samsapti/pi-ansible
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Linting

Browse source
This commit is contained in:
Sam A. 2023-03-22 19:31:21 +01:00
parent c25c0d29ac
commit e712bbe212
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
19 changed files with 67 additions and 67 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.ansible-lint
View file

@ -66,9 +66,9 @@ warn_list:
# - role-name
# - yaml[document-start] # you can also use sub-rule matches
skip_list:
- fqcn[action-core]
- fqcn[action]
# skip_list:
# - fqcn[action-core]
# - fqcn[action]
# Some rules can transform files to fix (or make it easier to fix) identified
# errors. `ansible-lint --write` will reformat YAML files and run these transforms.

12
roles/docker_services/tasks/main.yml
View file

@ -1,19 +1,19 @@
# vim: ft=yaml.ansible
---
- name: Add Docker PGP key
apt_key:
ansible.builtin.apt_key:
keyserver: keyserver.ubuntu.com
id: '0x8D81803C0EBFCD88'
state: present
- name: Add Docker apt repository
apt_repository:
ansible.builtin.apt_repository:
repo: 'deb [arch=arm64] https://download.docker.com/linux/ubuntu focal stable'
state: present
update_cache: true
- name: Install Docker
apt:
ansible.builtin.apt:
name: "{{ pkgs }}"
state: present
vars:
@ -22,13 +22,13 @@
- docker-compose-plugin
- name: Create docker-compose symlink
file:
ansible.builtin.file:
name: /usr/local/bin/docker-compose
src: /usr/libexec/docker/cli-plugins/docker-compose
state: link
- name: Install Python bindings for Docker
pip:
ansible.builtin.pip:
name: "{{ pkgs }}"
state: present
executable: pip3
@ -38,7 +38,7 @@
- docker-compose
- name: Set up Docker services
import_tasks: services.yml
ansible.builtin.import_tasks: services.yml
tags:
- services
- reboot

12
roles/docker_services/tasks/services.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Copy Docker daemon config file
template:
ansible.builtin.template:
src: daemon.json.j2
dest: /etc/docker/daemon.json
owner: root
@ -9,7 +9,7 @@
register: daemon_config
- name: Disable and (re)start Docker daemon
service:
ansible.builtin.service:
name: "{{ item }}"
enabled: false
state: "{{ 'restarted' if daemon_config.changed else 'started' }}"
@ -18,14 +18,14 @@
- docker.service
- name: Create base directory for Docker volumes
file:
ansible.builtin.file:
name: "{{ base_volume }}"
owner: "{{ ansible_user }}"
mode: u=rwx,g=rx,o=rx
state: directory
- name: Create Docker network for services
docker_network:
community.docker.docker_network:
name: services
ipam_config:
- subnet: 172.16.0.0/16
@ -33,11 +33,11 @@
state: present
- name: Deploy services
include_tasks: services/{{ item.key }}.yml
ansible.builtin.include_tasks: services/{{ item.key }}.yml
loop: "{{ services | dict2items }}"
when: single_service is not defined
- name: Deploy single service
include_tasks: services/{{ single_service }}.yml
ansible.builtin.include_tasks: services/{{ single_service }}.yml
when: single_service is defined and
single_service in services

6
roles/docker_services/tasks/services/caddy.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Create Caddy volume directories
file:
ansible.builtin.file:
name: "{{ services.caddy.volume }}/{{ dir }}"
owner: root
mode: u=rwx,g=rx,o=rx
@ -13,14 +13,14 @@
loop_var: dir
- name: Copy Caddyfile
template:
ansible.builtin.template:
src: Caddyfile.j2
dest: "{{ services.caddy.volume }}/Caddyfile"
owner: root
mode: u=rw,g=r,o=r
- name: Deploy Caddy Docker container
docker_container:
community.docker.docker_container:
name: caddy
image: caddy:{{ services.caddy.version }}
restart_policy: always

4
roles/docker_services/tasks/services/emby.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Create Emby volume directories
file:
ansible.builtin.file:
name: "{{ services.emby.volume }}/{{ dir }}"
owner: "{{ ansible_user }}"
mode: u=rwx,g=rx,o=rx
@ -14,7 +14,7 @@
loop_var: dir
- name: Deploy Emby Docker container
docker_container:
community.docker.docker_container:
name: emby_app
image: emby/embyserver_arm64v8:{{ services.emby.version }}
restart_policy: always

4
roles/docker_services/tasks/services/monerod.yml
View file

@ -1,12 +1,12 @@
# vim: ft=yaml.ansible
---
- name: Create Docker volume for Monero blockchain data
docker_volume:
community.docker.docker_volume:
volume_name: monerod-node-blockchain
state: present
- name: Deploy Monero node Docker container
docker_container:
community.docker.docker_container:
name: monerod_node
image: sethsimmons/simple-monerod:{{ services.monerod.version }}
restart_policy: always

