first commit

k3s-cluster/ansible/common/create-ansible-user.yml

@@ -0,0 +1,81 @@
+# command: ansible-playbook -i config/<target manifest>.ini common/create-ansible-user.yml --ask-become-pass
+# Note: this playbook requires an interactive mode or passed secret for privilege escalation
+---
+- name: Create ansible user and configure passwordless sudo
+  hosts: all
+  become: true
+  become_method: sudo
+  vars:
+    ansible_user: khwezi
+  tasks:
+    - name: Ensure 'ansible' user exists
+      ansible.builtin.user:
+        name: ansible
+        groups: sudo
+        append: yes
+        shell: /bin/bash
+        state: present
+    - name: Check if passwordless sudo is already configured for 'ansible'
+      ansible.builtin.shell: |
+        grep -Fxq "ansible ALL=(ALL) NOPASSWD: ALL" /etc/sudoers.d/ansible
+      register: sudoers_check
+      ignore_errors: true
+      changed_when: false
+    - name: Allow 'ansible' user passwordless sudo
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/ansible
+        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
+        owner: root
+        group: root
+        mode: '0440'
+      when: sudoers_check.rc != 0
+    - name: Ensure /home/ansible/.ssh directory exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh
+        state: directory
+        owner: ansible
+        group: ansible
+        mode: '0700'
+    - name: Copy id_ed25519 private key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519
+        dest: /home/ansible/.ssh/id_ed25519
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Copy id_ed25519 public key to ansible user
+      ansible.builtin.copy:
+        src: ~/.ssh/id_ed25519.pub
+        dest: /home/ansible/.ssh/id_ed25519.pub
+        owner: ansible
+        group: ansible
+        mode: '0644'
+    - name: Ensure authorized_keys exists
+      ansible.builtin.file:
+        path: /home/ansible/.ssh/authorized_keys
+        state: touch
+        owner: ansible
+        group: ansible
+        mode: '0600'
+    - name: Read public key content
+      ansible.builtin.slurp:
+        src: /home/ansible/.ssh/id_ed25519.pub
+      register: pubkey_content
+    - name: Ensure public key is present in authorized_keys
+      ansible.builtin.lineinfile:
+        path: /home/ansible/.ssh/authorized_keys
+        line: "{{ pubkey_content['content'] | b64decode | trim }}"
+        owner: ansible
+        group: ansible
+        mode: '0600'
+        create: yes
+        state: present
+
+    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
+      ansible.builtin.file:
+        path: /etc/systemd/resolved.conf
+        owner: ansible
+        group: ansible
+        mode: '0664'
+        state: file
+      become: true

k3s-cluster/ansible/common/install-docker.yml

@@ -0,0 +1,86 @@
+# command: ansible-playbook -i config/<target manifest>.ini common/install-docker.yml
+---
+- name: Install Docker and Test
+  hosts: all
+  become: true
+  become_method: sudo
+
+  tasks:
+    - name: Ensure required apt packages are installed
+      ansible.builtin.apt:
+        name:
+          - apt-transport-https
+          - ca-certificates
+          - curl
+          - gnupg
+          - lsb-release
+        state: present
+        update_cache: yes
+
+    - name: Ensure gpg is installed
+      ansible.builtin.apt:
+        name: gpg
+        state: present
+
+    - name: Remove old Docker keyring files if present
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /usr/share/keyrings/docker-archive-keyring.gpg
+        - /usr/share/keyrings/docker-archive-keyring.gpg.asc
+
+    - name: Download Docker's official GPG key (ASCII)
+      ansible.builtin.get_url:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        dest: /usr/share/keyrings/docker-archive-keyring.gpg.asc
+        mode: '0644'
+        force: yes
+
+    - name: Convert Docker GPG key to binary format
+      ansible.builtin.command: >
+        gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg /usr/share/keyrings/docker-archive-keyring.gpg.asc
+
+    - name: Add Docker repository if not present (modern method)
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+        state: present
+        filename: docker
+
+    - name: Update apt cache after adding Docker repo
+      ansible.builtin.apt:
+        update_cache: yes
+
+    - name: Check if Docker is already installed
+      ansible.builtin.command: docker --version
+      register: docker_check
+      ignore_errors: true
+      changed_when: false
+
+    - name: Install Docker Engine
+      ansible.builtin.apt:
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+        state: present
+      when: docker_check.rc != 0
+
+    - name: Check Docker version (post-install)
+      ansible.builtin.command: docker --version
+      register: docker_version
+      changed_when: false
+
+    - name: Show Docker version
+      ansible.builtin.debug:
+        var: docker_version.stdout
+
+    - name: Run hello-world container to test Docker
+      ansible.builtin.command: docker run --name hello-test --rm hello-world
+      register: hello_world_output
+      changed_when: false
+
+    - name: Show hello-world output
+      ansible.builtin.debug:
+        var: hello_world_output.stdout
+

k3s-cluster/ansible/common/update-docker.yml

@@ -0,0 +1,28 @@
+# command: ansible-playbook -i config/<target manifest>.ini common/update-docker.yml
+---
+- name: Update Docker only on hosts where it is installed
+  hosts: all
+  become: true
+  become_method: sudo
+
+  tasks:
+    - name: Check if Docker is installed
+      ansible.builtin.command: docker --version
+      register: docker_check
+      ignore_errors: true
+      changed_when: false
+
+    - name: Update Docker packages if installed
+      ansible.builtin.apt:
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+        state: latest
+        update_cache: yes
+      when: docker_check.rc == 0
+
+    - name: Debug message if Docker is not installed
+      ansible.builtin.debug:
+        msg: "Docker is not installed on this host. Skipping update."
+      when: docker_check.rc != 0

k3s-cluster/ansible/common/update-hosts.yml

@@ -0,0 +1,19 @@
+# command: ansible-playbook -i config/<target manifest>.ini common/update-hosts.yml
+---
+- name: Update and upgrade all apt packages
+  hosts: all
+  become: true
+  become_method: sudo
+
+  tasks:
+    - name: Update apt cache
+      ansible.builtin.apt:
+        update_cache: yes
+
+    - name: Upgrade all packages
+      ansible.builtin.apt:
+        upgrade: dist
+
+    - name: Autoremove unused packages
+      ansible.builtin.apt:
+        autoremove: yes