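---
# Common baseline applied to every node: package hygiene, time sync,
# Docker, an interactive admin account and the cephadm service account.
# NOTE(review): every task below writes to /etc, /home or the package
# database, so the including play presumably runs with `become: true`
# — confirm against the playbook; none of the tasks set it themselves.

- name: COMMON | Systempakete aktualisieren und upgraden
  ansible.builtin.apt:
    update_cache: true
    upgrade: dist
    autoremove: true
    autoclean: true

# NOTE(review): docker-ce is not in the stock Debian/Ubuntu repositories;
# this list presumably relies on the Docker apt repository having been
# configured earlier — verify, otherwise the install fails on a fresh host.
- name: COMMON | Notwendige Pakete installieren
  ansible.builtin.apt:
    name:
      - ufw
      - fail2ban
      - unattended-upgrades
      - apt-listchanges
      - docker-ce
      - python3-pip
      - chrony
      - lvm2
      - cephadm
      - ceph-common
    state: present

# NOTE(review): Debian/Ubuntu ship the unit as chrony.service and expose
# `chronyd` only as an alias — confirm the name resolves on the target
# release before relying on it.
- name: COMMON | Chrony Dienst starten und aktivieren
  ansible.builtin.service:
    name: chronyd
    state: started
    enabled: true

- name: COMMON | Docker Dienst starten und aktivieren
  ansible.builtin.service:
    name: docker
    state: started
    enabled: true

# `password` must already be a crypt(3) hash (e.g. from the
# password_hash filter): the user module writes the value into
# /etc/shadow verbatim, so a plaintext value locks the account.
# NOTE(review): cannot tell from here whether admin_password is
# pre-hashed — confirm in the vars/vault file.
# Membership in `docker` is root-equivalent (the daemon socket can mount
# the host filesystem), so this account has two paths to root.
- name: COMMON | Einen dedizierten Admin-Benutzer erstellen
  ansible.builtin.user:
    name: "{{ admin_user }}"
    password: "{{ admin_password }}"
    shell: /bin/bash
    groups: sudo,docker
    append: true
    state: present

- name: COMMON | SSH-Schlüssel für den Admin-Benutzer einrichten
  ansible.posix.authorized_key:
    user: "{{ admin_user }}"
    key: "{{ item }}"
    state: present
  # `with_items` flattened one level; `flatten(levels=1)` keeps that
  # behaviour under the current `loop` keyword.
  loop: "{{ authorized_keys | flatten(levels=1) }}"

# Same hashing caveat as for the admin user applies to cephadm_password.
- name: COMMON | cephadm-Benutzer erstellen
  ansible.builtin.user:
    name: "cephadm"
    password: "{{ cephadm_password }}"
    shell: /bin/bash
    groups: sudo,docker
    append: true
    state: present

# Owner and mode are set explicitly: without them the directory is
# created with the connecting user's ownership and the default umask,
# which is not the 0700 layout sshd's StrictModes expects.
- name: COMMON | .ssh Verzeichnis für cephadm-Benutzer erstellen
  ansible.builtin.file:
    path: /home/cephadm/.ssh
    state: directory
    owner: cephadm
    group: cephadm
    mode: '0700'

# sudo ignores drop-in files that are not owned by root, so ownership is
# pinned rather than inherited from the connection user. The trailing
# newline avoids the "no newline at end of file" parse warning.
- name: COMMON | Passwortloses Sudo für cephadm-Benutzer erlauben
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/91-cephadm-nopasswd"
    content: "cephadm ALL=(ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: '0440'
    validate: 'visudo -cf %s'

# Only the first manager gets a key; the other hosts receive its public
# half in the distribution task below.
- name: COMMON | ed25519 SSH-Schlüssel für cephadm-Benutzer generieren (nur auf dem ersten Manager)
  community.crypto.openssh_keypair:
    path: /home/cephadm/.ssh/id_ed25519
    type: ed25519
    owner: cephadm
    group: cephadm
    mode: '0600'
  when: inventory_hostname == groups['managers'][0]

# `cephadm_ssh_pub_key` is only registered on the first manager; every
# other host reads it through hostvars in the next task, which is why the
# slurp must run (and succeed) on that host before the play continues.
- name: COMMON | Öffentlichen SSH-Schlüssel von cephadm abrufen
  ansible.builtin.slurp:
    src: /home/cephadm/.ssh/id_ed25519.pub
  register: cephadm_ssh_pub_key
  when: inventory_hostname == groups['managers'][0]

- name: COMMON | Öffentlichen SSH-Schlüssel von cephadm auf allen Knoten verteilen
  ansible.posix.authorized_key:
    user: cephadm
    key: "{{ hostvars[groups['managers'][0]]['cephadm_ssh_pub_key']['content'] | b64decode }}"
    state: present

- name: COMMON | Automatische Sicherheitsupdates konfigurieren
  ansible.builtin.copy:
    src: assets/50unattended-upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: '0644'

- name: COMMON | Periodische Auto-Updates aktivieren
  ansible.builtin.copy:
    src: assets/20auto-upgrades
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'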