CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 1
Code Issues 4 Pull requests 1 Wiki Activity Actions

Compare commits

base: CCCHH:e6d6d9eed053a0e4c1f11904e77ac24ed2a43129
Branches Tags
CCCHH:main
CCCHH:feature/add-new-router
CCCHH:router-killing-turing
CCCHH:fux-alerts
CCCHH:ansible_pull
CCCHH:move_to_sops
..
compare: CCCHH:433008d211e4b45abbbfd4a597b92d8e98514e6c
Branches Tags
CCCHH:feature/add-new-router
CCCHH:router-killing-turing
CCCHH:main
CCCHH:fux-alerts
CCCHH:ansible_pull
CCCHH:move_to_sops

No commits in common. "e6d6d9eed053a0e4c1f11904e77ac24ed2a43129" and "433008d211e4b45abbbfd4a597b92d8e98514e6c" have entirely different histories.
e6d6d9eed0 ... 433008d211

21 changed files with 763 additions and 837 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.ansible-lint
View file

@ -1,6 +0,0 @@
skip_list:
- "yaml[line-length]"
- "name[casing]"
exclude_paths:
- .forgejo/

15
.editorconfig
View file

@ -1,15 +0,0 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
indent_style = space
charset = utf-8
[*.md]
indent_size = 2
trim_trailing_whitespace = false
[*.yaml]
indent_size = 2

32
.forgejo/workflows/lint.yaml
View file

@ -1,32 +0,0 @@
# Links & Resources:
# https://github.com/ansible/ansible-lint?tab=readme-ov-file#using-ansible-lint-as-a-github-action
# https://github.com/ansible/ansible-lint/blob/main/action.yml
on:
pull_request:
push:
jobs:
ansible-lint:
name: Ansible Lint
runs-on: docker
steps:
- uses: actions/checkout@v4
- name: Install pip
run: |
apt update
apt install -y pip
- name: Install python jmespath
run: |
pip install jmespath
env:
PIP_BREAK_SYSTEM_PACKAGES: 1
# Don't let it setup python as the then called setup-python action doesn't
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@main
with:
setup_python: "false"
requirements_file: "requirements.yml"
env:
PIP_BREAK_SYSTEM_PACKAGES: 1

6
.yamllint.yaml
View file

@ -1,6 +0,0 @@
rules:
brackets:
min-spaces-inside: 1
max-spaces-inside: 1
min-spaces-inside-empty: 1
max-spaces-inside-empty: 1

1
playbooks/files/chaosknoten/configs/grafana/docker_compose/grafana-datasource.yml
View file

@ -7,3 +7,4 @@ datasources:
isDefault: true isDefault: true
access: proxy access: proxy
editable: true editable: true

3
playbooks/roles/apt_update_and_upgrade/handlers/main.yaml
View file

@ -1,3 +0,0 @@
- name: reboot the system
become: true
ansible.builtin.reboot:

6
playbooks/roles/apt_update_and_upgrade/tasks/main.yaml
View file

@ -9,5 +9,7 @@
ansible.builtin.apt: ansible.builtin.apt:
upgrade: dist upgrade: dist
register: apt_update_and_upgrade__upgrade_result register: apt_update_and_upgrade__upgrade_result
notify:
- reboot the system - name: reboot, after package upgrade
ansible.builtin.reboot:
when: apt_update_and_upgrade__upgrade_result.changed

3
playbooks/roles/deploy_ssh_server_config/handlers/main.yaml
View file

@ -1,3 +0,0 @@
- name: reboot the system
become: true
ansible.builtin.reboot:

27
playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
View file

@ -7,30 +7,17 @@
ansible.builtin.template: ansible.builtin.template:
force: true force: true
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
src: sshd_config.j2 src: sshd_config.j2
notify: register: deploy_ssh_server_config__ssh_config_copy_result
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system
- name: deactivate short moduli - name: deactivate short moduli
ansible.builtin.shell: ansible.builtin.shell:
executable: /bin/bash cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
cmd: |
set -eo pipefail
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp # Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then - name: reboot, if ssh server config got changed
rm /etc/ssh/moduli.tmp ansible.builtin.reboot:
else when: deploy_ssh_server_config__ssh_config_copy_result.changed
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
echo "ansible-changed: changed /etc/ssh/moduli"
fi
register: result
changed_when:
- '"ansible-changed" in result.stdout'
notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system

1
playbooks/roles/infrastructure_authorized_keys/tasks/main.yaml
View file

@ -4,3 +4,4 @@
user: chaos user: chaos
exclusive: true exclusive: true
key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys

16
playbooks/roles/nginx/tasks/main/config_deploy.yaml
View file

@ -7,11 +7,11 @@
when: nginx__use_custom_nginx_conf when: nginx__use_custom_nginx_conf
block: block:
- name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/nginx.conf.ansiblesave dest: /etc/nginx/nginx.conf.ansiblesave
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
remote_src: true remote_src: true
@ -22,7 +22,7 @@
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ nginx__custom_nginx_conf }}" content: "{{ nginx__custom_nginx_conf }}"
dest: "/etc/nginx/nginx.conf" dest: "/etc/nginx/nginx.conf"
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
become: true become: true
@ -36,7 +36,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/nginx.conf dest: /etc/nginx/nginx.conf
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
remote_src: true remote_src: true
@ -55,7 +55,7 @@
ansible.builtin.get_url: ansible.builtin.get_url:
force: true force: true
dest: /etc/nginx-mozilla-dhparam dest: /etc/nginx-mozilla-dhparam
mode: "0644" mode: 0644
url: https://ssl-config.mozilla.org/ffdhe2048.txt url: https://ssl-config.mozilla.org/ffdhe2048.txt
become: true become: true
notify: Restart `nginx.service` notify: Restart `nginx.service`
@ -71,7 +71,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/conf.d/tls.conf dest: /etc/nginx/conf.d/tls.conf
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
src: tls.conf src: tls.conf
@ -89,7 +89,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/conf.d/redirect.conf dest: /etc/nginx/conf.d/redirect.conf
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
src: redirect.conf src: redirect.conf
@ -104,7 +104,7 @@
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ item.content }}" content: "{{ item.content }}"
dest: "/etc/nginx/conf.d/{{ item.name }}.conf" dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
mode: "0644" mode: 0644
owner: root owner: root
group: root group: root
become: true become: true