ynerant/templier-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: ynerant:f57b1f1b3e025609a4a0cea305ac0fb4fcac4927
Branches Tags
ynerant:main
..
compare: ynerant:main
Branches Tags
ynerant:main

21 Commits
f57b1f1b3e ... main

Author SHA1 Message Date
Emmy D'Anello
da79c9264a Unattend-upgrades upgrade also debian-updates and debian-backports 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-09 10:54:16 +02:00
Emmy D'Anello
34c7601cf7 Don't use password for nullmailer 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-09 10:50:47 +02:00
Emmy D'Anello
fb1b19bcfd testing server got deleted, minecraft server is temporary down 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 14:38:43 +02:00
Emmy D'Anello
37ccc19e04 Drop useless step 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 14:38:43 +02:00
Emmy D'Anello
41c9135dfe Galène uses backports 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 14:38:43 +02:00
Emmy D'Anello
d320cc0a44 Configure unattended-upgrades 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 14:38:43 +02:00
Emmy D'Anello
0d560218e2 Add Belenios and Galène 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 14:38:43 +02:00
Emmy D'Anello
f56276b15b Fix URL in header 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 13:33:27 +02:00
Emmy D'Anello
cf37b94440 Add Belenios and Galène 
Signed-off-by: Emmy D'Anello <ynerant@emy.lu>
 2023-04-03 13:18:41 +02:00
Emmy D'Anello
9169d8e6c6 Add tgvmax 
Signed-off-by: Emmy D'Anello <ynerant@crans.org>
 2023-02-12 13:45:35 +01:00
Emmy D'Anello
9eb88e6417 nupes is on srv-nat, not adh 
Signed-off-by: Emmy D'Anello <ynerant@crans.org>
 2023-02-12 13:45:29 +01:00
Emmy D'Anello
7cfd15a08f Drop deleted hosts 
Signed-off-by: Emmy D'Anello <ynerant@crans.org>
 2023-01-12 12:52:55 +01:00
Emmy D'Anello
414950f4b5 Remove laptop-specific code 
Signed-off-by: Emmy D'Anello <ynerant@crans.org>
 2023-01-12 12:50:19 +01:00
Emmy D'Anello
7f4f846408 Lot of stuff 
Signed-off-by: Emmy D'Anello <ynerant@crans.org>
 2023-01-12 12:36:32 +01:00
Yohann D'ANELLO
de76ae0085 There is no VM < Bullseye 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2022-07-30 17:34:42 +02:00
Yohann D'ANELLO
a686970b0f [sudo] Replace # by @ 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2022-06-27 16:33:42 +02:00
Yohann D'ANELLO
4fe3babc83 bullseye-security exists 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-11-10 11:46:53 +01:00
Yohann D'ANELLO
a1683dbf19 Synapse has Internet 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-06-22 23:01:17 +02:00
Yohann D'ANELLO
88ac609897 Replace template_path by template_fullpath in Ansible header 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-06-08 17:03:22 +02:00
Yohann D'ANELLO
2a5f6621b6 Add monitoring 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-06-08 16:59:10 +02:00
Yohann D'ANELLO
f7de61b6e2 Fix base playbook order 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
 2021-06-04 17:32:50 +02:00
112 changed files with 1246 additions and 1700 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
__pycache__
debug.yml

20
group_vars/all/all.yml
View File

@@ -1,14 +1,14 @@
---
# Custom header
dirty: "{% if template_path is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_path | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}"
dirty: "{% if template_fullpath is defined %}{{ lookup('pipe', 'git diff --quiet -- ' + template_fullpath | quote + ' || echo dirty') }}{% else %}{{ lookup('pipe', 'git diff --quiet || echo dirty') }}{% endif %}"
ansible_header: |
+++++++++++++++++++++++++++++++++++++++++++++++++++
Ansible managed, don't modify the file locally.
See https://gitlab.crans.org/ynerant/templier-ansible.
{% if template_path is defined %}{% set _, rpath = template_path.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_path | quote) }}
See https://git.ynerant.fr/ynerant/templier-ansible.
{% if template_fullpath is defined %}{% set _, rpath = template_fullpath.split('roles/', 1) %}Commit: {% if dirty %}({{dirty}}) {% endif %}{{ lookup('pipe', 'git log -n 1 --pretty=format:%H -- ' + template_fullpath | quote) }}
{% if dirty %}Run by: {{ ansible_env.SUDO_USER }}
{% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_path | quote) }}
{% else %}Author: {{ lookup('pipe', 'git log -n 1 --pretty=format:%an -- ' + template_fullpath | quote) }}
{% endif %}Template: roles/{{ rpath }}
{% else %}
Run by: {{ ansible_env.SUDO_USER }}
@@ -23,18 +23,6 @@ glob_ldap:
base: 'dc=ynerant,dc=fr'
pass:
upstream: 'ssh://git@git.ynerant.fr:2222/ynerant/pass.git'
dest: '.password-store/'
cliutils:
bash:
bogus_dirs: []
git:
email: ynerant@crans.org
name: Yohann D'ANELLO
signingkey: 3A75C55819C8CF85
bind:
domains:
- name: ynerant.fr

2
group_vars/all/home.yml
View File

@@ -1,4 +1,4 @@
---
glob_home:
ip: 172.16.42.1
mountpoint: /rpool/home
mountpoint: /vm/home

10
group_vars/all/network_interfaces.yml
View File

@@ -1,10 +1,10 @@
glob_network_interfaces:
vlan:
- name: srv
id: 1
gateway: "185.230.76.62"
dns: "{{ query('ldap', 'ip', 'routeur-templier', 'srv') | ipv4 | first }}"
gateway_v6: "2a0c:700:3012::ff:fe02:112"
- name: adh
id: 12
gateway: "185.230.78.99"
dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adh') | ipv4 | first }}"
gateway_v6: "2a0c:700:12::ff:fe00:9912"
- name: adm
id: 42
dns: "{{ query('ldap', 'ip', 'routeur-templier', 'adm') | ipv4 | first }}"

2
group_vars/all/nullmailer.yml
View File

@@ -4,5 +4,3 @@ glob_nullmailer:
smtp_server: smtp.adm.ynerant.fr
defaulthost: ynerant.fr
allmailfrom: root@ynerant.fr
username: noreply@ynerant.fr
password: "{{ vault.mailu_password }}"

3
group_vars/all/prometheus_node_exporter.yaml Normal file
View File

@@ -0,0 +1,3 @@
---
glob_prometheus_node_exporter:
listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

4
group_vars/debian.yml
View File

@@ -2,9 +2,9 @@
glob_apt:
mirror: "http://mirror.adm.ynerant.fr/"
backports: false
monitoring_mail: "ynerant+apt@emy.lu"
extra_repositories: []
pin:
bullseye: []
pin: {}
glob_root:
passwd_hash: '{{ vault.root_passwd_hash }}'

7
group_vars/grafana.yml Normal file
View File

@@ -0,0 +1,7 @@
---
glob_grafana:
root_url: https://grafana.ynerant.fr
icon: crans_icon_white.svg
ldap_base: "{{ glob_ldap.base }}"
ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"

4
group_vars/laptop.yml
View File

@@ -1,4 +0,0 @@
---
user:
name: ynerant
root: yes

3
group_vars/nginx.yml
View File

@@ -30,3 +30,6 @@ glob_nginx:
- "172.16.0.0/16"
- "fd00:0:0:42::/64"
deploy_robots_file: false
glob_prometheus_nginx_exporter:
listen_addr: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipv4 | first }}"

9
group_vars/prometheus.yml Normal file
View File

@@ -0,0 +1,9 @@
---
glob_prometheus: {}
glob_ninjabot:
config:
nick: templier
server: irc.crans.org
port: 6667
channel: "#/dev/null"

4
host_vars/belenios.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

3
host_vars/borg.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,3 @@
---
interfaces:
adm: ens18

4
host_vars/dendrite.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

4
host_vars/dt.adh.crans.org.yml
View File

@@ -1,4 +0,0 @@
---
user:
name: ynerant
root: yes

4
host_vars/fosscord.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

7
host_vars/galene.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,7 @@
---
interfaces:
adm: ens18
srv_nat: ens19
loc_apt:
backports: true

1
host_vars/localhost
View File

@@ -1 +0,0 @@
ynerant-thinkpad.wifi.sand.auro.re.yml

4
host_vars/mastodon.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

4
host_vars/minecraft.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

70
host_vars/monitoring.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,70 @@
---
interfaces:
adm: eth0
srv_nat: eth1
loc_prometheus:
node:
file: targets_node.json
targets: "{{ groups['server'] | select('match', '^.*\\.adm\\.ynerant\\.fr$') | list | sort }}"
config:
- job_name: servers
file_sd_configs:
- files:
- '/etc/prometheus/targets_node.json'
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- source_labels: [__param_target]
target_label: __address__
replacement: '$1:9100'
nginx:
file: targets_nginx.json
targets:
- proxy.adm.ynerant.fr
config:
- job_name: nginx
file_sd_configs:
- files:
- '/etc/prometheus/targets_nginx.json'
relabel_configs:
- source_labels: [__address__]
target_label: instance
- source_labels: [instance]
target_label: __address__
replacement: '$1:9117'
blackbox:
file: targets_blackbox.json
targets:
- https://ynerant.fr/
- https://bibliogram.ynerant.fr/
- https://element.ynerant.fr/
- https://gitea.ynerant.fr/
- https://grafana.ynerant.fr/
- https://hydrogen.ynerant.fr/
- https://nextcloud.ynerant.fr/
- https://mailu.ynerant.fr/
- http://notls.ynerant.fr/
- https://reddit.ynerant.fr/
- https://thelounge.ynerant.fr/
- https://translate.ynerant.fr/
- https://kfet.saperlistpopette.fr/
config:
- job_name: blackbox
file_sd_configs:
- files:
- '/etc/prometheus/targets_blackbox.json'
metrics_path: /probe
params:
module: [http_2xx] # Look for a HTTP 200 response.
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9115

