Fixed some lint suggestions
This commit is contained in:
parent
29ead64f6a
commit
3e7f5b44b3
11
chef.yml
11
chef.yml
@ -1,8 +1,9 @@
|
|||||||
- hosts: chef.heaplab.deib.polimi.it
|
- hosts: chef.heaplab.deib.polimi.it
|
||||||
|
name: Base configuration of OS
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Update system
|
- name: Update system
|
||||||
become: true
|
become: true
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: "*"
|
name: "*"
|
||||||
state: latest # noqa package-latest
|
state: latest # noqa package-latest
|
||||||
- name: Set hostname
|
- name: Set hostname
|
||||||
@ -10,10 +11,10 @@
|
|||||||
ansible.builtin.hostname:
|
ansible.builtin.hostname:
|
||||||
name: chef
|
name: chef
|
||||||
use: systemd
|
use: systemd
|
||||||
#- name: Reboot
|
# - name: Reboot
|
||||||
# become: true
|
# become: true
|
||||||
# reboot:
|
# ansible.builtin.reboot:
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- auto-updates
|
- auto-updates
|
||||||
- base-os
|
- base-os
|
||||||
|
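Review bot: `Update system` upgrades every installed package to latest (`name: "*"`, `state: latest`) on each run while the `Reboot` task further down stays commented out, so a kernel or libc update pulled in by this pre_task keeps the old code running until someone reboots by hand, and the `# noqa package-latest` silences the lint warning without saying why unpinned upgrades are acceptable here. If unattended reboots are tolerable for this host, add `register: system_update` to the update task and re-enable the reboot task guarded by `when: system_update is changed` (or gate it on `needs-restarting -r` / `/var/run/reboot-required`, whichever the target distribution provides). At minimum extend the suppression with its reason, e.g. `# noqa package-latest -- lab host, intentionally tracks latest`.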
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
- name: Permit traffic from any IP to http port
|
- name: Permit traffic from any IP to http port
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.ufw:
|
community.general.ufw:
|
||||||
direction: in
|
direction: in
|
||||||
from_ip: any
|
from_ip: any
|
||||||
proto: tcp
|
proto: tcp
|
||||||
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
- name: Permit traffic from any IP to https port
|
- name: Permit traffic from any IP to https port
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.ufw:
|
community.general.ufw:
|
||||||
direction: in
|
direction: in
|
||||||
from_ip: any
|
from_ip: any
|
||||||
proto: tcp
|
proto: tcp
|
||||||
|
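Review bot: The two allow rules differ only in the port, so one task with `loop: [80, 443]` and `port: "{{ item }}"` would state the policy once and keep any later addition (a third port, a source restriction) in one place; the `port` and `rule` keys presumably sit just past each hunk's last line, so their exact form is not visible here. `from_ip: any` is already the module default and can be dropped. The FQCN change itself is right since `ufw` lives in `community.general`, so make sure that collection is pinned in the project's requirements file, which this diff does not show.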
@ -1,6 +1,6 @@
|
|||||||
- name: Install base packages
|
- name: Install base packages
|
||||||
become: true
|
become: true
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- htop
|
- htop
|
||||||
- tmux
|
- tmux
|
||||||
@ -9,4 +9,3 @@
|
|||||||
- python3
|
- python3
|
||||||
- acl
|
- acl
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
- name: Install base packages
|
- name: Install base packages
|
||||||
become: true
|
become: true
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- cockpit
|
- cockpit
|
||||||
- cockpit-bridge
|
- cockpit-bridge
|
||||||
@ -16,10 +16,10 @@
|
|||||||
become: true
|
become: true
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: cockpit.socket
|
name: cockpit.socket
|
||||||
enabled: yes
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
- name: Copy cockpit configuration
|
- name: Copy cockpit configuration
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: cockpit.conf.j2
|
src: cockpit.conf.j2
|
||||||
@ -28,6 +28,6 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
#- name: Reboot
|
# - name: Reboot
|
||||||
# become: true
|
# become: true
|
||||||
# reboot:
|
# ansible.builtin.reboot:
|
||||||
|
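Review bot: `mode: 0644` in `Copy cockpit configuration` is an unquoted leading-zero integer; PyYAML reads it as octal 420 and Ansible happens to interpret that correctly, but ansible-lint flags it (`risky-octal`) and a dropped zero would silently become decimal 644, so since this commit is about lint findings write it as `mode: "0644"`. Enabling and starting `cockpit.socket` also exposes the Cockpit web UI (port 9090 by default) on this host; no matching rule appears in the ufw role's hunks in this diff, so confirm the port is either blocked by the default incoming policy or restricted to admin networks rather than left to chance.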
@ -1,9 +1,10 @@
|
|||||||
- name: Check if cgroup v2 is available
|
- name: Check if cgroup v2 is available
|
||||||
ansible.builtin.command: grep cgroup2 /proc/filesystems
|
ansible.builtin.command: grep cgroup2 /proc/filesystems
|
||||||
register: cgroup2_present
|
register: cgroup2_present
|
||||||
|
changed_when: cgroup2_present.rc != 0
|
||||||
|
|
||||||
- name: Enable cgroup v2
|
- name: Enable cgroup v2
|
||||||
ansible.builtin.command: 'grubby --update-kernel=ALL --add-args="systemd.unified_cgroup_hierarchy=1"'
|
ansible.builtin.command: 'grubby --update-kernel=ALL --add-args="systemd.unified_cgroup_hierarchy=1"'
|
||||||
become: true
|
become: true
|
||||||
when:
|
when:
|
||||||
- cgroup2_present.rc != 0
|
- cgroup2_present.rc != 0
|
||||||
|
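Review bot: The added `changed_when: cgroup2_present.rc != 0` never gets to matter on the host it is meant for: `ansible.builtin.command` fails the task on any non-zero rc unless `failed_when` says otherwise, so on a machine without cgroup2 the grep returns 1, the play aborts, and `Enable cgroup v2` is never reached. A read-only probe should also not report `changed`. Replace the line with `changed_when: false` and add `failed_when: cgroup2_present.rc > 1` (rc 1 is "no match", rc 2 is a real grep error), which lets the `when` on the next task do its job.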
@ -1,6 +1,6 @@
|
|||||||
- name: Install base packages
|
- name: Install base packages
|
||||||
become: true
|
become: true
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- podman
|
- podman
|
||||||
- podman-docker
|
- podman-docker
|
||||||
@ -8,18 +8,30 @@
|
|||||||
|
|
||||||
- name: Add the 'containers' user
|
- name: Add the 'containers' user
|
||||||
become: true
|
become: true
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: containers
|
name: containers
|
||||||
|
password: "!"
|
||||||
|
system: false
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
|
comment: User running unprivileged containers
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Add admin pub keys to authorized_keys
|
||||||
|
become: true
|
||||||
|
ansible.posix.authorized_keys:
|
||||||
|
user: containers
|
||||||
|
key: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
loop: "{{ vault_containers_authorized_keys }}"
|
||||||
|
|
||||||
- name: Check if user is lingering
|
- name: Check if user is lingering
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "/var/lib/systemd/linger/containers"
|
path: "/var/lib/systemd/linger/containers"
|
||||||
register: user_lingering
|
register: user_lingering
|
||||||
|
|
||||||
- name: Enable lingering is needed
|
- name: Enable lingering is needed
|
||||||
become: true
|
become: true
|
||||||
command: "loginctl enable-linger containers"
|
ansible.builtin.command: "loginctl enable-linger containers"
|
||||||
when:
|
when:
|
||||||
- not user_lingering.stat.exists
|
- not user_lingering.stat.exists
|
||||||
|
|
||||||
@ -28,7 +40,7 @@
|
|||||||
ansible.posix.sysctl:
|
ansible.posix.sysctl:
|
||||||
name: net.ipv4.ip_unprivileged_port_start
|
name: net.ipv4.ip_unprivileged_port_start
|
||||||
value: "80"
|
value: "80"
|
||||||
sysctl_set: yes
|
sysctl_set: true
|
||||||
|
|
||||||
- name: Enable podman socket
|
- name: Enable podman socket
|
||||||
become: true
|
become: true
|
||||||
@ -36,30 +48,30 @@
|
|||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
scope: user
|
scope: user
|
||||||
name: podman.socket
|
name: podman.socket
|
||||||
enabled: yes
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
- name: Enable podman auto-update timer
|
- name: Enable podman auto-update timer
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: podman-auto-update.timer
|
name: podman-auto-update.timer
|
||||||
enabled: yes
|
enabled: true
|
||||||
|
|
||||||
- name: Copy default containers config file
|
- name: Copy default containers config file
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
remote_src: yes
|
remote_src: true
|
||||||
src: /usr/share/containers/containers.conf
|
src: /usr/share/containers/containers.conf
|
||||||
dest: /etc/containers/containers.conf
|
dest: /etc/containers/containers.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Change podman default subnet
|
- name: Change podman default subnet
|
||||||
become: true
|
become: true
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/containers/containers.conf
|
path: /etc/containers/containers.conf
|
||||||
regex: "^(.*)default_subnet = (.*)$"
|
regex: "^(.*)default_subnet = (.*)$"
|
||||||
line: 'default_subnet = "172.16.0.0/24"'
|
line: 'default_subnet = "172.16.0.0/24"'
|
||||||
|
|
||||||
#- name: Reboot
|
# - name: Reboot
|
||||||
# become: true
|
# become: true
|
||||||
# reboot:
|
# ansible.builtin.reboot:
|
||||||
|
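Review bot: `Copy default containers config file` and `Change podman default subnet` will fight each other on every run: `ansible.builtin.copy` compares checksums, so once `lineinfile` has rewritten `default_subnet` the file no longer matches `/usr/share/containers/containers.conf`, the copy restores the stock file and lineinfile patches it again, giving two spurious `changed` results per run and a brief window with the default subnet; adding `force: false` under the copy task seeds the file only when it is absent and keeps the play idempotent. Separately, `net.ipv4.ip_unprivileged_port_start = 80` is host-wide rather than scoped to the `containers` user, so any unprivileged process can then bind 80-1023; that is a common trade-off for rootless containers on a single-purpose host but deserves a comment such as `# host-wide: every unprivileged user may now bind ports >= 80`. For `Enable podman socket`, the line between the two hunks (old line 35) is not visible; with `become: true` and `scope: user` it needs to be `become_user: containers`, otherwise root's user manager is what gets the socket.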