Initial commit

2025-07-06 19:40:12 +02:00 · 2025-07-06 19:40:12 +02:00 · bdc6227432
commit bdc6227432
31 changed files with 430 additions and 0 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,14 @@
 [defaults]
 #ask_vault_pass = True
 roles_path = ./roles
 inventory = ./hosts
 ansible_managed = Ansible managed
 remote_user = root
 timeout = 60
 [diff]
 always = yes
 [ssh_connection]
 pipelining = True
 retries = 3
--- a/backups.yml
+++ b/backups.yml
@ -0,0 +1,43 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
    - dodecagon
  roles:
    - borgmatic
  vars:
    borg__keep_hourly: 24
    borg__keep_daily: 30
    borg__keep_weekly: 26
    borg__keep_monthly: 36
    borg__backup_dirs:
      - /etc
      - /home
      - /root
      - /opt
      - /srv
      - /var/backups
      - /var/log
      - /var/local
      - /var/lib
      - /var/mail
      - /var/www
    borg__passphrase: UK2mu1faYKQZeBkePbKjxdhuIKBjQriP
    borg__targets:
      - name: harpagon.infra.federez.net
        hostkeys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH1qDEAEJZ0qDRUq4yeHar5LKFTtsvHJIt2a54TBB/Lz
        user: borgmatic
        path: "/backup/borgmatic/{{ inventory_hostname }}"
      - name: memoragon.infra.federez.net
        hostkeys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdqX4I1JyvhC6dySHLnW1IioYk1ZqltFlbDCygozrWx
        user: borgmatic
        path: "/backup/borgmatic/{{ inventory_hostname }}"
    # borg__postgresql:
    #   - name: all
    #     username: postgres
    borg__mysql:
      - name: all
        username: root
        password: KtQ7wHTecNPCMDISEJ1x
 ...
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -0,0 +1,8 @@
 ---
 ansible_python_interpreter: /usr/bin/python3
 ansible_host: "{{ inventory_hostname }}.federez.net"
 infra__byte_a: "{{ infra__id // 256 }}"
 infra__byte_b: "{{ infra__id % 256 }}"
 infra__addr_v6: "fd0a:66d3:1c19:42::{{ infra__byte_a }}:{{ infra__byte_b }}"
 infra__addr_v4: "10.42.{{ infra__byte_a }}.{{ infra__byte_b }}"
 ...
--- a/host_vars/carlosgon.yml
+++ b/host_vars/carlosgon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 13
 ...
--- a/host_vars/dodecagon.yml
+++ b/host_vars/dodecagon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 4
 ...
--- a/host_vars/dragon.yml
+++ b/host_vars/dragon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 16
 ...
--- a/host_vars/glucagon.yml
+++ b/host_vars/glucagon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 2
 ...
--- a/host_vars/harpagon.yml
+++ b/host_vars/harpagon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 6
 ...
--- a/host_vars/hendecagon.yml
+++ b/host_vars/hendecagon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 15
 ...
--- a/host_vars/memoragon.yml
+++ b/host_vars/memoragon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 14
 ...
--- a/host_vars/patagon.yml
+++ b/host_vars/patagon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 7
 ...
--- a/host_vars/ronderu.yml
+++ b/host_vars/ronderu.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 3
 ...
--- a/host_vars/saigon.yml
+++ b/host_vars/saigon.yml
@ -0,0 +1,3 @@
 ---
 infra__id: 5
 ...
--- a/13
+++ b/13
@ -0,0 +1,13 @@
 [debian]
 dragon
 dodecagon
 saigon
 harpagon
 patagon
 carlosgon
 memoragon
 hendecagon
 [pve]
 glucagon
 ronderu
--- a/monitoring.yml
+++ b/monitoring.yml
@ -0,0 +1,13 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
    - debian
    - pve
  roles:
    - prometheus_node_exporter
  vars:
    prometheus__listen_addrs:
      - "{{ infra__addr_v6 }}"
      #- "{{ infra__addr_v4 }}"
    prometheus__smart_enabled: "{{ 'pve' in group_names }}"
 ...
--- a/requirements.yml
+++ b/requirements.yml
@ -0,0 +1,4 @@
 ---
 collections:
  - name: community.crypto
 ...
--- a/roles/backports/tasks/main.yml
+++ b/roles/backports/tasks/main.yml
@ -0,0 +1,17 @@
 ---
 - name: Install python3-debian
  ansible.builtin.apt:
    name: python3-debian
 - name: Add backports repository
  ansible.builtin.apt_repository:
    filename: backports
    repo: "deb {{ uri }} {{ suite }} {{ components | join(' ') }}"
    update_cache: true
  vars:
    uri: http://deb.debian.org/debian
    suite: "{{ ansible_distribution_release }}-backports"
    components:
      - main
  when: "ansible_distribution_release in backports__supported_releases"
 ...