4
host_vars/nupes.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

4
host_vars/pad.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

4
host_vars/peertube.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

2
host_vars/routeur-templier.adm.ynerant.fr.yml
View File

@@ -1,5 +1,5 @@
---
interfaces:
adm: ens18
srv: ens19
adh: ens19
srv_nat: ens20

4
host_vars/tealc.crans.org.yml
View File

@@ -1,4 +0,0 @@
---
user:
name: ynerant
root: no

4
host_vars/templier.adh.crans.org.yml
View File

@@ -1,4 +0,0 @@
---
user:
name: ynerant
root: yes

8
host_vars/templier.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,8 @@
---
loc_certbot:
- dns_rfc2136_server: '172.16.42.103'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: ynerant@crans.org
certname: adm.ynerant.fr
domains: "*.adm.ynerant.fr"

4
host_vars/tgvmax.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

4
host_vars/wireguard.adm.ynerant.fr.yml Normal file
View File

@@ -0,0 +1,4 @@
---
interfaces:
adm: ens18
srv_nat: ens19

9
host_vars/ynerant-pc.fil.sand.auro.re.yml
View File

@@ -1,9 +0,0 @@
---
user:
name: ynerant
root: yes
laptop:
numpad: true
resolution: 1440p
gpu: true

10
host_vars/ynerant-thinkpad.wifi.sand.auro.re.yml
View File

@@ -1,10 +0,0 @@
---
user:
name: ynerant
root: yes
laptop:
numpad: false
resolution: 1080p
touchscreen: true
gpu: false

4
host_vars/zamok.crans.org.yml
View File

@@ -1,4 +0,0 @@
---
user:
name: ynerant
root: no

53
hosts
View File

@@ -1,35 +1,32 @@
[archlinux:children]
perso
[babel]
babel0.adm.ynerant.fr
babel1.adm.ynerant.fr
babel2.adm.ynerant.fr
babel3.adm.ynerant.fr
babel4.adm.ynerant.fr
babel5.adm.ynerant.fr
babel6.adm.ynerant.fr
[blackbox]
monitoring.adm.ynerant.fr
[certbot]
proxy.adm.ynerant.fr
templier.adm.ynerant.fr
[debian:children]
server
[grafana]
monitoring.adm.ynerant.fr
[nginx]
nupes.adm.ynerant.fr
tgvmax.adm.ynerant.fr
[nginx:children]
reverseproxy
[ntp_server]
routeur-templier.adm.ynerant.fr
[perso]
ynerant-pc.fil.sand.auro.re
ynerant-thinkpad.wifi.sand.auro.re
localhost
[postfix]
mailu.adm.ynerant.fr
[prometheus]
monitoring.adm.ynerant.fr
[reverseproxy]
proxy.adm.ynerant.fr
@@ -44,25 +41,27 @@ vm
templier.adm.ynerant.fr
[virtu]
# dt.adh.crans.org
templier.adm.ynerant.fr
[vm]
# candilib.adm.ynerant.fr
belenios.adm.ynerant.fr
borg.adm.ynerant.fr
dendrite.adm.ynerant.fr
docker.adm.ynerant.fr
dns.adm.ynerant.fr
fosscord.adm.ynerant.fr
galene.adm.ynerant.fr
gitea.adm.ynerant.fr
mailu.adm.ynerant.fr
mastodon.adm.ynerant.fr
#minecraft.adm.ynerant.fr
monitoring.adm.ynerant.fr
nextcloud.adm.ynerant.fr
nupes.adm.ynerant.fr
pad.adm.ynerant.fr
peertube.adm.ynerant.fr
psql.adm.ynerant.fr
proxy.adm.ynerant.fr
re6st.adm.ynerant.fr
routeur-templier.adm.ynerant.fr
synapse.adm.ynerant.fr
[vm:children]
babel
[all:vars]
# Force remote to use Python 3
ansible_python_interpreter=/usr/bin/env python3
tgvmax.adm.ynerant.fr
wireguard.adm.ynerant.fr

8
lookup_plugins/ldap.py
View File

@@ -51,7 +51,7 @@ class LookupModule(LookupBase):
network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
network_result = self.base.result(network_query_id)
vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
if vlan == 'srv':
if vlan == 'adh':
query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
else:
query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@@ -82,7 +82,7 @@ class LookupModule(LookupBase):
network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
network_result = self.base.result(network_query_id)
vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
if vlan == 'srv':
if vlan == 'adh':
query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
else:
query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@@ -168,7 +168,7 @@ class LookupModule(LookupBase):
network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
network_result = self.base.result(network_query_id)
vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
if vlan == 'srv':
if vlan == 'adh':
query_id = self.base.search(f"cn={host}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
else:
query_id = self.base.search(f"cn={host}.{vlan}.ynerant.fr,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
@@ -187,7 +187,7 @@ class LookupModule(LookupBase):
res = []
for _, network in result[1]:
network = network['cn'][0].decode('utf-8')
if network == 'srv':
if network == 'adh':
res.append('ynerant.fr')
else:
res.append(f"{network}.ynerant.fr")

27
plays/base.yml
View File

@@ -2,45 +2,22 @@
---
- import_playbook: root.yml
- import_playbook: network_interfaces.yml
- import_playbook: apt.yml
- import_playbook: network_interfaces.yml
- import_playbook: ntp.yml
- import_playbook: ldap-client.yml
- import_playbook: home.yml
- import_playbook: nullmailer.yml
- import_playbook: monitoring.yml
- hosts: debian
roles:
- sudo
- qemu-guest-agent
- hosts: all
roles:
- cli-utils
- vim
- ssh
#- hosts: templier.adh.crans.org
# roles:
# - bind
# - docker
# become: yes
- hosts: perso
roles:
# - sudo
- systemd
- pacman
- ntp-client-arch
- texlive
- xorg
- i3
- terminal
- notification
- mime
- audio
- multimedia
- pass
- communication
- browser
# - scripts

38
plays/monitoring.yml Executable file
View File

@@ -0,0 +1,38 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Prometheus on monitoring server
- hosts: prometheus
vars:
prometheus: "{{ glob_prometheus | default({}) | combine(loc_prometheus | default({})) }}"
alertmanager: "{{ glob_alertmanager | default({}) | combine(loc_alertmanager | default({})) }}"
ninjabot: "{{ glob_ninjabot | default({}) | combine(loc_ninjabot | default({})) }}"
roles:
- prometheus
- prometheus-alertmanager
- ninjabot
# Deploy Grafana on monitoring server
- hosts: grafana
vars:
grafana: "{{ glob_grafana | default({}) | combine(loc_grafana | default({})) }}"
roles:
- grafana
- hosts: blackbox
roles:
- prometheus-blackbox-exporter
# Monitor all hosts
- hosts: server
vars:
prometheus_node_exporter: "{{ glob_prometheus_node_exporter | default({}) | combine(loc_prometheus_node_exporter | default({})) }}"
roles:
- prometheus-node-exporter
# Export nginx metrics
- hosts: nginx
vars:
prometheus_nginx_exporter: "{{ glob_prometheus_nginx_exporter | default({}) | combine(loc_prometheus_nginx_exporter | default({})) }}"
roles:
- prometheus-nginx-exporter

32
roles/apt/tasks/apt-listchanges.yml Normal file
View File

@@ -0,0 +1,32 @@
---
# Install apt-listchanges
- name: Install apt-listchanges
when: ansible_os_family == "Debian"
apt:
name: apt-listchanges
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
# Send email when there is something new
- name: Configure apt-listchanges
ini_file:
path: /etc/apt/listchanges.conf
no_extra_spaces: true
section: apt
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
mode: 0644
loop:
- option: confirm
value: "true"
- option: email_address
value: "{{ apt.monitoring_mail }}"
- option: which
value: both
...

