|
@@ -4,76 +4,119 @@ title: Ansible ff@home aufsetzen
|
|
toc: yes
|
|
toc: yes
|
|
...
|
|
...
|
|
|
|
|
|
|
|
+
|
|
|
|
+
|
|
# Software
|
|
# Software
|
|
- Debian 12 (bookworm) oder Ubuntu 22.04
|
|
- Debian 12 (bookworm) oder Ubuntu 22.04
|
|
- python3 und ansible
|
|
- python3 und ansible
|
|
|
|
|
|
-***** Es empfiehlt sich, eine python virtuelle Umgebung zu verwenden *****
|
|
|
|
-Die folgenden Pakete installieren:
|
|
|
|
|
|
+ ***** Es empfiehlt sich, eine python virtuelle Umgebung zu verwenden *****
|
|
|
|
+ Die folgenden Pakete installieren:
|
|
|
|
|
|
- sudo apt install python3-pip python3-venv
|
|
|
|
|
|
+ sudo apt install python3-pip python3-venv
|
|
|
|
|
|
-Dazu in das Basisverzeichnis gehen (bei mir /datadisk), dann die virtuelle Umgebung anlegen
|
|
|
|
|
|
+Dann in das Basisverzeichnis gehen (bei mir /datadisk) und die virtuelle Umgebung anlegen
|
|
|
|
+
|
|
|
|
+ python3 -m venv ffhome
|
|
|
|
+
|
|
|
|
+In dem Verzeichnis ffhome die Umgebung aktivieren
|
|
|
|
|
|
- python3 -m venv ffhome
|
|
|
|
-In das Verzeichnis ffhome wechseln und die Umgebung aktivieren
|
|
|
|
-source (oder.) bin/activate
|
|
|
|
-
|
|
|
|
- cd /datadisk/ffhome
|
|
|
|
source bin/activate
|
|
source bin/activate
|
|
|
|
|
|
-Dadurch ändert sich der prompt:
|
|
|
|
-(ffhome) 18:16:41[frankb@berglap /datadisk/ffhome 0]
|
|
|
|
|
|
|
|
-Zum Verlassen der Umgebung:
|
|
|
|
-deactivate oder Terminal Fenster schliessen
|
|
|
|
|
|
+Dadurch ändert sich der prompt:
|
|
|
|
+
|
|
|
|
+ (ffhome) 18:16:41[frankb@berglap /datadisk/ffhome 0]
|
|
|
|
|
|
-Jetzt kann ansible in der ffhome Umgebung installiert werden:
|
|
|
|
|
|
+Zum Verlassen der Umgebung:
|
|
|
|
+deactivate oder Terminal Fenster schliessen
|
|
|
|
|
|
|
|
+Jetzt kann ansible in der ffhome Umgebung installiert werden:
|
|
pip3 install ansible
|
|
pip3 install ansible
|
|
|
|
|
|
|
|
|
|
-18:11:20[frankb@berglap /datadisk/ffhome 0]
|
|
|
|
-
|
|
|
|
-Die Verzeichnistruktur der Testumgebung
|
|
|
|
-tree -L 4
|
|
|
|
- .
|
|
|
|
- ├── ansible.cfg
|
|
|
|
- ├── bin
|
|
|
|
- │ ├── activate
|
|
|
|
- │ ├── activate.csh
|
|
|
|
- │ ├── activate.fish
|
|
|
|
- │ ├── Activate.ps1
|
|
|
|
- │ ├── ansible
|
|
|
|
- │ ├── ansible-community
|
|
|
|
- ...
|
|
|
|
- │ └── yamllint
|
|
|
|
- ├── include
|
|
|
|
- ├── inventory
|
|
|
|
- │ ├── hosts.yaml
|
|
|
|
- │ └── host_vars
|
|
|
|
- │ ├── bergdesk
|
|
|
|
- │ │ ├── vars
|
|
|
|
- │ │ └── vault
|
|
|
|
- │ ├── berghofen
|
|
|
|
- │ │ ├── vars
|
|
|
|
- │ │ └── vault
|
|
|
|
- │ ├── berglap
|
|
|
|
- │ │ ├── vars
|
|
|
|
- │ │ └── vault
|
|
|
|
- │ └── luna
|
|
|
|
- │ ├── vars
|
|
|
|
- │ └── vault
|
|
|
|
- ├── lib
|
|
|
|
- │ └── python3.10
|
|
|
|
- ├── lib64 -> lib
|
|
|
|
- ...
