ryanc/ansible
1
0
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

Compare commits

base: ryanc:b02da06c973aa449ec522ed6808dcc8d9dfad990
Branches Tags
ryanc:master
...
compare: ryanc:05b1e8da071593790dd85813b6cdbd56a2c682a4
Branches Tags
ryanc:master

14 Commits
b02da06c97 ... 05b1e8da07

Author SHA1 Message Date
Ryan Cavicchioni
05b1e8da07 loki: flesh out role 2024-04-14 17:48:46 -05:00
Ryan Cavicchioni
45ddb507ef mtail: remove dead code 2024-04-14 17:47:55 -05:00
Ryan Cavicchioni
1cce3fc642 nftables: add more rules 2024-04-14 17:46:42 -05:00
Ryan Cavicchioni
7168a89e53 Fix typos in Promtail systemd unit 2024-04-14 17:45:59 -05:00
Ryan Cavicchioni
4e338917dc iptables: open ports for promtail syslog 2024-04-14 17:45:16 -05:00
Ryan Cavicchioni
f79cdc1e59 Update http2 syntax 2024-04-14 17:34:54 -05:00
Ryan Cavicchioni
4a7f888994 Refactor certbot role 2024-04-14 17:29:18 -05:00
Ryan Cavicchioni
8b24c9fad9 Fix pixz package name 2024-04-14 17:28:36 -05:00
Ryan Cavicchioni
77ecf4ccbe Use tags 2024-04-14 17:26:32 -05:00
Ryan Cavicchioni
de53d99b5e Manager restic updates 2024-04-14 17:25:38 -05:00
Ryan Cavicchioni
907d7a9c63 Add role for snmp_exporter 2024-04-14 17:23:51 -05:00
Ryan Cavicchioni
6108475fbd Refactor netplan 2024-04-14 17:23:27 -05:00
Ryan Cavicchioni
db8c7f4f63 Secrets 2024-04-14 17:19:01 -05:00
Ryan Cavicchioni
02c1899ee0 Remove unused host_vars 2024-04-14 17:16:43 -05:00
51 changed files with 29081 additions and 747 deletions
Show Stats Expand all files Collapse all files

1018
group_vars/all/vault.yaml
View File

File diff suppressed because it is too large Load Diff

22
host_vars/nal-hutta.yaml
View File

@ -1,22 +0,0 @@
---
#network_interfaces:
# - name: eth0
# address:
# - 45.56.123.101/24
# - 2600:3c00::f03c:91ff:fed5:eeec/64
# gateway:
# - 45.56.123.1
# - fe80::1
firewall_allowed_tcp_ports:
v4:
- 443
- 80
- 8186
v6:
- 443
- 80
- 8186
postfix_sasl_passwd_map:
"[smtp.fastmail.com]:465": "foo:bar"

17
host_vars/rmq1.yaml
View File

@ -1,17 +0,0 @@
---
keepalived_vrrp_instances:
VI_1:
state: MASTER
interface: eth0
virtual_router_id: 51
priority: 254
authentication:
auth_type: PASS
auth_pass: asdf
unicast_peer: |
{{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
virtual_ipaddress:
- 10.100.100.20/24
track_script:
- chk_rabbitmq
- chk_amqp_port

17
host_vars/rmq2.yaml
View File

@ -1,17 +0,0 @@
---
keepalived_vrrp_instances:
VI_1:
state: BACKUP
interface: eth0
virtual_router_id: 51
priority: 253
authentication:
auth_type: PASS
auth_pass: asdf
unicast_peer: |
{{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
virtual_ipaddress:
- 10.100.100.20/24
track_script:
- chk_rabbitmq
- chk_amqp_port

17
host_vars/rmq3.yaml
View File

@ -1,17 +0,0 @@
---
keepalived_vrrp_instances:
VI_1:
state: BACKUP
interface: eth0
virtual_router_id: 51
priority: 252
authentication:
auth_type: PASS
auth_pass: asdf
unicast_peer: |
{{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
virtual_ipaddress:
- 10.100.100.20/24
track_script:
- chk_rabbitmq
- chk_amqp_port

7
host_vars/ubuntu.yaml
View File

@ -1,7 +0,0 @@
---
#network_interfaces:
# - name: enp1s0
# address:
# - 192.168.124.124/24
# gateway4: 192.168.124.1
#

131
playbook.yaml
View File

@ -3,25 +3,59 @@
become: true become: true
roles: roles:
- common - common
- network - role: network
tags:
- network
- netplan
- util - util
- sudo - sudo
- hostsfile - hostsfile
- certs - certs
- rsyslog - role: rsyslog
tags:
- rsyslog
- syslog
- logging
- users - users
- dns - dns
- firewall - role: firewall
tags:
- firewall
- iptables
- openssh - openssh
- wireguard - role: wireguard
tags:
- wireguard
- vpn
- chrony - chrony
- unattended-upgrades - unattended-upgrades
- postfix - postfix
- restic - restic
- node_exporter - role: node_exporter
- blackbox_exporter tags:
- mtail - prometheus
- monitoring
- role: blackbox_exporter
tags:
- prometheus
- monitoring
- role: mtail
tags:
- prometheus
- monitoring
- supervisor - supervisor
# - vector
- role: promtail
tags:
- promtail
- loki
- logging
- role: cloudflared
tags:
- cloudflared
- zerotrust
- access
- vpn
- hosts: minecraft_servers - hosts: minecraft_servers
become: true become: true
roles: roles:
@ -34,35 +68,98 @@
- hosts: git_servers - hosts: git_servers
become: true become: true
roles: roles:
- nginx - role: certbot
- certbot tags:
- gitea - tls
- role: nginx
tags:
- nginx
- role: gitea
tags:
- gitea
- git
- hosts: stats_servers - hosts: stats_servers
become: true become: true
roles: roles:
- nginx - role: certbot
- certbot tags:
- grafana - tls
- role: nginx
tags:
- nginx
- role: grafana
tags:
- grafana
- monitoring
- o11y
- hosts: monitor_servers - hosts: monitor_servers
become: true become: true
roles: roles:
- nginx - certbot
- role: nginx
tags:
- nginx
- role: prometheus - role: prometheus
tags: tags:
- prometheus - prometheus
- monitoring - monitoring
- alertmanager - role: alertmanager
- blackbox_exporter tags:
- pushgateway - prometheus
- monitoring
- role: blackbox_exporter
tags:
- prometheus
- monitoring
- role: pushgateway
tags:
- prometheus
- monitoring
- role: karma - role: karma
tags: tags:
- prometheus
- monitoring - monitoring
- role: kthxbye - role: kthxbye
tags: tags:
- prometheus
- monitoring - monitoring
- role: thanos - role: thanos
tags: tags:
- prometheus
- thanos - thanos
- monitoring - monitoring
- role: loki
tags:
- loki
- logging
- role: logcli
tags:
- logcli
- loki
- logging
- role: smokeping_prober
tags:
- prometheus
- monitoring
- smokeping
- role: mimir
tags:
- prometheus
- mimir
- monitoring
- role: snmp_exporter
tags:
- prometheus
- snmp_exporter
- monitoring
- role: lego
tags:
- acme
- certificates
- lego
- letsencrypt
- pki
- tls
# vim:ft=yaml.ansible: # vim:ft=yaml.ansible:

