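---
# Ansible play provisioning the gluon firmware build host builder3:
# base system, ZFS pool and datasets, build user and scripts, nginx + certbot.
#
# NOTE(review): this copy was recovered with its indentation flattened; which
# tasks sit inside which block is reconstructed here and should be confirmed
# against the repository copy before use.
#
# Most tasks write to /etc and manage packages and services, so the play is
# expected to run with root privileges (no `become:` is set in this file).
- name: builder3
  hosts: builder3.hamburg.freifunk.net
  tasks:
    - name: Common system setup
      block:
        - name: Update all packages - dist-upgrade
          register: system_update
          apt:
            update_cache: true
            upgrade: dist

        - name: Reboot after system upgrade, when changed
          when: system_update.changed
          reboot:

        - name: Install debconf
          package:
            name:
              - debconf
              - debconf-utils
            state: present

        # Preseed answers before the packages are installed so the package
        # configuration picks them up without prompting.
        - name: Preseed some configuration
          with_items:
            - name: unattended-upgrades
              question: unattended-upgrades/enable_auto_updates
              value: "true"  # quoted so YAML does not turn it into a boolean
              vtype: boolean
          debconf:
            name: "{{ item.name }}"
            question: "{{ item.question }}"
            value: "{{ item.value }}"
            vtype: "{{ item.vtype }}"

        - name: Install default packages
          package:
            name:
              - htop
              - mc
              - mosh
              - screen
              - smartmontools
              - unattended-upgrades
            state: present

        - name: Remove os-prober
          package:
            name: os-prober
            state: absent

        - name: Configure screen
          copy:
            dest: /etc/screenrc
            backup: true
            owner: root
            group: root
            mode: "0644"
            content: |
              hardstatus alwayslastline
              hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{= kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B} %m-%d %{W}%c:%s %{g}]'
              defscrollback 99999

    - name: Install ZFS
      block:
        # Fix: the original path /etc/apt/sources.d/ is not read by apt, so the
        # backports archive was never actually enabled (the task may succeed
        # while apt ignores the file). apt reads /etc/apt/sources.list.d/.
        - name: Prepare for ZFS installation
          blockinfile:
            backup: true
            create: true
            path: /etc/apt/sources.list.d/backports.list
            marker: "# {mark} backports archive"
            mode: "0644"
            owner: root
            group: root
            block: |
              deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free

        - name: Update apt cache
          apt:
            update_cache: true

        - name: Install ZFS packages
          register: zfs_packages
          package:
            name:
              - linux-headers-amd64
              - zfsutils-linux
              - zfs-dkms
              - zfs-zed

        - name: Ensure zfs modules are loaded on boot
          lineinfile:
            path: /etc/modules
            line: zfs
            regexp: zfs

        - name: Reboot after ZFS install
          when: zfs_packages.changed
          reboot:

    - name: zpool initialization
      block:
        # Import is attempted first; a non-zero rc only means the pool does not
        # exist yet (or is already imported), so it must not fail the play.
        - name: try to import zpool
          register: try_import_zpool
          failed_when: false
          changed_when: try_import_zpool.rc == 0
          command:
            cmd: zpool import dpool

        - name: Check if zpool is imported
          register: zpool_import_status
          failed_when: false
          changed_when: false
          check_mode: false
          command:
            cmd: zpool list dpool

        # Destructive: formats both partitions. Only reached when `zpool list`
        # reported no pool named dpool.
        # NOTE(review): /dev/sdX names are not stable across reboots or disk
        # changes; /dev/disk/by-id/ paths would be a safer target — confirm.
        - name: Create zpool if not imported
          when: (zpool_import_status.rc > 0)
          command:
            cmd: zpool create -o ashift=12 -o autotrim=on -O mountpoint=legacy -O dedup=on -O compression=on dpool mirror /dev/sda4 /dev/sdb4

        # The com.sun:auto-snapshot values are quoted so the literal strings
        # true/false reach zfs: they are user properties read by the snapshot
        # tooling, and an unquoted YAML boolean may be rewritten by the module
        # before it is passed on.
        - name: Create zfs datasets
          with_items:
            - dataset: dpool
              properties:
                org.debian:periodic-trim: enable
            - dataset: dpool/build
              properties:
                mountpoint: /build
                com.sun:auto-snapshot: "false"
            - dataset: dpool/firmware
              properties:
                mountpoint: /firmware
                com.sun:auto-snapshot: "true"
                com.sun:auto-snapshot:frequent: "false"
                com.sun:auto-snapshot:hourly: "false"
                com.sun:auto-snapshot:weekly: "false"
                com.sun:auto-snapshot:monthly: "false"
            - dataset: dpool/mirror
              properties:
                mountpoint: /mirror
                com.sun:auto-snapshot: "true"
                com.sun:auto-snapshot:frequent: "false"
                com.sun:auto-snapshot:hourly: "false"
                com.sun:auto-snapshot:weekly: "false"
                com.sun:auto-snapshot:monthly: "false"
          zfs:
            state: present
            name: "{{ item.dataset }}"
            extra_zfs_properties: "{{ item.properties }}"

    - name: Install software required to build gluon
      package:
        state: present
        name:
          - build-essential
          - ecdsautils
          - gawk
          - git
          - libncurses-dev
          - libssl-dev
          - libz-dev
          - python2
          - python3
          - qemu-utils
          - subversion
          - time
          - unzip
          - wget

    # password "!" keeps the account locked for password login; the user is
    # only used via cron and local tooling.
    - name: Create build user
      user:
        name: gluon
        state: present
        password: "!"
        shell: /bin/bash

    - name: Set permissions on directories
      with_items:
        - /build
        - /firmware
        - /mirror
      file:
        path: "{{ item }}"
        owner: gluon
        mode: "0755"

    - name: Create symlinks in gluon home
      with_items:
        - /build
        - /firmware
        - /mirror
      file:
        path: "/home/gluon/{{ item | basename }}"
        src: "{{ item }}"
        state: link

    # Supply chain: with no `version:` the git module follows the remote's
    # default branch on every run, and master-build.sh from this checkout is
    # executed unattended by the cron job at the end of this play.
    # NOTE(review): consider pinning `version:` to a reviewed tag or commit so
    # an upstream change cannot silently alter what the builder runs.
    # ssh_opts has no effect on an https remote; it only matters if the repo
    # URL is switched to ssh.
    - name: Checkout scripts for the builder
      git:
        repo: https://github.com/freifunkhamburg/builder-scripts.git
        dest: /home/gluon/bin
        ssh_opts: -o StrictHostKeyChecking=accept-new

    - name: Fix permissions on git repo
      file:
        path: /home/gluon/bin
        owner: gluon
        group: gluon
        recurse: true

    - name: Set main as default git branch name
      git_config:
        scope: system
        state: present
        name: init.defaultBranch
        value: main

    - name: Configure webserver for builder3
      block:
        - name: Install nginx
          package:
            name:
              - nginx-light
              - libnginx-mod-http-fancyindex
              - certbot
              - python3-certbot-nginx
            state: present

        - name: Nginx default config
          template:
            dest: /etc/nginx/sites-available/default
            src: nginx.default
            backup: true
            force: true
            mode: "0400"
            owner: root
            group: root

        - name: Check for certbot certificates
          register: certbot_status
          stat:
            path: /etc/letsencrypt/live

        # First issuance only: nginx is stopped so certbot's standalone
        # listener can bind port 80.
        - name: Initialize certificates
          when: not certbot_status.stat.exists
          block:
            - name: Ensure nginx is stopped
              service:
                name: nginx
                state: stopped

            - name: Initialize certbot certificates standalone
              command:
                cmd: certbot -n --agree-tos --email [email protected] certonly --domains builder3.hamburg.freifunk.net --standalone

        # NOTE(review): issuance is standalone but renewal runs with --webroot
        # and no webroot path; confirm `certbot renew --dry-run` succeeds on
        # the host, since a broken renewal only surfaces when the certificate
        # expires.
        - name: Setup cronjob for certbot
          cron:
            name: certbot auto renewal
            job: certbot renew --webroot --post-hook 'systemctl start nginx' --disable-renew-updates
            minute: "7"
            hour: "1"
            day: "*"
            month: "*"
            weekday: "*"

        - name: Ensure nginx is running
          service:
            name: nginx
            state: started

    # Runs as the unprivileged gluon user, weekly (Monday 00:17).
    - name: Automatically build a new gluon master
      cron:
        name: gluon-master-build
        user: gluon
        job: /home/gluon/bin/master-build.sh
        minute: "17"
        hour: "0"
        day: "*"
        month: "*"
        weekday: "1"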