jriou/ansible-pilote
1
0
Fork 0
Code Issues Pull requests Activity

style: Add ansible-lint

Browse source 
Signed-off-by: Julien Riou <julien@riou.xyz>
This commit is contained in:
Julien Riou 2024-05-10 13:32:56 +02:00
parent 0063f2157c
commit 38fef42aa6
No known key found for this signature in database
GPG key ID: A2EB1F2CA8E3F677
23 changed files with 128 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.ansible-lint Normal file
View file

@ -0,0 +1,9 @@
---
exclude_paths:
- .cache/
- .github/
- .pre-commit-config.yaml
- group_vars/pilote.yml
skip_list:
- latest

6
.github/workflows/pre-commit.yml vendored
View file

@ -10,6 +10,6 @@ jobs:
pre-commit: pre-commit:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: actions/setup-python@v3 - uses: actions/setup-python@v3
- uses: pre-commit/action@v3.0.1 - uses: pre-commit/action@v3.0.1

19
.pre-commit-config.yaml
View file

@ -1,9 +1,14 @@
--- ---
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0 rev: v4.6.0
hooks: hooks:
- id: check-yaml - id: check-yaml
- id: detect-private-key - id: detect-private-key
- id: end-of-file-fixer - id: end-of-file-fixer
- id: trailing-whitespace - id: trailing-whitespace
- repo: https://github.com/ansible/ansible-lint
rev: v24.2.3
hooks:
- id: ansible-lint

3
TODO.md
View file

@ -2,6 +2,3 @@
* EasyRSA tasks * EasyRSA tasks
* Variables documentation * Variables documentation
* Github actions
* pre-commit
* ansible-lint

72
main.yml
View file

@ -1,23 +1,55 @@
--- ---
- hosts: pilote - name: Configure pilote
hosts: pilote
gather_facts: true gather_facts: true
tasks: tasks:
- ansible.builtin.include_tasks: tasks/sysctl.yml - name: Configure sysctl
- ansible.builtin.include_tasks: tasks/apt.yml ansible.builtin.include_tasks: tasks/sysctl.yml
- ansible.builtin.include_tasks: tasks/users.yml
- ansible.builtin.include_tasks: tasks/profile.yml - name: Configure apt
- ansible.builtin.include_tasks: tasks/hostname.yml ansible.builtin.include_tasks: tasks/apt.yml
- ansible.builtin.include_tasks: tasks/motd.yml
- ansible.builtin.include_tasks: tasks/time.yml - name: Configure users
- ansible.builtin.include_tasks: tasks/ssh.yml ansible.builtin.include_tasks: tasks/users.yml
- ansible.builtin.include_tasks: tasks/openvpn.yml
- ansible.builtin.include_tasks: tasks/nagios.yml - name: Configure profile
- ansible.builtin.include_tasks: tasks/nrpe.yml ansible.builtin.include_tasks: tasks/profile.yml
- ansible.builtin.include_tasks: tasks/mosquitto.yml
- ansible.builtin.include_tasks: tasks/serial2mqtt.yml - name: Configure hostname
- ansible.builtin.include_tasks: tasks/telegraf.yml ansible.builtin.include_tasks: tasks/hostname.yml
- ansible.builtin.include_tasks: tasks/bacula.yml
- ansible.builtin.include_tasks: tasks/iptables.yml - name: Configure motd
# TODO ansible.builtin.include_tasks: tasks/motd.yml
#- ansible.builtin.include_tasks: tasks/easyrsa.yml
- ansible.builtin.include_tasks: tasks/vim.yml - name: Configure time
ansible.builtin.include_tasks: tasks/time.yml
- name: Configure SSH
ansible.builtin.include_tasks: tasks/ssh.yml
- name: Configure OpenVPN
ansible.builtin.include_tasks: tasks/openvpn.yml
- name: Configure Nagios
ansible.builtin.include_tasks: tasks/nagios.yml
- name: Configure NRPE
ansible.builtin.include_tasks: tasks/nrpe.yml
- name: Configure Mosquitto
ansible.builtin.include_tasks: tasks/mosquitto.yml
- name: Configure serial2mqtt
ansible.builtin.include_tasks: tasks/serial2mqtt.yml
- name: Configure telegraf
ansible.builtin.include_tasks: tasks/telegraf.yml
- name: Configure bacula
ansible.builtin.include_tasks: tasks/bacula.yml
- name: Configure iptables
ansible.builtin.include_tasks: tasks/iptables.yml
- name: Configure vim
ansible.builtin.include_tasks: tasks/vim.yml

