Обновить roles/base_setup/tasks/main.yml

This commit is contained in:
zailon 2026-05-13 10:00:43 +05:00
parent 712d1af6dd
commit 3bffa17b70


@ -1,400 +1,408 @@
--- ---
# ============================================================================= # =============================================================================
# BASE SETUP ROLE # BASE SETUP ROLE
# ============================================================================= # =============================================================================
# ========== System Update ========== # ========== System Update ==========
- name: Update and upgrade apt packages (full upgrade) - name: Update and upgrade apt packages (full upgrade)
apt: apt:
upgrade: full upgrade: full
update_cache: yes update_cache: yes
cache_valid_time: 3600 cache_valid_time: 3600
become: yes become: yes
tags: [deploy_base, always] tags: [deploy_base, always]
- name: Install base packages - name: Install base packages
apt: apt:
name: "{{ base_packages }}" name: "{{ base_packages }}"
state: present state: present
update_cache: yes update_cache: yes
become: yes become: yes
tags: [deploy_base, always] tags: [deploy_base, always]
- name: Remove unused packages - name: Remove unused packages
apt: apt:
autoremove: yes autoremove: yes
autoclean: yes autoclean: yes
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
# ========== System Configuration ========== # ========== System Configuration ==========
- name: Disable IPv6 via sysctl - name: Disable IPv6 via sysctl
sysctl: sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
value: "{{ item.value }}" value: "{{ item.value }}"
sysctl_set: yes sysctl_set: yes
state: present state: present
reload: yes reload: yes
loop: loop:
- { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
- name: Ensure /root/.bashrc exists - name: Ensure /root/.bashrc exists
file: file:
path: /root/.bashrc path: /root/.bashrc
state: touch state: touch
mode: '0644' mode: '0644'
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
- name: Add custom aliases and environment to ~/.bashrc - name: Add custom aliases and environment to ~/.bashrc
blockinfile: blockinfile:
path: /root/.bashrc path: /root/.bashrc
marker: "# {mark} ANSIBLE MANAGED BLOCK: CUSTOM ALIASES AND ENV" marker: "# {mark} ANSIBLE MANAGED BLOCK: CUSTOM ALIASES AND ENV"
block: | block: |
# Работа с файлами # Работа с файлами
alias rm='rm -i' # Удалить с подтверждением alias rm='rm -i' # Удалить с подтверждением
alias cp='cp -i' # Копировать с подтверждением alias cp='cp -i' # Копировать с подтверждением
alias mv='mv -i' # Переместить с подтверждением alias mv='mv -i' # Переместить с подтверждением
# ls - вывод списка файлов # ls - вывод списка файлов
alias ls='ls --color=auto' # Цветной вывод alias ls='ls --color=auto' # Цветной вывод
alias ll='ls -la' # Показывать скрытые файлы и представлять вывод в виде списка alias ll='ls -la' # Показывать скрытые файлы и представлять вывод в виде списка
alias l.='ls -d .* --color=auto' # Показать только скрытые файлы alias l.='ls -d .* --color=auto' # Показать только скрытые файлы
# mount - монтирование разделов # mount - монтирование разделов
alias mount='mount | column -t' # Вывод mount читаемым alias mount='mount | column -t' # Вывод mount читаемым
# История # История
alias h='history' # История команд bash alias h='history' # История команд bash
alias c='clear' # Очистить окно терминала alias c='clear' # Очистить окно терминала
# Дата и время # Дата и время
alias now='date +%T' # Время сейчас alias now='date +%T' # Время сейчас
alias nowdate='date +%d-%m-%Y' # Только дата alias nowdate='date +%d-%m-%Y' # Только дата
# Сеть # Сеть
alias ping5='ping -c 5' # Посылать только пять запросов alias ping5='ping -c 5' # Посылать только пять запросов
alias ports='netstat -tulanp' # Открытые порты alias ports='netstat -tulanp' # Открытые порты
# Работа с пакетами # Работа с пакетами
alias update='sudo apt update && sudo apt upgrade' # Обновление одной командой alias update='sudo apt update && sudo apt upgrade' # Обновление одной командой
# Работа с системой # Работа с системой
alias meminfo='free -m -l -t' # Сколько памяти занято alias meminfo='free -m -l -t' # Сколько памяти занято
alias psmem='ps auxf | sort -nr -k 4 | head -10' # 10 процессов с самой большой нагрузкой на память alias psmem='ps auxf | sort -nr -k 4 | head -10' # 10 процессов с самой большой нагрузкой на память
# Переменные окружения # Переменные окружения
export DISPLAY="{{ x11_display_host }}:0" export DISPLAY="{{ x11_display_host }}:0"
export HISTTIMEFORMAT='%F %T ' export HISTTIMEFORMAT='%F %T '
owner: root owner: root
mode: '0644' mode: '0644'
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
- name: Configure timezone - name: Configure timezone
timezone: timezone:
name: "{{ timezone }}" name: "{{ timezone }}"
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
- name: Configure locale - name: Configure locale
locale_gen: locale_gen:
name: "{{ system_locale }}" name: "{{ system_locale }}"
state: present state: present
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
- name: Set default locale - name: Set default locale
lineinfile: lineinfile:
path: /etc/default/locale path: /etc/default/locale
line: "LANG={{ system_locale }}" line: "LANG={{ system_locale }}"
state: present state: present
create: yes create: yes
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
- name: Ensure required directories exist - name: Ensure required directories exist
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: '0755' mode: '0755'
loop: "{{ custom_directories | default([]) }}" loop: "{{ custom_directories | default([]) }}"
become: yes become: yes
tags: [deploy_base] tags: [deploy_base]
# ========== SSH Configuration ========== # ========== SSH Configuration ==========
- name: Ensure SSH directory exists for root - name: Ensure SSH directory exists for root
file: file:
path: /root/.ssh path: /root/.ssh
state: directory state: directory
mode: '0700' mode: '0700'
become: yes become: yes
tags: [deploy_base, ssh] tags: [deploy_base, ssh]
- name: Add authorized keys for root (exclusive) - name: Add authorized keys for root (exclusive)
authorized_key: authorized_key:
user: root user: root
state: present state: present
key: "{{ item }}" key: "{{ item }}"
exclusive: yes exclusive: yes
loop: "{{ ssh_public_keys }}" loop: "{{ ssh_public_keys }}"
become: yes become: yes
tags: [deploy_base, ssh] tags: [deploy_base, ssh]
# ========== Create Admin User zailon ========== # ========== Create Admin User zailon ==========
- name: Create admin user zailon - name: Create admin user zailon
user: user:
name: zailon name: zailon
shell: /bin/bash shell: /bin/bash
groups: sudo groups: sudo
append: yes append: yes
create_home: yes create_home: yes
state: present state: present
become: yes become: yes
tags: [deploy_base, users] tags: [deploy_base, users]
- name: Set password for zailon from vault - name: Set password for zailon from vault
user: user:
name: zailon name: zailon
password: "{{ vault_zailon_password | password_hash('sha512') }}" password: "{{ vault_zailon_password | password_hash('sha512') }}"
update_password: always update_password: always
become: yes become: yes
no_log: true no_log: true
tags: [deploy_base, users] tags: [deploy_base, users]
- name: Configure passwordless sudo for zailon - name: Configure passwordless sudo for zailon
copy: copy:
content: "zailon ALL=(ALL) NOPASSWD: ALL\n" content: "zailon ALL=(ALL) NOPASSWD: ALL\n"
dest: /etc/sudoers.d/zailon dest: /etc/sudoers.d/zailon
mode: '0440' mode: '0440'
owner: root owner: root
group: root group: root
validate: 'visudo -cf %s' validate: 'visudo -cf %s'
become: yes become: yes
tags: [deploy_base, users] tags: [deploy_base, users]
- name: Create .ssh directory for zailon - name: Create .ssh directory for zailon
file: file:
path: /home/zailon/.ssh path: /home/zailon/.ssh
state: directory state: directory
mode: '0700' mode: '0700'
owner: zailon owner: zailon
group: zailon group: zailon
become: yes become: yes
tags: [deploy_base, users] tags: [deploy_base, users]
- name: Deploy authorized_keys for zailon - name: Deploy authorized_keys for zailon
copy: copy:
content: "{{ ssh_public_keys | join('\n') }}\n" content: "{{ ssh_public_keys | join('\n') }}\n"
dest: /home/zailon/.ssh/authorized_keys dest: /home/zailon/.ssh/authorized_keys
owner: zailon owner: zailon
group: zailon group: zailon
mode: '0600' mode: '0600'
become: yes become: yes
tags: [deploy_base, users] tags: [deploy_base, users]
- name: Copy bashrc to zailon - name: Copy bashrc to zailon
copy: copy:
src: /root/.bashrc src: /root/.bashrc
dest: /home/zailon/.bashrc dest: /home/zailon/.bashrc
owner: zailon owner: zailon
group: zailon group: zailon
mode: '0644' mode: '0644'
remote_src: yes remote_src: yes
become: yes become: yes
tags: [deploy_base, users] tags: [deploy_base, users]
# ========== SSH Security Hardening ========== # ========== SSH Security Hardening ==========
- name: Configure SSH security - name: Ensure privilege separation directory exists for sshd validation
lineinfile: file:
path: /etc/ssh/sshd_config path: /run/sshd
regexp: "{{ item.regexp }}" state: directory
line: "{{ item.line }}" mode: '0755'
state: present become: yes
validate: 'sshd -t -f %s' tags: [deploy_base, ssh]
loop:
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' } - name: Configure SSH security
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin yes' } lineinfile:
- { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' } path: /etc/ssh/sshd_config
notify: restart ssh regexp: "{{ item.regexp }}"
become: yes line: "{{ item.line }}"
tags: [deploy_base, ssh] state: present
validate: 'sshd -t -f %s'
# ========== Node Exporter Installation ========== loop:
- name: Create node_exporter system user - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
user: - { regexp: '^PermitRootLogin', line: 'PermitRootLogin yes' }
name: node_exporter - { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
system: yes notify: restart ssh
shell: /bin/false become: yes
create_home: no tags: [deploy_base, ssh]
become: yes
tags: [node_exporter] # ========== Node Exporter Installation ==========
- name: Create node_exporter system user
- name: Set node_exporter architecture user:
set_fact: name: node_exporter
node_exporter_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }}" system: yes
tags: [node_exporter] shell: /bin/false
create_home: no
- name: Download node_exporter become: yes
get_url: tags: [node_exporter]
url: "https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-{{ node_exporter_arch }}.tar.gz"
dest: /tmp/node_exporter.tar.gz - name: Set node_exporter architecture
mode: '0644' set_fact:
timeout: 60 node_exporter_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }}"
when: node_exporter_arch in ['amd64', 'arm64'] tags: [node_exporter]
become: yes
tags: [node_exporter] - name: Download node_exporter
get_url:
- name: Fail on unsupported architecture url: "https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-{{ node_exporter_arch }}.tar.gz"
fail: dest: /tmp/node_exporter.tar.gz
msg: "Unsupported architecture {{ ansible_architecture }} for node_exporter" mode: '0644'
when: node_exporter_arch not in ['amd64', 'arm64'] timeout: 60
tags: [node_exporter] when: node_exporter_arch in ['amd64', 'arm64']
become: yes
- name: Create temporary extraction directory tags: [node_exporter]
file:
path: /tmp/node_exporter_temp - name: Fail on unsupported architecture
state: directory fail:
mode: '0755' msg: "Unsupported architecture {{ ansible_architecture }} for node_exporter"
become: yes when: node_exporter_arch not in ['amd64', 'arm64']
tags: [node_exporter] tags: [node_exporter]
- name: Extract node_exporter - name: Create temporary extraction directory
unarchive: file:
src: /tmp/node_exporter.tar.gz path: /tmp/node_exporter_temp
dest: /tmp/node_exporter_temp state: directory
remote_src: yes mode: '0755'
creates: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter become: yes
become: yes tags: [node_exporter]
tags: [node_exporter]
- name: Extract node_exporter
- name: Install node_exporter binary unarchive:
copy: src: /tmp/node_exporter.tar.gz
src: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter dest: /tmp/node_exporter_temp
dest: /usr/local/bin/node_exporter remote_src: yes
owner: root creates: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter
group: root become: yes
mode: '0755' tags: [node_exporter]
remote_src: yes
become: yes - name: Install node_exporter binary
notify: restart node_exporter copy:
tags: [node_exporter] src: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter
dest: /usr/local/bin/node_exporter
- name: Clean up temporary files owner: root
file: group: root
path: "{{ item }}" mode: '0755'
state: absent remote_src: yes
loop: become: yes
- /tmp/node_exporter.tar.gz notify: restart node_exporter
- /tmp/node_exporter_temp tags: [node_exporter]
become: yes
tags: [node_exporter] - name: Clean up temporary files
file:
- name: Create textfile collector directory path: "{{ item }}"
file: state: absent
path: /var/lib/node_exporter/textfile_collector loop:
state: directory - /tmp/node_exporter.tar.gz
owner: node_exporter - /tmp/node_exporter_temp
group: node_exporter become: yes
mode: '0755' tags: [node_exporter]
become: yes
tags: [node_exporter] - name: Create textfile collector directory
file:
- name: Deploy node_exporter systemd service path: /var/lib/node_exporter/textfile_collector
copy: state: directory
content: | owner: node_exporter
[Unit] group: node_exporter
Description=Prometheus Node Exporter mode: '0755'
Documentation=https://github.com/prometheus/node_exporter become: yes
After=network.target tags: [node_exporter]
[Service] - name: Deploy node_exporter systemd service
Type=simple copy:
User=node_exporter content: |
Group=node_exporter [Unit]
ExecStart=/usr/local/bin/node_exporter \ Description=Prometheus Node Exporter
--collector.systemd \ Documentation=https://github.com/prometheus/node_exporter
--collector.processes \ After=network.target
--collector.cpu \
--collector.meminfo \ [Service]
--collector.diskstats \ Type=simple
--collector.filesystem \ User=node_exporter
--collector.loadavg \ Group=node_exporter
--collector.time \ ExecStart=/usr/local/bin/node_exporter \
--collector.textfile.directory=/var/lib/node_exporter/textfile_collector \ --collector.systemd \
--no-collector.arp \ --collector.processes \
--no-collector.netdev \ --collector.cpu \
--web.listen-address=0.0.0.0:9100 \ --collector.meminfo \
--web.telemetry-path=/metrics --collector.diskstats \
Restart=always --collector.filesystem \
RestartSec=5 --collector.loadavg \
--collector.time \
# Security settings --collector.textfile.directory=/var/lib/node_exporter/textfile_collector \
NoNewPrivileges=yes --no-collector.arp \
ProtectSystem=strict --no-collector.netdev \
ProtectHome=yes --web.listen-address=0.0.0.0:9100 \
PrivateTmp=yes --web.telemetry-path=/metrics
ProtectControlGroups=yes Restart=always
ProtectKernelModules=yes RestartSec=5
ProtectKernelTunables=yes
LockPersonality=yes # Security settings
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX NoNewPrivileges=yes
ProtectSystem=strict
[Install] ProtectHome=yes
WantedBy=multi-user.target PrivateTmp=yes
dest: /etc/systemd/system/node_exporter.service ProtectControlGroups=yes
owner: root ProtectKernelModules=yes
group: root ProtectKernelTunables=yes
mode: '0644' LockPersonality=yes
become: yes RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
notify: restart node_exporter
tags: [node_exporter] [Install]
WantedBy=multi-user.target
- name: Start and enable node_exporter dest: /etc/systemd/system/node_exporter.service
systemd: owner: root
name: node_exporter group: root
state: started mode: '0644'
enabled: yes become: yes
daemon_reload: yes notify: restart node_exporter
become: yes tags: [node_exporter]
tags: [node_exporter]
- name: Start and enable node_exporter
- name: Wait for node_exporter to start systemd:
wait_for: name: node_exporter
host: localhost state: started
port: 9100 enabled: yes
timeout: 30 daemon_reload: yes
state: started become: yes
delay: 5 tags: [node_exporter]
become: yes
tags: [node_exporter] - name: Wait for node_exporter to start
wait_for:
- name: Verify node_exporter is responding host: localhost
uri: port: 9100
url: http://localhost:9100/metrics timeout: 30
status_code: 200 state: started
timeout: 10 delay: 5
register: node_exporter_check become: yes
become: yes tags: [node_exporter]
tags: [node_exporter]
- name: Verify node_exporter is responding
- name: Show node_exporter status uri:
debug: url: http://localhost:9100/metrics
msg: "Node Exporter is running and responding on port 9100" status_code: 200
when: node_exporter_check.status == 200 timeout: 10
tags: [node_exporter] register: node_exporter_check
become: yes
- name: Allow port 9100 in ufw (if enabled) tags: [node_exporter]
ufw:
rule: allow - name: Show node_exporter status
port: 9100 debug:
proto: tcp msg: "Node Exporter is running and responding on port 9100"
comment: "Prometheus Node Exporter" when: node_exporter_check.status == 200
when: tags: [node_exporter]
- ansible_facts.services["ufw.service"] is defined
- ansible_facts.services["ufw.service"]["state"] == "running" - name: Allow port 9100 in ufw (if enabled)
become: yes ufw:
rule: allow
port: 9100
proto: tcp
comment: "Prometheus Node Exporter"
when:
- ansible_facts.services["ufw.service"] is defined
- ansible_facts.services["ufw.service"]["state"] == "running"
become: yes
tags: [node_exporter] tags: [node_exporter]
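Review bot: The new "Ensure privilege separation directory exists for sshd validation" task sets `mode: '0755'` but no owner or group, yet sshd refuses the privilege-separation directory unless it is owned by root and not writable by group or others, so the later `validate: 'sshd -t -f %s'` only passes because `become: yes` happens to yield root:root; make that explicit with `owner: root` and `group: root` under `file:` so a pre-existing directory with other ownership cannot break validation. The task also needs a comment explaining why it exists, since /run/sshd is on a tmpfs and is normally created by the ssh service itself: `# sshd -t aborts without the privilege separation directory; pre-create it so the validate step below works on hosts where sshd has never started (fresh images, containers)`. It is a validation aid, not a hardening change, and the comment should say so to stop a future cleanup from removing it and silently breaking the sshd_config task.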