ilia/ansible
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add monitoring and backup roles, enhancing infrastructure management capabilities. Introduce Proxmox VM creation playbook for automated VM provisioning. Update Makefile with new commands for monitoring and backup tasks. Enhance README.md with detailed usage instructions for new features, including automated backups and system monitoring tools. Refactor existing roles for improved organization and clarity, ensuring compatibility across various systems.

Browse Source
This commit is contained in:
ilia 2025-09-07 22:17:22 -04:00
parent 00d660201a
commit 4621ea4674
41 changed files with 1069 additions and 577 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
.ansible-lint Normal file
View File

@ -0,0 +1,26 @@
# Ansible Lint Configuration
---
# Exclude patterns
exclude_paths:
- .cache/
- .github/
- .ansible/
# Skip specific rules
skip_list:
- yaml[line-length] # Allow longer lines in some cases
- name[casing] # Allow mixed case in task names
- args[module] # Skip args rule that causes "file name too long" issues
- var-naming[no-role-prefix] # Allow shorter variable names for readability
- risky-shell-pipe # Allow shell pipes in maintenance scripts
# Warn instead of error for these
warn_list:
- experimental # Allow experimental features
- jinja[spacing] # Allow flexible jinja spacing
# Don't try to decrypt vault files during linting
offline: true
# Verbosity level (0-2)
verbosity: 1

0
.ansible/.lock
View File

41
Makefile
View File

@ -1,4 +1,4 @@
.PHONY: help bootstrap lint test check apply dev local clean status tailscale tailscale-check tailscale-dev tailscale-status create-vault .PHONY: help bootstrap lint test check apply dev local clean status tailscale tailscale-check tailscale-dev tailscale-status create-vault create-vm monitoring backup
.DEFAULT_GOAL := help .DEFAULT_GOAL := help
## Colors for output ## Colors for output
@ -26,10 +26,12 @@ help: ## Show this help message
@echo " make apply # Run on all dev hosts" @echo " make apply # Run on all dev hosts"
@echo " make dev HOST=dev01 # Run on specific host" @echo " make dev HOST=dev01 # Run on specific host"
@echo " make local # Run local playbook" @echo " make local # Run local playbook"
@echo " make maintenance # Run maintenance on all hosts" @echo " make maintenance # Run maintenance on all hosts"
@echo " make maintenance GROUP=dev # Run maintenance on dev group" @echo " make maintenance GROUP=dev # Run maintenance on dev group"
@echo " make maintenance HOST=dev01 # Run maintenance on specific host" @echo " make maintenance HOST=dev01 # Run maintenance on specific host"
@echo " make maintenance CHECK=true # Dry-run maintenance on all hosts" @echo " make maintenance CHECK=true # Dry-run maintenance on all hosts"
@echo " make maintenance VERBOSE=true # Run with verbose output"
@echo " make maintenance-verbose GROUP=dev # Verbose maintenance on dev group"
@echo "" @echo ""
bootstrap: ## Install required collections and dependencies bootstrap: ## Install required collections and dependencies
@ -110,7 +112,7 @@ security: ## Run only security-related roles
ansible-playbook dev-playbook.yml --tags security ansible-playbook dev-playbook.yml --tags security
# Unified maintenance target with intelligent parameter detection # Unified maintenance target with intelligent parameter detection
maintenance: ## Run maintenance (usage: make maintenance [GROUP=dev] [HOST=dev01] [SERIAL=1] [CHECK=true]) maintenance: ## Run maintenance (usage: make maintenance [GROUP=dev] [HOST=dev01] [SERIAL=1] [CHECK=true] [VERBOSE=true])
@$(MAKE) _maintenance-run @$(MAKE) _maintenance-run
_maintenance-run: _maintenance-run:
@ -150,6 +152,11 @@ _maintenance-run:
echo "$(YELLOW)Running maintenance on $$DESCRIPTION...$(RESET)"; \ echo "$(YELLOW)Running maintenance on $$DESCRIPTION...$(RESET)"; \
fi; \ fi; \
\ \
if [ "$(VERBOSE)" = "true" ]; then \
ANSIBLE_CMD="$$ANSIBLE_CMD -v"; \
echo "$(BLUE)Running with verbose output...$(RESET)"; \
fi; \
\
if [ -n "$(GROUP)" ] && [ "$(GROUP)" != "dev" ] && [ "$(GROUP)" != "local" ]; then \ if [ -n "$(GROUP)" ] && [ "$(GROUP)" != "dev" ] && [ "$(GROUP)" != "local" ]; then \
echo "$(BLUE)Available groups: dev, gitea, portainer, homepage, ansible, local$(RESET)"; \ echo "$(BLUE)Available groups: dev, gitea, portainer, homepage, ansible, local$(RESET)"; \
fi; \ fi; \
@ -166,6 +173,9 @@ maintenance-all: ## Run maintenance on all hosts (legacy alias)
maintenance-check: ## Dry-run maintenance (legacy alias, usage: make maintenance-check [GROUP=dev]) maintenance-check: ## Dry-run maintenance (legacy alias, usage: make maintenance-check [GROUP=dev])
@$(MAKE) maintenance CHECK=true GROUP=$(GROUP) @$(MAKE) maintenance CHECK=true GROUP=$(GROUP)
maintenance-verbose: ## Run maintenance with verbose output (usage: make maintenance-verbose [GROUP=dev])
@$(MAKE) maintenance VERBOSE=true GROUP=$(GROUP)
docker: ## Install/configure Docker only docker: ## Install/configure Docker only
@echo "$(YELLOW)Running Docker setup...$(RESET)" @echo "$(YELLOW)Running Docker setup...$(RESET)"
ansible-playbook dev-playbook.yml --tags docker ansible-playbook dev-playbook.yml --tags docker
@ -304,8 +314,6 @@ ifndef HOST
endif endif
ansible-vault edit host_vars/$(HOST).yml ansible-vault edit host_vars/$(HOST).yml
test-connectivity: ## Test network connectivity and SSH access to all hosts test-connectivity: ## Test network connectivity and SSH access to all hosts
@echo "$(BOLD)Connectivity Test$(RESET)" @echo "$(BOLD)Connectivity Test$(RESET)"
@if [ -n "$(CURRENT_HOST)" ]; then \ @if [ -n "$(CURRENT_HOST)" ]; then \
@ -364,4 +372,19 @@ endif
create-vault: ## Create encrypted vault file for secrets (passwords, auth keys, etc.) create-vault: ## Create encrypted vault file for secrets (passwords, auth keys, etc.)
@echo "$(YELLOW)Creating vault file for storing secrets...$(RESET)" @echo "$(YELLOW)Creating vault file for storing secrets...$(RESET)"
ansible-vault create group_vars/all/vault.yml ansible-vault create group_vars/all/vault.yml
@echo "$(GREEN)✓ Vault file created. Add your secrets here (e.g. vault_tailscale_auth_key)$(RESET)" @echo "$(GREEN)✓ Vault file created. Add your secrets here (e.g. vault_tailscale_auth_key)$(RESET)"
create-vm: ## Create Ansible controller VM on Proxmox
@echo "$(YELLOW)Creating Ansible controller VM on Proxmox...$(RESET)"
ansible-playbook proxmox-create-vm.yml --ask-vault-pass
@echo "$(GREEN)✓ VM creation complete$(RESET)"
monitoring: ## Install monitoring tools on all machines
@echo "$(YELLOW)Installing monitoring tools...$(RESET)"
ansible-playbook -i hosts dev-playbook.yml --tags monitoring
@echo "$(GREEN)✓ Monitoring installation complete$(RESET)"
backup: ## Set up automated backups on all machines
@echo "$(YELLOW)Setting up automated backups...$(RESET)"
ansible-playbook -i hosts dev-playbook.yml --tags backup
@echo "$(GREEN)✓ Backup setup complete$(RESET)"

453
README.md
View File

@ -1,31 +1,42 @@
# Ansible Development Environment Setup # Ansible Infrastructure Management
This Ansible playbook automates the setup of development environments across multiple machines. This Ansible project provides comprehensive infrastructure automation for development environments, server management, and VM provisioning across multiple machines and platforms.
