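# Proxmox provisioning. Every task in this section is gated on proxmox_password,
# which is only set when the target host carries a proxmox_var definition, the
# hypervisor name (vm_host) and a PROXMOX_PASSWORD_<node> variable exists in the
# controller's environment. The vm_host/proxmox_var.host values are split on "."
# to derive the short node name used in the variable name and in the API calls.
- name: set proxmox password
  set_fact:
    proxmox_password: "{{ lookup('env', 'PROXMOX_PASSWORD_' + proxmox_var.host.split('.')[0]) }}"
  # set_fact values are echoed in verbose/debug output; this one is a credential,
  # so keep it out of the log.
  no_log: true
  when: proxmox_var is defined and vm_host is defined and lookup('env', 'PROXMOX_PASSWORD_' + proxmox_var.host.split('.')[0])

# Template cache on the controller (local_action, no privilege escalation): an
# appliance template is fetched once here and then pushed to each Proxmox node.
- name: init cache/templates/
  local_action:
    module: file
    path: "cache/templates/"
    state: directory
    force: false
    mode: "0755"
  when: proxmox_password is defined
  become: false

- name: check if proxmox template downloaded
  local_action:
    module: stat
    path: "cache/templates/{{ proxmox_var.ostemplate }}"
  register: template_downloaded
  when: proxmox_password is defined
  become: false

# Only LXC guests (kvm unset or 0) use an appliance template; KVM guests are
# cloned from an existing VM template (see "create VM" below).
# NOTE(review): the image is fetched over plain HTTP and its expected sha512
# (the .aplinfo file) comes over the same channel, so the check below catches
# corruption but not an on-path substitution; prefer https if the mirror
# supports it.
- name: download proxmox template
  local_action:
    module: get_url
    dest: "cache/templates/{{ item }}"
    url: "http://download.proxmox.com/images/system/{{ item }}"
    mode: "0644"
  with_items:
    - "{{ proxmox_var.ostemplate }}"
    # the .aplinfo name is the template name minus its last two extensions
    - "{{ '.'.join(proxmox_var.ostemplate.split('.')[0:-2]) + '.aplinfo' }}"
  when: proxmox_password is defined and not template_downloaded.stat.exists and (proxmox_var.kvm is not defined or proxmox_var.kvm == 0)
  register: download_template
  become: false

# Compare the digest of the downloaded image with the one published in its
# .aplinfo. The comparison is an exact string match and an empty expected value
# is rejected, so a truncated or unreadable .aplinfo fails the task instead of
# matching vacuously. Paths are shell-quoted by the `quote` filter itself, so
# they are not wrapped in extra quotes here.
- name: check template sha512sum
  local_action:
    module: shell
    _raw_params: >-
      expected=$(grep 'sha512sum:' {{ ('cache/templates/' + '.'.join(proxmox_var.ostemplate.split('.')[0:-2]) + '.aplinfo') | quote }} | head -n 1 | cut -d' ' -f2) &&
      actual=$(sha512sum {{ ('cache/templates/' + proxmox_var.ostemplate) | quote }} | cut -d' ' -f1) &&
      [ -n "$expected" ] && [ "$expected" = "$actual" ]
  when: proxmox_password is defined and download_template.changed
  become: false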
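# Push the cached appliance template to the node's "local" storage; the
# proxmox_* modules talk to the Proxmox API from the controller as ansible@pve.
- name: send proxmox template
  local_action:
    module: proxmox_template
    timeout: 60
    api_host: "{{ proxmox_var.host }}"
    api_user: "ansible@pve"
    api_password: "{{ proxmox_password }}"
    node: "{{ vm_host.split('.')[0] }}"
    src: "cache/templates/{{ proxmox_var.ostemplate }}"
    storage: "local"
  when: proxmox_password is defined and (proxmox_var.kvm is not defined or proxmox_var.kvm == 0)
  become: false

# Create the LXC container. The root password is generated (or re-read) by the
# password lookup and persisted as a plain file under credentials/proxmox/ on the
# controller, so that directory must stay out of version control and readable
# only by the operator. The SSH public key is read from the file named by the
# PROXMOX_SSHPUBKEY environment variable. Containers are created unprivileged.
- name: create container
  local_action:
    module: proxmox
    timeout: 240
    api_host: "{{ proxmox_var.host }}"
    api_user: "ansible@pve"
    api_password: "{{ proxmox_password }}"
    cores: "{{ proxmox_var.cpus }}"
    cpus: "{{ proxmox_var.cpus }}"
    disk: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }}"
    hostname: "{{ inventory_hostname }}"
    netif: "{{ proxmox_var.netif }}"
    memory: "{{ proxmox_var.memory }}"
    node: "{{ vm_host.split('.')[0] }}"
    onboot: true
    ostemplate: "local:vztmpl/{{ proxmox_var.ostemplate }}"
    password: "{{ lookup('password', 'credentials/proxmox/' + inventory_hostname) }}"
    pubkey: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}"
    state: present
    storage: "{{ proxmox_var.storage }}"
    swap: "{{ proxmox_var.swap }}"
    unprivileged: true
    vmid: "{{ proxmox_var.vmid }}"
  when: proxmox_password is defined and (proxmox_var.kvm is not defined or proxmox_var.kvm == 0)
  register: create_ct
  become: false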
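# To create kvm template (run once on the Proxmox node):
# wget http://cloud.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2
# (verify the image against the SHA512SUMS file published next to it before importing)
# qm create 9000 --name debian-12-genericcloud-amd64 --net0 virtio,bridge=vmbr0 --net1 virtio,bridge=vmbr1,firewall=1
# qm importdisk 9000 debian-12-genericcloud-amd64.qcow2 local-zfs
# qm set 9000 --scsihw virtio-scsi-pci --scsi0 local-zfs:vm-9000-disk-0
# qm set 9000 --ide2 local-zfs:cloudinit
# qm set 9000 --boot c --bootdisk scsi0
# qm set 9000 --serial0 socket --vga serial0
# qm template 9000

# KVM guests (kvm == 1) are cloned from the template named in
# proxmox_var.ostemplate and configured through cloud-init: the root password
# comes from the same credentials/proxmox/<host> file as for containers and the
# SSH key from the file named by PROXMOX_SSHPUBKEY.
- name: create VM
  local_action:
    module: proxmox_kvm
    timeout: 240
    api_host: "{{ proxmox_var.host }}"
    api_user: "ansible@pve"
    api_password: "{{ proxmox_password }}"
    cipassword: "{{ lookup('password', 'credentials/proxmox/' + inventory_hostname) }}"
    ciuser: "root"
    clone: "{{ proxmox_var.ostemplate }}"
    cores: "{{ proxmox_var.cpus }}"
    cpulimit: "{{ proxmox_var.cpus }}"
    name: "{{ inventory_hostname }}"
    net: "{{ proxmox_var.net }}"
    newid: "{{ proxmox_var.vmid }}"
    ipconfig: "{{ proxmox_var.ipconfig }}"
    memory: "{{ proxmox_var.memory }}"
    node: "{{ vm_host.split('.')[0] }}"
    onboot: true
    ostype: "l26"
    scsi:
      scsi0: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }},format=raw"
    sshkeys: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}"
    state: present
  when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1)
  register: create_vm
  become: false

# Re-apply the same settings on every run (update: true) so that changes to
# proxmox_var are pushed to an already-existing VM; no clone here.
- name: update VM config
  local_action:
    module: proxmox_kvm
    timeout: 240
    api_host: "{{ proxmox_var.host }}"
    api_user: "ansible@pve"
    api_password: "{{ proxmox_password }}"
    cipassword: "{{ lookup('password', 'credentials/proxmox/' + inventory_hostname) }}"
    ciuser: "root"
    cores: "{{ proxmox_var.cpus }}"
    cpulimit: "{{ proxmox_var.cpus }}"
    name: "{{ inventory_hostname }}"
    net: "{{ proxmox_var.net }}"
    ipconfig: "{{ proxmox_var.ipconfig }}"
    memory: "{{ proxmox_var.memory }}"
    node: "{{ vm_host.split('.')[0] }}"
    onboot: true
    ostype: "l26"
    scsi:
      scsi0: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }},format=raw"
    sshkeys: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}"
    state: present
    update: true
  when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1)
  become: false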
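# Container features are set with `pct` directly on the hypervisor (delegate_to
# vm_host, privileged). Both features widen what the guest may do with the host
# kernel, so keyctl is only enabled for hosts that declare proxmox_var.docker.
- name: enable nesting support on container, required for systemd
  command: "pct set {{ proxmox_var.vmid }} --features nesting=1"
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and (proxmox_var.docker is not defined or not proxmox_var.docker) and (proxmox_var.kvm is not defined or proxmox_var.kvm == 0)
  become: true

- name: enable docker support on container (keyctl + nesting)
  command: "pct set {{ proxmox_var.vmid }} --features keyctl=1,nesting=1"
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and proxmox_var.docker is defined and proxmox_var.docker and (proxmox_var.kvm is not defined or proxmox_var.kvm == 0)
  become: true

- name: start container
  local_action:
    module: proxmox
    api_host: "{{ proxmox_var.host }}"
    api_user: "ansible@pve"
    api_password: "{{ proxmox_password }}"
    state: started
    vmid: "{{ proxmox_var.vmid }}"
  when: proxmox_password is defined and (proxmox_var.kvm is not defined or proxmox_var.kvm == 0)
  become: false

- name: start VM
  local_action:
    module: proxmox_kvm
    api_host: "{{ proxmox_var.host }}"
    api_user: "ansible@pve"
    api_password: "{{ proxmox_password }}"
    state: started
    vmid: "{{ proxmox_var.vmid }}"
  when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1)
  become: false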
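# IPv6 reachability of a freshly created guest: the hypervisor proxies neighbour
# discovery for the guest's address on its other bridge. Which bridge pair is
# used depends on the hypervisor (matched by name); the interfaces_file tasks
# persist the rule as a post-up hook, the raw tasks apply it right away. All of
# them only run on the play where the guest was actually created.
- name: persist ipv6 neighbour proxy on vmbr0 (osm26/osm27)
  interfaces_file:
    iface: vmbr0
    address_family: inet6
    option: "post-up"
    value: "/sbin/ip -f inet6 neigh add proxy {{ proxmox_var.ipv6 }} dev vmbr1"
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed) and vm_host | regex_search('osm2[67].openstreetmap.fr')
  become: true

- name: apply ipv6 neighbour proxy on vmbr1 (osm26/osm27)
  raw: "/sbin/ip -f inet6 neigh add proxy {{ proxmox_var.ipv6 }} dev vmbr1 "
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed) and vm_host | regex_search('osm2[67].openstreetmap.fr')
  become: true

- name: persist ipv6 neighbour proxy on vmbr1 (osm11-osm13)
  interfaces_file:
    iface: vmbr1
    address_family: inet6
    option: "post-up"
    value: "/sbin/ip -f inet6 neigh add proxy {{ proxmox_var.ipv6 }} dev vmbr0"
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed) and vm_host | regex_search('osm1[123].openstreetmap.fr')
  become: true

- name: persist ipv6 neighbour proxy on vmbr2 (osm14)
  interfaces_file:
    iface: vmbr2
    address_family: inet6
    option: "post-up"
    value: "/sbin/ip -f inet6 neigh add proxy {{ proxmox_var.ipv6 }} dev vmbr0"
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed) and vm_host | regex_search('osm14.openstreetmap.fr')
  become: true

- name: apply ipv6 neighbour proxy on vmbr0 (osm11-osm14)
  raw: "/sbin/ip -f inet6 neigh add proxy {{ proxmox_var.ipv6 }} dev vmbr0 "
  delegate_to: "{{ vm_host }}"
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed) and vm_host | regex_search('osm1[1234].openstreetmap.fr')
  become: true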
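# Both tasks run once, on the controller, and iterate over every host of the
# play so the operator's ~/.ssh/config and known_hosts learn the new guests.
# NOTE(review): play_hosts is the deprecated name of ansible_play_hosts.
- name: add VM to .ssh/config
  run_once: true
  local_action:
    module: blockinfile
    path: "~/.ssh/config"
    backup: true
    marker: "# {mark} ANSIBLE MANAGED for vm {{ item }}"
    block: |
      Host {{ item }}
      Hostname {{ hostvars[item].proxmox_var.ipv6 }}
  with_items: '{{ play_hosts }}'
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed)
  become: false

# The host key is read from the guest itself with ssh-keyscan right after
# creation (trust on first use); it is only as trustworthy as the network path
# between the controller and the new guest at that moment.
- name: add ssh key to known_hosts
  run_once: true
  local_action:
    module: known_hosts
    name: "{{ hostvars[item].proxmox_var.ipv6 }}"
    # The command line is built by string concatenation: a nested "{{ }}" inside
    # a lookup argument is a literal for the Jinja engine and is not reliably
    # expanded a second time.
    key: "{{ lookup('pipe', 'ssh-keyscan ' + hostvars[item].proxmox_var.ipv6) }}"
  with_items: '{{ play_hosts }}'
  when: proxmox_password is defined and (create_ct.changed or create_vm.changed)
  become: false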
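# Bootstrap: raw runs over plain SSH without a Python interpreter on the target,
# which lets python3-apt be installed before any apt module is used. Facts are
# then gathered explicitly, so the play can run with gather_facts disabled.
# NOTE(review): on a host without apt-get the `[ -e ... ]` test exits 1 and the
# task fails; append `|| true` if non-apt hosts are expected in this play.
- name: apt-get update
  raw: "[ -e /usr/bin/apt-get ] && apt-get update"

- name: bootstrap python3-apt package
  raw: "[ -e /usr/bin/apt-get ] && apt-get -y install python3-apt"

- name: Gathering facts
  setup:

# disabling atopacct, as it breaks apt-get install atop: the unit is masked by
# linking it to /dev/null on the affected releases.
- name: Disable atopacct
  file:
    state: link
    src: "/dev/null"
    path: "/etc/systemd/system/atopacct.service"
  when: >-
    (ansible_distribution == 'Debian' and ansible_distribution_major_version in ['8', '9', '10'])
    or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version in ['17', '18', '20'])

# Default used by the apache2 tasks below when the inventory does not set it.
- name: default install_apache to false
  set_fact:
    install_apache: false
  when: install_apache is undefined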
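# Base package set. apt verifies the repository signatures, so the plain-http
# Debian mirror used for backports does not weaken integrity of what is installed.
- name: add backports
  apt_repository:
    filename: 'backports'
    repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main'
    state: present
    update_cache: true
  when: ansible_distribution_release in ['buster', 'bullseye']

- name: install base packages
  apt:
    update_cache: true
    pkg:
      - python3
      - python3-apt
      - acl
      - bash-completion
      - ca-certificates
      - curl
      - etckeeper
      - fail2ban
      - git
      - gnupg
      - htop
      - lftp
      - locales
      - logrotate
      - lsb-release
      - mc  # Midnight Commander
      - munin-node
      - mutt
      - nano
      - screen
      - sudo
      - time
      - vim-nox
      - wget

# python-is-python3 does not exist on buster
- name: install package python-is-python3
  apt:
    update_cache: true
    pkg:
      - python-is-python3
  when: ansible_distribution_release != "buster"

- name: install Ubuntu language pack
  apt:
    pkg:
      - language-pack-en-base
  when: ansible_distribution == 'Ubuntu'

- name: install packages for apache2
  apt:
    pkg:
      - apache2
      - libwww-perl  # for apache's munin plugin
  when: install_apache

- name: remove locate/mlocate packages
  apt:
    state: absent
    pkg:
      - locate
      - mlocate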
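# Docker engine, only for hosts that declare proxmox_var.docker. The signing key
# is pinned by sha512 so a changed key fails loudly instead of being trusted
# silently, and the repository is restricted to that key with signed-by.
- name: download docker apt key
  get_url:
    url: "https://download.docker.com/linux/debian/gpg"
    dest: "/usr/share/keyrings/docker-archive-keyring.gpg.tmp"
    checksum: "sha512:d07607e3119181026e3309fb828882a13621960c54290416c2f897e1834f36abdb48d11b6f71aba1d2b9e7dac3f3fe8281c248500cfe13705674a5446826b699"
    mode: "0644"
  when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker

# the armored key is converted once; `creates` makes the task idempotent
- name: activate docker apt key
  command: "gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg /usr/share/keyrings/docker-archive-keyring.gpg.tmp"
  args:
    creates: "/usr/share/keyrings/docker-archive-keyring.gpg"
  when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker

- name: add repository for docker
  apt_repository:
    filename: 'docker'
    repo: 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    state: present
    update_cache: true
  when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker and ansible_distribution_release == "bullseye"

- name: remove obsolete docker packages
  apt:
    state: absent
    pkg:
      - docker
      - docker-engine
      - docker.io
      - containerd
      - runc
  when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker

- name: install docker packages
  apt:
    pkg:
      - docker-ce
      - docker-ce-cli
      - containerd.io
  when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker

# Physical hosts only (not members of the "vm" group).
- name: install sensors package
  apt:
    pkg:
      - lm-sensors  # for sensors's munin plugin
  notify:
    - detect sensors
  when: not 'vm' in group_names

- name: install package for hosts
  apt:
    pkg:
      - molly-guard
  when: not 'vm' in group_names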
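- name: init /data/ paths
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    force: false
    mode: "0755"
  with_items:
    - /data
    - /data/project
    - /data/work

# Both sudoers drop-ins are syntax-checked with visudo before being moved into
# place, so a broken template cannot lock everyone out of sudo.
- name: add default sudoers
  copy:
    src: sudoers
    dest: /etc/sudoers.d/ansible-common
    mode: "0440"
    owner: root
    group: root
    validate: 'visudo -cf %s'

# Collect every variable whose name starts with group_users_root (one per group
# the host belongs to) into a single flat list for the sudoers template.
- name: merge group_users_root lists
  set_fact:
    group_users_root: "{{ q('vars', *q('varnames', '^group_users_root')) | flatten }}"

- name: add sudoers for users
  template:
    src: sudoers-users
    dest: /etc/sudoers.d/ansible-common-users
    mode: "0440"
    owner: root
    group: root
    validate: 'visudo -cf %s'
  when: users_root is defined or group_users_root is defined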
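# Keep Proxmox's volatile cluster state and its private cluster key out of the
# etckeeper repository in /etc.
- name: Configure .gitignore for etckeeper
  blockinfile:
    path: /etc/.gitignore
    block: |
      pve/.clusterlog
      pve/.rrd
      pve/.vmlist
      pve/authkey.pub
      pve/local
      pve/lxc
      pve/nodes/*/lrm_status
      pve/openvz
      pve/priv/authkey.key
      pve/qemu-server
  when: "'proxmox' in group_names"
  register: gitignore_status

# Files that are already tracked are not affected by a new ignore rule, so they
# are dropped from the index and the cleanup is committed in one go.
- name: Remove new gitignore items from tracking
  shell: |
    git rm -r --quiet --cached $(git ls-files -i -c --exclude-from=.gitignore)
    git add .gitignore
    git commit -m "Cleanup git-ignore files"
  args:
    chdir: /etc/
  when: "'proxmox' in group_names and gitignore_status.changed"

# TCP wrappers allow-list for sshd. The loopback entry is matched on the
# address; the host and domain entries are matched on the client's reverse DNS
# name, so they are only as reliable as the DNS the host resolves against.
- name: update hosts.allow
  lineinfile:
    dest: /etc/hosts.allow
    regexp: '^{{ item }}$'
    line: '{{ item }}'
  with_items:
    - 'sshd: 127.0.0.1'
    - 'sshd: stmaur.cquest.org'  # Christian
    - 'sshd: .openstreetmap.fr'  # other machines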
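# Locales: Debian lists them in /etc/locale.gen, Ubuntu in
# /var/lib/locales/supported.d/local; both paths notify the same handler.
- name: configure locales (Debian)
  lineinfile:
    dest: /etc/locale.gen
    regexp: "{{ item }}"
    line: "{{ item }}"
  notify:
    - generate locales
  with_items:
    - en_GB.UTF-8 UTF-8
    - en_US.UTF-8 UTF-8
    - fr_FR.UTF-8 UTF-8
  when: ansible_distribution == 'Debian'

# create the file once (force: false) so lineinfile has something to edit
- name: create locales file (Ubuntu)
  copy:
    content: ""
    dest: /var/lib/locales/supported.d/local
    force: false
    owner: root
    mode: "0644"
  when: ansible_distribution == 'Ubuntu'

- name: configure locales (Ubuntu)
  lineinfile:
    dest: /var/lib/locales/supported.d/local
    regexp: "{{ item }}"
    line: "{{ item }}"
  notify:
    - generate locales
  with_items:
    - en_GB.UTF-8 UTF-8
    - en_US.UTF-8 UTF-8
    - fr_FR.UTF-8 UTF-8
  when: ansible_distribution == 'Ubuntu'

- name: select default locale
  debconf:
    name: locales
    question: locales/default_environment_locale
    value: en_US.UTF-8
    vtype: select
  notify:
    - generate locales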
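# configure lxcfs so that VMs get their own load-average (proxmox hosts only);
# the override file itself is shipped as systemd-lxfs-override.conf.
- name: create systemd override directory for lxcfs
  file:
    path: '/etc/systemd/system/lxcfs.service.d'
    state: directory
    mode: "0755"
  notify:
    - systemd daemon-reload
  when: "'proxmox' in group_names"

- name: configure systemd override for lxcfs
  copy:
    src: 'systemd-lxfs-override.conf'
    dest: '/etc/systemd/system/lxcfs.service.d/override.conf'
    owner: root
    group: root
    mode: "0644"
  notify:
    - systemd daemon-reload
  when: "'proxmox' in group_names"

# An empty dataset with a reservation holds 20G back from the rest of rpool,
# presumably so the pool cannot be filled to 100% by guests (verify with the
# storage owner before changing the size).
- name: Add ZFS reservation on /rpool
  community.general.zfs:
    name: rpool/reservation
    state: present
    extra_zfs_properties:
      reservation: 20G
  when: "'proxmox' in group_names"

# Sub-task files. include_tasks is evaluated at runtime (so its `when` applies
# to the include itself); import_tasks is static and always pulled in.
- name: set up the ssh-tunnel account
  ansible.builtin.include_tasks: ssh-tunnel.yml
  vars:
    user: "ssh-tunnel"
    uid: "1104"
  when: "'ssh-tunnel' in group_names"

- name: apache2 configuration
  ansible.builtin.import_tasks: apache2.yml

- name: nginx configuration
  ansible.builtin.import_tasks: nginx.yml

- name: munin-node configuration
  ansible.builtin.import_tasks: munin-node.yml

- name: sysstat configuration (proxmox hosts)
  ansible.builtin.include_tasks: sysstat.yml
  when: "'proxmox' in group_names"

- name: sysctl configuration (proxmox hosts)
  ansible.builtin.include_tasks: sysctl.yml
  when: "'proxmox' in group_names"

- name: ntp configuration (physical hosts)
  ansible.builtin.include_tasks: ntp.yml
  when: "not 'vm' in group_names"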