Some ansible bootstrap scripts.

This commit is contained in:
Joseph Hanson 2023-11-20 16:33:30 -06:00
parent afd3a209ab
commit 2fb47dbbfe
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
6 changed files with 433 additions and 0 deletions

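--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory = hosts.yaml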


@ -0,0 +1,79 @@
---
- name: Prepare System
hosts: all
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 2 seconds...
ansible.builtin.pause:
seconds: 2
tasks:
- name: Packages
block:
- name: Packages | Add fish key
ansible.builtin.get_url:
url: https://download.opensuse.org/repositories/shells:fish:release:3/Debian_12/Release.key
dest: /etc/apt/trusted.gpg.d/fish.asc
owner: root
group: root
mode: "0644"
- name: Packages | Add fish repository
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/trusted.gpg.d/fish.asc] http://download.opensuse.org/repositories/shells:/fish:/release:/3/Debian_12/ /
filename: fish
update_cache: true
- name: Packages | Add non-free repository
ansible.builtin.apt_repository:
repo: deb http://deb.debian.org/debian/ stable main contrib non-free
filename: non-free
update_cache: true
- name: Packages | Install
ansible.builtin.apt:
name: i965-va-driver-shaders,apt-transport-https,ca-certificates,conntrack,curl,dirmngr,fish,gdisk,
gnupg,hdparm,htop,intel-gpu-tools,intel-media-va-driver-non-free,iperf3,iptables,iputils-ping,ipvsadm,
libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,nvme-cli,open-iscsi,parted,psmisc,python3,
python3-apt,python3-openshift,python3-kubernetes,python3-yaml,smartmontools,socat,software-properties-common,
unzip,util-linux
install_recommends: false
- name: User Configuration
block:
- name: User Configuration | SSH keys
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
key: "https://github.com/{{ github_username }}.keys"
- name: User Configuration | Silence login
ansible.builtin.file:
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.hushlogin"
state: touch
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "0644"
modification_time: preserve
access_time: preserve
- name: User Configuration | Add user to sudoers
when: ansible_user != 'root'
ansible.builtin.copy:
content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL"
dest: "/etc/sudoers.d/{{ ansible_user }}"
owner: root
group: root
mode: "0440"
- name: User Configuration | Fish shell (1)
ansible.builtin.user:
name: "{{ ansible_user }}"
shell: /usr/bin/fish
- name: User Configuration | Fish shell (2)
ansible.builtin.file:
path: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
recurse: true
- name: User Configuration | Fish shell (3)
ansible.builtin.copy:
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions/fish_greeting.fish"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "0755"
content: neofetch --config none
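Review bot: The `ansible.posix.authorized_key` task with `key: "https://github.com/{{ github_username }}.keys"` trusts whatever keys that GitHub account publishes at run time, and the sudoers task a few lines below grants the same user `NOPASSWD:ALL`, so control of the GitHub account becomes passwordless root on every host in the inventory. Consider pinning the public keys in inventory/vars instead of fetching them, and adding `exclusive: true` so a key revoked upstream is also removed here. The sudoers drop-in is written with plain `copy` and no `validate: visudo -cf %s`, so a malformed line would break sudo for every user; adding that validation plus a trailing newline in `content` is cheap insurance. Separately, the non-free repository tracks the moving `stable` suite while the fish repo is pinned to Debian_12; pinning both to `bookworm` avoids a surprise major upgrade when stable moves.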

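--- /dev/null
+++ b/ansible/dhcp.yaml
@@ -0,0 +1,53 @@
+---
+- hosts: all
+become: true
+tasks:
+# VM DHCP Config
+- name: Install isc-dhcp-server
+ansible.builtin.apt:
+pkg:
+- isc-dhcp-server
+state: present
+- name: Copy dhcpd.conf to /etc/dhcp/dhcpd.conf
+ansible.builtin.copy:
+src: ../config/dhcpd-hostnet.conf
+dest: /etc/dhcp/dhcpd.conf
+owner: root
+group: root
+mode: '0644'
+- name: Copy isc-dhcp-server to /etc/default/isc-dhcp-server
+ansible.builtin.copy:
+src: ../config/dhcpd-interfaces.conf
+dest: /etc/default/isc-dhcp-server
+owner: root
+group: root
+mode: '0644'
+- name: Copy net create script in ../scripts to /tmp
+ansible.builtin.copy:
+src: ../scripts/create_net_if.sh
+dest: /tmp/create_net_if.sh
+owner: root
+group: root
+mode: '0755'
+- name: Check if vmbr1 exists
+ansible.builtin.stat:
+path: /sys/class/net/vmbr1
+register: vmbr1
+- name: Set the network interfaces
+ansible.builtin.shell: /tmp/valinor-scripts/create_net_if.sh > /etc/network/interfaces
+when: not vmbr1.stat.exists
+- name: Restart service networking
+ansible.builtin.service:
+name: networking
+state: restarted
+- name: Delete script /tmp/
+ansible.builtin.file:
+path: /tmp/create_net_if.sh
+state: absent
+force: true
+- name: Enable isc-dhcp-server
+ansible.builtin.service:
+name: isc-dhcp-server
+enabled: true
+state: started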
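Review bot: The task "Set the network interfaces" runs `/tmp/valinor-scripts/create_net_if.sh`, a path this playbook never creates — the script is copied to `/tmp/create_net_if.sh` two tasks earlier and deleted from that same path afterwards — so on a host without vmbr1 the task fails before `/etc/network/interfaces` is written, and `networking` is then restarted regardless. The minimal fix is `ansible.builtin.shell: /tmp/create_net_if.sh > /etc/network/interfaces`; better still, stage the script in a root-owned directory that is not world-writable (or use `ansible.builtin.script` with `register` and write stdout via `copy`), since executing root-owned files out of `/tmp` is a well-known foot-gun on shared hosts. The `networking` restart would also be safer with the same `when: not vmbr1.stat.exists` guard so an already-configured host is not taken off the network mid-play.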

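--- /dev/null
+++ b/ansible/extras-only.yaml
@@ -0,0 +1,112 @@
+---
+- hosts: all
+become: true
+tasks:
+- name: Check if reboot is required
+ansible.builtin.stat:
+path: /var/run/reboot-required
+register: reboot_required
+- name: Reboot if required
+ansible.builtin.reboot:
+when: reboot_required.stat.exists
+- name: Installing Crowdsec pre-reqs
+ansible.builtin.apt:
+pkg:
+- gnupg
+state: present
+- name: Add crowdsec keyring
+ansible.builtin.get_url:
+url: https://packagecloud.io/crowdsec/crowdsec/gpgkey
+dest: /etc/apt/trusted.gpg.d/crowdsec
+checksum: sha512:5036042aff9d2700a39f64c3a6a70164a76162973e10dacb119aec98e9d60bd4a2f6d6ca4bc2c243a0751fd957baa51e0182fa0cd2f5798d7ec8a7893a1e219f
+mode: '0644'
+- name: Dearmor crowdsec gpg key
+ansible.builtin.command:
+cmd: gpg --dearmor /etc/apt/trusted.gpg.d/crowdsec
+creates: /etc/apt/trusted.gpg.d/crowdsec.gpg
+- name: Ensure keyring is removed
+ansible.builtin.file:
+path: /etc/apt/trusted.gpg.d/crowdsec
+state: absent
+- name: Add crowdsec repo
+ansible.builtin.apt_repository:
+repo: deb https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
+state: present
+filename: crowdsec-install-repo
+update_cache: true
+- name: Add crowdsec source repo
+ansible.builtin.apt_repository:
+repo: deb-src https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
+state: present
+filename: crowdsec-src-repo
+update_cache: true
+- name: Install firewalld and crowdsec packages
+ansible.builtin.apt:
+pkg:
+- firewalld
+- crowdsec
+- crowdsec-firewall-bouncer-iptables
+update_cache: true
+- name: Add enp5s0 interface to public firewalld zone
+ansible.posix.firewalld:
+state: "enabled"
+interface: "enp5s0"
+zone: public
+immediate: true
+permanent: true
+- name: Configure open ports with firewalld
+ansible.posix.firewalld:
+state: "{{ item.state }}"
+port: "{{ item.port }}"
+zone: public
+immediate: true
+permanent: true
+with_items:
+- { state: 'enabled', port: '22/tcp' }
+- { state: 'enabled', port: '8006/tcp' }
+- name: Enable firewalld masquerade
+ansible.posix.firewalld:
+state: "enabled"
+masquerade: "true"
+zone: public
+immediate: true
+permanent: true
+- name: Enable masquerade rich rule for 192.168.20.0/24 network
+ansible.posix.firewalld:
+state: "enabled"
+rich_rule: "rule family=ipv4 source address=192.168.20.0/24 masquerade"
+permanent: true
+immediate: true
+- name: Enable ipv4 forwarding
+ansible.posix.sysctl:
+name: net.ipv4.ip_forward
+value: 1
+state: present
+reload: true
+- name: Enable ipv6 forwarding
+ansible.posix.sysctl:
+name: net.ipv6.conf.all.forwarding
+value: 1
+state: present
+reload: true
+- name: Add vfio modules to /etc/modules
+ansible.builtin.lineinfile:
+path: /etc/modules
+line: "{{ item }}"
+create: true
+with_items:
+- vfio
+- vfio_iommu_type1
+- vfio_pci
+- vfio_virqfd
+- name: Add intel_iommu=on iommu=pt to kernel start parameters
+ansible.builtin.lineinfile:
+path: /etc/default/grub
+regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
+line: 'GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 systemd.show_status=true intel_iommu=on iommu=pt"'
+state: present
+backup: true
+## TODO: Find a way to only execute this ONLY when the kernel is installed.
+- name: Update grub
+ansible.builtin.command: update-grub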
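Review bot: The crowdsec key is dearmored into `/etc/apt/trusted.gpg.d/crowdsec.gpg` while the repo line `deb https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main` carries no `signed-by=`, so the packagecloud key becomes a trusted signer for every apt source on the host, not only the crowdsec one. Keeping the key under `/etc/apt/keyrings/` and referencing it with `[signed-by=...]` limits the blast radius if that key is ever compromised; the sha512 checksum on the download is good and should stay. Two smaller points: the `deb-src` entry is not needed to install packages and only widens what apt fetches on every update, and opening `8006/tcp` in the public zone exposes the Proxmox web UI on `enp5s0`, which is fine if that interface is a LAN but deserves a comment if it is not.

```yaml
- name: Ensure apt keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'
- name: Add crowdsec keyring
  ansible.builtin.get_url:
    url: https://packagecloud.io/crowdsec/crowdsec/gpgkey
    dest: /etc/apt/keyrings/crowdsec.asc
    checksum: sha512:5036042aff9d2700a39f64c3a6a70164a76162973e10dacb119aec98e9d60bd4a2f6d6ca4bc2c243a0751fd957baa51e0182fa0cd2f5798d7ec8a7893a1e219f
    mode: '0644'
- name: Dearmor crowdsec gpg key
  ansible.builtin.command:
    cmd: gpg --dearmor -o /etc/apt/keyrings/crowdsec.gpg /etc/apt/keyrings/crowdsec.asc
    creates: /etc/apt/keyrings/crowdsec.gpg
- name: Ensure armored key is removed
  ansible.builtin.file:
    path: /etc/apt/keyrings/crowdsec.asc
    state: absent
- name: Add crowdsec repo
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/crowdsec.gpg] https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
# … unchanged: state / filename / update_cache, and the remaining firewalld, sysctl, vfio and grub tasks …
```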

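--- /dev/null
+++ b/ansible/hosts.yaml
@@ -0,0 +1,21 @@
+---
+valinor:
+vars:
+ansible_user: jahanson
+github_username: jahanson
+ansible_ssh_port: 22
+children:
+workers:
+hosts:
+varda:
+ansible_host: varda.hsn.dev
+ceph_drives:
+- /dev/disk/by-id/nvme-SAMSUNG_MZVL2512HCJQ-00B00_S675NU0TB36131
+# manwe:
+# ansible_host: manwe.hsn.dev
+# ceph_drives:
+# - /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0TC01391F
+# nienna:
+# ansible_host: nienna.hsn.dev
+# ceph_drives:
+# - /dev/disk/by-id/nvme-SAMSUNG_MZVLB512HBJQ-00000_S4GENX0N424497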
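Review bot: `ansible_ssh_port: 22` uses the deprecated `ansible_ssh_*` spelling while the neighbouring `ansible_user` already uses the current form; the modern variable is `ansible_port: 22`, and since 22 is the SSH default the line can simply be dropped. The `ceph_drives` entries are device serial numbers that nothing in this commit consumes yet; a one-line comment saying which playbook will read them would help the next reader.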

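--- /dev/null
+++ b/ansible/proxmox8.yaml
@@ -0,0 +1,166 @@
+---
+- hosts: all
+become: true
+tasks:
+- name: Add proxmox gpg key
+ansible.builtin.get_url:
+url: https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg
+dest: /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
+checksum: sha512:7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87
+mode: '0644'
+- name: Add proxmox repo
+ansible.builtin.apt_repository:
+repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+state: present
+filename: pve-install-repo
+update_cache: true
+- name: Ensure that pve-enterprise apt repo is removed
+ansible.builtin.apt_repository:
+repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
+state: absent
+filename: pve-enterprise
+- name: Upgrade apt packages
+ansible.builtin.apt:
+upgrade: full
+update_cache: true
+- name: Install pve-kernel-6.2
+ansible.builtin.apt:
+pkg: pve-kernel-6.2
+state: present
+- name: Check if reboot is required
+ansible.builtin.stat:
+path: /var/run/reboot-required
+register: reboot_required
+- name: Reboot if required
+ansible.builtin.reboot:
+when: reboot_required.stat.exists
+- name: Install proxmox-ve postfix and open-iscsi
+ansible.builtin.apt:
+pkg:
+- proxmox-ve
+- postfix
+- open-iscsi
+state: present
+- name: Ensure the Debian Kernel is removed
+ansible.builtin.apt:
+pkg:
+- linux-image-amd64
+- linux-image-6.1*
+state: absent
+## TODO: Find a way to only execute this ONLY when the kernel is installed.
+- name: Update grub
+ansible.builtin.command: update-grub
+- name: Remove os-prober
+ansible.builtin.apt:
+pkg: os-prober
+state: absent
+- name: Ensure that pve-enterprise apt repo is removed
+ansible.builtin.apt_repository:
+repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
+state: absent
+filename: pve-enterprise
+- name: Upgrade apt packages
+ansible.builtin.apt:
+upgrade: full
+update_cache: true
+- name: Installing Crowdsec pre-reqs
+ansible.builtin.apt:
+pkg:
+- gnupg
+state: present
+- name: Add crowdsec keyring
+ansible.builtin.get_url:
+url: https://packagecloud.io/crowdsec/crowdsec/gpgkey
+dest: /etc/apt/trusted.gpg.d/crowdsec
+checksum: sha512:5036042aff9d2700a39f64c3a6a70164a76162973e10dacb119aec98e9d60bd4a2f6d6ca4bc2c243a0751fd957baa51e0182fa0cd2f5798d7ec8a7893a1e219f
+mode: '0644'
+- name: Dearmor crowdsec gpg key
+ansible.builtin.command:
+cmd: gpg --dearmor /etc/apt/trusted.gpg.d/crowdsec
+creates: /etc/apt/trusted.gpg.d/crowdsec.gpg
+- name: Ensure keyring is removed
+ansible.builtin.file:
+path: /etc/apt/trusted.gpg.d/crowdsec
+state: absent
+- name: Add crowdsec repo
+ansible.builtin.apt_repository:
+repo: deb https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
+state: present
+filename: crowdsec-install-repo
+update_cache: true
+- name: Add crowdsec source repo
+ansible.builtin.apt_repository:
+repo: deb-src https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
+state: present
+filename: crowdsec-src-repo
+update_cache: true
+- name: Install firewalld and crowdsec packages
+ansible.builtin.apt:
+pkg:
+- firewalld
+- crowdsec
+- crowdsec-firewall-bouncer-iptables
+update_cache: true
+- name: Add enp5s0 interface to public firewalld zone
+ansible.posix.firewalld:
+state: "enabled"
+interface: "enp5s0"
+zone: public
+immediate: true
+permanent: true
+- name: Configure open ports with firewalld
+ansible.posix.firewalld:
+state: "{{ item.state }}"
+port: "{{ item.port }}"
+zone: public
+immediate: true
+permanent: true
+with_items:
+- { state: 'enabled', port: '22/tcp' }
+- { state: 'enabled', port: '8006/tcp' }
+- name: Enable firewalld masquerade
+ansible.posix.firewalld:
+state: "enabled"
+masquerade: "true"
+zone: public
+immediate: true
+permanent: true
+- name: Enable masquerade rich rule for 192.168.20.0/24 network
+ansible.posix.firewalld:
+state: "enabled"
+rich_rule: "rule family=ipv4 source address=192.168.20.0/24 masquerade"
+permanent: true
+immediate: true
+- name: Enable ipv4 forwarding
+ansible.posix.sysctl:
+name: net.ipv4.ip_forward
+value: 1
+state: present
+reload: true
+- name: Enable ipv6 forwarding
+ansible.posix.sysctl:
+name: net.ipv6.conf.all.forwarding
+value: 1
+state: present
+reload: true
+- name: Add vfio modules to /etc/modules
+ansible.builtin.lineinfile:
+path: /etc/modules
+line: "{{ item }}"
+create: true
+with_items:
+- vfio
+- vfio_iommu_type1
+- vfio_pci
+- vfio_virqfd
+- name: Add intel_iommu=on iommu=pt to debian bookworm kernel start parameters
+ansible.builtin.lineinfile:
+path: /etc/default/grub
+regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
+line: 'GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 systemd.show_status=true intel_iommu=on iommu=pt"'
+state: present
+backup: true
+## TODO: Find a way to only execute this ONLY when the kernel is installed.
+- name: Update grub
+ansible.builtin.command: update-grub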
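Review bot: The reboot between "Install pve-kernel-6.2" and "Ensure the Debian Kernel is removed" is gated on `/var/run/reboot-required`, but as far as I know that marker is written by the Ubuntu update-notifier hook and is not created by a kernel install on plain Debian 12, so the play can skip the reboot and then purge `linux-image-amd64` / `linux-image-6.1*` while that Debian kernel is still the one running; `update-grub` will succeed and the host keeps running an uninstalled kernel until something else reboots it. Reboot unconditionally after the pve-kernel install, or gate the removal on a post-reboot check such as `when: ansible_kernel is search('pve')`, rather than on that file. From "Installing Crowdsec pre-reqs" onward the tasks are a verbatim copy of extras-only.yaml (and the `pve-enterprise` removal and full upgrade already appear twice in this file); an `import_playbook`/shared tasks file would keep the two from drifting. The `pve-no-subscription` entry is plain `http` with no `[signed-by=...]`, so the Proxmox key dropped into `trusted.gpg.d` is trusted for every source — the same scoping point as for the crowdsec key, and `https://download.proxmox.com` is available.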