Added Cloudflare DNS, HAProxy LB

applications.yml

@@ -0,0 +1,10 @@
+# Playbook Application Install
+---
+- name: Haproxy Control LB
+  hosts:
+    - control_lb_nodes
+  roles:
+    - role: haproxy_control_lb
+      tags:
+        - haproxy
+        - haproxy_control_lb

k8s_services.yml

@@ -1,6 +1,5 @@
----
 # Playbook Services Install
-
+---
 - name: Install services on K8S
   become: false
   gather_facts: false

os.yml

@@ -0,0 +1,28 @@
+# Playbook OS Install
+---
+- name: Cloudflare DNS
+  become: false
+  gather_facts: false
+  hosts:
+    - debian
+  roles:
+    - role: cloudflare_dns
+      tags:
+        - cloudflare_dns
+        - dns
+
+- name: Debian
+  hosts:
+    - debian
+  roles:
+    - role: debian
+      tags:
+        - debian
+
+- name: Ubuntu
+  hosts:
+    - ubuntu
+  roles:
+    - role: ubuntu
+      tags:
+        - ubuntu

playbook.yml

@@ -4,7 +4,20 @@
   tags:
     - talos
 
-- name: Include playbook services
-  ansible.builtin.import_playbook: services.yml
+- name: Include playbook k8s_services
+  ansible.builtin.import_playbook: k8s_services.yml
   tags:
+    - k8s_services
     - services
+
+- name: Include playbook os
+  ansible.builtin.import_playbook: os.yml
+  tags:
+    - os
+    - loadbalancer
+
+- name: Include playbook applications
+  ansible.builtin.import_playbook: applications.yml
+  tags:
+    - applications
+    - loadbalancer

requirements.txt

@@ -0,0 +1,6 @@
+#!/usr/bin/env  -S  python3  -m pip  install  --upgrade  --requirement
+ansible
+ansible-lint
+dnspython
+netaddr
+kubernetes

requirements.yml

@@ -0,0 +1,5 @@
+#!/usr/bin/env  -S  ansible-galaxy  install  --force  --role-file
+---
+collections:
+  - name: community.crypto
+  - name: community.general

roles/cloudflare_dns/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Create an A record at Cloudflare
+  delegate_to: localhost
+  when: inventory_hostname is match('.*\.k8s\.snel\.com')
+  community.general.cloudflare_dns:
+    zone: snel.com
+    record: "{{ inventory_hostname | regex_replace('\\.snel\\.com$', '') }}"
+    type: A
+    value: "{{ ansible_host }}"
+    api_token: "{{ cloudflare_token }}"
+  register: record

roles/common/handlers/main.yml

@@ -1,2 +1,6 @@
+---
 - name: Import Talos handlers
   ansible.builtin.import_tasks: handlers/talos.yml
+
+- name: Import Restart handlers
+  ansible.builtin.import_tasks: handlers/restart.yml

roles/common/handlers/restart.yml

@@ -0,0 +1,66 @@
+---
+- name: Restart Systemd-Journald
+  ansible.builtin.systemd:
+    name: systemd-journald.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart Apache2
+  ansible.builtin.systemd:
+    name: apache2.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart MySQL
+  ansible.builtin.systemd:
+    name: mysql.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart Containerd
+  ansible.builtin.systemd:
+    name: containerd.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart SSH
+  ansible.builtin.systemd:
+    name: ssh.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart Postfix
+  ansible.builtin.systemd:
+    name: postfix.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart haproxy
+  ansible.builtin.systemd:
+    name: haproxy.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart PHP-FPM
+  ansible.builtin.systemd:
+    name: php{{ php_version }}-fpm.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart New Relic Infra
+  ansible.builtin.systemd:
+    name: newrelic-infra.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart networking
+  ansible.builtin.systemd:
+    name: networking.service
+    state: restarted
+    daemon_reload: true
+
+- name: Restart systemd-networkd
+  ansible.builtin.systemd:
+    name: systemd-networkd.service
+    state: restarted
+    daemon_reload: true

roles/dci_login/tasks/main.yml

@@ -66,4 +66,4 @@
 
 - name: Set fact with server info from DCI Manager
   ansible.builtin.set_fact:
-    dci_server_info: "{{ _dci_server.content | from_json | community.general.json_query('list[?@.ip[?@.name==`' ~ ansible_remote ~ '`]]') | first }}"
+    dci_server_info: "{{ _dci_server.content | from_json | community.general.json_query('list[?@.ip[?@.name==`' ~ ansible_host ~ '`]]') | first }}"

roles/dci_reinstall_talos/tasks/main.yml

@@ -30,7 +30,7 @@
   ansible.builtin.wait_for:
     delay: 10
     state: stopped
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000
     timeout: 300
 