|
|
|
|
- ├── playbooks
|
|
|
|
- │ └── update.yaml
|
|
|
|
- └── pyvenv.cfg
|
|
|
|
|
|
+18:11:20[frankb@berglap /datadisk/ffhome 0]
|
|
|
|
+Die Verzeichnistruktur der Testumgebung
|
|
|
|
+
|
|
|
|
+ tree -L 4 /datadisk/ffhome
|
|
|
|
+ /datadisk/ffhome
|
|
|
|
+ ├── ansible.cfg
|
|
|
|
+ ├── bin
|
|
|
|
+ │ ├── activate
|
|
|
|
+ │ ├── activate.csh
|
|
|
|
+ │ ├── activate.fish
|
|
|
|
+ │ ├── Activate.ps1
|
|
|
|
+ │ ├── ansible
|
|
|
|
+ │ ├── ansible-community
|
|
|
|
+ ...
|
|
|
|
+ │ └── yamllint
|
|
|
|
+ ├── include
|
|
|
|
+ ├── inventory
|
|
|
|
+ │ ├── hosts.yaml
|
|
|
|
+ │ └── host_vars
|
|
|
|
+ | │ ├── bergdesk
|
|
|
|
+ │ │ │ ├── vars
|
|
|
|
+ │ │ │ ├── vars.01.bak
|
|
|
|
+ │ │ │ ├── vars.02.bak
|
|
|
|
+ │ │ │ └── vault
|
|
|
|
+ │ │ ├── berghofen
|
|
|
|
+ │ │ │ ├── vars
|
|
|
|
+ │ │ │ ├── vars.01.bak
|
|
|
|
+ │ │ │ ├── vars.bak
|
|
|
|
+ │ │ │ └── vault
|
|
|
|
+ │ │ ├── berglap
|
|
|
|
+ │ │ │ ├── vars
|
|
|
|
+ │ │ │ ├── vars.01.bak
|
|
|
|
+ │ │ │ ├── vars.bak
|
|
|
|
+ │ │ │ └── vault
|
|
|
|
+ │ │ └── luna
|
|
|
|
+ │ │ ├── vars
|
|
|
|
+ │ │ └── vault
|
|
|
|
+ │ └── resources
|
|
|
|
+ │ └── host
|
|
|
|
+ │ └── bergdesk
|
|
|
|
+ ├── lib
|
|
|
|
+ │ └── python3.10
|
|
|
|
+ ├── lib64 -> lib
|
|
|
|
+ ...
|
|
|
|
+ ├── playbooks
|
|
|
|
+ │ ├── resources
|
|
|
|
+ │ │ └── host
|
|
|
|
+ │ │ ├── tincbergdesk.gz
|
|
|
|
+ │ │ └── tincberghofen.gz
|
|
|
|
+ │ ├── templates
|
|
|
|
+ │ │ ├── tinc-up.lan.j2
|
|
|
|
+ │ │ └── tinc-up.wan.j2
|
|
|
|
+ │ ├── tincbuild.yaml
|
|
|
|
+ │ └── update.yaml
|
|
|
|
+ └── pyvenv.cfg
|
|
|
|
|
|
Bei den ... sind Zeilen der Übersichtlichkeit halber weggelassen.
|
|
Bei den ... sind Zeilen der Übersichtlichkeit halber weggelassen.
|
|
|
|
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+Die verwendete ansible.cfg:
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ [defaults]
|
|
|
|
+ inventory=./inventory/
|
|
|
|
+ roles_path=./roles
|
|
|
|
+ playbook_dir=./playbooks/
|
|
|
|
+ interpreter_python=auto_silent
|
|
|
|
+ #vault_password_file=~/.vault-password
|
|
|
|
+ log_path=/tmp/ansible_ffhome.log
|
|
|
|
+ cow_selection=random
|
|
|
|
+ nocows=True
|
|
|
|
+ stdout_callback=yaml
|
|
|
|
+ display_args_to_stdout=True
|
|
|
|
+
|
|
|
|
+ [privilege_escalation]
|
|
|
|
+ become=True
|
|
|
|
+
|
|
|
|
+ [ssh_connection]
|
|
|
|
+ pipelining=True
|
|
|
|
+
|
|
|
|
+
|
|
Datei mit den beteiligten Hosts inventory/hosts.yaml
|
|
Datei mit den beteiligten Hosts inventory/hosts.yaml
|
|
|
|
|
|
---
|
|
---
|
|
@@ -123,16 +166,26 @@ Datei mit den beteiligten Hosts inventory/hosts.yaml
|
|
Die Gruppen apus und desktops enthalten die testhosts, die Gruppen altlast und supernodes sind nicht komplett einbezogen.
