skoobasteeve/ansible-server-setup
1
0
Fork 0
mirror of https://github.com/skoobasteeve/ansible-server-setup.git synced 2026-03-20 03:18:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

linting

Browse Source
This commit is contained in:
Ray Lyon
2023-07-07 12:15:10 -04:00
parent c4804673ab
commit 9ed822eaec
6 changed files with 108 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
playbook-server-setup.yml
View File

@@ -2,9 +2,9 @@
- name: Configure servers for use on my home network - name: Configure servers for use on my home network
hosts: all hosts: all
remote_user: "{{ remote_user }}" remote_user: "{{ remote_user }}"
become: yes become: true
roles: roles:
- common - common
- librenms-client - librenms-client
- tailscale - tailscale

8
roles/common/handlers/main.yml
View File

@@ -1,10 +1,10 @@
--- ---
- name: restart ssh service - Debian - name: Restart ssh service - Debian
ansible.builtin.systemd: ansible.builtin.systemd:
state: restarted state: restarted
name: ssh name: ssh
- name: restart ssh service - RedHat - name: Restart ssh service - RedHat
ansible.builtin.systemd: ansible.builtin.systemd:
state: restarted state: restarted
name: sshd name: sshd

48
roles/common/tasks/main.yml
View File

@@ -1,61 +1,65 @@
--- ---
- name: get package facts - name: Get package facts
ansible.builtin.package_facts: ansible.builtin.package_facts:
- name: get service facts - name: Get service facts
service_facts: ansible.builtin.service_facts:
- name: add default ssh keys - name: Add default ssh keys
authorized_key: ansible.posix.authorized_key:
key: "{{ lookup('file', '{{ ssh_keyfile }}') }}" key: "{{ lookup('file', '{{ ssh_keyfile }}') }}"
user: "{{ remote_user }}" user: "{{ remote_user }}"
state: present state: present
exclusive: True exclusive: true
when: "'mothershipbu.lyon' not in inventory_hostname" when: "'mothershipbu.lyon' not in inventory_hostname"
- name: add default ssh keys - mothershipbu - name: Add default ssh keys - mothershipbu
authorized_key: ansible.posix.authorized_key:
key: "{{ lookup('file', 'keys-mothershipbu') }}" key: "{{ lookup('file', 'keys-mothershipbu') }}"
user: "{{ remote_user }}" user: "{{ remote_user }}"
state: present state: present
exclusive: True exclusive: true
when: "'mothershipbu.lyon' in inventory_hostname" when: "'mothershipbu.lyon' in inventory_hostname"
- name: disable password ssh auth - name: Disable password ssh auth
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/ssh/sshd_config" path: "/etc/ssh/sshd_config"
regexp: '^PasswordAuthentication' regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no' line: 'PasswordAuthentication no'
backrefs: yes backrefs: true
notify: restart ssh service - {{ ansible_distribution_file_variety }} notify: restart ssh service - {{ ansible_distribution_file_variety }}
- name: automatic security updates - debian - name: Automatic security updates - debian
package: name=unattended-upgrades state=latest ansible.builtin.package:
name: unattended-upgrades
state: present
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
- name: automatic security updates - redhat - name: Automatic security updates - redhat
package: name=dnf-automatic state=latest ansible.builtin.package:
name: dnf-automatic
state: present
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: configure automatic security updates step 01 - redhat - name: Configure automatic security updates step 01 - redhat
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/dnf/automatic.conf" path: "/etc/dnf/automatic.conf"
regexp: '^upgrade_type =' regexp: '^upgrade_type ='
line: 'upgrade_type = security' line: 'upgrade_type = security'
backrefs: yes backrefs: true
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: configure automatic security updates step 02 - redhat - name: Configure automatic security updates step 02 - redhat
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/dnf/automatic.conf" path: "/etc/dnf/automatic.conf"
regexp: '^apply_updates =' regexp: '^apply_updates ='
line: 'apply_updates = yes' line: 'apply_updates = yes'
backrefs: yes backrefs: true
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: enable and start dnf-automatic.timer - redhat - name: Enable and start dnf-automatic.timer - redhat
ansible.builtin.systemd: ansible.builtin.systemd:
state: started state: started
enabled: yes enabled: true
name: dnf-automatic.timer name: dnf-automatic.timer
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"