@@ -39,6 +39,6 @@
   become: false
   ansible.builtin.wait_for:
     delay: 10
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000
     timeout: 1200

roles/debian/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+have_mail: true
+have_firewall: true
+timezone: Europe/Brussels

roles/debian/files/security/limits.conf

@@ -0,0 +1,10 @@
+root             soft    nofile          1024000
+root             hard    nofile          1024000
+root             soft    core            0
+root             hard    core            0
+*                soft    nofile          1024000
+*                hard    nofile          1024000
+*                soft    core            0
+*                hard    core            0
+mysql            soft    memlock         unlimited
+mysql            hard    memlock         unlimited

roles/debian/files/systemd/journald.conf.d/persistent.conf

@@ -0,0 +1,4 @@
+[Journal]
+Storage=persistent
+SystemMaxFiles=10000
+RuntimeMaxFiles=10000

roles/debian/files/usr/local/bin/apt-get-noninteractive

@@ -0,0 +1,5 @@
+#!/bin/bash
+IFS=$'\n'
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+export DEBIAN_FRONTEND=noninteractive
+apt-get  --assume-yes  -o Dpkg::Options::='--force-confdef'  -o Dpkg::Options::='--force-confold'  "$@"

roles/debian/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: common

roles/debian/tasks/ansible_remote.yml

@@ -0,0 +1,20 @@
+---
+- name: "Create Ansible remote_tmp ~/.ansible/tmp"
+  ansible.builtin.file:
+    path: ~/.ansible/tmp
+    state: directory
+    mode: u=rwx,go=
+
+- name: Stop & Disable unwanted services
+  ansible.builtin.include_tasks: shared/tasks/disable_service.yml
+  loop:
+    - motd-news
+  loop_control:
+    loop_var: __disable_service_name
+
+- name: Kill unattended-upgrades
+  ansible.builtin.command:
+    cmd: pkill -f unattended-upgrade
+  register: _pkill_unattended_upgrade
+  failed_when: _pkill_unattended_upgrade.rc not in [0, 1]
+  changed_when: false

roles/debian/tasks/apt.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if APT cache exists
+  ansible.builtin.find:
+    paths: /var/lib/apt/lists/
+    patterns: "*_{{ ansible_distribution_release }}_InRelease"
+  register: _pkgcache
+
+- name: Update repositories cache
+  when: _pkgcache.matched == 0
+  ansible.builtin.apt:
+    update_cache: true
+
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install APT Transport HTTPS
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present

roles/debian/tasks/bloatware.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Stop & Disable unwanted services
+  ansible.builtin.include_tasks: shared/tasks/disable_service.yml
+  loop:
+    - motd-news.service
+  loop_control:
+    loop_var: __disable_service_name

roles/debian/tasks/environment.yml

@@ -0,0 +1,4 @@
+---
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"

roles/debian/tasks/firewall.yml

@@ -0,0 +1,32 @@
+---
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install packages required for Firewall
+  ansible.builtin.apt:
+    name:
+      - ufw
+    install_recommends: false
+
+- name: Get IP of Ansible controller
+  ansible.builtin.set_fact:
+    _ssh_client_ip: "{{ ansible_env.SSH_CLIENT.split(' ')[0] }}"
+
+- name: Allow access to tcp port 22
+  community.general.ufw:
+    rule: allow
+    name: OpenSSH
+    src: "{{ item }}"
+  loop: "{{ ip_whitelist + [_ssh_client_ip] }}"
+
+- name: Delete default SSH rule
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+    delete: true
+
+- name: Enable UFW, deny by default
+  community.general.ufw:
+    state: enabled
+    default: deny