35
roles/certbot/defaults/main.yaml
View File

@ -1,22 +1,35 @@
--- ---
certbot_package_name: certbot certbot_package_name: certbot
certbot_package_state: present certbot_package_state: latest
certbot_plugins:
- certbot-dns-cloudflare
- certbot-dns-digitalocean
- certbot-dns-dnsimple
- certbot-dns-dnsmadeeasy
- certbot-dns-gehirn
- certbot-dns-google
- certbot-dns-linode
- certbot-dns-luadns
- certbot-dns-nsone
- certbot-dns-ovh
- certbot-dns-rfc2136
- certbot-dns-route53
- certbot-dns-sakuracloud
certbot_service_name: certbot.service certbot_service_name: certbot.service
certbot_bin_path: /usr/local/bin
certbot_path: "{{ certbot_bin_path }}/certbot"
certbot_timer_name: certbot.timer certbot_timer_name: certbot.timer
certbot_timer_state: started certbot_timer_state: started
certbot_timer_enabled: yes certbot_timer_enabled: true
certbot_cron_state: present certbot_etc_path: /etc/letsencrypt
certbot_cron_user: root certbot_live_path: "{{ certbot_etc_path }}/live"
certbot_cron_file_path: /etc/cron.d/certbot
certbot_cron_env:
path: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
shell: /bin/sh
certbot_cron_command: test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
certbot_cron_hour: "*/12"
certbot_cron_minute: "0"
certbot_system_timer_on_calender: "*-*-* 00,12:00:00" certbot_system_timer_on_calender: "*-*-* 00,12:00:00"
certbot_system_timer_randomized_delay_sec: 43200 certbot_system_timer_randomized_delay_sec: 43200
certbot_credential_path: /root/.secrets/certbot

6
roles/certbot/handlers/main.yaml
View File

@ -1,6 +1,4 @@
--- ---
- name: systemd daemon-reload - name: systemd daemon-reload
systemd: ansible.builtin.systemd:
name: "{{ certbot_service_name }}" daemon_reload: true
daemon_reload: yes
state: restarted

23
roles/certbot/tasks/configure-linode.yaml Normal file
View File

@ -0,0 +1,23 @@
---
- name: configure linode credentials
ansible.builtin.copy:
dest: "{{ certbot_credential_path }}/linode.ini"
owner: root
group: root
mode: 0600
content: "{{ certbot_dns_linode_credentials }}"
no_log: true
- name: certbot (linode)
ansible.builtin.shell: >
certbot certonly \
--dns-linode \
--dns-linode-credentials "{{ certbot_credential_path }}/linode.ini" \
--quiet \
--agree-tos \
--noninteractive \
--email "{{ item.email }}" \
--domain "{{ item.domains | join(',') }}"
args:
creates: "{{ certbot_live_path }}/{{ item.domains | first }}/cert.pem"
loop: "{{ certbot_certificates | default([]) }}"

0
roles/certbot/tasks/default.yaml Normal file
View File

8
roles/certbot/tasks/issue.yaml
View File

@ -1,9 +1 @@
--- ---
- name: "determine if certificate for {{ item.domains | join(', ') }}"
stat:
path: "/etc/letsencrypt/live/{{ item.domains | first }}/cert.pem"
register: st
- name: "request certificate for {{ item.domains | join(', ') }}"
command: "certbot certonly -q --webroot -w {{ certbot_challenge_webroot_path }} --agree-tos --noninteractive --email {{ item.email }} -d {{ item.domains | join(',') }}"
when: not st.stat.exists

86
roles/certbot/tasks/main.yaml
View File

@ -23,65 +23,51 @@
paths: paths:
- tasks - tasks
- name: install certbot modules - name: install certbot
package: ansible.builtin.pip:
name: "{{ certbot_package_name }}" name: "{{ certbot_package_name }}"
state: "{{ certbot_package_state }}" state: "{{ certbot_package_state }}"
- name: configure challenge webroot - name: install certbot plugins
file: ansible.builtin.pip:
path: "{{ certbot_challenge_webroot_path }}" name: "{{ certbot_plugins }}"
state: "directory" state: latest
- name: create credential path
ansible.builtin.file:
path: "{{ certbot_credential_path }}"
owner: root owner: root
group: root group: root
mode: 0755 mode: 0700
state: directory
- name: request certificates - name: request certificates
ansible.builtin.include_tasks: "issue.yaml" ansible.builtin.include_tasks: "issue.yaml"
loop: "{{ certbot_certificates }}" loop: "{{ certbot_certificates }}"
- name: configure systemd timer - name: include linode tasks
block: ansible.builtin.include_tasks: configure-linode.yaml
- name: create systemd timer override directory
file:
path: "/etc/systemd/system/{{ certbot_timer_name }}.d"
owner: root
group: root
mode: 0755
state: directory
- name: configure systemd timer options - name: configure renewal service
template: ansible.builtin.template:
src: certbot.timer.j2 src: certbot.service.j2
dest: "/etc/systemd/system/{{ certbot_timer_name }}.d/override.conf" dest: "/etc/systemd/system/certbot.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: systemd daemon-reload notify: systemd daemon-reload
- name: enable the timer
systemd:
name: "{{ certbot_timer_name }}"
state: "{{ certbot_timer_state }}"
enabled: "{{ certbot_timer_enabled }}"
when: ansible_service_mgr == "systemd"
- name: configure cron job - name: configure renewal timer
block: ansible.builtin.template:
- name: configure env src: certbot.timer.j2
cron: dest: "/etc/systemd/system/certbot.timer"
name: "{{ item.key | upper }}" owner: root
env: yes group: root
job: "{{ item.value }}" mode: 0644
user: "{{ certbot_cron_user }}" notify: systemd daemon-reload
cron_file: "{{ certbot_cron_file_path }}"
state: "{{ certbot_cron_state }}" - name: manage timer
loop: "{{ certbot_cron_env | dict2items }}" ansible.builtin.systemd:
- name: create job name: "{{ certbot_timer_name }}"
cron: enabled: "{{ certbot_timer_enabled }}"
name: certbot state: "{{ certbot_timer_state }}"
user: "{{ certbot_cron_user }}"
hour: "{{ certbot_cron_hour }}"
minute: "{{ certbot_cron_minute }}"
cron_file: "{{ certbot_cron_file_path }}"
job: "{{ certbot_cron_command }}"
state: "{{ certbot_cron_state }}"

14
roles/certbot/templates/certbot.service.j2 Normal file
View File

@ -0,0 +1,14 @@
# {{ ansible_managed }}
[Unit]
Description=Certbot renewal
After=network-online.target
Wants=network-online.target
Wants={{ certbot_timer_name }}
[Service]
Type=oneshot
ExecStart={{ certbot_path }} --quiet renew
[Install]
WantedBy=multi-user.target

7
roles/certbot/templates/certbot.timer.j2
View File

@ -1,5 +1,12 @@
# {{ ansible_managed }} # {{ ansible_managed }}
[Unit]
Description=Certbot renewal
Requires={{ certbot_service_name }}
[Timer] [Timer]
OnCalendar={{ certbot_system_timer_on_calender }} OnCalendar={{ certbot_system_timer_on_calender }}
RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }} RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }}
[Install]
WantedBy=timers.target

11
roles/dl/templates/nginx.conf.j2
View File

@ -26,10 +26,13 @@ server {
{% if dl_ssl_enabled is defined and {% if dl_ssl_enabled is defined and
dl_ssl_enabled %} dl_ssl_enabled %}
server { server {
listen 443 ssl http2; listen 443 ssl;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl http2; listen [::]:443 ssl;
{% endif %} {% endif %}
http2 on;
server_name {{ dl_server_name }}; server_name {{ dl_server_name }};
access_log {{ dl_access_log }} main; access_log {{ dl_access_log }} main;
error_log {{ dl_error_log }} warn; error_log {{ dl_error_log }} warn;
@ -46,6 +49,10 @@ server {
ssl_dhparam {{ dl_ssl_dhparam }}; ssl_dhparam {{ dl_ssl_dhparam }};
{% endif %} {% endif %}
location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
}
location ~ ^\/~(.+?)(\/.*)?$ { location ~ ^\/~(.+?)(\/.*)?$ {
alias /home/$1/public_html$2; alias /home/$1/public_html$2;
index index.html index.htm; index index.html index.htm;