28
roles/librenms-client/handlers/main.yml
View File

@@ -1,23 +1,33 @@
--- ---
- name: reload systemd configs - name: Reload systemd configs
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: yes daemon_reload: true
- name: enable and restart snmpd.service - name: Enable and restart snmpd.service
ansible.builtin.systemd: ansible.builtin.systemd:
state: restarted state: restarted
enabled: yes enabled: true
name: snmpd name: snmpd
listen: enable and restart snmpd.service listen: enable and restart snmpd.service
- name: enable and restart the rsyslog service - name: Enable and restart the rsyslog service
ansible.builtin.systemd: ansible.builtin.systemd:
state: restarted state: restarted
enabled: yes enabled: true
name: rsyslog name: rsyslog
- name: restart syslog-ng for LibreNMS - name: Restart syslog-ng for LibreNMS
ansible.builtin.systemd: ansible.builtin.systemd:
state: restarted state: restarted
name: syslog-ng name: syslog-ng
delegate_to: nms.lyon delegate_to: nms.lyon
- name: Check librenms add by hostname status
when: lnms_add_by_hostname.changed
ansible.builtin.debug:
msg: "{{ lnms_add_by_hostname.stdout }}"
- name: Check librenms add by ip status
when: lnms_add_by_ip.changed
ansible.builtin.debug:
msg: "{{ lnms_add_by_ip.stdout }}"

