Initial commit

2024-11-23 20:58:45 +01:00 · 2024-11-23 20:58:45 +01:00 · ae63be1df6
commit ae63be1df6
9 changed files with 421 additions and 0 deletions
--- a/tasks/golden_image.yaml
+++ b/tasks/golden_image.yaml
@ -0,0 +1,106 @@
+- name: Configure golden image
+  hosts: myhosts
+  tasks:
+   - name: Set authorized key taken from file
+     ansible.posix.authorized_key:
+       user: root
+       key: "{{  lookup('file', '../config/id_ed25519.pub')  }}"
+   - name: Copy over SSHD config file
+     ansible.builtin.copy:
+       src: ../config/sshd_config
+       dest: /etc/ssh/sshd_config
+       owner: root
+       group: root
+       mode: "0600"
+   - name: Restart SSHD
+     ansible.builtin.systemd_service:
+       name: sshd
+       state: reloaded
+   - name: Upgrade all packages
+     ansible.builtin.dnf:
+       name: "*"
+       state: latest
+   - name: Install wireguard-tools and qemu-guest-agent
+     ansible.builtin.dnf:
+       name:
+         - wireguard-tools
+         - qemu-guest-agent
+       state: latest
+   - name: Enable QEMU guest agent service
+     ansible.builtin.systemd_service:
+       name: qemu-guest-agent
+       enabled: true
+       state: started
+
+   - name: Download gvisor
+     ansible.builtin.get_url:
+       url: https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
+       dest: /usr/local/bin/runsc
+       force: yes
+       mode: a+x
+
+   - name: Download gvisor containerd-shim
+     ansible.builtin.get_url:
+       url: https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
+       dest: /usr/local/bin/containerd-shim-runsc-v1
+       force: yes
+       mode: a+x
+
+
+   - name: check if docker repo is installed
+     stat:
+       path: "/etc/yum.repos.d/docker-ce.repo"
+     register: docker_repo
+   - name: debug_msg
+     debug:
+       msg: "Docker repo already present"
+     when: docker_repo.stat.exists
+   - name: Ensure distro docker is not installed
+     ansible.builtin.dnf:
+       name:
+         - docker
+         - docker-client
+         - docker-client-latest
+         - docker-common
+         - docker-latest
+         - docker-latest-logrotate
+         - docker-logrotate
+         - docker-selinux
+         - docker-engine-selinux
+         - docker-engine
+       state: absent
+     when: not docker_repo.stat.exists
+   - name: Install dnf-plugins-core
+     ansible.builtin.dnf:
+       name: dnf-plugins-core
+       state: latest
+   - name: Download Docker dnf repo
+     ansible.builtin.get_url:
+       url: https://download.docker.com/linux/fedora/docker-ce.repo
+       dest: /etc/yum.repos.d/docker-ce.repo
+       mode: 0644
+       force: yes
+   - name: Install Docker packages
+     ansible.builtin.dnf:
+       name:
+         - docker-ce
+         - docker-ce-cli
+         - containerd.io
+         - docker-buildx-plugin
+         - docker-compose-plugin
+
+
+   - name: Copy over docker daemon.json config file
+     ansible.builtin.copy:
+       src: ../config/daemon.json
+       dest: /etc/docker/daemon.json
+       owner: root
+       group: root
+       mode: "0644"
+       force: true
+
+   - name: Enable Docker systemd service
+     ansible.builtin.systemd_service:
+       name: docker
+       enabled: true
+       state: reloaded
--- a/tasks/gvisor.yaml
+++ b/tasks/gvisor.yaml
@ -0,0 +1,58 @@
+- name: Configure golden image
+  hosts: myhosts
+  tasks:
+   - name: Set authorized key taken from file
+     ansible.posix.authorized_key:
+       user: root
+       key: "{{  lookup('file', '../config/id_ed25519.pub')  }}"
+   - name: Copy over SSHD config file
+     ansible.builtin.copy:
+       src: ../config/sshd_config
+       dest: /etc/ssh/sshd_config
+       owner: root
+       group: root
+       mode: "0600"
+   - name: Restart SSHD
+     ansible.builtin.systemd_service:
+       name: sshd
+       state: reloaded
+   - name: Upgrade all packages
+     ansible.builtin.dnf:
+       name: "*"
+       state: latest
+   - name: Install wireguard-tools and qemu-guest-agent
+     ansible.builtin.dnf:
+       name:
+         - wireguard-tools
+         - qemu-guest-agent
+       state: latest
+   - name: Enable QEMU guest agent service
+     ansible.builtin.systemd_service:
+       name: qemu-guest-agent
+       enabled: true
+       state: started
+
+   - name: Download gvisor
+     ansible.builtin.get_url:
+       url: https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
+       dest: /usr/local/bin/runsc
+       force: yes
+       mode: a+x
+
+   - name: Download gvisor containerd-shim
+     ansible.builtin.get_url:
+       url: https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
+       dest: /usr/local/bin/containerd-shim-runsc-v1
+       force: yes
+       mode: a+x
+
+
+   - name: Copy over docker daemon.json config file
+     ansible.builtin.copy:
+       src: ../config/daemon.json
+       dest: /etc/docker/daemon.json
+       owner: root
+       group: root
+       mode: "0644"
+       force: true
+
--- a/tasks/ssh_config.yaml
+++ b/tasks/ssh_config.yaml
@ -0,0 +1,26 @@
+- name: My first play
+  hosts: myhosts
+  tasks:
+#   - name: Ping my hosts
+#     ansible.builtin.ping:
+#   - name: Reboot machine
+#     ansible.builtin.reboot:
+#       msg: "Rebooting machine..."
+#   - name: Print message
+#     ansible.builtin.debug:
+#       msg: Hello world
+   - name: Set authorized key taken from file
+     ansible.posix.authorized_key:
+       user: root
+       key: "{{  lookup('file', './config/id_ed25519.pub')  }}"
+   - name: Copy over SSHD config file
+     ansible.builtin.copy:
+       src: ./config/sshd_config
+       dest: /etc/ssh/sshd_config
+       owner: root
+       group: root
+       mode: '0600'
+   - name: Restart SSHD
+     service:
+       name: sshd
+       state: restarted