3
roles/firewall/templates/ip6tables.j2
View File

@ -130,6 +130,9 @@
{% endif %} {% endif %}
{% if firewall_ipset_syslog is defined %} {% if firewall_ipset_syslog is defined %}
-A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/tcp6" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/tcp6" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/udp6" -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 1514 -m set --match-set syslog6 src -m comment --comment "accept syslog 1514/tcp6" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 1514 -m set --match-set syslog6 src -m comment --comment "accept syslog 1514/udp6" -j LOG_ACCEPT
{% endif %} {% endif %}
{% if firewall_ipset_influxdb is defined %} {% if firewall_ipset_influxdb is defined %}
-A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb6 src -m comment --comment "accept influxdb 8086/tcp6" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb6 src -m comment --comment "accept influxdb 8086/tcp6" -j LOG_ACCEPT

2
roles/firewall/templates/iptables.j2
View File

@ -117,6 +117,8 @@
{% if firewall_ipset_syslog is defined %} {% if firewall_ipset_syslog is defined %}
-A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/tcp" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/tcp" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/udp" -j LOG_ACCEPT -A INPUT -p udp -m udp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/udp" -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 1514 -m set --match-set syslog4 src -m comment --comment "accept syslog 1514/tcp" -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 1514 -m set --match-set syslog4 src -m comment --comment "accept syslog 1514/udp" -j LOG_ACCEPT
{% endif %} {% endif %}
{% if firewall_ipset_influxdb is defined %} {% if firewall_ipset_influxdb is defined %}
-A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb4 src -m comment --comment "accept influxdb 8086/tcp" -j LOG_ACCEPT -A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb4 src -m comment --comment "accept influxdb 8086/tcp" -j LOG_ACCEPT

8
roles/gitea/templates/nginx.conf.j2
View File

@ -37,10 +37,13 @@ server {
{% if gitea_ssl_enabled is defined and {% if gitea_ssl_enabled is defined and
gitea_ssl_enabled %} gitea_ssl_enabled %}
server { server {
listen 443 ssl http2; listen 443 ssl;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl http2; listen [::]:443 ssl;
{% endif %} {% endif %}
http2 on;
server_name {{ gitea_domain }}; server_name {{ gitea_domain }};
access_log /var/log/nginx/gitea.access.log main; access_log /var/log/nginx/gitea.access.log main;
@ -62,6 +65,7 @@ server {
} }
location / { location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
limit_req zone=req_bad_actors burst=10 nodelay; limit_req zone=req_bad_actors burst=10 nodelay;
proxy_pass http://gitea_backend; proxy_pass http://gitea_backend;
} }

17
roles/grafana/templates/nginx.conf.j2
View File

@ -6,6 +6,11 @@ upstream grafana_backend {
server 127.0.0.1:{{ grafana_port }}; server 127.0.0.1:{{ grafana_port }};
} }
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server { server {
listen 80; listen 80;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
@ -32,10 +37,13 @@ server {
{% if grafana_ssl_enabled is defined and {% if grafana_ssl_enabled is defined and
grafana_ssl_enabled %} grafana_ssl_enabled %}
server { server {
listen 443 ssl http2; listen 443 ssl;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl http2; listen [::]:443 ssl;
{% endif %} {% endif %}
http2 on;
server_name {{ grafana_domain }}; server_name {{ grafana_domain }};
access_log /var/log/nginx/grafana.access.log main; access_log /var/log/nginx/grafana.access.log main;
@ -59,7 +67,12 @@ server {
} }
location / { location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
limit_req zone=req_bad_actors burst=10 nodelay; limit_req zone=req_bad_actors burst=10 nodelay;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_pass http://grafana_backend; proxy_pass http://grafana_backend;
} }
} }

72
roles/loki/defaults/main.yaml
View File

@ -26,12 +26,17 @@ loki_user_shell: /usr/sbin/nologin
loki_group: loki loki_group: loki
loki_group_state: "{{ loki_user_state | default('present') }}" loki_group_state: "{{ loki_user_state | default('present') }}"
loki_config_path: /etc/loki.yaml
loki_var_path: /var/lib/loki loki_var_path: /var/lib/loki
loki_var_owner: "{{ loki_user }}" loki_var_owner: "{{ loki_user }}"
loki_var_group: "{{ loki_group }}" loki_var_group: "{{ loki_group }}"
loki_var_mode: "0755" loki_var_mode: "0700"
loki_etc_path: /etc/loki
loki_etc_owner: "{{ loki_user }}"
loki_etc_group: "{{ loki_group }}"
loki_etc_mode: "0755"
loki_config_path: "{{ loki_etc_path }}/config.yaml"
loki_bin_path: /usr/local/bin loki_bin_path: /usr/local/bin
@ -39,36 +44,51 @@ loki_auth_enabled: false
loki_server: loki_server:
http_listen_port: 3100 http_listen_port: 3100
grpc_listen_port: 9096
loki_ingester: loki_common:
lifecycler: instance_addr: 127.0.0.1
address: 127.0.0.1 path_prefix: "{{ loki_var_path }}"
ring: storage:
kvstore: filesystem:
store: inmemory chunks_directory: "{{ loki_var_path }}/chunks"
replication_factor: 1 rules_directory: "{{ loki_var_path }}/rules"
final_sleep: 0s replication_factor: 1
chunk_idle_period: 5m ring:
chunk_retain_period: 30s kvstore:
store: inmemory
loki_query_range:
results_cache:
cache:
embedded_cache:
enabled: true
max_size_mb: 100
# loki_storage_config:
# {}
loki_schema_config: loki_schema_config:
configs: configs:
- from: 2020-05-15 - from: 2020-10-24
store: boltdb store: boltdb-shipper
object_store: filesystem object_store: gcs
schema: v11 schema: v11
index: index:
prefix: index_ prefix: index_
period: 168h period: 24h
loki_storage_config: loki_ruler:
boltdb: alertmanager_url: http://localhost:9093
directory: "{{ loki_var_path }}/index"
filesystem: # loki_query_scheduler:
directory: "{{ loki_var_path }}/chunks" # {}
# loki_querier:
# {}
# loki_compactor:
# {}
loki_limits_config: loki_limits_config:
enforce_metric_name: false retention_period: 744h
reject_old_samples: true
reject_old_samples_max_age: 168h
ingestion_burst_size_mb: 16

24
roles/loki/tasks/configure.yaml
View File

@ -15,14 +15,13 @@
home: "{{ loki_var_path }}" home: "{{ loki_var_path }}"
state: "{{ loki_user_state | default('present') }}" state: "{{ loki_user_state | default('present') }}"
- name: configure - name: create etc path
template: file:
src: loki.yaml.j2 path: "{{ loki_etc_path }}"
dest: "{{ loki_config_path }}" state: directory
owner: root owner: "{{ loki_etc_owner }}"
group: root group: "{{ loki_etc_group }}"
mode: 0444 mode: "{{ loki_etc_mode }}"
notify: restart loki
- name: create var path - name: create var path
file: file:
@ -32,6 +31,15 @@
group: "{{ loki_var_group }}" group: "{{ loki_var_group }}"
mode: "{{ loki_var_mode }}" mode: "{{ loki_var_mode }}"
- name: configure
template:
src: config.yaml.j2
dest: "{{ loki_config_path }}"
owner: "{{ loki_user }}"
group: "{{ loki_group }}"
mode: 0400
notify: restart loki
- name: configure systemd template - name: configure systemd template
template: template:
src: "{{ loki_service_name }}.j2" src: "{{ loki_service_name }}.j2"