|
|
Die Gruppen apus und desktops enthalten die testhosts, die Gruppen altlast und supernodes sind nicht komplett einbezogen.
|
|
|
|
|
|
|
|
|
|
-Im Verzeichnis inventory/host_vars sind Variablen für die einzelnen hosts, also hier die passwords, in vars unverschlüsselt, in vault aes256 geschützt. Beispielhaft mal für bergdesk
|
|
|
|
|
|
+Im Verzeichnis inventory/host_vars sind Variablen für die einzelnen hosts, u.a. die passwords, in vars unverschlüsselt, in vault aes256 geschützt. Weiter sind Parameter für tinc enthalten, nur in vars, unverschlüsselt..
|
|
|
|
+Beispielhaft für berghofen
|
|
|
|
+
|
|
|
|
+berghofen/vars
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ ---
|
|
|
|
+ berghofen_password: "{{ vault_berghofen_password }}"
|
|
|
|
+ tinc_bindto: 192.168.178.51
|
|
|
|
+ wan_broadcast_ip: 193.43.220.191
|
|
|
|
+ wan_ip: 193.43.220.162/27
|
|
|
|
+
|
|
|
|
+ lan_broadcast_ip: 192.168.34.255
|
|
|
|
+ lan_ip: 192.168.34.1/24
|
|
|
|
|
|
-bergdesk/vars
|
|
|
|
|
|
|
|
- ---
|
|
|
|
- bergdesk_password: "{{ vault_bergdesk_password }}"
|
|
|
|
|
|
+berghofen/vault
|
|
|
|
|
|
-bergdesk/vault
|
|
|
|
|
|
|
|
- $ANSIBLE_VAULT;1.2;AES256;xx
|
|
|
|
|
|
+ $ANSIBLE_VAULT;1.2;AES256;xx
|
|
35656536383233636434636533613830303439316263636436363932333636626462616461636537
|
|
35656536383233636434636533613830303439316263636436363932333636626462616461636537
|
|
3838626266396332363236643361626134393238636133640a646333333866643161356333626564
|
|
3838626266396332363236643361626134393238636133640a646333333866643161356333626564
|
|
32373735343033633666353763376230646137663639373438393537663031643562376365396337
|
|
32373735343033633666353763376230646137663639373438393537663031643562376365396337
|
|
@@ -140,27 +193,38 @@ bergdesk/vault
|
|
30613139313661643932373239333865616338653132613530393161656466326561633537383535
|
|
30613139313661643932373239333865616338653132613530393161656466326561633537383535
|
|
3631356664643139383037636565346630643036353364333866
|
|
3631356664643139383037636565346630643036353364333866
|
|
|
|
|
|
-Zur Erzeugung der Verschlüsselung in der vault Datei
|
|
|
|
|
|
+In der vault Datei (hier Klartext)
|
|
|
|
|
|
---
|
|
---
|
|
- vault_bergdesk_password: hier das echte PW eintragen
|
|
|
|
|
|
+ vault_berghofen_password: hier das echte PW eintragen
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+dann die vault Datei verschlüsseln mit
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ ansible-vault encrypt vault --vault-id xxxxx@prompt
|
|
|
|
|
|
-dann mit
|
|
|
|
-
|
|
|
|
- ansible-vault encrypt vault --vault-id xx@prompt
|
|
|
|
|
|
|
|
-die verschlüsselte vault datei erzeugen.
