mirror of
https://gitea.com/mcereda/oam.git
synced 2026-02-09 05:44:23 +00:00
387 lines
13 KiB
YAML
387 lines
13 KiB
YAML
---
|
|
|
|
- name: Retry tasks
|
|
ansible.builtin.command: /usr/bin/false
|
|
retries: 3
|
|
delay: 3
|
|
register: command_result
|
|
until: command_result is not failed
|
|
|
|
- name: Create directories recursively
|
|
ansible.builtin.file:
|
|
path: /tmp/path/to/final/dir
|
|
state: directory
|
|
|
|
- name: Write files from tasks
|
|
ansible.builtin.copy:
|
|
dest: "{{ ansible_user_dir }}/.tmux.conf"
|
|
mode: u=rw,go=r
|
|
content: |
|
|
…
|
|
|
|
- name: Import tasks
|
|
block:
|
|
- name: By using absolute paths and special variables (preferred)
|
|
ansible.builtin.import_tasks:
|
|
file: "{{ role_path }}/tasks/install/{{ install_method }}.yml"
|
|
- name: By using paths relative to the including file
|
|
ansible.builtin.import_tasks:
|
|
file: pre-flight.yml
|
|
|
|
- name: Conditionally include tasks
|
|
block:
|
|
- name: by leveraging the 'with_fileglob' loop filter (preferred)
|
|
ansible.builtin.include_tasks:
|
|
file: "{{ item }}"
|
|
with_fileglob: "{{ install_method }}.yml"
|
|
- name: by checking the files' existence
|
|
vars:
|
|
filename: "{{ install_method }}.yml"
|
|
when: lookup('ansible.builtin.fileglob', filename) != []
|
|
ansible.builtin.import_tasks:
|
|
file: "{{ filename }}"
|
|
|
|
- name: Assertions
|
|
ansible.builtin.assert:
|
|
that:
|
|
- install_method in supported_install_methods
|
|
- external_url is ansible.builtin.url
|
|
fail_msg: What to say if any of the above conditions fail
|
|
success_msg: What to say if all of the above conditions succeed
|
|
|
|
- name: Pretty print information
|
|
ansible.builtin.debug:
|
|
msg: >-
|
|
{{
|
|
dict([
|
|
[ 'install_method', install_method ],
|
|
[ 'install_method in supported_install_methods', install_method in supported_install_methods ],
|
|
])
|
|
}}
|
|
|
|
- name: Generate passwords
|
|
block:
|
|
- name: Randomly
|
|
ansible.builtin.debug:
|
|
msg: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
|
|
- name: Specifying requirements
|
|
ansible.builtin.debug:
|
|
msg: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_letters,digits,punctuation') }}"
|
|
- name: Random but idempotent, so it will not change at every execution
|
|
ansible.builtin.debug:
|
|
msg: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
|
|
|
|
- name: Add repositories
|
|
block:
|
|
- name: DNF/YUM
|
|
ansible.builtin.yum_repository:
|
|
name: epel
|
|
description: EPEL YUM repo
|
|
baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
|
|
|
|
- name: Install packages
|
|
block:
|
|
- name: Generic module
|
|
ansible.builtin.package:
|
|
name:
|
|
- tmux
|
|
- screen
|
|
- name: Via PIP
|
|
ansible.builtin.pip:
|
|
name:
|
|
- bottle
|
|
- django>1.11.0,<1.12.0
|
|
- svn+http://myrepo/svn/MyApp#egg=MyApp
|
|
- git+http://myrepo/app/MyApp
|
|
- file:///path/to/MyApp.tar.gz
|
|
|
|
- name: Run containers
|
|
block:
|
|
- name: Directly
|
|
community.docker.docker_container:
|
|
name: gitlab
|
|
image: gitlab/gitlab-ce:16.11.2-ce.0
|
|
hostname: gitlab.lan
|
|
published_ports:
|
|
- "8022:22"
|
|
- "8080:80"
|
|
- "8443:443"
|
|
env:
|
|
GITLAB_OMNIBUS_CONFIG: >-
|
|
external_url 'http://gitlab.lan';
|
|
shm_size: 256m
|
|
volumes:
|
|
- ./config:/etc/gitlab:Z
|
|
- ./logs:/var/log/gitlab:Z
|
|
- ./data:/var/opt/gitlab:Z
|
|
auto_remove: true
|
|
- name: With Compose
|
|
community.docker.docker_compose_v2:
|
|
project_src: /home/user/flask
|
|
|
|
- name: Manipulate strings
|
|
ansible.builtin.set_fact:
|
|
string_with_first_letter_to_uppercase: "{{ 'all_lowercase' | capitalize }}"
|
|
|
|
- name: Manipulate lists
|
|
block:
|
|
- name: Add elements to lists
|
|
set_fact:
|
|
programming_languages: "{{ programming_languages + ['Ruby'] }}"
|
|
- name: Remove elements from lists
|
|
set_fact:
|
|
list_without_items: "{{ dbs_list | difference(['template0','template1','postgres','rdsadmin']) }}"
|
|
- name: Sort dict elements in list by attribute
|
|
vars:
|
|
snapshots:
|
|