55
roles/loki/templates/config.yaml.j2 Normal file
View File

@ -0,0 +1,55 @@
{{ ansible_managed | comment }}
---
{% if loki_auth_enabled is defined %}
auth_enabled: {{ loki_auth_enabled | bool | lower }}
{% endif %}
{% if loki_server is defined %}
server:
{{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_common is defined %}
common:
{{ loki_common | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_query_range is defined %}
query_range:
{{ loki_query_range | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_storage_config is defined %}
storage_config:
{{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_schema_config is defined %}
schema_config:
{{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_ruler is defined %}
ruler:
{{ loki_ruler | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_query_scheduler is defined %}
query_scheduler:
{{ loki_query_scheduler | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_querier is defined %}
querier:
{{ loki_querier | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_compactor is defined %}
compactor:
{{ loki_compactor | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_limits_config is defined %}
limits_config:
{{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}

12
roles/loki/templates/loki.service.j2
View File

@ -1,19 +1,19 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
[Unit] [Unit]
Description=Loki Description=Loki service
After=network-online.target After=network.target
[Service] [Service]
Type=simple Type=simple
User={{ loki_user }} User={{ loki_user }}
Group={{ loki_group }}
ExecStart={{ loki_bin_path }}/loki \ ExecStart={{ loki_bin_path }}/loki \
-config.file {{ loki_config_path }} -config.file {{ loki_config_path }}
WorkingDirectory={{ loki_var_path }}
Restart=always WorkingDirectory={{ loki_var_path }}
RestartSec=1 TimeoutSec = 120
Restart = on-failure
RestartSec = 2
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

30
roles/loki/templates/loki.yaml.j2
View File

@ -1,30 +0,0 @@
{{ ansible_managed | comment }}
---
{% if loki_auth_enabled is defined %}
auth_enabled: {{ loki_auth_enabled | bool | lower }}
{% endif %}
{% if loki_server is defined %}
server:
{{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_ingester is defined %}
ingester:
{{ loki_ingester | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_schema_config is defined %}
schema_config:
{{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_storage_config is defined %}
storage_config:
{{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}
{% if loki_limits_config is defined %}
limits_config:
{{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif -%}

2
roles/mtail/defaults/main.yaml
View File

@ -12,7 +12,7 @@ mtail_service_enabled: yes
mtail_version_regex: ^mtail version (\S+) mtail_version_regex: ^mtail version (\S+)
mtail_github_project_url: https://github.com/google/mtail mtail_github_project_url: https://github.com/google/mtail
mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | capitalize }}_{{ ansible_architecture }}.tar.gz" mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | lower }}_{{ mtail_go_arch }}.tar.gz"
mtail_release_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/{{ mtail_release_file }}" mtail_release_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/{{ mtail_release_file }}"
mtail_download_path: "/tmp/{{ mtail_release_file }}" mtail_download_path: "/tmp/{{ mtail_release_file }}"
mtail_checksum_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/checksums.txt" mtail_checksum_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/checksums.txt"

38
roles/mtail/tasks/pre.yaml
View File

@ -1,42 +1,4 @@
--- ---
#- name: determine if installed
# stat:
# path: "{{ mtail_bin_path }}/mtail"
# register: st
#
#- name: set mtail_installed
# set_fact:
# mtail_installed: "{{ st.stat.exists | bool }}"
#
#- block:
# - name: determine latest version
# uri:
# url: https://api.github.com/repos/google/mtail/releases/latest
# return_content: true
# body_format: json
# register: _latest_version
# until: _latest_version.status == 200
# retries: 3
#
# - name: set mtail_version
# set_fact:
# mtail_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
#
#- block:
# - name: determine installed version
# command: "{{ mtail_bin_path }}/mtail --version"
# register: _installed_version_string
# changed_when: false
#
# - name: set mtail_local_version
# set_fact:
# mtail_local_version: "{{ _installed_version_string.stdout | regex_search(mtail_version_regex, '\\1') | first }}"
# when: mtail_installed
#
#- name: set mtail_local_version to 0
# set_fact:
# mtail_local_version: "0"
# when: not mtail_installed
- name: determine if installed - name: determine if installed
stat: stat:
path: "{{ mtail_bin_path }}/mtail" path: "{{ mtail_bin_path }}/mtail"

18
roles/network/defaults/main.yml
View File

@ -6,6 +6,23 @@ network_netplan_config_path: "{{ network_netplan_etc_path }}/ansible.yaml"
network_netplan_default_config_path: "{{ network_netplan_etc_path }}/01-netcfg.yaml" network_netplan_default_config_path: "{{ network_netplan_etc_path }}/01-netcfg.yaml"
# network_netplan_default_config_state: absent # network_netplan_default_config_state: absent
network_netplan:
network:
version: 2
ethernets:
eth0:
dhcp4: false
dhcp6: false
accept-ra: true
addresses:
- "{{ ansible_default_ipv4.address }}/{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('prefix') }}"
- "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}"
routes:
- to: default
via: "{{ ansible_default_ipv4.gateway }}"
nameservers:
addresses: "{{ network_dns_nameservers }}"
network_interfaces: network_interfaces:
- name: eth0 - name: eth0
inet4: inet4:
@ -15,6 +32,7 @@ network_interfaces:
gateway: "{{ ansible_default_ipv4.gateway }}" gateway: "{{ ansible_default_ipv4.gateway }}"
inet6: inet6:
dhcp: false dhcp: false
accept_ra: true
address: address:
- "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}" - "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}"
gateway: "{{ ansible_default_ipv6.gateway }}" gateway: "{{ ansible_default_ipv6.gateway }}"

8
roles/network/tasks/netplan.yml
View File

@ -5,14 +5,14 @@
state: "{{ network_netplan_default_config_state | default('absent') }}" state: "{{ network_netplan_default_config_state | default('absent') }}"
owner: root owner: root
group: root group: root
mode: 0644 mode: '0400'
notify: netplan apply notify: netplan apply
- name: Configure netplan - name: Configure netplan
ansible.builtin.template: ansible.builtin.copy:
dest: "{{ network_netplan_config_path }}" dest: "{{ network_netplan_config_path }}"
src: netplan.yaml.j2 content: "{{ network_netplan | to_nice_yaml }}"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0400'
notify: netplan apply notify: netplan apply

15
roles/network/templates/netplan.yaml.j2
View File

@ -1,16 +1,19 @@
--- ---
network: network:
version: "{{ network_netplan_version | default(2) }}" version: {{ network_netplan_version | default(2) }}
renderer: "{{ network_netplan_renderer | default("networkd") }}" renderer: {{ network_netplan_renderer | default('networkd') }}
{% if network_interfaces is defined and network_interfaces | length %} {% if network_interfaces is defined and network_interfaces | length %}
ethernets: ethernets:
{% for iface in network_interfaces %} {% for iface in network_interfaces %}
{{ iface['name'] }}: {{ iface['name'] }}:
{% if iface['inet4']['dhcp'] is defined %} {% if iface['inet4']['dhcp'] is defined %}
dhcp4: "{{ iface['inet4']['dhcp'] | ternary('yes', 'no') }}" dhcp4: {{ iface['inet4']['dhcp'] | ternary('true', 'false') }}
{% endif %} {% endif %}
{% if iface['inet4']['dhcp'] is defined %} {% if iface['inet4']['dhcp'] is defined %}
dhcp6: "{{ iface['inet6']['dhcp'] | ternary('yes', 'no') }}" dhcp6: {{ iface['inet6']['dhcp'] | ternary('true', 'false') }}
{% endif %}
{% if iface['inet6']['accept_ra'] is defined %}
accept-ra: {{ iface['inet6']['accept_ra'] | ternary('true', 'false') }}
{% endif %} {% endif %}
{% if iface['inet4']['address'] is defined or iface['inet6']['address'] is defined %} {% if iface['inet4']['address'] is defined or iface['inet6']['address'] is defined %}
addresses: addresses:
@ -22,10 +25,10 @@ network:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if iface['inet4']['gateway'] is defined %} {% if iface['inet4']['gateway'] is defined %}
gateway4: "{{ iface['inet4']['gateway'] }}" gateway4: {{ iface['inet4']['gateway'] }}
{% endif %} {% endif %}
{% if iface['inet6']['gateway'] is defined %} {% if iface['inet6']['gateway'] is defined %}
gateway6: "{{ iface['inet6']['gateway'] }}" gateway6: {{ iface['inet6']['gateway'] }}
{% endif %} {% endif %}
{% if network_dns_nameservers is defined %} {% if network_dns_nameservers is defined %}
nameservers: nameservers:

