diff --git a/playbooks/1_bootstrap.yml b/playbooks/1_bootstrap.yml index 332c0129..135eb102 100644 --- a/playbooks/1_bootstrap.yml +++ b/playbooks/1_bootstrap.yml @@ -2,11 +2,17 @@ - hosts: all gather_facts: false roles: - - { role: robertdebock-ansible-role-bootstrap, tags: "bootstrap", become: true} - - { role: mgrote_users, tags: "user", become: true} - - { role: mgrote_apt_manage_sources, tags: "apt_sources" } - - { role: mgrote_qemu_guest_agent } - - { role: mgrote_apt_update_packages, tags: "updates"} + - role: robertdebock-ansible-role-bootstrap + tags: "bootstrap" + become: true + - role: mgrote_apt_manage_sources + tags: "apt_sources" + - role: mgrote_qemu_guest_agent + - role: mgrote_apt_update_packages + tags: "updates" + - role: mgrote_users + tags: "user" + become: true post_tasks: - name: Change user password @@ -26,5 +32,16 @@ ansible_password: hallowelt ansible_become_password: hallowelt ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'" + ### mgrote.user + users: + - username: ansible-user + password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" + update_password: always + groups: ssh, sudo + state: present + public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu + allow_sudo: true + allow_passwordless_sudo: true + # Nach dem ersten durchlaufen ist keine Anmeldung mehr per Passwort & ssh möglich. Damit scheitert auch der Versuch das Playbook ein zweites mal durchlaufen zu lassen. diff --git a/playbooks/2_all.yml b/playbooks/2_all.yml index 020bb6db..c1a9e2a3 100644 --- a/playbooks/2_all.yml +++ b/playbooks/2_all.yml 
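Review bot: Moving mgrote_users to the end of the roles list, behind mgrote_apt_update_packages, is not explained anywhere in the play, and nothing else in the file makes the required order obvious; a one-line comment above the entry, e.g. `# keep mgrote_users last: <reason>`, would stop the next edit from moving it back. In the same commit the users.yml hunk lifts `become: true` to play level while this play keeps it on individual roles; pick one placement so the two bootstrap plays read alike. mgrote_qemu_guest_agent remains the only entry without `tags:`, so it cannot be selected or skipped with `--tags`/`--skip-tags` like its neighbours.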
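Review bot: `groups: ssh, sudo` in the new `users:` entry is one plain scalar, the string "ssh, sudo", not a list; whether mgrote_users splits it on commas is not visible here, so write it unambiguously as `groups: ["ssh", "sudo"]`. The trailing German comment is the only record that this play is one-shot (after the first run password/SSH login is gone, so the `ansible_password`/`ansible_become_password` connection vars above no longer work and a second run fails); keep that in English and next to the vars it refers to, e.g. `# One-shot: after the first run password login over SSH is disabled, so these connection vars stop working and a second run fails.`. `allow_passwordless_sudo: true` presumably gives ansible-user NOPASSWD sudo while `ansible_become_password` is still set in the same block; a short comment stating which is expected to apply after bootstrap would remove the ambiguity.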
@@ -1,17 +1,5 @@ --- -- ansible.builtin.import_playbook: base/apt_sources.yml - ansible.builtin.import_playbook: base/packages.yml -- ansible.builtin.import_playbook: base/ntp_client.yml -- ansible.builtin.import_playbook: base/restic.yml +- ansible.builtin.import_playbook: base/system.yml - ansible.builtin.import_playbook: base/users.yml -- ansible.builtin.import_playbook: base/dotfiles.yml -- ansible.builtin.import_playbook: base/vim.yml -- ansible.builtin.import_playbook: base/postfix.yml - ansible.builtin.import_playbook: base/ufw.yml -- ansible.builtin.import_playbook: base/ssh.yml -- ansible.builtin.import_playbook: base/f2b.yml -- ansible.builtin.import_playbook: base/remove_snapd.yml -- ansible.builtin.import_playbook: base/unattended_upgrades.yml -- ansible.builtin.import_playbook: base/update_packages.yml -- ansible.builtin.import_playbook: base/lvm.yml -- ansible.builtin.import_playbook: base/fwupd.yml diff --git a/playbooks/base/apt_sources.yml b/playbooks/base/apt_sources.yml deleted file mode 100644 index c63f6d5d..00000000 --- a/playbooks/base/apt_sources.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: all - roles: - - role: mgrote_apt_manage_sources - tags: "apt_sources" diff --git a/playbooks/base/dotfiles.yml b/playbooks/base/dotfiles.yml deleted file mode 100644 index 60e6a7dd..00000000 --- a/playbooks/base/dotfiles.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_dotfiles, become: true, tags: "dotfiles" } diff --git a/playbooks/base/f2b.yml b/playbooks/base/f2b.yml deleted file mode 100644 index 910db28f..00000000 --- a/playbooks/base/f2b.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_fail2ban, tags: "f2b" } diff --git a/playbooks/base/fwupd.yml b/playbooks/base/fwupd.yml deleted file mode 100644 index 0dfe3b3a..00000000 --- a/playbooks/base/fwupd.yml +++ /dev/null 
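Review bot: The new import order runs base/system.yml, and with it mgrote_ssh and mgrote_fail2ban, before base/users.yml, whereas the removed list ran users.yml ahead of ssh.yml and f2b.yml; if mgrote_ssh restricts logins to a group such as the `ssh` group the bootstrap play assigns, the users must exist first, so either confirm there is no such dependency or import users.yml before system.yml. ufw.yml also moves from the middle of the list to the end, after the ssh role. A comment at the top of this file naming the intended ordering, e.g. `# order: packages -> system -> users -> ufw; users must follow system because <reason>`, would keep the next reshuffle from breaking it.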
@@ -1,7 +0,0 @@ ---- -- hosts: all - roles: - - role: mgrote_fwupd_settings - become: true - tags: fwupd - when: "ansible_facts['distribution'] == 'Ubuntu'" diff --git a/playbooks/base/lvm.yml b/playbooks/base/lvm.yml deleted file mode 100644 index add30f04..00000000 --- a/playbooks/base/lvm.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- hosts: all - roles: - - { role: mrlesmithjr-ansible-manage-lvm, - tags: "lvm", - become: true, - when: manage_lvm == true and manage_lvm is defined } - # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das PLaybook zu "aktivieren" diff --git a/playbooks/base/ntp_client.yml b/playbooks/base/ntp_client.yml deleted file mode 100644 index d09c1e08..00000000 --- a/playbooks/base/ntp_client.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_ntp_chrony_client, tags: "ntp"} diff --git a/playbooks/base/packages.yml b/playbooks/base/packages.yml index 1b0d6581..cfbfd974 100644 --- a/playbooks/base/packages.yml +++ b/playbooks/base/packages.yml @@ -1,6 +1,18 @@ --- - hosts: all - serial: 3 roles: - - { role: mgrote_apt_manage_packages, tags: "install"} - - { role: mgrote_exa, tags: "exa"} + - role: mgrote_apt_manage_sources + tags: "apt_sources" + - role: mgrote_apt_manage_packages + tags: "install" + - role: mgrote_exa + tags: "exa" + - role: mgrote_remove_snapd + become: true + tags: "snapd" + - role: mgrote_apt_update_packages + tags: "updates" + - role: hifis-net-ansible-role-unattended-upgrades + become: true + tags: unattended + when: "ansible_facts['distribution'] == 'Ubuntu'" diff --git a/playbooks/base/postfix.yml b/playbooks/base/postfix.yml deleted file mode 100644 index 5170c75b..00000000 --- a/playbooks/base/postfix.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_postfix, tags: "postfix" } diff --git a/playbooks/base/remove_snapd.yml b/playbooks/base/remove_snapd.yml deleted file mode 100644 index c7091171..00000000 
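Review bot: hifis-net-ansible-role-unattended-upgrades now runs under this play's `hosts: all`, but the deleted playbooks/base/unattended_upgrades.yml limited it to `hosts: all,!pve,!pbs`; unless the `when: "ansible_facts['distribution'] == 'Ubuntu'"` guard happens to exclude those hosts, they gain automatic upgrades they were deliberately kept out of. Either move that role back into its own play with `hosts: all,!pve,!pbs` or extend the `when:` to exclude the pve and pbs inventory groups. The same hunk drops `serial: 3`, so mgrote_apt_update_packages now updates every host at once instead of three at a time; if that is intended it deserves a sentence in the commit message, otherwise restore `serial: 3`.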
--- a/playbooks/base/remove_snapd.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_remove_snapd, become: true, tags: "snapd" } diff --git a/playbooks/base/restic.yml b/playbooks/base/restic.yml deleted file mode 100644 index 2eca23f1..00000000 --- a/playbooks/base/restic.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_restic, tags: "restic" } diff --git a/playbooks/base/ssh.yml b/playbooks/base/ssh.yml deleted file mode 100644 index 7816715d..00000000 --- a/playbooks/base/ssh.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_ssh, - tags: "ssh"} diff --git a/playbooks/base/system.yml b/playbooks/base/system.yml new file mode 100644 index 00000000..bb5cb917 --- /dev/null +++ b/playbooks/base/system.yml @@ -0,0 +1,22 @@ +--- +- hosts: all + roles: + - role: mgrote_ntp_chrony_client + tags: "ntp" + - role: mgrote_postfix + tags: "postfix" + - role: mgrote_restic + tags: "restic" + - role: mgrote_fail2ban + tags: "f2b" + - role: mgrote_fwupd_settings + become: true + tags: fwupd + when: "ansible_facts['distribution'] == 'Ubuntu'" + - role: mrlesmithjr-ansible-manage-lvm + tags: "lvm" + become: true + when: manage_lvm == true and manage_lvm is defined + # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das PLaybook zu "aktivieren" + - role: mgrote_ssh + tags: "ssh" diff --git a/playbooks/base/unattended_upgrades.yml b/playbooks/base/unattended_upgrades.yml deleted file mode 100644 index 608c9916..00000000 --- a/playbooks/base/unattended_upgrades.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: all,!pve,!pbs - roles: - - { role: hifis-net-ansible-role-unattended-upgrades, - become: true, - tags: unattended, - when: "ansible_facts['distribution'] == 'Ubuntu'"} diff --git a/playbooks/base/update_packages.yml b/playbooks/base/update_packages.yml deleted file mode 100644 index facc9e2e..00000000 --- a/playbooks/base/update_packages.yml +++ /dev/null 
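Review bot: `when: manage_lvm == true and manage_lvm is defined` on the mrlesmithjr-ansible-manage-lvm role tests the value before the definedness check; Jinja evaluates `manage_lvm == true` first, so on a host where the variable is not set the condition fails with an undefined-variable error under Ansible's default strict handling instead of skipping the role. Reverse the operands and drop the `== true` comparison: `when: manage_lvm is defined and manage_lvm | bool`. The condition is carried over from the deleted lvm.yml rather than introduced here. Two smaller points in the same file: `tags: fwupd` is unquoted while every other tag is quoted, and the German comment under the lvm entry should be in English, e.g. `# manage_lvm belongs to this role but is checked here as well so the play can be switched on per host.`.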
@@ -1,5 +0,0 @@ ---- -- hosts: all - serial: 3 - roles: - - { role: mgrote_apt_update_packages, tags: "updates"} diff --git a/playbooks/base/users.yml b/playbooks/base/users.yml index 617009d1..bbbe125a 100644 --- a/playbooks/base/users.yml +++ b/playbooks/base/users.yml @@ -1,4 +1,10 @@ --- - hosts: all + become: true roles: - - { role: mgrote_users, tags: "user", become: true } + - role: mgrote_users + tags: "user" + - role: mgrote_dotfiles + tags: "dotfiles" + - role: mgrote_vim + tags: "vim" diff --git a/playbooks/base/vim.yml b/playbooks/base/vim.yml deleted file mode 100644 index 6083f349..00000000 --- a/playbooks/base/vim.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: all - roles: - - { role: mgrote_vim, tags: "vim", become: true }