20
roles/apt/tasks/apt-unattended.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Install unattended-upgrades
when: ansible_os_family == "Debian"
apt:
name: unattended-upgrades
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure unattended-upgrades
template:
src: "apt/apt.conf.d/{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
mode: u=rw,g=r,o=r
loop:
- 50unattended-upgrades
- 20auto-upgrades

27
roles/apt/tasks/main.yml
View File

@@ -1,14 +1,5 @@
---
- name: Clear charybde configuration
lineinfile:
state: absent
path: /etc/hosts
regex: "^{{ item }}"
loop:
- "185.230.79.30"
- "2a0c:700:2:0:ea39:35ff:fef0:48c9"
- name: Add mirror.crans.org in /etc/hosts
- name: Add mirror.adm.ynerant.fr in /etc/hosts
lineinfile:
state: present
path: /etc/hosts
@@ -36,6 +27,7 @@
loop: "{{ apt.extra_repositories }}"
- name: Configure pin from future distributions
when: item[2].key != ansible_distribution_release
template:
src: "apt/{{ item[0] }}.d/pin{{ item[1] }}.j2"
dest: "/etc/apt/{{ item[0] }}.d/{{ item[2].key }}{{ item[1] }}"
@@ -46,6 +38,21 @@
- [["sources.list", ".list"], ["preferences", ""]]
- "{{ apt.pin|dict2items }}"
- name: Clear useless pinned configuration
when: item[2].key == ansible_distribution_release
file:
path: "/etc/apt/{{ item[0] }}.d/{{ item[2].key }}{{ item[1] }}"
state: absent
with_nested:
- [["sources.list", ".list"], ["preferences", ""]]
- "{{ apt.pin|dict2items }}"
- name: Update APT cache
apt:
update_cache: true
# APT-List Changes : send email with changelog
- include_tasks: apt-listchanges.yml
# APT Unattended upgrades
- include_tasks: apt-unattended.yml

4
roles/apt/templates/apt/apt.conf.d/20auto-upgrades.j2 Normal file
View File

@@ -0,0 +1,4 @@
{{ ansible_header | comment }}
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

175
roles/apt/templates/apt/apt.conf.d/50unattended-upgrades.j2 Normal file
View File

@@ -0,0 +1,175 @@
{{ ansible_header | comment }}
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
"origin=Debian Backports,codename=${distro_codename}-backports,label=Debian Backports"
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";
Unattended-Upgrade::Mail "{{ apt.monitoring_mail }}";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot "true";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
Unattended-Upgrade::SyslogEnable "true";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

5
roles/apt/templates/apt/sources.list.j2
View File

@@ -1,11 +1,8 @@
{{ ansible_header | comment }}
{% if ansible_distribution_release != "bullseye" %}
{# Debian security does not exist yet for bullseye #}
# Mises à jour de sécurité
deb {{ apt.mirror }}debian-security {{ ansible_distribution_release }}/updates main contrib non-free
deb {{ apt.mirror }}debian-security {{ ansible_distribution_release }}-security main contrib non-free
{% endif %}
# Dépôt classique
deb {{ apt.mirror }}debian {{ ansible_distribution_release }} main contrib non-free

11
roles/audio/tasks/main.yml
View File

@@ -1,11 +0,0 @@
---
- name: Queries package manager for audio installation
package:
name:
- alsa-utils
- pulseaudio
- pulsemixer
register: pkg_result
retries: 3
until: pkg_result is succeeded

9
roles/browser/tasks/main.yml
View File

@@ -1,9 +0,0 @@
---
- name: Queries package manager for browser installation
package:
name:
- firefox
- firefox-i18n-fr
register: pkg_result
retries: 3
until: pkg_result is succeeded

40
roles/cli-utils/tasks/main.yml
View File

@@ -1,18 +1,21 @@
---
- name: Install cli utilities
- name: Install useful utilities
package:
name:
- bash
- bash-completion
- bat
- curl
- "{% if ansible_os_family == 'Debian' %}dnsutils{% else %}bind-tools{% endif %}"
- dnsutils
- git
- man
- "mtr{% if ansible_os_family == 'Debian' %}-tiny{% endif %}"
- sl
- htop
- man
- molly-guard
- mtr-tiny
- needrestart
- patch
- rsync
- sl
- sudo
- tmux
- traceroute
@@ -21,30 +24,3 @@
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Create directory hierarchy
file:
path: '.config/{{ item }}'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0755
with_items:
- 'git/'
- 'bash/'
become_user: "{{ user.name }}"
- name: Deploying config files
template:
src: '{{ item.src }}'
dest: '{{ item.dest }}'
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0644
with_items:
- { src: bashrc.j2, dest: .bashrc }
- { src: inputrc.j2, dest: .inputrc }
- { src: bash_aliases.j2, dest: .config/bash/bash_aliases }
- { src: gitconfig.j2, dest: .config/git/config }
- { src: tmux.conf.j2, dest: .tmux.conf }
become_user: '{{ user.name }}'

56
roles/cli-utils/templates/bash_aliases.j2
View File

@@ -1,56 +0,0 @@
#!/bin/bash
{{ ansible_header | comment }}
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
alias grep='grep --color=always'
alias fgrep='fgrep --color=always'
alias egrep='egrep --color=always'
fi
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias cd='cd -P'
alias ip='ip -c'
alias less='less -R'
{% if ansible_os_family == "Archlinux" -%}
alias startx='exec startx'
{% endif %}
alias gst='git status -s'
alias proxy='ssh -q -C -N -D 8080'
alias wip='watch -c ip -c'
# Shortcuts to open ports
alias ldap_tealc="ssh -L 1636:tealc.adm.crans.org:636 tealc.adm.crans.org"
alias sam="ssh -L 8006:sam.adm.crans.org:8006 sam.adm.crans.org"
alias jack="ssh -L 8006:jack.adm.crans.org:8006 jack.adm.crans.org"
alias daniel="ssh -L 8006:daniel.adm.crans.org:8006 daniel.adm.crans.org"
alias vi=vim
{% if ansible_os_family == "Debian" -%}
alias bat=batcat
{% endif -%}
alias cat=bat
# Add some emoji aliases
alias 🦇=bat
alias 🐈=cat
alias 🚆=sl
alias 🚂=sl
alias 🚅=sl
alias 💿=cd
{% if ansible_os_family == "Archlinux" -%}
{# Personal computer #}
alias 🐿️="cd /home/ynerant/PycharmProjects/SquirrelBattle && venv/bin/python main.py"
{% endif -%}

59
roles/cli-utils/templates/bashrc.j2
View File

@@ -1,59 +0,0 @@
{{ ansible_header | comment }}
[ -z "$PS1" ] && return
HISTCONTROL=ignoredups:ignorespace
HISTFILE=/dev/null
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe.sh ] && eval "$(SHELL=/bin/sh lesspipe.sh)"
PROMPT_COMMAND=__prompt
__prompt() {
retline=$?
gitline=$(git branch 2> /dev/null | grep '^*' | awk '{print $2}')
# COLORS
RED='\[\e[01;31m\]'
GREEN='\[\e[01;32m\]'
ORANGE='\[\e[01;33m\]'
BLUE='\[\e[01;34m\]'
NC='\[\e[0m\]'
PS1=""
PS1+="$GREEN\u@\h$NC" # user@host
PS1+=" $BLUE\W$NC" # pwd
[ -z $gitline ] || PS1+=" $ORANGE$gitline$NC"
PS1="[ $PS1 ]"
[ $retline -ne 0 ] && PS1+=" $RED$retline$NC "
PS1+="\$ "
return $ret
}
if [ -f ~/.config/bash/bash_aliases ]; then
. ~/.config/bash/bash_aliases
fi
rm -rf {{ cliutils.bash.bogus_dirs | join(" ") }}
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
fi
export XDG_CONFIG_HOME=~/.config/
grep -q '/\.local/bin'<<<$PATH || export PATH=$PATH:~/.local/bin/
## REMOVING LESSHST
LESSHISTFILE=/dev/null
export EDITOR='vim'
export PASSWORD_STORE_ENABLE_EXTENSIONS=true

15
roles/cli-utils/templates/gitconfig.j2
View File

@@ -1,15 +0,0 @@
{{ ansible_header | comment }}
[user]
email = {{ cliutils.git.email }}
name = {{ cliutils.git.name }}
signingkey = {{ cliutils.git.signingkey }}
[commit]
gpgsign = true
[core]
autocrlf = input
editor = vim
[format]
signoff = true
[pull]
ff = only

3
roles/cli-utils/templates/inputrc.j2
View File

@@ -1,3 +0,0 @@
{{ ansible_header | comment }}
set mark-symlinked-directories on

34
roles/cli-utils/templates/tmux.conf.j2
View File

@@ -1,34 +0,0 @@
{{ ansible_header | comment }}
unbind r
bind r source-file ~/.tmux.conf
set -g mouse on
## set the default TERM
set -g default-terminal screen
## update the TERM variable of terminal emulator when creating a new session or attaching a existing session
set -g update-environment 'DISPLAY SSH_ASKPASS SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY TERM'
## determine if we should enable 256-colour support
if "[[ ${TERM} =~ 256color || ${TERM} == fbterm ]]" 'set -g default-terminal screen-256color'
# use the vim motion keys to move between panes
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
bind l select-pane -R
setw -g mode-keys vi
bind < resize-pane -L 10
bind > resize-pane -R 10
bind - resize-pane -D 10
bind + resize-pane -U 10
bind-key -T copy-mode-vi 'v' send -X begin-selection;
bind-key -T copy-mode-vi 'V' send -X select-line;
bind-key -T copy-mode-vi 'r' send -X rectangle-toggle;
bind-key -T copy-mode-vi 'y' send -X copy-pipe-and-cancel 'xclip -in -selection clipboard'
set -g base-index 1
set -g status-bg colour41

51
roles/communication/tasks/main.yml
View File

@@ -1,51 +0,0 @@
---
- name: Queries package manager for communication installation
package:
name:
- discord
- element-desktop
- evolution
- gnome-keyring
- gnome-themes-extra
- lxappearance
- seahorse
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Create lxappearance directory hierarchy
file:
path: '{{ item }}'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0700
with_items:
- '.config/gtk-3.0/'
- '.icons/default/'
become_user: '{{ user.name }}'
- name: Enable dark mode for evolution
template:
src: '{{ item.src }}'
dest: '{{ item.dest }}'
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0644
with_items:
- { src: 'gtkrc.j2', dest: '.gtkrc-2.0' }
- { src: 'settings.ini.j2', dest: '.config/gtk-3.0/settings.ini' }
- { src: 'index.theme.j2', dest: '.icons/default/index.theme'}
become_user: '{{ user.name }}'
- name: Create evolution config and cache parent directories
file:
path: '{{ item }}'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0700
with_items:
- '.config/'
- '.local/share/'
become_user: '{{ user.name }}'