73
roles/nftables/defaults/main.yaml
View File

@ -36,35 +36,54 @@ nftables_builtin_sets:
- flags interval - flags interval
nftables_input_builtin_rules: nftables_input_builtin_rules:
- type filter hook input priority filter; policy drop; '000 policy':
- ip saddr @blackhole4 drop - type filter hook input priority filter; policy drop;
- ip6 saddr @blackhole6 drop '010 blackhole':
- ct state established,related accept - ip saddr @blackhole4 drop
- ct state invalid drop - ip6 saddr @blackhole6 drop
- iifname "lo" accept '020 related established':
- icmpv6 type $REQUIRED_ICMPV6_TYPES accept - ct state established,related accept
- icmpv6 type echo-request accept - ct state invalid drop
- icmp type echo-request accept '030 loopback':
- tcp dport @tcp_input_accept accept - iifname "lo" accept
- udp dport @udp_input_accept accept '040 icmp':
# this should be last because these ports could be allowed - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
- udp dport $TRACEROUTE_UDP_PORTS reject - icmpv6 type echo-request accept
- icmp type echo-request accept
'050 tcp accept':
- tcp dport @tcp_input_accept accept
'060 udp accept':
- udp dport @udp_input_accept accept
'999 traceroute':
# this should be last because these ports could be allowed
- udp dport $TRACEROUTE_UDP_PORTS reject
nftables_forward_builtin_rules: nftables_forward_builtin_rules:
- type filter hook forward priority filter; policy drop; '000 policy':
- ct state { established, related } accept - type filter hook forward priority filter; policy drop;
'010 related established':
- ct state { established, related } accept
nftables_output_builtin_rules: nftables_output_builtin_rules:
- type filter hook output priority filter; policy accept; '000 policy':
- ip daddr @blackhole4 drop - type filter hook output priority filter; policy accept;
- ip6 daddr @blackhole6 drop '010 blackhole':
- ct state { established, related } accept - ip daddr @blackhole4 drop
- ip6 daddr @blackhole6 drop
'020 related established':
- ct state { established, related } accept
# nftables_sets: nftables_defines:
# {} {}
#
# nftables_input_rules: nftables_sets:
# [] {}
#
# nftables_output_rules: nftables_input_rules:
# [] {}
nftables_forward_rules:
{}
nftables_output_rules:
{}

81
roles/nftables/templates/nftables.conf.j2
View File

@ -1,82 +1,53 @@
{% set combined_defines = [ nftables_builtin_defines, nftables_defines ] | combine %}
{% set combined_sets = [ nftables_builtin_sets, nftables_sets ] | combine %}
{% set combined_input_rules = [ nftables_input_builtin_rules, nftables_input_rules ] | combine %}
{% set combined_forward_rules = [ nftables_forward_builtin_rules, nftables_forward_rules ] | combine %}
{% set combined_output_rules = [ nftables_output_builtin_rules, nftables_output_rules ] | combine %}
table inet filter { table inet filter {
{% if nftables_builtin_defines is mapping %} {% for name, cfg in combined_defines.items() %}
{% for name, cfg in nftables_builtin_defines.items() %} {% if cfg is string or cfg is number %}
{% if cfg is string %}
define {{ name }} = {{ cfg }} define {{ name }} = {{ cfg }}
{% elif cfg is sequence %} {% elif cfg is sequence %}
define {{ name }} = { define {{ name }} = {
{% for elem in cfg %} {% for elem in cfg %}
{{ elem }}, {{ elem }},
{% endfor %}
}
{% endif %}
{% endfor %} {% endfor %}
{% endif %}
{% if nftables_defines is mapping %}
{% for name, cfg in nftables_defines.items() %}
define {{ name }} = {
{% for elem in cfg %}
{{ elem }},
{% endfor %}
} }
{% endfor %} {% endif %}
{% endif %} {% endfor %}
{% if nftables_builtin_sets is mapping %} {% for name, cfg in combined_sets.items() %}
{% for name, cfg in nftables_builtin_sets.items() %}
set {{ name }} { set {{ name }} {
{% for elem in cfg %} {% for elem in cfg %}
{{ elem }} {{ elem }}
{% endfor %}
}
{% endfor %} {% endfor %}
{% endif %}
{% if nftables_sets is mapping %}
{% for name, cfg in nftables_sets.items() %}
set {{ name }} {
{% for elem in cfg %}
{{ elem }}
{% endfor %}
} }
{% endfor %} {% endfor %}
{% endif %}
chain input { chain input {
{% if nftables_input_builtin_rules is sequence %} {% for comment, rules in combined_input_rules.items() %}
{% for rule in nftables_input_builtin_rules %} # {{ comment }}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endif %} {% endfor %}
{% if nftables_input_rules is sequence %}
{% for rule in nftables_input_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
chain forward { chain forward {
{% if nftables_forward_builtin_rules is sequence %} {% for comment, rules in combined_forward_rules.items() %}
{% for rule in nftables_forward_builtin_rules %} # {{ comment }}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endif %} {% endfor %}
{% if nftables_forward_rules is sequence %}
{% for rule in nftables_forward_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
chain output { chain output {
{% if nftables_output_builtin_rules is sequence %} {% for comment, rules in combined_output_rules.items() %}
{% for rule in nftables_output_builtin_rules %} # {{ comment }}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endif %} {% endfor %}
{% if nftables_output_rules is sequence %}
{% for rule in nftables_output_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
} }

8
roles/prometheus/templates/nginx.conf.j2
View File

@ -38,10 +38,13 @@ server {
{% if prometheus_ssl_enabled is defined and {% if prometheus_ssl_enabled is defined and
prometheus_ssl_enabled %} prometheus_ssl_enabled %}
server { server {
listen 443 ssl http2; listen 443 ssl;
{% if ansible_all_ipv6_addresses | length %} {% if ansible_all_ipv6_addresses | length %}
listen [::]:443 ssl http2; listen [::]:443 ssl;
{% endif %} {% endif %}
http2 on;
server_name {{ prometheus_hostname }}; server_name {{ prometheus_hostname }};
auth_basic "Prometheus"; auth_basic "Prometheus";
@ -73,6 +76,7 @@ server {
} }
location / { location / {
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
return 301 /prometheus/; return 301 /prometheus/;
} }
} }

