---
- name: Prepare System
hosts: all
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 2 seconds...
ansible.builtin.pause:
seconds: 2
tasks:
- name: Locale
block:
- name: Locale | Set timezone
community.general.timezone:
name: "{{ timezone | default('Etc/UTC') }}"
- name: Packages
block:
- name: Packages | Add fish key
ansible.builtin.get_url:
url: https://download.opensuse.org/repositories/shells:fish:release:3/Debian_12/Release.key
dest: /etc/apt/trusted.gpg.d/fish.asc
owner: root
group: root
mode: "0644"
- name: Packages | Add fish repository
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/trusted.gpg.d/fish.asc] http://download.opensuse.org/repositories/shells:/fish:/release:/3/Debian_12/ /
filename: fish
update_cache: true
- name: Packages | Add non-free repository
ansible.builtin.apt_repository:
repo: deb http://deb.debian.org/debian/ stable main contrib non-free
filename: non-free
update_cache: true
- name: Packages | Install
ansible.builtin.apt:
name: apt-transport-https,ca-certificates,conntrack,curl,dirmngr,fish,gdisk,
gnupg,hdparm,htop,iperf3,iptables,iputils-ping,ipvsadm,
libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,nvme-cli,open-iscsi,parted,psmisc,python3,
python3-apt,python3-kubernetes,python3-yaml,smartmontools,socat,software-properties-common,
unzip,util-linux
install_recommends: false
- name: User Configuration
block:
- name: User Configuration | SSH keys
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
key: "https://github.com/{{ github_username }}.keys"
- name: User Configuration | Silence login
ansible.builtin.file:
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.hushlogin"
state: touch
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "0644"
modification_time: preserve
access_time: preserve
- name: User Configuration | Add user to sudoers
when: ansible_user != 'root'
ansible.builtin.copy:
content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL"
dest: "/etc/sudoers.d/{{ ansible_user }}"
owner: root
group: root
mode: "0440"
- name: User Configuration | Fish shell (1)
ansible.builtin.user:
name: "{{ ansible_user }}"
shell: /usr/bin/fish
- name: User Configuration | Fish shell (2)
ansible.builtin.file:
path: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
recurse: true
- name: User Configuration | Fish shell (3)
ansible.builtin.copy:
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions/fish_greeting.fish"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "0755"
content: neofetch --config none
- name: User Configuration | Fish shell (3)
ansible.builtin.copy:
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions/k.fish"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "0755"
content: |
function k --wraps=kubectl --description 'kubectl shorthand'
kubectl $argv
end
- name: Network Configuration
notify: Reboot
block:
- name: Network Configuration | Set hostname
ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
- name: Network Configuration | Update hosts
ansible.builtin.copy:
dest: /etc/hosts
content: |
127.0.0.1 localhost
127.0.1.1 {{ inventory_hostname }}
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
mode: preserve
# https://github.com/cilium/cilium/issues/18706
- name: Network Configuration | Cilium (1)
ansible.builtin.lineinfile:
dest: /etc/systemd/networkd.conf
regexp: ManageForeignRoutingPolicyRules
line: ManageForeignRoutingPolicyRules=no
- name: Network Configuration | Cilium (2)
ansible.builtin.lineinfile:
dest: /etc/systemd/networkd.conf
regexp: ManageForeignRoutes
line: ManageForeignRoutes=no
- name: System Configuration
notify: Reboot
block:
- name: System Configuration | Neofetch
ansible.builtin.copy:
dest: /etc/profile.d/neofetch.sh
mode: "0755"
content: neofetch --config none
- name: System Configuration | Disable swap
ansible.posix.mount:
name: "{{ item }}"
fstype: swap
state: absent
loop: ["none", "swap"]
- name: System Configuration | Kernel modules (1)
community.general.modprobe:
name: "{{ item }}"
state: present
loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "nbd", "overlay", "rbd"]
- name: System Configuration | Kernel modules (2)
ansible.builtin.copy:
dest: "/etc/modules-load.d/{{ item }}.conf"
mode: "0644"
content: "{{ item }}"
loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "nbd", "overlay", "rbd"]
- name: System Configuration | Sysctl
ansible.posix.sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
sysctl_file: /etc/sysctl.d/99-kubernetes.conf
reload: true
with_dict: "{{ sysctl_config }}"
vars:
sysctl_config:
fs.inotify.max_queued_events: 65536
fs.inotify.max_user_watches: 524288
fs.inotify.max_user_instances: 8192
- name: System Configuration | Grub (1)
ansible.builtin.replace:
path: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=(?:(?![" ]{{ item.key | regex_escape }}=).)*)(?:[" ]{{ item.key | regex_escape }}=\S+)?(.*")$'
replace: '\1 {{ item.key }}={{ item.value }}\2'
with_dict: "{{ grub_config }}"
vars:
grub_config:
apparmor: "0"
mitigations: "off"
register: grub_status
- name: System Configuration | Grub (2) # noqa: no-changed-when no-handler
ansible.builtin.command: update-grub
when: grub_status.changed
handlers:
- name: Reboot
ansible.builtin.reboot:
msg: Rebooting nodes
reboot_timeout: 3600