init
9d7c62684f
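--- a/README.md
+++ b/README.md
@@ -0,0 +1,25 @@
+# Ansible playbooks to setup servers
+
+## Requirements
+
+```
+ansible-galaxy install -r requirements.yml
+```
+
+## Roles
+
+Basic server setup:
+
+- `hostname` Set hostname, FQDN.
+- `tz` Set TZ `Europe/Moscow`.
+- `locale` Generate and set locale `en_US.utf-8`.
+- `packages` Install admin tools e.g. vim, tree, etc.
+- `dotfiles` Add dotfiles for root and /etc/skel.
+- `motd` Modify MOTD.
+- `ufw` Enable UFW, allow OpenSSH rule.
+- `sshd` Disable SSH authentication via passwords.
+
+Other:
+
+- `avahi` Install and configure Avahi daemon for mDNS.
+- `docker` Install Docker Engine.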
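--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+host_key_checking = false
+inventory = ./inventory.yaml
+roles_path = ./roles/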
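Review bot: `host_key_checking = false` switches off SSH host-key verification for every connection this project makes, so a host whose key changed, or something sitting between the controller and the host, is accepted silently; the setting is global and therefore also covers the Internet-reachable `external` group in inventory.yaml. Prefer the default (`host_key_checking = true`) and seed the controller's known_hosts once during onboarding, so that a key mismatch stops the play instead of being ignored. If first-contact convenience is the motivation, a per-host `ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'` in the inventory is narrower than disabling the check everywhere.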
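--- a/inventory.yaml
+++ b/inventory.yaml
@@ -0,0 +1,35 @@
+all:
+vars:
+architectures:
+x86_64: amd64
+aarch64: arm64
+armv7l: armhf
+children:
+external:
+hosts:
+mainframe:
+server_hostname: mainframe
+server_fqdn: mainframe.phreepunk.network
+ansible_host: 147.45.233.134
+ansible_user: root
+ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
+internal:
+hosts:
+opipcplus:
+server_hostname: opipcplus
+server_fqdn: opipcplus.local
+ansible_host: 192.168.3.8
+ansible_user: root
+ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
+opi3b:
+server_hostname: opi3b
+server_fqdn: opi3b.local
+ansible_host: 192.168.3.6
+ansible_user: root
+ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
+pnx:
+server_hostname: pnx
+server_fqdn: pnx.local
+ansible_host: 192.168.3.128
+ansible_user: root
+ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519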
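Review bot: `ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519` and `ansible_user: root` are repeated on all four hosts and hard-code one operator's home directory, so the inventory only works from that account on that machine. Move both into `all.vars` next to `architectures`, or set `private_key_file` and `remote_user` in ansible.cfg, and use a path that is not tied to one user (`~/.ssh/id_ed25519`). The repeated `server_hostname` values also duplicate the inventory host names; deriving them from `inventory_hostname` in the roles would remove one place for the two to drift apart.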
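--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@@ -0,0 +1,8 @@
+- hosts: all
+roles:
+- hostname
+- tz
+- locale
+- motd
+- dotfiles
+- packages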
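--- a/playbooks/external.yaml
+++ b/playbooks/external.yaml
@@ -0,0 +1,6 @@
+- hosts: external
+roles:
+- sshd
+- ufw
+- role: docker
+when: server_hostname in ['mainframe']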
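--- a/playbooks/internal.yaml
+++ b/playbooks/internal.yaml
@@ -0,0 +1,5 @@
+- hosts: internal
+roles:
+- avahi
+- role: docker
+when: server_hostname != 'pnx'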
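--- a/playbooks/master.yaml
+++ b/playbooks/master.yaml
@@ -0,0 +1,3 @@
+- import_playbook: base.yaml
+- import_playbook: internal.yaml
+- import_playbook: external.yaml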
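--- a/requirements.yaml
+++ b/requirements.yaml
@@ -0,0 +1,2 @@
+collections:
+- name: community.general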
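Review bot: The README's install command refers to `requirements.yml`, but the file added here is `requirements.yaml`, so `ansible-galaxy install -r requirements.yml` fails until one of the two names is changed. Either rename this file or change the README line to `ansible-galaxy install -r requirements.yaml`. Adding a `version:` entry for `community.general` would also make the `locale_gen`, `timezone` and `ufw` modules the roles depend on reproducible across controllers.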
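--- a/roles/avahi/files/nsswitch.conf
+++ b/roles/avahi/files/nsswitch.conf
@@ -0,0 +1,13 @@
+# Ansible managed
+
+passwd: files
+group: files
+shadow: files
+gshadow: files
+hosts: files mdns4_minimal [NOTFOUND=return] dns
+networks: files
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+netgroup: nis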
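--- a/roles/avahi/handlers/main.yaml
+++ b/roles/avahi/handlers/main.yaml
@@ -0,0 +1,9 @@
+- name: Restart Avahi Daemon
+ansible.builtin.service:
+name: avahi-daemon
+state: restarted
+
+- name: Autoremove and autoclean packages
+ansible.builtin.apt:
+autoremove: yes
+autoclean: yes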
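Review bot: `autoremove: yes` and `autoclean: yes` rely on YAML 1.1 truthy words; a YAML 1.2 parser reads them as strings and yamllint's `truthy` rule rejects them. Write `autoremove: true` and `autoclean: true`; the same applies to the identical handler in roles/docker/handlers/main.yaml and roles/packages/handlers/main.yaml, and to `update_cache: yes` / `install_recommends: no` in the apt tasks of the avahi, docker, packages and ufw roles. Since three roles declare the same handler under the same name, one shared handler (for example a small common role the others depend on) would avoid keeping three copies in sync.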
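--- a/roles/avahi/tasks/main.yaml
+++ b/roles/avahi/tasks/main.yaml
@@ -0,0 +1,30 @@
+- name: Populate service facts
+ansible.builtin.service_facts:
+
+- name: Stop and disable systemd-resolved
+ansible.builtin.systemd:
+name: systemd-resolved
+state: stopped
+enabled: false
+when: "'systemd-resolved' in services"
+
+- name: Install Avahi Daemon and helpers
+ansible.builtin.apt:
+name: "{{ item }}"
+state: latest
+update_cache: yes
+install_recommends: no
+with_items:
+- avahi-daemon
+- avahi-utils
+- libnss-mdns
+notify: Autoremove and autoclean packages
+
+- name: Configure /etc/nsswitch.conf
+ansible.builtin.copy:
+src: nsswitch.conf
+dest: /etc/nsswitch.conf
+owner: root
+group: root
+mode: 0644
+notify: Restart Avahi Daemon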
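Review bot: The guard `when: "'systemd-resolved' in services"` most likely never matches: the `services` dict that `service_facts` produces is keyed by unit name, which on systemd hosts carries the suffix (`systemd-resolved.service`), so the stop/disable task is skipped and the daemon keeps running. Compare against the full unit name, `when: "'systemd-resolved.service' in services"`, and note that if `/etc/resolv.conf` is the resolved stub symlink, stopping the service leaves the host without DNS and nothing in this role rewrites resolv.conf. Separately, `ansible.builtin.apt` accepts a list in `name`, so the `with_items` loop runs apt (including `update_cache`) once per package instead of once; the same loop pattern appears in roles/docker/tasks/main.yaml and roles/packages/tasks/main.yaml. `state: latest` in those tasks also means every playbook run may upgrade packages; `state: present` keeps upgrades a deliberate step.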
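--- a/roles/docker/handlers/main.yaml
+++ b/roles/docker/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: Autoremove and autoclean packages
+ansible.builtin.apt:
+autoremove: yes
+autoclean: yes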
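--- a/roles/docker/tasks/main.yaml
+++ b/roles/docker/tasks/main.yaml
@@ -0,0 +1,46 @@
+- name: Check and install prerequisites
+ansible.builtin.apt:
+name: "{{ item }}"
+state: latest
+update_cache: yes
+install_recommends: no
+with_items:
+- ca-certificates
+- curl
+- gnupg
+- lsb-release
+
+- name: Add Docker repository
+block:
+- name: Make APT keyrings dir
+ansible.builtin.file:
+path: /etc/apt/keyrings
+state: directory
+owner: root
+group: root
+mode: 0755
+
+- name: Add Docker APT key
+ansible.builtin.get_url:
+url: "https://download.docker.com/linux/debian/gpg"
+dest: /etc/apt/keyrings/docker.asc
+
+- name: Add Docker APT list
+ansible.builtin.apt_repository:
+repo: "deb [arch={{ architectures[ansible_architecture] }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+filename: docker
+state: present
+
+- name: Install Docker Engine
+ansible.builtin.apt:
+name: "{{ item }}"
+state: latest
+update_cache: yes
+install_recommends: no
+with_items:
+- docker-ce
+- docker-ce-cli
+- containerd.io
+- docker-buildx-plugin
+- docker-compose-plugin
+notify: Autoremove and autoclean packages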
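Review bot: The `Add Docker APT key` task fetches the repository signing key with `get_url` and no `checksum`, and `/etc/apt/keyrings/docker.asc` is written with whatever mode `get_url` picks; that key then authorizes everything installed from the repository the next task adds. Add `checksum: "sha256:<expected digest of the key, verified out-of-band>"` (placeholder) and `mode: "0644"` so a changed key fails the play instead of being trusted silently. `architectures[ansible_architecture]` in the `repo` string raises an undefined-variable error on any host whose architecture is not one of the three keys in inventory.yaml; a short comment there, or a `| default(ansible_architecture)`, would make that failure intentional rather than surprising. The `curl` and `gnupg` prerequisites are not used by any task in this file, since `get_url` and `apt_repository` do the work.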
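--- a/roles/dotfiles/files/dot.bash_profile
+++ b/roles/dotfiles/files/dot.bash_profile
@@ -0,0 +1,3 @@
+# Ansible managed
+
+[ -f ~/.bashrc ] && . ~/.bashrc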
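--- a/roles/dotfiles/files/dot.bashrc
+++ b/roles/dotfiles/files/dot.bashrc
@@ -0,0 +1,31 @@
+# Ansible managed
+
+[ -f ~/.profile ] && . ~/.profile
+
+[ -f ~/.profile.extra ] && . ~/.profile.extra
+
+alias grep='grep --color=auto'
+alias diff='diff --color=auto'
+alias ls='ls -F --color=auto'
+alias l='ls -hl'
+alias ll='ls -alh'
+alias tree='tree -F'
+alias qq='history -c; exit'
+
+shopt -s autocd
+shopt -s histappend
+
+HISTCONTROL=ignoreboth
+HISTSIZE=20000
+HISTFILESIZE=20000
+HISTTIMEFORMAT="%d %b %Y %T %z "
+
+if [ "$EUID" -eq 0 ]; then
+if [ -f /etc/armbian-release ]; then
+PS1='\[\033[38;5;208;1m\]\u@\H\[\033[00m\]:\w\[\033[00m\]\$ '
+else
+PS1='\[\033[1m\]\u@\H\[\033[00m\]:\w\[\033[00m\]\$ '
+fi
+else
+PS1='\u@\H:\w\$ '
+fi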
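Review bot: `~/.bashrc` sources `~/.profile`, and the `~/.profile` added in this commit (roles/dotfiles/files/dot.profile) does `PATH=$HOME/.local/bin:$PATH` unconditionally, so every interactive shell and every nested bash prepends another copy of `~/.local/bin` to PATH. Guard the prepend in .profile, e.g. `case ":$PATH:" in *":$HOME/.local/bin:"*) ;; *) PATH=$HOME/.local/bin:$PATH ;; esac`, or stop sourcing `.profile` from `.bashrc` and let `.bash_profile` handle login shells. `alias qq='history -c; exit'` discards the session's command history on exit; on the root account that removes the only local record of what was run, which makes later incident reconstruction harder, so if this is intended a comment saying so would help the next reader.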
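--- a/roles/dotfiles/files/dot.profile
+++ b/roles/dotfiles/files/dot.profile
@@ -0,0 +1,7 @@
+# Ansible managed
+
+PATH=$HOME/.local/bin:$PATH
+EDITOR=vim
+VISUAL=vim
+LESS=-R
+export PATH EDITOR VISUAL LESS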
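--- a/roles/dotfiles/files/dot.screenrc
+++ b/roles/dotfiles/files/dot.screenrc
@@ -0,0 +1,5 @@
+# Ansible managed
+
+startup_message off
+hardstatus alwayslastline
+hardstatus string '%S: %-w%>(%n %t)%{-}%+w%<'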
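--- a/roles/dotfiles/files/dot.vimrc
+++ b/roles/dotfiles/files/dot.vimrc
@@ -0,0 +1,20 @@
+" Ansible managed
+
+colorscheme default
+filetype plugin on
+syntax on
+let python_highlight_all = 1
+set mouse-=a
+set tabstop=4
+set shiftwidth=4
+set smarttab
+set expandtab
+set softtabstop=4
+set autoindent
+set listchars=tab:▸\ ,trail:·
+set list
+set t_Co=256
+set enc=utf-8
+set fenc=utf-8
+set termencoding=utf-8
+set modeline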
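Review bot: `set modeline` re-enables modeline processing, which Debian's default vimrc turns off because it lets any opened file set editor options for the user opening it; this vimrc is installed for root and into `/etc/skel`, so root editing an untrusted file (a log, a user-supplied config) gets its editor options changed by that file's contents. Modeline option parsing has also historically been where Vim's option-handling vulnerabilities surfaced. Unless modelines are actually relied on, drop the line or write `set nomodeline`; if they are needed, keep `modelines` small and keep Vim current.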
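--- a/roles/dotfiles/tasks/main.yaml
+++ b/roles/dotfiles/tasks/main.yaml
@@ -0,0 +1,26 @@
+- name: Copy dotfiles
+ansible.builtin.copy:
+src: "{{ item.src }}"
+dest: "{{ item.dest }}"
+owner: root
+group: root
+mode: 0644
+with_items:
+- { src: 'dot.vimrc', dest: '/etc/skel/.vimrc' }
+- { src: 'dot.screenrc', dest: '/etc/skel/.screenrc' }
+- { src: 'dot.profile', dest: '/etc/skel/.profile' }
+- { src: 'dot.bashrc', dest: '/etc/skel/.bashrc' }
+- { src: 'dot.bash_profile', dest: '/etc/skel/.bash_profile' }
+- { src: 'dot.vimrc', dest: '/root/.vimrc' }
+- { src: 'dot.screenrc', dest: '/root/.screenrc' }
+- { src: 'dot.profile', dest: '/root/.profile' }
+- { src: 'dot.bashrc', dest: '/root/.bashrc' }
+- { src: 'dot.bash_profile', dest: '/root/.bash_profile' }
+
+- name: Remove unwanted dotfiles
+ansible.builtin.file:
+path: "{{ item }}"
+state: absent
+with_items:
+- /etc/skel/.bash_logout
+- /root/resize.log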
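Review bot: The `Copy dotfiles` list states each of the five files twice, once per destination directory, so adding a sixth dotfile means editing two places that can drift apart; a loop over the five names combined with the two target directories (`['/etc/skel', '/root']` via the `product` filter) keeps a single source of truth. `/root/resize.log` is not a dotfile, and nothing on the page says where it comes from; a comment on the entry (presumably a first-boot artifact on the board images) would explain why this role is the one removing it.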
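--- a/roles/hostname/tasks/main.yaml
+++ b/roles/hostname/tasks/main.yaml
@@ -0,0 +1,23 @@
+- name: Set a hostname via hostnamectl
+ansible.builtin.hostname:
+name: "{{ server_hostname }}"
+use: systemd
+when: ansible_virtualization_type == "kvm" or
+ansible_virtualization_type == "openstack" or
+ansible_virtualization_type == "NA"
+
+- name: Set a hostname and FQDN in /etc/hosts
+ansible.builtin.template:
+src: hosts
+dest: /etc/hosts
+owner: root
+group: root
+mode: 0644
+
+- name: Set a hostname in /etc/hostname
+ansible.builtin.template:
+src: hostname
+dest: /etc/hostname
+owner: root
+group: root
+mode: 0644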
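Review bot: The three-line plain scalar under `when:` only works because YAML folds the continuation lines into one string, which is easy to break when editing (an extra indent or a `#` changes the meaning), and the whole condition is a membership test: `when: ansible_virtualization_type in ['kvm', 'openstack', 'NA']` says the same on one line. A comment on why the hostnamectl step is restricted to those virtualization types would help, since the two template tasks below already write /etc/hostname and /etc/hosts for every host and the boards in the `internal` group presumably report a different type and skip it.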
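--- a/roles/hostname/templates/hostname
+++ b/roles/hostname/templates/hostname
@@ -0,0 +1 @@
+{{ server_hostname }}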
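--- a/roles/hostname/templates/hosts
+++ b/roles/hostname/templates/hosts
@@ -0,0 +1,10 @@
+# Ansible managed
+
+127.0.0.1 localhost
+::1 localhost6
+127.0.0.1 {{ server_fqdn }} {{ server_hostname }}
+::1 localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts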
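Review bot: `::1` is listed twice (`localhost6` on one line, `localhost ip6-localhost ip6-loopback` on another) and `{{ server_fqdn }}` is mapped to `127.0.0.1`, whereas the Debian convention for a host's own name without a static address is `127.0.1.1`; with the current layout anything resolving the FQDN gets the same loopback address as `localhost`. Merging the two `::1` entries and changing the FQDN line to `127.0.1.1 {{ server_fqdn }} {{ server_hostname }}` matches what the installer writes and what tools that parse /etc/hosts expect.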
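--- a/roles/locale/tasks/main.yaml
+++ b/roles/locale/tasks/main.yaml
@@ -0,0 +1,8 @@
+- name: Generate en_US.UTF-8 locale
+community.general.locale_gen:
+name: en_US.UTF-8
+state: present
+
+- name: Set en_US.UTF-8 as default locale
+ansible.builtin.command: localectl set-locale LANG=en_US.utf8
+when: ansible_env.LANG != "en_US.utf8"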
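Review bot: The idempotency check `when: ansible_env.LANG != "en_US.utf8"` reads the `LANG` of the SSH session Ansible opened, and the sshd_config added in this commit has `AcceptEnv LANG LC_*`, so the value reflects the controller's locale (or is undefined, which makes the comparison fail the task) rather than the target's configured default. Check the system setting instead, for example register `command: localectl status` or read `/etc/default/locale` and compare that, with `changed_when` on the `command` task, so the task reports changed only when it changes something. The README describes the locale as `en_US.utf-8` while these tasks use `en_US.UTF-8` and `en_US.utf8`; glibc usually normalizes the spellings, but one consistent form avoids confusion.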
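--- a/roles/motd/files/motd.cube
+++ b/roles/motd/files/motd.cube
@@ -0,0 +1,9 @@
+
++------+.
+|`. | `.
+| `+--+---+
+| | | |
++---+--+. |
+`. | `.|
+`+------+
+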
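--- a/roles/motd/files/motd.orangepi
+++ b/roles/motd/files/motd.orangepi
@@ -0,0 +1,8 @@
+____
+_\\/_/_
+/ ____ \
+/ /\ | /\ \
+| |-|+|-| |
+\ \/_|_\/ /
+\_______/
+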
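--- a/roles/motd/tasks/main.yaml
+++ b/roles/motd/tasks/main.yaml
@@ -0,0 +1,39 @@
+- name: Find unwanted motd scripts
+ansible.builtin.find:
+paths: /etc/update-motd.d/
+file_type: any
+register: collected_files
+
+- name: Delete unwanted motd scripts
+ansible.builtin.file:
+path: "{{ item.path }}"
+state: absent
+with_items: "{{ collected_files.files }}"
+
+- name: Remove Debian legal notice (/etc/motd)
+ansible.builtin.file:
+path: /etc/motd
+state: absent
+
+- name: Detect Armbian
+ansible.builtin.stat:
+path: /etc/armbian-release
+register: armbian
+
+- name: Add custom /etc/motd for Armbian
+ansible.builtin.copy:
+src: motd.orangepi
+dest: /etc/motd
+owner: root
+group: root
+mode: 0755
+when: armbian.stat.exists == True
+
+- name: Add common custom /etc/motd
+ansible.builtin.copy:
+src: motd.cube
+dest: /etc/motd
+owner: root
+group: root
+mode: 0755
+when: armbian.stat.exists == False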
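Review bot: Both `/etc/motd` copies use `mode: 0755`, which makes a plain text banner executable; `mode: "0644"` is sufficient and matches the other `copy` tasks in this commit. `when: armbian.stat.exists == True` and `== False` compare a boolean against a Python literal; `when: armbian.stat.exists` and `when: not armbian.stat.exists` are the idiomatic forms. The `Remove Debian legal notice` task deletes `/etc/motd` on every run and the following copy recreates it, so the play always reports two changes for that file; dropping the delete and letting `copy` overwrite keeps the run idempotent. The `find` + `file` pair removes everything under `/etc/update-motd.d/`, including scripts that packages may reinstall on upgrade; a comment stating that this is intended would save the next reader from guessing.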
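--- a/roles/packages/handlers/main.yaml
+++ b/roles/packages/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: Autoremove and autoclean packages
+ansible.builtin.apt:
+autoremove: yes
+autoclean: yes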
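--- a/roles/packages/tasks/main.yaml
+++ b/roles/packages/tasks/main.yaml
@@ -0,0 +1,35 @@
+- name: Install base packages
+ansible.builtin.apt:
+name: "{{ item }}"
+state: latest
+update_cache: yes
+install_recommends: no
+with_items:
+- cron
+- logrotate
+- dmidecode
+- lshw
+- sysstat
+- iotop
+- iftop
+- inetutils-telnet
+- inetutils-ping
+- inetutils-ftp
+- ethtool
+- tcpdump
+- mtr
+- curl
+- wget
+- rsync
+- psmisc
+- screen
+- vim
+- file
+- tree
+- plocate
+- findutils
+- diffutils
+- git
+- htop
+- unzip
+notify: Autoremove and autoclean packages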
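--- a/roles/sshd/files/sshd_config
+++ b/roles/sshd/files/sshd_config
@@ -0,0 +1,11 @@
+# Ansible managed
+
+Include /etc/ssh/sshd_config.d/*.conf
+PermitRootLogin yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server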
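Review bot: In `sshd_config` the first value seen for a keyword wins, and `Include /etc/ssh/sshd_config.d/*.conf` is placed above `PasswordAuthentication no`, so any drop-in already present in that directory (cloud images commonly ship one) that sets `PasswordAuthentication yes` silently overrides the hardening this role is meant to apply. Either move the `Include` below the explicit settings, or have the role also manage that directory (for example by writing its own drop-in that sorts first, since files are read in lexical order) so the effective value is the one in this file. `PermitRootLogin yes` is currently safe only because password authentication is off; `PermitRootLogin prohibit-password` states that intent directly and stays correct if the password setting ever changes. `X11Forwarding yes` is unnecessary on headless servers and is usually set to `no`.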
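--- a/roles/sshd/handlers/main.yaml
+++ b/roles/sshd/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: Restart sshd
+ansible.builtin.service:
+name: sshd
+state: restarted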
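--- a/roles/sshd/tasks/main.yaml
+++ b/roles/sshd/tasks/main.yaml
@@ -0,0 +1,8 @@
+- name: Update sshd_config
+ansible.builtin.copy:
+src: sshd_config
+dest: /etc/ssh/sshd_config
+owner: root
+group: root
+mode: 0644
+notify: Restart sshd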
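Review bot: The `copy` task replaces `/etc/ssh/sshd_config` and then notifies `Restart sshd` with nothing checking the file first, so a typo in the role's file restarts sshd into a failed state on a root-only host that is reached solely over SSH. Add `validate: /usr/sbin/sshd -t -f %s` to the copy task so an invalid config aborts the task before the handler runs. Using `state: reloaded` in the handler would also keep existing sessions open where a full restart is not required.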
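--- a/roles/tz/handlers/main.yaml
+++ b/roles/tz/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: Restart Cron
+ansible.builtin.service:
+name: cron
+state: restarted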
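--- a/roles/tz/tasks/main.yaml
+++ b/roles/tz/tasks/main.yaml
@@ -0,0 +1,4 @@
+- name: Set timezone to Europe/Moscow
+community.general.timezone:
+name: Europe/Moscow
+notify: Restart Cron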
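--- a/roles/ufw/tasks/main.yaml
+++ b/roles/ufw/tasks/main.yaml
@@ -0,0 +1,14 @@
+- name: Install UFW
+ansible.builtin.apt:
+name: ufw
+state: latest
+update_cache: yes
+
+- name: Allow SSH
+community.general.ufw:
+rule: allow
+name: OpenSSH
+
+- name: Enable Firewall
+community.general.ufw:
+state: enabled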
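Review bot: `Enable Firewall` turns ufw on without stating a default policy, so the result depends on whatever `/etc/default/ufw` already contains on the host (deny incoming on a stock install, but not necessarily on a reused image). Add a task before it with `community.general.ufw:` and `default: deny` / `direction: incoming`, and consider `logging: "on"` so dropped connections are visible in later investigations. The `OpenSSH` application profile covers port 22 only; if the sshd role ever changes the listening port, this rule must follow it or the host locks itself out. `Install UFW` is also the only apt task in the commit without `install_recommends: no`, which is probably an oversight rather than intent.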