feat: 集成 OpenTofu + Ansible + Gitea CI/CD

- 重构项目目录结构
- 添加 OpenTofu 多云支持
- 配置 Ansible 自动化部署
- 集成 Gitea Actions CI/CD 流水线
- 添加 Docker Swarm 管理
- 完善监控和安全配置
2025-09-20 10:48:41 +00:00
parent d755f237a0
commit 7eb4a33523
55 changed files with 3745 additions and 1921 deletions


@@ -0,0 +1,183 @@
---
- name: Setup Automated Maintenance Cron Jobs
hosts: localhost
gather_facts: no
vars:
# 定时任务配置
cron_jobs:
# 每日快速检查
- name: "Daily system health check"
job: "cd /root/mgmt && ./scripts/ops-manager.sh toolkit all --check > /var/log/daily-health-check.log 2>&1"
minute: "0"
hour: "8"
day: "*"
month: "*"
weekday: "*"
# 每周系统清理
- name: "Weekly system cleanup"
job: "cd /root/mgmt && ./scripts/ops-manager.sh cleanup all > /var/log/weekly-cleanup.log 2>&1"
minute: "0"
hour: "2"
day: "*"
month: "*"
weekday: "0" # Sunday
# 每月安全检查
- name: "Monthly security hardening check"
job: "cd /root/mgmt && ./scripts/ops-manager.sh security all --check > /var/log/monthly-security-check.log 2>&1"
minute: "0"
hour: "3"
day: "1"
month: "*"
weekday: "*"
# 每周证书检查
- name: "Weekly certificate check"
job: "cd /root/mgmt && ./scripts/ops-manager.sh cert all > /var/log/weekly-cert-check.log 2>&1"
minute: "30"
hour: "4"
day: "*"
month: "*"
weekday: "1" # Monday
# 每日 Docker 清理 (仅 LXC 组)
- name: "Daily Docker cleanup for LXC"
job: "cd /root/mgmt && ansible lxc -i ansible/inventory.ini -m shell -a 'docker system prune -f' --become -e 'ansible_ssh_pass=313131' > /var/log/daily-docker-cleanup.log 2>&1"
minute: "0"
hour: "1"
day: "*"
month: "*"
weekday: "*"
# 每周网络连通性检查
- name: "Weekly network connectivity check"
job: "cd /root/mgmt && ./scripts/ops-manager.sh network all > /var/log/weekly-network-check.log 2>&1"
minute: "0"
hour: "6"
day: "*"
month: "*"
weekday: "2" # Tuesday
tasks:
# 创建日志目录
- name: Create log directory
file:
path: /var/log/ansible-automation
state: directory
mode: '0755'
become: yes
# 设置脚本执行权限
- name: Make ops-manager.sh executable
file:
path: /root/mgmt/scripts/ops-manager.sh
mode: '0755'
# 创建定时任务
- name: Setup cron jobs for automated maintenance
cron:
name: "{{ item.name }}"
job: "{{ item.job }}"
minute: "{{ item.minute }}"
hour: "{{ item.hour }}"
day: "{{ item.day }}"
month: "{{ item.month }}"
weekday: "{{ item.weekday }}"
user: root
loop: "{{ cron_jobs }}"
become: yes
# 创建日志轮转配置
- name: Setup log rotation for automation logs
copy:
content: |
/var/log/*-health-check.log
/var/log/*-cleanup.log
/var/log/*-security-check.log
/var/log/*-cert-check.log
/var/log/*-docker-cleanup.log
/var/log/*-network-check.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
copytruncate
}
dest: /etc/logrotate.d/ansible-automation
mode: '0644'
become: yes
# 创建监控脚本
- name: Create monitoring dashboard script
copy:
content: |
#!/bin/bash
# Automation Monitoring Dashboard
echo "🤖 Ansible Automation Status Dashboard"
echo "======================================"
echo ""
echo "📅 Last Execution Times:"
echo "------------------------"
for log in /var/log/*-check.log /var/log/*-cleanup.log; do
if [ -f "$log" ]; then
echo "$(basename "$log" .log): $(stat -c %y "$log" | cut -d. -f1)"
fi
done
echo ""
echo "📊 Recent Log Summary:"
echo "---------------------"
for log in /var/log/daily-health-check.log /var/log/weekly-cleanup.log; do
if [ -f "$log" ]; then
echo "=== $(basename "$log") ==="
tail -5 "$log" | grep -E "(TASK|PLAY RECAP|ERROR|WARNING)" || echo "No recent activity"
echo ""
fi
done
echo "⏰ Next Scheduled Jobs:"
echo "----------------------"
crontab -l | grep -E "(health|cleanup|security|cert|docker|network)" | while read line; do
echo "$line"
done
echo ""
echo "💾 Log File Sizes:"
echo "-----------------"
ls -lh /var/log/*-*.log 2>/dev/null | awk '{print $5, $9}' || echo "No log files found"
dest: /usr/local/bin/automation-status
mode: '0755'
become: yes
# 显示设置完成信息
- name: Display setup completion info
debug:
msg: |
🎉 自动化定时任务设置完成!
📋 已配置的定时任务:
• 每日 08:00 - 系统健康检查
• 每日 01:00 - Docker 清理 (LXC 组)
• 每周日 02:00 - 系统清理
• 每周一 04:30 - 证书检查
• 每周二 06:00 - 网络连通性检查
• 每月1日 03:00 - 安全检查
📊 监控命令:
• 查看状态: automation-status
• 查看定时任务: crontab -l
• 查看日志: tail -f /var/log/daily-health-check.log
📁 日志位置: /var/log/
🔄 日志轮转: 30天自动清理
💡 手动执行示例:
• ./scripts/ops-manager.sh toolkit all
• ./scripts/ops-manager.sh cleanup lxc
• ./scripts/ops-manager.sh health proxmox
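Review bot: The `Daily Docker cleanup for LXC` job line embeds an SSH password as a plaintext `-e 'ansible_ssh_pass=…'` extra-var, which places the credential in the committed playbook, in the root crontab (`crontab -l`), in every `ps` listing while the job runs, and in the Ansible output redirected to `/var/log/daily-docker-cleanup.log`. Drop the extra-var and authenticate with an SSH key instead (the bootstrap playbook in this same commit sets `PasswordAuthentication no` for the non-root case, so password auth is expected to stop working once hosts are bootstrapped), or if a password is unavoidable read it from an Ansible Vault-encrypted vars file kept out of the repository; since the value is already in git history it should be rotated regardless. Separately, the `Create log directory` task creates `/var/log/ansible-automation` but every `job:` writes straight to `/var/log/*.log`, so the directory appears unused, and the logrotate globs such as `/var/log/*-cleanup.log` match any file with that suffix rather than only these jobs' logs.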


@@ -0,0 +1,175 @@
---
- name: Bootstrap Infrastructure
hosts: all
become: yes
gather_facts: yes
vars:
# 基础软件包
base_packages:
- curl
- wget
- git
- vim
- htop
- tree
- unzip
- jq
- python3
- python3-pip
- apt-transport-https
- ca-certificates
- gnupg
- lsb-release
# Docker 配置
docker_users:
- "{{ ansible_user }}"
# 系统配置
timezone: "Asia/Shanghai"
tasks:
- name: Update package cache
apt:
update_cache: yes
cache_valid_time: 3600
when: ansible_os_family == "Debian"
- name: Install base packages
package:
name: "{{ base_packages }}"
state: present
- name: Set timezone
timezone:
name: "{{ timezone }}"
- name: Create system users
user:
name: "{{ ansible_user }}"
groups: sudo
shell: /bin/bash
create_home: yes
when: ansible_user != "root"
- name: Configure SSH
lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
backup: yes
loop:
- { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
- { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
- { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
notify: restart ssh
when: ansible_user != "root"
- name: Install Docker
block:
- name: Add Docker GPG key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker repository
apt_repository:
repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
state: present
- name: Install Docker
package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose-plugin
state: present
- name: Add users to docker group
user:
name: "{{ item }}"
groups: docker
append: yes
loop: "{{ docker_users }}"
- name: Start and enable Docker
systemd:
name: docker
state: started
enabled: yes
- name: Install Docker Compose (standalone)
get_url:
url: "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64"
dest: /usr/local/bin/docker-compose
mode: '0755'
- name: Configure firewall
ufw:
rule: "{{ item.rule }}"
port: "{{ item.port }}"
proto: "{{ item.proto | default('tcp') }}"
loop:
- { rule: 'allow', port: '22' }
- { rule: 'allow', port: '80' }
- { rule: 'allow', port: '443' }
notify: enable ufw
- name: Create application directories
file:
path: "{{ item }}"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0755'
loop:
- /opt/apps
- /opt/data
- /opt/logs
- /opt/backups
- /opt/scripts
- name: Install monitoring tools
package:
name:
- htop
- iotop
- nethogs
- ncdu
- tmux
state: present
- name: Configure system limits
pam_limits:
domain: '*'
limit_type: "{{ item.type }}"
limit_item: "{{ item.item }}"
value: "{{ item.value }}"
loop:
- { type: 'soft', item: 'nofile', value: '65536' }
- { type: 'hard', item: 'nofile', value: '65536' }
- { type: 'soft', item: 'nproc', value: '32768' }
- { type: 'hard', item: 'nproc', value: '32768' }
- name: Configure sysctl
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
reload: yes
loop:
- { name: 'vm.max_map_count', value: '262144' }
- { name: 'fs.file-max', value: '2097152' }
- { name: 'net.core.somaxconn', value: '32768' }
handlers:
- name: restart ssh
systemd:
name: ssh
state: restarted
- name: enable ufw
ufw:
state: enabled
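Review bot: The `Install Docker Compose (standalone)` task fetches a moving `releases/latest` binary via `get_url` with no `checksum:` and installs it executable into `/usr/local/bin`, so the run is not reproducible and a changed or tampered artifact would be installed without notice. Pin the release and verify it, e.g. `url: "https://github.com/docker/compose/releases/download/<PINNED_VERSION>/docker-compose-linux-x86_64"` with `checksum: "sha256:<EXPECTED_SHA256>"` (placeholders to fill in); given that `docker-compose-plugin` is installed a few lines above, the standalone binary may simply be redundant and could be dropped. The `Install Docker` block also has no `when: ansible_os_family == "Debian"` guard and hard-codes the Ubuntu repository and `arch=amd64`, while the play targets `hosts: all` and the earlier apt tasks are guarded, so on a non-Ubuntu or non-amd64 host the wrong repository is configured rather than the block being skipped. Note too that the sshd hardening (`PermitRootLogin no`, `PasswordAuthentication no`) is skipped entirely when `ansible_user == "root"`, leaving sshd at its defaults after a root bootstrap, and nothing in this play deploys an `authorized_key` before password auth is disabled for the non-root case — confirm keys are provisioned elsewhere before this runs.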


@@ -0,0 +1,83 @@
---
- name: System Cleanup and Maintenance
hosts: all
become: yes
gather_facts: yes
tasks:
# 清理包缓存和孤立包
- name: Clean package cache (Debian/Ubuntu)
apt:
autoclean: yes
autoremove: yes
when: ansible_os_family == "Debian"
- name: Remove orphaned packages (Debian/Ubuntu)
shell: apt-get autoremove --purge -y
when: ansible_os_family == "Debian"
# 清理日志文件
- name: Clean old journal logs (keep 7 days)
shell: journalctl --vacuum-time=7d
- name: Clean old log files
find:
paths: /var/log
patterns: "*.log.*,*.gz"
age: "7d"
recurse: yes
register: old_logs
- name: Remove old log files
file:
path: "{{ item.path }}"
state: absent
loop: "{{ old_logs.files }}"
when: old_logs.files is defined
# 清理临时文件
- name: Clean /tmp directory (files older than 7 days)
find:
paths: /tmp
age: "7d"
recurse: yes
register: tmp_files
- name: Remove old temp files
file:
path: "{{ item.path }}"
state: absent
loop: "{{ tmp_files.files }}"
when: tmp_files.files is defined
# Docker 清理 (如果存在)
- name: Check if Docker is installed
command: which docker
register: docker_check
failed_when: false
changed_when: false
- name: Clean Docker system
shell: |
docker system prune -f
docker image prune -f
docker volume prune -f
when: docker_check.rc == 0
# 磁盘空间检查
- name: Check disk usage
shell: df -h
register: disk_usage
- name: Display disk usage
debug:
msg: "{{ disk_usage.stdout_lines }}"
# 内存使用检查
- name: Check memory usage
shell: free -h
register: memory_usage
- name: Display memory usage
debug:
msg: "{{ memory_usage.stdout_lines }}"
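Review bot: `docker volume prune -f` in the `Clean Docker system` task removes every volume not referenced by any container — on Docker releases before 23.0 this includes named volumes, which are typically the persistent data of services that are stopped or, on a Swarm node (this commit adds Swarm management), rescheduled to another host — so running it unattended from cron is a data-loss risk rather than a cleanup. Keep the system and image prune but gate the volume prune behind an opt-in on its own task, e.g. `when: docker_check.rc == 0 and (docker_prune_volumes | default(false))`, or drop the line. The `shell:` tasks (`apt-get autoremove --purge -y`, `journalctl --vacuum-time=7d`, `df -h`, `free -h`) also lack `changed_when`, so every run reports changes even when nothing was removed; `changed_when: false` on the read-only ones, and `command:` instead of `shell:` where no shell features are used, would make the scheduled reports meaningful.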


@@ -0,0 +1,43 @@
---
- name: System Update Playbook
hosts: all
become: yes
gather_facts: yes
tasks:
- name: Wait for automatic system updates to complete
shell: while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do sleep 5; done
when: ansible_os_family == "Debian"
- name: Update apt cache
apt:
update_cache: yes
cache_valid_time: 3600
when: ansible_os_family == "Debian"
retries: 3
delay: 10
- name: Upgrade all packages
apt:
upgrade: yes
autoremove: yes
autoclean: yes
when: ansible_os_family == "Debian"
register: upgrade_result
retries: 3
delay: 10
- name: Display upgrade results
debug:
msg: "System upgrade completed. {{ upgrade_result.changed }} packages were updated."
- name: Check if reboot is required
stat:
path: /var/run/reboot-required
register: reboot_required
when: ansible_os_family == "Debian"
- name: Notify if reboot is required
debug:
msg: "System reboot is required to complete the update."
when: reboot_required.stat.exists is defined and reboot_required.stat.exists
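Review bot: The `Wait for automatic system updates to complete` loop has no upper bound, so a stale holder of `/var/lib/dpkg/lock-frontend` (a hung unattended-upgrades run, for example) makes the play hang indefinitely instead of failing; add a task-level `timeout: 600` (seconds; constructed value, tune to taste) and `changed_when: false` so the wait does not report a change. In `Display upgrade results`, `upgrade_result.changed` is a boolean, so the message renders as "True packages were updated"; either report `upgrade_result.stdout_lines` or reword it, e.g. `msg: "System upgrade completed (changed={{ upgrade_result.changed }})."`. The `retries: 3` on the two apt tasks has no accompanying `until:`, and how bare `retries` behaves differs across ansible-core versions, so make the intent explicit with `until: upgrade_result is succeeded` (and register a result on the cache-update task for the same purpose).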