

No commits in common. "bc6f76a07d06be5e8b3ba2b4ef057c287297cf42" and "f6d34bb7070525c5d9a08d9b58bed0871481c3f4" have entirely different histories.

25 changed files with 361 additions and 4 deletions

15
playbooks/device_roles_game.yml Executable file

@ -0,0 +1,15 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: device_roles_game
gather_facts: no
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /data
backup_s3backup_exclude_list_extra:
- /data/terraria-fargo/backups
- /data/minecraft/hexxit2-survival/backups
- /data/minecraft/botaniapack2-survival/backups
tags: [ backup ]
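Review bot: `gather_facts: no` spells a boolean with the YAML 1.1 `yes`/`no` form, which yamllint and ansible-lint's `yaml[truthy]` rule (ansible-lint is listed in requirements.txt) report; `gather_facts: false` is the canonical spelling. The same form recurs across the other new files in this compare — `lm_sensors_force_detection: yes` in the r720 playbook, the remaining `gather_facts: no` lines, `snmpd_disks_include_all: yes` in `tags_snmp.yml`, and `become: yes` in the ansible-pull handler and tasks — so one sweep to `true`/`false` keeps the lint output clean rather than fixing them file by file. The backup list and exclude list themselves look consistent with the proxmox playbook's use of the same role.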


@ -0,0 +1,9 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: device_types_r720
roles:
- role: ansible-role-lm-sensors
vars:
lm_sensors_force_detection: yes
tags: [ lm-sensors ]


@ -0,0 +1,8 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: platforms_fedora-kinoite
gather_facts: no
tasks:
- name: debug dummy task
debug: msg=ignoreme


@ -0,0 +1,27 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: platforms_proxmox-ve-7
gather_facts: no
tasks:
# https://tteck.github.io/Proxmox/
- name: disable enterprise nag
ansible.builtin.copy:
content: |
DPkg::Post-Invoke { "dpkg -V proxmox-widget-toolkit | grep -q '/proxmoxlib\.js$'; if [ $? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi"; };
dest: /etc/apt/apt.conf.d/no-nag-script
owner: root
group: root
mode: "0644"
tags: [ nag, common ]
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /data
- /etc/kernel
- /etc/modprobe.d
- /etc/modules
- /etc/pve
backup_time: "Mon *-*-* 02:00:00"
tags: [ backup, common ]
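Review bot: `/etc/pve` is added to `backup_s3backup_list_extra`, and on Proxmox that tree holds the cluster's private key material (as far as I recall the root CA key and the `priv/` directory), so the S3 backup now carries credentials that let anyone with read access to the bucket impersonate the cluster; confirm the backup role encrypts client-side or the bucket policy is limited to this node's backup principal, and consider `backup_s3backup_exclude_list_extra` for `priv/` if it is not needed for restore. The apt hook written to `/etc/apt/apt.conf.d/no-nag-script` patches a vendor file under `/usr/share` after every dpkg run and skips only while `dpkg -V proxmox-widget-toolkit` already reports `proxmoxlib.js`, so that file will permanently show as modified in package verification. A comment above the task stops the next person from chasing that as tampering: `# Intentionally modifies proxmoxlib.js after each dpkg run; dpkg -V will flag it as changed`.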


@ -0,0 +1,13 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: platforms_ubuntu-20-04
gather_facts: no
roles:
- role: motd
vars:
motd_watch_services_extra:
- docker
- kubelet
- postgresql
tags: [ motd, common ]
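Review bot: This play is repeated verbatim in the 21.10 and 22.04 playbooks that follow (same role, same `motd_watch_services_extra`, same tags), so the three files will drift apart the first time one of them is edited. Ansible lets one play target several groups, e.g. `- hosts: platforms_ubuntu-20-04:platforms_ubuntu-21-10:platforms_ubuntu-22-04`, or the extra services could live in a `group_vars` file shared by the three platform groups; either leaves a single place to change. If the split is deliberate because the platform lists are expected to diverge, a one-line comment in each file saying so would stop the next reviewer from merging them.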


@ -0,0 +1,13 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: platforms_ubuntu-21-10
gather_facts: no
roles:
- role: motd
vars:
motd_watch_services_extra:
- docker
- kubelet
- postgresql
tags: [ motd, common ]


@ -0,0 +1,13 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: platforms_ubuntu-22-04
gather_facts: no
roles:
- role: motd
vars:
motd_watch_services_extra:
- docker
- kubelet
- postgresql
tags: [ motd, common ]


@ -196,6 +196,13 @@
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit pvestatd.service
hostgroup: role-hypervisor
# Tag-specific checks
# ansible-pull
- name: Unit ansible-pull.service
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.service
hostgroup: tag-ansible-pull
- name: Unit ansible-pull.timer
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.timer
hostgroup: tag-ansible-pull
# docker
- name: Unit docker.service
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit docker.service


@ -3,3 +3,4 @@
---
# Supplementary tags
- import_playbook: tags_ansible.yml
- import_playbook: tags_ansible-pull.yml


@ -4,6 +4,12 @@
# Preambulatory system configuration
# It's implicit that configuration here MUST preceed site_main.yml
- import_playbook: all.yml
# Platform configuration
- import_playbook: platforms_ubuntu-20-04.yml
- import_playbook: platforms_ubuntu-21-10.yml
- import_playbook: platforms_ubuntu-22-04.yml
- import_playbook: platforms_fedora-kinoite.yml
- import_playbook: platforms_proxmox-ve-7.yml
# Manufacturer configuration
- import_playbook: manufacturers_raspi.yml
- import_playbook: manufacturers_s76.yml
@ -11,9 +17,9 @@
- import_playbook: tags_zt-personal.yml
- import_playbook: tags_zt-management.yml
# Tags for fundamental services
- import_playbook: tags_snmp.yml
- import_playbook: tags_nagios.yml
# Role (in the Netbox sense) configuration
- import_playbook: device_roles_bastion.yml
- import_playbook: device_roles_game.yml
- import_playbook: device_roles_workstation.yml
# Device type, which can include hw-specific stuff like sensors configuration
- import_playbook: device_types_pi4b.yml

27
playbooks/tags_ansible-pull.yml Executable file

@ -0,0 +1,27 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: tags_ansible-pull
gather_facts: no
roles:
- role: ansible-pull
vars:
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
ansible_pull_commit: master
tags: [ ansible ]
- role: git
vars:
git_repos:
- repo: "{{ ansible_pull_repo }}"
dest: /etc/ansible
tags: [ ansible ]
- hosts: all
gather_facts: no
tasks:
- name: disable ansible-pull when not tagged
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
with_items:
- ansible-pull.timer
- ansible-pull.service
when: "'tags_ansible-pull' not in group_names and item in services"
tags: [ ansible ]
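Review bot: The `when` on the disable task evaluates `item in services` on every host outside `tags_ansible-pull`, but this play has `gather_facts: no` and nothing visible sets `services`; unless an earlier imported playbook runs `ansible.builtin.service_facts` (I cannot see one here), the task fails with an undefined variable on those hosts instead of being skipped. Guarding it as `when: "'tags_ansible-pull' not in group_names and services is defined and item in services"`, or reading `ansible_facts.services` after an explicit `service_facts` task in this play, makes the intent robust. Note also that, as far as I know, `service_facts` reports only `.service` units, so `ansible-pull.timer` would never match and would never be stopped — the timer is the unit that actually schedules pulls. The same construct is used for the snmpd disable task in `tags_snmp.yml`.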

31
playbooks/tags_snmp.yml Executable file

@ -0,0 +1,31 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: tags_snmp
gather_facts: no
roles:
- role: oefenweb.snmpd
vars:
snmpd_internal_user:
username: "{{ secret_snmp_internal_username }}"
password: "{{ secret_snmp_internal_password }}"
auth_protocol: SHA
snmpd_users:
- username: "{{ secret_snmp_rouser_username }}"
password: "{{ secret_snmp_rouser_password }}"
type: rouser
auth_protocol: SHA
privacy_passphrase: "{{ secret_snmp_rouser_privacy_passphrase }}"
privacy_protocol: AES
snmpd_disks_include_all: yes
snmpd_disks_include_all_threshold_minpercent: "10%"
tags: [ snmp ]
- hosts: all
gather_facts: no
tasks:
- name: disable snmpd when not tagged
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
with_items:
- snmpd.service
when: "'tags_snmp' not in group_names and item in services"
tags: [ zerotier ]
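Review bot: The disable task at the end of the file is tagged `[ zerotier ]`, which looks like a copy-paste from another tagged-service playbook: a run with `--tags snmp` configures snmpd on tagged hosts but never stops it on hosts that lost the tag, and a `--tags zerotier` run unexpectedly touches snmpd. The tag should be `tags: [ snmp ]` to match the role play above it. The SNMPv3 settings themselves (SHA/AES, credentials taken from vault variables rather than literals) look right; the only other nit is `snmpd_disks_include_all: yes`, which ansible-lint's `yaml[truthy]` rule will report.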


@ -1,7 +1,5 @@
ansible
ansible-lint
botocore
boto3
dnspython
pynetbox
pytz


@ -15,6 +15,9 @@ roles:
# Upstream: https://github.com/geerlingguy/ansible-role-postgresql
- src: geerlingguy.postgresql
version: 3.5.0
# Upstream: https://github.com/Oefenweb/ansible-snmpd
- src: oefenweb.snmpd
version: master
# Upstream: https://github.com/willshersystems/ansible-sshd
- src: willshersystems.sshd
version: v0.23.0
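Review bot: `oefenweb.snmpd` is pinned to `version: master` while its neighbours pin a release (`geerlingguy.postgresql` 3.5.0, `willshersystems.sshd` v0.23.0), so every `ansible-galaxy install` takes whatever the upstream branch currently holds, and that role writes SNMPv3 users and passwords on every `tags_snmp` host. Pin a tag or commit from the upstream repository (`version: <release tag>` — placeholder) so an upstream change or compromise cannot land unreviewed. The same concern applies to `ansible_pull_commit: master` in the ansible-pull role defaults, where the pulled content runs with elevated privileges on every host.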


@ -0,0 +1,3 @@
# ansible-pull
This role configures and enables a period `ansible-pull` task through systemd, allowing for machines to ensure proper configuration periodically and of their own volition.


@ -0,0 +1,6 @@
# vim:ft=ansible:
ansible_pull_boot_delay: 15min
ansible_pull_commit: master
ansible_pull_time: "*-*-* 01:00:00"
ansible_pull_playbook: pull.yml
ansible_pull_skip_tags: "skip-pull"


@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
31383561303637303735386663306631333063623336643030643634333262336664363461613239
6230623439393465656161663432393732633662383833640a373433343236353835363130653937
31346233663237383666306536633962613534623735366531666561656335393964316230633161
3930636537313364380a376432363431346636363565383734613638316161643036623636656532
66333038393738663464343534633766643734393165626538633962376161376262


@ -0,0 +1,5 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
- name: restart ansiblepull timer
ansible.builtin.systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
become: yes
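Review bot: The handler is named `restart ansiblepull timer` but asks for `state=started`, which is a no-op when the timer is already active, so a changed `OnCalendar`/`OnBootSec` is reloaded but the running timer may keep its old schedule until the next boot; `state=restarted` matches both the name and the intent. The `enable timer` task at the end of `tasks/main.yml` repeats the same `daemon_reload=yes ... state=started` call unconditionally, so between the two the handler currently adds nothing. The file also lacks the `---` document start that the playbooks in this compare use.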


@ -0,0 +1,5 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
dependencies:
- role: ansible


@ -0,0 +1,15 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
- name: assure vault password file
ansible.builtin.copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"
become: yes
become_user: ansible
- name: install ansible
ansible.builtin.pip: name=ansible<5,ansible-lint state=latest
- name: configure systemd service
ansible.builtin.template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service mode=0644
- name: configure systemd timer
ansible.builtin.template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer mode=0644
notify: restart ansiblepull timer
- name: enable timer
ansible.builtin.systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
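Review bot: `assure vault password file` places the repository's vault password (`src=vaultpass`, apparently the vault-encrypted blob added in this compare, which the copy module decrypts on the controller) on every pulled host as `~ansible/ansiblevaultpass`, so a single compromised host exposes every secret the vault protects, including the SNMP credentials referenced in `tags_snmp.yml`. A dedicated vault id for the pull playbook whose password unlocks only what pull hosts need, or per-host secrets, limits the blast radius; at minimum a comment above the task should state that this is deliberate and what it exposes, e.g. `# NOTE: every pull host holds the full vault password; scope pull secrets to their own vault id`. `install ansible` runs `pip ... state=latest` with `ansible<5,ansible-lint` on every pull, which fetches unpinned code from PyPI each run and makes the run non-idempotent; pin exact versions (`name=ansible==<version>,ansible-lint==<version>` — placeholders) and drop `state=latest`. Whether ansible-lint is needed on a pull host at all is worth asking, since the service only ever runs `ansible-pull`.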


@ -0,0 +1,19 @@
# vim:ft=dosini:
[Unit]
Description=Ansible pull service
StartLimitIntervalSec=3600
StartLimitBurst=5
After=network-online.target
Wants=network-online.target
[Service]
User=ansible
Group=ansible
Type=oneshot
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
ExecStart=ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -C "{{ ansible_pull_commit }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}" --skip-tags "{{ ansible_pull_skip_tags }}"
Restart=on-failure
RestartSec=90
[Install]
WantedBy=multi-user.target
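Review bot: `ExecStart` checks out a mutable branch (`-C "{{ ansible_pull_commit }}"`, `master` by default) with no integrity check beyond transport TLS, and the tasks in the pulled repo use `become`, so anyone who can push to that branch gets root on every pull host. ansible-pull supports `--verify-commit`, which refuses to run unless the checked-out commit carries a valid GPG signature from a key in the `ansible` user's keyring; adding it and signing commits on that branch is the cheapest control, with pinning `ansible_pull_commit` to a tag as the fallback. `--accept-host-key` is a no-op for the HTTPS URL set in `tags_ansible-pull.yml` but becomes trust-on-first-use the moment someone switches to an SSH remote; pre-seeding `known_hosts` and dropping the flag is safer. The `~` in `Environment=ANSIBLE_CONFIG=...`, `-d` and `--vault-password-file` is not expanded by systemd — it relies on ansible-pull expanding it from `$HOME`, which systemd should set for `User=ansible`; a comment saying so, or absolute paths, would avoid a surprise when the unit is run differently.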


@ -0,0 +1,11 @@
# vim:ft=dosini:
[Unit]
Description=Ansible pull timer
[Timer]
Persistent=true
OnBootSec={{ ansible_pull_boot_delay }}
OnCalendar={{ ansible_pull_time }}
[Install]
WantedBy=timers.target
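Review bot: Every host fires at exactly `OnCalendar={{ ansible_pull_time }}` (the role default is `*-*-* 01:00:00`), so the whole fleet clones from the git server in the same second, and with `Persistent=true` plus `OnBootSec` hosts returning after an outage all pile on at once. A `RandomizedDelaySec=` entry in `[Timer]` (e.g. `RandomizedDelaySec=10min` — value to taste, ideally templated like the other two settings) spreads the load without changing the schedule. Without `AccuracySec=` systemd's default one-minute coalescing applies, which is fine but worth knowing when comparing pull timestamps across hosts.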


@ -0,0 +1,30 @@
# vim:ft=ansible:
# Default motd files to remove from /etc/update-motd.d
motd_remove:
- 00-header
- 10-help-text
- 50-landscape-sysinfo
- 50-motd-news
- 85-fwupd
- 88-esm-announce
- 90-updates-available
- 91-contract-ua-esm-status
- 91-release-upgrade
- 92-unattended-upgrades
- 95-hwe-eol
- 97-overlayroot
- 98-fsck-at-reboot
- 98-reboot-required
motd_remove_extra: []
# Services to monitor with our script
# Units that can't be found will be skipped
motd_watch_services:
- ansible-pull
- backup
motd_watch_services_extra: []
# Docker images to look for. Matches a simple glob (*{{ item }}*)
# If Docker is not running, this section will be omitted
motd_watch_containers: []
motd_watch_containers_extra: []
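Review bot: The comment above `motd_watch_containers` promises a simple glob (`*{{ item }}*`), but the template that consumes the list (`motd.sh` in this compare) runs `grep -ie "$container"` against `docker ps` output, i.e. a case-insensitive basic regular expression — an entry such as `db.` or `app+` behaves differently from what the comment says. Either correct the comment to `# Docker images to look for. Matched case-insensitively as a grep regex against the image column of docker ps` or switch the script to a fixed-string match (`grep -iF`), and keep the two in step.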

11
roles/motd/tasks/main.yml Normal file

@ -0,0 +1,11 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
- name: remove default motd items
ansible.builtin.file: state=absent path=/etc/update-motd.d/{{ item }}
loop: "{{ motd_remove + motd_remove_extra }}"
- name: disable motd-news
ansible.builtin.systemd: name="{{ item }}" state=stopped enabled=no
with_items:
- motd-news.timer
- name: template out motd script
ansible.builtin.template: src=motd.sh dest=/etc/update-motd.d/50-ansible mode=0755
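Review bot: The file mixes `loop:` (remove default motd items) with `with_items:` (disable motd-news) in three tasks, and the `with_items` wraps a single element; `ansible.builtin.systemd: name=motd-news.timer state=stopped enabled=no` with no loop reads more directly, or keep the list and use `loop:` for consistency. All module arguments use the key=value shorthand, which newer ansible-lint versions report as `no-free-form`; the proxmox playbook in this compare already uses block form, so this role is the odd one out. Since `motd_remove` is Ubuntu's `/etc/update-motd.d` list and the role is only imported from the Ubuntu platform playbooks, a `# Ubuntu-specific: assumes /etc/update-motd.d and motd-news.timer exist` comment at the top of the file would make that assumption visible before someone reuses the role elsewhere.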

75
roles/motd/templates/motd.sh Executable file

@ -0,0 +1,75 @@
#! /bin/bash
# motd.sh
# A basic motd script with some nice information. Designed to be extensible
# and easily configurable per-host
# NOTE: We do not set -e here because we don't want MOTD generation to fail
# in the event that just this script fails
# Services that we want a quick heads-up on their status
declare -a services
{% for item in (motd_watch_services + motd_watch_services_extra)|sort %}
services+=("{{ item }}")
{% endfor %}
declare -a containers
{% for item in (motd_watch_containers + motd_watch_containers_extra)|sort %}
containers+=("{{ item }}")
{% endfor %}
## Now, we actually put this info to use
# Starting with services
if [ -n "${services[*]}" ]; then
printf "\e[1mService Statuses\e[0m\n"
len=20
for service in "${services[@]}"; do
status="\e[33mUnknown\e[0m"
systemctl status "$service" > /dev/null 2>&1
case $? in
0)
status="\e[1;32mRunning\e[0m"
;;
1|2)
status="\e[1;31mDead\e[0m"
;;
3)
status="\e[37mNot Running\e[0m"
;;
4)
continue
;;
esac
printf " * \e[37m%-${len}.${len}s\e[0m - $status " "$service"
if systemctl is-failed --quiet "$service"; then
printf "\e[1;31m(FAILED!)\e[0m "
fi
printf "\n"
done
fi
# Containers, if docker is running
if [ -n "${containers[*]}" ] && systemctl -q is-active docker; then
printf "\e[1mContainer Statuses\e[0m\n"
len=20
for container in "${containers[@]}"; do
status="\e[33mUnknown\e[0m"
image="$(docker ps | tail -n +2 | awk '{print $2}' | grep -ie "$container")"
if [ -n "$image" ]; then
status="\e[1;32mRunning\e[0m - $image"
fi
if [ -z "$image" ]; then
status="\e[1;31mNot Running\e[0m"
fi
printf " * \e[37m%-${len}.${len}s\e[0m - $status " "$container"
printf "\n"
done
fi
## And some generic system status stuff
printf "\e[1mSystem Status\e[0m\n"
if [ -f /var/run/reboot-required ]; then
printf " * \e[1;33mReboot required\e[0m\n"
else
printf "\e[37m - No outstanding reboots\e[0m\n"
fi