No commits in common. "bc6f76a07d06be5e8b3ba2b4ef057c287297cf42" and "f6d34bb7070525c5d9a08d9b58bed0871481c3f4" have entirely different histories.
bc6f76a07d
...
f6d34bb707
15
playbooks/device_roles_game.yml
Executable file
15
playbooks/device_roles_game.yml
Executable file
@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: device_roles_game
|
||||
gather_facts: no
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_list_extra:
|
||||
- /data
|
||||
backup_s3backup_exclude_list_extra:
|
||||
- /data/terraria-fargo/backups
|
||||
- /data/minecraft/hexxit2-survival/backups
|
||||
- /data/minecraft/botaniapack2-survival/backups
|
||||
tags: [ backup ]
|
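Review bot: The `backup_s3backup_exclude_list_extra` list names three game-specific `backups` directories by hand, so the next server added under `/data` will have its own local snapshot directory uploaded along with its live data until someone remembers to extend the list. Whether the backup role accepts patterns cannot be seen from this play; if it does not, a comment documenting the convention keeps the list maintainable, e.g. `# each game server keeps local snapshots in <dir>/backups; list every one here so they are not re-uploaded`.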
9
playbooks/device_types_r720.yml
Executable file
9
playbooks/device_types_r720.yml
Executable file
@ -0,0 +1,9 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: device_types_r720
|
||||
roles:
|
||||
- role: ansible-role-lm-sensors
|
||||
vars:
|
||||
lm_sensors_force_detection: yes
|
||||
tags: [ lm-sensors ]
|
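Review bot: This is the only play in the set that leaves fact gathering enabled, and `lm_sensors_force_detection: yes` presumably makes the role run `sensors-detect` non-interactively with every probe accepted, which sensors-detect itself warns can misbehave on some hardware. If the role needs facts, say so with `# facts required by ansible-role-lm-sensors`; otherwise add `gather_facts: no` for consistency with the sibling plays. A one-line comment on why forced bus probing is considered safe on R720s would also help the next reader.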
8
playbooks/platforms_fedora-kinoite.yml
Executable file
8
playbooks/platforms_fedora-kinoite.yml
Executable file
@ -0,0 +1,8 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: platforms_fedora-kinoite
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: debug dummy task
|
||||
debug: msg=ignoreme
|
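Review bot: The `debug dummy task` is presumably there only so the play is not empty, but nothing says so, and a reader will wonder whether Kinoite hosts are intentionally unconfigured. Replace the bare task with a comment such as `# placeholder: no Kinoite-specific configuration yet; keep the play so site.yml's import stays valid`, or drop the play and its import if an empty group is acceptable. The task is untagged, so a tagged run such as `--tags backup` skips it anyway.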
27
playbooks/platforms_proxmox-ve-7.yml
Executable file
27
playbooks/platforms_proxmox-ve-7.yml
Executable file
@ -0,0 +1,27 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: platforms_proxmox-ve-7
|
||||
gather_facts: no
|
||||
tasks:
|
||||
# https://tteck.github.io/Proxmox/
|
||||
- name: disable enterprise nag
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
DPkg::Post-Invoke { "dpkg -V proxmox-widget-toolkit | grep -q '/proxmoxlib\.js$'; if [ $? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi"; };
|
||||
dest: /etc/apt/apt.conf.d/no-nag-script
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
tags: [ nag, common ]
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_list_extra:
|
||||
- /data
|
||||
- /etc/kernel
|
||||
- /etc/modprobe.d
|
||||
- /etc/modules
|
||||
- /etc/pve
|
||||
backup_time: "Mon *-*-* 02:00:00"
|
||||
tags: [ backup, common ]
|
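Review bot: `/etc/pve` in `backup_s3backup_list_extra` includes `/etc/pve/priv`, which on a stock Proxmox node holds the cluster's private material (node and CA keys, `shadow.cfg`, `authkey.key`), so this ships those secrets to S3; unless the backup role encrypts client-side, add `/etc/pve/priv` to `backup_s3backup_exclude_list_extra` or document why the exposure is acceptable. The `no-nag-script` hook rewrites a package-owned file, `proxmoxlib.js`, as root after every `dpkg` run, so `dpkg -V proxmox-widget-toolkit` will report that package as modified from now on and can no longer serve as an integrity check for it; a comment such as `# NOTE: patches a dpkg-owned file; dpkg -V will flag proxmox-widget-toolkit as modified` stops a later reviewer from reading that as tampering. `/etc/pve` is also a FUSE mount served by pve-cluster, so a backup taken while that service is down quietly captures an empty directory, which deserves a comment or a pre-check.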
13
playbooks/platforms_ubuntu-20-04.yml
Executable file
13
playbooks/platforms_ubuntu-20-04.yml
Executable file
@ -0,0 +1,13 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: platforms_ubuntu-20-04
|
||||
gather_facts: no
|
||||
roles:
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- docker
|
||||
- kubelet
|
||||
- postgresql
|
||||
tags: [ motd, common ]
|
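Review bot: This play is identical to the 21.10 and 22.04 plays, so the three `motd_watch_services_extra` lists will drift independently. One play with a combined pattern, `- hosts: platforms_ubuntu-20-04:platforms_ubuntu-21-10:platforms_ubuntu-22-04`, or moving the list into a shared `group_vars` file, keeps them in step. If per-release divergence is expected later, a comment saying so would justify the duplication.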
13
playbooks/platforms_ubuntu-21-10.yml
Executable file
13
playbooks/platforms_ubuntu-21-10.yml
Executable file
@ -0,0 +1,13 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: platforms_ubuntu-21-10
|
||||
gather_facts: no
|
||||
roles:
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- docker
|
||||
- kubelet
|
||||
- postgresql
|
||||
tags: [ motd, common ]
|
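Review bot: Ubuntu 21.10 is an interim release that reached end of life in July 2022, so if this change postdates that, hosts in `platforms_ubuntu-21-10` no longer receive security updates and need an upgrade to 22.04 rather than fresh configuration. If the group must stay for a transition, add `# 21.10 is EOL (2022-07); remove once hosts are on 22.04` above the play so it is not forgotten. The play itself duplicates the 20.04 and 22.04 plays verbatim.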
13
playbooks/platforms_ubuntu-22-04.yml
Executable file
13
playbooks/platforms_ubuntu-22-04.yml
Executable file
@ -0,0 +1,13 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: platforms_ubuntu-22-04
|
||||
gather_facts: no
|
||||
roles:
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- docker
|
||||
- kubelet
|
||||
- postgresql
|
||||
tags: [ motd, common ]
|
@ -196,6 +196,13 @@
|
||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit pvestatd.service
|
||||
hostgroup: role-hypervisor
|
||||
# Tag-specific checks
|
||||
# ansible-pull
|
||||
- name: Unit ansible-pull.service
|
||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.service
|
||||
hostgroup: tag-ansible-pull
|
||||
- name: Unit ansible-pull.timer
|
||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.timer
|
||||
hostgroup: tag-ansible-pull
|
||||
# docker
|
||||
- name: Unit docker.service
|
||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit docker.service
|
||||
|
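Review bot: Checking `ansible-pull.service` with `check_systemd_unit` is likely to alert permanently, because the unit added in this same change set is `Type=oneshot` and sits `inactive` between timer runs, which most unit-state checks treat as not OK; for a oneshot the useful signal is whether its last run failed. Keep the `ansible-pull.timer` check as the liveness signal and make the service check treat inactive-but-not-failed as OK (e.g. via `systemctl is-failed --quiet`), depending on what `check_systemd_unit` supports, since its implementation is not visible here. The enclosing list of checks starts and ends outside this hunk.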
@ -3,3 +3,4 @@
|
||||
---
|
||||
# Supplementary tags
|
||||
- import_playbook: tags_ansible.yml
|
||||
- import_playbook: tags_ansible-pull.yml
|
||||
|
@ -4,6 +4,12 @@
|
||||
# Preambulatory system configuration
|
||||
# It's implicit that configuration here MUST preceed site_main.yml
|
||||
- import_playbook: all.yml
|
||||
# Platform configuration
|
||||
- import_playbook: platforms_ubuntu-20-04.yml
|
||||
- import_playbook: platforms_ubuntu-21-10.yml
|
||||
- import_playbook: platforms_ubuntu-22-04.yml
|
||||
- import_playbook: platforms_fedora-kinoite.yml
|
||||
- import_playbook: platforms_proxmox-ve-7.yml
|
||||
# Manufacturer configuration
|
||||
- import_playbook: manufacturers_raspi.yml
|
||||
- import_playbook: manufacturers_s76.yml
|
||||
@ -11,9 +17,9 @@
|
||||
- import_playbook: tags_zt-personal.yml
|
||||
- import_playbook: tags_zt-management.yml
|
||||
# Tags for fundamental services
|
||||
- import_playbook: tags_snmp.yml
|
||||
- import_playbook: tags_nagios.yml
|
||||
# Role (in the Netbox sense) configuration
|
||||
- import_playbook: device_roles_bastion.yml
|
||||
- import_playbook: device_roles_game.yml
|
||||
- import_playbook: device_roles_workstation.yml
|
||||
# Device type, which can include hw-specific stuff like sensors configuration
|
||||
- import_playbook: device_types_pi4b.yml
|
||||
|
27
playbooks/tags_ansible-pull.yml
Executable file
27
playbooks/tags_ansible-pull.yml
Executable file
@ -0,0 +1,27 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: tags_ansible-pull
|
||||
gather_facts: no
|
||||
roles:
|
||||
- role: ansible-pull
|
||||
vars:
|
||||
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
|
||||
ansible_pull_commit: master
|
||||
tags: [ ansible ]
|
||||
- role: git
|
||||
vars:
|
||||
git_repos:
|
||||
- repo: "{{ ansible_pull_repo }}"
|
||||
dest: /etc/ansible
|
||||
tags: [ ansible ]
|
||||
- hosts: all
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: disable ansible-pull when not tagged
|
||||
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
|
||||
with_items:
|
||||
- ansible-pull.timer
|
||||
- ansible-pull.service
|
||||
when: "'tags_ansible-pull' not in group_names and item in services"
|
||||
tags: [ ansible ]
|
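Review bot: The `disable ansible-pull when not tagged` play evaluates `item in services` with `gather_facts: no` and no `service_facts` task of its own, so `services` (which appears to be the `service_facts` result) is defined only if an earlier play in the same run populated it; run standalone via its shebang, the condition errors on an undefined variable instead of skipping. Either add `- ansible.builtin.service_facts:` before the loop or guard the condition, `when: "'tags_ansible-pull' not in group_names and services is defined and item in services"`. Separately, the `git` role clones the same repository to `/etc/ansible` while `ansible-pull` keeps its own checkout under the `ansible` user's home, so a comment on which copy is authoritative would help.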
31
playbooks/tags_snmp.yml
Executable file
31
playbooks/tags_snmp.yml
Executable file
@ -0,0 +1,31 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: tags_snmp
|
||||
gather_facts: no
|
||||
roles:
|
||||
- role: oefenweb.snmpd
|
||||
vars:
|
||||
snmpd_internal_user:
|
||||
username: "{{ secret_snmp_internal_username }}"
|
||||
password: "{{ secret_snmp_internal_password }}"
|
||||
auth_protocol: SHA
|
||||
snmpd_users:
|
||||
- username: "{{ secret_snmp_rouser_username }}"
|
||||
password: "{{ secret_snmp_rouser_password }}"
|
||||
type: rouser
|
||||
auth_protocol: SHA
|
||||
privacy_passphrase: "{{ secret_snmp_rouser_privacy_passphrase }}"
|
||||
privacy_protocol: AES
|
||||
snmpd_disks_include_all: yes
|
||||
snmpd_disks_include_all_threshold_minpercent: "10%"
|
||||
tags: [ snmp ]
|
||||
- hosts: all
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: disable snmpd when not tagged
|
||||
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
|
||||
with_items:
|
||||
- snmpd.service
|
||||
when: "'tags_snmp' not in group_names and item in services"
|
||||
tags: [ zerotier ]
|
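Review bot: The second play carries `tags: [ zerotier ]` although it stops `snmpd` on hosts outside `tags_snmp`; that reads as a copy-and-paste slip from a sibling playbook, and it means `--tags snmp` configures SNMP on tagged hosts but never disables it elsewhere, while `--tags zerotier` unexpectedly stops snmpd. Change it to `tags: [ snmp ]` to match the first play. Also `snmpd_internal_user` is given `auth_protocol: SHA` with no privacy passphrase, so unless the role supplies one it is an authNoPriv SNMPv3 user whose queries are authenticated but sent in clear; if that user only talks to localhost this is fine, but it deserves a comment. As in the ansible-pull playbook, `item in services` assumes an earlier `service_facts` call.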
@ -1,7 +1,5 @@
|
||||
ansible
|
||||
ansible-lint
|
||||
botocore
|
||||
boto3
|
||||
dnspython
|
||||
pynetbox
|
||||
pytz
|
||||
|
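Review bot: None of the entries in this list pins a version, so `pip install -r` resolves to whatever is newest at install time, while the pull hosts install `ansible<5` through a separate constraint; a control-node run and a pull run can therefore execute different Ansible releases against the same playbooks. Pin at least `ansible` and `boto3`/`botocore` to the releases you test with (`==` pins, ideally from a generated lock with hashes). Which two lines this hunk removed is not recoverable from the rendering.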
@ -15,6 +15,9 @@ roles:
|
||||
# Upstream: https://github.com/geerlingguy/ansible-role-postgresql
|
||||
- src: geerlingguy.postgresql
|
||||
version: 3.5.0
|
||||
# Upstream: https://github.com/Oefenweb/ansible-snmpd
|
||||
- src: oefenweb.snmpd
|
||||
version: master
|
||||
# Upstream: https://github.com/willshersystems/ansible-sshd
|
||||
- src: willshersystems.sshd
|
||||
version: v0.23.0
|
||||
|
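Review bot: `oefenweb.snmpd` is pinned to `version: master` while the neighbouring roles use release tags (`3.5.0`, `v0.23.0`), so each `ansible-galaxy install` fetches whatever the upstream branch currently holds, and the role that writes SNMP credentials on every tagged host is neither reproducible nor reviewable. Pin it to a tagged release or a full commit SHA, `version: <tag you tested>`, and leave a comment if no usable tag exists.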
3
roles/ansible-pull/README.md
Normal file
3
roles/ansible-pull/README.md
Normal file
@ -0,0 +1,3 @@
|
||||
# ansible-pull
|
||||
|
||||
This role configures and enables a period `ansible-pull` task through systemd, allowing for machines to ensure proper configuration periodically and of their own volition.
|
6
roles/ansible-pull/defaults/main.yml
Normal file
6
roles/ansible-pull/defaults/main.yml
Normal file
@ -0,0 +1,6 @@
|
||||
# vim:ft=ansible:
|
||||
ansible_pull_boot_delay: 15min
|
||||
ansible_pull_commit: master
|
||||
ansible_pull_time: "*-*-* 01:00:00"
|
||||
ansible_pull_playbook: pull.yml
|
||||
ansible_pull_skip_tags: "skip-pull"
|
6
roles/ansible-pull/files/vaultpass
Normal file
6
roles/ansible-pull/files/vaultpass
Normal file
@ -0,0 +1,6 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31383561303637303735386663306631333063623336643030643634333262336664363461613239
|
||||
6230623439393465656161663432393732633662383833640a373433343236353835363130653937
|
||||
31346233663237383666306536633962613534623735366531666561656335393964316230633161
|
||||
3930636537313364380a376432363431346636363565383734613638316161643036623636656532
|
||||
66333038393738663464343534633766643734393165626538633962376161376262
|
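Review bot: This file is the Ansible Vault password itself, committed (vault-encrypted) to the repository and later copied in clear to `~/ansiblevaultpass` on every `tags_ansible-pull` host by the role's task file; since those hosts also pull the whole repository, any one of them can decrypt every vaulted secret (the `secret_snmp_*` values, for instance), and the password cannot be rotated without re-keying all of them. Consider a dedicated, lower-privilege vault id for pull hosts (`--vault-id pull@~/ansiblevaultpass`) so a host can only decrypt what it needs, and document the procedure when a pull host is lost. If this file is encrypted with the same password it contains, the role README should say how a fresh controller bootstraps it.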
5
roles/ansible-pull/handlers/main.yml
Normal file
5
roles/ansible-pull/handlers/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
- name: restart ansiblepull timer
|
||||
ansible.builtin.systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
||||
become: yes
|
5
roles/ansible-pull/meta/main.yml
Normal file
5
roles/ansible-pull/meta/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
dependencies:
|
||||
- role: ansible
|
15
roles/ansible-pull/tasks/main.yml
Normal file
15
roles/ansible-pull/tasks/main.yml
Normal file
@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
- name: assure vault password file
|
||||
ansible.builtin.copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"
|
||||
become: yes
|
||||
become_user: ansible
|
||||
- name: install ansible
|
||||
ansible.builtin.pip: name=ansible<5,ansible-lint state=latest
|
||||
- name: configure systemd service
|
||||
ansible.builtin.template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service mode=0644
|
||||
- name: configure systemd timer
|
||||
ansible.builtin.template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer mode=0644
|
||||
notify: restart ansiblepull timer
|
||||
- name: enable timer
|
||||
ansible.builtin.systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
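Review bot: `ansible.builtin.pip: name=ansible<5,ansible-lint state=latest` upgrades to the newest matching releases on every run, so the interpreter that later executes `ansible-pull` on each host changes without review; pin both to specific `==` versions and drop `state=latest` so a bad PyPI release cannot break the pull loop fleet-wide. The pip task has no `become`, so it presumably relies on the play's privilege level, which is not visible here. The `configure systemd service` task has no `notify` and only works because the following `enable timer` task reloads the daemon unconditionally, which is worth a comment.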
19
roles/ansible-pull/templates/ansible-pull.service
Normal file
19
roles/ansible-pull/templates/ansible-pull.service
Normal file
@ -0,0 +1,19 @@
|
||||
# vim:ft=dosini:
|
||||
[Unit]
|
||||
Description=Ansible pull service
|
||||
StartLimitIntervalSec=3600
|
||||
StartLimitBurst=5
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
User=ansible
|
||||
Group=ansible
|
||||
Type=oneshot
|
||||
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
|
||||
ExecStart=ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -C "{{ ansible_pull_commit }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}" --skip-tags "{{ ansible_pull_skip_tags }}"
|
||||
Restart=on-failure
|
||||
RestartSec=90
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
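Review bot: `ExecStart` checks out and runs `-C master`, a mutable branch, as a timer job on every host, so anyone who can push to that branch (or tamper with the HTTPS endpoint) gets code execution on the whole fleet at the next run; `ansible-pull` supports `--verify-commit`, so sign commits on the deployed branch and add that flag, or pin `ansible_pull_commit` to a tag or SHA that is bumped deliberately. `--accept-host-key` does nothing for an `https://` URL and will trust-on-first-use the git host's SSH key if the URL is ever switched to `ssh://`, so either drop it or comment the intent. systemd performs no tilde expansion in `Environment=` or `ExecStart=`, so `~/ansible-pull-repo` and `~/ansiblevaultpass` reach `ansible-pull` literally and only work if it expands them itself; the `%h` specifier (the `User=` home) is the safe spelling, e.g. `-d "%h/ansible-pull-repo" --vault-password-file "%h/ansiblevaultpass"`. The unit runs as `User=ansible`; whatever privilege the pulled playbooks need is granted elsewhere and is not visible here.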
11
roles/ansible-pull/templates/ansible-pull.timer
Normal file
11
roles/ansible-pull/templates/ansible-pull.timer
Normal file
@ -0,0 +1,11 @@
|
||||
# vim:ft=dosini:
|
||||
[Unit]
|
||||
Description=Ansible pull timer
|
||||
|
||||
[Timer]
|
||||
Persistent=true
|
||||
OnBootSec={{ ansible_pull_boot_delay }}
|
||||
OnCalendar={{ ansible_pull_time }}
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
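Review bot: `OnCalendar={{ ansible_pull_time }}` (by default 01:00) with `Persistent=true` fires on every host at the same instant, so the whole fleet hits the git server and runs its playbooks simultaneously, and a run missed during downtime is replayed at boot in addition to `OnBootSec`. Adding `RandomizedDelaySec=15min` under `[Timer]` spreads the load, and a comment should state whether the catch-up behaviour of `Persistent=true` is intended.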
30
roles/motd/defaults/main.yml
Normal file
30
roles/motd/defaults/main.yml
Normal file
@ -0,0 +1,30 @@
|
||||
# vim:ft=ansible:
|
||||
|
||||
# Default motd files to remove from /etc/update-motd.d
|
||||
motd_remove:
|
||||
- 00-header
|
||||
- 10-help-text
|
||||
- 50-landscape-sysinfo
|
||||
- 50-motd-news
|
||||
- 85-fwupd
|
||||
- 88-esm-announce
|
||||
- 90-updates-available
|
||||
- 91-contract-ua-esm-status
|
||||
- 91-release-upgrade
|
||||
- 92-unattended-upgrades
|
||||
- 95-hwe-eol
|
||||
- 97-overlayroot
|
||||
- 98-fsck-at-reboot
|
||||
- 98-reboot-required
|
||||
motd_remove_extra: []
|
||||
|
||||
# Services to monitor with our script
|
||||
# Units that can't be found will be skipped
|
||||
motd_watch_services:
|
||||
- ansible-pull
|
||||
- backup
|
||||
motd_watch_services_extra: []
|
||||
# Docker images to look for. Matches a simple glob (*{{ item }}*)
|
||||
# If Docker is not running, this section will be omitted
|
||||
motd_watch_containers: []
|
||||
motd_watch_containers_extra: []
|
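Review bot: `motd_remove` deletes `90-updates-available`, `92-unattended-upgrades` and `91-release-upgrade`, and the replacement script in this role only reports the reboot-required flag, so an admin logging in no longer sees pending (security) update counts or unattended-upgrades results; that visibility regression is worth either keeping those scripts or documenting, e.g. `# NOTE: pending-update and unattended-upgrade notices are removed; rely on monitoring for patch status`. Removing `50-motd-news` and its timer is a reasonable privacy choice and could carry a one-line comment saying so.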
11
roles/motd/tasks/main.yml
Normal file
11
roles/motd/tasks/main.yml
Normal file
@ -0,0 +1,11 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
- name: remove default motd items
|
||||
ansible.builtin.file: state=absent path=/etc/update-motd.d/{{ item }}
|
||||
loop: "{{ motd_remove + motd_remove_extra }}"
|
||||
- name: disable motd-news
|
||||
ansible.builtin.systemd: name="{{ item }}" state=stopped enabled=no
|
||||
with_items:
|
||||
- motd-news.timer
|
||||
- name: template out motd script
|
||||
ansible.builtin.template: src=motd.sh dest=/etc/update-motd.d/50-ansible mode=0755
|
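Review bot: The `disable motd-news` task calls `ansible.builtin.systemd` on `motd-news.timer` unconditionally, so on any host where that unit does not exist the task errors and aborts the play instead of skipping, unlike the `item in services` guards used elsewhere in this change; add `failed_when: false` with a comment, or guard it the same way. The template task writes `/etc/update-motd.d/50-ansible` with `mode=0755` because pam_motd executes these scripts as root at login; a comment to that effect (`# executed by pam_motd as root on every login`) makes the privilege implication visible.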
75
roles/motd/templates/motd.sh
Executable file
75
roles/motd/templates/motd.sh
Executable file
@ -0,0 +1,75 @@
|
||||
#! /bin/bash
|
||||
|
||||
# motd.sh
|
||||
# A basic motd script with some nice information. Designed to be extensible
|
||||
# and easily configurable per-host
|
||||
|
||||
# NOTE: We do not set -e here because we don't want MOTD generation to fail
|
||||
# in the event that just this script fails
|
||||
|
||||
# Services that we want a quick heads-up on their status
|
||||
declare -a services
|
||||
{% for item in (motd_watch_services + motd_watch_services_extra)|sort %}
|
||||
services+=("{{ item }}")
|
||||
{% endfor %}
|
||||
|
||||
declare -a containers
|
||||
{% for item in (motd_watch_containers + motd_watch_containers_extra)|sort %}
|
||||
containers+=("{{ item }}")
|
||||
{% endfor %}
|
||||
|
||||
## Now, we actually put this info to use
|
||||
# Starting with services
|
||||
if [ -n "${services[*]}" ]; then
|
||||
printf "\e[1mService Statuses\e[0m\n"
|
||||
len=20
|
||||
for service in "${services[@]}"; do
|
||||
status="\e[33mUnknown\e[0m"
|
||||
systemctl status "$service" > /dev/null 2>&1
|
||||
case $? in
|
||||
0)
|
||||
status="\e[1;32mRunning\e[0m"
|
||||
;;
|
||||
1|2)
|
||||
status="\e[1;31mDead\e[0m"
|
||||
;;
|
||||
3)
|
||||
status="\e[37mNot Running\e[0m"
|
||||
;;
|
||||
4)
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
printf " * \e[37m%-${len}.${len}s\e[0m - $status " "$service"
|
||||
if systemctl is-failed --quiet "$service"; then
|
||||
printf "\e[1;31m(FAILED!)\e[0m "
|
||||
fi
|
||||
printf "\n"
|
||||
done
|
||||
fi
|
||||
|
||||
# Containers, if docker is running
|
||||
if [ -n "${containers[*]}" ] && systemctl -q is-active docker; then
|
||||
printf "\e[1mContainer Statuses\e[0m\n"
|
||||
len=20
|
||||
for container in "${containers[@]}"; do
|
||||
status="\e[33mUnknown\e[0m"
|
||||
image="$(docker ps | tail -n +2 | awk '{print $2}' | grep -ie "$container")"
|
||||
if [ -n "$image" ]; then
|
||||
status="\e[1;32mRunning\e[0m - $image"
|
||||
fi
|
||||
if [ -z "$image" ]; then
|
||||
status="\e[1;31mNot Running\e[0m"
|
||||
fi
|
||||
printf " * \e[37m%-${len}.${len}s\e[0m - $status " "$container"
|
||||
printf "\n"
|
||||
done
|
||||
fi
|
||||
|
||||
## And some generic system status stuff
|
||||
printf "\e[1mSystem Status\e[0m\n"
|
||||
if [ -f /var/run/reboot-required ]; then
|
||||
printf " * \e[1;33mReboot required\e[0m\n"
|
||||
else
|
||||
printf "\e[37m - No outstanding reboots\e[0m\n"
|
||||
fi
|
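Review bot: Inventory values are spliced into the script without shell quoting at `services+=("{{ item }}")` and `containers+=("{{ item }}")`, so a service or container name containing `"`, `$(` or backticks breaks or injects into a script that pam_motd runs as root at every login; use Ansible's quote filter, `services+=({{ item | quote }})`, in both loops. The container lookup `grep -ie "$container"` also treats the name as a case-insensitive regex although the defaults file describes a simple substring match, so a name like `web.*` matches unexpectedly; `grep -iF -- "$container"` matches the literal text instead. `$status` is embedded in a `printf` format string, which is fine only because it is script-controlled; a comment saying so would preempt the next ShellCheck pass.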