ryanc/ansible
1
0
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

Compare commits

base: ryanc:05b1e8da071593790dd85813b6cdbd56a2c682a4
Branches Tags
ryanc:master
..
compare: ryanc:b02da06c973aa449ec522ed6808dcc8d9dfad990
Branches Tags
ryanc:master

No commits in common. "05b1e8da071593790dd85813b6cdbd56a2c682a4" and "b02da06c973aa449ec522ed6808dcc8d9dfad990" have entirely different histories.
05b1e8da07 ... b02da06c97

51 changed files with 749 additions and 29083 deletions
Show Stats Expand all files Collapse all files

1018
group_vars/all/vault.yaml
View File

File diff suppressed because it is too large Load Diff

22
host_vars/nal-hutta.yaml Normal file
View File

@ -0,0 +1,22 @@
---
#network_interfaces:
# - name: eth0
# address:
# - 45.56.123.101/24
# - 2600:3c00::f03c:91ff:fed5:eeec/64
# gateway:
# - 45.56.123.1
# - fe80::1
firewall_allowed_tcp_ports:
v4:
- 443
- 80
- 8186
v6:
- 443
- 80
- 8186
postfix_sasl_passwd_map:
"[smtp.fastmail.com]:465": "foo:bar"

17
host_vars/rmq1.yaml Normal file
View File

@ -0,0 +1,17 @@
---
keepalived_vrrp_instances:
VI_1:
state: MASTER
interface: eth0
virtual_router_id: 51
priority: 254
authentication:
auth_type: PASS
auth_pass: asdf
unicast_peer: |
{{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
virtual_ipaddress:
- 10.100.100.20/24
track_script:
- chk_rabbitmq
- chk_amqp_port

17
host_vars/rmq2.yaml Normal file
View File

@ -0,0 +1,17 @@
---
keepalived_vrrp_instances:
VI_1:
state: BACKUP
interface: eth0
virtual_router_id: 51
priority: 253
authentication:
auth_type: PASS
auth_pass: asdf
unicast_peer: |
{{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
virtual_ipaddress:
- 10.100.100.20/24
track_script:
- chk_rabbitmq
- chk_amqp_port

17
host_vars/rmq3.yaml Normal file
View File

@ -0,0 +1,17 @@
---
keepalived_vrrp_instances:
VI_1:
state: BACKUP
interface: eth0
virtual_router_id: 51
priority: 252
authentication:
auth_type: PASS
auth_pass: asdf
unicast_peer: |
{{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
virtual_ipaddress:
- 10.100.100.20/24
track_script:
- chk_rabbitmq
- chk_amqp_port

7
host_vars/ubuntu.yaml Normal file
View File

@ -0,0 +1,7 @@
---
#network_interfaces:
# - name: enp1s0
# address:
# - 192.168.124.124/24
# gateway4: 192.168.124.1
#

131
playbook.yaml
View File

@ -3,59 +3,25 @@
become: true become: true
roles: roles:
- common - common
- role: network - network
tags:
- network
- netplan
- util - util
- sudo - sudo
- hostsfile - hostsfile
- certs - certs
- role: rsyslog - rsyslog
tags:
- rsyslog
- syslog
- logging
- users - users
- dns - dns
- role: firewall - firewall
tags:
- firewall
- iptables
- openssh - openssh
- role: wireguard - wireguard
tags:
- wireguard
- vpn
- chrony - chrony
- unattended-upgrades - unattended-upgrades
- postfix - postfix
- restic - restic
- role: node_exporter - node_exporter
tags: - blackbox_exporter
- prometheus - mtail
- monitoring
- role: blackbox_exporter
tags:
- prometheus
- monitoring
- role: mtail
tags:
- prometheus
- monitoring
- supervisor - supervisor
# - vector
- role: promtail
tags:
- promtail
- loki
- logging
- role: cloudflared
tags:
- cloudflared
- zerotrust
- access
- vpn
- hosts: minecraft_servers - hosts: minecraft_servers
become: true become: true
roles: roles:
@ -68,98 +34,35 @@
- hosts: git_servers - hosts: git_servers
become: true become: true
roles: roles:
- role: certbot - nginx
tags: - certbot
- tls - gitea
- role: nginx
tags:
- nginx
- role: gitea
tags:
- gitea
- git
- hosts: stats_servers - hosts: stats_servers
become: true become: true
roles: roles:
- role: certbot - nginx
tags: - certbot
- tls - grafana
- role: nginx
tags:
- nginx
- role: grafana
tags:
- grafana
- monitoring
- o11y
- hosts: monitor_servers - hosts: monitor_servers
become: true become: true
roles: roles:
- certbot - nginx
- role: nginx
tags:
- nginx
- role: prometheus - role: prometheus
tags: tags:
- prometheus - prometheus
- monitoring - monitoring
- role: alertmanager - alertmanager
tags: - blackbox_exporter
- prometheus - pushgateway
- monitoring
- role: blackbox_exporter
tags:
- prometheus
- monitoring
- role: pushgateway
tags:
- prometheus
- monitoring
- role: karma - role: karma
tags: tags:
- prometheus
- monitoring - monitoring
- role: kthxbye - role: kthxbye
tags: tags:
- prometheus
- monitoring - monitoring
- role: thanos - role: thanos
tags: tags:
- prometheus
- thanos - thanos
- monitoring - monitoring
- role: loki
tags:
- loki
- logging
- role: logcli
tags:
- logcli
- loki
- logging
- role: smokeping_prober
tags:
- prometheus
- monitoring
- smokeping
- role: mimir
tags:
- prometheus
- mimir
- monitoring
- role: snmp_exporter
tags:
- prometheus
- snmp_exporter
- monitoring
- role: lego
tags:
- acme
- certificates
- lego
- letsencrypt
- pki
- tls
# vim:ft=yaml.ansible: # vim:ft=yaml.ansible:

35
roles/certbot/defaults/main.yaml
View File

@ -1,35 +1,22 @@
--- ---
certbot_package_name: certbot certbot_package_name: certbot
certbot_package_state: latest certbot_package_state: present
certbot_plugins:
- certbot-dns-cloudflare
- certbot-dns-digitalocean
- certbot-dns-dnsimple
- certbot-dns-dnsmadeeasy
- certbot-dns-gehirn
- certbot-dns-google
- certbot-dns-linode
- certbot-dns-luadns
- certbot-dns-nsone
- certbot-dns-ovh
- certbot-dns-rfc2136
- certbot-dns-route53
- certbot-dns-sakuracloud
certbot_service_name: certbot.service certbot_service_name: certbot.service
certbot_bin_path: /usr/local/bin
certbot_path: "{{ certbot_bin_path }}/certbot"
certbot_timer_name: certbot.timer certbot_timer_name: certbot.timer
certbot_timer_state: started certbot_timer_state: started
certbot_timer_enabled: true certbot_timer_enabled: yes
certbot_etc_path: /etc/letsencrypt certbot_cron_state: present
certbot_live_path: "{{ certbot_etc_path }}/live" certbot_cron_user: root
certbot_cron_file_path: /etc/cron.d/certbot
certbot_cron_env:
path: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
shell: /bin/sh
certbot_cron_command: test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
certbot_cron_hour: "*/12"
certbot_cron_minute: "0"
certbot_system_timer_on_calender: "*-*-* 00,12:00:00" certbot_system_timer_on_calender: "*-*-* 00,12:00:00"
certbot_system_timer_randomized_delay_sec: 43200 certbot_system_timer_randomized_delay_sec: 43200
certbot_credential_path: /root/.secrets/certbot

