From 659d653e900879a9d0d9cda57358971b88e66071 Mon Sep 17 00:00:00 2001 From: Justin Date: Mon, 14 Apr 2025 14:13:11 -0500 Subject: [PATCH] moved file around --- docker/docker-certs-enable.yaml | 52 +++++++++ docker/docker-certs.yaml | 158 +++++++++++++++++++++++++++ docker/inst-docker-ubuntu.yaml | 35 ++++++ docker/maint-docker-clean.yaml | 14 +++ git-update.yaml | 4 +- ubuntu/config-add-sshkey.yaml | 23 ++++ ubuntu/inst-vm-core.yaml | 19 ++++ ubuntu/install_nvim.yaml | 110 +++++++++++++++++++ ubuntu/maint-diskspace.yaml | 25 +++++ ubuntu/maint-reboot-required.yaml | 16 +++ ubuntu/plex.yaml | 11 ++ ubuntu/update-cloudflace-tunnel.yaml | 28 +++++ ubuntu/update.yaml | 86 +++++++++++++++ 13 files changed, 580 insertions(+), 1 deletion(-) create mode 100644 docker/docker-certs-enable.yaml create mode 100644 docker/docker-certs.yaml create mode 100644 docker/inst-docker-ubuntu.yaml create mode 100644 docker/maint-docker-clean.yaml create mode 100644 ubuntu/config-add-sshkey.yaml create mode 100644 ubuntu/inst-vm-core.yaml create mode 100644 ubuntu/install_nvim.yaml create mode 100644 ubuntu/maint-diskspace.yaml create mode 100644 ubuntu/maint-reboot-required.yaml create mode 100644 ubuntu/plex.yaml create mode 100644 ubuntu/update-cloudflace-tunnel.yaml create mode 100644 ubuntu/update.yaml diff --git a/docker/docker-certs-enable.yaml b/docker/docker-certs-enable.yaml new file mode 100644 index 0000000..ff0f3d3 --- /dev/null +++ b/docker/docker-certs-enable.yaml 
@@ -0,0 +1,52 @@ +--- +- name: "Docker Certs enable" + hosts: "{{ my_hosts | d([]) }}" + become: true + vars: + certs_path: "/root/docker-certs" + + tasks: + - name: Check if docker certs are existing + ansible.builtin.stat: + path: "{{ certs_path }}" + register: certs_dir + + - name: Fail if docker certs are not existing + ansible.builtin.fail: + msg: "Docker certificates are not existing in /root/docker-certs." + when: not certs_dir.stat.exists + + - name: Get machine's primary internal ip address from eth0 interface + ansible.builtin.setup: + register: ip_address + + - name: Set machine's primary internal ip address + ansible.builtin.set_fact: + ip_address: "{{ ip_address.ansible_facts.ansible_default_ipv4.address }}" + + - name: Check if ip_address is a valid ip address + ansible.builtin.assert: + that: + - ip_address is match("^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$") + fail_msg: "ip_address is not a valid ip address." + success_msg: "ip_address is a valid ip address." + + - name: Change docker daemon to use certs + ansible.builtin.lineinfile: + path: /lib/systemd/system/docker.service + line: > + ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock + -H tcp://{{ ip_address }}:2376 --tlsverify --tlscacert={{ certs_path }}/ca.pem + --tlscert={{ certs_path }}/server-cert.pem --tlskey={{ certs_path }}/server-key.pem + regexp: '^ExecStart=' + state: present + + - name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true + + - name: Restart docker daemon + ansible.builtin.systemd: + name: docker + state: restarted + enabled: true diff --git a/docker/docker-certs.yaml b/docker/docker-certs.yaml new file mode 100644 index 0000000..f7b8f71 --- /dev/null +++ b/docker/docker-certs.yaml 
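Review bot: The guard before the `lineinfile` task only checks that `{{ certs_path }}` exists, not that `ca.pem`, `server-cert.pem` and `server-key.pem` are present, so a partly populated directory still gets written into `ExecStart` and dockerd then fails to come back on the restart at the end of the hunk; stat the three files (`loop: [ca.pem, server-cert.pem, server-key.pem]`) and fail when any `stat.exists` is false. Editing `/lib/systemd/system/docker.service` in place is also fragile, since a docker-ce package upgrade can replace that file and silently drop the TLS listener; a drop-in `/etc/systemd/system/docker.service.d/override.conf` with an empty `ExecStart=` reset followed by the new line is the usual way to survive upgrades. Port 2376 is bound to `ansible_default_ipv4.address`, i.e. whichever interface carries the default route, and any client holding a certificate signed by `ca.pem` gets root-equivalent control of the host; a comment stating that, plus a host firewall rule limiting 2376 to the controller, would make the exposure explicit. The task name `Get machine's primary internal ip address from eth0 interface` does not match what the task does (it reads the default-route address, not eth0).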
@@ -0,0 +1,158 @@ +--- +- name: "Docker Certs" + hosts: "{{ my_hosts | d([]) }}" + become: true + vars: + certs_path: "/root/docker-certs" + cert_validity_days: 3650 + cn_domain: "your-domain.tld" + + tasks: + - name: Check if docker certs are existing + ansible.builtin.stat: + path: "{{ certs_path }}" + register: certs_dir + + - name: Create docker certs directory (if needed) + ansible.builtin.file: + path: "{{ certs_path }}" + state: directory + mode: '0700' + when: not certs_dir.stat.exists + + - name: Check if docker certs directory is empty + ansible.builtin.command: ls -A "{{ certs_path }}" + register: certs_list + when: certs_dir.stat.exists + changed_when: false + ignore_errors: true + + - name: Fail if docker certs already exist + ansible.builtin.fail: + msg: "Docker certificates already exist in /root/docker-certs." + when: certs_list.stdout | default('') != '' + + - name: Get machine's primary internal ip address from eth0 interface + ansible.builtin.setup: + register: ip_address + + - name: Set machine's primary internal ip address + ansible.builtin.set_fact: + ip_address: "{{ ip_address.ansible_facts.ansible_default_ipv4.address }}" + + - name: Check if ip_address is a valid ip address + ansible.builtin.assert: + that: + - ip_address is match("^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$") + fail_msg: "ip_address is not a valid ip address." + success_msg: "ip_address is a valid ip address." 
+ + - name: Generate CA private key + ansible.builtin.command: + cmd: > + openssl genrsa -out "{{ certs_path }}/ca-key.pem" 4096 + args: + creates: "{{ certs_path }}/ca-key.pem" + + - name: Generate CA certificate + ansible.builtin.command: + cmd: > + openssl req -sha256 -new -x509 + -subj "/CN={{ cn_domain }}" + -days "{{ cert_validity_days }}" + -key "{{ certs_path }}/ca-key.pem" + -out "{{ certs_path }}/ca.pem" + args: + creates: "{{ certs_path }}/ca.pem" + + - name: Generate server private key + ansible.builtin.command: + cmd: > + openssl genrsa -out "{{ certs_path }}/server-key.pem" 4096 + creates: "{{ certs_path }}/server-key.pem" + + - name: Generate server certificate signing request + ansible.builtin.command: + cmd: > + openssl req -sha256 -new + -subj "/CN={{ inventory_hostname }}" + -key "{{ certs_path }}/server-key.pem" + -out "{{ certs_path }}/server.csr" + creates: "{{ certs_path }}/server.csr" + + - name: Generate server certificate extension file + ansible.builtin.shell: | + echo "subjectAltName = DNS:{{ inventory_hostname }},IP:{{ ip_address }},IP:127.0.0.1" >> "{{ certs_path }}/extfile.cnf" + echo "extendedKeyUsage = serverAuth" >> "{{ certs_path }}/extfile.cnf" + args: + creates: "{{ certs_path }}/extfile.cnf" + + - name: Generate server certificate + ansible.builtin.command: + cmd: > + openssl x509 -req -days "{{ cert_validity_days }}" -sha256 + -in "{{ certs_path }}/server.csr" + -CA "{{ certs_path }}/ca.pem" + -CAkey "{{ certs_path }}/ca-key.pem" + -CAcreateserial -out "{{ certs_path }}/server-cert.pem" + -extfile "{{ certs_path }}/extfile.cnf" + creates: "{{ certs_path }}/server-cert.pem" + + - name: Generate client private key + ansible.builtin.command: + cmd: > + openssl genrsa -out "{{ certs_path }}/key.pem" 4096 + creates: "{{ certs_path }}/key.pem" + + - name: Generate client certificate signing request + ansible.builtin.command: + cmd: > + openssl req -sha256 -new + -subj "/CN=client" + -key "{{ certs_path }}/key.pem" + -out "{{ 
certs_path }}/client.csr" + creates: "{{ certs_path }}/client.csr" + + - name: Generate client certificate extension file + ansible.builtin.shell: | + echo "extendedKeyUsage = clientAuth" >> "{{ certs_path }}/client-extfile.cnf" + args: + creates: "{{ certs_path }}/client-extfile.cnf" + + - name: Generate client certificate + ansible.builtin.command: + cmd: > + openssl x509 -req -days "{{ cert_validity_days }}" + -sha256 -in "{{ certs_path }}/client.csr" + -CA "{{ certs_path }}/ca.pem" + -CAkey "{{ certs_path }}/ca-key.pem" + -CAcreateserial -out "{{ certs_path }}/cert.pem" + -extfile "{{ certs_path }}/client-extfile.cnf" + creates: "{{ certs_path }}/cert.pem" + + - name: Remove client certificate signing request + ansible.builtin.file: + path: "{{ certs_path }}/server.csr" + state: absent + + - name: Remove client certificate signing request + ansible.builtin.file: + path: "{{ certs_path }}/client.csr" + state: absent + + - name: Remove server certificate extension file + ansible.builtin.file: + path: "{{ certs_path }}/extfile.cnf" + state: absent + + - name: Remove client certificate extension file + ansible.builtin.file: + path: "{{ certs_path }}/client-extfile.cnf" + state: absent + + - name: Set permissions for docker certs + ansible.builtin.file: + path: "{{ certs_path }}" + mode: '0700' + recurse: true + follow: true diff --git a/docker/inst-docker-ubuntu.yaml b/docker/inst-docker-ubuntu.yaml new file mode 100644 index 0000000..4db252e --- /dev/null +++ b/docker/inst-docker-ubuntu.yaml 
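Review bot: The client credentials `key.pem`/`cert.pem`, which give full control of the daemon once `docker-certs-enable.yaml` is applied, are generated on the managed host and left there next to `ca-key.pem`; nothing in the hunk fetches them to the controller or removes them, and the CA key stays online on every host, so anyone who can read `/root/docker-certs` can mint further client certificates for the full `cert_validity_days: 3650` with no revocation in place. Add an `ansible.builtin.fetch` of `ca.pem`, `cert.pem` and `key.pem` followed by `state: absent` on `key.pem`, or generate the CA and client pair on the controller and ship only the CA certificate and server pair. The final permissions task applies `mode: '0700'` recursively, which sets the execute bit on every PEM file; `mode: 'u=rwX,g=,o='` with `recurse: true` gives 0700 on the directory and 0600 on the files. Two smaller points: the `ls -A` task runs with `ignore_errors: true`, so a failing listing is treated as an empty directory and generation proceeds, and the task that removes `server.csr` is mislabelled `Remove client certificate signing request`.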
@@ -0,0 +1,35 @@ +--- +- name: Install docker + hosts: "{{ my_hosts | d([]) }}" + become: true + + tasks: + - name: Install docker dependencies + ansible.builtin.apt: + name: + - apt-transport-https + - ca-certificates + - curl + - gnupg-agent + - software-properties-common + update_cache: true + + - name: Add docker gpg key + ansible.builtin.apt_key: + url: https://download.docker.com/linux/ubuntu/gpg + state: present + keyring: /etc/apt/keyrings/docker.gpg + + - name: Add docker repository + ansible.builtin.apt_repository: + filename: docker + repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename | lower }} stable + state: present + + - name: Install docker engine + ansible.builtin.apt: + name: + - docker-ce + - docker-buildx-plugin + - docker-compose-plugin + update_cache: true diff --git a/docker/maint-docker-clean.yaml b/docker/maint-docker-clean.yaml new file mode 100644 index 0000000..1a95266 --- /dev/null +++ b/docker/maint-docker-clean.yaml @@ -0,0 +1,14 @@ +--- +- name: Clean docker + hosts: "{{ my_hosts | d([]) }}" + + tasks: + - name: Prune non-dangling images + community.docker.docker_prune: + containers: false + images: true + images_filters: + dangling: false + networks: false + volumes: false + builder_cache: false diff --git a/git-update.yaml b/git-update.yaml index 2ced184..8d311ee 100644 --- a/git-update.yaml +++ b/git-update.yaml @@ -6,6 +6,8 @@ - name: Git Pull ansible.builtin.git: repo: https://git.ki5bhv.com/justin/Ansible.git - dest: /home/justin/ansible + dest: /home/justin/Ansible single_branch: yes version: main + + : diff --git a/ubuntu/config-add-sshkey.yaml b/ubuntu/config-add-sshkey.yaml new file mode 100644 index 0000000..5df3ac4 --- /dev/null +++ b/ubuntu/config-add-sshkey.yaml 
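Review bot: The `apt_key` task fetches the Docker signing key over HTTPS but does not pin it, so whatever key the URL serves at that moment becomes trusted for the repository; pass the expected fingerprint via `id:` so a substituted key is rejected (and note that `apt_key` is deprecated in favour of `get_url` plus `gpg --dearmor` into the keyring). `keyring: /etc/apt/keyrings/docker.gpg` assumes `/etc/apt/keyrings` already exists, which older Ubuntu releases do not guarantee, so an `ansible.builtin.file` task creating it with `mode: '0755'` belongs before it. `ansible_lsb.codename` is only populated when `lsb-release` is installed on the target; `ansible_distribution_release` is always set and avoids an undefined-variable failure in the repository line.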
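Review bot: The last two added lines of the `git-update.yaml` hunk, an empty line and a line holding only `:`, are not a comment: a bare `:` is a YAML mapping entry with a null key, which either breaks parsing of the `Git Pull` task or is rejected by Ansible as an unknown attribute, so the `:` line should be dropped. The `dest` change to `/home/justin/Ansible` looks intentional, but the hunk shows nothing else being updated for the new path, so any cron entry or script that still points at the lowercase directory would need checking. The play header for this task sits outside the hunk.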
@@ -0,0 +1,23 @@ +--- +- name: Add ssh key + hosts: all + become: true + + tasks: + - name: create id_rsa + file: + path: "~/.ssh/id_rsa.pub" + state: touch + - name: Install public keys + ansible.posix.authorized_key: + user: "{{ lookup('env', 'USER') }}" + state: present + key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}" + + - name: Change sudoers file + ansible.builtin.lineinfile: + path: /etc/sudoers + state: present + regexp: '^%sudo' + line: '%sudo ALL=(ALL) NOPASSWD: ALL' + validate: /usr/sbin/visudo -cf %s diff --git a/ubuntu/inst-vm-core.yaml b/ubuntu/inst-vm-core.yaml new file mode 100644 index 0000000..ba9ddd3 --- /dev/null +++ b/ubuntu/inst-vm-core.yaml @@ -0,0 +1,19 @@ +--- +- name: Install core packages for virtual machines + hosts: "{{ my_hosts | d([]) }}" + become: true + + tasks: + - name: Install packages + ansible.builtin.apt: + name: + - prometheus-node-exporter + - nfs-common + - qemu-guest-agent + update_cache: true + + - name: Start guest qemu-guest-agent + ansible.builtin.service: + name: qemu-guest-agent + state: started + enabled: true diff --git a/ubuntu/install_nvim.yaml b/ubuntu/install_nvim.yaml new file mode 100644 index 0000000..827e75f --- /dev/null +++ b/ubuntu/install_nvim.yaml 
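Review bot: The last task grants `NOPASSWD: ALL` to the whole `%sudo` group on every inventory host (`hosts: all`), so any account in that group, or any SSH key that reaches one, becomes root with no further check; if passwordless sudo is needed for automation, scope it to one dedicated account in its own file, e.g. `justin ALL=(ALL) NOPASSWD: ALL` in `/etc/sudoers.d/ansible`, still guarded by `validate`, rather than loosening the group-wide rule. The `create id_rsa` task runs under `become: true`, so `~/.ssh/id_rsa.pub` resolves to root's home on the target, and it only creates an empty file that nothing later reads; `state: touch` also reports changed on every run. The `user:` passed to `authorized_key` comes from `lookup('env', 'USER')`, which is evaluated on the controller, so the key is installed for whichever account happens to run the playbook; an explicit `target_user` variable would make the intent clear.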
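Review bot: `prometheus-node-exporter` from the Ubuntu archive starts as soon as it is installed and, by default, listens on all interfaces on port 9100 with no authentication, so this play exposes host metrics to anything that can reach the VM; the hunk adds no firewall rule or listen-address override. A comment noting the exposure, or a follow-up task that restricts the listen address (the Debian package reads extra flags from `/etc/default/prometheus-node-exporter`, to be confirmed for the target release), would close that gap.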
@@ -0,0 +1,110 @@ +--- +- name: Installing Nvim + hosts: localhost + + tasks: + - name: make sure git is installed + become: yes + apt: + update_cache: yes + name: git + state: latest + + - name: Pulling from github + ansible.builtin.command: + cmd: "curl -LO https://github.com/neovim/neovim/releases/latest/download/nvim-linux-x86_64.tar.gz --output-dir /tmp" + + - name: Removing and older verson + become: true + ansible.builtin.command: + cmd: "sudo rm -rf /opt/nvim" + + - name: Unziping Nvim + become: true + ansible.builtin.command: + cmd: "sudo tar -C /opt -xzf /tmp/nvim-linux-x86_64.tar.gz" + + - name: Setting the path + ansible.builtin.lineinfile: + line: 'export PATH="$PATH:/opt/nvim-linux-x86_64/bin"' + path: "~/.bashrc" + insertafter: EOF + + - name: Check if there is a config + ansible.builtin.stat: + path: /home/justin/.config/nvim + register: nvim_config + + - name: Checking if there is a backup Nvim config + ansible.builtin.stat: + path: /home/justin/.config/nvim.bak + register: nvim_backup_config + + - name: Removing backup config + ansible.builtin.command: + cmd: "rm -r /home/justin/.config/nvim.bak" + when: nvim_backup_config.stat.exists + + - name: Backup configs + ansible.builtin.command: + cmd: "mv /home/justin/.config/nvim /home/justin/.config/nvim.bak" + when: nvim_config.stat.exists + + - name: Pulling config + ansible.builtin.command: + cmd: "git clone https://github.com/LazyVim/starter ~/.config/nvim" + + - name: removing the git file + ansible.builtin.command: + cmd: "rm -rf /home/justin/.config/nvim/.git" + + - name: Cleanup + ansible.builtin.command: + cmd: "rm /tmp/nvim-linux-x86_64.tar.gz" + + - name: installing unzip + become: true + when: ansible_pkg_mgr == "apt" + ansible.builtin.apt: + name: unzip + state: latest + + - name: Check if Font folder is there + ansible.builtin.stat: + path: ~/.local/share/fonts + register: fonts_folder + + - name: Making font folder + ansible.builtin.command: + cmd: "mkdir /home/justin/.local/share/fonts" 
+ when: fonts_folder.stat.exists != True + + - name: Nerd font zip + ansible.builtin.command: + cmd: "curl -LO https://github.com/ryanoasis/nerd-fonts/releases/download/v3.3.0/3270.zip --output-dir /tmp" + + - name: Unzipping + ansible.builtin.command: + cmd: "unzip /tmp/3270.zip -d /home/justin/.local/share/fonts/ " + + - name: Font Cleanup + ansible.builtin.command: + cmd: "rm /tmp/3270.zip" + + - name: installing font config + become: true + when: ansible_pkg_mgr == "apt" + ansible.builtin.apt: + name: fontconfig + state: latest + + - name: Set Fonts + ansible.builtin.command: + cmd: "fc-cache -fv" + + - name: installing fzf for nvim + become: true + when: ansible_pkg_mgr == "apt" + ansible.builtin.apt: + name: fzf + state: latest diff --git a/ubuntu/maint-diskspace.yaml b/ubuntu/maint-diskspace.yaml new file mode 100644 index 0000000..58b4fa2 --- /dev/null +++ b/ubuntu/maint-diskspace.yaml @@ -0,0 +1,25 @@ +--- +- name: Check disk space + hosts: "all" + + tasks: + - name: Check disk space available + ansible.builtin.shell: + cmd: | + set -euo pipefail + df -Ph / | awk 'NR==2 {print $5}' + executable: /bin/bash + changed_when: false + check_mode: false + register: disk_usage + + - name: Diskspace is over 80% + ansible.builtin.debug: + msg: "Disk is over 80%" + when: disk_usage.stdout[:-1]|int>80 + + - name: Posting + ansible.builtin.command: + cmd: 'curl -d "Disk space on {{ inventory_hostname }} is above 80%!" ntfy.ki5bhv.com/server' + when: disk_usage.stdout[:-1]|int>80 + diff --git a/ubuntu/maint-reboot-required.yaml b/ubuntu/maint-reboot-required.yaml new file mode 100644 index 0000000..4281db4 --- /dev/null +++ b/ubuntu/maint-reboot-required.yaml 
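Review bot: The Neovim tarball is fetched from the floating `latest` release with `curl -LO` and unpacked into `/opt` as root with no checksum or signature check, so whatever GitHub serves at that moment is installed with root privileges; the LazyVim `git clone` and the Nerd Font zip (pinned to v3.3.0 but likewise unverified) have the same problem. Pin a release and verify it with `ansible.builtin.get_url`'s `checksum:` before `ansible.builtin.unarchive`, which also removes the redundant `sudo` prefixes inside tasks that already run with `become: true`. Separately, `rm -rf /opt/nvim` targets a directory the tarball does not create (it extracts to `/opt/nvim-linux-x86_64`), so stale files are never removed, and the hard-coded `/home/justin` paths will not match `~` for any other user running this against `localhost`. The sketch below replaces the download and extract tasks; `nvim_version` and `nvim_sha256` would be declared under `vars:`.

```yaml
    - name: Download pinned Neovim release
      ansible.builtin.get_url:
        url: "https://github.com/neovim/neovim/releases/download/{{ nvim_version }}/nvim-linux-x86_64.tar.gz"
        dest: /tmp/nvim-linux-x86_64.tar.gz
        checksum: "sha256:{{ nvim_sha256 }}"
        mode: '0644'

    - name: Unpack Neovim into /opt
      become: true
      ansible.builtin.unarchive:
        src: /tmp/nvim-linux-x86_64.tar.gz
        dest: /opt
        remote_src: true
    # … unchanged: PATH export, config backup, LazyVim clone, font install …
```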
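Review bot: The alert in the `Posting` task is sent with `curl -d ... ntfy.ki5bhv.com/server` and no URL scheme, so curl defaults to plain `http://` and the hostname and message go out unencrypted and unauthenticated to whatever answers for that name; write `https://ntfy.ki5bhv.com/server` explicitly and add `--fail`, or use `ansible.builtin.uri` with `method: POST` and `body:` so a rejected post fails the task instead of being ignored. The threshold `80` is repeated in the task name and both `when` clauses; a `disk_threshold` variable keeps them in step. The curl task also reports changed on every run, so it needs the same `changed_when: false` the `df` task already has.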
@@ -0,0 +1,16 @@ +--- +- name: Check if system reboot is required + hosts: "all" + become: true + + tasks: + - name: Check if system reboot is required + become: true + ansible.builtin.stat: + path: /run/reboot-required + register: reboot_required + + - name: Report if reboot is required + ansible.builtin.command: + cmd: 'curl -d "Reboot is required for {{inventory_hostname}}" ntfy.ki5bhv.com/server' + when: reboot_required.stat.exists diff --git a/ubuntu/plex.yaml b/ubuntu/plex.yaml new file mode 100644 index 0000000..f4d16bd --- /dev/null +++ b/ubuntu/plex.yaml @@ -0,0 +1,11 @@ +--- +- name: Update Plex Sever + hosts: media.ki5bhv.com + become: yes + + tasks: + - name: Ensure Plex is at the latest version + apt: + update_cache: yes + name: plexmediaserver + state: latest diff --git a/ubuntu/update-cloudflace-tunnel.yaml b/ubuntu/update-cloudflace-tunnel.yaml new file mode 100644 index 0000000..dea7cc5 --- /dev/null +++ b/ubuntu/update-cloudflace-tunnel.yaml @@ -0,0 +1,28 @@ +--- +- name: Update cloud Flare Tunnel + hosts: cloudflare-tunnel.ki5bhv.com + + tasks: + - name: Pull the newest package + ansible.builtin.command: + cmd: "curl --location --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb" + + - name: installing package + become: true + ansible.builtin.command: + cmd: "dpkg -i cloudflared.deb" + + - name: Restart the service + become: true + ansible.builtin.command: + cmd: "systemctl restart cloudflared.service" + + - name: check before cleanup + ansible.builtin.stat: + path: cloudflared.deb + register: cloudflaredfile + + - name: Cleanup + when: cloudflaredfile.stat.exists + ansible.builtin.command: + cmd: "rm cloudflared.deb" diff --git a/ubuntu/update.yaml b/ubuntu/update.yaml new file mode 100644 index 0000000..14ebc1e --- /dev/null +++ b/ubuntu/update.yaml 
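Review bot: As in the disk-space play, `curl -d "Reboot is required for {{inventory_hostname}}" ntfy.ki5bhv.com/server` has no URL scheme, so the notification goes out over cleartext HTTP; spell out `https://` and add `--fail`, or switch to `ansible.builtin.uri`. The play already sets `become: true`, so the per-task `become: true` on the `stat` is redundant, and `/run/reboot-required` is normally world-readable, so the play can likely drop `become` entirely. A `changed_when: false` on the curl task keeps the run summary accurate.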
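Review bot: The `cloudflared` package is fetched from the floating `latest` GitHub release and installed with `dpkg -i` as root, so no checksum or repository signature is checked and whatever the release URL serves at that moment ends up running as a system service; use `ansible.builtin.get_url` with `checksum:` against a pinned release (or the apt repository Cloudflare publishes, where apt verifies the signature) and `ansible.builtin.apt` with `deb:` so dependencies are resolved as well. Both the download and `dpkg -i` use the bare relative path `cloudflared.deb`, which relies on the unprivileged and `become` tasks sharing the same working directory; an absolute path such as `/tmp/cloudflared.deb` removes that assumption. `systemctl restart` through `command` should be `ansible.builtin.systemd` with `name: cloudflared` and `state: restarted`, which fails cleanly if the unit is missing.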
@@ -0,0 +1,86 @@ +--- +- name: Send Start update + hosts: localhost + + tasks: + - name: send ntfy + ansible.builtin.command: + cmd: 'curl -d "Starting updating with ansible" ntfy.ki5bhv.com/server' + +- name: Proxmox Update and upgrade apt packages + hosts: proxmox + become: yes + + tasks: + - name: Update packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + update_cache: true + + - name: Installing proxmox guest agent + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + name: qemu-guest-agent + state: latest + + - name: Enable proxmox agent + ansible.builtin.command: + cmd: systemctl enable qemu-guest-agent + + - name: Restart proxmox agent + ansible.builtin.command: + cmd: systemctl restart qemu-guest-agent + + + - name: Upgrade packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + upgrade: dist + + - name: Clean up packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + autoclean: true + autoremove: true + +- name: Hardware Update and upgrade apt packages + hosts: hardware + become: yes + + tasks: + - name: Update packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + update_cache: true + + + - name: Upgrade packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + upgrade: dist + + - name: Clean up packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + autoclean: true + autoremove: true + +- name: installing net-tools on all + hosts: all + become: yes + tasks: + - name: running apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + name: net-tools + state: latest + + + +- name: Send completed update + hosts: localhost + + tasks: + - name: send ntfy + ansible.builtin.command: + cmd: 'curl -d "Updated with ansible" ntfy.ki5bhv.com/server'
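Review bot: `Enable proxmox agent` and `Restart proxmox agent` shell out to `systemctl` through `command`, so they report changed on every run and restart the guest agent even when nothing was upgraded; a single `ansible.builtin.systemd` task with `name: qemu-guest-agent`, `enabled: true`, `state: started` is idempotent and only changes when needed. The `upgrade: dist` plays can install kernel updates, but nothing here checks `/run/reboot-required` afterwards, so the final "Updated with ansible" message can be sent while hosts still run the old kernel; the reboot-check play added in this commit could be imported after the upgrade plays. Both ntfy curls again omit the scheme and therefore post over plain HTTP; use `https://` and `--fail` (or `ansible.builtin.uri`). `state: latest` on `net-tools` in a play targeting `all` also upgrades the package as a side effect of what is named an install.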