10
roles/docker_services/tasks/services/nextcloud.yml
View file

@ -1,14 +1,14 @@
# vim: ft=yaml.ansible
---
- name: Create Nextcloud apache2 directory
file:
ansible.builtin.file:
name: "{{ services.nextcloud.volume }}/apache2"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Create Nextcloud app directory
file:
ansible.builtin.file:
name: "{{ services.nextcloud.volume }}/app"
owner: root
group: '33'
@ -16,14 +16,14 @@
state: directory
- name: Create Nextcloud PostgreSQL directory
file:
ansible.builtin.file:
name: "{{ services.nextcloud.volume }}/postgres"
owner: '70'
mode: u=rwx,go=
state: directory
- name: Copy Apache2 config files
copy:
ansible.builtin.copy:
src: nextcloud/apache2/{{ file }}
dest: "{{ services.nextcloud.volume }}/apache2/{{ file }}"
owner: root
@ -35,7 +35,7 @@
loop_var: file
- name: Deploy Nextcloud with Docker Compose
docker_compose:
community.docker.docker_compose:
project_name: nextcloud
pull: true
definition:

6
roles/docker_services/tasks/services/postfix.yml
View file

@ -1,19 +1,19 @@
# vim: ft=yaml.ansible
---
- name: Create Docker network for Postfix
docker_network:
community.docker.docker_network:
name: postfix
state: present
- name: Create Postfix volume directories
file:
ansible.builtin.file:
name: "{{ services.postfix.volume }}/dkim"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Deploy Postfix Docker container
docker_container:
community.docker.docker_container:
name: postfix
image: boky/postfix:{{ services.postfix.version }}
restart_policy: always

2
roles/docker_services/tasks/services/restic.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Deploy Restic with Docker Compose
docker_compose:
community.docker.docker_compose:
project_name: restic
pull: true
definition:

2
roles/docker_services/tasks/services/snowflake.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Deploy snowflake-proxy Docker container
docker_container:
community.docker.docker_container:
name: snowflake-proxy
image: thetorproject/snowflake-proxy:{{ services.snowflake.version }}
restart_policy: always

4
roles/docker_services/tasks/services/watchtower.yml
View file

@ -1,12 +1,12 @@
# vim: ft=yaml.ansible
---
- name: Create Docker network for Watchtower
docker_network:
community.docker.docker_network:
name: watchtower
state: present
- name: Deploy Watchtower Docker container
docker_container:
community.docker.docker_container:
name: watchtower
image: containrrr/watchtower:{{ services.watchtower.version }}
restart_policy: always

6
roles/docker_services/tasks/services/wireguard.yml
View file

@ -1,19 +1,19 @@
# vim: ft=yaml.ansible
---
- name: Create Wireguard volume directory
file:
ansible.builtin.file:
name: "{{ services.wireguard.volume }}"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Create Docker network for Wireguard
docker_network:
community.docker.docker_network:
name: wireguard
state: present
- name: Deploy Wireguard Docker container
docker_container:
community.docker.docker_container:
name: wireguard
image: linuxserver/wireguard:{{ services.wireguard.version }}
restart_policy: always

12
roles/os_config/handlers/main.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Create .env for apt-update-push
template:
ansible.builtin.template:
src: env.j2
dest: /home/{{ ansible_user }}/apt-update-push/.env
owner: root
@ -9,28 +9,28 @@
listen: apt-update-push
- name: Install apt-update-push
command: /home/{{ ansible_user }}/apt-update-push/install.sh
ansible.builtin.command: /home/{{ ansible_user }}/apt-update-push/install.sh
listen: apt-update-push
- name: Change GPIO_PIN
lineinfile:
ansible.builtin.lineinfile:
regexp: '^GPIO_PIN = '
line: GPIO_PIN = 14
dest: /home/{{ ansible_user }}/pi-fan-controller/fancontrol.py
listen: pi-fan-controller
- name: Install requirements for pi-fan-controller
pip:
ansible.builtin.pip:
requirements: /home/{{ ansible_user }}/pi-fan-controller/requirements.txt
executable: pip3
listen: pi-fan-controller
- name: Install pi-fan-controller
command: /home/{{ ansible_user }}/pi-fan-controller/script/install
ansible.builtin.command: /home/{{ ansible_user }}/pi-fan-controller/script/install
listen: pi-fan-controller
- name: Restart sshd
service:
ansible.builtin.service:
name: sshd
state: restarted
listen: sshd

12
roles/os_config/tasks/base.yml
View file

@ -1,20 +1,20 @@
# vim: ft=yaml.ansible
---
- name: Set hostname
hostname:
ansible.builtin.hostname:
name: "{{ hostname }}"
- name: Set timezone
timezone:
community.general.timezone:
name: "{{ timezone }}"
- name: Upgrade system packages
apt:
ansible.builtin.apt:
update_cache: true
upgrade: full
- name: Install packages via apt
apt:
ansible.builtin.apt:
name: "{{ pkgs }}"
state: present
vars:
@ -29,7 +29,7 @@
- unattended-upgrades
- name: Clone apt-update-push
git:
ansible.builtin.git:
dest: /home/{{ ansible_user }}/apt-update-push
repo: https://github.com/samsapti/apt-update-push.git
clone: true
@ -40,7 +40,7 @@
notify: apt-update-push
- name: Clone pi-fan-controller
git:
ansible.builtin.git:
dest: /home/{{ ansible_user }}/pi-fan-controller
repo: https://github.com/Howchoo/pi-fan-controller.git
clone: true

8
roles/os_config/tasks/disks.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: (Create and) open LUKS containers
luks_device:
community.crypto.luks_device:
uuid: "{{ item.disk.uuid }}"
passphrase: "{{ item.disk.luks_pw }}"
name: "{{ item.name }}"
@ -14,7 +14,7 @@
name: "{{ ssd_name }}"
- name: Create filesystems if they do not exist
filesystem:
community.general.filesystem:
dev: "{{ item }}"
fstype: ext4
state: present
@ -24,7 +24,7 @@
when: ansible_mounts | selectattr('device', 'eq', item) | length == 0
- name: Mount filesystems
mount:
ansible.posix.mount:
src: "{{ item.dev }}"
path: "{{ item.path }}"
fstype: ext4
@ -47,7 +47,7 @@
when: ansible_swaptotal_mb == 0
- name: Mount swapfile
shell: |
ansible.builtin.shell: |
mkswap {{ ssd_mount_point }}/swapfile
swapon {{ ssd_mount_point }}/swapfile
when: ansible_swaptotal_mb == 0

4
roles/os_config/tasks/firewall.yml
View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible
---
- name: Allow necessary ports in UFW
ufw:
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto | default('tcp') }}"
@ -15,6 +15,6 @@
proto: udp
- name: Enable UFW
ufw:
community.general.ufw:
state: enabled
policy: deny

10
roles/os_config/tasks/main.yml
View file

@ -1,20 +1,20 @@
# vim: ft=yaml.ansible
---
- name: Configure system base
import_tasks: base.yml
ansible.builtin.import_tasks: base.yml
- name: Reboot if needed
import_tasks: reboot.yml
ansible.builtin.import_tasks: reboot.yml
tags:
- reboot
- name: Configure firewall
import_tasks: firewall.yml
ansible.builtin.import_tasks: firewall.yml
- name: Configure SSH
import_tasks: ssh.yml
ansible.builtin.import_tasks: ssh.yml
- name: Configure disks
import_tasks: disks.yml
ansible.builtin.import_tasks: disks.yml
tags:
- reboot

6
roles/os_config/tasks/reboot.yml
View file

@ -1,19 +1,19 @@
# vim: ft=yaml.ansible
---
- name: Check if a reboot is needed
stat:
ansible.builtin.stat:
path: /var/run/reboot-required
register: needs_reboot
- name: Reboot host
reboot:
ansible.builtin.reboot:
connect_timeout: 120
when: needs_reboot.stat.exists or
(force_reboot is defined and force_reboot)
register: reboot
- name: Re-gather facts
setup:
ansible.builtin.setup:
filter:
- ansible_mounts
- ansible_swaptotal_mb

8
roles/os_config/tasks/ssh.yml
View file

@ -1,27 +1,27 @@
# vim: ft=yaml.ansible
---
- name: Add public SSH key to default user
authorized_key:
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
key: "{{ ssh_key }}"
exclusive: true
- name: Allow SSH login with public keys
lineinfile:
ansible.builtin.lineinfile:
regexp: '^#?PubkeyAuthentication '
line: PubkeyAuthentication yes
dest: /etc/ssh/sshd_config
notify: sshd
- name: Disallow SSH login with password
lineinfile:
ansible.builtin.lineinfile:
regexp: '^#?PasswordAuthentication '
line: PasswordAuthentication no
dest: /etc/ssh/sshd_config
notify: sshd
- name: Disallow root login over SSH
lineinfile:
ansible.builtin.lineinfile:
regexp: '^#?PermitRootLogin '
line: PermitRootLogin no
dest: /etc/ssh/sshd_config