6
roles/certbot/handlers/main.yaml
View File

@ -1,4 +1,6 @@
--- ---
- name: systemd daemon-reload - name: systemd daemon-reload
ansible.builtin.systemd: systemd:
daemon_reload: true name: "{{ certbot_service_name }}"
daemon_reload: yes
state: restarted

23
roles/certbot/tasks/configure-linode.yaml
View File

@ -1,23 +0,0 @@
---
- name: configure linode credentials
ansible.builtin.copy:
dest: "{{ certbot_credential_path }}/linode.ini"
owner: root
group: root
mode: 0600
content: "{{ certbot_dns_linode_credentials }}"
no_log: true
- name: certbot (linode)
ansible.builtin.shell: >
certbot certonly \
--dns-linode \
--dns-linode-credentials "{{ certbot_credential_path }}/linode.ini" \
--quiet \
--agree-tos \
--noninteractive \
--email "{{ item.email }}" \
--domain "{{ item.domains | join(',') }}"
args:
creates: "{{ certbot_live_path }}/{{ item.domains | first }}/cert.pem"
loop: "{{ certbot_certificates | default([]) }}"

0
roles/certbot/tasks/default.yaml
View File

8
roles/certbot/tasks/issue.yaml
View File

@ -1 +1,9 @@
--- ---
- name: "determine if certificate for {{ item.domains | join(', ') }}"
stat:
path: "/etc/letsencrypt/live/{{ item.domains | first }}/cert.pem"
register: st
- name: "request certificate for {{ item.domains | join(', ') }}"
command: "certbot certonly -q --webroot -w {{ certbot_challenge_webroot_path }} --agree-tos --noninteractive --email {{ item.email }} -d {{ item.domains | join(',') }}"
when: not st.stat.exists

86
roles/certbot/tasks/main.yaml
View File

@ -23,51 +23,65 @@
paths: paths:
- tasks - tasks
- name: install certbot - name: install certbot modules
ansible.builtin.pip: package:
name: "{{ certbot_package_name }}" name: "{{ certbot_package_name }}"
state: "{{ certbot_package_state }}" state: "{{ certbot_package_state }}"
- name: install certbot plugins - name: configure challenge webroot
ansible.builtin.pip: file:
name: "{{ certbot_plugins }}" path: "{{ certbot_challenge_webroot_path }}"
state: latest state: "directory"
- name: create credential path
ansible.builtin.file:
path: "{{ certbot_credential_path }}"
owner: root owner: root
group: root group: root
mode: 0700 mode: 0755
state: directory
- name: request certificates - name: request certificates
ansible.builtin.include_tasks: "issue.yaml" ansible.builtin.include_tasks: "issue.yaml"
loop: "{{ certbot_certificates }}" loop: "{{ certbot_certificates }}"
- name: include linode tasks - name: configure systemd timer
ansible.builtin.include_tasks: configure-linode.yaml block:
- name: create systemd timer override directory
file:
path: "/etc/systemd/system/{{ certbot_timer_name }}.d"
owner: root
group: root
mode: 0755
state: directory
- name: configure renewal service - name: configure systemd timer options
ansible.builtin.template: template:
src: certbot.service.j2 src: certbot.timer.j2
dest: "/etc/systemd/system/certbot.service" dest: "/etc/systemd/system/{{ certbot_timer_name }}.d/override.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: systemd daemon-reload notify: systemd daemon-reload
- name: enable the timer
systemd:
name: "{{ certbot_timer_name }}"
state: "{{ certbot_timer_state }}"
enabled: "{{ certbot_timer_enabled }}"
when: ansible_service_mgr == "systemd"
- name: configure renewal timer - name: configure cron job
ansible.builtin.template: block:
src: certbot.timer.j2 - name: configure env
dest: "/etc/systemd/system/certbot.timer" cron:
owner: root name: "{{ item.key | upper }}"
group: root env: yes
mode: 0644 job: "{{ item.value }}"
notify: systemd daemon-reload user: "{{ certbot_cron_user }}"
cron_file: "{{ certbot_cron_file_path }}"
- name: manage timer state: "{{ certbot_cron_state }}"
ansible.builtin.systemd: loop: "{{ certbot_cron_env | dict2items }}"
name: "{{ certbot_timer_name }}" - name: create job
enabled: "{{ certbot_timer_enabled }}" cron:
state: "{{ certbot_timer_state }}" name: certbot
user: "{{ certbot_cron_user }}"
hour: "{{ certbot_cron_hour }}"
minute: "{{ certbot_cron_minute }}"
cron_file: "{{ certbot_cron_file_path }}"
job: "{{ certbot_cron_command }}"
state: "{{ certbot_cron_state }}"

14
roles/certbot/templates/certbot.service.j2
View File

@ -1,14 +0,0 @@
# {{ ansible_managed }}
[Unit]
Description=Certbot renewal
After=network-online.target
Wants=network-online.target
Wants={{ certbot_timer_name }}
[Service]
Type=oneshot
ExecStart={{ certbot_path }} --quiet renew
[Install]
WantedBy=multi-user.target

7
roles/certbot/templates/certbot.timer.j2
View File

@ -1,12 +1,5 @@
# {{ ansible_managed }} # {{ ansible_managed }}
[Unit]
Description=Certbot renewal
Requires={{ certbot_service_name }}
[Timer] [Timer]
OnCalendar={{ certbot_system_timer_on_calender }} OnCalendar={{ certbot_system_timer_on_calender }}
RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }} RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }}
[Install]
WantedBy=timers.target

11
roles/dl/templates/nginx.conf.j2
View File

@ -26,13 +26,10 @@ server {
{% if dl_ssl_enabled is defined and {% if dl_ssl_enabled is defined and
dl_ssl_enabled %} dl_ssl_enabled %}
server { server {
listen 443 ssl; listen 443 ssl http2;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl; listen [::]:443 ssl http2;
{% endif %} {% endif %}
http2 on;
server_name {{ dl_server_name }}; server_name {{ dl_server_name }};
access_log {{ dl_access_log }} main; access_log {{ dl_access_log }} main;
error_log {{ dl_error_log }} warn; error_log {{ dl_error_log }} warn;
@ -49,10 +46,6 @@ server {
ssl_dhparam {{ dl_ssl_dhparam }}; ssl_dhparam {{ dl_ssl_dhparam }};
{% endif %} {% endif %}
location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
}
location ~ ^\/~(.+?)(\/.*)?$ { location ~ ^\/~(.+?)(\/.*)?$ {
alias /home/$1/public_html$2; alias /home/$1/public_html$2;
index index.html index.htm; index index.html index.htm;

3
roles/firewall/templates/ip6tables.j2
View File

@ -130,9 +130,6 @@
{% endif %} {% endif %}
{% if firewall_ipset_syslog is defined %} {% if firewall_ipset_syslog is defined %}
-A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/tcp6" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/tcp6" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/udp6" -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 1514 -m set --match-set syslog6 src -m comment --comment "accept syslog 1514/tcp6" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 1514 -m set --match-set syslog6 src -m comment --comment "accept syslog 1514/udp6" -j LOG_ACCEPT
{% endif %} {% endif %}
{% if firewall_ipset_influxdb is defined %} {% if firewall_ipset_influxdb is defined %}
-A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb6 src -m comment --comment "accept influxdb 8086/tcp6" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb6 src -m comment --comment "accept influxdb 8086/tcp6" -j LOG_ACCEPT

