Merge pull request 'dev' (#2) from dev into main

Reviewed-on: #2

ansible-playbooks/common/config.ini

@@ -0,0 +1,21 @@
+[all:vars]
+ansible_python_interpreter=/usr/bin/python3
+ansible_user=ansible
+ansible_ssh_private_key_file=~/.ssh/id_ed25519
+
+[lxc-hosts]
+postgres ansible_host=192.168.1.170
+gitea ansible_host=192.168.1.172
+appserver ansible_host=192.168.1.173
+
+[workload-hosts]
+authentik ansible_host=192.168.1.171
+pangolingw ansible_host=192.168.1.175
+
+[docker-hosts]
+authentik ansible_host=192.168.1.171
+appserver ansible_host=192.168.1.173
+
+[k3s-hosts]
+k3smainnode ansible_host=192.168.1.177
+k3sworkernode ansible_host=192.168.1.178

ansible-playbooks/common/create-ansible-user.yml

@@ -1,8 +1,8 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/create-ansible-user.yml --ask-become-pass
+# command: ansible-playbook -i common/config.ini common/create-ansible-user.yml --ask-become-pass
 # Note: this playbook requires an interactive mode or passed secret for privilege escalation
 ---
 - name: Create ansible user and configure passwordless sudo
-  hosts: all
+  hosts: workload-hosts
   become: true
   become_method: sudo
   vars:

ansible-playbooks/common/create-lxc-ansible-user.yml

@@ -0,0 +1,81 @@
+# command: ansible-playbook -i common/config.ini common/create-lxc-ansible-user.yml --ask-become-pass
+# Note: this playbook requires an interactive mode or passed secret for privilege escalation
+---
+- name: Create ansible user and configure passwordless sudo
+  hosts: lxc-hosts
+  become: true
+  become_method: sudo
+  vars:
+    ansible_user: root
+  tasks:
+    - name: Ensure 'ansible' user exists
+      ansible.builtin.user:
+        name: ansible
+        groups: sudo
+        append: yes
+        shell: /bin/bash
+        state: present
+    - name: Check if passwordless sudo is already configured for 'ansible'
+      ansible.builtin.shell: |
+        grep -Fxq "ansible ALL=(ALL) NOPASSWD: ALL" /etc/sudoers.d/ansible
+      register: sudoers_check
+      ignore_errors: true
+      changed_when: false
+    - name: Allow 'ansible' user passwordless sudo
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/ansible
+        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
+        owner: root
+        group: root
+        mode: '0440'
+      when: sudoers_check.rc != 0
+    - name: Ensure /home/ansible/.ssh directory exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh
+        state: directory
+        owner: ansible
+        group: ansible
+        mode: '0700'
+    - name: Copy id_ed25519 private key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519
+        dest: /home/ansible/.ssh/id_ed25519
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Copy id_ed25519 public key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519.pub
+        dest: /home/ansible/.ssh/id_ed25519.pub
+        owner: ansible
+        group: ansible
+        mode: '0644'
+    - name: Ensure authorized_keys exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh/authorized_keys
+        state: touch
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Read public key content
+      ansible.builtin.slurp:
+        src: /home/ansible/.ssh/id_ed25519.pub
+      register: pubkey_content
+    - name: Ensure public key is present in authorized_keys
+      ansible.builtin.lineinfile:
+        path: /home/ansible/.ssh/authorized_keys
+        line: "{{ pubkey_content['content'] | b64decode | trim }}"
+        owner: ansible
+        group: ansible
+        mode: '0600'
+        create: yes
+        state: present
+
+    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
+      ansible.builtin.file:
+        path: /etc/systemd/resolved.conf
+        owner: ansible
+        group: ansible
+        mode: '0664'
+        state: file
+      become: true

ansible-playbooks/common/install-docker.yml

@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/install-docker.yml
+# command: ansible-playbook -i common/config.ini common/install-docker.yml
 ---
 - name: Install Docker and Test
-  hosts: all
+  hosts: docker-hosts
   become: true
   become_method: sudo
 

ansible-playbooks/common/update-docker.yml

@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/update-docker.yml
+# command: ansible-playbook -i common/config.ini common/update-docker.yml
 ---
 - name: Update Docker only on hosts where it is installed
-  hosts: all
+  hosts: docker-hosts
   become: true
   become_method: sudo
 

ansible-playbooks/common/update-hosts.yml

@@ -1,4 +1,4 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/update-hosts.yml
+# command: ansible-playbook -i common/config.ini common/update-hosts.yml
 ---
 - name: Update and upgrade all apt packages
   hosts: all

ansible-playbooks/common/update-release.yml

@@ -0,0 +1,34 @@
+# command: ansible-playbook -i common/config.ini common/update-release.yml
+---
+- name: Upgrade Ubuntu to next release
+  hosts: workload-hosts, k3s-hosts
+  become: true
+  tasks:
+    - name: Ensure update-manager-core is installed
+      ansible.builtin.apt:
+        name: update-manager-core
+        state: present
+
+    - name: Update all current packages to latest version
+      ansible.builtin.apt:
+        update_cache: yes
+        upgrade: dist
+
+    - name: Check if a reboot is required before upgrading
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+      register: reboot_required_pre
+
+    - name: Reboot if required before major upgrade
+      ansible.builtin.reboot:
+      when: reboot_required_pre.stat.exists
+
+    - name: Run do-release-upgrade non-interactively
+      ansible.builtin.shell: do-release-upgrade -f DistUpgradeViewNonInteractive
+      async: 3600  # Sets timeout to 1 hour
+      poll: 60     # Checks status every 60 seconds
+      register: upgrade_output
+
+    - name: Reboot the server after successful upgrade
+      ansible.builtin.reboot:
+      when: upgrade_output is succeeded

ansible-playbooks/config.ini

@@ -1,7 +0,0 @@
-[all:vars]
-ansible_python_interpreter=/usr/bin/python3
-ansible_user=ansible
-ansible_ssh_private_key_file=~/.ssh/id_ed25519
-
-[gameservers]
-minecraft ansible_host=minecraft.mngoma.lab

docker-stacks/app-server/semaphore.yml

@@ -0,0 +1,24 @@
+services:
+  semaphore:
+    image: semaphoreui/semaphore:latest
+    container_name: semaphore
+    restart: unless-stopped
+    ports:
+      - "{PORT}:3000"
+    environment:
+      SEMAPHORE_DB_USER: {SEMAPHORE_DB_USER}
+      SEMAPHORE_DB_PASS: {SEMAPHORE_PASSWORD}
+      SEMAPHORE_DB_HOST: {SEMAPHORE_DB_HOST}
+      SEMAPHORE_DB_PORT: 5432
+      SEMAPHORE_DB_DIALECT: postgres
+      SEMAPHORE_DB: {SEMAPHORE_DB_NAME}
+      
+      SEMAPHORE_ADMIN: {SEMAPHORE_ADMIN_USERNAME}
+      SEMAPHORE_ADMIN_PASSWORD: {SEMAPHORE_ADMIN_PASSWORD}
+      SEMAPHORE_ADMIN_NAME: Administrator
+      SEMAPHORE_ADMIN_EMAIL: {SEMAPHORE_ADMIN_EMAIL}
+      
+      SEMAPHORE_ACCESS_KEY_ENCRYPTION: {SEMAPHORE_ACCESS_KEY_ENCRYPTION}
+      
+    volumes:
+      - /tmp/semaphore:/tmp/semaphore