ryanc/ansible
1
0
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

Compare commits

base: ryanc:b685c1027e2e6537d9b654208d32809479dc4f8b
Branches Tags
ryanc:master
...
compare: ryanc:b02da06c973aa449ec522ed6808dcc8d9dfad990
Branches Tags
ryanc:master

9 Commits
b685c1027e ... b02da06c97

Author SHA1 Message Date
Ryan Cavicchioni
b02da06c97 Add roles for lego, logcli, mimir, process_exporter, smokeping_prober, and vector 2024-04-14 17:13:06 -05:00
Ryan Cavicchioni
ce692e4560
Add nftables role 2022-09-04 08:59:28 -05:00
Ryan Cavicchioni
42ba49c865
common: refactor 2022-09-01 17:12:52 -05:00
Ryan Cavicchioni
4b581b8a78
restic: remove tidy job 2022-09-01 16:42:00 -05:00
Ryan Cavicchioni
132b6d800a
Remove Python 2 packages 2022-09-01 16:41:35 -05:00
Ryan Cavicchioni
2483542b98
prometheus: scrape Grafana stats 2022-09-01 16:40:12 -05:00
Ryan Cavicchioni
dae13299e0
Remove DNS zones 2022-09-01 16:39:51 -05:00
Ryan Cavicchioni
36a2d3542c
Remove name server roles 2022-09-01 16:39:28 -05:00
Ryan Cavicchioni
3fc613fe2b
grafana: add default.yaml 2022-09-01 16:37:15 -05:00
81 changed files with 1658 additions and 210 deletions
Show Stats Expand all files Collapse all files

18
files/nsd/zones/cavi.cc.zone
View File

@ -1,18 +0,0 @@
; cavi.cc [320470]
$TTL 86400
@ IN SOA ns1.linode.com. hostmaster.kill0.net. 2022020501 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ MX 10 in1-smtp.messagingengine.com.
@ MX 20 in2-smtp.messagingengine.com.
@ TXT "v=spf1 include:spf.messagingengine.com -all"
default._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY8s2MeBFqZIwItrdDo4J0N0AIoNtf7Ui6jtyIqqs2if2D1h3Ee37McBxZhJ79TX3TZyXci/G0+DZm/F9w2Ye703JNmgjSo6V1fx3MMZicohnTwYs3yQScdWNjJ8ML6SEJtveIjIws2CQ4/Y8J3f6ilWh2OAUrRIAg2u/BV5odgwIDAQAB"
mesmtp._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUDHvhiTIEgdxTfvcrL1znWbMBWC10L8enkWJmatLs1vGkEQkNbaK55aO3wDwuVZq9f2KmcEUA/GRUOJQy3XGu1xgPjVmR6Hqbx4ygjoAcMm8UfNc7UA8deKV8qCGEF2ag82n9LpDYcEQSehC/kE4bbUFaZk3FMUdTwMu5vB0vVQIDAQAB"
_dmarc TXT "v=DMARC1; p=reject; adkim=s; aspf=s"
@ A 45.33.21.121
@ AAAA 2600:3c00::f03c:92ff:feb0:e05c
www A 45.33.21.121
www AAAA 2600:3c00::f03c:92ff:feb0:e05c

12
files/nsd/zones/chill9.com.zone
View File

@ -1,12 +0,0 @@
; chill9.com [726945]
$TTL 86400
@ IN SOA ns1.linode.com. hostmaster.kill0.net. 2022051201 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ A 45.33.21.121
@ AAAA 2600:3c00::f03c:92ff:feb0:e05c
www A 45.33.21.121
www AAAA 2600:3c00::f03c:92ff:feb0:e05c

12
files/nsd/zones/chill9.net.zone
View File

@ -1,12 +0,0 @@
; chill9.net [726945]
$TTL 86400
@ IN SOA ns1.linode.com. hostmaster.kill0.net. 2022051201 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ A 45.33.21.121
@ AAAA 2600:3c00::f03c:92ff:feb0:e05c
www A 45.33.21.121
www AAAA 2600:3c00::f03c:92ff:feb0:e05c

12
files/nsd/zones/confabulator.net.zone
View File

@ -1,12 +0,0 @@
; confabulator.net [307550]
$TTL 86400
@ IN SOA ns1.linode.com. hostmaster.kill0.net. 2022051201 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ A 45.33.21.121
@ AAAA 2600:3c00::f03c:92ff:feb0:e05c
www A 45.33.21.121
www AAAA 2600:3c00::f03c:92ff:feb0:e05c

16
files/nsd/zones/ctrl-v.org.zone
View File

@ -1,16 +0,0 @@
; ctrl-v.org [687762]
$TTL 86400
@ IN SOA ns1.linode.com. hostmaster.kill0.net. 2022051201 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ MX 10 in1-smtp.messagingengine.com.
@ MX 20 in2-smtp.messagingengine.com.
@ TXT "v=spf1 include:spf.messagingengine.com include:mailgun.org -all"
mesmtp._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8ihB/cUM+FkgYv5MPoZQQQLLFfu77bPYgQv64g1xjNw0c3jmHMKjQ51zW5lbvu/DAwKxtZqHjnruyvcLzRGcWzeV8udk88l+DuskTbIAYn0U5tU0fzTRwiARz4flik+JQtA0P+jvK5jCjmmEHpz6QUa+UN6rZKpz1jB3SgXXbpwIDAQAB"
@ A 45.33.21.121
@ AAAA 2600:3c00::f03c:92ff:feb0:e05c
www A 45.33.21.121
www AAAA 2600:3c00::f03c:92ff:feb0:e05c

12
files/nsd/zones/kill0.com.zone
View File

@ -1,12 +0,0 @@
; kill0.com [726945]
$TTL 86400
@ IN SOA ns1.linode.com. hostmaster.kill0.net. 2022051201 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ A 45.33.21.121
@ AAAA 2600:3c00::f03c:92ff:feb0:e05c
www A 45.33.21.121
www AAAA 2600:3c00::f03c:92ff:feb0:e05c

27
files/nsd/zones/kill0.net.zone
View File

@ -1,27 +0,0 @@
; kill0.net [726944]
$TTL 86400
@ SOA ns1.linode.com. hostmaster.kill0.net. 2022053101 14400 14400 1209600 86400
@ NS ns1.linode.com.
@ NS ns2.linode.com.
@ NS ns3.linode.com.
@ NS ns4.linode.com.
@ NS ns5.linode.com.
@ MX 10 in1-smtp.messagingengine.com.
@ MX 20 in2-smtp.messagingengine.com.
@ TXT "v=spf1 include:mailgun.org ~all"
mailo._domainkey TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7bl1IcQTV0h6yK7wAsuLqj6LjlTxL1ktnGMdeC+J0hlDOHQPey7XEjL9Hj1Ye55Fu1cyBNx7eYn/mLZgiuGu9MccbgIyzRasP1DHG2mQ9omi8z7igesKtRaasyJ4EM6oM3BNSmDneVcInxOUa+6E9fJCesT+X3Flf8XEvuV3gowIDAQAB"
jump0 A 45.33.21.121
jump1 A 198.58.98.26
mine0 A 173.255.193.88
vpn-home 300 A 98.52.91.99
vpn-jump0 A 45.33.21.121
jump0 AAAA 2600:3c00::f03c:92ff:feb0:e05c
jump1 AAAA 2600:3c00::f03c:93ff:feac:0daf
mine0 AAAA 2600:3c00::f03c:92ff:fe70:d8d1
git CNAME jump0.kill0.net.
monitor CNAME jump0.kill0.net.
ping CNAME jump0.kill0.net.
stats CNAME jump0.kill0.net.
dl CNAME jump0.kill0.net.
ping-home 300 A 98.52.91.99
ping-home 300 AAAA 2001:558:6033:96:4ea:10a5:9c40:3d9f

5
group_vars/monitor_servers/main.yaml
View File

@ -169,6 +169,11 @@ prometheus_config:
static_configs: static_configs:
- targets: - targets:
- "localhost:10912" - "localhost:10912"
- job_name: grafana
scrape_interval: 5s
static_configs:
- targets:
- "localhost:3002"
rule_files: rule_files:
- rules.yaml - rules.yaml

57
group_vars/name_servers/main.yaml
View File

@ -1,57 +0,0 @@
---
nsd_linode_xfr:
- "{{ lookup('dig', 'axfr1.linode.com.') }}"
- "{{ lookup('dig', 'axfr2.linode.com.') }}"
- "{{ lookup('dig', 'axfr3.linode.com.') }}"
- "{{ lookup('dig', 'axfr4.linode.com.') }}"
- "{{ lookup('dig', 'axfr5.linode.com.') }}"
- "{{ lookup('dig', 'axfr1.linode.com./AAAA') }}"
- "{{ lookup('dig', 'axfr2.linode.com./AAAA') }}"
- "{{ lookup('dig', 'axfr3.linode.com./AAAA') }}"
- "{{ lookup('dig', 'axfr4.linode.com./AAAA') }}"
- "{{ lookup('dig', 'axfr5.linode.com./AAAA') }}"
nsd_provide_xfr:
- "{{ lookup('dig', 'axfr1.linode.com.') }} NOKEY"
- "{{ lookup('dig', 'axfr2.linode.com.') }} NOKEY"
- "{{ lookup('dig', 'axfr3.linode.com.') }} NOKEY"
- "{{ lookup('dig', 'axfr4.linode.com.') }} NOKEY"
- "{{ lookup('dig', 'axfr5.linode.com.') }} NOKEY"
- "{{ lookup('dig', 'axfr1.linode.com./AAAA') }} NOKEY"
- "{{ lookup('dig', 'axfr2.linode.com./AAAA') }} NOKEY"
- "{{ lookup('dig', 'axfr3.linode.com./AAAA') }} NOKEY"
- "{{ lookup('dig', 'axfr4.linode.com./AAAA') }} NOKEY"
- "{{ lookup('dig', 'axfr5.linode.com./AAAA') }} NOKEY"
firewall_dns_whitelist: "{{ nsd_linode_xfr }}"
firewall_ipset_dns: "{{ nsd_linode_xfr }}"
nsd_zones:
- name: cavi.cc
zonefile: cavi.cc.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"
- name: kill0.net
zonefile: kill0.net.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"
- name: kill0.com
zonefile: kill0.com.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"
- name: chill9.com
zonefile: chill9.com.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"
- name: chill9.net
zonefile: chill9.net.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"
- name: confabulator.net
zonefile: confabulator.net.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"
- name: ctrl-v.org
zonefile: ctrl-v.org.zone
provide-xfr: "{{ nsd_provide_xfr }}"
notify: "{{ nsd_provide_xfr }}"