## 🏗️ Architecture ## 🏗️ Architecture
### Host Groups ### Host Groups
- `dev`: Development machines (dev01, bottom, debianDesktopVM) - `dev`: Development machines (dev01, bottom, debianDesktopVM)
- `gitea`: Gitea server - `gitea`: Gitea server (Alpine Linux)
- `portainer`: Portainer container management - `portainer`: Portainer container management (Alpine Linux)
- `homepage`: Homepage dashboard - `homepage`: Homepage dashboard (Debian)
- `ansible`: Ansible control node - `ansible`: Ansible control node
- `local`: Local machine management
### Roles ### Roles
#### Core Roles #### Core Infrastructure Roles
- **`maintenance`**: System updates, package cleanup, and reboots - **`maintenance`**: System updates, package cleanup, and automated reboots
- **`base`**: Core system packages, security tools, and system hardening - **`base`**: Core system packages, security tools, and system hardening
- **`ssh`**: SSH server hardening and firewall configuration
- **`user`**: User management and configuration
#### Development & Shell Roles
- **`development`**: Development tools (git, nodejs, build-essential, python3) - **`development`**: Development tools (git, nodejs, build-essential, python3)
- **`shell`**: Shell configuration (zsh + oh-my-zsh + powerlevel10k) - **`shell`**: Shell configuration (zsh + oh-my-zsh + powerlevel10k)
- **`docker`**: Docker CE installation and user configuration - **`docker`**: Docker CE installation and user configuration
- **`ssh`**: SSH server and firewall configuration
- **`user`**: User management
#### Application Roles #### Application Roles
- **`applications`**: Desktop applications (Brave, LibreOffice, Redshift, Evince) - **`applications`**: Desktop applications (Brave, LibreOffice, Redshift, Evince)
- **`snap`**: Snap daemon and snap applications (VSCode, Cursor) - **`snap`**: Snap daemon and snap applications (VSCode, Cursor)
#### Network & Monitoring Roles
- **`tailscale`**: VPN mesh networking across all machines
- **`monitoring`**: System monitoring tools and scripts
- **`backup`**: Automated backup solutions (✨ NEW)
#### Infrastructure Roles
- **`proxmox_vm`**: Proxmox VM creation and management (✨ NEW)
## 🚀 Usage ## 🚀 Usage
### Quick Start with Makefile (Recommended) ### Quick Start with Makefile (Recommended)
@ -36,7 +47,7 @@ make bootstrap
# Test everything # Test everything
make test make test
# Dry run to see what would change # Dry run to see what would change
make check make check
# Apply to all development hosts # Apply to all development hosts
@ -49,6 +60,53 @@ make dev HOST=dev01
make local make local
``` ```
### New Infrastructure Features
#### Proxmox VM Creation (✨ NEW)
```bash
# Create new VMs on Proxmox
make create-vm
# Or manually:
ansible-playbook proxmox-create-vm.yml
```
#### Automated Backups (✨ NEW)
```bash
# Deploy backup system
make backup
# Includes:
# - Daily home directory backups (2:00 AM)
# - Daily system config backups (2:30 AM)
# - 7-day retention for home, 30-day for system
# - Automated cleanup and logging
```
#### System Monitoring (✨ NEW)
```bash
# Deploy monitoring tools
make monitoring
# Includes:
# - Advanced system monitoring (btop, iotop, nethogs)
# - Custom monitoring scripts
# - System information dashboards
# - Tailscale network status integration
```
#### Tailscale VPN Network
```bash
# Deploy Tailscale across all machines
make tailscale
# Check Tailscale status
make tailscale-status
# Deploy to development machines only
make tailscale-dev
```
### Prerequisites (Manual Setup) ### Prerequisites (Manual Setup)
```bash ```bash
# Install required collections # Install required collections
@ -56,10 +114,9 @@ ansible-galaxy collection install -r collections/requirements.yml
``` ```
### Vault Password Setup ### Vault Password Setup
Host variables are encrypted with Ansible Vault. You have two options: Host variables and sensitive data are encrypted with Ansible Vault:
#### Option 1: Vault Password File (Recommended) #### Option 1: Vault Password File (Recommended)
Create a vault password file:
```bash ```bash
# Create the vault password file # Create the vault password file
echo "your_vault_password" > ~/.ansible-vault-pass echo "your_vault_password" > ~/.ansible-vault-pass
@ -67,49 +124,53 @@ chmod 600 ~/.ansible-vault-pass
``` ```
#### Option 2: Interactive Password Prompt #### Option 2: Interactive Password Prompt
Use `--ask-vault-pass` with each command to be prompted for the vault password. Use `--ask-vault-pass` with each command.
### Basic Setup ### Vault Configuration
Create vault files with encrypted secrets:
```bash ```bash
# Run on all development machines (with vault password file) # Create/edit vault files
ansible-playbook dev-playbook.yml make create-vault
make edit-vault HOST=dev01
# Run on all development machines (interactive vault password) # Required vault variables:
ansible-playbook dev-playbook.yml --ask-vault-pass # - vault_tailscale_auth_key: "tskey-auth-your-key"
# - vault_proxmox_host: "proxmox-server-ip"
# Run on specific host # - vault_proxmox_user: "root@pam"
ansible-playbook dev-playbook.yml --limit dev01 # - vault_proxmox_password: "proxmox-password"
# - vault_vm_cipassword: "vm-user-password"
# Skip reboots for specific host # - vault_ssh_public_key: "ssh-ed25519 AAAA..."
ansible-playbook dev-playbook.yml --limit bottom
``` ```
### Selective Execution with Tags ### Selective Execution with Tags
#### Using Makefile (Recommended) #### Using Makefile (Recommended)
```bash ```bash
# Security-related roles only # Infrastructure roles
make security make security # Security-related roles only
make monitoring # Monitoring tools only
make backup # Backup system only
# Development tools only # Development tools
make docker make docker # Docker installation only
make shell make shell # Shell configuration only
make apps # Applications only
# Applications only # Network services
make apps make tailscale # VPN network setup
make tailscale-status # Check VPN status
# Maintenance (unified system) # Maintenance (unified system)
make maintenance # All hosts make maintenance # All hosts
make maintenance GROUP=dev # Specific group make maintenance GROUP=dev # Specific group
make maintenance HOST=dev01 # Specific host make maintenance HOST=dev01 # Specific host
make maintenance CHECK=true # Dry-run all hosts make maintenance CHECK=true # Dry-run all hosts
make maintenance GROUP=dev SERIAL=1 # Serial execution make maintenance GROUP=dev SERIAL=1 # Serial execution
# Check connectivity # Infrastructure management
make status make create-vm # Create new Proxmox VMs
make status # Check connectivity
# Get detailed help make facts # Gather system facts
make help
``` ```
#### Manual Commands #### Manual Commands
@ -117,49 +178,25 @@ make help
# Security-related roles only # Security-related roles only
ansible-playbook dev-playbook.yml --tags security ansible-playbook dev-playbook.yml --tags security
# Development tools only # Development tools only
ansible-playbook dev-playbook.yml --tags development,docker ansible-playbook dev-playbook.yml --tags development,docker
# Applications only # Network services
ansible-playbook dev-playbook.yml --tags apps ansible-playbook tailscale-playbook.yml
# Infrastructure provisioning
ansible-playbook proxmox-create-vm.yml
# Skip maintenance # Skip maintenance
ansible-playbook dev-playbook.yml --skip-tags maintenance ansible-playbook dev-playbook.yml --skip-tags maintenance
``` ```
### Skip Reboots ### Playbook Overview
Add `skip_reboot=true` to host variables: - **`dev-playbook.yml`**: Complete development environment setup
```ini - **`local-playbook.yml`**: Local machine configuration
[dev] - **`tailscale-playbook.yml`**: VPN network deployment
bottom ansible_host=10.0.10.156 ansible_user=beast skip_reboot=true - **`proxmox-create-vm.yml`**: VM provisioning on Proxmox
``` - **`maintenance-playbook.yml`**: System maintenance operations
### Debug Output
Control debug information display with the `ansible_debug_output` variable:
```bash
# Default: No debug output (clean, production-ready output)
ansible-playbook dev-playbook.yml --limit dev01
# Enable debug output (shows detailed status information)
ansible-playbook dev-playbook.yml --limit dev01 -e "ansible_debug_output=true"
# Set permanently in group_vars/all.yml
ansible_debug_output: true
```
### Dry Run and Testing
```bash
# Using Makefile
make test # Lint + syntax check
make check # Dry run all hosts
make check-local # Dry run localhost
make quick # Test + check workflow
# Manual commands
ansible-playbook dev-playbook.yml --check # Check what would change
ansible-playbook dev-playbook.yml -v # Verbose output
```
## 🔧 Configuration ## 🔧 Configuration
@ -168,11 +205,23 @@ ansible-playbook dev-playbook.yml -v # Verbose output
- `locale`: System locale (default: en_US.UTF-8) - `locale`: System locale (default: en_US.UTF-8)
- `ansible_debug_output`: Show debug information (default: false) - `ansible_debug_output`: Show debug information (default: false)
- `fail2ban_bantime`: Ban duration in seconds - `fail2ban_bantime`: Ban duration in seconds
- `fail2ban_findtime`: Time window for failures - `fail2ban_findtime`: Time window for failures
- `fail2ban_maxretry`: Max failures before ban - `fail2ban_maxretry`: Max failures before ban
### Tailscale Configuration
- `tailscale_auth_key`: Authentication key (stored in vault)
