alecodes/homelab
2
1
Fork 0
Code Issues 20 Pull requests Projects 1 Releases Packages Wiki Activity Actions

refactor: split ansible book into roles

Browse source
This commit is contained in:
Alexander Navarro 2024-12-10 11:31:46 -03:00
parent 89a7bfa789
commit 22d7e4a318
14 changed files with 983 additions and 215 deletions
Download patch file Download diff file Expand all files Collapse all files

25
roles/common/files/aleidk_key Normal file
View file

@ -0,0 +1,25 @@
$ANSIBLE_VAULT;1.1;AES256
61633965313636313234353338653466663733656339366561393932626364383439333034646136
3839303430636532306232303430356132373865306232310a663265343738613034343036653761
35303732633663323232633362373232366666393736376435653632666165656432646366656231
3663323862623830650a306139323764353435616238396438313766643836313363636638613761
33656566643763333962373063343734356639313564643934316439666664623432613135303963
34346239313137616361336538636237623436323566626166616265663264326632663665623866
31353938343938626631333635313661336263333132376231653030346664363863343939346435
65613561376664633931363963633038623430643332663231363034396335346463306334613931
62613334313363643832353136363434643034383939313463613838346639373536393264393066
37346630303762663363313535346638633535323732636562306435316261323935323363363836
66653133313264353861326637306131333437303261336362383336373061346231633064653139
38326564636534373966336535343165363137346261386464326161613264393339393661356337
62343062363530333339663932663366313030326533333239613265326135353264383835383036
39643034353435353064316234313864653631313631376333313438306565373164613030383139
62373836336262316237376433313964306337636263343233363530323831343163333265373536
33383036393534326561626565366461623438643734306663333238623563383131306361306639
31656537623931303830623338313630633562653762613532363338353938636463396138666363
66666137663363653938323261653238396633653238346365323664316361353831353034376230
66623733343233366632656461656632323839326530313532336139373636613966393238626234
33343039343039623831323539616434356132303030663136373337633532363761383066353730
62323263643264383163333962366239333363346366316562336339356637306563663632353337
30376430643732373162333035383266663063663634663233313133363931333565386230326362
36666633343661313039386662623861313761353163386662336536663866383463643338653066
63326335356431646465

10
roles/common/files/aleidk_key.pub Normal file
View file

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
65316163633033323362323465383233343166663965353634623531343230333966383133633035
3139663363333965636634326264633264303765323436610a336166663166376265366466353730
39396532366562383935353234376563356332653637643737373930656331326135306236373137
3865323265343231660a666130666430623239613731646332393762623066643964386130633538
35346532656262363964656438613236323932306139663465383361393235326332383438623366
65353833646365363832636333393161626535316535626534383462336233353061366566386138
63353564326130633063383661343932363735326464346236373631643432363332623936376464
31313765656133383536376334323335333439376162373432373462373266306131323639353136
3931

25
roles/common/files/robo_key Normal file
View file

@ -0,0 +1,25 @@
$ANSIBLE_VAULT;1.1;AES256
34326137303139636664306330643433353766383839373262633531633336336434326136633331
6266336136633662366234303339343435633935653835330a313337386531346535633164363732
33333162663564343032323038353737663532616133353538626265646665393131336132393863
3335613064643365380a366633363531363332663939343030373265343438633365633264376236
30313862373337343961363164666166633137636232646365666333333261356264313235643365
36663336636132376366396338346164303066343234613236633561393063313636616630303838
33636231373465333830613630393366653363643561396465363765383764326538633464366530
66626363336565343832373631363237653333653265616331623938356266343235656239656134
66306565646333656337336632636162356531666337613766396439623135633430623132643335
32373965613962336338633933346437396139393539656437326666363661653231653230313634
61633032316436646663616437343161363534383365656364303131646636643232366361653231
30643839343961366665653265666662386537623738356537393364336365396136346361656538
38653936613261306632386665336162666539646564666232353064646564643036343437396566
64656261633534316166656564326563323732316436316161303633373564653834356433366561
39643164373866346531353037613563623038626536616434316266323130643534303736653263
63643632316562616462333835343437613865363763323464646231343066393264653833383662
30326332373432326665306338383963333137376538373839626631356236353838376332636132
64636632336139396437356336326331343832346166386136356239323966376532346130613833
36316633633536653163313166396238373139383763306532346334343466366136636339646235
66326162323666306566616339353930353732336538303835366132363139336462373736366538
39636138383536363332326534356366313362353739373666303133326364643832616431316363
35393364386536393761303733336230633832646531623264616463323862313565316566666137
30306433313563313363643034356265316564393166336361663431633930663361356432313861
38393732626237353131

10
roles/common/files/robo_key.pub Normal file
View file

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
36616136323264353336336436666430626334313133643336383035313531393930313764323362
3133656632653262663266613130643162626535616130320a306435383930363131333035393834
31633537313861373437326138656163613336376535346561666232316436613338396331313965
3062366436363235630a656637373231363732643636353632366663386666613130656439386132
34323061333866373131363236326564643637373539636366376631393538333664353834626230
38386266623262343539356536313961393061346232386431666139303263613437376534633435
66613466353864633532383561633861396164313565653765363530326366323164313231343838
62643932623635646132316666303834653132396539363430666334633861336166313638323135
6364

4
roles/common/handlers/main.yaml Normal file
View file

@ -0,0 +1,4 @@
- name: Restart sshd
ansible.builtin.service:
name: sshd
state: restarted