roles/debian/tasks/limits.yml

@@ -0,0 +1,6 @@
+---
+- name: Create limits.conf
+  ansible.builtin.copy:
+    src: security/limits.conf
+    dest: /etc/security/limits.conf
+    mode: u=rw,go=r

roles/debian/tasks/local-ssh.yml

@@ -0,0 +1,12 @@
+---
+- name: Add SSH config on ansible host
+  delegate_to: localhost
+  ansible.builtin.copy:
+    dest: ~/.ssh/config.d/{{ inventory_hostname }}.conf
+    content: |
+      Host  {{ inventory_hostname }}  {{ inventory_hostname.split(".")[0] }}
+        Hostname {{ ansible_ssh_hostname | default(inventory_hostname) }}
+        Port 22
+        User root
+        ForwardAgent yes
+    mode: u=rw,go=r

roles/debian/tasks/mail_postfix.yml

@@ -0,0 +1,18 @@
+---
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install packages required for Postfix
+  ansible.builtin.apt:
+    name:
+      - postfix
+      - libsasl2-modules
+      - mailutils
+    install_recommends: false
+
+- name: Postfix config
+  ansible.builtin.template:
+    src: postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
+    mode: u=rw,g=r,o=
+  notify: Restart Postfix

roles/debian/tasks/mail_ssmtp.yml

@@ -0,0 +1,16 @@
+---
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install packages required for Mail
+  ansible.builtin.apt:
+    name:
+      - ssmtp
+      - mailutils
+    install_recommends: false
+
+- name: Ssmtp config
+  ansible.builtin.template:
+    src: ssmtp/ssmtp.conf.j2
+    dest: /etc/ssmtp/ssmtp.conf
+    mode: u=rw,g=r,o=

roles/debian/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+- name: Import local-ssh tasks
+  ansible.builtin.import_tasks:
+    file: local-ssh.yml
+  tags:
+    - local
+    - local-ssh
+    - ssh
+
+- name: Import Debian apt tasks
+  ansible.builtin.import_tasks:
+    file: apt.yml
+  tags:
+    - apt
+
+- name: Import Debian bloatware tasks
+  ansible.builtin.import_tasks:
+    file: bloatware.yml
+  tags:
+    - bloatware
+
+- name: Import ssh tasks
+  ansible.builtin.import_tasks:
+    file: ssh.yml
+  tags:
+    - ssh
+
+- name: Import environment tasks
+  ansible.builtin.import_tasks:
+    file: environment.yml
+  tags:
+    - environment
+
+- name: Import mail tasks
+  when: have_mail
+  ansible.builtin.import_tasks:
+    file: mail_postfix.yml
+  tags:
+    - mail
+
+- name: Import sysadmin-tools tasks
+  ansible.builtin.import_tasks:
+    file: sysadmin-tools.yml
+
+- name: Import firewall tasks
+  when: have_firewall
+  ansible.builtin.import_tasks:
+    file: firewall.yml
+  tags:
+    - firewall
+
+- name: Import limits tasks
+  ansible.builtin.import_tasks:
+    file: limits.yml
+  tags:
+    - limits
+
+- name: Import systemd tasks
+  ansible.builtin.import_tasks:
+    file: systemd.yml
+  tags:
+    - systemd

roles/debian/tasks/ssh.yml

@@ -0,0 +1,14 @@
+---
+- name: Configure SSH UseDNS=no
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?UseDNS "
+    line: UseDNS no
+  notify: Restart SSH
+
+- name: Configure SSH GSSAPIAuthentication=no
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?GSSAPIAuthentication "
+    line: GSSAPIAuthentication no
+  notify: Restart SSH