- `tailscale_accept_routes`: Accept subnet routes (default: true)
- `tailscale_accept_dns`: Accept DNS settings (default: true)
- `tailscale_ssh`: Enable SSH access through Tailscale (default: true)
### Backup Configuration (`roles/backup/defaults/main.yml`)
- `backup_enable_cron`: Enable automated backups (default: true)
- `backup_retention_days_home`: Home backup retention (default: 7)
- `backup_retention_days_system`: System backup retention (default: 30)
- `backup_users`: Users to backup (default: ['master', 'beast', 'ladmin', 'user'])
### SSH Configuration (`roles/ssh/defaults/main.yml`) ### SSH Configuration (`roles/ssh/defaults/main.yml`)
The SSH role provides comprehensive security hardening: Comprehensive security hardening:
- `ssh_port`: SSH port (default: 22) - `ssh_port`: SSH port (default: 22)
- `ssh_permit_root_login`: Root login setting (default: 'no') - `ssh_permit_root_login`: Root login setting (default: 'no')
- `ssh_password_authentication`: Password auth (default: 'no') - `ssh_password_authentication`: Password auth (default: 'no')
@ -180,32 +229,16 @@ The SSH role provides comprehensive security hardening:
- `ssh_allowed_users`: Restrict to specific users (default: []) - `ssh_allowed_users`: Restrict to specific users (default: [])
- `ssh_allowed_groups`: Restrict to specific groups (default: ['sudo', 'ssh']) - `ssh_allowed_groups`: Restrict to specific groups (default: ['sudo', 'ssh'])
Override any setting in your host or group variables: ### Proxmox VM Configuration (`roles/proxmox_vm/defaults/main.yml`)
```yaml - `vm_memory`: RAM allocation (default: 8192MB)
# Example: Custom SSH port - `vm_cores`: CPU cores (default: 2)
ssh_port: 2222 - `vm_disk_size`: Disk size (default: 20G)
- `vm_iso`: Ubuntu Server ISO (default: ubuntu-24.04-live-server-amd64.iso)
# Example: Allow specific users - `vm_ciuser`: Default user (default: master)
ssh_allowed_users: ['admin', 'deploy']
```
### Host Variables (`host_vars/`)
- `skip_reboot`: Skip automatic reboots
- Encrypted variables for sensitive data
## 🛡️ Security Features ## 🛡️ Security Features
### Fail2ban Configuration ### Comprehensive SSH Hardening
- SSH brute force protection
- Configurable ban times and retry limits
- Email notifications (configured in template)
### UFW Firewall
- Deny-by-default policy
- SSH access allowed
- Automatic enablement
### SSH Hardening
- Modern cryptographic algorithms (ChaCha20-Poly1305, AES-256-GCM) - Modern cryptographic algorithms (ChaCha20-Poly1305, AES-256-GCM)
- Secure key exchange (Curve25519, DH Group 16) - Secure key exchange (Curve25519, DH Group 16)
- Disabled password authentication - Disabled password authentication
@ -213,10 +246,21 @@ ssh_allowed_users: ['admin', 'deploy']
- User/group access restrictions - User/group access restrictions
- Configuration validation and automatic backup - Configuration validation and automatic backup
### System Hardening ### Fail2ban Integration
- Timezone and locale configuration - SSH brute force protection
- Security package installation - Configurable ban times and retry limits
- Modern CLI tools and system monitoring - Email notifications
### UFW Firewall
- Deny-by-default policy
- SSH access allowed
- Automatic enablement
### Tailscale VPN Security
- Zero-trust mesh networking
- End-to-end encryption
- SSH access through secure tunnel
- Subnet routing capabilities
## 📦 Installed Packages ## 📦 Installed Packages
@ -234,11 +278,24 @@ ssh_allowed_users: ['admin', 'deploy']
- `brave-browser`, `libreoffice`, `evince`, `redshift` - `brave-browser`, `libreoffice`, `evince`, `redshift`
- `code` (VSCode), `cursor` (via snap) - `code` (VSCode), `cursor` (via snap)
### Docker ### Docker & Containers
- Docker CE with all components - Docker CE with all components
- Docker Compose - Docker Compose
- User added to docker group - User added to docker group
### Backup Tools (✨ NEW)
- `rsync`, `borgbackup`, `rclone`, `restic`
- Automated backup scripts and cron jobs
### Monitoring Tools (✨ NEW)
- `htop`, `iotop`, `nethogs`, `btop`
- Custom system information scripts
- Network monitoring utilities
### VPN & Network
- `tailscale` - Mesh VPN networking
- Network utilities and monitoring
## 🔧 Modern CLI Tools ## 🔧 Modern CLI Tools
The base role installs modern replacements for traditional Unix tools: The base role installs modern replacements for traditional Unix tools:
@ -249,7 +306,7 @@ The base role installs modern replacements for traditional Unix tools:
rg "pattern" files/ # ripgrep - faster than grep rg "pattern" files/ # ripgrep - faster than grep
fd "filename" # fd-find - intuitive find replacement fd "filename" # fd-find - intuitive find replacement
# Data processing # Data processing
jq '.key' file.json # JSON processor and formatter jq '.key' file.json # JSON processor and formatter
yq '.key' file.yaml # YAML processor and formatter yq '.key' file.yaml # YAML processor and formatter
@ -257,70 +314,76 @@ yq '.key' file.yaml # YAML processor and formatter
btop # Modern system monitor (better than htop) btop # Modern system monitor (better than htop)
tree directory/ # Directory structure visualization tree directory/ # Directory structure visualization
# File operations # File operations
tree -L 2 # Limit tree depth tree -L 2 # Limit tree depth
rg -i "case insensitive" # Case-insensitive search rg -i "case insensitive" # Case-insensitive search
fd -e yml # Find only YAML files fd -e yml # Find only YAML files
jq -r '.items[].name' # Raw JSON output jq -r '.items[].name' # Raw JSON output
``` ```
### Integration Examples ## 🔄 Maintenance & Operations
```bash
# DevOps workflows
kubectl get pods -o json | jq '.items[].metadata.name'
docker ps --format json | jq '.Names'
rg "ansible.builtin" roles/ --type yaml
fd "main.yml" roles/ -x cat
```
## 🔄 Maintenance
### Unified Maintenance System ### Unified Maintenance System
The maintenance system provides a single, intelligent command for all maintenance operations:
```bash ```bash
# Basic usage # Basic usage
make maintenance # Run on all hosts make maintenance # Run on all hosts
make maintenance GROUP=dev # Run on specific group make maintenance GROUP=dev # Run on specific group
make maintenance HOST=dev01 # Run on specific host make maintenance HOST=dev01 # Run on specific host
# Advanced options # Advanced options
make maintenance CHECK=true # Dry-run (safe testing) make maintenance CHECK=true # Dry-run (safe testing)
make maintenance GROUP=dev SERIAL=1 # One host at a time make maintenance GROUP=dev SERIAL=1 # One host at a time
make maintenance GROUP=local # Local machine (auto-sudo) make maintenance GROUP=local # Local machine (auto-sudo)
# Legacy support (still works)
make maintenance-all # Same as: make maintenance
make maintenance-check GROUP=dev # Same as: make maintenance GROUP=dev CHECK=true
``` ```
### Available Host Groups ### Backup Operations (✨ NEW)
- `dev`: Development machines (dev01, bottom, debianDesktopVM)
- `gitea`: Gitea server
- `portainer`: Portainer container management
- `homepage`: Homepage dashboard
- `ansible`: Ansible control node
- `local`: Localhost (with automatic sudo handling)
### Maintenance Features
The maintenance role handles:
- Package updates (`apt upgrade`)
- Unused package removal (`apt autoremove`)
- Cache cleanup (`apt autoclean`)
- Conditional reboots (respects `skip_reboot` setting)
- System information reporting
- Intelligent sudo password handling
### Direct Ansible Commands
```bash ```bash
# Using the dedicated maintenance playbook # Deploy backup system
ansible-playbook maintenance-playbook.yml -e "target_group=dev" make backup
ansible-playbook maintenance-playbook.yml --limit "dev01"
ansible-playbook maintenance-playbook.yml --check --diff # Dry-run
# Using tags with development playbook # Manual backup operations
ansible-playbook dev-playbook.yml --tags maintenance sudo /opt/backups/scripts/backup-home.sh # Run home backup
ansible-playbook dev-playbook.yml --skip-tags maintenance sudo /opt/backups/scripts/backup-system.sh # Run system backup
# Check backup logs
tail -f /var/log/backups/home.log
tail -f /var/log/backups/system.log
```
### Monitoring Operations (✨ NEW)
```bash
# Deploy monitoring tools
make monitoring
# Use monitoring scripts
/usr/local/bin/monitoring/sysinfo # System information dashboard
/usr/local/bin/monitoring/netinfo # Network information
# System monitoring
btop # Interactive system monitor
```
### Tailscale Network Management
```bash
# Deploy VPN network
make tailscale
# Check status across all machines
make tailscale-status
# Manual Tailscale commands
tailscale status # Check connection status
tailscale ip # Show Tailscale IP
tailscale netcheck # Network connectivity check
```
### Infrastructure Provisioning (✨ NEW)
```bash
# Create new VMs on Proxmox
make create-vm
# Custom VM creation
ansible-playbook proxmox-create-vm.yml -e "vm_name=new-server vm_id=111"
``` ```
## 🐛 Troubleshooting ## 🐛 Troubleshooting
@ -330,31 +393,32 @@ ansible-playbook dev-playbook.yml --skip-tags maintenance
1. **SSH Connection Issues** 1. **SSH Connection Issues**
- Check `ansible.cfg` SSH settings - Check `ansible.cfg` SSH settings
- Verify host keys and user permissions - Verify host keys and user permissions
- Test Tailscale connectivity: `tailscale ping hostname`
2. **Package Installation Failures** 2. **Vault Access Issues**
- Run with `-v` for verbose output - Verify vault password file: `~/.ansible-vault-pass`
