M roles/containers/calckey/defaults/main.yml => roles/containers/calckey/defaults/main.yml +2 -2
@@ 1,9 1,9 @@
---
-calckey_project_dir: "world"
+calckey_project_dir: world
calckey_port: "4753"
calckey_open: "false"
calckey_domain: "{{ calckey_project_dir }}.ccw.icu"
calckey_postgres_pass: ""
calckey_postgres_user: ""
calckey_sonic_pass: ""
-calckey_id: "aid"
+calckey_id: aid
M roles/containers/calckey/tasks/caddy.yml => roles/containers/calckey/tasks/caddy.yml +9 -7
@@ 2,23 2,25 @@
- name: Make sure calckey-caddy reverse proxy config exists
become: true
vars:
- domain: "{{ calckey_domain }}"
- port: "{{ calckey_port }}"
- template:
+ project_domain: "{{ calckey_domain }}"
+ project_port: "{{ calckey_port }}"
+ ansible.builtin.template:
src: ../../../network/caddy/templates/reverse-proxy.template
+ mode: "0644"
dest: /etc/caddy/calckey
validate: caddy validate --adapter caddyfile --config %s
- name: Make sure caddy links to the calckey config
become: true
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/caddy/Caddyfile
- search_string: "^import /etc/caddy/calckey"
- line: "import /etc/caddy/calckey"
+ search_string: ^import /etc/caddy/calckey
+ mode: "0644"
+ line: import /etc/caddy/calckey
validate: caddy validate --adapter caddyfile --config %s
- name: Restart caddy
become: true
- service:
+ ansible.builtin.service:
name: caddy
state: restarted
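Review bot: `search_string: ^import /etc/caddy/calckey` on the lineinfile task is a literal substring match, not a regular expression, so the leading `^` means it never matches any line; the task appears to stay idempotent only through lineinfile's exact-line fallback, and an existing variant of the import line (different spacing, a commented-out copy) would be left in place with the new line appended after it. Switching the key makes the anchor meaningful: `regexp: ^import /etc/caddy/calckey`. The same literal-anchor pattern appears in the uptime-kuma and woodpecker-ci caddy.yml hunks and in system/tasks/docker.yml (`^tun$`, `^{{ username }}:{{ docker_subid }}`) and system/tasks/shell.yml. Separately, the Restart caddy task in this file has no `when:` guard, unlike the uptime-kuma and woodpecker-ci versions that register both config tasks and restart only on change, so caddy is restarted on every run here.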
M roles/containers/calckey/tasks/main.yml => roles/containers/calckey/tasks/main.yml +4 -2
@@ 1,3 1,5 @@
---
-- include_tasks: setup.yml
-- include_tasks: caddy.yml
+- name: Setup calckey docker images
+ ansible.builtin.include_tasks: setup.yml
+- name: Setup calckey reverse proxy
+ ansible.builtin.include_tasks: caddy.yml
M roles/containers/calckey/tasks/setup.yml => roles/containers/calckey/tasks/setup.yml +20 -28
@@ 1,83 1,75 @@
---
-- name: Ensure calckey-project-dir "{{ calckey_project_dir }}" exists
- file:
+- name: Ensure calckey-project-dir exists
+ ansible.builtin.file:
path: "{{ container_dir }}/{{ calckey_project_dir }}"
state: directory
+ mode: "0777"
recurse: true
# Copy config files
- name: Ensure calckey config directory exists
- file:
+ ansible.builtin.file:
path: "{{ container_dir }}/{{ calckey_project_dir }}/.config"
+ mode: "0777"
state: directory
recurse: true
- name: Copy calckey config to the project dir
- template:
+ ansible.builtin.template:
src: calckey.conf
+ mode: "0777"
dest: "{{ container_dir }}/{{ calckey_project_dir }}/.config/default.yml"
- name: Copy sonic config to the project dir
- template:
+ ansible.builtin.template:
src: sonic.conf
+ mode: "0777"
dest: "{{ container_dir }}/{{ calckey_project_dir }}/sonic.cfg"
# Setup docker images
- name: Setup calckey redis
- docker_container:
+ community.docker.docker_container:
name: calckey_redis
image: docker.io/redis:7.0-alpine
restart_policy: unless-stopped
volumes:
- - "{{ container_dir }}\
- /{{ calckey_project_dir }}\
- /redis:/data"
+ - "{{ container_dir }}/{{ calckey_project_dir }}/redis:/data"
- name: Setup calckey db
- docker_container:
+ community.docker.docker_container:
name: calckey_db
restart_policy: unless-stopped
image: docker.io/postgres:12.2-alpine
volumes:
- - "{{ container_dir }}\
- /{{ calckey_project_dir }}\
- /db:/var/lib/postgresql/data"
+ - "{{ container_dir }}/{{ calckey_project_dir }}/db:/var/lib/postgresql/data"
links:
- calckey_redis
env:
POSTGRES_PASSWORD: "{{ calckey_postgres_pass }}"
POSTGRES_USER: "{{ calckey_postgres_user }}"
- POSTGRES_DB: "calckey"
+ POSTGRES_DB: calckey
- name: Setup calckey sonic
- docker_container:
+ community.docker.docker_container:
name: calckey_sonic
restart_policy: unless-stopped
image: docker.io/valeriansaliou/sonic:v1.4.0
volumes:
- - "{{ container_dir }}\
- /{{ calckey_project_dir }}\
- /sonic:/var/lib/sonic/store"
- - "{{ container_dir }}\
- /{{ calckey_project_dir }}\
- /sonic.cfg:/etc/sonic.cfg"
+ - "{{ container_dir }}/{{ calckey_project_dir }}/sonic:/var/lib/sonic/store"
+ - "{{ container_dir }}/{{ calckey_project_dir }}/sonic.cfg:/etc/sonic.cfg"
links:
- calckey_db
- name: Setup calckey web
- docker_container:
+ community.docker.docker_container:
name: calckey_web
restart_policy: unless-stopped
image: codeberg.org/comcloudway/firefish-docker:latest
ports:
- "{{ calckey_port }}:3000"
volumes:
- - "{{ container_dir }}\
- /{{ calckey_project_dir }}\
- /files:/firefish/files"
- - "{{ container_dir }}\
- /{{ calckey_project_dir }}\
- /.config:/firefish/.config:ro"
+ - "{{ container_dir }}/{{ calckey_project_dir }}/files:/firefish/files"
+ - "{{ container_dir }}/{{ calckey_project_dir }}/.config:/firefish/.config:ro"
links:
- calckey_sonic
- calckey_db
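Review bot: `mode: "0777"` on the project dir, the .config dir and the two rendered config files makes them world-writable, and because the directory tasks also set `recurse: true`, later runs apply 0777 to everything already under `{{ container_dir }}/{{ calckey_project_dir }}`, including the redis, db and sonic data directories. Any local user could then rewrite default.yml or sonic.cfg, which are rendered in a role whose defaults carry `calckey_postgres_pass` and `calckey_sonic_pass`, so they presumably hold those credentials; PostgreSQL also refuses to start when its data directory is group- or world-accessible, so the recursive chmod of `db` is likely to break the database the next time that container restarts. Prefer `mode: "0755"` on the directories and `mode: "0640"` on the two templated files, and drop `recurse: true` so container-managed data directories keep the permissions their daemons set; if 0777 was chosen to work around rootless-docker uid mapping, setting `owner`/`group` to the mapped uid is the narrower fix.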
M roles/containers/uptime-kuma/defaults/main.yml => roles/containers/uptime-kuma/defaults/main.yml +2 -2
@@ 1,4 1,4 @@
---
-uptime_kuma_project_dir: "status"
+uptime_kuma_project_dir: status
uptime_kuma_port: 3001
-uptime_kuma_domain: "status.ccw.icu"
+uptime_kuma_domain: status.ccw.icu
M roles/containers/uptime-kuma/tasks/caddy.yml => roles/containers/uptime-kuma/tasks/caddy.yml +9 -7
@@ 2,9 2,10 @@
- name: Make sure uptime-kuma-caddy reverse proxy config exists
become: true
vars:
- domain: "{{ uptime_kuma_domain }}"
- port: "{{ uptime_kuma_port }}"
- template:
+ project_domain: "{{ uptime_kuma_domain }}"
+ project_port: "{{ uptime_kuma_port }}"
+ ansible.builtin.template:
+ mode: "0644"
src: ../../../network/caddy/templates/reverse-proxy.template
dest: /etc/caddy/uptime-kuma
validate: caddy validate --adapter caddyfile --config %s
@@ 12,16 13,17 @@
- name: Make sure caddy links to the uptime-kuma config
become: true
- lineinfile:
+ ansible.builtin.lineinfile:
+ mode: "0644"
path: /etc/caddy/Caddyfile
- search_string: "^import /etc/caddy/uptime-kuma"
- line: "import /etc/caddy/uptime-kuma"
+ search_string: ^import /etc/caddy/uptime-kuma
+ line: import /etc/caddy/uptime-kuma
validate: caddy validate --adapter caddyfile --config %s
register: caddyconfig
- name: Restart caddy
become: true
- service:
+ ansible.builtin.service:
name: caddy
state: restarted
when: projectconfig.changed or caddyconfig.changed
M roles/containers/uptime-kuma/tasks/main.yml => roles/containers/uptime-kuma/tasks/main.yml +4 -2
@@ 1,3 1,5 @@
---
-- include_tasks: setup.yml
-- include_tasks: caddy.yml
+- name: Setup uptime-kuma docker images
+ ansible.builtin.include_tasks: setup.yml
+- name: Setup uptime-kuma reverse proxy
+ ansible.builtin.include_tasks: caddy.yml
M roles/containers/uptime-kuma/tasks/setup.yml => roles/containers/uptime-kuma/tasks/setup.yml +4 -7
@@ 1,19 1,16 @@
---
-- name: Ensure woodpecker-project-dir "{{ uptime_kuma_project_dir }}" exists
- file:
+- name: Ensure woodpecker-project-dir exists
+ ansible.builtin.file:
path: "{{ container_dir }}/{{ uptime_kuma_project_dir }}"
state: directory
recurse: true
- name: Setup uptime-kuma
- docker_container:
+ community.docker.docker_container:
name: uptime-kuma
restart_policy: unless-stopped
image: louislam/uptime-kuma:1.22.1-alpine
volumes:
- - "{{ container_dir }}\
- /{{ uptime_kuma_project_dir }}\
- /uptime-kuma-data\
- :/app/data"
+ - "{{ container_dir }}/{{ uptime_kuma_project_dir }}/uptime-kuma-data:/app/data"
ports:
- "{{ uptime_kuma_port }}:3001"
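Review bot: The renamed task at the top of this hunk reads `Ensure woodpecker-project-dir exists` although it lives in the uptime-kuma role and creates `{{ container_dir }}/{{ uptime_kuma_project_dir }}`; the old name carried the same copy-paste slip, and the rename is the moment to fix it. Suggest `- name: Ensure uptime-kuma-project-dir exists`, matching the `Setup uptime-kuma` naming of the container task below.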
M roles/containers/wireguard/defaults/main.yml => roles/containers/wireguard/defaults/main.yml +6 -6
@@ 1,10 1,10 @@
---
-wireguard_domain: "vpn.ccw.icu"
-wireguard_project_dir: "vpn"
+wireguard_domain: vpn.ccw.icu
+wireguard_project_dir: vpn
wireguard_port: "51820"
wireguard_peers:
- default
-wireguard_timezone: "Europe/London"
-wireguard_bridge_subnet: "149.102.148.89/21"
-wireguard_bridge_gateway: "149.102.144.1"
-wireguard_bridge_parent: "eth0"
+wireguard_timezone: Europe/London
+wireguard_bridge_subnet: 149.102.148.89/21
+wireguard_bridge_gateway: 149.102.144.1
+wireguard_bridge_parent: eth0
A roles/containers/wireguard/handlers/main.yml => roles/containers/wireguard/handlers/main.yml +6 -0
@@ 0,0 1,6 @@
+---
+- name: Restart nftables
+ become: true
+ ansible.builtin.service:
+ name: nftables
+ state: restarted
M roles/containers/wireguard/tasks/config.yml => roles/containers/wireguard/tasks/config.yml +2 -8
@@ 1,16 1,10 @@
---
- name: Wait for peer config to be generated
ansible.builtin.wait_for:
- path: "{{ container_dir }}\
- /{{ wireguard_project_dir }}\
- /config\
- /peer_{{ item }}/peer_{{ item }}.conf"
+ path: "{{ container_dir }}/{{ wireguard_project_dir }}/config/peer_{{ item }}/peer_{{ item }}.conf"
loop: "{{ wireguard_peers }}"
- name: Fetch peer config
ansible.builtin.fetch:
dest: ./output
- src: "{{ container_dir }}\
- /{{ wireguard_project_dir }}\
- /config\
- /peer_{{ item }}/peer_{{ item }}.conf"
+ src: "{{ container_dir }}/{{ wireguard_project_dir }}/config/peer_{{ item }}/peer_{{ item }}.conf"
loop: "{{ wireguard_peers }}"
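Review bot: The fetch task copies `peer_{{ item }}/peer_{{ item }}.conf` to `./output` on the controller, and peer configs generated by the linuxserver/wireguard image normally contain the peer's `PrivateKey`, so the rewritten `src` path is pulling key material into the playbook's working directory. Nothing in the hunk says where that directory lives relative to the repository; it is worth either a comment such as `# Peer configs contain private keys; ./output must stay out of version control` or a `dest` outside the checkout. Both tasks are fully visible in this hunk.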
M roles/containers/wireguard/tasks/main.yml => roles/containers/wireguard/tasks/main.yml +6 -3
@@ 1,4 1,7 @@
---
-- include_tasks: setup.yml
-- include_tasks: network.yml
-- include_tasks: config.yml
+- name: Setup wireguard docker images
+ ansible.builtin.include_tasks: setup.yml
+- name: Configure firewall for wireguard
+ ansible.builtin.include_tasks: network.yml
+- name: Copy generated wireguard device config
+ ansible.builtin.include_tasks: config.yml
M roles/containers/wireguard/tasks/network.yml => roles/containers/wireguard/tasks/network.yml +4 -10
@@ 1,14 1,8 @@
---
- name: Make sure the nftables vpn rule exists
become: true
- template:
- src: ../templates/52_vpn.nft.template
+ ansible.builtin.template:
+ mode: "0644"
+ src: 52_vpn.nft.template
dest: /etc/nftables.d/52_vpn.nft
- register: firewall
-
-- name: Restart nftables
- become: true
- service:
- name: nftables
- state: restarted
- when: firewall.changed
+ notify: Restart nftables
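Review bot: The template task now hands `52_vpn.nft` straight to the `Restart nftables` handler without a `validate:` step, so a rendering error reaches `/etc/nftables.d/` and is only discovered when the restart fails, which can leave the host with a partially loaded ruleset. The caddy tasks in this repository already use the pattern; the equivalent here is `validate: nft -c -f %s`, with the caveat that an included fragment may not check cleanly on its own if it references tables defined in the main nftables config, in which case checking the whole config in the handler before `state: restarted` is the alternative.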
M roles/containers/wireguard/tasks/setup.yml => roles/containers/wireguard/tasks/setup.yml +6 -9
@@ 1,12 1,12 @@
---
-- name: Ensure wireguard-dir "{{ wireguard_project_dir }}" exists
- file:
+- name: Ensure wireguard-dir exists
+ ansible.builtin.file:
path: "{{ container_dir }}/{{ wireguard_project_dir }}"
state: directory
recurse: true
- name: Setup wireguard
- docker_container:
+ community.docker.docker_container:
name: wireguard
image: linuxserver/wireguard:1.0.20210914-alpine
restart_policy: unless-stopped
@@ 17,16 17,13 @@
SERVERURL: "{{ wireguard_domain }}"
SERVERPORT: "{{ wireguard_port }}"
PEERS: "{{ wireguard_peers | join(',') }}"
- INTERNAL_SUBNET: "10.0.0.0"
+ INTERNAL_SUBNET: 10.0.0.0
ALLOWEDIPS: "0.0.0.0/0, ::/0"
- PEERDNS: "1.1.1.1"
+ PEERDNS: 1.1.1.1
ports:
- "{{ wireguard_port }}:{{ wireguard_port }}/udp"
volumes:
- - "{{ container_dir }}\
- /{{ wireguard_project_dir }}\
- /config\
- :/config"
+ - "{{ container_dir }}/{{ wireguard_project_dir }}/config:/config"
mounts:
- source: /lib/modules
target: /lib/modules
M roles/containers/woodpecker-ci/defaults/main.yml => roles/containers/woodpecker-ci/defaults/main.yml +7 -7
@@ 1,15 1,15 @@
---
-woodpecker_project_dir: "ci"
+woodpecker_project_dir: ci
woodpecker_port: "8000"
woodpecker_open: "false"
-woodpecker_domain: "ci.ccw.icu"
-woodpecker_host: "https://{{ woodpecker_domain }}"
-woodpecker_gitea: "https://codeberg.org"
-woodpecker_gitea_client: "changeme"
-woodpecker_gitea_secret: "changeme"
+woodpecker_domain: ci.ccw.icu
+woodpecker_host: https://{{ woodpecker_domain }}
+woodpecker_gitea: https://codeberg.org
+woodpecker_gitea_client: changeme
+woodpecker_gitea_secret: changeme
woodpecker_orgs: ""
woodpecker_admin: "{{ username }}"
woodpecker_repo_owners: "{{ username }}"
-woodpecker_agent_secret: "changeme"
+woodpecker_agent_secret: changeme
woodpecker_max_pipeline_timeout: "1440"
woodpecker_default_pipeline_timeout: "60"
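Review bot: `woodpecker_gitea_client`, `woodpecker_gitea_secret` and `woodpecker_agent_secret` keep the working placeholder `changeme` as role defaults, so a play that forgets to override them deploys a server and agent sharing a guessable secret instead of failing. Making the defaults fail closed is a one-line change per variable, e.g. `woodpecker_agent_secret: "{{ undef(hint='set woodpecker_agent_secret in an inventory vault') }}"` (the `undef` helper needs ansible-core 2.12 or later; on older versions drop the keys from defaults and assert them in setup.yml). The unquoting itself is harmless here since none of the values looks like a number or boolean.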
M roles/containers/woodpecker-ci/tasks/caddy.yml => roles/containers/woodpecker-ci/tasks/caddy.yml +9 -7
@@ 2,26 2,28 @@
- name: Make sure woodpecker-caddy reverse proxy config exists
become: true
vars:
- domain: "{{ woodpecker_domain }}"
- port: "{{ woodpecker_port }}"
- template:
+ project_domain: "{{ woodpecker_domain }}"
+ project_port: "{{ woodpecker_port }}"
+ ansible.builtin.template:
src: ../../../network/caddy/templates/reverse-proxy.template
dest: /etc/caddy/woodpecker
+ mode: "0644"
validate: caddy validate --adapter caddyfile --config %s
register: projectconfig
- name: Make sure caddy links to the woodpecker config
become: true
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/caddy/Caddyfile
- search_string: "^import /etc/caddy/woodpecker"
- line: "import /etc/caddy/woodpecker"
+ mode: "0644"
+ search_string: ^import /etc/caddy/woodpecker
+ line: import /etc/caddy/woodpecker
validate: caddy validate --adapter caddyfile --config %s
register: caddyconfig
- name: Restart caddy
become: true
- service:
+ ansible.builtin.service:
name: caddy
state: restarted
when: caddyconfig.changed or projectconfig.changed
M roles/containers/woodpecker-ci/tasks/main.yml => roles/containers/woodpecker-ci/tasks/main.yml +4 -2
@@ 1,3 1,5 @@
---
-- include_tasks: setup.yml
-- include_tasks: caddy.yml
+- name: Setup woodpecker docker images
+ ansible.builtin.include_tasks: setup.yml
+- name: Setup woodpecker reverse proxy
+ ansible.builtin.include_tasks: caddy.yml
M roles/containers/woodpecker-ci/tasks/setup.yml => roles/containers/woodpecker-ci/tasks/setup.yml +7 -11
@@ 1,22 1,19 @@
---
-- name: Ensure woodpecker-project-dir "{{ woodpecker_project_dir }}" exists
- file:
+- name: Ensure woodpecker-project-dir exists
+ ansible.builtin.file:
path: "{{ container_dir }}/{{ woodpecker_project_dir }}"
state: directory
recurse: true
- name: Setup woodpecker-server
- docker_container:
+ community.docker.docker_container:
name: woodpecker-server
restart_policy: unless-stopped
image: woodpeckerci/woodpecker-server:next-0cf602a1f6-alpine
ports:
- "{{ woodpecker_port }}:8000"
volumes:
- - "{{ container_dir }}\
- /{{ woodpecker_project_dir }}\
- /woodpecker-server-data\
- :/var/lib/woodpecker"
+ - "{{ container_dir }}/{{ woodpecker_project_dir }}/woodpecker-server-data:/var/lib/woodpecker"
env:
WOODPECKER_OPEN: "{{ woodpecker_open }}"
WOODPECKER_HOST: "{{ woodpecker_host }}"
@@ 27,12 24,11 @@
WOODPECKER_ORGS: "{{ woodpecker_orgs }}"
WOODPECKER_ADMIN: "{{ woodpecker_admin }}"
WOODPECKER_REPO_OWNERS: "{{ woodpecker_repo_owners }}"
- WOODPECKER_DEFAULT_PIPELINE_TIMEOUT:
- "{{ woodpecker_default_pipeline_timeout }}"
+ WOODPECKER_DEFAULT_PIPELINE_TIMEOUT: "{{ woodpecker_default_pipeline_timeout }}"
WOODPECKER_MAX_PIPELINE_TIMEOUT: "{{ woodpecker_max_pipeline_timeout }}"
- name: Setup woodpecker-agent
- docker_container:
+ community.docker.docker_container:
name: woodpecker-agent
restart_policy: unless-stopped
image: woodpeckerci/woodpecker-agent:next-0cf602a1f6-alpine
@@ 41,5 37,5 @@
volumes:
- /var/run/docker.sock:/var/run/docker.sock
env:
- WOODPECKER_SERVER: "woodpecker-server:9000"
+ WOODPECKER_SERVER: woodpecker-server:9000
WOODPECKER_AGENT_SECRET: "{{ woodpecker_agent_secret }}"
M roles/network/caddy/tasks/main.yml => roles/network/caddy/tasks/main.yml +1 -1
@@ 7,7 7,7 @@
state: latest
- name: Make sure caddy is running and enabled on boot
- service:
+ ansible.builtin.service:
name: caddy
enabled: true
state: started
M roles/network/caddy/templates/reverse-proxy.template => roles/network/caddy/templates/reverse-proxy.template +2 -2
@@ 1,3 1,3 @@
-{{ domain }} {
- reverse_proxy :{{ port }}
+{{ project_domain }} {
+ reverse_proxy :{{ project_port }}
}
M roles/system/defaults/docker.yml => roles/system/defaults/docker.yml +1 -1
@@ 1,2 1,2 @@
---
-docker_subid: "100000:65536"
+docker_subid: 100000:65536
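Review bot: Dropping the quotes on `docker_subid: 100000:65536` relies on the second field being outside the range 0-59; YAML 1.1 parsers such as PyYAML resolve `digits:digits` as a base-60 integer when every field after the first is in that range (so `100000:30` would become the integer 6000030), and the value is later spliced into `/etc/subuid` and `/etc/subgid` lines. Keep it quoted, `docker_subid: "100000:65536"`, so the type does not depend on the particular numbers.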
M roles/system/handlers/main.yml => roles/system/handlers/main.yml +1 -1
@@ 1,5 1,5 @@
---
- name: Restart sshd
- service:
+ ansible.builtin.service:
name: sshd
state: restarted
M roles/system/tasks/docker.yml => roles/system/tasks/docker.yml +10 -10
@@ 10,37 10,37 @@
state: latest
- name: Modprobe tun
- modprobe:
+ community.general.modprobe:
name: tun
- name: Ensure tun is autoloaded
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/modules
- search_string: "^tun$"
- line: "tun"
+ search_string: ^tun$
+ line: tun
# Run docker rootless
- name: Setup subuid for docker-rootless
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/subuid
- search_string: "^{{ username }}:{{ docker_subid }}"
+ search_string: ^{{ username }}:{{ docker_subid }}
line: "{{ username }}:{{ docker_subid }}"
- name: Setup subgid for docker-rootless
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/subgid
- search_string: "^{{ username }}:{{ docker_subid }}"
+ search_string: ^{{ username }}:{{ docker_subid }}
line: "{{ username }}:{{ docker_subid }}"
- name: Ensure cgroups is running
- service:
+ ansible.builtin.service:
name: cgroups
enabled: true
state: started
# Docker startup
- name: Ensure docker is running, and starts on boot
- service:
+ ansible.builtin.service:
name: docker
enabled: true
state: started
M roles/system/tasks/main.yml => roles/system/tasks/main.yml +12 -6
@@ 1,7 1,13 @@
---
-- include_tasks: ssh.yml
-- include_tasks: repo.yml
-- include_tasks: packages.yml
-- include_tasks: user.yml
-- include_tasks: shell.yml
-- include_tasks: docker.yml
+- name: Lock down ssh access
+ ansible.builtin.include_tasks: ssh.yml
+- name: Configure alpine edge repo
+ ansible.builtin.include_tasks: repo.yml
+- name: Install base packages
+ ansible.builtin.include_tasks: packages.yml
+- name: Setup non-root user
+ ansible.builtin.include_tasks: user.yml
+- name: Configure shell
+ ansible.builtin.include_tasks: shell.yml
+- name: Enable root-less docker
+ ansible.builtin.include_tasks: docker.yml
M roles/system/tasks/repo.yml => roles/system/tasks/repo.yml +6 -6
@@ 1,15 1,15 @@
---
- name: Use alpine edge branch/version
- replace:
+ ansible.builtin.replace:
path: /etc/apk/repositories
- regexp: "^#?http(s)?://dl-cdn.alpinelinux.org/alpine/([^/]+)"
- replace: "https://dl-cdn.alpinelinux.org/alpine/edge"
+ regexp: ^#?http(s)?://dl-cdn.alpinelinux.org/alpine/([^/]+)
+ replace: https://dl-cdn.alpinelinux.org/alpine/edge
- name: Enable Testing repo
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/apk/repositories
- line: "https://dl-cdn.alpinelinux.org/alpine/edge/testing"
- search_string: "https://dl-cdn.alpinelinux.org/alpine/edge/testing"
+ line: https://dl-cdn.alpinelinux.org/alpine/edge/testing
+ search_string: https://dl-cdn.alpinelinux.org/alpine/edge/testing
- name: Update Packages
community.general.apk:
M roles/system/tasks/shell.yml => roles/system/tasks/shell.yml +10 -7
@@ 1,18 1,21 @@
+---
- name: Show pfetch on login
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/profile.d/pfetch.sh
+ mode: "0644"
create: true
- search_string: "^pfetch"
- line: "pfetch"
+ search_string: ^pfetch
+ line: pfetch
- name: Make neovim the default editor
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/profile.d/editor.sh
+ mode: "0644"
create: true
- search_string: "^export EDITOR=neovim"
- line: "export EDITOR=nvim"
+ search_string: ^export EDITOR=neovim
+ line: export EDITOR=nvim
- name: Disable login message
- file:
+ ansible.builtin.file:
path: /etc/motd
state: absent
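Review bot: `search_string: ^export EDITOR=neovim` on the editor task can never match the line the task writes, `export EDITOR=nvim`, both because search_string is a literal substring (the `^` is matched as a character) and because the editor name differs; an existing `export EDITOR=...` line with another value would therefore be left in place and the new one appended after it. A regex that matches any current assignment fixes both: `regexp: ^export EDITOR=`. The `^pfetch` search_string above has the same literal-anchor problem.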
M roles/system/tasks/ssh.yml => roles/system/tasks/ssh.yml +6 -6
@@ 1,15 1,15 @@
---
- name: Disable SSH password auth
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
- regexp: "^#PasswordAuthentication yes"
- line: "PasswordAuthentication no"
- validate: 'sshd -T -f %s'
- mode: 0644
+ regexp: ^#PasswordAuthentication yes
+ line: PasswordAuthentication no
+ validate: sshd -T -f %s
+ mode: "0644"
notify: Restart sshd
- name: Enable ssh on boot
- service:
+ ansible.builtin.service:
name: sshd
enabled: true
state: started
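Review bot: `regexp: ^#PasswordAuthentication yes` only matches the commented-out default, so on a host whose sshd_config already carries an explicit `PasswordAuthentication yes` the task appends `PasswordAuthentication no` at the end of the file, and sshd uses the first value it reads for a keyword, leaving password logins enabled while the play reports success. Matching both forms, `regexp: ^#?PasswordAuthentication`, replaces whichever line is present; since `insertafter` defaults to EOF, an appended line could also land inside a trailing `Match` block, which is another reason to replace rather than append. The `validate: sshd -T -f %s` step does not catch this because the file stays syntactically valid either way.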
M roles/system/tasks/user.yml => roles/system/tasks/user.yml +8 -7
@@ 1,12 1,12 @@
---
- name: Ensure all necessary groups are created
- group:
+ ansible.builtin.group:
name: "{{ item }}"
loop:
- docker
- name: Ensure a non-root user is created
- user:
+ ansible.builtin.user:
name: "{{ username }}"
password: "{{ password | password_hash('sha512') }}"
groups:
@@ 17,10 17,11 @@
shell: "{{ shell }}"
update_password: on_create
-- name: Enable passwordless doas for "{{ username }}"
- lineinfile:
+- name: Enable passwordless doas for created user
+ ansible.builtin.lineinfile:
create: true
+ mode: "0644"
path: /etc/doas.d/user.conf
- regexp: "^permit nopass :wheel"
- line: "permit nopass :wheel"
- validate: "doas -C %s"
+ regexp: ^permit nopass :wheel
+ line: permit nopass :wheel
+ validate: doas -C %s
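Review bot: The renamed task `Enable passwordless doas for created user` writes `permit nopass :wheel`, which grants passwordless root to every member of the wheel group rather than to the created user; the task name and the rule disagree, and the group-wide grant is the broader one. If the intent is the single user, `line: permit nopass {{ username }}` with a matching `regexp: ^permit nopass {{ username }}` scopes it; otherwise rename the task to say wheel so the next reader is not misled. The user task earlier in this file lists its `groups:` outside the hunk, so I cannot tell from here whether wheel is among them.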
M run.yml => run.yml +7 -7
@@ 4,7 4,7 @@
# overwrites the ssh user set in the hosts.yml,
# because the non-root user has yet to be created
############################################
-- name: setup base system
+- name: Setup base system
hosts: all
remote_user: root
vars:
@@ 17,14 17,14 @@
# SETUP NETWORK
############################################
# Setup Proxy (caddy)
-- name: setup caddy as proxy
+- name: Setup caddy as proxy
hosts: all
become: true
roles:
- role: network/caddy
tags: proxy
# Setup Firewall (nftables)
-- name: setup nftables firewall
+- name: Setup nftables firewall
hosts: all
become: true
roles:
@@ 35,25 35,25 @@
# SETUP CONTAINERS
############################################
# Setup woodpecker-CI
-- name: setup Woodpecker CI
+- name: Setup Woodpecker CI
hosts: all
roles:
- role: containers/woodpecker-ci
tags: ci
# Setup Calckey
-- name: setup Calckey
+- name: Setup Calckey
hosts: all
roles:
- role: containers/calckey
tags: calckey
# Setup Uptime Kuma
-- name: setup Uptime Kuma
+- name: Setup Uptime Kuma
hosts: all
roles:
- role: containers/uptime-kuma
tags: status
# Setup Wireguard
-- name: setup Wireguard
+- name: Setup Wireguard
hosts: all
roles:
- role: containers/wireguard