2026-04-11 13:57:28 +02:00
9 changed files with 167 additions and 14 deletions
--- a/ansible-playbooks/common/config.ini
+++ b/ansible-playbooks/common/config.ini
@@ -0,0 +1,21 @@
 [all:vars]
 ansible_python_interpreter=/usr/bin/python3
 ansible_user=ansible
 ansible_ssh_private_key_file=~/.ssh/id_ed25519
 [lxc-hosts]
 postgres ansible_host=192.168.1.170
 gitea ansible_host=192.168.1.172
 appserver ansible_host=192.168.1.173
 [workload-hosts]
 authentik ansible_host=192.168.1.171
 pangolingw ansible_host=192.168.1.175
 [docker-hosts]
 authentik ansible_host=192.168.1.171
 appserver ansible_host=192.168.1.173
 [k3s-hosts]
 k3smainnode ansible_host=192.168.1.177
 k3sworkernode ansible_host=192.168.1.178
--- a/ansible-playbooks/common/create-ansible-user.yml
+++ b/ansible-playbooks/common/create-ansible-user.yml
@@ -1,8 +1,8 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/create-ansible-user.yml --ask-become-pass
+# command: ansible-playbook -i common/config.ini common/create-ansible-user.yml --ask-become-pass
 # Note: this playbook requires an interactive mode or passed secret for privilege escalation
 ---
 - name: Create ansible user and configure passwordless sudo
-  hosts: all
+  hosts: workload-hosts
  become: true
  become_method: sudo
  vars:
--- a/ansible-playbooks/common/create-lxc-ansible-user.yml
+++ b/ansible-playbooks/common/create-lxc-ansible-user.yml
@@ -0,0 +1,81 @@
 # command: ansible-playbook -i common/config.ini common/create-lxc-ansible-user.yml --ask-become-pass
 # Note: this playbook requires an interactive mode or passed secret for privilege escalation
 ---
 - name: Create ansible user and configure passwordless sudo
  hosts: lxc-hosts
  become: true
  become_method: sudo
  vars:
    ansible_user: root
  tasks:
    - name: Ensure 'ansible' user exists
      ansible.builtin.user:
        name: ansible
        groups: sudo
        append: yes
        shell: /bin/bash
        state: present
    - name: Check if passwordless sudo is already configured for 'ansible'
      ansible.builtin.shell: |
        grep -Fxq "ansible ALL=(ALL) NOPASSWD: ALL" /etc/sudoers.d/ansible
      register: sudoers_check
      ignore_errors: true
      changed_when: false
    - name: Allow 'ansible' user passwordless sudo
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: '0440'
      when: sudoers_check.rc != 0
    - name: Ensure /home/ansible/.ssh directory exists
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        group: ansible
        mode: '0700'
    - name: Copy id_ed25519 private key to ansible user
      ansible.builtin.copy:
        src: ~/.ssh/id_ed25519
        dest: /home/ansible/.ssh/id_ed25519
        owner: ansible
        group: ansible
        mode: '0600'
    - name: Copy id_ed25519 public key to ansible user
      ansible.builtin.copy:
        src: ~/.ssh/id_ed25519.pub
        dest: /home/ansible/.ssh/id_ed25519.pub
        owner: ansible
        group: ansible
        mode: '0644'
    - name: Ensure authorized_keys exists
      ansible.builtin.file:
        path: /home/ansible/.ssh/authorized_keys
        state: touch
        owner: ansible
        group: ansible
        mode: '0600'
    - name: Read public key content
      ansible.builtin.slurp:
        src: /home/ansible/.ssh/id_ed25519.pub
      register: pubkey_content
    - name: Ensure public key is present in authorized_keys
      ansible.builtin.lineinfile:
        path: /home/ansible/.ssh/authorized_keys
        line: "{{ pubkey_content['content'] | b64decode | trim }}"
        owner: ansible
        group: ansible
        mode: '0600'
        create: yes
        state: present