2
roles/firewall/templates/iptables.j2
View File

@ -117,8 +117,6 @@
{% if firewall_ipset_syslog is defined %} {% if firewall_ipset_syslog is defined %}
-A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/tcp" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/tcp" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/udp" -j LOG_ACCEPT -A INPUT -p udp -m udp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/udp" -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 1514 -m set --match-set syslog4 src -m comment --comment "accept syslog 1514/tcp" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 1514 -m set --match-set syslog4 src -m comment --comment "accept syslog 1514/udp" -j LOG_ACCEPT
{% endif %} {% endif %}
{% if firewall_ipset_influxdb is defined %} {% if firewall_ipset_influxdb is defined %}
-A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb4 src -m comment --comment "accept influxdb 8086/tcp" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb4 src -m comment --comment "accept influxdb 8086/tcp" -j LOG_ACCEPT

8
roles/gitea/templates/nginx.conf.j2
View File

@ -37,13 +37,10 @@ server {
{% if gitea_ssl_enabled is defined and {% if gitea_ssl_enabled is defined and
gitea_ssl_enabled %} gitea_ssl_enabled %}
server { server {
listen 443 ssl; listen 443 ssl http2;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl; listen [::]:443 ssl http2;
{% endif %} {% endif %}
http2 on;
server_name {{ gitea_domain }}; server_name {{ gitea_domain }};
access_log /var/log/nginx/gitea.access.log main; access_log /var/log/nginx/gitea.access.log main;
@ -65,7 +62,6 @@ server {
} }
location / { location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
limit_req zone=req_bad_actors burst=10 nodelay; limit_req zone=req_bad_actors burst=10 nodelay;
proxy_pass http://gitea_backend; proxy_pass http://gitea_backend;
} }

17
roles/grafana/templates/nginx.conf.j2
View File

@ -6,11 +6,6 @@ upstream grafana_backend {
server 127.0.0.1:{{ grafana_port }}; server 127.0.0.1:{{ grafana_port }};
} }
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server { server {
listen 80; listen 80;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
@ -37,13 +32,10 @@ server {
{% if grafana_ssl_enabled is defined and {% if grafana_ssl_enabled is defined and
grafana_ssl_enabled %} grafana_ssl_enabled %}
server { server {
listen 443 ssl; listen 443 ssl http2;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl; listen [::]:443 ssl http2;
{% endif %} {% endif %}
http2 on;
server_name {{ grafana_domain }}; server_name {{ grafana_domain }};
access_log /var/log/nginx/grafana.access.log main; access_log /var/log/nginx/grafana.access.log main;
@ -67,12 +59,7 @@ server {
} }
location / { location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
limit_req zone=req_bad_actors burst=10 nodelay; limit_req zone=req_bad_actors burst=10 nodelay;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_pass http://grafana_backend; proxy_pass http://grafana_backend;
} }
} }

72
roles/loki/defaults/main.yaml
View File

@ -26,17 +26,12 @@ loki_user_shell: /usr/sbin/nologin
loki_group: loki loki_group: loki
loki_group_state: "{{ loki_user_state | default('present') }}" loki_group_state: "{{ loki_user_state | default('present') }}"
loki_config_path: /etc/loki.yaml
loki_var_path: /var/lib/loki loki_var_path: /var/lib/loki
loki_var_owner: "{{ loki_user }}" loki_var_owner: "{{ loki_user }}"
loki_var_group: "{{ loki_group }}" loki_var_group: "{{ loki_group }}"
loki_var_mode: "0700" loki_var_mode: "0755"
loki_etc_path: /etc/loki
loki_etc_owner: "{{ loki_user }}"
loki_etc_group: "{{ loki_group }}"
loki_etc_mode: "0755"
loki_config_path: "{{ loki_etc_path }}/config.yaml"
loki_bin_path: /usr/local/bin loki_bin_path: /usr/local/bin
@ -44,51 +39,36 @@ loki_auth_enabled: false
loki_server: loki_server:
http_listen_port: 3100 http_listen_port: 3100
grpc_listen_port: 9096
loki_common: loki_ingester:
instance_addr: 127.0.0.1 lifecycler:
path_prefix: "{{ loki_var_path }}" address: 127.0.0.1
storage: ring:
filesystem: kvstore:
chunks_directory: "{{ loki_var_path }}/chunks" store: inmemory
rules_directory: "{{ loki_var_path }}/rules" replication_factor: 1
replication_factor: 1 final_sleep: 0s
ring: chunk_idle_period: 5m
kvstore: chunk_retain_period: 30s
store: inmemory
loki_query_range:
results_cache:
cache:
embedded_cache:
enabled: true
max_size_mb: 100
# loki_storage_config:
# {}
loki_schema_config: loki_schema_config:
configs: configs:
- from: 2020-10-24 - from: 2020-05-15
store: boltdb-shipper store: boltdb
object_store: gcs object_store: filesystem
schema: v11 schema: v11
index: index:
prefix: index_ prefix: index_
period: 24h period: 168h
loki_ruler: loki_storage_config:
alertmanager_url: http://localhost:9093 boltdb:
directory: "{{ loki_var_path }}/index"
# loki_query_scheduler: filesystem:
# {} directory: "{{ loki_var_path }}/chunks"
# loki_querier:
# {}
# loki_compactor:
# {}
loki_limits_config: loki_limits_config:
retention_period: 744h enforce_metric_name: false
reject_old_samples: true
reject_old_samples_max_age: 168h
ingestion_burst_size_mb: 16

24
roles/loki/tasks/configure.yaml
View File

@ -15,13 +15,14 @@
home: "{{ loki_var_path }}" home: "{{ loki_var_path }}"
state: "{{ loki_user_state | default('present') }}" state: "{{ loki_user_state | default('present') }}"
- name: create etc path - name: configure
file: template:
path: "{{ loki_etc_path }}" src: loki.yaml.j2
state: directory dest: "{{ loki_config_path }}"
owner: "{{ loki_etc_owner }}" owner: root
group: "{{ loki_etc_group }}" group: root
mode: "{{ loki_etc_mode }}" mode: 0444
notify: restart loki
- name: create var path - name: create var path
file: file:
@ -31,15 +32,6 @@
group: "{{ loki_var_group }}" group: "{{ loki_var_group }}"
mode: "{{ loki_var_mode }}" mode: "{{ loki_var_mode }}"
- name: configure
template:
src: config.yaml.j2
dest: "{{ loki_config_path }}"
owner: "{{ loki_user }}"
group: "{{ loki_group }}"
mode: 0400
notify: restart loki
- name: configure systemd template - name: configure systemd template
template: template:
src: "{{ loki_service_name }}.j2" src: "{{ loki_service_name }}.j2"

55
roles/loki/templates/config.yaml.j2
View File

@ -1,55 +0,0 @@
{{ ansible_managed | comment }}
---
{% if loki_auth_enabled is defined %}
auth_enabled: {{ loki_auth_enabled | bool | lower }}
{% endif %}
{% if loki_server is defined %}
server:
{{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_common is defined %}
common:
{{ loki_common | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_query_range is defined %}
query_range:
{{ loki_query_range | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_storage_config is defined %}
storage_config:
{{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_schema_config is defined %}
schema_config:
{{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_ruler is defined %}
ruler:
{{ loki_ruler | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_query_scheduler is defined %}
query_scheduler:
{{ loki_query_scheduler | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_querier is defined %}
querier:
{{ loki_querier | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_compactor is defined %}
compactor:
{{ loki_compactor | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_limits_config is defined %}
limits_config:
{{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}