- Check internet connectivity on target hosts - Test vault decryption: `ansible-vault view host_vars/hostname.yml`
3. **Reboot Issues** 3. **Tailscale Connection Issues**
- Use `skip_reboot=true` for problematic hosts - Check service status: `sudo systemctl status tailscaled`
- Check maintenance role handlers - Verify auth key in vault
- Check firewall: `sudo ufw status`
4. **SSH Configuration Issues** 4. **Proxmox VM Creation Issues**
- Original config backed up to `/etc/ssh/sshd_config.backup` - Verify Proxmox credentials in vault
- Test SSH config: `sudo sshd -t` - Check ISO availability: `pvesm list local --content iso`
- Check SSH service: `sudo systemctl status ssh` - Ensure sufficient resources on Proxmox node
- Verify public key authentication is working before applying
5. **Modern CLI Tools Missing** 5. **Backup Issues**
- Check if snap is installed: `snap --version` - Check backup directories: `ls -la /opt/backups/`
- For fd command: Symlink created at `/usr/local/bin/fd` - Review logs: `tail -f /var/log/backups/*.log`
- Alternative: Use `fdfind` directly on Ubuntu systems - Verify cron jobs: `sudo crontab -l`
### Debug Commands ### Debug Commands
```bash ```bash
# Using Makefile # Using Makefile
make status # Test connectivity to all hosts make status # Test connectivity to all hosts
make facts # Gather facts from all hosts make facts # Gather facts from all hosts
make debug # Run with debug output make debug # Run with debug output
make verbose # Run with verbose output make verbose # Run with verbose output
@ -364,16 +428,13 @@ ansible dev -m setup # Check facts
ansible-playbook dev-playbook.yml --tags base # Run specific role ansible-playbook dev-playbook.yml --tags base # Run specific role
# Verify installations # Verify installations
ansible dev -m shell -a "jq --version" # Check jq installation ansible dev -m shell -a "tailscale status" # Check Tailscale
ansible dev -m shell -a "rg --version" # Check ripgrep installation ansible dev -m shell -a "docker --version" # Check Docker
ansible dev -m shell -a "fd --version" # Check fd installation ansible dev -m shell -a "sudo sshd -t" # Validate SSH config
ansible dev -m shell -a "sudo sshd -t" # Validate SSH config
``` ```
## 🛠️ Makefile Workflows ## 🛠️ Makefile Workflows
The included `Makefile` provides convenient shortcuts for common operations:
### Development Workflow ### Development Workflow
```bash ```bash
make bootstrap # Install collections make bootstrap # Install collections
@ -382,10 +443,19 @@ make check # Dry run
make apply # Deploy to all hosts make apply # Deploy to all hosts
``` ```
### Infrastructure Management
```bash
make create-vm # Provision new VMs
make tailscale # Deploy VPN network
make monitoring # Deploy monitoring
make backup # Deploy backup system
```
### Host-Specific Operations ### Host-Specific Operations
```bash ```bash
make dev HOST=dev01 # Deploy to specific host make dev HOST=dev01 # Deploy to specific host
make edit-vault HOST=dev01 # Edit encrypted host variables make edit-vault HOST=dev01 # Edit encrypted host variables
make tailscale-dev # Deploy Tailscale to dev hosts only
``` ```
### Maintenance and Utilities ### Maintenance and Utilities
@ -398,30 +468,35 @@ make install-tools # Install recommended CLI tools locally
Run `make help` for the complete list of available commands. Run `make help` for the complete list of available commands.
## 📝 File Structure ## 📝 File Structure
```
ansible/ ansible/
├── ansible.cfg # Enhanced Ansible configuration ├── ansible.cfg # Enhanced Ansible configuration
├── Makefile # Workflow automation with unified maintenance ├── Makefile # Workflow automation with unified maintenance
├── hosts # Inventory file ├── hosts # Inventory file
├── dev-playbook.yml # Main development playbook ├── dev-playbook.yml # Main development playbook
├── local-playbook.yml # Local machine setup ├── local-playbook.yml # Local machine setup
├── tailscale-playbook.yml # VPN network deployment
├── proxmox-create-vm.yml # VM provisioning playbook
├── maintenance-playbook.yml # Dedicated maintenance playbook ├── maintenance-playbook.yml # Dedicated maintenance playbook
├── collections/ ├── collections/
└── requirements.yml # Required Ansible collections │ └── requirements.yml # Required Ansible collections
├── group_vars/ ├── group_vars/
└── all.yml # Global variables │ └── all.yml # Global variables and Tailscale config
├── host_vars/ # Host-specific variables (encrypted) ├── host_vars/ # Host-specific variables (encrypted)
└── roles/ └── roles/
├── maintenance/ # System maintenance ├── maintenance/ # System maintenance
├── base/ # Core system setup ├── base/ # Core system setup
├── development/ # Development tools ├── development/ # Development tools
├── shell/ # Shell configuration (zsh + oh-my-zsh) ├── shell/ # Shell configuration (zsh + oh-my-zsh)
├── docker/ # Docker installation ├── docker/ # Docker installation
├── ssh/ # SSH hardening and configuration ├── ssh/ # SSH hardening and configuration
├── user/ # User management ├── user/ # User management
├── applications/ # Desktop applications ├── applications/ # Desktop applications
└── snap/ # Snap applications ├── snap/ # Snap applications
``` ├── tailscale/ # VPN mesh networking
├── monitoring/ # System monitoring tools
├── backup/ # Automated backup solutions
└── proxmox_vm/ # VM provisioning on Proxmox
## 🤝 Contributing ## 🤝 Contributing
@ -429,3 +504,5 @@ ansible/
2. Update documentation for new roles/tasks 2. Update documentation for new roles/tasks
3. Use proper handlers for service restarts 3. Use proper handlers for service restarts
4. Follow existing naming conventions 4. Follow existing naming conventions
5. Encrypt sensitive data with ansible-vault
6. Test across different OS distributions (Ubuntu, Debian, Alpine)

2
collections/requirements.yml
View File

@ -2,5 +2,7 @@
collections: collections:
- name: community.general - name: community.general
version: ">=6.0.0" version: ">=6.0.0"
- name: community.proxmox
version: ">=1.0.0"
- name: ansible.posix - name: ansible.posix
version: ">=1.4.0" version: ">=1.4.0"

2
dev-playbook.yml
View File

@ -13,6 +13,8 @@
- { role: applications, tags: ['applications', 'apps'] } - { role: applications, tags: ['applications', 'apps'] }
- { role: snap, tags: ['snap', 'apps'] } - { role: snap, tags: ['snap', 'apps'] }
- { role: tailscale, tags: ['tailscale', 'vpn'] } - { role: tailscale, tags: ['tailscale', 'vpn'] }
- { role: monitoring, tags: ['monitoring'] }
# - { role: backup, tags: ['backup'] }
pre_tasks: pre_tasks:
- name: Update apt cache - name: Update apt cache

2
group_vars/all.yml
View File

@ -29,4 +29,4 @@ tailscale_auth_key: "{{ vault_tailscale_auth_key | default('') }}"
tailscale_accept_routes: true tailscale_accept_routes: true
tailscale_accept_dns: true tailscale_accept_dns: true
tailscale_ssh: true tailscale_ssh: true
tailscale_hostname: "{{ inventory_hostname }}" tailscale_hostname: "{{ inventory_hostname }}"

0
host_vars/devVM.yml → host_vars/dev01.yml
View File

2
local-playbook.yml
View File

@ -14,6 +14,8 @@
- { role: applications, tags: ['applications', 'apps'] } - { role: applications, tags: ['applications', 'apps'] }
- { role: snap, tags: ['snap', 'apps'] } - { role: snap, tags: ['snap', 'apps'] }
- { role: tailscale, tags: ['tailscale', 'vpn'] } - { role: tailscale, tags: ['tailscale', 'vpn'] }
- { role: monitoring, tags: ['monitoring'] }
# - { role: backup, tags: ['backup'] }
pre_tasks: pre_tasks:
- name: Update apt cache - name: Update apt cache

78
proxmox-create-vm.yml Normal file
View File

@ -0,0 +1,78 @@
---
- name: Create Ansible Controller VM on Proxmox
hosts: localhost
connection: local
gather_facts: false
vars:
# Proxmox connection (store credentials in vault)
proxmox_host: "{{ vault_proxmox_host }}"
proxmox_user: "{{ vault_proxmox_user }}"
proxmox_node: "{{ vault_proxmox_node | default('pve') }}"
# VM specs matching your current setup
vm_name: "ansible-control"
vm_id: 110
vm_memory: 8192 # 8GB (match current working setup)
vm_cores: 2 # 2 cores
vm_sockets: 1
vm_disk_size: "32G" # Bigger than current 8G
vm_storage: "local-lvm"
vm_network_bridge: "vmbr0"
# Ubuntu Server 24.04 LTS
vm_iso: "ubuntu-24.04-live-server-amd64.iso"
vm_iso_storage: "local"
# User configuration
vm_ciuser: "master"
vm_ssh_keys:
- "{{ vault_ssh_public_key }}" # Your SSH public key
vm_ip_config: "dhcp" # or set static: "10.0.10.110/24,gw=10.0.10.1"
vm_start_after_create: true
pre_tasks:
- name: Check if VM already exists
community.general.proxmox_kvm:
api_host: "{{ proxmox_host }}"
api_user: "{{ proxmox_user }}"
api_password: "{{ vault_proxmox_password }}"
vmid: "{{ vm_id }}"
state: current
register: vm_check
failed_when: false
- name: Display VM status
ansible.builtin.debug:
msg: |
VM {{ vm_name }} ({{ vm_id }}): {{ 'Already exists' if vm_check.status is defined else 'Will be created' }}
roles:
- { role: proxmox_vm, when: vm_check.status is not defined }
post_tasks:
- name: Wait for VM to be accessible via SSH
ansible.builtin.wait_for:
host: "{{ vm_ip_config.split('/')[0] if '/' in vm_ip_config else 'ansible-control.local' }}"
port: 22
timeout: 300
when:
- vm_check.status is not defined
- vm_start_after_create | bool
- vm_ip_config != "dhcp"
- name: Display next steps
ansible.builtin.debug:
msg: |
🎉 Ansible Controller VM Created Successfully!
