Finish up roles

.ansible-lint

@@ -61,6 +61,7 @@ enable_list:
 warn_list:
   - skip_this_tag
   - experimental # experimental is included in the implicit list
+  - no-changed-when
   # - role-name
   # - yaml[document-start]  # you can also use sub-rule matches
 

group_vars/all/secrets.yml

@@ -1,30 +1,40 @@
 $ANSIBLE_VAULT;1.1;AES256
-66653666613865393239313165343731323338616237653731343964373065386138666161653164
-3031306366373335323239396631633034363332306434380a613331613239663035313235383137
-62356463323933303336383363363962643963623934663363636364363034323465326562616463
-3236396135396566300a396162623864346162383338343132353331623664643065303634616664
-65623037636561313237376233623137616537346535333536396662343164633737313938313637
-64313366303264336464653231333562363835383036663864323764636565646137353265363566
-63333332373562663866393139643465346164316464373132636166363562643564343935383737
-61653332326162316532656262666233393132386238653032353435306464343138326236386330
-36316263383863393866616562306365643132633939373836353236666432373662386632323234
-64326132616433643132633035306266623235316137396362306132636437646430323663653233
-62393165333537383232643132353431373338633261323739616565306634306263346163353938
-30393766323339616238613361313834636534623265346237383730386163346562666234303832
-35613236626465393031663833336238323832646261333731393365373539393231366134613866
-36376135396335333437383864613634383635663834393138376635613633333062343338643965
-65343335643435303765666530346431313632353434343735383065346132653035316239353566
-32616536626138653939306137636136396330613964393833616536636464326538396634323037
-63366364393061353638633663343263666132336330306136663662366132343265653361356161
-39666138616331323336313438343763666331363238396364353664383533393632646665326337
-37613034633939356134366639663239653031323037623364633838303734336532626536356365
-66613061653833646231666564316632346166313461636333393965386162626232626465376437
-63396464346137666537626333643564316461316536323236643132346462353133653739363330
-33376137633336616663373633303964323661353636373631633465663566383834373932306330
-38626465353265306431386563343638363064623164393563376365353534343036356331393435
-64613331366234343261343463366330316566313431653632653339386631363966663634656434
-64666161313264386165373231666665303435373138633536616535373132353966636662666561
-35343966373330323231346637363563343063373639326134636364626462663061343231363631
-31303937373261623362323833613837336631346137633831356165313864383364613431646333
-61316636396236633164336563306534626162326263643230303839373761633739366165396331
-33326332393935313262663631386631353936626161623238343335383764343131
+33343537323631306437363833656262343362616463373262346436363462373561373565323035
+3838366637626533363434363539633261346332343939340a393433623033653933336461336337
+61306630343036326139663164646137333235323235306138653030663832353137376339373539
+3965303431346538300a306331363135346262346138343430613337373632343538336664383932
+34333163646339613238646161343239383931343566373337313938323963356338663031333731
+61346636656337346166663132383263666332363162323132303939623566353937633939313166
+38313465363738336336316538356266333138373039356337326133306265616232323466363037
+36643637396262666432356233313964636663623636376637336232633462656537313638376663
+62366162396365343530343335643762656661313762333532656532333334396230626631623561
+32363734376261346264643636323636623935633737306262623630373832363763306364653662
+37323930323432383330313331393930396339393530316133666330386531313731656534633436
+62633737393635626561346364656531333531636633633837353634376439653438616433376464
+65613334623439356637323837383863373034363634373531383862323362323237643431636263
+36306563353238373330643337313833376263663938376663323462626563633035616637663432
+62613862303832633238316436353534306137356663373737313931643132333962646536623837
+34616666396238633432306364633434346334376331633137613235383938643735323536373531
+30393033613662393266306666343337373862613034303538353138653562616662653062316538
+32626233613838313331336634613963636230396131313333376330353061363532623664373331
+62303733383237383666633733643164613065323131616239316537666138393130656332396335
+33333761313261373730333733646135313230346161636536353065366365303436366235323463
+31343334303738333362626665363965306531373862363930656666636434323064656339383462
+64393332623663363762313364333131303539363264656632646564306262323534366531356561
+39303062363530623733343437343836636233353163643733363739316461373431623264643333
+61313465363635653333626230643932363563663066366163636565356431666563343866613862
+65643862636331646434393032363163336565613732373338616237366131626566316534623435
+66343964303335626461323132653734653136363762656166336532633964323636653838626531
+30386130393032623965336336393930653239393263633466666135363439653839663038656264
+65336463636331313365623433383237383730393262656262376465376236613732353663306535
+31653230363263626135393338313864643561346438643633623331333931386337376431303566
+65353736353339653937303164383765653635336632666439313366626133376430626435623232
+64393936363266303934313033303562303562323165316334653162343139636663316534333331
+30323139326265626566393365316434323863333037646235646235363761326336626561376463
+61396439363932643936623764396538346361373635653737633534656665613137656132303033
+31306230326264353133313665346261653033626163323461346330353134323836666139326633
+62326139653762326262393630303932383461353761386434643230633134643163303463613961
+39333531373539366461356166623466626635323564393337396136616363663763313030393863
+31633938323332646366326662393339653137636535343062306233633330656266396162666465
+63623735393864346137333864326165656133653836353836396432396436346265343138666339
+626635323031343133366135303261356136