3
inventory.yaml
View File

@ -21,9 +21,6 @@ all:
monitor_servers: monitor_servers:
hosts: hosts:
jump0.kill0.net jump0.kill0.net
name_servers:
hosts:
jump0.kill0.net
linode: linode:
hosts: hosts:
mine0.kill0.net: mine0.kill0.net:

7
playbook.yaml
View File

@ -3,13 +3,13 @@
become: true become: true
roles: roles:
- common - common
- network
- util - util
- sudo - sudo
- hostsfile - hostsfile
- certs - certs
- rsyslog - rsyslog
- users - users
- network
- dns - dns
- firewall - firewall
- openssh - openssh
@ -42,7 +42,6 @@
roles: roles:
- nginx - nginx
- certbot - certbot
- influxdb
- grafana - grafana
- hosts: monitor_servers - hosts: monitor_servers
become: true become: true
@ -65,9 +64,5 @@
tags: tags:
- thanos - thanos
- monitoring - monitoring
- hosts: name_servers
become: true
roles:
- nsd
# vim:ft=yaml.ansible: # vim:ft=yaml.ansible:

4
roles/certbot/tasks/Ubuntu.yaml
View File

@ -1,4 +0,0 @@
---
- name: configure ppa
apt_repository:
repo: "ppa:certbot/certbot"

10
roles/common/defaults/main.yaml
View File

@ -1,6 +1,6 @@
--- ---
cron_service_name: cron # common_cron_service_name: cron.service
# common_timezone: Etc/UTC
timezone: UTC # common_locale: C.UTF-8
# common_apt_update_cache: true
# vim:ft=yaml.ansible: # common_apt_cache_valid_time: 3600

7
roles/common/handlers/main.yaml
View File

@ -1,8 +1,5 @@
--- ---
- name: restart cron - name: restart cron
service: ansible.builtin.service:
name: "{{ cron_service_name }}" name: "{{ common_cron_service_name | default('cron.service') }}"
state: restarted state: restarted
when: cron_service_name is defined
# vim:ft=yaml.ansible:

6
roles/common/tasks/Debian.yaml
View File

@ -1,6 +1,6 @@
--- ---
- name: run apt-get update - name: run apt-get update
apt: ansible.builtin.apt:
update_cache: yes update_cache: "{{ common_apt_update_cache | default(true) }}"
cache_valid_time: 3600 cache_valid_time: "{{ common_apt_cache_valid_time | default(3600) }}"
changed_when: false changed_when: false

13
roles/common/tasks/main.yaml
View File

@ -24,12 +24,17 @@
- tasks - tasks
- name: set hostname - name: set hostname
hostname: ansible.builtin.hostname:
name: "{{ hostname | default(inventory_hostname) }}" name: "{{ common_hostname | default(inventory_hostname) }}"
- name: configure system timezone - name: configure system timezone
timezone: ansible.builtin.timezone:
name: "{{ timezone }}" name: "{{ common_timezone | default('Etc/UTC') }}"
notify: restart cron notify: restart cron
- name: configure system locale
ansible.builtin.command:
cmd: "localectl set-locale {{ common_locale | default('C.UTF-8') }}"
when: ansible_facts.env.LANG != (common_locale | default('C.UTF-8'))
# vim:ft=yaml.ansible: # vim:ft=yaml.ansible:

0
roles/grafana/tasks/default.yaml Normal file
View File

130
roles/lego/defaults/main.yaml Normal file
View File

@ -0,0 +1,130 @@
---
lego_go_arch_map:
i386: '386'
x86_64: 'amd64'
lego_go_arch: "{{ lego_go_arch_map[ansible_architecture] | default('amd64') }}"
lego_version: 4.16.1
# curl -L -s https://github.com/go-acme/lego/releases/download/v4.14.2/lego_4.14.2_checksums.txt | awk '{ printf "%s: sha256:%s\n", $2, $1 }' | sort
lego_checksums:
lego_v4.16.1_darwin_amd64.tar.gz: sha256:2555ae9c3976bb6d3d783819c7012572fecbd309330a5010dd1f9882332fa349
lego_v4.16.1_darwin_arm64.tar.gz: sha256:609789c72a9c8e7f4f5916aa08440a299f63c75fee14f42e61904cda01f0736f
lego_v4.16.1_freebsd_386.tar.gz: sha256:41408e99b9f1fb823e53d53feb15cd0cb929ad3cd093b9010c7af7ba71077e55
lego_v4.16.1_freebsd_amd64.tar.gz: sha256:9353c009c4801d7646b3c99803a77aa0f2a041f802c8794d16ba4b31af4a8dfb
lego_v4.16.1_freebsd_arm64.tar.gz: sha256:c39a98c8401a0fe506ac206ae5ef5e167d1dcd9e7f6bb27def954089c0f99839
lego_v4.16.1_freebsd_armv5.tar.gz: sha256:b96b88a84aa51e77da8d4b92f6920b1890ae47c53e59c477d7b3b556b1273446
lego_v4.16.1_freebsd_armv6.tar.gz: sha256:ea41ff383adcf98ff70a65e6da49c7c82d16071f3057e44e1c41b2fe34543f19
lego_v4.16.1_freebsd_armv7.tar.gz: sha256:6e883cb6c12a7bb703018e85623bf2c548eebfd01047bda75820264bb8ff85f2
lego_v4.16.1_linux_386.tar.gz: sha256:3eb2e75cc474b0a0b9a990ddd9c70e7c9631a150487d8434e03a295cfd4b0caa
lego_v4.16.1_linux_amd64.tar.gz: sha256:e9826f955337c1fd825d21b073168692711985e25db013ff6b00e9a55a9644b4
lego_v4.16.1_linux_arm64.tar.gz: sha256:0669037c2bcff11d0599765c63f186dfc98397b6a827f5cb2e48e9e69c12626c
lego_v4.16.1_linux_armv5.tar.gz: sha256:33ff82f3aff43825b0fca7f173825c6cc6b02d9e5607dec147ba172e62c883c9
lego_v4.16.1_linux_armv6.tar.gz: sha256:3532a986667fe4ba42366fe09a5487c273c168779f803d878b4cc990d29c5c94
lego_v4.16.1_linux_armv7.tar.gz: sha256:b9727c1282a320c22d9fbdbdb59e35810c8b7f94d1382bfa87d564429a89629e
lego_v4.16.1_linux_mips64_hardfloat.tar.gz: sha256:055914fab0e26432590fccb54e400e1c0b1ad8d9932f0d418ed9ee7857765eed
lego_v4.16.1_linux_mips64_softfloat.tar.gz: sha256:6d79cde9f3f7598276e9f82d2c0fe94b541b35112c0d03797cae4bd9de289d78
lego_v4.16.1_linux_mips64le_hardfloat.tar.gz: sha256:5a2421aed70c009d746eff8ffb8a1429dbfdda9c60d08790b53b88d7d4e0b270
lego_v4.16.1_linux_mips64le_softfloat.tar.gz: sha256:c1e8afedc29d18e7cb6da4d42c77d41b11041f58637e453be1ac70f65dfba0bc
lego_v4.16.1_linux_mips_hardfloat.tar.gz: sha256:07bcd8f03dda24e7db4ef0be065680a8db2d1ec7b217aea2c4ee7f6a6d731928
lego_v4.16.1_linux_mips_softfloat.tar.gz: sha256:0367bd328a9355b0191ae0f1b77a20e6a7f6c84a0a65d0a7e4a5f240e7737ed4
lego_v4.16.1_linux_mipsle_hardfloat.tar.gz: sha256:49c6117c24e351921e9fdfc0fa01dc7dd007001602b4743f2854b85dde7dd410
lego_v4.16.1_linux_mipsle_softfloat.tar.gz: sha256:e5771a43504deab162291c957c1cf549e287c15f645712c08e56f08e5ed97d4c
lego_v4.16.1_openbsd_386.tar.gz: sha256:7aaa14b081b8c2d18717c463b6ecea434c963366c82ad9824bcf61750b130c73
lego_v4.16.1_openbsd_amd64.tar.gz: sha256:4249afea73a1f8cdec964a0471e841103d6575f6d8549005ec2c06efa063d0fe
lego_v4.16.1_openbsd_arm64.tar.gz: sha256:4e94b6714bfed91c06e7365da1da36624126b323dc2c0fdabe7fd3fb155f7cb5
lego_v4.16.1_solaris_amd64.tar.gz: sha256:e9d33547a2671636bf02148677bd790996fb94688b0a055393675c645de150ec
lego_v4.16.1_windows_386.zip: sha256:980e5d8e6afb700f28c9b9ab539141c45fbd556e12c5b3deb114d7db056d7f0f
lego_v4.16.1_windows_amd64.zip: sha256:2716e8cc14facd60d804f849c1aeff6bb31bfa09719905d8f65ec801ead628ca
lego_v4.16.1_windows_arm64.zip: sha256:28179af7c79f01e8347dcaab65fba5b70abd36dcd0a2bcc2d6803cb177f2b72c
lego_v4.16.1_windows_armv5.zip: sha256:4017c2f1cbd8c838377e6816daccabc96d063b44749407c68e985af7f04fff6c
lego_v4.16.1_windows_armv6.zip: sha256:099992c58012440f693206ab0ea23dd1794f4093fd2ad62b744d6a08e3749efd
lego_v4.16.1_windows_armv7.zip: sha256:4b9557137c5d24996c3b44c223edf9495f0ea7df7f9a2d5da5f3dbc8f8ec8b50
lego_github_rel_path: go-acme/lego
lego_github_project_url: "https://github.com/{{ lego_github_rel_path }}"
lego_release_file: "lego_v{{ lego_version }}_{{ ansible_system | lower }}_{{ lego_go_arch }}.tar.gz"
lego_release_url: "{{ lego_github_project_url }}/releases/download/v{{ lego_version }}/{{ lego_release_file }}"
lego_download_path: "/tmp/{{ lego_release_file }}"
lego_opt_dir_path: "/opt/lego-{{ lego_version }}"
lego_unarchive_dest_path: /tmp/
lego_extracted_path: "/tmp"
lego_binaries:
- lego
lego_user_name: lego
lego_user_shell: /usr/sbin/nologin
lego_user_home: "{{ lego_var_dir_path }}"
lego_group_name: lego
lego_bin_dir_path: /usr/local/bin
lego_bin_path: "{{ lego_bin_dir_path }}/lego"
lego_etc_dir_path: /etc/lego
lego_etc_dir_path_owner: "{{ lego_user_name }}"
lego_etc_dir_path_group: "{{ lego_group_name }}"
lego_etc_dir_path_mode: ugo=rx
lego_etc_dir_path_state: directory
lego_var_dir_path: /var/lib/lego
lego_var_dir_path_owner: "{{ lego_user_name }}"
lego_var_dir_path_group: "{{ lego_group_name }}"
lego_var_dir_path_mode: u=rwx,go=rx
lego_var_dir_path_state: directory
lego_bin_args:
- --accept-tos
- --domains %i
- --domains www.%i
lego_environ:
LEGO_PATH: "{{ lego_var_dir_path }}"
lego_bin_user_args: []
lego_user_environ: {}
lego_credential_files: []
lego_service_name: lego@.service
lego_service_enabled: true
lego_service_state: started
lego_timer_name: lego@.timer
lego_timer_enabled: true
lego_timer_state: started
lego_service_template_src: "{{ lego_service_name }}.j2"
lego_service_template_dest: "/etc/systemd/system/{{ lego_service_name }}"
lego_service_template_owner: root
lego_service_template_group: root
lego_service_template_mode: ugo=r
lego_timer_template_src: "{{ lego_timer_name }}.j2"
lego_timer_template_dest: "/etc/systemd/system/{{ lego_timer_name }}"
lego_timer_template_owner: root
lego_timer_template_group: root
lego_timer_template_mode: ugo=r
lego_systemd_service_d_dir_path: /etc/systemd/system/lego@.service.d
lego_systemd_service_d_dir_path_owner: root
lego_systemd_service_d_dir_path_group: root
lego_systemd_service_d_dir_path_mode: ugo=rx
lego_systemd_service_d_dir_path_state: directory
lego_systemd_service_d_template_src: "environ.conf.j2"
lego_systemd_service_d_template_dest: "{{ lego_systemd_service_d_dir_path }}/environ.conf"
lego_systemd_service_d_template_path_owner: root
lego_systemd_service_d_template_path_group: root
lego_systemd_service_d_template_path_mode: u=r,go=
lego_credential_file_owner: "{{ lego_user_name }}"
lego_credential_file_group: "{{ lego_group_name }}"
lego_credential_file_mode: u=r,go=
# lego_domains:
# - name: example.com
# # not required
# enabled: true
# # not required
# state: started