Next steps:
1. The VM should be starting up now
2. Wait a few minutes for Ubuntu installation to complete
3. SSH to the VM: ssh {{ vm_ciuser }}@[VM-IP]
4. Run the local-playbook.yml to set it up as an Ansible controller
To find the VM IP (if using DHCP):
- Check Proxmox web interface
- Or run: qm guest cmd {{ vm_id }} network-get-interfaces

1
roles/applications/meta/main.yml
View File

@ -1 +0,0 @@
dependencies: []

10
roles/backup/defaults/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
# Backup role defaults
backup_enable_cron: true
backup_retention_days_home: 7
backup_retention_days_system: 30
backup_users:
- master
- beast
- ladmin
- user

50
roles/backup/tasks/main.yml Normal file
View File

@ -0,0 +1,50 @@
---
- name: Install backup tools
ansible.builtin.apt:
name:
- rsync
- borgbackup
- rclone
- restic
state: present
- name: Create backup directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- /opt/backups
- /opt/backups/scripts
- /var/log/backups
- name: Deploy backup script for home directories
ansible.builtin.template:
src: backup-home.sh.j2
dest: /opt/backups/scripts/backup-home.sh
mode: '0755'
- name: Deploy backup script for system configs
ansible.builtin.template:
src: backup-system.sh.j2
dest: /opt/backups/scripts/backup-system.sh
mode: '0755'
- name: Create backup cron jobs
ansible.builtin.cron:
name: "{{ item.name }}"
job: "{{ item.job }}"
minute: "{{ item.minute }}"
hour: "{{ item.hour }}"
day: "{{ item.day | default('*') }}"
user: root
loop:
- name: "Daily home backup"
job: "/opt/backups/scripts/backup-home.sh >> /var/log/backups/home.log 2>&1"
minute: "0"
hour: "2"
- name: "Daily system config backup"
job: "/opt/backups/scripts/backup-system.sh >> /var/log/backups/system.log 2>&1"
minute: "30"
hour: "2"
when: backup_enable_cron | default(true) | bool

31
roles/backup/templates/backup-home.sh.j2 Normal file
View File

@ -0,0 +1,31 @@
#!/bin/bash
# Home directory backup script
# Generated by Ansible
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/opt/backups/home"
LOG_FILE="/var/log/backups/home.log"
echo "$(date): Starting home backup" >> "$LOG_FILE"
# Create backup directory
mkdir -p "$BACKUP_DIR"
# Backup each user's home directory
{% for user in backup_users | default(['master', 'beast', 'ladmin', 'user']) %}
if [ -d "/home/{{ user }}" ]; then
echo "$(date): Backing up /home/{{ user }}" >> "$LOG_FILE"
rsync -av --delete \
--exclude='.cache' \
--exclude='.local/share/Trash' \
--exclude='snap' \
--exclude='.docker' \
/home/{{ user }}/ \
"$BACKUP_DIR/{{ user }}_$DATE/" >> "$LOG_FILE" 2>&1
fi
{% endfor %}
# Keep only last 7 days of backups
find "$BACKUP_DIR" -type d -name "*_20*" -mtime +7 -exec rm -rf {} \; 2>/dev/null
echo "$(date): Home backup completed" >> "$LOG_FILE"

43
roles/backup/templates/backup-system.sh.j2 Normal file
View File

@ -0,0 +1,43 @@
#!/bin/bash
# System configuration backup script
# Generated by Ansible
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/opt/backups/system"
LOG_FILE="/var/log/backups/system.log"
echo "$(date): Starting system backup" >> "$LOG_FILE"
# Create backup directory
mkdir -p "$BACKUP_DIR/$DATE"
# Backup important system directories
for dir in /etc /var/lib/dpkg /var/lib/apt/extended_states; do
if [ -d "$dir" ]; then
echo "$(date): Backing up $dir" >> "$LOG_FILE"
rsync -av "$dir" "$BACKUP_DIR/$DATE/" >> "$LOG_FILE" 2>&1
fi
done
# Backup crontabs
if [ -d /var/spool/cron/crontabs ]; then
cp -r /var/spool/cron/crontabs "$BACKUP_DIR/$DATE/"
fi
# Create system info snapshot
{
echo "=== System Info ==="
uname -a
lsb_release -a 2>/dev/null
echo ""
echo "=== Installed Packages ==="
dpkg --get-selections
echo ""
echo "=== Services ==="
systemctl list-unit-files --type=service --state=enabled
} > "$BACKUP_DIR/$DATE/system-info.txt"
# Keep only last 30 days of system backups
find "$BACKUP_DIR" -type d -name "20*" -mtime +30 -exec rm -rf {} \; 2>/dev/null
echo "$(date): System backup completed" >> "$LOG_FILE"

5
roles/base/handlers/main.yml
View File

@ -1,11 +1,6 @@
--- ---
# handlers file for base # handlers file for base
- name: Restart fail2ban
ansible.builtin.systemd:
name: fail2ban
state: restarted
- name: Reload ufw - name: Reload ufw
ansible.builtin.command: ufw reload ansible.builtin.command: ufw reload
changed_when: false changed_when: false

1
roles/base/meta/main.yml
View File

@ -1 +0,0 @@
dependencies: []

13
roles/base/tasks/main.yml
View File

@ -11,12 +11,7 @@
# Network and admin tools # Network and admin tools
- net-tools - net-tools
- ufw - ufw
- fail2ban
- mailutils - mailutils
# Monitoring tools
- iotop
- nethogs
- logwatch
# Modern CLI tools # Modern CLI tools
- jq - jq
- ripgrep - ripgrep
@ -27,7 +22,6 @@
community.general.snap: community.general.snap:
name: name:
- yq - yq
- btop
state: present state: present
- name: Create fd symlink (Ubuntu uses fd-find) - name: Create fd symlink (Ubuntu uses fd-find)
@ -37,12 +31,7 @@
state: link state: link
when: ansible_distribution == "Ubuntu" when: ansible_distribution == "Ubuntu"
- name: Configure fail2ban # fail2ban configuration moved to monitoring role
ansible.builtin.template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
mode: '0644'
notify: restart fail2ban
# UFW enablement moved to ssh role to avoid lockout # UFW enablement moved to ssh role to avoid lockout

52
roles/development/meta/main.yml
View File

@ -1,52 +0,0 @@
galaxy_info:
author: ansible-user
description: Development tools and environment setup role
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

52
roles/docker/meta/main.yml
View File

@ -1,52 +0,0 @@
galaxy_info:
author: ansible-user
description: Docker installation and configuration role
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

18
roles/maintenance/defaults/main.yml
View File

@ -3,13 +3,29 @@
# Package management settings # Package management settings
maintenance_update_cache: true # Update apt cache before operations maintenance_update_cache: true # Update apt cache before operations
maintenance_upgrade_packages: true # Perform dist-upgrade maintenance_upgrade_packages: true # Perform package upgrades
maintenance_upgrade_type: "safe" # safe, full, or dist (safe is more reliable)
maintenance_autoremove: true # Remove unused packages maintenance_autoremove: true # Remove unused packages
maintenance_autoclean: true # Clean apt cache maintenance_autoclean: true # Clean apt cache
maintenance_fix_broken: true # Fix broken packages before upgrade
# Network resilience settings
maintenance_apt_retries: 3 # Number of retries for apt operations
maintenance_apt_retry_delay: 30 # Delay between retries (seconds)
maintenance_cache_retry_delay: 10 # Delay between cache update retries
maintenance_individual_upgrade_fallback: true # Try individual upgrades if bulk fails
# Timeout settings
maintenance_bulk_upgrade_timeout: 1800 # 30 minutes for bulk upgrade
maintenance_individual_timeout: 600 # 10 minutes per individual package
maintenance_bulk_poll_interval: 30 # Check bulk progress every 30s
maintenance_individual_poll_interval: 15 # Check individual progress every 15s