20
roles/communication/templates/gtkrc.j2
View File

@@ -1,20 +0,0 @@
{{ ansible_header | comment }}
# DO NOT EDIT! This file will be overwritten by LXAppearance.
# Any customization should be done in ~/.gtkrc-2.0.mine instead.
include "/home/ynerant/.gtkrc-2.0.mine"
gtk-theme-name="Adwaita-dark"
gtk-icon-theme-name="Adwaita"
gtk-cursor-theme-name="Adwaita"
gtk-cursor-theme-size=0
gtk-toolbar-style=GTK_TOOLBAR_TEXT
gtk-toolbar-icon-size=GTK_ICON_SIZE_SMALL_TOOLBAR
gtk-button-images=0
gtk-menu-images=0
gtk-enable-event-sounds=0
gtk-enable-input-feedback-sounds=0
gtk-xft-antialias=1
gtk-xft-hinting=0
gtk-xft-hintstyle="hintnone"
gtk-xft-rgba="none"

6
roles/communication/templates/index.theme.j2
View File

@@ -1,6 +0,0 @@
{{ ansible_header | comment }}
[Icon Theme]
Name=Default
Comment=Default Cursor Theme
Inherits=Adwaita

17
roles/communication/templates/settings.ini.j2
View File

@@ -1,17 +0,0 @@
{{ ansible_header | comment }}
[Settings]
gtk-theme-name=Adwaita
gtk-icon-theme-name=Adwaita
gtk-cursor-theme-name=Adwaita
gtk-cursor-theme-size=0
gtk-toolbar-style=GTK_TOOLBAR_TEXT
gtk-toolbar-icon-size=GTK_ICON_SIZE_SMALL_TOOLBAR
gtk-button-images=0
gtk-menu-images=0
gtk-enable-event-sounds=0
gtk-enable-input-feedback-sounds=0
gtk-xft-antialias=1
gtk-xft-hinting=0
gtk-xft-hintstyle=hintnone
gtk-xft-rgba=none

5
roles/grafana/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Restart grafana
service:
name: grafana-server
state: restarted

100
roles/grafana/tasks/main.yml Normal file
View File

@@ -0,0 +1,100 @@
---
- name: Install GPG
apt:
name: gnupg
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Import Grafana GPG signing key
apt_key:
url: https://packages.grafana.com/gpg.key
state: present
validate_certs: false
register: apt_key_result
retries: 3
until: apt_key_result is succeeded
- name: Add Grafana repository
apt_repository:
repo: deb http://mirror.adm.ynerant.fr/grafana/oss/deb stable main
state: present
update_cache: true
- name: Install Grafana
apt:
name: grafana
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Grafana
ini_file:
path: /etc/grafana/grafana.ini
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
mode: 0640
loop:
- section: server
option: root_url
value: "{{ grafana.root_url }}"
- section: analytics
option: reporting_enabled
value: "false"
- section: analytics
option: check_for_updates
value: "false"
- section: security
option: disable_initial_admin_creation
value: "true"
- section: security
option: cookie_secure
value: "true"
- section: snapshots
option: external_enabled
value: "false"
- section: users
option: allow_sign_up
value: "false"
- section: users
option: allow_org_create
value: "false"
- section: auth.anonymous
option: enabled
value: "true"
- section: auth.anonymous
option: hide_version
value: "true"
- section: auth.basic # Only LDAP auth
option: enabled
value: "false"
- section: auth.ldap
option: enabled
value: "true"
- section: alerting
option: enabled
value: "false"
notify: Restart grafana
- name: Configure Grafana LDAP
template:
src: ldap.toml.j2
dest: /etc/grafana/ldap.toml
mode: 0640
notify: Restart grafana
- name: Enable and start Grafana
systemd:
name: grafana-server
enabled: true
state: started
daemon_reload: true
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-grafana
mode: 0755

47
roles/grafana/templates/ldap.toml.j2 Normal file
View File

@@ -0,0 +1,47 @@
{{ ansible_header | comment }}
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "{{ grafana.ldap_master_ipv4 }}"
# Default port is 389 or 636 if use_ssl = true
port = 636
# Set to true if ldap server supports TLS
use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Use direct bind
bind_dn = "uid=%s,{{ grafana.ldap_user_tree }}"
# Useless as we are doing direct bind,
# but without LDAP auth hang
search_filter = "(uid=%s)"
search_base_dns = ["ou=passwd,dc=ynerant,dc=fr"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
group_search_filter_user_attribute = "cn"
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
email = "mail"
# All LDAP members can edit
[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"

3
roles/grafana/templates/update-motd.d/05-service.j2 Executable file
View File

@@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> grafana a été déployé sur cette machine. Voir /etc/grafana/.

35
roles/i3/tasks/main.yml
View File

@@ -1,35 +0,0 @@
---
- name: Queries package manager for graphical instalation
package:
name:
- i3-wm
- i3blocks
- i3status
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Create i3 configuration folder hierarchy
file:
path: '.config/{{ item }}'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0755
with_items:
- i3/
- i3status/
become_user: '{{ user.name }}'
- name: Copy i3 configuration files
template:
src: '{{ item }}.j2'
dest: '.config/{{ item }}/config'
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0755
with_items:
- i3
- i3status
become_user: '{{ user.name }}'

241
roles/i3/templates/i3.j2
View File

@@ -1,241 +0,0 @@
{{ ansible_header | comment }}
# This file has been auto-generated by i3-config-wizard(1).
# It will not be overwritten, so edit it as you like.
#
# Should you change your keyboard layout some time, delete
# this file and re-run i3-config-wizard(1).
#
# i3 config file (v4)
#
# Please see https://i3wm.org/docs/userguide.html for a complete reference!
exec /home/ynerant/.fehbg
exec dunst
exec nm-applet
exec battery
exec mpd
exec mpd_reader
{% if laptop.numpad %}
exec numlockx
{% endif %}
set $mod Mod4
set $refresh killall -SIGUSR1 i3status
floating_modifier $mod
# Font for window titles. Will also be used by the bar unless a different font
# is used in the bar {} block below.
font pango:monospace 8
# Center window title and remove edges from windows
title_align center
hide_edge_borders both
# Bindings for volume and light
bindsym XF86MonBrightnessDown exec light -U 1
bindsym XF86MonBrightnessUp exec light -A 1
bindsym XF86AudioRaiseVolume exec volume -A 5 && $refresh
bindsym XF86AudioLowerVolume exec volume -U 5 && $refresh
bindsym Shift+XF86MonBrightnessDown exec light -U 1
bindsym Shift+XF86MonBrightnessUp exec light -A 1
bindsym Shift+XF86AudioRaiseVolume exec volume -A 1 && $refresh
bindsym Shift+XF86AudioLowerVolume exec volume -U 1 && $refresh
bindsym XF86AudioMute exec volume -T && $refresh
bindsym XF86AudioMicMute exec volume -M && $refresh
{% if not laptop.numpad %}
# Binding for mpd
bindsym KP_Add exec mpc next && $refresh
bindsym KP_Subtract exec mpc prev && $refresh
bindsym KP_Multiply exec mpc toggle && $refresh
bindsym $mod+F3 exec mpc volume +5
bindsym $mod+F2 exec mpc volume -5
{% endif %}
# Binding to toggle mouse tapping
bindsym XF86TouchpadToggle exec mouse_tap toggle
# start a terminal
bindsym $mod+Return exec xfce4-terminal -x tmux
bindsym $mod+Shift+Return exec xfce4-terminal
# kill focused window
bindsym $mod+Shift+q kill
# start dmenu (a program launcher)
bindsym $mod+d exec dmenu_run -l 1 -p '[ ynerant@morgoth ~ ]'
bindsym XF86Search exec dmenu_run -l 1
# Launch passmenu
bindsym $mod+t exec passmenu
# Screenshots
bindsym --release Print exec screenshot
bindsym --release Control+Print exec screenshot -c
bindsym --release Shift+Print exec screenshot -s
bindsym --release Control+Shift+Print exec screenshot -s -c
# Binding to lock screen
bindsym $mod+Escape exec physlock
# alternatively, you can use the cursor keys:
bindsym $mod+Left focus left
bindsym $mod+h focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
bindsym $mod+l focus right
# Move through output
bindsym $mod+j focus output down
bindsym $mod+k focus output up
# alternatively, you can use the cursor keys:
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+h move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
bindsym $mod+Shift+l move right
# Move workspace between output
bindsym $mod+Shift+j move workspace to output down
bindsym $mod+Shift+k move workspace to output up
# split in horizontal orientation
bindsym $mod+s split h
# split in vertical orientation
bindsym $mod+v split v
# enter fullscreen mode for the focused container
bindsym $mod+f fullscreen toggle
# change container layout (stacked, tabbed, toggle split)
bindsym $mod+w layout tabbed
bindsym $mod+e layout toggle split
# focus the parent container
bindsym $mod+a focus parent
# focus the child container
bindsym $mod+y focus child
# Define names for default workspaces for which we configure key bindings later on.
# We use variables to avoid repeating the names in multiple places.
set $ws0 "0"
set $ws1 "1"
set $ws2 "2"
set $ws3 "3"
set $ws4 "4"
set $ws5 "5"
set $ws6 "6"
set $ws7 "7"
set $ws8 "8"
set $ws9 "9"
set $ws10 "10"
# Screen workspace
workspace $ws0 output eDP-1
workspace $ws1 output eDP-1
workspace $ws2 output eDP-1
workspace $ws3 output eDP-1
workspace $ws4 output eDP-1
workspace $ws5 output eDP-1
workspace $ws6 output eDP-1
workspace $ws7 output eDP-1
workspace $ws8 output eDP-1
workspace $ws9 output eDP-1
workspace $ws10 output eDP-1
# switch to workspace
bindsym $mod+0xb2 workspace $ws0
bindsym $mod+1 workspace $ws1
bindsym $mod+2 workspace $ws2
bindsym $mod+3 workspace $ws3
bindsym $mod+4 workspace $ws4
bindsym $mod+5 workspace $ws5
bindsym $mod+6 workspace $ws6
bindsym $mod+7 workspace $ws7
bindsym $mod+8 workspace $ws8
bindsym $mod+9 workspace $ws9
bindsym $mod+0 workspace $ws10
# move focused container to workspace
bindsym $mod+Shift+0xb2 move container to workspace $ws0
bindsym $mod+Shift+1 move container to workspace $ws1
bindsym $mod+Shift+2 move container to workspace $ws2
bindsym $mod+Shift+3 move container to workspace $ws3
bindsym $mod+Shift+4 move container to workspace $ws4
bindsym $mod+Shift+5 move container to workspace $ws5
bindsym $mod+Shift+6 move container to workspace $ws6
bindsym $mod+Shift+7 move container to workspace $ws7
bindsym $mod+Shift+8 move container to workspace $ws8
bindsym $mod+Shift+9 move container to workspace $ws9
bindsym $mod+Shift+0 move container to workspace $ws10
# Leave fullscreen on new window
popup_during_fullscreen leave_fullscreen
# Cycle through workspace
bindsym $mod+Tab workspace next_on_output
bindsym $mod+Shift+Tab workspace prev_on_output
# Dont focus discord (for thunderbird passwd)
no_focus [class="(?i)discord"]
# reload the configuration file
bindsym $mod+Shift+c reload
# restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
bindsym $mod+Shift+r restart
# exit i3 (logs you out of your X session)
bindsym $mod+Shift+e exec "i3-msg exit"
# resize window (you can also use the mouse for that)
mode "resize" {
bindsym Left resize shrink width 1 px or 1 ppt
bindsym Down resize grow height 1 px or 1 ppt
bindsym Up resize shrink height 1 px or 1 ppt
bindsym Right resize grow width 1 px or 1 ppt
# back to normal: Enter or Escape or $mod+r
bindsym Return mode "default"
bindsym Escape mode "default"
bindsym $mod+r mode "default"
}
bindsym $mod+r mode "resize"
# Window thickness
new_window 1pixel
# Toogle bar-1 visibility
bindsym $mod+x bar mode invisible bar-1
bindsym $mod+Shift+x bar mode toggle bar-1
# Start i3bar to display a workspace bar (plus the system information i3status
# finds out, if available)
bar {
output eDP-1
tray_output eDP-1
mode hide
status_command i3status
strip_workspace_numbers yes
}
bar {
output HDMI-2
mode hide
status_command i3status
strip_workspace_numbers yes
}
{% if laptop.touchscreen %}
exec xinput --set-prop 14 "libinput Natural Scrolling Enabled" 1
{% endif %}