1
tasks/apt.yml
View file

@ -10,6 +10,7 @@
ansible.builtin.template: ansible.builtin.template:
src: apt/raspi.list.j2 src: apt/raspi.list.j2
dest: /etc/apt/sources.list.d/raspi.list dest: /etc/apt/sources.list.d/raspi.list
mode: "0644"
- name: Update system - name: Update system
ansible.builtin.apt: ansible.builtin.apt:

2
tasks/bacula.yml
View file

@ -7,7 +7,6 @@
- bacula-fd - bacula-fd
- bacula-sd - bacula-sd
- bacula-console - bacula-console
state: latest
- name: Configure database - name: Configure database
ansible.builtin.copy: ansible.builtin.copy:
@ -61,6 +60,7 @@
ansible.builtin.template: ansible.builtin.template:
src: "bacula/conf.d/{{ item }}.conf.j2" src: "bacula/conf.d/{{ item }}.conf.j2"
dest: "/etc/bacula/conf.d/{{ item }}.conf" dest: "/etc/bacula/conf.d/{{ item }}.conf"
mode: "0644"
loop: loop:
- clients - clients
- filesets - filesets

8
tasks/easyrsa.yml
View file

@ -1,13 +1,13 @@
--- ---
# TODO # TODO
- name: copy easyrsa sources to /root - name: Copy easyrsa sources to /root
copy: ansible.builtin.copy:
src: files/easyrsa/EasyRSA-v3.0.6 src: files/easyrsa/EasyRSA-v3.0.6
dest: /root/ dest: /root/
mode: preserve mode: preserve
- name: add easyrsa binary to path - name: Add easyrsa binary to path
file: ansible.builtin.file:
src: /root/EasyRSA-v3.0.6/easyrsa src: /root/EasyRSA-v3.0.6/easyrsa
dest: /usr/local/sbin/easyrsa dest: /usr/local/sbin/easyrsa
state: link state: link

3
tasks/hostname.yml
View file

@ -1,9 +1,10 @@
--- ---
- name: Setup hostname - name: Setup hostname
hostname: ansible.builtin.hostname:
name: "{{ hostname }}" name: "{{ hostname }}"
- name: Manage /etc/hosts - name: Manage /etc/hosts
ansible.builtin.template: ansible.builtin.template:
src: hostname/hosts.j2 src: hostname/hosts.j2
dest: /etc/hosts dest: /etc/hosts
mode: "0644"

2
tasks/iptables.yml
View file

@ -57,7 +57,7 @@
name: name:
- netfilter-persistent - netfilter-persistent
- iptables-persistent - iptables-persistent
state: latest
- name: Save iptables - name: Save iptables
ansible.builtin.command: netfilter-persistent save ansible.builtin.command: netfilter-persistent save
changed_when: true

2
tasks/mosquitto.yml
View file

@ -3,12 +3,12 @@
ansible.builtin.apt: ansible.builtin.apt:
name: name:
- mosquitto - mosquitto
state: latest
- name: Configure mosquitto - name: Configure mosquitto
ansible.builtin.copy: ansible.builtin.copy:
src: files/mosquitto/conf.d src: files/mosquitto/conf.d
dest: /etc/mosquitto dest: /etc/mosquitto
mode: "0644"
- name: Copy mosquitto password - name: Copy mosquitto password
ansible.builtin.template: ansible.builtin.template:

8
tasks/motd.yml
View file

@ -6,10 +6,16 @@
- name: Run figlet - name: Run figlet
ansible.builtin.shell: ansible.builtin.shell:
cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf" cmd: >-
set -o pipefail
hostname | figlet -f /usr/share/figlet/smslant.flf"
args:
executable: /bin/bash
register: _motd register: _motd
changed_when: true
- name: Create motd - name: Create motd
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/motd dest: /etc/motd
content: "{{ _motd.stdout }}\n" content: "{{ _motd.stdout }}\n"
mode: "0644"

15
tasks/nagios.yml
View file

@ -9,12 +9,12 @@
- python3-requests - python3-requests
- python3-jsonschema - python3-jsonschema
- python-pexpect - python-pexpect
state: latest
- name: Generate nagios configurations - name: Generate nagios configurations
ansible.builtin.template: ansible.builtin.template:
src: "nagios/conf.d/{{ item }}.cfg.j2" src: "nagios/conf.d/{{ item }}.cfg.j2"
dest: "/etc/nagios4/conf.d/{{ item }}.cfg" dest: "/etc/nagios4/conf.d/{{ item }}.cfg"
mode: "0644"
loop: loop:
- commands - commands
- hosts - hosts
@ -26,6 +26,7 @@
ansible.builtin.template: ansible.builtin.template:
src: nagios/contacts.cfg.j2 src: nagios/contacts.cfg.j2
dest: /etc/nagios4/objects/contacts.cfg dest: /etc/nagios4/objects/contacts.cfg
mode: "0644"
- name: Copy check_timesyncd - name: Copy check_timesyncd
ansible.builtin.copy: ansible.builtin.copy:
@ -47,7 +48,7 @@
- name: Configure notify-by-telegram - name: Configure notify-by-telegram
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}" content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}"
dest: /etc/nagios4/telegram.json dest: /etc/nagios4/telegram.json
owner: root owner: root
group: nagios group: nagios
@ -62,11 +63,13 @@
ansible.builtin.copy: ansible.builtin.copy:
src: files/nagios/nagios.cfg src: files/nagios/nagios.cfg
dest: /etc/nagios4/nagios.cfg dest: /etc/nagios4/nagios.cfg
mode: "0644"
- name: Copy CGI configuration - name: Copy CGI configuration
ansible.builtin.copy: ansible.builtin.copy:
src: files/nagios/cgi.cfg src: files/nagios/cgi.cfg
dest: /etc/nagios4/cgi.cfg dest: /etc/nagios4/cgi.cfg
mode: "0644"
- name: Reload nagios - name: Reload nagios
ansible.builtin.service: ansible.builtin.service:
@ -77,16 +80,19 @@
ansible.builtin.template: ansible.builtin.template:
src: nagios/htdigest.users.j2 src: nagios/htdigest.users.j2
dest: /etc/nagios4/htdigest.users dest: /etc/nagios4/htdigest.users
mode: "0644"
- name: Secure Apache - name: Secure Apache
copy: ansible.builtin.copy:
src: files/nagios/security.conf src: files/nagios/security.conf
dest: /etc/apache2/conf-available/security.conf dest: /etc/apache2/conf-available/security.conf
mode: "0644"
- name: Configure vhost for the web interface - name: Configure vhost for the web interface
ansible.builtin.copy: ansible.builtin.copy:
src: files/nagios/apache2.conf src: files/nagios/apache2.conf
dest: /etc/nagios4/apache2.conf dest: /etc/nagios4/apache2.conf
mode: "0644"
- name: Enable Apache modules - name: Enable Apache modules
ansible.builtin.command: ansible.builtin.command:
@ -94,6 +100,7 @@
loop: loop:
- auth_digest - auth_digest
- headers - headers
changed_when: true
- name: Restart apache - name: Restart apache
ansible.builtin.service: ansible.builtin.service:
@ -101,7 +108,7 @@
state: restarted state: restarted
- name: Allow HTTP from vpn - name: Allow HTTP from vpn
iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
source: "{{ openvpn_subnet }}" source: "{{ openvpn_subnet }}"

