ge 2024-09-15 14:12:48 +03:00
commit 9d7c62684f
34 changed files with 464 additions and 0 deletions

25
README.md Normal file

@ -0,0 +1,25 @@
# Ansible playbooks to setup servers
## Requirements
```
ansible-galaxy install -r requirements.yml
```
## Roles
Basic server setup:
- `hostname` Set hostname, FQDN.
- `tz` Set TZ `Europe/Moscow`.
- `locale` Generate and set locale `en_US.utf-8`.
- `packages` Install admin tools e.g. vim, tree, etc.
- `dotfiles` Add dotfiles for root and /etc/skel.
- `motd` Modify MOTD.
- `ufw` Enable UFW, allow OpenSSH rule.
- `sshd` Disable SSH authentication via passwords.
Other:
- `avahi` Install and configure Avahi daemon for mDNS.
- `docker` Install Docker Engine.

4
ansible.cfg Normal file

@ -0,0 +1,4 @@
[defaults]
host_key_checking = false
inventory = ./inventory.yaml
roles_path = ./roles/
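Review bot: `host_key_checking = false` on the second line disables SSH host-key verification for every host this repository manages, so a first connection (or a changed key) is accepted without any check and a man-in-the-middle between the controller and a host is not detected. The hosts in this commit include one reached over a public address, where that is the main protection the transport offers. Prefer dropping the line (the default is `True`) and shipping the hosts' known keys in the controller's known_hosts, or, if it must stay for bootstrap, add a comment saying why and scope it with an environment variable on the one run that needs it rather than in the committed config.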

35
inventory.yaml Normal file

@ -0,0 +1,35 @@
all:
vars:
architectures:
x86_64: amd64
aarch64: arm64
armv7l: armhf
children:
external:
hosts:
mainframe:
server_hostname: mainframe
server_fqdn: mainframe.phreepunk.network
ansible_host: 147.45.233.134
ansible_user: root
ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
internal:
hosts:
opipcplus:
server_hostname: opipcplus
server_fqdn: opipcplus.local
ansible_host: 192.168.3.8
ansible_user: root
ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
opi3b:
server_hostname: opi3b
server_fqdn: opi3b.local
ansible_host: 192.168.3.6
ansible_user: root
ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
pnx:
server_hostname: pnx
server_fqdn: pnx.local
ansible_host: 192.168.3.128
ansible_user: root
ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519
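Review bot: `ansible_user: root` and `ansible_ssh_private_key_file: /home/ge/.ssh/id_ed25519` are repeated on every host and the key path is tied to one operator's home directory, so the inventory cannot be used from another controller without editing each host. Move both into `all: vars:` (next to `architectures`) or a `group_vars/all.yaml`, and consider leaving the key path out entirely so the operator's own `~/.ssh/config` selects the key. Combined with the `PermitRootLogin yes` in the sshd role of this commit, every host is managed as root over the key named here; that is workable, but the key's handling on the controller is then the security boundary for all four machines and is worth a sentence in the README.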

8
playbooks/base.yaml Normal file

@ -0,0 +1,8 @@
- hosts: all
roles:
- hostname
- tz
- locale
- motd
- dotfiles
- packages
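Review bot: The README in this commit lists `ufw` and `sshd` under "Basic server setup", but this play applies neither; they are only applied to the `external` group in playbooks/external.yaml, so the three `internal` hosts keep password authentication and no host firewall. If that is intentional (a trusted LAN), say so in the README; if not, move the two roles here. The plays in base.yaml, external.yaml and internal.yaml also carry no `name:`, which makes run output harder to read — e.g. `- name: Base setup for all hosts` above `hosts: all`.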

6
playbooks/external.yaml Normal file

@ -0,0 +1,6 @@
- hosts: external
roles:
- sshd
- ufw
- role: docker
when: server_hostname in ['mainframe']
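Review bot: The `docker` role installed here on the publicly reachable host manipulates iptables directly, and ports published by containers are reachable regardless of the `ufw` role's "allow OpenSSH only" policy, so the firewall set up two lines above does not constrain anything Docker exposes. Nothing in this commit addresses that interaction; at minimum the README should state it, and containers on that host should publish on the loopback address unless a port is meant to be public. The `in ['mainframe']` condition is fine but reads more naturally as a per-host variable (e.g. a boolean set in the inventory) than a hostname list in the playbook.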

5
playbooks/internal.yaml Normal file

@ -0,0 +1,5 @@
- hosts: internal
roles:
- avahi
- role: docker
when: server_hostname != 'pnx'

3
playbooks/master.yaml Normal file

@ -0,0 +1,3 @@
- import_playbook: base.yaml
- import_playbook: internal.yaml
- import_playbook: external.yaml

2
requirements.yaml Normal file

@ -0,0 +1,2 @@
collections:
- name: community.general
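Review bot: The README's install command refers to `requirements.yml`, but this file is named `requirements.yaml`, so the documented `ansible-galaxy install -r requirements.yml` fails as written; rename one to match. The collection is also unpinned, which means the roles using `community.general.locale_gen`, `timezone` and `ufw` will pick up whatever version Galaxy serves at install time; add a `version:` entry under the collection name to make the install reproducible.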


@ -0,0 +1,13 @@
# Ansible managed
passwd: files
group: files
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis


@ -0,0 +1,9 @@
- name: Restart Avahi Daemon
ansible.builtin.service:
name: avahi-daemon
state: restarted
- name: Autoremove and autoclean packages
ansible.builtin.apt:
autoremove: yes
autoclean: yes
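Review bot: The `Autoremove and autoclean packages` handler in this file is repeated verbatim in the docker and packages roles' handlers later in this commit; since a handler name must be unique within a play and all three roles can run in the same play, keeping one copy (for example in a small shared role the others declare as a dependency, or in a play-level `handlers:` section) avoids three definitions drifting apart. The values `autoremove: yes` and `autoclean: yes` are YAML 1.1 truthy words; write `true` as the other truthy values in this repository's `enabled: false` already do.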


@ -0,0 +1,30 @@
- name: Populate service facts
ansible.builtin.service_facts:
- name: Stop and disable systemd-resolved
ansible.builtin.systemd:
name: systemd-resolved
state: stopped
enabled: false
when: "'systemd-resolved' in services"
- name: Install Avahi Daemon and helpers
ansible.builtin.apt:
name: "{{ item }}"
state: latest
update_cache: yes
install_recommends: no
with_items:
- avahi-daemon
- avahi-utils
- libnss-mdns
notify: Autoremove and autoclean packages
- name: Configure /etc/nsswitch.conf
ansible.builtin.copy:
src: nsswitch.conf
dest: /etc/nsswitch.conf
owner: root
group: root
mode: 0644
notify: Restart Avahi Daemon
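Review bot: The condition `when: "'systemd-resolved' in services"` on the stop/disable task checks for a key that `service_facts` does not produce: the `services` fact is keyed by unit name including the suffix, i.e. `systemd-resolved.service`, so the task is skipped on every host and resolved keeps listening. Change it to `when: "'systemd-resolved.service' in services"`. Stopping resolved also leaves /etc/resolv.conf pointing at the stub resolver on hosts where it is a symlink into /run/systemd/resolve, so DNS may break until that file is replaced — presumably an issue on some of these hosts, worth a follow-up task. The unquoted `mode: 0644` is an octal literal that YAML reads as an integer; quoting it (`mode: "0644"`) is the form Ansible documents.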


@ -0,0 +1,4 @@
- name: Autoremove and autoclean packages
ansible.builtin.apt:
autoremove: yes
autoclean: yes


@ -0,0 +1,46 @@
- name: Check and install prerequisites
ansible.builtin.apt:
name: "{{ item }}"
state: latest
update_cache: yes
install_recommends: no
with_items:
- ca-certificates
- curl
- gnupg
- lsb-release
- name: Add Docker repository
block:
- name: Make APT keyrings dir
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
owner: root
group: root
mode: 0755
- name: Add Docker APT key
ansible.builtin.get_url:
url: "https://download.docker.com/linux/debian/gpg"
dest: /etc/apt/keyrings/docker.asc
- name: Add Docker APT list
ansible.builtin.apt_repository:
repo: "deb [arch={{ architectures[ansible_architecture] }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
filename: docker
state: present
- name: Install Docker Engine
ansible.builtin.apt:
name: "{{ item }}"
state: latest
update_cache: yes
install_recommends: no
with_items:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
notify: Autoremove and autoclean packages
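Review bot: The `Add Docker APT key` task fetches the signing key with `get_url` but verifies nothing about it, and that key is then trusted for every package from the repository, so a compromised or substituted download at that moment would be trusted on the host indefinitely. Add a pinned digest and an explicit mode, `checksum: "sha256:<PLACEHOLDER-key-digest>"` and `mode: "0644"`, under the `dest:` line; the digest can be taken from a verified copy of the key. `state: latest` on the engine install means every playbook run may upgrade and restart Docker, which on the production host interrupts running containers — `state: present` plus a deliberate upgrade step is the usual choice. The `linux/debian` path and `ansible_distribution_release` are presumably correct for the Debian-based boards in the inventory, but Armbian reports may differ; worth confirming on one of them.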


@ -0,0 +1,3 @@
# Ansible managed
[ -f ~/.bashrc ] && . ~/.bashrc


@ -0,0 +1,31 @@
# Ansible managed
[ -f ~/.profile ] && . ~/.profile
[ -f ~/.profile.extra ] && . ~/.profile.extra
alias grep='grep --color=auto'
alias diff='diff --color=auto'
alias ls='ls -F --color=auto'
alias l='ls -hl'
alias ll='ls -alh'
alias tree='tree -F'
alias qq='history -c; exit'
shopt -s autocd
shopt -s histappend
HISTCONTROL=ignoreboth
HISTSIZE=20000
HISTFILESIZE=20000
HISTTIMEFORMAT="%d %b %Y %T %z "
if [ "$EUID" -eq 0 ]; then
if [ -f /etc/armbian-release ]; then
PS1='\[\033[38;5;208;1m\]\u@\H\[\033[00m\]:\w\[\033[00m\]\$ '
else
PS1='\[\033[1m\]\u@\H\[\033[00m\]:\w\[\033[00m\]\$ '
fi
else
PS1='\u@\H:\w\$ '
fi
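Review bot: `alias qq='history -c; exit'` is installed into root's .bashrc (and /etc/skel) by the dotfiles role, and with `histappend` set the cleared in-memory list is what would have been written, so a session ended with `qq` leaves no trace in root's shell history. Shell history is one of the few host-side records of what was run as root on these machines during an incident review, so I would leave this alias out of the managed root dotfiles even if it is kept for the operator's own account. The rest of the file is fine; a one-line comment above the `PS1` block saying that orange is used to mark Armbian boards would help the next reader.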


@ -0,0 +1,7 @@
# Ansible managed
PATH=$HOME/.local/bin:$PATH
EDITOR=vim
VISUAL=vim
LESS=-R
export PATH EDITOR VISUAL LESS


@ -0,0 +1,5 @@
# Ansible managed
startup_message off
hardstatus alwayslastline
hardstatus string '%S: %-w%>(%n %t)%{-}%+w%<'


@ -0,0 +1,20 @@
" Ansible managed
colorscheme default
filetype plugin on
syntax on
let python_highlight_all = 1
set mouse-=a
set tabstop=4
set shiftwidth=4
set smarttab
set expandtab
set softtabstop=4
set autoindent
set listchars=tab:▸\ ,trail:·
set list
set t_Co=256
set enc=utf-8
set fenc=utf-8
set termencoding=utf-8
set modeline
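Review bot: `set modeline` on the last line enables modelines in a vimrc that the dotfiles role installs for root, so editing any file a less privileged user or a service wrote (logs, uploaded configs) lets that file set editor options in root's session; modeline handling has historically been a source of Vim escapes, which is why distributions ship it off by default. Unless the operator relies on modelines, drop the line or set `set nomodeline` explicitly. The `set enc=utf-8` / `set fenc=utf-8` / `set termencoding=utf-8` trio is fine but `fenc` as a global default is unusual — a comment noting it is intentional would help.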


@ -0,0 +1,26 @@
- name: Copy dotfiles
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0644
with_items:
- { src: 'dot.vimrc', dest: '/etc/skel/.vimrc' }
- { src: 'dot.screenrc', dest: '/etc/skel/.screenrc' }
- { src: 'dot.profile', dest: '/etc/skel/.profile' }
- { src: 'dot.bashrc', dest: '/etc/skel/.bashrc' }
- { src: 'dot.bash_profile', dest: '/etc/skel/.bash_profile' }
- { src: 'dot.vimrc', dest: '/root/.vimrc' }
- { src: 'dot.screenrc', dest: '/root/.screenrc' }
- { src: 'dot.profile', dest: '/root/.profile' }
- { src: 'dot.bashrc', dest: '/root/.bashrc' }
- { src: 'dot.bash_profile', dest: '/root/.bash_profile' }
- name: Remove unwanted dotfiles
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
- /etc/skel/.bash_logout
- /root/resize.log
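Review bot: `mode: 0644` in the copy task is an unquoted octal literal; YAML turns it into the integer 420 and Ansible has to reinterpret it, and the same pattern appears in the avahi, hostname, motd and sshd tasks of this commit — quote it as `mode: "0644"` everywhere. The ten flow-style `{ src: ..., dest: ... }` items under `with_items` are hard to scan; the `loop:` keyword with block-style items and `loop_control: label: "{{ item.dest }}"` gives cleaner output without changing behaviour. The two tasks are otherwise straightforward; a comment above `Remove unwanted dotfiles` saying why `/root/resize.log` is expected on these boards would help a reader who does not know the images.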


@ -0,0 +1,23 @@
- name: Set a hostname via hostnamectl
ansible.builtin.hostname:
name: "{{ server_hostname }}"
use: systemd
when: ansible_virtualization_type == "kvm" or
ansible_virtualization_type == "openstack" or
ansible_virtualization_type == "NA"
- name: Set a hostname and FQDN in /etc/hosts
ansible.builtin.template:
src: hosts
dest: /etc/hosts
owner: root
group: root
mode: 0644
- name: Set a hostname in /etc/hostname
ansible.builtin.template:
src: hostname
dest: /etc/hostname
owner: root
group: root
mode: 0644
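Review bot: The three-line `when:` on the hostnamectl task is a plain scalar continued across lines, which works but is easy to break when editing; the list form is clearer and evaluates the same way, `when:` followed by `- ansible_virtualization_type in ["kvm", "openstack", "NA"]`. Presumably the intent is to skip `hostnamectl` inside containers (LXC, Docker) where it cannot set the kernel hostname — a comment stating that would save the next reader from guessing. Both template tasks write `/etc/hosts` and `/etc/hostname` as root-owned `0644`; quote the mode as `"0644"`.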


@ -0,0 +1 @@
{{ server_hostname }}


@ -0,0 +1,10 @@
# Ansible managed
127.0.0.1 localhost
::1 localhost6
127.0.0.1 {{ server_fqdn }} {{ server_hostname }}
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
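Review bot: The template maps `{{ server_fqdn }} {{ server_hostname }}` to `127.0.0.1`, whereas the Debian convention these hosts follow is `127.0.1.1` for the machine's own name so that resolving the hostname does not collide with `localhost` and `hostname -i` does not return the loopback address that some daemons refuse to bind; consider `127.0.1.1 {{ server_fqdn }} {{ server_hostname }}`. There are also two `::1` lines (`localhost6` and then `localhost ip6-localhost ip6-loopback`); a single line is conventional. The `hosts` template file has no extension, so editors will not syntax-highlight it — fine, but worth a `{# Ansible managed #}`-style note if the `# Ansible managed` line is meant as the marker.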


@ -0,0 +1,8 @@
- name: Generate en_US.UTF-8 locale
community.general.locale_gen:
name: en_US.UTF-8
state: present
- name: Set en_US.UTF-8 as default locale
ansible.builtin.command: localectl set-locale LANG=en_US.utf8
when: ansible_env.LANG != "en_US.utf8"
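Review bot: `when: ansible_env.LANG != "en_US.utf8"` tests the environment of the SSH session, not the host's configured locale, and the sshd_config in this same commit has `AcceptEnv LANG LC_*`, so the value seen here is whatever the controller sent; the `localectl set-locale` command therefore runs or is skipped depending on the operator's terminal, and it raises an error when `LANG` is absent from the session. Guard the variable with a default, `when: ansible_env.LANG | default('') != "en_US.utf8"`, and decide on a host-side check instead — reading /etc/default/locale with `slurp` or `lineinfile` in check mode is the idempotent route, with `changed_when` on the command if it stays.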


@ -0,0 +1,9 @@
+------+.
|`. | `.
| `+--+---+
| | | |
+---+--+. |
`. | `.|
`+------+


@ -0,0 +1,8 @@
____
_\\/_/_
/ ____ \
/ /\ | /\ \
| |-|+|-| |
\ \/_|_\/ /
\_______/


@ -0,0 +1,39 @@
- name: Find unwanted motd scripts
ansible.builtin.find:
paths: /etc/update-motd.d/
file_type: any
register: collected_files
- name: Delete unwanted motd scripts
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
with_items: "{{ collected_files.files }}"
- name: Remove Debian legal notice (/etc/motd)
ansible.builtin.file:
path: /etc/motd
state: absent
- name: Detect Armbian
ansible.builtin.stat:
path: /etc/armbian-release
register: armbian
- name: Add custom /etc/motd for Armbian
ansible.builtin.copy:
src: motd.orangepi
dest: /etc/motd
owner: root
group: root
mode: 0755
when: armbian.stat.exists == True
- name: Add common custom /etc/motd
ansible.builtin.copy:
src: motd.cube
dest: /etc/motd
owner: root
group: root
mode: 0755
when: armbian.stat.exists == False
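Review bot: Both `Add ... /etc/motd` tasks copy a plain text banner with `mode: 0755`; /etc/motd is read, never executed, so the execute bits only widen what a misconfiguration could run — use `mode: "0644"`. The conditions `armbian.stat.exists == True` and `== False` compare against Python literals; the idiomatic forms are `when: armbian.stat.exists` and `when: not armbian.stat.exists`. `Find unwanted motd scripts` deletes every entry under /etc/update-motd.d/, which on Armbian also removes the board status scripts — presumably intended since the banner replaces them, but a comment above the task saying so would prevent someone "fixing" it.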


@ -0,0 +1,4 @@
- name: Autoremove and autoclean packages
ansible.builtin.apt:
autoremove: yes
autoclean: yes


@ -0,0 +1,35 @@
- name: Install base packages
ansible.builtin.apt:
name: "{{ item }}"
state: latest
update_cache: yes
install_recommends: no
with_items:
- cron
- logrotate
- dmidecode
- lshw
- sysstat
- iotop
- iftop
- inetutils-telnet
- inetutils-ping
- inetutils-ftp
- ethtool
- tcpdump
- mtr
- curl
- wget
- rsync
- psmisc
- screen
- vim
- file
- tree
- plocate
- findutils
- diffutils
- git
- htop
- unzip
notify: Autoremove and autoclean packages
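Review bot: `with_items` with `name: "{{ item }}"` runs `apt` once per package (27 invocations, each with `update_cache: yes`), which is slow and reports a change per item; pass the list directly, `name:` with the items under it and `state: latest`, so apt resolves them in one transaction — the same applies to the avahi and docker roles' install tasks. `state: latest` also means every run upgrades these packages (tcpdump, git, cron, ...) without a maintenance window; if unattended upgrades are not the intent, `present` is safer and leaves upgrades to a deliberate step. `update_cache: yes` and `install_recommends: no` should be `true` / `false` for consistency with the repository's other booleans.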


@ -0,0 +1,11 @@
# Ansible managed
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
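Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first directive, and sshd keeps the first value it obtains for each keyword, so any drop-in in that directory (a cloud-init or distribution-provided file setting `PasswordAuthentication yes`, for instance) silently wins over the `PasswordAuthentication no` below it — the role's stated purpose; move the Include to the end of the file or remove it if the drop-ins are not wanted. `PermitRootLogin yes` allows root password login whenever passwords are re-enabled by such a drop-in; `PermitRootLogin prohibit-password` gives the key-only behaviour this commit intends regardless. `X11Forwarding yes` is unnecessary on headless servers and should be `no`; `ChallengeResponseAuthentication` is the deprecated spelling of `KbdInteractiveAuthentication` on current OpenSSH and still works.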


@ -0,0 +1,4 @@
- name: Restart sshd
ansible.builtin.service:
name: sshd
state: restarted
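Review bot: The handler restarts `sshd`, while the unit on Debian-family hosts is `ssh`; `sshd.service` is only an alias that exists while the unit is enabled, so the restart may fail on a host where the service was disabled or on a minimal image — presumably it worked on the four inventory hosts, but `name: ssh` is the portable choice there. A comment above the handler noting which distribution the name was verified on would help.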


@ -0,0 +1,8 @@
- name: Update sshd_config
ansible.builtin.copy:
src: sshd_config
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
notify: Restart sshd
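Review bot: `Update sshd_config` replaces the daemon's configuration and then notifies a restart without checking the new file first; since every host in the inventory is managed as root over SSH, a typo in the copied file locks the operator out on the next run. `ansible.builtin.copy` supports `validate: /usr/sbin/sshd -t -f %s`, which makes sshd parse the staged file before it is installed and fails the task instead of the service. Quote the mode as `"0644"` as elsewhere.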


@ -0,0 +1,4 @@
- name: Restart Cron
ansible.builtin.service:
name: cron
state: restarted

4
roles/tz/tasks/main.yaml Normal file

@ -0,0 +1,4 @@
- name: Set timezone to Europe/Moscow
community.general.timezone:
name: Europe/Moscow
notify: Restart Cron
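Review bot: The timezone is hard-coded as `Europe/Moscow` both in the task name and in `name:`, so the role cannot be reused for a host elsewhere without editing it. A role default such as `timezone: Europe/Moscow` in the role's defaults, referenced as `name: "{{ timezone }}"`, keeps the current behaviour and lets the inventory override it; the README line for the role should then mention the variable.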

14
roles/ufw/tasks/main.yaml Normal file

@ -0,0 +1,14 @@
- name: Install UFW
ansible.builtin.apt:
name: ufw
state: latest
update_cache: yes
- name: Allow SSH
community.general.ufw:
rule: allow
name: OpenSSH
- name: Enable Firewall
community.general.ufw:
state: enabled