1.0.0 Release IaaS

2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions


@@ -0,0 +1,34 @@
---
- name: Create common secret directory
ansible.builtin.file:
path: "/etc/secrets"
state: "directory"
owner: "root"
group: "root"
mode: "0711"
become: true
- name: Create user secret directory
ansible.builtin.file:
path: "/etc/secrets/{{ node['uid'] }}"
state: "directory"
owner: "{{ ansible_user }}"
group: "root"
mode: "0500"
become: true
- name: Create user systemd directory
ansible.builtin.file:
path: "{{ node['home_path'] }}/.config/systemd/user"
state: "directory"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0700"
- name: Create quadlet directory
ansible.builtin.file:
path: "{{ node['home_path'] }}/.config/containers/systemd"
state: "directory"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0700"
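Review bot: `state: "directory"` on `{{ node['home_path'] }}/.config/systemd/user` and on the quadlet path creates any missing parent directories with the remote umask, not with the task's `mode`, so `~/.config` and `~/.config/containers` can end up more permissive than the `0700` intended for the leaves. If those parents are not guaranteed to exist before this file runs, create them with their own `ansible.builtin.file` tasks carrying `mode: "0700"` ahead of the two user-directory tasks. The `/etc/secrets/{{ node['uid'] }}` task is not affected because its parent is created explicitly one task earlier.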


@@ -0,0 +1,9 @@
---
- name: Deploy /etc/hosts
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/node/common/hosts.j2"
dest: "/etc/hosts"
owner: "root"
group: "root"
mode: "0644"
become: true


@@ -0,0 +1,10 @@
---
- name: Deploy root_ca.crt
ansible.builtin.copy:
content: "{{ hostvars['console']['ca']['root']['crt'] }}"
dest: "/usr/local/share/ca-certificates/ilnmors_root_ca.crt"
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "notification_update_ca"
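Review bot: `content: "{{ hostvars['console']['ca']['root']['crt'] }}"` writes the PEM byte-for-byte as stored, whereas the SSH CA public key elsewhere in this release uses `content: |` with the expression on its own line, which always yields a trailing newline; the two forms produce different files when the stored PEM has no final newline. Use one form for all certificate material, preferably the block-scalar one, e.g. `content: |` followed by `{{ hostvars['console']['ca']['root']['crt'] }}` on the next line, so the deployed `.crt` files are uniform regardless of how the source value was stored. Whether `update-ca-certificates` tolerates a missing trailing newline is not something I could confirm from this hunk.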


@@ -0,0 +1,20 @@
---
- name: Checking linger
ansible.builtin.stat:
path: "/var/lib/systemd/linger/{{ ansible_user }}"
register: "is_linger_file"
- name: Activate linger
when: not is_linger_file.stat.exists
block:
- name: Enable linger
ansible.builtin.command: |
loginctl enable-linger {{ ansible_user }}
become: true
changed_when: true
- name: Reboot system to ensure DBUS socket activation
ansible.builtin.reboot:
reboot_timeout: 300
post_reboot_delay: 3
become: true


@@ -0,0 +1,23 @@
---
- name: Set network files directory
ansible.builtin.set_fact:
directory_name: "{{ node['name'] }}"
when: node['name'] in ["vmm", "fw"]
- name: Set target vm
ansible.builtin.set_fact:
target_vm: "{{ node['name'] }}"
- name: Deploy networkd files
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/systemd/network/{{ item | basename }}"
owner: "root"
group: "systemd-network"
mode: "0640"
loop: "{{ query('fileglob', hostvars['console']['node']['config_path'] + '/node/' + (directory_name | default('common')) + '/networkd/*') | sort }}"
become: true
notify:
- "notification_reload_networkctl"
- "notification_restart_crowdsec"
no_log: true
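Review bot: `no_log: true` on "Deploy networkd files" suppresses the loop item path and any template rendering error, so a failure in this task reports nothing a maintainer can act on. If the reason is that rendered `.netdev` files may carry key material, state it in a comment directly above the line, e.g. `# no_log: rendered networkd files may contain key material — TODO confirm which files need this`. `target_vm` is also set here but not read anywhere in this file; if a template consumes it, a comment saying so would keep it from looking like dead state.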


@@ -0,0 +1,36 @@
---
- name: Check nftables installation
ansible.builtin.shell: |
command -v nft
become: true # nftables is located in /usr/sbin, which means root permission is needed.
changed_when: false
failed_when: false
register: "is_nftables_installed"
ignore_errors: true
- name: Install nftables
ansible.builtin.apt:
name: "nftables"
state: "present"
become: true
when: is_nftables_installed.rc != 0
- name: Enable nftables.service
ansible.builtin.systemd:
name: "nftables.service"
state: "started"
enabled: true
become: true
- name: Deploy nftables.conf
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/node/{{ node['name'] }}/nftables.conf.j2"
dest: "/etc/nftables.conf"
owner: "root"
group: "root"
mode: "0700"
validate: "/usr/sbin/nft -c -f %s"
become: true
notify:
- "notification_update_nftables"
- "notification_restart_crowdsec_bouncer"
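Review bot: The `command -v nft` probe carries both `failed_when: false` and `ignore_errors: true`; `failed_when: false` already guarantees the task never fails, so the `ignore_errors: true` line is dead and can be removed. More to the point, `ansible.builtin.apt` with `state: "present"` is idempotent on its own, so the probe-then-install pair can collapse into the unconditional apt task unless the probe's `rc` is needed for reporting elsewhere. The `validate: "/usr/sbin/nft -c -f %s"` on the template task is the right safeguard against deploying a ruleset that fails to load.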


@@ -0,0 +1,39 @@
---
- name: Enable systemd-resolved.service
ansible.builtin.systemd:
name: "systemd-resolved.service"
state: "started"
enabled: true
become: true
- name: Check global.conf
ansible.builtin.stat:
path: "/etc/systemd/resolved.conf.d/global.conf"
register: "is_global_conf"
- name: Create resolved directory
ansible.builtin.file:
path: "/etc/systemd/resolved.conf.d"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Deploy global conf file
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/node/common/resolved/global.conf.j2"
dest: "/etc/systemd/resolved.conf.d/global.conf"
owner: "root"
group: "systemd-resolve"
mode: "0640"
become: true
notify: "notification_reload_resolved"
- name: Restart systemd-resolved.service when it is initiated
ansible.builtin.systemd:
name: "systemd-resolved.service"
state: "restarted"
enabled: true
become: true
when: not is_global_conf.stat.exists
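Review bot: "Restart systemd-resolved.service when it is initiated" repeats `enabled: true`, which the first task in this file already sets; the restart task only needs `name` and `state: "restarted"`. On a fresh host this restart also overlaps with the `notification_reload_resolved` handler queued by the template task in the same run, so the service is bounced twice. A comment above the restart task stating why a full restart is needed in addition to the handler's reload (presumably the drop-in is only picked up on restart — TODO confirm for the target systemd version) would stop the next maintainer from removing it as redundant.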


@@ -0,0 +1,119 @@
---
- name: Deploy /etc/ssh/local_ssh_ca.pub
ansible.builtin.copy:
content: |
{{ hostvars['console']['ssh']['ca']['pub'] }}
dest: "/etc/ssh/local_ssh_ca.pub"
owner: "root"
group: "root"
mode: "0644"
become: true
no_log: true
- name: Check ssh_host_key-cert.pub
ansible.builtin.stat:
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: "is_signed_ca_key"
- name: Get current ssh_host_key-cert.pub Key ID
ansible.builtin.shell: |
set -o pipefail
ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub | \
grep "Key ID" | \
sed -E 's/.*Key ID: "(.*)"/\1/'
when: is_signed_ca_key.stat.exists
changed_when: false
register: "current_key_id"
no_log: true
- name: Get current ssh_host_key-cert.pub san
ansible.builtin.shell: |
set -o pipefail
ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub | \
sed -n '/Principals:/,/Critical Options:/p' | \
sed '1d;$d' | \
sed 's/^[[:space:]]*//'
when: is_signed_ca_key.stat.exists
changed_when: false
register: "current_san_id"
no_log: true
- name: Set current key informations
ansible.builtin.set_fact:
current_id_key: "{{ current_key_id.stdout }}"
current_san_list: "{{ current_san_id.stdout_lines }}"
when: is_signed_ca_key.stat.exists
no_log: true
- name: Compare key values between current information and defined information
ansible.builtin.set_fact:
is_certificate_info_different: true
when: (current_id_key | default("")) != node['name'] or (current_san_list | default([])) != (node['ssh_san'].split(',') | map('trim') | list)
- name: Get SSH CA and signing
when: not is_signed_ca_key.stat.exists or (is_certificate_info_different | default(false))
block:
- name: Get ssh_host_key.pub from remote server
ansible.builtin.fetch:
src: "/etc/ssh/ssh_host_ed25519_key.pub"
dest: "/run/user/{{ hostvars['console']['node']['uid'] }}/{{ node['name'] }}_ssh_host_ed25519_key.pub"
flat: true
become: true
- name: Get SSH CA
delegate_to: "console"
ansible.builtin.copy:
content: |
{{ hostvars['console']['ssh']['ca']['key'] }}
dest: "/run/user/{{ hostvars['console']['node']['uid'] }}/local_ssh_ca_private_key"
owner: "console"
group: "svadmins"
mode: "0400"
no_log: true
- name: Sign on ssh host keys (pub file)
delegate_to: "console"
ansible.builtin.command: |
ssh-keygen -s /run/user/{{ hostvars['console']['node']['uid'] }}/local_ssh_ca_private_key \
-h \
-I "{{ node['name'] }}" \
-n "{{ node['ssh_san'] }}" \
/run/user/{{ hostvars['console']['node']['uid'] }}/{{ node['name'] }}_ssh_host_ed25519_key.pub
changed_when: not is_signed_ca_key.stat.exists or (is_certificate_info_different | default(false))
no_log: true
- name: Deploy signed pub file
ansible.builtin.copy:
src: "/run/user/{{ hostvars['console']['node']['uid'] }}/{{ node['name'] }}_ssh_host_ed25519_key-cert.pub"
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "notification_restart_sshd"
always:
- name: Clean temporary files
delegate_to: "console"
ansible.builtin.file:
path: "/run/user/{{ hostvars['console']['node']['uid'] }}/{{ item }}"
state: "absent"
loop:
- "{{ node['name'] }}_ssh_host_ed25519_key.pub"
- "{{ node['name'] }}_ssh_host_ed25519_key-cert.pub"
- "local_ssh_ca_private_key"
no_log: true
- name: Set sshd_config.d files
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/node/common/ssh/{{ item }}"
dest: "/etc/ssh/sshd_config.d/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
loop:
- "prohibit_root.conf"
- "ssh_ca.conf"
- "host_certificate.conf"
become: true
notify: "notification_restart_sshd"
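Review bot: Both `ansible.builtin.shell` tasks that read `ssh_host_ed25519_key-cert.pub` begin with `set -o pipefail` but set no executable, so they run under the remote's `/bin/sh`; on Debian-family targets (this release installs packages with `apt`) that is dash, which rejects `-o pipefail`, and the task fails before `ssh-keygen -L` runs. Add `args:` with `executable: /bin/bash` to both tasks. Separately, the `ssh-keygen -s` invocation passes no `-V`, so the host certificate never expires, and the comparison task only triggers re-signing on a Key ID or principal change; a bounded validity such as `-V "+52w"` plus an expiry check in the comparison would limit how long a leaked host key stays trusted. The `changed_when` on the signing task repeats the enclosing block's `when` and can simply be `changed_when: true`.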


@@ -0,0 +1,20 @@
---
- name: Create timesyncd.conf.d
ansible.builtin.file:
path: "/etc/systemd/timesyncd.conf.d"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Deploy timesyncd.conf.d/local-ntp.conf
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/node/common/timesyncd/local-ntp.conf"
dest: "/etc/systemd/timesyncd.conf.d/local-ntp.conf"
owner: "root"
group: "systemd-timesync"
mode: "0640"
become: true
notify: "notification_restart_timesyncd"
no_log: true
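Review bot: `no_log: true` on "Deploy timesyncd.conf.d/local-ntp.conf" removes the only diagnostic output from a static file copy. Unless `local-ntp.conf` carries a secret (an NTS key, for example — TODO confirm), drop the line so copy failures stay debuggable; if it does, add `# no_log: <what it protects>` above it so the suppression is not mistaken for a copy-paste from the networkd tasks.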


@@ -0,0 +1,15 @@
---
- name: Create wg0 files
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/node/fw/wireguard/{{ item }}"
dest: "/etc/systemd/network/{{ item }}"
owner: "root"
group: "systemd-network"
mode: "0640"
loop:
- "30-fw-wg0.netdev"
- "31-fw-wg0.network"
become: true
when: node['name'] == 'fw'
notify: "notification_reload_networkctl"
no_log: true