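---
# Bootstrap a Debian/Ubuntu host: base tooling, Docker CE from Docker's own apt
# repository, SSH hardening, a default-deny ufw ruleset and resource limits.
#
# Security-relevant assumptions — read before pointing this at new hosts:
#   * `ansible_user` must be set in inventory. That account is given sudo AND
#     docker-group membership. Membership of the docker group is
#     root-equivalent on the host (the daemon runs as root), so treat the
#     account as a privileged one.
#   * Password SSH authentication is switched off. The play refuses to do so
#     unless `ansible_user` already has a non-empty ~/.ssh/authorized_keys,
#     so a run cannot lock you out of the box.
#   * Docker's signing key lives in its own keyring and is bound to the Docker
#     repository with `signed-by=`, instead of being trusted for every apt
#     source through the legacy apt-key keyring. Its fingerprint can be pinned.
#   * The standalone docker-compose binary is opt-in and only fetched when
#     pinned to a version with a known checksum; `docker compose` (v2) is
#     already provided by the docker-compose-plugin package.
- name: Bootstrap Infrastructure
  hosts: all
  become: true
  gather_facts: true

  vars:
    # Base packages
    base_packages:
      - curl
      - wget
      - git
      - vim
      - htop
      - tree
      - unzip
      - jq
      - python3
      - python3-pip
      - apt-transport-https
      - ca-certificates
      - gnupg
      - lsb-release

    # Docker configuration
    # Accounts added to the docker group. Root-equivalent — keep this list short.
    docker_users:
      - "{{ ansible_user }}"
    # download.docker.com publishes one repository per distribution (ubuntu,
    # debian). Override for derivatives whose codename does not exist upstream.
    docker_apt_distro: "{{ ansible_distribution | lower }}"
    # Map the kernel's uname -m name to the Debian architecture label used in
    # the apt source line.
    docker_apt_arch_map:
      x86_64: amd64
      aarch64: arm64
      armv7l: armhf
    docker_keyring: /etc/apt/keyrings/docker.asc
    # Optional: full fingerprint of Docker's repository signing key as published
    # at docs.docker.com (40 hex digits, no spaces). When non-empty, the
    # downloaded key is checked against it before the repository is added.
    docker_gpg_fingerprint: ""
    # Optional standalone docker-compose binary. Leave the version empty to
    # skip it. When set, docker_compose_checksum must be the published sha256
    # for the matching release asset, written as "sha256:<hex>" (or
    # "sha256:<url of the release's checksums file>") — taken from the
    # release page, never guessed.
    docker_compose_version: ""
    docker_compose_checksum: ""

    # System configuration
    timezone: "Asia/Shanghai"
    # Inbound ports opened in ufw; everything else is denied by default policy.
    firewall_allowed_ports:
      - { rule: allow, port: "22", proto: tcp }
      - { rule: allow, port: "80", proto: tcp }
      - { rule: allow, port: "443", proto: tcp }
    # Application directories. Data, logs and backups are not world-readable.
    app_directories:
      - { path: /opt/apps, mode: "0755" }
      - { path: /opt/data, mode: "0750" }
      - { path: /opt/logs, mode: "0750" }
      - { path: /opt/backups, mode: "0750" }
      - { path: /opt/scripts, mode: "0755" }

  pre_tasks:
    - name: Check that the play can run against this host
      ansible.builtin.assert:
        that:
          - ansible_user is defined
          - ansible_user | length > 0
          - ansible_os_family != "Debian" or ansible_architecture in docker_apt_arch_map
        fail_msg: >-
          This play needs ansible_user set in inventory and, on Debian-family
          targets, a CPU architecture Docker ships apt packages for
          (got arch={{ ansible_architecture }}).

  tasks:
    - name: Update package cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"

    - name: Install base packages
      ansible.builtin.package:
        name: "{{ base_packages }}"
        state: present

    - name: Set timezone
      community.general.timezone:
        name: "{{ timezone }}"

    - name: Create system users
      ansible.builtin.user:
        name: "{{ ansible_user }}"
        groups: sudo
        # Without append the account would be stripped of every other
        # supplementary group (docker included) on each run.
        append: true
        shell: /bin/bash
        create_home: true
      register: managed_user
      when: ansible_user != "root"

    - name: Check that the managed user already has an SSH key installed
      ansible.builtin.stat:
        path: "{{ managed_user.home }}/.ssh/authorized_keys"
      register: authorized_keys
      when: ansible_user != "root"

    - name: Refuse to disable password login without a key in place
      ansible.builtin.assert:
        that:
          - authorized_keys.stat.exists
          - authorized_keys.stat.size > 0
        fail_msg: >-
          {{ ansible_user }} has no ~/.ssh/authorized_keys. Disabling
          PasswordAuthentication now would lock you out; install a key first
          (if you use a custom AuthorizedKeysFile, adapt this check).
      when: ansible_user != "root"

    - name: Configure SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        backup: true
        # Reject a malformed file before it is written, so the restart
        # handler cannot leave the host without a working sshd.
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
      notify: restart ssh
      when: ansible_user != "root"

    - name: Check for the sshd drop-in directory
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: sshd_config_d

    # Newer Debian/Ubuntu sshd_config files begin with
    # `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the FIRST value
    # it reads for each keyword. A drop-in such as cloud-init's
    # 50-cloud-init.conf setting `PasswordAuthentication yes` would therefore
    # override the edits above. A drop-in that sorts first makes the hardened
    # values win.
    - name: Apply SSH hardening as a first-sorted drop-in
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-hardening.conf
        owner: root
        group: root
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
      notify: restart ssh
      when:
        - ansible_user != "root"
        - sshd_config_d.stat.exists
        - sshd_config_d.stat.isdir

    - name: Install Docker
      block:
        - name: Create apt keyring directory
          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
            owner: root
            group: root
            mode: "0755"

        # Kept in a dedicated keyring and bound to the repository below with
        # `signed-by=`, so this key cannot authenticate packages for any other
        # apt source (which the legacy apt-key trust model allowed).
        - name: Add Docker GPG key
          ansible.builtin.get_url:
            url: "https://download.docker.com/linux/{{ docker_apt_distro }}/gpg"
            dest: "{{ docker_keyring }}"
            owner: root
            group: root
            mode: "0644"

        - name: Read fingerprint of the downloaded Docker key
          ansible.builtin.command:
            argv:
              - gpg
              - --show-keys
              - --with-colons
              - --with-fingerprint
              - "{{ docker_keyring }}"
          register: docker_key_info
          changed_when: false
          when: docker_gpg_fingerprint | length > 0

        - name: Verify Docker key fingerprint
          ansible.builtin.assert:
            that:
              - "('fpr:::::::::' ~ (docker_gpg_fingerprint | upper) ~ ':') in docker_key_info.stdout"
            fail_msg: >-
              The key fetched from download.docker.com does not carry the
              expected fingerprint {{ docker_gpg_fingerprint }}; refusing to
              add the repository.
          when: docker_gpg_fingerprint | length > 0

        # Hosts provisioned by the earlier version of this play carry an
        # entry without signed-by; apt refuses to merge it with the new one
        # ("Conflicting values set for option Signed-By"), so drop it first.
        - name: Remove legacy Docker repository entry (no signed-by)
          ansible.builtin.apt_repository:
            repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
            state: absent

        - name: Add Docker repository
          ansible.builtin.apt_repository:
            repo: >-
              deb [arch={{ docker_apt_arch_map[ansible_architecture] }}
              signed-by={{ docker_keyring }}]
              https://download.docker.com/linux/{{ docker_apt_distro }}
              {{ ansible_distribution_release }} stable
            filename: docker
            state: present

        - name: Install Docker
          ansible.builtin.package:
            name:
              - docker-ce
              - docker-ce-cli
              - containerd.io
              - docker-compose-plugin
            state: present

        # Root-equivalent: anyone in this group controls the daemon.
        - name: Add users to docker group
          ansible.builtin.user:
            name: "{{ item }}"
            groups: docker
            append: true
          loop: "{{ docker_users }}"

        - name: Start and enable Docker
          ansible.builtin.systemd:
            name: docker
            state: started
            enabled: true

        - name: Require a checksum for the pinned standalone docker-compose
          ansible.builtin.assert:
            that:
              - docker_compose_checksum | length > 0
            fail_msg: >-
              docker_compose_version is set but docker_compose_checksum is not;
              refusing to install an unverified binary into /usr/local/bin.
          when: docker_compose_version | length > 0

        # Release assets are named after uname -m for x86_64 and aarch64; other
        # architectures need a different asset name.
        - name: Install Docker Compose (standalone)
          ansible.builtin.get_url:
            url: "https://github.com/docker/compose/releases/download/v{{ docker_compose_version }}/docker-compose-linux-{{ ansible_architecture }}"
            dest: /usr/local/bin/docker-compose
            owner: root
            group: root
            mode: "0755"
            checksum: "{{ docker_compose_checksum }}"
          when: docker_compose_version | length > 0
      when: ansible_os_family == "Debian"

    - name: Set firewall default policies
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }
      notify: enable ufw

    # NOTE: Docker programs its own iptables chains ahead of ufw's, so ports
    # published with `-p` are reachable regardless of these rules. Bind
    # published ports to 127.0.0.1 or filter them in the DOCKER-USER chain;
    # do not rely on ufw alone for containers.
    - name: Configure firewall
      community.general.ufw:
        rule: "{{ item.rule | default('allow') }}"
        port: "{{ item.port }}"
        proto: "{{ item.proto | default('tcp') }}"
      loop: "{{ firewall_allowed_ports }}"
      notify: enable ufw

    - name: Create application directories
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "{{ item.mode }}"
      loop: "{{ app_directories }}"

    - name: Install monitoring tools
      ansible.builtin.package:
        name:
          - htop
          - iotop
          - nethogs
          - ncdu
          - tmux
        state: present

    - name: Configure system limits
      community.general.pam_limits:
        domain: '*'
        limit_type: "{{ item.type }}"
        limit_item: "{{ item.item }}"
        value: "{{ item.value }}"
      loop:
        - { type: 'soft', item: 'nofile', value: '65536' }
        - { type: 'hard', item: 'nofile', value: '65536' }
        - { type: 'soft', item: 'nproc', value: '32768' }
        - { type: 'hard', item: 'nproc', value: '32768' }

    - name: Configure sysctl
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { name: 'vm.max_map_count', value: '262144' }
        - { name: 'fs.file-max', value: '2097152' }
        - { name: 'net.core.somaxconn', value: '32768' }

  handlers:
    # Debian/Ubuntu name the unit "ssh"; existing sessions survive a restart.
    - name: restart ssh
      ansible.builtin.systemd:
        name: ssh
        state: restarted

    # Runs after the allow rules above, so enabling cannot cut off port 22.
    - name: enable ufw
      community.general.ufw:
        state: enabled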