Servercow-Ansible/operating-automation
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

current state + english docs

Browse Source
This commit is contained in:
Ansible Servercow
2026-02-20 13:56:27 +01:00
parent 787f438a97
commit ea7d5112d6
46 changed files with 519 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
playbooks/cleanups/clean-pve-snapshots.yml Normal file
View File

@@ -0,0 +1,16 @@
- hosts: all
user: tincadmin
gather_facts: false
become: true
vars_files:
# Load vault file for sensitive data like Proxmox API tokens
- ../../vault.yml
tasks:
- name: Include Proxmox Info task
ansible.builtin.include_role:
name: proxmox-automation
tasks_from: get-vmid
- name: Clean Proxmox VE Snapshots
ansible.builtin.include_role:
name: proxmox-automation
tasks_from: delete-snapshots

2
playbooks/deploy-clamav-server.yml
View File

@@ -1,4 +1,6 @@
---
- hosts: clamav-servers
user: tincadmin
become: true
roles:
- deploy-clamd

2
playbooks/docker/cleanup-all.yml
View File

@@ -1,5 +1,7 @@
- name: Run Docker Cleanup (full)
hosts: all
user: tincadmin
become: true
tasks:
- include_role:
name: managed-mailcow

2
playbooks/docker/cleanup-images.yml
View File

@@ -1,5 +1,7 @@
- name: Clean Docker Images on Host
hosts: all
user: tincadmin
become: true
tasks:
- include_role:
name: docker

11
playbooks/docker/install-docker.yml Normal file
View File

@@ -0,0 +1,11 @@
- name: Install Docker on Host
hosts: all
user: tincadmin
become: true
tasks:
- include_role:
name: system
tasks_from: install-docker.yaml
vars:
docker_install_source: "official"

2
playbooks/hardening/manage-ssh-keys.yaml
View File

@@ -1,4 +1,6 @@
- hosts: all
user: tincadmin
become: true
# vars:
# good_keys: "{{ lookup('env', 'good_keys') | from_json }}"
# bad_keys: "{{ lookup('env', 'bad_keys') | from_json }}"

2
playbooks/managed-mailcow/add-haveged.yaml
View File

@@ -1,6 +1,8 @@
---
- name: Deploy Haveged to VMs
hosts: all
user: tincadmin
become: true
tasks:
- name: Install Haveged
apt:

6
playbooks/managed-mailcow/change-garbagecleaner.yaml
View File

@@ -1,10 +1,12 @@
---
- name: Garbage Cleaner ändern
- name: Change garbage cleaner configuration
hosts: all
user: tincadmin
become: true
tasks:
- name: "Prüfe ob mailcow.conf exists"
- name: "Check if mailcow.conf exists"
ansible.builtin.stat:
path: /opt/mailcow-dockerized/mailcow.conf
register: mailcow_conf

8
playbooks/managed-mailcow/count-mailboxes.yml
View File

@@ -1,6 +1,8 @@
---
- name: Mailcow Mailbox Counter
hosts: all
user: tincadmin
become: true
gather_facts: no
tasks:
- import_role:
@@ -26,18 +28,18 @@
ansible.builtin.set_fact:
mailbox_count_int: "{{ mailbox_count.stdout | int }}"
- name: Summiere alle Mailboxen über alle Hosts
- name: Summarize all mailboxes across all hosts
hosts: all
gather_facts: false
run_once: true
tasks:
- name: Summiere aktive Mailboxen
- name: Summarize active mailboxes
ansible.builtin.set_fact:
total_mailboxes: "{{ (total_mailboxes | default(0) | int) + (item.value.mailbox_count_int | default(0) | int) }}"
loop: "{{ hostvars | dict2items }}"
when: "'mailbox_count_int' in item.value"
- name: Zeige Gesamtsumme
- name: Show total sum
ansible.builtin.debug:
msg: "Gesamtanzahl aktiver Mailboxen: {{ total_mailboxes }}"

6
playbooks/managed-mailcow/enable-sni-globally.yml
View File

@@ -2,6 +2,8 @@
- name: Enable SNI globally
hosts: all
user: tincadmin
become: true
vars:
debug: false
tasks:
@@ -11,12 +13,12 @@
name: managed-mailcow
tasks_from: find-mailcow-composedir
- name: "Prüfe ob mailcow.conf exists"
- name: "Check if mailcow.conf exists"
ansible.builtin.stat:
path: "{{ mailcow_dir_result.files[0].path }}/mailcow.conf"
register: mailcow_conf
- name: "Setze SNI global ein"
- name: "Set SNI globally"
ansible.builtin.replace:
path: "{{ mailcow_dir_result.files[0].path }}/mailcow.conf"
regexp: "^ENABLE_SSL_SNI=n"