3
tasks/nrpe.yml
View file

@ -10,16 +10,19 @@
ansible.builtin.template: ansible.builtin.template:
src: nrpe/nrpe.cfg.j2 src: nrpe/nrpe.cfg.j2
dest: /etc/nagios/nrpe.cfg dest: /etc/nagios/nrpe.cfg
mode: "0644"
- name: Generate NRPE local configuration - name: Generate NRPE local configuration
ansible.builtin.template: ansible.builtin.template:
src: nrpe/nrpe_local.cfg.j2 src: nrpe/nrpe_local.cfg.j2
dest: /etc/nagios/nrpe_local.cfg dest: /etc/nagios/nrpe_local.cfg
mode: "0644"
- name: Manage daemon settings - name: Manage daemon settings
ansible.builtin.template: ansible.builtin.template:
src: nrpe/nagios-nrpe-server.j2 src: nrpe/nagios-nrpe-server.j2
dest: /etc/default/nagios-nrpe-server dest: /etc/default/nagios-nrpe-server
mode: "0644"
- name: Clone check-mqtt source code - name: Clone check-mqtt source code
ansible.builtin.git: ansible.builtin.git:

4
tasks/openvpn.yml
View file

@ -2,22 +2,24 @@
- name: Install OpenVPN - name: Install OpenVPN
ansible.builtin.apt: ansible.builtin.apt:
name: openvpn name: openvpn
state: latest
- name: Deploy OpenVPN configuration - name: Deploy OpenVPN configuration
ansible.builtin.template: ansible.builtin.template:
src: openvpn/client.conf.j2 src: openvpn/client.conf.j2
dest: /etc/openvpn/client.conf dest: /etc/openvpn/client.conf
mode: '0644'
- name: Deploy OpenVPN CA cert - name: Deploy OpenVPN CA cert
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ openvpn_ca }}" content: "{{ openvpn_ca }}"
dest: /etc/openvpn/ca.crt dest: /etc/openvpn/ca.crt
mode: '0644'
- name: Deploy OpenVPN TLS auth - name: Deploy OpenVPN TLS auth
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ openvpn_ta }}" content: "{{ openvpn_ta }}"
dest: /etc/openvpn/ta.key dest: /etc/openvpn/ta.key
mode: '0600'
- name: Deploy OpenVPN client cert - name: Deploy OpenVPN client cert
ansible.builtin.copy: ansible.builtin.copy:

13
tasks/serial2mqtt.yml
View file

@ -4,7 +4,6 @@
name: name:
- python3-serial - python3-serial
- python3-paho-mqtt - python3-paho-mqtt
state: latest
- name: Clone arduino-sensors-toolkit sources - name: Clone arduino-sensors-toolkit sources
ansible.builtin.git: ansible.builtin.git:
@ -14,11 +13,11 @@
- name: Add serial2mqtt user - name: Add serial2mqtt user
ansible.builtin.user: ansible.builtin.user:
name: serial2mqtt name: serial2mqtt
system: yes system: true
password: '!' password: '!'
home: /var/lib/serial2mqtt home: /var/lib/serial2mqtt
create_home: no create_home: false
append: yes append: true
groups: groups:
- dialout - dialout
@ -34,15 +33,17 @@
ansible.builtin.copy: ansible.builtin.copy:
src: files/serial2mqtt/serial2mqtt.default src: files/serial2mqtt/serial2mqtt.default
dest: /etc/default/serial2mqtt dest: /etc/default/serial2mqtt
mode: '0644'
- name: Copy serial2mqtt service unit - name: Copy serial2mqtt service unit
ansible.builtin.copy: ansible.builtin.copy:
src: files/serial2mqtt/serial2mqtt.service src: files/serial2mqtt/serial2mqtt.service
dest: /etc/systemd/system/serial2mqtt.service dest: /etc/systemd/system/serial2mqtt.service
mode: '0644'
- name: Start serial2mqtt service - name: Start serial2mqtt service
ansible.builtin.systemd: ansible.builtin.systemd:
name: serial2mqtt.service name: serial2mqtt.service
daemon_reload: yes daemon_reload: true
state: restarted state: restarted
enabled: yes enabled: true