|
|
|
|
-Anzeigen kann man die Datei mit
|
|
|
|
|
|
+anzeigen kann man die Datei mit
|
|
|
|
+
|
|
|
|
|
|
ansible-vault view vault
|
|
ansible-vault view vault
|
|
|
|
|
|
-und entschlüsseln mit
|
|
|
|
|
|
+
|
|
|
|
+und wieder entschlüsseln mit
|
|
|
|
+
|
|
|
|
|
|
ansible-vault decrypt vault
|
|
ansible-vault decrypt vault
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-playbooks/update.yaml
|
|
|
|
|
|
+
|
|
|
|
+Es gibt z.Zt. zwei playbooks: update.yaml und tincbuild.yaml
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+playbooks/update.yaml
|
|
|
|
+
|
|
|
|
+
|
|
|
|
|
|
---
|
|
---
|
|
# name: update yaml
|
|
# name: update yaml
|
|
@@ -185,6 +249,27 @@ playbooks/update.yaml
|
|
# - name: Warte auf enter Taste
|
|
# - name: Warte auf enter Taste
|
|
# ansible.builtin.pause:
|
|
# ansible.builtin.pause:
|
|
|
|
|
|
|
|
+ - name: Ist flatpak installiert
|
|
|
|
+ stat:
|
|
|
|
+ path: /usr/bin/flatpak
|
|
|
|
+ register: flatpak_file
|
|
|
|
+ when: ansible_os_family == "Debian"
|
|
|
|
+
|
|
|
|
+ - name: Update flatpak Pakete falls snap vh
|
|
|
|
+ command: /usr/bin/flatpak update
|
|
|
|
+ when: ansible_os_family == "Debian" and flatpak_file.stat.exists
|
|
|
|
+
|
|
|
|
+ - name: Ist snap installiert
|
|
|
|
+ stat:
|
|
|
|
+ path: /usr/bin/snap
|
|
|
|
+ register: snap_file
|
|
|
|
+ when: ansible_os_family == "Debian"
|
|
|
|
+
|
|
|
|
+ - name: Update snap Pakete falls snap vh
|
|
|
|
+ command: /usr/bin/snap refresh
|
|
|
|
+ when: ansible_os_family == "Debian" and snap_file.stat.exists
|
|
|
|
+
|
|
|
|
+
|
|
- name: apt update mit upgrade und autoremove
|
|
- name: apt update mit upgrade und autoremove
|
|
ansible.builtin.apt:
|
|
ansible.builtin.apt:
|
|
update_cache: yes
|
|
update_cache: yes
|
|
@@ -200,85 +285,291 @@ playbooks/update.yaml
|
|
- name: reboot falls erforderlich
|
|
- name: reboot falls erforderlich
|
|
ansible.builtin.reboot:
|
|
ansible.builtin.reboot:
|
|
when:
|
|
when:
|
|
- - needrestart_file.stat.exists == True
|
|
|
|
|
|
+ - ansible_os_family == "Debian" and
|
|
|
|
+ ( needrestart_file.stat.exists or
|
|
|
|
+ rebootreq_file.stat.exists
|
|
|
|
+ )
|
|
|
|
+
|
|
|
|
+ - name: playbook hier beenden bei ! debian
|
|
|
|
+ meta: end_play
|
|
|
|
+ when: ansible_os_family != "Debian"
|
|
|
|
|
|
|
|
|
|
-Ausgabe von playbook update.yaml (die letzten beiden tasks stat und reboot sind nicht in der Ausgabe, weil sie später hinzugefügt wurden)
|
|
|
|
|
|
|
|
-luna ist ausgeschaltet und nicht erreichbar.
|
|
|
|
|
|
+playbooks/tincbuild.yaml
|
|
|
|
|
|
-(ffhome) 20:55:59[frankb@berglap /datadisk/ffhome 0]
|
|
|
|
- ansible-playbook -b playbooks/update.yaml -i inventory/hosts.yaml --ask-vault-pass
|
|
|
|
- Vault password:
|
|
|
|
|
|
|
|
-PLAY [desktops,apus,altlast] ***************************************************************
|
|
|
|
-
|
|
|
|
-TASK [Gathering Facts] *********************************************************************
|
|
|
|
-[WARNING]: Platform linux on host berglap is using the discovered Python interpreter at
|
|
|
|
-/usr/bin/python3.10, but future installation of another Python interpreter could change the
|
|
|
|
-meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
-core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
-ok: [berglap]
|
|
|
|
-\n[WARNING]: Platform linux on host bergdesk is using the discovered Python interpreter at
|
|
|
|
-/usr/bin/python3.11, but future installation of another Python interpreter could change the
|
|
|
|
-meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
-core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
-ok: [bergdesk]
|
|
|
|
-fatal: [luna]: UNREACHABLE! => changed=false
|
|
|
|
- msg: 'Failed to connect to the host via ssh: ssh: connect to host 192.168.178.224 port 24: No route to host'
|
|
|
|
- \n unreachable: true
|
|
|
|
-[WARNING]: Platform linux on host berghofen is using the discovered Python interpreter at
|
|
|
|
-/usr/bin/python3.11, but future installation of another Python interpreter could change the
|
|
|
|
-meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
-core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
-ok: [berghofen]
|
|
|
|
-\n[WARNING]: Platform freebsd on host hoerde is using the discovered Python interpreter at
|
|
|
|
-/usr/local/bin/python3.9, but future installation of another Python interpreter could
|
|
|
|
-change the meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
-core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
-ok: [hoerde]
|
|
|
|
-
|
|
|
|
-TASK [Testausgabe] *************************************************************************
|
|
|
|
-ok: [bergdesk] =>
|
|
|
|
- msg: Hallo von bergdesk Ansible managed!