- name: sales
|
|
create_time: '2024-06-25T00:52:55.127000+00:00'
|
|
- name: test
|
|
create_time: '2024-05-17T01:53:12.103220+00:00'
|
|
set_fact:
|
|
snapshot_latest: "{{ snapshots | sort(attribute='create_time') | last }}"
|
|
- name: Give back the first not null value (coalesce-like)
|
|
vars:
|
|
list_with_null_values:
|
|
- null
|
|
- null
|
|
- something
|
|
- something else
|
|
set_fact:
|
|
first_non_null_value: "{{ list_with_null_values | select | first }}"
|
|
- name: Get values for a specific attribute in a list of dictionaries
|
|
set_fact:
|
|
vpc_security_group_ids: >-
|
|
{{ instance_information.vpc_security_groups | map(attribute='vpc_security_group_id') }}
|
|
- name: Return only elements with specific attributes matching a filter
|
|
set_fact:
|
|
available_rds_snapshots: snapshots_list | selectattr("status", "equalto", "available")
|
|
mounts_with_path: ansible_facts.mounts | selectattr('mount', 'in', path)
|
|
- name: Return all elements *but* the ones with specific attributes matching a filter
|
|
set_fact:
|
|
available_rds_snapshots: snapshots_list | rejectattr("status", "equalto", "creating")
|
|
mounts_without_path: ansible_facts.mounts | rejectattr('mount', 'in', path)
|
|
- name: Remove lines about RDS protected users and permissions from a dump file
|
|
# remove empty lines
|
|
# remove comments
|
|
# remove creation of the master user
|
|
# remove anything involving 'rdsadmin'
|
|
# remove changes to protected RDS users
|
|
# remove protected 'superuser' and 'replication' assignments
|
|
vars:
|
|
# **Hack notice**: Ansible has issues with splitting on new lines if this template is quoted differently
|
|
permissions_dump_content_as_lines: "{{ dump_file.content | ansible.builtin.b64decode | split('\n') }}"
|
|
master_username: postgresql
|
|
ansible.builtin.set_fact:
|
|
permissions_commands: >-
|
|
{{
|
|
permissions_dump_content_as_lines
|
|
| reject('match', '^$')
|
|
| reject('match', '^--')
|
|
| reject('match', '^CREATE ROLE ' + master_username)
|
|
| reject('match', '.*rdsadmin.*')
|
|
| reject('match', '^(CREATE|ALTER) ROLE rds_')
|
|
| map('regex_replace', '(NO)(SUPERUSER|REPLICATION)\s?', '')
|
|
}}
|
|
|
|
- name: Manipulate dictionaries
|
|
block:
|
|
- name: Merge dictionaries
|
|
vars:
|
|
dict_1:
|
|
a: 43
|
|
b: some string
|
|
dict_2:
|
|
y: true
|
|
z:
|
|
- 4
|
|
- test
|
|
set_fact:
|
|
merged_dict: "{{ dict1 | ansible.builtin.combine(dict_2, {'z':'new_value','w':[44]}) }}"
|
|
recursively_merged_dict: >-
|
|
{{ {'rest':'test'} | ansible.builtin.combine({'z':'new_value','w':[44]}, dict_1, dict_2, recursive=true) }}
|
|
- name: Register the list of extensions per DB
|
|
vars:
|
|
db_extensions: {}
|
|
ansible.builtin.set_fact:
|
|
db_extensions: >-
|
|
{{
|
|
db_extensions
|
|
| combine({
|
|
item.item: item.query_result | map(attribute='extname')
|
|
})
|
|
}}
|
|
with_items: "{{ db_extensions_query.results }}"
|
|
- name:
|
|
vars:
|
|
db_extensions:
|
|
sales:
|
|
- pgaudit
|
|
- plpgsql
|
|
countries:
|
|
- pgcrypto
|
|
- postgis
|
|
- pg_stat_statements
|
|
ansible.builtin.set_fact:
|
|
db_extension_pairs: >-
|
|
{%- set output = [] -%}
|
|
{%- for db in db_extensions.keys() -%}
|
|
{%- for extension in db_extensions[db] -%}
|
|
{{- output.append({'db':db, 'extension': extension}) -}}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{{- output -}}
|
|
|
|
- name: "Use the users' home directory for something"
|
|
block:
|
|
- name: Executing commands from specified users
|
|
block:
|
|
- name: "Get users' homedir back"
|
|
become: true
|
|
become_user: "{{ item }}"
|
|
become_flags: "-iH"
|
|
check_mode: false
|
|
command: >-
|
|
echo "{{ item }}: $HOME"
|
|
changed_when: false
|
|
with_items:
|
|
- root
|
|
- ec2-user
|
|
register: users_homedir_retrieve
|
|
- name: Compute and register the results
|
|
ansible.builtin.set_fact:
|
|
users_homedir: >-
|
|
{{
|
|
users_homedir_retrieve
|
|
| community.general.json_query('results[].stdout')
|
|
| map('from_yaml')
|
|
| combine
|
|
}}
|
|
- name: Do your thing!
