Refactor dev-playbook.yml to use role tags for improved task organization. Update README.md to include prerequisites and examples for selective execution with tags. Enhance applications role to check for existing installations and manage Brave browser setup. Modify base role to streamline UFW handling and add mailutils. Update docker role to include checks for existing installations and improve repository management. Add reboot check in maintenance tasks to ensure system changes are applied correctly.
This commit is contained in:
ilia
parent
8b403e3aa5
commit
e3d93ca4c8
21
README.md
21
README.md
@ -28,6 +28,12 @@ This Ansible playbook automates the setup of development environments across mul
|
||||
|
||||
## 🚀 Usage
|
||||
|
||||
### Prerequisites
|
||||
```bash
|
||||
# Install required collections
|
||||
ansible-galaxy collection install -r collections/requirements.yml
|
||||
```
|
||||
|
||||
### Basic Setup
|
||||
```bash
|
||||
# Run on all development machines
|
||||
@ -40,6 +46,21 @@ ansible-playbook dev-playbook.yml --limit devVM
|
||||
ansible-playbook dev-playbook.yml --limit bottom
|
||||
```
|
||||
|
||||
### Selective Execution with Tags
|
||||
```bash
|
||||
# Security-related roles only
|
||||
ansible-playbook dev-playbook.yml --tags security
|
||||
|
||||
# Development tools only
|
||||
ansible-playbook dev-playbook.yml --tags development,docker
|
||||
|
||||
# Applications only
|
||||
ansible-playbook dev-playbook.yml --tags apps
|
||||
|
||||
# Skip maintenance
|
||||
ansible-playbook dev-playbook.yml --skip-tags maintenance
|
||||
```
|
||||
|
||||
### Skip Reboots
|
||||
Add `skip_reboot=true` to host variables:
|
||||
```ini
|
||||
|
||||
6
collections/requirements.yml
Normal file
6
collections/requirements.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
collections:
|
||||
- name: community.general
|
||||
version: ">=6.0.0"
|
||||
- name: ansible.posix
|
||||
version: ">=1.4.0"
|
||||
@ -2,21 +2,20 @@
|
||||
become: true
|
||||
|
||||
roles:
|
||||
- maintenance
|
||||
- base
|
||||
- development
|
||||
- shell
|
||||
- docker
|
||||
- ssh
|
||||
- user
|
||||
- applications
|
||||
- snap
|
||||
- { role: maintenance, tags: ['maintenance'] }
|
||||
- { role: base, tags: ['base', 'security'] }
|
||||
- { role: user, tags: ['user'] }
|
||||
- { role: ssh, tags: ['ssh', 'security'] }
|
||||
- { role: shell, tags: ['shell'] }
|
||||
- { role: development, tags: ['development', 'dev'] }
|
||||
- { role: docker, tags: ['docker'] }
|
||||
- { role: applications, tags: ['applications', 'apps'] }
|
||||
- { role: snap, tags: ['snap', 'apps'] }
|
||||
|
||||
pre_tasks:
|
||||
- name: Update apt cache
|
||||
apt:
|
||||
update_cache: yes
|
||||
run_once: true
|
||||
|
||||
tasks:
|
||||
# Additional tasks can be added here if needed
|
||||
|
||||
@ -1,4 +1,14 @@
|
||||
---
|
||||
- name: Check if desktop applications are installed
|
||||
apt:
|
||||
list: "{{ item }}"
|
||||
register: app_check
|
||||
loop:
|
||||
- redshift
|
||||
- libreoffice
|
||||
- evince
|
||||
changed_when: false
|
||||
|
||||
- name: Install desktop applications
|
||||
apt:
|
||||
name:
|
||||
@ -6,20 +16,63 @@
|
||||
- libreoffice
|
||||
- evince
|
||||
state: present
|
||||
when:
|
||||
- app_check.results[0].installed is not defined or
|
||||
- app_check.results[1].installed is not defined or
|
||||
- app_check.results[2].installed is not defined
|
||||
|
||||
- name: Check if Brave is already installed
|
||||
command: brave-browser --version
|
||||
register: brave_check
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
|
||||
- name: Check if Brave package is installed via apt