|
|
|
|
-ok: [berglap] =>
|
|
|
|
- msg: Hallo von berglap Ansible managed!
|
|
|
|
-ok: [berghofen] =>
|
|
|
|
- msg: Hallo von berghofen Ansible managed!
|
|
|
|
-ok: [hoerde] =>
|
|
|
|
- msg: Hallo von hoerde Ansible managed!
|
|
|
|
-
|
|
|
|
-TASK [df -h Aufruf] ************************************************************************
|
|
|
|
-ok: [berglap]
|
|
|
|
-ok: [bergdesk]
|
|
|
|
-ok: [berghofen]
|
|
|
|
-ok: [hoerde]
|
|
|
|
-
|
|
|
|
-TASK [debug] *******************************************************************************
|
|
|
|
-ok: [bergdesk] =>
|
|
|
|
- msg: '[''Dateisystem Größe Benutzt Verf. Verw% Eingehängt auf'', ''/dev/sdb1 439G 98G 319G 24% /''] Debian'
|
|
|
|
-ok: [berglap] =>
|
|
|
|
- msg: '[''Dateisystem Größe Benutzt Verf. Verw% Eingehängt auf'', ''/dev/mapper/system-root 444G 298G 124G 71% /''] Ubuntu'
|
|
|
|
-ok: [berghofen] =>
|
|
|
|
- msg: '[''Dateisystem Größe Benutzt Verf. Verw% Eingehängt auf'', ''/dev/sda6 18G 5,1G 12G 30% /''] Debian'
|
|
|
|
-ok: [hoerde] =>
|
|
|
|
- msg: '[''Filesystem Size Used Avail Capacity Mounted on'', ''s3pool25/jail/hoerde.ffdo.net 3.9G 891M 3.0G 22% /''] FreeBSD'
|
|
|
|
-
|
|
|
|
-TASK [ping meine hosts] ********************************************************************
|
|
|
|
-ok: [berglap]
|
|
|
|
-ok: [bergdesk]
|
|
|
|
-ok: [berghofen]
|
|
|
|
-ok: [hoerde]
|
|
|
|
-
|
|
|
|
-TASK [apt update mit upgrade und autoremove] ***********************************************
|
|
|
|
-skipping: [hoerde]
|
|
|
|
-ok: [bergdesk]
|
|
|
|
-ok: [berglap]
|
|
|
|
-ok: [berghofen]
|
|
|
|
-
|
|
|
|
-PLAY RECAP *********************************************************************************
|
|
|
|
-bergdesk : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
-berghofen : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
-berglap : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
-hoerde : ok=5 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
|
|
|
|
-luna : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
|
|
+ ---
|
|
|
|
+ # name: tincbuild yaml
|
|
|
|
+ - hosts: [desktops, apus, altlast]
|
|
|
|
+ vars:
|
|
|
|
+ TINC_VERSION: 1.1pre18
|
|
|
|
+ tinc_dev: /dev/net/tun
|
|
|
|
+ tinc_mode: switch
|
|
|
|
+ tinc_adr_family: ipv4
|
|
|
|
+ tinc_max_timeout: 30
|
|
|
|
+
|
|
|
|
+ tinc_port:
|
|
|
|
+ lan: 10001
|
|
|
|
+ wan: 661
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ tasks:
|
|
|
|
+
|
|
|
|
+ # - name: Show facts available on the system
|
|
|
|
+ # ansible.builtin.debug:
|
|
|
|
+ # var: ansible_facts
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ # das folgende klappt leider nicht {{tinc_port.{{ item }}}} syntaxfehler
|
|
|
|
+ # geschachtelte variablen gehen nicht.
|
|
|
|
+ # - name: willi
|
|
|
|
+ # debug: msg="var {{ tinc_port.{{lan}}}}"
|
|
|
|
+
|
|
|
|
+ - name: Testausgabe
|
|
|
|
+ debug: msg="Hallo von {{ ansible_hostname }} Ansible managed!"
