From 89d91224200ce4edf5c842f285153454baa6b0b4 Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 18 May 2026 18:14:51 +0200
Subject: [PATCH 1/4] tag plays in playbooks (instead of tasks in roles)
---
 playbooks/deploy.yaml | 43 +++++++++++++++++++
 playbooks/maintenance.yaml | 6 +++
 .../handlers/main.yaml | 1 -
 .../tasks/disable.yaml | 3 --
 .../tasks/enable.yaml | 4 --
 .../tasks/main.yaml | 2 -
 roles/knot/handlers/main.yaml | 3 --
 roles/knot/tasks/01-install.yaml | 1 -
 roles/knot/tasks/02-configure.yaml | 4 --
 roles/knot/tasks/03-configure-exporter.yaml | 2 -
 10 files changed, 49 insertions(+), 20 deletions(-)
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index a3b047b..ad866cc 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -3,69 +3,98 @@ hosts: base_config_hosts roles: - base_config + tags: + - base_config - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts hosts: systemd_networkd_hosts roles: - systemd_networkd + tags: + - systemd_networkd - name: Ensure nftables deployment on nftables_hosts hosts: nftables_hosts roles: - nftables + tags: + - nftables - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: - infrastructure_authorized_keys + tags: + - infrastructure_authorized_keys - name: Ensure Nextcloud config hosts: nextcloud_hosts roles: - nextcloud + tags: + - nextcloud - name: Ensure ola deployment on ola_hosts hosts: ola_hosts roles: - ola + tags: + - ola - name: Ensure foobazdmx deployment on foobazdmx_hosts hosts: foobazdmx_hosts roles: - foobazdmx + tags: + - foobazdmx - name: Ensure Dokuwiki config hosts: wiki_hosts roles: - dokuwiki + tags: + - dokuwiki - name: Ensure NetBox deployment on netbox_hosts hosts: netbox_hosts roles: - netbox + tags: + - netbox - name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs hosts: nginx_hosts:&public_reverse_proxy_hosts roles: - nginx + tags: + - nginx + - public_reverse_proxy - name: Ensure certbot and certificate deployment on certbot_hosts hosts: certbot_hosts roles: - certbot + tags: + - certbot - name: Ensure OnlyOffice custom fonts ansible.builtin.import_playbook: onlyoffice_fonts.yaml + tags: + - onlyoffice_fonts - name: Ensure Docker Compose deployment on docker_compose_hosts hosts: docker_compose_hosts roles: - docker_compose + tags: + - docker_compose - name: Ensure NGINX deployment on nginx_hosts hosts: nginx_hosts:!public_reverse_proxy_hosts roles: - nginx + tags: + - nginx - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors 
@@ -77,32 +106,46 @@ - "o=${distro_id},n=${distro_codename}" - "o=Docker,n=${distro_codename}" - "o=nginx,n=${distro_codename}" + tags: + - unattended_upgrades - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true roles: - alloy + tags: + - alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts roles: - ansible_pull + tags: + - ansible_pull - name: Ensure msmtp is setup on msmtp_hosts hosts: msmtp_hosts roles: - msmtp + tags: + - msmtp - name: Ensure Renovate is setup on renovate_hosts hosts: renovate_hosts roles: - renovate + tags: + - renovate - name: Run ensure_eh22_styleguide_dir Playbook ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml + tags: + - eh22_styleguide_dir - name: Setup authoritative dns servers hosts: auth-dns roles: - knot + tags: + - knot
diff --git a/playbooks/maintenance.yaml b/playbooks/maintenance.yaml
index c912a53..9fe3886 100644
--- a/playbooks/maintenance.yaml
+++ b/playbooks/maintenance.yaml
@@ -1,5 +1,7 @@ - name: Ensure NGINX repo setup and nginx install on relevant hosts hosts: nginx_hosts:nextcloud_hosts + tags: + - nextcloud_nginx tasks: - name: Ensure NGINX repo is setup ansible.builtin.include_role:
@@ -13,6 +15,8 @@ - name: Ensure Docker repo setup and package install on relevant hosts hosts: docker_compose_hosts:nextcloud_hosts + tags: + - nextcloud_docker tasks: - name: Ensure Docker repo is setup ansible.builtin.include_role:
@@ -28,6 +32,8 @@ hosts: all:!hypervisors roles: - apt_update_and_upgrade + tags: + - apt_update_and_upgrade - name: Run deploy Playbook ansible.builtin.import_playbook: deploy.yaml
diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml
index b40760b..05b7521 100644
--- a/roles/deploy_systemd_resolved_config/handlers/main.yaml
+++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml
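Review bot: The play `Setup authoritative dns servers` at the end of the first hunk receives the tag `knot`, while every knot task and handler carried the tag `auth-dns` until now (dropped in the roles/knot hunks further down), so an existing `--tags auth-dns` invocation matches nothing after this patch and Ansible reports no error for an unmatched tag. Keeping the old name as an alias costs one line, `tags: [ knot, auth-dns ]`, or the rename should at least be called out in the commit message so operators update their scripts.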
@@ -1,6 +1,5 @@ --- - name: "reload systemd-resolved" - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: "systemd-resolved.service"
diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
index 9092116..afa646a 100644
--- a/roles/deploy_systemd_resolved_config/tasks/disable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
@@ -1,13 +1,11 @@ --- - name: Ensure /etc/resolv.conf is a plain file - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.file: path: "/etc/resolv.conf" state: file - name: Write nameserver config directly into /etc/resolv.conf - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.template: src: "resolv.conf.j2"
@@ -17,7 +15,6 @@ mode: u=rw,g=r,o=r - name: Disable systemd-resolved - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: "systemd-resolved.service"
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
index 9a7438e..2659c32 100644
--- a/roles/deploy_systemd_resolved_config/tasks/enable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -1,13 +1,11 @@ --- - name: Ensure systemd-resolved is installed - tags: [ "deploy_systemd_resolved_config" ] become: true when: ansible_facts["distribution"] == "Debian" ansible.builtin.package: name: [ "systemd-resolved" ] - name: Deploy systemd-resolved config - tags: [ "deploy_systemd_resolved_config" ] become: true notify: "reload systemd-resolved" ansible.builtin.template:
@@ -18,7 +16,6 @@ mode: u=rw,g=r,o=r - name: Make /etc/resolv.conf points to systemd-resolved - tags: [ "deploy_systemd_resolved_config" ] become: true when: deploy_systemd_resolved_config__mode != "extern" ansible.builtin.file: # noqa: jinja
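Review bot: The tag `deploy_systemd_resolved_config` is removed from every handler and task of the role in this hunk and in the tasks/disable.yaml, tasks/enable.yaml and tasks/main.yaml hunks, but no play in playbooks/deploy.yaml gains a tag of that name in this patch and the role is not listed under any play's `roles:` there. If the role is reached through another role (presumably one of the plays' roles; not visible here), `--tags deploy_systemd_resolved_config` silently selects nothing after this change and the role can only be targeted through the tag of the play that indirectly includes it. Either add that tag to the including play or keep a tag on the include in the consuming role, e.g. `ansible.builtin.import_role` with `tags: [ deploy_systemd_resolved_config ]`.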
@@ -35,7 +32,6 @@ {%- endif -%} - name: Ensure systemd-resolved is running and enabled - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: systemd-resolved.service
diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml
index 00bc293..00558dc 100644
--- a/roles/deploy_systemd_resolved_config/tasks/main.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml
@@ -1,10 +1,8 @@ --- - name: Include enable.yaml - tags: [ "deploy_systemd_resolved_config" ] ansible.builtin.include_tasks: enable.yaml when: deploy_systemd_resolved_config__enable - name: Include disable.yaml - tags: [ "deploy_systemd_resolved_config" ] ansible.builtin.include_tasks: disable.yaml when: not deploy_systemd_resolved_config__enable
diff --git a/roles/knot/handlers/main.yaml b/roles/knot/handlers/main.yaml
index 38fce75..feb3ceb 100644
--- a/roles/knot/handlers/main.yaml
+++ b/roles/knot/handlers/main.yaml
@@ -1,19 +1,16 @@ --- - name: reload knot - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot.service state: reloaded - name: netplan apply - tags: [ auth-dns ] become: true changed_when: true ansible.builtin.command: "netplan apply" - name: restart knot-exporter - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot-exporter.service
diff --git a/roles/knot/tasks/01-install.yaml b/roles/knot/tasks/01-install.yaml
index 0a269d6..8a5feed 100644
--- a/roles/knot/tasks/01-install.yaml
+++ b/roles/knot/tasks/01-install.yaml
@@ -1,6 +1,5 @@ --- - name: Install knot - tags: [ auth-dns ] become: true ansible.builtin.package: name:
diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml
index 2b0b0fa..a2a8e55 100644
--- a/roles/knot/tasks/02-configure.yaml
+++ b/roles/knot/tasks/02-configure.yaml
@@ -1,6 +1,5 @@ --- - name: Ensure required directories exist - tags: [ auth-dns ] become: true loop: [ "/etc/knot", "/etc/knot/zones" ] ansible.builtin.file:
@@ -11,7 +10,6 @@ mode: u=rwx,g=rx,o= - name: Deploy knot configuration file - tags: [ auth-dns ] become: true notify: reload knot ansible.builtin.template:
@@ -22,7 +20,6 @@ mode: u=rw,g=r,o= - name: Deploy configured zones - tags: [ auth-dns ] become: true notify: reload knot loop: "{{ knot__zones }}"
@@ -42,7 +39,6 @@ # this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one. # so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled - name: Disable IPv6 SLAAC - tags: [ auth-dns ] become: true notify: netplan apply ansible.builtin.template:
diff --git a/roles/knot/tasks/03-configure-exporter.yaml b/roles/knot/tasks/03-configure-exporter.yaml
index 4254acb..8077ecd 100644
--- a/roles/knot/tasks/03-configure-exporter.yaml
+++ b/roles/knot/tasks/03-configure-exporter.yaml
@@ -1,5 +1,4 @@ - name: Deploy knot-exporter systemd unit - tags: [ auth-dns ] become: true register: knot_deploy_service_file notify: restart knot-exporter
@@ -11,7 +10,6 @@ mode: u=rw,g=r,o=r - name: Ensure knot-exporter is running and enabled - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot-exporter.service
From b0347d64bf9603c9bce1a05ef5e145ed9bb7d6a6 Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 18 May 2026 20:13:48 +0200
Subject: [PATCH 2/4] remove configuration for deleted woodpecker host
---
 resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 2 --
 .../grafana/docker_compose/prometheus_alerts.rules.yaml | 8 ++++----
 .../public-reverse-proxy/nginx/acme_challenge.conf | 1 -
 .../chaosknoten/public-reverse-proxy/nginx/nginx.conf | 1 -
 .../docker_compose/config/services-chaosknoten.yaml | 8 --------
 5 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
index 21a8d0e..a9c4851 100644
--- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
+++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
@@ -196,7 +196,6 @@ matrix-intern IN A 172.31.17.150 ; have this for compatibility (like references in CI) public-web-static-intern IN AAAA 2a00:14b0:42:102::17 git-intern IN A 172.31.17.154 -woodpecker-intern IN A 172.31.17.160 penpot-intern IN A 172.31.17.162 forgejo-runner-builder IN A 172.31.17.202 renovate-forgejo IN A 172.31.17.163
@@ -275,7 +274,6 @@ matrix IN CNAME public-reverse-proxy mas IN CNAME public-reverse-proxy element-admin IN CNAME public-reverse-proxy netbox IN CNAME public-reverse-proxy -woodpecker IN CNAME public-reverse-proxy onlyoffice IN CNAME public-reverse-proxy pad IN CNAME public-reverse-proxy pretalx IN CNAME public-reverse-proxy
diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
index 4a2bc6f..15b9b1f 100644
--- a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
+++ b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
@@ -129,7 +129,7 @@ groups: # General high disk read and write rate alerts. # Excluding: hypervisor hosts, CI hosts - alert: HostUnusualDiskReadRate - expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"} + expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"} for: 5m labels: severity: warning
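Review bot: The diffstat lists only two deletions for hamburg.ccc.de.zone, so the SOA serial is not incremented alongside the removed `woodpecker-intern` A and `woodpecker` CNAME records in the two zone hunks. Unless knot is configured to manage the serial itself (e.g. `zonefile-load: difference-no-serial` in the knot configuration template, which is not part of this series), secondaries compare serials only and keep serving the previous zone, in which both woodpecker names still resolve. Bumping the serial in the same change, or confirming the knot setting in the commit message, closes that gap.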
@@ -137,7 +137,7 @@ groups: summary: Host unusual disk read rate (instance {{ $labels.instance }}) description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}" - alert: HostUnusualDiskWriteRate - expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"} + expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"} for: 2m labels: severity: warning
@@ -147,7 +147,7 @@ groups: # CI hosts high disk read and write alerts. # Longer intervals to account for disk intensive CI tasks. - alert: CIHostUnusualDiskReadRate - expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"} + expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"} for: 10m labels: severity: warning
@@ -155,7 +155,7 @@ groups: summary: CI host unusual disk read rate for 10 min (instance {{ $labels.instance }}) description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}" - alert: VirtualHostUnusualDiskWriteRate - expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"} + expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"} for: 4m labels: severity: warning
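Review bot: The old selector `node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}` in `CIHostUnusualDiskReadRate` and `VirtualHostUnusualDiskWriteRate` required a single series to carry both label values at once, so it matched nothing and both CI disk alerts were dead; the new single matcher on the `+ expr:` lines makes them fire for the first time, which is more of a behaviour change than "remove configuration" in the commit message suggests. Worth a sentence in the message and a check that 50 MB/s with the 10m/4m `for:` windows is the intended threshold for the runner now that the rules are live. While touching that line, the second alert is still named `VirtualHostUnusualDiskWriteRate` under the "CI hosts" comment; `CIHostUnusualDiskWriteRate` would match its sibling.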
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 93968b0..e8b8c8e 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -70,7 +70,6 @@ map $host $upstream_acme_challenge_host { eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; hacker.tours public-web-static.hosts.hamburg.ccc.de:31820; staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:31820; - woodpecker.hamburg.ccc.de 172.31.17.160:31820; design.hamburg.ccc.de 172.31.17.162:31820; hydra.hamburg.ccc.de 172.31.17.163:31820; ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 843c094..0a004c9 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -91,7 +91,6 @@ stream { eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; hacker.tours public-web-static.hosts.hamburg.ccc.de:8443; staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:8443; - woodpecker.hamburg.ccc.de 172.31.17.160:8443; design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
index 0ee6ef4..74991b7 100644
--- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
@@ -294,14 +294,6 @@ endpoints: - "[CERTIFICATE_EXPIRATION] > 48h" - "[BODY] == pat(*CCCHH Wiki*)" - - name: Woodpecker - url: "https://woodpecker.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Woodpecker*)" - - name: Zammad url: "https://zammad.hamburg.ccc.de/" <<: *services_chaosknoten_defaults
From 6b19f69135c7dcda3d3a812155f9df37c609b2be Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 19 May 2026 00:21:51 +0200
Subject: [PATCH 3/4] renovate(role): add cleanup service and timer for renovate volume
With time the volume seems to just keeps growing with cache data, so clean it up once a day.
---
 roles/renovate/files/renovate-cleanup.service | 7 +++++
 roles/renovate/files/renovate-cleanup.timer | 9 ++++++
 roles/renovate/tasks/main.yaml | 29 +++++++++++++++----------
 3 files changed, 29 insertions(+), 16 deletions(-)
 create mode 100644 roles/renovate/files/renovate-cleanup.service
 create mode 100644 roles/renovate/files/renovate-cleanup.timer
diff --git a/roles/renovate/files/renovate-cleanup.service b/roles/renovate/files/renovate-cleanup.service
new file mode 100644
index 0000000..55c191e
--- /dev/null
+++ b/roles/renovate/files/renovate-cleanup.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=renovate cleanup (delete docker volume)
+Conflicts=renovate.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/docker volume rm renovate
diff --git a/roles/renovate/files/renovate-cleanup.timer b/roles/renovate/files/renovate-cleanup.timer
new file mode 100644
index 0000000..510004d
--- /dev/null
+++ b/roles/renovate/files/renovate-cleanup.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=renovate cleanup (delete docker volume) running daily
+
+[Timer]
+# @daily with 10 minute offset
+OnCalendar=*-*-* 00:10
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/renovate/tasks/main.yaml b/roles/renovate/tasks/main.yaml
index f6988ab..4a6c018 100644
--- a/roles/renovate/tasks/main.yaml
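Review bot: `Conflicts=renovate.service` in renovate-cleanup.service makes starting the cleanup stop a running renovate, but Conflicts= carries no ordering, so `docker volume rm renovate` can execute while renovate.service is still being stopped and fail with the volume reported as in use; `After=renovate.service` in the [Unit] section makes the stop complete before ExecStart runs. `docker volume rm` also exits non-zero when the volume does not exist (first run, or two cleanups with no renovate run between them), which leaves the oneshot in failed state every day; `ExecStart=-/usr/bin/docker volume rm renovate` tolerates that, and if renovate.service leaves a stopped container attached to the volume the rm fails regardless, which is worth confirming against renovate.service (not in this series). The 00:10 fire time should also be compared with renovate.timer so the cleanup does not routinely kill a run that started around midnight.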
+++ b/roles/renovate/tasks/main.yaml
@@ -16,31 +16,28 @@ mode: "0640" become: true -- name: ensure systemd service exists +- name: ensure systemd services and timers exist ansible.builtin.copy: - src: renovate.service - dest: /etc/systemd/system/renovate.service + src: "{{ item }}" + dest: "/etc/systemd/system/{{ item }}" owner: root group: root mode: "0644" become: true + loop: + - renovate.service + - renovate-cleanup.service + - renovate.timer + - renovate-cleanup.timer notify: - systemd daemon reload -- name: ensure systemd timer exists - ansible.builtin.copy: - src: renovate.timer - dest: /etc/systemd/system/renovate.timer - owner: root - group: root - mode: "0644" - become: true - notify: - - systemd daemon reload - -- name: ensure systemd timer is started and enabled +- name: ensure systemd timers are started and enabled ansible.builtin.systemd_service: - name: renovate.timer + name: "{{ item }}" state: started enabled: true + loop: + - renovate.timer + - renovate-cleanup.timer become: true
From 73e77bde703ce52026e19edd56d482e89afa46ba Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 18 May 2026 18:14:51 +0200
Subject: [PATCH 4/4] tag plays in playbooks (instead of tasks in roles)
---
 playbooks/deploy.yaml | 43 +++++++++++++++++++
 playbooks/maintenance.yaml | 6 +++
 .../handlers/main.yaml | 1 -
 .../tasks/disable.yaml | 3 --
 .../tasks/enable.yaml | 4 --
 .../tasks/main.yaml | 2 -
 roles/knot/handlers/main.yaml | 3 --
 roles/knot/tasks/01-install.yaml | 1 -
 roles/knot/tasks/02-configure.yaml | 4 --
 roles/knot/tasks/03-configure-exporter.yaml | 2 -
 10 files changed, 49 insertions(+), 20 deletions(-)
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index a3b047b..ad866cc 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
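Review bot: `ensure systemd timers are started and enabled` runs before the `systemd daemon reload` handler notified by the copy task fires at the end of the play, so a modified renovate.timer or renovate-cleanup.timer is started and enabled from the definition systemd already has loaded rather than the file just copied (a brand-new unit is usually picked up lazily, a changed one is not). Adding `daemon_reload: true` to the `ansible.builtin.systemd_service` task, or an `ansible.builtin.meta: flush_handlers` task between the copy and the start, makes the start act on the deployed files. The task list continues outside the hunk; the `mode: "0640"` context at the top belongs to a preceding task.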
@@ -3,69 +3,98 @@ hosts: base_config_hosts roles: - base_config + tags: + - base_config - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts hosts: systemd_networkd_hosts roles: - systemd_networkd + tags: + - systemd_networkd - name: Ensure nftables deployment on nftables_hosts hosts: nftables_hosts roles: - nftables + tags: + - nftables - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: - infrastructure_authorized_keys + tags: + - infrastructure_authorized_keys - name: Ensure Nextcloud config hosts: nextcloud_hosts roles: - nextcloud + tags: + - nextcloud - name: Ensure ola deployment on ola_hosts hosts: ola_hosts roles: - ola + tags: + - ola - name: Ensure foobazdmx deployment on foobazdmx_hosts hosts: foobazdmx_hosts roles: - foobazdmx + tags: + - foobazdmx - name: Ensure Dokuwiki config hosts: wiki_hosts roles: - dokuwiki + tags: + - dokuwiki - name: Ensure NetBox deployment on netbox_hosts hosts: netbox_hosts roles: - netbox + tags: + - netbox - name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs hosts: nginx_hosts:&public_reverse_proxy_hosts roles: - nginx + tags: + - nginx + - public_reverse_proxy - name: Ensure certbot and certificate deployment on certbot_hosts hosts: certbot_hosts roles: - certbot + tags: + - certbot - name: Ensure OnlyOffice custom fonts ansible.builtin.import_playbook: onlyoffice_fonts.yaml + tags: + - onlyoffice_fonts - name: Ensure Docker Compose deployment on docker_compose_hosts hosts: docker_compose_hosts roles: - docker_compose + tags: + - docker_compose - name: Ensure NGINX deployment on nginx_hosts hosts: nginx_hosts:!public_reverse_proxy_hosts roles: - nginx + tags: + - nginx - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors 
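Review bot: [PATCH 4/4] is a repeat of [PATCH 1/4]: same subject and date, the same blob ids `a3b047b..ad866cc` on playbooks/deploy.yaml and the same hunks down through the knot role. Applied on top of 1/4 it does not apply cleanly, since the tag lines it removes are already gone, so the series should be reduced to three patches; the review remarks on the first copy apply to this hunk unchanged.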
@@ -77,32 +106,46 @@ - "o=${distro_id},n=${distro_codename}" - "o=Docker,n=${distro_codename}" - "o=nginx,n=${distro_codename}" + tags: + - unattended_upgrades - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true roles: - alloy + tags: + - alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts roles: - ansible_pull + tags: + - ansible_pull - name: Ensure msmtp is setup on msmtp_hosts hosts: msmtp_hosts roles: - msmtp + tags: + - msmtp - name: Ensure Renovate is setup on renovate_hosts hosts: renovate_hosts roles: - renovate + tags: + - renovate - name: Run ensure_eh22_styleguide_dir Playbook ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml + tags: + - eh22_styleguide_dir - name: Setup authoritative dns servers hosts: auth-dns roles: - knot + tags: + - knot
diff --git a/playbooks/maintenance.yaml b/playbooks/maintenance.yaml
index c912a53..9fe3886 100644
--- a/playbooks/maintenance.yaml
+++ b/playbooks/maintenance.yaml
@@ -1,5 +1,7 @@ - name: Ensure NGINX repo setup and nginx install on relevant hosts hosts: nginx_hosts:nextcloud_hosts + tags: + - nextcloud_nginx tasks: - name: Ensure NGINX repo is setup ansible.builtin.include_role:
@@ -13,6 +15,8 @@ - name: Ensure Docker repo setup and package install on relevant hosts hosts: docker_compose_hosts:nextcloud_hosts + tags: + - nextcloud_docker tasks: - name: Ensure Docker repo is setup ansible.builtin.include_role:
@@ -28,6 +32,8 @@ hosts: all:!hypervisors roles: - apt_update_and_upgrade + tags: + - apt_update_and_upgrade - name: Run deploy Playbook ansible.builtin.import_playbook: deploy.yaml
diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml
index b40760b..05b7521 100644
--- a/roles/deploy_systemd_resolved_config/handlers/main.yaml
+++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml
@@ -1,6 +1,5 @@ --- - name: "reload systemd-resolved" - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: "systemd-resolved.service"
diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
index 9092116..afa646a 100644
--- a/roles/deploy_systemd_resolved_config/tasks/disable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
@@ -1,13 +1,11 @@ --- - name: Ensure /etc/resolv.conf is a plain file - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.file: path: "/etc/resolv.conf" state: file - name: Write nameserver config directly into /etc/resolv.conf - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.template: src: "resolv.conf.j2"
@@ -17,7 +15,6 @@ mode: u=rw,g=r,o=r - name: Disable systemd-resolved - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: "systemd-resolved.service"
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
index 9a7438e..2659c32 100644
--- a/roles/deploy_systemd_resolved_config/tasks/enable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -1,13 +1,11 @@ --- - name: Ensure systemd-resolved is installed - tags: [ "deploy_systemd_resolved_config" ] become: true when: ansible_facts["distribution"] == "Debian" ansible.builtin.package: name: [ "systemd-resolved" ] - name: Deploy systemd-resolved config - tags: [ "deploy_systemd_resolved_config" ] become: true notify: "reload systemd-resolved" ansible.builtin.template:
@@ -18,7 +16,6 @@ mode: u=rw,g=r,o=r - name: Make /etc/resolv.conf points to systemd-resolved - tags: [ "deploy_systemd_resolved_config" ] become: true when: deploy_systemd_resolved_config__mode != "extern" ansible.builtin.file: # noqa: jinja
@@ -35,7 +32,6 @@ {%- endif -%} - name: Ensure systemd-resolved is running and enabled - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: systemd-resolved.service
diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml
index 00bc293..00558dc 100644
--- a/roles/deploy_systemd_resolved_config/tasks/main.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml
@@ -1,10 +1,8 @@ --- - name: Include enable.yaml - tags: [ "deploy_systemd_resolved_config" ] ansible.builtin.include_tasks: enable.yaml when: deploy_systemd_resolved_config__enable - name: Include disable.yaml - tags: [ "deploy_systemd_resolved_config" ] ansible.builtin.include_tasks: disable.yaml when: not deploy_systemd_resolved_config__enable
diff --git a/roles/knot/handlers/main.yaml b/roles/knot/handlers/main.yaml
index 38fce75..feb3ceb 100644
--- a/roles/knot/handlers/main.yaml
+++ b/roles/knot/handlers/main.yaml
@@ -1,19 +1,16 @@ --- - name: reload knot - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot.service state: reloaded - name: netplan apply - tags: [ auth-dns ] become: true changed_when: true ansible.builtin.command: "netplan apply" - name: restart knot-exporter - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot-exporter.service
diff --git a/roles/knot/tasks/01-install.yaml b/roles/knot/tasks/01-install.yaml
index 0a269d6..8a5feed 100644
--- a/roles/knot/tasks/01-install.yaml
+++ b/roles/knot/tasks/01-install.yaml
@@ -1,6 +1,5 @@ --- - name: Install knot - tags: [ auth-dns ] become: true ansible.builtin.package: name:
diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml
index 2b0b0fa..a2a8e55 100644
--- a/roles/knot/tasks/02-configure.yaml
+++ b/roles/knot/tasks/02-configure.yaml
@@ -1,6 +1,5 @@ --- - name: Ensure required directories exist - tags: [ auth-dns ] become: true loop: [ "/etc/knot", "/etc/knot/zones" ] ansible.builtin.file:
@@ -11,7 +10,6 @@ mode: u=rwx,g=rx,o= - name: Deploy knot configuration file - tags: [ auth-dns ] become: true notify: reload knot ansible.builtin.template:
@@ -22,7 +20,6 @@ mode: u=rw,g=r,o= - name: Deploy configured zones - tags: [ auth-dns ] become: true notify: reload knot loop: "{{ knot__zones }}"
@@ -42,7 +39,6 @@ # this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one. # so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled - name: Disable IPv6 SLAAC - tags: [ auth-dns ] become: true notify: netplan apply ansible.builtin.template:
diff --git a/roles/knot/tasks/03-configure-exporter.yaml b/roles/knot/tasks/03-configure-exporter.yaml
index 4254acb..8077ecd 100644
--- a/roles/knot/tasks/03-configure-exporter.yaml
+++ b/roles/knot/tasks/03-configure-exporter.yaml
@@ -1,5 +1,4 @@ - name: Deploy knot-exporter systemd unit - tags: [ auth-dns ] become: true register: knot_deploy_service_file notify: restart knot-exporter
@@ -11,7 +10,6 @@ mode: u=rw,g=r,o=r - name: Ensure knot-exporter is running and enabled - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot-exporter.service