V2EX › Kirkcong › All replies, page 17 of 61
Total replies: 1220
August 26, 2025
Replied to a topic created by EyebrowsWhite · Programmers · Ansible is such a joy to use 😄
# tasks file for system configuration

- block:

    - name: disable SWAP (Kubeadm requirement)
      shell: |
        swapoff -a

    - name: disable SWAP in fstab (Kubeadm requirement)
      replace:
        path: /etc/fstab
        regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
        replace: '# \1'

    - name: create an empty file for the Containerd module
      copy:
        content: ""
        dest: /etc/modules-load.d/containerd.conf
        force: no

    - name: configure modules for Containerd
      blockinfile:
        path: /etc/modules-load.d/containerd.conf
        block: |
          overlay
          br_netfilter

    - name: create an empty file for Kubernetes sysctl params
      copy:
        content: ""
        dest: /etc/sysctl.d/99-kubernetes-cri.conf
        force: no

    - name: configure sysctl params for Kubernetes
      lineinfile:
        path: /etc/sysctl.d/99-kubernetes-cri.conf
        line: "{{ item }}"
      with_items:
        - 'net.bridge.bridge-nf-call-iptables = 1'
        - 'net.ipv4.ip_forward = 1'
        - 'net.bridge.bridge-nf-call-ip6tables = 1'

    - name: apply sysctl params without reboot
      command: sysctl --system

    - name: add Docker's dnf repository
      get_url:
        url: https://download.docker.com/linux/rhel/docker-ce.repo
        dest: /etc/yum.repos.d/docker-ce.repo
        mode: '0644'
        force: true

    - name: add Kubernetes' dnf repository
      yum_repository:
        name: Kubernetes
        description: Kubernetes
        baseurl: https://pkgs.k8s.io/core:/stable:/v{{ ansible_local['static']['kubernetes']['version'] }}/rpm/
        gpgkey: https://pkgs.k8s.io/core:/stable:/v{{ ansible_local['static']['kubernetes']['version'] }}/rpm/repodata/repomd.xml.key
        enabled: true
        gpgcheck: true
        state: present

    - name: install Containerd
      ansible.builtin.dnf:
        name: containerd.io
        state: present

    - name: create Containerd directory
      file:
        path: /etc/containerd
        state: directory

    - name: add Containerd configuration
      shell: /usr/bin/containerd config default > /etc/containerd/config.toml

    - name: configuring the systemd cgroup driver for Containerd
      lineinfile:
        path: /etc/containerd/config.toml
        regexp: ' SystemdCgroup = false'
        line: ' SystemdCgroup = true'

    - name: enable the Containerd service and start it
      systemd:
        name: containerd
        state: restarted
        enabled: yes
        daemon-reload: yes

    - name: install packages
      dnf:
        name:
          - kubelet
          - kubeadm
          - kubectl
          - iproute-tc
        state: present
        update_cache: true
      register: packages

    # The script is fetched from the main branch and run as-is:
    # no version pin and no checksum on the download.
    - name: download helm script
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
        dest: /tmp/get-helm-3.sh
        mode: '0755'
        force: true

    - name: install helm
      ansible.builtin.shell:
        cmd: /tmp/get-helm-3.sh

    - name: enable the Kubelet service, and enable it persistently
      service:
        name: kubelet
        enabled: yes

    - name: load br_netfilter kernel module
      modprobe:
        name: br_netfilter
        state: present

    - name: set bridge-nf-call-iptables
      sysctl:
        name: net.bridge.bridge-nf-call-iptables
        value: 1

    - name: set ip_forward
      sysctl:
        name: net.ipv4.ip_forward
        value: 1

    - name: reboot and wait for reboot to complete
      reboot:
      when: packages.changed
August 26, 2025
Replied to a topic created by EyebrowsWhite · Programmers · Ansible is such a joy to use 😄
---
# tasks file for common

- name: Account management tasks
  block:
    - name: Ensure group "admin" exists
      ansible.builtin.group:
        name: admin
        gid: 4141
        state: present

    - name: Accounts configuration
      ansible.builtin.user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        state: present
        group: "{{ item.group }}"
      loop: "{{ accounts }}"

    - name: Set up multiple authorized keys
      ansible.builtin.authorized_key:
        user: "{{ item.user }}"
        key: "{{ item.key }}"
        manage_dir: true
      loop: "{{ keys }}"

    # Grants passwordless sudo for every command to each account flagged admin.
    - name: Add sudoers for ansible and hola
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/systems
        line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
        create: true
      loop: "{{ accounts }}"
      when: item.admin | bool

    - name: Change root password
      ansible.builtin.user:
        name: root
        password: "{{ root_password }}"
        state: present

    - name: Change hola password
      ansible.builtin.user:
        name: hola
        password: "{{ user_password }}"
        state: present

    - name: Install the packages when os is rhel
      ansible.builtin.dnf:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_rhel }}"
      when: ansible_os_family == "RedHat"

    - name: Install the packages when os is debian
      ansible.builtin.apt:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_debian }}"
      when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu"

  become: true
  ignore_errors: false
  remote_user: root
  vars:
    ansible_ssh_private_key_file: "~/ansi/key"

- name: Generate facts
  block:
    - name: Create directory for ansible custom facts
      ansible.builtin.file:
        state: directory
        recurse: true
        path: /etc/ansible/facts.d

    - name: Check if custom facts exist
      ansible.builtin.stat:
        path: /etc/ansible/facts.d/static.fact
      register: host_facts_stat

    - name: Install custom fact
      ansible.builtin.copy:
        src: static.fact
        dest: /etc/ansible/facts.d
      when: not host_facts_stat.stat.exists

    - name: End the play after first time to create custom facts
      meta: end_play
      when: not host_facts_stat.stat.exists

  become: true
  ignore_errors: false
  remote_user: root
  vars:
    ansible_ssh_private_key_file: "~/ansi/key"

- name: Load custom facts
  ansible.builtin.setup:
    filter: ansible_local

- name: System configuration tasks
  block:
    - name: Re-read facts after adding custom fact
      ansible.builtin.setup:
        filter: ansible_local

    # Upgrade packages
    # - name: Upgrade all packages for rhel
    #   ansible.builtin.dnf:
    #     name: "*"
    #     state: latest
    #   when: ansible_os_family == "RedHat"

    # - name: Upgrade all packages for debian
    #   ansible.builtin.apt:
    #     name: "*"
    #     state: latest
    #   when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu"
    - name: Set hostname
      ansible.builtin.hostname:
        name: "{{ ansible_local['static']['general']['hostname'] }}"
      when: ansible_local['static']['general']['hostname'] is defined and ansible_local['static']['general']['hostname'] != ""

    - name: Configure eth0 ip address
      ansible.builtin.template:
        src: nmconnection_eth0.j2
        dest: /etc/NetworkManager/system-connections/eth0.nmconnection
        owner: root
        group: root
        mode: 0700
      register: nmconnection_eth0_result

    # shell instead of command: command does not run a shell, so the two
    # lines would be passed to a single nmcli invocation as arguments.
    - name: Reload eth0 configuration
      shell: |
        nmcli connection reload
        nmcli connection up eth0
      when: nmconnection_eth0_result.changed

    - name: Disable cloud-init network
      ansible.builtin.lineinfile:
        path: /etc/cloud/cloud.cfg
        regexp: '^ renderers'
        insertafter: '^ network:'
        line: " config: disabled"
      when: nmconnection_eth0_result.changed

    - name: Configure eth1 ip address
      ansible.builtin.template:
        src: nmconnection_eth1.j2
        dest: /etc/NetworkManager/system-connections/eth1.nmconnection
        owner: root
        group: root
        mode: 0700
      when: ansible_local['static']['general']['ipaddr_eth1'] is defined and ansible_local['static']['general']['ipaddr_eth1'] != ""
      register: nmconnection_eth1_result

    # shell instead of command, for the same reason as the eth0 reload above.
    - name: Reload eth1 configuration
      shell: |
        nmcli connection reload
        nmcli connection up eth1
      when: nmconnection_eth1_result.changed

    # - name: Display all variables/facts known for a host
    #   debug:
    #     var: hostvars[inventory_hostname]
    #   tags: debug_info

    - name: Install the packages when os is rhel
      ansible.builtin.dnf:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_rhel }}"
      when: ansible_os_family == "RedHat"

    - name: Install the packages when os is debian
      ansible.builtin.apt:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_debian }}"
      when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu"

    - name: Ensure atop is enabled and started
      ansible.builtin.systemd_service:
        name: atop
        enabled: true
        state: started

    - name: Disable SELinux persist
      ansible.builtin.selinux:
        state: permissive
        policy: targeted

    - name: Set SELinux in permissive mode at runtime
      command: setenforce 0

    - name: kernel parameters
      ansible.builtin.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
      loop: "{{ kernel_parameters }}"

    # mitigations=off turns off the kernel's CPU vulnerability mitigations.
    - name: Update grubby
      command: grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0 crashkernel=256M intel_idle.max_cstate=0 processor.max_cstate=1 idle=poll console=tty1 ipv6.disable=1 pci=nommconf pcie_aspm=off mitigations=off"
      when: ansible_os_family == "RedHat"

    - name: Ensure bash profile history lines number is unlimited
      ansible.builtin.lineinfile:
        path: /etc/profile
        regexp: '^HISTSIZE '
        insertafter: '^#HISTSIZE '
        line: HISTSIZE=-1

    - name: Ensure bash profile history file size is unlimited
      ansible.builtin.lineinfile:
        path: /etc/profile
        regexp: '^HISTFILESIZE '
        insertafter: '^#HISTFILESIZE '
        line: HISTFILESIZE=-1

  # ignore_errors: true lets the block continue past any failed task.
  become: true
  ignore_errors: true
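August 26, 2025
Replied to a topic created by EyebrowsWhite · Programmers · Ansible is such a joy to use 😄
@EyebrowsWhite #11 I use ansible on my personal machines too, including creating k8s nodes and some basic VPS configuration, such as adding keys, creating users, NFS mounts, hostname, and installing packages. Having ansible makes it much more convenient.
Just switch to PT, for example Mantou (馒头); it has pretty much everything. Combined with qbit + RSS it pulls popular resources automatically and you don't have to do anything.
@FlytoSirius #56 Unlocking the BL and only flashing a system without rooting does not lower the level. I flashed GrapheneOS and didn't have to do anything; it passes all of Google's checks directly. As for why some third-party ROMs fail the checks even without root, that is purely a problem with the ROM itself.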
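August 26, 2025
Replied to a topic created by k1rin · NAS · Everyone, come share your personal data backup setup
minio (Singapore + UK) + aws s3 (regular S3 for data from the last six months, anything older automatically transitions to deep archive; regions include Singapore and Japan) + 40TB OVH dedicated backup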
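August 26, 2025
Replied to a topic created by EyebrowsWhite · Programmers · Ansible is such a joy to use 😄
@hausen #3
@EyebrowsWhite #6

When your machine configuration is tedious, using ansible makes it easy, even if you only have a few machines.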
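August 26, 2025
Replied to a topic created by EyebrowsWhite · Programmers · Ansible is such a joy to use 😄
@EyebrowsWhite #6 I checked the monitoring system; currently it's 1080 machines. They don't all run at the same time. We have different teams, and the ansible machine has crontab set up to stagger the times; 65 teams in total. It's not that the ansible machine can't handle it; it's because different teams have different configurations and run different roles.

As for the maximum number of machines running at once, there's no way to work that out; we don't track the number of machines per team.
@FlytoSirius #11 Unlocking is unlocking, root is root. The problems after unlocking that you mention are problems after rooting. I unlocked my pixel9pro and flashed grapheneos with no problems at all; even the China Merchants Bank app supports the built-in fingerprint unlock.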
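August 26, 2025
Replied to a topic created by EyebrowsWhite · Programmers · Ansible is such a joy to use 😄
Yes, yes, it's great. We have 1000+ machines, all relying on ansible.
Honestly, I thought about it for a long time and really couldn't come up with anything one could do in the car.
There's quite a bit of potential here: combined with an injected script installed for users, it automatically takes a screenshot after a click to capture sensitive information, stores it locally, and periodically syncs it to the server. Passwords probably won't work because they're all asterisks, but information such as Visa credit cards would, since many sites display the CVV in plaintext. All in all, there's a lot of potential and it could probably make some money, but whether the OP can open up the various channels and bear the risk is another matter.
What about your UI design?
@libasten #3 As an ops person who works with Linux every day, the only place I use a panel is for the proxy on a VPS, something like x-ui; in production settings I use no panel at all.

1. Panels have security vulnerabilities, and they upload data.
2. Panels mess up configuration and ignore many established conventions, like keeping the toothbrush in the kitchen instead of the bathroom.
3. You never know what the panel did; its operations are not controllable.
4. In day-to-day work, 99% of operations aren't available in a panel, such as setting ACLs, specifying a uid, setting CPU pinning, running background commands, setting mongodb parameters, and so on.
5. On Linux, the CLI really is much faster than clicking around. Take the AWS console: querying EC2 information with the CLI takes a single command, and searching history and running it takes under 20 seconds. The same operation in the web UI requires logging in, going into submodules and a series of other steps, and sometimes the page hangs and needs a refresh; it takes at least five minutes.
6. Clicking a mouse is not in itself a newbie thing (after all, Windows Server is configured that way too), but on Linux only 0.1% of operations support GUI clicking, so if someone only ever clicks and never uses the command line, assume they're a complete newbie (not many people use Windows Server).
7. For identical configurations, with the CLI you can copy and paste to apply the config; with a panel it's a hassle.
8. I don't trust any panel. Even x-ui, which I do use, I don't trust; I only use it because running a proxy without it is a hassle.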
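August 21, 2025
Replied to a topic created by pu798OO · Pixel · Pixel 10 series vs. 9 series: does everyone think the upgrade is noticeable?
It has magnetic attachment now, so it can charge while mounted like an iPhone; otherwise nothing exciting.
August 21, 2025
Replied to a topic created by sdrpsps · Life · After 1781 days, we still broke up
@cue #347
@Livid AI content, meaningless
August 21, 2025
Replied to a topic created by sdrpsps · Life · After 1781 days, we still broke up
@chanChristin #115 What is 🐢?
@Gekou #15 Use a cn2gia VPS for getting over the wall, and set up an nginx directory share on the same machine with everything you need in it. If you're not worried about the risk of distributing it, just have the other person open your site and download the relevant software.
@biubiupiupiu #3 Nobody said you can't do that
August 21, 2025
Replied to a topic created by mxdyeah · Broadband Syndrome · GFW suspected of large-scale interference with port 443 connections late at night
@cuicuiv5 #74 It always has been possible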