diff --git a/playbook-server-setup.yml b/playbook-server-setup.yml
index 1195c10..d9ce9a3 100644
--- a/playbook-server-setup.yml
+++ b/playbook-server-setup.yml
@@ -2,9 +2,9 @@
 - name: Configure servers for use on my home network
 hosts: all
 remote_user: "{{ remote_user }}"
- become: yes
+ become: true
 roles:
 - common
 - librenms-client
- - tailscale
\ No newline at end of file
+ - tailscale
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index be2ce28..b4fed52 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,10 +1,10 @@
 ---
-- name: restart ssh service - Debian
+- name: Restart ssh service - Debian
 ansible.builtin.systemd:
 state: restarted
 name: ssh
-
-- name: restart ssh service - RedHat
+
+- name: Restart ssh service - RedHat
 ansible.builtin.systemd:
 state: restarted
- name: sshd
\ No newline at end of file
+ name: sshd
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 044258e..ccba5e3 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
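Review bot: Renaming the handlers to `Restart ssh service - Debian` and `Restart ssh service - RedHat` breaks the notification from roles/common/tasks/main.yml, whose `Disable password ssh auth` task still notifies `restart ssh service - {{ ansible_distribution_file_variety }}`; handler lookup compares the name string exactly, so that notify no longer resolves to a handler and the `PasswordAuthentication no` edit is never applied to the running sshd. The same mismatch is introduced in roles/librenms-client: its handlers become `Reload systemd configs`, `Enable and restart the rsyslog service` and `Restart syslog-ng for LibreNMS` while the tasks file still notifies `reload systemd configs`, `enable and restart the rsyslog service` and `restart syslog-ng for LibreNMS` (only the snmpd handler survives, through its unchanged `listen:`). Either add the old lower-case name as a `listen:` entry on each renamed handler, e.g. `listen: restart ssh service - Debian`, or update every `notify:` in the same commit.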
@@ -1,61 +1,65 @@
 ---
-- name: get package facts
+- name: Get package facts
 ansible.builtin.package_facts:
-- name: get service facts
- service_facts:
+- name: Get service facts
+ ansible.builtin.service_facts:
-- name: add default ssh keys
- authorized_key:
+- name: Add default ssh keys
+ ansible.posix.authorized_key:
 key: "{{ lookup('file', '{{ ssh_keyfile }}') }}"
 user: "{{ remote_user }}"
 state: present
- exclusive: True
+ exclusive: true
 when: "'mothershipbu.lyon' not in inventory_hostname"
-- name: add default ssh keys - mothershipbu
- authorized_key:
+- name: Add default ssh keys - mothershipbu
+ ansible.posix.authorized_key:
 key: "{{ lookup('file', 'keys-mothershipbu') }}"
 user: "{{ remote_user }}"
 state: present
- exclusive: True
+ exclusive: true
 when: "'mothershipbu.lyon' in inventory_hostname"
-- name: disable password ssh auth
+- name: Disable password ssh auth
 ansible.builtin.lineinfile:
 path: "/etc/ssh/sshd_config"
 regexp: '^PasswordAuthentication'
 line: 'PasswordAuthentication no'
- backrefs: yes
+ backrefs: true
 notify: restart ssh service - {{ ansible_distribution_file_variety }}
-- name: automatic security updates - debian
- package: name=unattended-upgrades state=latest
+- name: Automatic security updates - debian
+ ansible.builtin.package:
+ name: unattended-upgrades
+ state: present
 when: ansible_distribution_file_variety == "Debian"
-- name: automatic security updates - redhat
- package: name=dnf-automatic state=latest
+- name: Automatic security updates - redhat
+ ansible.builtin.package:
+ name: dnf-automatic
+ state: present
 when: ansible_distribution_file_variety == "RedHat"
-- name: configure automatic security updates step 01 - redhat
+- name: Configure automatic security updates step 01 - redhat
 ansible.builtin.lineinfile:
 path: "/etc/dnf/automatic.conf"
 regexp: '^upgrade_type ='
 line: 'upgrade_type = security'
- backrefs: yes
+ backrefs: true
 when: ansible_distribution_file_variety == "RedHat"
-- name: configure automatic security updates step 02 - redhat
+- name: Configure automatic security updates step 02 - redhat
 ansible.builtin.lineinfile:
 path: "/etc/dnf/automatic.conf"
 regexp: '^apply_updates ='
 line: 'apply_updates = yes'
- backrefs: yes
+ backrefs: true
 when: ansible_distribution_file_variety == "RedHat"
-
-- name: enable and start dnf-automatic.timer - redhat
+
+- name: Enable and start dnf-automatic.timer - redhat
 ansible.builtin.systemd:
 state: started
- enabled: yes
+ enabled: true
 name: dnf-automatic.timer
 when: ansible_distribution_file_variety == "RedHat"
diff --git a/roles/librenms-client/handlers/main.yml b/roles/librenms-client/handlers/main.yml
index 23771b7..a600c4a 100644
--- a/roles/librenms-client/handlers/main.yml
+++ b/roles/librenms-client/handlers/main.yml
@@ -1,23 +1,33 @@
 ---
-- name: reload systemd configs
+- name: Reload systemd configs
 ansible.builtin.systemd:
- daemon_reload: yes
-
-- name: enable and restart snmpd.service
+ daemon_reload: true
+
+- name: Enable and restart snmpd.service
 ansible.builtin.systemd:
 state: restarted
- enabled: yes
+ enabled: true
 name: snmpd
 listen: enable and restart snmpd.service
-- name: enable and restart the rsyslog service
+- name: Enable and restart the rsyslog service
 ansible.builtin.systemd:
 state: restarted
- enabled: yes
+ enabled: true
 name: rsyslog
-- name: restart syslog-ng for LibreNMS
+- name: Restart syslog-ng for LibreNMS
 ansible.builtin.systemd:
 state: restarted
 name: syslog-ng
- delegate_to: nms.lyon
\ No newline at end of file
+ delegate_to: nms.lyon
+
+- name: Check librenms add by hostname status
+ when: lnms_add_by_hostname.changed
+ ansible.builtin.debug:
+ msg: "{{ lnms_add_by_hostname.stdout }}"
+
+- name: Check librenms add by ip status
+ when: lnms_add_by_ip.changed
+ ansible.builtin.debug:
+ msg: "{{ lnms_add_by_ip.stdout }}"
diff --git a/roles/librenms-client/tasks/main.yml b/roles/librenms-client/tasks/main.yml
index 201e9d1..8d5cd81 100644
--- a/roles/librenms-client/tasks/main.yml
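Review bot: `Disable password ssh auth` combines `backrefs: true` with `regexp: '^PasswordAuthentication'`, and with backrefs lineinfile only rewrites a line that already matches and never inserts one; on a host whose sshd_config ships the directive commented out (`#PasswordAuthentication yes`) or absent, the task reports ok, password logins stay enabled, and nothing in the play notices. Drop `backrefs` so an unmatched regexp appends the line, or widen it to `regexp: '^#?PasswordAuthentication'`, and add `validate: /usr/sbin/sshd -t -f %s` so a bad edit cannot leave sshd unable to restart. The same backrefs pattern in `Configure automatic security updates step 01 - redhat` and `step 02 - redhat` silently does nothing if `/etc/dnf/automatic.conf` lacks those keys. Separately, `key: "{{ lookup('file', '{{ ssh_keyfile }}') }}"` nests moustaches inside a Jinja expression; pass the variable directly as `key: "{{ lookup('file', ssh_keyfile) }}"`.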
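Review bot: The two new handlers `Check librenms add by hostname status` and `Check librenms add by ip status` guard on `when: lnms_add_by_hostname.changed` and `when: lnms_add_by_ip.changed`, but a handler only runs after the notifying task reported changed, so each condition is always true and can be dropped. What a reader would want in its place is a short comment such as `# Notified from the "Add host to librenms" block in tasks/main.yml; prints the lnms output at end of play`. The `listen: enable and restart snmpd.service` on `Enable and restart snmpd.service` now differs from the handler's name only in case and is what keeps that notification resolving after the rename; a one-line comment stating that it is deliberate would stop the next maintainer from deleting it as redundant.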
+++ b/roles/librenms-client/tasks/main.yml 
@@ -1,145 +1,144 @@
 ---
-- name: check for pihole
+- name: Check for pihole
 ansible.builtin.stat:
 path: "/usr/local/bin/pihole"
 register: pihole
-- name: install latest snmpd - debian
- package: name=snmpd state=latest
+- name: Install latest snmpd - debian
+ ansible.builtin.package:
+ name: snmpd
+ state: present
 when: ansible_os_family == "Debian"
-- name: install latest snmpd - centos
- package: name=net-snmp state=latest
+- name: Install latest snmpd - centos
+ ansible.builtin.package:
+ name: net-snmp
+ state: present
 when: ansible_distribution_file_variety == "RedHat"
-- name: install latest jq
- package: name=jq state=latest
+- name: Install latest jq
+ ansible.builtin.package:
+ name: jq
+ state: present
-- name: fix extend serial permissions
+- name: Fix extend serial permissions
 ansible.builtin.file:
 path: "/sys/devices/virtual/dmi/id/product_serial"
 mode: '444'
 when: ansible_architecture == "x86_64" and ansible_virtualization_role != "guest"
-- name: cron job for extend serial permissions
+- name: Cron job for extend serial permissions
 ansible.builtin.lineinfile:
 path: /etc/crontab
 line: "@reboot chmod 444 /sys/devices/virtual/dmi/id/product_serial"
 when: ansible_architecture == "x86_64"
-- name: download script for extend distro
+- name: Download script for extend distro
 ansible.builtin.get_url:
 url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro"
 dest: "/usr/bin/distro"
 mode: '755'
-- name: download script for extend osupdates
+- name: Download script for extend osupdates
 ansible.builtin.get_url:
 url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/osupdate"
 dest: "/etc/snmp/osupdate"
 mode: '755'
-- name: download script for extend zfs
+- name: Download script for extend zfs
 ansible.builtin.get_url:
 url: "https://github.com/librenms/librenms-agent/raw/master/snmp/zfs-linux"
 dest: "/etc/snmp/zfs-linux"
 mode: '755'
 when: "'zfs-zed' in ansible_facts.packages"
-- name: download script for extend docker
+- name: Download script for extend docker
 ansible.builtin.get_url:
 url: "https://github.com/librenms/librenms-agent/raw/master/snmp/docker-stats.sh"
 dest: "/etc/snmp/docker-stats.sh"
 mode: '755'
 when: "'docker' in services"
-- name: download script for extend pihole
+- name: Download script for extend pihole
 ansible.builtin.get_url:
 url: "https://github.com/librenms/librenms-agent/raw/master/snmp/pi-hole"
 dest: "/etc/snmp/pi-hole"
 mode: '755'
 when: pihole.stat.exists
-- name: download script for extend raspberrypi
+- name: Download script for extend raspberrypi
 ansible.builtin.get_url:
 url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/raspberry.sh"
 dest: "/etc/snmp/raspberry.sh"
 mode: '755'
 when: ansible_os_family == "Debian" and ansible_lsb.id == 'Raspbian'
-- name: add api key to pihole script for pihole01
+- name: Add api key to pihole script for pihole01
 ansible.builtin.lineinfile:
 path: "/etc/snmp/pi-hole"
 regexp: '^API_AUTH_KEY='
 line: 'API_AUTH_KEY="{{ pihole01_key }}"'
- backrefs: yes
+ backrefs: true
 when: ansible_hostname == "pihole01"
-- name: add api key to pihole script for pihole02
+- name: Add api key to pihole script for pihole02
 ansible.builtin.lineinfile:
 path: "/etc/snmp/pi-hole"
 regexp: '^API_AUTH_KEY='
 line: 'API_AUTH_KEY="{{ pihole02_key }}"'
- backrefs: yes
+ backrefs: true
 when: ansible_hostname == "pihole02"
-- name: set ExecStart options in service file - ubuntu
+- name: Set ExecStart options in service file - ubuntu
 ansible.builtin.lineinfile:
 path: "/lib/systemd/system/snmpd.service"
 regexp: '^ExecStart='
 line: "ExecStart=/usr/sbin/snmpd -LS4d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f"
- backrefs: yes
+ backrefs: true
 when: ansible_os_family == "Debian"
 notify: reload systemd configs
-- name: set snmpdopts - centos
+- name: Set snmpdopts - centos
 ansible.builtin.lineinfile:
 path: "/etc/sysconfig/snmpd"
 regexp: '^# OPTIONS=|^OPTIONS='
 line: 'OPTIONS="-LS4-6d"'
 when: ansible_distribution_file_variety == "RedHat"
-- name: copy snmpd.conf from template
- register: snmpd_config
+- name: Copy snmpd.conf from template
 ansible.builtin.template:
 src: snmpd.conf.j2
 dest: "/etc/snmp/snmpd.conf"
 owner: root
 group: root
 mode: '0644'
- notify:
+ register: snmpd_config
+ notify:
 - enable and restart snmpd.service
-- name: add host to librenms
- # when: snmpd_config.changed
+- name: Add host to librenms
 block:
 - name: Try adding by hostname
- command:
+ ansible.builtin.command:
 cmd: "/usr/bin/lnms device:add --v2c -c {{ snmp_community }} {{ inventory_hostname }}"
- become: yes
+ become: true
 become_user: librenms
 delegate_to: nms.lyon
 register: lnms_add_by_hostname
+ notify:
+ - Check librenms add by hostname status
 rescue:
 - name: Add by IP when hostname fails
- command:
+ ansible.builtin.command:
 cmd: "/opt/librenms/snmp-scan.py -v -r {{ ansible_default_ipv4.address }}/32"
- become: yes
+ become: true
 become_user: librenms
 delegate_to: nms.lyon
 register: lnms_add_by_ip
+ notify:
+ - Check librenms add by ip status
-- name: check librenms add by hostname status
- when: lnms_add_by_hostname.changed
- ansible.builtin.debug:
- msg: "{{ lnms_add_by_hostname.stdout }}"
-
-- name: check librenms add by ip status
- when: lnms_add_by_ip.changed
- ansible.builtin.debug:
- msg: "{{ lnms_add_by_ip.stdout }}"
-
-- name: copy sudoers from template
+- name: Copy sudoers from template
 ansible.builtin.template:
 src: sudoers.j2
 dest: "/etc/sudoers.d/80-snmp"
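Review bot: Every `ansible.builtin.get_url` task from `Download script for extend distro` through `Download script for extend raspberrypi` fetches a script from the `master` branch of librenms/librenms-agent with no `checksum:` and writes it executable (`mode: '755'`) into `/usr/bin` or `/etc/snmp`, so each run installs whatever that branch serves at that moment. Pin each `url` to a commit or tag and add `checksum: "sha256:<SHA256_PLACEHOLDER>"` so a changed upstream file is rejected rather than deployed. `Try adding by hostname` is an `ansible.builtin.command` with no `changed_when`, so it reports changed on every successful run and the newly added `notify: - Check librenms add by hostname status` fires each time; add a `changed_when` keyed on the lnms output, or reinstate the `when: snmpd_config.changed` guard this hunk deletes. That `cmd` also places `{{ snmp_community }}` on the command line of a process on nms.lyon and in the task result that the rescue path surfaces on failure; `no_log: true` on the task hides it, at the cost of the stdout the new handler prints. `Copy sudoers from template` starts at the end of this hunk and continues in the next.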
@@ -147,25 +146,23 @@
 group: root
 mode: '0440'
-- name: copy rsyslog config from template
+- name: Copy rsyslog config from template
 ansible.builtin.template:
 src: rsyslog.conf.j2
 dest: "/etc/rsyslog.d/librenms.conf"
 owner: root
 group: root
 mode: '0644'
- notify:
+ notify:
 - enable and restart the rsyslog service
 - restart syslog-ng for LibreNMS
-- name: verify the rsyslog service is running
+- name: Verify the rsyslog service is running
 ansible.builtin.systemd:
 state: started
 name: rsyslog
-- name: verify the snmpd service is running
+- name: Verify the snmpd service is running
 ansible.builtin.systemd:
 state: started
 name: snmpd
-
-
diff --git a/roles/tailscale/tasks/main.yml b/roles/tailscale/tasks/main.yml
index 96d2e32..2eaeadb 100644
--- a/roles/tailscale/tasks/main.yml
+++ b/roles/tailscale/tasks/main.yml
@@ -1,35 +1,35 @@
 ---
-- name: check for tailscale install
- command:
+- name: Check for tailscale install
+ ansible.builtin.command:
 cmd: tailscale status
 register: tailscale_status
- ignore_errors: yes
+ ignore_errors: true
-- name: check tailscale_status
+- name: Check tailscale_status
 ansible.builtin.debug:
- msg: "{{ tailscale_status }}"
+ msg: "{{ tailscale_status }}"
 - name: Download Tailscale install script
- get_url:
+ ansible.builtin.get_url:
 url: https://tailscale.com/install.sh
 dest: /tmp/tailscale_install.sh
 mode: '0555'
 when: tailscale_status.failed
 - name: Run Tailscale install script
- command:
+ ansible.builtin.command:
 cmd: /tmp/tailscale_install.sh
 when: tailscale_status.failed
 - name: Prompt to authorize device
- debug:
+ ansible.builtin.debug:
 msg: "Device requires authorization in the TailScale admin panel. Task will wait 60s for you to do so."
- when:
+ when:
 - tailscale_status.failed == false
 - '"not yet authorized" in tailscale_status.stdout'
 - name: Start Tailscale
- command:
+ ansible.builtin.command:
 cmd: /usr/bin/tailscale up --authkey "{{ tailscale_key }}"
 async: 60
 when: tailscale_status.failed
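Review bot: `Copy sudoers from template` — only its `group: root` and `mode: '0440'` fall in this hunk; `src: sudoers.j2` and `dest: "/etc/sudoers.d/80-snmp"` are in the previous one — renders a sudoers drop-in with no `validate:`, so a template mistake goes straight into `/etc/sudoers.d` and sudo will typically refuse every command on the host until the file is repaired by hand. Add `validate: /usr/sbin/visudo -cf %s` to that task so Ansible declines to install a file visudo cannot parse. The rsyslog template task in this hunk would benefit from the same `validate` treatment only if rsyslogd on these hosts offers a config check, which this hunk does not show, so I am not proposing one.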
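Review bot: `Start Tailscale` puts `{{ tailscale_key }}` on the command line of `/usr/bin/tailscale up --authkey "..."`, so the key is recorded in the task result's `cmd`, shown in `-v` output, and visible in the process list while the command runs; add `no_log: true` to that task. `Download Tailscale install script` writes `https://tailscale.com/install.sh` into world-writable `/tmp` with `mode: '0555'` and no `checksum:`, and `Run Tailscale install script` then executes it under the play's `become: true`, so neither the download nor the file sitting in `/tmp` between the two tasks is verified; download to a root-owned directory and pin `checksum: "sha256:<SHA256_PLACEHOLDER>"`, or install from the distribution package repository instead. A smaller style point: `tailscale_status.failed == false` in `Prompt to authorize device` reads better as `not tailscale_status.failed`.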
@@ -38,6 +38,6 @@
 - name: Machine added confirmation
 debug:
 msg: "Device successfully added to TailScale."
- when:
+ when:
 - tailscale_start_status.changed
- - '"Success" in tailscale_start_status.stderr'
\ No newline at end of file
+ - '"Success" in tailscale_start_status.stderr'