5
roles/lego/handlers/main.yaml Normal file
View File

@ -0,0 +1,5 @@
---
- name: restart lego
systemd:
name: "{{ lego_service_name }}"
daemon_reload: true

98
roles/lego/tasks/configure.yaml Normal file
View File

@ -0,0 +1,98 @@
---
- name: create group
ansible.builtin.group:
name: "{{ lego_group_name }}"
system: true
- name: create user
ansible.builtin.user:
name: "{{ lego_user_name }}"
shell: "{{ lego_user_shell }}"
home: "{{ lego_user_home }}"
system: true
group: "{{ lego_group_name }}"
- name: create var path
ansible.builtin.file:
path: "{{ lego_var_dir_path }}"
owner: "{{ lego_var_dir_path_owner }}"
group: "{{ lego_var_dir_path_group }}"
mode: "{{ lego_var_dir_path_mode }}"
state: "{{ lego_var_dir_path_state }}"
- name: create etc path
ansible.builtin.file:
path: "{{ lego_etc_dir_path }}"
owner: "{{ lego_etc_dir_path_owner }}"
group: "{{ lego_etc_dir_path_group }}"
mode: "{{ lego_etc_dir_path_mode }}"
state: "{{ lego_etc_dir_path_state }}"
- name: "create {{ lego_systemd_service_d_dir_path }}"
ansible.builtin.file:
path: "{{ lego_systemd_service_d_dir_path }}"
owner: "{{ lego_systemd_service_d_dir_path_owner }}"
group: "{{ lego_systemd_service_d_dir_path_group }}"
mode: "{{ lego_systemd_service_d_dir_path_mode }}"
state: "{{ lego_systemd_service_d_dir_path_state }}"
- name: "create {{ lego_systemd_service_d_template_dest }}"
ansible.builtin.template:
src: "{{ lego_systemd_service_d_template_src }}"
dest: "{{ lego_systemd_service_d_template_dest }}"
owner: "{{ lego_systemd_service_d_template_path_owner }}"
group: "{{ lego_systemd_service_d_template_path_group }}"
mode: "{{ lego_systemd_service_d_template_path_mode }}"
notify:
- restart lego
- name: create credential files
ansible.builtin.copy:
dest: "{{ lego_etc_dir_path }}/{{ item.name }}"
owner: "{{ item.owner | default(lego_credential_file_owner) }}"
group: "{{ item.group | default(lego_credential_file_group) }}"
mode: "{{ item.mode | default(lego_credential_file_mode) }}"
content: "{{ item.content }}"
loop: "{{ lego_credential_files | default([]) }}"
no_log: true
#- name: configure
# ansible.builtin.template:
# src: "{{ lego_config_file_template_src }}"
# dest: "{{ lego_config_file_template_dest }}"
# owner: "{{ lego_config_file_template_owner }}"
# group: "{{ lego_config_file_template_group }}"
# mode: "{{ lego_config_file_template_mode }}"
# notify:
# - restart lego
#
- name: configure systemd unit
ansible.builtin.template:
src: "{{ lego_service_template_src }}"
dest: "{{ lego_service_template_dest }}"
owner: "{{ lego_service_template_owner }}"
group: "{{ lego_service_template_group }}"
mode: "{{ lego_service_template_mode }}"
notify:
- restart lego
- name: configure timer
ansible.builtin.template:
src: "{{ lego_timer_template_src }}"
dest: "{{ lego_timer_template_dest }}"
owner: "{{ lego_timer_template_owner }}"
group: "{{ lego_timer_template_group }}"
mode: "{{ lego_timer_template_mode }}"
#
#- name: manage service
# ansible.builtin.service:
# name: "{{ lego_service_name }}"
# enabled: "{{ lego_service_enabled | default(true) }}"
# state: "{{ lego_service_state | default('started') }}"
- name: manage timers
ansible.builtin.systemd:
name: "lego@{{ item.name }}.timer"
enabled: "{{ item.enabled | default(true) }}"
state: "{{ item.state | default('started') }}"
loop: "{{ lego_domains | default([]) }}"

0
roles/lego/tasks/default.yaml Normal file
View File

56
roles/lego/tasks/install.yaml Normal file
View File

@ -0,0 +1,56 @@
---
- name: determine install status
ansible.builtin.stat:
path: "{{ lego_opt_dir_path }}/lego"
register: st
- name: create opt path
ansible.builtin.file:
path: "{{ lego_opt_dir_path }}"
owner: root
group: root
mode: 0755
state: directory
- block:
- name: download
ansible.builtin.get_url:
url: "{{ lego_release_url }}"
dest: "{{ lego_download_path }}"
checksum: "{{ lego_checksums[lego_release_file] }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
ansible.builtin.unarchive:
src: "{{ lego_download_path }}"
dest: "{{ lego_unarchive_dest_path }}"
remote_src: true
- name: install
ansible.builtin.copy:
src: "{{ lego_extracted_path }}/{{ item }}"
dest: "{{ lego_opt_dir_path }}/{{ item }}"
remote_src: true
loop: "{{ lego_binaries }}"
when: not st.stat.exists
- name: permissions
ansible.builtin.file:
path: "{{ lego_opt_dir_path }}/{{ item }}"
owner: root
group: root
mode: 0755
loop: "{{ lego_binaries }}"
- name: symlink
ansible.builtin.file:
src: "{{ lego_opt_dir_path }}/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0755
state: link
loop: "{{ lego_binaries }}"

28
roles/lego/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

8
roles/lego/templates/environ.conf.j2 Normal file
View File

@ -0,0 +1,8 @@
# {{ ansible_managed }}
[Service]
{% if lego_user_environ is defined %}
{% for k, v in lego_user_environ.items() %}
Environment={{ k | upper }}={{ v }}
{% endfor %}
{% endif %}

