scripts/ansible/main.yml

197 lines
4.8 KiB
YAML

# All hosts are debian 10
---
# Common
- hosts: compute,nfs,router
become: yes
handlers:
- import_tasks: handlers.yml
tasks:
# Core
- name: Install common packages
apt:
name:
- apt-listchanges
- chrony
- curl
- git
- htop
- iperf3
- mosh
- nmap
- tmux
- unattended-upgrades
- vim
force_apt_get: yes
update_cache: yes
# TODO Change defaults
- name: Configure unattended-upgrades
copy:
src: files/50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: '0644'
- name: Enable unattended-upgrades
copy:
src: files/20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
owner: root
group: root
mode: '0644'
- name: Disable power and reset buttons
copy:
src: files/logind.conf
dest: /etc/systemd/logind.conf
owner: root
group: root
mode: '0644'
notify: Restart systemd-logind service
- name: Set chrony ntp servers
copy:
src: files/chrony.conf
dest: /etc/chrony/chrony.conf
owner: root
group: root
mode: '0644'
notify: Restart chrony service
# Core networking
- name: Configure sshd_config to listen on 2222/22 and disable password auth
copy:
src: files/sshd_config
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd service
## Changes will take effect during next reboot
## (determined by unattended-upgrades)
- name: Configure sysctl with IPv6 privacy extensions
template:
src: templates/local.conf.j2
dest: /etc/sysctl.d/local.conf
owner: root
group: root
mode: '0644'
### Router
##- hosts: router
## become: yes
## tasks:
## - name: Install frrouting and related router packages
## - name: Configure bgp, etc???
# Media networking (Wireguard VPN, NFS)
- hosts: compute,nfs
become: yes
handlers:
- import_tasks: handlers.yml
tasks:
- name: Add unstable repository
shell: |
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
args:
creates: /etc/apt/sources.list.d/unstable.list
- name: Install media networking packages
apt:
name:
- nfs-common
- wireguard
force_apt_get: yes
update_cache: yes
# Manually do wireguard config https://wiki.debian.org/Wireguard
# NFS core config
# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755)
- hosts: nfs
become: yes
handlers:
- import_tasks: handlers.yml
tasks:
- name: Install NFS server package
apt:
name: nfs-kernel-server
force_apt_get: yes
update_cache: yes
- name: Export /bigdata
copy:
src: files/exports
dest: /etc/exports
owner: root
group: root
mode: '0644'
notify: Re-export exportfs
# Compute core config
- hosts: compute
become: yes
tasks:
- name: Install Docker + compute packages
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- gnupg2
- software-properties-common
- sshfs
force_apt_get: yes
update_cache: yes
- name: Mount bigdummy /bigdata via NFS
mount:
src: 10.200.0.202:/bigdata
path: /bigdata
fstype: nfs
opts: soft,nodev,nosuid
state: mounted
- name: Create /media-vtluug directory
file:
path: /media-vtluug
state: directory
mode: '0755'
# Might require running manually mounting
- name: Mount vtluug /media via sshfs
mount:
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
path: /media-vtluug
fstype: fuse.sshfs
opts: allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa
state: mounted
- name: Add Docker GPG key
apt_key:
url: https://download.docker.com/linux/debian/gpg
- name: Add Docker APT repository
apt_repository:
repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
- name: Install Docker CE
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
force_apt_get: yes
update_cache: yes
- name: Add paul to docker group
user:
name: paul
groups: docker
append: yes
# Clone docker-manifests repo to start services