|
|
|
|
+
|
|
|
|
+ - name: df -h Aufruf
|
|
|
|
+ command: df -h /
|
|
|
|
+ changed_when: false
|
|
|
|
+ register: df_cmd
|
|
|
|
+
|
|
|
|
+ - debug:
|
|
|
|
+ msg: '{{df_cmd.stdout_lines}} {{ansible_distribution }}'
|
|
|
|
+
|
|
|
|
+ # - name: ping meine hosts
|
|
|
|
+ # ansible.builtin.ping:
|
|
|
|
+ # changed_when: false
|
|
|
|
+
|
|
|
|
+ # - name: Warte auf enter Taste
|
|
|
|
+ # ansible.builtin.pause:
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ - name: playbook hier beenden bei ! debian
|
|
|
|
+ meta: end_play
|
|
|
|
+ when: ansible_os_family != "Debian"
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ - name: Ist tinc Konfigurationsverzeichnis vorhanden
|
|
|
|
+ stat:
|
|
|
|
+ path: /etc/tinc
|
|
|
|
+ register: tinckonf
|
|
|
|
+
|
|
|
|
+ - name: Gibt es Sicherung von tinc Konfiguration
|
|
|
|
+ # ueberlebt keinen reboot
|
|
|
|
+ stat:
|
|
|
|
+ path: /tmp/tinc{{ ansible_hostname }}.gz
|
|
|
|
+ register: tincgz
|
|
|
|
+
|
|
|
|
+ - name: Konfiguration packen wenn noetig
|
|
|
|
+ community.general.archive:
|
|
|
|
+ path: /etc/tinc
|
|
|
|
+ dest: /tmp/tinc{{ ansible_hostname }}.gz
|
|
|
|
+ when: tinckonf.stat.exists
|
|
|
|
+
|
|
|
|
+ - name: Gesicherte Konfiguration auf Controlnode kopieren
|
|
|
|
+ ansible.builtin.fetch:
|
|
|
|
+ src: /tmp/tinc{{ ansible_hostname }}.gz
|
|
|
|
+ dest: resources/host/
|
|
|
|
+ flat: true
|
|
|
|
+ when: tinckonf.stat.exists
|
|
|
|
+
|
|
|
|
+ # - name: Gesicherte Konfiguration auf targetnode loeschen
|
|
|
|
+ # file:
|
|
|
|
+ # name: /tmp/tinc{{ ansible_hostname }}.gz
|
|
|
|
+ # state: absent
|
|
|
|
+ # when: tincgz.stat.exists
|
|
|
|
+
|
|
|
|
+ - name: Abhängigkeiten fuer tinc installieren
|
|
|
|
+ apt:
|
|
|
|
+ pkg: "{{ item }}"
|
|
|
|
+ state: present
|
|
|
|
+ with_items:
|
|
|
|
+ - build-essential
|
|
|
|
+ - libncurses-dev
|
|
|
|
+ - libreadline-dev
|
|
|
|
+ - pkg-config
|
|
|
|
+ - zlib1g-dev
|
|
|
|
+ - liblzo2-dev
|
|
|
|
+ - libssl-dev
|
|
|
|
+ - texinfo
|
|
|
|
+
|
|
|
|
+ - name: create directory for tinc
|
|
|
|
+ file:
|
|
|
|
+ name: /opt/tinc
|
|
|
|
+ state: directory
|
|
|
|
+
|
|
|
|
+ - name: Download tinc source
|
|
|
|
+ get_url:
|
|
|
|
+ url: "https://www.tinc-vpn.org/packages/tinc-{{TINC_VERSION}}.tar.gz"
|
|
|
|
+ dest: /opt/tinc/tinc-{{TINC_VERSION}}.tar.gz
|
|
|
|
+ register: gettinc
|
|
|
|
+
|
|
|
|
+ - name: tinc-Quellen entpacken
|
|
|
|
+ unarchive:
|
|
|
|
+ src: /opt/tinc/tinc-{{TINC_VERSION}}.tar.gz
|
|
|
|
+ dest: /usr/src
|
|
|
|
+ remote_src: true
|
|
|
|
+ when:
|
|
|
|
+ - gettinc.changed
|
|
|
|
+
|
|
|
|
+ - name: Pruefen tinc programm vh
|
|
|
|
+ stat:
|
|
|
|
+ path: /usr/sbin/tinc
|
|
|
|
+ register: tinc_bin
|
|
|
|
+
|
|
|
|
+ - name: tinc kompilieren und installieren
|
|
|
|
+ shell: "cd /usr/src/tinc-{{TINC_VERSION}}
|
|
|
|
+ && ./configure --prefix=/usr --sysconfdir=/etc --runstatedir=/run
|
|
|
|
+ --localstatedir=/var --with-systemd
|
|
|
|
+ && make
|
|
|
|
+ && make install"
|
|
|
|
+ when:
|
|
|
|
+ - tinc_bin.stat.exists == False or gettinc.changed
|
|
|
|
+
|
|
|
|
+ - name: Gibt es schon eine (alte) tinc Konfiguration
|
|
|
|
+ stat:
|
|
|
|
+ path: /etc/tinc
|
|
|
|
+ register: tinc_etc
|
|
|
|
+
|
|
|
|
+ - name: tinc Konfigurationsreste beseitigen