14
roles/promtail/templates/promtail.service.j2
View File

@ -1,19 +1,19 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
[Unit] [Unit]
Description=Loki Description=Promtail service
After=network-online.target After=network.target
[Service] [Service]
Type=simple Type=simple
User={{ promtail_user }} User={{ promtail_user }}
Group={{ promtail_group }}
ExecStart={{ promtail_bin_path }}/promtail \ ExecStart={{ promtail_bin_path }}/promtail \
-config.file {{ promtail_config_path }} -config.file {{ promtail_config_path }} \
-client.external-labels=host=%l
WorkingDirectory={{ promtail_var_path }} WorkingDirectory={{ promtail_var_path }}
TimeoutSec = 60
Restart=always Restart=on-failure
RestartSec=1 RestartSec=2
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

36
roles/restic/defaults/main.yaml
View File

@ -1,12 +1,34 @@
--- ---
restic_service_name: restic.service restic_go_arch_map:
restic_service_state: started i386: '386'
restic_service_enabled: yes x86_64: 'amd64'
restic_go_arch: "{{ restic_go_arch_map[ansible_architecture] | default('amd64') }}"
restic_version_regex: ^restic ([\d.]+)
restic_checksum_algo: sha256
restic_github_rel_path: restic/restic
restic_github_project_url: "https://github.com/{{ restic_github_rel_path }}"
restic_release_file: "restic_{{ restic_version }}_{{ ansible_system | lower }}_{{ restic_go_arch }}.bz2"
restic_release_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_release_file }}"
restic_checksum_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_checksum_algo | upper }}SUMS"
restic_download_path: "/tmp/{{ restic_release_file }}"
restic_unarchive_dest_path: /tmp
restic_extracted_path: "{{ restic_download_path | replace('.bz2', '') }}"
restic_binaries:
- restic
# restic_arch: amd64
# restic_version: 0.15.2
# restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
# restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
# restic_bin_path: /usr/local/bin
# restic_etc_path: /etc/restic
# restic_path: "{{ restic_bin_path }}/restic"
# restic_self_update: true
restic_arch: amd64
restic_version: 0.14.0
restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
restic_bin_path: /usr/local/bin restic_bin_path: /usr/local/bin
restic_etc_path: /etc/restic restic_etc_path: /etc/restic
restic_path: "{{ restic_bin_path }}/restic" restic_path: "{{ restic_bin_path }}/restic"

4
roles/restic/files/hooks/gitea.sh
View File

@ -9,7 +9,7 @@ GITEA_CONFIG=${GITEA_CONFIG:-/etc/gitea/app.ini}
GITEA_WORK_PATH=${GITEA_WORK_PATH:-/var/lib/gitea} GITEA_WORK_PATH=${GITEA_WORK_PATH:-/var/lib/gitea}
GITEA_CUSTOM_PATH=${GITEA_CUSTOM_PATH:-$GITEA_WORK_PATH/custom} GITEA_CUSTOM_PATH=${GITEA_CUSTOM_PATH:-$GITEA_WORK_PATH/custom}
GITEA_BACKUP_PATH=${GITEA_BACKUP_PATH:-$GITEA_WORK_PATH/backup} GITEA_BACKUP_PATH=${GITEA_BACKUP_PATH:-$GITEA_WORK_PATH/backup}
GITEA_KEEP_DAYS=${GITEA_KEEP_DAYS:-2} GITEA_KEEP_HOURS=${GITEA_KEEP_HOURS:-12}
prereq() { prereq() {
if ! systemctl list-units --full --all | grep -Fq "gitea.service"; then if ! systemctl list-units --full --all | grep -Fq "gitea.service"; then
@ -41,7 +41,7 @@ main() {
find "$GITEA_BACKUP_PATH" \ find "$GITEA_BACKUP_PATH" \
-type f \ -type f \
-name '*.zip' \ -name '*.zip' \
-mtime "+$GITEA_KEEP_DAYS" \ -mmin +$((GITEA_KEEP_HOURS * 60)) \
-delete -delete
fi fi
} }

4
roles/restic/files/restic-job.sh
View File

@ -73,6 +73,10 @@ fi
START="$(date +%s)" START="$(date +%s)"
if [[ -n "$($RESTIC_PATH list locks -q)" ]]; then
error_exit "repo is locked"
fi
if [ -f "$LOCK" ]; then if [ -f "$LOCK" ]; then
pid=$(cat "$LOCK") pid=$(cat "$LOCK")
if ! kill -0 "$pid" 2> /dev/null; then if ! kill -0 "$pid" 2> /dev/null; then

25
roles/restic/tasks/install.yaml Normal file
View File

@ -0,0 +1,25 @@
---
- block:
- name: download
get_url:
url: "{{ restic_release_url }}"
dest: "{{ restic_download_path }}"
checksum: "{{ restic_checksum }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
command:
cmd: "bunzip2 -f -k {{ restic_download_path }}"
- name: install binaries
copy:
src: "{{ restic_extracted_path }}"
dest: "{{ restic_path }}"
owner: root
group: root
mode: 0755
remote_src: true
when: restic_version != restic_local_version

29
roles/restic/tasks/main.yaml
View File

@ -23,35 +23,10 @@
paths: paths:
- tasks - tasks
- name: "download restic {{ restic_version }}" - ansible.builtin.include_tasks: pre.yaml
get_url:
url: "{{ restic_url }}"
checksum: "{{ restic_checksum }}"
dest: "{{ restic_path }}.bz2"
owner: root
group: root
mode: 0400
register: dl
- name: determine if restic exists - ansible.builtin.include_tasks: install.yaml
stat:
path: "{{ restic_path }}"
register: st
- name: decompress restic
command:
cmd: "bunzip2 -k {{ restic_path }}.bz2"
creates: "{{ restic_path }}"
when: dl.changed or not st.stat.exists
#notify:
# - restart restic
- name: manage restic attributes
file:
path: "{{ restic_path }}"
owner: root
group: root
mode: 0755
- name: create etc tree - name: create etc tree
file: file:

59
roles/restic/tasks/pre.yaml Normal file
View File

@ -0,0 +1,59 @@
---
- name: determine if installed
stat:
path: "{{ restic_bin_path }}/restic"
register: st
- name: set restic_installed
set_fact:
restic_installed: "{{ st.stat.exists | bool }}"
- block:
- name: determine latest version
uri:
url: "https://api.github.com/repos/{{ restic_github_rel_path }}/releases/latest"
return_content: true
body_format: json
register: _latest_version
until: _latest_version.status == 200
retries: 3
- name: set restic_version
set_fact:
restic_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
- block:
- name: determine installed version
command: "{{ restic_bin_path }}/restic version"
register: _installed_version_string
changed_when: false
- name: set restic_local_version
set_fact:
restic_local_version: "{{ _installed_version_string.stdout | regex_search(restic_version_regex, '\\1') | first }}"
rescue:
- name: set restic_local_version
set_fact:
restic_local_version: "{{ _installed_version_string.stderr | regex_search(restic_version_regex, '\\1') | first }}"
when: restic_installed
- name: set restic_local_version to 0
set_fact:
restic_local_version: "0"
when: not restic_installed
- block:
- name: get checksums
set_fact:
_checksums: "{{ lookup('url', restic_checksum_url, wantlist=True) }}"
- name: debug
debug:
msg: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
loop: "{{ _checksums }}"
- name: set restic_checksum
set_fact:
restic_checksum: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
loop: "{{ _checksums }}"
when: "restic_release_file in item"

