author | Devan Carpenter <git@dvn.me> | 2020-05-13 16:11:54 +0100 |
---|---|---|
committer | Devan Carpenter <git@dvn.me> | 2020-05-13 16:11:54 +0100 |
commit | efaaee0ebe8c2f7fe715894c2941282cd29913e7 (patch) | |
tree | ffc070e43b85e5a2852875967fa2fd4523dc194c | |
-rw-r--r-- | .gitlab-ci.yml | 10 | ||||
-rw-r--r-- | README.md | 3 | ||||
-rw-r--r-- | local.yml | 13 | ||||
-rw-r--r-- | roles/ansible-pull/tasks/main.yml | 33 | ||||
-rw-r--r-- | roles/ansible-pull/templates/ansible-pull.sh | 31 | ||||
-rw-r--r-- | roles/ansible-pull/templates/pull.fact | 13 | ||||
-rw-r--r-- | roles/ansible-pull/vars/main.yaml | 2 | ||||
-rw-r--r-- | roles/basic/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/basic/tasks/main.yml | 32 | ||||
-rw-r--r-- | roles/buster-upgrade/tasks/main.yml | 17 | ||||
-rw-r--r-- | roles/buster-upgrade/templates/sources.list | 11 | ||||
-rw-r--r-- | roles/unattended-upgrades/tasks/main.yml | 9 | ||||
-rw-r--r-- | roles/unattended-upgrades/templates/unattended-upgrades | 24 | ||||
-rw-r--r-- | roles/users/tasks/main.yml | 22 |
14 files changed, 222 insertions, 0 deletions
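--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+stages:
+- test
+
+test:
+stage: test
+image: python:latest
+before_script:
+- pip install ansible==2.6.2
+script:
+- ansible-playbook --syntax-check -v local.yml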
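Review bot: The job pins `ansible==2.6.2` but runs in `image: python:latest`, so the interpreter and pip underneath the pinned Ansible move whenever the image is rebuilt, and a release that old can stop installing on a newer Python with no change to this repo. Pinning the image tag alongside the package, e.g. `image: python:3.7`, keeps the check reproducible. Note also that `--syntax-check` only parses `local.yml` and the task files of the roles it references; it never renders the files under `roles/*/templates`, so mistakes in `ansible-pull.sh` or `pull.fact` are not caught here.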
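--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Ansible Basic Stuff
+
+An `ansible-pull` compatible repo to do some basic things that I like all of my boxes to have.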
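--- /dev/null
+++ b/local.yml
@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+vars:
+additional_playbooks:
+runner0.gitlab.gnunet.org:
+- name: gitlab-runner
+roles:
+- role: buster-upgrade
+when: (ansible_distribution == "Debian" and ansible_distribution_major_version == "9")
+- basic
+- ansible-pull
+- users
+- unattended-upgrades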
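--- /dev/null
+++ b/roles/ansible-pull/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: Update apt cache
+apt: update_cache=yes
+
+- name: Install depends
+apt:
+name: [python3-pip, ansible]
+state: present
+
+- name: Ensure /etc/ansible/facts.d exists
+file:
+path: /etc/ansible/facts.d
+state: directory
+recurse: yes
+
+- name: Make /etc/ansible/facts.d/pull.fact
+template:
+src: pull.fact
+dest: /etc/ansible/facts.d/pull.fact
+
+- name: recollect facts
+setup:
+
+- name: Install the ansible-pull script
+template: src=ansible-pull.sh dest=/usr/sbin/run-ansible-pull mode=0755 owner=root group=root
+
+- name: Install cronjob
+cron: name="Ansible Pull" minute="{{ ansible_local.pull.minute | default(59 | random) }}" job="/usr/sbin/run-ansible-pull"
+
+- name: ensure ansible-pull is run on reboot
+cron:
+name: run ansible on reboot
+job: /usr/sbin/run-ansible-pull
+special_time: reboot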
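Review bot: `Update apt cache` runs `update_cache=yes` with no `cache_valid_time`, so it refreshes the index and reports `changed` on every hourly pull, while `roles/buster-upgrade` uses `cache_valid_time=3600` for the same step; `apt: update_cache=yes cache_valid_time=3600` keeps the two roles consistent and makes the play's change count meaningful. `Make /etc/ansible/facts.d/pull.fact` sets no `mode`/`owner`, unlike the `run-ansible-pull` install two tasks further down; `mode=0644 owner=root group=root` would put both files under the same explicit policy, which matters because that fact file is what decides which repo and branch the next pull checks out and executes as root.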
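--- /dev/null
+++ b/roles/ansible-pull/templates/ansible-pull.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ "$1" == "nodisown" ]; then
+# Sometimes the $PATH gets messed up in cron, so lets start by setting the record straight
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+if [[ -d /usr/ansible ]]; then rm -rf /usr/ansible; fi
+ansible-pull -U {{ ansible_local.pull.repo }} -C {{ ansible_local.pull.branch }} -d /var/run/ansible/basic &> /var/log/ansible.log
+code=$?
+
+if [[ "$code" -ne "0" ]]; then
+# ansible localhost -m irc -a "server=irc.oftc.net use_ssl=yes port=6697 channel=# msg='[$(hostname -f)] Ansible Pull failed.' nick=ansible-$RANDOM color=red timeout=60"
+exit 1
+fi
+
+{% if ansible_fqdn in additional_playbooks %}
+{% for playbook in additional_playbooks[ansible_fqdn] %}
+ansible-pull -U {{ playbooks[playbook.name] }} {% if 'branch' in playbook %}-C {{ playbook.branch}} {% endif %} -d /var/run/ansible/{{playbook.name}}&> /var/log/ansible-{{ playbook.name }}.log
+code=$?
+
+if [[ "$code" -ne "0" ]]; then
+# ansible localhost -m irc -a "server=irc.oftc.net use_ssl=yes port=6697 channel=# msg='[$(hostname -f)] ansible-pull failed with additional playbook {{ playbook.name }}' nick=ansible-$RANDOM color=red"
+exit 1
+fi
+
+{% endfor %}
+{% endif %}
+# ansible localhost -m irc -a "server=irc.oftc.net use_ssl=yes port=6697 channel=# msg='[$(hostname -f)] Ansible Pull successfully ran' nick=ansible-$RANDOM color=green"
+
+else
+$0 nodisown & disown
+fi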
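Review bot: Both `ansible-pull` invocations (script lines 7 and 17) check out a remote branch and run it as root with no integrity check beyond the transport, so whoever controls the repo and branch recorded in `pull.fact` controls every host; adding `--verify-commit` makes `ansible-pull` abort unless the checked-out HEAD carries a valid GPG signature, provided the repo's commits are signed and the signing key is in root's keyring. The hourly cron entry and the `@reboot` entry installed by the role can both start this script, and nothing stops two runs working in `/var/run/ansible/basic` at the same time; a lock in the `else` branch, `flock -n /run/lock/run-ansible-pull.lock "$0" nodisown & disown`, serialises them. The `&>` redirections truncate each log on every run, so the output of a failed run is gone after the next successful one — `&>>` (or a timestamped file name) keeps it. Line 6's `rm -rf /usr/ansible` deserves a comment saying what it removes, since nothing else in this commit references that path.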
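--- /dev/null
+++ b/roles/ansible-pull/templates/pull.fact
@@ -0,0 +1,13 @@
+{
+{% if ansible_local is defined and ansible_local.pull is defined and ansible_local.pull is mapping %}
+"repo": "{% if ansible_local.pull.repo %}{{ ansible_local.pull.repo }}{% else %}https://git.gnunet.org/ansible-basic.git{% endif %}",
+"branch": "{% if ansible_local.pull.branch %}{{ ansible_local.pull.branch }}{% else %}master{% endif %}",
+"minute": {% if ansible_local.pull.minute %}{{ ansible_local.pull.minute }}{% else %}{{ 59 | random }}{% endif %}
+
+{% else %}
+"repo": "https://git.gnunet.org/ansible-basic.git",
+"branch": "master",
+"minute": "{{ 59 | random }}"
+
+{% endif %}
+}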
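Review bot: `{% if ansible_local.pull.minute %}` on line 5 treats a stored minute of `0` as unset, so a host that once drew 0 gets a fresh `{{ 59 | random }}` on every run, and the `Install cronjob` task then rewrites the cron entry each time instead of converging. Using the same idiom the cron task already uses keeps 0 and still falls back when the key is absent: `"minute": {{ ansible_local.pull.minute | default(59 | random) }}`. The two branches also disagree on type — line 5 emits a bare number while line 10 quotes it — so the fact should use one form (unquoted in both) regardless of which branch rendered it.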
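--- /dev/null
+++ b/roles/ansible-pull/vars/main.yaml
@@ -0,0 +1,2 @@
+playbooks:
+gitlab-runner: https://git.gnunet.org/ansible-gitlab-runner.git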
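--- /dev/null
+++ b/roles/basic/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Locale Gen
+command: locale-gen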
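--- /dev/null
+++ b/roles/basic/tasks/main.yml
@@ -0,0 +1,32 @@
+- name: Install things from apt
+apt:
+name: [git, htop, mosh, tmux, ca-certificates, xtail, vim, python3-pip]
+state: latest
+update_cache: yes
+
+- name: Install qemu-guest-agent
+apt:
+name: qemu-guest-agent
+state: latest
+when: ansible_system_vendor == "QEMU"
+
+- name: Start qemu-guest-agent
+service:
+name: qemu-guest-agent
+state: started
+when: ansible_system_vendor == "QEMU"
+
+- name: Enable UTF-8 in the locale file
+lineinfile: line="en_US.UTF-8 UTF-8" dest=/etc/locale.gen
+notify:
+- Locale Gen
+
+- name: Set timezone to Europe/Berlin
+timezone:
+name: Europe/Berlin
+hwclock: UTC
+
+- name: Install things from pip
+pip:
+name: ipcalc
+executable: pip3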
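Review bot: `Install things from pip` fetches `ipcalc` from PyPI as root with no version pin, so every hourly pull can silently install whatever the index currently serves for that name; a `version: "<pinned version>"` (placeholder) on the `pip` task makes the install reproducible and reviewable. The first apt task uses `state: latest`, which upgrades all of those packages on every run and reports `changed` each time; `state: present` is the usual choice when the `unattended-upgrades` role in this same play already owns routine updates. The `lineinfile` for `/etc/locale.gen` has no `regexp`, so if the host ships the line commented out (`# en_US.UTF-8 UTF-8`) the task appends a second copy rather than uncommenting the first — harmless for `locale-gen`, but worth a `regexp:` so the file stays tidy.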
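--- /dev/null
+++ b/roles/buster-upgrade/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Preliminary update of apt repo and cache
+apt: update_cache=yes cache_valid_time=3600
+
+- name: Preliminary package upgrade
+apt: upgrade=dist
+
+- name: Ensure apt sources are set to Buster
+template:
+src: sources.list
+dest: /etc/apt/sources.list
+
+- name: Update apt repo and cache from new source list
+apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
+
+- name: Upgrade to Buster
+apt: upgrade=dist force_apt_get=yes
+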
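Review bot: `Update apt repo and cache from new source list` keeps `cache_valid_time=3600`, but the apt module skips the refresh when the package lists were updated within that window — and task 1 has just done exactly that moments earlier — so after `sources.list` is swapped to buster the lists are most likely not re-read and `Upgrade to Buster` runs against the old stretch index. Drop the guard on that one task: `apt: update_cache=yes force_apt_get=yes`. Nothing after the final dist-upgrade checks for a pending reboot, so the host keeps the old kernel and already-replaced services running while `basic`, `users` and `unattended-upgrades` continue on the half-switched system; a `stat: path=/var/run/reboot-required` registered into a variable plus a `debug` on its `stat.exists` would at least make that state visible in the pull log, and whether to reboot automatically is a policy decision the README should state. Note also that the template replaces the whole of `/etc/apt/sources.list`, so any entries a host had in that file are dropped by the upgrade.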
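--- /dev/null
+++ b/roles/buster-upgrade/templates/sources.list
@@ -0,0 +1,11 @@
+# main repos
+deb http://ftp.us.debian.org/debian/ buster main
+deb-src http://ftp.us.debian.org/debian/ buster main
+
+# security updates
+deb http://security.debian.org/debian-security buster/updates main
+deb-src http://security.debian.org/debian-security buster/updates main
+
+# buster-updates, previously known as 'volatile'
+deb http://ftp.us.debian.org/debian/ buster-updates main
+deb-src http://ftp.us.debian.org/debian/ buster-updates main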
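Review bot: All four main/updates entries point at `ftp.us.debian.org` while the `basic` role sets the timezone to Europe/Berlin, which suggests the hosts are not in the US; `deb.debian.org` is the project's geo-aware mirror and avoids hard-coding a region, e.g. `deb http://deb.debian.org/debian/ buster main`. The file is plain `http://` throughout — apt still verifies the signed Release files, so package integrity does not depend on the transport — but a one-line comment saying the choice is deliberate would stop a later reader from "fixing" it blindly.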
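--- /dev/null
+++ b/roles/unattended-upgrades/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Install unattended-upgrades
+apt:
+name: unattended-upgrades
+state: present
+
+- name: Configure unattended-upgrades
+template:
+src: unattended-upgrades
+dest: /etc/apt/apt.conf.d/50unattended-upgrades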
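Review bot: The role installs the package and writes the origins file but never ensures the periodic run is actually enabled; unattended-upgrades only executes when `APT::Periodic::Update-Package-Lists "1";` and `APT::Periodic::Unattended-Upgrade "1";` are set, normally in `/etc/apt/apt.conf.d/20auto-upgrades`. The Debian package may create that file through debconf at install time, but relying on it makes the outcome depend on package version and preseed state; a small `copy` task writing those two lines states the intent and is idempotent. The `template` task also sets no `mode`/`owner`, unlike the script install in `roles/ansible-pull`; `mode: 0644` and `owner: root` would keep the two roles consistent.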
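--- /dev/null
+++ b/roles/unattended-upgrades/templates/unattended-upgrades
@@ -0,0 +1,24 @@
+Unattended-Upgrade::Origins-Pattern {
+"origin=Debian,codename=buster,label=Debian";
+"codename=buster-backports";
+"origin=Debian,codename=buster,label=Debian-Security";
+
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+// Unattended-Upgrade::Automatic-Reboot "true";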
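Review bot: The origins on lines 2–4 hard-code `codename=buster`, so the moment a host moves past buster nothing matches any more and security updates silently stop being applied — there is no error, the run just finds nothing to do. The stock Debian file avoids this with the codename macro: `"origin=Debian,codename=${distro_codename},label=Debian";`, `"codename=${distro_codename}-backports";`, `"origin=Debian,codename=${distro_codename},label=Debian-Security";`. Automatically upgrading from backports (line 3) goes beyond what Debian enables by default; if that is intended, a `//` comment saying so will stop a later reader from removing it as a mistake.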
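--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Configure users
+user:
+name: "{{ item }}"
+groups: adm,sudo
+shell: /bin/bash
+with_items:
+- devan
+
+- name: Configure SSH keys
+authorized_key:
+user: "{{ item.name }}"
+state: present
+key: "{{ item.key }}"
+with_items:
+- name: dvn
+key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILL6PhAcMxsc4GhRuQYRMwchcig5qTDQQFZBQzxFTmxI
+
+- name: Ensure passwordless sudo
+lineinfile:
+line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL"
+dest: /etc/sudoers
+regexp: "^%sudo ALL=\\(ALL:ALL\\).*"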
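Review bot: `Configure users` creates `devan`, but `Configure SSH keys` installs the key for `dvn`; unless a `dvn` account already exists on the host, `authorized_key` fails looking that user up, and if both exist the key ends up on a different account from the one that was just given `sudo`. The two lists should name the same user, presumably `- name: devan`. `groups: adm,sudo` without `append: yes` replaces the account's existing supplementary groups on every run, so any group granted outside this play is silently removed. `Ensure passwordless sudo` edits `/etc/sudoers` in place with no syntax check, and a malformed line locks everyone out of sudo on that host; add `validate: /usr/sbin/visudo -cf %s` to the `lineinfile` task (or write a file under `/etc/sudoers.d/` with the same validate).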