author | Guilhem Moulin <guilhem@fripost.org> | 2017-07-29 13:47:43 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-07-29 13:47:43 +0200 |
commit | a48661c2f5082b8e15a952aaf33b1e8848ffbe90 (patch) | |
tree | 5b59f8f3c478f30e7926609a6b3786f3f22a00b5 | |
parent | 874ee116c6f1ee61bca9cba4fa8347a26a0fa1e9 (diff) |
Fix detection of KVM guests.
-rw-r--r-- | roles/common/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/common/templates/etc/apt/preferences.j2 | 3 | ||||
-rw-r--r-- | roles/common/templates/etc/apt/sources.list.j2 | 4 |
3 files changed, 5 insertions, 6 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 0230c0c..c63d7a4 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,53 +1,53 @@ --- - include: sysctl.yml tags: sysctl - include: hosts.yml - include: apt.yml tags: apt - name: Install intel-microcode apt: pkg=intel-microcode - when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" + when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" tags: intel - include: firewall.yml tags: - firewall - iptables - include: stunnel.yml tags: stunnel when: "'webmail' in group_names and 'LDAP-provider' not in group_names" - include: samhain.yml tags: samhain - include: auditd.yml tags: auditd - include: rkhunter.yml tags: rkhunter - include: clamav.yml tags: clamav - include: fail2ban.yml tags: fail2ban - include: smart.yml tags: - smartmontools - smart - when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" + when: "not ansible_virtualization_role == 'guest'" - include: haveged.yml tags: - haveged - entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=staff mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters command: gendhparam.sh /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem tags: genkey - include: ipsec.yml tags: - strongswan diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2 index 5d4b415..ecbb4ec 100644 --- a/roles/common/templates/etc/apt/preferences.j2 +++ b/roles/common/templates/etc/apt/preferences.j2 
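Review bot: Both new `when:` expressions are written `not ansible_virtualization_role == 'guest'`, which only gives the intended result because Jinja2 binds `==` tighter than `not`; `ansible_virtualization_role != 'guest'` says the same thing without relying on precedence. The same form appears in the preferences.j2 hunk and in the security.debian.org line of sources.list.j2. The guest test is now written out five times across three files, so defining it once (for example as a boolean in the role's vars) would keep the microcode install task, the apt pin and the non-free sources from drifting apart. The smart.yml condition also drops the old `ansible_system_vendor == 'QEMU'` fallback, so a guest whose facts do not report the role as `guest` would now get smartmontools; that looks intended but is worth confirming.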
@@ -3,37 +3,36 @@ # Install updates as soon as they're available Package: * Pin: release a={{ ansible_lsb.codename }}-updates Pin-Priority: 990 {% if 'backports' in group_names -%} # Automatically packages from backports (those manually installed) Package: * Pin: release a={{ ansible_lsb.codename }}-backports Pin-Priority: 200 {% endif %} {% if inventory_hostname_short in non_free_packages.keys() -%} # Automatically upgrade non-free firmwares (when manually installed) Package: {{ non_free_packages[inventory_hostname_short] | join (' ') }} Pin: version * Pin-Priority: 200 {% endif %} -{% if ansible_processor[0] | search('^(Genuine)?Intel.*') and - not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') -%} +{% if ansible_processor[0] | search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest' -%} # Automatically upgrade the microcode (when manually installed) Package: intel-microcode iucode-tool Pin: version * Pin-Priority: 200 {% endif %} # Never, ever install things from contrib or non-free unless they have been # whitelisted above Package: * Pin: release c=contrib Pin-Priority: -1 Package: * Pin: release c=non-free Pin-Priority: -1 diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2 index 2dbaee4..1f51621 100644 --- a/roles/common/templates/etc/apt/sources.list.j2 +++ b/roles/common/templates/etc/apt/sources.list.j2 
@@ -1,13 +1,13 @@ # {{ ansible_managed }} # Do NOT edit this file directly! # vim: set filetype=debsources : -deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %} +deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[0] | search("^(Genuine)?Intel.*") and ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} -deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %} +deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }}-updates main {% if 'backports' in group_names -%} deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }}-backports main {% endif %} |
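Review bot: The new ftp.debian.org line ends its condition with `and ansible_virtualization_role == 'guest'`, without the `not` used by the security.debian.org line just below and by the other two files, so the test is inverted for the main archive. As written, Intel guests get `contrib non-free` on the main mirror while physical Intel hosts lose it. The `Install intel-microcode` task in roles/common/tasks/main.yml would then likely find no installation candidate on exactly the machines that need microcode updates. The condition should end `... search("^(Genuine)?Intel.*") and ansible_virtualization_role != 'guest') %} contrib non-free{% endif %}`, matching the security line.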