158 lines
4.5 KiB
YAML
158 lines
4.5 KiB
YAML
---
|
|
- name: "BASE-SYSTEM: Common Setup for All Nodes"
|
|
hosts: all
|
|
gather_facts: yes
|
|
vars_files:
|
|
- "group_vars/all/vault.yml"
|
|
pre_tasks:
|
|
- name: Set inventory_env fact
|
|
ansible.builtin.set_fact:
|
|
inventory_env: "{{ inventory_file | basename | splitext | first | replace('inventory.', '') }}"
|
|
- name: Load environment-specific variables
|
|
ansible.builtin.include_vars: "{{ item }}"
|
|
with_fileglob:
|
|
- "group_vars/all/generated_vars{{ '.' + inventory_env if inventory_env else '' }}.yml"
|
|
- name: Announce base system setup
|
|
ansible.builtin.debug:
|
|
msg: "Starting base system setup on {{ inventory_hostname }}"
|
|
|
|
tasks:
|
|
# 1. Install System Essentials
|
|
- name: Install NTP for time synchronization
|
|
ansible.builtin.apt:
|
|
name: ntp
|
|
state: present
|
|
become: yes
|
|
|
|
- name: Ensure NTP service is started and enabled
|
|
ansible.builtin.service:
|
|
name: ntp
|
|
state: started
|
|
enabled: yes
|
|
become: yes
|
|
|
|
- name: Install pipx
|
|
ansible.builtin.apt:
|
|
name: pipx
|
|
state: present
|
|
become: yes
|
|
|
|
- name: Install Glances for system monitoring
|
|
ansible.builtin.command: pipx install glances[all]
|
|
args:
|
|
creates: "{{ ansible_env.HOME }}/.local/bin/glances"
|
|
become: yes
|
|
become_user: "{{ ansible_user }}"
|
|
|
|
- name: Install base system packages for tools
|
|
ansible.builtin.apt:
|
|
name:
|
|
- unzip
|
|
- wget
|
|
- xz-utils
|
|
- build-essential
|
|
- python3-pip
|
|
state: present
|
|
update_cache: yes
|
|
become: yes
|
|
|
|
# 2. Secure the Host
|
|
- name: Copy secure sshd_config
|
|
ansible.builtin.copy:
|
|
src: "configs/etc/ssh/sshd_config"
|
|
dest: "/etc/ssh/sshd_config"
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
become: yes
|
|
notify: Restart sshd
|
|
|
|
- name: Include Fail2ban role
|
|
ansible.builtin.include_role:
|
|
name: fail2ban
|
|
|
|
# 3. Manage Hostname Resolution
|
|
- name: Update /etc/hosts file for cluster name resolution
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/hosts
|
|
regexp: '.* {{ item }}$'
|
|
line: "{{ hostvars[item].ansible_host }} {{ item }}"
|
|
state: present
|
|
loop: "{{ groups['all'] }}"
|
|
become: yes
|
|
|
|
# 4. Install Docker
|
|
- name: Install Docker
|
|
block:
|
|
- name: Check if Docker is already installed
|
|
ansible.builtin.stat:
|
|
path: /usr/bin/docker
|
|
register: docker_binary
|
|
|
|
- name: Install Docker if not present
|
|
block:
|
|
- name: Add Docker's official GPG key
|
|
ansible.builtin.apt_key:
|
|
url: https://download.docker.com/linux/ubuntu/gpg
|
|
state: present
|
|
|
|
- name: Set up the Docker repository
|
|
ansible.builtin.apt_repository:
|
|
repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename }} stable"
|
|
state: present
|
|
|
|
- name: Install prerequisites for Docker
|
|
ansible.builtin.apt:
|
|
name:
|
|
- apt-transport-https
|
|
- ca-certificates
|
|
- curl
|
|
- software-properties-common
|
|
state: present
|
|
update_cache: yes
|
|
|
|
- name: Install Docker Engine and Docker Compose
|
|
ansible.builtin.apt:
|
|
name:
|
|
- docker-ce
|
|
- docker-ce-cli
|
|
- containerd.io
|
|
- docker-compose-plugin
|
|
- python3-docker
|
|
state: present
|
|
update_cache: yes
|
|
when: not docker_binary.stat.exists
|
|
become: yes
|
|
|
|
# 5. Configure Docker Service & User
|
|
- name: Ensure Docker service is started and enabled
|
|
ansible.builtin.service:
|
|
name: docker
|
|
state: started
|
|
enabled: yes
|
|
become: yes
|
|
|
|
- name: Add deploy user to the docker group
|
|
ansible.builtin.user:
|
|
name: "{{ ansible_user }}"
|
|
groups: docker
|
|
append: yes
|
|
become: yes
|
|
|
|
- name: Reset SSH connection to apply group changes
|
|
ansible.builtin.meta: reset_connection
|
|
|
|
# 6. Create Shared Docker Network
|
|
- name: Ensure shared Docker network exists
|
|
community.docker.docker_network:
|
|
name: "{{ docker_network_name }}"
|
|
driver: bridge
|
|
become: yes
|
|
|
|
handlers:
|
|
- name: Restart sshd
|
|
ansible.builtin.service:
|
|
name: ssh
|
|
state: restarted
|
|
become: yes
|