93
roles/librenms-client/tasks/main.yml
View File

@@ -1,145 +1,144 @@
--- ---
- name: check for pihole - name: Check for pihole
ansible.builtin.stat: ansible.builtin.stat:
path: "/usr/local/bin/pihole" path: "/usr/local/bin/pihole"
register: pihole register: pihole
- name: install latest snmpd - debian - name: Install latest snmpd - debian
package: name=snmpd state=latest ansible.builtin.package:
name: snmpd
state: present
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: install latest snmpd - centos - name: Install latest snmpd - centos
package: name=net-snmp state=latest ansible.builtin.package:
name: net-snmp
state: present
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: install latest jq - name: Install latest jq
package: name=jq state=latest ansible.builtin.package:
name: jq
state: present
- name: fix extend serial permissions - name: Fix extend serial permissions
ansible.builtin.file: ansible.builtin.file:
path: "/sys/devices/virtual/dmi/id/product_serial" path: "/sys/devices/virtual/dmi/id/product_serial"
mode: '444' mode: '444'
when: ansible_architecture == "x86_64" and ansible_virtualization_role != "guest" when: ansible_architecture == "x86_64" and ansible_virtualization_role != "guest"
- name: cron job for extend serial permissions - name: Cron job for extend serial permissions
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/crontab path: /etc/crontab
line: "@reboot chmod 444 /sys/devices/virtual/dmi/id/product_serial" line: "@reboot chmod 444 /sys/devices/virtual/dmi/id/product_serial"
when: ansible_architecture == "x86_64" when: ansible_architecture == "x86_64"
- name: download script for extend distro - name: Download script for extend distro
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro" url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro"
dest: "/usr/bin/distro" dest: "/usr/bin/distro"
mode: '755' mode: '755'
- name: download script for extend osupdates - name: Download script for extend osupdates
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/osupdate" url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/osupdate"
dest: "/etc/snmp/osupdate" dest: "/etc/snmp/osupdate"
mode: '755' mode: '755'
- name: download script for extend zfs - name: Download script for extend zfs
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://github.com/librenms/librenms-agent/raw/master/snmp/zfs-linux" url: "https://github.com/librenms/librenms-agent/raw/master/snmp/zfs-linux"
dest: "/etc/snmp/zfs-linux" dest: "/etc/snmp/zfs-linux"
mode: '755' mode: '755'
when: "'zfs-zed' in ansible_facts.packages" when: "'zfs-zed' in ansible_facts.packages"
- name: download script for extend docker - name: Download script for extend docker
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://github.com/librenms/librenms-agent/raw/master/snmp/docker-stats.sh" url: "https://github.com/librenms/librenms-agent/raw/master/snmp/docker-stats.sh"
dest: "/etc/snmp/docker-stats.sh" dest: "/etc/snmp/docker-stats.sh"
mode: '755' mode: '755'
when: "'docker' in services" when: "'docker' in services"
- name: download script for extend pihole - name: Download script for extend pihole
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://github.com/librenms/librenms-agent/raw/master/snmp/pi-hole" url: "https://github.com/librenms/librenms-agent/raw/master/snmp/pi-hole"
dest: "/etc/snmp/pi-hole" dest: "/etc/snmp/pi-hole"
mode: '755' mode: '755'
when: pihole.stat.exists when: pihole.stat.exists
- name: download script for extend raspberrypi - name: Download script for extend raspberrypi
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/raspberry.sh" url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/raspberry.sh"
dest: "/etc/snmp/raspberry.sh" dest: "/etc/snmp/raspberry.sh"
mode: '755' mode: '755'
when: ansible_os_family == "Debian" and ansible_lsb.id == 'Raspbian' when: ansible_os_family == "Debian" and ansible_lsb.id == 'Raspbian'
- name: add api key to pihole script for pihole01 - name: Add api key to pihole script for pihole01
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/snmp/pi-hole" path: "/etc/snmp/pi-hole"
regexp: '^API_AUTH_KEY=' regexp: '^API_AUTH_KEY='
line: 'API_AUTH_KEY="{{ pihole01_key }}"' line: 'API_AUTH_KEY="{{ pihole01_key }}"'
backrefs: yes backrefs: true
when: ansible_hostname == "pihole01" when: ansible_hostname == "pihole01"
- name: add api key to pihole script for pihole02 - name: Add api key to pihole script for pihole02
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/snmp/pi-hole" path: "/etc/snmp/pi-hole"
regexp: '^API_AUTH_KEY=' regexp: '^API_AUTH_KEY='
line: 'API_AUTH_KEY="{{ pihole02_key }}"' line: 'API_AUTH_KEY="{{ pihole02_key }}"'
backrefs: yes backrefs: true
when: ansible_hostname == "pihole02" when: ansible_hostname == "pihole02"
- name: set ExecStart options in service file - ubuntu - name: Set ExecStart options in service file - ubuntu
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/lib/systemd/system/snmpd.service" path: "/lib/systemd/system/snmpd.service"
regexp: '^ExecStart=' regexp: '^ExecStart='
line: "ExecStart=/usr/sbin/snmpd -LS4d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f" line: "ExecStart=/usr/sbin/snmpd -LS4d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f"
backrefs: yes backrefs: true
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
notify: reload systemd configs notify: reload systemd configs
- name: set snmpdopts - centos - name: Set snmpdopts - centos
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/sysconfig/snmpd" path: "/etc/sysconfig/snmpd"
regexp: '^# OPTIONS=|^OPTIONS=' regexp: '^# OPTIONS=|^OPTIONS='
line: 'OPTIONS="-LS4-6d"' line: 'OPTIONS="-LS4-6d"'
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: copy snmpd.conf from template - name: Copy snmpd.conf from template
register: snmpd_config
ansible.builtin.template: ansible.builtin.template:
src: snmpd.conf.j2 src: snmpd.conf.j2
dest: "/etc/snmp/snmpd.conf" dest: "/etc/snmp/snmpd.conf"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: register: snmpd_config
notify:
- enable and restart snmpd.service - enable and restart snmpd.service
- name: add host to librenms - name: Add host to librenms
# when: snmpd_config.changed
block: block:
- name: Try adding by hostname - name: Try adding by hostname
command: ansible.builtin.command:
cmd: "/usr/bin/lnms device:add --v2c -c {{ snmp_community }} {{ inventory_hostname }}" cmd: "/usr/bin/lnms device:add --v2c -c {{ snmp_community }} {{ inventory_hostname }}"
become: yes become: true
become_user: librenms become_user: librenms
delegate_to: nms.lyon delegate_to: nms.lyon
register: lnms_add_by_hostname register: lnms_add_by_hostname
notify:
- Check librenms add by hostname status
rescue: rescue:
- name: Add by IP when hostname fails - name: Add by IP when hostname fails
command: ansible.builtin.command:
cmd: "/opt/librenms/snmp-scan.py -v -r {{ ansible_default_ipv4.address }}/32" cmd: "/opt/librenms/snmp-scan.py -v -r {{ ansible_default_ipv4.address }}/32"
become: yes become: true
become_user: librenms become_user: librenms
delegate_to: nms.lyon delegate_to: nms.lyon
register: lnms_add_by_ip register: lnms_add_by_ip
notify:
- Check librenms add by ip status
- name: check librenms add by hostname status - name: Copy sudoers from template
when: lnms_add_by_hostname.changed
ansible.builtin.debug:
msg: "{{ lnms_add_by_hostname.stdout }}"
- name: check librenms add by ip status
when: lnms_add_by_ip.changed
ansible.builtin.debug:
msg: "{{ lnms_add_by_ip.stdout }}"
- name: copy sudoers from template
ansible.builtin.template: ansible.builtin.template:
src: sudoers.j2 src: sudoers.j2
dest: "/etc/sudoers.d/80-snmp" dest: "/etc/sudoers.d/80-snmp"
@@ -147,25 +146,23 @@
group: root group: root
mode: '0440' mode: '0440'
- name: copy rsyslog config from template - name: Copy rsyslog config from template
ansible.builtin.template: ansible.builtin.template:
src: rsyslog.conf.j2 src: rsyslog.conf.j2
dest: "/etc/rsyslog.d/librenms.conf" dest: "/etc/rsyslog.d/librenms.conf"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: notify:
- enable and restart the rsyslog service - enable and restart the rsyslog service
- restart syslog-ng for LibreNMS - restart syslog-ng for LibreNMS
- name: verify the rsyslog service is running - name: Verify the rsyslog service is running
ansible.builtin.systemd: ansible.builtin.systemd:
state: started state: started
name: rsyslog name: rsyslog
- name: verify the snmpd service is running - name: Verify the snmpd service is running
ansible.builtin.systemd: ansible.builtin.systemd:
state: started state: started
name: snmpd name: snmpd