|
|
|
|
+ file:
|
|
|
|
+ path: /etc/tinc
|
|
|
|
+ state: absent
|
|
|
|
+ when:
|
|
|
|
+ - tinc_etc.stat.exists
|
|
|
|
+
|
|
|
|
+ - name: tinc lan/wan vorkonfigurieren in mehreren Schritten
|
|
|
|
+ shell: "tinc --net={{ item }} init {{ansible_hostname}}"
|
|
|
|
+ with_items:
|
|
|
|
+ - lan
|
|
|
|
+ - wan
|
|
|
|
+ # when:
|
|
|
|
+ # - tinc_bin.stat.exists == False or gettinc.changed
|
|
|
|
+
|
|
|
|
+ - name: 2048er priv und pub keys löschen
|
|
|
|
+ shell: "rm /etc/tinc/{{ item }}/*.priv
|
|
|
|
+ && rm /etc/tinc/{{ item }}/hosts/*"
|
|
|
|
+ with_items:
|
|
|
|
+ - lan
|
|
|
|
+ - wan
|
|
|
|
+ # when:
|
|
|
|
+ # - tinc_bin.stat.exists == False or gettinc.changed
|
|
|
|
+
|
|
|
|
+ - name: 4096er keys generieren
|
|
|
|
+ shell: "tinc --net={{ item }} -b generate-keys 4096"
|
|
|
|
+ with_items:
|
|
|
|
+ - lan
|
|
|
|
+ - wan
|
|
|
|
+ # when:
|
|
|
|
+ # - tinc_bin.stat.exists == False or gettinc.changed
|
|
|
|
+
|
|
|
|
+ - name: tinc.conf einrichten
|
|
|
|
+ shell: "tinc --net={{ item }} set Device {{tinc_dev}}
|
|
|
|
+ && tinc --net={{ item }} set Mode {{tinc_mode}}
|
|
|
|
+ && tinc --net={{ item }} set AddressFamily {{tinc_adr_family}}
|
|
|
|
+ && tinc --net={{ item }} set MaxTimeout {{tinc_max_timeout}}
|
|
|
|
+ && tinc --net={{ item }} set BindToAddress {{tinc_bindto}}"
|
|
|
|
+ with_items:
|
|
|
|
+ - lan
|
|
|
|
+ - wan
|
|
|
|
+ # when:
|
|
|
|
+ # - tinc_bin.stat.exists == False or gettinc.changed
|
|
|
|
+
|
|
|
|
+ - name: lan/wan ports setzen
|
|
|
|
+ # das geht leider nicht in loop, da Variablen nicht geschachtelt
|
|
|
|
+ shell: "tinc --net=lan set Port {{ tinc_port.lan }}
|
|
|
|
+ && tinc --net=wan set Port {{ tinc_port.wan }}"
|
|
|
|
+
|
|
|
|
+ - name: tinc-up anpassen
|
|
|
|
+ ansible.builtin.template:
|
|
|
|
+ src: templates/tinc-up.{{ item }}.j2
|
|
|
|
+ dest: /etc/tinc/{{ item }}/tinc-up
|
|
|
|
+ with_items:
|
|
|
|
+ - lan
|
|
|
|
+ - wan
|
|
|
|
+ # when:
|
|
|
|
+ # - tinc_bin.stat.exists == False or gettinc.changed
|
|
|
|
+
|
|
|
|
+ - meta: end_play
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+Aufruf der beiden playbooks mit
|
|
|
|
+
|
|
|
|
+ ansible-playbook -b playbooks/update.yaml -i inventory/hosts.yaml --ask-vault-pass
|
|
|
|
+ ansible-playbook -b playbooks/tincbuild.yaml -i inventory/hosts.yaml --ask-vault-pass
|
|
|
|
+
|
|
|
|
+Gekürzte Ausgabe:
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ (ffhome) 20:55:59[frankb@berglap /datadisk/ffhome 4] ansible-playbook -b playbooks/update.yaml -i inventory/hosts.yaml --ask-vault-pass
|
|
|
|
+ Vault password:
|
|
|
|
+
|
|
|
|
+ PLAY [desktops,apus,altlast] ***************************************************************
|
|
|
|
+ TASK [Gathering Facts] *********************************************************************
|
|
|
|
+ [WARNING]: Platform linux on host berglap is using the discovered Python interpreter at
|
|
|
|
+ /usr/bin/python3.10, but future installation of another Python interpreter could change the
|
|
|
|
+ meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
+ core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
+ ok: [berglap]
|
|
|
|
+ [WARNING]: Platform linux on host bergdesk is using the discovered Python interpreter at
