205 lines
6.1 KiB
YAML
205 lines
6.1 KiB
YAML
---
|
||
- name: Update and upgrade apt packages (full upgrade)
|
||
apt:
|
||
upgrade: full
|
||
update_cache: yes
|
||
cache_valid_time: 3600
|
||
|
||
- name: Install base packages
|
||
apt:
|
||
name: "{{ base_packages }}"
|
||
state: present
|
||
update_cache: yes
|
||
|
||
- name: Remove unused packages
|
||
apt:
|
||
autoremove: yes
|
||
autoclean: yes
|
||
|
||
- name: Disable IPv6 via sysctl
|
||
sysctl:
|
||
name: "{{ item.name }}"
|
||
value: "{{ item.value }}"
|
||
sysctl_set: yes
|
||
state: present
|
||
reload: yes
|
||
loop:
|
||
- { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
|
||
- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
|
||
|
||
- name: Ensure /root/.bashrc exists
|
||
file:
|
||
path: /root/.bashrc
|
||
state: touch
|
||
mode: '0644'
|
||
|
||
- name: Add custom aliases and environment to ~/.bashrc
|
||
blockinfile:
|
||
path: /root/.bashrc
|
||
marker: "# {mark} ANSIBLE MANAGED BLOCK: CUSTOM ALIASES AND ENV"
|
||
block: |
|
||
# Работа с файлами
|
||
alias rm='rm -i' # Удалить с подтверждением
|
||
alias cp='cp -i' # Копировать с подтверждением
|
||
alias mv='mv -i' # Переместить с подтверждением
|
||
|
||
# ls - вывод списка файлов
|
||
alias ls='ls --color=auto' # Цветной вывод
|
||
alias ll='ls -la' # Показывать скрытые файлы и представлять вывод в виде списка
|
||
alias l.='ls -d .* --color=auto' # Показать только скрытые файлы
|
||
|
||
# mount - монтирование разделов
|
||
alias mount='mount | column -t' # Вывод mount читаемым
|
||
|
||
# История
|
||
alias h='history' # История команд bash
|
||
alias c='clear' # Очистить окно терминала
|
||
|
||
# Дата и время
|
||
alias now='date +%T' # Время сейчас
|
||
alias nowdate='date +%d-%m-%Y' # Только дата
|
||
|
||
# Сеть
|
||
alias ping5='ping -c 5' # Посылать только пять запросов
|
||
alias ports='netstat -tulanp' # Открытые порты
|
||
|
||
# Работа с пакетами
|
||
alias update='sudo apt update && sudo apt upgrade' # Обновление одной командой
|
||
|
||
# Работа с системой
|
||
alias meminfo='free -m -l -t' # Сколько памяти занято
|
||
alias psmem='ps auxf | sort -nr -k 4 | head -10' # 10 процессов с самой большой нагрузкой на память
|
||
|
||
# Переменные окружения
|
||
export DISPLAY="{{ x11_display_host }}:0"
|
||
export HISTTIMEFORMAT='%F %T '
|
||
owner: root
|
||
mode: '0644'
|
||
|
||
- name: Configure timezone
|
||
timezone:
|
||
name: "{{ timezone }}"
|
||
|
||
- name: Configure locale
|
||
locale_gen:
|
||
name: "{{ system_locale }}"
|
||
state: present
|
||
|
||
- name: Set default locale
|
||
lineinfile:
|
||
path: /etc/default/locale
|
||
line: "LANG={{ system_locale }}"
|
||
state: present
|
||
create: yes
|
||
|
||
- name: Ensure required directories exist
|
||
file:
|
||
path: "{{ item }}"
|
||
state: directory
|
||
mode: '0755'
|
||
loop:
|
||
- /opt/scripts
|
||
- /etc/apt/keyrings
|
||
|
||
- name: Install Python requests library (if needed)
|
||
apt:
|
||
name: python3-requests
|
||
state: present
|
||
when: ansible_connection != "local"
|
||
|
||
- name: Ensure SSH directory exists
|
||
file:
|
||
path: /root/.ssh
|
||
state: directory
|
||
mode: '0700'
|
||
|
||
- name: Add authorized key for root
|
||
authorized_key:
|
||
user: root
|
||
state: present
|
||
key: "{{ item }}"
|
||
loop: "{{ ssh_public_keys | default([]) }}"
|
||
|
||
- name: Configure SSH security
|
||
lineinfile:
|
||
path: /etc/ssh/sshd_config
|
||
regexp: "{{ item.regexp }}"
|
||
line: "{{ item.line }}"
|
||
state: present
|
||
loop:
|
||
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
|
||
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin prohibit-password' }
|
||
- { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
|
||
notify: restart ssh
|
||
|
||
# ========== Node Exporter Installation ==========
|
||
- name: Create node_exporter system user
|
||
ansible.builtin.user:
|
||
name: node_exporter
|
||
system: yes
|
||
shell: /usr/sbin/nologin
|
||
create_home: no
|
||
|
||
- name: Download and extract node_exporter binary
|
||
ansible.builtin.unarchive:
|
||
src: "https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-amd64.tar.gz"
|
||
dest: /tmp
|
||
remote_src: yes
|
||
creates: /usr/local/bin/node_exporter
|
||
|
||
- name: Install node_exporter binary
|
||
ansible.builtin.copy:
|
||
src: /tmp/node_exporter-1.8.2.linux-amd64/node_exporter
|
||
dest: /usr/local/bin/node_exporter
|
||
owner: root
|
||
group: root
|
||
mode: '0755'
|
||
remote_src: yes
|
||
|
||
- name: Create textfile collector directory
|
||
ansible.builtin.file:
|
||
path: /var/lib/node_exporter/textfile_collector
|
||
state: directory
|
||
owner: node_exporter
|
||
group: node_exporter
|
||
mode: '0755'
|
||
|
||
- name: Deploy node_exporter systemd service
|
||
ansible.builtin.copy:
|
||
content: |
|
||
[Unit]
|
||
Description=Node Exporter
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=node_exporter
|
||
ExecStart=/usr/local/bin/node_exporter \
|
||
--collector.systemd \
|
||
--collector.processes \
|
||
--collector.textfile.directory=/var/lib/node_exporter/textfile_collector \
|
||
--web.listen-address=:9100
|
||
Restart=always
|
||
RestartSec=5
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
dest: /etc/systemd/system/node_exporter.service
|
||
owner: root
|
||
group: root
|
||
mode: '0644'
|
||
|
||
- name: Reload systemd and start node_exporter
|
||
ansible.builtin.systemd:
|
||
name: node_exporter
|
||
state: started
|
||
enabled: yes
|
||
daemon_reload: yes
|
||
|
||
- name: Allow port 9100 in ufw (if enabled)
|
||
ansible.builtin.ufw:
|
||
rule: allow
|
||
port: 9100
|
||
proto: tcp
|
||
comment: "Prometheus Node Exporter"
|
||
when: ansible_facts.services["ufw.service"] is defined and ansible_facts.services["ufw.service"]["state"] == "running" |