|
||||
apt:
|
||||
list: brave-browser
|
||||
register: brave_apt_check
|
||||
changed_when: false
|
||||
|
||||
- name: Remove old Brave repository files
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /etc/apt/sources.list.d/brave-browser.list
|
||||
- /etc/apt/sources.list.d/brave-browser-release.sources
|
||||
when: brave_check.rc != 0 or brave_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Download Brave APT key
|
||||
get_url:
|
||||
url: https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
|
||||
dest: /usr/share/keyrings/brave-browser-archive-keyring.gpg
|
||||
mode: '0644'
|
||||
when: brave_check.rc != 0 or brave_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Add Brave repo (all Debian family)
|
||||
apt_repository:
|
||||
repo: "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main"
|
||||
filename: brave-browser
|
||||
state: present
|
||||
when: brave_check.rc != 0 or brave_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Update apt cache after Brave repo add
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: brave_check.rc != 0 or brave_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Install Brave browser
|
||||
apt:
|
||||
name: brave-browser
|
||||
state: present
|
||||
when: brave_check.rc != 0 or brave_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Display application status
|
||||
debug:
|
||||
msg:
|
||||
- "Redshift installed: {{ 'Yes' if app_check.results[0].installed is defined else 'No' }}"
|
||||
- "LibreOffice installed: {{ 'Yes' if app_check.results[1].installed is defined else 'No' }}"
|
||||
- "Evince installed: {{ 'Yes' if app_check.results[2].installed is defined else 'No' }}"
|
||||
- "Brave already installed: {{ brave_check.stdout if brave_check.rc == 0 else 'Not found' }}"
|
||||
- "Brave package installed: {{ 'Yes' if brave_apt_check.results[0].installed is defined else 'No' }}"
|
||||
- "Actions taken: {{ 'None - All apps already present' if app_check.results[0].installed is defined and app_check.results[1].installed is defined and app_check.results[2].installed is defined and brave_check.rc == 0 and brave_apt_check.results[0].installed is defined else 'Some applications installed/updated' }}"
|
||||
|
||||
@ -7,5 +7,4 @@
|
||||
state: restarted
|
||||
|
||||
- name: reload ufw
|
||||
ufw:
|
||||
state: reloaded
|
||||
command: ufw reload
|
||||
|
||||
@ -16,6 +16,7 @@
|
||||
- net-tools
|
||||
- ufw
|
||||
- fail2ban
|
||||
- mailutils
|
||||
state: present
|
||||
|
||||
- name: Install monitoring tools
|
||||
@ -33,10 +34,7 @@
|
||||
mode: '0644'
|
||||
notify: restart fail2ban
|
||||
|
||||
- name: Enable UFW
|
||||
ufw:
|
||||
state: enabled
|
||||
policy: deny
|
||||
# UFW enablement moved to ssh role to avoid lockout
|
||||
|
||||
- name: Set timezone
|
||||
timezone:
|
||||
|
||||
@ -1,4 +1,24 @@
|
||||
---
|
||||
- name: Debug distribution information
|
||||
debug:
|
||||
msg:
|
||||
- "Distribution: {{ ansible_facts['distribution'] }}"
|
||||
- "Distribution Release: {{ ansible_facts['distribution_release'] }}"
|
||||
- "Distribution Version: {{ ansible_facts['distribution_version'] }}"
|
||||
- "OS Family: {{ ansible_facts['os_family'] }}"
|
||||
|
||||
- name: Check if Docker is already installed
|
||||
command: docker --version
|
||||
register: docker_check
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
|
||||
- name: Check if Docker packages are installed via apt
|
||||
apt:
|
||||
list: docker-ce
|
||||
register: docker_apt_check
|
||||
changed_when: false
|
||||
|
||||
- name: Install Docker requirements
|
||||
apt:
|
||||
name:
|
||||
