chore: updated workflow for docker role
@ -26,5 +26,4 @@ jobs:
|
|||||||
echo "StrictHostKeyChecking no" >> ~/.ssh/config
|
echo "StrictHostKeyChecking no" >> ~/.ssh/config
|
||||||
echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > ~/.vault_password.txt
|
echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > ~/.vault_password.txt
|
||||||
echo "nameserver 10.10.10.1" > /etc/resolv.conf
|
echo "nameserver 10.10.10.1" > /etc/resolv.conf
|
||||||
ansible-galaxy install oefenweb.fail2ban
|
|
||||||
./.gitea/workflows/deploy.sh "${{ github.event.before }}" "${{ github.sha }}"
|
./.gitea/workflows/deploy.sh "${{ github.event.before }}" "${{ github.sha }}"
|
||||||
|
@ -5,6 +5,7 @@ if [ ! -z "$changed_tasks" ]; then
|
|||||||
tag=$(echo "$task" | awk -F/ '{print $2}')
|
tag=$(echo "$task" | awk -F/ '{print $2}')
|
||||||
if [[ "$tag" != "deploy-homelab.yml" && "$tag" != "main.yml" && "$tag" != "all.yml" && "$tag" != "all.example.yml" && "$tag" != "ISSUE_TEMPLATE" && "$tag" != "workflows" ]] ; then
|
if [[ "$tag" != "deploy-homelab.yml" && "$tag" != "main.yml" && "$tag" != "all.yml" && "$tag" != "all.example.yml" && "$tag" != "ISSUE_TEMPLATE" && "$tag" != "workflows" ]] ; then
|
||||||
tag=${tag%.*}_install
|
tag=${tag%.*}_install
|
||||||
|
ansible-galaxy install -r requirements.yml
|
||||||
ansible-playbook main.yml --tags "$tag" --vault-password-file ~/.vault_password.txt
|
ansible-playbook main.yml --tags "$tag" --vault-password-file ~/.vault_password.txt
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
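Review bot: The new `ansible-galaxy install -r requirements.yml` sits inside the per-task loop, so it is re-run once for every changed task rather than once per deploy; the enclosing `for` loop and the `if [ ! -z "$changed_tasks" ]` block begin above this hunk, so the install belongs just before the loop. It also has no failure handling, and unless the script sets `set -e` (not visible in this hunk) a failed or partial download is followed straight by `ansible-playbook` against whatever roles are on disk: `ansible-galaxy install -r requirements.yml || { echo "role install failed" >&2; exit 1; }`. Because requirements.yml tracks branch heads rather than pinned versions, this line also silently pulls whatever upstream currently has on each run.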
13
hosts
13
hosts
@ -16,10 +16,11 @@ vps01.comprofix.com
|
|||||||
[jellyfin]
|
[jellyfin]
|
||||||
jellyfin.comprofix.xyz
|
jellyfin.comprofix.xyz
|
||||||
|
|
||||||
[base]
|
[servers:children]
|
||||||
vps01.comprofix.com
|
base
|
||||||
vps02.comprofix.com
|
jellyfin
|
||||||
omada-lxc.comprofix.xyz
|
vps
|
||||||
jellyfin.comprofix.xyz
|
omada
|
||||||
|
docker
|
||||||
|
cloud
|
||||||
|
|
||||||
|
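Review bot: `[servers:children]` lists `base` as a child group, but this hunk turns the old `[base]` header into `[servers:children]` itself, so unless `[base]` is still defined elsewhere in the file the INI inventory plugin rejects the inventory with an undefined-group error and every deploy fails; either re-add a `[base]` group holding the hosts removed here (vps01.comprofix.com, vps02.comprofix.com, omada-lxc.comprofix.xyz) or drop `base` from the children list. Note also that the new parent group makes the docker and fail2ban roles of the `servers` play apply to every child, including `jellyfin`, which previously carried neither.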
89
main.yml
89
main.yml
@ -1,28 +1,56 @@
|
|||||||
---
|
---
|
||||||
- hosts: base
|
- name: Prepare all servers
|
||||||
name: Configure all servers
|
hosts: servers
|
||||||
become: yes
|
become: true
|
||||||
gather_facts: yes
|
vars_files:
|
||||||
|
- group_vars/all_secrets.yml
|
||||||
|
|
||||||
|
pre_tasks:
|
||||||
|
- name: Create directories
|
||||||
|
file:
|
||||||
|
path: "/data"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Setup base system
|
||||||
|
import_tasks: tasks/base.yml
|
||||||
|
tags: base_setup
|
||||||
roles:
|
roles:
|
||||||
- role: base
|
- role: geerlingguy.docker
|
||||||
tags: base_install
|
docker_users:
|
||||||
|
- administrator
|
||||||
|
- role: grzegorzfranus.fail2ban
|
||||||
|
vars:
|
||||||
|
fail2ban_ignoreip:
|
||||||
|
- 127.0.0.1/8 # loopback
|
||||||
|
- 10.0.0.0/8 # Private
|
||||||
|
- 172.16.0.0/12 # Private
|
||||||
|
- 192.168.0.0/16 # Private
|
||||||
|
- 169.254.0.0/16 # link-local / APIPA
|
||||||
|
- 100.64.0.0/10 # CGNAT
|
||||||
|
- 203.0.113.0/24 # TEST-NETs
|
||||||
|
- 192.0.2.0/24 # TEST-NETs
|
||||||
|
- 198.51.100.0/24 # TEST-NETs
|
||||||
|
- ::1 # ULA - fc00::/7 # Private
|
||||||
|
- fe80::/10 # Private
|
||||||
|
fail2ban_bantime: "1h"
|
||||||
|
fail2ban_findtime: "30m"
|
||||||
|
fail2ban_maxretry: 3
|
||||||
|
fail2ban_custom_jail_files:
|
||||||
|
- name: sshd-strict # This will create /etc/fail2ban/jail.d/sshd-strict.conf
|
||||||
|
content: |
|
||||||
|
[sshd-strict]
|
||||||
|
enabled = true
|
||||||
|
filter = sshd
|
||||||
|
port = ssh
|
||||||
|
logpath = journal
|
||||||
|
backend = systemd
|
||||||
|
maxretry = 3
|
||||||
|
bantime = 3600
|
||||||
|
findtime = 300
|
||||||
|
|
||||||
- hosts: cloud
|
- hosts: cloud
|
||||||
become: yes
|
become: yes
|
||||||
roles:
|
roles:
|
||||||
- role: oefenweb.fail2ban
|
|
||||||
vars:
|
|
||||||
fail2ban_services:
|
|
||||||
- name: sshd
|
|
||||||
port: 22
|
|
||||||
maxretry: 3
|
|
||||||
bantime: -1
|
|
||||||
tags: fail2ban
|
|
||||||
|
|
||||||
- role: docker
|
|
||||||
tags: docker_install
|
|
||||||
|
|
||||||
- name: traefik
|
- name: traefik
|
||||||
vars:
|
vars:
|
||||||
traefik_host: traefik01.comprofix.com
|
traefik_host: traefik01.comprofix.com
|
||||||
@ -53,17 +81,6 @@
|
|||||||
tags: iscsi_connect
|
tags: iscsi_connect
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- role: oefenweb.fail2ban
|
|
||||||
vars:
|
|
||||||
fail2ban_services:
|
|
||||||
- name: sshd
|
|
||||||
port: 22
|
|
||||||
maxretry: 3
|
|
||||||
bantime: -1
|
|
||||||
tags: fail2ban
|
|
||||||
|
|
||||||
- role: docker
|
|
||||||
tags: docker_install
|
|
||||||
- role: nfs
|
- role: nfs
|
||||||
mounts:
|
mounts:
|
||||||
- name: Data share
|
- name: Data share
|
||||||
@ -157,21 +174,7 @@
|
|||||||
|
|
||||||
- hosts: omada
|
- hosts: omada
|
||||||
become: yes
|
become: yes
|
||||||
pre_tasks:
|
|
||||||
- name: Run base role to update packages
|
|
||||||
import_role:
|
|
||||||
name: base
|
|
||||||
tags: base_install
|
|
||||||
|
|
||||||
- name: Create directories
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- "/data"
|
|
||||||
roles:
|
roles:
|
||||||
- role: docker
|
|
||||||
tags: docker_install
|
|
||||||
- role: nfs
|
- role: nfs
|
||||||
mounts:
|
mounts:
|
||||||
- name: Data share
|
- name: Data share
|
||||||
|
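Review bot: `tags: base_setup` on the imported tasks/base.yml no longer matches the tag deploy.sh derives for that file — it computes `${tag%.*}_install`, i.e. `base_install`, the very tag this commit removes from the omada play — so a push touching only tasks/base.yml runs the playbook with a tag that selects nothing; keep `tags: base_install` or use `tags: [base_setup, base_install]`, and the same concern applies to the removed `docker_install` tag now that geerlingguy.docker carries no tag. In `fail2ban_ignoreip` the entry `- ::1 # ULA - fc00::/7 # Private` has the ULA prefix swallowed by the comment, so only IPv6 loopback is ignored while the comment claims ULA; split it into `- ::1  # IPv6 loopback` and, only if genuinely intended, `- fc00::/7  # ULA (private)`. The list also whitelists every RFC 1918 range plus CGNAT 100.64.0.0/10, so SSH brute force from any LAN, VPN or CGNAT peer is never banned, while the ban itself drops from the previous permanent `bantime: -1` to 1h and the custom jail's `findtime = 300` disagrees with the role-level `fail2ban_findtime: "30m"`; the TEST-NET entries are unroutable and add nothing. Adding `administrator` to `docker_users` on every host in `servers` grants root-equivalent access via the Docker socket on machines that previously had no Docker role, which deserves a comment such as `# docker group membership is root-equivalent; keep this list minimal`. The first hunk ends inside the `cloud` play, whose remaining tasks continue outside the hunk.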
7
requirements.yml
Normal file
7
requirements.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
roles:
|
||||||
|
- name: grzegorzfranus.fail2ban
|
||||||
|
src: git+https://github.com/grzegorzfranus/ansible-role-fail2ban
|
||||||
|
version: main
|
||||||
|
- name: geerlingguy.docker
|
||||||
|
src: git+https://github.com/geerlingguy/ansible-role-docker
|
||||||
|
version: master
|