diff --git a/ansible-playbooks/common/config.ini b/ansible-playbooks/common/config.ini
new file mode 100644
index 0000000..045ed15
--- /dev/null
+++ b/ansible-playbooks/common/config.ini
@@ -0,0 +1,21 @@
+[all:vars]
+ansible_python_interpreter=/usr/bin/python3
+ansible_user=ansible
+ansible_ssh_private_key_file=~/.ssh/id_ed25519
+
+[lxc-hosts]
+postgres ansible_host=192.168.1.170
+gitea ansible_host=192.168.1.172
+appserver ansible_host=192.168.1.173
+
+[workload-hosts]
+authentik ansible_host=192.168.1.171
+pangolingw ansible_host=192.168.1.175
+
+[docker-hosts]
+authentik ansible_host=192.168.1.171
+appserver ansible_host=192.168.1.173
+
+[k3s-hosts]
+k3smainnode ansible_host=192.168.1.177
+k3sworkernode ansible_host=192.168.1.178
\ No newline at end of file
diff --git a/ansible-playbooks/common/create-ansible-user.yml b/ansible-playbooks/common/create-ansible-user.yml
index 5424cab..2ef58f5 100644
--- a/ansible-playbooks/common/create-ansible-user.yml
+++ b/ansible-playbooks/common/create-ansible-user.yml
@@ -1,8 +1,8 @@
-# command: ansible-playbook -i config/.ini common/create-ansible-user.yml --ask-become-pass
+# command: ansible-playbook -i common/config.ini common/create-ansible-user.yml --ask-become-pass
 # Note: this playbook requires an interactive mode or passed secret for privilege escalation
 ---
 - name: Create ansible user and configure passwordless sudo
-  hosts: all
+  hosts: workload-hosts
   become: true
   become_method: sudo
   vars:
diff --git a/ansible-playbooks/common/create-lxc-ansible-user.yml b/ansible-playbooks/common/create-lxc-ansible-user.yml
new file mode 100644
index 0000000..85b7d47
--- /dev/null
+++ b/ansible-playbooks/common/create-lxc-ansible-user.yml
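Review bot: `authentik` and `appserver` each carry their `ansible_host=` address twice (under `[workload-hosts]`/`[docker-hosts]` and `[lxc-hosts]`/`[docker-hosts]`), so an address change has to be made in two places and a typo in one of them silently gives the same inventory name two different addresses depending on which group a play targets. Declaring each host once with its `ansible_host` in an ungrouped block at the top of the file and listing only the bare names under the groups, e.g. `[docker-hosts]` followed by `authentik` and `appserver`, removes that duplication. The new `[k3s-hosts]` group is not targeted by any playbook touched in this commit; that is presumably intentional if those hosts are only meant to be reached through `update-hosts.yml`'s `hosts: all`.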
@@ -0,0 +1,81 @@
+# command: ansible-playbook -i common/config.ini common/create-lxc-ansible-user.yml --ask-become-pass
+# Note: this playbook requires an interactive mode or passed secret for privilege escalation
+---
+- name: Create ansible user and configure passwordless sudo
+  hosts: lxc-hosts
+  become: true
+  become_method: sudo
+  vars:
+    ansible_user: root
+  tasks:
+    - name: Ensure 'ansible' user exists
+      ansible.builtin.user:
+        name: ansible
+        groups: sudo
+        append: yes
+        shell: /bin/bash
+        state: present
+    - name: Check if passwordless sudo is already configured for 'ansible'
+      ansible.builtin.shell: |
+        grep -Fxq "ansible ALL=(ALL) NOPASSWD: ALL" /etc/sudoers.d/ansible
+      register: sudoers_check
+      ignore_errors: true
+      changed_when: false
+    - name: Allow 'ansible' user passwordless sudo
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/ansible
+        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
+        owner: root
+        group: root
+        mode: '0440'
+      when: sudoers_check.rc != 0
+    - name: Ensure /home/ansible/.ssh directory exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh
+        state: directory
+        owner: ansible
+        group: ansible
+        mode: '0700'
+    - name: Copy id_ed25519 private key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519
+        dest: /home/ansible/.ssh/id_ed25519
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Copy id_ed25519 public key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519.pub
+        dest: /home/ansible/.ssh/id_ed25519.pub
+        owner: ansible
+        group: ansible
+        mode: '0644'
+    - name: Ensure authorized_keys exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh/authorized_keys
+        state: touch
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Read public key content
+      ansible.builtin.slurp:
+        src: /home/ansible/.ssh/id_ed25519.pub
+      register: pubkey_content
+    - name: Ensure public key is present in authorized_keys
+      ansible.builtin.lineinfile:
+        path: /home/ansible/.ssh/authorized_keys
+        line: "{{ pubkey_content['content'] | b64decode | trim }}"
+        owner: ansible
+        group: ansible
+        mode: '0600'
+        create: yes
+        state: present
+
+    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
+      ansible.builtin.file:
+        path: /etc/systemd/resolved.conf
+        owner: ansible
+        group: ansible
+        mode: '0664'
+        state: file
+      become: true
\ No newline at end of file
diff --git a/ansible-playbooks/common/install-docker.yml b/ansible-playbooks/common/install-docker.yml
index 3c1a20d..0a9989e 100644
--- a/ansible-playbooks/common/install-docker.yml
+++ b/ansible-playbooks/common/install-docker.yml
@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/.ini common/install-docker.yml
+# command: ansible-playbook -i common/config.ini common/install-docker.yml
 ---
 - name: Install Docker and Test
-  hosts: all
+  hosts: docker-hosts
   become: true
   become_method: sudo
diff --git a/ansible-playbooks/common/update-docker.yml b/ansible-playbooks/common/update-docker.yml
index 3d1b5c6..5a3437b 100644
--- a/ansible-playbooks/common/update-docker.yml
+++ b/ansible-playbooks/common/update-docker.yml
@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/.ini common/update-docker.yml
+# command: ansible-playbook -i common/config.ini common/update-docker.yml
 ---
 - name: Update Docker only on hosts where it is installed
-  hosts: all
+  hosts: docker-hosts
   become: true
   become_method: sudo
diff --git a/ansible-playbooks/common/update-hosts.yml b/ansible-playbooks/common/update-hosts.yml
index cc4437e..2fe8478 100644
--- a/ansible-playbooks/common/update-hosts.yml
+++ b/ansible-playbooks/common/update-hosts.yml
@@ -1,4 +1,4 @@
-# command: ansible-playbook -i config/.ini common/update-hosts.yml
+# command: ansible-playbook -i common/config.ini common/update-hosts.yml
 ---
 - name: Update and upgrade all apt packages
   hosts: all
diff --git a/ansible-playbooks/config.ini b/ansible-playbooks/config.ini
deleted file mode 100644
index 924a24a..0000000
--- a/ansible-playbooks/config.ini
+++ /dev/null
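Review bot: The task 'Copy id_ed25519 private key to ansible user' places the controller's private key, the same one `[all:vars]` in `common/config.ini` uses to reach every host, on each LXC container, so a compromise of any one container yields SSH access to all of them; only the public key is needed for `authorized_keys`, so that task should be dropped and the remaining copy/slurp/lineinfile steps already do the job (or the three can collapse into one `ansible.posix.authorized_key` task with `key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"`, if that collection is available). The sudoers `ansible.builtin.copy` should also pass `validate: /usr/sbin/visudo -cf %s` so a malformed drop-in cannot break sudo on the host, and because copy is already idempotent the preceding grep-based check task and its `when: sudoers_check.rc != 0` guard are redundant. The final task hands ownership of `/etc/systemd/resolved.conf` to the `ansible` user with mode `'0664'`; since that user already has passwordless sudo, editing the file under `become: true` in the consuming playbook avoids taking a system file away from root, and the task-level `become: true` duplicates the play-level one. Lastly, `state: touch` on `authorized_keys` reports changed on every run and is unnecessary given `create: yes` on the lineinfile task, and `append: yes` / `create: yes` should be the canonical `true`.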
@@ -1,7 +0,0 @@
-[all:vars]
-ansible_python_interpreter=/usr/bin/python3
-ansible_user=ansible
-ansible_ssh_private_key_file=~/.ssh/id_ed25519
-
-[gameservers]
-minecraft ansible_host=minecraft.mngoma.lab