Merge branch 'master' of ssh://gitea.mewissen.site:22422/rene/ansible-pull

This commit is contained in:
2025-12-12 14:40:47 +01:00
42 changed files with 24492 additions and 21844 deletions


@@ -32,3 +32,8 @@
ansible.builtin.service:
name: rsyslog
state: restarted
- name: restart_telegraf
ansible.builtin.service:
name: "telegraf"
state: restarted


@@ -0,0 +1 @@
caddy: true

4
hosts

@@ -52,6 +52,7 @@ mastodon
nameserver
printspooler
proxyserver
reverseproxy
webservers
[auth]
@@ -150,6 +151,9 @@ podman02.universe.local
[proxyserver]
tinyproxy.universe.local
[reverseproxy]
caddy.universe.local
[video_editing]
endor.universe.local
endorvm.universe.local


@@ -1,7 +1,7 @@
---
- hosts: all
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
connection: local
vars_files:
- "{{ lookup('first_found', ['os_vars/' + (ansible_distribution | lower) + '.yml'], errors='ignore') }}"
@@ -12,31 +12,31 @@
pre_tasks:
- name: pre-run | get status of marker file
stat:
ansible.builtin.stat:
path: "{{ ansible_pull_marker_file }}"
register: marker_file_stat
tags: always
- name: pre-run | check if last run was within cooldown period
meta: end_play
ansible.builtin.meta: end_play
when:
- marker_file_stat.stat.exists
- (ansible_date_time.epoch | int) - (marker_file_stat.stat.mtime | int) < (ansible_reboot_cooldown_minutes | int * 60)
tags: always
- name: pre-run | set marker file path as a cached fact
set_fact:
ansible.builtin.set_fact:
ansible_pull_marker_file: "{{ ansible_pull_marker_file }}"
cacheable: true
tags: always
- name: pre-run | update apt repository (debian, ubuntu, etc.) # noqa no-changed-when
apt: update_cache=yes
ansible.builtin.apt: update_cache=yes
#changed_when: false
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
ignore_errors: True
- name: pre-run | update pacman repository (arch)
pacman: update_cache=yes
community.general.pacman: update_cache=yes
#changed_when: false
when: ansible_distribution == 'Archlinux'
ignore_errors: True
@@ -50,19 +50,19 @@
- hosts: all:!database
pre_tasks:
- name: pre-run | upgrade system (debian, ubuntu, etc.)
apt: upgrade=dist
ansible.builtin.apt: upgrade=dist
#changed_when: false
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
ignore_errors: True
- name: pre-run | upgrade system (arch)
pacman: upgrade=true
community.general.pacman: upgrade=true
when: ansible_distribution == 'Archlinux'
ignore_errors: True
# run roles
- hosts: all
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
tags: base
become: true
roles:
@@ -82,18 +82,18 @@
roles:
- server
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
- hosts: bastionhost
tags: server,bastionhost
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true
roles:
- bastionhost
post_tasks:
- name: Update AIDE database if changes were made
include_role:
ansible.builtin.include_role:
name: bastionhost
tasks_from: system_setup/aide_update.yml
when: (aide_db_needs_update is defined and aide_db_needs_update) and (aide_db is defined and aide_db.stat.exists)
@@ -101,7 +101,7 @@
- hosts: nameserver
tags: server,nameserver
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true
roles:
- nameserver
@@ -110,7 +110,7 @@
tags: server,webservers
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- webservers
@@ -118,7 +118,7 @@
tags: server,mailserver
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- mailserver
@@ -126,7 +126,7 @@
tags: server,database
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- database
@@ -139,7 +139,7 @@
- hosts: docker
tags: server,docker
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true
roles:
- docker
@@ -148,7 +148,7 @@
tags: server,podman
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- podman
@@ -156,7 +156,7 @@
tags: server,docker,drone
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- drone
@@ -169,7 +169,7 @@
- hosts: mastodon
tags: server,mastodon
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true
roles:
- mastodon
@@ -183,7 +183,7 @@
- hosts: jitsimeet
tags: server,jitsimeet,webservers
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true
roles:
- jitsimeet
@@ -192,7 +192,7 @@
tags: server,omada_controller
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- omada-controller
@@ -200,10 +200,18 @@
tags: server,backup
become: true
handlers:
- import_tasks: global_handlers/global_handlers.yml
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- backup
- hosts: reverseproxy
tags: server,reverseproxy
become: true
handlers:
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- reverseproxy
# - hosts: proxyserver
# tags: server,proxyserver
# become: true
@@ -216,14 +224,14 @@
post_tasks:
- name: cleanup package cache (debian and ubuntu)
tags: always
apt:
ansible.builtin.apt:
autoclean: yes
changed_when: false
when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu", "Linux Mint"]
- name: autoremove orphan packages (debian and ubuntu)
tags: always
apt:
ansible.builtin.apt:
autoremove: yes
purge: yes
when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu", "Linux Mint"]
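Review bot: The converted lines `ansible.builtin.apt: update_cache=yes`, `community.general.pacman: update_cache=yes`, `ansible.builtin.apt: upgrade=dist` and `community.general.pacman: upgrade=true` still pass module arguments as a `key=value` string; since the commit rewrites these lines anyway, native YAML arguments are the form ansible-lint expects, e.g. `ansible.builtin.apt:` followed by `  update_cache: true`. The same hunks keep `ignore_errors: True`, `autoclean: yes`, `autoremove: yes` and `purge: yes`, which should be lowercase `true` to match the `true` values used elsewhere in this playbook. Ignoring a failed `upgrade=dist` outright also hides broken package states from the pull log; registering the result and reporting it afterwards would keep the run going while still surfacing the error.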


@@ -0,0 +1,2 @@
aur_helper: "paru"
aur_build_user: "aur_builder"


@@ -1,2 +1 @@
/opt/docker
/var/lib/docker/volumes


@@ -0,0 +1 @@
/var/lib/containers


@@ -1,5 +1,5 @@
- name: backup | system setup | create backup config directory
file:
ansible.builtin.file:
path: "{{ item }}"
state: directory
loop:
@@ -8,24 +8,24 @@
- "/opt/backup/config"
- name: backup | system setup | create a link to backup script
file:
ansible.builtin.file:
path: "/opt/backup/bin/backup_remote.bash"
state: link
src: "{{ ansible_user_dir }}/bin/backup_remote.bash"
- name: backup | system setup | copy backup config files
copy:
ansible.builtin.copy:
dest: "/opt/backup/config/"
src: "config/"
- name: backup | system setup | copy backup config files 2
template:
ansible.builtin.template:
src: "backup_remote.j2"
dest: "/opt/backup/config/backup_remote.conf"
force: Yes
- name: backup | system setup | add entries to ssh_config
blockinfile:
ansible.builtin.blockinfile:
dest: "{{ ansible_user_dir }}/.ssh/config"
block: "{{ lookup('template', 'ssh_config.j2') }}"
marker: "## {mark} ANSIBLE MANAGED BLOCK FOR backup"


@@ -1,7 +1,7 @@
hosts_to_backup:
- { hostname: "mariadb02", fqdn: "mariadb02.universe.local." }
- { hostname: "haproxy02", fqdn: "haproxy02.universe.local." }
- { hostname: "AdGuard", fqdn: "AdGuard.universe.local." }
- { hostname: "mail", fqdn: "mail.universe.local." }
- { hostname: "owntrack", fqdn: "owntrack.universe.local." }
- { hostname: "endor", fqdn: "endor.universe.local." }
- { hostname: "step-ca", fqdn: "step-ca.universe.local." }
@@ -10,36 +10,42 @@ hosts_to_backup:
- { hostname: "searx", fqdn: "searx.universe.local." }
- { hostname: "dnspri", fqdn: "dnspri.universe.local." }
- { hostname: "gs1900-8hp", fqdn: "gs1900-8hp.universe.local." }
- { hostname: "librenms", fqdn: "librenms.universe.local." }
- { hostname: "webserver", fqdn: "webserver.universe.local." }
- { hostname: "agh01", fqdn: "agh01.universe.local." }
- { hostname: "mastodon", fqdn: "mastodon.universe.local." }
- { hostname: "icinga", fqdn: "icinga.universe.local." }
- { hostname: "haproxy01", fqdn: "haproxy01.universe.local." }
- { hostname: "freeradius", fqdn: "freeradius.universe.local." }
- { hostname: "dhcp-kea", fqdn: "dhcp-kea.universe.local." }
- { hostname: "pi-alert-lan", fqdn: "pi-alert-lan.universe.local." }
- { hostname: "mariadb01", fqdn: "mariadb01.universe.local." }
- { hostname: "dhcp-stork", fqdn: "dhcp-stork.universe.local." }
- { hostname: "paperless", fqdn: "paperless.universe.local." }
- { hostname: "truenas", fqdn: "truenas.universe.local." }
- { hostname: "grafana", fqdn: "grafana.universe.local." }
- { hostname: "idrac-dell", fqdn: "idrac-dell.universe.local." }
- { hostname: "docker01", fqdn: "docker01.universe.local." }
- { hostname: "pi-alert", fqdn: "pi-alert.universe.local." }
- { hostname: "tatooine", fqdn: "tatooine.universe.local." }
- { hostname: "pixelfed", fqdn: "pixelfed.universe.local." }
- { hostname: "pve2", fqdn: "pve2.universe.local." }
- { hostname: "dnssec2", fqdn: "dnssec2.universe.local." }
- { hostname: "pve", fqdn: "pve.universe.local." }
- { hostname: "jitsimeet", fqdn: "jitsimeet.universe.local." }
- { hostname: "haproxy", fqdn: "haproxy.universe.local." }
- { hostname: "homeassistant", fqdn: "homeassistant.universe.local." }
- { hostname: "ns1", fqdn: "ns1.universe.local." }
- { hostname: "pve-ha", fqdn: "pve-ha.universe.local." }
- { hostname: "backup", fqdn: "backup.universe.local." }
- { hostname: "tinyproxy", fqdn: "tinyproxy.universe.local." }
- { hostname: "bastion", fqdn: "bastion.universe.local." }
- { hostname: "tatooine2", fqdn: "tatooine2.universe.local." }
- { hostname: "mailcow", fqdn: "mailcow.universe.local." }
- { hostname: "netbox", fqdn: "netbox.universe.local." }
- { hostname: "AdGuard", fqdn: "AdGuard.universe.local." }
- { hostname: "samba-ad-dc2", fqdn: "samba-ad-dc2.universe.local." }
- { hostname: "graylog", fqdn: "graylog.universe.local." }
- { hostname: "bmc-truenas", fqdn: "bmc-truenas.universe.local." }
- { hostname: "shinobi", fqdn: "shinobi.universe.local." }
- { hostname: "nextcloud", fqdn: "nextcloud.universe.local." }
- { hostname: "podman01", fqdn: "podman01.universe.local." }
- { hostname: "docker02", fqdn: "docker02.universe.local." }
- { hostname: "dnssec1", fqdn: "dnssec1.universe.local." }
- { hostname: "samba-ad-dc1", fqdn: "samba-ad-dc1.universe.local." }



@@ -0,0 +1,31 @@
---
- name: "[Arch] Install base-devel & git"
pacman:
name:
- base-devel
- git
state: present
when: ansible_facts['os_family'] == "Archlinux"
- name: "[Arch] Create AUR build user"
user:
name: "{{ aur_build_user }}"
groups: ['wheel']
create_home: yes
when: ansible_facts['os_family'] == "Archlinux"
- name: "[Arch] Allow AUR builder to use pacman without password"
lineinfile:
path: "/etc/sudoers.d/90-aur-builder"
line: "{{ aur_build_user }} ALL=(ALL) NOPASSWD: /usr/bin/pacman"
create: yes
validate: "visudo -cf %s"
when: ansible_facts['os_family'] == "Archlinux"
# - name: "[Arch] Install AUR helper"
# community.general.aur:
# name: "{{ aur_helper }}"
# state: present
# use: makepkg
# become_user: "{{ aur_build_user }}"
# when: ansible_facts['os_family'] == "Archlinux"
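Review bot: The sudoers drop-in written by `lineinfile` to `/etc/sudoers.d/90-aur-builder` sets no `mode:` or `owner:`, so its permissions depend on the umask of the run; give it `mode: "0440"` and `owner: root` explicitly next to `validate`. The `user` task's `groups: ['wheel']` without `append: true` replaces any supplementary groups the build user already has, and `wheel` is usually far broader than the pacman-only NOPASSWD rule the next task grants — if the build user only needs pacman, the group is not needed. These three tasks also use short module names (`pacman:`, `user:`, `lineinfile:`) and `create_home: yes`, while the rest of the commit moves to FQCNs and `true`/`false`.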


@@ -1,6 +1,6 @@
- name: system setup | utilities | install utility packages individually
tags: packages,system,system setup
package:
ansible.builtin.package:
state: latest
name: "{{ item }}"
loop:
@@ -32,7 +32,7 @@
- name: system setup | utilities | install cloud-init and gemu guest agent
tags: packages,system,system setup
package:
ansible.builtin.package:
state: latest
name: "{{ item }}"
loop:
@@ -46,7 +46,7 @@
- name: system setup | utilities | install utilities (arch)
tags: packages,system,system setup
package:
ansible.builtin.package:
state: latest
name: "{{ item }}"
loop:
@@ -64,7 +64,7 @@
- name: system setup | utilities | install man-pages (arch)
tags: packages,system,settings
pacman:
community.general.pacman:
state: latest
name: "{{ item }}"
loop:
@@ -76,7 +76,7 @@
- name: system setup | utilities | install utilities (debian)
tags: packages,system,system setup
package:
ansible.builtin.package:
state: latest
name: "{{ item }}"
loop:
@@ -89,3 +89,7 @@
- "{{ python_passlib_package }}"
when: ansible_distribution in [ "Debian", "Ubuntu" ]
ignore_errors: true
- name: system setup | utilities | install AUR helper (arch)
ansible.builtin.import_tasks: aur_helper.yml
when: ansible_facts['os_family'] == "Archlinux"


@@ -13,7 +13,17 @@
enabled: true
when: ansible_distribution == "Archlinux"
- name: add cronjob for ansible
- name: system setup | cron | add cronjob for ansible on reboot
become: true
become_user: root
cron:
name: "ansible provision"
user: "{{ ansible_user_id }}"
job: 'ansible-pull --vault-password-file=~/.vaultpass -U "https://gitea.mewissen.site/rene/ansible-pull.git" -d "/opt/ansible-pull" -C master > /var/log/ansible_pull.log || cat /var/log/ansible_pull.log'
state: present
special_time: reboot
- name: system setup | cron | add cronjob for ansible
become: true
become_user: root
cron:
@@ -24,7 +34,7 @@
minute: 0
hour: 1
- name: correct crontab for reboot | remove
- name: system setup | cron | correct crontab for reboot | remove
become: true
become_user: root
cron:
@@ -32,7 +42,7 @@
job: '[[ -f /etc/ssh/ssh_host_* ]] | ssh-keygen -A'
state: absent
- name: correct crontab for reboot | remove
- name: system setup | cron | correct crontab for reboot | remove
become: true
become_user: root
cron:
@@ -40,23 +50,23 @@
job: '[[ -f /etc/ssh/ssh_host_* ]] || ssh-keygen -A'
state: absent
- name: correct crontab for reboot | remove
- name: system setup | cron | correct crontab for reboot | add
become: true
become_user: root
cron:
name: "generate SSH key on reboot, if missing"
job: "[[ -f /etc/ssh/ssh_host_* ]] || ssh-keygen -A && systemctl restart {{ ssh_service }}"
state: absent
state: present
special_time: reboot
- name: correct crontab for reboot | add
- name: system setup | cron | correct crontab for reboot | remove
become: true
become_user: root
cron:
name: "generate SSH key on reboot, if missing"
job: >-
{% raw %}KEYS=(/etc/ssh/ssh_host_*_key); (( ${#KEYS[@]} )) || ( ssh-keygen -A && systemctl restart {% endraw %}{{ ssh_service }}{% raw %} ){% endraw %}
state: present
state: absent
special_time: reboot
- name: base | cron | set shell to bash
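Review bot: Swapping `state` between the two `generate SSH key on reboot, if missing` tasks leaves the entry deleted: the cron module identifies entries by `name`, so the task now marked `present` (job `[[ -f /etc/ssh/ssh_host_* ]] || ssh-keygen -A && systemctl restart {{ ssh_service }}`) is immediately followed by the task marked `absent` with the same name, which removes it again. If the intent is to go back to the simpler job, the `absent` task has to run first (as it did before this change) or be dropped. Note also that `[[ -f /etc/ssh/ssh_host_* ]]` does no pathname expansion inside `[[ ]]`, so the test is always false and the keygen plus `systemctl restart` run on every reboot — the `KEYS=(...)` form being disabled here was the version that handled that.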


@@ -6,9 +6,7 @@
container_name_include = []
container_name_exclude = []
timeout = "5s"
perdevice = false
perdevice_include = ["cpu", "blkio", "network"]
total = false
total_include = ["cpu", "blkio", "network"]
docker_label_include = []
docker_label_exclude = []


@@ -0,0 +1,7 @@
- name: docker | telegraf | copy basic config
ansible.builtin.copy:
dest: "/etc/telegraf/telegraf.d/{{ item | basename }}"
src: "{{ item }}"
with_fileglob:
- "telegraf.d/*.conf"
notify: restart_telegraf
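Review bot: The `copy` into `/etc/telegraf/telegraf.d/` sets no `mode:` or `owner:` and presumes the directory already exists; on a docker host where the server role's telegraf install has not run (this commit enables that include only for Debian-family hosts), the task fails with a missing destination. Add `mode: "0644"` and `owner: root`, and gate the task on the same distribution condition or on a `stat` of `/etc/telegraf/telegraf.d`.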


@@ -1,13 +1,13 @@
- block:
- name: docker | install docker | get convenience script
get_url:
ansible.builtin.get_url:
url: "https://get.docker.com"
dest: "~/get-docker.sh"
mode: "0777" # not required. The permissions the resulting file or directory should have. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of Ansible 2.6, the mode may also be the special string C(preserve). When set to C(preserve) the file will be given the same permissions as the source file.
use_proxy: No
- name: docker | install docker | execute convenience script
shell:
ansible.builtin.shell:
cmd: "/tmp/get-docker.sh"
creates: /usr/bin/docker
@@ -18,7 +18,7 @@
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: docker | install docker | docker-compose
package:
ansible.builtin.package:
name: "{{ item }}"
state: latest
loop:
@@ -26,7 +26,7 @@
- docker-compose
- name: docker | install docker | enable service
service:
ansible.builtin.service:
name: docker
state: started
enabled: true
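Review bot: The script fetched by `ansible.builtin.get_url` is saved to `~/get-docker.sh`, but the `ansible.builtin.shell` task that follows runs `/tmp/get-docker.sh`, so the install only succeeds if `~` happens to resolve to `/tmp`; the two paths should agree (`creates: /usr/bin/docker` may be why this never surfaced). The script is also stored `mode: "0777"` (world-writable) and then executed as root — `mode: "0700"` is sufficient, and a `checksum:` on the download would pin what actually gets run. The pasted module documentation on the `mode` line would read better as the one-line `# quoted so YAML keeps the octal mode`.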


@@ -1,17 +1,20 @@
---
# Load distro specific variables
- include_vars: "{{ ansible_distribution | lower }}.yml"
- ansible.builtin.include_vars: "{{ ansible_distribution | lower }}.yml"
tags: always
ignore_errors: True
- include_vars: "{{ ansible_fqdn | lower }}.yml"
- ansible.builtin.include_vars: "{{ ansible_fqdn | lower }}.yml"
ignore_errors: True
- import_tasks: install_docker.yml
- import_tasks: install_portainer.yml
- ansible.builtin.import_tasks: install_docker.yml
- ansible.builtin.import_tasks: install_portainer.yml
when:
- run_portainer is defined
- run_portainer == true
- import_tasks: install_portainer_agent.yml
- ansible.builtin.import_tasks: install_portainer_agent.yml
when:
- run_portainer_agent is defined
- run_portainer_agent == true
- ansible.builtin.import_tasks: configure_telegraf.yml


@@ -1,20 +1,20 @@
- name: drone | create app | generate shared secret
command: openssl rand -hex 16
ansible.builtin.command: openssl rand -hex 16
register: DRONE_RPC_SECRET
- name: drone | create app | create docker dir
file:
ansible.builtin.file:
path: "/opt/docker/drone"
state: directory
- name: drone | create app | create docker-compose.yml
template:
ansible.builtin.template:
src: "docker-compose.yml.j2"
dest: "/opt/docker/drone/docker-compose.yml"
force: no
validate: "docker-compose -f %s config" # not required. The validation command to run before copying into place. The path to the file to validate is passed in via '%s' which must be present as in the examples below. The command is passed securely so shell features like expansion and pipes will not work.
- name: drone | create app | start docker container
command:
ansible.builtin.command:
cmd: "docker-compose up -d"
chdir: "/opt/docker/drone"


@@ -101,16 +101,14 @@
mode: "0644"
owner: "root"
group: "root"
force: no
force: yes
- name: Nameserver | powerdns-server | set listening IPs
when:
- powerdns_secondary is defined
- powerdns_secondary is true
- powerdns_recursor is defined
- powerdns_recursor is true
template:
src: "powerdns-server-sec-mysql-config.j2"
src: "powerdns-server-sec-config.j2"
dest: "/etc/powerdns/pdns.conf"
owner: "root"
group: "root"
@@ -135,3 +133,8 @@
name: "pdns"
state: started
enabled: true
- name: Nameserver | powerdns-server | install python-is-python3 for snmp helper
package:
name: python-is-python3
state: present
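Review bot: The new `install python-is-python3 for snmp helper` task uses the short `package:` name and the changed line uses `force: yes`, while the rest of this commit converts to `ansible.builtin.package:` and lowercase `true`; keep the new lines consistent (`ansible.builtin.package:` and `force: true`). The template now selected, `powerdns-server-sec-config.j2`, has an empty `launch=` and no backend settings (the `gmysql` lines live in the `-mysql-` variant), so unless a drop-in under `include-dir=/etc/powerdns/pdns.d` supplies a backend the secondary would start without one — worth confirming on a rendered host.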


@@ -0,0 +1,4 @@
include-dir=/etc/powerdns/pdns.d
launch=
local-address={{ ansible_default_ipv4.address }}, [{{ ansible_default_ipv6.address }}], 127.0.0.1:553{% if wg_local_ip is defined %}, {{ wg_local_ip | ansible.utils.ipaddr('address') }}:553{% endif %}
security-poll-suffix=


@@ -1,4 +0,0 @@
launch += gmysql
gmysql-host = {{ pdns_pri_server }}
gmysql-password = {{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}
gmysql-dnssec = Yes


@@ -1,4 +1,4 @@
include-dir=/etc/powerdns/pdns.d
launch=
local-address={{ ansible_default_ipv4.address }}, [{{ ansible_default_ipv6.address }}], 127.0.0.1:553{% if wg_local_ip is defined %}, {{ wg_local_ip | ansible.utils.ipaddr('address') }}:553{% endif %}
security-poll-suffix=
launch += gmysql
gmysql-host = {{ pdns_pri_server }}
gmysql-password = {{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}
gmysql-dnssec = Yes


@@ -8,7 +8,7 @@
update_cache: yes
- name: Create local mount point for Podman NFS data
ansible.builtin.file:
ansible.builtin.file: # noqa name[missing]
path: "{{ podman_data_mount_point }}"
state: directory
mode: '0755'
@@ -48,7 +48,7 @@
update_cache: yes
- name: Create directory for Portainer compose file
ansible.builtin.file:
ansible.builtin.file: # noqa name[missing]
path: "{{ podman_data_mount_point }}/compose/portainer"
state: directory
mode: '0755'


@@ -0,0 +1,18 @@
# Load distro-specific variables
- include_vars: "{{ ansible_distribution | lower }}.yml"
tags: always
ignore_errors: True
- block:
- debug:
msg: Debug
# Perform remaining tasks:
- ansible.builtin.import_tasks: caddy_install_debian.yml
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- ansible.builtin.import_tasks: caddy_config.yml
- ansible.builtin.import_tasks: caddy_service.yml
rescue:
- set_fact: task_failed=true
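Review bot: The `rescue:` branch only sets `task_failed=true` and nothing in this file reads it, so a failed install, config or service task is swallowed and the play reports success; either let the failure propagate or follow the block with a task that reports `task_failed` (e.g. `ansible.builtin.fail` with `when: task_failed | default(false)`). The `- debug: msg: Debug` task looks like a leftover placeholder. `include_vars`, `debug` and `set_fact` are short names and `ignore_errors: True` is capitalised, unlike the FQCN/`true` style the rest of the commit adopts.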


@@ -0,0 +1,18 @@
---
- name: Create Caddy config dir
file:
path: /etc/caddy
state: directory
mode: 0755
- name: Deploy Caddyfile
template:
src: Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: 0644
- name: Deploy PowerDNS env file
template:
src: powerdns.env.j2
dest: /etc/caddy/powerdns.env
mode: 0600
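Review bot: Neither the Caddyfile nor the env-file template notifies a handler, so a later change to either leaves the running Caddy on the old configuration until something else restarts it; add `notify: reload_caddy` (name constructed to match the existing `restart_*` handlers) to both template tasks and a matching handler that runs `caddy reload`. Unquoted `mode: 0755`/`0644`/`0600` parse as octal integers here, which Ansible accepts, but the quoted form `mode: "0600"` is what the rest of the repository uses and what ansible-lint expects. The env file holding the PowerDNS API key is rightly `0600`; adding `owner: root` keeps that from depending on the connecting user.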


@@ -0,0 +1,37 @@
---
- name: Install dependencies
apt:
name:
- curl
- unzip
- git
- build-essential
state: present
update_cache: yes
- name: Download xcaddy
get_url:
url: https://github.com/caddyserver/xcaddy/releases/download/v0.9.5/xcaddy_0.9.5_linux_amd64.tar.gz
dest: /tmp/xcaddy.tar.gz
- name: Extract xcaddy
unarchive:
src: /tmp/xcaddy.tar.gz
dest: /usr/local/bin/
mode: 0755
remote_src: yes
- name: Build Caddy with PowerDNS DNS plugin
command: >
xcaddy build
--with github.com/caddy-dns/powerdns
args:
chdir: /usr/local/bin
creates: /usr/local/bin/caddy-custom
- name: Move custom caddy binary
copy:
src: /usr/local/bin/caddy
dest: /usr/local/bin/caddy
mode: 0755
remote_src: yes
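Review bot: `creates: /usr/local/bin/caddy-custom` never matches anything this file produces — `xcaddy build` writes `./caddy` in its working directory, and the following `copy` has `src` equal to `dest` (`/usr/local/bin/caddy`), so the build runs on every play and the copy is a no-op; use `creates: /usr/local/bin/caddy` (or `xcaddy build --output /usr/local/bin/caddy`) and drop the copy task. The xcaddy tarball is fetched from GitHub with no `checksum:`; a pinned `checksum: "sha256:<expected digest>"` on the `get_url` keeps the build toolchain reproducible. `apt:`, `get_url:`, `unarchive:`, `command:` and `copy:` are short names and `update_cache`/`remote_src` use `yes`, unlike the FQCN/`true` style adopted elsewhere in the commit.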


@@ -0,0 +1,52 @@
---
- name: Install dependencies
apt:
name:
- curl
- unzip
- git
- build-essential
- golang
- debian-keyring
- debian-archive-keyring
- apt-transport-https
state: present
update_cache: yes
- name: reverseproxy | xcaddy | download key
ansible.builtin.uri:
url: "https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key"
dest: "/tmp/xcaddy_gpg.key"
creates: "/tmp/xcaddy_gpg.key"
- name: reverseproxy | xcaddy | verify and import key
ansible.builtin.shell:
cmd: "gpg --show-keys --with-fingerprint --with-colons /tmp/xcaddy_gpg.key 2>&1 | grep -q '^fpr:\\+65760C51EDEA2017CEA2CA15155B6D79CA56EA34:$' && cat /tmp/xcaddy_gpg.key | gpg --dearmor | tee /etc/apt/keyrings/xcaddy_gpg.gpg > /dev/null"
creates: "/etc/apt/trusted.gpg.d/xcaddy_gpg.gpg"
- name: reverseproxy | caddy | add repository
ansible.builtin.uri:
url: "https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt"
dest: "/etc/apt/sources.list.d/xcaddy-stable.list"
creates: "/etc/apt/sources.list.d/xcaddy-stable.list"
- name: reverseproxy | xcaddy | install xcaddy
ansible.builtin.apt:
name: "xcaddy"
state: latest
update_cache: yes
- name: Build Caddy with PowerDNS DNS plugin
command: >
xcaddy build
--with github.com/caddy-dns/powerdns
args:
chdir: /usr/local/bin
creates: /usr/local/bin/caddy-custom
- name: Move custom caddy binary
copy:
src: /usr/local/bin/caddy
dest: /usr/local/bin/caddy
mode: 0755
remote_src: yes
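Review bot: The key-import task writes the dearmored key to `/etc/apt/keyrings/xcaddy_gpg.gpg` but its `creates:` points at `/etc/apt/trusted.gpg.d/xcaddy_gpg.gpg`, so the guard never becomes true and the fingerprint check plus re-import run on every play; make the two paths the same and ensure `/etc/apt/keyrings` exists before `tee`. The sources list fetched from `debian.deb.txt` is stored without inspection — whatever `signed-by=` path it carries has to match where the key was placed, which is worth verifying on a rendered host. The `xcaddy build` task repeats the `creates: /usr/local/bin/caddy-custom` / self-copy problem of the sibling install file.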


@@ -0,0 +1,31 @@
---
- name: Install systemd service
copy:
dest: /etc/systemd/system/caddy.service
mode: 0644
content: |
[Unit]
Description=Caddy
After=network-online.target
Wants=network-online.target
[Service]
EnvironmentFile=/etc/caddy/powerdns.env
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
Restart=on-failure
User=root
Group=root
[Install]
WantedBy=multi-user.target
- name: Reload systemd
systemd:
daemon_reload: yes
- name: Enable and start Caddy
systemd:
name: caddy
state: started
enabled: yes
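Review bot: The unit runs Caddy as `User=root`/`Group=root` with the PowerDNS API key loaded from its `EnvironmentFile`; a dedicated service user with `AmbientCapabilities=CAP_NET_BIND_SERVICE` (plus `ProtectSystem=full` and `PrivateTmp=true`) is the usual shape and limits what a compromise of the proxy can reach. The `Reload systemd` task has no `changed_when`, so it reports changed on every run; making the unit-file `copy` `notify` a daemon-reload/restart handler would fix that and also restart Caddy when the unit changes, which `state: started` alone does not do.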


@@ -0,0 +1,11 @@
# Load distro specific variables
- include_vars: "{{ ansible_distribution | lower }}.yml"
tags: always
ignore_errors: True
- include_vars: "{{ ansible_fqdn | lower }}.yml"
ignore_errors: True
- include_tasks: caddy.yml
when:
- caddy is defined
- caddy == true


@@ -0,0 +1,23 @@
{
email admin@example.net
acme_dns powerdns {
api_url {env.PDNS_API_URL}
api_key {env.PDNS_API_KEY}
server_id {env.PDNS_SERVER_ID}
}
}
nextcloud.example.net {
reverse_proxy 10.10.20.10:443
tls {
dns powerdns
}
}
gitea.example.org {
reverse_proxy 10.10.30.20:3000
tls {
dns powerdns
}
}
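Review bot: The template contains no Jinja expressions: `email admin@example.net`, `nextcloud.example.net`, `gitea.example.org` and the backend IPs are literal placeholders, so deployed as-is to `/etc/caddy/Caddyfile` Caddy would attempt certificates for the example domains through the powerdns DNS challenge. If this is meant as a sample, a `{{ caddy_email }}`-style variable and a loop over a per-host site list would make the role usable; if it is the real config, the names need filling in before the reverseproxy play is run.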


@@ -0,0 +1,3 @@
PDNS_API_KEY="{{ pdns_api_key }}"
PDNS_API_URL="{{ pdns_api_url }}"
PDNS_SERVER_ID="{{ pdns_server_id }}"


@@ -0,0 +1,12 @@
---
# defaults file for server
telegraf_memory_high: "120M"
telegraf_memory_max: "150M"
telegraf_memory_swap_max: "0"
telegraf_agent_interval: "10s"
telegraf_agent_flush_interval: "10s"
telegraf_agent_flush_jitter: "2s"
telegraf_agent_metric_batch_size: 500
telegraf_agent_metric_buffer_limit: 1000
telegraf_agent_collection_jitter: "1s"
telegraf_agent_round_interval: "true" # Must be quoted, because Ansible would interpret as boolean and will set it as "True" (capital T). But telegraf needs it with lowercase 'T'.


@@ -1,2 +1,2 @@
Debian-snmp ALL = NOPASSWD: /etc/snmp/bind, /etc/snmp/fail2ban, /etc/snmp/docker-stats.sh, /etc/snmp/mailcow-dockerized-postfix, /etc/snmp/unbound, /etc/snmp/osupdate, /etc/snmp/distro, /etc/snmp/powerdns-recursor, /etc/snmp/apache-stats.py
Debian-snmp ALL = NOPASSWD: /etc/snmp/bind, /etc/snmp/fail2ban, /etc/snmp/docker-stats.sh, /etc/snmp/mailcow-dockerized-postfix, /etc/snmp/unbound, /etc/snmp/osupdate, /etc/snmp/distro, /etc/snmp/powerdns-recursor, /etc/snmp/apache-stats.py, /etc/snmp/powerdns.py, /etc/snmp/powerdns-recursor
Debian-snmp ALL = (postgres) NOPASSWD: /etc/snmp/postgres
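Review bot: The new entry lists `/etc/snmp/powerdns-recursor` twice (it already appeared earlier on the same line); sudo tolerates the duplicate but it reads as a merge slip. Every path here runs as root without a password, so the added `/etc/snmp/powerdns.py` must be root-owned and not writable by `Debian-snmp` — the task that installs it is not in this diff, so it is worth confirming it sets `owner: root` and `mode: "0755"`.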


@@ -0,0 +1,11 @@
# --- FALLBACK: Metriken in Datei schreiben (optional, aber SEHR hilfreich) ---
# Wird aktiviert, wenn du sicherstellen willst, dass keine Daten verloren gehen,
# selbst wenn die InfluxDB tagelang offline ist.
#
# WICHTIG: Der File-Output belegt praktisch KEINEN RAM, da er direkt streamt.
[[outputs.file]]
files = ["stdout", "/var/log/telegraf/metrics_backup.out"]
rotation_interval = "1h"
rotation_max_size = "100MB"
rotation_max_archives = 5
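Review bot: `files = ["stdout", "/var/log/telegraf/metrics_backup.out"]` sends every metric to stdout as well as to the file, which under systemd lands in the journal and duplicates the volume the rotated file output was meant to bound; drop `"stdout"` unless the journal copy is wanted. `/var/log/telegraf` has to exist and be writable by the telegraf user for this output to start, and nothing in this diff creates it. The comments are in German while the rest of the repository appears to be in English.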


@@ -1,4 +1,14 @@
[[outputs.influxdb]]
urls = ["http://grafana.universe.local:8086"]
database = "linux"
## Timeouts BEGRENZEN, damit der Puffer nicht endlos wächst
timeout = "3s"
username = "telegraf"
password = "secret"
## Ab Telegraf 1.20+ sinnvoll:
http_headers = { "Connection" = "close" }
## Fehler schnell melden → verhindert große Warteschlangen
skip_database_creation = false
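Review bot: `username = "telegraf"` and `password = "secret"` sit in plain text in a config file committed to the repository; if this is the real credential it should be rendered with `template` from a vaulted variable (e.g. `password = "{{ telegraf_influxdb_password }}"`, name constructed), and if it is a placeholder the file should say so. The added comments are German, unlike the rest of the repository.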


@@ -1,9 +1,13 @@
- name: reload_systemd
systemd:
daemon_reload: yes
- name: restart_snmpd
service:
ansible.builtin.service:
name: "snmpd"
state: restarted
- name: restart_telegraf
service:
ansible.builtin.service:
name: "telegraf"
state: restarted


@@ -8,7 +8,7 @@
- block:
- include_tasks: utilities/mail_transfer_agent.yml
# - include_tasks: utilities/telegraf.yml
- include_tasks: utilities/telegraf.yml
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- include_tasks: utilities/netdata.yml
when: netdata is defined and netdata == true
@@ -21,5 +21,4 @@
# - include_role:
# name: base
# tasks_from: users.yml
# vim: ts=2 sw=2


@@ -1,12 +1,12 @@
- include_vars: snmp_users.yml
- ansible.builtin.include_vars: snmp_users.yml
- name: server | snmpd | install package
package:
ansible.builtin.package:
name: "{{ snmpd_package }}"
state: present
- name: server | snmpd | install sudoers file
copy:
ansible.builtin.copy:
dest: "/etc/sudoers.d/10-debian-snmp"
src: "sudoers"
owner: "root"
@@ -16,14 +16,14 @@
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: server | snmpd | create /etc/snmp
file:
ansible.builtin.file:
path: "/etc/snmp"
state: directory
owner: "root"
group: "root"
- name: server | snmpd | insert anchors to snmpd.conf
blockinfile:
ansible.builtin.blockinfile:
path: "{{ snmpd_conf }}"
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK"
@@ -32,24 +32,24 @@
# SECTION: custom settings
- name: server | snmpd | stop service
service:
ansible.builtin.service:
name: "snmpd"
state: stopped
- name: server | snmpd | setup monitoring user SNMPv3
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_user_file }}"
create: true
line: "createuser {{ snmp_user }} {{ snmp_auth_proto }} {{ snmp_auth_pass }} {{ snmp_priv_proto }} {{ snmp_priv_pass }}"
- name: server | snmpd | setup ACLs
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}" # required. The file to modify. Before Ansible 2.3 this option was only usable as I(dest), I(destfile) and I(name).
line: "rouser {{ snmp_user }} authpriv"
insertafter: "# SECTION: custom settings"
- name: server | snmpd | enable service on wireguard interface
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}"
regexp: "^agentaddress.*$"
state: present
@@ -57,34 +57,34 @@
when: wg_local_ip is defined
- name: server | snmpd | set sysLocation
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}"
regexp: '^sysLocation.*$'
state: present
line: "sysLocation {{ snmp_location }}"
- name: server | snmpd | set sysContact
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}"
regexp: '^sysContact.*$'
state: present
line: "sysContact {{ snmp_contact }}"
- name: server | snmpd | enable service on all interfaces
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}"
regexp: "^agentaddress.*$"
state: absent
when: wg_local_ip is not defined
- name: server | snmpd | copy distro script
copy:
ansible.builtin.copy:
dest: "/etc/snmp/distro"
src: "distro"
mode: "0755"
- name: server | snmpd | get os-updates script
get_url:
ansible.builtin.get_url:
url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/osupdate"
dest: "/etc/snmp/osupdate"
mode: "0755"
@@ -92,7 +92,7 @@
group: "root"
- name: server | snmpd | configure extends
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}"
state: present
line: "extend {{ item.service }} '{{ item.script }}'"
@@ -106,14 +106,14 @@
- block:
- name: server | snmpd | get proxmox script
get_url:
ansible.builtin.get_url:
url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/agent-local/proxmox"
dest: "/usr/local/bin/proxmox"
mode: "0755"
owner: "root"
group: "root"
- name: server | snmpd | configure proxmox extends
lineinfile:
ansible.builtin.lineinfile:
path: "{{ snmpd_conf }}"
state: present
line: "extend proxmox {{ sudo }} /usr/local/bin/proxmox"
@@ -123,7 +123,7 @@
- is_proxmox == true
- name: server | snmpd start service
service:
ansible.builtin.service:
name: "snmpd"
state: started
enabled: true


@@ -3,35 +3,157 @@
# path: "/etc/apt/sources.list.d/influxdata.list"
# state: absent
# curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
# gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
# | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
# && cat influxdata-archive.key \
# | gpg --dearmor \
# | sudo tee /etc/apt/keyrings/influxdata-archive.gpg > /dev/null \
# && echo 'deb [signed-by=/etc/apt/keyrings/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
# | sudo tee /etc/apt/sources.list.d/influxdata.list
# sudo apt-get update && sudo apt-get install telegraf
- name: server | telegraf | download key
uri:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: "/tmp/influxdb.key"
creates: "/tmp/influxdb.key"
ansible.builtin.uri:
url: "https://repos.influxdata.com/influxdata-archive.key"
dest: "/tmp/influxdata.key"
creates: "/tmp/influxdata.key"
- name: server | telegraf | verify and import key
shell:
cmd: "echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c /tmp/influxdb.key' | sha256sum -c && cat /tmp/influxdb.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null"
creates: "/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg"
ansible.builtin.shell:
cmd: "gpg --show-keys --with-fingerprint --with-colons /tmp/influxdata.key 2>&1 | grep -q '^fpr:\\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat /tmp/influxdata.key | gpg --dearmor | tee /usr/share/keyrings/influxdata.gpg > /dev/null"
creates: "/usr/share/keyrings/influxdata.gpg"
- name: server | telegraf | add repository
shell:
cmd: "echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list"
ansible.builtin.shell:
cmd: "echo 'deb [signed-by=/usr/share/keyrings/influxdata.gpg] https://repos.influxdata.com/debian stable main' | tee /etc/apt/sources.list.d/influxdata.list"
creates: "/etc/apt/sources.list.d/influxdata.list"
- name: server | telegraf | install telegraf
apt:
ansible.builtin.apt:
name: "telegraf"
state: latest
update_cache: yes
- name: server | telegraf | copy basic config
copy:
dest: "/etc/telegraf/{{ item }}"
ansible.builtin.copy:
dest: "/etc/telegraf/telegraf.d/{{ item | basename }}"
src: "{{ item }}"
loop:
- telegraf.d/input_basics.conf
- telegraf.d/output_influx.conf
with_fileglob:
- "telegraf.d/*.conf"
notify: restart_telegraf
- name: Configure telegraf agent hostname
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*hostname\s*='
line: ' hostname = "{{ ansible_fqdn }}"'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent interval
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*interval\s*='
line: ' interval = "{{ telegraf_agent_interval }}"'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent flush_interval
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*flush_interval\s*='
line: ' flush_interval = "{{ telegraf_agent_flush_interval }}"'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent flush_jitter
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*flush_jitter\s*='
line: ' flush_jitter = "{{ telegraf_agent_flush_jitter }}"'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent collection_jitter
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*collection_jitter\s*='
line: ' collection_jitter = "{{ telegraf_agent_collection_jitter }}"'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent metric_batch_size
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*metric_batch_size\s*='
line: ' metric_batch_size = {{ telegraf_agent_metric_batch_size }}'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent metric_buffer_limit
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*metric_buffer_limit\s*='
line: ' metric_buffer_limit = {{ telegraf_agent_metric_buffer_limit }}'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: Configure telegraf agent round_interval
tags: telegraf
ansible.builtin.lineinfile:
path: /etc/telegraf/telegraf.conf
regexp: '^\s*#?\s*round_interval\s*='
line: ' round_interval = {{ telegraf_agent_round_interval }}'
owner: root
group: root
mode: '0644'
notify: restart_telegraf
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: server | telegraf | create systemd override directory for telegraf
ansible.builtin.file:
path: /etc/systemd/system/telegraf.service.d
state: directory
mode: '0755'
- name: server | telegraf | define systemd-limits
ansible.builtin.template:
src: telegraf-override.j2
dest: /etc/systemd/system/telegraf.service.d/override.conf
notify:
- reload_systemd
- restart_telegraf
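Review bot: The new key import trusts the whole downloaded file on a weak check: the uri task writes `/tmp/influxdata.key` into a world-writable directory and the new `creates:` means that file is never refreshed, while the verify task's `grep -q` succeeds as soon as any key in the file carries fingerprint 24C975CBA61A024EE1B631787C3D57159FC2F927, after which `gpg --dearmor` puts every key in the file into `/usr/share/keyrings/influxdata.gpg`. Download into a root-owned location instead, e.g. `dest: "/usr/share/keyrings/influxdata.key"` and `creates: "/usr/share/keyrings/influxdata.key"` on the uri task (with the same path in the verify cmd), and make the check exact by prefixing the cmd with `[ "$(gpg --show-keys --with-colons /usr/share/keyrings/influxdata.key 2>/dev/null | grep -c '^pub:')" = 1 ] &&` so a file with more than one primary key is rejected; alternatively restore the sha256 pin the old version had, which `ansible.builtin.get_url` supports through its `checksum` option. Separately, the copy task driven by `with_fileglob: "telegraf.d/*.conf"` sets no `owner`/`group`/`mode`, so if `output_influx.conf` carries the InfluxDB token it lands with the default umask; `owner: root`, `group: telegraf`, `mode: '0640'` would keep it readable by the service only. The eight `Configure telegraf agent …` tasks also repeat the same `path`/`owner`/`group`/`mode` block; a single lineinfile over a loop of `{key, value}` items would keep them in step, and since lineinfile replaces the last match, it is worth confirming that no later section of `telegraf.conf` contains a commented `interval =` line that `^\s*#?\s*interval\s*=` would hit instead of the `[agent]` one.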


@@ -0,0 +1,6 @@
[Service]
MemoryHigh={{ telegraf_memory_high }}
MemoryMax={{ telegraf_memory_max }}
MemorySwapMax={{ telegraf_memory_swap_max }}
Restart=on-failure
RestartSec=5


@@ -1,5 +1,5 @@
- name: webservers | nextcloud | basic tools
package:
ansible.builtin.package:
state: latest
name:
- ca-certificates
@@ -10,19 +10,19 @@
when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: webservers | nextcloud | prereq | get php repo key
uri:
ansible.builtin.uri:
url: "https://packages.sury.org/php/apt.gpg"
dest: "/etc/apt/trusted.gpg.d/php.gpg"
- name: webservers | nextcloud | prereq | add php repo
lineinfile:
ansible.builtin.lineinfile:
path: "/etc/apt/sources.list.d/php.list"
state: present
line: "deb https://packages.sury.org/php/ {{ ansible_distribution_release | lower }} main"
create: True
- name: webservers | nextcloud | prereq | install php
package:
ansible.builtin.package:
state: latest
name: "{{ item.package }}"
update_cache: True