12
roles/loki/templates/loki.service.j2
View File

@ -1,19 +1,19 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
[Unit] [Unit]
Description=Loki service Description=Loki
After=network.target After=network-online.target
[Service] [Service]
Type=simple Type=simple
User={{ loki_user }} User={{ loki_user }}
Group={{ loki_group }}
ExecStart={{ loki_bin_path }}/loki \ ExecStart={{ loki_bin_path }}/loki \
-config.file {{ loki_config_path }} -config.file {{ loki_config_path }}
WorkingDirectory={{ loki_var_path }} WorkingDirectory={{ loki_var_path }}
TimeoutSec = 120
Restart = on-failure Restart=always
RestartSec = 2 RestartSec=1
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

30
roles/loki/templates/loki.yaml.j2 Normal file
View File

@ -0,0 +1,30 @@
{{ ansible_managed | comment }}
---
{% if loki_auth_enabled is defined %}
auth_enabled: {{ loki_auth_enabled | bool | lower }}
{% endif %}
{% if loki_server is defined %}
server:
{{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_ingester is defined %}
ingester:
{{ loki_ingester | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_schema_config is defined %}
schema_config:
{{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_storage_config is defined %}
storage_config:
{{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_limits_config is defined %}
limits_config:
{{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}

2
roles/mtail/defaults/main.yaml
View File

@ -12,7 +12,7 @@ mtail_service_enabled: yes
mtail_version_regex: ^mtail version (\S+) mtail_version_regex: ^mtail version (\S+)
mtail_github_project_url: https://github.com/google/mtail mtail_github_project_url: https://github.com/google/mtail
mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | lower }}_{{ mtail_go_arch }}.tar.gz" mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | capitalize }}_{{ ansible_architecture }}.tar.gz"
mtail_release_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/{{ mtail_release_file }}" mtail_release_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/{{ mtail_release_file }}"
mtail_download_path: "/tmp/{{ mtail_release_file }}" mtail_download_path: "/tmp/{{ mtail_release_file }}"
mtail_checksum_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/checksums.txt" mtail_checksum_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/checksums.txt"

38
roles/mtail/tasks/pre.yaml
View File

@ -1,4 +1,42 @@
--- ---
#- name: determine if installed
# stat:
# path: "{{ mtail_bin_path }}/mtail"
# register: st
#
#- name: set mtail_installed
# set_fact:
# mtail_installed: "{{ st.stat.exists | bool }}"
#
#- block:
# - name: determine latest version
# uri:
# url: https://api.github.com/repos/google/mtail/releases/latest
# return_content: true
# body_format: json
# register: _latest_version
# until: _latest_version.status == 200
# retries: 3
#
# - name: set mtail_version
# set_fact:
# mtail_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
#
#- block:
# - name: determine installed version
# command: "{{ mtail_bin_path }}/mtail --version"
# register: _installed_version_string
# changed_when: false
#
# - name: set mtail_local_version
# set_fact:
# mtail_local_version: "{{ _installed_version_string.stdout | regex_search(mtail_version_regex, '\\1') | first }}"
# when: mtail_installed
#
#- name: set mtail_local_version to 0
# set_fact:
# mtail_local_version: "0"
# when: not mtail_installed
- name: determine if installed - name: determine if installed
stat: stat:
path: "{{ mtail_bin_path }}/mtail" path: "{{ mtail_bin_path }}/mtail"

18
roles/network/defaults/main.yml
View File

@ -6,23 +6,6 @@ network_netplan_config_path: "{{ network_netplan_etc_path }}/ansible.yaml"
network_netplan_default_config_path: "{{ network_netplan_etc_path }}/01-netcfg.yaml" network_netplan_default_config_path: "{{ network_netplan_etc_path }}/01-netcfg.yaml"
# network_netplan_default_config_state: absent # network_netplan_default_config_state: absent
network_netplan:
network:
version: 2
ethernets:
eth0:
dhcp4: false
dhcp6: false
accept-ra: true
addresses:
- "{{ ansible_default_ipv4.address }}/{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('prefix') }}"
- "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}"
routes:
- to: default
via: "{{ ansible_default_ipv4.gateway }}"
nameservers:
addresses: "{{ network_dns_nameservers }}"
network_interfaces: network_interfaces:
- name: eth0 - name: eth0
inet4: inet4:
@ -32,7 +15,6 @@ network_interfaces:
gateway: "{{ ansible_default_ipv4.gateway }}" gateway: "{{ ansible_default_ipv4.gateway }}"
inet6: inet6:
dhcp: false dhcp: false
accept_ra: true
address: address:
- "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}" - "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}"
gateway: "{{ ansible_default_ipv6.gateway }}" gateway: "{{ ansible_default_ipv6.gateway }}"

8
roles/network/tasks/netplan.yml
View File

@ -5,14 +5,14 @@
state: "{{ network_netplan_default_config_state | default('absent') }}" state: "{{ network_netplan_default_config_state | default('absent') }}"
owner: root owner: root
group: root group: root
mode: '0400' mode: 0644
notify: netplan apply notify: netplan apply
- name: Configure netplan - name: Configure netplan
ansible.builtin.copy: ansible.builtin.template:
dest: "{{ network_netplan_config_path }}" dest: "{{ network_netplan_config_path }}"
content: "{{ network_netplan | to_nice_yaml }}" src: netplan.yaml.j2
owner: root owner: root
group: root group: root
mode: '0400' mode: '0644'
notify: netplan apply notify: netplan apply

15
roles/network/templates/netplan.yaml.j2
View File

@ -1,19 +1,16 @@
--- ---
network: network:
version: {{ network_netplan_version | default(2) }} version: "{{ network_netplan_version | default(2) }}"
renderer: {{ network_netplan_renderer | default('networkd') }} renderer: "{{ network_netplan_renderer | default("networkd") }}"
{% if network_interfaces is defined and network_interfaces | length %} {% if network_interfaces is defined and network_interfaces | length %}
ethernets: ethernets:
{% for iface in network_interfaces %} {% for iface in network_interfaces %}
{{ iface['name'] }}: {{ iface['name'] }}:
{% if iface['inet4']['dhcp'] is defined %} {% if iface['inet4']['dhcp'] is defined %}
dhcp4: {{ iface['inet4']['dhcp'] | ternary('true', 'false') }} dhcp4: "{{ iface['inet4']['dhcp'] | ternary('yes', 'no') }}"
{% endif %} {% endif %}
{% if iface['inet4']['dhcp'] is defined %} {% if iface['inet4']['dhcp'] is defined %}
dhcp6: {{ iface['inet6']['dhcp'] | ternary('true', 'false') }} dhcp6: "{{ iface['inet6']['dhcp'] | ternary('yes', 'no') }}"
{% endif %}
{% if iface['inet6']['accept_ra'] is defined %}
accept-ra: {{ iface['inet6']['accept_ra'] | ternary('true', 'false') }}
{% endif %} {% endif %}
{% if iface['inet4']['address'] is defined or iface['inet6']['address'] is defined %} {% if iface['inet4']['address'] is defined or iface['inet6']['address'] is defined %}
addresses: addresses:
@ -25,10 +22,10 @@ network:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if iface['inet4']['gateway'] is defined %} {% if iface['inet4']['gateway'] is defined %}
gateway4: {{ iface['inet4']['gateway'] }} gateway4: "{{ iface['inet4']['gateway'] }}"
{% endif %} {% endif %}
{% if iface['inet6']['gateway'] is defined %} {% if iface['inet6']['gateway'] is defined %}
gateway6: {{ iface['inet6']['gateway'] }} gateway6: "{{ iface['inet6']['gateway'] }}"
{% endif %} {% endif %}
{% if network_dns_nameservers is defined %} {% if network_dns_nameservers is defined %}
nameservers: nameservers:

73
roles/nftables/defaults/main.yaml
View File

@ -36,54 +36,35 @@ nftables_builtin_sets:
- flags interval - flags interval
nftables_input_builtin_rules: nftables_input_builtin_rules:
'000 policy': - type filter hook input priority filter; policy drop;
- type filter hook input priority filter; policy drop; - ip saddr @blackhole4 drop
'010 blackhole': - ip6 saddr @blackhole6 drop
- ip saddr @blackhole4 drop - ct state established,related accept
- ip6 saddr @blackhole6 drop - ct state invalid drop
'020 related established': - iifname "lo" accept
- ct state established,related accept - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
- ct state invalid drop - icmpv6 type echo-request accept
'030 loopback': - icmp type echo-request accept
- iifname "lo" accept - tcp dport @tcp_input_accept accept
'040 icmp': - udp dport @udp_input_accept accept
- icmpv6 type $REQUIRED_ICMPV6_TYPES accept # this should be last because these ports could be allowed
- icmpv6 type echo-request accept - udp dport $TRACEROUTE_UDP_PORTS reject
- icmp type echo-request accept
'050 tcp accept':
- tcp dport @tcp_input_accept accept
'060 udp accept':
- udp dport @udp_input_accept accept
'999 traceroute':
# this should be last because these ports could be allowed
- udp dport $TRACEROUTE_UDP_PORTS reject
nftables_forward_builtin_rules: nftables_forward_builtin_rules:
'000 policy': - type filter hook forward priority filter; policy drop;
- type filter hook forward priority filter; policy drop; - ct state { established, related } accept
'010 related established':
- ct state { established, related } accept
nftables_output_builtin_rules: nftables_output_builtin_rules:
'000 policy': - type filter hook output priority filter; policy accept;
- type filter hook output priority filter; policy accept; - ip daddr @blackhole4 drop
'010 blackhole': - ip6 daddr @blackhole6 drop
- ip daddr @blackhole4 drop - ct state { established, related } accept
- ip6 daddr @blackhole6 drop
'020 related established':
- ct state { established, related } accept
nftables_defines: # nftables_sets:
{} # {}
#
nftables_sets: # nftables_input_rules:
{} # []
#
nftables_input_rules: # nftables_output_rules:
{} # []
nftables_forward_rules:
{}
nftables_output_rules:
{}

85
roles/nftables/templates/nftables.conf.j2
View File

@ -1,53 +1,82 @@
{% set combined_defines = [ nftables_builtin_defines, nftables_defines ] | combine %}
{% set combined_sets = [ nftables_builtin_sets, nftables_sets ] | combine %}
{% set combined_input_rules = [ nftables_input_builtin_rules, nftables_input_rules ] | combine %}
{% set combined_forward_rules = [ nftables_forward_builtin_rules, nftables_forward_rules ] | combine %}
{% set combined_output_rules = [ nftables_output_builtin_rules, nftables_output_rules ] | combine %}
table inet filter { table inet filter {
{% for name, cfg in combined_defines.items() %} {% if nftables_builtin_defines is mapping %}
{% if cfg is string or cfg is number %} {% for name, cfg in nftables_builtin_defines.items() %}
{% if cfg is string %}
define {{ name }} = {{ cfg }} define {{ name }} = {{ cfg }}
{% elif cfg is sequence %} {% elif cfg is sequence %}
define {{ name }} = { define {{ name }} = {
{% for elem in cfg %} {% for elem in cfg %}
{{ elem }}, {{ elem }},
{% endfor %} {% endfor %}
} }
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %}
{% if nftables_defines is mapping %}
{% for name, cfg in nftables_defines.items() %}
define {{ name }} = {
{% for elem in cfg %}
{{ elem }},
{% endfor %}
}
{% endfor %}
{% endif %}
{% for name, cfg in combined_sets.items() %} {% if nftables_builtin_sets is mapping %}
{% for name, cfg in nftables_builtin_sets.items() %}
set {{ name }} { set {{ name }} {
{% for elem in cfg %} {% for elem in cfg %}
{{ elem }} {{ elem }}
{% endfor %} {% endfor %}
} }
{% endfor %} {% endfor %}
{% endif %}
{% if nftables_sets is mapping %}
{% for name, cfg in nftables_sets.items() %}
set {{ name }} {
{% for elem in cfg %}
{{ elem }}
{% endfor %}
}
{% endfor %}
{% endif %}
chain input { chain input {
{% for comment, rules in combined_input_rules.items() %} {% if nftables_input_builtin_rules is sequence %}
# {{ comment }} {% for rule in nftables_input_builtin_rules %}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endfor %} {% endif %}
{% if nftables_input_rules is sequence %}
{% for rule in nftables_input_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
chain forward { chain forward {
{% for comment, rules in combined_forward_rules.items() %} {% if nftables_forward_builtin_rules is sequence %}
# {{ comment }} {% for rule in nftables_forward_builtin_rules %}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endfor %} {% endif %}
{% if nftables_forward_rules is sequence %}
{% for rule in nftables_forward_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
chain output { chain output {
{% for comment, rules in combined_output_rules.items() %} {% if nftables_output_builtin_rules is sequence %}
# {{ comment }} {% for rule in nftables_output_builtin_rules %}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endfor %} {% endif %}
{% if nftables_output_rules is sequence %}
{% for rule in nftables_output_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
} }

8
roles/prometheus/templates/nginx.conf.j2
View File

@ -38,13 +38,10 @@ server {
{% if prometheus_ssl_enabled is defined and {% if prometheus_ssl_enabled is defined and
prometheus_ssl_enabled %} prometheus_ssl_enabled %}
server { server {
listen 443 ssl; listen 443 ssl http2;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl; listen [::]:443 ssl http2;
{% endif %} {% endif %}
http2 on;
server_name {{ prometheus_hostname }}; server_name {{ prometheus_hostname }};
auth_basic "Prometheus"; auth_basic "Prometheus";
@ -76,7 +73,6 @@ server {
} }
location / { location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
return 301 /prometheus/; return 301 /prometheus/;
} }
} }

14
roles/promtail/templates/promtail.service.j2
View File

@ -1,19 +1,19 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
[Unit] [Unit]
Description=Promtail service Description=Loki
After=network.target After=network-online.target
[Service] [Service]
Type=simple Type=simple
User={{ promtail_user }} User={{ promtail_user }}
Group={{ promtail_group }}
ExecStart={{ promtail_bin_path }}/promtail \ ExecStart={{ promtail_bin_path }}/promtail \
-config.file {{ promtail_config_path }} \ -config.file {{ promtail_config_path }}
-client.external-labels=host=%l
WorkingDirectory={{ promtail_var_path }} WorkingDirectory={{ promtail_var_path }}
TimeoutSec = 60
Restart=on-failure Restart=always
RestartSec=2 RestartSec=1
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

