zailon/olimp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2e9fa4b9f4
olimp/roles/base_setup/tasks/main.yml
Administrator 2e9fa4b9f4 Update 2 files 
- /roles/base_setup/handlers/main.yml
- /roles/base_setup/tasks/main.yml
2025-11-21 07:30:03 +00:00

328 lines
9.1 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
- name: Update and upgrade apt packages (full upgrade)
apt:
upgrade: full
update_cache: yes
cache_valid_time: 3600
become: yes
- name: Install base packages
apt:
name: "{{ base_packages }}"
state: present
update_cache: yes
become: yes
- name: Remove unused packages
apt:
autoremove: yes
autoclean: yes
become: yes
- name: Configure sysctl parameters for Docker compatibility
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_set: yes
state: present
reload: yes
loop:
- { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
- { name: 'net.ipv4.ip_forward', value: '1' }
- { name: 'net.ipv4.ip_unprivileged_port_start', value: '0' }
- { name: 'vm.max_map_count', value: '262144' }
- { name: 'fs.inotify.max_user_instances', value: '8192' }
- { name: 'fs.inotify.max_user_watches', value: '524288' }
become: yes
notify: reload sysctl
- name: Configure Docker daemon
copy:
content: |
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"userland-proxy": false,
"iptables": true,
"ipv6": false,
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 65536,
"Soft": 65536
}
}
}
dest: /etc/docker/daemon.json
mode: '0644'
become: yes
when: ansible_facts.services['docker.service'] is defined or ansible_facts.services['docker.service'] is defined
notify: restart docker
- name: Ensure /root/.bashrc exists
file:
path: /root/.bashrc
state: touch
mode: '0644'
become: yes
- name: Add custom aliases and environment to ~/.bashrc
blockinfile:
path: /root/.bashrc
marker: "# {mark} ANSIBLE MANAGED BLOCK: CUSTOM ALIASES AND ENV"
block: |
# Работа с файлами
alias rm='rm -i' # Удалить с подтверждением
alias cp='cp -i' # Копировать с подтверждением
alias mv='mv -i' # Переместить с подтверждением
# ls - вывод списка файлов
alias ls='ls --color=auto' # Цветной вывод
alias ll='ls -la' # Показывать скрытые файлы и представлять вывод в виде списка
alias l.='ls -d .* --color=auto' # Показать только скрытые файлы
# mount - монтирование разделов
alias mount='mount | column -t' # Вывод mount читаемым
# История
alias h='history' # История команд bash
alias c='clear' # Очистить окно терминала
# Дата и время
alias now='date +%T' # Время сейчас
alias nowdate='date +%d-%m-%Y' # Только дата
# Сеть
alias ping5='ping -c 5' # Посылать только пять запросов
alias ports='netstat -tulanp' # Открытые порты
# Работа с пакетами
alias update='sudo apt update && sudo apt upgrade' # Обновление одной командой
# Работа с системой
alias meminfo='free -m -l -t' # Сколько памяти занято
alias psmem='ps auxf | sort -nr -k 4 | head -10' # 10 процессов с самой большой нагрузкой на память
# Переменные окружения
export DISPLAY="{{ x11_display_host }}:0"
export HISTTIMEFORMAT='%F %T '
owner: root
mode: '0644'
become: yes
- name: Configure timezone
timezone:
name: "{{ timezone }}"
become: yes
- name: Configure locale
locale_gen:
name: "{{ system_locale }}"
state: present
become: yes
- name: Set default locale
lineinfile:
path: /etc/default/locale
line: "LANG={{ system_locale }}"
state: present
create: yes
become: yes
- name: Ensure required directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop: "{{ custom_directories | default([]) }}"
become: yes
- name: Install Python requests library (if needed)
apt:
name: python3-requests
state: present
when: ansible_connection != "local"
become: yes
- name: Ensure SSH directory exists
file:
path: /root/.ssh
state: directory
mode: '0700'
become: yes
- name: Add authorized key for root
authorized_key:
user: root
state: present
key: "{{ item }}"
loop: "{{ ssh_public_keys }}"
become: yes
- name: Configure SSH security
lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
loop:
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin prohibit-password' }
- { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
notify: restart ssh
become: yes
# ========== Node Exporter Installation ==========
- name: Create node_exporter system user
user:
name: node_exporter
system: yes
shell: /usr/sbin/nologin
create_home: no
become: yes
- name: Download node_exporter
get_url:
url: "https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-amd64.tar.gz"
dest: /tmp/node_exporter.tar.gz
mode: '0644'
timeout: 60
become: yes
- name: Create temporary extraction directory
file:
path: /tmp/node_exporter_temp
state: directory
mode: '0755'
become: yes
- name: Extract node_exporter
unarchive:
src: /tmp/node_exporter.tar.gz
dest: /tmp/node_exporter_temp
remote_src: yes
creates: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter
become: yes
- name: Install node_exporter binary
copy:
src: /tmp/node_exporter_temp/node_exporter-1.8.2.linux-amd64/node_exporter
dest: /usr/local/bin/node_exporter
owner: root
group: root
mode: '0755'
remote_src: yes
become: yes
notify: restart node_exporter
- name: Clean up temporary files
file:
path: "{{ item }}"
state: absent
loop:
- /tmp/node_exporter.tar.gz
- /tmp/node_exporter_temp
become: yes
- name: Create textfile collector directory
file:
path: /var/lib/node_exporter/textfile_collector
state: directory
owner: node_exporter
group: node_exporter
mode: '0755'
become: yes
- name: Deploy node_exporter systemd service
copy:
content: |
[Unit]
Description=Prometheus Node Exporter
Documentation=https://github.com/prometheus/node_exporter
After=network.target
[Service]
Type=simple
User=node_exporter
Group=node_exporter
ExecStart=/usr/local/bin/node_exporter \
--collector.systemd \
--collector.processes \
--collector.cpu \
--collector.meminfo \
--collector.diskstats \
--collector.netdev \
--collector.filesystem \
--collector.loadavg \
--collector.time \
--collector.textfile.directory=/var/lib/node_exporter/textfile_collector \
--web.listen-address=0.0.0.0:9100 \
--web.telemetry-path=/metrics
Restart=always
RestartSec=5
# Security settings
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
[Install]
WantedBy=multi-user.target
dest: /etc/systemd/system/node_exporter.service
owner: root
group: root
mode: '0644'
become: yes
notify: restart node_exporter
- name: Start and enable node_exporter
systemd:
name: node_exporter
state: started
enabled: yes
daemon_reload: yes
become: yes
- name: Wait for node_exporter to start
wait_for:
host: localhost
port: 9100
timeout: 30
state: started
delay: 5
become: yes
- name: Verify node_exporter is responding
uri:
url: http://localhost:9100/metrics
status_code: 200
timeout: 10
register: node_exporter_check
become: yes
- name: Show node_exporter status
debug:
msg: "Node Exporter is running and responding on port 9100"
when: node_exporter_check.status == 200
- name: Allow port 9100 in ufw (if enabled)
ufw:
rule: allow
port: 9100
proto: tcp
comment: "Prometheus Node Exporter"
when:
- ansible_facts.services["ufw.service"] is defined
- ansible_facts.services["ufw.service"]["state"] == "running"
become: yes
Reference in New Issue View Git Blame Copy Permalink