Update file main.yml

This commit is contained in:
Administrator 2026-03-24 14:47:05 +05:00
parent 69c3dc8d54
commit 8f69f50752


@ -1,10 +1,17 @@
---
- name: Update and upgrade apt packages (full upgrade)
# =============================================================================
# BASE SETUP ROLE
# =============================================================================
# ========== System Update ==========
- name: Update and upgrade apt packages (exclude Docker in LXC)
apt:
upgrade: full
update_cache: yes
cache_valid_time: 3600
exclude: "{{ docker_exclude_packages_lxc if (ansible_virtualization_type in ['lxc', 'container'] and lxc_docker_pin_enabled | default(true)) else [] }}"
become: yes
tags: [deploy_base, always]
- name: Install base packages
apt:
@ -12,14 +19,57 @@
state: present
update_cache: yes
become: yes
tags: [deploy_base, always]
- name: Remove unused packages
apt:
autoremove: yes
autoclean: yes
become: yes
tags: [deploy_base]
# ========== Docker Pinning for LXC ==========
- name: Pin Docker packages for LXC containers
block:
- name: Hold Docker packages
dpkg_selections:
name: "{{ item.split('=')[0] }}"
selection: hold
loop: "{{ docker_pinned_packages }}"
become: yes
- name: Ensure Docker packages at pinned versions
apt:
name: "{{ item }}"
state: present
allow_downgrade: yes
loop: "{{ docker_pinned_packages }}"
become: yes
notify: restart docker
- name: Configure APT to never upgrade Docker components
copy:
content: |
# Never auto-upgrade these packages in LXC containers
Package: containerd.io runc docker-ce docker-ce-cli
Pin: release *
Pin-Priority: -1
dest: /etc/apt/preferences.d/docker-pin
owner: root
mode: '0644'
become: yes
- name: Show Docker pinning status
debug:
msg: "Docker packages pinned for LXC: {{ docker_pinned_packages }}"
when:
- lxc_docker_pin_enabled | default(true)
- ansible_virtualization_type in ['lxc', 'container']
- ansible_distribution == 'Ubuntu'
- ansible_distribution_version == '24.04'
tags: [deploy_base, docker_pin]
# ========== System Configuration ==========
- name: Disable IPv6 via sysctl
sysctl:
name: "{{ item.name }}"
@ -31,6 +81,7 @@
- { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
become: yes
tags: [deploy_base]
- name: Ensure /root/.bashrc exists
file:
@ -38,6 +89,7 @@
state: touch
mode: '0644'
become: yes
tags: [deploy_base]
- name: Add custom aliases and environment to ~/.bashrc
blockinfile:
@ -82,17 +134,20 @@
owner: root
mode: '0644'
become: yes
tags: [deploy_base]
- name: Configure timezone
timezone:
name: "{{ timezone }}"
become: yes
tags: [deploy_base]
- name: Configure locale
locale_gen:
name: "{{ system_locale }}"
state: present
become: yes
tags: [deploy_base]
- name: Set default locale
lineinfile:
@ -101,6 +156,7 @@
state: present
create: yes
become: yes
tags: [deploy_base]
- name: Ensure required directories exist
file:
@ -109,21 +165,16 @@
mode: '0755'
loop: "{{ custom_directories | default([]) }}"
become: yes
tags: [deploy_base]
- name: Install Python requests library (if needed)
apt:
name: python3-requests
state: present
when: ansible_connection != "local"
become: yes
# ========== SSH Keys ==========
# ========== SSH Configuration ==========
- name: Ensure SSH directory exists for root
file:
path: /root/.ssh
state: directory
mode: '0700'
become: yes
tags: [deploy_base, ssh]
- name: Add authorized keys for root (exclusive)
authorized_key:
@ -133,8 +184,9 @@
exclusive: yes
loop: "{{ ssh_public_keys }}"
become: yes
tags: [deploy_base, ssh]
# ========== Создание администратора zailon ==========
# ========== Create Admin User zailon ==========
- name: Create admin user zailon
user:
name: zailon
@ -197,7 +249,7 @@
become: yes
tags: [deploy_base, users]
# ========== Настройка SSH ==========
# ========== SSH Security Hardening ==========
- name: Configure SSH security
lineinfile:
path: /etc/ssh/sshd_config
@ -211,24 +263,24 @@
- { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
notify: restart ssh
become: yes
tags: [deploy_base, ssh]
# ========== Node Exporter Installation ==========
- name: Create node_exporter system user
tags: node_exporter
user:
name: node_exporter
system: yes
shell: /bin/false
create_home: no
become: yes
tags: [node_exporter]
- name: Set node_exporter architecture
tags: node_exporter
set_fact:
node_exporter_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }}"
tags: [node_exporter]
- name: Download node_exporter
tags: node_exporter
get_url:
url: "https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-{{ node_exporter_arch }}.tar.gz"
dest: /tmp/node_exporter.tar.gz
@ -236,32 +288,32 @@
timeout: 60
when: node_exporter_arch in ['amd64', 'arm64']
become: yes
tags: [node_exporter]
- name: Fail on unsupported architecture
tags: node_exporter
fail:
msg: "Unsupported architecture {{ ansible_architecture }} for node_exporter"
when: node_exporter_arch not in ['amd64', 'arm64']
tags: [node_exporter]
- name: Create temporary extraction directory
tags: node_exporter
file:
path: /tmp/node_exporter_temp
state: directory
mode: '0755'
become: yes
tags: [node_exporter]
- name: Extract node_exporter
tags: node_exporter
unarchive:
src: /tmp/node_exporter.tar.gz
dest: /tmp/node_exporter_temp
remote_src: yes
creates: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter
become: yes
tags: [node_exporter]
- name: Install node_exporter binary
tags: node_exporter
copy:
src: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter
dest: /usr/local/bin/node_exporter
@ -271,9 +323,9 @@
remote_src: yes
become: yes
notify: restart node_exporter
tags: [node_exporter]
- name: Clean up temporary files
tags: node_exporter
file:
path: "{{ item }}"
state: absent
@ -281,9 +333,9 @@
- /tmp/node_exporter.tar.gz
- /tmp/node_exporter_temp
become: yes
tags: [node_exporter]
- name: Create textfile collector directory
tags: node_exporter
file:
path: /var/lib/node_exporter/textfile_collector
state: directory
@ -291,9 +343,9 @@
group: node_exporter
mode: '0755'
become: yes
tags: [node_exporter]
- name: Deploy node_exporter systemd service
tags: node_exporter
copy:
content: |
[Unit]
@ -341,18 +393,18 @@
mode: '0644'
become: yes
notify: restart node_exporter
tags: [node_exporter]
- name: Start and enable node_exporter
tags: node_exporter
systemd:
name: node_exporter
state: started
enabled: yes
daemon_reload: yes
become: yes
tags: [node_exporter]
- name: Wait for node_exporter to start
tags: node_exporter
wait_for:
host: localhost
port: 9100
@ -360,42 +412,31 @@
state: started
delay: 5
become: yes
tags: [node_exporter]
- name: Verify node_exporter is responding
tags: node_exporter
uri:
url: http://localhost:9100/metrics
status_code: 200
timeout: 10
register: node_exporter_check
become: yes
tags: [node_exporter]
- name: Show node_exporter status
tags: node_exporter
debug:
msg: "Node Exporter is running and responding on port 9100"
when: node_exporter_check.status == 200
tags: [node_exporter]
- name: Allow port 9100 in ufw (if enabled)
tags: node_exporter
ufw:
rule: allow
port: 9100
proto: tcp
comment: "Prometheus Node Exporter"
when:
- ansible_facts.services["ufw.service"] is defined
when:
- ansible_facts.services["ufw.service"] is defined
- ansible_facts.services["ufw.service"]["state"] == "running"
become: yes
- name: Show node_exporter status
tags: node_exporter
debug:
msg: "Node Exporter is running and responding on port 9100"
when: node_exporter_check.status == 200
- name: Show node_exporter error
tags: node_exporter
debug:
msg: "Node Exporter check failed with status: {{ node_exporter_check.status }}"
when: node_exporter_check.status != 200
tags: [node_exporter]
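Review bot: The extraction guard `creates: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter` and the install source `src: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter` hardcode `linux-amd64` while the download URL uses `{{ node_exporter_arch }}`, so on an aarch64 host (which the set_fact and the "Fail on unsupported architecture" task deliberately allow) the archive unpacks to a `linux-arm64` directory, the `creates` check never matches and the copy fails on a missing path; both lines should read `.../node_exporter-1.8.2.linux-{{ node_exporter_arch }}/node_exporter`. In the new "Update and upgrade apt packages (exclude Docker in LXC)" task, `exclude:` is not a parameter I know ansible.builtin.apt to accept (dnf/yum have it) — verify against the module docs, because an unsupported parameter fails the play at its first task on every host, not only LXC ones. That same task carries `tags: [deploy_base, always]`, so a run limited to `--tags node_exporter` still performs `upgrade: full`; dropping `always` there keeps a tag-scoped run from dist-upgrading the host. The pin file written with `Pin: release *` and `Pin-Priority: -1` forbids installing any version of the listed packages once it exists, so a later change to `docker_pinned_packages` will be refused by "Ensure Docker packages at pinned versions" even with `allow_downgrade`; pinning the exact version (`Pin: version <pinned-version>` with a positive priority) alongside the dpkg hold expresses the intent without that trap. The get_url task also appears to set no `checksum:` for the release archive that is then copied to /usr/local/bin, though one line of that task falls between the hunks and should be checked before adding one.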