roles/debian/tasks/sysadmin-tools.yml

@@ -0,0 +1,73 @@
+---
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install system administrator tools
+  ansible.builtin.apt:
+    name:
+      - bash
+      - mlocate
+      - joe
+      - nano
+      - sudo
+      - telnet
+      - ncdu
+      - screen
+      - git
+      - curl
+      - python3-pip
+      - apt-dater-host
+      - net-tools
+    install_recommends: false
+
+- name: Stat mlocate
+  ansible.builtin.stat:
+    path: /var/lib/mlocate/mlocate.db
+  register: _mlocate
+
+- name: Stat plocate
+  ansible.builtin.stat:
+    path: /var/lib/plocate/plocate.db
+  register: _plocate
+
+- name: Run updatedb
+  when: not _mlocate.stat.exists  and  not _plocate.stat.exists
+  ansible.builtin.command:
+    cmd: updatedb
+  changed_when: true
+
+- name: Profile.d
+  ansible.builtin.template:
+    src: profile.d/100-ansible.sh.j2
+    dest: /etc/profile.d/100-ansible.sh
+    mode: u=rwx,go=rx
+
+- name: Profile.d
+  ansible.builtin.template:
+    src: profile.d/100-ansible.sh.j2
+    dest: /etc/profile.d/100-ansible.sh
+    mode: u=rwx,go=rx
+
+- name: Disable wordwrap in the Joe editor
+  ansible.builtin.replace:
+    path: /etc/joe/ftyperc
+    regexp: '^(-wordwrap)$'
+    replace: ' \1'
+
+- name: Directory /usr/local/bin
+  ansible.builtin.file:
+    path: /usr/local/bin
+    state: directory
+    mode: u=rwX,go=rX
+
+- name: Create apt-get-noninteractive script
+  ansible.builtin.copy:
+    src: usr/local/bin/apt-get-noninteractive
+    dest: /usr/local/bin/apt-get-noninteractive
+    mode: u=rwx,go=
+
+- name: Configure Apt-Dater to use APT wrapper
+  ansible.builtin.lineinfile:
+    path: /etc/apt-dater-host.conf
+    regexp: "^\\$DPKGTOOL="
+    line: '$DPKGTOOL="/usr/local/bin/apt-get-noninteractive";'

roles/debian/tasks/systemd.yml

@@ -0,0 +1,13 @@
+---
+- name: "Directory for Journald config"
+  ansible.builtin.file:
+    path: /etc/systemd/journald.conf.d
+    state: directory
+    mode: u=rw,go=r
+
+- name: "Config for persistent Journald logging"
+  ansible.builtin.copy:
+    dest: /etc/systemd/journald.conf.d/persistent.conf
+    src: systemd/journald.conf.d/persistent.conf
+    mode: u=rw,go=r
+  notify: Restart Systemd-Journald

roles/debian/templates/postfix/main.cf.j2

@@ -0,0 +1,8 @@
+inet_interfaces = loopback-only
+mydestination =
+myhostname = {{ inventory_hostname }}
+myorigin = $mydomain
+relayhost = {{ smtp_relay_host }}:{{ smtp_relay_port }}
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = static:{{ smtp_relay_user }}:{{ smtp_relay_password }}
+smtp_sasl_security_options = noanonymous

roles/debian/templates/profile.d/100-ansible.sh.j2

@@ -0,0 +1 @@
+export HISTTIMEFORMAT="%Y-%m-%d %T "

roles/debian/templates/ssmtp/ssmtp.conf.j2

@@ -0,0 +1,8 @@
+Root={{ sysadmin_email }}
+Hostname={{ inventory_hostname }}
+FromLineOverride=no
+Mailhub={{ smtp_relay_host }}:{{ smtp_relay_port }}
+UseSTARTTLS=yes
+AuthUser={{ smtp_relay_user }}
+AuthPass={{ smtp_relay_password }}
+AuthMethod={{ smtp_relay_auth_method | default('cram-md5') }}

roles/haproxy/files/haproxy.env

@@ -0,0 +1 @@
+CONFIG=/etc/haproxy

roles/haproxy/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: common

roles/haproxy/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install haproxy
+  ansible.builtin.apt:
+    name:
+      - haproxy
+    install_recommends: false
+
+- name: Directory /etc/sysconfig
+  ansible.builtin.file:
+    path: /etc/sysconfig
+    state: directory
+    mode: u=rwX,go=rX
+
+- name: Haproxy service environment file
+  ansible.builtin.copy:
+    src: haproxy.env
+    dest: /etc/sysconfig/haproxy
+    mode: u=rwX,go=rX
+  notify: Restart haproxy
+
+- name: Haproxy base config
+  ansible.builtin.template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    mode: u=rw,g=r,o=
+    group: haproxy
+  notify: Restart haproxy
+
+- name: Enable haproxy service
+  ansible.builtin.systemd:
+    name: haproxy.service
+    enabled: true

roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,36 @@
+global
+  log   /dev/log	local0
+  log   /dev/log	local1  debug
+  chroot  /var/lib/haproxy
+  # stats  socket /run/haproxy/admin.sock  mode 660  level admin  expose-fd listeners
+  # stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+  # Default SSL material locations
+  ca-base /etc/ssl/certs
+  crt-base /etc/ssl/private
+  # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+  log	global
+  mode	http
+  option  httplog
+  option  dontlognull
+  timeout connect 5000
+  timeout client  50000
+  timeout server  50000
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http
+
+backend bk_no_match
+  mode http
+  http-request deny deny_status 403

roles/haproxy_control_lb/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: common
+  - role: haproxy

roles/haproxy_control_lb/tasks/firewall.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Get IP of Ansible controller
+  ansible.builtin.set_fact:
+    _ssh_client_ip: "{{ ansible_env.SSH_CLIENT.split(' ')[0] }}"
+
+- name: Allow access from whitelist to tcp port 50000
+  community.general.ufw:
+    rule: allow
+    port: "50000"
+    src: "{{ item }}"
+  loop: "{{ ip_whitelist + [_ssh_client_ip] }}"
+
+- name: Allow access from nodes to tcp port 50001
+  community.general.ufw:
+    rule: allow
+    port: "50001"
+    src: "{{ hostvars[talos_node].ansible_host }}"
+  loop: "{{ groups['customer_' + customer] }}"
+  loop_control:
+    loop_var: talos_node
+
+- name: Allow public access to tcp port 6443
+  community.general.ufw:
+    rule: allow
+    port: "6443"

roles/haproxy_control_lb/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Import firewall tasks
+  ansible.builtin.import_tasks:
+    file: firewall.yml
+  tags:
+    - firewall
+
+- name: Haproxy LB config
+  ansible.builtin.template:
+    src: haproxy_control_lb.cfg.j2
+    dest: /etc/haproxy/haproxy_control_lb.cfg
+    mode: u=rw,g=r,o=
+    group: haproxy
+  notify: Restart haproxy

roles/haproxy_control_lb/templates/haproxy_control_lb.cfg.j2

@@ -0,0 +1,48 @@
+frontend tcp_talosapi
+    mode tcp
+    option tcplog
+    bind :50000
+    default_backend bk_talosapi
+
+backend bk_talosapi
+    mode tcp
+    balance leastconn
+{% for talos_node in groups['customer_'+customer] %}
+{%   if talos_node in groups['talos_control_nodes'] %}
+    server  {{ talos_node }}  {{ hostvars[talos_node].ansible_host }}:50000  check
+{%   endif %}
+{% endfor %}
+
+####
+
+frontend tcp_talostrustd
+    mode tcp
+    option tcplog
+    bind :50001
+    default_backend bk_talostrustd
+
+backend bk_talostrustd
+    mode tcp
+    balance leastconn
+{% for talos_node in groups['customer_'+customer] %}
+{%   if talos_node in groups['talos_control_nodes'] %}
+    server  {{ talos_node }}  {{ hostvars[talos_node].ansible_host }}:50001  check
+{%   endif %}
+{% endfor %}
+
+####
+
+frontend tcp_kubeapi
+    mode tcp
+    option tcplog
+    bind :6443
+    default_backend bk_kubeapi
+
+backend bk_kubeapi
+    mode tcp
+    balance leastconn
+{% for talos_node in groups['customer_'+customer] %}
+{%   if talos_node in groups['talos_control_nodes'] %}
+    server  {{ talos_node }}  {{ hostvars[talos_node].ansible_host }}:6443  check
+{%   endif %}
+{% endfor %}

roles/talos_config_apply/tasks/main.yml

@@ -19,8 +19,8 @@
     cmd: >-
       talosctl  apply-config
         --file '{{ talos_node_config_file }}'
-        --nodes '{{ ansible_remote }}'
-        --endpoints '{{ ansible_remote }}'
+        --nodes '{{ ansible_host }}'
+        --endpoints '{{ ansible_host }}'
         --mode auto
         {% if talos_machine_status.spec.stage == 'maintenance' %} --insecure{% endif %}
   changed_when: true
@@ -31,7 +31,7 @@
   delegate_to: "{{ talosctl_host }}"
   become: false
   ansible.builtin.wait_for:
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000
     delay: 5
     timeout: 600