# Reboot handling settings # Reboot handling settings
maintenance_check_reboot: true # Check if reboot is required maintenance_check_reboot: true # Check if reboot is required
maintenance_allow_reboot: true # Allow automatic reboots maintenance_allow_reboot: true # Allow automatic reboots
maintenance_reboot_timeout: 300 # Reboot timeout in seconds
maintenance_pre_reboot_delay: 5 # Delay before reboot in seconds
# Cache settings # Cache settings
maintenance_cache_valid_time: 3600 # Cache valid time in seconds (1 hour) maintenance_cache_valid_time: 3600 # Cache valid time in seconds (1 hour)

52
roles/maintenance/meta/main.yml
View File

@ -1,52 +0,0 @@
galaxy_info:
author: ansible-user
description: System maintenance and updates role
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

156
roles/maintenance/tasks/main.yml
View File

@ -1,27 +1,169 @@
--- ---
- name: Upgrade all packages - name: Get list of upgradable packages (for reporting)
ansible.builtin.shell: |
apt list --upgradable 2>/dev/null | grep -v "WARNING" | tail -n +2 | wc -l
args:
executable: /bin/bash
register: maintenance_upgradable_count
changed_when: false
- name: Display packages to be upgraded
ansible.builtin.debug:
msg: |
📦 Package Upgrade Summary:
- Total packages to upgrade: {{ maintenance_upgradable_count.stdout | default('0') }}
- Upgrade type: {{ maintenance_upgrade_type }}
- Max retries: {{ maintenance_apt_retries }}
- Retry delay: {{ maintenance_apt_retry_delay }}s
when: ansible_debug_output | default(false) | bool
- name: Show upgradable packages (first 10)
ansible.builtin.shell: |
apt list --upgradable 2>/dev/null | grep -v "WARNING" | head -10
args:
executable: /bin/bash
register: maintenance_upgradable_packages_preview
changed_when: false
when: maintenance_upgradable_count.stdout | int > 0
- name: Display upgradable packages
ansible.builtin.debug:
msg: |
📋 Packages to upgrade:
{{ maintenance_upgradable_packages_preview.stdout_lines | join('\n') }}
when:
- maintenance_upgradable_count.stdout | int > 0
- ansible_debug_output | default(false) | bool
- maintenance_upgradable_packages_preview.stdout_lines is defined
- name: Update apt cache with retries
ansible.builtin.apt: ansible.builtin.apt:
upgrade: dist update_cache: "{{ maintenance_update_cache }}"
cache_valid_time: "{{ maintenance_cache_valid_time }}"
retries: "{{ maintenance_apt_retries }}"
delay: "{{ maintenance_cache_retry_delay }}"
register: maintenance_apt_update_result
until: maintenance_apt_update_result is succeeded
when: maintenance_update_cache | bool
- name: Fix broken packages if any
ansible.builtin.command:
cmd: apt-get --fix-broken install -y # noqa command-instead-of-module
become: true
changed_when: false
failed_when: false
when: maintenance_fix_broken | bool
- name: Upgrade packages with retries and verbose output
ansible.builtin.apt:
upgrade: "{{ maintenance_upgrade_type }}"
force_apt_get: true
update_cache: false # Already updated above
environment:
DEBIAN_FRONTEND: noninteractive
APT_LISTCHANGES_FRONTEND: none
retries: "{{ maintenance_apt_retries }}"
delay: "{{ maintenance_apt_retry_delay }}"
register: maintenance_apt_upgrade_result
until: maintenance_apt_upgrade_result is succeeded
ignore_errors: true
async: "{{ maintenance_bulk_upgrade_timeout }}"
poll: "{{ maintenance_bulk_poll_interval }}"
no_log: "{{ not (ansible_debug_output | default(false) | bool) }}"
when: maintenance_upgrade_packages | bool
- name: Fallback to individual package upgrades if full upgrade failed
when:
- maintenance_apt_upgrade_result is failed
- maintenance_individual_upgrade_fallback | bool
block:
- name: Display fallback message
ansible.builtin.debug:
msg: |
⚠️ Bulk upgrade failed, trying individual package upgrades...
This may take longer but is more reliable for problematic packages.
- name: Get list of upgradable packages for individual upgrade
ansible.builtin.shell: |
apt list --upgradable 2>/dev/null | grep -v "WARNING" | tail -n +2 | cut -d'/' -f1
args:
executable: /bin/bash
register: maintenance_upgradable_packages_fallback
changed_when: false
- name: Display packages for individual upgrade
ansible.builtin.debug:
msg: |
🔄 Attempting individual upgrade for {{ maintenance_upgradable_packages_fallback.stdout_lines | length }} packages:
{{ maintenance_upgradable_packages_fallback.stdout_lines | join(', ') }}
when: maintenance_upgradable_packages_fallback.stdout_lines | length > 0
- name: Upgrade packages individually with progress
ansible.builtin.apt:
name: "{{ item }}"
state: latest # noqa package-latest - This is intentional for maintenance upgrades
force_apt_get: true
environment:
DEBIAN_FRONTEND: noninteractive
APT_LISTCHANGES_FRONTEND: none
loop: "{{ maintenance_upgradable_packages_fallback.stdout_lines | default([]) }}"
loop_control:
label: "📦 Upgrading {{ item }} ({{ ansible_loop.index }}/{{ ansible_loop.length }})"
retries: 2
delay: 10
ignore_errors: true
async: "{{ maintenance_individual_timeout }}"
poll: "{{ maintenance_individual_poll_interval }}"
no_log: "{{ not (ansible_debug_output | default(false) | bool) }}"
register: maintenance_individual_upgrade_results
when: maintenance_upgradable_packages_fallback.stdout_lines | length > 0
- name: Summary of individual upgrades
ansible.builtin.debug:
msg: |
📊 Individual Upgrade Results:
- Total attempted: {{ maintenance_individual_upgrade_results.results | length | default(0) }}
- Successful: {{ maintenance_individual_upgrade_results.results | selectattr('changed', 'equalto', true) | list | length | default(0) }}
- Failed: {{ maintenance_individual_upgrade_results.results | selectattr('failed', 'equalto', true) | list | length | default(0) }}
when:
- maintenance_individual_upgrade_results is defined
- maintenance_individual_upgrade_results.results is defined
- name: Autoremove unused packages - name: Autoremove unused packages
ansible.builtin.apt: ansible.builtin.apt:
autoremove: true autoremove: true
purge: true
retries: 2
delay: 5
when: maintenance_autoremove | bool
- name: Clean apt cache - name: Clean apt cache
ansible.builtin.apt: ansible.builtin.apt:
autoclean: true autoclean: true
when: maintenance_autoclean | bool
- name: Check if reboot is required - name: Check if reboot is required
ansible.builtin.stat: ansible.builtin.stat:
path: /var/run/reboot-required path: /var/run/reboot-required
register: maintenance_reboot_required register: maintenance_reboot_required
when: maintenance_check_reboot | bool
- name: Display maintenance summary
ansible.builtin.debug:
msg: |
Maintenance Summary:
- Cache update: {{ 'Completed' if maintenance_apt_update_result is succeeded else 'Skipped/Failed' }}
- Package upgrade: {{ 'Completed' if maintenance_apt_upgrade_result is succeeded else 'Failed (fallback may have run)' }}
- Reboot required: {{ 'Yes' if (maintenance_reboot_required.stat.exists | default(false)) else 'No' }}
when: ansible_debug_output | default(false) | bool
- name: Reboot if required - name: Reboot if required
ansible.builtin.reboot: ansible.builtin.reboot:
msg: "Reboot triggered by Ansible after system changes." msg: "Reboot triggered by Ansible after system maintenance."
