diff --git a/roles/base_setup/tasks/main.yml b/roles/base_setup/tasks/main.yml index 5da0fe5..97c6e68 100644 --- a/roles/base_setup/tasks/main.yml +++ b/roles/base_setup/tasks/main.yml @@ -1,10 +1,17 @@ --- -- name: Update and upgrade apt packages (full upgrade) +# ============================================================================= +# BASE SETUP ROLE +# ============================================================================= + +# ========== System Update ========== +- name: Update and upgrade apt packages (exclude Docker in LXC) apt: upgrade: full update_cache: yes cache_valid_time: 3600 + exclude: "{{ docker_exclude_packages_lxc if (ansible_virtualization_type in ['lxc', 'container'] and lxc_docker_pin_enabled | default(true)) else [] }}" become: yes + tags: [deploy_base, always] - name: Install base packages apt: 
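Review bot: The `exclude:` key added to the `Update and upgrade apt packages` task is not an option I know the `apt` module to accept (it is a yum/dnf option), so the task is likely to fail with an unsupported-parameter error instead of skipping the Docker packages; please verify against the Ansible version in use. Even if it were accepted, this full upgrade still runs before the `Pin Docker packages for LXC containers` block in the next hunk installs the dpkg holds and the APT pin, so the first run on a fresh container can upgrade Docker before any pin exists — moving this task after the pinning block, or dropping `exclude:` and relying on the holds, closes that window. The `always` tag on an `upgrade: full` task also means every tag-restricted run (for example `--tags node_exporter`) performs a full dist-upgrade; `tags: [deploy_base]` is the safer choice unless that is intended.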
@@ -12,14 +19,57 @@ state: present update_cache: yes become: yes + tags: [deploy_base, always] - name: Remove unused packages apt: autoremove: yes autoclean: yes become: yes + tags: [deploy_base] - +# ========== Docker Pinning for LXC ========== +- name: Pin Docker packages for LXC containers + block: + - name: Hold Docker packages + dpkg_selections: + name: "{{ item.split('=')[0] }}" + selection: hold + loop: "{{ docker_pinned_packages }}" + become: yes + + - name: Ensure Docker packages at pinned versions + apt: + name: "{{ item }}" + state: present + allow_downgrade: yes + loop: "{{ docker_pinned_packages }}" + become: yes + notify: restart docker + + - name: Configure APT to never upgrade Docker components + copy: + content: | + # Never auto-upgrade these packages in LXC containers + Package: containerd.io runc docker-ce docker-ce-cli + Pin: release * + Pin-Priority: -1 + dest: /etc/apt/preferences.d/docker-pin + owner: root + mode: '0644' + become: yes + + - name: Show Docker pinning status + debug: + msg: "Docker packages pinned for LXC: {{ docker_pinned_packages }}" + when: + - lxc_docker_pin_enabled | default(true) + - ansible_virtualization_type in ['lxc', 'container'] + - ansible_distribution == 'Ubuntu' + - ansible_distribution_version == '24.04' + tags: [deploy_base, docker_pin] + +# ========== System Configuration ========== - name: Disable IPv6 via sysctl sysctl: name: "{{ item.name }}" @@ -31,6 +81,7 @@ - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } become: yes + tags: [deploy_base] - name: Ensure /root/.bashrc exists file: @@ -38,6 +89,7 @@ state: touch mode: '0644' become: yes + tags: [deploy_base] - name: Add custom aliases and environment to ~/.bashrc blockinfile: 
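Review bot: The preferences file written by `Configure APT to never upgrade Docker components` pins a hard-coded list (`containerd.io runc docker-ce docker-ce-cli`) while the hold and version tasks in the same block loop over `docker_pinned_packages`, so the two lists can silently diverge (a package held by dpkg but not pinned, or pinned but never held); deriving the line from the variable, e.g. `Package: {{ docker_pinned_packages | map('regex_replace', '=.*', '') | join(' ') }}`, keeps them in sync. `Pin-Priority: -1` forbids every version of those packages rather than just upgrades, so a later run that has to (re)install one of them may be refused by apt despite `allow_downgrade: yes`; pinning the exact version with `Pin: version ...` and a high priority states the intent precisely, and the comment inside the file (`Never auto-upgrade these packages`) should then match what the pin actually does. Holding runc/containerd indefinitely also means these hosts receive no security fixes for them, so a comment in the block naming who reviews the pinned versions and when would help the next maintainer. Finally, the block's `when:` additionally requires `ansible_distribution == 'Ubuntu'` and `ansible_distribution_version == '24.04'`, while the `exclude:` condition on the upgrade task in the first hunk only checks virtualization type and `lxc_docker_pin_enabled`, so on other distributions the upgrade task excludes packages that this block never pins.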
@@ -82,17 +134,20 @@ owner: root mode: '0644' become: yes + tags: [deploy_base] - name: Configure timezone timezone: name: "{{ timezone }}" become: yes + tags: [deploy_base] - name: Configure locale locale_gen: name: "{{ system_locale }}" state: present become: yes + tags: [deploy_base] - name: Set default locale lineinfile: @@ -101,6 +156,7 @@ state: present create: yes become: yes + tags: [deploy_base] - name: Ensure required directories exist file: @@ -109,21 +165,16 @@ mode: '0755' loop: "{{ custom_directories | default([]) }}" become: yes + tags: [deploy_base] -- name: Install Python requests library (if needed) - apt: - name: python3-requests - state: present - when: ansible_connection != "local" - become: yes - -# ========== SSH Keys ========== +# ========== SSH Configuration ========== - name: Ensure SSH directory exists for root file: path: /root/.ssh state: directory mode: '0700' become: yes + tags: [deploy_base, ssh] - name: Add authorized keys for root (exclusive) authorized_key: @@ -133,8 +184,9 @@ exclusive: yes loop: "{{ ssh_public_keys }}" become: yes + tags: [deploy_base, ssh] -# ========== Создание администратора zailon ========== +# ========== Create Admin User zailon ========== - name: Create admin user zailon user: name: zailon @@ -197,7 +249,7 @@ become: yes tags: [deploy_base, users] -# ========== Настройка SSH ========== +# ========== SSH Security Hardening ========== - name: Configure SSH security lineinfile: path: /etc/ssh/sshd_config 
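Review bot: `exclusive: yes` together with `loop: "{{ ssh_public_keys }}"` in `Add authorized keys for root (exclusive)` is applied per iteration, so each item replaces the whole authorized_keys file and only the last key in the list survives; the hunk only adds `tags: [deploy_base, ssh]`, but that makes the task easy to run on its own, where the effect shows immediately. Assuming the list holds key strings, passing them as one newline-joined value without a loop, `key: "{{ ssh_public_keys | join('\n') }}"`, yields the intended exclusive set. The task's `user:` and `key:` lines lie above the hunk.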
@@ -211,24 +263,24 @@ - { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' } notify: restart ssh become: yes + tags: [deploy_base, ssh] # ========== Node Exporter Installation ========== - name: Create node_exporter system user - tags: node_exporter user: name: node_exporter system: yes shell: /bin/false create_home: no become: yes + tags: [node_exporter] - name: Set node_exporter architecture - tags: node_exporter set_fact: node_exporter_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }}" - + tags: [node_exporter] + - name: Download node_exporter - tags: node_exporter get_url: url: "https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-{{ node_exporter_arch }}.tar.gz" dest: /tmp/node_exporter.tar.gz @@ -236,32 +288,32 @@ timeout: 60 when: node_exporter_arch in ['amd64', 'arm64'] become: yes + tags: [node_exporter] - name: Fail on unsupported architecture - tags: node_exporter fail: msg: "Unsupported architecture {{ ansible_architecture }} for node_exporter" when: node_exporter_arch not in ['amd64', 'arm64'] + tags: [node_exporter] - name: Create temporary extraction directory - tags: node_exporter file: path: /tmp/node_exporter_temp state: directory mode: '0755' become: yes + tags: [node_exporter] - name: Extract node_exporter - tags: node_exporter unarchive: src: /tmp/node_exporter.tar.gz dest: /tmp/node_exporter_temp remote_src: yes creates: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter become: yes + tags: [node_exporter] - name: Install node_exporter binary - tags: node_exporter copy: src: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter dest: /usr/local/bin/node_exporter @@ -271,9 +323,9 @@ remote_src: yes become: yes notify: restart node_exporter + tags: [node_exporter] - name: Clean up temporary files - tags: node_exporter file: path: "{{ item }}" state: absent 
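Review bot: `Download node_exporter` fetches a release tarball over the network with no integrity check, so whatever the server or an intermediate proxy returns is later copied to `/usr/local/bin` and run as a system service; `get_url` accepts `checksum: "sha256:<expected digest of the 1.8.2 tarball for this arch>"` and fails the task on a mismatch, which is the check this hunk should carry (one digest per value of `node_exporter_arch`). The version string `1.8.2` is also repeated here and in the unarchive/copy paths of the next hunk, so a single variable would avoid updating the three occurrences independently. The get_url task continues into the next hunk.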
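Review bot: `Extract node_exporter` and `Install node_exporter binary` hard-code `linux-amd64` in `creates:` and `src:`, while the download URL uses `{{ node_exporter_arch }}`; on an aarch64 host the tarball unpacks to a `...linux-arm64/` directory, `creates:` never matches, and the copy fails on a missing source. Both paths should read `node_exporter-1.8.2.linux-{{ node_exporter_arch }}/node_exporter`. Both tasks also work in fixed, world-writable `/tmp` paths created as root with `mode: '0755'` but no `owner:`; if another local account pre-creates `/tmp/node_exporter_temp`, the extracted binary sits in a directory that account controls until the copy runs, so a `tempfile`-created directory or a root-only staging path is the safer choice.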
@@ -281,9 +333,9 @@ - /tmp/node_exporter.tar.gz - /tmp/node_exporter_temp become: yes + tags: [node_exporter] - name: Create textfile collector directory - tags: node_exporter file: path: /var/lib/node_exporter/textfile_collector state: directory @@ -291,9 +343,9 @@ group: node_exporter mode: '0755' become: yes + tags: [node_exporter] - name: Deploy node_exporter systemd service - tags: node_exporter copy: content: | [Unit] @@ -341,18 +393,18 @@ mode: '0644' become: yes notify: restart node_exporter + tags: [node_exporter] - name: Start and enable node_exporter - tags: node_exporter systemd: name: node_exporter state: started enabled: yes daemon_reload: yes become: yes + tags: [node_exporter] - name: Wait for node_exporter to start - tags: node_exporter wait_for: host: localhost port: 9100 
@@ -360,42 +412,31 @@ state: started delay: 5 become: yes + tags: [node_exporter] - name: Verify node_exporter is responding - tags: node_exporter uri: url: http://localhost:9100/metrics status_code: 200 timeout: 10 register: node_exporter_check become: yes + tags: [node_exporter] - name: Show node_exporter status - tags: node_exporter debug: msg: "Node Exporter is running and responding on port 9100" when: node_exporter_check.status == 200 + tags: [node_exporter] - name: Allow port 9100 in ufw (if enabled) - tags: node_exporter ufw: rule: allow port: 9100 proto: tcp comment: "Prometheus Node Exporter" - when: - - ansible_facts.services["ufw.service"] is defined + when: + - ansible_facts.services["ufw.service"] is defined - ansible_facts.services["ufw.service"]["state"] == "running" become: yes - -- name: Show node_exporter status - tags: node_exporter - debug: - msg: "Node Exporter is running and responding on port 9100" - when: node_exporter_check.status == 200 - -- name: Show node_exporter error - tags: node_exporter - debug: - msg: "Node Exporter check failed with status: {{ node_exporter_check.status }}" - when: node_exporter_check.status != 200 \ No newline at end of file + tags: [node_exporter] \ No newline at end of file
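Review bot: `Allow port 9100 in ufw` opens TCP/9100 to every source, so the metrics endpoint (mounts, process, network and kernel details) is reachable from anywhere the host is; limiting the rule to the scraping host(s) with `from_ip: "<scraper address from inventory>"` (looping if there are several) keeps the exposure to the collector. The `uri` task fails the play on any non-200 response (that is what `status_code: 200` does), so the removed `Show node_exporter error` task was unreachable and the surviving `Show node_exporter status` debug can drop its `when:`, which cannot be false when it runs; the `ansible_facts.services` conditions assume `service_facts` was gathered earlier, which is outside this hunk. The file still ends without a trailing newline (`\ No newline at end of file`) — worth fixing while the last line is being touched.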