|
|
|
|
+ /usr/bin/python3.11, but future installation of another Python interpreter could change the
|
|
|
|
+ meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
+ core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
+ ok: [bergdesk]
|
|
|
|
+ fatal: [luna]: UNREACHABLE! => changed=false
|
|
|
|
+ msg: 'Failed to connect to the host via ssh: ssh: connect to host 192.168.178.224 port 24: No route to host'
|
|
|
|
+ unreachable: true
|
|
|
|
+ [WARNING]: Platform linux on host berghofen is using the discovered Python interpreter at
|
|
|
|
+ /usr/bin/python3.11, but future installation of another Python interpreter could change the
|
|
|
|
+ meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
+ core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
+ ok: [berghofen]
|
|
|
|
+ [WARNING]: Platform freebsd on host hoerde is using the discovered Python interpreter at
|
|
|
|
+ /usr/local/bin/python3.9, but future installation of another Python interpreter could
|
|
|
|
+ change the meaning of that path. See https://docs.ansible.com/ansible-
|
|
|
|
+ core/2.17/reference_appendices/interpreter_discovery.html for more information.
|
|
|
|
+ ok: [hoerde]
|
|
|
|
+
|
|
|
|
+ TASK [Testausgabe] *************************************************************************
|
|
|
|
+ ok: [bergdesk] =>
|
|
|
|
+ msg: Hallo von bergdesk Ansible managed!
|
|
|
|
+ ok: [berglap] =>
|
|
|
|
+ msg: Hallo von berglap Ansible managed!
|
|
|
|
+ ok: [berghofen] =>
|
|
|
|
+ msg: Hallo von berghofen Ansible managed!
|
|
|
|
+ ok: [hoerde] =>
|
|
|
|
+ msg: Hallo von hoerde Ansible managed!
|
|
|
|
+
|
|
|
|
+ TASK [df -h Aufruf] ************************************************************************
|
|
|
|
+ ok: [berglap]
|
|
|
|
+ ok: [bergdesk]
|
|
|
|
+ ok: [berghofen]
|
|
|
|
+ ok: [hoerde]
|
|
|
|
+
|
|
|
|
+ TASK [debug] *******************************************************************************
|
|
|
|
+ ok: [bergdesk] =>
|
|
|
|
+ msg: '[''Dateisystem Größe Benutzt Verf. Verw% Eingehängt auf'', ''/dev/sdb1 439G 98G 319G 24% /''] Debian'
|
|
|
|
+ ok: [berglap] =>
|
|
|
|
+ msg: '[''Dateisystem Größe Benutzt Verf. Verw% Eingehängt auf'', ''/dev/mapper/system-root 444G 298G 124G 71% /''] Ubuntu'
|
|
|
|
+ ok: [berghofen] =>
|
|
|
|
+ msg: '[''Dateisystem Größe Benutzt Verf. Verw% Eingehängt auf'', ''/dev/sda6 18G 5,1G 12G 30% /''] Debian'
|
|
|
|
+ ok: [hoerde] =>
|
|
|
|
+ msg: '[''Filesystem Size Used Avail Capacity Mounted on'', ''s3pool25/jail/hoerde.ffdo.net 3.9G 891M 3.0G 22% /''] FreeBSD'
|
|
|
|
+
|
|
|
|
+ TASK [ping meine hosts] ********************************************************************
|
|
|
|
+ ok: [berglap]
|
|
|
|
+ ok: [bergdesk]
|
|
|
|
+ ok: [berghofen]
|
|
|
|
+ ok: [hoerde]
|
|
|
|
+
|
|
|
|
+ ...
|
|
|
|
+
|
|
|
|
+ PLAY RECAP *********************************************************************************
|
|
|
|
+ bergdesk : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
+ berghofen : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
+ berglap : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
+ hoerde : ok=5 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
|
|
|
|
+ luna : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
|
+
|