ansible/deploy.yml

258 lines
3.6 KiB
YAML

---
- name: mount rw
hosts:
- pikvm
become: true
pre_tasks:
- name: mount rw
command: /usr/local/bin/rw
- name: set-up eudev
hosts: suricata
become: true
roles:
- eudev
tags: eudev
- name: basic roles
hosts:
- caladan
- fugu
- narwhal
- snitch
- suricata
- pikvm
- kitchen
- lb
become: true
roles:
- repos
- basic
- name: cryptoraid
hosts:
- suricata
become: true
roles:
- cryptoraid
tags: raid
- name: mounts
hosts:
- suricata
- kitchen
become: true
roles:
- mounts
- name: nfs-server
hosts:
- suricata
become: true
roles:
- nfs-server
tags: nfs
- name: usercfg
hosts:
- suricata
become: true
roles:
- usercfg
- name: lbu.conf
hosts:
- suricata
- kitchen
become: true
roles:
- lbu_conf
tags: lbu_conf
- name: setup_apkcache
hosts:
- suricata
- kitchen
become: true
roles:
- apk_cache
- name: common roles
hosts:
- caladan
- fugu
- narwhal
- snitch
- suricata
- pikvm
- kitchen
- lb
become: true
roles:
- users
- sshd
vars:
users:
- ansible
- btrbk
- builder
- dags
- gopass
- rilla
- woodpecker
tags: common
- name: quality of life tools
hosts:
- caladan
- fugu
- narwhal
- suricata
- kitchen
- lb
become: true
roles:
- quality_of_life
- name: pi_fan_hwpwm
hosts:
- suricata
become: true
roles:
- pi_fan_hwpwm
- name: docker
hosts:
- caladan
- narwhal
become: true
roles:
- docker
- name: podman
hosts:
- suricata
become: true
roles:
- podman
tags: podman
- name: k3s
hosts:
- suricata
become: true
roles:
- k3s
tags: k3s
- name: wifi setup
hosts: snitch
become: true
roles:
- wifi
- name: btrbk
hosts:
- narwhal
- suricata
become: true
roles:
- btrbk
tags: btrbk
- name: caladan-specific things
hosts: caladan
become: true
roles:
- tinyproxy
- name: wireguard
hosts:
- caladan
- fugu
become: true
roles:
- wireguard
vars_files:
- 'vars/vault.yaml'
- name: notifiers
hosts:
- suricata
become: true
roles:
- notifiers
tags: notifiers
- name: set up NUT
hosts:
- narwhal
- pikvm
- suricata
become: true
roles:
- nut
tags: nut
- name: setup gopass
become: true
hosts:
- caladan
- fugu
- narwhal
# - pikvm
roles:
- gopass
- name: setup DAGs
become: true
hosts:
- pikvm
roles:
- dags
tags: dags
- name: set up pikvm's ssl certs
hosts:
- pikvm
become: true
vars:
domain: monotremata.xyz
- name: lbu commit
hosts:
- snitch
- suricata
become: true
tags: lbu
post_tasks:
- name: lbu commit
# I use the shell module instead of the lbu one because the lbu module
# doesn't seem to work with encryption
shell:
cmd: lbu commit
environment:
PASSWORD: '{{ lbu_password }}'
when: ansible_distribution == "Alpine" and alpine_mode in ["diskless", "data"]
- name: create lbu backups directory
file:
state: directory
path: /mnt/backups/lbu
# todo: use less hardcoding
- name: make a more permanent lbu backup
copy:
src: "/media/mmcblk0p2/{{ ansible_hostname }}.apkovl.tar.gz.aes-256-cbc"
dest: "/mnt/backups/lbu/{{ ansible_hostname }}.apkovl.tar.gz.aes-256-cbc.{{ ansible_date_time.iso8601 }}"
remote_src: true
- name: mount ro
hosts:
- pikvm
become: true
post_tasks:
- name: mount ro
command: /usr/local/bin/ro