roles/talos_config_create/tasks/create_node_config.yml

@@ -9,10 +9,10 @@
           interfaces:
             - interface: "{{ network_interface }}"
               addresses:
-                - "{{ ansible_remote }}/{{ network_cidr_prefix }}"
+                - "{{ ansible_host }}/{{ network_cidr_prefix }}"
               routes:
                 - network: 0.0.0.0/0
-                  gateway: "{{ (ansible_remote ~ '/' ~ network_cidr_prefix) | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') }}"
+                  gateway: "{{ (ansible_host ~ '/' ~ network_cidr_prefix) | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') }}"
         install:
           disk: "{{ talos_disk }}"
         kubelet:

roles/talos_reboot/tasks/main.yml

@@ -11,8 +11,8 @@
     cmd: >-
       talosctl  reboot
         --wait=true
-        --endpoints '{{ ansible_remote }}'
-        --nodes '{{ ansible_remote }}'
+        --endpoints '{{ ansible_host }}'
+        --nodes '{{ ansible_host }}'
         {% if talos_machine_status.spec.stage == 'maintenance' %} --insecure{% endif %}
   changed_when: true
   environment:
@@ -23,5 +23,5 @@
   become: false
   throttle: 1
   ansible.builtin.wait_for:
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000

roles/talos_reset/tasks/main.yml

@@ -14,8 +14,8 @@
         --graceful=false
         --wait=true
         --reboot
-        --endpoints '{{ ansible_remote }}'
-        --nodes '{{ ansible_remote }}'
+        --endpoints '{{ ansible_host }}'
+        --nodes '{{ ansible_host }}'
   changed_when: true
   environment:
     TALOSCONFIG: "{{ talosconfig }}"
@@ -24,5 +24,5 @@
   delegate_to: "{{ talosctl_host }}"
   become: false
   ansible.builtin.wait_for:
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000

roles/talos_upgrade/tasks/main.yml

@@ -7,7 +7,8 @@
       talosctl  upgrade
         --image="ghcr.io/siderolabs/installer:{{ talos_version }}"
         --endpoints='{{ talos_control_lb_hostname }}'
-        --nodes='{{ ansible_remote }}'
+        --preserve
+        --nodes='{{ ansible_host }}'
         --timeout='30m'
         --wait=true
   changed_when: true
@@ -19,7 +20,7 @@
   throttle: 1
   become: false
   ansible.builtin.wait_for:
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000
     delay: 5
     timeout: 300

roles/talos_upgrade_k8s/tasks/main.yml

@@ -15,7 +15,7 @@
   throttle: 1
   become: false
   ansible.builtin.wait_for:
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000
     delay: 5
     timeout: 300

roles/talos_wait_port/tasks/main.yml

@@ -4,5 +4,5 @@
   delegate_to: "{{ talosctl_host }}"
   become: false
   ansible.builtin.wait_for:
-    host: "{{ ansible_remote }}"
+    host: "{{ ansible_host }}"
     port: 50000

roles/ubuntu/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart unattended-upgrades
+  ansible.builtin.systemd:
+    name: unattended-upgrades.service
+    state: restarted
+    daemon_reload: true

roles/ubuntu/tasks/apt.yml

@@ -0,0 +1,38 @@
+---
+- name: Wait for APT Lock
+  ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
+
+- name: Install packages required for auto update
+  ansible.builtin.apt:
+    name:
+      - unattended-upgrades
+      - update-notifier-common
+    install_recommends: false
+
+- name: Configure unattended-upgrades email
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: "^(//)?\\s*Unattended-Upgrade::Mail "
+    line: Unattended-Upgrade::Mail "sysadmin@deovereo.com";
+  notify: Restart unattended-upgrades
+
+- name: Configure unattended-upgrades email on error
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: "^(//)?\\s*Unattended-Upgrade::MailReport "
+    line: Unattended-Upgrade::MailReport "only-on-error";
+  notify: Restart unattended-upgrades
+
+- name: Configure unattended-upgrades reboot
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: "^(//)?\\s*Unattended-Upgrade::Automatic-Reboot "
+    line: Unattended-Upgrade::Automatic-Reboot "true";
+  notify: Restart unattended-upgrades
+
+- name: Configure unattended-upgrades reboot
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: "^(//)?\\s*Unattended-Upgrade::Automatic-Reboot-WithUsers "
+    line: Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
+  notify: Restart unattended-upgrades