--- a/roles/backports/vars/main.yml
+++ b/roles/backports/vars/main.yml
@ -0,0 +1,4 @@
 ---
 backports__supported_releases:
  - bullseye
 ...
--- a/roles/borgmatic/defaults/main.yml
+++ b/roles/borgmatic/defaults/main.yml
@ -0,0 +1,10 @@
 ---
 borg__targets: []
 borg__exclude_patterns: []
 borg__keep_hourly: 0
 borg__keep_daily: 0
 borg__keep_weekly: 0
 borg__keep_monthly: 0
 borg__mysql: []
 borg__postgresql: []
 ...
--- a/roles/borgmatic/filter_plugins/pycache/borgmatic.cpython-312.pyc
+++ b/roles/borgmatic/filter_plugins/pycache/borgmatic.cpython-312.pyc
--- a/roles/borgmatic/filter_plugins/borgmatic.py
+++ b/roles/borgmatic/filter_plugins/borgmatic.py
@ -0,0 +1,11 @@
 from urllib.parse import urlunsplit
 class FilterModule:
    def filters(self):
        return { "borg__to_repo": self.to_repo }
    @staticmethod
    def to_repo(target):
        netloc = f"{target['user']}@{target['name']}"
        return urlunsplit(("ssh", netloc, target["path"], None, None))
--- a/roles/borgmatic/handlers/main.yml
+++ b/roles/borgmatic/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Run daemon-reload
  ansible.builtin.systemd_service:
    daemon_reload: true
 ...
--- a/roles/borgmatic/tasks/main.yml
+++ b/roles/borgmatic/tasks/main.yml
@ -0,0 +1,136 @@
 ---
 - name: Gather ansible_local facts
  ansible.builtin.setup:
    gather_subset: local
 - name: Install backports repository
  ansible.builtin.include_role:
    name: backports
  when: "ansible_distribution_release in borg__backports_needed"
 - name: Install borgmatic
  ansible.builtin.apt:
    name: borgmatic
    default_release: "{{ (release in borg__backports_needed)
                        | ternary(release + '-backports', omit) }}"
  vars:
    release: "{{ ansible_distribution_release }}"
 - name: Install borgmatic
  ansible.builtin.apt:
    name: borgmatic
  when: "ansible_distribution_release not in borg__backports_needed"
 - name: Create configuration directory for borgmatic
  ansible.builtin.file:
    path: /etc/borgmatic
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=
 - name: Create SSH key
  community.crypto.openssh_keypair:
    path: "/etc/borgmatic/remote"
    type: ed25519
    regenerate: full_idempotence
    owner: root
    group: root
    mode: u=rw,g=,o=
  register: ssh_key
 - name: Add server key to known hosts
  ansible.builtin.known_hosts:
    hash_host: true
    host: "{{ item.0.name }}"
    key: "{{ item.0.name }} {{ item.1 }}"
  loop: "{{ borg__targets | subelements('hostkeys')  }}"
 - name: Wait for key deployment
  block:
    - name: Show the generated public key
      ansible.builtin.debug:
        msg: "{{ ssh_key.public_key }}"
    - name: Please deploy the public key on every target
      ansible.builtin.pause: null
  when: "borg__targets
         | map(attribute='name')
         | difference(ansible_local.borgmatic_deployed_keys
                      | default([]))
         | count > 0"
 - name: Add borgmatic configuration file
  ansible.builtin.template:
    src: config.yaml.j2
    dest: /etc/borgmatic/config.yaml
    owner: root
    group: root
    mode: u=rw,g=r,o=
  vars:
    borg__config:
      location:
        source_directories: "{{ borg__backup_dirs }}"
        exclude_patterns: "{{ borg__exclude_patterns }}"
        repositories: "{{ borg__targets | map('borg__to_repo') }}"
        borgmatic_source_directory: /tmp/borgmatic # TODO
      storage:
        encryption_passphrase: "{{ borg__passphrase }}"
        ssh_command: "ssh -i /etc/borgmatic/remote"
      retention:
        keep_hourly: "{{ borg__keep_hourly }}"
        keep_daily: "{{ borg__keep_daily }}"
        keep_weekly: "{{ borg__keep_weekly }}"
        keep_monthly: "{{ borg__keep_monthly }}"
      consistency:
        checks:
          - repository
          - archives
      hooks:
        postgresql_databases: "{{ borg__postgresql }}"
        mysql_databases: "{{ borg__mysql }}"
 - name: Init repository
  ansible.builtin.command: borgmatic init --encryption repokey
 - name: Create Ansible facts.d directory
  ansible.builtin.file:
    path: /etc/ansible/facts.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=
 - name: Check deployed keys fact
  ansible.builtin.copy:
    dest: /etc/ansible/facts.d/borgmatic_deployed_keys.fact
    owner: root
    group: root
    content: "{{ borg__targets | map(attribute='name') }}"
    mode: u=rw,g=r,o=
 - name: Create override directory
  ansible.builtin.file:
    path: /etc/systemd/system/borgmatic.timer.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
 - name: Override borgmatic.timer
  ansible.builtin.template:
    src: override.conf.j2
    dest: /etc/systemd/system/borgmatic.timer.d/override.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  notify:
    - Run daemon-reload
 - name: Start and enable borgmatic timer
  ansible.builtin.systemd_service:
    name: borgmatic.timer
    state: started
    daemon_reload: true
    enabled: true
 ...