reboot_timeout: "{{ maintenance_reboot_timeout | default(300) }}" reboot_timeout: "{{ maintenance_reboot_timeout }}"
pre_reboot_delay: "{{ maintenance_pre_reboot_delay | default(5) }}" pre_reboot_delay: "{{ maintenance_pre_reboot_delay }}"
when: when:
- ansible_facts['pkg_mgr'] == "apt" - maintenance_check_reboot | bool
- maintenance_reboot_required.stat.exists - maintenance_allow_reboot | bool
- maintenance_reboot_required.stat.exists | default(false)
- not (skip_reboot | default(false) | bool) - not (skip_reboot | default(false) | bool)

5
roles/monitoring/defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# Monitoring role defaults
monitoring_install_snap_tools: true
monitoring_enable_sysstat: true
monitoring_create_scripts: true

11
roles/monitoring/handlers/main.yml Normal file
View File

@ -0,0 +1,11 @@
---
- name: restart fail2ban
ansible.builtin.systemd:
name: fail2ban
state: restarted
- name: restart sysstat
ansible.builtin.systemd:
name: sysstat
state: restarted
enabled: true

97
roles/monitoring/tasks/main.yml Normal file
View File

@ -0,0 +1,97 @@
---
- name: Install monitoring packages
ansible.builtin.apt:
name:
# System monitoring
- htop
- iotop
- nethogs
- iftop
- ncdu
- dstat
# Log monitoring
- logwatch
- fail2ban
# Network monitoring
- nmap
- tcpdump
- wireshark-common
# Performance monitoring
- sysstat
- atop
state: present
- name: Install modern monitoring tools via snap
community.general.snap:
name:
- btop
- bandwhich
state: present
- name: Configure fail2ban
ansible.builtin.template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
mode: '0644'
notify: restart fail2ban
- name: Enable sysstat data collection
ansible.builtin.lineinfile:
path: /etc/default/sysstat
regexp: '^ENABLED='
line: 'ENABLED="true"'
notify: restart sysstat
- name: Create monitoring scripts directory
ansible.builtin.file:
path: /usr/local/bin/monitoring
state: directory
mode: '0755'
- name: Deploy system monitoring script
ansible.builtin.copy:
content: |
#!/bin/bash
# System monitoring dashboard
echo "=== System Overview ==="
echo "Hostname: $(hostname)"
echo "Uptime: $(uptime -p)"
echo "Load: $(uptime | awk -F'load average:' '{print $2}')"
echo ""
echo "=== Memory ==="
free -h
echo ""
echo "=== Disk Usage ==="
df -h / /home 2>/dev/null | grep -v tmpfs
echo ""
echo "=== Top Processes ==="
ps aux --sort=-%cpu | head -6
echo ""
echo "=== Network Connections ==="
ss -tuln | head -10
echo ""
if command -v tailscale >/dev/null; then
echo "=== Tailscale Status ==="
tailscale status --peers=false 2>/dev/null || echo "Not connected"
fi
dest: /usr/local/bin/monitoring/sysinfo
mode: '0755'
- name: Deploy network monitoring script
ansible.builtin.copy:
content: |
#!/bin/bash
# Network monitoring script
echo "=== Network Interface Status ==="
ip addr show | grep -E "(inet |state )" | grep -v 127.0.0.1
echo ""
echo "=== Route Table ==="
ip route show
echo ""
echo "=== DNS Configuration ==="
cat /etc/resolv.conf | grep nameserver
echo ""
echo "=== Open Ports ==="
ss -tuln | grep LISTEN | sort
dest: /usr/local/bin/monitoring/netinfo
mode: '0755'

33
roles/monitoring/templates/jail.local.j2 Normal file
View File

@ -0,0 +1,33 @@
[DEFAULT]
# Ban hosts for 1 hour
bantime = 3600
# Check for repeated failures for 10 minutes
findtime = 600
# Allow 3 failures before banning
maxretry = 3
# Email notifications (uncomment and configure if needed)
destemail = idobkin@gmail.com
sender = idobkin@gmail.com
action = %(action_mwl)s
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
[nginx-http-auth]
enabled = false
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3

27
roles/proxmox_vm/defaults/main.yml Normal file
View File

@ -0,0 +1,27 @@
---
# Proxmox VM defaults based on your current setup
vm_name: "ansible-control"
vm_id: 110
vm_memory: 8192 # 8GB (match current successful setup)
vm_cores: 2 # 2 cores (perfect for Ansible)
vm_sockets: 1
vm_disk_size: 20G # Increase from current 6.1GB
vm_storage: "local-lvm"
vm_network_bridge: "vmbr0"
vm_os_type: "l26" # Linux 2.6+ kernel
# Ubuntu Server ISO
vm_iso: "ubuntu-24.04-live-server-amd64.iso"
vm_iso_storage: "local"
# Cloud-init settings
vm_ciuser: "master"
vm_cipassword: "" # Set in vault: vault_vm_cipassword
vm_ssh_keys: [] # Add SSH public keys
vm_ip_config: "dhcp" # or "192.168.1.100/24,gw=192.168.1.1"
vm_nameservers: "8.8.8.8 8.8.4.4"
# VM behavior
vm_start_after_create: true
vm_enable_agent: true
vm_boot_order: "order=scsi0"

77
roles/proxmox_vm/tasks/main.yml Normal file
View File

@ -0,0 +1,77 @@
---
# Break down the Proxmox VM creation to avoid "file name too long" error
- name: Set VM configuration facts
ansible.builtin.set_fact:
vm_scsi_config:
scsi0: "{{ vm_storage }}:{{ vm_disk_size }},format=raw"
vm_net_config:
net0: "virtio,bridge={{ vm_network_bridge }},firewall=1"
vm_ide_config:
ide2: "{{ vm_iso_storage }}:cloudinit,format=qcow2"
vm_ipconfig:
ipconfig0: "{{ vm_ip_config }}"
- name: Create VM on Proxmox
community.general.proxmox_kvm:
# Connection
api_host: "{{ proxmox_host }}"
api_user: "{{ proxmox_user }}"
api_password: "{{ vault_proxmox_password }}"
api_token_id: "{{ proxmox_token_id | default(omit) }}"
api_token_secret: "{{ vault_proxmox_token | default(omit) }}"
# VM identification
vmid: "{{ vm_id }}"
name: "{{ vm_name }}"
node: "{{ proxmox_node }}"
# Hardware specs
memory: "{{ vm_memory }}"
cores: "{{ vm_cores }}"
sockets: "{{ vm_sockets }}"
cpu: "host"
# Storage and network
scsi: "{{ vm_scsi_config }}"
net: "{{ vm_net_config }}"
ide: "{{ vm_ide_config }}"
# Boot and OS
boot: "{{ vm_boot_order }}"
ostype: "{{ vm_os_type }}"
# Cloud-init
ciuser: "{{ vm_ciuser }}"
cipassword: "{{ vault_vm_cipassword | default(omit) }}"
sshkeys: "{{ vm_ssh_keys | join('\n') if vm_ssh_keys else omit }}"
ipconfig: "{{ vm_ipconfig }}"
nameserver: "{{ vm_nameservers }}"
# VM options
agent: "{{ vm_enable_agent | bool }}"
autostart: false
balloon: 0
state: present
register: vm_creation_result
- name: Start VM if requested
community.general.proxmox_kvm:
api_host: "{{ proxmox_host }}"
api_user: "{{ proxmox_user }}"
api_password: "{{ vault_proxmox_password }}"
api_token_id: "{{ proxmox_token_id | default(omit) }}"
api_token_secret: "{{ vault_proxmox_token | default(omit) }}"
vmid: "{{ vm_id }}"
node: "{{ proxmox_node }}"
state: started
when: vm_start_after_create | bool
- name: Display VM creation results
ansible.builtin.debug:
msg: |
VM Created: {{ vm_name }} (ID: {{ vm_id }})
Memory: {{ vm_memory }}MB
Cores: {{ vm_cores }}
Storage: {{ vm_storage }}:{{ vm_disk_size }}
Network: {{ vm_network_bridge }}
Status: {{ vm_creation_result.msg | default('Created') }}

63
roles/shell/files/.zshrc
View File

@ -1,3 +1,5 @@
typeset -g POWERLEVEL9K_INSTANT_PROMPT=quiet
# Enable Powerlevel10k instant prompt. Should stay close to the top of ~/.zshrc. # Enable Powerlevel10k instant prompt. Should stay close to the top of ~/.zshrc.
# Initialization code that may require console input (password prompts, [y/n] # Initialization code that may require console input (password prompts, [y/n]
# confirmations, etc.) must go above this block; everything else may go below. # confirmations, etc.) must go above this block; everything else may go below.
@ -112,3 +114,64 @@ source $ZSH/oh-my-zsh.sh
# To customize prompt, run `p10k configure` or edit ~/.p10k.zsh. # To customize prompt, run `p10k configure` or edit ~/.p10k.zsh.
[[ ! -f ~/.p10k.zsh ]] || source ~/.p10k.zsh [[ ! -f ~/.p10k.zsh ]] || source ~/.p10k.zsh
[ -f ~/.fzf.zsh ] && source ~/.fzf.zsh
alias reload="source ~/.zshrc && echo 'ZSH config reloaded from ~/.zshrc'"
alias editrc="nano ~/.zshrc"
alias c="clear"
alias ls="ls --color=auto"
alias ..="cd .."
alias ...="cd ../.."
alias ....="cd ../../.."
alias cd..="cd .."
