-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup.yml
37 lines (36 loc) · 1.21 KB
/
setup.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#! /usr/bin/ansible-playbook
- name: minimal server setup
hosts: app
become: true
tags: bootstrap
vars:
ssh_ca_private_key_path: ~/.ssh/ca/ssh_ca
ssh_ca_public_key_path: "{{ ssh_ca_private_key_path }}.pub"
roles:
- create_ansible_user
- trust_ssh_ca
- sign_host_keys
- secure_access
- name: full app server setup
hosts: app
become: true
vars:
domain: "{{ '.'.join(inventory_hostname.split('.')[-2:]) }}"
server_email: "server+{{ inventory_hostname_short }}@{{ domain }}"
mail_forwarding: "{{ mail_forwarding_json | from_json }}"
pre_tasks:
# This doesn't work reliably. Effectively, this tests the mtime of
# /var/lib/apt/lists, however that depends on (I think) the image creation
# time. Changing it to a day makes it work (update_period - 1) /
# update_period percent of the time, since auto-upgrades happen daily.
# TODO: A better solution might be to move the apt-get update
# unconditionally into cloud-init, since it can't be reproducibly done via
# Ansible.
- name: update package cache
apt:
cache_valid_time: 86400
roles:
- setup_automatic_updates
- increase_max_user_watches
- borgmatic
- docker