63
roles/i3/templates/i3status.j2
View File

@@ -1,63 +0,0 @@
{{ ansible_header | comment }}
# i3status configuration file.
# see "man i3status" for documentation.
# It is important that this file is edited as UTF-8.
# The following line should contain a sharp s:
# ß
# If the above line is not correctly displayed, fix your editor first!
general {
output_format="i3bar"
colors = true
interval = 1
}
# order += "ipv6"
order += "read_file mpd"
order += "volume master"
order+= "ipv6"
order += "wireless _first_"
order += "ethernet _first_"
order += "battery all"
order += "tztime local"
ipv6 {
format_up = "IPV6: %ip"
format_down = ""
}
wireless _first_ {
format_up = "W:%essid, %ip"
format_down = ""
}
ethernet _first_ {
format_up = "E: %ip, %speed"
format_down = ""
}
battery all {
format = "%status %percentage %remaining"
last_full_capacity = true
color_good="#00FFFF"
color_bad="#00FFFF"
}
tztime local {
format = "%d-%m %H:%M:%S"
}
volume master {
format = "♪: %volume"
format_muted = "♪: muted (%volume)"
device = "pulse"
}
read_file mpd {
path = "/tmp/mpd.current"
color_good = "#00FF99"
format_bad = ""
}

27
roles/mime/tasks/main.yml
View File

@@ -1,27 +0,0 @@
---
- name: Queries package manager to install xdg
package:
name: xdg-utils
register: pkg_result
retries: 3
until: pkg_result is succeeded
become: yes
- name: Create default applications config folder
file:
path: '.config/'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0700
become_user: '{{ user.name }}'
- name: Install default applications configuration file
template:
src: 'mimeapps.list.j2'
dest: '.config/mimeapps.list'
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0644
become_user: '{{ user.name }}'

17
roles/mime/templates/mimeapps.list.j2
View File

@@ -1,17 +0,0 @@
{{ ansible_header | comment }}
[Default Applications]
text/html=firefox.desktop
x-scheme-handler/http=firefox.desktop
x-scheme-handler/https=firefox.desktop
x-scheme-handler/ftp=firefox.desktop
x-scheme-handler/about=firefox.desktop
x-scheme-handler/unknown=firefox.desktop
application/x-extension-htm=firefox.desktop
application/x-extension-html=firefox.desktop
application/x-extension-shtml=firefox.desktop
application/xhtml+xml=firefox.desktop
application/x-extension-xhtml=firefox.desktop
application/x-extension-xht=firefox.desktop
application/pdf=org.pwmt.zathura.desktop

38
roles/multimedia/tasks/main.yml
View File

@@ -1,38 +0,0 @@
---
- name: Queries package manager for multimedia installation
package:
name:
- feh
- mpv
- obs-studio
- vlc
- zathura
- zathura-pdf-poppler
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Create multimedia folder hierarchy
file:
path: '.config/{{ item }}'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0700
with_items :
- 'mpv/'
- 'zathura/'
become_user: '{{ user.name }}'
- name: Copy multimedia configuration files
template:
src: '{{ item.src }}'
dest: '.config/{{ item.dest }}'
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0644
with_items:
- { src: 'zathurarc.j2', dest: 'zathura/zathurarc' }
- { src: 'mpv.conf.j2', dest: 'mpv/mpv.conf' }
become_user: '{{ user.name }}'

30
roles/multimedia/templates/mpv.conf.j2
View File

@@ -1,30 +0,0 @@
{{ ansible_header | comment }}
##################
# video settings #
##################
# force starting with centered window
geometry=50%:50%
# no window title bar
no-border
##################
# audio settings #
##################
# Specify pulse audio as audio output
ao=pulse
##################
# other settings #
##################
# Display English subtitles if available.
slang=fr,en
# Play Finnish audio if available, fall back to English otherwise.
alang=fr,en
force-window=yes

3
roles/multimedia/templates/zathurarc.j2
View File

@@ -1,3 +0,0 @@
{{ ansible_header | comment }}
set selection-clipboard clipboard

48
roles/ninjabot/tasks/main.yml Normal file
View File

@@ -0,0 +1,48 @@
---
- name: Install python3 IRC library
apt:
name: python3-irc
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Install Flask for python3
apt:
name: python3-flask
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Clone NinjaBot code
git:
repo: https://gitlab.crans.org/nounous/NinjaBot.git
dest: /var/local/ninjabot
version: master
- name: Deploy NinjaBot configuration
template:
src: ninjabot/ninjabot.json.j2
dest: /var/local/ninjabot/ninjabot.json
- name: Deploy NinjaBot systemd unit
template:
src: systemd/system/ninjabot.service.j2
dest: /etc/systemd/system/ninjabot.service
mode: 0644
- name: Load and activate NinjaBot service
systemd:
name: ninjabot
daemon_reload: true
enabled: true
state: started
- name: Indicate NinjaBot in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-ninjabot
mode: 0755

1
roles/ninjabot/templates/ninjabot/ninjabot.json.j2 Normal file
View File

@@ -0,0 +1 @@
{{ ninjabot.config | to_nice_json(indent=2) }}

15
roles/ninjabot/templates/systemd/system/ninjabot.service.j2 Normal file
View File

@@ -0,0 +1,15 @@
{{ ansible_header | comment }}
[Unit]
Description=NinjaBot IRC bot
After=network.target
[Service]
Type=simple
WorkingDirectory=/var/local/ninjabot
User=nobody
Group=nogroup
ExecStart=/usr/bin/python3 /var/local/ninjabot/ninjabot.py
Restart=always
[Install]
WantedBy=multi-user.target

3
roles/ninjabot/templates/update-motd.d/05-service.j2 Executable file
View File

@@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> NinjaBot a été déployé sur cette machine. Voir /var/local/ninjabot/.

