├── .ansible-lint ├── .github ├── FUNDING.yml └── workflows │ └── stale-action.yml ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── ansible.cfg ├── images ├── homelab-pxe-boot-menu.png └── kubernetes-homelab-diagram.png ├── inventory ├── manifest.json ├── playbooks ├── configure-admin-hosts.yml ├── configure-dell-hosts.yml ├── configure-hostsfile.yml ├── configure-k8s-cluster.yml ├── configure-k8s-hosts.yml ├── configure-kvm-hosts.yml ├── configure-newrelic-hosts.yml ├── configure-openvas-hosts.yml ├── configure-pxe-hosts.yml ├── configure-raspberrypi-hosts.yml ├── create-users.yml ├── group_vars │ └── all └── update-all-yum-packages.yml └── roles ├── hl.bind ├── defaults │ ├── main.yml │ └── secure.yml ├── files │ ├── db.1.11.10 │ └── db.hl.test ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── bind_exporter.service.j2 │ ├── named.conf.master.j2 │ ├── named.conf.slave.j2 │ └── rndc.key.j2 ├── hl.certbot ├── defaults │ └── main.yml ├── handlers │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.chrony ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── chrony.conf.peer1.j2 │ └── chrony.conf.peer2.j2 ├── hl.common ├── defaults │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.containerd ├── defaults │ └── main.yml ├── handlers │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.dell-omsa ├── defaults │ └── main.yml ├── files │ └── dell-system-update.repo └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.dellhw-exporter ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── dellhw_exporter.service.j2 ├── hl.dhcpd ├── defaults │ ├── main.yml │ └── secure.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── dhcpd.conf.master.j2 │ └── dhcpd.conf.slave.j2 ├── hl.docker ├── defaults │ └── main.yml ├── files │ └── daemon.json ├── handlers │ 
└── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.handle-lid-switch ├── defaults │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.haproxy ├── defaults │ └── main.yml ├── files │ └── haproxy.pem ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── haproxy.cfg.j2 │ └── haproxy_exporter.service.j2 ├── hl.hardening ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── hardening-limits.conf.j2 │ └── securetty.j2 ├── hl.hostsfile ├── defaults │ └── main.yml ├── tasks │ ├── Linux.yml │ └── main.yml └── templates │ └── hosts.j2 ├── hl.httpd ├── defaults │ └── main.yml ├── files │ ├── 00-base.conf │ ├── 00-dav.conf │ ├── 00-optional.conf │ ├── 00-proxy.conf │ └── 10-proxy_h2.conf ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── httpd.conf.j2 ├── hl.k8s-cluster ├── defaults │ └── main.yml ├── files │ └── dashboard-adminuser.yaml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.k8s ├── defaults │ └── main.yml ├── files │ └── modules.conf └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.keepalived ├── defaults │ ├── main.yml │ └── secure.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── keepalived.conf.master.j2 │ └── keepalived.conf.slave.j2 ├── hl.libvirt ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── ifcfg-br0.example │ └── ifcfg-ethx.example ├── hl.mysql-server ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── my.cnf.j2 ├── hl.mysqld-exporter ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── mysqld_exporter.service.j2 ├── hl.node-exporter ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── node_exporter.service.j2 ├── hl.openvas ├── defaults │ └── main.yml ├── files │ ├── 
Rocky-PowerTools.repo │ └── crb-el9.repo ├── handlers │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.openvpn-server ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── client.conf.j2 │ ├── logrotate.openvpn.j2 │ └── server.conf.j2 ├── hl.php ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── php.ini.j2 ├── hl.pihole-exporter ├── defaults │ └── main.yml ├── tasks │ ├── Debian.yml │ └── main.yml └── templates │ └── pihole_exporter.service.j2 ├── hl.postfix ├── defaults │ ├── main.yml │ └── secure.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ ├── main.cf.j2 │ └── sasl_passwd.j2 ├── hl.pxe-boot-server ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ ├── download_media.yml │ └── main.yml └── templates │ ├── default.j2 │ ├── exports.j2 │ ├── nginx.conf.j2 │ ├── rocky8-host-ks.cfg.j2 │ ├── rocky8-packer-ks.cfg.j2 │ ├── rocky9-host-ks.cfg.j2 │ ├── rocky9-packer-ks.cfg.j2 │ ├── ubuntu2004-desktop.seed.j2 │ ├── ubuntu2004-server.seed.j2 │ └── vsftpd.conf.j2 ├── hl.resolvconf ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── resolv.conf.j2 ├── hl.samba ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── smb.conf.j2 ├── hl.sshd ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── tasks │ ├── Debian.yml │ ├── RedHat.yml │ └── main.yml ├── templates │ └── sshd_config.j2 └── vars │ └── main.yml ├── hl.staticroute ├── README.md ├── defaults │ └── main.yml ├── tasks │ ├── RedHat.yml │ └── main.yml └── templates │ └── route-ethx.j2 ├── hl.swapfile ├── defaults │ └── main.yml ├── handlers │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── hl.template ├── defaults │ └── main.yml ├── handlers │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml ├── 
hl.timezone ├── defaults │ └── main.yml └── tasks │ ├── Linux.yml │ └── main.yml ├── hl.users ├── defaults │ ├── main.yml │ └── secure.yml ├── files │ ├── id_rsa_ansible.pub │ ├── id_rsa_root.pub │ └── id_rsa_tom.pub └── tasks │ ├── Linux.yml │ └── main.yml ├── hl.wakeonlan ├── defaults │ └── main.yml └── tasks │ ├── RedHat.yml │ └── main.yml └── newrelic.newrelic-infra ├── LICENSE.md ├── defaults └── main.yml ├── handlers └── main.yml ├── tasks ├── install_dist_pkgs.yml ├── install_targz.yml └── main.yml ├── templates └── newrelic-infra.yml.j2 └── vars └── main.yml /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | # .ansible-lint 3 | 4 | # You need to install ansible-lint to use this: 5 | # pip3 install ansible-lint 6 | 7 | profile: production 8 | 9 | # exclude_paths included in this file are parsed relative to this file's location 10 | # and not relative to the CWD of execution. 11 | exclude_paths: 12 | - collections 13 | 14 | parseable: true 15 | quiet: true 16 | strict: true 17 | verbosity: 1 18 | 19 | # Enforce variable names to follow pattern below, in addition to Ansible own 20 | # requirements, like avoiding python identifiers. To disable add `var-naming` 21 | # to skip_list. 22 | var_naming_pattern: "^[a-z_][a-z0-9_]*$" 23 | 24 | use_default_rules: true 25 | 26 | # To skip a rule just enter filename and tag. 27 | skip_list: 28 | - deprecated-module 29 | - package-latest # We want the latest packages installed on servers. 30 | - role-name # Exclude role name checking because they contain a dot. 31 | - yaml[line-length] 32 | - yaml[truthy] 33 | 34 | # Ansible-lint does not automatically load rules that have the 'opt-in' tag. 35 | # You must enable opt-in rules by listing each rule 'id' below. 
36 | enable_list: 37 | - args 38 | - empty-string-compare # opt-in 39 | - no-log-password # opt-in 40 | - no-same-owner # opt-in 41 | - name[prefix] # opt-in 42 | - yaml 43 | 44 | # Offline mode disables installation of requirements.yml and schema refreshing 45 | offline: true 46 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | --- 2 | patreon: lisenet 3 | -------------------------------------------------------------------------------- /.github/workflows/stale-action.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Close stale issues and PRs" 3 | 4 | on: 5 | schedule: 6 | - cron: "37 13 * * *" 7 | 8 | permissions: 9 | issues: write 10 | pull-requests: write 11 | 12 | jobs: 13 | stale: 14 | runs-on: ubuntu-22.04 15 | steps: 16 | - uses: actions/stale@v8 17 | with: 18 | stale-issue-message: "This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days." 19 | close-issue-message: "This issue was closed because it has been stalled for 7 days with no activity." 20 | stale-pr-message: "This PR is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days." 21 | close-pr-message: "This PR was closed because it has been stalled for 7 days with no activity." 
22 | stale-issue-label: "stale" 23 | stale-pr-label: "stale" 24 | days-before-issue-stale: 180 25 | days-before-pr-stale: 180 26 | days-before-issue-close: 7 27 | days-before-pr-close: 7 28 | exempt-issue-labels: "in progress" 29 | exempt-pr-labels: "in progress" 30 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *backup 2 | ansible.log 3 | join* 4 | vault.key 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Contributions are welcome via GitHub pull requests. 4 | 5 | To contribute to homelab-ansible, please use pull requests on a branch of your own fork. 6 | 7 | This document outlines the process to help get your contribution accepted. 8 | 9 | ## Sign Your Commits 10 | 11 | Contributors must sign their commits locally using GPG. 12 | 13 | See GitHub documentation [here](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits). 14 | 15 | ## How to Contribute 16 | 17 | 1. Fork this repository, develop and test your changes. 18 | 2. Remember to sign your commits locally using GPG as described above. 19 | 3. Submit a pull request. 20 | 21 | ### Step-by-step 22 | 23 | After creating your fork on GitHub, you can do: 24 | 25 | ```bash 26 | $ git clone --recursive git@github.com:your-name/homelab-ansible 27 | $ cd homelab-ansible 28 | $ git checkout -b your-branch-name 29 | # DO SOME CODING HERE 30 | $ git add your new files 31 | $ git commit -S -m "YOUR_COMMIT_MESSAGE" 32 | $ git push origin your-branch-name 33 | ``` 34 | 35 | You will then be able to create a pull request from your commit. 
36 | 37 | ## Coding Conventions 38 | 39 | This project uses Ansible-lint in order to adopt proven practices and avoid pitfalls that could make code harder to maintain. 40 | 41 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2021, lisenet (tomas at lisenet dot com) 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | inventory = ./inventory 3 | vault_password_file = ./vault.key 4 | ansible_managed = ANSIBLE MANAGED: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} 5 | 6 | # Use YAML callback plugin for a better CLI experience 7 | stdout_callback = yaml 8 | 9 | # Ansible best practices: using project-local collections and roles. 
10 | # Installs roles into [current dir]/roles/namespace.rolename 11 | roles_path = ./roles 12 | # Installs collections into [current dir]/collections/ansible_collections/namespace/collection_name 13 | collections_paths = ./collections 14 | 15 | remote_user = ansible 16 | remote_port = 22 17 | host_key_checking = False 18 | timeout = 5 19 | #scp_if_ssh = True 20 | deprecation_warnings = False 21 | nocows = True 22 | # Default connection plugin to use 23 | transport = ssh 24 | 25 | [ssh_connection] 26 | ssh_args = -o ControlMaster=auto -o ControlPersist=3600 27 | control_path = ~/.ssh/multiplexing/ansible-ssh-%%r@%%h:%%p 28 | 29 | [privilege_escalation] 30 | become = False 31 | become_method = sudo 32 | become_user = root 33 | become_ask_pass = False 34 | -------------------------------------------------------------------------------- /images/homelab-pxe-boot-menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lisenet/homelab-ansible/5e16c6f0d56a4db28827e304a01796920bb9568a/images/homelab-pxe-boot-menu.png -------------------------------------------------------------------------------- /images/kubernetes-homelab-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lisenet/homelab-ansible/5e16c6f0d56a4db28827e304a01796920bb9568a/images/kubernetes-homelab-diagram.png -------------------------------------------------------------------------------- /inventory: -------------------------------------------------------------------------------- 1 | [dns1] 2 | 10.11.1.2 3 | 4 | [dns2] 5 | 10.11.1.3 6 | 7 | [raspberrypi] 8 | 10.11.1.7 9 | 10 | [pxe] 11 | 10.11.1.20 12 | 13 | [kvm] 14 | 10.11.1.21 15 | 10.11.1.22 16 | 10.11.1.23 17 | 18 | [dell:children] 19 | kvm 20 | 21 | [admin:children] 22 | dns1 23 | dns2 24 | 25 | [virtual:children] 26 | dns1 27 | dns2 28 | 29 | [k8s_first_control_plane] 30 | 10.11.1.31 31 | 32 | 
[k8s_other_control_plane] 33 | 10.11.1.32 34 | 10.11.1.33 35 | 36 | [k8s_master:children] 37 | k8s_first_control_plane 38 | k8s_other_control_plane 39 | 40 | [k8s_node] 41 | 10.11.1.[34:36] 42 | 43 | [k8s:children] 44 | k8s_master 45 | k8s_node 46 | 47 | [nri-agents:children] 48 | admin 49 | pxe 50 | kvm 51 | k8s 52 | 53 | [openvas] 54 | 10.11.1.40 55 | -------------------------------------------------------------------------------- /manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "homelab-ansible", 3 | "version": "11.2.0", 4 | "author": "Lisenet", 5 | "homepage_url": "https://github.com/lisenet/homelab-ansible" 6 | } 7 | -------------------------------------------------------------------------------- /playbooks/configure-admin-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users 3 | hosts: admin 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | 9 | - name: Configure Admin Hosts 10 | hosts: admin 11 | become: true 12 | gather_facts: true 13 | roles: 14 | - hl.sshd 15 | - hl.resolvconf 16 | - hl.timezone 17 | - hl.hardening 18 | - hl.common 19 | - hl.node-exporter 20 | - hl.swapfile 21 | - hl.bind 22 | - hl.dhcpd 23 | - hl.haproxy 24 | - hl.keepalived 25 | - hl.postfix 26 | - hl.chrony 27 | ... 28 | -------------------------------------------------------------------------------- /playbooks/configure-dell-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Configure Dell Hosts 3 | hosts: dell 4 | become: true 5 | gather_facts: true 6 | roles: 7 | - hl.dell-omsa 8 | - hl.dellhw-exporter 9 | ... 
10 | -------------------------------------------------------------------------------- /playbooks/configure-hostsfile.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Configure Hosts File 3 | hosts: admin,pxe,kvm,k8s 4 | become: true 5 | gather_facts: true 6 | roles: 7 | - hl.hostsfile 8 | ... 9 | -------------------------------------------------------------------------------- /playbooks/configure-k8s-cluster.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Configure Kubernetes Cluster 3 | hosts: k8s 4 | become: true 5 | gather_facts: true 6 | roles: 7 | - hl.k8s-cluster 8 | ... 9 | -------------------------------------------------------------------------------- /playbooks/configure-k8s-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users 3 | hosts: k8s 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | 9 | - name: Configure Kubernetes Hosts 10 | hosts: k8s 11 | become: true 12 | gather_facts: true 13 | roles: 14 | - hl.sshd 15 | - hl.resolvconf 16 | - hl.timezone 17 | - hl.hardening 18 | - hl.common 19 | - hl.node-exporter 20 | - hl.containerd 21 | - hl.k8s 22 | ... 
23 | -------------------------------------------------------------------------------- /playbooks/configure-kvm-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users 3 | hosts: kvm 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | 9 | - name: Configure KVM Hosts 10 | hosts: kvm 11 | become: true 12 | gather_facts: true 13 | roles: 14 | - hl.sshd 15 | - hl.resolvconf 16 | - hl.timezone 17 | - hl.hardening 18 | - hl.common 19 | - hl.node-exporter 20 | - hl.handle-lid-switch 21 | - hl.wakeonlan 22 | - hl.libvirt 23 | vars: 24 | sysctl_values: 25 | - name: net.ipv4.ip_forward 26 | value: 1 27 | - name: vm.swappiness 28 | value: 1 29 | tasks: 30 | - name: Configure Sysctl Values 31 | ansible.posix.sysctl: 32 | name: "{{ item.name }}" 33 | value: "{{ item.value }}" 34 | state: present 35 | loop: "{{ sysctl_values }}" 36 | ... 37 | -------------------------------------------------------------------------------- /playbooks/configure-newrelic-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Linux | Configure NewRelic Agent 3 | hosts: nri-agents 4 | become: true 5 | roles: 6 | - name: newrelic.newrelic-infra 7 | vars: 8 | nrinfragent_state: latest 9 | nrinfragent_service_enabled: true 10 | nrinfragent_service_state: started 11 | nrinfragent_config: 12 | license_key: "{{ newrelic_key }}" 13 | log_file: "/var/log/nr-infra.log" 14 | log_to_stdout: false 15 | enable_process_metrics: false 16 | metrics_process_sample_rate: -1 17 | startup_connection_retries: -1 18 | selinux_enable_semodule: false 19 | dns_hostname_resolution: false 20 | tasks: 21 | - name: Linux | Remove Integrations from Monitoring 22 | # This counts towards infrastructure integrations data ingestion 23 | ansible.builtin.file: 24 | path: "/etc/newrelic-infra/integrations.d/" 25 | state: absent 26 | ... 
27 | -------------------------------------------------------------------------------- /playbooks/configure-openvas-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users 3 | hosts: openvas 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | 9 | - name: Configure OpenVAS Host 10 | hosts: openvas 11 | become: true 12 | gather_facts: true 13 | roles: 14 | - hl.sshd 15 | - hl.resolvconf 16 | - hl.timezone 17 | - hl.hardening 18 | - hl.common 19 | - hl.node-exporter 20 | - hl.openvas 21 | ... 22 | -------------------------------------------------------------------------------- /playbooks/configure-pxe-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users 3 | hosts: pxe 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | 9 | - name: Configure PXE Boot Hosts 10 | hosts: pxe 11 | become: true 12 | gather_facts: true 13 | roles: 14 | - hl.pxe-boot-server 15 | - hl.sshd 16 | - hl.resolvconf 17 | - hl.timezone 18 | - hl.hardening 19 | - hl.common 20 | - hl.node-exporter 21 | - hl.handle-lid-switch 22 | - hl.wakeonlan 23 | vars: 24 | - download_pxe_boot_media: false 25 | - download_packer_media: false 26 | ... 27 | -------------------------------------------------------------------------------- /playbooks/configure-raspberrypi-hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users 3 | hosts: raspberrypi 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | 9 | - name: Configure RaspberryPi Hosts 10 | hosts: raspberrypi 11 | become: true 12 | gather_facts: true 13 | roles: 14 | - hl.sshd 15 | - hl.timezone 16 | - hl.pihole-exporter 17 | ... 
18 | -------------------------------------------------------------------------------- /playbooks/create-users.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Users and Groups 3 | hosts: all 4 | remote_user: root 5 | gather_facts: true 6 | roles: 7 | - hl.users 8 | ... 9 | -------------------------------------------------------------------------------- /playbooks/group_vars/all: -------------------------------------------------------------------------------- 1 | homelab_address: "10.11.1.0" 2 | homelab_broadcast: "10.11.1.255" 3 | homelab_cidr_prefix: "24" 4 | homelab_dns1_server: "10.11.1.2" 5 | homelab_dns2_server: "10.11.1.3" 6 | homelab_dns3_server: "10.11.1.7" 7 | homelab_dns_forwarder_server: "10.11.1.7" 8 | homelab_domain_name: "hl.test" 9 | homelab_gateway: "10.11.1.1" 10 | homelab_reverse_zone: "1.11.10" 11 | homelab_subnet_mask: "255.255.255.0" 12 | 13 | -------------------------------------------------------------------------------- /playbooks/update-all-yum-packages.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Upgrade Packages 3 | hosts: all 4 | become: true 5 | gather_facts: true 6 | tasks: 7 | - name: RedHat | Upgrade all packages, excluding kernel 8 | ansible.builtin.yum: 9 | name: '*' 10 | state: latest 11 | exclude: 'kernel*' 12 | when: ansible_os_family == 'RedHat' 13 | ... 14 | -------------------------------------------------------------------------------- /roles/hl.bind/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - bind 8 | - bind-utils 9 | - tar 10 | 11 | systemd_service: "named" 12 | firewall_port: "dns" 13 | 14 | # rndc_key: 15 | # DNS update key, generated with `rndc-confgen -A hmac-sha256 -a -b 512 -r /dev/urandom` 16 | # stored in ansible vault defaults/secure.yml 17 | 18 | bind_user: "named" 19 | bind_log_file: "/var/log/{{ systemd_service }}/{{ systemd_service }}.log" 20 | bind_config_file: "named.conf" 21 | bind_rndc_key: "/etc/rndc.key" 22 | bind_data_dir: "/var/named/data" 23 | bind_statistics_port: "8053" 24 | 25 | # bind exporter variables 26 | prometheus_user: "prometheus" 27 | bind_exporter_port: "9153" 28 | bind_exporter_url: "https://github.com/prometheus-community/bind_exporter/releases/download/v0.5.0/bind_exporter-0.5.0.linux-amd64.tar.gz" 29 | bind_exporter_binary: "bind_exporter" 30 | bind_exporter_systemd_service: "bind_exporter.service" 31 | -------------------------------------------------------------------------------- /roles/hl.bind/defaults/secure.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 35383062653533636336366435313436313438663162613936313562316565333538633665616532 3 | 3262383866343233626261643338633234366139313637630a356261623263663438646532376335 4 | 63616364343535623565303835633736613032306463663331303062623036656264613764636361 5 | 3132383132363931380a653437363234386139323134336233633534333764626534373038636130 6 | 36333930366135386363376235346133613635373062323132383332386463636466336132626364 7 | 33366130313232646162326433376133363535343764613062316362656437333862616236356663 8 | 62393435363831653466333062636632303863373838393463383234383431373665616262646432 9 | 35623336326166303730376332303264383830616638666535656662666638343963313164386265 10 | 32383162633464653734653461613436303366643639633530353038353738323734 11 | -------------------------------------------------------------------------------- /roles/hl.bind/files/db.1.11.10: 
-------------------------------------------------------------------------------- 1 | ; Generated by Ansible role {{ ansible_role_name }} 2 | 3 | $ORIGIN . 4 | $TTL 3600 ; 60 minutes 5 | 1.11.10.in-addr.arpa IN SOA dns1.hl.test. root.hl.test. ( 6 | 2022040801 ; serial 7 | 3600 ; refresh (1 hour) 8 | 3600 ; retry (1 hour) 9 | 604800 ; expire (1 week) 10 | 3600 ; minimum (1 hour) 11 | ) 12 | NS dns1.hl.test. 13 | NS dns2.hl.test. 14 | PTR hl.test. 15 | $ORIGIN 1.11.10.in-addr.arpa. 16 | 1 PTR mikrotik.hl.test. 17 | 10 PTR flames.hl.test. 18 | 11 PTR mikrotik-lte.hl.test. 19 | 2 PTR dns1.hl.test. 20 | PTR admin1.hl.test. 21 | 20 PTR pxe.hl.test. 22 | 21 PTR kvm1.hl.test. 23 | 22 PTR kvm2.hl.test. 24 | 23 PTR kvm3.hl.test. 25 | 24 PTR kvm4.hl.test. 26 | 27 PTR wiserheat.hl.test. 27 | 28 PTR media-pc.hl.test. 28 | 29 PTR printer.hl.test. 29 | 3 PTR dns2.hl.test. 30 | PTR admin2.hl.test. 31 | 30 PTR kubelb.hl.test. 32 | 31 PTR srv31.hl.test. 33 | 32 PTR srv32.hl.test. 34 | 33 PTR srv33.hl.test. 35 | 34 PTR srv34.hl.test. 36 | 35 PTR srv35.hl.test. 37 | 36 PTR srv36.hl.test. 38 | 37 PTR srv37.hl.test. 39 | 38 PTR srv38.hl.test. 40 | 39 PTR srv39.hl.test. 41 | 4 PTR switch.hl.test. 42 | 40 PTR srv40.hl.test. 43 | 41 PTR srv41.hl.test. 44 | 42 PTR srv42.hl.test. 45 | 43 PTR srv43.hl.test. 46 | 44 PTR srv44.hl.test. 47 | 45 PTR srv45.hl.test. 48 | 46 PTR srv46.hl.test. 49 | 47 PTR srv47.hl.test. 50 | 48 PTR srv48.hl.test. 51 | 49 PTR srv49.hl.test. 52 | 5 PTR truenas.hl.test. 53 | 50 PTR dashboard.apps.hl.test. 54 | 52 PTR kubecost.hl.test. 55 | 53 PTR openvpn.hl.test. 56 | 54 PTR argocd.hl.test. 57 | 55 PTR influxdb.hl.test. 58 | 58 PTR kibana.hl.test. 59 | 59 PTR elasticsearch.hl.test. 60 | 6 PTR ipcam-garden.hl.test. 61 | 7 PTR pi.hl.test. 62 | 8 PTR ipcam-driveway.hl.test. 63 | 9 PTR ipcam-room.hl.test. 
64 | -------------------------------------------------------------------------------- /roles/hl.bind/files/db.hl.test: -------------------------------------------------------------------------------- 1 | ; Generated by Ansible role {{ ansible_role_name }} 2 | 3 | $TTL 3600 ; 60 min 4 | @ IN SOA dns1.hl.test. root.hl.test. ( 5 | 2022040801 ; Serial 6 | 3600 ; Refresh (1 hour) 7 | 3600 ; Retry (1 hour) 8 | 604800 ; Expire (1 week) 9 | 3600 ; Minimum (1 hour) 10 | ) 11 | 12 | ; Name Servers - NS records 13 | @ NS dns1.hl.test. ; This is required 14 | @ NS dns2.hl.test. ; You should have two name servers 15 | @ A 10.11.1.2 16 | @ A 10.11.1.3 17 | dns1 A 10.11.1.2 18 | dns2 A 10.11.1.3 19 | admin1 A 10.11.1.2 20 | admin2 A 10.11.1.3 21 | mikrotik A 10.11.1.1 22 | switch A 10.11.1.4 23 | truenas A 10.11.1.5 24 | ipcam-garden A 10.11.1.6 25 | pi A 10.11.1.7 26 | ipcam-driveway A 10.11.1.8 27 | ipcam-room A 10.11.1.9 28 | flames A 10.11.1.10 29 | mikrotik-lte A 10.11.1.11 30 | pxe A 10.11.1.20 31 | kvm1 A 10.11.1.21 32 | kvm2 A 10.11.1.22 33 | kvm3 A 10.11.1.23 34 | kvm4 A 10.11.1.24 35 | wiserheat A 10.11.1.27 36 | media-pc A 10.11.1.28 37 | printer A 10.11.1.29 38 | kubelb A 10.11.1.30 39 | srv31 A 10.11.1.31 40 | srv32 A 10.11.1.32 41 | srv33 A 10.11.1.33 42 | srv34 A 10.11.1.34 43 | srv35 A 10.11.1.35 44 | srv36 A 10.11.1.36 45 | srv37 A 10.11.1.37 46 | srv38 A 10.11.1.38 47 | srv39 A 10.11.1.39 48 | srv40 A 10.11.1.40 49 | srv41 A 10.11.1.41 50 | srv42 A 10.11.1.42 51 | srv43 A 10.11.1.43 52 | srv44 A 10.11.1.44 53 | srv45 A 10.11.1.45 54 | srv46 A 10.11.1.46 55 | srv47 A 10.11.1.47 56 | srv48 A 10.11.1.48 57 | srv49 A 10.11.1.49 58 | dashboard.apps A 10.11.1.50 59 | *.apps A 10.11.1.51 60 | kubecost A 10.11.1.52 61 | openvpn A 10.11.1.53 62 | argocd A 10.11.1.54 63 | influxdb A 10.11.1.55 64 | kibana A 10.11.1.58 65 | elasticsearch A 10.11.1.59 66 | -------------------------------------------------------------------------------- /roles/hl.bind/handlers/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart bind 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.bind/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.bind/templates/bind_exporter.service.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | [Unit] 5 | Description=Prometheus 6 | Documentation=https://github.com/prometheus-community/bind_exporter 7 | Wants=network-online.target 8 | After=network-online.target 9 | 10 | [Service] 11 | Type=simple 12 | User={{ prometheus_user }} 13 | Group={{ prometheus_user }} 14 | ExecReload=/bin/kill -HUP $MAINPID 15 | ExecStart=/usr/local/bin/{{ bind_exporter_binary }} \ 16 | --bind.pid-file=/var/run/named/named.pid \ 17 | --bind.timeout=20s \ 18 | --web.listen-address=0.0.0.0:{{ bind_exporter_port }} \ 19 | --web.telemetry-path=/metrics \ 20 | --bind.stats-url=http://127.0.0.1:{{ bind_statistics_port }}/ \ 21 | --bind.stats-groups=server,view,tasks 22 | 23 | SyslogIdentifier={{ prometheus_user }} 24 | Restart=always 25 | 26 | [Install] 27 | WantedBy=multi-user.target 28 | -------------------------------------------------------------------------------- /roles/hl.bind/templates/named.conf.master.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # BIND MASTER CONFIG FILE 5 | include "/etc/named.rfc1912.zones"; 6 | 
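include "/etc/named.root.key";
include "/etc/rndc.key";

# Allow rndc management (loopback only, TSIG-authenticated)
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

# Statistics channel scraped by bind_exporter; loopback only.
statistics-channels {
    inet 127.0.0.1 port {{ bind_statistics_port }} allow { 127.0.0.1; };
};

# Limit access to local network and homelab LAN
acl "clients" {
    127.0.0.0/8;
    {{ homelab_address }}/{{ homelab_cidr_prefix }};
};

options {
    listen-on port 53 { 127.0.0.1; {{ homelab_dns1_server }}; }; ## MASTER
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    # "forward only" is not set, so BIND falls back to the root hints when
    # the forwarders do not answer (default "forward first").
    forwarders { {{ homelab_dns_forwarder_server }}; 1.1.1.1; 8.8.8.8; 8.8.4.4; };

    tcp-clients 50;

    # Disable built-in server information zones
    version none;
    hostname none;
    server-id none;

    recursion yes;
    recursive-clients 50;
    allow-recursion { clients; };
    allow-query { clients; };
    # Zone transfers are gated on source address only. Extra AXFR peers come
    # from bind_allow_transfer_extra (defaults to the host that used to be
    # hard-coded here; 10.11.1.10 is "flames" in db.hl.test). The upstream
    # forwarder is also listed -- confirm it really needs a copy of the
    # internal zones. TSIG-signed transfers (a dedicated key in allow-transfer
    # plus a matching "server" clause on the secondary) would also defeat a
    # spoofed LAN source address.
    allow-transfer {
        localhost;
        {{ homelab_dns2_server }};
        {{ homelab_dns_forwarder_server }};
{% for host in bind_allow_transfer_extra | default(['10.11.1.10']) %}
        {{ host }};
{% endfor %}
    }; ## SLAVE

    auth-nxdomain no;
    notify no;

    # "dnssec-validation auto" matches the secondary: it validates with the
    # built-in root trust anchor / bindkeys-file, while the previous "yes"
    # validated only with anchors configured explicitly (here, whatever
    # /etc/named.root.key above provides -- verify its contents on the target).
    # "dnssec-enable yes" was dropped: it is already the default on BIND 9.11
    # and an obsolete, warning-only option on 9.16+, so removing it changes
    # nothing.
    dnssec-validation auto;

    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

# Specifications of what to log, and where the log messages are sent
logging {
    channel "common_log" {
        file "{{ bind_log_file }}" versions 10 size 5m;
        severity dynamic;
        print-category yes;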
print-severity yes;
        print-time yes;
    };
    # "queries" logs every client query to the channel above: useful for
    # incident triage, but high-volume and personal data for LAN users; keep
    # the 10 x 5m rotation above in mind when sizing {{ bind_log_file }}.
    category default { "common_log"; };
    category general { "common_log"; };
    category queries { "common_log"; };
    category client { "common_log"; };
    category security { "common_log"; };
    category query-errors { "common_log"; };
    category lame-servers { null; };
};

# Root hints, used when the forwarders fail (no "forward only" is set).
zone "." IN {
    type hint;
    file "named.ca";
};

# Internal zone definitions
# NOTE(review): allow-update below is gated on the TSIG key alone, with no
# source-address restriction, and that key is the same "rndc-key" that
# authenticates the rndc control channel and is embedded in dhcpd.conf.
# Anyone who obtains it can rewrite these zones from any address that can
# reach port 53. Consider a dedicated DDNS key and the address+key form
# documented by ISC, e.g.
#   allow-update { !{ !{ {{ homelab_dns1_server }}; {{ homelab_dns2_server }}; }; any; }; key "ddns-key"; };
# (test before relying on it).
zone "{{ homelab_domain_name }}" {
    type master;
    file "data/db.{{ homelab_domain_name }}";
    allow-update { key rndc-key; };
    notify yes;
    zone-statistics yes;
};

zone "{{ homelab_reverse_zone }}.in-addr.arpa" {
    type master;
    file "data/db.{{ homelab_reverse_zone }}";
    allow-update { key rndc-key; };
    notify yes;
    zone-statistics yes;
};
-------------------------------------------------------------------------------- /roles/hl.bind/templates/named.conf.slave.j2: --------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Generated by Ansible role {{ ansible_role_name }}

# BIND SLAVE CONFIG FILE
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

acl "clients" {
    127.0.0.0/8;
    {{ homelab_address }}/{{ homelab_cidr_prefix }};
};

statistics-channels {
    inet 127.0.0.1 port {{ bind_statistics_port }} allow { 127.0.0.1; };
};

options {
    listen-on port 53 { 127.0.0.1; {{ homelab_dns2_server }}; }; ## SLAVE
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    forwarders { {{ homelab_dns_forwarder_server }}; 1.1.1.1; 8.8.8.8;
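8.8.4.4; };

    tcp-clients 50;

    # Disable built-in server information zones
    version none;
    hostname none;
    server-id none;

    recursion yes;
    recursive-clients 50;
    allow-recursion { clients; };
    allow-query { clients; };
    # Source-address-gated AXFR. The list comes from bind_allow_transfer_extra
    # so primary and secondary stay in sync (defaults to the previously
    # hard-coded 10.11.1.10, "flames" in db.hl.test).
    allow-transfer {
{% for host in bind_allow_transfer_extra | default(['10.11.1.10']) %}
        {{ host }};
{% endfor %}
    };

    auth-nxdomain no;
    notify no;
    # "dnssec-enable yes" removed: default on BIND 9.11, obsolete no-op on
    # 9.16+. Validation uses the built-in root anchor / bindkeys-file plus
    # whatever /etc/named.root.key (included above) provides.
    dnssec-validation auto;

    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

# No "controls" statement here (unlike the primary): named then opens its
# default control channel on 127.0.0.1:953 and reads /etc/rndc.key if that
# file exists, so rndc on this host depends on the key being deployed here
# too -- confirm in the role's tasks.

# Specifications of what to log, and where the log messages are sent
logging {
    channel "common_log" {
        file "{{ bind_log_file }}" versions 10 size 5m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { "common_log"; };
    category general { "common_log"; };
    category queries { "common_log"; };
    category client { "common_log"; };
    category security { "common_log"; };
    category query-errors { "common_log"; };
    category lame-servers { null; };
};

zone "."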
IN { 75 | type hint; 76 | file "named.ca"; 77 | }; 78 | 79 | # Internal zone definitions 80 | zone "{{ homelab_domain_name }}" { 81 | type slave; 82 | file "data/db.{{ homelab_domain_name }}"; 83 | masters { {{ homelab_dns1_server }}; }; 84 | allow-notify { {{ homelab_dns1_server }}; }; 85 | zone-statistics yes; 86 | }; 87 | 88 | zone "{{ homelab_reverse_zone }}.in-addr.arpa" { 89 | type slave; 90 | file "data/db.{{ homelab_reverse_zone }}"; 91 | masters { {{ homelab_dns1_server }}; }; 92 | allow-notify { {{ homelab_dns1_server }}; }; 93 | zone-statistics yes; 94 | }; 95 | -------------------------------------------------------------------------------- /roles/hl.bind/templates/rndc.key.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | key "rndc-key" { 5 | algorithm hmac-sha256; 6 | secret "{{ rndc_key }}"; 7 | }; 8 | -------------------------------------------------------------------------------- /roles/hl.certbot/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
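
packages:
  - epel-release
  - snapd

systemd_service: "snapd"

certbot_dns_plugin: "certbot-dns-cloudflare"
-------------------------------------------------------------------------------- /roles/hl.certbot/handlers/main.yml: --------------------------------------------------------------------------------
---
# Restart the snapd service this role installs. (Previously named
# "Restart name", a typo; nothing in the role notifies it yet, so the
# rename is safe.)
- name: Restart snapd
  ansible.builtin.service:
    name: "{{ systemd_service }}"
    state: restarted
-------------------------------------------------------------------------------- /roles/hl.certbot/tasks/RedHat.yml: --------------------------------------------------------------------------------
---
- name: RedHat | Install Packages
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  loop: "{{ packages }}"

- name: RedHat | Start and Enable Service {{ systemd_service }}
  ansible.builtin.service:
    name: "{{ systemd_service }}"
    state: started
    enabled: true

- name: RedHat | Enable Classic Snap Support
  ansible.builtin.file:
    src: /var/lib/snapd/snap
    dest: /snap
    state: link

# Install a snap with classic confinement
- name: RedHat | Install Certbot with Option --classic
  community.general.snap:
    name: certbot
    classic: true

- name: RedHat | Ensure the Certbot Command Can be Run
  ansible.builtin.file:
    src: /snap/bin/certbot
    dest: /usr/bin/certbot
    state: link

# The certbot snap only loads third-party DNS plugins once the admin has
# acknowledged that they run as root (snap set certbot
# trust-plugin-with-root=ok, per certbot's own instructions); without it the
# plugin snap installs but the --dns-cloudflare option is not recognised.
# Read the current value first so the task is idempotent.
- name: RedHat | Check Whether Certbot Trusts Plugins with Root
  ansible.builtin.command: snap get certbot trust-plugin-with-root
  register: certbot_trust_plugin
  changed_when: false
  failed_when: false

- name: RedHat | Allow Certbot to Trust Plugins with Root
  ansible.builtin.command: snap set certbot trust-plugin-with-root=ok
  when: (certbot_trust_plugin.stdout | default('') | trim) != 'ok'

- name: RedHat | Install Certbot DNS Plugin
  community.general.snap:
    name: "{{ certbot_dns_plugin }}"

# The credentials file holds a Cloudflare API token: keep it root-owned,
# mode 0600 (certbot warns about unsafe permissions). The --email address
# receives expiry notices, so a reachable mailbox is preferable to
# root@localhost.
- name: RedHat | Certbot Command to Obtain a Wildcard Certificate
  ansible.builtin.debug:
    msg: "certbot certonly --email root@localhost --agree-tos --no-eff-email --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d lisenet.com -d *.lisenet.com"
--------------------------------------------------------------------------------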
/roles/hl.certbot/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.chrony/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - chrony 8 | 9 | systemd_service: "chronyd" 10 | firewall_port: "ntp" 11 | 12 | chrony_conf_file: "chrony.conf" 13 | 14 | chrony_peer1_server_address: "10.11.1.2" 15 | chrony_peer2_server_address: "10.11.1.3" 16 | -------------------------------------------------------------------------------- /roles/hl.chrony/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart chrony 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.chrony/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | - name: RedHat | Enable Service in Firewalld {{ firewall_port }} 9 | ansible.posix.firewalld: 10 | immediate: true 11 | service: "{{ firewall_port }}" 12 | permanent: true 13 | state: enabled 14 | 15 | - name: RedHat | Copy Configuration File {{ chrony_conf_file }} 16 | ansible.builtin.template: 17 | src: "{{ chrony_conf_file }}.peer1.j2" 18 | dest: "/etc/{{ chrony_conf_file }}" 19 | owner: root 20 | group: root 21 | mode: "0644" 22 | 
notify: 23 | - Restart chrony 24 | when: "'dns1' in group_names" 25 | 26 | - name: RedHat | Copy Configuration File {{ chrony_conf_file }} 27 | ansible.builtin.template: 28 | src: "{{ chrony_conf_file }}.peer2.j2" 29 | dest: "/etc/{{ chrony_conf_file }}" 30 | owner: root 31 | group: root 32 | mode: "0644" 33 | notify: 34 | - Restart chrony 35 | when: "'dns2' in group_names" 36 | 37 | - name: RedHat | Start and Enable Service {{ systemd_service }} 38 | ansible.builtin.service: 39 | name: "{{ systemd_service }}" 40 | state: started 41 | enabled: true 42 | -------------------------------------------------------------------------------- /roles/hl.chrony/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.chrony/templates/chrony.conf.peer1.j2: -------------------------------------------------------------------------------- 1 | # Use public servers from the pool.ntp.org project. 2 | # Please consider joining the pool (http://www.pool.ntp.org/join.html). 3 | pool uk.pool.ntp.org iburst maxsources 4 4 | peer {{ chrony_peer2_server_address }} 5 | 6 | # Record the rate at which the system clock gains/losses time. 7 | driftfile /var/lib/chrony/drift 8 | 9 | # Allow the system clock to be stepped in the first three updates 10 | # if its offset is larger than 1 second. 11 | makestep 1.0 3 12 | 13 | # Enable kernel synchronization of the real-time clock (RTC). 14 | rtcsync 15 | 16 | # Enable hardware timestamping on all interfaces that support it. 17 | #hwtimestamp * 18 | 19 | # Increase the minimum number of selectable sources required to adjust 20 | # the system clock. 21 | #minsources 2 22 | 23 | # Allow NTP client access from local network. 
24 | allow {{ homelab_address }}/{{ homelab_cidr_prefix }} 25 | 26 | # Serve time even if not synchronized to a time source. 27 | local stratum 10 28 | 29 | # Specify file containing keys for NTP authentication. 30 | keyfile /etc/chrony.keys 31 | 32 | # Get TAI-UTC offset and leap seconds from the system tz database. 33 | leapsectz right/UTC 34 | 35 | # Specify directory for log files. 36 | logdir /var/log/chrony 37 | 38 | # Select which information is logged. 39 | #log measurements statistics tracking 40 | -------------------------------------------------------------------------------- /roles/hl.chrony/templates/chrony.conf.peer2.j2: -------------------------------------------------------------------------------- 1 | # Use public servers from the pool.ntp.org project. 2 | # Please consider joining the pool (http://www.pool.ntp.org/join.html). 3 | pool uk.pool.ntp.org iburst maxsources 4 4 | peer {{ chrony_peer1_server_address }} 5 | 6 | # Record the rate at which the system clock gains/losses time. 7 | driftfile /var/lib/chrony/drift 8 | 9 | # Allow the system clock to be stepped in the first three updates 10 | # if its offset is larger than 1 second. 11 | makestep 1.0 3 12 | 13 | # Enable kernel synchronization of the real-time clock (RTC). 14 | rtcsync 15 | 16 | # Enable hardware timestamping on all interfaces that support it. 17 | #hwtimestamp * 18 | 19 | # Increase the minimum number of selectable sources required to adjust 20 | # the system clock. 21 | #minsources 2 22 | 23 | # Allow NTP client access from local network. 24 | allow {{ homelab_address }}/{{ homelab_cidr_prefix }} 25 | 26 | # Serve time even if not synchronized to a time source. 27 | local stratum 10 28 | 29 | # Specify file containing keys for NTP authentication. 30 | keyfile /etc/chrony.keys 31 | 32 | # Get TAI-UTC offset and leap seconds from the system tz database. 33 | leapsectz right/UTC 34 | 35 | # Specify directory for log files. 
36 | logdir /var/log/chrony 37 | 38 | # Select which information is logged. 39 | #log measurements statistics tracking 40 | -------------------------------------------------------------------------------- /roles/hl.common/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - curl 8 | - epel-release 9 | - glibc-langpack-en 10 | - htop 11 | - iotop 12 | - policycoreutils-devel 13 | - policycoreutils-python-utils 14 | - psmisc 15 | - rsync 16 | - setroubleshoot-server 17 | - tar 18 | - telnet 19 | - vim 20 | - wget 21 | - yum-utils 22 | -------------------------------------------------------------------------------- /roles/hl.common/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | -------------------------------------------------------------------------------- /roles/hl.common/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.containerd/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | prerequisites_packages: 7 | - yum-utils 8 | 9 | packages: 10 | - containerd.io-1.7.25-3.1.el{{ ansible_distribution_major_version }}.x86_64 11 | 12 | systemd_service: "containerd" 13 | 14 | docker_gpg_key_redhat: "https://download.docker.com/linux/centos/gpg" 15 | docker_repository_redhat: "https://download.docker.com/linux/centos/$releasever/$basearch/stable" 16 | 17 | sysctl_config: 18 | - name: net.ipv4.ip_forward 19 | value: 1 20 | -------------------------------------------------------------------------------- /roles/hl.containerd/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart containerd 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.containerd/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Configure Sysctl Values 3 | ansible.posix.sysctl: 4 | name: "{{ item.name }}" 5 | value: "{{ item.value }}" 6 | state: present 7 | loop: "{{ sysctl_config }}" 8 | 9 | - name: RedHat | Install Prerequisites Packages 10 | ansible.builtin.package: 11 | name: "{{ item }}" 12 | state: present 13 | loop: "{{ prerequisites_packages }}" 14 | 15 | - name: RedHat | Add Docker Repository Sources 16 | ansible.builtin.yum_repository: 17 | file: "docker-ce-stable" 18 | name: "docker-ce-stable" 19 | description: "Docker CE Stable - $basearch" 20 | baseurl: "{{ docker_repository_redhat }}" 21 | gpgcheck: true 22 | gpgkey: "{{ docker_gpg_key_redhat }}" 23 | enabled: true 24 | 25 | - name: RedHat | Remove Docker Packages 26 | ansible.builtin.package: 27 | name: "{{ item }}" 28 | state: absent 29 | loop: 30 | - docker-ce 31 | - docker-ce-cli 32 | 33 | - name: RedHat | Install Packages 34 | ansible.builtin.package: 35 | name: "{{ item }}" 36 | state: present 37 | allow_downgrade: true 38 | loop: 
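"{{ packages }}"

- name: RedHat | Create Directory {{ systemd_service }}
  ansible.builtin.file:
    path: /etc/{{ systemd_service }}
    state: directory
    mode: "0755"

# Seed config.toml only when it does not exist yet. The previous version
# regenerated it on every run (discarding local edits) and reported
# "changed" only when the command FAILED (changed_when: rc != 0), then
# restarted containerd unconditionally at the end of the role -- bouncing
# the container runtime on every playbook run. Changes now flow through the
# "Restart containerd" handler instead.
- name: RedHat | Generate Containerd Config
  ansible.builtin.shell: containerd config default > /etc/{{ systemd_service }}/config.toml
  args:
    creates: /etc/{{ systemd_service }}/config.toml
  become: true
  notify:
    - Restart containerd

# Kubernetes with the systemd cgroup driver expects SystemdCgroup = true in
# the runc options; lineinfile is idempotent because `line` already matches
# once the switch has been made.
- name: RedHat | Enable Systemd cgroup driver for Containerd Runtime
  ansible.builtin.lineinfile:
    path: /etc/{{ systemd_service }}/config.toml
    search_string: "SystemdCgroup = false"
    line: " SystemdCgroup = true"
  become: true
  notify:
    - Restart containerd

- name: RedHat | Start and Enable Service {{ systemd_service }}
  ansible.builtin.service:
    name: "{{ systemd_service }}"
    state: started
    enabled: true
-------------------------------------------------------------------------------- /roles/hl.containerd/tasks/main.yml: --------------------------------------------------------------------------------
---
- name: Include playbook
  ansible.builtin.include_tasks: RedHat.yml
  when: ansible_os_family == 'RedHat'
-------------------------------------------------------------------------------- /roles/hl.dell-omsa/defaults/main.yml: --------------------------------------------------------------------------------
---
## Default variables for the role. These variables have the lowest
## priority of any variables available, and can be easily overridden
## by any other variable, including inventory variables.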
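
packages:
  - srvadmin-base
  - srvadmin-server-cli

systemd_service:
  - dsm_sa_datamgrd
  - dsm_sa_eventmgrd

rpm_gpg_keys:
  - "https://linux.dell.com/repo/pgp_pubkeys/0x756ba70b1019ced6.asc"
  - "https://linux.dell.com/repo/pgp_pubkeys/0x1285491434D8786F.asc"
  - "https://linux.dell.com/repo/pgp_pubkeys/0xca77951d23b66a9d.asc"
  - "https://linux.dell.com/repo/pgp_pubkeys/0x3CA66B4946770C59.asc"
-------------------------------------------------------------------------------- /roles/hl.dell-omsa/files/dell-system-update.repo: --------------------------------------------------------------------------------
# Dell System Update / OMSA repositories. Packages are GPG-verified, but the
# repository metadata is not (no repo_gpgcheck), so it is fetched over TLS:
# with plain http an on-path attacker could serve stale metadata and keep
# hosts on vulnerable package versions. linux.dell.com already serves the
# signing keys below over HTTPS; confirm the mirrors returned by mirrors.cgi
# do as well.
[dell-system-update_independent]
name=dell-system-update_independent
baseurl=https://linux.dell.com/repo/hardware/dsu/os_independent/
gpgcheck=1
gpgkey=https://linux.dell.com/repo/pgp_pubkeys/0x756ba70b1019ced6.asc https://linux.dell.com/repo/pgp_pubkeys/0x1285491434D8786F.asc https://linux.dell.com/repo/pgp_pubkeys/0xca77951d23b66a9d.asc https://linux.dell.com/repo/pgp_pubkeys/0x3CA66B4946770C59.asc
enabled=1
exclude=dell-system-update*.i386

[dell-system-update_dependent]
name=dell-system-update_dependent
mirrorlist=https://linux.dell.com/repo/hardware/dsu/mirrors.cgi?osname=el$releasever&basearch=$basearch&native=1
gpgcheck=1
gpgkey=https://linux.dell.com/repo/pgp_pubkeys/0x756ba70b1019ced6.asc https://linux.dell.com/repo/pgp_pubkeys/0x1285491434D8786F.asc https://linux.dell.com/repo/pgp_pubkeys/0xca77951d23b66a9d.asc https://linux.dell.com/repo/pgp_pubkeys/0x3CA66B4946770C59.asc
enabled=1
-------------------------------------------------------------------------------- /roles/hl.dell-omsa/tasks/RedHat.yml: --------------------------------------------------------------------------------
---
#
# Configure Dell OpenManage Server Administrator
# https://linux.dell.com/repo/hardware/omsa.html
#
# The .repo file contains no Jinja, so it is copied verbatim from files/
# rather than templated ($releasever/$basearch are expanded by dnf).
- name: RedHat | Setup dell-system-update Repository
  ansible.builtin.copy:
    src: "dell-system-update.repo"
    dest: "/etc/yum.repos.d/dell-system-update.repo"
    owner: 0
    group: 0
    mode: "0644"
  become: true

# Import the signing keys before the first package is fetched so dnf can
# verify it instead of failing on an unknown key.
- name: RedHat | Import RPM GPG Keys from URL
  ansible.builtin.rpm_key:
    state: present
    key: "{{ item }}"
  loop: "{{ rpm_gpg_keys }}"
  become: true

- name: RedHat | Install Packages
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  loop: "{{ packages }}"
  become: true

- name: RedHat | Start and Enable OMSA Service
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop: "{{ systemd_service }}"
  become: true
-------------------------------------------------------------------------------- /roles/hl.dell-omsa/tasks/main.yml: --------------------------------------------------------------------------------
---
- name: Include playbook
  ansible.builtin.include_tasks: RedHat.yml
  when: ansible_os_family == 'RedHat'
-------------------------------------------------------------------------------- /roles/hl.dellhw-exporter/defaults/main.yml: --------------------------------------------------------------------------------
---
## Default variables for the role. These variables have the lowest
## priority of any variables available, and can be easily overridden
## by any other variable, including inventory variables.

packages:
  - tar

prometheus_user: "prometheus"

# This exporter wraps the "omreport" command from Dell OMSA.
# If you can't run omreport on your system, the exporter won't export any metrics.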
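dellhw_exporter_port: "9137"
dellhw_exporter_url: "https://github.com/galexrt/dellhw_exporter/releases/download/v1.12.1/dellhw_exporter-1.12.1.linux-amd64.tar.gz"
# Expected checksum of the tarball above, in get_url format ("sha256:<hex>").
# Empty disables verification (the previous behaviour); set it from the
# release's published checksums so a tampered download cannot end up in
# /usr/local/bin running as a service.
dellhw_exporter_checksum: ""
dellhw_exporter_binary: "dellhw_exporter"
dellhw_exporter_systemd_service: "dellhw_exporter.service"
-------------------------------------------------------------------------------- /roles/hl.dellhw-exporter/tasks/RedHat.yml: --------------------------------------------------------------------------------
---
- name: RedHat | Install Packages
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  loop: "{{ packages }}"

#
# Configure Dell Hardware Exporter systemd service
#
- name: RedHat | Create System Group {{ prometheus_user }}
  ansible.builtin.group:
    state: present
    system: true
    name: "{{ prometheus_user }}"
  become: true

# Service account only: no home directory, no login shell.
- name: RedHat | Create System User {{ prometheus_user }}
  ansible.builtin.user:
    state: present
    system: true
    name: "{{ prometheus_user }}"
    groups: "{{ prometheus_user }}"
    shell: "/sbin/nologin"
    create_home: false
  become: true

- name: RedHat | Check Services
  ansible.builtin.service_facts:

- name: RedHat | Enable Service in Firewalld {{ dellhw_exporter_port }}
  ansible.posix.firewalld:
    immediate: true
    port: "{{ dellhw_exporter_port }}/tcp"
    permanent: true
    state: enabled
  when: "'firewalld.service' in ansible_facts.services"
  become: true

# Download first so the archive can be checksum-verified before anything is
# unpacked into /usr/local/bin (unarchive cannot verify a remote URL itself).
- name: RedHat | Download Exporter Release Tarball
  ansible.builtin.get_url:
    url: "{{ dellhw_exporter_url }}"
    dest: "/usr/local/src/{{ dellhw_exporter_url | basename }}"
    checksum: "{{ dellhw_exporter_checksum }}"
    owner: root
    group: root
    mode: "0644"
  become: true

# --strip-components 1 drops the versioned top-level directory; everything
# in the tarball (binary plus any LICENSE/README) lands in /usr/local/bin.
- name: RedHat | Unarchive Exporter into /usr/local/bin
  ansible.builtin.unarchive:
    src: "/usr/local/src/{{ dellhw_exporter_url | basename }}"
    dest: "/usr/local/bin"
    remote_src: true
    owner: root
    group: root
    extra_opts:
      - "--strip-components"
      - "1"
  become: true

- name: RedHat | Copy Systemd File {{ dellhw_exporter_systemd_service }}
  ansible.builtin.template:
    src: "{{ dellhw_exporter_systemd_service }}.j2"
    dest: "/etc/systemd/system/{{ dellhw_exporter_systemd_service }}"
    owner: root
    group: root
    mode: "0644"
  become: true

- name: RedHat | Force Systemd to Reread Configs
  ansible.builtin.systemd:
    daemon_reload: true
  become: true

- name: RedHat | Start and Enable Service {{ dellhw_exporter_systemd_service }}
  ansible.builtin.service:
    name: "{{ dellhw_exporter_systemd_service }}"
    state: started
    enabled: true
  become: true
-------------------------------------------------------------------------------- /roles/hl.dellhw-exporter/tasks/main.yml: --------------------------------------------------------------------------------
---
- name: Include playbook
  ansible.builtin.include_tasks: RedHat.yml
  when: ansible_os_family == 'RedHat'
-------------------------------------------------------------------------------- /roles/hl.dellhw-exporter/templates/dellhw_exporter.service.j2: --------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Generated by Ansible role {{ ansible_role_name }}

[Unit]
Description=Prometheus dellhw_exporter (Dell OMSA hardware metrics)
Documentation=https://github.com/galexrt/dellhw_exporter
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Runs as the unprivileged prometheus user and shells out to omreport;
# NOTE(review): confirm omreport works for a non-root user on these hosts,
# otherwise the exporter starts but exports no metrics.
User={{ prometheus_user }}
Group={{ prometheus_user }}
ExecReload=/bin/kill -HUP $MAINPID
# Listens on all interfaces by default (previous behaviour); set
# dellhw_exporter_listen_address to the LAN address to narrow exposure.
ExecStart=/usr/local/bin/{{ dellhw_exporter_binary }} \
    --collectors-enabled=chassis,nics,system,memory,processors \
    --collectors-omreport="/opt/dell/srvadmin/bin/omreport" \
    --log-level=INFO \
    --web-listen-address={{ dellhw_exporter_listen_address | default('0.0.0.0') }}:{{ dellhw_exporter_port }} \
    --web-telemetry-path=/metrics

# Minimal sandboxing that does not interfere with omreport; stronger
# settings (NoNewPrivileges, ProtectSystem) should be tested against OMSA
# before enabling.
ProtectHome=true
PrivateTmp=true

SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target
-------------------------------------------------------------------------------- /roles/hl.dhcpd/defaults/main.yml: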
-------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - dhcp-server 8 | 9 | systemd_service: "dhcpd" 10 | firewall_port: "dhcp" 11 | firewall_dhcp_failover_port: "647" 12 | 13 | # rndc_key: 14 | # DNS update key, generated with `rndc-confgen -A hmac-sha256 -a -b 512 -r /dev/urandom` 15 | # stored in ansible vault defaults/secure.yml 16 | 17 | dhcpd_config_file: "dhcpd.conf" 18 | dhcp_address_range_start: "10.11.1.140" 19 | dhcp_address_range_end: "10.11.1.149" 20 | 21 | bind_master_server_address: "10.11.1.2" 22 | bind_slave_server_address: "10.11.1.3" 23 | tftp_next_server: "10.11.1.20" 24 | 25 | # dhcp_leases_for_physical_hosts are defined in defaults/secure.yml and 26 | # stored in ansible vault because they contain real hardware (MAC) addresses 27 | 28 | dhcp_leases_for_virtual_hosts: 29 | - ip_address: "10.11.1.31" 30 | mac_address: "C0:FF:EE:D0:5E:31" 31 | host_name: "srv31" 32 | - ip_address: "10.11.1.32" 33 | mac_address: "C0:FF:EE:D0:5E:32" 34 | host_name: "srv32" 35 | - ip_address: "10.11.1.33" 36 | mac_address: "C0:FF:EE:D0:5E:33" 37 | host_name: "srv33" 38 | - ip_address: "10.11.1.34" 39 | mac_address: "C0:FF:EE:D0:5E:34" 40 | host_name: "srv34" 41 | - ip_address: "10.11.1.35" 42 | mac_address: "C0:FF:EE:D0:5E:35" 43 | host_name: "srv35" 44 | - ip_address: "10.11.1.36" 45 | mac_address: "C0:FF:EE:D0:5E:36" 46 | host_name: "srv36" 47 | - ip_address: "10.11.1.37" 48 | mac_address: "C0:FF:EE:D0:5E:37" 49 | host_name: "srv37" 50 | - ip_address: "10.11.1.38" 51 | mac_address: "C0:FF:EE:D0:5E:38" 52 | host_name: "srv38" 53 | - ip_address: "10.11.1.39" 54 | mac_address: "C0:FF:EE:D0:5E:39" 55 | host_name: "srv39" 56 | - ip_address: "10.11.1.40" 57 | mac_address: "C0:FF:EE:D0:5E:40" 58 | host_name: 
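"srv40"
  - ip_address: "10.11.1.41"
    mac_address: "C0:FF:EE:D0:5E:41"
    host_name: "srv41"
  - ip_address: "10.11.1.42"
    mac_address: "C0:FF:EE:D0:5E:42"
    host_name: "srv42"
  - ip_address: "10.11.1.43"
    mac_address: "C0:FF:EE:D0:5E:43"
    host_name: "srv43"
  - ip_address: "10.11.1.44"
    mac_address: "C0:FF:EE:D0:5E:44"
    host_name: "srv44"
  - ip_address: "10.11.1.45"
    mac_address: "C0:FF:EE:D0:5E:45"
    host_name: "srv45"
  - ip_address: "10.11.1.46"
    mac_address: "C0:FF:EE:D0:5E:46"
    host_name: "srv46"
  - ip_address: "10.11.1.47"
    mac_address: "C0:FF:EE:D0:5E:47"
    host_name: "srv47"
  - ip_address: "10.11.1.48"
    mac_address: "C0:FF:EE:D0:5E:48"
    host_name: "srv48"
  - ip_address: "10.11.1.49"
    mac_address: "C0:FF:EE:D0:5E:49"
    host_name: "srv49"
-------------------------------------------------------------------------------- /roles/hl.dhcpd/handlers/main.yml: --------------------------------------------------------------------------------
---
- name: Restart dhcpd
  ansible.builtin.service:
    name: "{{ systemd_service }}"
    state: restarted
-------------------------------------------------------------------------------- /roles/hl.dhcpd/tasks/RedHat.yml: --------------------------------------------------------------------------------
---
# secure.yml (vault-encrypted) supplies rndc_key and the physical-host leases.
- name: RedHat | Include Secure Vars
  ansible.builtin.include_vars:
    file: ../defaults/secure.yml

- name: RedHat | Install Packages
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  loop: "{{ packages }}"

- name: RedHat | Enable Service in Firewalld {{ firewall_port }}
  ansible.posix.firewalld:
    immediate: true
    service: "{{ firewall_port }}"
    permanent: true
    state: enabled

# The failover port is opened to the whole firewalld zone; the failover
# protocol itself is unauthenticated here, so a rich rule limited to the
# peer's address would be tighter.
- name: RedHat | Enable DHCP Failover Port in Firewalld {{ firewall_dhcp_failover_port }}
  ansible.posix.firewalld:
    immediate: true
    port: "{{ firewall_dhcp_failover_port }}/tcp"
    permanent: true
    state: enabled

# dhcpd.conf embeds the rndc/DDNS TSIG secret (key "rndc-key" in the
# template). It was deployed world-readable (0644), which let any local
# account read a key that can rewrite the BIND zones and, on dns1, drive
# rndc. Now root:dhcpd 0640 -- the dhcpd user/group is created by the
# dhcp-server package installed above. `validate` runs a syntax check on the
# rendered file before it replaces the live one, so a bad template (or an
# unresolvable hostname in it) fails the play instead of leaving dhcpd down.
- name: RedHat | Configure Master DHCP Server
  when: "'dns1' in group_names"
  block:
    - name: RedHat | Copy {{ dhcpd_config_file }}
      ansible.builtin.template:
        src: "{{ dhcpd_config_file }}.master.j2"
        dest: "/etc/dhcp/{{ dhcpd_config_file }}"
        owner: root
        group: dhcpd
        mode: "0640"
        validate: "/usr/sbin/dhcpd -t -cf %s"
      notify:
        - Restart dhcpd

- name: RedHat | Configure Slave DHCP Server
  when: "'dns2' in group_names"
  block:
    - name: RedHat | Copy {{ dhcpd_config_file }}
      ansible.builtin.template:
        src: "{{ dhcpd_config_file }}.slave.j2"
        dest: "/etc/dhcp/{{ dhcpd_config_file }}"
        owner: root
        group: dhcpd
        mode: "0640"
        validate: "/usr/sbin/dhcpd -t -cf %s"
      notify:
        - Restart dhcpd

- name: RedHat | Start and Enable Service {{ systemd_service }}
  ansible.builtin.service:
    name: "{{ systemd_service }}"
    state: started
    enabled: true
-------------------------------------------------------------------------------- /roles/hl.dhcpd/tasks/main.yml: --------------------------------------------------------------------------------
---
- name: Include playbook
  ansible.builtin.include_tasks: RedHat.yml
  when: ansible_os_family == 'RedHat'
-------------------------------------------------------------------------------- /roles/hl.dhcpd/templates/dhcpd.conf.master.j2: --------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Generated by Ansible role {{ ansible_role_name }}
# NOTE(review): this file contains the TSIG secret and must not be
# world-readable. "option domain-name-servers" further down names the DNS
# servers by hostname (dns1.hl.test, dns2.hl.test); dhcpd resolves those when
# it parses this file, so on a cold start with named not yet up dhcpd can
# fail to start -- the bind_*_server_address IPs avoid that dependency.

failover peer "failover-dhcp" {
    primary; # This defines the master
    address {{ bind_master_server_address }};
    port {{ firewall_dhcp_failover_port }};
    peer address {{ bind_slave_server_address }};
    peer port {{ firewall_dhcp_failover_port }};
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128; # 128 is balanced; use 255 if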
primary is 100% responsible until failure 14 | load balance max seconds 3; 15 | } 16 | 17 | authoritative; 18 | allow booting; 19 | allow bootp; 20 | next-server {{ tftp_next_server }}; # TFTP 21 | filename "pxelinux.0"; 22 | default-lease-time 86400; # 1 day 23 | max-lease-time 86400; # 1 day 24 | 25 | ddns-update-style interim; 26 | 27 | update-static-leases on; 28 | one-lease-per-client on; 29 | 30 | # We generated the rndc-key when setting up DNS servers 31 | key "rndc-key" { 32 | algorithm hmac-sha256; 33 | secret "{{ rndc_key }}"; 34 | }; 35 | 36 | # We created zones when setting up DNS servers 37 | zone {{ homelab_reverse_zone }}.in-addr.arpa { 38 | primary {{ bind_master_server_address }}; 39 | key "rndc-key"; 40 | } 41 | zone {{ homelab_domain_name }} { 42 | primary {{ bind_master_server_address }}; 43 | key "rndc-key"; 44 | } 45 | 46 | subnet {{ homelab_address }} netmask {{ homelab_subnet_mask }} { 47 | option subnet-mask {{ homelab_subnet_mask }}; 48 | option broadcast-address {{ homelab_broadcast }}; 49 | option routers {{ homelab_gateway }}; 50 | option domain-name-servers dns1.hl.test, dns2.hl.test; 51 | option domain-search "{{ homelab_domain_name }}"; 52 | pool { 53 | failover peer "failover-dhcp"; 54 | range {{ dhcp_address_range_start }} {{ dhcp_address_range_end }}; 55 | } 56 | } 57 | 58 | # Physical hosts range: 10.11.1.4-10.11.1.29 59 | {% for item in dhcp_leases_for_physical_hosts %} 60 | host {{ item.host_name }} { 61 | hardware ethernet {{ item.mac_address }}; 62 | fixed-address {{ item.ip_address }}; 63 | option host-name {{ item.host_name }}; 64 | } 65 | {% endfor %} 66 | 67 | # Virtual hosts range: 10.11.1.30-10.11.1.49 68 | # Below are DHCP leases for PXE boot 69 | {% for item in dhcp_leases_for_virtual_hosts %} 70 | host {{ item.host_name }} { 71 | hardware ethernet {{ item.mac_address }}; 72 | fixed-address {{ item.ip_address }}; 73 | option host-name {{ item.host_name }}; 74 | } 75 | {% endfor %} 76 | 77 | # MetalLB range: 
10.11.1.51-10.11.1.59 78 | -------------------------------------------------------------------------------- /roles/hl.dhcpd/templates/dhcpd.conf.slave.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | failover peer "failover-dhcp" { 5 | secondary; # This defines the slave 6 | address {{ bind_slave_server_address }}; 7 | port {{ firewall_dhcp_failover_port }}; 8 | peer address {{ bind_master_server_address }}; 9 | peer port {{ firewall_dhcp_failover_port }}; 10 | max-response-delay 60; 11 | max-unacked-updates 10; 12 | load balance max seconds 3; 13 | } 14 | 15 | authoritative; 16 | allow booting; 17 | allow bootp; 18 | next-server {{ tftp_next_server }}; # TFTP 19 | filename "pxelinux.0"; 20 | default-lease-time 86400; # 1 day 21 | max-lease-time 86400; # 1 day 22 | 23 | ddns-update-style interim; 24 | 25 | update-static-leases on; 26 | one-lease-per-client on; 27 | 28 | # We generated the rndc-key when setting up DNS servers 29 | key "rndc-key" { 30 | algorithm hmac-sha256; 31 | secret "{{ rndc_key }}"; 32 | }; 33 | 34 | # We created zones when setting up DNS servers 35 | zone {{ homelab_reverse_zone }}.in-addr.arpa { 36 | primary {{ bind_master_server_address }}; 37 | key "rndc-key"; 38 | } 39 | zone {{ homelab_domain_name }} { 40 | primary {{ bind_master_server_address }}; 41 | key "rndc-key"; 42 | } 43 | 44 | subnet {{ homelab_address }} netmask {{ homelab_subnet_mask }} { 45 | option subnet-mask {{ homelab_subnet_mask }}; 46 | option broadcast-address {{ homelab_broadcast }}; 47 | option routers {{ homelab_gateway }}; 48 | option domain-name-servers dns1.hl.test, dns2.hl.test; 49 | option domain-search "{{ homelab_domain_name }}"; 50 | pool { 51 | failover peer "failover-dhcp"; 52 | range {{ dhcp_address_range_start }} {{ dhcp_address_range_end }}; 53 | } 54 | } 55 | 56 | # Physical hosts range: 10.11.1.4-10.11.1.29 57 | {% for 
item in dhcp_leases_for_physical_hosts %} 58 | host {{ item.host_name }} { 59 | hardware ethernet {{ item.mac_address }}; 60 | fixed-address {{ item.ip_address }}; 61 | option host-name {{ item.host_name }}; 62 | } 63 | {% endfor %} 64 | 65 | # Virtual hosts range: 10.11.1.30-10.11.1.49 66 | # Below are DHCP leases for PXE boot 67 | {% for item in dhcp_leases_for_virtual_hosts %} 68 | host {{ item.host_name }} { 69 | hardware ethernet {{ item.mac_address }}; 70 | fixed-address {{ item.ip_address }}; 71 | option host-name {{ item.host_name }}; 72 | } 73 | {% endfor %} 74 | 75 | # MetalLB range: 10.11.1.51-10.11.1.59 76 | -------------------------------------------------------------------------------- /roles/hl.docker/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | prerequisites_packages: 7 | - yum-utils 8 | 9 | packages: 10 | - docker-ce-20.10.13-3.el{{ ansible_distribution_major_version }}.x86_64 11 | - docker-ce-cli-20.10.13-3.el{{ ansible_distribution_major_version }}.x86_64 12 | - containerd.io-1.4.3-3.1.el{{ ansible_distribution_major_version }}.x86_64 13 | 14 | systemd_service: "docker" 15 | 16 | docker_gpg_key_redhat: "https://download.docker.com/linux/centos/gpg" 17 | docker_repository_redhat: "https://download.docker.com/linux/centos/$releasever/$basearch/stable" 18 | docker_daemon_config_file: "daemon.json" 19 | 20 | sysctl_config: 21 | - name: net.ipv4.ip_forward 22 | value: 1 23 | -------------------------------------------------------------------------------- /roles/hl.docker/files/daemon.json: -------------------------------------------------------------------------------- 1 | { 2 | "exec-opts": ["native.cgroupdriver=systemd"] 3 | } 4 | -------------------------------------------------------------------------------- /roles/hl.docker/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart docker 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.docker/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Configure Sysctl Values 3 | ansible.posix.sysctl: 4 | name: "{{ item.name }}" 5 | value: "{{ item.value }}" 6 | state: present 7 | loop: "{{ sysctl_config }}" 8 | 9 | - name: RedHat | Install Prerequisites Packages 10 | ansible.builtin.package: 11 | name: "{{ item }}" 12 | state: present 13 | loop: "{{ prerequisites_packages }}" 14 | 15 | - name: RedHat | Add Docker Repository Sources 16 | ansible.builtin.yum_repository: 17 | file: "docker-ce-stable" 18 | name: "docker-ce-stable" 19 | description: "Docker CE Stable - $basearch" 20 | 
baseurl: "{{ docker_repository_redhat }}" 21 | gpgcheck: true 22 | gpgkey: "{{ docker_gpg_key_redhat }}" 23 | enabled: true 24 | 25 | - name: RedHat | Install Packages 26 | ansible.builtin.package: 27 | name: "{{ item }}" 28 | state: present 29 | allow_downgrade: true 30 | loop: "{{ packages }}" 31 | 32 | - name: RedHat | Start and Enable Service {{ systemd_service }} 33 | ansible.builtin.service: 34 | name: "{{ systemd_service }}" 35 | state: started 36 | enabled: true 37 | 38 | - name: RedHat | Copy File to Use systemd as cGroupDriver {{ docker_daemon_config_file }} 39 | ansible.builtin.template: 40 | src: "files/{{ docker_daemon_config_file }}" 41 | dest: "/etc/docker/{{ docker_daemon_config_file }}" 42 | owner: root 43 | group: root 44 | mode: "0644" 45 | notify: 46 | - Restart docker 47 | 48 | - name: RedHat | Systemd Restart {{ systemd_service }} 49 | ansible.builtin.systemd: 50 | name: "{{ systemd_service }}" 51 | state: restarted 52 | -------------------------------------------------------------------------------- /roles/hl.docker/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.handle-lid-switch/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | systemd_file: "/etc/systemd/logind.conf" 7 | -------------------------------------------------------------------------------- /roles/hl.handle-lid-switch/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Disable sleep on Laptop Lid Close 3 | ansible.builtin.lineinfile: 4 | path: "{{ systemd_file }}" 5 | state: present 6 | regexp: "^HandleLidSwitch=" 7 | line: "HandleLidSwitch=ignore" 8 | -------------------------------------------------------------------------------- /roles/hl.handle-lid-switch/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.haproxy/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | packages: 3 | - haproxy 4 | - tar 5 | 6 | systemd_service: "haproxy" 7 | 8 | haproxy_config_file: "haproxy.cfg" 9 | haproxy_socket: "/var/lib/haproxy/stats" 10 | haproxy_chroot: "/var/lib/haproxy" 11 | haproxy_user: "haproxy" 12 | haproxy_group: "haproxy" 13 | haproxy_dh_key: "/etc/haproxy/dhparams.pem" 14 | 15 | haproxy_stats_port: "8080" 16 | 17 | # Frontend settings 18 | haproxy_frontend_name: "kubernetes" 19 | haproxy_frontend_bind_address: "*" 20 | haproxy_frontend_port: "6443" 21 | haproxy_frontend_mode: "tcp" 22 | haproxy_frontend_option: "tcplog" 23 | 24 | # Backend settings 25 | haproxy_backend_name: "kubernetes-master-nodes" 26 | haproxy_backend_mode: "tcp" 27 | haproxy_backend_balance_method: "roundrobin" 28 | haproxy_backend_option: "tcp-check" 29 | 30 | # List of backend servers 31 | haproxy_backend_servers: 32 | - name: srv31-master 33 | address: 10.11.1.31:{{ haproxy_frontend_port }} 34 | - name: srv32-master 35 | address: 10.11.1.32:{{ 
haproxy_frontend_port }} 36 | - name: srv33-master 37 | address: 10.11.1.33:{{ haproxy_frontend_port }} 38 | 39 | # haproxy stats login 40 | haproxy_stats_user: "admin" 41 | haproxy_stats_password: "haproxy" 42 | 43 | # haproxy exporter variables 44 | prometheus_user: "prometheus" 45 | haproxy_exporter_port: "9101" 46 | haproxy_exporter_url: "https://github.com/prometheus/haproxy_exporter/releases/download/v0.15.0/haproxy_exporter-0.15.0.linux-amd64.tar.gz" 47 | haproxy_exporter_binary: "haproxy_exporter" 48 | haproxy_exporter_systemd_service: "haproxy_exporter.service" 49 | -------------------------------------------------------------------------------- /roles/hl.haproxy/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart haproxy 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.haproxy/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | - name: RedHat | Enable Service in Firewalld {{ item }} 9 | ansible.posix.firewalld: 10 | immediate: true 11 | port: "{{ item }}/tcp" 12 | permanent: true 13 | state: enabled 14 | loop: 15 | - "{{ haproxy_frontend_port }}" 16 | - "{{ haproxy_stats_port }}" 17 | 18 | - name: RedHat | SELinux - Allow HAProxy to Bind to TCP Port {{ haproxy_frontend_port }} 19 | community.general.seport: 20 | ports: "{{ haproxy_frontend_port }}" 21 | proto: tcp 22 | setype: http_cache_port_t 23 | state: present 24 | 25 | - name: RedHat | Generate Diffie-Hellman Key 26 | community.crypto.openssl_dhparam: 27 | path: "{{ haproxy_dh_key }}" 28 | size: 2048 29 | owner: 0 30 | group: 0 31 | mode: "0644" 32 | 33 | - name: RedHat | Copy HAProxy Certificate File 
34 | ansible.builtin.template: 35 | src: "files/haproxy.pem" 36 | dest: "/etc/pki/tls/certs/haproxy.pem" 37 | mode: "0600" 38 | notify: Restart haproxy 39 | 40 | - name: RedHat | Copy HAProxy Configuration File 41 | ansible.builtin.template: 42 | src: "{{ haproxy_config_file }}.j2" 43 | dest: "/etc/haproxy/{{ haproxy_config_file }}" 44 | mode: "0644" 45 | validate: "haproxy -f %s -c -q" 46 | notify: Restart haproxy 47 | 48 | - name: RedHat | Start and Enable Service {{ systemd_service }} 49 | ansible.builtin.service: 50 | name: "{{ systemd_service }}" 51 | state: started 52 | enabled: true 53 | 54 | # 55 | # Configure HAProxy Exporter systemd service 56 | # 57 | - name: RedHat | Create System Group {{ prometheus_user }} 58 | ansible.builtin.group: 59 | state: present 60 | system: true 61 | name: "{{ prometheus_user }}" 62 | 63 | - name: RedHat | Create System User {{ prometheus_user }} 64 | ansible.builtin.user: 65 | state: present 66 | system: true 67 | name: "{{ prometheus_user }}" 68 | groups: "{{ prometheus_user }}" 69 | shell: "/sbin/nologin" 70 | 71 | - name: RedHat | Enable Service in Firewalld {{ haproxy_exporter_port }} 72 | ansible.posix.firewalld: 73 | immediate: true 74 | port: "{{ haproxy_exporter_port }}/tcp" 75 | permanent: true 76 | state: enabled 77 | 78 | - name: RedHat | Unarchive a file that needs to be downloaded 79 | ansible.builtin.unarchive: 80 | src: "{{ haproxy_exporter_url }}" 81 | dest: "/usr/local/bin" 82 | remote_src: true 83 | owner: root 84 | group: root 85 | extra_opts: 86 | - "--strip-components" 87 | - "1" 88 | 89 | - name: RedHat | Copy Systemd File {{ haproxy_exporter_systemd_service }} 90 | ansible.builtin.template: 91 | src: "{{ haproxy_exporter_systemd_service }}.j2" 92 | dest: "/etc/systemd/system/{{ haproxy_exporter_systemd_service }}" 93 | owner: root 94 | group: root 95 | mode: "0644" 96 | 97 | - name: RedHat | Force Systemd to Reread Configs 98 | ansible.builtin.systemd: 99 | daemon_reload: true 100 | 101 | - name: 
RedHat | Start and Enable Service {{ haproxy_exporter_systemd_service }} 102 | ansible.builtin.service: 103 | name: "{{ haproxy_exporter_systemd_service }}" 104 | state: started 105 | enabled: true 106 | -------------------------------------------------------------------------------- /roles/hl.haproxy/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.haproxy/templates/haproxy.cfg.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | global 5 | log /dev/log local0 6 | log /dev/log local1 notice 7 | 8 | {% if haproxy_chroot != '' %} 9 | chroot {{ haproxy_chroot }} 10 | {% endif %} 11 | pidfile /var/run/haproxy.pid 12 | maxconn 4000 13 | user {{ haproxy_user }} 14 | group {{ haproxy_group }} 15 | daemon 16 | 17 | {% if haproxy_socket != '' %} 18 | # turn on stats unix socket 19 | stats socket {{ haproxy_socket }} level admin 20 | {% endif %} 21 | 22 | # utilise system-wide crypto-policies 23 | ssl-default-bind-ciphers PROFILE=SYSTEM 24 | ssl-default-server-ciphers PROFILE=SYSTEM 25 | ssl-dh-param-file {{ haproxy_dh_key }} 26 | 27 | defaults 28 | mode http 29 | log global 30 | option httplog 31 | option dontlognull 32 | retries 3 33 | timeout http-request 10s 34 | timeout queue 1m 35 | timeout connect 10s 36 | timeout client 1m 37 | timeout server 1m 38 | timeout http-keep-alive 10s 39 | timeout check 10s 40 | maxconn 3000 41 | 42 | frontend {{ haproxy_frontend_name }} 43 | bind {{ haproxy_frontend_bind_address }}:{{ haproxy_frontend_port }} 44 | option {{ haproxy_frontend_option }} 45 | mode {{ haproxy_frontend_mode }} 46 | default_backend {{ haproxy_backend_name }} 47 | 48 | 
backend {{ haproxy_backend_name }} 49 | mode {{ haproxy_backend_mode }} 50 | balance {{ haproxy_backend_balance_method }} 51 | option {{ haproxy_backend_option }} 52 | {% for backend in haproxy_backend_servers %} 53 | server {{ backend.name }} {{ backend.address }} check fall 3 rise 2 54 | {% endfor %} 55 | 56 | frontend stats 57 | bind {{ haproxy_frontend_bind_address }}:{{ haproxy_stats_port }} ssl crt /etc/pki/tls/certs/haproxy.pem 58 | mode http 59 | stats enable 60 | stats uri / 61 | #stats hide-version 62 | stats refresh 30s 63 | stats realm HAProxy\ Statistics 64 | stats auth {{ haproxy_stats_user }}:{{ haproxy_stats_password }} 65 | stats admin if LOCALHOST 66 | -------------------------------------------------------------------------------- /roles/hl.haproxy/templates/haproxy_exporter.service.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | # As of 2.0.0, HAProxy includes a Prometheus exporter module. 4 | # Rocky 8 comes with HAProxy 1.8. Remove this exporter 5 | # configuration when migrating to Rocky 9 and HAProxy 2.4. 
6 | 7 | [Unit] 8 | Description=Prometheus 9 | Documentation=https://github.com/prometheus/haproxy_exporter 10 | Wants=network-online.target 11 | After=network-online.target 12 | 13 | [Service] 14 | Type=simple 15 | User={{ prometheus_user }} 16 | Group={{ prometheus_user }} 17 | ExecReload=/bin/kill -HUP $MAINPID 18 | ExecStart=/usr/local/bin/{{ haproxy_exporter_binary }} \ 19 | --haproxy.pid-file=/var/run/haproxy.pid \ 20 | --haproxy.timeout=20s \ 21 | --web.listen-address=0.0.0.0:{{ haproxy_exporter_port }} \ 22 | --web.telemetry-path=/metrics \ 23 | --no-haproxy.ssl-verify \ 24 | '--haproxy.scrape-uri=https://{{ haproxy_stats_user }}:{{ haproxy_stats_password }}@127.0.0.1:{{ haproxy_stats_port }}/stats;csv' 25 | 26 | SyslogIdentifier=prometheus 27 | Restart=always 28 | 29 | [Install] 30 | WantedBy=multi-user.target 31 | -------------------------------------------------------------------------------- /roles/hl.hardening/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | password_minlen_login_defs: "10" 7 | password_mindays_login_defs: "1" 8 | accounts_tmout: "3600" 9 | accounts_fail_delay: "1" 10 | accounts_max_concurrent_login_sessions: "10" 11 | history_file_size: "20000" 12 | auth_root_ttys: ["console", "tty1", "tty2", "tty3", "tty4", "tty5", "tty6"] 13 | proc_mnt_options: "rw,nodev,nosuid,noexec,relatime,hidepid=2" 14 | 15 | packages_to_remove: 16 | - ivtv-* 17 | - iwl*firmware 18 | - aic94xx-firmware 19 | 20 | services_to_disable: 21 | - kdump 22 | 23 | modules_to_disable: 24 | - appletalk 25 | - bluetooth 26 | - bnep 27 | - btusb 28 | - net-pf-31 29 | - dccp 30 | - sctp 31 | - rds 32 | - tipc 33 | - usb-storage 34 | - cramfs 35 | - freevxfs 36 | - jffs2 37 | - hfsplus 38 | 39 | malware_scanners_to_install: 40 | - rkhunter 41 | 42 | # Security limits config 43 | limits_user_hard_nproc: "16384" 44 | limits_root_hard_nproc: "16384" 45 | limits_user_hard_nofile: "65536" 46 | limits_root_hard_nofile: "65536" 47 | limits_user_hard_fsize: "67108864" 48 | limits_root_hard_fsize: "67108864" 49 | -------------------------------------------------------------------------------- /roles/hl.hardening/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.hardening/templates/hardening-limits.conf.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # 4096 is a good starting point 5 | * soft nofile 4096 6 | * hard nofile {{ limits_user_hard_nofile }} 7 | * soft nproc 4096 8 | * hard nproc {{ limits_user_hard_nproc }} 9 | * soft locks 4096 10 | * hard locks 4096 11 | * soft stack 10240 12 | * hard stack 32768 13 | * - maxlogins 50 14 | 15 | # Soft 
limit 64GB, hard 64GB 16 | * soft fsize {{ limits_user_hard_fsize }} 17 | * hard fsize {{ limits_user_hard_fsize }} 18 | 19 | # Disable core dumps for all users 20 | * hard core 0 21 | root hard core 0 22 | 23 | # Defaults 24 | * soft memlock 64 25 | * hard memlock 64 26 | 27 | # Limits for root 28 | root soft nofile 4096 29 | root hard nofile {{ limits_root_hard_nofile }} 30 | root soft nproc 4096 31 | root hard nproc {{ limits_root_hard_nproc }} 32 | root soft stack 10240 33 | root hard stack 32768 34 | root soft fsize {{ limits_root_hard_fsize }} 35 | root hard fsize {{ limits_root_hard_fsize }} -------------------------------------------------------------------------------- /roles/hl.hardening/templates/securetty.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # A list of TTYs, from which root can log in 5 | # see `man securetty` for reference 6 | {{ "\n".join(auth_root_ttys) }} 7 | -------------------------------------------------------------------------------- /roles/hl.hostsfile/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | hosts_file: "/etc/hosts" 7 | hosts_template: "hosts.j2" 8 | -------------------------------------------------------------------------------- /roles/hl.hostsfile/tasks/Linux.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Linux | Create File {{ hosts_file }} 3 | become: true 4 | ansible.builtin.template: 5 | src: "{{ hosts_template }}" 6 | dest: "{{ hosts_file }}" 7 | owner: root 8 | group: root 9 | mode: "0644" 10 | ignore_errors: true 11 | register: ignore_errors_register 12 | -------------------------------------------------------------------------------- /roles/hl.hostsfile/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: Linux.yml 4 | when: ansible_system == 'Linux' 5 | -------------------------------------------------------------------------------- /roles/hl.hostsfile/templates/hosts.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 5 | ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 6 | 7 | {% for host in groups['admin'] %} 8 | {{ hostvars[host].ansible_default_ipv4.address }} {{ hostvars[host].ansible_facts.fqdn }} {{ hostvars[host].ansible_facts.hostname }} 9 | {% endfor %} 10 | {% for host in groups['pxe'] %} 11 | {{ hostvars[host].ansible_default_ipv4.address }} {{ hostvars[host].ansible_facts.fqdn }} {{ hostvars[host].ansible_facts.hostname }} 12 | {% endfor %} 13 | {% for host in groups['kvm'] %} 14 | {{ hostvars[host].ansible_default_ipv4.address }} {{ hostvars[host].ansible_facts.fqdn }} {{ hostvars[host].ansible_facts.hostname }} 15 | {% endfor %} 16 | 10.11.1.30 kubelb.hl.test 17 | {% for host in groups['k8s_master'] %} 18 | {{ 
hostvars[host].ansible_default_ipv4.address }} {{ hostvars[host].ansible_facts.fqdn }} {{ hostvars[host].ansible_facts.hostname }} 19 | {% endfor %} 20 | {% for host in groups['k8s_node'] %} 21 | {{ hostvars[host].ansible_default_ipv4.address }} {{ hostvars[host].ansible_facts.fqdn }} {{ hostvars[host].ansible_facts.hostname }} 22 | {% endfor %} 23 | -------------------------------------------------------------------------------- /roles/hl.httpd/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - httpd 8 | - mod_ssl 9 | - mod_security 10 | 11 | systemd_service: "httpd" 12 | firewall_ports: 13 | - 80 14 | - 443 15 | 16 | httpd_conf_dir: "/etc/httpd" 17 | httpd_conf_file: "httpd.conf" 18 | httpd_modules_dir: "/etc/httpd/conf.modules.d" 19 | 20 | # If this is set to false, none of the following options will have any effect. 21 | # Any and all changes to /etc/httpd/conf/httpd.conf will be your responsibility. 22 | httpd_use_managed_conf: true 23 | httpd_use_managed_modules_conf: true 24 | 25 | httpd_server_admin: "root@localhost" 26 | httpd_document_root: "/var/www/html" 27 | 28 | httpd_enable_sendfile: "Off" 29 | httpd_server_signature: "Off" 30 | httpd_server_tokens: "Prod" 31 | httpd_trace_enable: "Off" 32 | httpd_extended_status: "On" 33 | -------------------------------------------------------------------------------- /roles/hl.httpd/files/00-base.conf: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # 5 | # This file loads most of the modules included with the Apache HTTP 6 | # Server itself. 
7 | # 8 | 9 | #LoadModule access_compat_module modules/mod_access_compat.so 10 | #LoadModule actions_module modules/mod_actions.so 11 | LoadModule alias_module modules/mod_alias.so 12 | #LoadModule allowmethods_module modules/mod_allowmethods.so 13 | LoadModule auth_basic_module modules/mod_auth_basic.so 14 | #LoadModule auth_digest_module modules/mod_auth_digest.so 15 | #LoadModule authn_anon_module modules/mod_authn_anon.so 16 | LoadModule authn_core_module modules/mod_authn_core.so 17 | #LoadModule authn_dbd_module modules/mod_authn_dbd.so 18 | #LoadModule authn_dbm_module modules/mod_authn_dbm.so 19 | LoadModule authn_file_module modules/mod_authn_file.so 20 | #LoadModule authn_socache_module modules/mod_authn_socache.so 21 | LoadModule authz_core_module modules/mod_authz_core.so 22 | #LoadModule authz_dbd_module modules/mod_authz_dbd.so 23 | #LoadModule authz_dbm_module modules/mod_authz_dbm.so 24 | #LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 25 | LoadModule authz_host_module modules/mod_authz_host.so 26 | #LoadModule authz_owner_module modules/mod_authz_owner.so 27 | LoadModule authz_user_module modules/mod_authz_user.so 28 | LoadModule autoindex_module modules/mod_autoindex.so 29 | #LoadModule brotli_module modules/mod_brotli.so 30 | #LoadModule cache_module modules/mod_cache.so 31 | #LoadModule cache_disk_module modules/mod_cache_disk.so 32 | #LoadModule cache_socache_module modules/mod_cache_socache.so 33 | #LoadModule data_module modules/mod_data.so 34 | #LoadModule dbd_module modules/mod_dbd.so 35 | LoadModule deflate_module modules/mod_deflate.so 36 | LoadModule dir_module modules/mod_dir.so 37 | #LoadModule dumpio_module modules/mod_dumpio.so 38 | #LoadModule echo_module modules/mod_echo.so 39 | #LoadModule env_module modules/mod_env.so 40 | #LoadModule expires_module modules/mod_expires.so 41 | #LoadModule ext_filter_module modules/mod_ext_filter.so 42 | LoadModule filter_module modules/mod_filter.so 43 | LoadModule 
headers_module modules/mod_headers.so 44 | #LoadModule include_module modules/mod_include.so 45 | #LoadModule info_module modules/mod_info.so 46 | LoadModule log_config_module modules/mod_log_config.so 47 | LoadModule logio_module modules/mod_logio.so 48 | #LoadModule macro_module modules/mod_macro.so 49 | LoadModule mime_magic_module modules/mod_mime_magic.so 50 | LoadModule mime_module modules/mod_mime.so 51 | #LoadModule negotiation_module modules/mod_negotiation.so 52 | LoadModule remoteip_module modules/mod_remoteip.so 53 | LoadModule reqtimeout_module modules/mod_reqtimeout.so 54 | LoadModule request_module modules/mod_request.so 55 | LoadModule rewrite_module modules/mod_rewrite.so 56 | LoadModule setenvif_module modules/mod_setenvif.so 57 | #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so 58 | LoadModule slotmem_shm_module modules/mod_slotmem_shm.so 59 | #LoadModule socache_dbm_module modules/mod_socache_dbm.so 60 | #LoadModule socache_memcache_module modules/mod_socache_memcache.so 61 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 62 | LoadModule status_module modules/mod_status.so 63 | #LoadModule substitute_module modules/mod_substitute.so 64 | #LoadModule suexec_module modules/mod_suexec.so 65 | LoadModule unique_id_module modules/mod_unique_id.so 66 | LoadModule unixd_module modules/mod_unixd.so 67 | #LoadModule userdir_module modules/mod_userdir.so 68 | #LoadModule version_module modules/mod_version.so 69 | #LoadModule vhost_alias_module modules/mod_vhost_alias.so 70 | LoadModule watchdog_module modules/mod_watchdog.so 71 | -------------------------------------------------------------------------------- /roles/hl.httpd/files/00-dav.conf: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | #LoadModule dav_module modules/mod_dav.so 5 | #LoadModule dav_fs_module modules/mod_dav_fs.so 6 | #LoadModule 
dav_lock_module modules/mod_dav_lock.so 7 | -------------------------------------------------------------------------------- /roles/hl.httpd/files/00-optional.conf: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # 5 | # This file lists modules included with the Apache HTTP Server 6 | # which are not enabled by default. 7 | # 8 | 9 | #LoadModule asis_module modules/mod_asis.so 10 | #LoadModule buffer_module modules/mod_buffer.so 11 | #LoadModule heartbeat_module modules/mod_heartbeat.so 12 | LoadModule heartmonitor_module modules/mod_heartmonitor.so 13 | #LoadModule usertrack_module modules/mod_usertrack.so 14 | #LoadModule dialup_module modules/mod_dialup.so 15 | #LoadModule charset_lite_module modules/mod_charset_lite.so 16 | #LoadModule log_debug_module modules/mod_log_debug.so 17 | #LoadModule log_forensic_module modules/mod_log_forensic.so 18 | #LoadModule ratelimit_module modules/mod_ratelimit.so 19 | #LoadModule reflector_module modules/mod_reflector.so 20 | #LoadModule sed_module modules/mod_sed.so 21 | #LoadModule speling_module modules/mod_speling.so 22 | -------------------------------------------------------------------------------- /roles/hl.httpd/files/00-proxy.conf: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # This file configures all the proxy modules: 5 | LoadModule proxy_module modules/mod_proxy.so 6 | #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so 7 | #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so 8 | #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so 9 | #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so 10 | #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so 11 | #LoadModule 
proxy_balancer_module modules/mod_proxy_balancer.so 12 | #LoadModule proxy_connect_module modules/mod_proxy_connect.so 13 | #LoadModule proxy_express_module modules/mod_proxy_express.so 14 | LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so 15 | #LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so 16 | #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so 17 | #LoadModule proxy_http_module modules/mod_proxy_http.so 18 | #LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so 19 | #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so 20 | #LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so 21 | #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 22 | -------------------------------------------------------------------------------- /roles/hl.httpd/files/10-proxy_h2.conf: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | #LoadModule proxy_http2_module modules/mod_proxy_http2.so 5 | -------------------------------------------------------------------------------- /roles/hl.httpd/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart httpd 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.httpd/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages for Apache 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | - name: RedHat | Copy Template File {{ httpd_conf_file }} 9 | ansible.builtin.template: 10 | src: "{{ httpd_conf_file }}.j2" 11 | dest: "{{ httpd_conf_dir }}/conf/{{ httpd_conf_file }}" 12 | owner: root 13 | group: root 14 | mode: "0644" 15 | force: true 16 | 
when: httpd_use_managed_conf 17 | 18 | - name: RedHat | Copy Module Configuration Files to {{ httpd_modules_dir }} 19 | ansible.builtin.template: 20 | src: "files/{{ item }}" 21 | dest: "{{ httpd_modules_dir }}/{{ item }}" 22 | owner: root 23 | group: root 24 | mode: "0644" 25 | force: true 26 | when: httpd_use_managed_modules_conf 27 | loop: 28 | - "00-base.conf" 29 | - "00-dav.conf" 30 | - "00-optional.conf" 31 | - "00-proxy.conf" 32 | - "10-proxy_h2.conf" 33 | 34 | - name: RedHat | Disable Alias /icons/ 35 | ansible.builtin.replace: 36 | path: "{{ httpd_conf_dir }}/conf.d/autoindex.conf" 37 | regexp: "^Alias" 38 | replace: "#Alias" 39 | notify: 40 | - Restart httpd 41 | 42 | - name: RedHat | Disable Welcome Page 43 | ansible.builtin.copy: 44 | content: "" 45 | dest: "{{ httpd_conf_dir }}/conf.d/welcome.conf" 46 | owner: 0 47 | group: 0 48 | mode: "0644" 49 | notify: 50 | - Restart httpd 51 | 52 | - name: RedHat | Enable Ports in Firewalld 53 | ansible.posix.firewalld: 54 | immediate: true 55 | port: "{{ item }}/tcp" 56 | permanent: true 57 | state: enabled 58 | loop: "{{ firewall_ports }}" 59 | 60 | - name: RedHat | Start and Enable Service {{ systemd_service }} 61 | ansible.builtin.service: 62 | name: "{{ systemd_service }}" 63 | state: started 64 | enabled: true 65 | -------------------------------------------------------------------------------- /roles/hl.httpd/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.k8s-cluster/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. 
These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | calico_version: "3.29.2" 7 | k8s_dashboard_version: "2.7.0" 8 | k8s_version: "1.31.6" 9 | k8s_pod_network: "192.168.0.0/16" 10 | k8s_ha_dns: "kubelb.hl.test" 11 | k8s_api_port: "6443" 12 | k8s_service_dns: "apps.hl.test" 13 | k8s_admin_config: "/etc/kubernetes/admin.conf" 14 | 15 | sysctl_config: 16 | - name: net.bridge.bridge-nf-call-iptables 17 | value: 1 18 | - name: net.bridge.bridge-nf-call-ip6tables 19 | value: 1 20 | 21 | ## This has to match with {{ ansible_user }} 22 | k8s_user: "ansible" 23 | k8s_user_home: "/home/{{ k8s_user }}" 24 | 25 | calico_net_url: "https://raw.githubusercontent.com/projectcalico/calico/v{{ calico_version }}/manifests/calico.yaml" 26 | calico_net_config: "calico.yaml" 27 | 28 | k8s_token_file_master: "join-master-command" 29 | k8s_token_file_node: "join-node-command" 30 | k8s_kubelet_config: "/etc/kubernetes/kubelet.conf" 31 | 32 | dashboard_url: "https://raw.githubusercontent.com/kubernetes/dashboard/v{{ k8s_dashboard_version }}/aio/deploy/recommended.yaml" 33 | dashboard_config: "kubernetes-dashboard.yml" 34 | k8s_dashboard_adminuser_config: "dashboard-adminuser.yaml" 35 | k8s_dashboard_url: "https://{{ k8s_ha_dns }}:{{ k8s_api_port }}/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/overview?namespace=default" 36 | -------------------------------------------------------------------------------- /roles/hl.k8s-cluster/files/dashboard-adminuser.yaml: -------------------------------------------------------------------------------- 1 | # Make sure that you know what you are doing before proceeding. 2 | # Granting admin privileges to Dashboard's Service Account might be a security risk. 
3 | --- 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: admin-user 8 | namespace: kube-system 9 | --- 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: ClusterRoleBinding 12 | metadata: 13 | name: admin-user 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: ClusterRole 17 | name: cluster-admin 18 | subjects: 19 | - kind: ServiceAccount 20 | name: admin-user 21 | namespace: kube-system 22 | -------------------------------------------------------------------------------- /roles/hl.k8s-cluster/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.k8s/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | k8s_version: "1.31.6" 7 | k8s_repository_redhat: "https://pkgs.k8s.io/core:/stable:/v{{ k8s_version.split('.')[0] }}.{{ k8s_version.split('.')[1] }}/rpm/" 8 | k8s_gpg_key_redhat: "https://pkgs.k8s.io/core:/stable:/v{{ k8s_version.split('.')[0] }}.{{ k8s_version.split('.')[1] }}/rpm/repodata/repomd.xml.key" 9 | 10 | # nfs-utils is required to configure NFS based Persistent Volumes 11 | packages: 12 | - kubectl-{{ k8s_version }}* 13 | - kubeadm-{{ k8s_version }}* 14 | - iproute-tc 15 | - iptables-services 16 | - nfs-utils 17 | 18 | dependencies: 19 | - kubernetes-cni-1.5.1-* 20 | - kubelet-{{ k8s_version }}* 21 | 22 | systemd_service: "kubelet" 23 | 24 | packages_to_remove: 25 | - firewalld 26 | - nftables 27 | 28 | modules_config_file: "modules.conf" 29 | modules_directory: "/etc/modules-load.d" 30 | 31 | kubelet_file: "/etc/sysconfig/kubelet" 32 | 33 | sysctl_config: 34 | - name: net.ipv4.ip_forward 35 | value: 1 36 | - name: net.bridge.bridge-nf-call-iptables 37 | value: 1 38 | - name: net.bridge.bridge-nf-call-ip6tables 39 | value: 1 40 | 41 | # 8443 - Kubernetes API server 42 | # 2379,2380 - etcd server client API 43 | # 2381 - etcd metrics API 44 | # 10250 - Kubelet API 45 | # 10251 - kube-scheduler 46 | # 10252 - kube-controller-manager 47 | k8s_firewall_ports_master: 48 | - 6443 49 | - 2379-2381 50 | - 10250-10252 51 | 52 | # 10250 - Kubelet API 53 | # 30000-32767 - NodePort Services 54 | k8s_firewall_ports_node: 55 | - 10250 56 | - 30000-32767 57 | 58 | # 179 - Calico networking (BGP) 59 | k8s_firewall_ports_cni: 60 | - 179 61 | 62 | # 7946 - MetalLB 63 | k8s_firewall_ports_metallb: 64 | - 7946 65 | -------------------------------------------------------------------------------- /roles/hl.k8s/files/modules.conf: -------------------------------------------------------------------------------- 1 | ip_tables 2 | br_netfilter 3 | -------------------------------------------------------------------------------- /roles/hl.k8s/tasks/RedHat.yml: 
- name: RedHat | Disable SWAP because K8s up to v1.22 does not work with swap enabled (1/2)
allow_downgrade: true 59 | loop: "{{ packages }}" 60 | 61 | - name: RedHat | Print Message About cgroupDriver 62 | ansible.builtin.debug: 63 | msg: "In K8s v1.22, if the user is not setting the cgroupDriver field under KubeletConfiguration, kubeadm will default it to systemd." 64 | 65 | - name: RedHat | Configure Kubelet Eviction Thresholds 66 | ansible.builtin.lineinfile: 67 | path: "{{ kubelet_file }}" 68 | state: present 69 | regexp: "^KUBELET_EXTRA_ARGS=" 70 | line: "KUBELET_EXTRA_ARGS=--eviction-hard=memory.available<256Mi,nodefs.available<1Gi,imagefs.available<1Gi" 71 | 72 | - name: RedHat | Start and Enable Service {{ systemd_service }} 73 | ansible.builtin.service: 74 | name: "{{ systemd_service }}" 75 | state: started 76 | enabled: true 77 | 78 | - name: RedHat | Deploy {{ modules_config_file }} 79 | ansible.builtin.template: 80 | src: "files/{{ modules_config_file }}" 81 | dest: "{{ modules_directory }}/{{ modules_config_file }}" 82 | owner: root 83 | group: root 84 | mode: "0644" 85 | force: true 86 | 87 | - name: RedHat | Add the ip_tables module 88 | community.general.modprobe: 89 | name: ip_tables 90 | state: present 91 | -------------------------------------------------------------------------------- /roles/hl.k8s/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.keepalived/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - keepalived 8 | - psmisc 9 | 10 | systemd_service: "keepalived" 11 | keepalived_config_file: "keepalived.conf" 12 | 13 | # Virtual IP to use with keepalived 14 | keepalived_vip: "10.11.1.30" 15 | 16 | # Unique identifier per VRRP instance (same across all servers on the instance) 17 | keepalived_virtual_router_id: "255" 18 | 19 | # Either true or false. False if HAProxy will not be deployed 20 | keepalived_with_haproxy: "true" 21 | 22 | # auth_pass: stored in ansible vault defaults/secure.yml 23 | 24 | # The host's kernel needs to be configured to allow a process to bind 25 | # to a non-local IP address. This is because non-active VRRP nodes will 26 | # not have the virtual IP configured on any interfaces. 27 | sysctl_config: 28 | - name: net.ipv4.ip_forward 29 | value: 1 30 | - name: net.ipv4.ip_nonlocal_bind 31 | value: 1 32 | -------------------------------------------------------------------------------- /roles/hl.keepalived/defaults/secure.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 37393033353037346263666164613439373737656633656239356238373938643633346333653939 3 | 6161303234393232656632376633353638643234393562320a383563396462313536316638383262 4 | 62316231343965356465326463356361373464616166646463666634646165636530613532373163 5 | 3336396638386632660a366237393861353436623034623234663632643663646634643762393865 6 | 37383766396438313562316634366366663062306330633562666531623762393834333938666639 7 | 39646332376564366561646634316632653036636130666631336637386666313766636366353639 8 | 633461313538303333396339323430323338 9 | -------------------------------------------------------------------------------- /roles/hl.keepalived/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart keepalived 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | 
-------------------------------------------------------------------------------- /roles/hl.keepalived/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Include Secure Vars 3 | ansible.builtin.include_vars: 4 | file: ../defaults/secure.yml 5 | 6 | - name: RedHat | Install Packages 7 | ansible.builtin.package: 8 | name: "{{ item }}" 9 | state: present 10 | loop: "{{ packages }}" 11 | 12 | - name: RedHat | Configure Sysctl Values 13 | ansible.posix.sysctl: 14 | name: "{{ item.name }}" 15 | value: "{{ item.value }}" 16 | state: present 17 | loop: "{{ sysctl_config }}" 18 | 19 | - name: RedHat | Allow VRRP Traffic to Pass Between the Keepalived Nodes 20 | ansible.posix.firewalld: 21 | immediate: true 22 | permanent: true 23 | state: enabled 24 | rich_rule: "rule protocol value=vrrp accept" 25 | 26 | - name: RedHat | Configure Master Keepalived Server 27 | ansible.builtin.template: 28 | src: "{{ keepalived_config_file }}.master.j2" 29 | dest: "/etc/keepalived/{{ keepalived_config_file }}" 30 | owner: root 31 | group: root 32 | mode: "0644" 33 | force: true 34 | when: "'dns1' in group_names" 35 | notify: 36 | - Restart keepalived 37 | 38 | - name: RedHat | Configure Slave Keepalived Server 39 | ansible.builtin.template: 40 | src: "{{ keepalived_config_file }}.slave.j2" 41 | dest: "/etc/keepalived/{{ keepalived_config_file }}" 42 | owner: root 43 | group: root 44 | mode: "0644" 45 | force: true 46 | when: "'dns2' in group_names" 47 | notify: 48 | - Restart keepalived 49 | 50 | - name: RedHat | Start and Enable Service {{ systemd_service }} 51 | ansible.builtin.service: 52 | name: "{{ systemd_service }}" 53 | state: started 54 | enabled: true 55 | -------------------------------------------------------------------------------- /roles/hl.keepalived/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | 
ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.keepalived/templates/keepalived.conf.master.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # Inspired by https://www.lisenet.com/2015/setting-up-a-load-balancing-haproxy-cluster-with-keepalived/ 5 | {% if keepalived_with_haproxy == "true" %} 6 | # Keepalived with HAProxy 7 | {% endif %} 8 | 9 | global_defs { 10 | notification_email { 11 | root@localhost 12 | } 13 | notification_email_from root@localhost 14 | smtp_server localhost 15 | smtp_connect_timeout 30 16 | vrrp_skip_check_adv_addr 17 | vrrp_strict 18 | vrrp_garp_interval 0 19 | vrrp_gna_interval 0 20 | } 21 | 22 | {% if keepalived_with_haproxy == "true" %} 23 | # Script used to check if HAProxy is running 24 | vrrp_script check_haproxy { 25 | script "/usr/bin/killall -0 haproxy" # check the haproxy process 26 | interval 2 # every 2 seconds 27 | weight 2 # add 2 points if OK 28 | } 29 | {% endif %} 30 | 31 | vrrp_instance VI_1 { 32 | state MASTER # MASTER on haproxy, BACKUP on haproxy2 33 | interface {{ ansible_default_ipv4.interface }} 34 | virtual_router_id {{ keepalived_virtual_router_id }} 35 | priority 101 # 101 on haproxy, 100 on haproxy2 36 | advert_int 1 37 | authentication { 38 | auth_type PASS 39 | auth_pass {{ keepalived_auth_pass }} 40 | } 41 | virtual_ipaddress { 42 | {{ keepalived_vip }} 43 | } 44 | {% if keepalived_with_haproxy == "true" %} 45 | track_script { 46 | check_haproxy 47 | } 48 | {% endif %} 49 | } 50 | -------------------------------------------------------------------------------- /roles/hl.keepalived/templates/keepalived.conf.slave.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by 
Ansible role {{ ansible_role_name }} 3 | 4 | # Inspired by https://www.lisenet.com/2015/setting-up-a-load-balancing-haproxy-cluster-with-keepalived/ 5 | {% if keepalived_with_haproxy == "true" %} 6 | # Keepalived with HAProxy 7 | {% endif %} 8 | 9 | global_defs { 10 | notification_email { 11 | root@localhost 12 | } 13 | notification_email_from root@localhost 14 | smtp_server localhost 15 | smtp_connect_timeout 30 16 | vrrp_skip_check_adv_addr 17 | vrrp_strict 18 | vrrp_garp_interval 0 19 | vrrp_gna_interval 0 20 | } 21 | 22 | {% if keepalived_with_haproxy == "true" %} 23 | # Script used to check if HAProxy is running 24 | vrrp_script check_haproxy { 25 | script "killall -0 haproxy" # check the haproxy process 26 | interval 2 # every 2 seconds 27 | weight 2 # add 2 points if OK 28 | } 29 | {% endif %} 30 | 31 | vrrp_instance VI_1 { 32 | state BACKUP # MASTER on haproxy, BACKUP on haproxy2 33 | interface {{ ansible_default_ipv4.interface }} 34 | virtual_router_id {{ keepalived_virtual_router_id }} 35 | priority 100 # 101 on haproxy, 100 on haproxy2 36 | advert_int 1 37 | authentication { 38 | auth_type PASS 39 | auth_pass {{ keepalived_auth_pass }} 40 | } 41 | virtual_ipaddress { 42 | {{ keepalived_vip }} 43 | } 44 | {% if keepalived_with_haproxy == "true" %} 45 | track_script { 46 | check_haproxy 47 | } 48 | {% endif %} 49 | } 50 | -------------------------------------------------------------------------------- /roles/hl.libvirt/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - qemu-kvm 8 | - libvirt 9 | - virt-install 10 | 11 | systemd_service: "libvirtd" 12 | 13 | libvirt_images_location: "/var/lib/libvirt/images" 14 | libvirt_networks_dir: "/etc/libvirt/qemu/networks" 15 | bridge_net_template: "ifcfg-br0.example" 16 | ethx_net_template: "ifcfg-ethx.example" 17 | -------------------------------------------------------------------------------- /roles/hl.libvirt/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart libvirtd 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.libvirt/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | - name: RedHat | Start and Enable Service {{ systemd_service }} 9 | ansible.builtin.service: 10 | name: "{{ systemd_service }}" 11 | state: started 12 | enabled: true 13 | 14 | - name: RedHat | Destroy (stop) Default Network 15 | ansible.builtin.command: virsh net-destroy default 16 | ignore_errors: true 17 | register: virsh_output # Registers the command output. 18 | changed_when: virsh_output.rc != 0 # Uses the return code to define when the task has changed. 
19 | notify: 20 | - Restart libvirtd 21 | 22 | - name: RedHat | Undefine (permanently remove) Default Network 23 | ansible.builtin.command: virsh net-undefine default 24 | args: 25 | removes: "/var/lib/libvirt/dnsmasq/default.conf" 26 | ignore_errors: true 27 | register: ignore_errors_register 28 | notify: 29 | - Restart libvirtd 30 | 31 | - name: RedHat | Deploy Network Example Files 32 | ansible.builtin.template: 33 | src: "{{ item }}" 34 | dest: "/etc/sysconfig/network-scripts/{{ item }}" 35 | owner: root 36 | group: root 37 | mode: "0644" 38 | force: true 39 | loop: 40 | - "{{ bridge_net_template }}" 41 | - "{{ ethx_net_template }}" 42 | 43 | - name: RedHat | Print Message 44 | ansible.builtin.debug: 45 | msg: "Bridge file /etc/sysconfig/network-scripts/{{ bridge_net_template }} has been deployed but no changes to system networking have been made." 46 | -------------------------------------------------------------------------------- /roles/hl.libvirt/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.libvirt/templates/ifcfg-br0.example: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | ONBOOT=no 5 | 6 | DEVICE=br0 7 | STP=no 8 | BRIDGING_OPTS=priority=32768 9 | TYPE=Bridge 10 | PROXY_METHOD=none 11 | BROWSER_ONLY=no 12 | BOOTPROTO=none 13 | DEFROUTE=yes 14 | IPV4_FAILURE_FATAL=yes 15 | IPV6INIT=no 16 | IPV6_AUTOCONF=no 17 | IPV6_DEFROUTE=no 18 | IPV6_FAILURE_FATAL=no 19 | IPV6_ADDR_GEN_MODE=stable-privacy 20 | NAME=br0 21 | IPADDR={{ ansible_default_ipv4.address }} 22 | PREFIX={{ homelab_cidr_prefix }} 23 | GATEWAY={{ homelab_gateway }} 24 | DNS1={{ homelab_dns1_server }} 
25 | DNS2={{ homelab_dns2_server }} 26 | DNS3={{ homelab_dns3_server }} 27 | PEERDNS=yes 28 | -------------------------------------------------------------------------------- /roles/hl.libvirt/templates/ifcfg-ethx.example: -------------------------------------------------------------------------------- 1 | NAME=ethx 2 | DEVICE=ethx 3 | ONBOOT=yes 4 | TYPE=Ethernet 5 | BOOTPROTO=none 6 | BRIDGE=br0 7 | ETHTOOL_OPTS="-s ${DEVICE} wol g" 8 | -------------------------------------------------------------------------------- /roles/hl.mysql-server/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | mysql_gpg_keys: 7 | - https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 8 | - https://repo.mysql.com/RPM-GPG-KEY-mysql-2022 9 | - https://repo.mysql.com/RPM-GPG-KEY-mysql 10 | 11 | packages: 12 | - mysql-community-server 13 | - mysql-community-client 14 | - mysqltuner 15 | 16 | systemd_service: "mysqld" 17 | 18 | mysql_config_file: "/etc/my.cnf" 19 | -------------------------------------------------------------------------------- /roles/hl.mysql-server/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart mysqld 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.mysql-server/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Import MySQL GPG Key from a URL 3 | ansible.builtin.rpm_key: 4 | state: present 5 | key: "{{ item }}" 6 | loop: "{{ mysql_gpg_keys }}" 7 | 8 | - name: RedHat | Add MySQL Repositories into the Same File (1/3) 9 | 
ansible.builtin.yum_repository: 10 | name: mysql80-community 11 | description: "MySQL 8.0 Community Server" 12 | file: mysql-community 13 | baseurl: "http://repo.mysql.com/yum/mysql-8.0-community/el/8/$basearch/" 14 | gpgkey: "https://repo.mysql.com/RPM-GPG-KEY-mysql-2023" 15 | gpgcheck: yes 16 | enabled: yes 17 | when: ansible_distribution_major_version == "8" 18 | 19 | - name: RedHat | Add MySQL Repositories into the Same File (2/3) 20 | ansible.builtin.yum_repository: 21 | name: mysql-connectors-community 22 | description: "MySQL Connectors Community" 23 | file: mysql-community 24 | baseurl: "http://repo.mysql.com/yum/mysql-connectors-community/el/8/$basearch/" 25 | gpgkey: "https://repo.mysql.com/RPM-GPG-KEY-mysql-2023" 26 | gpgcheck: yes 27 | enabled: yes 28 | when: ansible_distribution_major_version == "8" 29 | 30 | - name: RedHat | Add MySQL Repositories into the Same File (3/3) 31 | ansible.builtin.yum_repository: 32 | name: mysql-tools-community 33 | description: "MySQL Tools Community" 34 | file: mysql-community 35 | baseurl: "http://repo.mysql.com/yum/mysql-tools-community/el/8/$basearch/" 36 | gpgkey: "https://repo.mysql.com/RPM-GPG-KEY-mysql-2023" 37 | gpgcheck: yes 38 | enabled: yes 39 | when: ansible_distribution_major_version == "8" 40 | 41 | - name: RedHat | Disable the Default MySQL Module on EL8 42 | ansible.builtin.command: yum module disable -y mysql 43 | when: ansible_distribution_major_version == "8" 44 | register: module_disable 45 | changed_when: module_disable.rc != 0 46 | 47 | - name: RedHat | Install Packages 48 | ansible.builtin.package: 49 | name: "{{ item }}" 50 | state: present 51 | loop: "{{ packages }}" 52 | 53 | - name: RedHat | Copy my.cnf Global MySQL Configuration 54 | ansible.builtin.template: 55 | src: my.cnf.j2 56 | dest: "{{ mysql_config_file }}" 57 | owner: root 58 | group: root 59 | mode: "0644" 60 | force: true 61 | notify: Restart mysqld 62 | 63 | - name: RedHat | Enable MySQL Service 64 | ansible.builtin.systemd: 65 | 
name: "{{ systemd_service }}" 66 | enabled: true 67 | state: started 68 | -------------------------------------------------------------------------------- /roles/hl.mysql-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.mysql-server/templates/my.cnf.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # For advice on how to change settings please see 5 | # http://dev.mysql.com/doc/refman/8.0/en/server-configuration-defaults.html 6 | 7 | [mysqld] 8 | default-authentication-plugin = mysql_native_password 9 | sql_mode = NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,ONLY_FULL_GROUP_BY 10 | transaction_isolation = READ-COMMITTED 11 | optimizer_search_depth = 0 12 | tls_version = '' 13 | character_set_server = utf8mb4 14 | collation_server = utf8mb4_general_ci 15 | lower_case_table_names = 1 16 | explicit_defaults_for_timestamp = ON 17 | 18 | # *** Basic Settings *** 19 | user = mysql 20 | pid_file = /var/run/mysqld/mysqld.pid 21 | socket = /var/lib/mysql/mysql.sock 22 | bind_address = 127.0.0.1 23 | port = 3306 24 | datadir = /var/lib/mysql 25 | tmpdir = /run/mysqld 26 | log-error = /var/log/mysqld.log 27 | skip_external_locking = 1 28 | skip_name_resolve = 1 29 | mysqlx = 0 30 | 31 | # *** Tuning *** 32 | max_connections = 50 33 | wait_timeout = 60 34 | interactive_timeout = 60 35 | open_files_limit = 5000 36 | table_open_cache = 1024 37 | max_allowed_packet = 1M 38 | max_heap_table_size = 128M 39 | tmp_table_size = 128M 40 | 41 | # *** Fine Tuning *** 42 | key_buffer_size = 6M 43 | read_rnd_buffer_size = 256K 44 | 
thread_stack = 256K 45 | thread_cache_size = 9 46 | join_buffer_size = 256K 47 | sort_buffer_size = 256K 48 | read_buffer_size = 128K 49 | 50 | # *** Logging *** 51 | general_log_file = /var/log/mysqld.log 52 | general_log = 0 53 | 54 | slow_query_log = 0 55 | slow_query_log_file = /var/lib/mysql/mysql-slow.log 56 | long_query_time = 10 57 | log_queries_not_using_indexes = 0 58 | log_slow_admin_statements = 0 59 | 60 | 61 | # *** Replication and Binlogs *** 62 | # Binlogs are disabled 63 | disable_log_bin 64 | server_id = 1 65 | max_binlog_size = 128M 66 | sync_binlog = 0 67 | 68 | # *** InnoDB *** 69 | innodb_strict_mode = ON 70 | innodb_file_per_table = 1 71 | innodb_flush_log_at_trx_commit = 1 72 | innodb_buffer_pool_size = 512M 73 | innodb_buffer_pool_instances = 1 74 | innodb_page_cleaners = 4 75 | innodb_log_buffer_size = 32M 76 | innodb_redo_log_capacity = 134217728 77 | innodb_lock_wait_timeout = 100 78 | innodb_data_file_path = ibdata1:16M:autoextend:max:1024M 79 | innodb_temp_data_file_path = ibtmp1:12M:autoextend:max:1024M 80 | 81 | 82 | [mysqldump] 83 | quick 84 | quote_names 85 | max_allowed_packet=1M 86 | 87 | [mysqld_safe] 88 | log-error = /var/log/mysqld.log 89 | pid_file = /var/run/mysql/mysql.pid 90 | open_files_limit = 5000 91 | -------------------------------------------------------------------------------- /roles/hl.mysqld-exporter/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - tar 8 | 9 | prometheus_user: "prometheus" 10 | 11 | mysqld_exporter_port: "9104" 12 | mysqld_exporter_url: "https://github.com/prometheus/mysqld_exporter/releases/download/v0.14.0/mysqld_exporter-0.14.0.linux-amd64.tar.gz" 13 | mysqld_exporter_binary: "mysqld_exporter" 14 | mysqld_exporter_systemd_service: "mysqld_exporter.service" 15 | mysqld_my_cnf_file: "/etc/.my-exporter.cnf" 16 | -------------------------------------------------------------------------------- /roles/hl.mysqld-exporter/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | # 9 | # Configure MySQL Exporter systemd service 10 | # 11 | - name: RedHat | Create System Group {{ prometheus_user }} 12 | ansible.builtin.group: 13 | state: present 14 | system: true 15 | name: "{{ prometheus_user }}" 16 | 17 | - name: RedHat | Create System User {{ prometheus_user }} 18 | ansible.builtin.user: 19 | state: present 20 | system: true 21 | name: "{{ prometheus_user }}" 22 | groups: "{{ prometheus_user }}" 23 | shell: "/sbin/nologin" 24 | 25 | - name: RedHat | Enable Service in Firewalld {{ mysqld_exporter_port }} 26 | ansible.posix.firewalld: 27 | immediate: true 28 | port: "{{ mysqld_exporter_port }}/tcp" 29 | permanent: true 30 | state: enabled 31 | 32 | - name: RedHat | Unarchive a file that needs to be downloaded 33 | ansible.builtin.unarchive: 34 | src: "{{ mysqld_exporter_url }}" 35 | dest: "/usr/local/bin" 36 | remote_src: true 37 | owner: root 38 | group: root 39 | extra_opts: 40 | - "--strip-components" 41 | - "1" 42 | 43 | - name: RedHat | Copy Systemd File {{ mysqld_exporter_systemd_service }} 44 | ansible.builtin.template: 45 | src: "{{ mysqld_exporter_systemd_service }}.j2" 46 | dest: "/etc/systemd/system/{{ mysqld_exporter_systemd_service }}" 47 | owner: root 48 | group: root 49 
| mode: "0644" 50 | 51 | - name: RedHat | Force Systemd to Reread Configs 52 | ansible.builtin.systemd: 53 | daemon_reload: true 54 | 55 | - name: RedHat | Start and Enable Service {{ mysqld_exporter_systemd_service }} 56 | ansible.builtin.service: 57 | name: "{{ mysqld_exporter_systemd_service }}" 58 | state: started 59 | enabled: true 60 | -------------------------------------------------------------------------------- /roles/hl.mysqld-exporter/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.mysqld-exporter/templates/mysqld_exporter.service.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | [Unit] 5 | Description=Prometheus 6 | Documentation=https://github.com/prometheus/mysqld_exporter 7 | Wants=network-online.target 8 | After=network-online.target 9 | 10 | [Service] 11 | Type=simple 12 | User={{ prometheus_user }} 13 | Group={{ prometheus_user }} 14 | ExecReload=/bin/kill -HUP $MAINPID 15 | ExecStart=/usr/local/bin/{{ mysqld_exporter_binary }} \ 16 | --config.my-cnf={{ mysqld_my_cnf_file }} \ 17 | --tls.insecure-skip-verify \ 18 | --web.listen-address=0.0.0.0:{{ mysqld_exporter_port }} \ 19 | --web.telemetry-path=/metrics 20 | 21 | SyslogIdentifier=prometheus 22 | Restart=always 23 | 24 | [Install] 25 | WantedBy=multi-user.target 26 | -------------------------------------------------------------------------------- /roles/hl.node-exporter/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. 
These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - tar 8 | 9 | prometheus_user: "prometheus" 10 | 11 | node_exporter_port: "9100" 12 | node_exporter_url: "https://github.com/prometheus/node_exporter/releases/download/v1.5.0/node_exporter-1.5.0.linux-amd64.tar.gz" 13 | node_exporter_binary: "node_exporter" 14 | node_exporter_systemd_service: "node_exporter.service" 15 | -------------------------------------------------------------------------------- /roles/hl.node-exporter/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | # 9 | # Configure Node Exporter systemd service 10 | # 11 | - name: RedHat | Create System Group {{ prometheus_user }} 12 | ansible.builtin.group: 13 | state: present 14 | system: true 15 | name: "{{ prometheus_user }}" 16 | 17 | - name: RedHat | Create System User {{ prometheus_user }} 18 | ansible.builtin.user: 19 | state: present 20 | system: true 21 | name: "{{ prometheus_user }}" 22 | groups: "{{ prometheus_user }}" 23 | shell: "/sbin/nologin" 24 | 25 | - name: RedHat | Check Services 26 | ansible.builtin.service_facts: 27 | 28 | - name: RedHat | Enable Service in Firewalld {{ node_exporter_port }} 29 | ansible.posix.firewalld: 30 | immediate: true 31 | port: "{{ node_exporter_port }}/tcp" 32 | permanent: true 33 | state: enabled 34 | when: "'firewalld.service' in ansible_facts.services" 35 | 36 | - name: RedHat | Unarchive a file that needs to be downloaded 37 | ansible.builtin.unarchive: 38 | src: "{{ node_exporter_url }}" 39 | dest: "/usr/local/bin" 40 | remote_src: true 41 | owner: root 42 | group: root 43 | extra_opts: 44 | - "--strip-components" 45 | - "1" 46 | 47 | - name: RedHat | Copy Systemd File {{ 
node_exporter_systemd_service }} 48 | ansible.builtin.template: 49 | src: "{{ node_exporter_systemd_service }}.j2" 50 | dest: "/etc/systemd/system/{{ node_exporter_systemd_service }}" 51 | owner: root 52 | group: root 53 | mode: "0644" 54 | 55 | - name: RedHat | Force Systemd to Reread Configs 56 | ansible.builtin.systemd: 57 | daemon_reload: true 58 | 59 | - name: RedHat | Start and Enable Service {{ node_exporter_systemd_service }} 60 | ansible.builtin.service: 61 | name: "{{ node_exporter_systemd_service }}" 62 | state: started 63 | enabled: true 64 | -------------------------------------------------------------------------------- /roles/hl.node-exporter/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.node-exporter/templates/node_exporter.service.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | [Unit] 5 | Description=Prometheus 6 | Documentation=https://github.com/prometheus/node_exporter 7 | Wants=network-online.target 8 | After=network-online.target 9 | 10 | [Service] 11 | Type=simple 12 | User={{ prometheus_user }} 13 | Group={{ prometheus_user }} 14 | ExecReload=/bin/kill -HUP $MAINPID 15 | ExecStart=/usr/local/bin/{{ node_exporter_binary }} \ 16 | --collector.cpu \ 17 | --collector.diskstats \ 18 | --collector.filesystem \ 19 | --collector.loadavg \ 20 | --collector.meminfo \ 21 | --collector.filefd \ 22 | --collector.netdev \ 23 | --collector.stat \ 24 | --collector.netstat \ 25 | --collector.systemd \ 26 | --collector.uname \ 27 | --collector.vmstat \ 28 | --collector.time \ 29 | --collector.mdadm \ 30 | --collector.tcpstat \ 31 | --collector.hwmon \ 32 | 
--collector.arp \ 33 | --web.max-requests=40 \ 34 | --web.listen-address=0.0.0.0:{{ node_exporter_port }} \ 35 | --web.telemetry-path=/metrics 36 | 37 | SyslogIdentifier=prometheus 38 | Restart=always 39 | 40 | [Install] 41 | WantedBy=multi-user.target 42 | -------------------------------------------------------------------------------- /roles/hl.openvas/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | packages_to_install: 3 | - epel-release 4 | - firewalld 5 | - sudo 6 | - gvm 7 | 8 | atomic_release: "1.0-23" 9 | 10 | openvas_port: "443" 11 | openvas_protocol: "tcp" 12 | -------------------------------------------------------------------------------- /roles/hl.openvas/files/Rocky-PowerTools.repo: -------------------------------------------------------------------------------- 1 | [powertools] 2 | name=Rocky Linux $releasever - PowerTools 3 | mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=PowerTools-$releasever 4 | #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/PowerTools/$basearch/os/ 5 | gpgcheck=1 6 | enabled=1 7 | countme=1 8 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial 9 | -------------------------------------------------------------------------------- /roles/hl.openvas/files/crb-el9.repo: -------------------------------------------------------------------------------- 1 | [crb] 2 | name=Rocky Linux $releasever - CRB 3 | mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=CRB-$releasever$rltype 4 | #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/CRB/$basearch/os/ 5 | gpgcheck=1 6 | enabled=1 7 | countme=1 8 | metadata_expire=6h 9 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 10 | -------------------------------------------------------------------------------- /roles/hl.openvas/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Reboot system 3 
| ansible.builtin.reboot: 4 | reboot_timeout: 600 5 | -------------------------------------------------------------------------------- /roles/hl.openvas/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | OpenVAS requires SELinux to be disabled 3 | ansible.builtin.lineinfile: 4 | path: /etc/selinux/config 5 | regexp: "^SELINUX=" 6 | line: SELINUX=disabled 7 | become: true 8 | notify: 9 | - Reboot system # Reboot so the SELinux change takes effect; note this leaves SELinux disabled host-wide 10 | 11 | - name: RedHat | Configure Sysctl Values 12 | ansible.posix.sysctl: 13 | name: vm.overcommit_memory 14 | value: "1" 15 | state: present 16 | become: true 17 | 18 | # PowerTools was a carry-over from CentOS and is the equivalent of the CRB repository in RHEL. 19 | # CRB is the repository name going forward in Rocky Linux and other derivatives. 20 | - name: RedHat | Setup CRB Repository on RHEL9 21 | ansible.builtin.template: 22 | src: "files/crb-el9.repo" 23 | dest: "/etc/yum.repos.d/crb-el9.repo" 24 | owner: 0 25 | group: 0 26 | mode: "0644" 27 | become: true 28 | when: ansible_distribution_major_version == "9" 29 | 30 | - name: RedHat | Setup PowerTools Repository on RHEL8 31 | ansible.builtin.template: 32 | src: "files/Rocky-PowerTools.repo" 33 | dest: "/etc/yum.repos.d/Rocky-PowerTools.repo" 34 | owner: 0 35 | group: 0 36 | mode: "0644" 37 | become: true 38 | when: ansible_distribution_major_version == "8" 39 | 40 | - name: RedHat | Import Atomic GPG Keys 41 | ansible.builtin.rpm_key: 42 | state: present 43 | key: "{{ item }}" 44 | become: true 45 | loop: 46 | - "https://www.atomicorp.com/RPM-GPG-KEY.art.txt" 47 | - "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt" 48 | 49 | - name: RedHat | Install Atomic rpm From a Remote Repo on Rocky 9 50 | ansible.builtin.yum: 51 | name: "https://updates.atomicorp.com/channels/atomic/rocky/{{ ansible_distribution_major_version }}/x86_64/RPMS/atomic-release-{{ atomic_release }}.el{{ 
ansible_distribution_major_version }}.art.noarch.rpm" 52 | state: present 53 | become: true 54 | when: ansible_distribution_major_version == "9" 55 | 56 | - name: RedHat | Install Atomic rpm From a Remote Repo on Rocky 8 57 | ansible.builtin.yum: 58 | name: "https://updates.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS/atomic-release-{{ atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm" 59 | state: present 60 | become: true 61 | when: ansible_distribution_major_version == "8" 62 | 63 | - name: RedHat | Install Packages 64 | ansible.builtin.package: 65 | name: "{{ item }}" 66 | state: present 67 | become: true 68 | loop: "{{ packages_to_install }}" 69 | 70 | - name: RedHat | Enable and start Firewalld 71 | ansible.builtin.service: 72 | name: firewalld 73 | state: started 74 | enabled: true 75 | become: true 76 | 77 | - name: RedHat | Enable Port in Firewalld {{ openvas_port }} 78 | ansible.posix.firewalld: 79 | immediate: true 80 | port: "{{ openvas_port }}/{{ openvas_protocol }}" 81 | permanent: true 82 | state: enabled 83 | become: true 84 | 85 | - name: RedHat | Print command to setup OpenVAS (this would take two hours, do not run using ansible!) 
86 | ansible.builtin.debug: 87 | msg: gvm-setup 88 | 89 | - name: RedHat | Print command to reset gvm admin password 90 | ansible.builtin.debug: 91 | msg: runuser -u gvm -g gvm -- gvmd --user=admin --new-password=changeme 92 | -------------------------------------------------------------------------------- /roles/hl.openvas/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.openvpn-server/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - openvpn 8 | - pkcs11-helper 9 | - easy-rsa 10 | 11 | # Server and client config must match 12 | openvpn_port: "11194" 13 | openvpn_protocol: "udp" 14 | openvpn_subnet: "10.8.0.0/24" 15 | openvpn_cipher: "AES-256-GCM" 16 | openvpn_max_clients: "5" 17 | 18 | openvpn_config_dir: "/etc/openvpn" 19 | openvpn_pki_dir: "/etc/openvpn/pki" 20 | 21 | openvpn_logrotate_template: "templates/openvpn.logrotate.j2" 22 | openvpn_logrotate_file: "/etc/logrotate.d/openvpn" 23 | -------------------------------------------------------------------------------- /roles/hl.openvpn-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.openvpn-server/templates/client.conf.j2: 
-------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | client 5 | remote PLACEHOLDER 6 | iproto {{ openvpn_protocol }} 7 | port {{ openvpn_port }} 8 | dev tun 9 | nobind 10 | reneg-sec 0 11 | remote-cert-tls server 12 | key-direction 1 13 | auth SHA512 14 | cipher {{ openvpn_cipher }} 15 | verb 3 16 | 17 | # redirect-gateway changes the client routing table so that all traffic is routed via the server 18 | redirect-gateway def1 19 | 20 | -------------------------------------------------------------------------------- /roles/hl.openvpn-server/templates/logrotate.openvpn.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | /var/log/openvpn.log { 5 | weekly 6 | rotate 12 7 | copytruncate 8 | compress 9 | delaycompress 10 | dateext 11 | missingok 12 | notifempty 13 | create 0600 root root 14 | } 15 | -------------------------------------------------------------------------------- /roles/hl.openvpn-server/templates/server.conf.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | proto {{ openvpn_protocol }} 5 | port {{ openvpn_port }} 6 | dev tun 7 | server {{ openvpn_subnet | ansible.utils.ipaddr('network') }} {{ openvpn_subnet | ansible.utils.ipaddr('netmask') }} 8 | topology subnet 9 | persist-key 10 | persist-tun 11 | keepalive 10 120 12 | max-clients {{ openvpn_max_clients }} 13 | cipher {{ openvpn_cipher }} 14 | 15 | ca {{ openvpn_pki_dir }}/ca.crt 16 | cert {{ openvpn_pki_dir }}/issued/server.crt 17 | key {{ openvpn_pki_dir }}/private/server.key 18 | dh {{ openvpn_pki_dir }}/dh.pem 19 | 20 | tls-crypt {{ openvpn_pki_dir }}/tc.key 21 | 22 | auth SHA512 23 | push "redirect-gateway def1 
bypass-dhcp" 24 | push "explicit-exit-notify 3" 25 | 26 | user nobody 27 | group nobody 28 | verb 3 29 | 30 | explicit-exit-notify 1 31 | status /var/log/openvpn-status.log 32 | log-append /var/log/openvpn.log 33 | duplicate-cn 34 | -------------------------------------------------------------------------------- /roles/hl.php/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | remi_repository_url: "https://rpms.remirepo.net/enterprise" 7 | remi_package_name: "remi-release-{{ ansible_distribution_major_version }}.rpm" 8 | php_version: "8.2" 9 | 10 | packages: 11 | - php 12 | - phg-gd 13 | - php-imagick 14 | - php-intl 15 | - php-mysqlnd 16 | - php-zip 17 | 18 | # If this is set to false, none of the following options will have any effect. 19 | # Any and all changes to /etc/php.ini will be your responsibility. 
20 | php_use_managed_ini: true 21 | 22 | # Language options 23 | php_disable_functions: "exec,system,shell_exec,passthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority," 24 | php_disable_classes: "" 25 | 26 | # Miscellaneous 27 | php_expose_php: "Off" 28 | 29 | # Resource limits 30 | php_max_execution_time: "30" 31 | php_max_input_time: "60" 32 | php_max_input_vars: "1000" 33 | php_memory_limit: "128M" 34 | 35 | # Error handling and logging 36 | php_display_errors: "Off" 37 | php_display_startup_errors: "Off" 38 | php_log_errors: "On" 39 | php_report_memleaks: "Off" 40 | php_html_errors: "On" 41 | php_error_log: "/var/log/php_errors.log" 42 | 43 | # Data handling 44 | php_post_max_size: "8M" 45 | 46 | # File uploads 47 | php_file_uploads: "On" 48 | php_upload_tmp_dir: "/var/www/html/php_temp_dir" 49 | php_upload_max_filesize: "8M" 50 | php_max_file_uploads: "2" 51 | 52 | # Fopen wrappers 53 | php_allow_url_fopen: "On" 54 | 55 | # Module settings 56 | php_date_timezone: "Europe/London" 57 | -------------------------------------------------------------------------------- /roles/hl.php/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart name 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.php/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Remi RPM from a Remote Repo {{ remi_repository_url }} 3 | ansible.builtin.dnf: 4 | name: "{{ remi_repository_url }}/{{ remi_package_name }}" 5 | state: present 6 | 7 | - 
name: RedHat | Install a Modularity Appstream with Defined Stream php:remi-{{ php_version }} 8 | ansible.builtin.dnf: 9 | name: "@php:remi-{{ php_version }}" 10 | state: present 11 | 12 | - name: RedHat | Install PHP Packages 13 | ansible.builtin.package: 14 | name: "{{ item }}" 15 | state: present 16 | loop: "{{ packages }}" 17 | 18 | - name: RedHat | Ensure PHP Directories Exist 19 | ansible.builtin.file: 20 | path: "{{ php_upload_tmp_dir }}" 21 | state: directory 22 | mode: "0755" 23 | 24 | - name: RedHat | Copy php.ini Template File 25 | ansible.builtin.template: 26 | src: "php.ini.j2" 27 | dest: "/etc/php.ini" 28 | owner: root 29 | group: root 30 | mode: "0644" 31 | when: php_use_managed_ini 32 | -------------------------------------------------------------------------------- /roles/hl.php/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.pihole-exporter/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | package_list: 7 | - tar 8 | 9 | prometheus_user: "prometheus" 10 | 11 | pihole_exporter_port: "9617" 12 | pihole_exporter_url: "https://github.com/eko/pihole-exporter/releases/download/v0.3.0/pihole_exporter-linux-arm" 13 | pihole_exporter_binary: "pihole_exporter" 14 | pihole_exporter_systemd_service: "pihole_exporter.service" 15 | -------------------------------------------------------------------------------- /roles/hl.pihole-exporter/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Debian | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | # 9 | # Configure Pi-hole Exporter systemd service 10 | # 11 | - name: Debian | Create System Group {{ prometheus_user }} 12 | ansible.builtin.group: 13 | state: present 14 | system: true 15 | name: "{{ prometheus_user }}" 16 | 17 | - name: Debian | Create System User {{ prometheus_user }} 18 | ansible.builtin.user: 19 | state: present 20 | system: true 21 | name: "{{ prometheus_user }}" 22 | groups: "{{ prometheus_user }}" 23 | shell: "/sbin/nologin" 24 | 25 | - name: Debian | Unarchive a file that needs to be downloaded 26 | ansible.builtin.unarchive: 27 | src: "{{ pihole_exporter_url }}" 28 | dest: "/usr/local/bin" 29 | remote_src: true 30 | owner: root 31 | group: root 32 | creates: "/usr/local/bin/{{ pihole_exporter_binary }}" 33 | extra_opts: 34 | - "--strip-components" 35 | - "1" 36 | 37 | - name: Debian | Copy Systemd File {{ pihole_exporter_systemd_service }} 38 | ansible.builtin.template: 39 | src: "{{ pihole_exporter_systemd_service }}.j2" 40 | dest: "/etc/systemd/system/{{ pihole_exporter_systemd_service }}" 41 | owner: root 42 | group: root 43 | mode: "0644" 44 | 45 | - name: Debian | Force Systemd to Reread Configs 46 | ansible.builtin.systemd: 47 | daemon_reload: true 48 | 49 | - name: Debian | Start and Enable Service {{ pihole_exporter_systemd_service }} 50 | 
ansible.builtin.service: 51 | name: "{{ pihole_exporter_systemd_service }}" 52 | state: started 53 | enabled: true 54 | -------------------------------------------------------------------------------- /roles/hl.pihole-exporter/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: Debian.yml 4 | when: ansible_os_family == 'Debian' 5 | -------------------------------------------------------------------------------- /roles/hl.pihole-exporter/templates/pihole_exporter.service.j2: -------------------------------------------------------------------------------- 1 | # MANAGED BY ANSIBLE 2 | # 3 | [Unit] 4 | Description=Prometheus Pi-Hole Exporter 5 | Documentation=https://github.com/eko/pihole-exporter 6 | Wants=network-online.target 7 | After=network-online.target 8 | 9 | [Service] 10 | Type=simple 11 | User={{ prometheus_user }} 12 | Group={{ prometheus_user }} 13 | ExecReload=/bin/kill -HUP $MAINPID 14 | ExecStart=/usr/local/bin/{{ pihole_exporter_binary }} \ 15 | --port {{ pihole_exporter_port }} 16 | 17 | SyslogIdentifier=prometheus 18 | Restart=always 19 | 20 | [Install] 21 | WantedBy=multi-user.target 22 | -------------------------------------------------------------------------------- /roles/hl.postfix/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - postfix 8 | - cyrus-sasl-plain 9 | 10 | systemd_service: "postfix" 11 | firewall_port: "smtp" 12 | 13 | postfix_config_file: "main.cf" 14 | sasl_auth_file: "sasl_passwd" 15 | 16 | smtp_host: "defined in defaults/secure.yml as smtp_host" 17 | smtp_port: "defined in defaults/secure.yml as smtp_port" 18 | smtp_username: "defined in defaults/secure.yml as smtp_username" 19 | smtp_password: "defined in defaults/secure.yml as smtp_password" 20 | -------------------------------------------------------------------------------- /roles/hl.postfix/defaults/secure.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 37393839306634363438336133653430636436333766633761323765366464646633333932636530 3 | 3734373833313037356337366637636134383736383030620a616261313766663230653862376137 4 | 37373137616566386233303038376239316332366335613532613930343032353463633864373561 5 | 3331656665393230330a363736623665393664376163363733623435383264373466316233326265 6 | 64383865636237636662323239373265333834633462396230393731663839323661326262323765 7 | 33306230316162313338656438333636353637623964323630363933366636623434333037613762 8 | 35626631373566396361313862633932333232396632386237306665353836656564316236653335 9 | 62633733316337393365383362633539633665313437663534633965306539343064626130393630 10 | 31376236316164313061386234643961623134643434396263376161393234666431386434653539 11 | 62386337323161623739633065333631333734343361336339396633373264333833616534356433 12 | 393632656432643265363732613633663866 13 | -------------------------------------------------------------------------------- /roles/hl.postfix/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart postfix 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | 
-------------------------------------------------------------------------------- /roles/hl.postfix/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Include Secure Vars 3 | ansible.builtin.include_vars: 4 | file: ../defaults/secure.yml 5 | 6 | - name: RedHat | Install Packages 7 | ansible.builtin.package: 8 | name: "{{ item }}" 9 | state: present 10 | loop: "{{ packages }}" 11 | 12 | - name: RedHat | Enable Service in Firewalld {{ firewall_port }} 13 | ansible.posix.firewalld: 14 | immediate: true 15 | service: "{{ firewall_port }}" 16 | permanent: true 17 | state: enabled 18 | 19 | - name: RedHat | Copy Configuration File {{ postfix_config_file }} 20 | ansible.builtin.template: 21 | src: "{{ postfix_config_file }}.j2" 22 | dest: "/etc/postfix/{{ postfix_config_file }}" 23 | owner: root 24 | group: root 25 | mode: "0644" 26 | force: true 27 | notify: 28 | - Restart postfix 29 | 30 | - name: RedHat | Configure Postfix SASL Authentication 31 | ansible.builtin.template: 32 | src: "{{ sasl_auth_file }}.j2" 33 | dest: "/etc/postfix/{{ sasl_auth_file }}" 34 | owner: root 35 | group: root 36 | mode: "0600" 37 | force: true 38 | notify: 39 | - Restart postfix 40 | 41 | - name: RedHat | Run postmap /etc/postfix/{{ sasl_auth_file }} 42 | ansible.builtin.command: postmap /etc/postfix/{{ sasl_auth_file }} 43 | register: postmap_output # Registers the command output. 44 | changed_when: postmap_output.rc != 0 # Treats a non-zero return code as "changed"; note the command module already fails the task on a non-zero rc by default, so this effectively never reports a change. 
45 | 46 | - name: RedHat | Start and Enable Service {{ systemd_service }} 47 | ansible.builtin.service: 48 | name: "{{ systemd_service }}" 49 | state: started 50 | enabled: true 51 | -------------------------------------------------------------------------------- /roles/hl.postfix/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.postfix/templates/sasl_passwd.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | [{{ smtp_host }}]:{{ smtp_port }} {{ smtp_username }}:{{ smtp_password }} 5 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/README.md: -------------------------------------------------------------------------------- 1 | # PXE Boot Server 2 | 3 | Note that the user password in the PXE boot Kickstart files is set to `packer`. 4 | 5 | ![Homelab PXE Boot Menu](../../images/homelab-pxe-boot-menu.png) 6 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - tftp-server 8 | - syslinux 9 | - vsftpd 10 | - nfs-utils 11 | - nginx 12 | 13 | systemd_services: 14 | - tftp 15 | - vsftpd 16 | - nfs-server 17 | - nginx 18 | 19 | firewall_ports: 20 | - tftp 21 | - ftp 22 | - nfs 23 | - mountd 24 | - rpc-bind 25 | - http 26 | 27 | nfs_selinux_booleans: 28 | - use_nfs_home_dirs 29 | - nfsd_anon_write 30 | 31 | pasv_ftp_min_port: "60000" 32 | pasv_ftp_max_port: "60029" 33 | 34 | vsftpd_config_file: "vsftpd.conf" 35 | nginx_config_file: "nginx.conf" 36 | 37 | tftp_directory: "/var/lib/tftpboot" 38 | ftp_directory: "/var/ftp/pub" 39 | nfs_directory: "/var/nfs" 40 | nginx_directory: "/var/www/html" 41 | 42 | kickstart_file_rocky9_host: "rocky9-host-ks.cfg" 43 | kickstart_file_rocky9_packer: "rocky9-packer-ks.cfg" 44 | kickstart_file_rocky8_host: "rocky8-host-ks.cfg" 45 | kickstart_file_rocky8_packer: "rocky8-packer-ks.cfg" 46 | kickstart_file_ubuntu2004server: "ubuntu2004-server.seed" 47 | kickstart_file_ubuntu2004desktop: "ubuntu2004-desktop.seed" 48 | 49 | networkboot_directory_rocky9: "Rocky9" 50 | networkboot_directory_rocky8: "Rocky8" 51 | networkboot_directory_ubuntu2004server: "Ubuntu2004Server" 52 | networkboot_directory_ubuntu2004desktop: "Ubuntu2004Desktop" 53 | 54 | # Booleans to control whether media should be downloaded 55 | download_pxe_boot_media: true 56 | download_packer_media: true 57 | 58 | # The kernel and initrd files from the Focal (20.04) netboot.tar.gz archive. Note these are fetched over plain HTTP and, unlike the ISOs below, no checksum is pinned for them. 59 | ubuntu_2004_netboot_linux: "http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/installer-amd64/current/legacy-images/netboot/ubuntu-installer/amd64/linux" 60 | ubuntu_2004_netboot_initrd: "http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/installer-amd64/current/legacy-images/netboot/ubuntu-installer/amd64/initrd.gz" 61 | 62 | # These are used for PXE boot 63 | pxe_boot_media: 64 | - name: "ubuntu2004server" 65 | iso_url: "https://releases.ubuntu.com/20.04/ubuntu-20.04.5-live-server-amd64.iso" 66 | iso_sha256: 
"5035be37a7e9abbdc09f0d257f3e33416c1a0fb322ba860d42d74aa75c3468d4" 67 | source_directory: "{{ nfs_directory }}/{{ networkboot_directory_ubuntu2004server }}/" 68 | netboot_directory: "{{ tftp_directory }}/networkboot/{{ networkboot_directory_ubuntu2004server }}/" 69 | setype: "nfs_t" 70 | mounted_src: "/mnt/casper" 71 | pxeboot_files: 72 | - initrd 73 | - vmlinuz 74 | - name: "ubuntu2004desktop" 75 | iso_url: "https://releases.ubuntu.com/20.04/ubuntu-20.04.5-desktop-amd64.iso" 76 | iso_sha256: "2980570ea889f3467a04df15c8421ef1dc80ecef7bb37243da97f5714cf3f8ef" 77 | source_directory: "{{ nfs_directory }}/{{ networkboot_directory_ubuntu2004desktop }}/" 78 | netboot_directory: "{{ tftp_directory }}/networkboot/{{ networkboot_directory_ubuntu2004desktop }}/" 79 | setype: "nfs_t" 80 | mounted_src: "/mnt/casper" 81 | pxeboot_files: 82 | - initrd 83 | - vmlinuz 84 | - name: "rocky8" 85 | iso_url: "https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.10-x86_64-dvd1.iso" 86 | iso_sha256: "642ada8a49dbeca8cca6543b31196019ee3d649a0163b5db0e646c7409364eeb" 87 | source_directory: "{{ ftp_directory }}/pxe/{{ networkboot_directory_rocky8 }}/" 88 | netboot_directory: "{{ tftp_directory }}/networkboot/{{ networkboot_directory_rocky8 }}/" 89 | setype: "public_content_t" 90 | mounted_src: "/mnt/images/pxeboot" 91 | pxeboot_files: 92 | - initrd.img 93 | - vmlinuz 94 | - name: "rocky9" 95 | iso_url: "https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.4-x86_64-dvd.iso" 96 | iso_sha256: "e20445907daefbfcdb05ba034e9fc4cf91e0e8dc164ebd7266ffb8fdd8ea99e7" 97 | source_directory: "{{ ftp_directory }}/pxe/{{ networkboot_directory_rocky9 }}/" 98 | netboot_directory: "{{ tftp_directory }}/networkboot/{{ networkboot_directory_rocky9 }}/" 99 | setype: "public_content_t" 100 | mounted_src: "/mnt/images/pxeboot" 101 | pxeboot_files: 102 | - initrd.img 103 | - vmlinuz 104 | 105 | # These are used for Packer 106 | packer_media: 107 | - iso_url: 
"https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.4-x86_64-boot.iso" 108 | iso_sha256: "c7e95e3dba88a1f68fff8b7d4e66adf6f76ac4fba2e246a83c46ab79574c78a8" 109 | - iso_url: "https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.10-x86_64-boot.iso" 110 | iso_sha256: "203744a255ea6579e49ca7f7f0f17e2fda94e50945d8183a254490e454c7c5b4" 111 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart vsftpd 3 | ansible.builtin.service: 4 | name: vsftpd 5 | state: restarted 6 | 7 | - name: Restart nfs-server 8 | ansible.builtin.service: 9 | name: nfs-server 10 | state: restarted 11 | 12 | - name: Restart nginx 13 | ansible.builtin.service: 14 | name: nginx 15 | state: restarted 16 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/tasks/download_media.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: download_media | Download ISO with check (sha256) - this will take time {{ outer_item.name }} 3 | ansible.builtin.get_url: 4 | url: "{{ outer_item.iso_url }}" 5 | dest: "/root/{{ outer_item.name }}.iso" 6 | mode: "0644" 7 | checksum: "sha256:{{ outer_item.iso_sha256 }}" 8 | 9 | - name: download_media | Mount ISO read-only {{ outer_item.name }} 10 | ansible.posix.mount: 11 | path: "/mnt" 12 | src: "/root/{{ outer_item.name }}.iso" 13 | fstype: iso9660 14 | opts: ro,noauto 15 | state: mounted 16 | 17 | - name: download_media | Copy Files to FTP/NFS Directory {{ outer_item.source_directory }} 18 | ansible.builtin.copy: 19 | src: "/mnt/" 20 | dest: "{{ outer_item.source_directory }}" 21 | setype: "{{ outer_item.setype }}" 22 | force: true 23 | remote_src: true 24 | mode: "0444" 25 | directory_mode: "0555" 26 | 27 | - name: download_media | Set Folder Mode on {{ 
outer_item.source_directory }} 28 | ansible.builtin.file: 29 | path: "{{ outer_item.source_directory }}" 30 | mode: "0755" 31 | 32 | - name: download_media | Run restorecon on {{ outer_item.source_directory }} 33 | ansible.builtin.command: restorecon -Rv "{{ outer_item.source_directory }}" 34 | register: restorecon_output # Registers the command output. 35 | changed_when: restorecon_output.rc != 0 # Uses the return code to define when the task has changed. 36 | 37 | - name: download_media | Copy pxeboot Files to TFTP networkboot Directory {{ outer_item.netboot_directory }} 38 | ansible.builtin.copy: 39 | src: "{{ outer_item.mounted_src }}/{{ item }}" 40 | dest: "{{ outer_item.netboot_directory }}" 41 | force: true 42 | remote_src: true 43 | mode: "0644" 44 | directory_mode: "0755" 45 | loop: "{{ outer_item.pxeboot_files }}" 46 | ignore_errors: true 47 | register: ignore_errors_register 48 | 49 | - name: download_media | Unmount ISO {{ outer_item.name }} 50 | ansible.posix.mount: 51 | path: "/mnt" 52 | state: unmounted 53 | 54 | # Use the kernel and initrd files from the Bionic netboot.tar.gz archive, 55 | # as I'm not sure the casper files are compatible with preseed/kickstart. 
56 | - name: download_media | Download Ubuntu 20.04 netboot.tar.gz Archive Files 57 | ansible.builtin.get_url: 58 | url: "{{ item }}" 59 | dest: "{{ outer_item.netboot_directory }}" 60 | mode: "0644" 61 | loop: 62 | - "{{ ubuntu_2004_netboot_linux }}" 63 | - "{{ ubuntu_2004_netboot_initrd }}" 64 | when: (outer_item.name == 'ubuntu2004server') or (outer_item.name == 'ubuntu2004desktop') 65 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/default.j2: -------------------------------------------------------------------------------- 1 | default menu.c32 2 | prompt 0 3 | timeout 50 4 | menu title Homelab PXE Menu 5 | label Install Rocky 9 Server (Packer kickstart, no swap) 6 | kernel /networkboot/{{ networkboot_directory_rocky9 }}/vmlinuz 7 | append initrd=/networkboot/{{ networkboot_directory_rocky9 }}/initrd.img inst.repo=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky9 }} inst.ks=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ kickstart_file_rocky9_packer }} 8 | label Install Rocky 8 Server (Packer kickstart, no swap) 9 | kernel /networkboot/{{ networkboot_directory_rocky8 }}/vmlinuz 10 | append initrd=/networkboot/{{ networkboot_directory_rocky8 }}/initrd.img inst.repo=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky8 }} inst.ks=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ kickstart_file_rocky8_packer }} 11 | label Install Rocky 9 Server (host kickstart 240GB sda, swap) 12 | kernel /networkboot/{{ networkboot_directory_rocky9 }}/vmlinuz 13 | append initrd=/networkboot/{{ networkboot_directory_rocky9 
}}/initrd.img inst.repo=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky9 }} inst.ks=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ kickstart_file_rocky9_host }} 14 | label Install Rocky 8 Server (host kickstart 240GB sda, swap) 15 | kernel /networkboot/{{ networkboot_directory_rocky8 }}/vmlinuz 16 | append initrd=/networkboot/{{ networkboot_directory_rocky8 }}/initrd.img inst.repo=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky8 }} inst.ks=ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ kickstart_file_rocky8_host }} 17 | label Install Ubuntu 20.04 LTS Server 18 | kernel /networkboot/{{ networkboot_directory_ubuntu2004server }}/linux 19 | append initrd=/networkboot/{{ networkboot_directory_ubuntu2004server }}/initrd.gz ks=nfs:{{ ansible_default_ipv4.address }}:/var/nfs/{{ networkboot_directory_ubuntu2004server }}/preseed/{{ kickstart_file_ubuntu2004server }} --- 20 | label Install Ubuntu 20.04 LTS Desktop 21 | kernel /networkboot/{{ networkboot_directory_ubuntu2004desktop }}/linux 22 | append initrd=/networkboot/{{ networkboot_directory_ubuntu2004desktop }}/initrd.gz ks=nfs:{{ ansible_default_ipv4.address }}:/var/nfs/{{ networkboot_directory_ubuntu2004desktop }}/preseed/{{ kickstart_file_ubuntu2004desktop }} --- 23 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/exports.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | {{ nfs_directory }} {{ homelab_address }}/{{ homelab_cidr_prefix }}(sec=sys,ro) 5 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/nginx.conf.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ 
ansible_role_name }} 3 | 4 | user nginx; 5 | worker_processes auto; 6 | error_log /var/log/nginx/error.log; 7 | pid /run/nginx.pid; 8 | 9 | events { 10 | worker_connections 1024; 11 | } 12 | 13 | http { 14 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 15 | '$status $body_bytes_sent "$http_referer" ' 16 | '"$http_user_agent" "$http_x_forwarded_for"'; 17 | 18 | access_log /var/log/nginx/access.log main; 19 | 20 | sendfile on; 21 | tcp_nopush on; 22 | tcp_nodelay on; 23 | keepalive_timeout 65; 24 | types_hash_max_size 4096; 25 | server_tokens off; 26 | 27 | include /etc/nginx/mime.types; 28 | default_type application/octet-stream; 29 | 30 | server { 31 | listen 80; 32 | server_name nginx; 33 | root /var/www/html; 34 | autoindex on; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/rocky8-host-ks.cfg.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # version=RHEL8 5 | # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user 6 | 7 | # Use network installation 8 | url --url="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky8 }}/BaseOS" 9 | repo --name="AppStream" --baseurl="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky8 }}/AppStream" 10 | # Disable Initial Setup on first boot 11 | firstboot --disable 12 | 13 | # Use text mode install 14 | graphical 15 | # Keyboard layouts 16 | keyboard --vckeymap=gb --xlayouts='gb' 17 | # System language 18 | lang en_GB.UTF-8 19 | # SELinux configuration 20 | selinux --enforcing 21 | # Firewall configuration 22 | firewall --enabled --ssh 23 | # Do not configure the X Window System 24 | 
skipx 25 | 26 | # Network information 27 | network --bootproto=dhcp --device=eth0 --nameserver={{ homelab_dns1_server }},{{ homelab_dns2_server }} --noipv6 --activate 28 | network --hostname=rocky8.localdomain 29 | 30 | # System authorisation information 31 | auth --useshadow --passalgo=sha512 32 | # Root password 33 | rootpw packer 34 | # Root SSH public key 35 | sshkey --username=root "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzcZWKJVeDTioSe5x1M7WdNGgX4HQsZQeP92zK2LlP7vymnzts/IZz4I5r6Z0WwSMh9VxN9IABxsotdohiC9kroEdqUG9/OmljQhHNXnMOlAhnofJAnnEb7Tr1v1xGJllpQ135PNL+ECTIslQMBD68a2WZGLvJBPg/WSEsaD6oWwVnrldXIolvDaAKx3TnipwoEp/jcZ1KXTA6LuqdpG1XDI35pT8QF9bO79nv05nf9ypynJxMZZ66HcwiKnoNbyY/Xa2b1Yyv5WA+2kY821bKMaYiKRuwABZI/1M5kLLki6RZ9rvUG8FfiJVhhAJXOIguT1reBdQsBfxqLirotf2t8kOzGbKwwXIPqePtTlCFe0GKT5H6qe1x1kXBPF4+m2r2JPllhwcnNtPl5MVn9X/HQSDRgYtTPlXREuyLLWD1n4vpcka6YMrCulE9KJmnN1J++rRGLgeU47/lgFwKOfF0yugMyfTTrbYUffzBDBsV8mSelra/sm4ZwrkjOzNiSStUAHZ6WL4t2vNs94B61eVKHMFKFSbFKeQ79qEisJkQp4pOUJDmNohMZKquNThrwX5qhVsNFJ28mZfYvJrxn+ha2M3by9+WealubGy14FFGz5Ir7UWmL8IsB5Bq+USwiVxOy+TBecMUNyuy5H0ttX7gbkvo3mRF9h4apfcFlxtZlQ== tom@hl.test" 36 | # System timezone 37 | timezone Europe/London --isUtc 38 | 39 | ignoredisk --only-use=sda 40 | # System bootloader configuration 41 | bootloader --location=mbr --timeout=1 --boot-drive=sda 42 | # Clear the Master Boot Record 43 | zerombr 44 | # Partition clearing information 45 | clearpart --all --initlabel 46 | # Reboot after installation 47 | reboot 48 | 49 | # Disk partitioning information 50 | #autopart --type=lvm 51 | part /boot --fstype="xfs" --ondisk=sda --size=1024 --label=boot --asprimary --fsoptions="rw,nodev,noexec,nosuid" 52 | part pv.01 --fstype="lvmpv" --ondisk=sda --size=227911 53 | volgroup vg_os pv.01 54 | logvol /tmp --fstype=xfs --size=1024 --label=lv_tmp --name=lv_tmp --vgname=vg_os --fsoptions="rw,nodev,noexec,nosuid" 55 | logvol swap --fstype=swap --size=4096 --label=lv_swap --name=lv_swap --vgname=vg_os 56 | logvol / --fstype=xfs 
--size=222788 --label=lv_root --name=lv_root --vgname=vg_os 57 | 58 | %packages 59 | # dnf group info minimal-environment 60 | @^minimal-environment 61 | sudo 62 | # Exclude unnecessary firmwares 63 | -iwl*firmware 64 | %end 65 | 66 | %addon com_redhat_kdump --disable --reserve-mb='auto' 67 | %end 68 | 69 | %post 70 | sed -i 's/^.*requiretty/#Defaults requiretty/' /etc/sudoers 71 | sed -i 's/rhgb //' /etc/default/grub 72 | # SSHD PermitRootLogin and enable the service 73 | sed -i "s/#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config 74 | /usr/bin/systemctl enable sshd 75 | # Update all packages 76 | /usr/bin/yum -y update 77 | %end 78 | 79 | %anaconda 80 | pwpolicy root --minlen=10 --minquality=1 --notstrict --nochanges --notempty 81 | pwpolicy user --minlen=10 --minquality=1 --notstrict --nochanges --emptyok 82 | pwpolicy luks --minlen=10 --minquality=1 --notstrict --nochanges --notempty 83 | %end 84 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/rocky8-packer-ks.cfg.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # version=RHEL8 5 | # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user 6 | 7 | # Use network installation 8 | url --url="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky8 }}/BaseOS" 9 | repo --name="AppStream" --baseurl="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky8 }}/AppStream" 10 | # Disable Initial Setup on first boot 11 | firstboot --disable 12 | 13 | # Use text mode install 14 | text 15 | # Keyboard layouts 16 | keyboard --vckeymap=gb --xlayouts='gb' 17 | # System language 18 | lang en_GB.UTF-8 19 | # SELinux 
configuration 20 | selinux --enforcing 21 | # Firewall configuration 22 | firewall --enabled --ssh 23 | # Do not configure the X Window System 24 | skipx 25 | 26 | # Network information 27 | network --bootproto=dhcp --device=eth0 --nameserver={{ homelab_dns1_server }},{{ homelab_dns2_server }} --noipv6 --activate 28 | network --hostname=rocky8.localdomain 29 | 30 | # System authorisation information 31 | auth --useshadow --passalgo=sha512 32 | # Root password 33 | rootpw packer 34 | # Root SSH public key 35 | sshkey --username=root "ssh-rsa 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 tom@hl.test" 36 | # System timezone 37 | timezone Europe/London --isUtc 38 | 39 | ignoredisk --only-use=vda 40 | # System bootloader configuration 41 | bootloader --location=mbr --timeout=1 --boot-drive=vda 42 | # Clear the Master Boot Record 43 | zerombr 44 | # Partition clearing information 45 | clearpart --all --initlabel 46 | # Reboot after installation 47 | reboot 48 | 49 | # Disk partitioning information 50 | #autopart --type=lvm 51 | part /boot --fstype="xfs" --ondisk=vda --size=1024 --label=boot --asprimary --fsoptions="rw,nodev,noexec,nosuid" 52 | part pv.01 --fstype="lvmpv" --ondisk=vda --size=31743 53 | volgroup vg_os pv.01 54 | logvol /tmp --fstype="xfs" --size=1024 --label="lv_tmp" --name=lv_tmp --vgname=vg_os --fsoptions="rw,nodev,noexec,nosuid" 55 | logvol / --fstype="xfs" --size=30716 --label="lv_root" --name=lv_root --vgname=vg_os 56 | 57 | %packages 58 | # dnf group info minimal-environment 59 | @^minimal-environment 60 | sudo 61 | # Exclude unnecessary firmwares 62 | -iwl*firmware 63 | %end 64 | 65 | %addon com_redhat_kdump --disable --reserve-mb='auto' 66 | %end 67 | 68 | %post 69 | sed -i 's/^.*requiretty/#Defaults requiretty/' /etc/sudoers 70 | sed -i 's/rhgb //' /etc/default/grub 71 | # SSHD PermitRootLogin and enable the service 72 | sed -i "s/#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config 73 | /usr/bin/systemctl enable sshd 74 | # 
Update all packages 75 | /usr/bin/yum -y update 76 | %end 77 | 78 | %anaconda 79 | pwpolicy root --minlen=10 --minquality=1 --notstrict --nochanges --notempty 80 | pwpolicy user --minlen=10 --minquality=1 --notstrict --nochanges --emptyok 81 | pwpolicy luks --minlen=10 --minquality=1 --notstrict --nochanges --notempty 82 | %end 83 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/rocky9-host-ks.cfg.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # version=RHEL9 5 | # This file was generated using the Kickstart Generator page, see below: 6 | # https://access.redhat.com/labs/kickstartconfig/ 7 | 8 | # Use network installation 9 | url --url="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky9 }}/BaseOS" 10 | repo --name="AppStream" --baseurl="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky9 }}/AppStream" 11 | # Disable Initial Setup on first boot 12 | firstboot --disable 13 | 14 | # Use text mode install 15 | graphical 16 | # Keyboard layouts 17 | keyboard --vckeymap=gb --xlayouts='gb' 18 | # System language 19 | lang en_GB.UTF-8 20 | # SELinux configuration 21 | selinux --enforcing 22 | # Firewall configuration 23 | firewall --enabled --ssh 24 | # Do not configure the X Window System 25 | skipx 26 | 27 | # Network information 28 | network --bootproto=dhcp --device=eth0 --nameserver={{ homelab_dns1_server }},{{ homelab_dns2_server }} --noipv6 --activate 29 | network --hostname=rocky9.localdomain 30 | 31 | # System authorisation information 32 | auth --useshadow --passalgo=sha512 33 | # Root password 34 | rootpw packer 35 | # Root SSH public key 36 | sshkey --username=root "ssh-rsa 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 tom@hl.test" 37 | # System timezone 38 | timezone Europe/London --utc 39 
| 40 | ignoredisk --only-use=sda 41 | # System bootloader configuration 42 | bootloader --location=mbr --timeout=1 --boot-drive=sda 43 | # Clear the Master Boot Record 44 | zerombr 45 | # Partition clearing information 46 | clearpart --all --initlabel 47 | # Reboot after installation 48 | reboot 49 | 50 | # Disk partitioning information 51 | #autopart --type=lvm 52 | part /boot --fstype="xfs" --ondisk=sda --size=1024 --label=boot --asprimary --fsoptions="rw,nodev,noexec,nosuid" 53 | part pv.01 --fstype="lvmpv" --ondisk=sda --size=227911 54 | volgroup vg_os pv.01 55 | logvol /tmp --fstype=xfs --size=1024 --label=lv_tmp --name=lv_tmp --vgname=vg_os --fsoptions="rw,nodev,noexec,nosuid" 56 | logvol swap --fstype=swap --size=4096 --label=lv_swap --name=lv_swap --vgname=vg_os 57 | logvol / --fstype=xfs --size=222788 --label=lv_root --name=lv_root --vgname=vg_os 58 | 59 | %packages 60 | # dnf group info minimal-environment 61 | @^minimal-environment 62 | sudo 63 | openssh-server 64 | # Exclude unnecessary firmwares 65 | -iwl*firmware 66 | %end 67 | 68 | %addon com_redhat_kdump --disable --reserve-mb='auto' 69 | %end 70 | 71 | %post 72 | sed -i 's/^.*requiretty/#Defaults requiretty/' /etc/sudoers 73 | sed -i 's/rhgb //' /etc/default/grub 74 | # SSHD PermitRootLogin and enable the service 75 | sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config 76 | /usr/bin/systemctl enable sshd 77 | # Update all packages 78 | /usr/bin/yum -y update 79 | %end 80 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/rocky9-packer-ks.cfg.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # version=RHEL9 5 | # This file was generated using the Kickstart Generator page, see below: 6 | # https://access.redhat.com/labs/kickstartconfig/ 7 | 8 | # Use network 
installation 9 | url --url="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky9 }}/BaseOS" 10 | repo --name="AppStream" --baseurl="ftp://{{ ansible_default_ipv4.address }}/pub/pxe/{{ networkboot_directory_rocky9 }}/AppStream" 11 | # Disable Initial Setup on first boot 12 | firstboot --disable 13 | 14 | # Use text mode install 15 | text 16 | # Keyboard layouts 17 | keyboard --vckeymap=gb --xlayouts='gb' 18 | # System language 19 | lang en_GB.UTF-8 20 | # SELinux configuration 21 | selinux --enforcing 22 | # Firewall configuration 23 | firewall --enabled --ssh 24 | # Do not configure the X Window System 25 | skipx 26 | 27 | # Network information 28 | network --bootproto=dhcp --device=eth0 --nameserver={{ homelab_dns1_server }},{{ homelab_dns2_server }} --noipv6 --activate 29 | network --hostname=rocky9.localdomain 30 | 31 | # System authorisation information 32 | auth --useshadow --passalgo=sha512 33 | # Root password 34 | rootpw packer 35 | # Root SSH public key 36 | sshkey --username=root "ssh-rsa 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 tom@hl.test" 37 | # System timezone 38 | timezone Europe/London --utc 39 | 40 | ignoredisk --only-use=vda 41 | # System bootloader configuration 42 | bootloader --location=mbr --timeout=1 --boot-drive=vda 43 | # Clear the Master Boot Record 44 | zerombr 45 | # Partition clearing information 46 | clearpart --all --initlabel 47 | # Reboot after installation 48 | reboot 49 | 50 | # Disk partitioning information 51 | #autopart --type=lvm 52 | part /boot --fstype="xfs" --ondisk=vda --size=1024 --label=boot --asprimary --fsoptions="rw,nodev,noexec,nosuid" 53 | part pv.01 --fstype="lvmpv" --ondisk=vda --size=31743 54 | volgroup vg_os pv.01 55 | logvol /tmp --fstype="xfs" --size=1024 --label="lv_tmp" --name=lv_tmp --vgname=vg_os --fsoptions="rw,nodev,noexec,nosuid" 56 | logvol / --fstype="xfs" --size=30716 --label="lv_root" --name=lv_root --vgname=vg_os 57 | 58 | %packages 59 | # dnf group info 
minimal-environment 60 | @^minimal-environment 61 | sudo 62 | openssh-server 63 | qemu-guest-agent 64 | # Alsa not needed in a VM 65 | -alsa* 66 | # Microcode updates cannot work in a VM 67 | -microcode_ctl 68 | # Firmware packages are not needed in a VM 69 | -iwl*firmware 70 | # Don't build rescue initramfs 71 | -dracut-config-rescue 72 | -plymouth 73 | %end 74 | 75 | %addon com_redhat_kdump --disable --reserve-mb='auto' 76 | %end 77 | 78 | %post 79 | sed -i 's/^.*requiretty/#Defaults requiretty/' /etc/sudoers 80 | sed -i 's/rhgb //' /etc/default/grub 81 | # SSHD PermitRootLogin and enable the service 82 | sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config 83 | /usr/bin/systemctl enable sshd 84 | # Update all packages 85 | /usr/bin/yum -y update 86 | %end 87 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/ubuntu2004-desktop.seed.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # Enable extras.ubuntu.com. 5 | #d-i apt-setup/extras boolean true 6 | # Install the Ubuntu desktop. 7 | #tasksel tasksel/first multiselect ubuntu-desktop 8 | # On live DVDs, don't spend huge amounts of time removing substantial 9 | # application packages pulled in by language packs. Given that we clearly 10 | # have the space to include them on the DVD, they're useful and we might as 11 | # well keep them installed. 12 | #ubiquity ubiquity/keep-installed string icedtea6-plugin openoffice.org 13 | #d-i base-installer/kernel/altmeta string hwe-20.04 14 | #Generated by Kickstart Configurator 15 | #platform=x86 16 | 17 | # The installer will warn about weak passwords. If you are sure you know 18 | # what you're doing and want to override it, uncomment this. 19 | preseed user-setup/allow-password-weak boolean true 20 | 21 | # Policy for applying updates. 
May be "none" (no automatic updates), 22 | # "unattended-upgrades" (install security updates automatically). 23 | preseed pkgsel/update-policy select none 24 | 25 | #System language 26 | lang en_GB 27 | #Language modules to install 28 | langsupport en_GB 29 | #System keyboard 30 | keyboard gb 31 | #System mouse 32 | mouse 33 | #System timezone 34 | timezone --utc Europe/London 35 | #Root password 36 | rootpw packer 37 | #Initial user 38 | user tom --fullname "Tom" --password packer 39 | #Reboot after installation 40 | reboot 41 | #Use interactive kickstart installation method 42 | interactive 43 | #Install OS instead of upgrade 44 | install 45 | #Use NFS installation 46 | nfs --server={{ ansible_default_ipv4.address }} --dir=/var/nfs/{{ networkboot_directory_ubuntu2004desktop }}/ 47 | #System bootloader configuration 48 | bootloader --location=mbr 49 | #Clear the Master Boot Record 50 | zerombr yes 51 | #Partition clearing information 52 | clearpart --all --initlabel 53 | #Disk partitioning information 54 | part /boot --fstype ext4 --size 1024 --asprimary 55 | part swap --size 1024 56 | part / --fstype ext4 --size 1024 --grow --asprimary 57 | #System authorization infomation 58 | auth --useshadow 59 | #Network information 60 | network --bootproto=dhcp --device=auto 61 | #Do not configure the X Window System 62 | skipx 63 | #Package install information 64 | %packages 65 | @ ubuntu-desktop 66 | openssh-server 67 | xterm 68 | vim 69 | -------------------------------------------------------------------------------- /roles/hl.pxe-boot-server/templates/ubuntu2004-server.seed.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # Enable extras.ubuntu.com. 5 | #d-i apt-setup/extras boolean true 6 | # Install the Ubuntu server. 
7 | #tasksel tasksel/first multiselect ubuntu-desktop 8 | # On live DVDs, don't spend huge amounts of time removing substantial 9 | # application packages pulled in by language packs. Given that we clearly 10 | # have the space to include them on the DVD, they're useful and we might as 11 | # well keep them installed. 12 | #ubiquity ubiquity/keep-installed string icedtea6-plugin openoffice.org 13 | #d-i base-installer/kernel/altmeta string hwe-20.04 14 | #Generated by Kickstart Configurator 15 | #platform=x86 16 | 17 | # The installer will warn about weak passwords. If you are sure you know 18 | # what you're doing and want to override it, uncomment this. 19 | preseed user-setup/allow-password-weak boolean true 20 | 21 | # Policy for applying updates. May be "none" (no automatic updates), 22 | # "unattended-upgrades" (install security updates automatically). 23 | preseed pkgsel/update-policy select none 24 | 25 | #System language 26 | lang en_GB 27 | #Language modules to install 28 | langsupport en_GB 29 | #System keyboard 30 | keyboard gb 31 | #System mouse 32 | mouse 33 | #System timezone 34 | timezone --utc Europe/London 35 | #Root password 36 | rootpw packer 37 | #Initial user 38 | user tom --fullname "Tom" --password packer 39 | #Reboot after installation 40 | reboot 41 | #Use interactive kickstart installation method 42 | interactive 43 | #Install OS instead of upgrade 44 | install 45 | #Use NFS installation 46 | nfs --server={{ ansible_default_ipv4.address }} --dir=/var/nfs/{{ networkboot_directory_ubuntu2004server }}/ 47 | #System bootloader configuration 48 | bootloader --location=mbr 49 | #Clear the Master Boot Record 50 | zerombr yes 51 | #Partition clearing information 52 | clearpart --all --initlabel 53 | #Disk partitioning information 54 | part /boot --fstype ext4 --size 1024 --asprimary 55 | part swap --size 1024 56 | part / --fstype ext4 --size 1024 --grow --asprimary 57 | #System authorization infomation 58 | auth --useshadow 59 | #Network 
information 60 | network --bootproto=dhcp --device=auto 61 | #Do not configure the X Window System 62 | skipx 63 | #Package install information 64 | %packages 65 | openssh-server 66 | vim 67 | 68 | %post 69 | # When installing and selecting only the SSH server, the distribution installs correctly, 70 | # but after booting from the disk the default terminal is tty7 (thus only the black screen is shown). 71 | # Switching the ALT + F1 terminal to tty1 solves the problem and shows a normal login prompt. 72 | sed -i -e 's/splash/nosplash/g' /etc/default/grub 73 | update-grub 74 | -------------------------------------------------------------------------------- /roles/hl.resolvconf/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | resolv_config_file: "resolv.conf" 7 | -------------------------------------------------------------------------------- /roles/hl.resolvconf/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Copy Configuration File {{ resolv_config_file }} 3 | ansible.builtin.template: 4 | src: "{{ resolv_config_file }}.j2" 5 | dest: "/etc/{{ resolv_config_file }}" 6 | owner: root 7 | group: root 8 | mode: "0644" 9 | force: true 10 | -------------------------------------------------------------------------------- /roles/hl.resolvconf/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.resolvconf/templates/resolv.conf.j2: 
-------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | search {{ homelab_domain_name }} 5 | nameserver {{ homelab_dns1_server }} 6 | nameserver {{ homelab_dns2_server }} 7 | nameserver {{ homelab_dns3_server }} 8 | -------------------------------------------------------------------------------- /roles/hl.samba/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - samba 8 | - samba-client 9 | 10 | systemd_services: 11 | - smb 12 | - nmb 13 | 14 | firewall_port: "samba" 15 | 16 | samba_selinux_booleans: 17 | - samba_export_all_rw 18 | - smbd_anon_write 19 | 20 | samba_config_file: "smb.conf" 21 | samba_share_directory: "/mnt/storage/samba" 22 | samba_guest_account: "nobody" 23 | -------------------------------------------------------------------------------- /roles/hl.samba/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart smb 3 | ansible.builtin.service: 4 | name: smb 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.samba/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | - name: RedHat | Enable Service in Firewalld {{ firewall_port }} 9 | ansible.posix.firewalld: 10 | immediate: true 11 | service: "{{ firewall_port }}" 12 | permanent: true 13 | state: enabled 14 | 15 | - name: RedHat | Start and Enable Services 16 | 
ansible.builtin.service: 17 | name: "{{ item }}" 18 | state: started 19 | enabled: true 20 | loop: "{{ systemd_services }}" 21 | 22 | - name: RedHat | Check Samba Ports 23 | ansible.builtin.wait_for: 24 | host: "{{ ansible_fqdn }}" 25 | port: "{{ item }}" 26 | timeout: 2 27 | loop: 28 | - "139" 29 | - "445" 30 | ignore_errors: true 31 | register: ignore_errors_register 32 | 33 | - name: RedHat | Set Samba Server to Share All Files and Directories rw (SELinux) 34 | ansible.posix.seboolean: 35 | name: "{{ item }}" 36 | state: true 37 | persistent: true 38 | loop: "{{ samba_selinux_booleans }}" 39 | 40 | - name: RedHat | Create Public Samba Share Directory {{ samba_share_directory }} 41 | ansible.builtin.file: 42 | path: "{{ samba_share_directory }}" 43 | state: directory 44 | owner: "{{ samba_guest_account }}" 45 | group: "{{ samba_guest_account }}" 46 | setype: "public_content_rw_t" 47 | mode: "0777" 48 | 49 | - name: RedHat | Create Samba Configuration File {{ samba_config_file }} 50 | ansible.builtin.template: 51 | src: "{{ samba_config_file }}.j2" 52 | dest: "/etc/samba/{{ samba_config_file }}" 53 | owner: root 54 | group: root 55 | mode: "0644" 56 | force: true 57 | validate: "testparm -s %s" 58 | notify: 59 | - Restart smb 60 | -------------------------------------------------------------------------------- /roles/hl.samba/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.samba/templates/smb.conf.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # See smb.conf.example for a more detailed config file or 5 | # read the smb.conf manpage. 
6 | # Run 'testparm' to verify the config is correct after 7 | # you modify it by hand (the Ansible task already validates the rendered file with 'testparm -s' before installing it). 8 | 9 | [global] 10 | workgroup = HOMELAB 11 | server string = Samba Server Version %v 12 | 13 | interfaces = lo {{ homelab_address }}/{{ homelab_cidr_prefix }} 14 | hosts allow = 127. 10.11.1. 15 | hostname lookups = no 16 | 17 | log file = /var/log/samba/log.%m 18 | max log size = 50 19 | 20 | security = user 21 | passdb backend = tdbsam 22 | map to guest = bad user 23 | guest account = {{ samba_guest_account }} 24 | load printers = no 25 | client max protocol = SMB2_02 26 | 27 | [hl_share] 28 | comment = Homelab Share 29 | path = {{ samba_share_directory }} 30 | public = yes 31 | writable = yes 32 | browseable = yes 33 | printable = no 34 | guest ok = yes 35 | -------------------------------------------------------------------------------- /roles/hl.sshd/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - openssh-server 8 | 9 | systemd_service: "sshd" 10 | firewall_service: "ssh" 11 | 12 | sshd_config_file: "sshd_config" 13 | 14 | sshd_allow_agent_forwarding: "no" 15 | sshd_allow_tcp_forwarding: "no" 16 | sshd_authorized_keys_file: ".ssh/authorized_keys" 17 | sshd_banner: "/etc/motd" 18 | sshd_ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" 19 | sshd_client_alive_count_max: "3" 20 | sshd_client_interval: "0" 21 | sshd_compression: "no" 22 | sshd_gateway_ports: "no" 23 | sshd_gssapi_authentication: "no" 24 | sshd_host_key_algorithms: "ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com" 25 | sshd_kerberos_authentication: "no" 26 | sshd_kex_algorithms: "curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256,diffie-hellman-group-exchange-sha256" 27 | sshd_listen_address: "0.0.0.0" 28 | sshd_log_level: "INFO" 29 | sshd_macs: "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com" 30 | sshd_max_auth_tries: "3" 31 | sshd_max_sessions: "2" 32 | sshd_password_authentication: "no" 33 | sshd_permit_empty_passwords: "no" 34 | sshd_permit_root_login: "no" 35 | sshd_permit_tunnel: "no" 36 | sshd_permit_user_environment: "no" 37 | sshd_port: "22" 38 | sshd_print_last_log: "yes" 39 | sshd_print_motd: "no" 40 | sshd_pubkey_authentication: "yes" 41 | sshd_tcp_keep_alive: "yes" 42 | sshd_use_dns: "no" 43 | sshd_x11_forwarding: "no" 44 | -------------------------------------------------------------------------------- /roles/hl.sshd/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart sshd 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- 
/roles/hl.sshd/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Debian | Configure OpenSSH Server 3 | vars: 4 | - sshd_subsystem: "/usr/lib/openssh/sftp-server" 5 | block: 6 | - name: Debian | Install Packages 7 | ansible.builtin.package: 8 | name: "{{ item }}" 9 | state: present 10 | loop: "{{ packages }}" 11 | 12 | - name: Debian | Copy Configuration File {{ sshd_config_file }} 13 | ansible.builtin.template: 14 | src: "{{ sshd_config_file }}.j2" 15 | dest: "/etc/ssh/{{ sshd_config_file }}" 16 | owner: root 17 | group: root 18 | mode: "0600" 19 | notify: 20 | - Restart sshd 21 | -------------------------------------------------------------------------------- /roles/hl.sshd/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Configure OpenSSH Server 3 | vars: 4 | - sshd_subsystem: "/usr/libexec/openssh/sftp-server" 5 | block: 6 | - name: RedHat | Install Packages 7 | ansible.builtin.package: 8 | name: "{{ item }}" 9 | state: present 10 | loop: "{{ packages }}" 11 | 12 | - name: RedHat | Disable system-wide crypto policy usage for SSH 13 | ansible.builtin.lineinfile: 14 | path: /etc/sysconfig/sshd 15 | regexp: "^# CRYPTO_POLICY=" 16 | line: CRYPTO_POLICY= 17 | when: ansible_distribution_major_version == "8" 18 | 19 | - name: RedHat | Copy Configuration File {{ sshd_config_file }} 20 | ansible.builtin.template: 21 | src: "{{ sshd_config_file }}.j2" 22 | dest: "/etc/ssh/{{ sshd_config_file }}" 23 | owner: root 24 | group: root 25 | mode: "0600" 26 | notify: 27 | - Restart sshd 28 | 29 | - name: RedHat | Check Services 30 | ansible.builtin.service_facts: 31 | 32 | - name: RedHat | Enable Service in Firewalld {{ firewall_service }} 33 | ansible.posix.firewalld: 34 | immediate: true 35 | service: "{{ firewall_service }}" 36 | permanent: true 37 | state: enabled 38 | when: "'firewalld.service' in ansible_facts.services" 39 | 
ignore_errors: true 40 | register: ignore_errors_register 41 | -------------------------------------------------------------------------------- /roles/hl.sshd/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook RedHat 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | 6 | - name: Include playbook Debian 7 | ansible.builtin.include_tasks: Debian.yml 8 | when: ansible_os_family == 'Debian' 9 | -------------------------------------------------------------------------------- /roles/hl.sshd/templates/sshd_config.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | # Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # This is the sshd server system-wide configuration file. See 5 | # sshd_config(5) for more information. 6 | 7 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 8 | 9 | # The strategy used for options in the default sshd_config shipped with 10 | # OpenSSH is to specify options with their default value where 11 | # possible, but leave them commented. Uncommented options override the 12 | # default value. 13 | 14 | Port {{ sshd_port }} 15 | #AddressFamily any 16 | ListenAddress {{ sshd_listen_address }} 17 | #ListenAddress :: 18 | 19 | HostKey /etc/ssh/ssh_host_rsa_key 20 | HostKey /etc/ssh/ssh_host_ecdsa_key 21 | HostKey /etc/ssh/ssh_host_ed25519_key 22 | 23 | # Ciphers and keying (Ciphers, HostKeyAlgorithms, KexAlgorithms and MACs are set at the end of this file) 24 | #RekeyLimit default none 25 | 26 | # Logging 27 | #SyslogFacility AUTH 28 | LogLevel {{ sshd_log_level }} 29 | 30 | # Authentication (note: LoginGraceTime 0 removes the time limit for connections that have not yet authenticated; the OpenSSH default is 2m): 31 | 32 | LoginGraceTime 0 33 | PermitRootLogin {{ sshd_permit_root_login }} 34 | #StrictModes yes 35 | MaxAuthTries {{ sshd_max_auth_tries }} 36 | MaxSessions {{ sshd_max_sessions }} 37 | 38 | PubkeyAuthentication {{ sshd_pubkey_authentication }} 39 | 40 | # Expect .ssh/authorized_keys2 to be disregarded by default in future. 
41 | AuthorizedKeysFile {{ sshd_authorized_keys_file }} 42 | 43 | #AuthorizedPrincipalsFile none 44 | 45 | #AuthorizedKeysCommand none 46 | #AuthorizedKeysCommandUser nobody 47 | 48 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 49 | #HostbasedAuthentication no 50 | # Change to yes if you don't trust ~/.ssh/known_hosts for 51 | # HostbasedAuthentication 52 | #IgnoreUserKnownHosts no 53 | # Don't read the user's ~/.rhosts and ~/.shosts files 54 | #IgnoreRhosts yes 55 | 56 | # To disable tunneled clear text passwords, set the sshd_password_authentication variable to "no" (this line is templated, not edited in place) 57 | PasswordAuthentication {{ sshd_password_authentication }} 58 | PermitEmptyPasswords {{ sshd_permit_empty_passwords }} 59 | 60 | # Change to yes to enable challenge-response passwords (beware issues with 61 | # some PAM modules and threads) 62 | ChallengeResponseAuthentication no 63 | 64 | # Kerberos options 65 | KerberosAuthentication {{ sshd_kerberos_authentication }} 66 | #KerberosOrLocalPasswd yes 67 | #KerberosTicketCleanup yes 68 | #KerberosGetAFSToken no 69 | 70 | # GSSAPI options 71 | GSSAPIAuthentication {{ sshd_gssapi_authentication }} 72 | #GSSAPICleanupCredentials yes 73 | #GSSAPIStrictAcceptorCheck yes 74 | #GSSAPIKeyExchange no 75 | 76 | # Set this to 'yes' to enable PAM authentication, account processing, 77 | # and session processing. If this is enabled, PAM authentication will 78 | # be allowed through the ChallengeResponseAuthentication and 79 | # PasswordAuthentication. Depending on your PAM configuration, 80 | # PAM authentication via ChallengeResponseAuthentication may bypass 81 | # the setting of "PermitRootLogin without-password". 82 | # If you just want the PAM account and session checks to run without 83 | # PAM authentication, then enable this but set PasswordAuthentication 84 | # and ChallengeResponseAuthentication to 'no'. 
85 | UsePAM yes 86 | 87 | AllowAgentForwarding {{ sshd_allow_agent_forwarding }} 88 | AllowTcpForwarding {{ sshd_allow_tcp_forwarding }} 89 | GatewayPorts {{ sshd_gateway_ports }} 90 | X11Forwarding {{ sshd_x11_forwarding }} 91 | #X11DisplayOffset 10 92 | #X11UseLocalhost yes 93 | #PermitTTY yes 94 | PrintMotd {{ sshd_print_motd }} 95 | PrintLastLog {{ sshd_print_last_log }} 96 | TCPKeepAlive {{ sshd_tcp_keep_alive }} 97 | PermitUserEnvironment {{ sshd_permit_user_environment }} 98 | Compression {{ sshd_compression }} 99 | ClientAliveInterval {{ sshd_client_interval }} 100 | ClientAliveCountMax {{ sshd_client_alive_count_max }} 101 | UseDNS {{ sshd_use_dns }} 102 | #PidFile /var/run/sshd.pid 103 | #MaxStartups 10:30:100 104 | PermitTunnel {{ sshd_permit_tunnel }} 105 | #ChrootDirectory none 106 | #VersionAddendum none 107 | 108 | # Pre-authentication banner; the path is taken from sshd_banner (stock sshd has no default banner path) 109 | Banner {{ sshd_banner }} 110 | 111 | # Allow client to pass locale environment variables 112 | AcceptEnv LANG LC_* 113 | 114 | # override default of no subsystems 115 | Subsystem sftp {{ sshd_subsystem }} 116 | 117 | # Example of overriding settings on a per-user basis 118 | #Match User anoncvs 119 | # X11Forwarding no 120 | # AllowTcpForwarding no 121 | # PermitTTY no 122 | # ForceCommand cvs server 123 | 124 | Ciphers {{ sshd_ciphers }} 125 | 126 | HostKeyAlgorithms {{ sshd_host_key_algorithms }} 127 | 128 | KexAlgorithms {{ sshd_kex_algorithms }} 129 | 130 | MACs {{ sshd_macs }} 131 | -------------------------------------------------------------------------------- /roles/hl.sshd/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Overrides the role defaults for the homelab environment. Note that role vars/ take precedence over defaults/ and over inventory variables, so these two settings cannot be turned back off from the inventory. 3 | sshd_password_authentication: "yes" 4 | sshd_permit_root_login: "yes" 5 | -------------------------------------------------------------------------------- /roles/hl.staticroute/README.md: -------------------------------------------------------------------------------- 1 | 
ansible-role-staticroute 2 | ==================== 3 | 4 | Ansible Role - create a static route on RHEL. 5 | 6 | This role is used to configure Kubernetes servers with a static route to access the VPN server. 7 | 8 | ## Requirements 9 | 10 | None. 11 | 12 | ## Example Playbook 13 | 14 | - hosts: k8s_master,k8s_node 15 | roles: 16 | - hl.staticroute 17 | -------------------------------------------------------------------------------- /roles/hl.staticroute/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | network_template: "route-ethx.j2" 7 | vpn_subnet: "10.8.0.0/24" 8 | vpn_client_gateway: "10.11.1.20" 9 | -------------------------------------------------------------------------------- /roles/hl.staticroute/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Create Static VPN Route 3 | become: true 4 | ansible.builtin.template: 5 | src: "{{ network_template }}" 6 | dest: "/etc/sysconfig/network-scripts/route-br0" 7 | owner: root 8 | group: root 9 | mode: "0644" 10 | when: "'kvm' in group_names" 11 | ignore_errors: true 12 | register: ignore_errors_register 13 | -------------------------------------------------------------------------------- /roles/hl.staticroute/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.staticroute/templates/route-ethx.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | 
# Generated by Ansible role {{ ansible_role_name }} 3 | 4 | # Static VPN route 5 | {{ vpn_subnet }} via {{ vpn_client_gateway }} dev br0 6 | -------------------------------------------------------------------------------- /roles/hl.swapfile/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | # Swap size in MiB (used as the dd count with bs=1M) 7 | swap_size: "1024" 8 | sysctl_swappiness: "10" 9 | swap_file: "/swapfile" 10 | -------------------------------------------------------------------------------- /roles/hl.swapfile/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Make swap filesystem 3 | ansible.builtin.command: mkswap "{{ swap_file }}" 4 | register: mkswap_output # Registers the command output. 5 | changed_when: mkswap_output.rc != 0 # Uses the return code to define when the task has changed (rc != 0 reports 'changed' only when mkswap fails; for a one-shot command the usual form is changed_when: false). 
6 | -------------------------------------------------------------------------------- /roles/hl.swapfile/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Create Swap File {{ swap_file }} 3 | ansible.builtin.command: "dd if=/dev/zero of={{ swap_file }} bs=1M count={{ swap_size }}" 4 | args: 5 | creates: "{{ swap_file }}" 6 | notify: 7 | - Make swap filesystem 8 | 9 | - name: RedHat | Flush Handlers 10 | ansible.builtin.meta: flush_handlers 11 | 12 | - name: RedHat | Set Swap File Permissions 13 | ansible.builtin.file: 14 | path: "{{ swap_file }}" 15 | state: file 16 | owner: root 17 | group: root 18 | mode: "0600" 19 | 20 | - name: RedHat | Add Swap to /etc/fstab 21 | ansible.posix.mount: 22 | src: "{{ swap_file }}" 23 | name: "none" 24 | fstype: "swap" 25 | opts: "sw,nofail" 26 | dump: "0" 27 | passno: "0" 28 | state: "present" 29 | 30 | - name: RedHat | Run swapon -a 31 | ansible.builtin.command: swapon -a 32 | register: swapon_output # Registers the command output. 33 | changed_when: swapon_output.rc != 0 # Uses the return code to define when the task has changed (rc != 0 reports 'changed' only when swapon fails; for a one-shot command the usual form is changed_when: false). 34 | 35 | - name: RedHat | Set Sysctl vm.swappiness to {{ sysctl_swappiness }} 36 | ansible.posix.sysctl: 37 | name: vm.swappiness 38 | value: "{{ sysctl_swappiness }}" 39 | state: present 40 | -------------------------------------------------------------------------------- /roles/hl.swapfile/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.template/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. 
These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | packages: 7 | - name 8 | 9 | systemd_service: "name" 10 | firewall_port: "name" 11 | -------------------------------------------------------------------------------- /roles/hl.template/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Restart name 3 | ansible.builtin.service: 4 | name: "{{ systemd_service }}" 5 | state: restarted 6 | -------------------------------------------------------------------------------- /roles/hl.template/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | 8 | - name: RedHat | Enable Service in Firewalld {{ firewall_port }} 9 | ansible.posix.firewalld: 10 | immediate: true 11 | service: "{{ firewall_port }}" 12 | permanent: true 13 | state: enabled 14 | 15 | - name: RedHat | Start and Enable Service {{ systemd_service }} 16 | ansible.builtin.service: 17 | name: "{{ systemd_service }}" 18 | state: started 19 | enabled: true 20 | -------------------------------------------------------------------------------- /roles/hl.template/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/hl.timezone/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. 
These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 5 | 6 | timezone_value: "Europe/London" 7 | -------------------------------------------------------------------------------- /roles/hl.timezone/tasks/Linux.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Linux | Set Timezone to {{ timezone_value }} 3 | community.general.timezone: 4 | name: "{{ timezone_value }}" 5 | -------------------------------------------------------------------------------- /roles/hl.timezone/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: Linux.yml 4 | when: ansible_system == 'Linux' 5 | -------------------------------------------------------------------------------- /roles/hl.users/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | users: 3 | - name: ansible 4 | password: "defined in secure.yml as user_password" 5 | - name: tom 6 | password: "defined in secure.yml as user_password" 7 | 8 | sudo_group_redhat: "wheel" 9 | sudo_group_debian: "sudo" 10 | -------------------------------------------------------------------------------- /roles/hl.users/defaults/secure.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 64316666346332343763613237343033356133343231363132323366316266336162616263396133 3 | 6238383333366433386361363632333765616538366166340a633936656531363533386436373631 4 | 34303537386134363266373966396666346233666631613330363030336235363838636566323736 5 | 6334393538353262620a363061393762316132343635646639353265623231313363633666316337 6 | 63326138343934383338396536376537633464343137306266663737343331663739376130313234 7 | 
3961326166326563613462343464373335323235373561366165 8 | -------------------------------------------------------------------------------- /roles/hl.users/files/id_rsa_ansible.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 tom@hl.test 2 | ssh-rsa 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 tom@workstation.local 3 | ssh-rsa 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 tom@kvm1.hl.test 4 | ssh-rsa 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 tom@srv41-ansible.hl.test 5 | -------------------------------------------------------------------------------- /roles/hl.users/files/id_rsa_root.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 tom@hl.test 2 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCRaxrURp9COyfSlB10uyMd2HB6qECqUySSGpU/qRtEH/NFpnVg6EPwddYumVAIXQitHicdTFkXZzD98mEQAQQGhhaeIoCfecJ2PlMmG7oL9QFqhqotpJlPRiv17MNNWGgSQ25JYi50n25rt6ftgWHWzxuOo3I7RmHPZMkc1nZP8Gr7P25IrHW22/FBZiKszsjB8zoZEg6YJo2hhA3cs/ao3HeGP2ezWgYx221EOw87OVFxaGsTc6dB0V7Bv8Z+vni84mtddxhYElTyzpXgyFTaaahlL3PmC80JrfFjF/tyz/zLmD94xqjDIVnK5uaJtl8IOlVjS80GCsuiyl/q3aLn7W4FJfgNlUvjkJUQADPcjul3Q8qHbIQsmJp8iA/9vQu9w7G0LC9y4mR57m/+yuSw6utosYTxhc0ciymk6qvSZhGI7dpPZBr3w0Q1RZjU2UuSnvkY+8qD3E3phIzxKQdqCwMFbyS9+NP9v1aUnQLl9zs3UGz07uJqpQ7CFwrUMwkMZiAoAPXskhbuHjzAA7rZNJk7TbKVbnX3uXs4p/LF4xCn3GzHRv+cf4TxunzHCvfsMaLbX5Ak8OXDNerantKbwsUOFCXX2GsfzWf0GTmVt2TNuqBMmBaK85okkB2EmM96tHeEi03KVrfpP9xTNMnnUMWGvB5+n2Vot5c7IJy3rQ== tom@workstation.local -------------------------------------------------------------------------------- /roles/hl.users/files/id_rsa_tom.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 tom@hl.test 2 | ssh-rsa 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 
tom@workstation.local -------------------------------------------------------------------------------- /roles/hl.users/tasks/Linux.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Linux | Include Secure Vars 3 | ansible.builtin.include_vars: 4 | file: ../defaults/secure.yml 5 | 6 | - name: Linux | Create Users 7 | remote_user: root 8 | when: ansible_os_family == 'RedHat' 9 | block: 10 | - name: Linux | Create Users 11 | ansible.builtin.user: 12 | state: present 13 | name: "{{ item.name }}" 14 | groups: "{{ sudo_group_redhat }}" 15 | shell: "/bin/bash" 16 | password: "{{ user_password | password_hash('sha512') }}" 17 | update_password: always 18 | loop: "{{ users }}" 19 | no_log: true 20 | 21 | - name: Linux | Configure sudo Rules 22 | ansible.builtin.lineinfile: 23 | state: present 24 | path: "/etc/sudoers" 25 | regexp: "^%{{ sudo_group_redhat }}" 26 | line: "%{{ sudo_group_redhat }} ALL=(ALL) NOPASSWD: ALL" 27 | validate: "/usr/sbin/visudo -cf %s" 28 | 29 | - name: Linux | Create Users 30 | remote_user: root 31 | when: ansible_os_family == 'Debian' 32 | block: 33 | - name: Linux | Create Users 34 | ansible.builtin.user: 35 | state: present 36 | name: "{{ item.name }}" 37 | groups: "{{ sudo_group_debian }}" 38 | shell: "/bin/bash" 39 | password: "{{ user_password | password_hash('sha512') }}" 40 | update_password: always 41 | loop: "{{ users }}" 42 | no_log: true 43 | 44 | - name: Linux | Configure sudo Rules 45 | ansible.builtin.lineinfile: 46 | state: present 47 | path: "/etc/sudoers" 48 | regexp: "^%{{ sudo_group_debian }}" 49 | line: "%{{ sudo_group_debian }} ALL=(ALL) NOPASSWD: ALL" 50 | validate: "/usr/sbin/visudo -cf %s" 51 | 52 | - name: Linux | Set root User Password 53 | ansible.builtin.user: 54 | state: present 55 | name: root 56 | password: "{{ user_password | password_hash('sha512') }}" 57 | update_password: always 58 | 59 | - name: Linux | Create Authorised Keys 60 | remote_user: root 61 | 
ansible.posix.authorized_key: 62 | state: present 63 | user: "{{ item.name }}" 64 | key: "{{ lookup('file', 'files/id_rsa_' + item.name + '.pub') }}" 65 | loop: "{{ users }}" 66 | 67 | - name: Linux | Create Authorised Keys for root 68 | remote_user: root 69 | ansible.posix.authorized_key: 70 | state: present 71 | user: root 72 | key: "{{ lookup('file', 'files/id_rsa_' + 'root' + '.pub') }}" 73 | 74 | - name: Linux | Allow the ansible User to Run Any Commands 75 | community.general.sudoers: 76 | name: 10_ansible 77 | state: present 78 | user: ansible 79 | runas: root 80 | nopassword: true 81 | commands: ALL 82 | -------------------------------------------------------------------------------- /roles/hl.users/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: Linux.yml 4 | when: ansible_system == 'Linux' 5 | -------------------------------------------------------------------------------- /roles/hl.wakeonlan/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Default variables for the role. These variables have the lowest 3 | ## priority of any variables available, and can be easily overridden 4 | ## by any other variable, including inventory variables. 
5 | 6 | packages: 7 | - ethtool 8 | -------------------------------------------------------------------------------- /roles/hl.wakeonlan/tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: RedHat | Install Packages 3 | ansible.builtin.package: 4 | name: "{{ item }}" 5 | state: present 6 | loop: "{{ packages }}" 7 | -------------------------------------------------------------------------------- /roles/hl.wakeonlan/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include playbook 3 | ansible.builtin.include_tasks: RedHat.yml 4 | when: ansible_os_family == 'RedHat' 5 | -------------------------------------------------------------------------------- /roles/newrelic.newrelic-infra/LICENSE.md: -------------------------------------------------------------------------------- 1 | All components of this product are Copyright (c) 2017 New Relic, Inc. All rights reserved. 2 | 3 | Certain inventions disclosed in this file may be claimed within patents owned or patent applications filed by New Relic, Inc. or third parties. 4 | 5 | Subject to the terms of this notice, New Relic grants you a nonexclusive, nontransferable license, without the right to sublicense, to (a) install and execute one copy of these files on any number of workstations owned or controlled by you and (b) distribute verbatim copies of these files to third parties. You may install, execute, and distribute these files and their contents only in conjunction with your direct use of New Relic’s services. These files and their contents shall not be used in conjunction with any other product or software, including but not limited to those that may compete with any New Relic product, feature, or software. As a condition to the foregoing grant, you must provide this notice along with each copy you distribute and you must not remove, alter, or obscure this notice. 
In the event you submit or provide any feedback, code, pull requests, or suggestions to New Relic you hereby grant New Relic a worldwide, non-exclusive, irrevocable, transferrable, fully paid-up license to use the code, algorithms, patents, and ideas therein in our products. 6 | 7 | All other use, reproduction, modification, distribution, or other exploitation of these files is strictly prohibited, except as may be set forth in a separate written license agreement between you and New Relic. The terms of any such license agreement will control over this notice. The license stated above will be automatically terminated and revoked if you exceed its scope or violate any 8 | of the terms of this notice. 9 | 10 | This License does not grant permission to use the trade names, trademarks, service marks, or product names of New Relic, except as required for reasonable and customary use in describing the origin of this file and reproducing the content of this notice. You may not mark or brand this file with any trade name, trademarks, service marks, or product names other than the original brand 11 | (if any) provided by New Relic. 12 | 13 | Unless otherwise expressly agreed by New Relic in a separate written license agreement, these files are provided AS IS, WITHOUT WARRANTY OF ANY KIND, including without any implied warranties of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, or NON-INFRINGEMENT. As a condition to your use of these files, you are solely responsible for such use. New Relic will have no liability to you for direct, indirect, consequential, incidental, special, or punitive damages or for lost profits or data. 
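--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Package state for newrelic-infra ("latest", "present" or "absent").
nrinfragent_state: "latest"
nrinfragent_service_enabled: "yes"
nrinfragent_service_state: "started"

# Everything under nrinfragent_config is written verbatim into
# /etc/newrelic-infra.yml. The value below is a placeholder, not a working key:
# override it (ideally from an encrypted source) before running the role.
nrinfragent_config:
  license_key: YOUR_LICENSE_KEY

# Extra packages installed next to the agent: a list of {name: ..., state: ...}.
nrinfragent_integrations: []

# Tarball install path (used only when nrinfragent_tarball_version is defined).
# Fetched over HTTPS, like every other download.newrelic.com URL in this role,
# so the archive cannot be replaced in transit; pair it with
# nrinfragent_tarball_checksum for an end-to-end integrity check, because the
# archive's installer.sh is executed as root.
nrinfragent_tarball_url: "https://download.newrelic.com/infrastructure_agent/binaries/linux/{{ nrinfragent_architecture }}/newrelic-infra_linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}.tar.gz"
# Optional get_url checksum, e.g. "sha256:<hex>". Empty (the default) skips
# verification, which matches the role's previous behaviour.
nrinfragent_tarball_checksum: ""
nrinfragent_tarball_download_dir: "/opt"
nrinfragent_tarball_user: "root"
--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart after a config change, unless the role is deliberately keeping the
# service stopped.
- name: restart newrelic-infra
  service:
    name: newrelic-infra
    state: restarted
  when: nrinfragent_service_state != "stopped"
--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/tasks/install_dist_pkgs.yml:
--------------------------------------------------------------------------------
---
# Package-repository install path. Every repository is reached over HTTPS and,
# where the package manager supports it, verified against New Relic's GPG key.

- name: confirm redhat lsb util is present
  yum:
    name: redhat-lsb-core
    state: present
  when: nrinfragent_os_name|lower == 'redhat'

# nrinfragent_os_version / nrinfragent_os_codename (vars/main.yml) are derived
# from ansible_lsb, so refresh those facts now that lsb is installed.
- name: reread ansible_lsb facts
  setup:
    filter: ansible_lsb*
  when: nrinfragent_os_name|lower == 'redhat'

# NOTE(review): apt_key is deprecated on current Debian/Ubuntu releases in
# favour of a keyring file referenced with "signed-by="; kept for compatibility.
- name: setup agent repo keys (apt)
  apt_key:
    url: https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg
    state: present
  when: nrinfragent_os_name|lower == 'debian'

# One task covers both rpm-based families (previously two identical tasks).
- name: setup agent repo keys (rpm)
  rpm_key:
    key: https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg
    state: present
  when: nrinfragent_os_name|lower in ['redhat', 'suse']

- name: confirm Debian apt-transport-https is present
  apt:
    name: apt-transport-https
    state: present
  when: nrinfragent_os_name|lower == 'debian'

- name: setup agent repo reference (apt)
  apt_repository:
    repo: "deb [arch=amd64] https://download.newrelic.com/infrastructure_agent/linux/apt {{ nrinfragent_os_codename }} main"
    state: present
    update_cache: "yes"
  when: nrinfragent_os_name|lower == 'debian'

# The two yum tasks below are mutually exclusive and register DIFFERENT
# variables on purpose: a skipped task still registers a result with
# changed: false, so sharing one name let the skipped RHEL task overwrite the
# Amazon Linux result and the makecache step never ran there.
- name: setup agent repo reference (yum, Amazon Linux)
  yum_repository:
    name: 'newrelic-infra'
    description: New Relic Infrastructure
    # upstart-based Amazon Linux maps to the EL6 packages, systemd-based to EL7.
    baseurl: "https://download.newrelic.com/infrastructure_agent/linux/yum/el/{{ (ansible_service_mgr == 'upstart') | ternary('6', '7') }}/x86_64"
    gpgcheck: "yes"
    repo_gpgcheck: 'yes'
    gpgkey: https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg
    state: present
  when: ansible_distribution|lower == 'amazon'
  register: setup_agent_repo_amazon

- name: setup agent repo reference (yum, RHEL family)
  yum_repository:
    name: 'newrelic-infra'
    description: New Relic Infrastructure
    baseurl: "https://download.newrelic.com/infrastructure_agent/linux/yum/el/{{ nrinfragent_os_version }}/x86_64"
    gpgcheck: "yes"
    # Signed repodata is not checked on EL5; package signatures still are.
    repo_gpgcheck: "{{ (nrinfragent_os_version == '5') | ternary('no', 'yes') }}"
    gpgkey: https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg
    state: present
  when: nrinfragent_os_name|lower == 'redhat' and ansible_distribution|lower != 'amazon'
  register: setup_agent_repo

- name: setup agent repo reference (zypper)
  zypper_repository:
    name: newrelic-infra
    description: New Relic Infrastructure Agent
    repo: "https://download.newrelic.com/infrastructure_agent/linux/zypp/sles/{{ ansible_distribution_version }}/{{ ansible_machine }}/"
    runrefresh: "yes"
    auto_import_keys: "yes"
    # Signature checking stays disabled by default to preserve the role's
    # previous behaviour. Set nrinfragent_zypper_disable_gpg_check: "no" once
    # you have confirmed the repository is signed with the key imported above.
    disable_gpg_check: "{{ nrinfragent_zypper_disable_gpg_check | default('yes') }}"
  when: nrinfragent_os_name|lower == 'suse'
  register: infra_agent_zypper_repo

# Force the first metadata fetch so yum imports the repo GPG key before the
# package install. "args: warn" was dropped: it only silenced a lint-style
# warning on old Ansible and is rejected by current ansible-core.
- name: run make cache to actually import gpg key
  command: "yum -q makecache -y --disablerepo='*' --enablerepo='newrelic-infra'"
  when:
    - nrinfragent_os_name|lower == 'redhat'
    - setup_agent_repo is changed or setup_agent_repo_amazon is changed
  tags:
    - skip_ansible_lint

- name: install agent
  package:
    name: "newrelic-infra"
    state: "{{ nrinfragent_state }}"
  when: nrinfragent_os_name|lower != 'windows'

- name: install integrations
  package:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  with_items: "{{ nrinfragent_integrations }}"
  when: nrinfragent_os_name|lower != 'windows'

# The rendered file carries the license key, hence the root-only mode.
- name: setup agent config
  template:
    src: newrelic-infra.yml.j2
    dest: /etc/newrelic-infra.yml
    mode: 0600
  notify: restart newrelic-infra
  when:
    - nrinfragent_state != "absent"
    - nrinfragent_os_name|lower != 'windows'

- name: setup agent service
  service:
    name: newrelic-infra
    state: "{{ nrinfragent_service_state }}"
    enabled: "{{ nrinfragent_service_enabled }}"
  when:
    - nrinfragent_state != "absent"
    - nrinfragent_os_name|lower != 'windows'
--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/tasks/install_targz.yml:
--------------------------------------------------------------------------------
---
# Tarball install path, selected by defining nrinfragent_tarball_version.

- name: validate agent tarball required variables
  fail:
    msg: "Required variable {{ item }} has not been provided or it's null"
  when: vars[item] is undefined or not vars[item]
  loop:
    - nrinfragent_tarball_version

# The archive's installer.sh runs as root below, so its integrity matters:
# nrinfragent_tarball_url is HTTPS and nrinfragent_tarball_checksum (optional,
# empty means no check) pins the exact artifact.
- name: downloading bundled agent file
  get_url:
    url: "{{ nrinfragent_tarball_url }}"
    dest: "{{ nrinfragent_tarball_download_dir }}/newrelic-infra_linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}.tar.gz"
    checksum: "{{ nrinfragent_tarball_checksum | default('') }}"

- name: create agent destination directory
  file:
    path: "{{ nrinfragent_tarball_download_dir }}/newrelic_infra/linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}"
    state: directory
    recurse: true

# "creates" makes this a no-op on re-runs, which in turn skips the installer.
- name: uncompressing bundled agent file
  unarchive:
    src: "{{ nrinfragent_tarball_download_dir }}/newrelic-infra_linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}.tar.gz"
    dest: "{{ nrinfragent_tarball_download_dir }}/newrelic_infra/linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}/"
    remote_src: true
    creates: "{{ nrinfragent_tarball_download_dir }}/newrelic_infra/linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}/newrelic-infra/"
  register: archive_contents

# chdir is derived from nrinfragent_tarball_download_dir; it used to hard-code
# /opt, which broke any override of that variable. NRIA_LICENSE_KEY goes in via
# the environment, so keep in mind that "-vvv" output includes task arguments.
- name: running installer
  command: ./installer.sh
  args:
    chdir: "{{ nrinfragent_tarball_download_dir }}/newrelic_infra/linux_{{ nrinfragent_tarball_version }}_{{ nrinfragent_architecture }}/newrelic-infra/"
  environment:
    NRIA_BIN_DIR: "{{ nrinfragent_tarball_bin_dir | default('') }}"
    NRIA_MODE: "{{ nrinfragent_tarball_mode | default('') }}"
    NRIA_USER: "{{ nrinfragent_tarball_user | default('') }}"
    NRIA_CONFIG_FILE: "{{ nrinfragent_tarball_config_file | default('') }}"
    NRIA_LICENSE_KEY: "{{ nrinfragent_config['license_key'] | default('') }}"
  become: true
  when: archive_contents is changed

# /etc/newrelic-infra.yml holds the license key: make it root-only (matching the
# template-based install path) and keep the loop items, which include the key,
# out of the play output. Values are rendered with Jinja's default string
# conversion; non-scalar values are presumably emitted as their Python repr,
# so verify the file parses if you set any.
- name: save config options to file
  lineinfile:
    path: /etc/newrelic-infra.yml
    regexp: '^{{ item.key }}: '
    line: '{{ item.key }}: {{ item.value }}'
    mode: "0600"
  loop: "{{ nrinfragent_config | dict2items }}"
  no_log: true
  notify: restart newrelic-infra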
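--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Exactly one install path runs: the tarball when a version is pinned,
# otherwise the distribution's package repositories.
- name: installation from tarball package
  import_tasks: install_targz.yml
  when: nrinfragent_tarball_version is defined

- name: install from standard distribution packages
  import_tasks: install_dist_pkgs.yml
  when: nrinfragent_tarball_version is undefined
--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/templates/newrelic-infra.yml.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Generated by Ansible role {{ ansible_role_name }}

{# Print out all the configuration options. This includes license_key, which is
   why the task rendering this template writes the file with mode 0600. #}
{{ nrinfragent_config | to_nice_yaml }}

{# For backward compatibility, the license key will be written if it is defined.
   If nrinfragent_config also carries license_key the file ends up with the key
   twice; set only one of the two. #}
{% if nrinfragent_license_key is defined %}
license_key: {{ nrinfragent_license_key }}
{% endif %}
--------------------------------------------------------------------------------
/roles/newrelic.newrelic-infra/vars/main.yml:
--------------------------------------------------------------------------------
---
nrinfragent_os_name: "{{ ansible_os_family }}"
# ansible_lsb is only populated when an lsb_release tool is present (the role
# installs one on RedHat but not elsewhere); fall back to the distribution
# facts so an empty ansible_lsb no longer aborts the play.
nrinfragent_os_version: "{{ ansible_lsb.major_release | default(ansible_distribution_major_version) }}"
nrinfragent_os_codename: "{{ ansible_lsb.codename | default(ansible_distribution_release) }}"
# Map the fact's architecture names onto New Relic's download naming; any
# other architecture is passed through unchanged.
nrinfragent_architecture: "{{ {'x86_64': 'amd64', 'i386': '386'}[ansible_architecture] | default(ansible_architecture) }}"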