From edadc5a1c4d773d86e1fbb7ddf9ed6610ab97c27 Mon Sep 17 00:00:00 2001 From: Jakob Meier Date: Sun, 23 Jul 2023 09:04:45 +0200 Subject: [PATCH] Reformatted files using ansible-lint and manual rewrite --- roles/containers/calckey/defaults/main.yml | 4 +- roles/containers/calckey/tasks/caddy.yml | 16 ++++--- roles/containers/calckey/tasks/main.yml | 6 ++- roles/containers/calckey/tasks/setup.yml | 48 ++++++++----------- .../containers/uptime-kuma/defaults/main.yml | 4 +- roles/containers/uptime-kuma/tasks/caddy.yml | 16 ++++--- roles/containers/uptime-kuma/tasks/main.yml | 6 ++- roles/containers/uptime-kuma/tasks/setup.yml | 11 ++--- roles/containers/wireguard/defaults/main.yml | 12 ++--- roles/containers/wireguard/handlers/main.yml | 6 +++ roles/containers/wireguard/tasks/config.yml | 10 +--- roles/containers/wireguard/tasks/main.yml | 9 ++-- roles/containers/wireguard/tasks/network.yml | 14 ++---- roles/containers/wireguard/tasks/setup.yml | 15 +++--- .../woodpecker-ci/defaults/main.yml | 14 +++--- .../containers/woodpecker-ci/tasks/caddy.yml | 16 ++++--- roles/containers/woodpecker-ci/tasks/main.yml | 6 ++- .../containers/woodpecker-ci/tasks/setup.yml | 18 +++---- roles/network/caddy/tasks/main.yml | 2 +- .../caddy/templates/reverse-proxy.template | 4 +- roles/system/defaults/docker.yml | 2 +- roles/system/handlers/main.yml | 2 +- roles/system/tasks/docker.yml | 20 ++++---- roles/system/tasks/main.yml | 18 ++++--- roles/system/tasks/repo.yml | 12 ++--- roles/system/tasks/shell.yml | 17 ++++--- roles/system/tasks/ssh.yml | 12 ++--- roles/system/tasks/user.yml | 15 +++--- run.yml | 14 +++--- 29 files changed, 175 insertions(+), 174 deletions(-) create mode 100644 roles/containers/wireguard/handlers/main.yml diff --git a/roles/containers/calckey/defaults/main.yml b/roles/containers/calckey/defaults/main.yml index 5cd0652..aa45d94 100644 --- a/roles/containers/calckey/defaults/main.yml +++ b/roles/containers/calckey/defaults/main.yml 
@@ -1,9 +1,9 @@ --- -calckey_project_dir: "world" +calckey_project_dir: world calckey_port: "4753" calckey_open: "false" calckey_domain: "{{ calckey_project_dir }}.ccw.icu" calckey_postgres_pass: "" calckey_postgres_user: "" calckey_sonic_pass: "" -calckey_id: "aid" +calckey_id: aid diff --git a/roles/containers/calckey/tasks/caddy.yml b/roles/containers/calckey/tasks/caddy.yml index beb2953..3b3c26e 100644 --- a/roles/containers/calckey/tasks/caddy.yml +++ b/roles/containers/calckey/tasks/caddy.yml @@ -2,23 +2,25 @@ - name: Make sure calckey-caddy reverse proxy config exists become: true vars: - domain: "{{ calckey_domain }}" - port: "{{ calckey_port }}" - template: + project_domain: "{{ calckey_domain }}" + project_port: "{{ calckey_port }}" + ansible.builtin.template: src: ../../../network/caddy/templates/reverse-proxy.template + mode: "0644" dest: /etc/caddy/calckey validate: caddy validate --adapter caddyfile --config %s - name: Make sure caddy links to the calckey config become: true - lineinfile: + ansible.builtin.lineinfile: path: /etc/caddy/Caddyfile - search_string: "^import /etc/caddy/calckey" - line: "import /etc/caddy/calckey" + search_string: ^import /etc/caddy/calckey + mode: "0644" + line: import /etc/caddy/calckey validate: caddy validate --adapter caddyfile --config %s - name: Restart caddy become: true - service: + ansible.builtin.service: name: caddy state: restarted diff --git a/roles/containers/calckey/tasks/main.yml b/roles/containers/calckey/tasks/main.yml index 415dc21..0920d49 100644 --- a/roles/containers/calckey/tasks/main.yml +++ b/roles/containers/calckey/tasks/main.yml @@ -1,3 +1,5 @@ --- -- include_tasks: setup.yml -- include_tasks: caddy.yml +- name: Setup calckey docker images + ansible.builtin.include_tasks: setup.yml +- name: Setup calckey reverse proxy + ansible.builtin.include_tasks: caddy.yml diff --git a/roles/containers/calckey/tasks/setup.yml b/roles/containers/calckey/tasks/setup.yml index ff757c0..f434642 100644 
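Review bot: In `Make sure caddy links to the calckey config`, `search_string` is a literal substring match, so the leading `^` in `search_string: ^import /etc/caddy/calckey` is searched for verbatim and never matches; as far as I can tell the task stays idempotent only because lineinfile also checks for the exact `line`. Use `regexp: ^import /etc/caddy/calckey$` if anchoring is intended, or drop the `^` — the same dead anchor appears in the uptime-kuma, woodpecker, shell and docker lineinfile tasks of this patch. Separately, the `Restart caddy` task here is unconditional and restarts caddy on every run, while the uptime-kuma and woodpecker roles `register` both config tasks and gate on `.changed`; adding `register: projectconfig` / `register: caddyconfig` and `when: projectconfig.changed or caddyconfig.changed` avoids dropping live connections on no-op runs.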
--- a/roles/containers/calckey/tasks/setup.yml +++ b/roles/containers/calckey/tasks/setup.yml 
@@ -1,83 +1,75 @@ --- -- name: Ensure calckey-project-dir "{{ calckey_project_dir }}" exists - file: +- name: Ensure calckey-project-dir exists + ansible.builtin.file: path: "{{ container_dir }}/{{ calckey_project_dir }}" state: directory + mode: "0777" recurse: true # Copy config files - name: Ensure calckey config directory exists - file: + ansible.builtin.file: path: "{{ container_dir }}/{{ calckey_project_dir }}/.config" + mode: "0777" state: directory recurse: true - name: Copy calckey config to the project dir - template: + ansible.builtin.template: src: calckey.conf + mode: "0777" dest: "{{ container_dir }}/{{ calckey_project_dir }}/.config/default.yml" - name: Copy sonic config to the project dir - template: + ansible.builtin.template: src: sonic.conf + mode: "0777" dest: "{{ container_dir }}/{{ calckey_project_dir }}/sonic.cfg" # Setup docker images - name: Setup calckey redis - docker_container: + community.docker.docker_container: name: calckey_redis image: docker.io/redis:7.0-alpine restart_policy: unless-stopped volumes: - - "{{ container_dir }}\ - /{{ calckey_project_dir }}\ - /redis:/data" + - "{{ container_dir }}/{{ calckey_project_dir }}/redis:/data" - name: Setup calckey db - docker_container: + community.docker.docker_container: name: calckey_db restart_policy: unless-stopped image: docker.io/postgres:12.2-alpine volumes: - - "{{ container_dir }}\ - /{{ calckey_project_dir }}\ - /db:/var/lib/postgresql/data" + - "{{ container_dir }}/{{ calckey_project_dir }}/db:/var/lib/postgresql/data" links: - calckey_redis env: POSTGRES_PASSWORD: "{{ calckey_postgres_pass }}" POSTGRES_USER: "{{ calckey_postgres_user }}" - POSTGRES_DB: "calckey" + POSTGRES_DB: calckey - name: Setup calckey sonic - docker_container: + community.docker.docker_container: name: calckey_sonic restart_policy: unless-stopped image: docker.io/valeriansaliou/sonic:v1.4.0 volumes: - - "{{ container_dir }}\ - /{{ calckey_project_dir }}\ - /sonic:/var/lib/sonic/store" - - "{{ container_dir 
}}\ - /{{ calckey_project_dir }}\ - /sonic.cfg:/etc/sonic.cfg" + - "{{ container_dir }}/{{ calckey_project_dir }}/sonic:/var/lib/sonic/store" + - "{{ container_dir }}/{{ calckey_project_dir }}/sonic.cfg:/etc/sonic.cfg" links: - calckey_db - name: Setup calckey web - docker_container: + community.docker.docker_container: name: calckey_web restart_policy: unless-stopped image: codeberg.org/comcloudway/firefish-docker:latest ports: - "{{ calckey_port }}:3000" volumes: - - "{{ container_dir }}\ - /{{ calckey_project_dir }}\ - /files:/firefish/files" - - "{{ container_dir }}\ - /{{ calckey_project_dir }}\ - /.config:/firefish/.config:ro" + - "{{ container_dir }}/{{ calckey_project_dir }}/files:/firefish/files" + - "{{ container_dir }}/{{ calckey_project_dir }}/.config:/firefish/.config:ro" links: - calckey_sonic - calckey_db diff --git a/roles/containers/uptime-kuma/defaults/main.yml b/roles/containers/uptime-kuma/defaults/main.yml index a0f4ed1..69f10be 100644 --- a/roles/containers/uptime-kuma/defaults/main.yml +++ b/roles/containers/uptime-kuma/defaults/main.yml @@ -1,4 +1,4 @@ --- -uptime_kuma_project_dir: "status" +uptime_kuma_project_dir: status uptime_kuma_port: 3001 -uptime_kuma_domain: "status.ccw.icu" +uptime_kuma_domain: status.ccw.icu diff --git a/roles/containers/uptime-kuma/tasks/caddy.yml b/roles/containers/uptime-kuma/tasks/caddy.yml index 33d3ecb..2d82c65 100644 --- a/roles/containers/uptime-kuma/tasks/caddy.yml +++ b/roles/containers/uptime-kuma/tasks/caddy.yml @@ -2,9 +2,10 @@ - name: Make sure uptime-kuma-caddy reverse proxy config exists become: true vars: - domain: "{{ uptime_kuma_domain }}" - port: "{{ uptime_kuma_port }}" - template: + project_domain: "{{ uptime_kuma_domain }}" + project_port: "{{ uptime_kuma_port }}" + ansible.builtin.template: + mode: "0644" src: ../../../network/caddy/templates/reverse-proxy.template dest: /etc/caddy/uptime-kuma validate: caddy validate --adapter caddyfile --config %s 
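Review bot: `mode: "0777"` together with `recurse: true` on `{{ container_dir }}/{{ calckey_project_dir }}` re-chmods everything already under it on each run, including the `db` directory that is bind-mounted as PostgreSQL's data directory; PostgreSQL refuses to start when its data directory is group- or world-accessible, so the second run of this role should leave `calckey_db` failing with an invalid-permissions error. The same 0777 is applied to `default.yml` and `sonic.cfg`, which are rendered from templates that presumably carry `calckey_postgres_pass` and `calckey_sonic_pass`, leaving those secrets world-readable and world-writable on the host. Drop `recurse` (or keep it only for ownership), use `mode: "0750"` for the directories and `mode: "0640"` for the two config files, and set `owner`/`group` to the account that runs docker here — `.config` is already mounted `:ro`, so nothing in the container needs write access. `ports: "{{ calckey_port }}:3000"` also publishes the web container on every interface; since the Caddy template proxies to `:{{ calckey_port }}` on localhost, `"127.0.0.1:{{ calckey_port }}:3000"` keeps plain-HTTP access off the public address.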
@@ -12,16 +13,17 @@ - name: Make sure caddy links to the uptime-kuma config become: true - lineinfile: + ansible.builtin.lineinfile: + mode: "0644" path: /etc/caddy/Caddyfile - search_string: "^import /etc/caddy/uptime-kuma" - line: "import /etc/caddy/uptime-kuma" + search_string: ^import /etc/caddy/uptime-kuma + line: import /etc/caddy/uptime-kuma validate: caddy validate --adapter caddyfile --config %s register: caddyconfig - name: Restart caddy become: true - service: + ansible.builtin.service: name: caddy state: restarted when: projectconfig.changed or caddyconfig.changed diff --git a/roles/containers/uptime-kuma/tasks/main.yml b/roles/containers/uptime-kuma/tasks/main.yml index 415dc21..d84a03d 100644 --- a/roles/containers/uptime-kuma/tasks/main.yml +++ b/roles/containers/uptime-kuma/tasks/main.yml @@ -1,3 +1,5 @@ --- -- include_tasks: setup.yml -- include_tasks: caddy.yml +- name: Setup uptime-kuma docker images + ansible.builtin.include_tasks: setup.yml +- name: Setup uptime-kuma reverse proxy + ansible.builtin.include_tasks: caddy.yml diff --git a/roles/containers/uptime-kuma/tasks/setup.yml b/roles/containers/uptime-kuma/tasks/setup.yml index b708dde..ffb8575 100644 --- a/roles/containers/uptime-kuma/tasks/setup.yml +++ b/roles/containers/uptime-kuma/tasks/setup.yml @@ -1,19 +1,16 @@ --- -- name: Ensure woodpecker-project-dir "{{ uptime_kuma_project_dir }}" exists - file: +- name: Ensure woodpecker-project-dir exists + ansible.builtin.file: path: "{{ container_dir }}/{{ uptime_kuma_project_dir }}" state: directory recurse: true - name: Setup uptime-kuma - docker_container: + community.docker.docker_container: name: uptime-kuma restart_policy: unless-stopped image: louislam/uptime-kuma:1.22.1-alpine volumes: - - "{{ container_dir }}\ - /{{ uptime_kuma_project_dir }}\ - /uptime-kuma-data\ - :/app/data" + - "{{ container_dir }}/{{ uptime_kuma_project_dir }}/uptime-kuma-data:/app/data" ports: - "{{ uptime_kuma_port }}:3001" 
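Review bot: `ports: "{{ uptime_kuma_port }}:3001"` binds the container on every host interface, so Uptime Kuma is reachable over plain HTTP on :3001 beside the Caddy TLS vhost; with a rootful Docker daemon a published port is reached through Docker's own forwarding rules rather than the host's nftables INPUT chain, so the firewall role is not a safeguard here (worth confirming on this host). The Caddy template proxies to `:{{ uptime_kuma_port }}` on localhost, so `"127.0.0.1:{{ uptime_kuma_port }}:3001"` is sufficient. The first task is still named `Ensure woodpecker-project-dir exists` although it manages the uptime-kuma directory, and unlike the calckey role it sets no `mode`; `mode: "0750"` with an explicit `owner` would match the ansible-lint intent of this commit without the 0777 used elsewhere.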
diff --git a/roles/containers/wireguard/defaults/main.yml b/roles/containers/wireguard/defaults/main.yml index 22445c4..701e97a 100644 --- a/roles/containers/wireguard/defaults/main.yml +++ b/roles/containers/wireguard/defaults/main.yml @@ -1,10 +1,10 @@ --- -wireguard_domain: "vpn.ccw.icu" -wireguard_project_dir: "vpn" +wireguard_domain: vpn.ccw.icu +wireguard_project_dir: vpn wireguard_port: "51820" wireguard_peers: - default -wireguard_timezone: "Europe/London" -wireguard_bridge_subnet: "149.102.148.89/21" -wireguard_bridge_gateway: "149.102.144.1" -wireguard_bridge_parent: "eth0" +wireguard_timezone: Europe/London +wireguard_bridge_subnet: 149.102.148.89/21 +wireguard_bridge_gateway: 149.102.144.1 +wireguard_bridge_parent: eth0 diff --git a/roles/containers/wireguard/handlers/main.yml b/roles/containers/wireguard/handlers/main.yml new file mode 100644 index 0000000..e974c82 --- /dev/null +++ b/roles/containers/wireguard/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart nftables + become: true + ansible.builtin.service: + name: nftables + state: restarted diff --git a/roles/containers/wireguard/tasks/config.yml b/roles/containers/wireguard/tasks/config.yml index 26b0dd7..0e17194 100644 --- a/roles/containers/wireguard/tasks/config.yml +++ b/roles/containers/wireguard/tasks/config.yml @@ -1,16 +1,10 @@ --- - name: Wait for peer config to be generated ansible.builtin.wait_for: - path: "{{ container_dir }}\ - /{{ wireguard_project_dir }}\ - /config\ - /peer_{{ item }}/peer_{{ item }}.conf" + path: "{{ container_dir }}/{{ wireguard_project_dir }}/config/peer_{{ item }}/peer_{{ item }}.conf" loop: "{{ wireguard_peers }}" - name: Fetch peer config ansible.builtin.fetch: dest: ./output - src: "{{ container_dir }}\ - /{{ wireguard_project_dir }}\ - /config\ - /peer_{{ item }}/peer_{{ item }}.conf" + src: "{{ container_dir }}/{{ wireguard_project_dir }}/config/peer_{{ item }}/peer_{{ item }}.conf" loop: "{{ wireguard_peers }}" 
diff --git a/roles/containers/wireguard/tasks/main.yml b/roles/containers/wireguard/tasks/main.yml index 28f9a66..88de5ca 100644 --- a/roles/containers/wireguard/tasks/main.yml +++ b/roles/containers/wireguard/tasks/main.yml @@ -1,4 +1,7 @@ --- -- include_tasks: setup.yml -- include_tasks: network.yml -- include_tasks: config.yml +- name: Setup wireguard docker images + ansible.builtin.include_tasks: setup.yml +- name: Configure firewall for wireguard + ansible.builtin.include_tasks: network.yml +- name: Copy generated wireguard device config + ansible.builtin.include_tasks: config.yml diff --git a/roles/containers/wireguard/tasks/network.yml b/roles/containers/wireguard/tasks/network.yml index 222fa15..f057099 100644 --- a/roles/containers/wireguard/tasks/network.yml +++ b/roles/containers/wireguard/tasks/network.yml @@ -1,14 +1,8 @@ --- - name: Make sure the nftables vpn rule exists become: true - template: - src: ../templates/52_vpn.nft.template + ansible.builtin.template: + mode: "0644" + src: 52_vpn.nft.template dest: /etc/nftables.d/52_vpn.nft - register: firewall - -- name: Restart nftables - become: true - service: - name: nftables - state: restarted - when: firewall.changed + notify: Restart nftables diff --git a/roles/containers/wireguard/tasks/setup.yml b/roles/containers/wireguard/tasks/setup.yml index ea0f777..c2984ee 100644 --- a/roles/containers/wireguard/tasks/setup.yml +++ b/roles/containers/wireguard/tasks/setup.yml @@ -1,12 +1,12 @@ --- -- name: Ensure wireguard-dir "{{ wireguard_project_dir }}" exists - file: +- name: Ensure wireguard-dir exists + ansible.builtin.file: path: "{{ container_dir }}/{{ wireguard_project_dir }}" state: directory recurse: true - name: Setup wireguard - docker_container: + community.docker.docker_container: name: wireguard image: linuxserver/wireguard:1.0.20210914-alpine restart_policy: unless-stopped 
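Review bot: Moving the nftables restart into a handler changes when the rule set is loaded: the handler runs at the end of the play, and if any later task fails (the `wait_for` in config.yml, for instance) it never runs, leaving `/etc/nftables.d/52_vpn.nft` updated on disk but not loaded; on the next run the template reports `ok` and the handler is never notified again. Running with `--force-handlers`, or adding `- ansible.builtin.meta: flush_handlers` directly after this task, closes that gap. The template task also has no `validate:`, so a syntax error in the rendered fragment surfaces only when the service restart fails — `validate: nft -c -f %s` is worth adding if the fragment parses on its own (it may not if it references tables defined in the main ruleset; confirm).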
@@ -17,16 +17,13 @@ SERVERURL: "{{ wireguard_domain }}" SERVERPORT: "{{ wireguard_port }}" PEERS: "{{ wireguard_peers | join(',') }}" - INTERNAL_SUBNET: "10.0.0.0" + INTERNAL_SUBNET: 10.0.0.0 ALLOWEDIPS: "0.0.0.0/0, ::/0" - PEERDNS: "1.1.1.1" + PEERDNS: 1.1.1.1 ports: - "{{ wireguard_port }}:{{ wireguard_port }}/udp" volumes: - - "{{ container_dir }}\ - /{{ wireguard_project_dir }}\ - /config\ - :/config" + - "{{ container_dir }}/{{ wireguard_project_dir }}/config:/config" mounts: - source: /lib/modules target: /lib/modules diff --git a/roles/containers/woodpecker-ci/defaults/main.yml b/roles/containers/woodpecker-ci/defaults/main.yml index e89def0..6db7894 100644 --- a/roles/containers/woodpecker-ci/defaults/main.yml +++ b/roles/containers/woodpecker-ci/defaults/main.yml @@ -1,15 +1,15 @@ --- -woodpecker_project_dir: "ci" +woodpecker_project_dir: ci woodpecker_port: "8000" woodpecker_open: "false" -woodpecker_domain: "ci.ccw.icu" -woodpecker_host: "https://{{ woodpecker_domain }}" -woodpecker_gitea: "https://codeberg.org" -woodpecker_gitea_client: "changeme" -woodpecker_gitea_secret: "changeme" +woodpecker_domain: ci.ccw.icu +woodpecker_host: https://{{ woodpecker_domain }} +woodpecker_gitea: https://codeberg.org +woodpecker_gitea_client: changeme +woodpecker_gitea_secret: changeme woodpecker_orgs: "" woodpecker_admin: "{{ username }}" woodpecker_repo_owners: "{{ username }}" -woodpecker_agent_secret: "changeme" +woodpecker_agent_secret: changeme woodpecker_max_pipeline_timeout: "1440" woodpecker_default_pipeline_timeout: "60" diff --git a/roles/containers/woodpecker-ci/tasks/caddy.yml b/roles/containers/woodpecker-ci/tasks/caddy.yml index 989665c..4dc41c7 100644 --- a/roles/containers/woodpecker-ci/tasks/caddy.yml +++ b/roles/containers/woodpecker-ci/tasks/caddy.yml 
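Review bot: `woodpecker_gitea_client`, `woodpecker_gitea_secret` and `woodpecker_agent_secret` still default to the literal `changeme`, and nothing in this patch stops a run that forgot to override them — `WOODPECKER_AGENT_SECRET` is the only credential an agent presents to the server, so a deployment left on the placeholder lets anything that can reach the server's gRPC port register as an agent and receive pipeline jobs. A guard at the top of `tasks/setup.yml` makes that failure explicit (sketch below); the real values belong in vault-encrypted host vars, not in defaults. Since these values are passed as container `env`, consider `no_log: true` on the two `docker_container` tasks so they do not appear in verbose or diff output.
```yaml
- name: Refuse to deploy with placeholder secrets
  ansible.builtin.assert:
    that:
      - woodpecker_gitea_secret != "changeme"
      - woodpecker_agent_secret != "changeme"
    fail_msg: Set woodpecker_gitea_secret and woodpecker_agent_secret (e.g. in vault-encrypted host vars)
    quiet: true
# … unchanged: project dir, woodpecker-server and woodpecker-agent tasks …
```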
@@ -2,26 +2,28 @@ - name: Make sure woodpecker-caddy reverse proxy config exists become: true vars: - domain: "{{ woodpecker_domain }}" - port: "{{ woodpecker_port }}" - template: + project_domain: "{{ woodpecker_domain }}" + project_port: "{{ woodpecker_port }}" + ansible.builtin.template: src: ../../../network/caddy/templates/reverse-proxy.template dest: /etc/caddy/woodpecker + mode: "0644" validate: caddy validate --adapter caddyfile --config %s register: projectconfig - name: Make sure caddy links to the woodpecker config become: true - lineinfile: + ansible.builtin.lineinfile: path: /etc/caddy/Caddyfile - search_string: "^import /etc/caddy/woodpecker" - line: "import /etc/caddy/woodpecker" + mode: "0644" + search_string: ^import /etc/caddy/woodpecker + line: import /etc/caddy/woodpecker validate: caddy validate --adapter caddyfile --config %s register: caddyconfig - name: Restart caddy become: true - service: + ansible.builtin.service: name: caddy state: restarted when: caddyconfig.changed or projectconfig.changed diff --git a/roles/containers/woodpecker-ci/tasks/main.yml b/roles/containers/woodpecker-ci/tasks/main.yml index 415dc21..4766c31 100644 --- a/roles/containers/woodpecker-ci/tasks/main.yml +++ b/roles/containers/woodpecker-ci/tasks/main.yml @@ -1,3 +1,5 @@ --- -- include_tasks: setup.yml -- include_tasks: caddy.yml +- name: Setup woodpecker docker images + ansible.builtin.include_tasks: setup.yml +- name: Setup woodpecker reverse proxy + ansible.builtin.include_tasks: caddy.yml diff --git a/roles/containers/woodpecker-ci/tasks/setup.yml b/roles/containers/woodpecker-ci/tasks/setup.yml index 5a5252b..2dccd00 100644 --- a/roles/containers/woodpecker-ci/tasks/setup.yml +++ b/roles/containers/woodpecker-ci/tasks/setup.yml 
@@ -1,22 +1,19 @@ --- -- name: Ensure woodpecker-project-dir "{{ woodpecker_project_dir }}" exists - file: +- name: Ensure woodpecker-project-dir exists + ansible.builtin.file: path: "{{ container_dir }}/{{ woodpecker_project_dir }}" state: directory recurse: true - name: Setup woodpecker-server - docker_container: + community.docker.docker_container: name: woodpecker-server restart_policy: unless-stopped image: woodpeckerci/woodpecker-server:next-0cf602a1f6-alpine ports: - "{{ woodpecker_port }}:8000" volumes: - - "{{ container_dir }}\ - /{{ woodpecker_project_dir }}\ - /woodpecker-server-data\ - :/var/lib/woodpecker" + - "{{ container_dir }}/{{ woodpecker_project_dir }}/woodpecker-server-data:/var/lib/woodpecker" env: WOODPECKER_OPEN: "{{ woodpecker_open }}" WOODPECKER_HOST: "{{ woodpecker_host }}" @@ -27,12 +24,11 @@ WOODPECKER_ORGS: "{{ woodpecker_orgs }}" WOODPECKER_ADMIN: "{{ woodpecker_admin }}" WOODPECKER_REPO_OWNERS: "{{ woodpecker_repo_owners }}" - WOODPECKER_DEFAULT_PIPELINE_TIMEOUT: - "{{ woodpecker_default_pipeline_timeout }}" + WOODPECKER_DEFAULT_PIPELINE_TIMEOUT: "{{ woodpecker_default_pipeline_timeout }}" WOODPECKER_MAX_PIPELINE_TIMEOUT: "{{ woodpecker_max_pipeline_timeout }}" - name: Setup woodpecker-agent - docker_container: + community.docker.docker_container: name: woodpecker-agent restart_policy: unless-stopped image: woodpeckerci/woodpecker-agent:next-0cf602a1f6-alpine @@ -41,5 +37,5 @@ volumes: - /var/run/docker.sock:/var/run/docker.sock env: - WOODPECKER_SERVER: "woodpecker-server:9000" + WOODPECKER_SERVER: woodpecker-server:9000 WOODPECKER_AGENT_SECRET: "{{ woodpecker_agent_secret }}" diff --git a/roles/network/caddy/tasks/main.yml b/roles/network/caddy/tasks/main.yml index 032e874..32be267 100644 --- a/roles/network/caddy/tasks/main.yml +++ b/roles/network/caddy/tasks/main.yml @@ -7,7 +7,7 @@ state: latest - name: Make sure caddy is running and enabled on boot - service: + ansible.builtin.service: name: caddy enabled: true state: started 
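Review bot: The agent bind-mounts `/var/run/docker.sock`, which hands every pipeline it executes full control of the Docker daemon on this host — with the system `docker` service that `roles/system/tasks/docker.yml` enables, that is most likely the rootful daemon and therefore root on the host (if the daemon really is rootless, `/var/run/docker.sock` would not even be the right socket path; confirm which one is in use). `woodpecker_open` defaults to `"false"` and `WOODPECKER_REPO_OWNERS` is limited to `{{ username }}`, which bounds who can trigger pipelines, but anyone with write access to those repositories can still run arbitrary `docker` commands through the agent. If CI job isolation is a goal, point the agent at a dedicated or rootless daemon; otherwise document that pipelines are trusted as root here. The `Setup woodpecker-agent` task begins in the previous hunk, so its remaining options are not visible in this one.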
diff --git a/roles/network/caddy/templates/reverse-proxy.template b/roles/network/caddy/templates/reverse-proxy.template index 8c17462..715a634 100644 --- a/roles/network/caddy/templates/reverse-proxy.template +++ b/roles/network/caddy/templates/reverse-proxy.template @@ -1,3 +1,3 @@ -{{ domain }} { - reverse_proxy :{{ port }} +{{ project_domain }} { + reverse_proxy :{{ project_port }} } diff --git a/roles/system/defaults/docker.yml b/roles/system/defaults/docker.yml index 9943360..6792fdf 100644 --- a/roles/system/defaults/docker.yml +++ b/roles/system/defaults/docker.yml @@ -1,2 +1,2 @@ --- -docker_subid: "100000:65536" +docker_subid: 100000:65536 diff --git a/roles/system/handlers/main.yml b/roles/system/handlers/main.yml index 0416cca..6998953 100644 --- a/roles/system/handlers/main.yml +++ b/roles/system/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart sshd - service: + ansible.builtin.service: name: sshd state: restarted diff --git a/roles/system/tasks/docker.yml b/roles/system/tasks/docker.yml index 3aa27b7..530f566 100644 --- a/roles/system/tasks/docker.yml +++ b/roles/system/tasks/docker.yml 
@@ -10,37 +10,37 @@ state: latest - name: Modprobe tun - modprobe: + community.general.modprobe: name: tun - name: Ensure tun is autoloaded - lineinfile: + ansible.builtin.lineinfile: path: /etc/modules - search_string: "^tun$" - line: "tun" + search_string: ^tun$ + line: tun # Run docker rootless - name: Setup subuid for docker-rootless - lineinfile: + ansible.builtin.lineinfile: path: /etc/subuid - search_string: "^{{ username }}:{{ docker_subid }}" + search_string: ^{{ username }}:{{ docker_subid }} line: "{{ username }}:{{ docker_subid }}" - name: Setup subgid for docker-rootless - lineinfile: + ansible.builtin.lineinfile: path: /etc/subgid - search_string: "^{{ username }}:{{ docker_subid }}" + search_string: ^{{ username }}:{{ docker_subid }} line: "{{ username }}:{{ docker_subid }}" - name: Ensure cgroups is running - service: + ansible.builtin.service: name: cgroups enabled: true state: started # Docker startup - name: Ensure docker is running, and starts on boot - service: + ansible.builtin.service: name: docker enabled: true state: started diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml index 158087f..f09686a 100644 --- a/roles/system/tasks/main.yml +++ b/roles/system/tasks/main.yml @@ -1,7 +1,13 @@ --- -- include_tasks: ssh.yml -- include_tasks: repo.yml -- include_tasks: packages.yml -- include_tasks: user.yml -- include_tasks: shell.yml -- include_tasks: docker.yml +- name: Lock down ssh access + ansible.builtin.include_tasks: ssh.yml +- name: Configure alpine edge repo + ansible.builtin.include_tasks: repo.yml +- name: Install base packages + ansible.builtin.include_tasks: packages.yml +- name: Setup non-root user + ansible.builtin.include_tasks: user.yml +- name: Configure shell + ansible.builtin.include_tasks: shell.yml +- name: Enable root-less docker + ansible.builtin.include_tasks: docker.yml diff --git a/roles/system/tasks/repo.yml b/roles/system/tasks/repo.yml index c496f7e..6717c81 100644 
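Review bot: The play labels this step `Enable root-less docker` (main.yml), but the hunk enables the system-wide `docker` service, which on Alpine is the rootful daemon; the subuid/subgid entries written here only take effect if `dockerd-rootless-setuptool.sh install` is run for `{{ username }}`, and nothing visible in this patch does that. If the daemon is in fact rootful, membership in the `docker` group (which user.yml creates and presumably assigns) is root-equivalent for that account, so either add the rootless setup and stop enabling the system service, or rename the step so the threat model is not misread. The `search_string` values `^tun$` and `^{{ username }}:{{ docker_subid }}` are literal substrings, so the anchors are searched for verbatim and never match; use `regexp:` for these or drop the anchors.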
--- a/roles/system/tasks/repo.yml +++ b/roles/system/tasks/repo.yml @@ -1,15 +1,15 @@ --- - name: Use alpine edge branch/version - replace: + ansible.builtin.replace: path: /etc/apk/repositories - regexp: "^#?http(s)?://dl-cdn.alpinelinux.org/alpine/([^/]+)" - replace: "https://dl-cdn.alpinelinux.org/alpine/edge" + regexp: ^#?http(s)?://dl-cdn.alpinelinux.org/alpine/([^/]+) + replace: https://dl-cdn.alpinelinux.org/alpine/edge - name: Enable Testing repo - lineinfile: + ansible.builtin.lineinfile: path: /etc/apk/repositories - line: "https://dl-cdn.alpinelinux.org/alpine/edge/testing" - search_string: "https://dl-cdn.alpinelinux.org/alpine/edge/testing" + line: https://dl-cdn.alpinelinux.org/alpine/edge/testing + search_string: https://dl-cdn.alpinelinux.org/alpine/edge/testing - name: Update Packages community.general.apk: diff --git a/roles/system/tasks/shell.yml b/roles/system/tasks/shell.yml index ee6d052..cdc1e8f 100644 --- a/roles/system/tasks/shell.yml +++ b/roles/system/tasks/shell.yml @@ -1,18 +1,21 @@ +--- - name: Show pfetch on login - lineinfile: + ansible.builtin.lineinfile: path: /etc/profile.d/pfetch.sh + mode: "0644" create: true - search_string: "^pfetch" - line: "pfetch" + search_string: ^pfetch + line: pfetch - name: Make neovim the default editor - lineinfile: + ansible.builtin.lineinfile: path: /etc/profile.d/editor.sh + mode: "0644" create: true - search_string: "^export EDITOR=neovim" - line: "export EDITOR=nvim" + search_string: ^export EDITOR=neovim + line: export EDITOR=nvim - name: Disable login message - file: + ansible.builtin.file: path: /etc/motd state: absent diff --git a/roles/system/tasks/ssh.yml b/roles/system/tasks/ssh.yml index 5589a88..6cc6f44 100644 --- a/roles/system/tasks/ssh.yml +++ b/roles/system/tasks/ssh.yml 
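Review bot: `Enable Testing repo` adds `edge/testing` as an untagged repository, so apk will resolve any package from testing whenever it carries a higher version than main/community, and subsequent package upgrades will pull untested, non-security-supported builds system-wide. Tag the repository instead — `line: "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing"` with `search_string: dl-cdn.alpinelinux.org/alpine/edge/testing` — and install only the packages that need it as `pkg@testing`, so the rest of the system stays on main/community. The `replace` regexp also leaves its dots unescaped (`dl-cdn.alpinelinux.org`); harmless today, but since it rewrites the trusted package source it is worth tightening to `dl-cdn\.alpinelinux\.org`.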
@@ -1,15 +1,15 @@ --- - name: Disable SSH password auth - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config - regexp: "^#PasswordAuthentication yes" - line: "PasswordAuthentication no" - validate: 'sshd -T -f %s' - mode: 0644 + regexp: ^#PasswordAuthentication yes + line: PasswordAuthentication no + validate: sshd -T -f %s + mode: "0644" notify: Restart sshd - name: Enable ssh on boot - service: + ansible.builtin.service: name: sshd enabled: true state: started diff --git a/roles/system/tasks/user.yml b/roles/system/tasks/user.yml index 77d75f1..cfe9189 100644 --- a/roles/system/tasks/user.yml +++ b/roles/system/tasks/user.yml @@ -1,12 +1,12 @@ --- - name: Ensure all necessary groups are created - group: + ansible.builtin.group: name: "{{ item }}" loop: - docker - name: Ensure a non-root user is created - user: + ansible.builtin.user: name: "{{ username }}" password: "{{ password | password_hash('sha512') }}" groups: @@ -17,10 +17,11 @@ shell: "{{ shell }}" update_password: on_create -- name: Enable passwordless doas for "{{ username }}" - lineinfile: +- name: Enable passwordless doas for created user + ansible.builtin.lineinfile: create: true + mode: "0644" path: /etc/doas.d/user.conf - regexp: "^permit nopass :wheel" - line: "permit nopass :wheel" - validate: "doas -C %s" + regexp: ^permit nopass :wheel + line: permit nopass :wheel + validate: doas -C %s diff --git a/run.yml b/run.yml index 7a55ca2..9ed3530 100644 --- a/run.yml +++ b/run.yml @@ -4,7 +4,7 @@ # overwrites the ssh user set in the hosts.yml, # because the non-root user has yet to be created ############################################ -- name: setup base system +- name: Setup base system hosts: all remote_user: root vars: 
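Review bot: `regexp: ^#PasswordAuthentication yes` only matches the commented-out default line, so if `sshd_config` (or anything it `Include`s) already carries an uncommented `PasswordAuthentication yes`, the task appends `PasswordAuthentication no` at the end of the file and sshd keeps the first value it sees — password logins stay enabled while the play reports success. Match any existing directive with `regexp: ^#?PasswordAuthentication\b` and, where the file has an `Include` line, add `insertbefore: ^Include` so the directive is read first. This hunk appears to cover all of ssh.yml and nothing sets `PermitRootLogin`; since `run.yml` deliberately connects as `remote_user: root`, `PermitRootLogin prohibit-password` plus `KbdInteractiveAuthentication no` would close the remaining password paths without breaking that bootstrap.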
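Review bot: `permit nopass :wheel` in `/etc/doas.d/user.conf` grants every member of `wheel` passwordless root, so a compromise of `{{ username }}`'s SSH key — the same account this role presumably places in the `docker` group — is a full host compromise with no second factor. Prefer `permit persist :wheel` (if this doas build supports `persist`) or `permit nopass {{ username }} as root cmd <command>` for the few commands the playbooks need, and supply a `become_password` to Ansible; `doas -C %s` validation is good and should stay. The `Ensure a non-root user is created` task starts in the first hunk and is cut by the hunk boundary, so which groups the user actually joins is not visible here.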
@@ -17,14 +17,14 @@ # SETUP NETWORK ############################################ # Setup Proxy (caddy) -- name: setup caddy as proxy +- name: Setup caddy as proxy hosts: all become: true roles: - role: network/caddy tags: proxy # Setup Firewall (nftables) -- name: setup nftables firewall +- name: Setup nftables firewall hosts: all become: true roles: @@ -35,25 +35,25 @@ # SETUP CONTAINERS ############################################ # Setup woodpecker-CI -- name: setup Woodpecker CI +- name: Setup Woodpecker CI hosts: all roles: - role: containers/woodpecker-ci tags: ci # Setup Calckey -- name: setup Calckey +- name: Setup Calckey hosts: all roles: - role: containers/calckey tags: calckey # Setup Uptime Kuma -- name: setup Uptime Kuma +- name: Setup Uptime Kuma hosts: all roles: - role: containers/uptime-kuma tags: status # Setup Wireguard -- name: setup Wireguard +- name: Setup Wireguard hosts: all roles: - role: containers/wireguard -- 2.38.5