31
roles/lego/templates/lego@.service.j2 Normal file
View File

@ -0,0 +1,31 @@
# {{ ansible_managed }}
[Unit]
Description=Let's Encrypt client and ACME library written in Go
After=network-online.target
Wants=network-online.target
[Service]
{% if lego_environ is defined %}
{% for k, v in lego_environ.items() %}
Environment={{ k | upper }}={{ v }}
{% endfor %}
{% endif %}
Type=oneshot
User={{ lego_user_name }}
ExecStart={{ lego_bin_path }} \
{% for arg in lego_bin_args | default([]) + lego_bin_user_args | default([]) %}
{{ arg }} \
{% endfor %}
renew \
{% for arg in lego_bin_renew_user_args | default([]) %}
{{ arg }} {% if not loop.last %}\{{ "\n"}}{% endif %}
{% if loop.last %}
{% endif %}
{% endfor %}
WorkingDirectory={{ lego_var_dir_path }}
[Install]
WantedBy=multi-user.target

11
roles/lego/templates/lego@.timer.j2 Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=Certbot renewal
Description=Let's Encrypt client and ACME library written in Go
Requires={{ lego_service_name }}%i
[Timer]
OnCalendar=*-*-* 00,12:00:00
# RandomizedDelaySec=1
[Install]
WantedBy=timers.target

0
roles/lego/vars/default.yaml Normal file
View File

57
roles/logcli/defaults/main.yaml Normal file
View File

@ -0,0 +1,57 @@
---
logcli_go_arch_map:
i386: '386'
x86_64: 'amd64'
logcli_go_arch: "{{ logcli_go_arch_map[ansible_architecture] | default('amd64') }}"
logcli_version: 2.9.5
logcli_checksums:
logcli-darwin-amd64.zip: sha256:b224dc8872167be0c5f07b1c22471b21604419b625b4a6e69b2c7751bc409d98
logcli-darwin-arm64.zip: sha256:ad93156ae1132038de7a6b42633bdc59aac1a04e816aeae2796bc6dddddff14a
logcli-freebsd-amd64.zip: sha256:952f48394a080b88a100001b9c454e8793071ba4cd8cc95811bd446b4215a9a3
logcli-linux-amd64.zip: sha256:a22f7e29bb9ef8f6f70e31926bbffc646b9e36b3265458e199c497b305d21cc2
logcli-linux-arm.zip: sha256:0ad5c86191916121acea30d44011d84d33e5ca27497691980de16f1508b209f5
logcli-linux-arm64.zip: sha256:06b6a6b961f5004c51eb7922509dbbb189701b1f3925ba1bb2289894fef7861e
logcli-windows-amd64.exe.zip: sha256:d1a37c56fa2a1dfa97855d2a26826ba89569d50846a6022be03936423f04e19b
loki-canary-darwin-amd64.zip: sha256:9f73e81666397e195ae092c518df32200bab71f72ff778c839abba0283f8f4b3
loki-canary-darwin-arm64.zip: sha256:fa3a96bec9b30ec06bf5271182646161ab8056c51b07e00da14ce21d53bbd871
loki-canary-freebsd-amd64.zip: sha256:170c0ea9bf6349cce9b9fb5be6b27d0b8477fc57e5a0849ad7c828ba3de79f15
loki-canary-linux-amd64.zip: sha256:e4ff7cfb302851b98d4df1dc7793b3fdc7fd9680d2e75fc0484abcd08412f198
loki-canary-linux-arm.zip: sha256:02750db39ecba743da3036ca28a3b426c7d068efeee86b875f7870ba8798dca2
loki-canary-linux-arm64.zip: sha256:e0c0c31c89cad8ddffbd11f9467778e9b30bdfbdce955fba67871365a07ab3a1
loki-canary-windows-amd64.exe.zip: sha256:54564cbd123fbdd1b95fe9882bd916e2e9432b53826a97c04179c48ff0314912
loki-darwin-amd64.zip: sha256:b5831c0da363b3b075ddbdaa6e6e1323858b17c0d6c0052908aebaa637bc522c
loki-darwin-arm64.zip: sha256:1b73e4867730c252ce0e3720dd42fea5bd7921dd3cda4aa5f3764e43e1495374
loki-freebsd-amd64.zip: sha256:c3ac9b0aa16ca494a1537c28fe036440cd701d5273c5c8bbdb47426ecb5a041e
loki-linux-amd64.zip: sha256:9d919a55e7a2dbaeab46e777a0589d7e304c71fed011f989143883cbc887e348
loki-linux-arm.zip: sha256:104efc28b322523bf5bced67bdcc3746e1f7f872057f6ef54f25ab00ce426b39
loki-linux-arm64.zip: sha256:491833bf201c55388b82c3d1f583a9d4426c1b778ed3dc710cd67c8cbbbb67bb
loki-windows-amd64.exe.zip: sha256:1acee64bb69bd54ff6549edd2f670d0a3802727d9efced8705c7a712412d8ef7
promtail-darwin-amd64.zip: sha256:54032f2781d3acfef7dd7ad12b7f38ec4f5d0eb8ba047ebecb9911a6dd4b6cc6
promtail-darwin-arm64.zip: sha256:405ed21efcaa21ae5bbe4b7e16ca888ae8238716c46a176ea9c5e2a7b2b2a633
promtail-freebsd-amd64.zip: sha256:5a68f6fa6c7ae96919f13b4fffb188f72f9b16e38f40cf3962b97989c9739a99
promtail-linux-amd64.zip: sha256:e444bcff2d6677d284350819d3d1b7b473a1699357689230254fbc602b28dac7
promtail-linux-arm.zip: sha256:d0cc7552b8ce69534893040e6518288a6899c4f3acf9d4e7d32335f5f2f6145d
promtail-linux-arm64.zip: sha256:b23bd750dc5f6a76d808826ebc9d3c8b3540adb329578b650571a10d2be348b8
promtail-windows-386.exe.zip: sha256:a121de0b043db194c65422f863211efe566da3bec338a92f0623dff6f3c435d1
promtail-windows-amd64.exe.zip: sha256:d9c4b5bb58d3ece2e4ff78cd7fef65f5fadd7d9fe73ceb2dfa4a2990f944466f
logcli_github_rel_path: grafana/loki
logcli_github_project_url: "https://github.com/{{ logcli_github_rel_path }}"
logcli_release_file: "logcli-{{ ansible_system | lower }}-{{ logcli_go_arch }}.zip"
logcli_release_url: "{{ logcli_github_project_url }}/releases/download/v{{ logcli_version }}/{{ logcli_release_file }}"
logcli_download_path: "/tmp/logcli-{{ logcli_version }}-{{ ansible_system | lower }}-{{ logcli_go_arch }}.zip"
logcli_opt_path: "/opt/logcli-{{ logcli_version }}"
logcli_unarchive_dest_path: /tmp/
logcli_extracted_path: "/tmp/logcli-{{ ansible_system | lower }}-{{ logcli_go_arch }}"
logcli_binaries:
- logcli
logcli_loki_addr: http://localhost:3100
logcli_profile_d_path: /etc/profile.d/logcli.sh
logcli_profile_d_env:
LOKI_ADDR: "{{ logcli_loki_addr }}"

11
roles/logcli/tasks/configure.yaml Normal file
View File

@ -0,0 +1,11 @@
---
- name: set logcli environment variables
ansible.builtin.copy:
dest: "{{ logcli_profile_d_path }}"
owner: root
group: root
mode: 0755
content: |
{% for k, v in logcli_profile_d_env.items() %}
export {{ k }}="{{ v }}"
{% endfor %}

0
roles/logcli/tasks/default.yaml Normal file
View File

56
roles/logcli/tasks/install.yaml Normal file
View File

@ -0,0 +1,56 @@
---
- name: determine install status
ansible.builtin.stat:
path: "{{ logcli_opt_path }}/logcli"
register: st
- name: create opt path
ansible.builtin.file:
path: "{{ logcli_opt_path }}"
owner: root
group: root
mode: 0755
state: directory
- block:
- name: download
ansible.builtin.get_url:
url: "{{ logcli_release_url }}"
dest: "{{ logcli_download_path }}"
checksum: "{{ logcli_checksums[logcli_release_file] }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
ansible.builtin.unarchive:
src: "{{ logcli_download_path }}"
dest: "{{ logcli_unarchive_dest_path }}"
remote_src: true
- name: install
ansible.builtin.copy:
src: "{{ logcli_extracted_path }}"
dest: "{{ logcli_opt_path }}/{{ item }}"
remote_src: true
loop: "{{ logcli_binaries }}"
when: not st.stat.exists
- name: permissions
ansible.builtin.file:
path: "{{ logcli_opt_path }}/{{ item }}"
owner: root
group: root
mode: 0755
loop: "{{ logcli_binaries }}"
- name: symlink
ansible.builtin.file:
src: "{{ logcli_opt_path }}/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0755
state: link
loop: "{{ logcli_binaries }}"

28
roles/logcli/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

0
roles/logcli/vars/default.yaml Normal file
View File

68
roles/mimir/defaults/main.yaml Normal file
View File

@ -0,0 +1,68 @@
---
mimir_package_name: mimir
mimir_package_state: present
mimir_service_name: mimir.service
mimir_service_enabled: true
mimir_service_state: started
mimir_apt_repository_repo: deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main
mimir_apt_repository_state: present
mimir_version_regex: ^mimir, version ([\d.]+)
mimir_user_name: mimir
mimir_user_comment: mimir user
mimir_user_state: present
mimir_user_shell: /usr/sbin/nologin
mimir_user_system: true
mimir_user_createhome: false
mimir_group_name: mimir
mimir_group_state: "{{ mimir_user_state | default('present') }}"
mimir_group_system: true
mimir_var_dir_path: /var/lib/mimir
mimir_var_dir_owner: "{{ mimir_user_name }}"
mimir_var_dir_group: "{{ mimir_group_name }}"
mimir_var_dir_mode: "0700"
mimir_etc_dir_path: /etc/mimir
mimir_etc_dir_owner: "{{ mimir_user_name }}"
mimir_etc_dir_group: "{{ mimir_group_name }}"
mimir_etc_dir_mode: "0755"
mimir_config_file_path: "{{ mimir_etc_dir_path }}/config.yml"
mimir_config_file_path_owner: "{{ mimir_user_name }}"
mimir_config_file_path_group: "{{ mimir_group_name }}"
mimir_config_file_path_mode: "0755"
m# imir_common:
# {}
mimir_server:
http_listen_port: 9009
mimir_alertmanager:
sharding_ring:
replication_factor: 1
# mimir_compactor:
# {}
# mimir_distributor:
# {}
mimir_ingester:
ring:
replication_factor: 1
mimir_store_gateway:
sharding_ring:
replication_factor: 1
# mimir_blocks_storage:
# {}
# mimir_ruler_storage:
# {}

BIN
roles/mimir/files/grafana.gpg Normal file
View File

Binary file not shown.