30
roles/notification/tasks/main.yml
View File

@@ -1,30 +0,0 @@
---
- name: Queries package manager for notification installation
package:
name:
- dunst
- gnome-icon-theme
- gnome-icon-theme-extras
- gnome-icon-theme-symbolic
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Create dunst config directory
file:
path: '.config/dunst/'
state: directory
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0755
become_user: '{{ user.name }}'
- name: Copy dunst configuration file
template:
src: 'dunstrc.j2'
dest: '.config/dunst/dunstrc'
owner: '{{ user.name }}'
group: '{{ user.name }}'
mode: 0644
become_user: '{{ user.name }}'

294
roles/notification/templates/dunstrc.j2
View File

@@ -1,294 +0,0 @@
{{ ansible_header | comment }}
[global]
### Display ###
# Which monitor should the notifications be displayed on.
monitor = 0
# Display notification on focused monitor. Possible modes are:
# mouse: follow mouse pointer
# keyboard: follow window with keyboard focus
# none: don't follow anything
#
# "keyboard" needs a window manager that exports the
# _NET_ACTIVE_WINDOW property.
# This should be the case for almost all modern window managers.
#
# If this option is set to mouse or keyboard, the monitor option
# will be ignored.
follow = none
# The geometry of the window:
# [{width}]x{height}[+/-{x}+/-{y}]
# The geometry of the message window.
# The height is measured in number of notifications everything else
# in pixels. If the width is omitted but the height is given
# ("-geometry x2"), the message window expands over the whole screen
# (dmenu-like). If width is 0, the window expands to the longest
# message displayed. A positive x is measured from the left, a
# negative from the right side of the screen. Y is measured from
# the top and down respectively.
# The width can be negative. In this case the actual width is the
# screen width minus the width defined in within the geometry option.
geometry = "300x5-30+20"
# Show how many messages are currently hidden (because of geometry).
indicate_hidden = yes
# Shrink window if it's smaller than the width. Will be ignored if
# width is 0.
shrink = no
# The transparency of the window. Range: [0; 100].
# This option will only work if a compositing window manager is
# present (e.g. xcompmgr, compiz, etc.).
transparency = 0
# The height of the entire notification. If the height is smaller
# than the font height and padding combined, it will be raised
# to the font height and padding.
notification_height = 0
# Draw a line of "separator_height" pixel height between two
# notifications.
# Set to 0 to disable.
separator_height = 2
# Padding between text and separator.
padding = 8
# Horizontal padding.
horizontal_padding = 8
# Defines width in pixels of frame around the notification window.
# Set to 0 to disable.
frame_width = 3
# Defines color of the frame around the notification window.
frame_color = "#aaaaaa"
# Define a color for the separator.
# possible values are:
# * auto: dunst tries to find a color fitting to the background;
# * foreground: use the same color as the foreground;
# * frame: use the same color as the frame;
# * anything else will be interpreted as a X color.
separator_color = frame
# Sort messages by urgency.
sort = yes
# Don't remove messages, if the user is idle (no mouse or keyboard input)
# for longer than idle_threshold seconds.
# Set to 0 to disable.
# A client can set the 'transient' hint to bypass this. See the rules
# section for how to disable this if necessary
idle_threshold = 120
### Text ###
font = Monospace 9
# The spacing between lines. If the height is smaller than the
# font height, it will get raised to the font height.
line_height = 0
# Possible values are:
# full: Allow a small subset of html markup in notifications:
# <b>bold</b>
# <i>italic</i>
# <s>strikethrough</s>
# <u>underline</u>
#
# For a complete reference see
# <http://developer.gnome.org/pango/stable/PangoMarkupFormat.html>.
#
# strip: This setting is provided for compatibility with some broken
# clients that send markup even though it's not enabled on the
# server. Dunst will try to strip the markup but the parsing is
# simplistic so using this option outside of matching rules for
# specific applications *IS GREATLY DISCOURAGED*.
#
# no: Disable markup parsing, incoming notifications will be treated as
# plain text. Dunst will not advertise that it has the body-markup
# capability if this is set as a global setting.
#
# It's important to note that markup inside the format option will be parsed
# regardless of what this is set to.
markup = full
# The format of the message. Possible variables are:
# %a appname
# %s summary
# %b body
# %i iconname (including its path)
# %I iconname (without its path)
# %p progress value if set ([ 0%] to [100%]) or nothing
# %n progress value if set without any extra characters
# %% Literal %
# Markup is allowed
format = "<b>%s</b>\n%b"
# Alignment of message text.
# Possible values are "left", "center" and "right".
alignment = left
# Show age of message if message is older than show_age_threshold
# seconds.
# Set to -1 to disable.
show_age_threshold = 60
# Split notifications into multiple lines if they don't fit into
# geometry.
word_wrap = yes
# When word_wrap is set to no, specify where to make an ellipsis in long lines.
# Possible values are "start", "middle" and "end".
ellipsize = middle
# Ignore newlines '\n' in notifications.
ignore_newline = no
# Stack together notifications with the same content
stack_duplicates = true
# Hide the count of stacked notifications with the same content
hide_duplicate_count = false
# Display indicators for URLs (U) and actions (A).
show_indicators = yes
### Icons ###
# Align icons left/right/off
icon_position = left
# Scale larger icons down to this size, set to 0 to disable
max_icon_size = 32
# Paths to default icons.
icon_path = /usr/share/icons/gnome/32x32/status/:/usr/share/icons/gnome/32x32/devices/
### History ###
# Should a notification popped up from history be sticky or timeout
# as if it would normally do.
sticky_history = yes
# Maximum amount of notifications kept in history
history_length = 20
### Misc/Advanced ###
# dmenu path.
dmenu = /usr/bin/dmenu -p dunst:
# Browser for opening urls in context menu.
browser = /usr/bin/firefox -new-tab
# Always run rule-defined scripts, even if the notification is suppressed
always_run_script = true
# Define the title of the windows spawned by dunst
title = Dunst
# Define the class of the windows spawned by dunst
class = Dunst
# Print a notification on startup.
# This is mainly for error detection, since dbus (re-)starts dunst
# automatically after a crash.
startup_notification = false
# Manage dunst's desire for talking
# Can be one of the following values:
# crit: Critical features. Dunst aborts
# warn: Only non-fatal warnings
# mesg: Important Messages
# info: all unimportant stuff
# debug: all less than unimportant stuff
verbosity = mesg
# Define the corner radius of the notification window
# in pixel size. If the radius is 0, you have no rounded
# corners.
# The radius will be automatically lowered if it exceeds half of the
# notification height to avoid clipping text and/or icons.
corner_radius = 0
### Legacy
# Use the Xinerama extension instead of RandR for multi-monitor support.
# This setting is provided for compatibility with older nVidia drivers that
# do not support RandR and using it on systems that support RandR is highly
# discouraged.
#
# By enabling this setting dunst will not be able to detect when a monitor
# is connected or disconnected which might break follow mode if the screen
# layout changes.
force_xinerama = false
### mouse
# Defines action of mouse event
# Possible values are:
# * none: Don't do anything.
# * do_action: If the notification has exactly one action, or one is marked as default,
# invoke it. If there are multiple and no default, open the context menu.
# * close_current: Close current notification.
# * close_all: Close all notifications.
mouse_left_click = close_current
mouse_middle_click = do_action
mouse_right_click = close_all
# Experimental features that may or may not work correctly. Do not expect them
# to have a consistent behaviour across releases.
[experimental]
# Calculate the dpi to use on a per-monitor basis.
# If this setting is enabled the Xft.dpi value will be ignored and instead
# dunst will attempt to calculate an appropriate dpi value for each monitor
# using the resolution and physical size. This might be useful in setups
# where there are multiple screens with very different dpi values.
per_monitor_dpi = false
[shortcuts]
# Shortcuts are specified as [modifier+][modifier+]...key
# Available modifiers are "ctrl", "mod1" (the alt-key), "mod2",
# "mod3" and "mod4" (windows-key).
# Xev might be helpful to find names for keys.
# Close notification.
close = ctrl+space
# Close all notifications.
close_all = ctrl+shift+space
# Context menu.
context = ctrl+shift+period
[urgency_low]
# IMPORTANT: colors have to be defined in quotation marks.
# Otherwise the "#" and following would be interpreted as a comment.
background = "#222222"
foreground = "#888888"
timeout = 10
# Icon for notifications with low urgency, uncomment to enable
#icon = /path/to/icon
[urgency_normal]
background = "#0091FF"
foreground = "#ffffff"
timeout = 10
# Icon for notifications with normal urgency, uncomment to enable
#icon = /path/to/icon
[urgency_critical]
background = "#900000"
foreground = "#ffffff"
frame_color = "#ff0000"
timeout = 0
# Icon for notifications with critical urgency, uncomment to enable
#icon = /path/to/icon

7
roles/ntp-client-arch/handlers/main.yml
View File

@@ -1,7 +0,0 @@
---
- name: restart ntpd.service
service:
name: ntpd
state: restarted
become: true

23
roles/ntp-client-arch/tasks/main.yml
View File

@@ -1,23 +0,0 @@
---
- name: Queries package manager for ntp installation
package:
name: ntp
register: pkg_result
retries: 3
until: pkg_result is succeeded
notify: restart ntpd.service
- name: Deploy ntp configuration
template:
src: 'ntp.conf.j2'
dest: '/etc/ntp.conf'
owner: root
group: root
mode: 0644
notify: restart ntpd.service
- name: Enable ntp service
service:
name: ntpd
enabled: yes

