mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
fix: cleanup freebsd and alpine stuff (#105)
parent
e502a92451
commit
d3b516c594
12 changed files with 22 additions and 300 deletions
|
|
@ -11,7 +11,7 @@
|
||||||
#
|
#
|
||||||
# Prerequisites:
|
# Prerequisites:
|
||||||
# - Target host has SSH access via Tailscale
|
# - Target host has SSH access via Tailscale
|
||||||
# - Target host has a base OS installed (Debian/FreeBSD)
|
# - Target host has a base OS installed (Debian)
|
||||||
# - ansible-galaxy install -r requirements.yml
|
# - ansible-galaxy install -r requirements.yml
|
||||||
|
|
||||||
# ──────────────────────────────────────────────
|
# ──────────────────────────────────────────────
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
# Update all hosts (apt for Linux, pkg for FreeBSD, apk for Alpine).
|
# Update all hosts (apt upgrade).
|
||||||
# Usage: ansible-playbook playbooks/update-all.yml
|
# Usage: ansible-playbook playbooks/update-all.yml
|
||||||
|
|
||||||
- name: Update Linux hosts (apt)
|
- name: Update Linux hosts (apt)
|
||||||
|
|
@ -28,37 +28,3 @@
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "WARNING: REBOOT REQUIRED on {{ inventory_hostname }}"
|
msg: "WARNING: REBOOT REQUIRED on {{ inventory_hostname }}"
|
||||||
when: reboot_required.stat.exists
|
when: reboot_required.stat.exists
|
||||||
|
|
||||||
- name: Update Alpine hosts (apk)
|
|
||||||
hosts: alpine
|
|
||||||
ignore_unreachable: true
|
|
||||||
tags: [update, alpine]
|
|
||||||
tasks:
|
|
||||||
- name: Apk update + upgrade
|
|
||||||
community.general.apk:
|
|
||||||
update_cache: true
|
|
||||||
upgrade: true
|
|
||||||
register: apk_result
|
|
||||||
|
|
||||||
- name: Show upgrade summary
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ apk_result.stdout_lines | default(['No output']) }}"
|
|
||||||
|
|
||||||
- name: Update FreeBSD hosts (pkg)
|
|
||||||
hosts: freebsd
|
|
||||||
ignore_unreachable: true
|
|
||||||
tags: [update, freebsd]
|
|
||||||
tasks:
|
|
||||||
- name: Pkg update
|
|
||||||
ansible.builtin.command: pkg update -f
|
|
||||||
register: pkg_update_result
|
|
||||||
changed_when: "'Updating' in pkg_update_result.stdout"
|
|
||||||
|
|
||||||
- name: Pkg upgrade
|
|
||||||
ansible.builtin.command: pkg upgrade -y
|
|
||||||
register: pkg_upgrade_result
|
|
||||||
changed_when: "'upgraded' in pkg_upgrade_result.stdout or 'installed' in pkg_upgrade_result.stdout"
|
|
||||||
|
|
||||||
- name: Show upgrade summary
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ pkg_upgrade_result.stdout_lines | default(['No output']) }}"
|
|
||||||
|
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
||||||
---
|
|
||||||
# Update FreeBSD hosts only (pkg).
|
|
||||||
# Usage: ansible-playbook playbooks/update-freebsd.yml
|
|
||||||
#
|
|
||||||
# Equivalent to: ansible-playbook playbooks/update-all.yml --tags freebsd
|
|
||||||
# This is a convenience wrapper for when you only want FreeBSD hosts.
|
|
||||||
|
|
||||||
- name: Update FreeBSD hosts (pkg)
|
|
||||||
hosts: freebsd
|
|
||||||
ignore_unreachable: true
|
|
||||||
tasks:
|
|
||||||
- name: Pkg update
|
|
||||||
ansible.builtin.command: pkg update -f
|
|
||||||
register: pkg_update_result
|
|
||||||
changed_when: "'Updating' in pkg_update_result.stdout"
|
|
||||||
|
|
||||||
- name: Pkg upgrade
|
|
||||||
ansible.builtin.command: pkg upgrade -y
|
|
||||||
register: pkg_upgrade_result
|
|
||||||
changed_when: "'upgraded' in pkg_upgrade_result.stdout or 'installed' in pkg_upgrade_result.stdout"
|
|
||||||
|
|
||||||
- name: Show upgrade summary
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ pkg_upgrade_result.stdout_lines | default(['No output']) }}"
|
|
||||||
|
|
@ -1,9 +1,6 @@
|
||||||
---
|
---
|
||||||
# Update Linux hosts only (apt + Alpine apk).
|
# Update Linux hosts (apt upgrade). Alias for update-all.yml.
|
||||||
# Usage: ansible-playbook playbooks/update-linux.yml
|
# Usage: ansible-playbook playbooks/update-linux.yml
|
||||||
#
|
|
||||||
# Equivalent to: ansible-playbook playbooks/update-all.yml --tags linux,alpine
|
|
||||||
# This is a convenience wrapper for when you only want Linux hosts.
|
|
||||||
|
|
||||||
- name: Update Linux hosts (apt)
|
- name: Update Linux hosts (apt)
|
||||||
hosts: linux
|
hosts: linux
|
||||||
|
|
@ -30,17 +27,3 @@
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "WARNING: REBOOT REQUIRED on {{ inventory_hostname }}"
|
msg: "WARNING: REBOOT REQUIRED on {{ inventory_hostname }}"
|
||||||
when: reboot_required.stat.exists
|
when: reboot_required.stat.exists
|
||||||
|
|
||||||
- name: Update Alpine hosts (apk)
|
|
||||||
hosts: alpine
|
|
||||||
ignore_unreachable: true
|
|
||||||
tasks:
|
|
||||||
- name: Apk update + upgrade
|
|
||||||
community.general.apk:
|
|
||||||
update_cache: true
|
|
||||||
upgrade: true
|
|
||||||
register: apk_result
|
|
||||||
|
|
||||||
- name: Show upgrade summary
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ apk_result.stdout_lines | default(['No output']) }}"
|
|
||||||
|
|
|
||||||
|
|
@ -6,9 +6,8 @@
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
cache_valid_time: 3600
|
cache_valid_time: 3600
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Install baseline packages (Debian)
|
- name: Install baseline packages
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- curl
|
- curl
|
||||||
|
|
@ -24,44 +23,6 @@
|
||||||
- fail2ban
|
- fail2ban
|
||||||
- ufw
|
- ufw
|
||||||
state: present
|
state: present
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Install baseline packages (Alpine)
|
|
||||||
community.general.apk:
|
|
||||||
name:
|
|
||||||
- curl
|
|
||||||
- wget
|
|
||||||
- git
|
|
||||||
- htop
|
|
||||||
- tmux
|
|
||||||
- vim
|
|
||||||
- jq
|
|
||||||
- fish
|
|
||||||
- rsync
|
|
||||||
- shadow
|
|
||||||
- py3-requests
|
|
||||||
state: present
|
|
||||||
when: ansible_facts["os_family"] == "Alpine"
|
|
||||||
|
|
||||||
- name: Install baseline packages (FreeBSD)
|
|
||||||
community.general.pkgng:
|
|
||||||
name:
|
|
||||||
- curl
|
|
||||||
- wget
|
|
||||||
- git
|
|
||||||
- htop
|
|
||||||
- tmux
|
|
||||||
- vim
|
|
||||||
- jq
|
|
||||||
- rsync
|
|
||||||
state: present
|
|
||||||
when: ansible_facts["os_family"] == "FreeBSD"
|
|
||||||
|
|
||||||
- name: Install fish shell
|
|
||||||
ansible.builtin.package:
|
|
||||||
name: fish
|
|
||||||
state: present
|
|
||||||
when: inventory_hostname != 'london-a'
|
|
||||||
|
|
||||||
- name: Get fish shell path
|
- name: Get fish shell path
|
||||||
ansible.builtin.command: which fish
|
ansible.builtin.command: which fish
|
||||||
|
|
@ -92,33 +53,27 @@
|
||||||
- {regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no'}
|
- {regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no'}
|
||||||
- {regexp: '^#?X11Forwarding', line: 'X11Forwarding no'}
|
- {regexp: '^#?X11Forwarding', line: 'X11Forwarding no'}
|
||||||
notify: Restart sshd
|
notify: Restart sshd
|
||||||
when: ansible_facts["os_family"] != "FreeBSD"
|
|
||||||
|
|
||||||
- name: Enable fail2ban (Debian)
|
- name: Enable fail2ban
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
# --- UFW firewall (Debian only) ---
|
# --- UFW firewall ---
|
||||||
|
|
||||||
- name: Set UFW default deny incoming
|
- name: Set UFW default deny incoming
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
direction: incoming
|
direction: incoming
|
||||||
default: deny
|
default: deny
|
||||||
when:
|
when: common_ufw_enabled | bool
|
||||||
- ansible_facts["os_family"] == "Debian"
|
|
||||||
- common_ufw_enabled | bool
|
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
||||||
- name: Set UFW default allow outgoing
|
- name: Set UFW default allow outgoing
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
direction: outgoing
|
direction: outgoing
|
||||||
default: allow
|
default: allow
|
||||||
when:
|
when: common_ufw_enabled | bool
|
||||||
- ansible_facts["os_family"] == "Debian"
|
|
||||||
- common_ufw_enabled | bool
|
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
||||||
- name: Allow all traffic on Tailscale interface
|
- name: Allow all traffic on Tailscale interface
|
||||||
|
|
@ -127,9 +82,7 @@
|
||||||
direction: in
|
direction: in
|
||||||
interface: tailscale0
|
interface: tailscale0
|
||||||
comment: "Tailscale mesh - allow all"
|
comment: "Tailscale mesh - allow all"
|
||||||
when:
|
when: common_ufw_enabled | bool
|
||||||
- ansible_facts["os_family"] == "Debian"
|
|
||||||
- common_ufw_enabled | bool
|
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
||||||
- name: Allow SSH (safety net)
|
- name: Allow SSH (safety net)
|
||||||
|
|
@ -138,9 +91,7 @@
|
||||||
port: '22'
|
port: '22'
|
||||||
proto: tcp
|
proto: tcp
|
||||||
comment: "SSH"
|
comment: "SSH"
|
||||||
when:
|
when: common_ufw_enabled | bool
|
||||||
- ansible_facts["os_family"] == "Debian"
|
|
||||||
- common_ufw_enabled | bool
|
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
||||||
- name: Allow host-specific ports
|
- name: Allow host-specific ports
|
||||||
|
|
@ -151,7 +102,6 @@
|
||||||
comment: "{{ item.comment | default(omit) }}"
|
comment: "{{ item.comment | default(omit) }}"
|
||||||
loop: "{{ common_ufw_allowed_ports }}"
|
loop: "{{ common_ufw_allowed_ports }}"
|
||||||
when:
|
when:
|
||||||
- ansible_facts["os_family"] == "Debian"
|
|
||||||
- common_ufw_enabled | bool
|
- common_ufw_enabled | bool
|
||||||
- common_ufw_allowed_ports | length > 0
|
- common_ufw_allowed_ports | length > 0
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
@ -159,6 +109,4 @@
|
||||||
- name: Enable UFW
|
- name: Enable UFW
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
when:
|
when: common_ufw_enabled | bool
|
||||||
- ansible_facts["os_family"] == "Debian"
|
|
||||||
- common_ufw_enabled | bool
|
|
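Review bot: With every `when: ansible_facts["os_family"] == "Debian"` guard removed across these hunks, nothing in the visible tasks states that the role now supports Debian-family hosts only. A host of another family that is still in the inventory would fail with a module error instead of a clear message. A fail-fast assertion as the first task of this file makes the assumption explicit; the same applies to the Docker task file further down, which loses the same guards. Separately, the `Install fish shell` task is removed while `Get fish shell path` still runs `which fish`; the Debian package list is only partly visible here, so confirm it includes `fish`.

```yaml
# first task of the task file, before the apt cache update
- name: Assert supported OS family
  ansible.builtin.assert:
    that:
      - ansible_facts["os_family"] == "Debian"
    fail_msg: "This role supports Debian-family hosts only"
```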
||||||
|
|
|
||||||
|
|
@ -9,14 +9,12 @@
|
||||||
- gnupg
|
- gnupg
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Create keyrings directory
|
- name: Create keyrings directory
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/apt/keyrings
|
path: /etc/apt/keyrings
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Set Docker repo variables
|
- name: Set Docker repo variables
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
|
|
@ -26,7 +24,6 @@
|
||||||
{{ ansible_facts['architecture']
|
{{ ansible_facts['architecture']
|
||||||
| regex_replace('x86_64', 'amd64')
|
| regex_replace('x86_64', 'amd64')
|
||||||
| regex_replace('aarch64', 'arm64') }}
|
| regex_replace('aarch64', 'arm64') }}
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Build Docker repo line
|
- name: Build Docker repo line
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
|
|
@ -35,7 +32,6 @@
|
||||||
signed-by=/etc/apt/keyrings/docker.asc]
|
signed-by=/etc/apt/keyrings/docker.asc]
|
||||||
https://download.docker.com/linux/{{ docker_distro }}
|
https://download.docker.com/linux/{{ docker_distro }}
|
||||||
{{ ansible_facts['distribution_release'] }} stable
|
{{ ansible_facts['distribution_release'] }} stable
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Add Docker GPG key
|
- name: Add Docker GPG key
|
||||||
ansible.builtin.get_url:
|
ansible.builtin.get_url:
|
||||||
|
|
@ -43,7 +39,6 @@
|
||||||
dest: /etc/apt/keyrings/docker.asc
|
dest: /etc/apt/keyrings/docker.asc
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
force: false
|
force: false
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Add Docker apt repository
|
- name: Add Docker apt repository
|
||||||
ansible.builtin.apt_repository:
|
ansible.builtin.apt_repository:
|
||||||
|
|
@ -51,7 +46,6 @@
|
||||||
filename: docker
|
filename: docker
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Remove old docker packages (Debian/Ubuntu)
|
- name: Remove old docker packages (Debian/Ubuntu)
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
|
@ -60,7 +54,6 @@
|
||||||
- docker-compose
|
- docker-compose
|
||||||
- docker-compose-v2
|
- docker-compose-v2
|
||||||
state: absent
|
state: absent
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Install Docker (Debian/Ubuntu)
|
- name: Install Docker (Debian/Ubuntu)
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
|
@ -70,15 +63,6 @@
|
||||||
- containerd.io
|
- containerd.io
|
||||||
- docker-compose-plugin
|
- docker-compose-plugin
|
||||||
state: present
|
state: present
|
||||||
when: ansible_facts["os_family"] == "Debian"
|
|
||||||
|
|
||||||
- name: Install Docker (Alpine)
|
|
||||||
community.general.apk:
|
|
||||||
name:
|
|
||||||
- docker
|
|
||||||
- docker-cli-compose
|
|
||||||
state: present
|
|
||||||
when: ansible_facts["os_family"] == "Alpine"
|
|
||||||
|
|
||||||
- name: Enable and start Docker
|
- name: Enable and start Docker
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
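Review bot: The `Add Docker GPG key` task downloads the repository signing key with `ansible.builtin.get_url` and, judging by the lines visible around the hunk, sets only `dest`, `mode` and `force: false`, so the key is trusted on first download and never compared with a known value. Every package from the Docker repository is then verified against that file through `signed-by=/etc/apt/keyrings/docker.asc`, which makes the key the root of trust for the install. Consider pinning it with `checksum: "sha256:<EXPECTED_KEY_DIGEST>"` (placeholder; take the digest from a copy of the key whose fingerprint was verified out of band). The task's `url` line falls between hunks and is not shown.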
||||||
|
|
|
||||||
|
|
@ -1,9 +0,0 @@
|
||||||
---
|
|
||||||
# firewall_alpine defaults
|
|
||||||
|
|
||||||
# Enable iptables persistence via OpenRC
|
|
||||||
firewall_alpine_persist: true
|
|
||||||
|
|
||||||
# fail2ban SSH protection
|
|
||||||
firewall_alpine_fail2ban_enabled: true
|
|
||||||
firewall_alpine_fail2ban_maxretry: 10
|
|
||||||
|
|
@ -1,9 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restore iptables
|
|
||||||
ansible.builtin.shell: iptables-restore < /etc/iptables/rules-save
|
|
||||||
changed_when: true
|
|
||||||
|
|
||||||
- name: Restart fail2ban
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: fail2ban
|
|
||||||
state: restarted
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
||||||
---
|
|
||||||
# Firewall management for Alpine hosts.
|
|
||||||
# Manages iptables persistence and fail2ban for SSH protection.
|
|
||||||
#
|
|
||||||
# NOTE: Docker manages port-forwarding rules for published container ports
|
|
||||||
# (e.g. mail ports on nuremberg-a). This role only handles non-Docker rules.
|
|
||||||
|
|
||||||
- name: Install iptables and fail2ban
|
|
||||||
community.general.apk:
|
|
||||||
name:
|
|
||||||
- iptables
|
|
||||||
- fail2ban
|
|
||||||
state: present
|
|
||||||
|
|
||||||
# --- iptables persistence ---
|
|
||||||
|
|
||||||
- name: Ensure /etc/iptables directory exists
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: /etc/iptables
|
|
||||||
state: directory
|
|
||||||
mode: '0700'
|
|
||||||
|
|
||||||
- name: Deploy iptables rules
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: rules.v4.j2
|
|
||||||
dest: /etc/iptables/rules-save
|
|
||||||
mode: '0600'
|
|
||||||
notify: Restore iptables
|
|
||||||
when: firewall_alpine_persist | bool
|
|
||||||
|
|
||||||
- name: Ensure iptables starts on boot
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: iptables
|
|
||||||
enabled: true
|
|
||||||
when: firewall_alpine_persist | bool
|
|
||||||
|
|
||||||
# --- fail2ban ---
|
|
||||||
|
|
||||||
- name: Deploy fail2ban Alpine SSH jail
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: alpine-ssh.conf.j2
|
|
||||||
dest: /etc/fail2ban/jail.d/alpine-ssh.conf
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart fail2ban
|
|
||||||
when: firewall_alpine_fail2ban_enabled | bool
|
|
||||||
|
|
||||||
- name: Enable fail2ban
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: fail2ban
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
when: firewall_alpine_fail2ban_enabled | bool
|
|
||||||
|
|
@ -1,16 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
# fail2ban SSH jails for Alpine Linux
|
|
||||||
|
|
||||||
[sshd]
|
|
||||||
enabled = true
|
|
||||||
filter = alpine-sshd
|
|
||||||
port = ssh
|
|
||||||
logpath = /var/log/messages
|
|
||||||
maxretry = {{ firewall_alpine_fail2ban_maxretry }}
|
|
||||||
|
|
||||||
[sshd-ddos]
|
|
||||||
enabled = true
|
|
||||||
filter = alpine-sshd-ddos
|
|
||||||
port = ssh
|
|
||||||
logpath = /var/log/messages
|
|
||||||
maxretry = {{ firewall_alpine_fail2ban_maxretry }}
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
# iptables rules for {{ inventory_hostname }}
|
|
||||||
#
|
|
||||||
# Docker and Tailscale manage their own chains automatically.
|
|
||||||
# This file captures non-Docker, non-Tailscale INPUT rules only.
|
|
||||||
#
|
|
||||||
# Mail ports (25,80,110,143,443,465,587,993,995) are exposed via
|
|
||||||
# Docker port mappings — traffic goes through FORWARD, not INPUT.
|
|
||||||
|
|
||||||
*filter
|
|
||||||
:INPUT DROP [0:0]
|
|
||||||
:FORWARD ACCEPT [0:0]
|
|
||||||
:OUTPUT ACCEPT [0:0]
|
|
||||||
|
|
||||||
# Allow loopback
|
|
||||||
-A INPUT -i lo -j ACCEPT
|
|
||||||
|
|
||||||
# Allow established and related connections
|
|
||||||
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
|
|
||||||
# Allow all traffic on Tailscale interface
|
|
||||||
-A INPUT -i tailscale0 -j ACCEPT
|
|
||||||
|
|
||||||
# Allow SSH (public access — fail2ban provides brute-force protection)
|
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
|
|
||||||
# Allow ICMP (ping)
|
|
||||||
-A INPUT -p icmp -j ACCEPT
|
|
||||||
|
|
||||||
{% for rule in firewall_alpine_extra_input_rules | default([]) %}
|
|
||||||
{{ rule }}
|
|
||||||
{% endfor %}
|
|
||||||
COMMIT
|
|
||||||
|
|
@ -1,29 +1,13 @@
|
||||||
---
|
---
|
||||||
# ZFS management: scrub scheduling, pool monitoring.
|
# ZFS scrub scheduling.
|
||||||
# Supports both Linux (systemd timers / cron) and FreeBSD (crontab).
|
|
||||||
|
|
||||||
- name: "ZFS scrub scheduling (Linux)"
|
- name: Install ZFS scrub cron jobs
|
||||||
when: ansible_os_family != "FreeBSD" and zfs_scrub_enabled
|
ansible.builtin.cron:
|
||||||
block:
|
name: "ZFS scrub {{ item }}"
|
||||||
- name: Install ZFS scrub cron jobs (Linux)
|
minute: "{{ zfs_scrub_minute }}"
|
||||||
ansible.builtin.cron:
|
hour: "{{ zfs_scrub_hour }}"
|
||||||
name: "ZFS scrub {{ item }}"
|
weekday: "{{ zfs_scrub_weekday }}"
|
||||||
minute: "{{ zfs_scrub_minute }}"
|
job: "/sbin/zpool scrub {{ item }}"
|
||||||
hour: "{{ zfs_scrub_hour }}"
|
user: root
|
||||||
weekday: "{{ zfs_scrub_weekday }}"
|
loop: "{{ zfs_pools }}"
|
||||||
job: "/sbin/zpool scrub {{ item }}"
|
when: zfs_scrub_enabled
|
||||||
user: root
|
|
||||||
loop: "{{ zfs_pools }}"
|
|
||||||
|
|
||||||
- name: "ZFS scrub scheduling (FreeBSD)"
|
|
||||||
when: ansible_os_family == "FreeBSD" and zfs_scrub_enabled
|
|
||||||
block:
|
|
||||||
- name: Install ZFS scrub cron jobs (FreeBSD)
|
|
||||||
ansible.builtin.cron:
|
|
||||||
name: "ZFS scrub {{ item }}"
|
|
||||||
minute: "{{ zfs_scrub_minute }}"
|
|
||||||
hour: "{{ zfs_scrub_hour }}"
|
|
||||||
weekday: "{{ zfs_scrub_weekday }}"
|
|
||||||
job: "/sbin/zpool scrub {{ item }}"
|
|
||||||
user: root
|
|
||||||
loop: "{{ zfs_pools }}"
|
|
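Review bot: The new condition `when: zfs_scrub_enabled` is a bare variable, while the UFW tasks in this commit use `common_ufw_enabled | bool`. A value that arrives as a string (for example from `-e` on the command line) is not reliably treated as false, so `when: zfs_scrub_enabled | bool` is safer and consistent. The cron `job` also interpolates the pool name into a command that runs as root; `job: "/sbin/zpool scrub {{ item | quote }}"` keeps an unusual entry in `zfs_pools` from being parsed as extra shell words.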
||||||
|
|
|
||||||