6
roles/mimir/handlers/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart mimir
systemd:
name: "{{ mimir_service_name }}"
daemon_reload: true
state: restarted

14
roles/mimir/tasks/Debian.yaml Normal file
View File

@ -0,0 +1,14 @@
---
- name: trust grafana apt respository key
ansible.builtin.copy:
src: "grafana.gpg"
dest: "/etc/apt/keyrings/grafana.gpg"
owner: root
group: root
mode: 0644
- name: configure grafana apt repository
ansible.builtin.apt_repository:
repo: "{{ mimir_apt_repository_repo }}"
state: "{{ mimir_apt_repository_state | default('present') }}"
filename: grafana

48
roles/mimir/tasks/configure.yaml Normal file
View File

@ -0,0 +1,48 @@
---
- name: create group
ansible.builtin.group:
name: "{{ mimir_group_name }}"
system: "{{ mimir_group_system | default(true) }}"
state: "{{ mimir_group_name_state | default('present') }}"
- name: create user
ansible.builtin.user:
name: "{{ mimir_user_name }}"
comment: "{{ mimir_user_comment }}"
system: "{{ mimir_user_system | default(true) }}"
shell: "{{ mimir_user_shell | default('/usr/sbin/nologin') }}"
group: "{{ mimir_group_name }}"
createhome: "{{ mimir_user_createhome | default(false) }}"
home: "{{ mimir_var_dir_path }}"
state: "{{ mimir_user_state | default('present') }}"
- name: create etc path
ansible.builtin.file:
path: "{{ mimir_etc_dir_path }}"
state: directory
owner: "{{ mimir_etc_dir_owner }}"
group: "{{ mimir_etc_dir_group }}"
mode: "{{ mimir_etc_dir_mode }}"
- name: create var path
ansible.builtin.file:
path: "{{ mimir_var_dir_path }}"
state: directory
owner: "{{ mimir_var_dir_owner }}"
group: "{{ mimir_var_dir_group }}"
mode: "{{ mimir_var_dir_mode }}"
- name: configure
template:
src: config.yml.j2
dest: "{{ mimir_config_file_path }}"
owner: "{{ mimir_user_name }}"
group: "{{ mimir_group_name }}"
mode: 0400
notify: restart mimir
- name: manage service
service:
name: "{{ mimir_service_name }}"
enabled: "{{ mimir_service_enabled }}"
state: "{{ mimir_service_state }}"

0
roles/mimir/tasks/default.yaml Normal file
View File

5
roles/mimir/tasks/install.yaml Normal file
View File

@ -0,0 +1,5 @@
---
- name: install package
ansible.builtin.package:
name: "{{ mimir_package_name }}"
state: "{{ mimir_package_state | default('present') }}"

28
roles/mimir/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

51
roles/mimir/templates/config.yml.j2 Normal file
View File

@ -0,0 +1,51 @@
# {{ ansible_managed }}
---
{% if mimir_common is defined %}
common:
{{ mimir_common | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_server is defined %}
server:
{{ mimir_server | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_alertmanager is defined %}
alertmanager:
{{ mimir_alertmanager | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_compactor is defined %}
compactor:
{{ mimir_compactor | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_distributor is defined %}
distributor:
{{ mimir_distributor | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_ingester is defined %}
ingester:
{{ mimir_ingester | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_store_gateway is defined %}
store_gateway:
{{ mimir_store_gateway | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_alertmanager_storage is defined %}
alertmanager_storage:
{{ mimir_alertmanager_storage | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_blocks_storage is defined %}
blocks_storage:
{{ mimir_blocks_storage | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}
{% if mimir_ruler_storage is defined %}
ruler_storage:
{{ mimir_ruler_storage | to_nice_yaml(indent=2) | indent(4, False) }}
{% endif -%}

0
roles/mimir/vars/default.yaml Normal file
View File

70
roles/nftables/defaults/main.yaml Normal file
View File

@ -0,0 +1,70 @@
---
# nftables_ufw_package_name: ufw
# nftables_ufw_package_state: absent
# nftables_package_name: nftables
# nftables_package_state: present
# nftables_service_name: nftables
# nftables_service_state: started
# nftables_service_enabled: true
# nftables_config_path: /etc/nftables.conf
nftables_builtin_defines:
REQUIRED_ICMPV6_TYPES:
- 1-4
- 130-136
- 141-143
- 148-149
- 151-153
TRACEROUTE_UDP_PORTS: 33434-33534
nftables_builtin_sets:
blackhole4:
- type ipv4_addr
- flags interval
blackhole6:
- type ipv6_addr
- flags interval
tcp_input_accept:
- type inet_service
- flags interval
- elements = { ssh }
udp_input_accept:
- type inet_service
- flags interval
nftables_input_builtin_rules:
- type filter hook input priority filter; policy drop;
- ip saddr @blackhole4 drop
- ip6 saddr @blackhole6 drop
- ct state established,related accept
- ct state invalid drop
- iifname "lo" accept
- icmpv6 type $REQUIRED_ICMPV6_TYPES accept
- icmpv6 type echo-request accept
- icmp type echo-request accept
- tcp dport @tcp_input_accept accept
- udp dport @udp_input_accept accept
# this should be last because these ports could be allowed
- udp dport $TRACEROUTE_UDP_PORTS reject
nftables_forward_builtin_rules:
- type filter hook forward priority filter; policy drop;
- ct state { established, related } accept
nftables_output_builtin_rules:
- type filter hook output priority filter; policy accept;
- ip daddr @blackhole4 drop
- ip6 daddr @blackhole6 drop
- ct state { established, related } accept
# nftables_sets:
# {}
#
# nftables_input_rules:
# []
#
# nftables_output_rules:
# []

10
roles/nftables/handlers/main.yaml Normal file
View File

@ -0,0 +1,10 @@
---
- name: reload nftables
ansible.builtin.service:
name: "{{ nftables_service_name | default('nftables') }}"
state: reloaded
- name: restart nftables
ansible.builtin.service:
name: "{{ nftables_service_name | default('nftables') }}"
state: restarted

5
roles/nftables/tasks/Ubuntu.yaml Normal file
View File

@ -0,0 +1,5 @@
---
- name: remove ufw
ansible.builtin.package:
name: "{{ nftables_ufw_package_name | default('ufw') }}"
state: "{{ nftables_ufw_package_state | default('absent') }}"

16
roles/nftables/tasks/configure.yaml Normal file
View File

@ -0,0 +1,16 @@
---
- name: configure rules
ansible.builtin.template:
src: nftables.conf.j2
dest: "{{ nftables_config_path | default('/etc/nftables.conf') }}"
owner: root
group: root
mode: 0600
notify:
- restart nftables
- name: manage service
ansible.builtin.service:
name: "{{ nftables_service_name | default('nftables') }}"
state: "{{ nftables_service_state | default('started') }}"
enabled: "{{ nftables_service_enabled | default(true) }}"

0
roles/nftables/tasks/default.yaml Normal file
View File

5
roles/nftables/tasks/install.yaml Normal file
View File

@ -0,0 +1,5 @@
---
- name: remove ufw
ansible.builtin.package:
name: "{{ nftables_package_name | default('nftables') }}"
state: "{{ nftables_package_state | default('present') }}"

28
roles/nftables/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather OS specific variables
ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: run os specific tasks
ansible.builtin.include_tasks: "{{ lookup('ansible.builtin.first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- include_tasks: install.yaml
- include_tasks: configure.yaml