36
roles/restic/defaults/main.yaml
View File

@ -1,34 +1,12 @@
--- ---
restic_go_arch_map: restic_service_name: restic.service
i386: '386' restic_service_state: started
x86_64: 'amd64' restic_service_enabled: yes
restic_go_arch: "{{ restic_go_arch_map[ansible_architecture] | default('amd64') }}"
restic_version_regex: ^restic ([\d.]+)
restic_checksum_algo: sha256
restic_github_rel_path: restic/restic
restic_github_project_url: "https://github.com/{{ restic_github_rel_path }}"
restic_release_file: "restic_{{ restic_version }}_{{ ansible_system | lower }}_{{ restic_go_arch }}.bz2"
restic_release_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_release_file }}"
restic_checksum_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_checksum_algo | upper }}SUMS"
restic_download_path: "/tmp/{{ restic_release_file }}"
restic_unarchive_dest_path: /tmp
restic_extracted_path: "{{ restic_download_path | replace('.bz2', '') }}"
restic_binaries:
- restic
# restic_arch: amd64
# restic_version: 0.15.2
# restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
# restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
# restic_bin_path: /usr/local/bin
# restic_etc_path: /etc/restic
# restic_path: "{{ restic_bin_path }}/restic"
# restic_self_update: true
restic_arch: amd64
restic_version: 0.14.0
restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
restic_bin_path: /usr/local/bin restic_bin_path: /usr/local/bin
restic_etc_path: /etc/restic restic_etc_path: /etc/restic
restic_path: "{{ restic_bin_path }}/restic" restic_path: "{{ restic_bin_path }}/restic"

4
roles/restic/files/hooks/gitea.sh
View File

@ -9,7 +9,7 @@ GITEA_CONFIG=${GITEA_CONFIG:-/etc/gitea/app.ini}
GITEA_WORK_PATH=${GITEA_WORK_PATH:-/var/lib/gitea} GITEA_WORK_PATH=${GITEA_WORK_PATH:-/var/lib/gitea}
GITEA_CUSTOM_PATH=${GITEA_CUSTOM_PATH:-$GITEA_WORK_PATH/custom} GITEA_CUSTOM_PATH=${GITEA_CUSTOM_PATH:-$GITEA_WORK_PATH/custom}
GITEA_BACKUP_PATH=${GITEA_BACKUP_PATH:-$GITEA_WORK_PATH/backup} GITEA_BACKUP_PATH=${GITEA_BACKUP_PATH:-$GITEA_WORK_PATH/backup}
GITEA_KEEP_HOURS=${GITEA_KEEP_HOURS:-12} GITEA_KEEP_DAYS=${GITEA_KEEP_DAYS:-2}
prereq() { prereq() {
if ! systemctl list-units --full --all | grep -Fq "gitea.service"; then if ! systemctl list-units --full --all | grep -Fq "gitea.service"; then
@ -41,7 +41,7 @@ main() {
find "$GITEA_BACKUP_PATH" \ find "$GITEA_BACKUP_PATH" \
-type f \ -type f \
-name '*.zip' \ -name '*.zip' \
-mmin +$((GITEA_KEEP_HOURS * 60)) \ -mtime "+$GITEA_KEEP_DAYS" \
-delete -delete
fi fi
} }

4
roles/restic/files/restic-job.sh
View File

@ -73,10 +73,6 @@ fi
START="$(date +%s)" START="$(date +%s)"
if [[ -n "$($RESTIC_PATH list locks -q)" ]]; then
error_exit "repo is locked"
fi
if [ -f "$LOCK" ]; then if [ -f "$LOCK" ]; then
pid=$(cat "$LOCK") pid=$(cat "$LOCK")
if ! kill -0 "$pid" 2> /dev/null; then if ! kill -0 "$pid" 2> /dev/null; then

25
roles/restic/tasks/install.yaml
View File

@ -1,25 +0,0 @@
---
- block:
- name: download
get_url:
url: "{{ restic_release_url }}"
dest: "{{ restic_download_path }}"
checksum: "{{ restic_checksum }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
command:
cmd: "bunzip2 -f -k {{ restic_download_path }}"
- name: install binaries
copy:
src: "{{ restic_extracted_path }}"
dest: "{{ restic_path }}"
owner: root
group: root
mode: 0755
remote_src: true
when: restic_version != restic_local_version

29
roles/restic/tasks/main.yaml
View File

@ -23,10 +23,35 @@
paths: paths:
- tasks - tasks
- ansible.builtin.include_tasks: pre.yaml - name: "download restic {{ restic_version }}"
get_url:
url: "{{ restic_url }}"
checksum: "{{ restic_checksum }}"
dest: "{{ restic_path }}.bz2"
owner: root
group: root
mode: 0400
register: dl
- ansible.builtin.include_tasks: install.yaml - name: determine if restic exists
stat:
path: "{{ restic_path }}"
register: st
- name: decompress restic
command:
cmd: "bunzip2 -k {{ restic_path }}.bz2"
creates: "{{ restic_path }}"
when: dl.changed or not st.stat.exists
#notify:
# - restart restic
- name: manage restic attributes
file:
path: "{{ restic_path }}"
owner: root
group: root
mode: 0755
- name: create etc tree - name: create etc tree
file: file:

59
roles/restic/tasks/pre.yaml
View File

@ -1,59 +0,0 @@
---
- name: determine if installed
stat:
path: "{{ restic_bin_path }}/restic"
register: st
- name: set restic_installed
set_fact:
restic_installed: "{{ st.stat.exists | bool }}"
- block:
- name: determine latest version
uri:
url: "https://api.github.com/repos/{{ restic_github_rel_path }}/releases/latest"
return_content: true
body_format: json
register: _latest_version
until: _latest_version.status == 200
retries: 3
- name: set restic_version
set_fact:
restic_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
- block:
- name: determine installed version
command: "{{ restic_bin_path }}/restic version"
register: _installed_version_string
changed_when: false
- name: set restic_local_version
set_fact:
restic_local_version: "{{ _installed_version_string.stdout | regex_search(restic_version_regex, '\\1') | first }}"
rescue:
- name: set restic_local_version
set_fact:
restic_local_version: "{{ _installed_version_string.stderr | regex_search(restic_version_regex, '\\1') | first }}"
when: restic_installed
- name: set restic_local_version to 0
set_fact:
restic_local_version: "0"
when: not restic_installed
- block:
- name: get checksums
set_fact:
_checksums: "{{ lookup('url', restic_checksum_url, wantlist=True) }}"
- name: debug
debug:
msg: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
loop: "{{ _checksums }}"
- name: set restic_checksum
set_fact:
restic_checksum: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
loop: "{{ _checksums }}"
when: "restic_release_file in item"