alias h="cd ~"
alias dc="cd ~/Documents/code"
# System information
alias df="df -h" # disk usage human readable
alias du="du -h" # directory usage human readable
alias free="free -h" # memory usage human readable
# Process management
alias ps="ps aux"
alias cpu="lscpu"
alias top="btop"
alias mem="free -m"
alias ports="ss -tulpn" # open ports
# Network information
alias myip="curl -s http://ipecho.net/plain; echo"
alias localip="ip route get 1.2.3.4 | awk '{print $7}'"
# Python
alias py="python3"
alias pip="pip3"
alias venv="python3 -m venv"
alias activate="source venv/bin/activate"
# Docker
alias d="docker"
alias dc="docker-compose"
alias dcu="docker-compose up -d"
alias dcd="docker-compose down"
alias dcb="docker-compose build"
alias dps="docker ps"
alias di="docker images"
# Date and time
alias now="date +'%Y-%m-%d %H:%M:%S'"
alias today="date +'%Y-%m-%d'"
# Package management (Debian/Ubuntu)
alias update="sudo apt update && sudo apt upgrade -y"
alias install="sudo apt install"
alias remove="sudo apt remove"
alias search="apt search"
# Permissions and ownership
alias chmox="chmod +x"
alias own="sudo chown -R $USER:$USER"
alias nfresh="rm -rf node_modules/ package-lock.json && npm install"

52
roles/shell/meta/main.yml
View File

@ -1,52 +0,0 @@
galaxy_info:
author: ansible-user
description: Shell configuration and setup role
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

14
roles/shell/tasks/main.yml
View File

@ -8,8 +8,22 @@
name: name:
- zsh - zsh
- tmux - tmux
- fzf
state: present state: present
- name: Install zsh plugins
ansible.builtin.git:
repo: "{{ item.repo }}"
dest: "/home/{{ shell_target_user }}/.oh-my-zsh/custom/plugins/{{ item.name }}"
version: master
depth: 1
update: false
become: true
become_user: "{{ shell_target_user }}"
loop:
- { name: "zsh-syntax-highlighting", repo: "https://github.com/zsh-users/zsh-syntax-highlighting.git" }
- { name: "zsh-autosuggestions", repo: "https://github.com/zsh-users/zsh-autosuggestions.git" }
- name: Set zsh as default shell for user - name: Set zsh as default shell for user
ansible.builtin.user: ansible.builtin.user:
name: "{{ shell_target_user }}" name: "{{ shell_target_user }}"

12
roles/snap/meta/main.yml
View File

@ -1,12 +0,0 @@
galaxy_info:
author: ansible-user
description: Snap package manager configuration role
company: Personal
license: MIT
min_ansible_version: "2.9"
galaxy_tags: []
dependencies: []

52
roles/ssh/meta/main.yml
View File

@ -1,52 +0,0 @@
galaxy_info:
author: ansible-user
description: SSH configuration and security role
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

2
roles/tailscale/defaults/main.yml
View File

@ -17,4 +17,4 @@ tailscale_reset: false # Force reconnection (will logout first)
# ENTERPRISE OPTIONS (leave empty for personal use): # ENTERPRISE OPTIONS (leave empty for personal use):
tailscale_login_server: "" # Custom control server URL tailscale_login_server: "" # Custom control server URL
tailscale_operator: "" # Operator user for Tailscale tailscale_operator: "" # Operator user for Tailscale

6
roles/tailscale/handlers/main.yml
View File

@ -1,13 +1,13 @@
--- ---
- name: start tailscaled - name: Start tailscaled
ansible.builtin.systemd: ansible.builtin.systemd:
name: tailscaled name: tailscaled
state: started state: started
enabled: true enabled: true
become: true become: true
- name: restart tailscaled - name: Restart tailscaled
ansible.builtin.systemd: ansible.builtin.systemd:
name: tailscaled name: tailscaled
state: restarted state: restarted
become: true become: true

10
roles/tailscale/tasks/alpine.yml
View File

@ -1,6 +1,6 @@
--- ---
- name: Install required packages for Alpine - name: Install required packages for Alpine
ansible.builtin.apk: community.general.apk:
name: name:
- curl - curl
- gnupg - gnupg
@ -22,20 +22,20 @@
become: true become: true
- name: Update apk cache - name: Update apk cache
ansible.builtin.apk: community.general.apk:
update_cache: true update_cache: true
become: true become: true
- name: Install Tailscale - name: Install Tailscale
ansible.builtin.apk: community.general.apk:
name: tailscale name: tailscale
state: present state: present
become: true become: true
notify: start tailscaled notify: Start tailscaled
- name: Enable and start Tailscale daemon - name: Enable and start Tailscale daemon
ansible.builtin.service: ansible.builtin.service:
name: tailscaled name: tailscaled
enabled: true enabled: true
state: started state: started
become: true become: true

11
roles/tailscale/tasks/debian.yml
View File

@ -7,12 +7,15 @@
become: true become: true
- name: Determine repository codename - name: Determine repository codename
set_fact: ansible.builtin.set_fact:
tailscale_repo_codename: "{{ 'jammy' if ansible_distribution == 'Ubuntu' else 'bookworm' }}" tailscale_repo_codename: "{{ 'jammy' if ansible_distribution == 'Ubuntu' else 'bookworm' }}"
- name: Add Tailscale repository - name: Add Tailscale repository
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/{{ 'ubuntu' if ansible_distribution == 'Ubuntu' else 'debian' }} {{ tailscale_repo_codename }} main" repo: >-
deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg]
https://pkgs.tailscale.com/stable/{{ 'ubuntu' if ansible_distribution == 'Ubuntu' else 'debian' }}
{{ tailscale_repo_codename }} main
state: present state: present
filename: tailscale filename: tailscale
become: true become: true
@ -27,11 +30,11 @@
name: tailscale name: tailscale
state: present state: present
become: true become: true
notify: start tailscaled notify: Start tailscaled
- name: Enable and start Tailscale daemon - name: Enable and start Tailscale daemon
ansible.builtin.systemd: ansible.builtin.systemd:
name: tailscaled name: tailscaled
enabled: true enabled: true
state: started state: started
become: true become: true

25
roles/tailscale/tasks/main.yml
View File

@ -1,31 +1,32 @@
--- ---
- name: Include OS-specific installation tasks - name: Include OS-specific installation tasks
include_tasks: "{{ ansible_os_family | lower }}.yml" ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
- name: Fail if not running on supported OS - name: Fail if not running on supported OS
fail: ansible.builtin.fail:
msg: "This role only supports Ubuntu, Debian, and Alpine systems" msg: "This role only supports Ubuntu, Debian, and Alpine systems"
when: ansible_os_family not in ["Debian", "Alpine"] when: ansible_os_family not in ["Debian", "Alpine"]
- name: Check if Tailscale is already connected - name: Check if Tailscale is already connected
command: tailscale status --json ansible.builtin.command: tailscale status --json
register: tailscale_status register: tailscale_status
failed_when: false failed_when: false
changed_when: false changed_when: false
- name: Parse Tailscale status - name: Parse Tailscale status
set_fact: ansible.builtin.set_fact:
tailscale_connected: "{{ (tailscale_status.stdout | from_json).BackendState == 'Running' if tailscale_status.rc == 0 else false }}" tailscale_connected: "{{ (tailscale_status.stdout | from_json).BackendState == 'Running' if tailscale_status.rc == 0 else false }}"
- name: Reset Tailscale if requested - name: Reset Tailscale if requested
command: tailscale logout ansible.builtin.command: tailscale logout
when: when:
- tailscale_reset | bool - tailscale_reset | bool
- tailscale_connected | bool - tailscale_connected | bool
notify: restart tailscaled notify: Restart tailscaled
changed_when: true
- name: Connect to Tailscale network - name: Connect to Tailscale network
command: > ansible.builtin.command: >
tailscale up tailscale up
{{ '--auth-key=' + tailscale_auth_key if tailscale_auth_key else '' }} {{ '--auth-key=' + tailscale_auth_key if tailscale_auth_key else '' }}
{{ '--hostname=' + tailscale_hostname if tailscale_hostname else '' }} {{ '--hostname=' + tailscale_hostname if tailscale_hostname else '' }}
@ -41,10 +42,10 @@
changed_when: tailscale_up_result.rc == 0 changed_when: tailscale_up_result.rc == 0
- name: Display Tailscale status - name: Display Tailscale status
command: tailscale status ansible.builtin.command: tailscale status
register: final_status register: tailscale_final_status
changed_when: false changed_when: false
- name: Show Tailscale connection status - name: Show Tailscale connection status
debug: ansible.builtin.debug:
msg: "{{ final_status.stdout_lines }}" msg: "{{ tailscale_final_status.stdout_lines }}"

52
roles/user/meta/main.yml
View File

@ -1,52 +0,0 @@
galaxy_info:
author: ansible-user
description: User account management role
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

7
tailscale-playbook.yml
View File

@ -7,6 +7,7 @@
vars: vars:
# Variables are set in group_vars/all.yml # Variables are set in group_vars/all.yml
# Override here if needed or pass via: --extra-vars "tailscale_auth_key=your_key" # Override here if needed or pass via: --extra-vars "tailscale_auth_key=your_key"
tailscale_auth_key: "{{ vault_tailscale_auth_key | default('') }}"
pre_tasks: pre_tasks:
- name: Update package cache (Debian/Ubuntu) - name: Update package cache (Debian/Ubuntu)
@ -22,10 +23,10 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: | msg: |
Tailscale has been installed and configured on {{ inventory_hostname }}. Tailscale has been installed and configured on {{ inventory_hostname }}.
To connect this machine to your Tailscale network: To connect this machine to your Tailscale network:
1. If you provided an auth key, the machine should already be connected 1. If you provided an auth key, the machine should already be connected
2. If no auth key was provided, run: sudo tailscale up 2. If no auth key was provided, run: sudo tailscale up
3. Check status with: tailscale status 3. Check status with: tailscale status
Remember to authorize the machine in your Tailscale admin console if needed. Remember to authorize the machine in your Tailscale admin console if needed.