82
roles/nftables/templates/nftables.conf.j2 Normal file
View File

@ -0,0 +1,82 @@
table inet filter {
{% if nftables_builtin_defines is mapping %}
{% for name, cfg in nftables_builtin_defines.items() %}
{% if cfg is string %}
define {{ name }} = {{ cfg }}
{% elif cfg is sequence %}
define {{ name }} = {
{% for elem in cfg %}
{{ elem }},
{% endfor %}
}
{% endif %}
{% endfor %}
{% endif %}
{% if nftables_defines is mapping %}
{% for name, cfg in nftables_defines.items() %}
define {{ name }} = {
{% for elem in cfg %}
{{ elem }},
{% endfor %}
}
{% endfor %}
{% endif %}
{% if nftables_builtin_sets is mapping %}
{% for name, cfg in nftables_builtin_sets.items() %}
set {{ name }} {
{% for elem in cfg %}
{{ elem }}
{% endfor %}
}
{% endfor %}
{% endif %}
{% if nftables_sets is mapping %}
{% for name, cfg in nftables_sets.items() %}
set {{ name }} {
{% for elem in cfg %}
{{ elem }}
{% endfor %}
}
{% endfor %}
{% endif %}
chain input {
{% if nftables_input_builtin_rules is sequence %}
{% for rule in nftables_input_builtin_rules %}
{{ rule }}
{% endfor %}
{% endif %}
{% if nftables_input_rules is sequence %}
{% for rule in nftables_input_rules %}
{{ rule }}
{% endfor %}
{% endif %}
}
chain forward {
{% if nftables_forward_builtin_rules is sequence %}
{% for rule in nftables_forward_builtin_rules %}
{{ rule }}
{% endfor %}
{% endif %}
{% if nftables_forward_rules is sequence %}
{% for rule in nftables_forward_rules %}
{{ rule }}
{% endfor %}
{% endif %}
}
chain output {
{% if nftables_output_builtin_rules is sequence %}
{% for rule in nftables_output_builtin_rules %}
{{ rule }}
{% endfor %}
{% endif %}
{% if nftables_output_rules is sequence %}
{% for rule in nftables_output_rules %}
{{ rule }}
{% endfor %}
{% endif %}
}
}

0
roles/nftables/vars/default.yaml Normal file
View File

1
roles/nginx/tasks/main.yml
View File

@ -28,7 +28,6 @@
name: "{{ item }}" name: "{{ item }}"
state: present state: present
loop: loop:
- python-passlib
- python3-passlib - python3-passlib
- name: install package - name: install package

43
roles/process_exporter/defaults/main.yaml Normal file
View File

@ -0,0 +1,43 @@
---
process_exporter_go_arch_map:
i386: '386'
x86_64: 'amd64'
process_exporter_go_arch: "{{ process_exporter_go_arch_map[ansible_architecture] | default('amd64') }}"
process_exporter_service_name: process-exporter.service
process_exporter_service_enabled: true
process_exporter_service_state: started
process_exporter_version_regex: (.+)
process_exporter_checksum_algo: sha256
process_exporter_github_rel_path: ncabatoff/process-exporter
process_exporter_github_project_url: "https://github.com/{{ process_exporter_github_rel_path }}"
process_exporter_release_file: "process-exporter-{{ process_exporter_version }}.{{ ansible_system | lower }}-{{ process_exporter_go_arch }}.tar.gz"
process_exporter_release_url: "{{ process_exporter_github_project_url }}/releases/download/v{{ process_exporter_version }}/{{ process_exporter_release_file }}"
process_exporter_checksum_url: "{{ process_exporter_github_project_url }}/releases/download/v{{ process_exporter_version }}/checksums.txt"
process_exporter_download_path: "/tmp/{{ process_exporter_release_file }}"
process_exporter_unarchive_dest_path: /tmp
process_exporter_extracted_path: "{{ process_exporter_download_path | replace('.tar.gz', '') }}"
process_exporter_binaries:
- process-exporter
process_exporter_user: process-exporter
process_exporter_user_state: present
process_exporter_user_shell: /usr/sbin/nologin
process_exporter_group: process-exporter
process_exporter_group_state: "{{ process_exporter_user_state | default('present') }}"
process_exporter_etc_path: /etc/process-exporter
process_exporter_etc_owner: root
process_exporter_etc_group: root
process_exporter_etc_mode: "0755"
process_exporter_var_path: /var/lib/process-exporter
process_exporter_var_owner: "{{ process_exporter_user }}"
process_exporter_var_group: "{{ process_exporter_group }}"
process_exporter_var_mode: "0755"
process_exporter_bin_path: /usr/local/bin

6
roles/process_exporter/handlers/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart process-exporter
systemd:
name: "{{ process_exporter_service_name }}"
daemon_reload: true
state: restarted

47
roles/process_exporter/tasks/configure.yaml Normal file
View File

@ -0,0 +1,47 @@
---
- name: create group
group:
name: "{{ process_exporter_group }}"
system: true
state: "{{ process_exporter_group_state | default('present') }}"
- name: create user
user:
name: "{{ process_exporter_user }}"
system: true
shell: "{{ process_exporter_user_shell }}"
group: "{{ process_exporter_group }}"
createhome: false
home: "{{ process_exporter_var_path }}"
state: "{{ process_exporter_user_state | default('present') }}"
- name: create etc path
file:
path: "{{ process_exporter_etc_path }}"
state: directory
owner: "{{ process_exporter_etc_owner }}"
group: "{{ process_exporter_etc_group }}"
mode: "{{ process_exporter_etc_mode }}"
- name: create var path
file:
path: "{{ process_exporter_var_path }}"
state: directory
owner: "{{ process_exporter_var_owner }}"
group: "{{ process_exporter_var_group }}"
mode: "{{ process_exporter_var_mode }}"
- name: configure systemd template
template:
src: "{{ process_exporter_service_name }}.j2"
dest: "/etc/systemd/system/{{ process_exporter_service_name }}"
owner: root
group: root
mode: 0444
notify: restart process-exporter
- name: manage service
service:
name: "{{ process_exporter_service_name }}"
enabled: "{{ process_exporter_service_enabled }}"
state: "{{ process_exporter_service_state }}"

0
roles/process_exporter/tasks/default.yaml Normal file
View File

30
roles/process_exporter/tasks/install.yaml Normal file
View File

@ -0,0 +1,30 @@
---
- block:
- name: download tar
get_url:
url: "{{ process_exporter_release_url }}"
dest: "{{ process_exporter_download_path }}"
checksum: "{{ process_exporter_checksum }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract tar
unarchive:
src: "{{ process_exporter_download_path }}"
dest: "{{ process_exporter_unarchive_dest_path }}"
creates: "{{ process_exporter_extracted_path }}"
remote_src: true
- name: install binaries
copy:
src: "{{ process_exporter_extracted_path }}/{{ item }}"
dest: "{{ process_exporter_bin_path }}/{{ item }}"
owner: root
group: root
mode: 0755
remote_src: true
loop: "{{ process_exporter_binaries }}"
notify: restart process-exporter
when: process_exporter_version != process_exporter_local_version

30
roles/process_exporter/tasks/main.yaml Normal file
View File

@ -0,0 +1,30 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: pre.yaml
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

54
roles/process_exporter/tasks/pre.yaml Normal file
View File

@ -0,0 +1,54 @@
---
- name: determine if installed
stat:
path: "{{ process_exporter_bin_path }}/process-exporter"
register: st
- name: set process_exporter_installed
set_fact:
process_exporter_installed: "{{ st.stat.exists | bool }}"
- block:
- name: determine latest version
uri:
url: "https://api.github.com/repos/{{ process_exporter_github_rel_path }}/releases/latest"
return_content: true
body_format: json
register: _latest_version
until: _latest_version.status == 200
retries: 3
- name: set process_exporter_version
set_fact:
process_exporter_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
- block:
- name: determine installed version
command: "{{ process_exporter_bin_path }}/process-exporter --version"
register: _installed_version_string
changed_when: false
- name: set process_exporter_local_version
set_fact:
process_exporter_local_version: "{{ _installed_version_string.stdout | regex_search(process_exporter_version_regex, '\\1') | first }}"
rescue:
- name: set process_exporter_local_version
set_fact:
process_exporter_local_version: "{{ _installed_version_string.stderr | regex_search(process_exporter_version_regex, '\\1') | first }}"
when: process_exporter_installed
- name: set process_exporter_local_version to 0
set_fact:
process_exporter_local_version: "0"
when: not process_exporter_installed
- block:
- name: get checksums
set_fact:
_checksums: "{{ lookup('url', process_exporter_checksum_url, wantlist=True) }}"
- name: set process_exporter_checksum
set_fact:
process_exporter_checksum: "{{ process_exporter_checksum_algo }}:{{ item.split(' ') | first }}"
loop: "{{ _checksums }}"
when: "process_exporter_release_file in item"

17
roles/process_exporter/templates/process-exporter.service.j2 Normal file
View File

@ -0,0 +1,17 @@
{{ ansible_managed | comment }}
[Unit]
Description=process-exporter
Wants=network-online.target
After=network-online.target
After=alertmanager.service
[Service]
Type=simple
User={{ process_exporter_user }}
Group={{ process_exporter_group }}
WorkingDirectory={{ process_exporter_etc_path }}
ExecStart={{ process_exporter_bin_path }}/process-exporter \
[Install]
WantedBy=multi-user.target

0
roles/process_exporter/vars/default.yaml Normal file
View File

1
roles/restic/tasks/main.yaml
View File

@ -81,7 +81,6 @@
group: root group: root
mode: 0755 mode: 0755
loop: loop:
- restic-tidy.sh
- restic-repo.sh - restic-repo.sh
- restic-job.sh - restic-job.sh

10
roles/restic/tasks/repo.yaml
View File

@ -53,13 +53,3 @@
state: link state: link
force: yes force: yes
when: restic_repos | count == 1 when: restic_repos | count == 1
- name: create cron
cron:
name: "restic {{ item.name }} tidy"
hour: "0"
minute: "{{ 60 | random(seed=inventory_hostname) }}"
user: root
state: present
job: "( {{ restic_bin_path }}/restic-tidy {{ item.name }} | logger --id=$$ -t restic-tidy -p user.info ) 2>&1 | logger --id=$$ -t restic-tidy -p user.err"
when: restic_tidy_enabled

