Compare commits
8 Commits
f6d34bb707
...
bc6f76a07d
Author | SHA1 | Date | |
---|---|---|---|
bc6f76a07d | |||
77a2d1e10c | |||
33318967d7 | |||
f9320086bf | |||
487aa794c2 | |||
249b974da2 | |||
b780551d1d | |||
99845033f1 |
@ -1,15 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: device_roles_game
|
|
||||||
gather_facts: no
|
|
||||||
roles:
|
|
||||||
- role: backup
|
|
||||||
vars:
|
|
||||||
backup_s3backup_list_extra:
|
|
||||||
- /data
|
|
||||||
backup_s3backup_exclude_list_extra:
|
|
||||||
- /data/terraria-fargo/backups
|
|
||||||
- /data/minecraft/hexxit2-survival/backups
|
|
||||||
- /data/minecraft/botaniapack2-survival/backups
|
|
||||||
tags: [ backup ]
|
|
@ -1,9 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: device_types_r720
|
|
||||||
roles:
|
|
||||||
- role: ansible-role-lm-sensors
|
|
||||||
vars:
|
|
||||||
lm_sensors_force_detection: yes
|
|
||||||
tags: [ lm-sensors ]
|
|
@ -1,8 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: platforms_fedora-kinoite
|
|
||||||
gather_facts: no
|
|
||||||
tasks:
|
|
||||||
- name: debug dummy task
|
|
||||||
debug: msg=ignoreme
|
|
@ -1,27 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: platforms_proxmox-ve-7
|
|
||||||
gather_facts: no
|
|
||||||
tasks:
|
|
||||||
# https://tteck.github.io/Proxmox/
|
|
||||||
- name: disable enterprise nag
|
|
||||||
ansible.builtin.copy:
|
|
||||||
content: |
|
|
||||||
DPkg::Post-Invoke { "dpkg -V proxmox-widget-toolkit | grep -q '/proxmoxlib\.js$'; if [ $? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi"; };
|
|
||||||
dest: /etc/apt/apt.conf.d/no-nag-script
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0644"
|
|
||||||
tags: [ nag, common ]
|
|
||||||
roles:
|
|
||||||
- role: backup
|
|
||||||
vars:
|
|
||||||
backup_s3backup_list_extra:
|
|
||||||
- /data
|
|
||||||
- /etc/kernel
|
|
||||||
- /etc/modprobe.d
|
|
||||||
- /etc/modules
|
|
||||||
- /etc/pve
|
|
||||||
backup_time: "Mon *-*-* 02:00:00"
|
|
||||||
tags: [ backup, common ]
|
|
@ -1,13 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: platforms_ubuntu-20-04
|
|
||||||
gather_facts: no
|
|
||||||
roles:
|
|
||||||
- role: motd
|
|
||||||
vars:
|
|
||||||
motd_watch_services_extra:
|
|
||||||
- docker
|
|
||||||
- kubelet
|
|
||||||
- postgresql
|
|
||||||
tags: [ motd, common ]
|
|
@ -1,13 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: platforms_ubuntu-21-10
|
|
||||||
gather_facts: no
|
|
||||||
roles:
|
|
||||||
- role: motd
|
|
||||||
vars:
|
|
||||||
motd_watch_services_extra:
|
|
||||||
- docker
|
|
||||||
- kubelet
|
|
||||||
- postgresql
|
|
||||||
tags: [ motd, common ]
|
|
@ -1,13 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: platforms_ubuntu-22-04
|
|
||||||
gather_facts: no
|
|
||||||
roles:
|
|
||||||
- role: motd
|
|
||||||
vars:
|
|
||||||
motd_watch_services_extra:
|
|
||||||
- docker
|
|
||||||
- kubelet
|
|
||||||
- postgresql
|
|
||||||
tags: [ motd, common ]
|
|
@ -196,13 +196,6 @@
|
|||||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit pvestatd.service
|
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit pvestatd.service
|
||||||
hostgroup: role-hypervisor
|
hostgroup: role-hypervisor
|
||||||
# Tag-specific checks
|
# Tag-specific checks
|
||||||
# ansible-pull
|
|
||||||
- name: Unit ansible-pull.service
|
|
||||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.service
|
|
||||||
hostgroup: tag-ansible-pull
|
|
||||||
- name: Unit ansible-pull.timer
|
|
||||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.timer
|
|
||||||
hostgroup: tag-ansible-pull
|
|
||||||
# docker
|
# docker
|
||||||
- name: Unit docker.service
|
- name: Unit docker.service
|
||||||
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit docker.service
|
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit docker.service
|
||||||
|
@ -3,4 +3,3 @@
|
|||||||
---
|
---
|
||||||
# Supplementary tags
|
# Supplementary tags
|
||||||
- import_playbook: tags_ansible.yml
|
- import_playbook: tags_ansible.yml
|
||||||
- import_playbook: tags_ansible-pull.yml
|
|
||||||
|
@ -4,12 +4,6 @@
|
|||||||
# Preambulatory system configuration
|
# Preambulatory system configuration
|
||||||
# It's implicit that configuration here MUST preceed site_main.yml
|
# It's implicit that configuration here MUST preceed site_main.yml
|
||||||
- import_playbook: all.yml
|
- import_playbook: all.yml
|
||||||
# Platform configuration
|
|
||||||
- import_playbook: platforms_ubuntu-20-04.yml
|
|
||||||
- import_playbook: platforms_ubuntu-21-10.yml
|
|
||||||
- import_playbook: platforms_ubuntu-22-04.yml
|
|
||||||
- import_playbook: platforms_fedora-kinoite.yml
|
|
||||||
- import_playbook: platforms_proxmox-ve-7.yml
|
|
||||||
# Manufacturer configuration
|
# Manufacturer configuration
|
||||||
- import_playbook: manufacturers_raspi.yml
|
- import_playbook: manufacturers_raspi.yml
|
||||||
- import_playbook: manufacturers_s76.yml
|
- import_playbook: manufacturers_s76.yml
|
||||||
@ -17,9 +11,9 @@
|
|||||||
- import_playbook: tags_zt-personal.yml
|
- import_playbook: tags_zt-personal.yml
|
||||||
- import_playbook: tags_zt-management.yml
|
- import_playbook: tags_zt-management.yml
|
||||||
# Tags for fundamental services
|
# Tags for fundamental services
|
||||||
- import_playbook: tags_snmp.yml
|
|
||||||
- import_playbook: tags_nagios.yml
|
- import_playbook: tags_nagios.yml
|
||||||
# Role (in the Netbox sense) configuration
|
# Role (in the Netbox sense) configuration
|
||||||
- import_playbook: device_roles_bastion.yml
|
- import_playbook: device_roles_bastion.yml
|
||||||
- import_playbook: device_roles_game.yml
|
|
||||||
- import_playbook: device_roles_workstation.yml
|
- import_playbook: device_roles_workstation.yml
|
||||||
|
# Device type, which can include hw-specific stuff like sensors configuration
|
||||||
|
- import_playbook: device_types_pi4b.yml
|
||||||
|
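Review bot: Dropping `- import_playbook: tags_snmp.yml` in the second hunk (and `tags_ansible-pull.yml` in the preceding file section) also drops the `hosts: all` plays that stopped those units on untagged hosts, so nothing visible in this comparison tears down what the deleted roles installed. Hosts provisioned earlier would presumably keep `snmpd.service` running with its SNMPv3 users, along with `ansible-pull.timer`, the two unit files under `/etc/systemd/system/`, and the vault password at `~/ansiblevaultpass` of the `ansible` user. If that state is not cleaned up elsewhere, a one-off teardown play run once against all hosts would close the gap; the sketch below reuses the `item in services` guard from the deleted plays and assumes `services` is still populated by an earlier play.

```yaml
# One-off teardown for hosts provisioned before these imports were removed
- hosts: all
  gather_facts: false
  become: true
  tasks:
    - name: stop and disable units that are no longer managed
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: stopped
        enabled: false
      loop:
        - ansible-pull.timer
        - ansible-pull.service
        - snmpd.service
      when: item in services
    - name: remove ansible-pull unit files
      ansible.builtin.file:
        path: "/etc/systemd/system/{{ item }}"
        state: absent
      loop:
        - ansible-pull.service
        - ansible-pull.timer
    - name: remove the vault password left for ansible-pull
      ansible.builtin.file:
        path: "~/ansiblevaultpass"
        state: absent
      become_user: ansible
```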
@ -1,27 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: tags_ansible-pull
|
|
||||||
gather_facts: no
|
|
||||||
roles:
|
|
||||||
- role: ansible-pull
|
|
||||||
vars:
|
|
||||||
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
|
|
||||||
ansible_pull_commit: master
|
|
||||||
tags: [ ansible ]
|
|
||||||
- role: git
|
|
||||||
vars:
|
|
||||||
git_repos:
|
|
||||||
- repo: "{{ ansible_pull_repo }}"
|
|
||||||
dest: /etc/ansible
|
|
||||||
tags: [ ansible ]
|
|
||||||
- hosts: all
|
|
||||||
gather_facts: no
|
|
||||||
tasks:
|
|
||||||
- name: disable ansible-pull when not tagged
|
|
||||||
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
|
|
||||||
with_items:
|
|
||||||
- ansible-pull.timer
|
|
||||||
- ansible-pull.service
|
|
||||||
when: "'tags_ansible-pull' not in group_names and item in services"
|
|
||||||
tags: [ ansible ]
|
|
@ -1,31 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: tags_snmp
|
|
||||||
gather_facts: no
|
|
||||||
roles:
|
|
||||||
- role: oefenweb.snmpd
|
|
||||||
vars:
|
|
||||||
snmpd_internal_user:
|
|
||||||
username: "{{ secret_snmp_internal_username }}"
|
|
||||||
password: "{{ secret_snmp_internal_password }}"
|
|
||||||
auth_protocol: SHA
|
|
||||||
snmpd_users:
|
|
||||||
- username: "{{ secret_snmp_rouser_username }}"
|
|
||||||
password: "{{ secret_snmp_rouser_password }}"
|
|
||||||
type: rouser
|
|
||||||
auth_protocol: SHA
|
|
||||||
privacy_passphrase: "{{ secret_snmp_rouser_privacy_passphrase }}"
|
|
||||||
privacy_protocol: AES
|
|
||||||
snmpd_disks_include_all: yes
|
|
||||||
snmpd_disks_include_all_threshold_minpercent: "10%"
|
|
||||||
tags: [ snmp ]
|
|
||||||
- hosts: all
|
|
||||||
gather_facts: no
|
|
||||||
tasks:
|
|
||||||
- name: disable snmpd when not tagged
|
|
||||||
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
|
|
||||||
with_items:
|
|
||||||
- snmpd.service
|
|
||||||
when: "'tags_snmp' not in group_names and item in services"
|
|
||||||
tags: [ zerotier ]
|
|
@ -1,5 +1,7 @@
|
|||||||
ansible
|
ansible
|
||||||
ansible-lint
|
ansible-lint
|
||||||
|
botocore
|
||||||
|
boto3
|
||||||
dnspython
|
dnspython
|
||||||
pynetbox
|
pynetbox
|
||||||
pytz
|
pytz
|
||||||
|
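Review bot: `botocore` and `boto3` are added without version constraints, so every install resolves whatever release is current on the package index at that moment. The rest of the file is unpinned as well, but boto3 already declares its own narrow botocore requirement, so listing `botocore` separately is redundant unless it is meant to be pinned on purpose. Consider pinning the new entry, e.g. `boto3==<reviewed-version>`, and letting it pull the matching botocore, or installing through a hash-checked constraints file so the controller's dependencies are reproducible.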
@ -15,9 +15,6 @@ roles:
|
|||||||
# Upstream: https://github.com/geerlingguy/ansible-role-postgresql
|
# Upstream: https://github.com/geerlingguy/ansible-role-postgresql
|
||||||
- src: geerlingguy.postgresql
|
- src: geerlingguy.postgresql
|
||||||
version: 3.5.0
|
version: 3.5.0
|
||||||
# Upstream: https://github.com/Oefenweb/ansible-snmpd
|
|
||||||
- src: oefenweb.snmpd
|
|
||||||
version: master
|
|
||||||
# Upstream: https://github.com/willshersystems/ansible-sshd
|
# Upstream: https://github.com/willshersystems/ansible-sshd
|
||||||
- src: willshersystems.sshd
|
- src: willshersystems.sshd
|
||||||
version: v0.23.0
|
version: v0.23.0
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
# ansible-pull
|
|
||||||
|
|
||||||
This role configures and enables a period `ansible-pull` task through systemd, allowing for machines to ensure proper configuration periodically and of their own volition.
|
|
@ -1,6 +0,0 @@
|
|||||||
# vim:ft=ansible:
|
|
||||||
ansible_pull_boot_delay: 15min
|
|
||||||
ansible_pull_commit: master
|
|
||||||
ansible_pull_time: "*-*-* 01:00:00"
|
|
||||||
ansible_pull_playbook: pull.yml
|
|
||||||
ansible_pull_skip_tags: "skip-pull"
|
|
@ -1,6 +0,0 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
31383561303637303735386663306631333063623336643030643634333262336664363461613239
|
|
||||||
6230623439393465656161663432393732633662383833640a373433343236353835363130653937
|
|
||||||
31346233663237383666306536633962613534623735366531666561656335393964316230633161
|
|
||||||
3930636537313364380a376432363431346636363565383734613638316161643036623636656532
|
|
||||||
66333038393738663464343534633766643734393165626538633962376161376262
|
|
@ -1,5 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
- name: restart ansiblepull timer
|
|
||||||
ansible.builtin.systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
|
||||||
become: yes
|
|
@ -1,5 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
dependencies:
|
|
||||||
- role: ansible
|
|
@ -1,15 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
- name: assure vault password file
|
|
||||||
ansible.builtin.copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"
|
|
||||||
become: yes
|
|
||||||
become_user: ansible
|
|
||||||
- name: install ansible
|
|
||||||
ansible.builtin.pip: name=ansible<5,ansible-lint state=latest
|
|
||||||
- name: configure systemd service
|
|
||||||
ansible.builtin.template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service mode=0644
|
|
||||||
- name: configure systemd timer
|
|
||||||
ansible.builtin.template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer mode=0644
|
|
||||||
notify: restart ansiblepull timer
|
|
||||||
- name: enable timer
|
|
||||||
ansible.builtin.systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
|
@ -1,19 +0,0 @@
|
|||||||
# vim:ft=dosini:
|
|
||||||
[Unit]
|
|
||||||
Description=Ansible pull service
|
|
||||||
StartLimitIntervalSec=3600
|
|
||||||
StartLimitBurst=5
|
|
||||||
After=network-online.target
|
|
||||||
Wants=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
User=ansible
|
|
||||||
Group=ansible
|
|
||||||
Type=oneshot
|
|
||||||
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
|
|
||||||
ExecStart=ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -C "{{ ansible_pull_commit }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}" --skip-tags "{{ ansible_pull_skip_tags }}"
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=90
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,11 +0,0 @@
|
|||||||
# vim:ft=dosini:
|
|
||||||
[Unit]
|
|
||||||
Description=Ansible pull timer
|
|
||||||
|
|
||||||
[Timer]
|
|
||||||
Persistent=true
|
|
||||||
OnBootSec={{ ansible_pull_boot_delay }}
|
|
||||||
OnCalendar={{ ansible_pull_time }}
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=timers.target
|
|
@ -1,30 +0,0 @@
|
|||||||
# vim:ft=ansible:
|
|
||||||
|
|
||||||
# Default motd files to remove from /etc/update-motd.d
|
|
||||||
motd_remove:
|
|
||||||
- 00-header
|
|
||||||
- 10-help-text
|
|
||||||
- 50-landscape-sysinfo
|
|
||||||
- 50-motd-news
|
|
||||||
- 85-fwupd
|
|
||||||
- 88-esm-announce
|
|
||||||
- 90-updates-available
|
|
||||||
- 91-contract-ua-esm-status
|
|
||||||
- 91-release-upgrade
|
|
||||||
- 92-unattended-upgrades
|
|
||||||
- 95-hwe-eol
|
|
||||||
- 97-overlayroot
|
|
||||||
- 98-fsck-at-reboot
|
|
||||||
- 98-reboot-required
|
|
||||||
motd_remove_extra: []
|
|
||||||
|
|
||||||
# Services to monitor with our script
|
|
||||||
# Units that can't be found will be skipped
|
|
||||||
motd_watch_services:
|
|
||||||
- ansible-pull
|
|
||||||
- backup
|
|
||||||
motd_watch_services_extra: []
|
|
||||||
# Docker images to look for. Matches a simple glob (*{{ item }}*)
|
|
||||||
# If Docker is not running, this section will be omitted
|
|
||||||
motd_watch_containers: []
|
|
||||||
motd_watch_containers_extra: []
|
|
@ -1,11 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
- name: remove default motd items
|
|
||||||
ansible.builtin.file: state=absent path=/etc/update-motd.d/{{ item }}
|
|
||||||
loop: "{{ motd_remove + motd_remove_extra }}"
|
|
||||||
- name: disable motd-news
|
|
||||||
ansible.builtin.systemd: name="{{ item }}" state=stopped enabled=no
|
|
||||||
with_items:
|
|
||||||
- motd-news.timer
|
|
||||||
- name: template out motd script
|
|
||||||
ansible.builtin.template: src=motd.sh dest=/etc/update-motd.d/50-ansible mode=0755
|
|
@ -1,75 +0,0 @@
|
|||||||
#! /bin/bash
|
|
||||||
|
|
||||||
# motd.sh
|
|
||||||
# A basic motd script with some nice information. Designed to be extensible
|
|
||||||
# and easily configurable per-host
|
|
||||||
|
|
||||||
# NOTE: We do not set -e here because we don't want MOTD generation to fail
|
|
||||||
# in the event that just this script fails
|
|
||||||
|
|
||||||
# Services that we want a quick heads-up on their status
|
|
||||||
declare -a services
|
|
||||||
{% for item in (motd_watch_services + motd_watch_services_extra)|sort %}
|
|
||||||
services+=("{{ item }}")
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
declare -a containers
|
|
||||||
{% for item in (motd_watch_containers + motd_watch_containers_extra)|sort %}
|
|
||||||
containers+=("{{ item }}")
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
## Now, we actually put this info to use
|
|
||||||
# Starting with services
|
|
||||||
if [ -n "${services[*]}" ]; then
|
|
||||||
printf "\e[1mService Statuses\e[0m\n"
|
|
||||||
len=20
|
|
||||||
for service in "${services[@]}"; do
|
|
||||||
status="\e[33mUnknown\e[0m"
|
|
||||||
systemctl status "$service" > /dev/null 2>&1
|
|
||||||
case $? in
|
|
||||||
0)
|
|
||||||
status="\e[1;32mRunning\e[0m"
|
|
||||||
;;
|
|
||||||
1|2)
|
|
||||||
status="\e[1;31mDead\e[0m"
|
|
||||||
;;
|
|
||||||
3)
|
|
||||||
status="\e[37mNot Running\e[0m"
|
|
||||||
;;
|
|
||||||
4)
|
|
||||||
continue
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
printf " * \e[37m%-${len}.${len}s\e[0m - $status " "$service"
|
|
||||||
if systemctl is-failed --quiet "$service"; then
|
|
||||||
printf "\e[1;31m(FAILED!)\e[0m "
|
|
||||||
fi
|
|
||||||
printf "\n"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Containers, if docker is running
|
|
||||||
if [ -n "${containers[*]}" ] && systemctl -q is-active docker; then
|
|
||||||
printf "\e[1mContainer Statuses\e[0m\n"
|
|
||||||
len=20
|
|
||||||
for container in "${containers[@]}"; do
|
|
||||||
status="\e[33mUnknown\e[0m"
|
|
||||||
image="$(docker ps | tail -n +2 | awk '{print $2}' | grep -ie "$container")"
|
|
||||||
if [ -n "$image" ]; then
|
|
||||||
status="\e[1;32mRunning\e[0m - $image"
|
|
||||||
fi
|
|
||||||
if [ -z "$image" ]; then
|
|
||||||
status="\e[1;31mNot Running\e[0m"
|
|
||||||
fi
|
|
||||||
printf " * \e[37m%-${len}.${len}s\e[0m - $status " "$container"
|
|
||||||
printf "\n"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
## And some generic system status stuff
|
|
||||||
printf "\e[1mSystem Status\e[0m\n"
|
|
||||||
if [ -f /var/run/reboot-required ]; then
|
|
||||||
printf " * \e[1;33mReboot required\e[0m\n"
|
|
||||||
else
|
|
||||||
printf "\e[37m - No outstanding reboots\e[0m\n"
|
|
||||||
fi
|
|