playbook.yml

@@ -4,8 +4,11 @@
   gather_facts: false
   become: true
   vars:
-    hdd_mount_point: /opt/storage
-    ssd_mount_point: /opt/pi-ssd
+    hdd_name: storage
+    hdd_mount_point: "/opt/{{ hdd_name }}"
+
+    ssd_name: pi-ssd
+    ssd_mount_point: "/opt/{{ ssd_name }}"
 
     timezone: Europe/Copenhagen
 
@@ -13,6 +16,10 @@
     - name: Run OS configuration role
       import_role:
         name: os_config
+      tags:
+        - os
     - name: Run Docker role
       import_role:
         name: docker
+      tags:
+        - docker

roles/docker/tasks/main.yml

@@ -36,18 +36,14 @@
       - docker
       - docker-compose
 
-- name: Start but disable Docker daemon
-  service:
-    name: "{{ unit }}"
-    enabled: false
-    state: started
-  loop:
-    - docker.socket
-    - docker.service
-  loop_control:
-    loop_var: unit
+- name: Copy Docker daemon config file
+  template:
+    src: daemon.json.j2
+    dest: /etc/docker/daemon.json
+    mode: u=rw,g=r,o=r
 
 - name: Set up Docker services
   import_tasks: services.yml
   tags:
+    - boot
     - services

roles/docker/tasks/services.yml

@@ -1,5 +1,14 @@
 # vim: ft=yaml.ansible
 ---
+- name: Start but disable Docker daemon
+  service:
+    name: "{{ item }}"
+    enabled: false
+    state: started
+  loop:
+    - docker.socket
+    - docker.service
+
 - name: Create base directory for Docker volumes
   file:
     name: "{{ base_volume }}"

roles/os_config/tasks/disks.yml

@@ -0,0 +1,46 @@
+# vim: ft=yaml.ansible
+---
+- name: (Create and) open LUKS containers
+  luks_device:
+    uuid: "{{ item.disk.uuid }}"
+    passphrase: "{{ item.disk.luks_pw }}"
+    name: "{{ item.name }}"
+    type: luks2
+    state: opened
+  loop:
+    - disk: "{{ secrets.hdd }}"
+      name: "{{ hdd_name }}"
+    - disk: "{{ secrets.ssd }}"
+      name: "{{ ssd_name }}"
+
+- name: Create filesystems if they do not exist
+  filesystem:
+    dev: "/dev/mapper/{{ item }}"
+    fstype: ext4
+    state: present
+  loop:
+    - "{{ hdd_name }}"
+    - "{{ ssd_name }}"
+
+- name: Mount filesystems
+  mount:
+    src: "/dev/disk/by-uuid/{{ item.uuid }}"
+    path: "{{ item.path }}"
+    fstype: ext4
+    state: ephemeral
+  loop:
+    - uuid: "{{ secrets.hdd.uuid }}"
+      path: "{{ hdd_mount_point }}"
+    - uuid: "{{ secrets.ssd.uuid }}"
+      path: "{{ ssd_mount_point }}"
+
+- name: Create swapfile
+  community.general.filesize:
+    path: "{{ ssd_mount_point }}/swapfile"
+    size: 8G
+    mode: 0600
+
+- name: Mount swapfile
+  shell: |
+    mkswap {{ ssd_mount_point }}/swapfile
+    swapon {{ ssd_mount_point }}/swapfile

roles/os_config/tasks/luks.yml

@@ -1,3 +0,0 @@
-# vim: ft=yaml.ansible
----
-

roles/os_config/tasks/main.yml

@@ -1,16 +1,14 @@
 ---
 - name: Configure system packages
-  import_tasks:
-    - pkgs.yml
+  import_tasks: pkgs.yml
 
 - name: Configure firewall
-  import_tasks:
-    - ufw.yml
-
-- name: Configure disk encryption
-  import_tasks:
-    - luks.yml
+  import_tasks: ufw.yml
 
 - name: Configure SSH
-  import_tasks:
-    - ssh.yml
+  import_tasks: ssh.yml
+
+- name: Configure disks
+  import_tasks: disks.yml
+  tags:
+    - boot

roles/os_config/tasks/pkgs.yml

@@ -1,7 +1,7 @@
 # vim: ft=yaml.ansible
 ---
 - name: Upgrade system packages
-  apt: 
+  apt:
     update_cache: true
     upgrade: full
 

roles/os_config/tasks/ufw.yml

@@ -1,7 +1,7 @@
 # vim: ft=yaml.ansible
 ---
 - name: Allow necessary ports in UFW
-  community.general.ufw:
+  ufw:
     rule: allow
     port: "{{ item.port }}"
     proto: "{{ item.proto | default('tcp') }}"
@@ -15,6 +15,6 @@
       proto: udp
 
 - name: Enable UFW
-  community.general.ufw: 
+  ufw:
     state: enabled
     policy: deny