diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 012369d..12e5cae 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -42,7 +42,7 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: # Full git history is needed to get a proper # list of changed files within `super-linter` diff --git a/.gitignore b/.gitignore index 7151090..787960a 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ .vagrant venv/ external_roles/ +collections/ diff --git a/README.md b/README.md index 9247e73..caeed85 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Freifunk Berlin Ansible Repo +# Freifunk Berlin Ansible Repository This repository currently contains our WIP state for the infrastructure code. @@ -21,7 +21,7 @@ This repository currently manages these services: ## Requirements -- Ansible 5.x +- Ansible 8.x - The secret encryption password for ansible-vault under `./.vaultpass` - For alternative methods look here: - Have the necessary requirements installed: `ansible-galaxy install -r requirements.yml` @@ -35,7 +35,7 @@ Also, the roles are divided into 2 directories, one for external ones, and one f This separation makes using the monorepo approach easier, since we can just exclude all directories in the `.gitignore`. -``` +```text ├── .config # Directory with config files e.g. for github actions ├── .github # Directory for github actions ├── ansible.cfg # Custom settings for this Repository diff --git a/ansible.cfg b/ansible.cfg index bb5c5f6..66a78ae 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -3,7 +3,7 @@ inventory = ./inventory/hosts collections_paths = ./collections roles_path = ./external_roles:./roles vault_password_file = ./.vaultpass -ansible_managed = Managed by ff-berlin ansible: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} +ansible_managed = Managed by ff-berlin ansible forks = 10 allow_world_readable_tmpfiles=true diff --git a/inventory/hosts b/inventory/hosts index e3ae811..a98e68a 100644 --- a/inventory/hosts +++ b/inventory/hosts @@ -21,7 +21,6 @@ b.tunnel.berlin.freifunk.net # freifunk-gw01 c.tunnel.berlin.freifunk.net # vpn03d.berlin.freifunk.net d.tunnel.berlin.freifunk.net # vpn03f.berlin.freifunk.net f.tunnel.berlin.freifunk.net # vpn03h.berlin.freifunk.net -t-löffel.de [other] util.berlin.freifunk.net diff --git a/requirements.txt b/requirements.txt index 63d2af9..a4ddb74 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -ansible >= 2.13 +ansible >= 2.15 black >= 23.9 isort >= 5.12 diff --git a/requirements.yml b/requirements.yml index 4c02e12..9da55cb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,15 +3,15 @@ # usage: ansible-galaxy install -r requirements.yml roles: - src: ryandaniels.create_users - version: 1.0.8 + version: 1.0.11 - src: geerlingguy.nginx - version: 3.1.0 + version: 3.1.4 - src: systemli.letsencrypt - version: 2.1.0 + version: 2.3.0 collections: - name: ansible.posix - version: 1.5.1 + version: 1.5.4 - name: community.mysql - version: 3.6.0 + version: 3.8.0 - name: community.general - version: 6.5.0 + version: 7.5.1 diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml index e4ca071..f05c288 100644 --- a/roles/caddy/handlers/main.yml +++ b/roles/caddy/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart caddy - systemd: + ansible.builtin.systemd: daemon_reload: true name: caddy enabled: true diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml index 773f339..d1fb533 100644 --- a/roles/caddy/tasks/main.yml 
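Review bot: The new `ansible_managed` value drops `{file}` together with the timestamp, so a rendered config no longer records which template produced it. Removing the date, `{uid}` and `{host}` is what makes templated files idempotent (otherwise every run rewrites them and fires the restart handlers), but the template name is stable and is the one piece worth keeping for traceability: `ansible_managed = Managed by ff-berlin ansible: {file}`. Separately, the context line `allow_world_readable_tmpfiles=true` makes transferred module files readable by every local user on the target while a task becomes an unprivileged account; the `become: true` + `become_user: www-data` checkouts in this commit are presumably what relies on it, and installing `acl` on the targets (or enabling pipelining) removes the need for that setting.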
+++ b/roles/caddy/tasks/main.yml @@ -10,7 +10,7 @@ state: present - name: Install dependencies - apt: + ansible.builtin.apt: name: - caddy state: present @@ -18,12 +18,10 @@ cache_valid_time: 3600 - name: Copy caddyfile - template: + ansible.builtin.template: dest: /etc/caddy/Caddyfile src: "{{ caddy_caddyfile }}" - mode: 0640 + mode: "0640" owner: caddy group: caddy notify: Restart caddy - -... diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 43c4a62..061df31 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,10 +1,4 @@ --- -- name: Restart collectd - ansible.builtin.service: - name: collectd - enabled: true - state: restarted - - name: Restart fail2ban ansible.builtin.service: name: fail2ban diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c2f342f..43d5de2 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,10 +1,9 @@ --- # tasks to be run on all machines - name: Install basic tools - apt: + ansible.builtin.apt: name: - atop - - collectd - curl - fail2ban - git 
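Review bot: Dropping `collectd` from the `Install basic tools` package list does not remove it from hosts that were provisioned before this change; they keep running collectd with the `ffberlin.conf` drop-in whose template this commit deletes, and nothing removes that file either. If the intent is to retire collectd on non-monitor hosts rather than just stop installing it on new ones, add an `ansible.builtin.apt` task with `state: absent` for the package and an `ansible.builtin.file` task with `state: absent` for `/etc/collectd/collectd.conf.d/ffberlin.conf`. Mind that the ff_monitor role in this same diff still templates `/etc/collectd/collectd.conf`, so such a removal must not apply to the monitor host. The package list continues past the end of the hunk.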
@@ -22,60 +21,50 @@ state: present update_cache: true -# Collectd config -- name: Copy collectd config - template: - src: collectd-ffberlin.conf.j2 - dest: /etc/collectd/collectd.conf.d/ffberlin.conf - mode: 0640 - owner: root - group: root - notify: Restart collectd - - name: Configure fail2ban-jails - template: + ansible.builtin.template: src: fail2ban-ffberlin.local.j2 dest: /etc/fail2ban/jail.local - mode: 0640 + mode: "0640" owner: root group: root notify: Restart fail2ban - name: Copy custom motd - template: + ansible.builtin.template: src: motd.j2 dest: /etc/motd - mode: 0640 + mode: "0640" owner: root group: root - name: Configure prometheus-node-exporter - template: + ansible.builtin.template: src: prometheus-node-exporter.j2 dest: /etc/default/prometheus-node-exporter - mode: 0640 + mode: "0640" owner: root group: root notify: Restart prometheus-node-exporter - name: Disallow password-based login for all users - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config - line: 'PasswordAuthentication no' + line: PasswordAuthentication no insertafter: EOF notify: Restart sshd - name: Disallow login for root user - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config - line: 'PermitRootLogin no' + line: PermitRootLogin no insertafter: EOF notify: Restart sshd - name: Set Journald Max Size to 1G ansible.builtin.lineinfile: path: /etc/systemd/journald.conf - insertafter: '^#SystemMaxUse' - regexp: '^SystemMaxUse' + insertafter: ^#SystemMaxUse + regexp: ^SystemMaxUse line: SystemMaxUse=1G notify: Restart journald diff --git a/roles/common/templates/collectd-ffberlin.conf.j2 b/roles/common/templates/collectd-ffberlin.conf.j2 deleted file mode 100644 index 0d9d15c..0000000 --- a/roles/common/templates/collectd-ffberlin.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/roles/ff_monitor/handlers/main.yml b/roles/ff_monitor/handlers/main.yml index a859c91..be30678 100644 
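Review bot: The two sshd hardening tasks (`Disallow password-based login for all users`, `Disallow login for root user`) append with `insertafter: EOF` and no `regexp`, and sshd honours the first occurrence of a keyword, so an earlier uncommented `PasswordAuthentication yes` or `PermitRootLogin yes` in `/etc/ssh/sshd_config` silently wins over the appended line and the hardening is a no-op on that host. Give each task a `regexp` so an existing directive is replaced in place and the line is only appended when none exists: `regexp: '^#?PasswordAuthentication\s'` and `regexp: '^#?PermitRootLogin\s'`. On releases whose sshd_config begins with an `Include /etc/ssh/sshd_config.d/*.conf` line, directives in that directory take precedence over anything appended to the main file, which is worth checking on the managed hosts. The task list continues before the start of this hunk.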
--- a/roles/ff_monitor/handlers/main.yml +++ b/roles/ff_monitor/handlers/main.yml @@ -1,34 +1,34 @@ --- - name: Restart rrdcached - systemd: + ansible.builtin.systemd: daemon_reload: true name: rrdcached enabled: true state: restarted - name: Restart collectd - systemd: + ansible.builtin.systemd: daemon_reload: true name: collectd enabled: true state: restarted - name: Restart php-fpm - systemd: + ansible.builtin.systemd: daemon_reload: true name: php7.4-fpm enabled: true state: restarted - name: Restart prometheus - systemd: + ansible.builtin.systemd: daemon_reload: true name: prometheus enabled: true state: restarted - name: Restart grafana - systemd: + ansible.builtin.systemd: daemon_reload: true name: grafana-server enabled: true diff --git a/roles/ff_monitor/tasks/main.yml b/roles/ff_monitor/tasks/main.yml index 72d4bfe..85aead4 100644 --- a/roles/ff_monitor/tasks/main.yml +++ b/roles/ff_monitor/tasks/main.yml @@ -6,12 +6,12 @@ - name: Add grafana APT Repo ansible.builtin.apt_repository: - repo: "deb https://apt.grafana.com stable main" + repo: deb https://apt.grafana.com stable main state: present update_cache: false - name: Install dependencies - apt: + ansible.builtin.apt: name: - grafana - prometheus @@ -22,19 +22,19 @@ cache_valid_time: 3600 - name: Copy prometheus config - template: + ansible.builtin.template: dest: /etc/prometheus/prometheus.yml src: prometheus.yml.j2 - mode: '0640' + mode: "0640" owner: prometheus group: prometheus notify: Restart prometheus - name: Copy prometheus defaults - template: + ansible.builtin.template: dest: /etc/default/prometheus src: prometheus.j2 - mode: '0640' + mode: "0640" owner: root group: root notify: Restart prometheus 
@@ -53,19 +53,19 @@ - collectd-exporter - name: Copy grafana config - template: + ansible.builtin.template: dest: /etc/grafana/grafana.ini src: grafana.ini.j2 - mode: '0640' + mode: "0640" owner: grafana group: grafana notify: Restart grafana - name: Copy collectd config - template: + ansible.builtin.template: dest: /etc/collectd/collectd.conf src: collectd.conf.j2 - mode: '0644' + mode: "0644" owner: root group: root notify: Restart collectd @@ -75,13 +75,13 @@ name: remove old rrd files special_time: daily user: root - job: "find /mnt/collectd/rrd/ -type f -mtime +14 -delete; find /mnt/collectd/rrd/ -type d -empty -delete" + job: find /mnt/collectd/rrd/ -type f -mtime +14 -delete; find /mnt/collectd/rrd/ -type d -empty -delete - name: Create a directory if it does not exist ansible.builtin.file: path: "{{ item }}" state: directory - mode: '0750' + mode: "0750" owner: www-data group: www-data with_items: @@ -94,17 +94,17 @@ ansible.builtin.copy: src: files/firmwaremetrics/ dest: /srv/www/monitor.berlin.freifunk.net/metrics/firmware/ - mode: '0750' + mode: "0750" owner: www-data group: www-data - name: Copy helperscripts ansible.builtin.copy: - src: "files/{{ item }}" + src: files/{{ item }} dest: /opt/helperscripts/ owner: www-data group: www-data - mode: '0750' + mode: "0750" with_items: - create_node_geojson.py - create_node_list.py 
@@ -114,16 +114,17 @@ name: create node json special_time: daily user: www-data - job: "/opt/helperscripts/create_node_list.py > /srv/www/monitor.berlin.freifunk.net/static/nodes.json" + job: /opt/helperscripts/create_node_list.py > /srv/www/monitor.berlin.freifunk.net/static/nodes.json - name: Cronjob to create node geojson ansible.builtin.cron: name: create node geojson special_time: daily user: www-data - job: "/opt/helperscripts/create_node_geojson.py > /srv/www/monitor.berlin.freifunk.net/static/nodes_geojson.json" + job: /opt/helperscripts/create_node_geojson.py > /srv/www/monitor.berlin.freifunk.net/static/nodes_geojson.json - name: Checkout CGP Repo + become: true become_user: www-data ansible.builtin.git: repo: https://github.com/freifunk-berlin/CGP.git @@ -131,9 +132,9 @@ version: master - name: Copy CGP config - template: + ansible.builtin.template: dest: /srv/www/monitor.berlin.freifunk.net/cgp/conf/config.local.php src: config.local.php.j2 - mode: '0644' + mode: "0644" owner: www-data group: www-data diff --git a/roles/ff_monitor/templates/prometheus.j2 b/roles/ff_monitor/templates/prometheus.j2 index 873ac57..c6768bc 100644 --- a/roles/ff_monitor/templates/prometheus.j2 +++ b/roles/ff_monitor/templates/prometheus.j2 @@ -1,4 +1,4 @@ # {{ ansible_managed }} # Set the command-line arguments to pass to the server. -ARGS="--storage.tsdb.retention.size=70GB --enable-feature=memory-snapshot-on-shutdown --web.listen-address=127.0.0.1:9090" +ARGS="--storage.tsdb.retention.size=90GB --enable-feature=memory-snapshot-on-shutdown --web.listen-address=127.0.0.1:9090" diff --git a/roles/ff_wizard/defaults/main.yml b/roles/ff_wizard/defaults/main.yml index 9cae5d4..4b0c792 100644 --- a/roles/ff_wizard/defaults/main.yml +++ b/roles/ff_wizard/defaults/main.yml 
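Review bot: `Checkout CGP Repo` gains `become: true` but still checks out `version: master` (visible as context at the start of the following hunk), so each run deploys whatever the upstream branch head is at that moment, and a compromised or merely broken upstream commit lands on the monitor host with no review step. The tunneldigger role in this same diff pins its checkout to a commit (`version: c50ef46d78d797750979ebf2f8ddc5aa993a02ae`); do the same here, `version: <pinned commit or tag>`, and bump it deliberately. The same applies to `Checkout ff-wizard` in the roles/ff_wizard/tasks/main.yml hunk `@@ -40,54 +40,55 @@`, which also tracks `master`.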
@@ -1,5 +1,5 @@ --- ff_wizard_secret: changeme -ff_wizard_connectionstring: "postgresql://wizard:{{ ff_wizard_db_pass }}@127.0.0.1:5432/wizard" +ff_wizard_connectionstring: postgresql://wizard:{{ ff_wizard_db_pass }}@127.0.0.1:5432/wizard ff_wizard_db_pass: changeme ff_wizard_api_pass: changeme diff --git a/roles/ff_wizard/handlers/main.yml b/roles/ff_wizard/handlers/main.yml index 4ace7d3..39dbbf5 100644 --- a/roles/ff_wizard/handlers/main.yml +++ b/roles/ff_wizard/handlers/main.yml @@ -1,13 +1,13 @@ --- - name: Restart uwsgi - systemd: + ansible.builtin.systemd: daemon_reload: true name: uwsgi enabled: true state: restarted - name: Restart postfix - systemd: + ansible.builtin.systemd: daemon_reload: true name: uwsgi enabled: true diff --git a/roles/ff_wizard/tasks/main.yml b/roles/ff_wizard/tasks/main.yml index 55f33ee..1611afc 100644 --- a/roles/ff_wizard/tasks/main.yml +++ b/roles/ff_wizard/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install dependencies - apt: + ansible.builtin.apt: name: - libpq-dev - postfix 
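Review bot: The defaults around the reformatted `ff_wizard_connectionstring` ship `changeme` for `ff_wizard_secret`, `ff_wizard_db_pass` and `ff_wizard_api_pass`, so a host whose vault override is missing or mis-scoped is deployed with a known credential and the play reports success. Either leave these undefined in defaults so an unset value fails the template step, or add an `ansible.builtin.assert` in the role's tasks with `that: ff_wizard_db_pass != 'changeme'` (and the same for the other two) before any config is rendered. If the unquoted connection string is kept, note it is now a plain scalar that starts with `postgresql://` and contains the Jinja expression mid-value, which YAML accepts; only a value that begins with `{{` needs quoting.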
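Review bot: The `Restart postfix` handler in roles/ff_wizard/handlers/main.yml restarts the wrong unit: its `name:` is `uwsgi`, apparently copied from the handler above it, so `notify: Restart postfix` after `Copy postfix config` in roles/ff_wizard/tasks/main.yml restarts uwsgi and postfix keeps running with the old `main.cf` until something else restarts it. The commit only switches the module to `ansible.builtin.systemd` and leaves this in place; change the line to `name: postfix`.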
@@ -40,54 +40,55 @@ # roles: wizard - name: Copy postfix config - template: + ansible.builtin.template: dest: /etc/postfix/main.cf src: postfix_main.cf.j2 - mode: 0640 + mode: "0640" owner: root group: root notify: Restart postfix - name: Copy uwsgi app config - template: + ansible.builtin.template: dest: /etc/uwsgi/apps-enabled/ff-wizard.ini src: uwsgi-ff-wizard.ini.j2 - mode: 0640 + mode: "0640" owner: root group: root notify: Restart uwsgi - name: Create directories - file: + ansible.builtin.file: state: directory path: "{{ item }}" owner: www-data group: www-data - mode: 0750 + mode: "0750" with_items: - /var/www/nipap-wizard/ - /var/log/nipap-wizard/ - name: Checkout ff-wizard - become_user: "www-data" - git: - repo: 'https://github.com/freifunk-berlin/config.berlin.freifunk.net.git' + become: true + become_user: www-data + ansible.builtin.git: + repo: https://github.com/freifunk-berlin/config.berlin.freifunk.net.git version: master dest: /var/www/nipap-wizard force: true notify: Restart uwsgi - name: Copy ff-wizard config - template: + ansible.builtin.template: dest: /var/www/nipap-wizard/config.cfg src: wizard-config.cfg.j2 - mode: 0640 + mode: "0640" owner: www-data group: www-data notify: Restart uwsgi - name: Install nipap in venv - pip: + ansible.builtin.pip: requirements: /var/www/nipap-wizard/requirements.txt virtualenv: /var/www/nipap-wizard/env virtualenv_command: virtualenv --python=python3.7 @@ -95,10 +96,9 @@ notify: Restart uwsgi - name: Set owner of nipap dir - file: + ansible.builtin.file: state: directory path: /var/www/nipap-wizard/ owner: www-data group: www-data recurse: true -... diff --git a/roles/nipap/handlers/main.yml b/roles/nipap/handlers/main.yml index 545207b..6a2f9ed 100644 --- a/roles/nipap/handlers/main.yml +++ b/roles/nipap/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart nipapd - systemd: + ansible.builtin.systemd: daemon_reload: true name: nipapd enabled: true 
diff --git a/roles/nipap/tasks/main.yml b/roles/nipap/tasks/main.yml index 982dcf0..63a4959 100644 --- a/roles/nipap/tasks/main.yml +++ b/roles/nipap/tasks/main.yml @@ -10,7 +10,7 @@ state: present - name: Install dependencies - apt: + ansible.builtin.apt: name: - nipap-cli - nipap-common @@ -24,10 +24,10 @@ cache_valid_time: 3600 - name: Copy nipap config - template: + ansible.builtin.template: dest: /etc/nipap/nipap.conf src: nipap.conf.j2 - mode: 0640 + mode: "0640" owner: root group: root notify: Restart nipapd @@ -57,5 +57,3 @@ # privs: ALL # type: database # roles: nipap,wizard - -... diff --git a/roles/tunneldigger/handlers/main.yml b/roles/tunneldigger/handlers/main.yml index d3cf0d3..4766f62 100644 --- a/roles/tunneldigger/handlers/main.yml +++ b/roles/tunneldigger/handlers/main.yml @@ -13,7 +13,6 @@ enabled: true state: restarted - - name: Restart nftables ansible.builtin.systemd: daemon_reload: true diff --git a/roles/tunneldigger/tasks/main.yml b/roles/tunneldigger/tasks/main.yml index 702645a..a46250b 100644 --- a/roles/tunneldigger/tasks/main.yml +++ b/roles/tunneldigger/tasks/main.yml @@ -21,7 +21,7 @@ - name: Set nftables conf ansible.builtin.template: - src: "nftables.conf.j2" + src: nftables.conf.j2 dest: /etc/nftables.conf mode: "0644" owner: root @@ -33,14 +33,14 @@ - name: Checkout tunneldigger ansible.builtin.git: - repo: 'https://github.com/wlanslovenija/tunneldigger.git' + repo: https://github.com/wlanslovenija/tunneldigger.git version: c50ef46d78d797750979ebf2f8ddc5aa993a02ae dest: "{{ tunneldigger_path }}" force: true notify: Restart tunneldigger - name: Create tunneldigger venv - ansible.builtin.command: "/usr/bin/python3 -m venv {{ tunneldigger_path }}/env" + ansible.builtin.command: /usr/bin/python3 -m venv {{ tunneldigger_path }}/env args: creates: "{{ tunneldigger_path }}/env" notify: Restart tunneldigger 
@@ -48,13 +48,13 @@ - name: Install tunneldigger in venv ansible.builtin.shell: args: - cmd: "source {{ tunneldigger_path }}/env/bin/activate && cd {{ tunneldigger_path }}/broker && pip install --upgrade setuptools && python setup.py install" + cmd: source {{ tunneldigger_path }}/env/bin/activate && cd {{ tunneldigger_path }}/broker && pip install --upgrade setuptools && python setup.py install creates: "{{ tunneldigger_path }}/broker/dist/" executable: /bin/bash - name: Copy tunneldigger service file ansible.builtin.template: - src: "tunneldigger.service.j2" + src: tunneldigger.service.j2 dest: /etc/systemd/system/tunneldigger.service mode: "0644" owner: root @@ -63,14 +63,14 @@ - name: Copy tunneldigger configuration file ansible.builtin.template: - src: "l2tp_broker.cfg.j2" + src: l2tp_broker.cfg.j2 dest: "{{ tunneldigger_path }}/broker/l2tp_broker.cfg" mode: "0644" owner: root group: root notify: Restart tunneldigger -- name: "Copy tunneldigger scripts" +- name: Copy tunneldigger scripts ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -79,11 +79,11 @@ group: root notify: Restart tunneldigger loop: - - {src: 'ff.session.mtu-changed.sh.j2', dest: '{{ tunneldigger_path }}/broker/scripts/ff.session.mtu-changed.sh'} - - {src: 'ff.session.up.sh.j2', dest: '{{ tunneldigger_path }}/broker/scripts/ff.session.up.sh'} - - {src: 'dhcp-script.sh.j2', dest: '{{ tunneldigger_path }}/broker/scripts/dhcp-script.sh'} + - {src: ff.session.mtu-changed.sh.j2, dest: "{{ tunneldigger_path }}/broker/scripts/ff.session.mtu-changed.sh"} + - {src: ff.session.up.sh.j2, dest: "{{ tunneldigger_path }}/broker/scripts/ff.session.up.sh"} + - {src: dhcp-script.sh.j2, dest: "{{ tunneldigger_path }}/broker/scripts/dhcp-script.sh"} -- name: "Make sure the correct Kernel modules will load on boot" +- name: Make sure the correct Kernel modules will load on boot ansible.builtin.template: src: modules-tunneldigger.conf.j2 dest: /etc/modules-load.d/tunneldigger.conf 
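Review bot: In `Install tunneldigger in venv`, the shell command runs `pip install --upgrade setuptools` with no version constraint, so the build takes whatever setuptools release PyPI serves on the day the task first runs on a host (the `creates:` guard only skips it afterwards), and `python setup.py install` is deprecated in current setuptools releases. Pin it, e.g. `pip install 'setuptools==<pinned version>'`, so that two hosts provisioned on different days get the same build tooling. The tunneldigger source itself is already pinned to a commit in the previous hunk, so this is the remaining unpinned input to the broker install.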
@@ -92,9 +92,9 @@ group: root notify: Restart tunneldigger -- name: "Copy dnsmasq config" +- name: Copy dnsmasq config ansible.builtin.template: - src: "dnsmasq.conf.j2" + src: dnsmasq.conf.j2 dest: /etc/dnsmasq.conf mode: "0644" owner: root @@ -104,12 +104,12 @@ - name: Allow ipv4 forwarding ansible.posix.sysctl: name: net.ipv4.ip_forward - value: '1' + value: "1" sysctl_set: true - name: Copy prometheus node_exporter script for tunneldigger ansible.builtin.template: - src: "tunneldigger_exporter.sh.j2" + src: tunneldigger_exporter.sh.j2 dest: /opt/tunneldigger_exporter.sh mode: "0750" owner: root @@ -117,9 +117,9 @@ - name: Run Prometheus Exporter every minute ansible.builtin.cron: - name: "Prometheus tunneldigger exporter" + name: Prometheus tunneldigger exporter minute: "*" - job: "/opt/tunneldigger_exporter.sh" + job: /opt/tunneldigger_exporter.sh user: root - name: Set conntrack size @@ -128,5 +128,5 @@ line: options nf_conntrack hashsize=32768 owner: root group: root - mode: '0644' + mode: "0644" create: true