Diffstat (limited to 'roles/proxmox_hypervisor/tasks')
-rw-r--r-- | roles/proxmox_hypervisor/tasks/chrony.yml | 11 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/main.yml | 31 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/nagios.yml | 68 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/postfix.yml | 18 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/pve.yml | 58 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/pve_api_user.yml | 21 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/pve_kvm_template.yml | 32 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/rsyslog.yml | 16 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/sudo.yml | 5 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/unattended_upgrades.yml | 11 | ||||
-rw-r--r-- | roles/proxmox_hypervisor/tasks/zfs.yml | 34 |
11 files changed, 305 insertions, 0 deletions
diff --git a/roles/proxmox_hypervisor/tasks/chrony.yml b/roles/proxmox_hypervisor/tasks/chrony.yml
new file mode 100644
index 0000000..ed9b0ce
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/chrony.yml
@@ -0,0 +1,11 @@
+- name: generate chrony.conf
+ template:
+ src: etc/chrony/chrony.conf.j2
+ dest: /etc/chrony/chrony.conf
+ notify: restart chrony
+
+- name: start chrony
+ systemd:
+ name: chronyd
+ enabled: yes
+ state: started
diff --git a/roles/proxmox_hypervisor/tasks/main.yml b/roles/proxmox_hypervisor/tasks/main.yml
new file mode 100644
index 0000000..6495e74
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: configure NTP
+ import_tasks: chrony.yml
+ tags: ntp,chrony
+
+- name: configure postfix
+ import_tasks: postfix.yml
+ tags: mail,postfix
+
+- name: configure rsyslog
+ import_tasks: rsyslog.yml
+ tags: syslog,rsyslog
+
+- name: configure sudo
+ import_tasks: sudo.yml
+ tags: sudo,sudoers
+
+- name: configure unattended upgrades
+ import_tasks: unattended_upgrades.yml
+ tags: apt,packages
+
+- name: configure ZFS
+ import_tasks: zfs.yml
+ tags: zfs
+
+- name: configure proxmox VE
+ import_tasks: pve.yml
+ tags: pve
+
+- name: configure nagios plugins
+ import_tasks: nagios.yml
+ tags: nagios
diff --git a/roles/proxmox_hypervisor/tasks/nagios.yml b/roles/proxmox_hypervisor/tasks/nagios.yml
new file mode 100644
index 0000000..b42317d
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/nagios.yml
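Review bot: `enabled: yes` in the `start chrony` task is a YAML 1.1 truthy literal; Ansible accepts it, but yamllint's `truthy` rule flags it and `enabled: true` is the spelling the rest of the role should use consistently. The same spelling appears in the systemd tasks of nagios.yml, postfix.yml, rsyslog.yml and zfs.yml, in `system: yes`/`create_home: yes` in nagios.yml, in `update_cache: no`/`update_cache: yes` and `firstmatch: yes` in pve.yml, and as `changed_when: False` in pve_api_user.yml. The `generate chrony.conf` template task also sets no `mode`, so the permissions of `/etc/chrony/chrony.conf` depend on the remote default rather than on the role; an explicit `mode: '0644'` makes the result deterministic and documents that the file is not expected to hold secrets.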
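Review bot: `tags: ntp,chrony` and the other comma-separated tag values are accepted by Ansible but are a single scalar to every other YAML consumer, so linters and editors cannot see the individual tags; the list form `tags: [ntp, chrony]` is what ansible-lint expects and keeps each tag greppable. This applies to all eight `tags:` lines in the hunk.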
@@ -0,0 +1,68 @@
+- name: install packages
+ apt:
+ name: '{{ proxmox_nagios_packages }}'
+ state: present
+
+- name: create nagios user
+ user:
+ name: nagios
+ comment: Nagios Pseudo-User
+ system: yes
+ shell: /bin/bash
+ home: '{{ proxmox_nagios_home }}'
+ create_home: yes
+ state: present
+
+- name: add nagios ssh key
+ authorized_key:
+ user: nagios
+ key: '{{ proxmox_nagios_ssh_pubkey }}'
+ state: present
+
+- name: copy custom nagios scripts
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ proxmox_nagios_plugin_dir }}/{{ item.path }}'
+ mode: 0555
+ loop: "{{ lookup('filetree', proxmox_nagios_plugin_dir[1:], wantlist=True) }}"
+ when: item.state == 'file'
+
+- name: generate sudo rules
+ template:
+ src: etc/sudoers.d/nagios.j2
+ dest: /etc/sudoers.d/nagios
+ mode: 0400
+
+- name: set PATH for nagios user
+ copy:
+ content: export PATH=/sbin:/bin:/usr/sbin:/usr/bin:{{ proxmox_nagios_plugin_dir }}
+ dest: '{{ proxmox_nagios_home }}/.bashrc'
+ owner: '{{ proxmox_nagios_user }}'
+ group: '{{ proxmox_nagios_user }}'
+ mode: 0644
+
+- name: stop snmpd
+ systemd:
+ name: snmpd
+ state: stopped
+
+- name: generate snmpd.conf
+ template:
+ src: etc/snmp/snmpd.conf.j2
+ dest: /etc/snmp/snmpd.conf
+ mode: 0600
+
+- name: add snmpv3 users
+ lineinfile:
+ path: /var/lib/snmp/snmpd.conf
+ line: 'createUser {{ item.name }} SHA "{{ item.auth_pass }}" AES "{{ item.priv_pass }}"'
+ insertafter: EOF
+ loop: '{{ snmp_v3_users }}'
+ loop_control:
+ label: '{{ item.name }}'
+
+- name: enable and start snmpd
+ systemd:
+ name: snmpd
+ enabled: yes
+ state: started
diff --git a/roles/proxmox_hypervisor/tasks/postfix.yml b/roles/proxmox_hypervisor/tasks/postfix.yml
new file mode 100644
index 0000000..2cb3fb2
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/postfix.yml
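Review bot: The `add snmpv3 users` task renders `item.auth_pass` and `item.priv_pass` into the `line` argument of `lineinfile` without `no_log: true`, so the SNMPv3 credentials are printed in verbose and `--diff` output even though `loop_control.label` hides them from the item label; add `no_log: true` to that task. The `generate sudo rules` task writes `/etc/sudoers.d/nagios` without `validate: 'visudo -cf %s'`, so a template error is only noticed when sudo rejects the file; the same applies to the `/etc/sudoers` task in sudo.yml, where an unvalidated render locks every sudo user out. `create nagios user` and `add nagios ssh key` hard-code `nagios` while the `.bashrc` task uses `{{ proxmox_nagios_user }}` for `owner`/`group`, so a changed variable would chown the home file to an account other than the one created; use the variable in all three. Since `insertafter: EOF` is used without a `regexp`, a rotated password leaves the old `createUser` line in place, and because net-snmp typically consumes `createUser` lines from its persistent config on start/stop, this task will likely report changed on every run — worth a comment if that is accepted.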
@@ -0,0 +1,18 @@
+- name: install postfix
+ apt:
+ name:
+ - postfix
+ - bsd-mailx
+ state: present
+
+- name: generate postifx configuration
+ template:
+ src: etc/postfix/main.cf.j2
+ dest: /etc/postfix/main.cf
+ notify: restart postfix
+
+- name: enable postfix
+ systemd:
+ name: postfix
+ enabled: yes
+ state: started
diff --git a/roles/proxmox_hypervisor/tasks/pve.yml b/roles/proxmox_hypervisor/tasks/pve.yml
new file mode 100644
index 0000000..e780bf6
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/pve.yml
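Review bot: The task name `generate postifx configuration` has a typo; task names show up in play output and are used with `--start-at-task`, so `- name: generate postfix configuration` is worth fixing before anything references it. The template task sets no `mode`, so the permissions of `/etc/postfix/main.cf` depend on the remote default; an explicit `mode: '0644'` makes them deterministic, and if the template ever adds relay credentials the mode should be tightened at the same time.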
@@ -0,0 +1,58 @@
+- name: disable proxmox enterprise repositiory
+ apt_repository:
+ filename: pve-enterprise
+ repo: 'deb {{ proxmox_repo_url }} {{ ansible_distribution_release }} pve-enterprise'
+ state: absent
+ update_cache: no
+
+- name: enable proxmox community repository
+ apt_repository:
+ filename: pve-no-subscription
+ repo: 'deb {{ proxmox_repo_url }} {{ ansible_distribution_release }} pve-no-subscription'
+ state: present
+ update_cache: yes
+
+- name: enable snippets on local storage
+ lineinfile:
+ path: /etc/pve/storage.cfg
+ line: ' content iso,backup,snippets,vztmpl'
+ regexp: '^\s+content\s'
+ insertafter: '^dir: local$'
+ firstmatch: yes
+
+- name: create snippets directory
+ file:
+ path: '{{ proxmox_snippets_dir }}'
+ state: directory
+
+- name: generate custom snippets
+ template:
+ src: '{{ item.src }}'
+ dest: '{{ proxmox_snippets_dir }}/{{ item.path | splitext | first }}'
+ loop: "{{ lookup('filetree', '../templates/{{ proxmox_snippets_dir[1:] }}', wantlist=True) }}"
+ when: item.state == 'file'
+
+- name: add ansible API user
+ import_tasks: pve_api_user.yml
+
+- name: create kvm image directory
+ file:
+ path: '{{ proxmox_kvm_image_dir }}'
+ state: directory
+
+- name: get current VMIDs
+ shell: qm list | awk '{print $1}'
+ register: vmids
+ changed_when: false
+
+- name: install proxmoxer
+ apt:
+ name: python3-proxmoxer
+ state: present
+
+- name: create KVM templates
+ include_tasks: pve_kvm_template.yml
+ when: (image.vmid | string) not in vmids.stdout_lines
+ loop: '{{ proxmox_kvm_images }}'
+ loop_control:
+ loop_var: image
diff --git a/roles/proxmox_hypervisor/tasks/pve_api_user.yml b/roles/proxmox_hypervisor/tasks/pve_api_user.yml
new file mode 100644
index 0000000..f620a90
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/pve_api_user.yml
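Review bot: In `enable snippets on local storage`, `regexp: '^\s+content\s'` makes `lineinfile` replace the last line in `/etc/pve/storage.cfg` that matches, and `insertafter`/`firstmatch` only come into play when nothing matches; on a host where another storage stanza follows `dir: local` (the stock install also has `local-zfs` or `local-lvm`), that stanza's `content` line would be overwritten with the `local` content list, which can make existing disks unusable for that storage — this only bites when the file has more than one `content` line, which I cannot confirm from here. The storage tooling owns this file, so a safer form is `command: pvesm set local --content iso,backup,snippets,vztmpl`, gated by reading the current value (for example `pvesh get /storage/local`) into a registered variable for `changed_when`; at minimum the `regexp` needs to be scoped to the `local` stanza. In `get current VMIDs`, `vmids.stdout_lines` also contains the `VMID` header from `qm list`; it is harmless for the `not in` test but a one-line comment (`# first line is the 'VMID' header`) would stop the next reader from wondering.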
@@ -0,0 +1,21 @@
+- name: create unix account
+ user:
+ name: "{{ proxmox_api_user | replace('@pam', '') }}"
+ shell: /sbin/nologin
+ password: '{{ proxmox_api_password | password_hash("sha512", proxmox_password_salt | default("")) }}'
+ state: present
+
+- name: check if user has PVE account
+ shell: pveum user list --noheader --noborder | cut -d ' ' -f1
+ changed_when: False
+ register: pve_users
+
+- name: create PVE account
+ block:
+ - name: create PVE user
+ command: pveum user add {{ proxmox_api_user }}
+
+ - name: set user ACLs
+ command: pveum acl modify / -user {{ proxmox_api_user }} -role PVEAdmin -propagate 1
+
+ when: proxmox_api_user not in pve_users.stdout_lines
diff --git a/roles/proxmox_hypervisor/tasks/pve_kvm_template.yml b/roles/proxmox_hypervisor/tasks/pve_kvm_template.yml
new file mode 100644
index 0000000..6f0dfac
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/pve_kvm_template.yml
@@ -0,0 +1,32 @@
+- name: download the disk image
+ get_url:
+ url: '{{ image.url }}'
+ checksum: 'sha256:{{ image.sha256 }}'
+ dest: '{{ proxmox_kvm_image_dir }}/{{ image.name }}.{{ image.type | default("qcow2") }}'
+
+- name: create a new VM
+ command: >
+ qm create {{ image.vmid }}
+ --name {{ image.name }}
+ --ostype {{ image.ostype | default('l26') }}
+ --scsihw virtio-scsi-pci
+ --memory 2048
+ --net0 virtio,bridge={{ proxmox_bridge }}
+ --serial0 socket
+ --vga serial0
+ --scsi1 {{ proxmox_storage }}:cloudinit
+
+- name: import the disk image
+ command: >
+ qm importdisk {{ image.vmid }}
+ {{ proxmox_kvm_image_dir }}/{{ image.name }}.{{ image.type | default("qcow2") }}
+ {{ proxmox_storage }}
+
+- name: attach disk to VM
+ command: qm set {{ image.vmid }} --scsi0 {{ proxmox_storage }}:vm-{{ image.vmid }}-disk-0
+
+- name: set boot order
+ command: qm set {{ image.vmid }} --boot order=scsi0
+
+- name: convert VM to template
+ command: qm template {{ image.vmid }}
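Review bot: In `create unix account`, `proxmox_password_salt | default("")` hands `password_hash` an empty salt, and with a falsy salt the filter generates a fresh random salt on every run, so the hash differs each time and the `user` task reports changed (and rewrites the shadow entry) on every play; either make the salt variable mandatory or derive a stable per-host value so the task becomes idempotent. The same task puts the password hash into its arguments without `no_log: true`, so it is printed in verbose and `--diff` output; add `no_log: true`. `set user ACLs` grants `PVEAdmin` on `/` with `-propagate 1`, i.e. cluster-wide administrative rights for the automation account; I cannot tell from here what the account is used for, but if it only manages VMs and storage, a narrower role or path would limit what a leaked API password can do, and that decision deserves a comment either way.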
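Review bot: The six steps in this file are gated only by the VMID check in pve.yml, so if anything after `qm create` fails (a checksum mismatch in `download the disk image` is caught earlier, but `qm importdisk` or `qm set` can still fail on a storage name mismatch) the VMID already exists and every later run skips the file, leaving a half-built VM that is never converted with `qm template`; a guard at the top that checks `qm config` of an existing VMID for `template: 1`, or a `block`/`rescue` around the sequence that removes the partial VM, would make the process restartable. `--memory 2048` and `--scsihw virtio-scsi-pci` are hard-coded while `ostype` and `type` come from the `image` item; `--memory {{ image.memory | default(2048) }}` keeps the per-image interface consistent. The explicit `checksum: 'sha256:{{ image.sha256 }}'` on the download is the right call and worth keeping mandatory rather than defaulting.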
diff --git a/roles/proxmox_hypervisor/tasks/rsyslog.yml b/roles/proxmox_hypervisor/tasks/rsyslog.yml
new file mode 100644
index 0000000..bbd981c
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/rsyslog.yml
@@ -0,0 +1,16 @@
+- name: install rsyslog
+ apt:
+ name: rsyslog
+ state: present
+
+- name: generate rsyslog configuration
+ template:
+ src: etc/rsyslog.d/forward.conf.j2
+ dest: /etc/rsyslog.d/forward.conf
+ notify: restart rsyslog
+
+- name: enable rsyslog
+ systemd:
+ name: rsyslog
+ enabled: yes
+ state: started
diff --git a/roles/proxmox_hypervisor/tasks/sudo.yml b/roles/proxmox_hypervisor/tasks/sudo.yml
new file mode 100644
index 0000000..7419bf0
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/sudo.yml
@@ -0,0 +1,5 @@
+- name: generate sudoers file
+ template:
+ src: etc/sudoers.j2
+ dest: /etc/sudoers
+ mode: 0440
diff --git a/roles/proxmox_hypervisor/tasks/unattended_upgrades.yml b/roles/proxmox_hypervisor/tasks/unattended_upgrades.yml
new file mode 100644
index 0000000..9ce7e89
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/unattended_upgrades.yml
@@ -0,0 +1,11 @@
+- name: install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+
+- name: copy unattended-upgrades configuration
+ copy:
+ src: etc/apt/apt.conf.d/{{ item }}
+ dest: /etc/apt/apt.conf.d/{{ item }}
+ loop:
+ - 20auto-upgrades
+ - 50unattended-upgrades
diff --git a/roles/proxmox_hypervisor/tasks/zfs.yml b/roles/proxmox_hypervisor/tasks/zfs.yml
new file mode 100644
index 0000000..5a1587e
--- /dev/null
+++ b/roles/proxmox_hypervisor/tasks/zfs.yml
@@ -0,0 +1,34 @@
+- name: generate zed.rc
+ template:
+ src: etc/zfs/zed.d/zed.rc.j2
+ dest: /etc/zfs/zed.d/zed.rc
+ notify: restart zfs-zed
+
+- name: enable zfs event daemon
+ systemd:
+ name: zfs-zed
+ enabled: yes
+ state: started
+
+- name: create zfs systemd units
+ template:
+ src: etc/systemd/system/zfs-{{ item[0] }}@.{{ item[1] }}.j2
+ dest: /etc/systemd/system/zfs-{{ item[0] }}@.{{ item[1] }}
+ loop: "{{ ['scrub', 'trim'] | product(['service', 'timer']) }}"
+ register: zfs_units
+
+- name: reload systemd units
+ systemd:
+ daemon-reload: yes
+ when: zfs_units.changed
+
+- name: enable periodic trim and scrub for zpool
+ systemd:
+ name: zfs-{{ item }}@rpool.timer
+ state: started
+ enabled: yes
+ loop:
+ - trim
+ - scrub
+ loop_control:
+ label: zfs-{{ item }}@rpool.timer |
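Review bot: `enable periodic trim and scrub for zpool` hard-codes the pool name `rpool` in both `name:` and `label:`, while the rest of the role parameterizes storage through variables; a pool list variable (e.g. `proxmox_zfs_pools`, constructed name) combined with `product(['trim', 'scrub'])` would cover hosts with additional pools instead of silently leaving them unscrubbed. `reload systemd units` with `when: zfs_units.changed` relies on task order to run before the timers are enabled; adding `daemon_reload: true` to the enable task (the systemd module supports it) or moving the reload into a handler makes that dependency explicit. The `generate zed.rc` template sets no `mode`; zed.rc carries the notification address and, depending on the template, notification hooks, so an explicit `mode: '0644'` documents that nothing sensitive is expected there.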