From 0614dda2471ff74a9a9fb0af9dbe08e9f75cd9aa Mon Sep 17 00:00:00 2001
From: Khwezi
Date: Sat, 11 Apr 2026 11:20:31 +0200
Subject: [PATCH 1/2] Fixed ansible script

---
 ansible-playbooks/common/config.ini | 21 +++++
 .../common/create-ansible-user.yml | 4 +-
 .../common/create-lxc-ansible-user.yml | 81 +++++++++++++++++++
 ansible-playbooks/common/install-docker.yml | 4 +-
 ansible-playbooks/common/update-docker.yml | 4 +-
 ansible-playbooks/common/update-hosts.yml | 2 +-
 ansible-playbooks/config.ini | 7 --
 7 files changed, 109 insertions(+), 14 deletions(-)
 create mode 100644 ansible-playbooks/common/config.ini
 create mode 100644 ansible-playbooks/common/create-lxc-ansible-user.yml
 delete mode 100644 ansible-playbooks/config.ini

diff --git a/ansible-playbooks/common/config.ini b/ansible-playbooks/common/config.ini
new file mode 100644
index 0000000..045ed15
--- /dev/null
+++ b/ansible-playbooks/common/config.ini
@@ -0,0 +1,21 @@
+[all:vars]
+ansible_python_interpreter=/usr/bin/python3
+ansible_user=ansible
+ansible_ssh_private_key_file=~/.ssh/id_ed25519
+
+[lxc-hosts]
+postgres ansible_host=192.168.1.170
+gitea ansible_host=192.168.1.172
+appserver ansible_host=192.168.1.173
+
+[workload-hosts]
+authentik ansible_host=192.168.1.171
+pangolingw ansible_host=192.168.1.175
+
+[docker-hosts]
+authentik ansible_host=192.168.1.171
+appserver ansible_host=192.168.1.173
+
+[k3s-hosts]
+k3smainnode ansible_host=192.168.1.177
+k3sworkernode ansible_host=192.168.1.178
\ No newline at end of file
diff --git a/ansible-playbooks/common/create-ansible-user.yml b/ansible-playbooks/common/create-ansible-user.yml
index 5424cab..2ef58f5 100644
--- a/ansible-playbooks/common/create-ansible-user.yml
+++ b/ansible-playbooks/common/create-ansible-user.yml
@@ -1,8 +1,8 @@
-# command: ansible-playbook -i config/.ini common/create-ansible-user.yml --ask-become-pass
+# command: ansible-playbook -i common/config.ini common/create-ansible-user.yml --ask-become-pass
 # Note: this playbook requires an interactive mode or passed secret for privilege escalation
 ---
 - name: Create ansible user and configure passwordless sudo
-  hosts: all
+  hosts: workload-hosts
   become: true
   become_method: sudo
   vars:
diff --git a/ansible-playbooks/common/create-lxc-ansible-user.yml b/ansible-playbooks/common/create-lxc-ansible-user.yml
new file mode 100644
index 0000000..85b7d47
--- /dev/null
+++ b/ansible-playbooks/common/create-lxc-ansible-user.yml
@@ -0,0 +1,81 @@
+# command: ansible-playbook -i common/config.ini common/create-lxc-ansible-user.yml --ask-become-pass
+# Note: this playbook requires an interactive mode or passed secret for privilege escalation
+---
+- name: Create ansible user and configure passwordless sudo
+  hosts: lxc-hosts
+  become: true
+  become_method: sudo
+  vars:
+    ansible_user: root
+  tasks:
+    - name: Ensure 'ansible' user exists
+      ansible.builtin.user:
+        name: ansible
+        groups: sudo
+        append: yes
+        shell: /bin/bash
+        state: present
+    - name: Check if passwordless sudo is already configured for 'ansible'
+      ansible.builtin.shell: |
+        grep -Fxq "ansible ALL=(ALL) NOPASSWD: ALL" /etc/sudoers.d/ansible
+      register: sudoers_check
+      ignore_errors: true
+      changed_when: false
+    - name: Allow 'ansible' user passwordless sudo
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/ansible
+        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
+        owner: root
+        group: root
+        mode: '0440'
+      when: sudoers_check.rc != 0
+    - name: Ensure /home/ansible/.ssh directory exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh
+        state: directory
+        owner: ansible
+        group: ansible
+        mode: '0700'
+    - name: Copy id_ed25519 private key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519
+        dest: /home/ansible/.ssh/id_ed25519
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Copy id_ed25519 public key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519.pub
+        dest: /home/ansible/.ssh/id_ed25519.pub
+        owner: ansible
+        group: ansible
+        mode: '0644'
+    - name: Ensure authorized_keys exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh/authorized_keys
+        state: touch
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Read public key content
+      ansible.builtin.slurp:
+        src: /home/ansible/.ssh/id_ed25519.pub
+      register: pubkey_content
+    - name: Ensure public key is present in authorized_keys
+      ansible.builtin.lineinfile:
+        path: /home/ansible/.ssh/authorized_keys
+        line: "{{ pubkey_content['content'] | b64decode | trim }}"
+        owner: ansible
+        group: ansible
+        mode: '0600'
+        create: yes
+        state: present
+
+    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
+      ansible.builtin.file:
+        path: /etc/systemd/resolved.conf
+        owner: ansible
+        group: ansible
+        mode: '0664'
+        state: file
+      become: true
\ No newline at end of file
diff --git a/ansible-playbooks/common/install-docker.yml b/ansible-playbooks/common/install-docker.yml
index 3c1a20d..0a9989e 100644
--- a/ansible-playbooks/common/install-docker.yml
+++ b/ansible-playbooks/common/install-docker.yml
@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/.ini common/install-docker.yml
+# command: ansible-playbook -i common/config.ini common/install-docker.yml
 ---
 - name: Install Docker and Test
-  hosts: all
+  hosts: docker-hosts
   become: true
   become_method: sudo
diff --git a/ansible-playbooks/common/update-docker.yml b/ansible-playbooks/common/update-docker.yml
index 3d1b5c6..5a3437b 100644
--- a/ansible-playbooks/common/update-docker.yml
+++ b/ansible-playbooks/common/update-docker.yml
@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/.ini common/update-docker.yml
+# command: ansible-playbook -i common/config.ini common/update-docker.yml
 ---
 - name: Update Docker only on hosts where it is installed
-  hosts: all
+  hosts: docker-hosts
   become: true
   become_method: sudo
diff --git a/ansible-playbooks/common/update-hosts.yml b/ansible-playbooks/common/update-hosts.yml
index cc4437e..2fe8478 100644
--- a/ansible-playbooks/common/update-hosts.yml
+++ b/ansible-playbooks/common/update-hosts.yml
@@ -1,4 +1,4 @@
-# command: ansible-playbook -i config/.ini common/update-hosts.yml
+# command: ansible-playbook -i common/config.ini common/update-hosts.yml
 ---
 - name: Update and upgrade all apt packages
   hosts: all
diff --git a/ansible-playbooks/config.ini b/ansible-playbooks/config.ini
deleted file mode 100644
index 924a24a..0000000
--- a/ansible-playbooks/config.ini
+++ /dev/null
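Review bot: The "Copy id_ed25519 private key to ansible user" task distributes the control node's SSH private key to every host in `lxc-hosts`, so the key that grants the `ansible` user access to all managed hosts also sits on each of them, and any one compromised container then authenticates to the rest. Only the public key is needed for inbound access, so drop that task and the public-key copy / `slurp` / `touch` / `lineinfile` sequence in favour of a single `ansible.posix.authorized_key` task that reads `~/.ssh/id_ed25519.pub` on the control node, as below. The sudoers `copy` task should also carry `validate: /usr/sbin/visudo -cf %s` so a malformed drop-in cannot lock out sudo, which makes the preceding `grep` check redundant since `copy` is already idempotent. The last task hands `/etc/systemd/resolved.conf` to the `ansible` user with mode `'0664'`; that user already has `NOPASSWD: ALL`, so a later playbook can edit the file under `become` without re-owning a root-owned system file, and I would drop it. `append: yes` and `create: yes` should be `true` to match the `become: true` style used in the same play.
```yaml
    # … unchanged: user, sudoers and .ssh directory tasks …
    - name: Ensure the control node's public key is authorized for 'ansible'
      ansible.posix.authorized_key:
        user: ansible
        key: "{{ lookup('ansible.builtin.file', '~/.ssh/id_ed25519.pub') }}"
        state: present
```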
@@ -1,7 +0,0 @@
-[all:vars]
-ansible_python_interpreter=/usr/bin/python3
-ansible_user=ansible
-ansible_ssh_private_key_file=~/.ssh/id_ed25519
-
-[gameservers]
-minecraft ansible_host=minecraft.mngoma.lab

From d1076fe39a9f2f620510438e6b34700343c60dd6 Mon Sep 17 00:00:00 2001
From: Khwezi
Date: Sat, 11 Apr 2026 13:56:16 +0200
Subject: [PATCH 2/2] Added semaphore docker stack

---
 ansible-playbooks/common/update-release.yml | 34 +++++++++++++++++++++
 docker-stacks/app-server/semaphore.yml | 24 +++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 ansible-playbooks/common/update-release.yml
 create mode 100644 docker-stacks/app-server/semaphore.yml

diff --git a/ansible-playbooks/common/update-release.yml b/ansible-playbooks/common/update-release.yml
new file mode 100644
index 0000000..50d81bf
--- /dev/null
+++ b/ansible-playbooks/common/update-release.yml
@@ -0,0 +1,34 @@
+# command: ansible-playbook -i common/config.ini common/update-release.yml
+---
+- name: Upgrade Ubuntu to next release
+  hosts: workload-hosts, k3s-hosts
+  become: true
+  tasks:
+    - name: Ensure update-manager-core is installed
+      ansible.builtin.apt:
+        name: update-manager-core
+        state: present
+
+    - name: Update all current packages to latest version
+      ansible.builtin.apt:
+        update_cache: yes
+        upgrade: dist
+
+    - name: Check if a reboot is required before upgrading
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+      register: reboot_required_pre
+
+    - name: Reboot if required before major upgrade
+      ansible.builtin.reboot:
+      when: reboot_required_pre.stat.exists
+
+    - name: Run do-release-upgrade non-interactively
+      ansible.builtin.shell: do-release-upgrade -f DistUpgradeViewNonInteractive
+      async: 3600 # Sets timeout to 1 hour
+      poll: 60 # Checks status every 60 seconds
+      register: upgrade_output
+
+    - name: Reboot the server after successful upgrade
+      ansible.builtin.reboot:
+      when: upgrade_output is succeeded
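Review bot: The `when: upgrade_output is succeeded` guard on the final reboot never filters anything, because a non-zero exit from the `do-release-upgrade` task fails the play on that host before the condition is evaluated (no `failed_when` or `ignore_errors` is set), and nothing checks beforehand whether a new release exists, so hosts that are already current run `do-release-upgrade -f DistUpgradeViewNonInteractive` for nothing. Add a `do-release-upgrade -c` check first (exit status 0 when a release is available, if I read the tool correctly) and gate the upgrade on it, as below. The command uses no shell features, so `ansible.builtin.command` is the safer module for both tasks. With `hosts: workload-hosts, k3s-hosts` and automatic reboots, consider `serial: 1` on the play so both k3s nodes are not release-upgraded and rebooted at the same time; `update_cache: yes` should also be `true` to match `become: true`.
```yaml
    # … unchanged: apt, stat and pre-upgrade reboot tasks …
    - name: Check whether a new release is available
      ansible.builtin.command: do-release-upgrade -c
      register: release_check
      changed_when: false
      failed_when: release_check.rc not in [0, 1]

    - name: Run do-release-upgrade non-interactively
      ansible.builtin.command: do-release-upgrade -f DistUpgradeViewNonInteractive
      async: 3600 # Sets timeout to 1 hour
      poll: 60 # Checks status every 60 seconds
      register: upgrade_output
      when: release_check.rc == 0
    # … unchanged: post-upgrade reboot task …
```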
diff --git a/docker-stacks/app-server/semaphore.yml b/docker-stacks/app-server/semaphore.yml
new file mode 100644
index 0000000..fd6dabf
--- /dev/null
+++ b/docker-stacks/app-server/semaphore.yml
@@ -0,0 +1,24 @@
+services:
+  semaphore:
+    image: semaphoreui/semaphore:latest
+    container_name: semaphore
+    restart: unless-stopped
+    ports:
+      - "{PORT}:3000"
+    environment:
+      SEMAPHORE_DB_USER: {SEMAPHORE_DB_USER}
+      SEMAPHORE_DB_PASS: {SEMAPHORE_PASSWORD}
+      SEMAPHORE_DB_HOST: {SEMAPHORE_DB_HOST}
+      SEMAPHORE_DB_PORT: 5432
+      SEMAPHORE_DB_DIALECT: postgres
+      SEMAPHORE_DB: {SEMAPHORE_DB_NAME}
+
+      SEMAPHORE_ADMIN: {SEMAPHORE_ADMIN_USERNAME}
+      SEMAPHORE_ADMIN_PASSWORD: {SEMAPHORE_ADMIN_PASSWORD}
+      SEMAPHORE_ADMIN_NAME: Administrator
+      SEMAPHORE_ADMIN_EMAIL: {SEMAPHORE_ADMIN_EMAIL}
+
+      SEMAPHORE_ACCESS_KEY_ENCRYPTION: {SEMAPHORE_ACCESS_KEY_ENCRYPTION}
+
+    volumes:
+      - /tmp/semaphore:/tmp/semaphore
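Review bot: The unquoted `{SEMAPHORE_DB_USER}`-style values under `environment` are parsed by YAML as flow mappings (a key with a null value), not strings, so Compose rejects the file, and `{PORT}` is not Compose interpolation syntax either — Compose substitutes `${VAR}`. Rewrite every placeholder as `"${VAR}"`, and for the secrets (`SEMAPHORE_DB_PASS`, `SEMAPHORE_ADMIN_PASSWORD`, `SEMAPHORE_ACCESS_KEY_ENCRYPTION`) use the required form `"${VAR:?message}"` so a missing `.env` value aborts `compose up` instead of starting Semaphore with an empty password or encryption key, as below. `image: semaphoreui/semaphore:latest` is unpinned; pin a specific tag (ideally with a digest) so upgrades of the automation controller are deliberate. `/tmp/semaphore` on the host is volatile on most distributions, so if that path holds Semaphore state it should move to a persistent location — worth confirming against the image's documentation.
```yaml
    ports:
      - "${PORT}:3000"
    environment:
      SEMAPHORE_DB_USER: "${SEMAPHORE_DB_USER}"
      SEMAPHORE_DB_PASS: "${SEMAPHORE_PASSWORD:?SEMAPHORE_PASSWORD is required}"
      SEMAPHORE_DB_HOST: "${SEMAPHORE_DB_HOST}"
      SEMAPHORE_DB_PORT: "5432"
      SEMAPHORE_DB_DIALECT: postgres
      SEMAPHORE_DB: "${SEMAPHORE_DB_NAME}"
      SEMAPHORE_ADMIN: "${SEMAPHORE_ADMIN_USERNAME}"
      SEMAPHORE_ADMIN_PASSWORD: "${SEMAPHORE_ADMIN_PASSWORD:?SEMAPHORE_ADMIN_PASSWORD is required}"
      SEMAPHORE_ADMIN_NAME: Administrator
      SEMAPHORE_ADMIN_EMAIL: "${SEMAPHORE_ADMIN_EMAIL}"
      SEMAPHORE_ACCESS_KEY_ENCRYPTION: "${SEMAPHORE_ACCESS_KEY_ENCRYPTION:?SEMAPHORE_ACCESS_KEY_ENCRYPTION is required}"
    # … unchanged: volumes …
```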