From a7e86ee6391307b9c108489e280b5ec2a7a5484a Mon Sep 17 00:00:00 2001
From: Someone
Date: Fri, 4 Oct 2024 13:42:33 +0200
Subject: [PATCH] [roles/base/ansible/autoselfheal] Setup automatic/periodic selfhealing

---
 .../default/ansible_autoselfheal.logrotate | 16 +
 .../default/ansible_autoselfheal.service | 20 ++
 .../files/default/ansible_autoselfheal.timer | 18 +
 .../autoselfheal/files/default/known_hosts | 8 +
 .../base/ansible/autoselfheal/tasks/main.yml | 324 ++++++++++++++++++
 5 files changed, 386 insertions(+)
 create mode 100644 roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.logrotate
 create mode 100644 roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.service
 create mode 100644 roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.timer
 create mode 100644 roles/base/ansible/autoselfheal/files/default/known_hosts
 create mode 100644 roles/base/ansible/autoselfheal/tasks/main.yml

diff --git a/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.logrotate b/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.logrotate
new file mode 100644
index 0000000..da27a50
--- /dev/null
+++ b/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.logrotate
@@ -0,0 +1,16 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+/var/log/ansible_autoselfheal.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ copytruncate
+ create 640 ansible root
+}
diff --git a/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.service b/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.service
new file mode 100644
index 0000000..a75acbf
--- /dev/null
+++ b/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.service
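Review bot: `create 640 ansible root` has no effect next to `copytruncate` — logrotate truncates the live file in place instead of moving it and creating a replacement, so the `create` line is dead configuration and invites a reader to think ownership of a fresh log is enforced here. Keeping `copytruncate` is the right choice for this log, because the service writes through `tee -a` (an O_APPEND writer that keeps its descriptor open across rotation); the proposal is to drop `create 640 ansible root` and document the choice with `# copytruncate: the writer (tee -a) keeps the fd open, so do not rename`. The log's 0640 ansible:root mode is then set once by the `ensure ansible_autoselfheal.log exists` task in main.yml rather than duplicated in two places.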
@@ -0,0 +1,20 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Ansible autoselfheal
+ConditionPathIsDirectory=/var/ansible/ansible
+OnFailure=unit-status-mail@%n.service
+
+[Service]
+Type=oneshot
+User=ansible
+Group=root
+TimeoutStartSec=2h
+WorkingDirectory=/var/ansible/ansible
+ExecStart=/bin/bash -c 'set -o pipefail; sleep 120; ./run_somesible.sh -D -e ignore_online_errors=True 2>&1 | tee -a /var/log/ansible_autoselfheal.log; exit $?'
diff --git a/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.timer b/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.timer
new file mode 100644
index 0000000..6c9e797
--- /dev/null
+++ b/roles/base/ansible/autoselfheal/files/default/ansible_autoselfheal.timer
@@ -0,0 +1,18 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Weekly ansible autoselfhealing
+
+[Timer]
+OnCalendar=Mon *-*-* 01:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/base/ansible/autoselfheal/files/default/known_hosts b/roles/base/ansible/autoselfheal/files/default/known_hosts
new file mode 100644
index 0000000..3b4778e
--- /dev/null
+++ b/roles/base/ansible/autoselfheal/files/default/known_hosts
@@ -0,0 +1,8 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+[git.somenet.org]:2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxM0LsUKHNE8G3+FIo/ytRDzQdRLkhmHN+hI3Xv27uu
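Review bot: The trailing `exit $?` in `ExecStart` is a no-op — with `set -o pipefail` the pipeline's status is already what `bash -c` returns as its last command — and the fixed `sleep 120` duplicates the jitter the timer already adds via `RandomizedDelaySec=1h`, so the line can shrink to `ExecStart=/bin/bash -c 'set -o pipefail; ./run_somesible.sh -D -e ignore_online_errors=True 2>&1 | tee -a /var/log/ansible_autoselfheal.log'`. If the sleep is instead meant to let the network come up when a missed run fires at boot (`Persistent=true` triggers the service as soon as the timer is activated), say so in a comment such as `# delay: a missed run fires right after boot, give the network time to settle`, or express it as `Wants=network-online.target` / `After=network-online.target` in [Unit]. `OnFailure=unit-status-mail@%n.service` references a template unit this commit does not add; presumably another role ships it, and a one-line comment naming that role would spare the next reader a search.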
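Review bot: The pinned entry `[git.somenet.org]:2 ssh-ed25519 …` names port 2, which is unusual enough to be worth confirming against the `Port` in the ssh config copied from `{{ansible_setup_autoselfheal_ssh_dir_location}}/.ssh/config` (not part of this commit): a host/port mismatch leaves the pin silently unused and falls back to whatever `StrictHostKeyChecking` that config sets. Pinning the server key here rather than disabling host-key checking is the right approach; a comment above the entry stating which host and port it covers and how it is regenerated (e.g. `# ssh-keyscan -p <port> git.somenet.org`, with the real port filled in) would make key rotation a documented step rather than a guess.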
diff --git a/roles/base/ansible/autoselfheal/tasks/main.yml b/roles/base/ansible/autoselfheal/tasks/main.yml
new file mode 100644
index 0000000..2903059
--- /dev/null
+++ b/roles/base/ansible/autoselfheal/tasks/main.yml
@@ -0,0 +1,324 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# automatic/periodic self healing.
+#
+---
+- name: install ansible
+ apt:
+ pkg:
+ - ansible
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: copy ssh config
+ copy:
+ src: "{{ansible_setup_autoselfheal_ssh_dir_location}}/.ssh/config"
+ dest: "/var/ansible/.ssh/config"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+
+
+- name: copy somesibleupdater private key
+ copy:
+ src: "{{ansible_setup_autoselfheal_ssh_dir_location}}/.ssh/key"
+ dest: "/var/ansible/.ssh/somesible_autoupdater_key"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+
+
+- name: ensure ansible_autoselfheal.log exists
+ copy:
+ content: ""
+ dest: "/var/log/ansible_autoselfheal.log"
+ force: no
+ mode: 0640
+ owner: "ansible"
+ group: "root"
+
+
+- name: create logrotate entry for ansible_autoselfheal.log
+ copy:
+ src: "{{item}}"
+ dest: "/etc/logrotate.d/ansible_autoselfheal"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/ansible_autoselfheal.logrotate"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/ansible_autoselfheal.logrotate"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/ansible_autoselfheal.logrotate"
+ - "default/ansible_autoselfheal.logrotate"
+
+
+- name: remove "ansible_autoselfheal" workdir to force re-creation.
+ file:
+ path: "/var/ansible/ansible"
+ state: absent
+ when: ansible_setup_reset | bool
+
+
+- name: create "ansible_autoselfheal" workdir and set permissions
+ file:
+ path: "/var/ansible/ansible"
+ state: directory
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+
+
+- name: copy run_somesible.sh script from "{{lookup('env','PWD')}}"
+ copy:
+ src: "{{lookup('env','PWD')}}/run_somesible.sh"
+ dest: "/var/ansible/ansible/run_somesible.sh"
+ mode: 0700
+ owner: "ansible"
+ group: "root"
+
+
+- name: create group_vars-dir
+ file:
+ path: "/var/ansible/ansible/group_vars"
+ state: directory
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: copy the group vars of groups the host is in
+ copy:
+ src: "{{lookup('env','PWD')}}/group_vars/{{item}}.yml"
+ dest: "/var/ansible/ansible/group_vars/{{item}}.yml"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+ with_items: "{{group_names + ['all']}}"
+ ignore_errors: yes
+ tags: "ansible-sync"
+
+
+- name: list files in /var/ansible/ansible/group_vars
+ shell: "ls -1 /var/ansible/ansible/group_vars"
+ register: contents
+ tags: "ansible-sync"
+ changed_when: False
+
+
+- name: remove unmanaged files in /var/ansible/ansible/group_vars
+ file:
+ path: "/var/ansible/ansible/group_vars/{{item}}"
+ state: absent
+ with_items: "{{contents.stdout_lines}}"
+ when: item|regex_replace('^(.*)\\.yml$', '\\1') not in (group_names+['all'])
+ tags: "ansible-sync"
+
+
+- name: create group_files/all-dir
+ file:
+ path: "/var/ansible/ansible/group_files/all"
+ state: directory
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: synchronize group_files/all-dir
+ synchronize:
+ src: "{{lookup('env','PWD')}}/group_files/all/"
+ dest: "/var/ansible/ansible/group_files/all/"
+ delete: yes
+ checksum: yes
+ recursive: yes
+ archive: no
+ ignore_errors: yes
+ tags: "ansible-sync"
+
+
+- name: synchronize group_files/{{group_files_group}}-dir
+ synchronize:
+ src: "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/"
+ dest: "/var/ansible/ansible/group_files/{{group_files_group}}/"
+ delete: yes
+ checksum: yes
+ recursive: yes
+ archive: no
+ when: group_files_group != "all"
+ tags: "ansible-sync"
+
+
+- name: list dirs in /var/ansible/ansible/group_files
+ shell: "ls -1 /var/ansible/ansible/group_files"
+ register: contents
+ tags: "ansible-sync"
+ changed_when: False
+
+
+- name: remove unmanaged dirs in /var/ansible/ansible/group_files
+ file:
+ path: "/var/ansible/ansible/group_files/{{item}}"
+ state: absent
+ with_items: "{{contents.stdout_lines}}"
+ when: item != "all" and item != group_files_group
+ tags: "ansible-sync"
+
+
+- name: create ansible host_files-dir
+ file:
+ path: "/var/ansible/ansible/host_files"
+ state: directory
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: synchronize host's host_files-dir
+ synchronize:
+ src: "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/"
+ dest: "/var/ansible/ansible/host_files/{{inventory_hostname}}/"
+ delete: yes
+ checksum: yes
+ recursive: yes
+ archive: no
+ ignore_errors: yes
+ tags: "ansible-sync"
+
+
+- name: create ansible host_playbooks-dir
+ file:
+ path: "/var/ansible/ansible/host_playbooks"
+ state: directory
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: copy host's playbook
+ copy:
+ src: "{{lookup('env','PWD')}}/host_playbooks/{{inventory_hostname}}.yml"
+ dest: "/var/ansible/ansible/host_playbooks/{{inventory_hostname}}.yml"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: create ansible host_vars-dir
+ file:
+ path: "/var/ansible/ansible/host_vars"
+ state: directory
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: synchronize host's host_vars dir
+ synchronize:
+ src: "{{lookup('env','PWD')}}/host_vars/{{inventory_hostname}}"
+ dest: "/var/ansible/ansible/host_vars/{{inventory_hostname}}"
+ delete: yes
+ checksum: yes
+ recursive: yes
+ archive: no
+ ignore_errors: yes
+ tags: "ansible-sync"
+
+
+# Make the site consist of only the host's playbook
+- name: ensure ansible.inventory exists
+ copy:
+ content: "#AUTOGENERATED\n---\n- import_playbook: host_playbooks/{{inventory_hostname}}.yml\n"
+ dest: "/var/ansible/ansible/site.yml"
+ force: yes
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+# Make the loopback connection run as "local"
+- name: ensure ansible.inventory exists
+ copy:
+ content: "#AUTOGENERATED\n\n{% for grp in group_names %}[{{grp}}]\n{{inventory_hostname}} ansible_connection=\"local\" ansible_setup=\"False\" run_is_ansible_autoselfheal=\"True\" group_files_group=\"{{group_files_group}}\"\n\n{% endfor %}"
+ dest: "/var/ansible/ansible/ansible.inventory"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: fix "ansible_autoselfheal" workdir permissions.
+ file:
+ path: "/var/ansible/ansible"
+ state: directory
+ recurse: yes
+ mode: "u+rwX,go-rwx"
+ owner: "ansible"
+ group: "root"
+ tags: "ansible-sync"
+
+
+- name: copy ansible_autoselfheal.service to /etc/systemd/system/
+ copy:
+ src: "{{item}}"
+ dest: "/etc/systemd/system/ansible_autoselfheal.service"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/ansible_autoselfheal.service"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/ansible_autoselfheal.service"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/ansible_autoselfheal.service"
+ - "default/ansible_autoselfheal.service"
+
+
+- name: copy ansible_autoselfheal.timer to /etc/systemd/system/
+ copy:
+ src: "{{item}}"
+ dest: "/etc/systemd/system/ansible_autoselfheal.timer"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/ansible_autoselfheal.timer"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/ansible_autoselfheal.timer"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/ansible_autoselfheal.timer"
+ - "default/ansible_autoselfheal.timer"
+
+
+- name: enable and start ansible_autoselfheal.timer
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: ansible_autoselfheal.timer
+
+
+
+ #############################################
+ # update "ansible_autoselfheal" known_hosts #
+ #############################################
+ # TODO: maybe useless
+ - name: copy known_hosts
+ copy:
+ src: "{{item}}"
+ dest: "/var/ansible/.ssh/known_hosts"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/known_hosts"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/known_hosts"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/known_hosts"
+ - "default/known_hosts"
+ when: ansible_setup_autoselfheal_update_known_hosts | bool
-- 
2.43.0
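Review bot: The two cleanup tasks `remove unmanaged files in /var/ansible/ansible/group_vars` and `remove unmanaged dirs in /var/ansible/ansible/group_files` take their candidate list from `shell: "ls -1 …"`, which omits dot-files, so a stray `.something.yml` dropped into the synced tree is never removed, and both listing tasks register into the same `contents` variable; the `find` module with `hidden: true` gives a shell-free listing that covers hidden entries, as sketched below for the group_vars pair (the group_files pair is the same shape with `file_type: directory`). The first of the two tasks named `ensure ansible.inventory exists` writes `site.yml`, not the inventory, so rename it `ensure site.yml exists` to keep play output unambiguous. The private key at `{{ansible_setup_autoselfheal_ssh_dir_location}}/.ssh/key` is, unless that variable is set per host, the same credential on every managed host, so a compromise of one host exposes the repository access of all of them; a read-only deploy key scoped per host or per group limits that blast radius, and a comment above the task stating which key and scope is expected would make the assumption visible. Style: quote octal modes (`mode: "0600"`) and use `true`/`false` in place of `yes`/`no`/`False`, which ansible-lint's truthy rule flags and which YAML 1.2 parsers read as plain strings.

```yaml
- name: list files in /var/ansible/ansible/group_vars
  find:
    paths: "/var/ansible/ansible/group_vars"
    hidden: true
    file_type: any
  register: group_vars_contents
  tags: "ansible-sync"


- name: remove unmanaged files in /var/ansible/ansible/group_vars
  file:
    path: "{{item.path}}"
    state: absent
  with_items: "{{group_vars_contents.files}}"
  when: (item.path | basename) | regex_replace('^(.*)\\.yml$', '\\1') not in (group_names + ['all'])
  tags: "ansible-sync"

# … unchanged: remaining tasks …
```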