102
roles/snmp_exporter/defaults/main.yaml Normal file
View File

@ -0,0 +1,102 @@
---
snmp_exporter_go_arch_map:
i386: '386'
x86_64: 'amd64'
snmp_exporter_go_arch: "{{ snmp_exporter_go_arch_map[ansible_architecture] | default('amd64') }}"
snmp_exporter_version: 0.25.0
snmp_exporter_checksums:
snmp_exporter-0.25.0.aix-ppc64.tar.gz: sha256:457524708e136a1c559567eb5170352b25591d33646ad85940f4692b13de8208
snmp_exporter-0.25.0.darwin-amd64.tar.gz: sha256:83f820691ec4013614c5e8771c37741ba7732a41f01ac4675428a95cf50785db
snmp_exporter-0.25.0.darwin-arm64.tar.gz: sha256:2de16c8ab56c96721ba71ce7b16cdcfaced50f0f7e78fc7ded1747017717a953
snmp_exporter-0.25.0.dragonfly-amd64.tar.gz: sha256:a17a8277a134d0f3f5913fdb89b3218e308c01c0749e4b1fe6eff860216c3f06
snmp_exporter-0.25.0.freebsd-386.tar.gz: sha256:dc5bb9943ce5abfc4610eb51b98d21754333828acd17e1058f4979dec83ec4bd
snmp_exporter-0.25.0.freebsd-amd64.tar.gz: sha256:65c527a32426b781968ee2b1ed9b13542f3333b2f60941ed7261c578d3a19515
snmp_exporter-0.25.0.freebsd-arm64.tar.gz: sha256:3ce5dd7c205e148eceef20d4a7f6042b49874d37b2f84cea1ad2b41a7adf27cc
snmp_exporter-0.25.0.freebsd-armv6.tar.gz: sha256:fecd7b648de5818f445ee3543b3a0e16090419b83481cb9268f1b070515f4719
snmp_exporter-0.25.0.freebsd-armv7.tar.gz: sha256:2750f4d469145a4e9bcf3ae2cf47c3a379581359c224fa3860d88a7671208fe0
snmp_exporter-0.25.0.illumos-amd64.tar.gz: sha256:71fbd5973d2b9e06e63728490e820fe5e33f27333a54dcb6b42d152d3cf36d2f
snmp_exporter-0.25.0.linux-386.tar.gz: sha256:a78577d5651557a67973363a87db3755170e61a79c8d698f14bc72cde3205e1a
snmp_exporter-0.25.0.linux-amd64.tar.gz: sha256:de206a27466656e8b4948ef66dd57cc80c5511ccd285b231fde4e044534db625
snmp_exporter-0.25.0.linux-arm64.tar.gz: sha256:d61a38544598921067b546cbdca2cce0165fede0414b2dd769e11b09037164ca
snmp_exporter-0.25.0.linux-armv5.tar.gz: sha256:a86cae97116524fc2479bbef211931ca375d78479a276f1c99e4a2ee033d54aa
snmp_exporter-0.25.0.linux-armv6.tar.gz: sha256:fed73deb4b2864b9793f07679308117e2b9568e08cf993c640b9fd9a534f2508
snmp_exporter-0.25.0.linux-armv7.tar.gz: sha256:ff4ce9ac6f8f489d40d2319ea07428cb58bc6b49ad5cc0054d7475a71b1a68bb
snmp_exporter-0.25.0.linux-mips.tar.gz: sha256:616f7d9a798425864852bf8acef1d1fde38e6c85cbc2b6fd176f5bad5aa2ce79
snmp_exporter-0.25.0.linux-mips64.tar.gz: sha256:4d7cf894079593e4ae4eba9c10f740514d3defe0ebc362953ffa6ba2ccb93127
snmp_exporter-0.25.0.linux-mips64le.tar.gz: sha256:ea3e346a702729daa2a4acb9389cc2fe95549afd6aa5806c173ae0b21340ea0c
snmp_exporter-0.25.0.linux-mipsle.tar.gz: sha256:b6fedb56c0ac64b87ec808448ef113bb3a44049d41a70c35004e0e05204a9ba7
snmp_exporter-0.25.0.linux-ppc64.tar.gz: sha256:6b6c67ba8e49e1e3e247799f151b74bf1cb6cb65d9e4efcf8c6d0eefa6467dbe
snmp_exporter-0.25.0.linux-ppc64le.tar.gz: sha256:b345a5b6808627ca119267f53b4d4835fc831cdbe25922359637b8068b6d2722
snmp_exporter-0.25.0.linux-riscv64.tar.gz: sha256:6f3659115b78f05349ce1cc61d17c03e7dbb5830d6a4f13433028efe198e4a66
snmp_exporter-0.25.0.linux-s390x.tar.gz: sha256:8a428c63081efee2d15df508c7da5588cc6582a3254561c2ddbd9898520d247e
snmp_exporter-0.25.0.netbsd-386.tar.gz: sha256:3b56b8feba1119737fe167db47afb2d53179f03fd1ed2c97a02745486cf78e9d
snmp_exporter-0.25.0.netbsd-amd64.tar.gz: sha256:e1e2f82047ec726be64434d45e4d18cff45bf739c8ac7ffcd39d2680148be4f6
snmp_exporter-0.25.0.netbsd-arm64.tar.gz: sha256:f1be651984a8aa9fb2793358545da1351cb66c0f94abfa67d97003276aeb64cb
snmp_exporter-0.25.0.netbsd-armv6.tar.gz: sha256:d250a3cdd4d6fb572ed740c7f800f2aaa11350294d9275e4054c39bcfed86710
snmp_exporter-0.25.0.netbsd-armv7.tar.gz: sha256:0ecc87cc94c6e4f9444e5a508bb3f848753eae551f38715d90531626a09eb21b
snmp_exporter-0.25.0.openbsd-386.tar.gz: sha256:93f600e3c8e51c9e4fe2888a6fcac28b6bf4128ff90cf833938c25fcd607d731
snmp_exporter-0.25.0.openbsd-amd64.tar.gz: sha256:68b5b7bf8903e02636ea1145a313bad6316950116c7dbcb8e62214acafb76a64
snmp_exporter-0.25.0.openbsd-arm64.tar.gz: sha256:ca0ff15972207d7efb0ec08ca3c74ab1940dd780430ebe409214ca6261b4a521
snmp_exporter-0.25.0.openbsd-armv7.tar.gz: sha256:094072fcc645e170fbcf617f86f41f35781f6eff83c2a5f3a4327b55c3aae6ba
snmp_exporter-0.25.0.windows-386.tar.gz: sha256:feb0eae7fdbff7d96eb489a61e7d4cb6f9065d84e80c5e0f6331893dd3c5e37a
snmp_exporter-0.25.0.windows-386.zip: sha256:10cb099383f990303ba293343a98377aabb0575f5d87b8702cd366bd787293b9
snmp_exporter-0.25.0.windows-amd64.tar.gz: sha256:78398d2553548f21eaf8920daf86df15865e7c4a93351be01abb10cc2508cc8c
snmp_exporter-0.25.0.windows-amd64.zip: sha256:b0872fc2d2cebc60244220c3412185a45b72ac56f2cb36f1e4f35d42e830de2d
snmp_exporter-0.25.0.windows-arm64.tar.gz: sha256:e3122f902b714b908884fb10fff61e93960c1ce1a1491d21d7be736ac6c9f833
snmp_exporter-0.25.0.windows-arm64.zip: sha256:f3465c09e7a28ced47b15da368074b7df6d610e4c82ea6ae647d916abb541dc8
snmp_exporter_github_rel_path: prometheus/snmp_exporter
snmp_exporter_github_project_url: "https://github.com/{{ snmp_exporter_github_rel_path }}"
snmp_exporter_release_file: "snmp_exporter-{{ snmp_exporter_version }}.{{ ansible_system | lower }}-{{ snmp_exporter_go_arch }}.tar.gz"
snmp_exporter_release_url: "{{ snmp_exporter_github_project_url }}/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_release_file }}"
snmp_exporter_download_path: "/tmp/{{ snmp_exporter_release_file }}"
snmp_exporter_opt_dir_path: "/opt/snmp_exporter-{{ snmp_exporter_version }}"
snmp_exporter_unarchive_dest_path: /tmp/
snmp_exporter_extracted_path: "/tmp/{{ snmp_exporter_release_file | replace('.tar.gz', '') }}"
snmp_exporter_binaries:
- snmp_exporter
snmp_exporter_user_name: snmp_exporter
snmp_exporter_user_shell: /usr/sbin/nologin
snmp_exporter_user_home: "{{ snmp_exporter_var_dir_path }}"
snmp_exporter_group_name: snmp_exporter
snmp_exporter_bin_dir_path: /usr/local/bin
snmp_exporter_bin_path: "{{ snmp_exporter_bin_dir_path }}/snmp_exporter"
snmp_exporter_etc_dir_path: /etc/snmp_exporter
snmp_exporter_etc_dir_path_owner: "{{ snmp_exporter_user_name }}"
snmp_exporter_etc_dir_path_group: "{{ snmp_exporter_group_name }}"
snmp_exporter_etc_dir_path_mode: 0500
snmp_exporter_etc_dir_path_state: directory
snmp_exporter_var_dir_path: /var/lib/snmp_exporter
snmp_exporter_var_dir_path_owner: "{{ snmp_exporter_user_name }}"
snmp_exporter_var_dir_path_group: "{{ snmp_exporter_group_name }}"
snmp_exporter_var_dir_path_mode: 0500
snmp_exporter_var_dir_path_state: directory
snmp_exporter_config_file_path: "{{ snmp_exporter_etc_dir_path }}/snmp.yml"
snmp_exporter_config_file_template_src: snmp.yml.j2
snmp_exporter_config_file_template_dest: "{{ snmp_exporter_config_file_path }}"
snmp_exporter_config_file_template_owner: "{{ snmp_exporter_user_name }}"
snmp_exporter_config_file_template_group: "{{ snmp_exporter_group_name }}"
snmp_exporter_config_file_template_mode: 0400
snmp_exporter_bin_args:
- "--config.file={{ snmp_exporter_config_file_path }}"
- "--snmp.module-concurrency={{ ansible_processor_vcpus }}"
snmp_exporter_service_name: snmp_exporter.service
snmp_exporter_service_enabled: true
snmp_exporter_service_state: started
snmp_exporter_service_template_src: "{{ snmp_exporter_service_name }}.j2"
snmp_exporter_service_template_dest: "/etc/systemd/system/{{ snmp_exporter_service_name }}"
snmp_exporter_service_template_owner: root
snmp_exporter_service_template_group: root
snmp_exporter_service_template_mode: 0444

6
roles/snmp_exporter/handlers/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart snmp_exporter
systemd:
name: "{{ snmp_exporter_service_name }}"
daemon_reload: true
state: restarted

55
roles/snmp_exporter/tasks/configure.yaml Normal file
View File

@ -0,0 +1,55 @@
---
- name: create group
ansible.builtin.group:
name: "{{ snmp_exporter_group_name }}"
system: true
- name: create user
ansible.builtin.user:
name: "{{ snmp_exporter_user_name }}"
shell: "{{ snmp_exporter_user_shell }}"
home: "{{ snmp_exporter_user_home }}"
system: true
group: "{{ snmp_exporter_group_name }}"
- name: create var path
ansible.builtin.file:
path: "{{ snmp_exporter_var_dir_path }}"
owner: "{{ snmp_exporter_var_dir_path_owner }}"
group: "{{ snmp_exporter_var_dir_path_group }}"
mode: "{{ snmp_exporter_var_dir_path_mode }}"
state: "{{ snmp_exporter_var_dir_path_state }}"
- name: create etc path
ansible.builtin.file:
path: "{{ snmp_exporter_etc_dir_path }}"
owner: "{{ snmp_exporter_etc_dir_path_owner }}"
group: "{{ snmp_exporter_etc_dir_path_group }}"
mode: "{{ snmp_exporter_etc_dir_path_mode }}"
state: "{{ snmp_exporter_etc_dir_path_state }}"
- name: configure
ansible.builtin.template:
src: "{{ snmp_exporter_config_file_template_src }}"
dest: "{{ snmp_exporter_config_file_template_dest }}"
owner: "{{ snmp_exporter_config_file_template_owner }}"
group: "{{ snmp_exporter_config_file_template_group }}"
mode: "{{ snmp_exporter_config_file_template_mode }}"
notify:
- restart snmp_exporter
- name: configure systemd unit
ansible.builtin.template:
src: "{{ snmp_exporter_service_template_src }}"
dest: "{{ snmp_exporter_service_template_dest }}"
owner: "{{ snmp_exporter_service_template_owner }}"
group: "{{ snmp_exporter_service_template_group }}"
mode: "{{ snmp_exporter_service_template_mode }}"
notify:
- restart snmp_exporter
- name: manage service
ansible.builtin.service:
name: "{{ snmp_exporter_service_name }}"
enabled: "{{ snmp_exporter_service_enabled | default(true) }}"
state: "{{ snmp_exporter_service_state | default('started') }}"

0
roles/snmp_exporter/tasks/default.yaml Normal file
View File

56
roles/snmp_exporter/tasks/install.yaml Normal file
View File

@ -0,0 +1,56 @@
---
- name: determine install status
ansible.builtin.stat:
path: "{{ snmp_exporter_opt_dir_path }}/snmp_exporter"
register: st
- name: create opt path
ansible.builtin.file:
path: "{{ snmp_exporter_opt_dir_path }}"
owner: root
group: root
mode: 0755
state: directory
- block:
- name: download
ansible.builtin.get_url:
url: "{{ snmp_exporter_release_url }}"
dest: "{{ snmp_exporter_download_path }}"
checksum: "{{ snmp_exporter_checksums[snmp_exporter_release_file] }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
ansible.builtin.unarchive:
src: "{{ snmp_exporter_download_path }}"
dest: "{{ snmp_exporter_unarchive_dest_path }}"
remote_src: true
- name: install
ansible.builtin.copy:
src: "{{ snmp_exporter_extracted_path }}/{{ item }}"
dest: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
remote_src: true
loop: "{{ snmp_exporter_binaries }}"
when: not st.stat.exists
- name: permissions
ansible.builtin.file:
path: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
owner: root
group: root
mode: 0755
loop: "{{ snmp_exporter_binaries }}"
- name: symlink
ansible.builtin.file:
src: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0755
state: link
loop: "{{ snmp_exporter_binaries }}"

28
roles/snmp_exporter/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

27498
roles/snmp_exporter/templates/snmp.yml.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

21
roles/snmp_exporter/templates/snmp_exporter.service.j2 Normal file
View File

@ -0,0 +1,21 @@
# {{ ansible_managed }}
[Unit]
Description=SNMP Exporter
After=network-online.target
[Service]
User={{ snmp_exporter_user_name }}
Restart=on-failure
ExecStart={{ snmp_exporter_bin_path }} \
{% for arg in snmp_exporter_bin_args %}
{{ arg }} {% if not loop.last %}\{{ "\n"}}{% endif %}
{% if loop.last %}
{% endif %}
{% endfor %}
WorkingDirectory={{ snmp_exporter_var_dir_path }}
[Install]
WantedBy=multi-user.target

0
roles/snmp_exporter/vars/default.yaml Normal file
View File

2
roles/util/defaults/main.yaml
View File

@ -42,7 +42,7 @@ util_packages:
- p7zip - p7zip
- p7zip-full - p7zip-full
- pigz - pigz
- pxz - pixz
- zstd - zstd
- pbzip2 - pbzip2
- pv - pv