--- a/roles/borgmatic/templates/config.yaml.j2
+++ b/roles/borgmatic/templates/config.yaml.j2
@ -0,0 +1,5 @@
 ---
 {{ ansible_managed | comment }}
 {{ borg__config | to_nice_yaml }}
 ...
--- a/roles/borgmatic/templates/override.conf.j2
+++ b/roles/borgmatic/templates/override.conf.j2
@ -0,0 +1,12 @@
 {{ ansible_managed | comment }}
 [Timer]
 OnCalendar=
 {% if borg__keep_hourly > 0 %}
 OnCalendar=hourly
 RandomizedDelaySec=20m
 {% else %}
 OnCalendar=daily
 RandomizedDelaySec=3h
 {% endif %}
 FixedRandomDelay=true
--- a/roles/borgmatic/vars/main.yml
+++ b/roles/borgmatic/vars/main.yml
@ -0,0 +1,4 @@
 ---
 borg__backports_needed:
  - bullseye
 ...
--- a/roles/prometheus_node_exporter/defaults/main.yml
+++ b/roles/prometheus_node_exporter/defaults/main.yml
@ -0,0 +1,4 @@
 ---
 prometheus__listen_port: 9100
 prometheus__smart_enabled: false
 ...
--- a/roles/prometheus_node_exporter/handlers/main.yml
+++ b/roles/prometheus_node_exporter/handlers/main.yml
@ -0,0 +1,10 @@
 ---
 - name: Run daemon-reload
  ansible.builtin.systemd_service:
    daemon_reload: true
 - name: Restart prometheus-node-exporter
  ansible.builtin.systemd_service:
    name: prometheus-node-exporter.service
    state: restarted
 ...
--- a/roles/prometheus_node_exporter/tasks/main.yml
+++ b/roles/prometheus_node_exporter/tasks/main.yml
@ -0,0 +1,69 @@
 ---
 - name: Install prometheus-node-exporter
  ansible.builtin.apt:
    name:
      - prometheus-node-exporter
      - prometheus-node-exporter-collectors
    install_recommends: false  # Do not install smartmontools
 - name: Configure prometheus-node-exporter
  ansible.builtin.template:
    src: default.j2
    dest: /etc/default/prometheus-node-exporter
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  notify:
    - Restart prometheus-node-exporter
 - name: Install smartmontools
  ansible.builtin.apt:
    name: smartmontools
  when:
    - "prometheus__smart_enabled"
 - name: Disable SMART monitoring
  block:
    - name: Get unit info for smartmon timer
      command: systemctl list-unit-files --output=json prometheus-node-exporter-smartmon.timer
      register: unit
    - name: Disable prometheus-node-exporter-smartmon.timer
      ansible.builtin.systemd_service:
        name: prometheus-node-exporter-smartmon.timer
        enabled: false
        state: stopped
      when: "unit.stdout | from_json | count > 0"
    - name: Remove smartmon.prom
      ansible.builtin.file:
        path: /var/lib/prometheus/node-exporter/smartmon.prom
        state: absent
  when:
    - "not prometheus__smart_enabled"
 - name: Create override directory
  ansible.builtin.file:
    path: /etc/systemd/system/prometheus-node-exporter.service.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
 - name: Override prometheus-node-exporter.service
  ansible.builtin.template:
    src: override.conf.j2
    dest: /etc/systemd/system/prometheus-node-exporter.service.d/override.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  notify:
    - Run daemon-reload
    - Restart prometheus-node-exporter
 - name: Enable prometheus-node-exporter
  ansible.builtin.systemd_service:
    name: prometheus-node-exporter
    enabled: true
    state: started
 ...
--- a/roles/prometheus_node_exporter/templates/default.j2
+++ b/roles/prometheus_node_exporter/templates/default.j2
@ -0,0 +1,13 @@
 {{ ansible_managed | comment }}
 {# https://github.com/prometheus/exporter-toolkit/issues/91 #}
 {%
  set listen =
    ["--web.listen-address"]
    | product(prometheus__listen_addrs
    	      | ansible.utils.ipwrap
 	      | product([prometheus__listen_port])
              | map("join", ":"))
    | map("join", "=")
 %}
 ARGS="{{ listen | join(' ') }}"
--- a/roles/prometheus_node_exporter/templates/override.conf.j2
+++ b/roles/prometheus_node_exporter/templates/override.conf.j2
@ -0,0 +1,5 @@
 {{ ansible_managed | comment }}
 [Unit]
 After=network-online.target
 Wants=network-online.target