19
roles/common/meta/arguments_specs.yaml Normal file
View file

@ -0,0 +1,19 @@
---
argument_specs:
main:
short_description: Main entry point for the common role
author:
- aleidk
options:
extra_groups:
type: "list"
elements: "str"
required: false
description:
- "Additional groups that will be added to each user"
robo_allowed_commands:
type: "list"
elements: "str"
required: false
description:
- "Commands that robo will be allowed to execute over SSH"

44
roles/common/tasks/main.yaml Normal file
View file

@ -0,0 +1,44 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/ansible/ansible-lint/refs/heads/main/src/ansiblelint/schemas/tasks.json
- name: Create a user group named docker
loop: "{{ extra_groups }}"
ansible.builtin.group:
name: "{{ item }}"
- name: Setup users
loop: "{{ users }}"
ansible.builtin.user:
state: present
name: "{{ item.name }}"
system: "{{ item.system }}"
shell: "{{ item.shell }}"
create_home: true
password: "{{ (item.password != '!' or item.password != '*') | ternary(item.password | password_hash('sha512'), item.password) }}"
groups: "{{ item.groups + extra_groups }}"
- name: Add SSH public key to users
loop: "{{ users }}"
ansible.posix.authorized_key:
user: "{{ item.name }}"
state: present
exclusive: true
key: "{{ item.ssh_keys.pub }}"
key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.name == 'robo' else omit }}"
- name: Disable password authentication for SSH
become: true
notify: Restart sshd
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication'
line: 'PasswordAuthentication no'
state: present
- name: Allow authentication via ssh keys
become: true
notify: Restart sshd
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
state: present

33
roles/common/vars/main.yaml Normal file
View file

@ -0,0 +1,33 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/ansible/ansible-lint/refs/heads/main/src/ansiblelint/schemas/vars.json
---
users:
- name: aleidk
shell: /bin/sh
system: false
groups:
- wheel
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
36376130326263316235653963663466333735313338636630326230636636663938313532356231
6234333364653934653665353438353562313838616236310a323738346137373061366433306238
61333637663466646631353032613431333263336436313261373637356562343834326563643637
3861326166353836330a333563623030346563353264313333363132633238636463623761313635
3432
ssh_keys:
priv: "{{ lookup('file', 'files/aleidk_key') }}"
pub: "{{ lookup('file', 'files/aleidk_key.pub') }}"
- name: robo
shell: /bin/sh
system: true
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
65633362306631393332636364393639336561353261613037346363633737363236616262613538
3061643566343533393838613261616362373965616538650a396638623038666635323739393038
66313636633963306663383631376264383761343534643465663135646162643339336266646264
6433373636316237330a343139363432653737376465633538636639626238613266646664366166
3136
ssh_keys:
priv: "{{ lookup('file', 'files/robo_key') }}"
pub: "{{ lookup('file', 'files/robo_key.pub') }}"

4
roles/docker/handlers/main.yaml Normal file
View file

@ -0,0 +1,4 @@
- name: Restart docker
ansible.builtin.service:
name: docker
state: restarted

94
roles/docker/tasks/main.yaml Normal file
View file

@ -0,0 +1,94 @@
- name: Start docker service
ansible.builtin.service:
name: docker
state: started
enabled: true
- name: Setup Docker Swarm
when: docker_swarm_manager | bool
block:
- name: Enable Docker Swarm mode
community.docker.docker_swarm:
state: present
- name: Create Traefik network
community.docker.docker_network:
name: reverse-proxy
driver: overlay
attachable: true
- name: Deploy Traefik service
community.docker.docker_compose_v2:
remove_orphans: true
project_name: reverse-proxy
definition:
networks:
reverse-proxy:
external: true
services:
traefik:
container_name: traefix-proxy
image: 'traefik:latest'
restart: unless-stopped
networks:
- reverse-proxy
ports:
# listen on host ports without ingress network
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
healthcheck:
test: 'wget -qO- http://localhost:80/ping || exit 1'
interval: 4s
timeout: 2s
retries: 5
command:
- '--ping=true'
- '--ping.entrypoint=http'
- '--api.dashboard=true'
- '--api.insecure=true'
- '--entrypoints.http.address=:80'
- '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.10.0/24'
- '--entrypoints.http.http.encodequerysemicolons=true'
- '--entryPoints.http.http2.maxConcurrentStreams=50'
# - "--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375"
- --providers.swarm.exposedByDefault=false
- --providers.swarm.network=reverse-proxy
deploy:
mode: global
placement:
constraints:
- node.role==manager
labels:
- traefik.enable=true
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.service=api@internal
- traefik.http.services.traefik.loadbalancer.server.port=8080
- name: Check if Docker context exists
local_action: ansible.builtin.command docker context inspect {{ ansible_hostname }}
register: context_exists
ignore_errors: true
- name: Create Docker context for each Swarm manager machine
local_action: >
ansible.builtin.command docker context create {{ ansible_hostname }} --docker "host=ssh://{{ ansible_default_ipv4.address }}"
when: context_exists.stderr != ''
- name: Join Docker Swarm as a worker
community.docker.docker_swarm:
state: join
join_token: "{{ hostvars['manager']['docker_swarm_worker_token'] }}"
remote_addrs: ["{{ hostvars['manager']['ansible_default_ipv4']['address'] }}"]
when: not docker_swarm_manager | bool