27
roles/ntp-client-arch/templates/ntp.conf.j2
View File

@@ -1,27 +0,0 @@
{{ ansible_header | comment }}
# Please consider joining the pool:
#
# http://www.pool.ntp.org/join.html
#
# For additional information see:
# - https://wiki.archlinux.org/index.php/Network_Time_Protocol_daemon
# - http://support.ntp.org/bin/view/Support/GettingStarted
# - the ntp.conf man page
# Associate to Arch's NTP pool
server charybde.crans.org
server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
# By default, the server allows:
# - all queries from the local host
# - only time queries from remote hosts, protected by rate limiting and kod
restrict default kod limited nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1
# Location of drift file
driftfile /var/lib/ntp/ntp.drift

3
roles/ntp-client/tasks/main.yml
View File

@@ -9,7 +9,7 @@
until: apt_result is succeeded
when: "'ntp_server' not in group_names"
- name: Install systemd-timesyncd (bullseye)
- name: Install systemd-timesyncd
apt:
name: systemd-timesyncd
update_cache: true
@@ -19,7 +19,6 @@
until: apt_result is succeeded
when:
- "'ntp_server' not in group_names"
- ansible_distribution_release == "bullseye"
- name: Configure NTP
template:

2
roles/nullmailer/tasks/main.yml
View File

@@ -11,7 +11,7 @@
- name: Set nullmailer remotes
copy:
content: "{{ nullmailer.smtp_server }} smtp --auth-login --user={{ nullmailer.username }} --pass='{{ nullmailer.password }}'\n"
content: "{{ nullmailer.smtp_server }} smtp'\n"
dest: /etc/nullmailer/remotes
mode: 0644

28
roles/pacman/tasks/main.yml
View File

@@ -1,28 +0,0 @@
---
- name: Ensure pacman is installed
package:
name:
- pacman
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Use Crans mirror
template:
src: pacman.d/mirrorlist.j2
dest: /etc/pacman.d/mirrorlist
owner: root
group: root
mode: 0644
- name: Enable colors and sugar
lineinfile:
regex: "{{ item }}"
line: "{{ item }}"
insertafter: "[options]"
path: /etc/pacman.conf
loop:
- Color
- TotalDownload
- CheckSpace
- ILoveCandy

4
roles/pacman/templates/pacman.d/mirrorlist.j2
View File

@@ -1,4 +0,0 @@
{{ ansible_header | comment }}
Server = https://ftps.crans.org/archlinux/$repo/os/$arch
Server = http://mirror.crans.org/archlinux/$repo/os/$arch

18
roles/pass/tasks/main.yml
View File

@@ -1,18 +0,0 @@
---
- name: Queries package manager to install pass
package:
name:
- jq
- git
- pass
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Clone git pass repository
git:
repo: '{{ pass.upstream }}'
dest: '{{ pass.dest }}'
umask: '0066'
become_user: '{{ user.name }}'

5
roles/prometheus-alertmanager/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Restart Prometheus Alertmanager
service:
name: prometheus-alertmanager
state: restarted

14
roles/prometheus-alertmanager/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Install Prometheus Alertmanager
apt:
update_cache: true
name: prometheus-alertmanager
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Prometheus Alertmanager
template:
src: prometheus/alertmanager.yml.j2
dest: /etc/prometheus/alertmanager.yml
notify: Restart Prometheus Alertmanager

60
roles/prometheus-alertmanager/templates/prometheus/alertmanager.yml.j2 Normal file
View File

@@ -0,0 +1,60 @@
{{ ansible_header | comment }}
# See https://prometheus.io/docs/alerting/configuration/ for documentation.
global:
# The smarthost and SMTP sender used for mail notifications.
smtp_smarthost: 'localhost:25'
smtp_from: 'alertmanager@example.org'
#smtp_auth_username: 'alertmanager'
#smtp_auth_password: 'password'
# The directory from which notification templates are read.
templates:
- '/etc/prometheus/alertmanager_templates/*.tmpl'
# The root route on which each incoming alert enters.
route:
# The labels by which incoming alerts are grouped together. For example,
# multiple alerts coming in for cluster=A and alertname=LatencyHigh would
# be batched into a single group.
group_by: ['instance'] # group per instance
# When a new group of alerts is created by an incoming alert, wait at
# least 'group_wait' to send the initial notification.
# This way ensures that you get multiple alerts for the same group that start
# firing shortly after another are batched together on the first
# notification.
group_wait: 30s
# When the first notification was sent, wait 'group_interval' to send a batch
# of new alerts that started firing for that group.
group_interval: 5m
# If an alert has successfully been sent, wait 'repeat_interval' to
# resend them.
repeat_interval: 24h
# A default receiver
receiver: webhook-ninjabot
# Inhibition rules allow to mute a set of alerts given that another alert is
# firing.
# We use this to mute any warning-level notifications if the same alert is
# already critical.
inhibit_rules:
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
# Apply inhibition if the alertname is the same.
equal: ['alertname', 'cluster', 'service']
receivers:
- name: 'webhook-ninjabot'
webhook_configs:
- url: 'http://localhost:5000/'
send_resolved: true
- url: 'http://localhost:8000/'
send_resolved: true

5
roles/prometheus-blackbox-exporter/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Restart prometheus-blackbox-exporter
service:
name: prometheus-blackbox-exporter
state: restarted

23
roles/prometheus-blackbox-exporter/tasks/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Install Prometheus Blackbox exporter
apt:
update_cache: true
name: prometheus-blackbox-exporter
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Make Prometheus Blackbox exporter listen on localhost only
lineinfile:
path: /etc/default/prometheus-blackbox-exporter
regexp: '^ARGS='
line: >
ARGS='--config.file /etc/prometheus/blackbox.yml
--web.listen-address="localhost:9115"'
notify: Restart prometheus-blackbox-exporter
- name: Activate prometheus Blackbox exporter service
systemd:
name: prometheus-blackbox-exporter
enabled: true
state: started

10
roles/prometheus-nginx-exporter/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Restart nginx
service:
name: nginx
state: restarted
- name: Restart prometheus-nginx-exporter
service:
name: prometheus-nginx-exporter
state: restarted

33
roles/prometheus-nginx-exporter/tasks/main.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- name: Install prometheus-nginx-exporter
apt:
update_cache: true
name:
- nginx # Nginx may be not already installed
- prometheus-nginx-exporter
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Make prometheus-nginx-exporter listen on adm only
lineinfile:
path: /etc/default/prometheus-nginx-exporter
regexp: '^ARGS='
line: |
ARGS="-web.listen-address={{ prometheus_nginx_exporter.listen_addr }}:9117 -nginx.scrape-uri=http://[::1]:6424/stub_status"
notify:
- Restart nginx
- Restart prometheus-nginx-exporter
- name: Configure nginx
template:
src: nginx/status.j2
dest: /etc/nginx/sites-available/status
notify: Restart nginx
- name: Activate nginx site
file:
src: /etc/nginx/sites-available/status
dest: /etc/nginx/sites-enabled/status
state: link
notify: Restart nginx

8
roles/prometheus-nginx-exporter/templates/nginx/status.j2 Normal file
View File

@@ -0,0 +1,8 @@
{{ ansible_header | comment }}
server {
listen [::1]:6424;
location = /stub_status {
stub_status;
}
}

51
roles/prometheus-node-exporter/files/apt.sh Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/bash
#
# Description: Expose metrics from apt updates.
#
# Author: Ben Kochie <superq@gmail.com>
upgrades="$(/usr/bin/apt-get --just-print dist-upgrade \
| /usr/bin/awk -F'[()]' \
'/^Inst/ { sub("^[^ ]+ ", "", $2); gsub(" ","",$2);
sub("\\[", " ", $2); sub("\\]", "", $2); print $2 }' \
| /usr/bin/sort \
| /usr/bin/uniq -c \
| awk '{ gsub(/\\\\/, "\\\\", $2); gsub(/\"/, "\\\"", $2);
gsub(/\[/, "", $3); gsub(/\]/, "", $3);
print "apt_upgrades_pending{origin=\"" $2 "\",arch=\"" $NF "\"} " $1}'
)"
autoremove="$(/usr/bin/apt-get --just-print autoremove \
| /usr/bin/awk '/^Remv/{a++}END{printf "apt_autoremove_pending %d", a}'
)"
orphans="$(comm -23 \
<(dpkg-query -W -f '${db:Status-Abbrev}\t${Package}\n' \
| grep '^.[^nc]' | cut -f2 | sort) \
<(apt-cache dumpavail | sed -rn 's/^Package: (.*)/\1/p' | sort -u) \
| awk 'END{printf "apt_orphans %d", NR}'
)"
echo '# HELP apt_upgrades_pending Apt package pending updates by origin.'
echo '# TYPE apt_upgrades_pending gauge'
if [[ -n "${upgrades}" ]] ; then
echo "${upgrades}"
else
echo 'apt_upgrades_pending{origin="",arch=""} 0'
fi
echo '# HELP apt_autoremove_pending Apt package pending autoremove.'
echo '# TYPE apt_autoremove_pending gauge'
echo "${autoremove}"
echo '# HELP apt_orphans Orphan apt package.'
echo '# TYPE apt_orphans gauge'
echo "${orphans}"
echo '# HELP node_reboot_required Node reboot is required for software updates.'
echo '# TYPE node_reboot_required gauge'
if [[ -f '/run/reboot-required' ]] ; then
echo 'node_reboot_required 1'
else
echo 'node_reboot_required 0'
fi