24
roles/tailscale/tasks/main.yml
View File

@@ -1,35 +1,35 @@
--- ---
- name: check for tailscale install - name: Check for tailscale install
command: ansible.builtin.command:
cmd: tailscale status cmd: tailscale status
register: tailscale_status register: tailscale_status
ignore_errors: yes ignore_errors: true
- name: check tailscale_status - name: Check tailscale_status
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ tailscale_status }}" msg: "{{ tailscale_status }}"
- name: Download Tailscale install script - name: Download Tailscale install script
get_url: ansible.builtin.get_url:
url: https://tailscale.com/install.sh url: https://tailscale.com/install.sh
dest: /tmp/tailscale_install.sh dest: /tmp/tailscale_install.sh
mode: '0555' mode: '0555'
when: tailscale_status.failed when: tailscale_status.failed
- name: Run Tailscale install script - name: Run Tailscale install script
command: ansible.builtin.command:
cmd: /tmp/tailscale_install.sh cmd: /tmp/tailscale_install.sh
when: tailscale_status.failed when: tailscale_status.failed
- name: Prompt to authorize device - name: Prompt to authorize device
debug: ansible.builtin.debug:
msg: "Device requires authorization in the TailScale admin panel. Task will wait 60s for you to do so." msg: "Device requires authorization in the TailScale admin panel. Task will wait 60s for you to do so."
when: when:
- tailscale_status.failed == false - tailscale_status.failed == false
- '"not yet authorized" in tailscale_status.stdout' - '"not yet authorized" in tailscale_status.stdout'
- name: Start Tailscale - name: Start Tailscale
command: ansible.builtin.command:
cmd: /usr/bin/tailscale up --authkey "{{ tailscale_key }}" cmd: /usr/bin/tailscale up --authkey "{{ tailscale_key }}"
async: 60 async: 60
when: tailscale_status.failed when: tailscale_status.failed
@@ -38,6 +38,6 @@
- name: Machine added confirmation - name: Machine added confirmation
debug: debug:
msg: "Device successfully added to TailScale." msg: "Device successfully added to TailScale."
when: when:
- tailscale_start_status.changed - tailscale_start_status.changed
- '"Success" in tailscale_start_status.stderr' - '"Success" in tailscale_start_status.stderr'