102
roles/snmp_exporter/defaults/main.yaml
View File

@ -1,102 +0,0 @@
---
snmp_exporter_go_arch_map:
i386: '386'
x86_64: 'amd64'
snmp_exporter_go_arch: "{{ snmp_exporter_go_arch_map[ansible_architecture] | default('amd64') }}"
snmp_exporter_version: 0.25.0
snmp_exporter_checksums:
snmp_exporter-0.25.0.aix-ppc64.tar.gz: sha256:457524708e136a1c559567eb5170352b25591d33646ad85940f4692b13de8208
snmp_exporter-0.25.0.darwin-amd64.tar.gz: sha256:83f820691ec4013614c5e8771c37741ba7732a41f01ac4675428a95cf50785db
snmp_exporter-0.25.0.darwin-arm64.tar.gz: sha256:2de16c8ab56c96721ba71ce7b16cdcfaced50f0f7e78fc7ded1747017717a953
snmp_exporter-0.25.0.dragonfly-amd64.tar.gz: sha256:a17a8277a134d0f3f5913fdb89b3218e308c01c0749e4b1fe6eff860216c3f06
snmp_exporter-0.25.0.freebsd-386.tar.gz: sha256:dc5bb9943ce5abfc4610eb51b98d21754333828acd17e1058f4979dec83ec4bd
snmp_exporter-0.25.0.freebsd-amd64.tar.gz: sha256:65c527a32426b781968ee2b1ed9b13542f3333b2f60941ed7261c578d3a19515
snmp_exporter-0.25.0.freebsd-arm64.tar.gz: sha256:3ce5dd7c205e148eceef20d4a7f6042b49874d37b2f84cea1ad2b41a7adf27cc
snmp_exporter-0.25.0.freebsd-armv6.tar.gz: sha256:fecd7b648de5818f445ee3543b3a0e16090419b83481cb9268f1b070515f4719
snmp_exporter-0.25.0.freebsd-armv7.tar.gz: sha256:2750f4d469145a4e9bcf3ae2cf47c3a379581359c224fa3860d88a7671208fe0
snmp_exporter-0.25.0.illumos-amd64.tar.gz: sha256:71fbd5973d2b9e06e63728490e820fe5e33f27333a54dcb6b42d152d3cf36d2f
snmp_exporter-0.25.0.linux-386.tar.gz: sha256:a78577d5651557a67973363a87db3755170e61a79c8d698f14bc72cde3205e1a
snmp_exporter-0.25.0.linux-amd64.tar.gz: sha256:de206a27466656e8b4948ef66dd57cc80c5511ccd285b231fde4e044534db625
snmp_exporter-0.25.0.linux-arm64.tar.gz: sha256:d61a38544598921067b546cbdca2cce0165fede0414b2dd769e11b09037164ca
snmp_exporter-0.25.0.linux-armv5.tar.gz: sha256:a86cae97116524fc2479bbef211931ca375d78479a276f1c99e4a2ee033d54aa
snmp_exporter-0.25.0.linux-armv6.tar.gz: sha256:fed73deb4b2864b9793f07679308117e2b9568e08cf993c640b9fd9a534f2508
snmp_exporter-0.25.0.linux-armv7.tar.gz: sha256:ff4ce9ac6f8f489d40d2319ea07428cb58bc6b49ad5cc0054d7475a71b1a68bb
snmp_exporter-0.25.0.linux-mips.tar.gz: sha256:616f7d9a798425864852bf8acef1d1fde38e6c85cbc2b6fd176f5bad5aa2ce79
snmp_exporter-0.25.0.linux-mips64.tar.gz: sha256:4d7cf894079593e4ae4eba9c10f740514d3defe0ebc362953ffa6ba2ccb93127
snmp_exporter-0.25.0.linux-mips64le.tar.gz: sha256:ea3e346a702729daa2a4acb9389cc2fe95549afd6aa5806c173ae0b21340ea0c
snmp_exporter-0.25.0.linux-mipsle.tar.gz: sha256:b6fedb56c0ac64b87ec808448ef113bb3a44049d41a70c35004e0e05204a9ba7
snmp_exporter-0.25.0.linux-ppc64.tar.gz: sha256:6b6c67ba8e49e1e3e247799f151b74bf1cb6cb65d9e4efcf8c6d0eefa6467dbe
snmp_exporter-0.25.0.linux-ppc64le.tar.gz: sha256:b345a5b6808627ca119267f53b4d4835fc831cdbe25922359637b8068b6d2722
snmp_exporter-0.25.0.linux-riscv64.tar.gz: sha256:6f3659115b78f05349ce1cc61d17c03e7dbb5830d6a4f13433028efe198e4a66
snmp_exporter-0.25.0.linux-s390x.tar.gz: sha256:8a428c63081efee2d15df508c7da5588cc6582a3254561c2ddbd9898520d247e
snmp_exporter-0.25.0.netbsd-386.tar.gz: sha256:3b56b8feba1119737fe167db47afb2d53179f03fd1ed2c97a02745486cf78e9d
snmp_exporter-0.25.0.netbsd-amd64.tar.gz: sha256:e1e2f82047ec726be64434d45e4d18cff45bf739c8ac7ffcd39d2680148be4f6
snmp_exporter-0.25.0.netbsd-arm64.tar.gz: sha256:f1be651984a8aa9fb2793358545da1351cb66c0f94abfa67d97003276aeb64cb
snmp_exporter-0.25.0.netbsd-armv6.tar.gz: sha256:d250a3cdd4d6fb572ed740c7f800f2aaa11350294d9275e4054c39bcfed86710
snmp_exporter-0.25.0.netbsd-armv7.tar.gz: sha256:0ecc87cc94c6e4f9444e5a508bb3f848753eae551f38715d90531626a09eb21b
snmp_exporter-0.25.0.openbsd-386.tar.gz: sha256:93f600e3c8e51c9e4fe2888a6fcac28b6bf4128ff90cf833938c25fcd607d731
snmp_exporter-0.25.0.openbsd-amd64.tar.gz: sha256:68b5b7bf8903e02636ea1145a313bad6316950116c7dbcb8e62214acafb76a64
snmp_exporter-0.25.0.openbsd-arm64.tar.gz: sha256:ca0ff15972207d7efb0ec08ca3c74ab1940dd780430ebe409214ca6261b4a521
snmp_exporter-0.25.0.openbsd-armv7.tar.gz: sha256:094072fcc645e170fbcf617f86f41f35781f6eff83c2a5f3a4327b55c3aae6ba
snmp_exporter-0.25.0.windows-386.tar.gz: sha256:feb0eae7fdbff7d96eb489a61e7d4cb6f9065d84e80c5e0f6331893dd3c5e37a
snmp_exporter-0.25.0.windows-386.zip: sha256:10cb099383f990303ba293343a98377aabb0575f5d87b8702cd366bd787293b9
snmp_exporter-0.25.0.windows-amd64.tar.gz: sha256:78398d2553548f21eaf8920daf86df15865e7c4a93351be01abb10cc2508cc8c
snmp_exporter-0.25.0.windows-amd64.zip: sha256:b0872fc2d2cebc60244220c3412185a45b72ac56f2cb36f1e4f35d42e830de2d
snmp_exporter-0.25.0.windows-arm64.tar.gz: sha256:e3122f902b714b908884fb10fff61e93960c1ce1a1491d21d7be736ac6c9f833
snmp_exporter-0.25.0.windows-arm64.zip: sha256:f3465c09e7a28ced47b15da368074b7df6d610e4c82ea6ae647d916abb541dc8
snmp_exporter_github_rel_path: prometheus/snmp_exporter
snmp_exporter_github_project_url: "https://github.com/{{ snmp_exporter_github_rel_path }}"
snmp_exporter_release_file: "snmp_exporter-{{ snmp_exporter_version }}.{{ ansible_system | lower }}-{{ snmp_exporter_go_arch }}.tar.gz"
snmp_exporter_release_url: "{{ snmp_exporter_github_project_url }}/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_release_file }}"
snmp_exporter_download_path: "/tmp/{{ snmp_exporter_release_file }}"
snmp_exporter_opt_dir_path: "/opt/snmp_exporter-{{ snmp_exporter_version }}"
snmp_exporter_unarchive_dest_path: /tmp/
snmp_exporter_extracted_path: "/tmp/{{ snmp_exporter_release_file | replace('.tar.gz', '') }}"
snmp_exporter_binaries:
- snmp_exporter
snmp_exporter_user_name: snmp_exporter
snmp_exporter_user_shell: /usr/sbin/nologin
snmp_exporter_user_home: "{{ snmp_exporter_var_dir_path }}"
snmp_exporter_group_name: snmp_exporter
snmp_exporter_bin_dir_path: /usr/local/bin
snmp_exporter_bin_path: "{{ snmp_exporter_bin_dir_path }}/snmp_exporter"
snmp_exporter_etc_dir_path: /etc/snmp_exporter
snmp_exporter_etc_dir_path_owner: "{{ snmp_exporter_user_name }}"
snmp_exporter_etc_dir_path_group: "{{ snmp_exporter_group_name }}"
snmp_exporter_etc_dir_path_mode: 0500
snmp_exporter_etc_dir_path_state: directory
snmp_exporter_var_dir_path: /var/lib/snmp_exporter
snmp_exporter_var_dir_path_owner: "{{ snmp_exporter_user_name }}"
snmp_exporter_var_dir_path_group: "{{ snmp_exporter_group_name }}"
snmp_exporter_var_dir_path_mode: 0500
snmp_exporter_var_dir_path_state: directory
snmp_exporter_config_file_path: "{{ snmp_exporter_etc_dir_path }}/snmp.yml"
snmp_exporter_config_file_template_src: snmp.yml.j2
snmp_exporter_config_file_template_dest: "{{ snmp_exporter_config_file_path }}"
snmp_exporter_config_file_template_owner: "{{ snmp_exporter_user_name }}"
snmp_exporter_config_file_template_group: "{{ snmp_exporter_group_name }}"
snmp_exporter_config_file_template_mode: 0400
snmp_exporter_bin_args:
- "--config.file={{ snmp_exporter_config_file_path }}"
- "--snmp.module-concurrency={{ ansible_processor_vcpus }}"
snmp_exporter_service_name: snmp_exporter.service
snmp_exporter_service_enabled: true
snmp_exporter_service_state: started
snmp_exporter_service_template_src: "{{ snmp_exporter_service_name }}.j2"
snmp_exporter_service_template_dest: "/etc/systemd/system/{{ snmp_exporter_service_name }}"
snmp_exporter_service_template_owner: root
snmp_exporter_service_template_group: root
snmp_exporter_service_template_mode: 0444

