Diffstat (limited to 'ansible/roles')
-rw-r--r--ansible/roles/prometheus-bird-exporter/handlers/main.yml5
-rw-r--r--ansible/roles/prometheus-bird-exporter/tasks/main.yml18
-rw-r--r--ansible/roles/prometheus-node-exporter/handlers/main.yml5
-rw-r--r--ansible/roles/prometheus-node-exporter/tasks/main.yml18
-rw-r--r--ansible/roles/superusers/tasks/main.yml2
-rw-r--r--ansible/roles/systemd-networkd/handlers/main.yml5
-rw-r--r--ansible/roles/systemd-networkd/tasks/main.yml17
-rw-r--r--ansible/roles/traefik-server/handlers/main.yml5
-rw-r--r--ansible/roles/traefik-server/tasks/main.yml56
-rw-r--r--ansible/roles/traefik-server/templates/traefik.service.j252
-rw-r--r--ansible/roles/unifi/handlers/main.yml3
-rw-r--r--ansible/roles/unifi/tasks/main.yml23
12 files changed, 176 insertions, 33 deletions
diff --git a/ansible/roles/prometheus-bird-exporter/handlers/main.yml b/ansible/roles/prometheus-bird-exporter/handlers/main.yml
new file mode 100644
index 0000000..f4f9381
--- /dev/null
+++ b/ansible/roles/prometheus-bird-exporter/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart
+ become: yes
+ systemd:
+ name: prometheus-bird-exporter
+ state: restarted
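Review bot: `become: yes` is a YAML 1.1 truthy form; the traefik-server role in the same commit writes `become: true`, and ansible-lint's `yaml[truthy]` rule flags `yes`. Use `become: true` here and in the same lines of the other new or changed hunks (prometheus-bird-exporter tasks, prometheus-node-exporter handler and tasks, systemd-networkd handler and tasks) so the commit is consistent with itself.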
diff --git a/ansible/roles/prometheus-bird-exporter/tasks/main.yml b/ansible/roles/prometheus-bird-exporter/tasks/main.yml
new file mode 100644
index 0000000..6d8b999
--- /dev/null
+++ b/ansible/roles/prometheus-bird-exporter/tasks/main.yml
@@ -0,0 +1,18 @@
+- become: yes
+ package:
+ name: "{{ items }}"
+ state: present
+ vars:
+ items:
+ - prometheus-bird-exporter
+- name: /etc/default/prometheus-bird-exporter
+ become: yes
+ copy:
+ dest: /etc/default/prometheus-bird-exporter
+ content: |
+ # Set the command-line arguments to pass to the server.
+ # Due to shell escaping, to pass backslashes for regexes, you need to double
+ # them (\\d for \d). If running under systemd, you need to double them again
+ # (\\\\d to mean \d), and escape newlines too.
+ ARGS="-bird.v2 -format.new"
+ notify: restart
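Review bot: The first task (the package install) has no `name:`, so it reports only as `package` in play output and ansible-lint's `name[missing]` rule flags it; the same applies to the first task of the prometheus-node-exporter tasks hunk. Add `- name: install prometheus-bird-exporter` above the `become:` line.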
diff --git a/ansible/roles/prometheus-node-exporter/handlers/main.yml b/ansible/roles/prometheus-node-exporter/handlers/main.yml
new file mode 100644
index 0000000..f4f9381
--- /dev/null
+++ b/ansible/roles/prometheus-node-exporter/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart
+ become: yes
+ systemd:
+ name: prometheus-bird-exporter
+ state: restarted
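Review bot: The handler restarts `prometheus-bird-exporter` although this is the node-exporter role (the blob index f4f9381 is identical to the bird-exporter handler, so this is a straight copy), so `notify: restart` from the node-exporter tasks bounces the wrong daemon and the ARGS change written to /etc/default/prometheus-node-exporter is never applied. Change the line to `name: prometheus-node-exporter`. Both roles also define a handler called plainly `restart`, which is ambiguous when a play applies both roles; a role-specific name such as `restart prometheus-node-exporter` avoids that.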
diff --git a/ansible/roles/prometheus-node-exporter/tasks/main.yml b/ansible/roles/prometheus-node-exporter/tasks/main.yml
new file mode 100644
index 0000000..e7c6d18
--- /dev/null
+++ b/ansible/roles/prometheus-node-exporter/tasks/main.yml
@@ -0,0 +1,18 @@
+- become: yes
+ package:
+ name: "{{ items }}"
+ state: present
+ vars:
+ items:
+ - prometheus-node-exporter
+- name: /etc/default/prometheus-node-exporter
+ become: yes
+ copy:
+ dest: /etc/default/prometheus-node-exporter
+ content: |
+ # Set the command-line arguments to pass to the server.
+ # Due to shell escaping, to pass backslashes for regexes, you need to double
+ # them (\\d for \d). If running under systemd, you need to double them again
+ # (\\\\d to mean \d), and escape newlines too.
+ ARGS=""
+ notify: restart
diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml
index c1f5a47..12672ec 100644
--- a/ansible/roles/superusers/tasks/main.yml
+++ b/ansible/roles/superusers/tasks/main.yml
@@ -16,7 +16,7 @@
unix_groups:
- sudo
- systemd-journal
- with_items: "{{ unix_groups }}"
+ with_items: "{{ unix_groups + (['docker'] if 'docker' in getent_group else []) }}"
loop_control:
loop_var: group
include_tasks: adjust-group.yml
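Review bot: The new `with_items` expression dereferences `getent_group`, which must have been registered by a `getent` task earlier in the role; if no such task runs before this point (it is not visible here, and the enclosing task starts above the hunk) the loop fails with an undefined-variable error rather than simply skipping docker. Membership in `docker` is root-equivalent on the host, which is consistent with a role named superusers but deserves a comment on the line, e.g. `# docker group membership is root-equivalent; granted to superusers only`.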
diff --git a/ansible/roles/systemd-networkd/handlers/main.yml b/ansible/roles/systemd-networkd/handlers/main.yml
index 9656da4..c9b2603 100644
--- a/ansible/roles/systemd-networkd/handlers/main.yml
+++ b/ansible/roles/systemd-networkd/handlers/main.yml
@@ -1,4 +1,5 @@
-- name: restart
+- name: reload
+ become: yes
systemd:
name: systemd-networkd
- state: restarted
+ state: reloaded
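Review bot: Changing the handler from `restarted` to `reloaded` means only .network files are re-applied; systemd-networkd's reload does not recreate or update existing netdevs, so a modified .netdev deployed by the tasks hunk in this commit will not take effect until a manual restart. `reloaded` also depends on the systemd-networkd unit providing an ExecReload, which older systemd releases lack; confirm the version on the target hosts. Either keep a `restart` handler alongside and notify it from .netdev deployments, or document the limitation on the handler with `# reload re-applies .network files only; .netdev changes need a restart`.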
diff --git a/ansible/roles/systemd-networkd/tasks/main.yml b/ansible/roles/systemd-networkd/tasks/main.yml
index 13c167b..aed4168 100644
--- a/ansible/roles/systemd-networkd/tasks/main.yml
+++ b/ansible/roles/systemd-networkd/tasks/main.yml
@@ -1,9 +1,18 @@
-- systemd:
+- become: yes
+ systemd:
name: systemd-networkd
state: started
enabled: yes
-- loop: "{{ systemd_networkd__files | default([]) }}"
- copy:
+- name: mkdir /etc/systemd/network
+ become: yes
+ file:
+ path: "/etc/systemd/network"
+ state: directory
+ owner: systemd-network
+ group: systemd-network
+- become: yes
+ loop: "{{ systemd_networkd__files | default([]) }}"
+ template:
src: "{{ item }}"
dest: "/etc/systemd/network/{{ item | basename }}"
- notify: restart
+ notify: reload
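Review bot: The template task that writes into /etc/systemd/network sets no `owner`, `group` or `mode`, so the rendered files land with the remote default (typically 0644) and, if any of them carry secrets such as WireGuard private keys or preshared keys, those are readable by every local user; add `owner: root`, `group: systemd-network` and `mode: "0640"` to that task. The new directory task makes /etc/systemd/network owned by `systemd-network`, which lets the unprivileged daemon rewrite its own configuration; `owner: root` with `group: systemd-network` is sufficient for it to read. Switching from `copy` to `template` also means any `{{` or `{%` sequences in the source files are now interpreted by Jinja, which is worth checking against the existing files in `systemd_networkd__files`.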
diff --git a/ansible/roles/traefik-server/handlers/main.yml b/ansible/roles/traefik-server/handlers/main.yml
new file mode 100644
index 0000000..6e34db4
--- /dev/null
+++ b/ansible/roles/traefik-server/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: systemctl restart traefik
+ systemd:
+ daemon_reload: true
+ unit: traefik
+ state: restarted
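Review bot: The handler has no `become: true` while every task in the traefik-server role escalates, so unless the play sets become globally (not visible here) `systemctl restart traefik` runs as the unprivileged SSH user and the restart fails. Add `become: true` under the name line. `unit:` is an alias of `name:` in the systemd module; using `name:` would match the other handlers in this commit.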
diff --git a/ansible/roles/traefik-server/tasks/main.yml b/ansible/roles/traefik-server/tasks/main.yml
new file mode 100644
index 0000000..98d45e5
--- /dev/null
+++ b/ansible/roles/traefik-server/tasks/main.yml
@@ -0,0 +1,56 @@
+- name: Download traefik
+ become: true
+ ansible.builtin.get_url:
+ url: https://github.com/traefik/traefik/releases/download/v{{ traefik_version }}/traefik_v{{ traefik_version }}_linux_amd64.tar.gz
+ dest: /tmp/traefik-{{ traefik_version }}.tar.gz
+ checksum: "{{ traefik_download|default('') }}"
+ register: download
+
+- name: Download checksum
+ debug:
+ msg: download.checksum_src={{ download.checksum_src }}
+ when: download.status_code == 200
+
+- name: mkdir /tmp/traefik-x.y.z
+ become: true
+ file:
+ path: /tmp/traefik-{{ traefik_version }}
+ state: directory
+
+- name: Extract traefik
+ become: true
+ unarchive:
+ remote_src: true
+ src: /tmp/traefik-{{ traefik_version }}.tar.gz
+ dest: /tmp/traefik-{{ traefik_version }}
+
+- name: Install traefik
+ become: true
+ copy:
+ remote_src: true
+ src: /tmp/traefik-{{ traefik_version }}/traefik
+ dest: /usr/local/bin/traefik
+ owner: root
+ group: root
+ mode: 0750
+
+- name: /etc/systemd/services/traefik.service
+ become: true
+ template:
+ src: traefik.service.j2
+ dest: /etc/systemd/system/traefik.service
+ owner: root
+ group: root
+ mode: 0644
+
+- name: mkdir /etc/traefik
+ become: true
+ file:
+ path: /etc/traefik
+ state: directory
+
+- name: mkdir /etc/traefik/acme
+ become: true
+ file:
+ path: /etc/traefik/acme
+ state: directory
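Review bot: `checksum: "{{ traefik_download|default('') }}"` in the Download traefik task turns integrity verification off whenever `traefik_download` is unset, and the unverified binary is then installed to /usr/local/bin and run as root by the unit added in this commit; drop the default so an undefined variable fails the play, or add an `assert` on it before the download. Neither the Install traefik task nor the traefik.service template task carries `notify: systemctl restart traefik`, so the handler added in this commit is never triggered and a new binary or unit file (and the daemon-reload it needs) is not picked up until someone restarts manually. The task name `/etc/systemd/services/traefik.service` does not match its `dest: /etc/systemd/system/traefik.service`. Downloading and extracting as root under a predictable name in the shared /tmp is fragile; a directory from `ansible.builtin.tempfile` or a root-owned staging directory would be safer.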
diff --git a/ansible/roles/traefik-server/templates/traefik.service.j2 b/ansible/roles/traefik-server/templates/traefik.service.j2
new file mode 100644
index 0000000..14bc403
--- /dev/null
+++ b/ansible/roles/traefik-server/templates/traefik.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=traefik proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+AssertFileIsExecutable=/usr/local/bin/traefik
+AssertPathExists=/etc/traefik/traefik.toml
+
+[Service]
+Restart=on-abnormal
+
+#User=traefik
+#Group=traefik
+
+; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
+ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+
+; Use private /tmp and /var/tmp, which are discarded after traefik stops.
+PrivateTmp=true
+
+; Use a minimal /dev (May bring additional security if switched to 'true')
+PrivateDevices=true
+
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+; ... except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+#ReadWriteDirectories=/etc/traefik/acme
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by traefik. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+{% set env=traefik_environment.items()|default({}) %}
+{% if env %}
+
+{% for k, v in env %}
+Environment="{{ k }}={{ v }}"
+{% endfor %}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
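Review bot: `ProtectSystem=full` mounts /etc read-only for the service, but the role's tasks create /etc/traefik/acme for ACME storage and the `ReadWriteDirectories=/etc/traefik/acme` line that would re-enable writes is commented out, so certificate storage will fail at write time; uncomment it (current systemd spells it `ReadWritePaths=/etc/traefik/acme`). `{% set env=traefik_environment.items()|default({}) %}` applies `default` after `.items()`, so an undefined `traefik_environment` raises instead of being defaulted; use `{% set env = (traefik_environment|default({})).items() %}`. The `Environment="K=V"` lines are rendered into a unit installed with mode 0644, readable by every local user, so if `traefik_environment` carries ACME or DNS-provider credentials they belong in an `EnvironmentFile=` with restrictive permissions instead. The `-root` comment above ExecStart refers to an option traefik does not take and reads as a leftover from another service's unit; remove or reword it. With User/Group commented out the daemon runs as root, which the hardening directives below only partially offset.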
diff --git a/ansible/roles/unifi/handlers/main.yml b/ansible/roles/unifi/handlers/main.yml
deleted file mode 100644
index ce78323..0000000
--- a/ansible/roles/unifi/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: update apt cache
- apt:
- update_cache: yes
diff --git a/ansible/roles/unifi/tasks/main.yml b/ansible/roles/unifi/tasks/main.yml
deleted file mode 100644
index 11c4c00..0000000
--- a/ansible/roles/unifi/tasks/main.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: Ubiquiti APT key
- notify: update apt cache
- apt_key:
- id: 06E85760C0A52C50
- keyserver: keyserver.ubuntu.com
-
-- name: Ubiquiti APT repository
- notify: update apt cache
- copy:
- dest: /etc/apt/sources.list.d/unifi.list
- content: 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti'
-
-- meta: flush_handlers
-
-- name: packages
- apt:
- name: "{{ items }}"
- install_recommends: no
- vars:
- items:
- - openjdk-8-jre
- - unifi