13
playbooks/managed-mailcow/find-roundcube-versions.yaml
View File

@@ -1,6 +1,7 @@
---
- name: Prüfe mailcow-Installation und extrahiere Roundcube-Version aus CHANGELOG.md
- name: Check mailcow installation and extract Roundcube version from CHANGELOG.md
hosts: all
user: tincadmin
become: true
vars:
mailcow_search_paths:
@@ -28,20 +29,20 @@
mailcow_root: "{{ mailcow_dir_result.files[0].path }}"
when: mailcow_dir_result.matched > 0
- name: Prüfe auf Roundcube-Ordner unter data/web
- name: Check for Roundcube folder under data/web
ansible.builtin.stat:
path: "{{ mailcow_root }}/data/web/{{ item }}"
loop: "{{ rc_dirs }}"
register: rc_stat
when: mailcow_root is defined
- name: Bestimme den tatsächlichen Roundcube-Pfad
- name: Determine the actual Roundcube path
ansible.builtin.set_fact:
rc_path: "{{ mailcow_root }}/data/web/{{ item.item }}"
loop: "{{ rc_stat.results }}"
when: item.stat.exists and item.stat.isdir
- name: Prüfe ob CHANGELOG.md existiert
- name: Check if CHANGELOG.md exists
ansible.builtin.stat:
path: "{{ rc_path }}/CHANGELOG.md"
register: changelog_stat
@@ -61,9 +62,9 @@
msg: "Roundcube-Version (laut CHANGELOG.md): {{ rc_version.stdout }}"
when: rc_version.stdout != ""
- name: Warnung wenn keine CHANGELOG.md gefunden wurde
- name: Warning if no CHANGELOG.md found
ansible.builtin.debug:
msg: "Keine CHANGELOG.md unter {{ rc_path }} gefunden."
msg: "No CHANGELOG.md found under {{ rc_path }}."
when:
- rc_path is defined
- not changelog_stat.stat.exists

2
playbooks/managed-mailcow/install-register-cmk-agent.yaml
View File

@@ -1,5 +1,7 @@
- name: "Register hosts against a remote site. Both for updates and TLS."
hosts: all
user: tincadmin
become: true
strategy: linear
vars:
# Basic server and authentication information.

2
playbooks/managed-mailcow/migrate-clamd.yaml
View File

@@ -2,6 +2,8 @@
- name: ClamAV Server auf neuen shared ClamAV setzen
hosts: all
user: tincadmin
become: true
tasks:
- name: "Setze ClamAV Server in rspamd Config auf managed mailcows"
ansible.builtin.replace:

2
playbooks/managed-mailcow/remove-watchdog-mail.yaml
View File

@@ -2,6 +2,8 @@
- name: Enable SNI globally
hosts: all
user: tincadmin
become: true
vars:
debug: false
tasks:

2
playbooks/managed-mailcow/start-stop-mailcow.yaml
View File

@@ -1,5 +1,7 @@
- name: Start/Stop mailcow
hosts: all
user: tincadmin
become: true
tasks:
- import_role:
name: managed-mailcow

65
playbooks/managed-mailcow/update-mailcow.yaml
View File

@@ -1,10 +1,23 @@
- name: Update mailcow (update.sh)
hosts: all
user: tincadmin
become: true
vars:
github_mailcow_ver: "2025-09b" # GitHub Version Tag | Value to compare the current running mailcow version to.
disk_space_percent_max: "97" # Number in percent | Defines the max allowed disk utilization until ansible is not updating mailcow automatically
github_mailcow_ver: "2026-01" # GitHub Version Tag | Value to compare the current running mailcow version to.
do_snapshots: true # Set to true to create Proxmox snapshots before updating mailcow
debug: true # Or False if you dont' wanna see verbose outputs of role outputs
load_vault: true # Set to true to load vault file for sensitive data like Proxmox API tokens
pre_tasks:
- name: Load vault vars (optional)
ansible.builtin.include_vars:
file: ../../vault.yml
when: load_vault | bool
no_log: true
tasks:
- import_role:
name: roles/managed-mailcow
tasks_from: find-mailcow-composedir.yml
@@ -12,16 +25,52 @@
- import_role:
name: roles/managed-mailcow
tasks_from: install-mailcow-components.yml
when: mailcow_dir_result.files[0].path is defined
- ansible.builtin.import_role:
name: roles/managed-mailcow
tasks_from: check-mailcow-install-status.yml
when: mailcow_dir_result.files[0].path is defined
- ansible.builtin.import_role:
name: roles/managed-mailcow
tasks_from: get-mailcow-current-version.yml
when: mailcow_conf.stat.exists
failed_when: local_mailcow_version is not defined
- name: Check Disk Utilization
import_role:
name: roles/system
tasks_from: check-disk-utilization.yaml
- block:
- name: Include Proxmox Info task
ansible.builtin.include_role:
name: proxmox-automation
tasks_from: get-vmid
- name: Create Snapshot before Modifications
ansible.builtin.include_role:
name: proxmox-automation
tasks_from: create-snapshots
vars:
snapshot_name: "pre-mailcow-update-{{ github_mailcow_ver }}"
when:
- do_snapshots
- local_mailcow_version.stdout != github_mailcow_ver
- disk_space_output.stdout | bool # Checks if snapshots are available, mailcow needs an update and disk space is sufficient if any of these is false no snapshot will be created
- proxmox_host is defined
- proxmox_user is defined
- proxmox_token_id is defined
- proxmox_token_secret is defined
- import_role:
name: roles/managed-mailcow
tasks_from: update-mailcow.yml
- import_role:
name: roles/docker
tasks_from: restart-daemon.yml
when: github_mailcow_ver == "2025-09b" # Only restart docker if mailcow was updated
when: local_mailcow_version.stdout != github_mailcow_ver and disk_space_output.stdout | bool
- import_role:
name: roles/docker
tasks_from: cleanup-all.yml
tasks_from: cleanup-all.yml
when: update_mailcow is changed