100
roles/smokeping_prober/defaults/main.yaml Normal file
View File

@ -0,0 +1,100 @@
---
smokeping_prober_go_arch_map:
i386: '386'
x86_64: 'amd64'
smokeping_prober_go_arch: "{{ smokeping_prober_go_arch_map[ansible_architecture] | default('amd64') }}"
smokeping_prober_version: 0.7.3
smokeping_prober_checksums:
smokeping_prober-0.7.3.aix-ppc64.tar.gz: sha256:13df5d0fc4205c30e3e6887324990dd56285a17bfe1fed263d2b87134061a700
smokeping_prober-0.7.3.darwin-amd64.tar.gz: sha256:70a4fc89c1277c78541e5157aa418940d7660aa2915fe0fc34d95870b9aab705
smokeping_prober-0.7.3.darwin-arm64.tar.gz: sha256:c6ba90ef426dc3a4efcc80a33a30492e22dd2031730ce0d99caa3503dae87df9
smokeping_prober-0.7.3.dragonfly-amd64.tar.gz: sha256:723ec9c8841444fa80a398677f7e3d567537570895ce0d6a778e207c8d4679ea
smokeping_prober-0.7.3.freebsd-386.tar.gz: sha256:6291caed80438c62ef2603b28f5f767cc90012c3ea8aa0d4bb6ae0b799a4ed6c
smokeping_prober-0.7.3.freebsd-amd64.tar.gz: sha256:7d7da04d07b02cc0e10b1f9c5a567c1abdd80effa6f7e830bf6e5e59510057a0
smokeping_prober-0.7.3.freebsd-arm64.tar.gz: sha256:33a251ce899a0fbc244b12dd7fdadef6d36294925dd96edf12bb210edfe10010
smokeping_prober-0.7.3.freebsd-armv6.tar.gz: sha256:4ffcae8da2609a6d2491ce5ccee982620a7e9a0e70ee1272f0f6ffcc30d62221
smokeping_prober-0.7.3.freebsd-armv7.tar.gz: sha256:78986b4a673fae5c5b6f665dc160bb63c996611533faacdebc4b496dea93612e
smokeping_prober-0.7.3.illumos-amd64.tar.gz: sha256:603d673b8f33bd0da74349992a4a4f372381a09c7b8fceef81cf409a0c09eea9
smokeping_prober-0.7.3.linux-386.tar.gz: sha256:f5234a097d93ebc039b727c8343af2811ea5ef953af9fe53275a333acbfb3fc2
smokeping_prober-0.7.3.linux-amd64.tar.gz: sha256:00277fcd494002fbb0e24df398fc9bb06bb7f1406ecc0d2d71b6c0cb63bca872
smokeping_prober-0.7.3.linux-arm64.tar.gz: sha256:e93945a630eb58e9e88acd5c404be8b488b1593d2a07d721b8bf48d38471a67d
smokeping_prober-0.7.3.linux-armv5.tar.gz: sha256:514d5fdb6f8ccfcc0d5a4d0f98a91324c65bf0f6cfa37f54e5b4c5f30ba489d4
smokeping_prober-0.7.3.linux-armv6.tar.gz: sha256:75b4fec3840eaf87b1b46b5d43f84eef2acb3f630e2949caa15ff0f2ed6e4aff
smokeping_prober-0.7.3.linux-armv7.tar.gz: sha256:97a1c4c4e8502be192b6196a528647c93b9902ca3c7a855c0078d6be04260bc6
smokeping_prober-0.7.3.linux-mips.tar.gz: sha256:019e92d66bf4226d04cf5fadfa059d1c594d4b1cf8e35f3b491b40056e4a3e0a
smokeping_prober-0.7.3.linux-mips64.tar.gz: sha256:c054566106f751a01ccc0a1eb43748363d7ef0a6ee1aa9a8d421f487943b7871
smokeping_prober-0.7.3.linux-mips64le.tar.gz: sha256:95ef43cba12ee64cfe85ae6a28b9f6df3e800b13a2d121d41e60fce1dcac31eb
smokeping_prober-0.7.3.linux-mipsle.tar.gz: sha256:5beb3b1df782a177c1c0cbe3757815b5eabc977bedd95e1584d4512ed55f20df
smokeping_prober-0.7.3.linux-ppc64.tar.gz: sha256:dc403d910ee4c9f3e08ecbb6717e9a8caa195b911c48872900c811689e586d23
smokeping_prober-0.7.3.linux-ppc64le.tar.gz: sha256:c446660a14b53c9ed771a3d833a411c4929c8dd5b28c021ff36b6a246393c487
smokeping_prober-0.7.3.linux-s390x.tar.gz: sha256:9b53921cbe22dad60c6f8bea5ac2f75e1601a5b4e30b75c0e2b5b6c82a5d51de
smokeping_prober-0.7.3.netbsd-386.tar.gz: sha256:2cad359f42af0efe743e7ac326a552235e387e9d23c3fb6a753dd0f88a50d2d0
smokeping_prober-0.7.3.netbsd-amd64.tar.gz: sha256:e5c646848cc80a2d59c7e09b9fcb1dcffca205ca8e4ba16295ed8bc7b3900aba
smokeping_prober-0.7.3.netbsd-arm64.tar.gz: sha256:718f5f4fad07e8dfec1513a269a9899cd5f8d329c30e290bb6ecf3ce74013286
smokeping_prober-0.7.3.netbsd-armv6.tar.gz: sha256:20120fb928dcc85a97933737965b9b0abc5b09798ddcb720efc3f51a3abf0f01
smokeping_prober-0.7.3.netbsd-armv7.tar.gz: sha256:eae37f6c24cbf19e5a7248f7831b06e22a9f66ecd7d0d016ab217c67759dd3c0
smokeping_prober-0.7.3.openbsd-386.tar.gz: sha256:350b48242569594d59a3a7b3df1f10070896a4e1a38c1aa1f6561d522d114622
smokeping_prober-0.7.3.openbsd-amd64.tar.gz: sha256:d70f803922b425f4d5af39e261bea8ae7ea17916156126f8ea4b4fc6df139bcd
smokeping_prober-0.7.3.openbsd-arm64.tar.gz: sha256:35b43966f399df85601fdfd46d9a87417d3fec2fdd272d7b8ca3f59c17db890b
smokeping_prober-0.7.3.openbsd-armv7.tar.gz: sha256:965854e022e67cf0ccd094aff06b37e3b80f0b84e0251a5513c5745e0d98e5e0
smokeping_prober-0.7.3.windows-386.tar.gz: sha256:4567ffa0dfdf2bebe0debed67c599379707f8d957e5050e5ad2a86296a4545b1
smokeping_prober-0.7.3.windows-386.zip: sha256:45d017e34bb58ea093402a3030a3afd37bddfd524704ea2a2b54e9756d5fd2f3
smokeping_prober-0.7.3.windows-amd64.tar.gz: sha256:99d32b77a0c30f70921e842c724573659593069da97fbb6fe51fb9955a4a2a7e
smokeping_prober-0.7.3.windows-amd64.zip: sha256:dde0897b180ecd04f2e670d3613e6282ecf5fb457ec08ce8b4cde4a34bc39d69
smokeping_prober-0.7.3.windows-arm64.tar.gz: sha256:973a07635285feabb3a9050cb6b4d8706352f10b982130713108f13fd41b15c2
smokeping_prober-0.7.3.windows-arm64.zip: sha256:abf7342b029e43777ba82f10ea49b3a8bcb19e5aabbda32c2418628817b17f29
smokeping_prober_github_rel_path: SuperQ/smokeping_prober
smokeping_prober_github_project_url: "https://github.com/{{ smokeping_prober_github_rel_path }}"
smokeping_prober_release_file: "smokeping_prober-{{ smokeping_prober_version }}.{{ ansible_system | lower }}-{{ smokeping_prober_go_arch }}.tar.gz"
smokeping_prober_release_url: "{{ smokeping_prober_github_project_url }}/releases/download/v{{ smokeping_prober_version }}/{{ smokeping_prober_release_file }}"
smokeping_prober_download_path: "/tmp/{{ smokeping_prober_release_file }}"
smokeping_prober_opt_path: "/opt/smokeping_prober-{{ smokeping_prober_version }}"
smokeping_prober_unarchive_dest_path: /tmp
smokeping_prober_extracted_path: "{{ smokeping_prober_download_path | replace('.tar.gz', '') }}"
smokeping_prober_binaries:
- smokeping_prober
smokeping_prober_bin_path: /usr/local/bin/smokeping_prober
smokeping_prober_var_path: /var/lib/smokeping_prober
smokeping_prober_var_path_owner: "{{ smokeping_prober_user }}"
smokeping_prober_var_path_group: "{{ smokeping_prober_group }}"
smokeping_prober_var_path_mode: 0755
smokeping_prober_var_path_state: directory
smokeping_prober_user: smokeping_prober
smokeping_prober_user_shell: /usr/sbin/nologin
smokeping_prober_user_home: "{{ smokeping_prober_var_path }}"
smokeping_prober_group: smokeping_prober
smokeping_prober_etc_path: /etc/smokeping_prober
smokeping_prober_etc_path_owner: "{{ smokeping_prober_user }}"
smokeping_prober_etc_path_group: "{{ smokeping_prober_group }}"
smokeping_prober_etc_path_mode: 0755
smokeping_prober_etc_path_state: directory
smokeping_prober_config_path: "{{ smokeping_prober_etc_path }}/config.yaml"
smokeping_prober_config_path_owner: "{{ smokeping_prober_user }}"
smokeping_prober_config_path_group: "{{ smokeping_prober_group }}"
smokeping_prober_config_path_mode: 0444
smokeping_prober_config:
targets:
- hosts:
- localhost
network: ip4
- hosts:
- localhost
network: ip6
smokeping_prober_args:
- "--config.file={{ smokeping_prober_config_path }}"
smokeping_prober_service_name: smokeping_prober.service
smokeping_prober_service_state: started
smokeping_prober_service_enabled: true

6
roles/smokeping_prober/handlers/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart smokeping_prober
systemd:
name: "{{ smokeping_prober_service_name }}"
daemon_reload: true
state: restarted