|
|
become: true
|
|
become_user: "{{ item.key }}"
|
|
ansible.builtin.file:
|
|
path: "{{ item.value }}/placeholder"
|
|
state: touch
|
|
with_dict: "{{ users_homedir }}"
|
|
- name: "From the system's entries"
|
|
block:
|
|
- name: "Get raw information from the system's entries"
|
|
ansible.builtin.getent:
|
|
database: passwd
|
|
key: "{{ item }}"
|
|
split: ":"
|
|
with_items:
|
|
- root
|
|
- ec2-user
|
|
register: users_entries
|
|
- name: Compute and register the results
|
|
ansible.builtin.set_fact:
|
|
users_info: >-
|
|
{{
|
|
users_entries
|
|
| community.general.json_query('results[].ansible_facts.getent_passwd[]')
|
|
| combine
|
|
}}
|
|
- name: Do your thing!
|
|
ansible.builtin.file:
|
|
path: "{{ item.value[4] }}/placeholder"
|
|
owner: "{{ item.key }}"
|
|
state: touch
|
|
with_dict: "{{ users_info }}"
|
|
|
|
- name: Cronjobs
|
|
block:
|
|
- name: At specific times
|
|
become: true
|
|
ansible.builtin.cron:
|
|
name: Prometheus manual data backup
|
|
cron_file: prometheus-manual-data-backup
|
|
|
|
# Mind this is based on the hosts' time.
|
|
hour: 4
|
|
minute: 0
|
|
|
|
user: root
|
|
job:
|
|
# - Keep '%' characters escaped or they'll be treated as newlines.
|
|
# - Archive creation returns 1 if it detects changes to read files.
|
|
# Using ';' instead of '&&' to ignore.
|
|
>
|
|
FILENAME="/tmp/prometheus-data-$(date +'\%s-\%F-\%H-\%m-\%S').tar.gz"
|
|
&& tar -czf "$FILENAME" '/var/lib/prometheus/data'
|
|
; tar -tf "$FILENAME" > '/dev/null'
|
|
&& aws s3 cp "$FILENAME" 's3://backups/prometheus/'
|
|
&& rm "$FILENAME"
|
|
|
|
- name: Debug tasks
|
|
debugger: on_failed
|
|
ansible.builtin.fail:
|
|
msg: Manual, enforced failure
|
|
# print all variables at this point => p task_vars
|
|
# continue => c
|
|
# abort and quit => q
|
|
|
|
- name: Error handling in blocks
|
|
block:
|
|
- name: This executes normally
|
|
ansible.builtin.debug:
|
|
msg: I execute normally
|
|
- name: This errors out
|
|
ansible.builtin.command: "/bin/false"
|
|
- name: This never executes
|
|
ansible.builtin.debug:
|
|
msg: I never execute due to the above task failing
|
|
rescue:
|
|
- name: This executes if any errors arose in the block
|
|
ansible.builtin.debug:
|
|
msg: I caught an error and can do stuff here to fix it
|
|
always:
|
|
- name: This always executes
|
|
ansible.builtin.debug:
|
|
msg: I always execute
|
|
|
|
- name: AWS
|
|
block:
|
|
- name: RDS
|
|
block:
|
|
- name: Create an instance's snapshot
|
|
block:
|
|
- name: Create the snapshot
|
|
amazon.aws.rds_instance_snapshot:
|
|
db_instance_identifier: "db-identifier"
|
|
db_snapshot_identifier: "db-identifier-snapshot"
|
|
register: snapshot_creation
|
|
- name: Wait for the snapshot to be in the 'available state'
|
|
when: snapshot_creation.snapshot_create_time is defined
|
|
amazon.aws.rds_snapshot_info:
|
|
db_snapshot_identifier: "{{ snapshot_creation.db_snapshot_identifier }}"
|
|
register: snapshot_check
|
|
retries: 3
|
|
delay: 120
|
|
until: snapshot_check.snapshots | selectattr("status", "equalto", "available") | length > 0
|
|
- name: "Dump roles' privileges"
|
|
block:
|
|
- name: Dump to file
|
|
environment:
|
|
PGPASSWORD: "someRandomString"
|
|
vars:
|
|
out_file: /tmp/instance-id_roles.sql
|
|
ansible.builtin.command: >-
|
|
pg_dumpall
|
|
--host 'instance-id.c4v563ptr321.eu-west-1.rds.amazonaws.com' --port '5432'
|
|
--user 'postgres' --database 'postgres' --no-password
|
|
--roles-only --no-role-passwords
|
|
--file '{{ out_file }}'
|
|
changed_when: false
|
|
- name: Dump to variable for later use through 'dump_execution.stdout_lines'
|
|
environment:
|
|
PGPASSWORD: "someRandomString"
|
|
ansible.builtin.command: >-
|
|
pg_dumpall
|
|
-h 'instance-id.c4v563ptr321.eu-west-1.rds.amazonaws.com' -p '5432'
|
|
-U 'postgres' -l 'postgres' -w
|
|
-r --no-role-passwords
|
|
changed_when: false
|
|
register: dump_execution
|