feat: Commit initial

2025-11-07 09:33:38 +01:00 · 2025-11-07 09:33:38 +01:00 · 40dc0f4184
commit 40dc0f4184
43 changed files with 1990 additions and 0 deletions
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@ -0,0 +1,6 @@
+---
+# Default variables for common role
+
+timezone: "Europe/Paris"
+swap_enabled: false
+unattended_upgrades_enabled: true
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@ -0,0 +1,11 @@
+---
+# Handlers for common role
+
+- name: restart unattended-upgrades
+  systemd:
+    name: unattended-upgrades
+    state: restarted
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -0,0 +1,95 @@
+---
+# Common configuration for all nodes
+
+- name: Set timezone
+  timezone:
+    name: "{{ timezone }}"
+
+- name: Install common packages
+  apt:
+    name: "{{ common_packages }}"
+    state: present
+    update_cache: yes
+
+- name: Disable swap
+  shell: |
+    swapoff -a
+    sed -i '/swap/d' /etc/fstab
+  when: not swap_enabled
+  changed_when: false
+
+- name: Load kernel modules
+  modprobe:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - overlay
+    - br_netfilter
+
+- name: Configure kernel modules to load at boot
+  copy:
+    dest: /etc/modules-load.d/k3s.conf
+    content: |
+      overlay
+      br_netfilter
+    mode: '0644'
+
+- name: Configure sysctl parameters
+  sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: yes
+    sysctl_file: /etc/sysctl.d/99-k3s.conf
+  loop: "{{ sysctl_config | dict2items }}"
+
+- name: Configure unattended-upgrades
+  include_tasks: unattended-upgrades.yml
+  when: unattended_upgrades_enabled
+
+- name: Create k3s directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /etc/rancher/k3s
+    - /var/lib/rancher/k3s
+
+- name: Configure firewall rules (ufw)
+  block:
+    - name: Install ufw
+      apt:
+        name: ufw
+        state: present
+
+    - name: Allow SSH
+      ufw:
+        rule: allow
+        port: '22'
+        proto: tcp
+
+    - name: Allow K3s API
+      ufw:
+        rule: allow
+        port: '6443'
+        proto: tcp
+
+    - name: Allow K3s etcd
+      ufw:
+        rule: allow
+        port: '2379:2380'
+        proto: tcp
+
+    - name: Allow K3s metrics
+      ufw:
+        rule: allow
+        port: '10250'
+        proto: tcp
+
+    - name: Enable ufw
+      ufw:
+        state: enabled
+        policy: deny
+        direction: incoming
+  when: false  # Disabled by default, enable if needed
--- a/ansible/roles/common/tasks/unattended-upgrades.yml
+++ b/ansible/roles/common/tasks/unattended-upgrades.yml
@ -0,0 +1,40 @@
+---
+# Configure unattended-upgrades for automatic OS updates
+
+- name: Install unattended-upgrades package
+  apt:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+    state: present
+
+- name: Get hostname
+  set_fact:
+    current_hostname: "{{ ansible_hostname }}"
+
+- name: Set reboot time based on hostname
+  set_fact:
+    reboot_time: "{{ reboot_schedule[current_hostname] | default('03:00') }}"
+
+- name: Configure unattended-upgrades
+  template:
+    src: 50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    mode: '0644'
+  notify: restart unattended-upgrades
+
+- name: Enable automatic updates
+  copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Download-Upgradeable-Packages "1";
+      APT::Periodic::AutocleanInterval "7";
+      APT::Periodic::Unattended-Upgrade "1";
+    mode: '0644'
+
+- name: Start and enable unattended-upgrades service
+  systemd:
+    name: unattended-upgrades
+    state: started
+    enabled: yes
--- a/ansible/roles/common/templates/50unattended-upgrades.j2
+++ b/ansible/roles/common/templates/50unattended-upgrades.j2
@ -0,0 +1,47 @@
+// Unattended-Upgrade configuration
+// Managed by Ansible - do not edit manually
+
+Unattended-Upgrade::Allowed-Origins {
+    "${distro_id}:${distro_codename}";
+    "${distro_id}:${distro_codename}-security";
+    "${distro_id}ESMApps:${distro_codename}-apps-security";
+    "${distro_id}ESM:${distro_codename}-infra-security";
+};
+
+// List of packages to not update
+Unattended-Upgrade::Package-Blacklist {
+};
+
+// Automatically reboot if needed
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_automatic_reboot | lower }}";
+
+// Reboot time (staggered per node)
+Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";
+
+// Automatically reboot even if users are logged in
+Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ unattended_upgrades_automatic_reboot_with_users | lower }}";
+
+// Remove unused kernel packages
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Remove unused dependencies
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Send email on errors
+Unattended-Upgrade::Mail "";
+
+// Always send email
+Unattended-Upgrade::MailReport "on-change";
+
+// Update package lists
+Unattended-Upgrade::Update-Days {"Mon";"Tue";"Wed";"Thu";"Fri";"Sat";"Sun";};
+
+// Automatically fix dpkg interruptions
+Dpkg::Options {
+   "--force-confdef";
+   "--force-confold";
+};
+
+// Logging
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";