@ -10,15 +30,57 @@
|
||||
state: present
|
||||
update_cache: yes
|
||||
|
||||
- name: Add Docker's official GPG key
|
||||
apt_key:
|
||||
url: https://download.docker.com/linux/ubuntu/gpg
|
||||
state: present
|
||||
- name: Remove old Docker repository files
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /etc/apt/sources.list.d/docker.list
|
||||
- /etc/apt/sources.list.d/docker-ce.list
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Add Docker repository
|
||||
- name: Create keyrings directory
|
||||
file:
|
||||
path: /etc/apt/keyrings
|
||||
state: directory
|
||||
mode: '0755'
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Download Docker's official GPG key
|
||||
get_url:
|
||||
url: https://download.docker.com/linux/ubuntu/gpg
|
||||
dest: /etc/apt/keyrings/docker.gpg
|
||||
mode: '0644'
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Add Docker repository for Ubuntu
|
||||
apt_repository:
|
||||
repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
|
||||
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == "Ubuntu"
|
||||
- docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Add Docker repository for Debian
|
||||
apt_repository:
|
||||
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == "Debian"
|
||||
- docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Add Docker repository for Linux Mint
|
||||
apt_repository:
|
||||
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == "Linux Mint"
|
||||
- docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Update apt cache after Docker repo add
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Install Docker CE
|
||||
apt:
|
||||
@ -30,16 +92,26 @@
|
||||
- docker-compose-plugin
|
||||
state: present
|
||||
update_cache: yes
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Start and enable Docker service
|
||||
systemd:
|
||||
name: docker
|
||||
state: started
|
||||
enabled: yes
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Add user to docker group
|
||||
user:
|
||||
name: "{{ ansible_user }}"
|
||||
groups: docker
|
||||
append: yes
|
||||
when: docker_check.rc != 0 or docker_apt_check.results[0].installed is not defined
|
||||
|
||||
- name: Display Docker status
|
||||
debug:
|
||||
msg:
|
||||
- "Docker already installed: {{ docker_check.stdout if docker_check.rc == 0 else 'Not found' }}"
|
||||
- "Docker CE package installed: {{ 'Yes' if docker_apt_check.results[0].installed is defined else 'No' }}"
|
||||
- "Actions taken: {{ 'None - Docker already present' if docker_check.rc == 0 and docker_apt_check.results[0].installed is defined else 'Docker installation/configuration performed' }}"
|
||||
|
||||
|
||||
@ -15,9 +15,15 @@
|
||||
apt:
|
||||
autoclean: yes
|
||||
|
||||
- name: Reboot if tasks changed things
|
||||
- name: Check if reboot is required
|
||||
stat:
|
||||
path: /var/run/reboot-required
|
||||
register: reboot_required
|
||||
|
||||
- name: Reboot if required
|
||||
reboot:
|
||||
msg: "Reboot triggered by Ansible after system changes."
|
||||
when:
|
||||
when:
|
||||
- ansible_facts['pkg_mgr'] == "apt"
|
||||
- skip_reboot is not defined or skip_reboot != "true"
|
||||
- reboot_required.stat.exists
|
||||
- skip_reboot | default(false) | bool == false
|
||||
@ -1,2 +1,5 @@
|
||||
---
|
||||
# handlers file for ssh
|
||||
- name: restart ssh
|
||||
systemd:
|
||||
name: ssh
|
||||
state: restarted
|
||||
@ -9,3 +9,8 @@
|
||||
rule: allow
|
||||
name: OpenSSH
|
||||
|
||||
- name: Enable UFW with deny default policy
|
||||
ufw:
|
||||
state: enabled
|
||||
policy: deny
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user