55
roles/smokeping_prober/tasks/configure.yaml Normal file
View File

@ -0,0 +1,55 @@
---
- name: create group
ansible.builtin.group:
name: "{{ smokeping_prober_group }}"
system: true
- name: create user
ansible.builtin.user:
name: "{{ smokeping_prober_user }}"
shell: "{{ smokeping_prober_user_shell }}"
home: "{{ smokeping_prober_user_home }}"
system: true
group: "{{ smokeping_prober_group }}"
- name: create var path
ansible.builtin.file:
path: "{{ smokeping_prober_var_path }}"
owner: "{{ smokeping_prober_var_path_owner }}"
group: "{{ smokeping_prober_var_path_group }}"
mode: "{{ smokeping_prober_var_path_mode }}"
state: "{{ smokeping_prober_var_path_state }}"
- name: create etc path
ansible.builtin.file:
path: "{{ smokeping_prober_etc_path }}"
owner: "{{ smokeping_prober_etc_path_owner }}"
group: "{{ smokeping_prober_etc_path_group }}"
mode: "{{ smokeping_prober_etc_path_mode }}"
state: "{{ smokeping_prober_etc_path_state }}"
- name: configure
ansible.builtin.copy:
dest: "{{ smokeping_prober_config_path }}"
owner: "{{ smokeping_prober_config_path_owner }}"
group: "{{ smokeping_prober_config_path_group }}"
mode: "{{ smokeping_prober_config_path_mode }}"
content: "{{ smokeping_prober_config | to_yaml }}"
notify:
- restart smokeping_prober
- name: configure systemd unit
ansible.builtin.template:
src: smokeping_prober.service.j2
dest: "/etc/systemd/system/{{ smokeping_prober_service_name }}"
owner: root
group: root
mode: 0444
notify:
- restart smokeping_prober
- name: manage service
ansible.builtin.service:
name: "{{ smokeping_prober_service_name }}"
enabled: "{{ smokeping_prober_service_enabled | default(true) }}"
state: "{{ smokeping_prober_service_state | default('started') }}"

0
roles/smokeping_prober/tasks/default.yaml Normal file
View File

56
roles/smokeping_prober/tasks/install.yaml Normal file
View File

@ -0,0 +1,56 @@
---
- name: determine install status
ansible.builtin.stat:
path: "{{ smokeping_prober_opt_path }}/smokeping_prober"
register: st
- name: create opt path
ansible.builtin.file:
path: "{{ smokeping_prober_opt_path }}"
owner: root
group: root
mode: 0755
state: directory
- block:
- name: download
ansible.builtin.get_url:
url: "{{ smokeping_prober_release_url }}"
dest: "{{ smokeping_prober_download_path }}"
checksum: "{{ smokeping_prober_checksums[smokeping_prober_release_file] }}"
register: dl
until: dl is success
retries: 5
delay: 10
- name: extract
ansible.builtin.unarchive:
src: "{{ smokeping_prober_download_path }}"
dest: "{{ smokeping_prober_unarchive_dest_path }}"
remote_src: true
- name: install
ansible.builtin.copy:
src: "{{ smokeping_prober_extracted_path }}/{{ item }}"
dest: "{{ smokeping_prober_opt_path }}/{{ item }}"
remote_src: true
loop: "{{ smokeping_prober_binaries }}"
when: not st.stat.exists
- name: permissions
ansible.builtin.file:
path: "{{ smokeping_prober_opt_path }}/{{ item }}"
owner: root
group: root
mode: 0755
loop: "{{ smokeping_prober_binaries }}"
- name: symlink
ansible.builtin.file:
src: "{{ smokeping_prober_opt_path }}/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0755
state: link
loop: "{{ smokeping_prober_binaries }}"

28
roles/smokeping_prober/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- ansible.builtin.include_tasks: install.yaml
- ansible.builtin.include_tasks: configure.yaml

27
roles/smokeping_prober/templates/smokeping_prober.service.j2 Normal file
View File

@ -0,0 +1,27 @@
# {{ ansible_managed }}
[Unit]
Description=Smokeping Prober
After=network.target
[Service]
Type=simple
User={{ smokeping_prober_user }}
ExecStart={{ smokeping_prober_bin_path }} \
{% for arg in smokeping_prober_args %}
{{ arg }} {% if not loop.last %}\{% endif %}
{% if loop.last %}
{% endif %}
{% endfor %}
WorkingDirectory={{ smokeping_prober_var_path }}
TimeoutSec = 60
Restart=on-failure
RestartSec=2
AmbientCapabilities=CAP_NET_RAW
[Install]
WantedBy=multi-user.target

0
roles/smokeping_prober/vars/default.yaml Normal file
View File

2
roles/util/defaults/main.yaml
View File

@ -67,9 +67,7 @@ util_packages:
interpreters: interpreters:
- lua5.3 - lua5.3
python: python:
- python-pip
- python3-pip - python3-pip
- python-requests
- python3-requests - python3-requests
fun: fun:
- cmatrix - cmatrix

34
roles/vector/defaults/main.yaml Normal file
View File

@ -0,0 +1,34 @@
---
vector_package_name: vector
vector_package_state: present
vector_service_name: vector.service
vector_service_state: started
vector_service_enabled: true
vector_user: vector
vector_group: vector
vector_etc_path: /etc/vector
vector_config_file_mode: 0600
vector_config:
api:
enabled: true
vector_sources:
sources:
journald:
type: journald
vector_transforms:
transforms:
{}
vector_sinks:
sinks:
blackhole:
type: blackhole
inputs:
- journald

6
roles/vector/handlers/main.yaml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart vector
ansible.builtin.systemd:
name: "{{ vector_service_name }}"
daemon_reload: true
state: restarted

22
roles/vector/tasks/Debian.yaml Normal file
View File

@ -0,0 +1,22 @@
---
- name: configure apt repositories
block:
- name: add repository key
ansible.builtin.get_url:
url: https://repositories.timber.io/public/vector/gpg.3543DB2D0A2BC4B8.key
dest: /etc/apt/keyrings/timber-vector-archive-keyring.asc
#- name: dearmor GPG key
# ansible.builtin.shell: gpg --dearmor /tmp/timber-vector-archive-keyring.asc --output /etc/apt/keyrings/timber-vector-archive-keyring.gpg
# args:
# creates: /etc/apt/keyrings/timber-vector-archive-keyring.gpg
- name: add apt repository
ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/timber-vector-archive-keyring.asc] https://repositories.timber.io/public/vector/deb/ubuntu {{ ansible_distribution_release }} main"
state: present
- name: add apt source repository
ansible.builtin.apt_repository:
repo: "deb-src [signed-by=/etc/apt/keyrings/timber-vector-archive-keyring.asc] https://repositories.timber.io/public/vector/deb/ubuntu {{ ansible_distribution_release }} main"
state: present

84
roles/vector/tasks/configure.yaml Normal file
View File

@ -0,0 +1,84 @@
---
- name: remove example files
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- "{{ vector_etc_path }}/vector.toml"
- "{{ vector_etc_path }}/examples"
notify:
- restart vector
- name: configure
ansible.builtin.copy:
dest: "{{ vector_etc_path }}/vector.yaml"
owner: "{{ vector_user }}"
group: "{{ vector_group }}"
mode: "{{ vector_config_file_mode }}"
content: "{{ vector_config | to_yaml }}"
notify:
- restart vector
- name: configure sources
ansible.builtin.copy:
dest: "{{ vector_etc_path }}/sources.yaml"
owner: "{{ vector_user }}"
group: "{{ vector_group }}"
mode: "{{ vector_config_file_mode }}"
content: "{{ vector_sources | to_yaml }}"
notify:
- restart vector
- name: configure transforms
ansible.builtin.copy:
dest: "{{ vector_etc_path }}/transforms.yaml"
owner: "{{ vector_user }}"
group: "{{ vector_group }}"
mode: "{{ vector_config_file_mode }}"
content: "{{ vector_transforms | to_yaml }}"
notify:
- restart vector
- name: configure sinks
ansible.builtin.copy:
dest: "{{ vector_etc_path }}/sinks.yaml"
owner: "{{ vector_user }}"
group: "{{ vector_group }}"
mode: "{{ vector_config_file_mode }}"
content: "{{ vector_sinks | to_yaml }}"
notify:
- restart vector
- name: systemd unit overrides
block:
- name: create /etc/systemd/system/vector.service.d
ansible.builtin.file:
dest: /etc/systemd/system/vector.service.d
owner: root
group: root
mode: 0755
state: directory
- name: vector systemd unit override
ansible.builtin.copy:
dest: /etc/systemd/system/vector.service.d/ansible.conf
owner: root
group: root
mode: 0644
content: |
# Ansible managed
[Service]
Environment=VECTOR_CONFIG="{{ vector_etc_path }}/*.yaml"
RuntimeDirectory="vector"
notify:
- restart vector
- name: flush handlers
ansible.builtin.meta: flush_handlers
- name: manage service
ansible.builtin.service:
name: "{{ vector_service_name }}"
state: "{{ vector_service_state }}"
enabled: "{{ vector_service_enabled }}"

0
roles/vector/tasks/default.yaml Normal file
View File

5
roles/vector/tasks/install.yaml Normal file
View File

@ -0,0 +1,5 @@
---
- name: install package
package:
name: "{{ vector_package_name }}"
state: "{{ vector_package_state }}"

28
roles/vector/tasks/main.yaml Normal file
View File

@ -0,0 +1,28 @@
---
- name: gather os specific variables
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- default.yaml
paths:
- vars
- name: include os specific tasks
ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- default.yaml
paths:
- tasks
- include_tasks: install.yaml
- include_tasks: configure.yaml

0
roles/vector/vars/default.yaml Normal file
View File