    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
      ansible.builtin.file:
        path: /etc/systemd/resolved.conf
        owner: ansible
        group: ansible
        mode: '0664'
        state: file
      become: true
--- a/ansible-playbooks/common/install-docker.yml
+++ b/ansible-playbooks/common/install-docker.yml
@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/install-docker.yml
+# command: ansible-playbook -i common/config.ini common/install-docker.yml
 ---
 - name: Install Docker and Test
-  hosts: all
+  hosts: docker-hosts
  become: true
  become_method: sudo
--- a/ansible-playbooks/common/update-docker.yml
+++ b/ansible-playbooks/common/update-docker.yml
@@ -1,7 +1,7 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/update-docker.yml
+# command: ansible-playbook -i common/config.ini common/update-docker.yml
 ---
 - name: Update Docker only on hosts where it is installed
-  hosts: all
+  hosts: docker-hosts
  become: true
  become_method: sudo
--- a/ansible-playbooks/common/update-hosts.yml
+++ b/ansible-playbooks/common/update-hosts.yml
@@ -1,4 +1,4 @@
-# command: ansible-playbook -i config/<target manifest>.ini common/update-hosts.yml
+# command: ansible-playbook -i common/config.ini common/update-hosts.yml
 ---
 - name: Update and upgrade all apt packages
  hosts: all
--- a/ansible-playbooks/common/update-release.yml
+++ b/ansible-playbooks/common/update-release.yml
@@ -0,0 +1,34 @@
 # command: ansible-playbook -i common/config.ini common/update-release.yml
 ---
 - name: Upgrade Ubuntu to next release
  hosts: workload-hosts, k3s-hosts
  become: true
  tasks:
    - name: Ensure update-manager-core is installed
      ansible.builtin.apt:
        name: update-manager-core
        state: present
    - name: Update all current packages to latest version
      ansible.builtin.apt:
        update_cache: yes
        upgrade: dist
    - name: Check if a reboot is required before upgrading
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required_pre
    - name: Reboot if required before major upgrade
      ansible.builtin.reboot:
      when: reboot_required_pre.stat.exists
    - name: Run do-release-upgrade non-interactively
      ansible.builtin.shell: do-release-upgrade -f DistUpgradeViewNonInteractive
      async: 3600  # Sets timeout to 1 hour
      poll: 60     # Checks status every 60 seconds
      register: upgrade_output
    - name: Reboot the server after successful upgrade
      ansible.builtin.reboot:
      when: upgrade_output is succeeded
--- a/ansible-playbooks/config.ini
+++ b/ansible-playbooks/config.ini
@@ -1,7 +0,0 @@
 [all:vars]
 ansible_python_interpreter=/usr/bin/python3
 ansible_user=ansible
 ansible_ssh_private_key_file=~/.ssh/id_ed25519
 [gameservers]
 minecraft ansible_host=minecraft.mngoma.lab
--- a/docker-stacks/app-server/semaphore.yml
+++ b/docker-stacks/app-server/semaphore.yml
@@ -0,0 +1,24 @@
 services:
  semaphore:
    image: semaphoreui/semaphore:latest
    container_name: semaphore
    restart: unless-stopped
    ports:
      - "{PORT}:3000"
    environment:
      SEMAPHORE_DB_USER: {SEMAPHORE_DB_USER}
      SEMAPHORE_DB_PASS: {SEMAPHORE_PASSWORD}
      SEMAPHORE_DB_HOST: {SEMAPHORE_DB_HOST}
      SEMAPHORE_DB_PORT: 5432
      SEMAPHORE_DB_DIALECT: postgres
      SEMAPHORE_DB: {SEMAPHORE_DB_NAME}
      SEMAPHORE_ADMIN: {SEMAPHORE_ADMIN_USERNAME}
      SEMAPHORE_ADMIN_PASSWORD: {SEMAPHORE_ADMIN_PASSWORD}
      SEMAPHORE_ADMIN_NAME: Administrator
      SEMAPHORE_ADMIN_EMAIL: {SEMAPHORE_ADMIN_EMAIL}
      SEMAPHORE_ACCESS_KEY_ENCRYPTION: {SEMAPHORE_ACCESS_KEY_ENCRYPTION}
    volumes:
      - /tmp/semaphore:/tmp/semaphore