6
roles/snmp_exporter/handlers/main.yaml
View File

@ -1,6 +0,0 @@
---
- name: restart snmp_exporter
systemd:
name: "{{ snmp_exporter_service_name }}"
daemon_reload: true
state: restarted

55
roles/snmp_exporter/tasks/configure.yaml
View File

@ -1,55 +0,0 @@
---
- name: create group
ansible.builtin.group:
name: "{{ snmp_exporter_group_name }}"
system: true
- name: create user
ansible.builtin.user:
name: "{{ snmp_exporter_user_name }}"
shell: "{{ snmp_exporter_user_shell }}"
home: "{{ snmp_exporter_user_home }}"
system: true
group: "{{ snmp_exporter_group_name }}"
- name: create var path
ansible.builtin.file:
path: "{{ snmp_exporter_var_dir_path }}"
owner: "{{ snmp_exporter_var_dir_path_owner }}"
group: "{{ snmp_exporter_var_dir_path_group }}"
mode: "{{ snmp_exporter_var_dir_path_mode }}"
state: "{{ snmp_exporter_var_dir_path_state }}"
- name: create etc path
ansible.builtin.file:
path: "{{ snmp_exporter_etc_dir_path }}"
owner: "{{ snmp_exporter_etc_dir_path_owner }}"
group: "{{ snmp_exporter_etc_dir_path_group }}"
mode: "{{ snmp_exporter_etc_dir_path_mode }}"
state: "{{ snmp_exporter_etc_dir_path_state }}"
- name: configure
ansible.builtin.template:
src: "{{ snmp_exporter_config_file_template_src }}"
dest: "{{ snmp_exporter_config_file_template_dest }}"
owner: "{{ snmp_exporter_config_file_template_owner }}"
group: "{{ snmp_exporter_config_file_template_group }}"
mode: "{{ snmp_exporter_config_file_template_mode }}"
notify:
- restart snmp_exporter
- name: configure systemd unit
ansible.builtin.template:
src: "{{ snmp_exporter_service_template_src }}"
dest: "{{ snmp_exporter_service_template_dest }}"
owner: "{{ snmp_exporter_service_template_owner }}"
group: "{{ snmp_exporter_service_template_group }}"
mode: "{{ snmp_exporter_service_template_mode }}"
notify:
- restart snmp_exporter
- name: manage service
ansible.builtin.service:
name: "{{ snmp_exporter_service_name }}"
enabled: "{{ snmp_exporter_service_enabled | default(true) }}"
state: "{{ snmp_exporter_service_state | default('started') }}"

0
roles/snmp_exporter/tasks/default.yaml
View File

56
roles/snmp_exporter/tasks/install.yaml
View File

@ -1,56 +0,0 @@
---
- name: determine install status
ansible.builtin.stat:
path: "{{ snmp_exporter_opt_dir_path }}/snmp_exporter"
register: st
- name: create opt path
ansible.builtin.file:
path: "{{ snmp_exporter_opt_dir_path }}"
owner: root
group: root
mode: 0755
state: directory
- block:
- name: download
ansible.builtin.get_url:
url: "{{ snmp_exporter_release_url }}"
dest: "{{ snmp_exporter_download_path }}"
checksum: "{{ snmp_exporter_checksums[snmp_exporter_release_file] }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
ansible.builtin.unarchive:
src: "{{ snmp_exporter_download_path }}"
dest: "{{ snmp_exporter_unarchive_dest_path }}"
remote_src: true
- name: install
ansible.builtin.copy:
src: "{{ snmp_exporter_extracted_path }}/{{ item }}"
dest: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
remote_src: true
loop: "{{ snmp_exporter_binaries }}"
when: not st.stat.exists
- name: permissions
ansible.builtin.file:
path: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
owner: root
group: root
mode: 0755
loop: "{{ snmp_exporter_binaries }}"
- name: symlink
ansible.builtin.file:
src: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0755
state: link
loop: "{{ snmp_exporter_binaries }}"

28
roles/snmp_exporter/tasks/main.yaml
View File

@ -1,28 +0,0 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

27498
roles/snmp_exporter/templates/snmp.yml.j2
View File

File diff suppressed because it is too large Load Diff

21
roles/snmp_exporter/templates/snmp_exporter.service.j2
View File

@ -1,21 +0,0 @@
# {{ ansible_managed }}
[Unit]
Description=SNMP Exporter
After=network-online.target
[Service]
User={{ snmp_exporter_user_name }}
Restart=on-failure
ExecStart={{ snmp_exporter_bin_path }} \
{% for arg in snmp_exporter_bin_args %}
{{ arg }} {% if not loop.last %}\{{ "\n"}}{% endif %}
{% if loop.last %}
{% endif %}
{% endfor %}
WorkingDirectory={{ snmp_exporter_var_dir_path }}
[Install]
WantedBy=multi-user.target

0
roles/snmp_exporter/vars/default.yaml
View File

2
roles/util/defaults/main.yaml
View File

@ -42,7 +42,7 @@ util_packages:
- p7zip - p7zip
- p7zip-full - p7zip-full
- pigz - pigz
- pixz - pxz
- zstd - zstd
- pbzip2 - pbzip2
- pv - pv