41
playbooks/managed-mailcow/update-mailcow.yaml.old
View File

@@ -1,41 +0,0 @@
---
- name: Update mailcow stacks
hosts: all
vars:
github_mailcow_ver: "2024-08a"
mailcow_search_paths:
- /opt
- /data
- /root
tasks:
- name: Find mailcow-dockerized directory
ansible.builtin.find:
file_type: directory
paths: "{{ mailcow_search_paths }}"
patterns: mailcow-dockerized
recurse: yes
register: mailcow_dir_result
ignore_errors: true
- name: 'DEBUG: Show file paths'
debug:
msg: "{{ mailcow_dir_result.files[0].path }}"
when: mailcow_dir_result is defined
- name: Check if mailcow.conf exists
ansible.builtin.stat:
path: "{{ mailcow_dir_result.files[0].path }}/mailcow.conf"
register: mailcow_conf
when: mailcow_dir_result is defined
- name: Check mailcow Version
ansible.builtin.shell: |
cd {{ mailcow_dir_result.files[0].path }}/data/web/inc
grep -oP '\$MAILCOW_GIT_VERSION="\K[^"]+' app_info.inc.php
register: local_mailcow_version
when: mailcow_conf.stat.exists
- name: Update mailcow
shell: "cd {{ mailcow_dir_result.files[0].path }} && git fetch && git checkout origin/master update.sh && ./update.sh --force"
when: local_mailcow_version.stdout != github_mailcow_ver and mailcow_conf.stat.exists

3
playbooks/managed-mailcow/use-docker-image-proxy.yaml
View File

@@ -1,7 +1,8 @@
---
- name: Update Docker Daemon configuration and apply proxy settings
hosts: all
become: yes
user: tincadmin
become: true
tasks:
- name: Read current Docker daemon.json
ansible.builtin.slurp:

3
playbooks/managed-mailcow/use-syslog-server.yaml
View File

@@ -1,7 +1,8 @@
---
- name: Update Docker Daemon configuration to use Syslog Server
hosts: all
become: yes
user: tincadmin
become: true
tasks:
- name: Read current Docker daemon.json
ansible.builtin.slurp:

2
playbooks/os-change-mirror.yml
View File

@@ -1,5 +1,7 @@
- name: "Change Mirror"
hosts: all
user: tincadmin
become: true
tasks:
- name: Verify if system is Debian
ansible.builtin.debug:

5
playbooks/os-major-upgrade.yml
View File

@@ -2,10 +2,13 @@
vars:
os_update_major_version: true # Can either be true or false | To toggle if systems need to be upgraded to newer codename
os_update_version_codename: "trixie" # Change to switch major release (e.g. bookworm or trixie) | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
do_snapshots: true # Can either be true or false | To toggle if snapshots should be created before major upgrade
snapshot_name: "AUTO_before_major_{{ ansible_date_time.date }}" # Name of the snapshot to be created before major upgrade
vars_files:
# Load vault file for sensitive data like Proxmox API tokens
- ../vault.yml
user: tincadmin
become: true
tasks:
- name: Verify if system is Debian
debug:
@@ -43,6 +46,7 @@
when:
- ansible_os_family == "Debian"
- current_os_codename | lower != os_update_version_codename | lower
- do_snapshots | default(false)
- name: Create Snapshot before Modifications
ansible.builtin.include_role:
@@ -51,6 +55,7 @@
when:
- ansible_os_family == "Debian"
- current_os_codename | lower != os_update_version_codename | lower
- do_snapshots | default(false)
- name: Include OS update role
ansible.builtin.include_role:

51
playbooks/os-update.yml
View File

@@ -1,7 +1,14 @@
- hosts: all
user: tincadmin
become: true
vars:
os_update_major_version: true # Can either be true or false | To toggle if systems need to be upgraded to newer codename
os_also_update_mirror: false # Can either be true or false | To toggle if mirrors should be updated during major upgrade
os_update_version_codename: "trixie" # Change to switch major release (e.g. bookworm or trixie) | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
do_snapshots: true # Can either be true or false | To toggle if snapshots should be created before os update
snapshot_name: "AUTO_before_os_update_{{ ansible_date_time.date }}" # Name
vars_files:
# Load vault file for sensitive data like Proxmox API tokens
- ../vault.yml
tasks:
- name: Verify if system is Debian
debug:
@@ -13,7 +20,45 @@
msg: "This playbook only supports Debian."
when: ansible_os_family != "Debian"
- name: Check for available updates
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 0
register: apt_update
when: ansible_os_family == "Debian"
- name: Check if upgrades are available
ansible.builtin.command: apt list --upgradable
register: upgradable_packages
changed_when: false
when: ansible_os_family == "Debian"
- name: Set fact if updates are needed
set_fact:
updates_needed: "{{ upgradable_packages.stdout_lines | length > 1 }}"
when: ansible_os_family == "Debian"
- name: Include Proxmox Info task
ansible.builtin.include_role:
name: proxmox-automation
tasks_from: get-vmid
when:
- ansible_os_family == "Debian"
- do_snapshots | default(false)
- updates_needed | default(false)
- name: Create Snapshot before Modifications
ansible.builtin.include_role:
name: proxmox-automation
tasks_from: create-snapshots
when:
- ansible_os_family == "Debian"
- do_snapshots | default(false)
- updates_needed | default(false)
- name: Include OS update role
include_role:
ansible.builtin.include_role:
name: os-updates
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"
- updates_needed | default(false)

49
playbooks/reinstall-cmk-agent.yml Normal file
View File

@@ -0,0 +1,49 @@
- name: "Reinstall CMK Agent"
hosts: all
user: tincadmin
become: true
strategy: linear
vars_files:
- ../vault.yml
vars:
# Basic server and authentication information.
# You have to provide the distributed setup yourself.
checkmk_agent_version: "2.4.0p17"
checkmk_agent_edition: "cee"
checkmk_agent_user: "{{ checkmk_automation_user }}"
checkmk_agent_pass: "{{ checkmk_automation_pass }}"
# Here comes the part, where we get into remote registration
checkmk_agent_server_protocol: https
# The following should be set to the central site.
# This where you configure the host objects.
# Currently the agent package is also pulled from here.
checkmk_agent_server: servercow.observer
checkmk_agent_site: "scowmon"
checkmk_server_url: "https://servercow.observer"
checkmk_monitoring_site: "scowmon"
# The following should be pointed to the respective remote site.
# This is where the registration will happen.
checkmk_agent_registration_server: "{{ checkmk_agent_server }}"
checkmk_agent_registration_site: "{{ checkmk_agent_site }}"
# The folder might differ from your remote site name,
# as it is the technical path. Check your configuration for this information.
checkmk_agent_folder: "/managed_mailcows"
# These options need to be enabled for all registrations to work.
# You can however disable the one you do not want to perform.
# But the host needs to be added and changes activated in any case.
checkmk_agent_auto_activate: true
checkmk_agent_update: true
checkmk_agent_tls: true
# These are some generic agent options you might want to configure.
checkmk_agent_discover: true
checkmk_agent_discover_max_parallel_tasks: 0
checkmk_agent_force_install: true
checkmk_agent_delegate_api_calls: localhost
checkmk_agent_delegate_download: "{{ inventory_hostname }}"
checkmk_agent_host_name: "{{ inventory_hostname }}"
checkmk_agent_host_folder: "{{ checkmk_agent_folder }}"
checkmk_agent_host_ip: "{{ ansible_host }}"
checkmk_agent_host_attributes:
ipaddress: "{{ checkmk_agent_host_ip | default(omit) }}"
roles:
- checkmk.general.agent

2
playbooks/setup-checkmk-monitoring.yml
View File

@@ -1,5 +1,7 @@
- name: "Setup CheckMK Monitoring"
hosts: all
user: tincadmin
become: true
vars_files:
- ../vault.yml
tasks:

2
playbooks/setup-chronyd.yml
View File

@@ -1,5 +1,7 @@
- name: "Setup chronyd"
hosts: all
user: tincadmin
become: true
tasks:
- name: Verify if system is Debian or Ubuntu
ansible.builtin.debug: