initial commit
Signed-off-by: Thomas Schmid <tom@lfence.de>
3dfff93c0e
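--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.vault_passwd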
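--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,16 @@
+[defaults]
+ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
+interpreter_python = auto
+inventory = ./hosts
+nocows = 1
+remote_user = root
+retry_files_enabled = False
+roles_path = ./roles
+vault_password_file = ./.vault_passwd
+# Use the YAML callback plugin.
+stdout_callback = debug
+# Use the stdout_callback when running ad-hoc commands.
+bin_ansible_callbacks = True
+
+[ssh_connection]
+pipelining = true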
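Review bot: `remote_user = root` makes every play log in directly as root over SSH, so the controller's key is an unrestricted root key on every printer and nothing in the config enforces privilege separation; a dedicated unprivileged user plus `become = True` in `[privilege_escalation]` would keep direct root SSH login closable. The comment above `stdout_callback = debug` says "Use the YAML callback plugin" but the value selects `debug`, which prints full task results to the console; either set `stdout_callback = yaml` or reword the comment. `vault_password_file = ./.vault_passwd` keeps the vault key as a plaintext file next to the playbooks — it is gitignored in this commit, but a `--vault-id` script backed by an agent or secret store avoids a second copy of the secret on disk.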
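--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -0,0 +1,6 @@
+---
+acertmgr_mode: webdir
+
+root_keys:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAH+k8kCgonUvgBUE/XRABAUsmBbWGHc3lgsxZU4O99595EuCq8AtZa3i5XzGBExm5tFwEqL2u4RuYuxwePaV3fLAAGBwTPGxkCobRtOpaPC6XVLShYl+qFkKzijG3GexdJClUFIPvcvuol+4LgZQK2QCn5QERxhQUNDYQeao1mRBPNpLw== venti@sky"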
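Review bot: `root_keys` declares two authorized keys for root, but none of the roles added in this commit appears to consume it (there is no `authorized_key` task in `common`, `nginx`, `docker`, `acertmgr` or `octoprint`), so root access on the printers stays whatever was installed by hand and this list silently drifts from reality. Either add a task in the `common` role that applies the list with `exclusive: yes`, or drop the variable until one exists; a one-line comment such as `# consumed by roles/common — keep in sync with who may log in as root` would make the intent explicit.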
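--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+65616234613165653261333463353761353165373339626365393238323866363562396638663862
+6163366532653966663862343530386233386464303736340a363961616163663963326432323565
+33326433343962383338613962366533386132333434386265353961626631383132343832393464
+3538383634333931310a386131646330653163363538386139353036373531316363396634663161
+37346365396637653864346537613963326464653531633132373234656539353037643265393561
+66626530666439353439343630616138613539376638623531316633613632393134613665346532
+35306161353034316563343832343035613165353831393866646630363134393831633665376634
+36663538366537306566303963316131386339373863383562363766656637333534326463653364
+32343962383631316636336563343833643739663766666361343362346530353961383463316136
+65396563326138623632663136636162386331646134356463323162373430363332623434326364
+63383032366561336337656465623038636434303332373961343632313566386533623566303434
+34366337616533313965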
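--- a/host_vars/canneloni.binary.kitchen
+++ b/host_vars/canneloni.binary.kitchen
@@ -0,0 +1,2 @@
+octoprint_display_name: Prusa Mini
+octoprint_domain: canneloni.binary.kitchen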
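--- a/host_vars/maccaroni.binary.kitchen
+++ b/host_vars/maccaroni.binary.kitchen
@@ -0,0 +1,2 @@
+octoprint_display_name: Voron 2.4
+octoprint_domain: maccaroni.binary.kitchen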
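--- a/host_vars/raspberrypi
+++ b/host_vars/raspberrypi
@@ -0,0 +1 @@
+octoprint_domain: raspberrypi.fritz.box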
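--- a/host_vars/spaghetti.binary copy.kitchen
+++ b/host_vars/spaghetti.binary copy.kitchen
@@ -0,0 +1,2 @@
+octoprint_display_name: Prusa MK3s
+octoprint_domain: spaghetti.binary.kitchen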
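Review bot: The file is named `host_vars/spaghetti.binary copy.kitchen`, which does not match the inventory hostname `spaghetti.binary.kitchen` in `hosts`, so Ansible will never load these two variables for that host and `octoprint_domain` is undefined when the octoprint role renders its vhost and acertmgr templates. Rename the file to `host_vars/spaghetti.binary.kitchen` (the stray " copy" looks like a file-manager duplicate).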
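--- a/hosts
+++ b/hosts
@@ -0,0 +1,8 @@
+[3D_Printers_test]
+raspberrypi
+
+[Octoprint_hosts]
+spaghetti.binary.kitchen
+maccaroni.binary.kitchen
+canneloni.binary.kitchen
+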
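--- a/roles/acertmgr/defaults/main.yml
+++ b/roles/acertmgr/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"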
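Review bot: `acertmgr_version` is resolved at play time from `master/version.txt`, so whichever version string is on the upstream default branch when the play runs decides which package `roles/acertmgr/tasks/main.yml` installs as root; nothing in the repository pins or reviews that choice, and a compromised or merely broken upstream branch propagates to every printer on the next run. Prefer a literal, reviewed release string here (`acertmgr_version: "<pinned release>"`) and bump it deliberately, keeping the URL lookup at most as a documented manual check rather than the default.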
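--- a/roles/acertmgr/tasks/main.yml
+++ b/roles/acertmgr/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+
+- name: Install dependencies
+apt:
+name:
+- python3-cryptography
+- python3-dnspython
+- python3-yaml
+- python3-pkg-resources
+
+- name: Install acertmgr
+apt:
+deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
+
+- name: Create config directories
+file:
+path: /etc/acertmgr
+state: directory
+mode: 0755
+
+- name: Configure acertmgr
+template:
+src: acertmgr.conf.j2
+dest: /etc/acertmgr/acertmgr.conf
+
+- name: Create challenge directory
+file:
+path: /var/www/acme-challenge/
+owner: root
+mode: 0755
+state: directory
+
+- name: Enable acertmgr cronjob
+cron:
+name: certmgr
+special_time: daily
+job: /usr/bin/acertmgr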
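Review bot: The `Install acertmgr` task hands `apt: deb:` a remote URL, so a `.deb` fetched from GitHub releases is installed as root with no checksum and no signature check — the only integrity guarantee is the TLS connection, and the version it fetches is itself looked up at run time from upstream. Download the package with `get_url` and a pinned `checksum:` (recorded per version in the role defaults, e.g. `acertmgr_deb_sha256`) and install from the local path, so a changed artifact fails the play instead of landing on the printers; the cron entry then runs that binary daily as root. The rest of the file (config directory, template, challenge directory, cron) is unaffected.
```yaml
- name: Download acertmgr package
  get_url:
    url: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
    dest: "/var/cache/apt/archives/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
    checksum: "sha256:{{ acertmgr_deb_sha256 }}"
    mode: 0644

- name: Install acertmgr
  apt:
    deb: "/var/cache/apt/archives/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
# … unchanged: config directories, template, challenge directory, cron …
```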
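--- a/roles/acertmgr/templates/acertmgr.conf.j2
+++ b/roles/acertmgr/templates/acertmgr.conf.j2
@@ -0,0 +1,5 @@
+---
+
+mode: {{ acertmgr_mode }}
+webdir: /var/www/acme-challenge/
+authority_tos_agreement: true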
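--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+logrotate_excludes:
+- "/etc/logrotate.d/alternatives"
+- "/etc/logrotate.d/apt"
+- "/etc/logrotate.d/dpkg"
+- "/etc/logrotate.d/dbconfig-common"
+- "/etc/logrotate.d/btmp"
+- "/etc/logrotate.d/wtmp"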
2790
roles/common/files/.zshrc
Normal file
2790
roles/common/files/.zshrc
Normal file
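--- a/roles/common/files/.zshrc.local
+++ b/roles/common/files/.zshrc.local
@@ -0,0 +1,12 @@
+# completion
+autoload -U compinit
+compinit
+
+
+# cache for the completion
+zstyle ':completion::complete:*' use-cache 1
+
+
+# promt
+autoload -U promptinit
+promptinit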
0
roles/common/files/motd
Normal file
0
roles/common/files/motd
Normal file
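--- a/roles/common/files/resume
+++ b/roles/common/files/resume
@@ -0,0 +1 @@
+RESUME=none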
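--- a/roles/common/files/vimrc.local
+++ b/roles/common/files/vimrc.local
@@ -0,0 +1,2 @@
+set mouse=
+set ttymouse=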
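--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Restart chrony
+service:
+name: "{{ item.name }}"
+state: restarted
+when: "{{ item.os == ansible_facts['distribution'] }}"
+loop:
+- os: Debian
+name: chrony
+- os: Archlinux
+name: chronyd
+
+- name: Restart journald
+service: name=systemd-journald state=restarted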
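Review bot: The `Restart chrony` handler wraps its condition in Jinja delimiters, `when: "{{ item.os == ansible_facts['distribution'] }}"`; `when` is already evaluated as an expression, Ansible warns about templated conditionals, and newer ansible-core versions reject them. Use `when: item.os == ansible_facts['distribution']`. Note also that `chrony.yml` selects the package by `ansible_os_family` while this handler compares `distribution`, so a Debian derivative that reports a different distribution name would install chrony but never restart it — worth keying both on the same fact.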
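--- a/roles/common/tasks/Archlinux.yml
+++ b/roles/common/tasks/Archlinux.yml
@@ -0,0 +1,77 @@
+---
+
+- name: Install misc software
+pacman:
+name:
+- htop
+- less
+- net-tools
+- openssl
+- rsync
+- sudo
+- vim
+- zsh
+- logrotate
+
+- name: Configure misc software
+copy: src={{ item.src }} dest={{ item.dest }}
+diff: no
+with_items:
+- { src: ".zshrc", dest: "/root/.zshrc" }
+- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+
+- name: Set shell for root user
+user: name=root shell=/bin/zsh
+
+- name: Prevent normal users from running su
+lineinfile:
+path: /etc/pam.d/su
+regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+line: "auth required pam_wheel.so"
+
+- name: Configure journald retention
+lineinfile:
+path: "/etc/systemd/journald.conf"
+state: "present"
+regexp: "^#?MaxRetentionSec=.*"
+line: "MaxRetentionSec=7day"
+notify: Restart journald
+
+- name: Set logrotate.conf to daily
+replace:
+path: "/etc/logrotate.conf"
+regexp: "(?:weekly|monthly)"
+replace: "daily"
+
+- name: Set logrotate.conf rotation to 7
+replace:
+path: "/etc/logrotate.conf"
+regexp: "rotate [0-9]+"
+replace: "rotate 7"
+
+- name: Find logrotate.d configuration files
+find:
+paths: "/etc/logrotate.d/"
+register: "logrotateconfigs"
+
+- name: Convert found files to path list
+set_fact:
+alllogrotateconfigpaths: "{{ logrotateconfigs.files | map(attribute='path') | list }}"
+
+- name: Exclude files from ansible management
+set_fact:
+logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
+
+- name: "Set logrotate.d/* to daily"
+replace:
+path: "{{ item }}"
+regexp: "(?:weekly|monthly)"
+replace: "daily"
+loop: "{{ logrotateconfigpaths }}"
+
+- name: "Set /etc/logrotate.d/* rotation to 7"
+replace:
+path: "{{ item }}"
+regexp: "rotate [0-9]+"
+replace: "rotate 7"
+loop: "{{ logrotateconfigpaths }}"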
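Review bot: The `Prevent normal users from running su` regexp is anchored with `$` right after `pam_wheel.so`, so if the target `/etc/pam.d/su` carries the stock Arch form `#auth required pam_wheel.so use_uid` (unverified here) the line is not matched and `lineinfile` appends a second `auth required pam_wheel.so` at end of file, leaving the commented original in place; the unescaped `.` in `pam_wheel.so` is also a wildcard. Use `regexp: "^#?\\s*auth\\s+required\\s+pam_wheel\\.so.*$"` so the existing line is rewritten wherever it sits, and consider stating in the task name that, without a `wheel` group, pam_wheel falls back to gid 0 and blocks `su` for everyone but root. The same regexp appears in `Debian.yml`.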
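--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -0,0 +1,83 @@
+---
+
+- name: Install misc software
+apt:
+name:
+- apt-transport-https
+- dnsutils
+- gnupg2
+- htop
+- less
+- net-tools
+- openssl
+- psmisc
+- pydf
+- rsync
+- sudo
+- vim
+- zsh
+
+- name: Configure misc software
+copy: src={{ item.src }} dest={{ item.dest }}
+diff: no
+with_items:
+- { src: ".zshrc", dest: "/root/.zshrc" }
+- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+- { src: "motd", dest: "/etc/motd" }
+- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
+
+- name: Set shell for root user
+user: name=root shell=/bin/zsh
+
+- name: Prevent normal users from running su
+lineinfile:
+path: /etc/pam.d/su
+regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+line: "auth required pam_wheel.so"
+
+- name: Configure journald retention
+lineinfile:
+path: "/etc/systemd/journald.conf"
+state: "present"
+regexp: "^#?MaxRetentionSec=.*"
+line: "MaxRetentionSec=7day"
+notify: Restart journald
+
+- name: Set logrotate.conf to daily
+replace:
+path: "/etc/logrotate.conf"
+regexp: "(?:weekly|monthly)"
+replace: "daily"
+
+- name: Set logrotate.conf rotation to 7
+replace:
+path: "/etc/logrotate.conf"
+regexp: "rotate [0-9]+"
+replace: "rotate 7"
+
+- name: Find logrotate.d configuration files
+find:
+paths: "/etc/logrotate.d/"
+register: "logrotateconfigs"
+
+- name: Convert found files to path list
+set_fact:
+alllogrotateconfigpaths: "{{ logrotateconfigs.files | map(attribute='path') | list }}"
+
+- name: Exclude files from ansible management
+set_fact:
+logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
+
+- name: "Set logrotate.d/* to daily"
+replace:
+path: "{{ item }}"
+regexp: "(?:weekly|monthly)"
+replace: "daily"
+loop: "{{ logrotateconfigpaths }}"
+
+- name: "Set /etc/logrotate.d/* rotation to 7"
+replace:
+path: "{{ item }}"
+regexp: "rotate [0-9]+"
+replace: "rotate 7"
+loop: "{{ logrotateconfigpaths }}"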
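Review bot: The two `replace` tasks over `/etc/logrotate.d/*` match `(?:weekly|monthly)` and `rotate [0-9]+` anywhere in each file, so they also rewrite those words inside comments, `dateformat`/`olddir` strings or file paths of any package-shipped config that is not in `logrotate_excludes`, and they do so on every file `find` returns without checking it is a logrotate config. Anchor the patterns to a whole directive, `regexp: "^(\\s*)(?:weekly|monthly)\\s*$"` with `replace: "\\1daily"` and `regexp: "^(\\s*)rotate\\s+[0-9]+\\s*$"` with `replace: "\\1rotate 7"`. The same pattern is used in `Archlinux.yml`; as a style point the two files differ only in package manager and package list, so a single task file parameterised by `ansible_os_family` would keep fixes like this from needing to land twice.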
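--- a/roles/common/tasks/chrony.yml
+++ b/roles/common/tasks/chrony.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Install chrony for Debian
+apt: name=chrony
+notify: Restart chrony
+when: ansible_os_family == "Debian"
+
+- name: Install chrony for Archlinux
+pacman: name=chrony
+notify: Restart chrony
+when: ansible_os_family == "Archlinux"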
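--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Cleanup
+apt: autoclean=yes
+when: ansible_os_family == "Debian"
+
+- name: Gather package facts
+package_facts:
+manager: apt
+when: ansible_os_family == "Debian"
+
+- name: Debian
+include: Debian.yml
+when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
+
+- name: Archlinux
+include: Archlinux.yml
+when: ansible_os_family == "Archlinux"
+
+- name: Setup chrony
+include: chrony.yml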
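Review bot: The three `include:` tasks use the bare `include` action, which has been deprecated for several releases and is removed in recent ansible-core, so this role stops loading on a controller upgrade; `import_tasks: Debian.yml` (static) or `include_tasks:` (dynamic, needed here because of the `when:`) is the supported form. The `"pve-manager" not in ansible_facts.packages` guard only works because `ansible_facts.packages` is gathered on Debian hosts and Jinja short-circuits the `and` on Archlinux; a comment such as `# skip hardening on Proxmox hosts (pve-manager); packages fact is Debian-only` would record that dependency for the next reader.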
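--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Enable docker apt-key
+apt_key: url='https://download.docker.com/linux/debian/gpg'
+
+- name: Enable docker repository
+apt_repository:
+repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
+filename: docker
+
+- name: Install docker
+apt:
+name:
+- docker-ce
+- docker-ce-cli
+- containerd.io
+- python3-docker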
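Review bot: `apt_key: url=…` imports Docker's signing key into the global apt trust store with no `id:`/fingerprint check, so whatever key the download returns becomes trusted for every configured repository, not just Docker's; `apt-key` itself is deprecated on current Debian. Store the key as a file and bind it to the repository with `signed-by=`, so a compromise of that key or mirror can only affect packages from `download.docker.com`, and pin the expected fingerprint (or the file's `checksum:`) so a swapped key fails the play. The `Install docker` task is unchanged.
```yaml
- name: Create apt keyring directory
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: 0755

- name: Install docker signing key
  get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: 0644

- name: Enable docker repository
  apt_repository:
    repo: 'deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    filename: docker
# … unchanged: Install docker …
```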
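--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False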
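Review bot: `nginx_ssl` has no default here although every TLS task in `roles/nginx/tasks/main.yml` is gated on `when: nginx_ssl`, so applying the role without a caller setting it fails with an undefined variable rather than choosing a safe default; add `nginx_ssl: false` next to `nginx_anonymize` and document both with a one-line comment (`# generate a self-signed cert, dhparam and the HTTPS default vhost`). As a style point, `False` is Python-cased while the rest of the repository writes YAML booleans as `false`.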
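--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+service: name=nginx state=restarted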
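--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+
+- name: Install nginx
+apt: name=nginx-light
+
+- name: Create certificate directory
+file: path=/etc/nginx/ssl state=directory mode=0750
+when: nginx_ssl
+
+- name: Ensure certificates are available
+command:
+cmd: >
+openssl req -x509 -nodes -newkey rsa:2048
+-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
+-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+-days 730 -subj "/CN={{ ansible_fqdn }}"
+creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+when: nginx_ssl
+notify: Restart nginx
+
+- name: Ensure correct certificate permissions
+file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0400
+when: nginx_ssl
+notify: Restart nginx
+
+- name: Create DH parameters
+command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
+when: nginx_ssl
+with_items:
+- /etc/nginx/dhparam.pem
+
+- name: Configure nginx
+template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
+notify: Restart nginx
+
+- name: Configure default vhost
+template: src=default.j2 dest=/etc/nginx/sites-available/default
+when: nginx_ssl
+notify: Restart nginx
+
+- name: Start nginx
+service: name=nginx state=started enabled=yes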
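Review bot: `Ensure certificates are available` lets `openssl req -keyout` create the private key under the process umask and only the next task tightens it to `0400`, so the key is readable by other local users between the two tasks and stays that way if the play aborts in between; `command` cannot set a umask, so either run it through `shell` with `cmd: umask 077 && openssl req …`, or pre-create the key with `file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key state=touch mode=0600` before the command (openssl truncates in place, so the mode is kept). The `Create certificate directory` task sets `mode=0750` but no `owner`/`group`; it inherits root:root from the task user, which is fine today but worth stating explicitly so the 0750 is meaningful.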
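--- a/roles/nginx/templates/default.j2
+++ b/roles/nginx/templates/default.j2
@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+
+server_name _;
+server_name_in_redirect on;
+
+location /.well-known/acme-challenge {
+default_type "text/plain";
+alias /var/www/acme-challenge;
+}
+
+location / {
+return 301 https://$host$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name _;
+
+ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+}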
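Review bot: The 443 `server_name _;` block is not marked `default_server` and has no `location` or `return`, so which vhost answers an unmatched Host/SNI depends on include order of `sites-enabled/*`, and when this block wins it serves nginx's compiled-in document root over the self-signed certificate. Make it the explicit catch-all that refuses: `listen 443 ssl http2 default_server;` / `listen [::]:443 ssl http2 default_server;` and `return 444;` (or `ssl_reject_handshake on;` on nginx ≥ 1.19.4, which also avoids presenting the self-signed cert at all). The port-80 block's `return 301 https://$host$request_uri;` echoes the client-supplied Host header, which is the usual pattern but worth a comment since `server_name_in_redirect on` does not apply to a `return`.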
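--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,97 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+worker_connections 768;
+# multi_accept on;
+}
+
+http {
+
+##
+# Basic Settings
+##
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+server_tokens off;
+
+# server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+##
+# SSL Settings
+##
+
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+##
+# Logging Settings
+##
+
+{% if nginx_anonymize %}
+map $remote_addr $ip_anonym1 {
+default 0.0.0;
+"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+"~(?P<ip>[^:]+:[^:]+):" $ip;
+}
+
+map $remote_addr $ip_anonym2 {
+default .0;
+"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+"~(?P<ip>[^:]+:[^:]+):" ::;
+}
+
+map $ip_anonym1$ip_anonym2 $ip_anonymized {
+default 0.0.0.0;
+"~(?P<ip>.*)" $ip;
+}
+
+log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
+
+access_log /var/log/nginx/access.log anonymized;
+{% else %}
+access_log /var/log/nginx/access.log;
+{% endif %}
+error_log /var/log/nginx/error.log;
+
+##
+# Gzip Settings
+##
+
+gzip on;
+
+gzip_vary on;
+gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+##
+# Virtual Host Configs
+##
+
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}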
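Review bot: `ssl_stapling on;` / `ssl_stapling_verify on;` are set in the `http` block without a `resolver`, so nginx cannot look up the OCSP responder and will log a warning and serve no staple; and the only certificate this role itself provisions is the self-signed one from `roles/nginx/tasks/main.yml`, for which stapling has nothing to fetch. Add `resolver 127.0.0.53 valid=300s;` (or the site's resolver) and keep stapling only for vhosts that carry a CA-issued certificate, or drop the two lines here. The trailing `# Dropping SSLv3, ref: POODLE` comment is stale for a list that already excludes TLS 1.0/1.1; a short `# Mozilla "intermediate" profile` note above the cipher list would document the actual source of the settings.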
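--- a/roles/octoprint/defaults/main.yml
+++ b/roles/octoprint/defaults/main.yml
@@ -0,0 +1,15 @@
+octoprint_user: octoprint
+octoprint_group: octoprint
+octoprint_dir: "/opt/octoprint"
+octoprint_ssl: false
+
+octoprint_config_salt: "{{ octoprint_salt }}"
+octoprint_config_api_key: "{{ octoprint_api_key}}"
+octoprint_config_secret_key: "{{ octoprint_secret_key }}"
+octoprint_config_display_name: 3D-Printer
+
+octoprint_printer_dimension:
+x: 350
+y: 350
+
+octoprint_printer_nozzle: 0.4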
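Review bot: `octoprint_config_salt`, `octoprint_config_api_key` and `octoprint_config_secret_key` all resolve to single variables that, from the layout of this commit, live in `group_vars/all/vault.yml`, so every printer ends up with the same global API key, the same Flask `secretKey` (session signing) and the same password salt; an API key leaked from one printer (a plugin, a browser, a slicer profile) is valid on all of them and a forged session on one is valid on the others. Source these from per-host vault variables (`host_vars/<printer>/vault.yml`) or generate them on first run and leave the defaults undefined, and state the choice in a comment, e.g. `# per-host secrets — never share api_key/secret_key between printers`. `octoprint_ssl: false` is also the default, so out of the box the API key travels in clear text over the proxied HTTP vhost.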
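--- a/roles/octoprint/files/_default.profile
+++ b/roles/octoprint/files/_default.profile
@@ -0,0 +1,33 @@
+axes:
+e:
+inverted: false
+speed: 300
+x:
+inverted: false
+speed: 6000
+y:
+inverted: false
+speed: 6000
+z:
+inverted: false
+speed: 200
+color: default
+extruder:
+count: 1
+nozzleDiameter: 0.4
+offsets:
+- - 0.0
+- 0.0
+sharedNozzle: false
+heatedBed: true
+heatedChamber: false
+id: _default
+model: Generic RepRap Printer
+name: Default
+volume:
+custom_box: false
+depth: 200.0
+formFactor: rectangular
+height: 200.0
+origin: lowerleft
+width: 200.0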
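--- a/roles/octoprint/files/users.yaml
+++ b/roles/octoprint/files/users.yaml
@@ -0,0 +1,12 @@
+binarykitchen:
+active: true
+apikey: null
+groups:
+- users
+- admins
+password: fb5adb1fbecb856f2f37da607ea17faf4887cb353b0d28459b12fb814b59d325825b7856d604efddf30b7b0a08e95af0b5a78d6912830bac171d84fe0d8d2a33
+permissions: []
+roles:
+- user
+- admin
+settings: {}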
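Review bot: This file commits a fixed password hash for the `binarykitchen` account, which carries the `admins` group and `admin` role, and the role installs it verbatim on every printer, so one static admin credential is shared across all hosts and anyone with read access to the repository can attack the hash offline (it is a plain 128-hex digest, presumably the salted SHA-512 of OctoPrint's classic scheme — confirm). Because that scheme ties the hash to `accessControl.salt`, the value is only meaningful together with the vault salt, which is itself shared. Prefer creating the admin user per host through OctoPrint's API or a vaulted per-host `users.yaml`, and keep only a template here; `apikey: null` is correct and should stay that way.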
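--- a/roles/octoprint/handlers/main.yml
+++ b/roles/octoprint/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: Reload systemd
+systemd: daemon_reload=yes
+
+- name: Restart octoprint
+service: name=octoprint state=restarted
+
+- name: Restart nginx
+service: name=nginx state=restarted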
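Review bot: This handler list is incomplete for what the role's tasks notify: `roles/octoprint/tasks/main.yml` notifies `Restart apache2` and `Run acertmgr` under `octoprint_ssl`, and neither exists here, so the first run with TLS enabled aborts with an unknown-handler error once either task reports changed. Add `- name: Run acertmgr` / `command: /usr/bin/acertmgr`, and either add `Restart apache2` or (more likely, since this role only configures nginx) change the task to notify `Restart nginx`.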
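--- a/roles/octoprint/meta/main.yml
+++ b/roles/octoprint/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr, when: octoprint_ssl }
+- { role: nginx, nginx_ssl: octoprint_ssl }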
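Review bot: `nginx_ssl: octoprint_ssl` passes the literal string `octoprint_ssl`, not the boolean — role parameters are plain values and only `{{ … }}` is templated — so inside the nginx role `when: nginx_ssl` sees a non-empty string, which older ansible-core treats as true (with a bare-variable deprecation warning) and newer versions reject as a non-boolean conditional; either way the TLS tasks do not follow `octoprint_ssl: false`. Write `- { role: nginx, nginx_ssl: "{{ octoprint_ssl }}" }`. The `when:` on the acertmgr dependency is fine as written.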
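--- a/roles/octoprint/tasks/main.yml
+++ b/roles/octoprint/tasks/main.yml
@@ -0,0 +1,151 @@
+---
+
+- name: Create group
+group:
+name: "{{ octoprint_group }}"
+
+- name: Create user
+user:
+name: "{{ octoprint_user }}"
+home: "/home/{{ octoprint_user }}"
+group: "{{ octoprint_group }}"
+append: yes
+groups:
+- video
+
+- name: Install requirements
+apt:
+name:
+- python3-pip
+- python3-virtualenv
+
+- name: Create virtual env and install python dependencies
+pip:
+name: octoprint
+virtualenv: "{{ octoprint_dir }}"
+
+- name: Create configuration directories
+file:
+path: "/home/{{ octoprint_user }}/{{ item }}"
+owner: "{{ octoprint_user }}"
+group: "{{ octoprint_group }}"
+state: directory
+mode: u+rw,g+rw,o+r
+with_items:
+- .octoprint
+- .octoprint/printerProfiles
+
+- name: Install systemd unit
+template: src=octoprint.service.j2 dest=/lib/systemd/system/octoprint.service
+notify:
+- Reload systemd
+- Restart octoprint
+
+################################################################################
+# Octoprint configuration
+################################################################################
+
+- name: Register if config already exists on target host
+stat:
+path: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
+register: octoprint_register_config_stat
+
+- name: Default octoprint config
+set_fact:
+octoprint_config: "{{ lookup('template', 'config.yaml.j2') | from_yaml }}"
+
+- name: Initial configuration of octoprint
+copy:
+content: "{{ octoprint_config | to_nice_yaml }}"
+dest: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
+when: not octoprint_register_config_stat.stat.exists
+
+- name: Update existing Octoprint configuration
+block:
+- name: Read Octoprint config file
+slurp:
+src: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
+register: octoprint_register_config
+
+- name: Parse Octoprint config file
+set_fact:
+current_octoprint_config: "{{ octoprint_register_config['content'] | b64decode | from_yaml}}"
+
+- name: Write updated octoprint configuration
+copy:
+content: "{{ octoprint_config | combine(current_octoprint_config, recursive=True) | to_nice_yaml}}"
+dest: "/home/{{octoprint_user}}/.octoprint/config.yaml"
+notify: Restart octoprint
+
+################################################################################
+# Octoprint Users
+################################################################################
+
+when: octoprint_register_config_stat.stat.exists
+
+- name: Register if user databse already exists on target host
+stat:
+path: "/home/{{ octoprint_user }}/.octoprint.users.yaml"
+register: octoprint_register_users
+
+- name: Read default octoprint users
+set_fact:
+octoprint_defaut_users: "{{ lookup('file', 'users.yaml') | from_yaml }}"
+
+- name: Copy default users
+copy:
+src: users.yaml
+dest: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
+when: not octoprint_register_users.stat.exists
+
+- name: Merge users database with default users
+block:
+- name: Read Octoprint users file
+slurp:
+src: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
+register: octoprint_register_users_file
+
+- name: Parse Octoprint users file
+set_fact:
+current_octoprint_users: "{{ octoprint_register_users_file['content'] | b64decode | from_yaml }}"
+
+- name: Merge current users with default users
+set_fact:
+octoprint_users_db: "{{ current_octoprint_users | combine(octoprint_default_users)}}"
+
+- name: Copy new users file
+copy:
+content: "{{ octoprint_users_db | to_nice_yaml }}"
+dest: "/home/{{ octoprint_user }}/.octoprint.users.yaml"
+when: octoprint_register_users.stat.exists
+
+################################################################################
+# Reverse proxy
+################################################################################
+
+- name: Configure reverse proxy
+block:
+- name: Ensure certificates are available
+command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/apache2/ssl/{{ octoprint_domain }}.key -out /etc/apache2/ssl/{{ octoprint_domain }}.crt -days 730 -subj "/CN={{ octoprint_domain }}" creates=/etc/apache2/ssl/{{ octoprint_domain }}.crt
+notify: Restart apache2
+when: octoprint_ssl
+
+- name: Configure certificate manager for octoprint
+template: src=certs.j2 dest=/etc/acertmgr/{{ octoprint_domain }}.conf
+notify: Run acertmgr
+when: octoprint_ssl
+
+- name: Configure vhost
+template: src=nginx_vhost.j2 dest=/etc/nginx/sites-available/octoprint
+notify: Restart nginx
+
+- name: Enable vhost
+file: src=/etc/nginx/sites-available/octoprint dest=/etc/nginx/sites-enabled/octoprint state=link
+notify: Restart nginx
+
+- name: Enable octoprint
+service:
+name: octoprint
+enabled: yes
+
+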
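Review bot: The four `copy` tasks that write `config.yaml` and the users database carry no `owner`/`group`/`mode`, so files holding the API key, the Flask `secretKey`, the password salt and the admin password hash are created root-owned and, under the default umask, world-readable by every local account — and not writable by the service user, so OctoPrint cannot persist settings unless the (not shown) unit runs it as root; add `owner: "{{ octoprint_user }}"`, `group: "{{ octoprint_group }}"`, `mode: 0600` to each. The users handling is also internally inconsistent: the `stat` and the final `copy` use `.octoprint.users.yaml` while the default copy and the `slurp` use `.octoprint/users.yaml`, and the merge references `octoprint_default_users` although the fact is set as `octoprint_defaut_users`, so the merge branch fails on an undefined variable as soon as a users file exists. In the reverse-proxy block the self-signed certificate is written under `/etc/apache2/ssl/`, which nothing creates, and the notified handlers `Restart apache2` and `Run acertmgr` are not defined in this role; the nginx role already produces `/etc/nginx/ssl/<fqdn>.{key,crt}`, so this task looks like a leftover that should be dropped or pointed at `/etc/nginx/ssl/`. `pip: name: octoprint` installs an unpinned PyPI release as root into the venv; pinning `version:` would match the pinning this review asks for elsewhere.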
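--- a/roles/octoprint/templates/config.yaml.j2
+++ b/roles/octoprint/templates/config.yaml.j2
@@ -0,0 +1,46 @@
+---
+
+appearance:
+name: "{{ octoprint_config_display_name }}"
+
+accessControl:
+salt: "{{ octoprint_config_salt }}"
+autologinAs: binarykitchen
+
+api:
+key: "{{ octoprint_config_api_key }}"
+
+plugins:
+tracking:
+enabled: false
+
+server:
+commands:
+serverRestartCommand: systemctl restart octoprint
+systemRestartCommand: reboot
+systemShutdownCommand: shutdown now
+firstRun: false
+onlineCheck:
+enabled: false
+pluginBlacklist:
+enabled: true
+secretKey: "{{ octoprint_config_secret_key }}"
+seenWizards:
+backup: null
+corewizard: 4
+tracking: null
+
+temperature:
+profiles:
+- name: ABS
+chamber: null
+bed: 100
+extruder: 240
+- name: PLA
+chamber: null
+bed: 60
+extruder: 200
+- name: PETG
+chamber: null
+bed: 80
+extruder: 230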
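Review bot: `accessControl.autologinAs: binarykitchen` names the admin account from `users.yaml`, and because nginx proxies to `localhost:5000` every request reaches OctoPrint from `127.0.0.1`, which is inside OctoPrint's default `localNetworks`; the template sets neither `autologinLocal` nor `server.reverseProxy.trustedDownstream`, so whether auto-login fires for every visitor depends on OctoPrint's defaults and on what `combine(current_octoprint_config)` merges back from an existing install — if it does, anyone who can reach the vhost is admin and can trigger `systemShutdownCommand` / `reboot` without a password. Either remove `autologinAs`, or set `autologinLocal: false` explicitly and add `server: reverseProxy: trustedDownstream: [127.0.0.1]` so the real client address is honoured, and say so in a comment. The `systemRestartCommand`/`systemShutdownCommand` values run as the service user, which needs a sudo rule the role does not add (the unit template is not in this commit), so note that dependency next to them.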
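--- a/roles/octoprint/templates/nginx_vhost.j2
+++ b/roles/octoprint/templates/nginx_vhost.j2
@@ -0,0 +1,60 @@
+{% if not octoprint_ssl %}
+server {
+listen 80;
+listen [::]:80;
+
+server_name {{ octoprint_domain }};
+
+location / {
+client_max_body_size 1024M;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Scheme $scheme;
+proxy_set_header X-Script-Name /octoprint;
+proxy_http_version 1.1;
+proxy_pass http://localhost:5000;
+}
+}
+{% else %}
+server {
+listen 80;
+listen [::]:80;
+
+server_name {{ octoprint_domain }};
+
+location /.well-known/acme-challenge {
+default_type "text/plain";
+alias /var/www/acme-challenge;
+}
+
+location / {
+return 301 https://{{ octoprint_domain }}$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name {{ gitea_domain }};
+
+ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
+ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
+
+location / {
+client_max_body_size 1024M;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Scheme $scheme;
+proxy_set_header X-Script-Name /octoprint;
+proxy_http_version 1.1;
+proxy_pass http://localhost:5000;
+}
+}
+{% endif %}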
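Review bot: The HTTPS server block uses `{{ gitea_domain }}` for `server_name`, `ssl_certificate_key` and `ssl_certificate`, while the rest of this template and the acertmgr config task are keyed on `octoprint_domain`; with `octoprint_ssl` true the TLS vhost therefore answers for the wrong hostname and points at certificate files this role never issues (or fails to start if `gitea_domain` is undefined on the host). The three lines should read `server_name {{ octoprint_domain }};`, `ssl_certificate_key /etc/nginx/ssl/{{ octoprint_domain }}.key;` and `ssl_certificate /etc/nginx/ssl/{{ octoprint_domain }}.crt;`. Both proxy blocks also send `proxy_set_header X-Script-Name /octoprint;` although the application is proxied at `location /`; OctoPrint uses that header for URL prefixing behind a sub-path proxy, so either drop it or proxy under `/octoprint/` — verify which is intended. Since the 443 block terminates TLS, a `Strict-Transport-Security` header there would be a cheap addition once the domain mix-up is fixed.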
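--- a/roles/octoprint/templates/octoprint.service.j2
+++ b/roles/octoprint/templates/octoprint.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Octoprint
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{ octoprint_user }}
+Group={{ octoprint_user }}
+WorkingDirectory={{ octoprint_dir }}
+ExecStart={{ octoprint_dir }}/bin/octoprint serve
+Restart=always
+
+[Install]
+WantedBy=multi-user.target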
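Review bot: `After=syslog.target` is obsolete on current systemd (no such target ships; an `After=` on a missing unit is silently ignored), so the line is dead and can be dropped — `After=network.target` is sufficient for a service that only binds locally behind nginx. `Group={{ octoprint_user }}` assumes a group named after the user exists, which the role's user-creation task (outside this hunk) must guarantee. The unit carries no hardening; `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true` are cheap to add (`ProtectHome=true` only if `octoprint_dir` lives outside /home), but note that `NoNewPrivileges` would defeat any sudo-based `systemRestartCommand`/`systemShutdownCommand` configured in config.yaml.j2, so that design decision needs settling first.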
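--- a/roles/root_keys/tasks/main.yml
+++ b/roles/root_keys/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Set authorized keys
+template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys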
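Review bot: The `template` task writes `/root/.ssh/authorized_keys` without `owner`, `group` or `mode`, so the file gets whatever the remote umask yields (typically 0644), and if `/root/.ssh` does not exist yet on a fresh host the task fails outright. Add a preceding `file: path=/root/.ssh state=directory owner=root group=root mode=0700` task and extend this one to `template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys owner=root group=root mode=0600`. sshd's default StrictModes refuses the file should it ever become group- or world-writable, so pinning the mode is cheap insurance rather than a cosmetic change.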
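--- a/roles/root_keys/templates/authorized_keys.j2
+++ b/roles/root_keys/templates/authorized_keys.j2
@@ -0,0 +1,10 @@
+{% if root_keys %}
+{% for key in root_keys %}
+{{ key }}
+{% endfor %}
+{% endif %}
+{% if root_keys_host is defined %}
+{% for key in root_keys_host %}
+{{ key }}
+{% endfor %}
+{% endif %}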
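Review bot: When `root_keys` is empty and `root_keys_host` is undefined this template renders an empty file, and because the task in roles/root_keys/tasks/main.yml overwrites `/root/.ssh/authorized_keys` unconditionally, a bad group_vars edit locks root out of every host in a single run. Guard against that with an `assert` task before the template, e.g. `that: ((root_keys | default([])) + (root_keys_host | default([]))) | length > 0`, so the play stops instead of emptying the file. A header comment such as `{# one key per line; root_keys comes from group_vars, root_keys_host optionally from host_vars #}` would document where the two lists are expected to originate.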
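--- a/roles/uau/defaults/main.yml
+++ b/roles/uau/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+uau_reboot: "false"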
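Review bot: `uau_reboot: "false"` is a quoted string rather than a YAML boolean, which looks deliberate because 50unattended-upgrades.j2 interpolates it verbatim inside `Automatic-Reboot "{{ uau_reboot }}"`; an unquoted `false` would render as Python's `False`, which may or may not be accepted by apt's boolean parser. That intent should be recorded so nobody "cleans it up" later: `# string on purpose: rendered verbatim into Automatic-Reboot "..." in 50unattended-upgrades.j2; use "true"/"false" only`.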
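--- a/roles/uau/tasks/main.yml
+++ b/roles/uau/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Install unattended upgrades
+apt:
+name:
+- unattended-upgrades
+- debian-goodies
+
+- name: Configure unattended upgrades
+template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
+with_items:
+- 02periodic
+- 50unattended-upgrades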
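Review bot: The `Configure unattended upgrades` task has no `validate:` step, so a typo in either template silently produces an apt configuration that disables the very upgrades this role exists to enable; running the rendered file through apt-config before it is moved into place would catch that at deploy time. Beyond that, `with_items` is legacy syntax (`loop:` is the current form), and the template task should pin `owner: root`, `group: root` and `mode: "0644"` rather than inherit the umask. The apt task never refreshes the package index (`update_cache: yes`), so on a freshly imaged host with stale lists the install may fail.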
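--- a/roles/uau/templates/02periodic.j2
+++ b/roles/uau/templates/02periodic.j2
@@ -0,0 +1,18 @@
+// {{ ansible_managed }}
+// Enable the update/upgrade script (0=disable)
+APT::Periodic::Enable "1";
+
+// Do "apt-get update" automatically every n-days (0=disable)
+APT::Periodic::Update-Package-Lists "1";
+
+// Do "apt-get upgrade --download-only" every n-days (0=disable)
+APT::Periodic::Download-Upgradeable-Packages "1";
+
+// Run the "unattended-upgrade" security upgrade script
+// every n-days (0=disabled)
+// Requires the package "unattended-upgrades" and will write
+// a log in /var/log/unattended-upgrades
+APT::Periodic::Unattended-Upgrade "1";
+
+// Do "apt-get autoclean" every n-days (0=disable)
+APT::Periodic::AutocleanInterval "7";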
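--- a/roles/uau/templates/50unattended-upgrades.j2
+++ b/roles/uau/templates/50unattended-upgrades.j2
@@ -0,0 +1,147 @@
+// {{ ansible_managed }}
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format format is "keyword=value,...". A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line. (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted. The accepted keywords are:
+// a,archive,suite (eg, "stable")
+// c,component (eg, "main", "contrib", "non-free")
+// l,label (eg, "Debian", "Debian-Security")
+// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+// n,codename (eg, "jessie", "jessie-updates")
+// site (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+// ${distro_id} Installed origin.
+// ${distro_codename} Installed codename (eg, "buster")
+Unattended-Upgrade::Origins-Pattern {
+// Codename based matching:
+// This will follow the migration of a release through different
+// archives (e.g. from testing to stable and later oldstable).
+// Software will be the latest available for the named release,
+// but the Debian release itself will not be automatically upgraded.
+"origin=Debian,codename=${distro_codename}-updates";
+// "origin=Debian,codename=${distro_codename}-proposed-updates";
+"origin=Debian,codename=${distro_codename},label=Debian";
+"origin=Debian,codename=${distro_codename},label=Debian-Security";
+
+// Archive or Suite based matching:
+// Note that this will silently match a different release after
+// migration to the specified archive (e.g. testing becomes the
+// new stable).
+// "o=Debian,a=stable";
+// "o=Debian,a=stable-updates";
+// "o=Debian,a=proposed-updates";
+// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+// The following matches all packages starting with linux-
+// "linux-";
+
+// Use $ to explicitely define the end of a package name. Without
+// the $, "libc6" would match all of them.
+// "libc6$";
+// "libc6-dev$";
+// "libc6-i686$";
+
+// Special characters need escaping
+// "libstdc\+\+6$";
+
+// The following matches packages like xen-system-amd64, xen-utils-4.1,
+// xenstore-utils and libxenstore3.0
+// "(lib)?xen(store)?";
+
+// For more information about Python regular expressions, see
+// https://docs.python.org/3/howto/regex.html
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+// Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+// Unattended-Upgrade::MailOnlyOnError "true";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";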
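Review bot: `Unattended-Upgrade::Mail` and `Unattended-Upgrade::SyslogEnable` are both left commented out, so a failed or half-applied upgrade on these hosts leaves no trace anywhere an operator normally looks; enabling at least `Unattended-Upgrade::SyslogEnable "true";` (and templating a mail address where a local MTA exists) is the minimum needed to notice that unattended upgrades have stalled. `Automatic-Reboot` is templated from `uau_reboot` but `Automatic-Reboot-Time` is not, so a host with reboot enabled restarts the moment an upgrade finishes — potentially mid-print on the OctoPrint hosts this playbook targets; exposing a variable such as `Unattended-Upgrade::Automatic-Reboot-Time "{{ uau_reboot_time }}";` with a sensible default would keep that under control. The Origins-Pattern entries only match `origin=Debian`; if the host named `raspberrypi` in site_testing.yml runs Raspberry Pi OS, its repositories may carry a different origin and label and nothing would be upgraded there, so verify with `apt-cache policy` as the header comment suggests.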
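--- a/site.yml
+++ b/site.yml
@@ -0,0 +1,10 @@
+- name: Setup common rules
+hosts: [3D_Printers]
+roles:
+- common
+- root_keys
+
+- name: Setup octoprint
+hosts: [Octoprint_hosts]
+roles:
+- octoprint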
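Review bot: The `uau` role added in this commit is not listed in either play here, nor in site_testing.yml, so unattended upgrades are never deployed unless `common` pulls the role in through a `meta/main.yml` dependency that is outside this hunk — if it does not, add `- uau` under the `Setup common rules` play. The group names `3D_Printers` and `Octoprint_hosts` must match the inventory exactly, since Ansible group names are case-sensitive. A one-line comment above each play naming the inventory group it expects would make the file self-describing.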
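--- a/site_testing.yml
+++ b/site_testing.yml
@@ -0,0 +1,10 @@
+- name: Setup common rules
+hosts: raspberrypi
+roles:
+- common
+- root_keys
+
+- name: Setup octoprint
+hosts: raspberrypi
+roles:
+- octoprint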
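Review bot: This playbook is a copy of site.yml with both plays pointed at `raspberrypi`, which will drift the moment site.yml gains a role (the two already differ in the YAML style of `hosts:`). The same run can be had without a second file by giving the test host membership in the same groups via a separate inventory, `ansible-playbook -i <test inventory> site.yml`, which keeps a single source of truth for the role list. If the file stays, a header comment `# test variant of site.yml: same roles, single host` would at least record the relationship.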