3
tasks/ssh.yml
View file

@ -2,7 +2,6 @@
- name: Install OpenSSH - name: Install OpenSSH
ansible.builtin.apt: ansible.builtin.apt:
name: openssh-server name: openssh-server
state: latest
- name: Allow authorized keys - name: Allow authorized keys
ansible.posix.authorized_key: ansible.posix.authorized_key:
@ -20,7 +19,7 @@
mode: '0644' mode: '0644'
- name: Reload and enable SSH service - name: Reload and enable SSH service
service: ansible.builtin.service:
name: ssh name: ssh
state: reloaded state: reloaded
enabled: true enabled: true

2
tasks/sysctl.yml
View file

@ -5,4 +5,4 @@
value: '1' value: '1'
state: present state: present
sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
reload: yes reload: true

5
tasks/telegraf.yml
View file

@ -3,6 +3,7 @@
ansible.builtin.template: ansible.builtin.template:
src: telegraf/influxdata.list.j2 src: telegraf/influxdata.list.j2
dest: /etc/apt/sources.list.d/influxdata.list dest: /etc/apt/sources.list.d/influxdata.list
mode: '0644'
- name: Download influxdata APT key - name: Download influxdata APT key
ansible.builtin.apt_key: ansible.builtin.apt_key:
@ -15,12 +16,14 @@
- telegraf - telegraf
- lm-sensors - lm-sensors
update_cache: true update_cache: true
state: latest
- name: Generate telegraf configurations - name: Generate telegraf configurations
ansible.builtin.template: ansible.builtin.template:
src: "telegraf/{{ item }}.conf.j2" src: "telegraf/{{ item }}.conf.j2"
dest: "/etc/telegraf/telegraf.d/{{ item }}.conf" dest: "/etc/telegraf/telegraf.d/{{ item }}.conf"
mode: '0640'
owner: root
group: telegraf
loop: loop:
- inputs - inputs
- output - output

1
tasks/time.yml
View file

@ -2,3 +2,4 @@
- name: Manage time zone - name: Manage time zone
ansible.builtin.command: ansible.builtin.command:
cmd: "timedatectl set-timezone {{ timezone }}" cmd: "timedatectl set-timezone {{ timezone }}"
changed_when: true

1
tasks/users.yml
View file

@ -11,4 +11,5 @@
src: files/users/bashrc src: files/users/bashrc
owner: "{{ item['name'] }}" owner: "{{ item['name'] }}"
group: "{{ item['name'] }}" group: "{{ item['name'] }}"
mode: '0644'
loop: "{{ users }}" loop: "{{ users }}"

1
tasks/vim.yml
View file

@ -8,6 +8,7 @@
ansible.builtin.copy: ansible.builtin.copy:
src: files/vim/vimrc src: files/vim/vimrc
dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}" dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}"
mode: '0644'
loop: "{{ users }}" loop: "{{ users }}"
loop_control: loop_control:
label: "{{ item['name'] }}" label: "{{ item['name'] }}"

3
upgrade.yml
View file

@ -2,4 +2,5 @@
- name: Upgrade systems - name: Upgrade systems
hosts: all hosts: all
tasks: tasks:
- include_tasks: tasks/apt-upgrade.yml - name: Run apt upgrade
ansible.builtin.include_tasks: tasks/apt-upgrade.yml