5
roles/prometheus-node-exporter/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Restart prometheus-node-exporter
service:
name: prometheus-node-exporter
state: restarted

32
roles/prometheus-node-exporter/tasks/main.yml Normal file
View File

@@ -0,0 +1,32 @@
---
- name: Install Prometheus node-exporter
apt:
update_cache: true
name: prometheus-node-exporter
install_recommends: false # Do not install smartmontools
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Install Prometheus node-exporter-collectors
apt:
update_cache: true
name: prometheus-node-exporter-collectors
install_recommends: false
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Make Prometheus node-exporter listen on adm only
lineinfile:
path: /etc/default/prometheus-node-exporter
regexp: '^ARGS='
line: |
ARGS="--web.listen-address={{ prometheus_node_exporter.listen_addr }}:9100"
tags: restart-node-exporter
- name: Activate prometheus-node-exporter service
systemd:
name: prometheus-node-exporter
enabled: true
state: started

5
roles/prometheus/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Restart Prometheus
service:
name: prometheus
state: restarted

42
roles/prometheus/tasks/main.yml Normal file
View File

@@ -0,0 +1,42 @@
---
- name: Install Prometheus
apt:
update_cache: true
name: prometheus
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Prometheus
template:
src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml
mode: 0644
notify: Restart Prometheus
- name: Configure Prometheus alert rules
template:
src: prometheus/alert.rules.yml.j2
dest: /etc/prometheus/alert.rules.yml
mode: 0644
notify: Restart Prometheus
# We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus targets
copy:
content: "{{ [{'targets': item.value.targets}] | to_nice_json }}\n"
dest: "/etc/prometheus/{{ item.value.file }}"
mode: 0644
loop: "{{ prometheus | dict2items }}"
- name: Activate prometheus service
systemd:
name: prometheus
enabled: true
state: started
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-prometheus
mode: 0755

187
roles/prometheus/templates/prometheus/alert.rules.yml.j2 Normal file
View File

@@ -0,0 +1,187 @@
{{ ansible_header | comment }}
{# As this is also Jinja2 it will conflict without a raw block #}
{# Depending of Prometheus Node exporter version, rules can change depending of version #}
{% raw %}
groups:
- name: alert.rules
rules:
# Alert for any instance that is unreachable for >3 minutes.
- alert: InstanceDown
expr: up == 0
for: 3m
labels:
severity: critical
annotations:
summary: "{{ $labels.instance }} ({{ $labels.job }}) est invisible depuis plus de 3 minutes !"
# Alert for out of memory
# Do not take into account memory not used by apps
- alert: OutOfMemory
expr: (node_memory_MemFree_bytes + node_memory_Cached_bytes + node_memory_Buffers_bytes + node_memory_PageTables_bytes + node_memory_VmallocUsed_bytes + node_memory_SwapCached_bytes + node_memory_Slab_bytes) / node_memory_MemTotal_bytes * 100 < 10
for: 5m
labels:
severity: warning
annotations:
summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%."
# Alert for out of disk space
- alert: OutOfDiskSpace
expr: node_filesystem_free_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"} * 100 < 10
for: 5m
labels:
severity: warning
annotations:
summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%."
# Alert for out of inode space on disk
- alert: OutOfInodes
expr: node_filesystem_files_free{fstype="ext4"} / node_filesystem_files{fstype="ext4"} * 100 < 10
for: 5m
labels:
severity: warning
annotations:
summary: "Presque plus d'inodes disponibles ({{ $value }}% restant) dans {{ $labels.mountpoint }} sur {{ $labels.instance }}."
# Alert for high CPU usage
- alert: CpuBusy
expr: node_load5 > 9
for: 10m
labels:
severity: warning
annotations:
summary: "Charge sur {{ $labels.instance }} à {{ $value }}."
# Check mdadm software RAID
- alert: SoftwareRAIDDegraded
expr: node_md_disks-node_md_disks_active > 0
for: 3m
labels:
severity: warning
annotations:
summary: "Le RAID sur {{ $labels.instance }} a perdu {{ $value }} disque(s)."
# Check systemd unit (> buster)
- alert: SystemdServiceFailed
expr: node_systemd_unit_state{state="failed"} == 1
for: 10m
labels:
severity: warning
annotations:
summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
# Check UPS
- alert: UpsOutputSourceChanged
expr: upsOutputSource != 3
for: 5m
labels:
severity: warning
annotations:
summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsBatteryStatusChanged
expr: upsBatteryStatus != 2
for: 5m
labels:
severity: warning
annotations:
summary: "L'état de la batterie de {{ $labels.instance }} a changé !"
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsTemperatureWarning
expr: (xupsEnvRemoteTemp < 10) or (xupsEnvRemoteTemp > 26)
for: 5m
labels:
severity: warning
annotations:
summary: "La température autour de {{ $labels.instance }} est de {{ $value }}°C."
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsTemperatureCritical
expr: (xupsEnvRemoteTemp < 0) or (xupsEnvRemoteTemp > 30)
for: 5m
labels:
severity: critical
annotations:
summary: "La température autour de {{ $labels.instance }} est de {{ $value }}°C !"
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsHighHumidity
expr: xupsEnvRemoteHumidity > 65
for: 5m
labels:
severity: warning
annotations:
summary: "L'humidité autour de {{ $labels.instance }} est de {{ $value }}%."
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsVeryHighHumidity
expr: xupsEnvRemoteHumidity > 85
for: 5m
labels:
severity: critical
annotations:
summary: "L'humidité autour de {{ $labels.instance }} est de {{ $value }}% !"
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsHighLoad
expr: upsOutputPercentLoad > 70
for: 5m
labels:
severity: critical
annotations:
summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsWrongInputVoltage
expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
for: 5m
labels:
severity: warning
annotations:
summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: UpsWrongOutputVoltage
expr: (upsOutputVoltage < 215) or (upsOutputVoltage > 245)
for: 5m
labels:
severity: warning
annotations:
summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
description: "https://grafana.crans.org/d/qtbg59mZz/alimentation"
- alert: AptAutoremovePending
expr: apt_autoremove_pending > 0
for: 5m
labels:
severity: warning
annotations:
summary: "{{ $value }} paquet(s) APT sont inutile(s) sur {{ $labels.instance }}."
- alert: MailqNotEmpty
expr: postfix_mailq_length > 25
for: 1m
labels:
severity: warning
annotations:
summary: "{{ $value }} mails dans la mailq sur {{ $labels.instance }}."
- alert: NoRadiusLogin
expr: rate(radiusd_access_ok[3m]) == 0
for: 2m
labels:
severity: warning
annotations:
summary: "Personne ne vient taper le RADIUS."
- alert: TooManyReallocatedSectors
expr: smartmon_reallocated_sector_ct_raw_value > 1e3
for: 5m
labels:
severity: warning
annotations:
summary: "{{ $labels.disk }} sur {{ $labels.instance }} a {{ $value }} secteurs réalloués."
{% endraw %}

42
roles/prometheus/templates/prometheus/prometheus.yml.j2 Normal file
View File

@@ -0,0 +1,42 @@
{{ ansible_header | comment }}
global:
# scrape_interval is set to the global default (60s)
# evaluation_interval is set to the global default (60s)
# scrape_timeout is set to the global default (10s).
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
monitor: 'example'
# Alertmanager configuration
# Use prometheus alertmanager installed on the same machine
alerting:
alertmanagers:
- static_configs:
- targets: ['localhost:9093']
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
- "alert.rules.yml" # Monitoring alerts, this is the file you may be searching!
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
{{
{
"scrape_configs":
[
{
"job_name": "prometheus",
"static_configs" : [
{
"targets": [
"localhost:9090"
]
}
]
}
] + (prometheus | json_query("*.config[0]"))
} | to_nice_yaml(indent=2)
}}

3
roles/prometheus/templates/update-motd.d/05-service.j2 Executable file
View File

@@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> prometheus a été déployé sur cette machine. Voir /etc/prometheus/.

35
roles/scripts/tasks/main.yml
View File

@@ -1,35 +0,0 @@
---
- name: Queries package manager for graphical instalation
package:
name:
- scrot
- network-manager-applet
- acpi
register: pkg_result
retries: 3
until: pkg_result is succeeded
- name: Clone scripts git repo
git:
repo: '{{ scripts.git }}'
dest: '.local/src/scripts'
owner: '{{ user.name }}'
group: '{{ user.name }}'
umask: 0022
become_user: '{{ user.name }}'
- name: Find scripts
find:
path: '.local/src/scripts'
pattern: "*"
register: scripts
become_user: user.name
- name: Link scripts
file:
src: '/home/{{ user.name }}/{{ item.path }}'
dest: '.local/bin/{{ item.path | basename }}'
state: link
force: yes
with_items: '{{ scripts.files }}'
become_user: '{{ user.name }}'

4
roles/sudo/tasks/main.yml
View File

@@ -1,4 +1,8 @@
---
- name: Install sudo
apt:
name: sudo
- name: Configure sudoers
template:
src: "{{ item }}.j2"

4
roles/sudo/templates/sudoers.j2
View File

@@ -22,6 +22,6 @@ root ALL=(ALL:ALL) ALL
USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list
{% endif %}
# See sudoers(5) for more information on "#include" directives:
# See sudoers(5) for more information on "@include" directives:
#includedir /etc/sudoers.d
@includedir /etc/sudoers.d

Some files were not shown because too many files have changed in this diff Show More