directory
owner: ansible owner: ansible
group: ansible group: ansible
- name: Copy authorized_keys - name: Copy authorized_keys
copy: ansible.builtin.copy:
src: authorized_keys src: authorized_keys
dest: /home/ansible/.ssh/authorized_keys dest: /home/ansible/.ssh/authorized_keys
mode: 0600 mode: 0600
@ -34,7 +34,7 @@
group: ansible group: ansible
- name: Check if ansible is already nopasswd in sudoers - name: Check if ansible is already nopasswd in sudoers
lineinfile: ansible.builtin.lineinfile:
state: absent state: absent
path: /etc/sudoers path: /etc/sudoers
regexp: "^ansible" regexp: "^ansible"
@ -43,7 +43,7 @@
register: checkallowusers register: checkallowusers
- name: Define ansible nopasswd in sudoers - name: Define ansible nopasswd in sudoers
lineinfile: ansible.builtin.lineinfile:
state: present state: present
path: /etc/sudoers path: /etc/sudoers
line: "ansible ALL=(ALL:ALL) NOPASSWD:ALL" line: "ansible ALL=(ALL:ALL) NOPASSWD:ALL"
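Review bot: The `Define ansible nopasswd in sudoers` task edits `/etc/sudoers` in place with `lineinfile`, and no `validate` is visible in the hunk (the task continues past its last line); a malformed write to that file breaks sudo for every account, including the one this play uses. Add `validate: '/usr/sbin/visudo -cf %s'`, or write the rule to its own file under `/etc/sudoers.d/` with `mode: '0440'` and the same validation. Since `ansible ALL=(ALL:ALL) NOPASSWD:ALL` makes this account's SSH key equivalent to root, the `.ssh` directory task above should also set `mode: '0700'` alongside its `owner` and `group`.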


@ -1,6 +1,6 @@
--- ---
- name: "Install Docker via apt" - name: "Install Docker via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -8,7 +8,7 @@
- docker-compose - docker-compose
- name: Disable userland proxy - name: Disable userland proxy
copy: ansible.builtin.copy:
src: daemon.json src: daemon.json
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
mode: 644 mode: 644
@ -16,7 +16,7 @@
group: backup group: backup
- name: Enable and restart Docker daemon - name: Enable and restart Docker daemon
service: ansible.builtin.service:
name: docker name: docker
state: restarted state: restarted
enabled: yes enabled: yes
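Review bot: `mode: 644` in the `Disable userland proxy` copy task is read as the decimal integer 644, which is octal 1204 (sticky bit, owner write-only, world-readable) rather than rw-r--r--. Quote it with a leading zero, `mode: '0644'`, as the other roles in this commit do. The context line `group: backup` in the last hunk appears to belong to the same task (its owner line is outside the hunks) and looks copied from the backup role; `root` would be the expected group for `/etc/docker/daemon.json`.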


@ -1,24 +1,24 @@
--- ---
- name: "Install Postfix via apt" - name: "Install Postfix via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
- postfix - postfix
- name: Install Postfix forwarder config - name: Install Postfix forwarder config
template: ansible.builtin.template:
src: templates/main.cf src: templates/main.cf
dest: /etc/postfix/main.cf dest: /etc/postfix/main.cf
- name: Restart Postfix - name: Restart Postfix
service: ansible.builtin.service:
name: postfix name: postfix
state: restarted state: restarted
enabled: yes enabled: yes
- name: "Install postfix exporter" - name: "Install postfix exporter"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -39,7 +39,7 @@
append: yes append: yes
- name: Enable and restart exporter daemon - name: Enable and restart exporter daemon
service: ansible.builtin.service:
name: prometheus-postfix-exporter name: prometheus-postfix-exporter
state: restarted state: restarted
enabled: yes enabled: yes


@ -1,13 +1,13 @@
--- ---
- name: "Install haproxy via apt" - name: "Install haproxy via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
- haproxy - haproxy
- name: Copy haproxy configuration - name: Copy haproxy configuration
copy: ansible.builtin.copy:
src: haproxy.cfg src: haproxy.cfg
dest: /etc/haproxy/haproxy.cfg dest: /etc/haproxy/haproxy.cfg
mode: 0644 mode: 0644
@ -15,34 +15,34 @@
group: root group: root
- name: Enable and stop haproxy - name: Enable and stop haproxy
service: ansible.builtin.service:
name: haproxy name: haproxy
state: stopped state: stopped
enabled: yes enabled: yes
- name: "Install certbot via apt" - name: "Install certbot via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
- python3-certbot - python3-certbot
- name: Generate certificate for Neko domain - name: Generate certificate for Neko domain
command: ansible.builtin.command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d neko.tormakristof.eu cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d neko.tormakristof.eu
- name: Generate certificate for TURN domain - name: Generate certificate for TURN domain
command: ansible.builtin.command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d turn.tormakristof.eu cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d turn.tormakristof.eu
- name: Enable and start haproxy - name: Enable and start haproxy
service: ansible.builtin.service:
name: haproxy name: haproxy
state: started state: started
enabled: yes enabled: yes
- name: Copy certbot cronjob - name: Copy certbot cronjob
copy: ansible.builtin.copy:
src: certbot src: certbot
dest: /etc/cron.weekly/certbot dest: /etc/cron.weekly/certbot
mode: 0755 mode: 0755
@ -58,7 +58,7 @@
state: enabled state: enabled
- name: "Install haproxy exporter" - name: "Install haproxy exporter"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
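Review bot: The two `certbot certonly` tasks run between `Enable and stop haproxy` and `Enable and start haproxy` with no `creates:` guard, so every play takes the proxy down, and a certbot failure aborts the play with haproxy still stopped. Adding `creates:` under `ansible.builtin.command`, pointing at the certificate certbot writes for each domain, skips the task once the certificate exists; wrapping the stop/issue/start sequence in a `block` with an `always` section that starts haproxy covers the failure case. The certbot tasks in the two nginx file sections interpolate `{{item.domain}}` into a `cmd:` string, which the module splits on whitespace; passing the arguments as an `argv:` list there keeps a malformed domain value from being read as extra certbot options.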


@ -1,16 +1,16 @@
--- ---
- name: "remove cloudinit config" - name: "remove cloudinit config"
file: ansible.builtin.file:
path: /etc/netplan/50-cloud-init.yaml path: /etc/netplan/50-cloud-init.yaml
state: absent state: absent
- name: "remove installer config" - name: "remove installer config"
file: ansible.builtin.file:
path: /etc/netplan/00-installer-config.yaml path: /etc/netplan/00-installer-config.yaml
state: absent state: absent
- name: "install static config" - name: "install static config"
template: ansible.builtin.template:
src: templates/netplan.yaml src: templates/netplan.yaml
dest: /etc/netplan/00-static.yaml dest: /etc/netplan/00-static.yaml
notify: netplanapply notify: netplanapply


@ -1,6 +1,6 @@
--- ---
- name: "Install openvpn-server via apt" - name: "Install openvpn-server via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -15,13 +15,13 @@
reload: yes reload: yes
- name: Enable and restart openvpn daemon - name: Enable and restart openvpn daemon
service: ansible.builtin.service:
name: openvpn-server@stargate name: openvpn-server@stargate
state: restarted state: restarted
enabled: yes enabled: yes
- name: Check if AllowUsers is defined - name: Check if AllowUsers is defined
lineinfile: ansible.builtin.lineinfile:
state: absent state: absent
path: /etc/ufw/before.rules path: /etc/ufw/before.rules
regexp: "^# START OPENVPN" regexp: "^# START OPENVPN"
@ -30,7 +30,7 @@
register: checkufwrules register: checkufwrules
- name: Insert openvpn iptables rules - name: Insert openvpn iptables rules
blockinfile: ansible.builtin.blockinfile:
path: /etc/ufw/before.rules path: /etc/ufw/before.rules
block: | block: |
# START OPENVPN RULES # START OPENVPN RULES


@ -1,21 +1,21 @@
--- ---
- name: "Install Postfix via apt" - name: "Install Postfix via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
- postfix - postfix
- name: Install Postfix mail gateway config - name: Install Postfix mail gateway config
template: ansible.builtin.template:
src: templates/main.cf src: templates/main.cf
dest: /etc/postfix/main.cf dest: /etc/postfix/main.cf
- name: Build /etc/mailname - name: Build /etc/mailname
shell: hostname --fqdn > /etc/mailname ansible.builtin.shell: hostname --fqdn > /etc/mailname
- name: Restart Postfix - name: Restart Postfix
service: ansible.builtin.service:
name: postfix name: postfix
state: restarted state: restarted
enabled: yes enabled: yes
@ -27,7 +27,7 @@
src: 192.168.69.0/24 src: 192.168.69.0/24
- name: "Install postfix exporter" - name: "Install postfix exporter"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -48,7 +48,7 @@
append: yes append: yes
- name: Enable and restart exporter daemon - name: Enable and restart exporter daemon
service: ansible.builtin.service:
name: prometheus-postfix-exporter name: prometheus-postfix-exporter
state: restarted state: restarted
enabled: yes enabled: yes
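Review bot: `ansible.builtin.shell: hostname --fqdn > /etc/mailname` in `Build /etc/mailname` needs a shell only for the redirect, runs on every play and always reports changed. `ansible.builtin.copy` with `content: "{{ ansible_fqdn }}\n"`, `dest: /etc/mailname` and `mode: '0644'` writes the same file idempotently and without a shell, provided facts are gathered and `ansible_fqdn` matches what `hostname --fqdn` returns on the host. If the shell form is kept, `changed_when: false` or a `creates: /etc/mailname` guard would at least stop the spurious change reports.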


@ -1,6 +1,6 @@
--- ---
- name: "Install nginx via apt" - name: "Install nginx via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -27,23 +27,23 @@
mode: '0644' mode: '0644'
- name: Enable and restart nginx daemon - name: Enable and restart nginx daemon
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
enabled: yes enabled: yes
- name: Generate certificate for all proxied domains - name: Generate certificate for all proxied domains
command: ansible.builtin.command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ proxy }}" with_items: "{{ proxy }}"
- name: Generate certificate for all static sites - name: Generate certificate for all static sites
command: ansible.builtin.command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ static }}" with_items: "{{ static }}"
- name: Generate certificate for all redirect sites - name: Generate certificate for all redirect sites
command: ansible.builtin.command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ redirect }}" with_items: "{{ redirect }}"
@ -64,11 +64,11 @@
mode: '0644' mode: '0644'
- name: Validate nginx configuration - name: Validate nginx configuration
command: ansible.builtin.command:
cmd: nginx -t cmd: nginx -t
- name: Reload nginx after configuration change - name: Reload nginx after configuration change
service: ansible.builtin.service:
name: nginx name: nginx
state: reloaded state: reloaded
@ -91,7 +91,7 @@
with_items: "{{ static }}" with_items: "{{ static }}"
- name: "Install nginx exporter" - name: "Install nginx exporter"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -106,7 +106,7 @@
mode: '0644' mode: '0644'
- name: Enable and restart exporter daemon - name: Enable and restart exporter daemon
service: ansible.builtin.service:
name: prometheus-nginx-exporter name: prometheus-nginx-exporter
state: restarted state: restarted
enabled: yes enabled: yes


@ -6,7 +6,7 @@
src: 192.168.69.0/24 src: 192.168.69.0/24
- name: "Install Nginx via apt" - name: "Install Nginx via apt"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -23,13 +23,13 @@
mode: '0644' mode: '0644'
- name: Enable and restart nginx daemon - name: Enable and restart nginx daemon
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
enabled: yes enabled: yes
- name: Generate certificate for all server instances - name: Generate certificate for all server instances
command: ansible.builtin.command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ webserver }}" with_items: "{{ webserver }}"
@ -50,12 +50,12 @@
mode: '0644' mode: '0644'
- name: Reload nginx daemon - name: Reload nginx daemon
service: ansible.builtin.service:
name: nginx name: nginx
state: reloaded state: reloaded
- name: "Install nginx exporter" - name: "Install nginx exporter"
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
state: present state: present
name: name:
@ -77,7 +77,7 @@
mode: '0644' mode: '0644'
- name: Enable and restart exporter daemon - name: Enable and restart exporter daemon
service: ansible.builtin.service:
name: prometheus-nginx-exporter name: prometheus-nginx-exporter
state: restarted state: restarted
enabled: yes enabled: yes