roles/ubuntu/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Import Ubuntu apt
+  ansible.builtin.import_tasks:
+    file: apt.yml

shared/tasks/disable_service.yml

@@ -0,0 +1,60 @@
+---
+# Requires var:  __disable_service_name  => name with '.service' or '.timer'
+
+- name: disable_service | Check var __disable_service_name
+  ansible.builtin.assert:
+    that: __disable_service_name is defined and __disable_service_name != ''
+    quiet: true
+
+# - name: Update service facts
+#   ansible.builtin.service_facts:
+
+- name: disable_service | List loaded units
+  ansible.builtin.command:
+    cmd: systemctl list-units --state=loaded,masked --plain # noqa command-instead-of-module
+  register: _list_units
+  check_mode: false
+  changed_when: false
+
+- name: disable_service | When service exists
+  when: _list_units.stdout is regex( '\s' + (__disable_service_name | regex_escape()) + '\s')
+  block:
+    - name: Stop and disable {{ __disable_service_name }}
+      ansible.builtin.systemd:
+        name: "{{ __disable_service_name }}"
+        state: stopped
+        enabled: false
+
+- name: disable_service | List fa-iled services
+  ansible.builtin.command:
+    cmd: systemctl  list-units  --failed  --plain # noqa command-instead-of-module
+  register: _systemctl_list_failed
+  changed_when: false
+
+- name: disable_service | Reset-fa-iled service {{ __disable_service_name }}
+  when: _systemctl_list_failed.stdout  is  regex('\s' + (__disable_service_name) + '\s')
+  ansible.builtin.command:
+    cmd: systemctl  reset-failed  '{{ __disable_service_name }}' # noqa command-instead-of-module
+  changed_when: true
+
+- name: disable_service | Find target paths
+  ansible.builtin.find:
+    paths: /etc/systemd/system
+    patterns: "*.wants"
+    file_type: directory
+  register: _target_wants_paths
+
+- name: disable_service | Find target unit files
+  ansible.builtin.find:
+    paths: "{{ _target_wants_paths.files | map(attribute='path') | list }}"
+    file_type: link
+    patterns: "{{ __disable_service_name }}"
+  register: _remove_list
+
+- name: disable_service | Remove target unit files
+  ansible.builtin.file:
+    path: "{{ _remove_file }}"
+    state: absent
+  loop: "{{ _remove_list.files | map(attribute='path') | list }}"
+  loop_control:
+    loop_var: _remove_file

shared/tasks/talos_machine_status.yml

@@ -9,8 +9,8 @@
   ansible.builtin.command:
     cmd: >-
       talosctl  get  machinestatus
-        --endpoints '{{ ansible_remote }}'
-        --nodes '{{ ansible_remote }}'
+        --endpoints '{{ ansible_host }}'
+        --nodes '{{ ansible_host }}'
         --output json
   register: _machine_status_cmd
   failed_when: _machine_status_cmd.rc not in [0, 1]
@@ -25,8 +25,8 @@
   ansible.builtin.command:
     cmd: >-
       talosctl  get  machinestatus
-        --endpoints '{{ ansible_remote }}'
-        --nodes '{{ ansible_remote }}'
+        --endpoints '{{ ansible_host }}'
+        --nodes '{{ ansible_host }}'
         --output json
         --insecure
   register: _machine_status_cmd_insec

shared/tasks/wait_apt.yml

@@ -0,0 +1,4 @@
+---
+- name: Wait for automatic system updates
+  ansible.builtin.raw: systemd-run --property="After=apt-daily.service apt-daily-upgrade.service unattended-upgrades.service cloud-final.service" --wait /bin/true
+  changed_when: false

talos.yml

@@ -1,5 +1,15 @@
----
 # Playbook Talos Install
+---
+- name: Cloudflare DNS
+  become: false
+  gather_facts: false
+  hosts:
+    - talos
+  roles:
+    - role: cloudflare_dns
+      tags:
+        - cloudflare_dns
+        - dns
 
 - name: Wait for Talos port
   become: false